From firewalls-owner Wed Feb 1 09:04:00 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA14683 for firewalls-outgoing; Wed, 1 Feb 1995 08:25:51 -0800
Received: from seraph.uunet.ca (uunet.ca [142.77.1.254]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA14678 for ; Wed, 1 Feb 1995 08:25:48 -0800
Received: from lci by mail.uunet.ca with UUCP id <86874-3>; Wed, 1 Feb 1995 07:13:09 -0500
Received: by lci (MKS Internet Anywhere); Tue, 31 Jan 95 22:42:29 UTC
From: lci!cklung (C.K. Lung)
To: "Dr. Frederick B. Cohen" , mckenney@smiley.mitre.org (Brian W. McKenney)
Cc: firewalls@GreatCircle.COM
Subject: Re: Testing firewalls
Date: Tue, 31 Jan 1995 22:01:24 -0500
X-MAILER: MKS Internet Anywhere - Compose 1.1d
X-MKSIA-SN: 3990260790
Message-Id: <791592149@lci>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Are the following firewall testers UNIX-based? Are there any MS Windows-based firewall testers?

> >So far, I have received the following list of testers:
> > ftp.cw.purdue.edu /pub/spaf/COAST/Tripwire
> > net.tamu.edu /pub/security/TAMU
> > ftp.cert.org /pub/tools/cops
> > ftp.cw.purdue.edu /pub/spaf/COAST/Tripwire
> > ftp.uu.net /usenet/comp.sources.misc/volume39/iss
> > ftp.cert.org /pub/tools/crack

Thanks.

--
C.K. Lung
Toronto, Ontario
ck.lung@rose.com

From firewalls-owner Wed Feb 1 12:07:42 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA15360 for firewalls-outgoing; Wed, 1 Feb 1995 11:14:47 -0800
Received: from dfw.net (root@dfw.net [198.175.15.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA15347 for ; Wed, 1 Feb 1995 11:14:39 -0800
Received: by dfw.net (4.1/SMI-4.1) id AA09510; Wed, 1 Feb 95 00:08:25 CST
Date: Wed, 1 Feb 1995 00:08:24 -0600 (CST)
From: Aleph One
To: Paul Traina
Cc: Jon Peatfield , "Jonathan M.
    Bresler" , Jim Duncan , rens@imsi.com, ddrew@mci.net, firewalls@GreatCircle.COM, bugtraq@fc.net, z056716@uprc.com, jp107@amtp.cam.ac.uk
Subject: Re: Router filtering not enough! (Was: Re: CERT advisory )
In-Reply-To: <199501261811.KAA16212@feta.cisco.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 26 Jan 1995, Paul Traina wrote:

> > How hard would it be to modify tcpwrapper (for example) to check the
> > incoming MAC address on a connection and to be worried if it came from a
> > list of routers but the address was the local net?
>
> This breaks people who might have their netmasks set incorrectly on the local
> net.
>

Is this bad? Don't think so; if it breaks it, you will notice and be able to fix it.

a1
http://underground.org

From firewalls-owner Wed Feb 1 12:08:15 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA15734 for firewalls-outgoing; Wed, 1 Feb 1995 11:19:10 -0800
Received: from inet-gw-3.pa.dec.com (inet-gw-3.pa.dec.com [16.1.0.33]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA15714; Wed, 1 Feb 1995 11:19:04 -0800
Received: from vbv03.vbv.dec.com by inet-gw-3.pa.dec.com (5.65/10Aug94) id AA22974; Wed, 1 Feb 95 01:21:25 -0800
Received: by vbv03.vbv.dec.com (5.65/MS-012594); id AA03677; Wed, 1 Feb 1995 03:56:36 -0500
Message-Id: <9502010856.AA03677@vbv03.vbv.dec.com>
To: firewalls-owner@greatcircle.com
Cc: firewalls@greatcircle.com
Subject: Re: Test labs
In-Reply-To: Your message of "Tue, 31 Jan 95 20:12:17 EST."
Date: Wed, 01 Feb 95 03:56:35 -0500
From: "Frank Byrum"
X-Mts: smtp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Padgett writes:
>Oh I agree, now everyone out there whose organization *has* a dedicated
>test lab for firewalls, please stand up...

Ok, we do....actually we have several....

Frank

........................................................................
. Frank Byrum .
. Internet: byrum@vbv.dec.com .
. Digital Equipment Corporation . ENET: vbv03::byrum .
. 4417 Corporation Lane . All-in-One: Frank Byrum@VBV .
. Suite 100 . Phone: +1 804 473 5437 DTN: 373 .
. Virginia Beach, VA 23462 . Beep: +1 800 SKY PAGE (347 1603) .
........................................................................

From firewalls-owner Wed Feb 1 12:30:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA15312 for firewalls-outgoing; Wed, 1 Feb 1995 11:14:11 -0800
Received: from sg543689.eng.chrysler.com (sg543689.eng.chrysler.com [152.116.1.69]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA15280 for ; Wed, 1 Feb 1995 11:14:02 -0800
Received: from sg5382na.eng.chrysler.com (sg5382na.eng.chrysler.com [152.116.1.30]) by sg543689.eng.chrysler.com (8.6.9/8.6.9) with ESMTP id MAA08369 for ; Wed, 1 Feb 1995 12:44:42 -0500
Received: from clncrdv1.is.chrysler.com ([129.9.241.19]) by sg5382na.eng.chrysler.com (8.6.9/8.6.9) with SMTP id MAA27246 for ; Wed, 1 Feb 1995 12:44:42 -0500
Received: from ([129.9.249.35]) by clncrdv1.is.chrysler.com (4.1/SMI-4.1) id AA07985; Wed, 1 Feb 95 12:58:37 EST
Message-Id: <9502011758.AA07985@clncrdv1.is.chrysler.com>
X-Sender: t0925mp@clncrdv1
X-Mailer: Windows Eudora Version 1.4.3b4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 01 Feb 1995 12:44:35 -0500
To: firewalls@greatcircle.com
From: mjp2@is.chrysler.com (Mike Papais)
Subject: National Science Laboratory Break In ?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anyone heard of any break-ins of an entity with a name like National Science Laboratory? I just got asked by our IS director about the circumstances of this break-in (was there a firewall, what kind, type of break-in). This event may predate my involvement with this forum, so I am looking for any and all paths I might follow.

Please respond via private email to mjp2@is.chrysler.com

Thank you.
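For the "Router filtering not enough!" exchange above between Aleph One and Paul Traina, here is an added example of the two ingress checks under discussion, written for this archive and not taken from either poster, from tcp_wrappers or from any kernel: the plain interface-based rule (an inside source address must never arrive on the outside interface, which is what Traina means by "any packet filtering forwarder fixes this") and Aleph One's proposed MAC rule (a local source address delivered by a router's Ethernet address did not originate on the local segment). The inside network, the host's own addresses, the router MACs and the sample packets are all constructed for the example; the `IP_FORWARDING` flag stands in for the BSD sysctl.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology for the example: the inside network, the addresses this
# dual-homed host owns, and the Ethernet addresses of the routers on the inside
# segment. In a real deployment these come from the site's own configuration.
INSIDE_NETS = [ipaddress.ip_network("10.1.0.0/16")]
MY_ADDRESSES = {ipaddress.ip_address("10.1.0.1"), ipaddress.ip_address("192.0.2.1")}
ROUTER_MACS = {"00:00:0c:aa:bb:01", "00:00:0c:aa:bb:02"}
IP_FORWARDING = 1  # stands in for the BSD sysctl net.inet.ip.forwarding


@dataclass
class Packet:
    iface: str     # interface the frame arrived on: "outside" or "inside"
    src_mac: str   # Ethernet source address of the frame
    src_ip: str
    dst_ip: str


def is_inside(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INSIDE_NETS)


def spoof_reason(pkt: Packet):
    """Return None if the source address is plausible for where the packet
    arrived, else a short reason string suitable for a log line."""
    if pkt.iface == "outside" and is_inside(pkt.src_ip):
        # Classic ingress filter: nothing legitimately enters from outside
        # while claiming an inside source address.
        return "inside source address arrived on outside interface"
    if pkt.iface == "inside" and is_inside(pkt.src_ip) and pkt.src_mac.lower() in ROUTER_MACS:
        # Aleph One's check: a host on the local segment sends frames with its
        # own MAC, so a local source address delivered by a router's MAC came
        # from beyond that router. Traina's caveat applies: an inside host with
        # a wrong netmask that sends via the router also trips this rule, so
        # treat a hit as a logged candidate rather than proof of spoofing.
        return "local source address delivered by a router MAC"
    return None


def decide(pkt: Packet) -> str:
    """Full ingress decision: drop spoofs, deliver traffic for our own
    addresses (whichever interface it arrived on), and forward the rest only
    when forwarding is enabled."""
    reason = spoof_reason(pkt)
    if reason:
        return "drop: " + reason
    if ipaddress.ip_address(pkt.dst_ip) in MY_ADDRESSES:
        return "deliver"
    return "forward" if IP_FORWARDING else "drop: not for us and forwarding is off"


# Constructed sample traffic.
SAMPLE = [
    Packet("outside", "00:00:0c:aa:bb:01", "203.0.113.7", "10.1.0.1"),     # legitimate inbound
    Packet("outside", "00:00:0c:aa:bb:01", "10.1.9.9",    "10.1.2.3"),     # spoofed inside source
    Packet("inside",  "08:00:20:12:34:56", "10.1.5.5",    "203.0.113.7"),  # legitimate outbound
    Packet("inside",  "00:00:0c:aa:bb:02", "10.1.5.5",    "10.1.0.1"),     # local source via router MAC
]


def run(packets=SAMPLE):
    """Return the decision for each packet, in order."""
    return [decide(p) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, run()):
        print(f"{p.iface:7} {p.src_mac} {p.src_ip:>12} -> {p.dst_ip:<12} {verdict}")
```

The MAC rule is only meaningful on the host that sits on the local segment; on a router the interface rule alone gives the same protection, which is why Traina calls the kernel change a waste of time. Whichever check is used, log the rejected packet with its reason, since the netmask-misconfiguration false positive he mentions is found by reading those logs.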
From firewalls-owner Wed Feb 1 12:33:11 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA15311 for firewalls-outgoing; Wed, 1 Feb 1995 11:14:10 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA15293 for ; Wed, 1 Feb 1995 11:14:05 -0800
Received: from voyager.datatools.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id LAA04266; Wed, 1 Feb 1995 11:08:28 -0800
Message-Id: <199502011908.LAA04266@mycroft.GreatCircle.COM>
Received: from nova.datatools.com.datatools.com by voyager.datatools.com (4.1/4.7); Wed, 1 Feb 95 09:55:13 PST
Date: Wed, 1 Feb 95 09:55:13 PST
From: greep@datatools.com (Steven Tepper)
Received: by nova.datatools.com.datatools.com (4.1/SMI-4.1) id AA01949; Wed, 1 Feb 95 09:51:44 PST
To: "Ian C. Blenke"
Cc: firewalls@GreatCircle.COM, greep@datatools.com
In-Reply-To: (blenke@suntan.eng.usf.edu)
Subject: Re: Ident server redux
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

PARANOID controls reverse host lookups, not user name lookups, at least on the version (6.1) of tcpd that I use. From the README file:

    When the sources are compiled with -DPARANOID, the wrappers will drop
    the connection in case of a host name/address discrepancy.

ALWAYS_RFC931 controls user name lookups.

----------------------------------------------------------------------------
> Date: Tue, 31 Jan 1995 20:22:01 -0500 (EST)
> From: "Ian C. Blenke"
>
> On Tue, 31 Jan 1995, Wes Morgan wrote:
> > Well, there are packages out there that look for Ident info (and can
> > delay processing while waiting for it). If memory serves, both the
> > wuarchive ftpd and Allman's 8.6.x sendmail have this capability.
>
> And TCPD on most systems. Now, you may not use PARANOID, but it still
> tries to look up connections.
...
> What really gets my goat is the fact most "secure" sites enable PARANOID
> so that poor PC users (that don't run identd servers, mind you) have to
> wait for an excruciating period of time. Is identd so reliable and
> widespread as to REQUIRE its use for logging?

From firewalls-owner Wed Feb 1 12:54:10 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA15623 for firewalls-outgoing; Wed, 1 Feb 1995 11:18:07 -0800
Received: from uustar.starnet.net (uustar.starnet.net [128.252.135.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA15582 for ; Wed, 1 Feb 1995 11:17:58 -0800
Received: from boatmens.UUCP by uustar.starnet.net with UUCP id AA00688 (5.67b/IDA-1.5 for greatcircle.com!Firewalls); Wed, 1 Feb 1995 11:06:19 -0600
Received: from bkc05000 by boatmens.uucp (4.1/SMI-4.1) id AA14466; Wed, 1 Feb 95 10:54:54 CST
Received: by bkc05000 (1.37.109.6/16.2) id AA01801; Wed, 1 Feb 95 10:49:07 -0600
Date: Wed, 1 Feb 1995 10:49:07 -0600 (CST)
From: "Barry J. Archer"
To: Firewalls@greatcircle.com
Subject: Internal Networks ( was RE: Network performance )
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

( To deLurk myself here for a moment, I too have enjoyed the rational tone and expertise on this list from the Wise Ones. )

I am curious if the problems of internal firewalls are appropriate for discussion. Since we at the moment lack a direct Internet connection, my concern has been primarily how to sort out the best ways to deal with some internal networks and services that we have to trust more than others. Most of the firewall discussions center around the Internet specifically. I would suspect that most corporations have multiple interconnected internal LANs that span both varying security levels and managerial zones of influence.
Most folks probably would prefer not to reveal their internal topologies, but some general discussion might be helpful to at least me. :-)

What I've found myself so far is that not all of our internal functions fit well with a pure proxy host solution. Is everyone looking at 'one size fits all' solutions? I've been tossing around the following split-level approach:

- untrusted networks, modems and *all* interactive applications are forced through a proxy bastion host on a screened subnet. OTP for authentication, etc.
- selected applications on "more trusted" internal networks are handled by packet filters with extended access lists
- additional controls ( and intramural cooperation ) for normal internal security conformance.

There's obviously more to it than that, but the general idea is to approach internal firewalling as a process to identify the appropriate access control based upon functionality, risk, security policies, application and (yes) cost.

- Barry

ted.doty@nsco.network.com writes:
>While this is drifting somewhat far afield of the scope of this list, I
>would
>like to make the case that performance counts, that there are applications
>that we'd really like to firewall INSIDE the organization (like NFS), and
>that there are serious limitations imposed on the community by the "Hard
>Crunch Shell around a Soft Chewy Center" paradigm.
>
>What do I do about firewalling my personnel department inside my
>organization?
>Hook them to my FDDI backbone by a T1?
===============================================================================
Barry Archer
Boatmen's Investment Banking Division /Technology Support - Kansas City
816/691-7826

From firewalls-owner Wed Feb 1 12:54:11 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA15089 for firewalls-outgoing; Wed, 1 Feb 1995 11:10:34 -0800
Received: from bronze.lcs.mit.edu (bronze.lcs.mit.edu [18.30.0.254]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA15075 for ; Wed, 1 Feb 1995 11:10:29 -0800
Received: by bronze.lcs.mit.edu (Sendmail 8.6.9/940527.SGW) id XAA10209; Tue, 31 Jan 1995 23:16:11 -0500
Date: Tue, 31 Jan 1995 23:16:11 -0500
From: hobbit@bronze.lcs.mit.edu (*Hobbit*)
Message-Id: <199502010416.XAA10209@bronze.lcs.mit.edu>
To: firewalls@greatcircle.com
Subject: Consultant quals
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[MJR: if your prospective in the desert is going to *directly* and normally FTP files from uunet, he's gonna need an in at the internic if he's gonna get a DNS record in under 5 hours! But then again, presumably the idea was to hack your way there any old how and suck down RFC2736, "Emergency Beacon Requirements," so you could implement it in DEBUG on the laptop, strip the coax into a dipole, hope that one of the search planes has a WWV receiver on 10MHz, and eventually get home.]

With all the spoofing and hijacking foofaraw, we lost track of this other thread. I had some comments to throw in, since it's somewhat close to home.

Padgett pointed out that the field is still very new, changing on a daily basis, and we're all scrambling like hell to keep up. But then he says

    Probably the best bet is to ask for a list of previous clients and see
    what they thought.

and Ian Poynter adds

    References are a must. ...
    I think it's also a very good idea to ask the references how long
    things have been up and running

which begs the following question: What if someone is just starting out as a consultant, and doesn't *have* any references yet? You are proposing a bit of a catch-22 that keeps the "old boys network" running just fine, but doesn't help the guy who's been in industry jobs forever but now wants to set out on his own. Furthermore, if the field is changing that fast, there may have been a few things one didn't think about or implement in that previous gig, right? Suppose that reference says, "well, that `security consultant' didn't do anything for us about faked source addresses, we got hit anyway, and now we want to sue his sorry butt"??

It seems to me that more credence should be paid to a discussion about *current* issues between the applicant and the more technical members of the client's staff, with decisions based on the aptness of the consultant's responses. Entertaining backlash to MJR's desert example or hard info about Kerberos at one end of the spectrum, and "walks on water" at the other, or something like that. I'd agree that degrees carry considerably less weight in this particular field than bare-metal experience, wherever said experience came from. And in my mind, someone in a suit claiming to be a un*x consultant might already have one strike against him, and he'll have to intelligently discuss a lot of hard technical poop to make up for it. A lot of potential clients may not realize this until told, however -- not realizing that their pick of the slick "professional" over the scruffy Unix hacker may have just hurt them.

Emphasis on use of the client's existing resources is definitely good, as it'll be cheaper and points up preexisting knowledge and versatility on the part of the consultant. "You mean our little dialup router box can already packet-filter? Cool!"
This is another reason I'm leery of all these "turnkey" firewalls, because as someone else put it, security is a *process*. But people are always all too willing to trust a single thing that sounds good on paper, and not think about what might be wrong with it. I would not propose any work that wasn't phrased along the lines of "do the work, document everything, and make sure the client understands it and how to make his own changes later". Would this scare a lot of them off? Some people don't want to *understand*, they just want to be spoon-fed warm fuzzies for their money. Go figure. As a techie, I often have some trouble with this...

Rens pipes up:

    Covering all the bases, and not just the new and interesting ones, is
    what separates a security practitioner from a security theorist. There
    are plenty of both.

Which harks back a little to the issue of degrees. Ever run into an EE who can't fix his toaster? Actually one of the currently discussed attacks provides a wonderful illustration of there being nothing new under the Sun: the loadable module thing has almost exactly the same effect as that old program that does TIOCSTI on ttys, allowing the attacker to stuff in keystrokes. Apparently the creators and/or subsequent modifiers of "TAP" had forgotten about this one. And back when the "stuffer" was written, it even worked without the attacker being root due to bugs in setpgrp() vs. controlling ttys which may *still* work in some OSes, ten years later. Did anyone else think of this, or am I just an old fart?

Sarah Reidy chimes in:

    take the time to find a consultant you are truly comfortable with. ...
    I was able to take enough time to find a decent consultant.

But you failed to explain what qualities this consultant possessed that you were comfortable with. How did you determine this? In what specific ways did you rake her over the coals?

Padgett later sez

    Just a year ago, solutions did not need to pay attention to HTTP but
    woe betide anyone who ignores the web today.
Oh hell, I guess this means I'm really going to have to read all the CERN code soon. See, I'm not afraid to say "I don't know" when I don't know...

_H*

From firewalls-owner Wed Feb 1 12:57:18 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA16371 for firewalls-outgoing; Wed, 1 Feb 1995 11:23:56 -0800
Received: from ns.gbnet.net (root@ns.gbnet.net [194.70.126.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA16160 for ; Wed, 1 Feb 1995 11:22:42 -0800
Received: (from jrg@localhost) by ns.gbnet.net (8.6.9/8.6.9) id LAA11980; Wed, 1 Feb 1995 11:25:51 GMT
Date: Wed, 1 Feb 1995 11:25:51 GMT
From: James R Grinter
Message-Id: <199502011125.LAA11980@ns.gbnet.net>
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
To: firewalls@GreatCircle.COM
Subject: Re: IP spoofing vs tcp wrappers and netacl
Cc: Gary Palmer , Patrick Horgan
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Maybe I'm just being dumb, but...

On Fri 27 Jan, 1995, Gary Palmer wrote:
>Patrick Horgan wrote:
>> ARGH!!!!! Is this true? With IP forwarding a packet shouldn't be accepted
>> if it's not to the "reachable" interface. I just tried this out on a
>> Sun running Solaris, and an Amdahl machine running UTS, and neither of
>> them had this bug. Is it really true that BSD machines will accept a
>> packet addressed to one interface on the other?

Why should they not? The addressing is the IP destination, so if the box has IP forwarding switched on (sysctl net.inet.ip.forwarding = 1 under 4.4BSD) then it should answer a packet with the destination address of interface B when it receives it on interface A, because it's been told to route (and we don't want to put it through more levels of the network stack code than we need to). If it doesn't have IP forwarding on, how would we have got the packet? Someone sent it to us with our MAC address: that's a routing issue on your local network and not something that can be affected externally.
>If you have the code it probably wouldn't take all that long to change
>the logic in the file - you should be able to alter the `if' statement to
>do the necessary checks. However what happens when the packet forwarding
>code gets ahold of it is another matter! I have a sneaky suspicion it'll

Packet forwarding only happens if ipforwarding == 1 (and I still don't see exactly what the problem is). ip_forward() only gets the chance when it has been decided that the packet is destined for elsewhere.

James.

From firewalls-owner Wed Feb 1 13:26:03 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA16012 for firewalls-outgoing; Wed, 1 Feb 1995 11:21:35 -0800
Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA16002 for ; Wed, 1 Feb 1995 11:21:30 -0800
Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.9/8.6.9) id MAA00922; Wed, 1 Feb 1995 12:29:13 -0600
Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma000920; Wed Feb 1 12:29:00 1995
Received: from ernie.bridge.com by ignatz.bridge.com with SMTP id AA06914 (5.67b/IDA-1.5); Wed, 1 Feb 1995 12:34:53 -0600
Date: Wed, 1 Feb 1995 12:34:53 -0600
From: Ken Hardy
Message-Id: <199502011834.AA06914@ignatz.bridge.com>
To: tpaquett@aec.ca
Subject: Re: CERN httpd vs http-gw
Cc: firewalls@greatcircle.com, bdrennin@plaind.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[This was originally posted to fwtk-users, but the thread is now talking about non-fwtk-specific proxies, so I'm cc:ing the firewalls list and not fwtk-users. Pardon me if this is a faux pas. I presume that almost everyone on fwtk-users also monitors firewalls.]

tpaquett@aec.ca wrote:
>On Feb 1, 11:41am, wrote:
>> I am running the fwtk (v1.3). I am using it for mail, and to allow only
>> out-going ftp & http.
>> When I got everything running/configured, I had a
>> consultant come in and give it a 'once over'. He suggested using the
>> http daemon from CERN (v3.0) as a proxy instead of the http-gw. The
>> primary reason being improved performance since CERN's daemon will cache
>> data on the firewall. So, for example, if 2 users access Netscape's home
>
>This is what we are doing here. The caching capabilities of the CERN httpd
>proxy
>are GREAT! It really speeds up access to frequently accessed pages. It can also
>be configured to be secure as well (i.e. what IPs/hostnames can access it etc..)

But what CERN's cannot be configured for, AFAIK, is specific IP addresses to _not_ access it. I.e., unless I want to enter all my subnets (for a class B, plus some class Cs), I cannot explicitly deny my border net (the DMZ).

What about controlling destinations? If I want to deny the trusted<-->trusted traffic to protect against IP spoofing, as was recently discussed (to death) on these lists?

-KH

From firewalls-owner Wed Feb 1 13:28:27 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA19421 for firewalls-outgoing; Wed, 1 Feb 1995 12:10:16 -0800
Received: from SJOFFRI.DOA.STATE.LA.US (sjoffri.DOA.State.LA.US [192.206.109.27]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA19405 for ; Wed, 1 Feb 1995 12:10:09 -0800
From: sjoffri@SJOFFRI.DOA.STATE.LA.US
Received: by SJOFFRI.DOA.STATE.LA.US (IBM OS/2 SENDMAIL VERSION 1.3.2)/1.0) id AA1255; Wed, 01 Feb 95 14:07:58 -0800
Message-Id: <9502012207.AA1255@SJOFFRI.DOA.STATE.LA.US>
Date: Wed, 1 Feb 95 14:00:19 CST
Reply-To: sjoffri@SJOFFRI.DOA.STATE.LA.US
To: firewalls@GreatCircle.COM
Subject: Security Training
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The Louisiana Council of Information Services Directors (LaCISD) is interested in a structured course addressing network security for local and wide area networks.
The LaCISD consists of data processing managers from all major state agencies and educational institutions in Louisiana. LaCISD, through its technical subcommittee, recognizes the need for education and support in developing strategies for network security. This includes but is not limited to firewalls and LAN and WAN security considerations.

By way of this correspondence, the LaCISD invites any interested parties to submit a proposal to sjoffri@doa.state.la.us for our consideration.

=================================================================
Su Joffrion                        Voice: (504) 342-5165
State of Louisiana                 FAX: (504) 342-5137
Division of Administration         Email: sjoffri@sjoffri.doa.state.la.us
Office of Information Services
P.O. Box 44335
Baton Rouge, La. 70804

From firewalls-owner Wed Feb 1 13:56:11 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA21792 for firewalls-outgoing; Wed, 1 Feb 1995 13:39:07 -0800
Received: from noc.infonet.net (jeffo@noc.infonet.net [167.142.225.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA21787 for ; Wed, 1 Feb 1995 13:39:02 -0800
Received: (from jeffo@localhost) by noc.infonet.net (8.6.9/8.6.9) id PAA14620; Wed, 1 Feb 1995 15:38:30 -0600
Date: Wed, 1 Feb 1995 15:38:30 -0600 (CST)
From: "Jeffrey C. Ollie"
Reply-To: "Jeffrey C. Ollie"
To: Steven Tepper
cc: "Ian C. Blenke" , firewalls@GreatCircle.COM, greep@datatools.com
Subject: Re: Ident server redux
In-Reply-To: <199502011908.LAA04266@mycroft.GreatCircle.COM>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 1 Feb 1995, Steven Tepper wrote:

> PARANOID controls reverse host lookups, not user name lookups, at least on
> the version (6.1) of tcpd that I use. From the README file:
>
> When the sources are compiled with -DPARANOID, the wrappers will drop
> the connection in case of a host name/address discrepancy.
>
> ALWAYS_RFC931 controls user name lookups.

The behavior is similar in TCP Wrappers 7.X. Defining PARANOID forces reverse lookups on all connections. 7.X also has the capability to selectively do reverse lookups based upon service. The same goes for RFC 931 queries.

> ----------------------------------------------------------------------------
> > Date: Tue, 31 Jan 1995 20:22:01 -0500 (EST)
> > From: "Ian C. Blenke"
> >
> > On Tue, 31 Jan 1995, Wes Morgan wrote:
> > > Well, there are packages out there that look for Ident info (and can
> > > delay processing while waiting for it). If memory serves, both the
> > > wuarchive ftpd and Allman's 8.6.x sendmail have this capability.
> >
> > And TCPD on most systems. Now, you may not use PARANOID, but it still
> > tries to look up connections.
> ...
> > What really gets my goat is the fact most "secure" sites enable PARANOID
> > so that poor PC users (that don't run identd servers, mind you) have to
> > wait for an excruciating period of time. Is identd so reliable and
> > widespread as to REQUIRE its use for logging?
>

Jeffrey C. Ollie
Iowa Network Services
Support Daemon

From firewalls-owner Wed Feb 1 14:07:28 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA17193 for firewalls-outgoing; Wed, 1 Feb 1995 11:34:15 -0800
Received: from maily1.prodigy.com (maily1.prodigy.com [192.207.105.55]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA17186; Wed, 1 Feb 1995 11:34:11 -0800
Received: by maily1.prodigy.com id AA29464 (5.65c/IDA-1.4.4); Wed, 1 Feb 1995 10:22:55 -0500
Date: Wed, 1 Feb 1995 10:22:55 -0500 (EST)
From: Frank Wortner
To: Brent Chapman
Cc: Firewalls@greatcircle.com
Subject: Re: Web Browser-Firewall Question (fwd)
In-Reply-To:
Message-Id:
X-Mail-1: Prodigy Services Co.
X-Mail-2: 1565 Front Street
X-Mail-3: Yorktown Heights NY 10598
X-Phone: 1-914-448-1740
X-Fax: 1-914-448-1946
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 31 Jan 1995, Brent Chapman wrote:

> But W3 browsers that do this [automatically invoke Postscript or
> other browsers on the contents of a message] (most of them)
> are much more common than email agents that do this (few of them).

That depends on the environment. My own history includes working in sites where "multimedia" email was common, so I'm a bit more paranoid about the possibilities for abuse of this particular capability. A fair number of systems shipping now have at least the "hooks" built in. Check out what you have, use it wisely, and be aware of the pitfalls.

Firewalls can and do provide protection from numerous direct attacks on a network, but they obviously can't close every possible back door. My point is that a "smart" email program may be just as subject to unauthorised exploitation as a modem line connected to a network-attached PC. Both of these --- not to mention other possible routes for attack --- *will* be common in the near future, if they are not already.

Frank

--
"Outside of a dog, a book is a man's best friend; inside of a dog, it's too dark to read."
    -- Groucho Marx

From firewalls-owner Wed Feb 1 14:08:21 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA21337 for firewalls-outgoing; Wed, 1 Feb 1995 13:16:36 -0800
Received: from gateway.sctc.com (GATEWAY.SCTC.COM [192.55.214.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA21332 for ; Wed, 1 Feb 1995 13:16:29 -0800
Received: from sccmailhost.sctc.com (sccmailhost.sctc.com [192.55.214.100]) by gateway.sctc.com (8.6.9/8.6.9) with SMTP id PAA12958 for ; Wed, 1 Feb 1995 15:17:14 -0600
Received: from sccmailhost.sctc.com by sccmailhost.sctc.com id 194050001; 1 Feb 95 15:17 CST
Received: from spirit by sccmailhost.sctc.com id 275120000; 1 Feb 95 15:16 CST
Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by spirit.sctc.com (8.6.9/8.6.9) with ESMTP id PAA15077 for ; Wed, 1 Feb 1995 15:13:12 -0600
Received: (from smith@localhost) by shade.sctc.com (8.6.9/8.6.9) id PAA11746; Wed, 1 Feb 1995 15:13:10 -0600
Date: Wed, 1 Feb 1995 15:13:10 -0600
From: Rick Smith
Message-Id: <199502012113.PAA11746@shade.sctc.com>
To: firewalls@greatcircle.com
Subject: Re: Test labs
References: <9502010856.AA03677@vbv03.vbv.dec.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Can we stipulate that all firewall vendors have test labs? There may be some garage shops without them, but a real player is going to make the investment.

Rick.
smith@sctc.com
roseville, minnesota

From firewalls-owner Wed Feb 1 14:09:51 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA18653 for firewalls-outgoing; Wed, 1 Feb 1995 11:55:07 -0800
Received: from taureau.as03.bull.oz.au (taureau.as03.bull.oz.au [134.211.128.112]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA18648 for ; Wed, 1 Feb 1995 11:54:56 -0800
Received: by taureau.as03.bull.oz.au id AA29601 (5.65c/IDA-1.4.4 for firewalls@greatcircle.com); Thu, 2 Feb 1995 07:21:05 +1100
Received: from localhost (sjg@localhost [127.0.0.1]) by zen.void.oz.au (8.6.9/8.6.9) with SMTP id AAA03401; Thu, 2 Feb 1995 00:05:03 +1100
Message-Id: <199502011305.AAA03401@zen.void.oz.au>
X-Authentication-Warning: zen.void.oz.au: Host localhost didn't use HELO protocol
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Cc: firewalls@greatcircle.com
Subject: Re: Test labs
In-Reply-To: Your message of "Tue, 31 Jan 95 19:35:38 CDT." <9502010035.AA06263@uvs1.orl.mmc.com>
Date: Thu, 02 Feb 1995 00:05:00 +1100
From: "Simon J. Gerraty"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> sjg rites:
> >What's wrong with setting up your firewall in a test lab? I mean the
> >entire DMZ,choke etc etc. You can then test it until you are happy
> >before letting others have a go...
>
> Oh I agree, now everyone out there whose organization *has* a dedicated

That's just it though. You don't need a "test lab". You need a couple of desks (well, actually I just setup several machines stacked one atop the other :-) and a few power boards. Ok, the power boards are usually the biggest problem... more than once I've had to nip out to Tandy (or whatever...)

Presumably you already have the bastion host(s) and router(s) that you plan to put into the firewall. Now just set it all up but _don't_ connect it to either the internet or the internal net - tempting as that might be...
The only real extra resources needed are the two (or more) systems needed to simulate your attackers and the prize (internal net). Most companies can scrounge a couple of 386's to run NetBSD or whatever for this...

When you are done testing, just plug in the other networks.

--sjg

Next week we'll explain how to build box girder bridges and how to play the flute...
                                                        Monty Python

From firewalls-owner Wed Feb 1 14:10:05 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA17374 for firewalls-outgoing; Wed, 1 Feb 1995 11:36:27 -0800
Received: from feta.cisco.com (feta.cisco.com [171.69.1.158]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA17222 for ; Wed, 1 Feb 1995 11:35:17 -0800
Received: from localhost.cisco.com (localhost.cisco.com [127.0.0.1]) by feta.cisco.com (8.6.8+c/CISCO.SERVER.1.1) with SMTP id VAA10348; Tue, 31 Jan 1995 21:51:57 -0800
Message-Id: <199502010551.VAA10348@feta.cisco.com>
X-Authentication-Warning: feta.cisco.com: Host localhost.cisco.com didn't use HELO protocol
To: Aleph One
Cc: Jon Peatfield , "Jonathan M. Bresler" , Jim Duncan , rens@imsi.com, ddrew@mci.net, firewalls@GreatCircle.COM, bugtraq@fc.net, z056716@uprc.com, jp107@amtp.cam.ac.uk
Subject: Re: Router filtering not enough! (Was: Re: CERT advisory )
In-Reply-To: Your message of "Wed, 01 Feb 1995 00:08:24 CST."
Date: Tue, 31 Jan 1995 21:51:56 -0800
From: Paul Traina
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Well, my personal opinion is that it's a waste of time given that any packet filtering forwarder fixes this problem trivially, and randomizing the ISS properly solves the actual problem. If someone wants to throw time and effort into doing it, I have no objection, as long as they don't mess up the kernel.

  From: Aleph One
  Subject: Re: Router filtering not enough!
(Was: Re: CERT advisory ) On Thu, 26 Jan 1995, Paul Traina wrote: > > How hard would it be to modify tcpwraper (for example) to check the > > incomming MAC address on a connection and to be worried if it came from a > > list of routers but the address was the local net? > > This breaks people who might have their netmasks set incorrectly on the loc >>al > net. > Is this bad? dont think so if it breaks it you will notice and be able to fix it. a1 http://underground.org From firewalls-owner Wed Feb 1 14:18:48 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA20864 for firewalls-outgoing; Wed, 1 Feb 1995 13:01:14 -0800 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA20853 for ; Wed, 1 Feb 1995 13:01:09 -0800 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA11239; Wed, 1 Feb 95 15:14:57 -0500 Date: Wed, 1 Feb 95 15:14:56 -0500 Message-Id: <9502012014.AA11239@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: re: Test Labs Sender: firewalls-owner@GreatCircle.COM Precedence: bulk sjg rites: >Presumably you already have the bastion host(s) and router(s) that you >plan to put into the firewall. Now just set it all up but _don't_ >connect it to either the internet or the internal net - tempting as >that might be... First convincing your supervisor that you really do not need a network connection yet... >The only real extra resources needed are the two (or more) systems >needed to simulate your attackers and the prize (internal net). Most >companies can scrounge a couple of 386's to run NetBSD or whatever for >this... I generally also have a pair of sniffers on either side of the 'wall/etc to capture all packets for later dissection. 
An isolated net is good for this since the only packets are the ones you are interested in, and an attack test can be disruptive to the net. Something like this is invaluable for seeing what really happens, particularly in a flood situation, and for comparing logs to actual numbers.

Warmly,
Padgett

From firewalls-owner Wed Feb 1 14:26:02 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA22720 for firewalls-outgoing; Wed, 1 Feb 1995 14:09:14 -0800
Received: from gate3.fmr.com (gate3.FMR.Com [192.223.170.13]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA22714; Wed, 1 Feb 1995 14:09:09 -0800
Received: (from adm@localhost) by gate3.fmr.com (8.6.9/8.6.9) id RAA09180; Wed, 1 Feb 1995 17:04:00 -0500
Message-Id: <199502012204.RAA09180@gate3.fmr.com>
Received: from mail3.fmr.com(155.1.75.10) by gate3 via smap (V1.3mjr) id sma009170; Wed Feb 1 22:03:53 1995
Date: Wed, 01 Feb 1995 17:04:05 -0500
From: Joe Judge
Subject: Re: Web Browser-Firewall Question (fwd)
To: Brent@GreatCircle.COM, fc@all.net, frank@prodigy.com
Cc: Firewalls@GreatCircle.COM
Content-transfer-encoding: 7BIT
Content-length: 212
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>The problem you describe isn't limited to W3 browsers. In fact, *any*

And ...
the rare (X windows) FTPtool - a GUI FTP client that binds file suffixes to applications which get fork-exec'd -

-joe

From firewalls-owner Wed Feb 1 14:42:07 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA20959 for firewalls-outgoing; Wed, 1 Feb 1995 13:02:49 -0800
Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA20954 for ; Wed, 1 Feb 1995 13:02:46 -0800
Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.28.1 #5) id m0rZj8b-0000i5C; Wed, 1 Feb 95 09:46 PST
Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA03735; Wed, 1 Feb 1995 09:50:48 +0800
Date: Wed, 1 Feb 1995 09:50:48 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
Message-Id: <9502011750.AA03735@brittany.oes.amdahl.com>
To: padgett@tccslr.dnet.mmc.com, will.watson@mccaw.com
Subject: Re: Test labs
Cc: firewalls@greatcircle.com
X-Sun-Charset: US-ASCII
content-length: 1017
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We test firewalls in a lab... it's really not that big a deal. We have a machine for a firewall, a hub and some stuff to be the inside net... it varies from one to three machines... the "bad guys net", i.e. the pseudo internet, is just one of our internal networks. That means I can sit in my office and be a "bad guy"TM :)

Patrick

These opinions are mine, and not Amdahl's (except by coincidence;).

~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~
/                        |                            |  (\          \
| Patrick J. Horgan      | Amdahl Corporation         |   \\  Have    |
| patrick@oes.amdahl.com | 1250 East Arques Avenue    |    \\ _ Sword |
| Phone : (408)992-2779  | P.O. Box 3470 M/S 316      |    \\/ Will   |
| FAX   : (408)773-0833  | Sunnyvale, CA 94088-3470   |  _/\\  Travel |
\                        | O16-2294                   |  \)          /
~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~

From firewalls-owner Wed Feb 1 14:56:02 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA22618 for firewalls-outgoing; Wed, 1 Feb 1995 14:06:59 -0800
Received: from stargate.concorde.com (smap@stargate.concorde.com [204.97.254.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA22613 for ; Wed, 1 Feb 1995 14:06:56 -0800
Received: (from smap@localhost) by stargate.concorde.com (8.6.8.1/8.6.6) id RAA18796; Wed, 1 Feb 1995 17:01:43 -0500
Received: from galaxy.concorde.com(198.242.54.51) by stargate.concorde.com via smap (V1.3) id sma018794; Wed Feb 1 17:01:40 1995
Received: (from jna@localhost) by galaxy.concorde.com (8.6.8.1/8.6.6) id RAA11583; Wed, 1 Feb 1995 17:01:39 -0500
Date: Wed, 1 Feb 1995 17:01:39 -0500
From: John Adams
Message-Id: <199502012201.RAA11583@galaxy.concorde.com>
To: fc@all.net, sjg@zen.void.oz.au
Subject: Re: Testing firewalls
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We tested our firewall by attacking it from the public machine that sits on our perimeter network... seemed to pass pretty well.. we used ISS, cops, crack.. lots of things until we were happy.
-john

From firewalls-owner Wed Feb 1 15:00:08 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA20732 for firewalls-outgoing; Wed, 1 Feb 1995 12:56:50 -0800
Received: from isse.gmu.edu (isse.gmu.edu [129.174.40.15]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA20720; Wed, 1 Feb 1995 12:56:45 -0800
From: soonam@isse.gmu.edu (Soonam Kahng)
Received: by isse.gmu.edu (4.1/3.1.090690-ISSE) id AA04849; Wed, 1 Feb 95 15:51:06 EST
Message-Id: <9502012051.AA04849@isse.gmu.edu>
Subject: Re: Test labs
To: byrum@vbv.dec.com (Frank Byrum)
Date: Wed, 1 Feb 1995 15:51:05 -0500 (EST)
Cc: firewalls-owner@greatcircle.com, firewalls@greatcircle.com
In-Reply-To: <9502010856.AA03677@vbv03.vbv.dec.com> from "Frank Byrum" at Feb 1, 95 03:56:35 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 879
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Padgett writes:
>
> >Oh I agree, now everyone out there whose organization *has* a dedicated
> >test lab for firewalls, please stand up...

What equipment is required for this kind of lab? Only several WS's and routers? Any suggestions are welcome.

soonam@isse.gmu.edu

>
> Ok, we do....actually we have several....
>
> Frank
>
> ........................................................................
> . Frank Byrum                    . Internet: byrum@vbv.dec.com          .
> . Digital Equipment Corporation  . ENET: vbv03::byrum                   .
> . 4417 Corporation Lane          . All-in-One: Frank Byrum@VBV          .
> . Suite 100                      . Phone: +1 804 473 5437 DTN: 373      .
> . Virginia Beach, VA 23462       . Beep: +1 800 SKY PAGE (347 1603)     .
> ........................................................................
>

From firewalls-owner Wed Feb 1 15:05:08 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA17503 for firewalls-outgoing; Wed, 1 Feb 1995 11:37:56 -0800
Received: from wintermute.imsi.com (wintermute.imsi.com [192.103.3.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA17487 for ; Wed, 1 Feb 1995 11:37:51 -0800
Received: from relay.imsi.com by wintermute.imsi.com id JAA17485; Wed, 1 Feb 1995 09:34:53 -0500
Received: from lorax.imsi.com by relay.imsi.com id JAA28320; Wed, 1 Feb 1995 09:34:52 -0500
Received: from localhost by lorax.imsi.com (4.1/SMI-4.1) id AA22072; Wed, 1 Feb 95 09:34:50 EST
Message-Id: <9502011434.AA22072@lorax.imsi.com>
To: jailbait@intercon.com (Jailbait)
Cc: mulligan@incog.com, Firewalls@greatcircle.com
Subject: Dangerous Proxy (Was: benefit of proxy-server )
In-Reply-To: Your message of "Tue, 31 Jan 1995 18:15:16 EST." <199501312315.SAA13172@intercon.com>
Reply-To: rens@imsi.com
Date: Wed, 01 Feb 1995 09:34:50 -0500
From: Rens Troost
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>>>> "Jailbait" == Jailbait writes:

Jailbait> TCP/Connect II for Macintosh 2.x (Current Release: 2.1)
Jailbait> does, indeed, support Socks. TCPC2 for Windows will soon
Jailbait> (where soon is an undefined interval)

I see the standardization of SOCKS without some sort of cryptographic user authentication to be a very, very dangerous thing. Once a firewall is known to be running a 'standard' version of socks, it's fairly trivial to subvert it by delivering a trojan either through email or through evaluation software.

For this reason, I've hacked the socks protocol at a couple of places I've installed to make it unrecognizable.

I work in the securities business, where security is absolutely crucial... standardized socks is just too dangerous. Others may have different security requirements, of course, but be warned.
"Jailbait", I'd advise your developers to allow end-users to drop different implementations of the socks protocol into your applications, and use the segment loader explicitly to call them. FOr windows, you could just provide a separate socks DLL. -Rens From firewalls-owner Wed Feb 1 15:15:15 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA20752 for firewalls-outgoing; Wed, 1 Feb 1995 12:57:01 -0800 Received: from uu3.psi.com (uu3.psi.com [38.145.250.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA20747 for ; Wed, 1 Feb 1995 12:56:58 -0800 Received: from host8fa52298.tiaa.org by uu3.psi.com (5.65b/4.0.071791-PSI/PSINet) via SMTP; id AA15215 for firewalls@greatcircle.com; Wed, 1 Feb 95 15:54:54 -0500 Received: from sys001.tiaa.org by tiaa.org (4.1/SMI-4.1) id AA07801; Wed, 1 Feb 95 15:54:23 EST Received: by sys001.tiaa.org (4.1/SMI-4.1) id AA01289; Wed, 1 Feb 95 15:54:14 EST Date: Wed, 1 Feb 95 15:54:14 EST From: mjs@tiaa.org (marty shannon) Message-Id: <9502012054.AA01289@sys001.tiaa.org> To: firewalls@greatcircle.com Subject: Re: Test labs Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ] From firewalls-owner@GreatCircle.COM Wed Feb 1 15:30:53 1995 ] To: firewalls-owner@greatcircle.com ] Cc: firewalls@greatcircle.com ] Subject: Re: Test labs ] From: "Frank Byrum" ] X-Mts: smtp ] Sender: firewalls-owner@GreatCircle.COM ] Precedence: bulk ] Content-Length: 696 ] X-Lines: 16 ] ] Padgett writes: ] ] >Oh I agree, now everyone out there whose organization *has* a dedicated ] >test lab for firewalls, please stand up... Doesn't everybody else call their's the "production" net? :-) To be serious, I get the impression that -- for many organizations -- Internet is worth paying for for all the obvious benefits, but if the proper (organization specific) security measures are instated with all the attendant redundancy and test facilities, it's too expensive to justify. 
I don't know of any Fortune 500 folks by name, but the reluctance to do it right seems not to know size boundaries.... Marty -- This article was probably forged -- unless it has a PGP signature, *I* wouldn't trust its authenticity. Why should you? Finger mjs@shannon.com for PGP public key, or get it from any keyserver. Remember: sign your own key; spread the web of trust; trust no text lacking a PGP signature. Paranoia? Ask the NSA.... From firewalls-owner Wed Feb 1 15:24:18 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA17146 for firewalls-outgoing; Wed, 1 Feb 1995 11:33:48 -0800 Received: from real.com (eagle.real.com [199.97.122.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA17141 for ; Wed, 1 Feb 1995 11:33:44 -0800 Date: Wed, 1 Feb 1995 11:36:07 -0500 From: bret@real.com (Bret McDanel) Received: by real.com (8.6.8.1/3.2.012693-Realistic Technologies Inc); id LAA06110 for firewalls@greatcircle.com; Wed, 1 Feb 1995 11:36:07 -0500 Message-Id: <199502011636.LAA06110@real.com> To: firewalls@greatcircle.com Subject: Re: Nothing New Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Information Week had an article that came up with an 8% figure for this > (this may even be the original source for that number). It's in the April > 12, 1993 issue, page 35. There's a graph of breakin types, where dialup > access was about 34% of breakins, "unknown" got 34% also, and the rest was > divided about equally among Internet access, physical machine access, > direct LAN access, and mainframe port access. It didn't have a figure for > trashing. > trashing would prolly be a mixed bag.. Some people get information on a site, through trashing, and then use dialup or inet access to go further.. > Your conclusion is still 100% right, though.... I bet that the weakest > point in most networks is the number of personal PCs with dial-in lines, > running Carbon Copy or PC-anywhere, or Linux with a getty on the line. 
Well, here is another point.. And one that I don't think a lot of people think about.. How many people are in office buildings with false ceilings? How many of those sites have the physical LAN wire up in the ceiling? How easy would it be for a person to put some sorta sniffer up in the ceiling with a vampire clip? I know that when I installed network wire for a few companies they ran it in the ceiling, and they shared common walls with other businesses.. Also, with public areas (so someone wouldn't even have to rent space in the building to get physical access to the wire).. They never thought about anything happening like that.. There were also outlets up in the ceiling, which would allow for an easy way for the computer to be powered..

Just a thought...

From firewalls-owner Wed Feb 1 15:26:00 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA23634 for firewalls-outgoing; Wed, 1 Feb 1995 14:41:10 -0800
Received: from uu5.psi.com (uu5.psi.com [38.145.226.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA23628 for ; Wed, 1 Feb 1995 14:40:57 -0800
Received: by uu5.psi.com (5.65b/4.0.071791-PSI/PSINet) via UUCP; id AA01007 for ; Wed, 1 Feb 95 17:26:33 -0500
Date: Wed, 1 Feb 95 16:24:30 CST
From: chris@applied.com (Chris Johnston)
Received: by applied.com (4.1/3.2.083191-Applied Financial Management) id AA13075; Wed, 1 Feb 95 16:24:30 CST
Message-Id: <9502012224.AA13075@applied.com>
To: chris@applied.com, firewalls@greatcircle.com
Subject: spoofing attack - filtering forged addresses
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I haven't seen this mentioned in any of the mail about the recent CERT advisory. Lots of people are filtering packets from the "outside" with forged "inside" source addresses. Is anyone blocking this spoofing attack at origination? That is, packets going from the "inside" to the "outside" that claim they are from the "outside"? Can you tell if someone from your site is the attacker?

best regards,
chris

From firewalls-owner Wed Feb 1 15:40:55 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA23240 for firewalls-outgoing; Wed, 1 Feb 1995 14:24:31 -0800
Received: from gate3.fmr.com (gate3.FMR.Com [192.223.170.13]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA23235 for ; Wed, 1 Feb 1995 14:24:27 -0800
Received: (from adm@localhost) by gate3.fmr.com (8.6.9/8.6.9) id RAA09297 for ; Wed, 1 Feb 1995 17:20:01 -0500
Message-Id: <199502012220.RAA09297@gate3.fmr.com>
Received: from mail3.fmr.com(155.1.75.10) by gate3 via smap (V1.3mjr) id sma009295; Wed Feb 1 22:19:52 1995
Date: Wed, 01 Feb 1995 17:20:09 -0500
From: Joe Judge
Subject: Re: Test labs
To: firewalls@GreatCircle.COM
Content-transfer-encoding: 7BIT
Content-length: 549
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Here, too. The hands-on gateway gurus continually fight to make sure it does not get raided for parts or is bypassed as the place for initial installation of goodies (before moving it to the production side).

-- joe

>
> Uhmmm we do (Labrat Watson stands up in the back of the room). We're
> completely isolated from the rest of the corp. and damn insistent of it. Too
> many things blow up in here (damn I love my job). It's not dedicated to just
> firewalls but our isolation allows us to test firewalls and the other goodies
> ...
From firewalls-owner Wed Feb 1 15:43:02 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA23298 for firewalls-outgoing; Wed, 1 Feb 1995 14:27:35 -0800
Received: from wintermute.imsi.com (wintermute.imsi.com [192.103.3.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA23293 for ; Wed, 1 Feb 1995 14:27:30 -0800
Received: from relay.imsi.com by wintermute.imsi.com id RAA19141; Wed, 1 Feb 1995 17:23:16 -0500
Received: from lorax.imsi.com by relay.imsi.com id RAA02492; Wed, 1 Feb 1995 17:23:15 -0500
Received: from localhost by lorax.imsi.com (4.1/SMI-4.1) id AA22944; Wed, 1 Feb 95 17:23:14 EST
Message-Id: <9502012223.AA22944@lorax.imsi.com>
To: Ken Hardy
Cc: tpaquett@aec.ca, firewalls@greatcircle.com, bdrennin@plaind.com
Subject: Re: CERN httpd vs http-gw
In-Reply-To: Your message of "Wed, 01 Feb 1995 12:34:53 CST." <199502011834.AA06914@ignatz.bridge.com>
Reply-To: rens@imsi.com
Date: Wed, 01 Feb 1995 17:23:14 -0500
From: Rens Troost
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>>>> "Ken" == Ken Hardy writes:

Ken> But what CERN's cannot be configured for, AFAIK, is specific IP
Ken> addresses to _not_ access it. I.e., unless I want to enter all
Ken> my subnets (for a class B, plus some class Cs), I cannot
Ken> explicitly deny my border net (the DMZ).

The best way to configure CERN is to run it on an internal machine, making its outbound connections with SOCKS or a call-compatible socks replacement through the firewall. I would not run it on the bastion.

-Rens

From firewalls-owner Wed Feb 1 15:55:51 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA22676 for firewalls-outgoing; Wed, 1 Feb 1995 14:07:53 -0800
Received: from stargate.concorde.com (smap@stargate.concorde.com [204.97.254.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA22657 for ; Wed, 1 Feb 1995 14:07:46 -0800
Received: (from smap@localhost) by stargate.concorde.com (8.6.8.1/8.6.6) id RAA18838 for ; Wed, 1 Feb 1995 17:05:14 -0500
Received: from galaxy.concorde.com(198.242.54.51) by stargate.concorde.com via smap (V1.3) id sma018825; Wed Feb 1 17:04:44 1995
Received: (from jna@localhost) by galaxy.concorde.com (8.6.8.1/8.6.6) id RAA11604 for firewalls@greatcircle.com; Wed, 1 Feb 1995 17:04:43 -0500
Date: Wed, 1 Feb 1995 17:04:43 -0500
From: John Adams
Message-Id: <199502012204.RAA11604@galaxy.concorde.com>
To: firewalls@greatcircle.com
Subject: Prevention of LOCAL spoofing/duplicate IP's?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We had an incident recently where someone used the same IP address on a machine (a PC running winsock) as one of our fileservers... nevertheless, the fileserver spazzed out, NFS went completely awry, and we were forced to start rebooting clients and the server to get things back to normal.

Besides going to 10BaseT (star configuration, intelligent hubs that only pass the proper IP address to the client connected to that leg of the hub), is there any way to prevent this? ANYONE can edit their Winsock configuration and make the IP address the same, and really hose your network... And this is internally... How do you prevent this, short of spending TONS of money on new hubs?
-jna

From firewalls-owner Wed Feb 1 16:08:52 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA22807 for firewalls-outgoing; Wed, 1 Feb 1995 14:10:44 -0800
Received: from balder.ssds.com (balder.ssds.com [204.131.72.62]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA22796 for ; Wed, 1 Feb 1995 14:10:34 -0800
Received: (from mail@localhost) by balder.ssds.com (8.6.9/8.6.9.SSDSnet-hub) id PAA19547 for ; Wed, 1 Feb 1995 15:07:04 -0700
Received: from denver(134.127.16.1) by balder via smap (V1.3) id sma019542; Wed Feb 1 15:06:47 1995
Received: from sanjose.ssds.com (sanjose.ssds.com [134.127.10.1]) by denver.ssds.com (8.6.9/8.6.9.SSDSnet-hub) with ESMTP id PAA11490 for ; Wed, 1 Feb 1995 15:06:46 -0700
Received: (from pcc@localhost) by sanjose.ssds.com (8.6.9/8.6.9.SSDSnet-site) id OAA28542; Wed, 1 Feb 1995 14:06:44 -0800
Date: Wed, 1 Feb 1995 14:06:43 -0800 (PST)
From: Phil Cox
X-Sender: pcc@sanjose
To: firewalls@greatcircle.com
Subject: 4.1.3_U1 file list to remove
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is there a generic list of files on a SunOS 4.1.3_U1 machine that can/should be removed for a firewall? A pointer if such a file/list exists would be appreciated. If not, I will post what I ultimately come up with.

Phil

* Philip C. Cox          | Quote of the Day:                      *
* pcc@ssds.com           | "When opportunity knocks, about all    *
* PAGER: (510) 734-7983  | some people do is complain about       *
* VOICE: (510) 294-3557  | the noise."                            *

From firewalls-owner Wed Feb 1 16:23:51 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA23191 for firewalls-outgoing; Wed, 1 Feb 1995 14:23:41 -0800
Received: from miriworld.its.unimelb.edu.au (miriworld.its.unimelb.EDU.AU [128.250.20.187]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA23185 for ; Wed, 1 Feb 1995 14:23:35 -0800
Received: (from danny@localhost) by miriworld.its.unimelb.edu.au (8.6.9/8.6.9) id JAA20058; Thu, 2 Feb 1995 09:21:56 +1100
Date: Thu, 2 Feb 1995 09:21:55 +1100 (EST)
From: "Daniel O'Callaghan"
Subject: Re: Ident server redux
To: Steven Tepper
cc: "Ian C. Blenke" , firewalls@GreatCircle.COM, greep@datatools.com
In-Reply-To: <199502011908.LAA04266@mycroft.GreatCircle.COM>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > Date: Tue, 31 Jan 1995 20:22:01 -0500 (EST)
> > From: "Ian C. Blenke"
> >
> > On Tue, 31 Jan 1995, Wes Morgan wrote:
> > > Well, there are packages out there that look for Ident info (and can
> > > delay processing while waiting for it). If memory serves, both the
> > > wuarchive ftpd and Allman's 8.6.x sendmail have this capability.
> >
> > And TCPD on most systems. Now, you may not use PARANOID, but it still
> > tries to look up connections.
> ...
> > What really gets my goat is the fact most "secure" sites enable PARANOID
> > so that poor PC users (that don't run identd servers, mind you) have to
> > wait for an excruciating period of time. Is identd so reliable and
> > widespread as to REQUIRE its use for logging?

I modified an earlier version of tcpd so that it would fork and connect the real daemon immediately if the connection was going to be allowed, and continue trying RFC931 in the background.
Worked well, I thought, and I sent the changes to Wietse, but he did not like the fact that you ended up with three copies of tcpd running for a short time - one to exec the real daemon, one to do the rfc931, and one to hold the real connection open while the rfc931 proceeded (for quick connections like finger).

Danny

From firewalls-owner Wed Feb 1 16:25:46 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA23846 for firewalls-outgoing; Wed, 1 Feb 1995 14:45:57 -0800
Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA23841 for ; Wed, 1 Feb 1995 14:45:50 -0800
Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.9/8.6.9) id QAA02987 for ; Wed, 1 Feb 1995 16:39:23 -0600
Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma002974; Wed Feb 1 16:39:16 1995
Received: from ernie.bridge.com by ignatz.bridge.com with SMTP id AA12258 (5.67b/IDA-1.5 for ); Wed, 1 Feb 1995 16:45:11 -0600
Date: Wed, 1 Feb 1995 16:45:11 -0600
From: Ken Hardy
Message-Id: <199502012245.AA12258@ignatz.bridge.com>
To: firewalls@greatcircle.com
Subject: Re: login/password attacks (fwd)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>In short -- I see nothing wrong with occasional questions on this list
>from reporters. I say ``occasional'' only because too many would be
>noise for a focused list like this; on netnews, the sky's the limit.

Heck, let's give them as good an education as we can. Maybe we won't have to put up so much with the really stoopid statements and "analyses" that we're used to seeing in the general press.

-KH

From firewalls-owner Wed Feb 1 16:39:33 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA24960 for firewalls-outgoing; Wed, 1 Feb 1995 15:16:18 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA24951 for ; Wed, 1 Feb 1995 15:16:14 -0800
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA12105; Wed, 1 Feb 95 18:00:08 -0500
Date: Wed, 1 Feb 95 18:00:07 -0500
Message-Id: <9502012300.AA12105@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "ck.lung@rose.com"@UVS1.dnet.mmc.com
Cc: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Testing Firewalls
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

C.K. Lung rites:
>Are there any MS Windows-based firewall testers?

Depends on what you want to do. The FTP PCTCP package permits TELNETing to any port and I wrote my own testers (daemon pinger, socket2me) using the FTP SDK and the Waterloo libraries (bought the "book" even 8*). Added to that I use ETHLOAD and BEHOLDER/GOBBLER, all PC based. This lets me do just about anything with my NCR notebook and MegaHertz PCMCIA adapter (both 10Base-2 and 10Base-T) - blatant plugs. Even the current version of KERMIT (hi Joe 8*) contains valuable TCP/IP test capabilities if you know how to use them.

Bottom line, I have never found anything I cannot do with a PC and the fact that it is too dumb to think for itself is an *asset* IMHO.

Warmly,
Padgett

ps PLEASE do not ask about my utilities - between selling two cars and my new hobby (Zenith TransOceanics) they have not been made "pretty" enough for commercialization. Point is, it is simple to "roll your own" with PD/Shareware stuff and Borland's Turbo C++ (I use 4.0 - 'nother plug - but TC is enough).
From firewalls-owner Wed Feb 1 16:48:52 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA24742 for firewalls-outgoing; Wed, 1 Feb 1995 15:11:12 -0800
Received: from aero.org (aero.org [130.221.16.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA24737 for ; Wed, 1 Feb 1995 15:11:08 -0800
Received: from simba.aero.org ([130.221.128.205]) by aero.org with SMTP id <111106-3>; Wed, 1 Feb 1995 15:08:39 -0800
Received: by simba.aero.org/D8/sws-04; Wed, 1 Feb 95 15:10:42 PST
Date: Wed, 1 Feb 1995 15:10:42 -0800
From: Glenn Bailey
Posted-Date: Wed, 1 Feb 95 15:10:42 PST
Message-Id: <9502012310.AA28341@simba.aero.org>
To: firewalls@GreatCircle.COM
Subject: RE: Test Labs
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi! One more lurker decloaking for a moment:

We would qualify as a medium size corporation. With a few PC's or Suns that have been mothballed due to users upgrading we can set up a "demo" outside/dmz/inside net in one room and beat on the "wall" to our heart's content (or until our management/info security people are satisfied). Generally, we have done this to each new major piece of our multi-protocol/multi-bastion host firewall. It does not take much in resources for us (since we have a good turnover in people upgrading machines/routers). It does take some people some time commitment to give the setup a good workout.

An automatic firewall tester which can be extended for new attacks would be nice.

Recloaking and returning to the lurker zone

=================================================================
Glenn Bailey (gbailey@aero.org)    | The Aerospace Corporation
Network Systems Section            | P.O Box 92957, MS M4-913
Corp. Information Resources Div'n  | Los Angeles, CA 90009-2957
UNIX Systems Administration        | (310)336-8316 (FAX: 336-1474)
=================================================================

From firewalls-owner Wed Feb 1 16:54:49 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA27356 for firewalls-outgoing; Wed, 1 Feb 1995 16:24:41 -0800
Received: from hopi.dtcc.edu (hopi.dtcc.edu [138.123.84.240]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA27351 for ; Wed, 1 Feb 1995 16:24:37 -0800
Received: by hopi.dtcc.edu (5.4R3.10/200.1.1.4) id AA26551; Wed, 1 Feb 1995 19:22:45 -0500
Date: Wed, 1 Feb 1995 19:22:45 -0500 (EST)
From: Ken Weaverling
To: John Adams
Cc: firewalls@greatcircle.com
Subject: Re: Prevention of LOCAL spoofing/duplicate IP's?
In-Reply-To: <199502012204.RAA11604@galaxy.concorde.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Besides going to 10BaseT (star configuration, intelligent hubs that only
> pass the proper IP address to the client connected to that leg of the hub)
> Is there any way to prevent this? ANYONE can edit their Winsock configuration
> and make the IP address the same, and really hose your network... And this
> is internally... How do you prevent this, short of spending TONS of money
> on new hubs?

All of our lab PC C: drives are write-protected, with booting from floppy disabled in the BIOS. This prevents all kinds of problems, including viruses and mucking with config files. It *creates* problems too, like certain software (like Microsoft Word 6.0) insists on writing to C:, even if it isn't stored on C:. I actually had to break out a disassembler, trace the code and develop a jmp to go around the offending code :-(

--
Ken Weaverling weave@dtcc.edu            |*| "Is it too late to change the way
Manager of Computer Services             |*|  we're bound to go?
Stanton/Wilmington Campuses of           |*|  Surely one of us must know."
Delaware Technical & Community College   |*|  -- Sandy Denny, 1948-1978

From firewalls-owner Wed Feb 1 16:55:53 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA27670 for firewalls-outgoing; Wed, 1 Feb 1995 16:34:19 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA27663 for ; Wed, 1 Feb 1995 16:34:14 -0800
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA12391; Wed, 1 Feb 95 19:15:06 -0500
Date: Wed, 1 Feb 95 19:15:06 -0500
Message-Id: <9502020015.AA12391@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "daveh@dhcs.demon.co.uk"@UVS1.dnet.mmc.com
Cc: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Re: Network Performance
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I rote:
> For the most part, a good PC is only capable of about 160 kbps max (and I see
> many operating at about 60kbps - at that a 56kbps line could just about
> keep up with one user.

Dave (and several others) responded:
>I've just finished installing a bunch of NT boxes on a trading floor,
>and believe me, a PCI bus Pentium box is more than able to eat or
>generate 900k a second and still have time to do other stuff.

OK, OK, let me elaborate: What I was referring to was the typical transfer rate between a workstation with a corporate standard ISA NIC (the bottleneck) and a file server. Certainly just about any good CPU and a PCI or VESA bus NIC can do more but now you are talking real money for the NIC.

"Blem wit" the concept is to define the measuring routine and there are a lot. In this case, the one I have seen the most often is the benchmark test in Borland's SYSINFO. Something like the Waterloo SPEED which just sees how fast packets can be pumped out may show a rate 3-4 times higher.

Mea culpa.
Warmly, Padgett From firewalls-owner Wed Feb 1 17:10:24 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA27296 for firewalls-outgoing; Wed, 1 Feb 1995 16:22:27 -0800 Received: from airdata.com (nwestwall.nwest.airdata.com [141.204.13.59]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA27289 for ; Wed, 1 Feb 1995 16:22:23 -0800 Received: from nwestmail.airdata.com by airdata.com (5.0/McCaw WDD SUN nwestwall 070594/PHG) id AA05764; Wed, 1 Feb 1995 16:19:59 -0800 Received: from dividivi (dividivi.nwest.airdata.com) by nwestmail.airdata.com (5.0/McCaw WDD SUN nwestmail 070594/PHG) id AA16483; Wed, 1 Feb 1995 16:19:58 -0800 Received: by dividivi (5.0/McCaw WDD SUN client 042894PHG) id AA27190; Wed, 1 Feb 1995 16:19:57 -0800 Date: Wed, 1 Feb 1995 16:19:57 -0800 From: peterg@airdata.com (Peter Gregory) Message-Id: <9502020019.AA27190@dividivi> X-Ray: a common medical diagnosis tool. X-Homepage: Visit our home page at http://www.airdata.com/ To: firewalls@greatcircle.com Subject: Supply-side spoofing prevention X-Sun-Charset: US-ASCII Content-Length: 905 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Lots of people are filtering packets from the "outside" with > forged "inside" source addresses. Is anyone blocking this spoofing > attack at origination? That is, packets going from the "inside" to > the "outside" that claim they are from the "outside"? Can you tell > if someone from your site is the attacker? Excellent point. We're all concerned with INbound spoofing (because they harm US and represent a threat to US), but how many of us filter OUTbound spoofing? Probably damned few of us. I mean, who'd want to go to the extra trouble to complicate our access lists with entries that do nothing to protect us and just slow down our routers? Just my $0.02... Pete -- Peter Gregory [NICname PG11] peter.gregory@asix.com Senior Consultant. 
ASIX Inc., 1420 Fifth Ave, Suite 2200, Seattle, WA 98101
on-site at McCaw Wireless Data, Inc., Kirkland, WA - peter.gregory@airdata.com

From firewalls-owner Wed Feb 1 17:55:50 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA00514 for firewalls-outgoing; Wed, 1 Feb 1995 17:49:01 -0800
Received: from miriworld.its.unimelb.edu.au (miriworld.its.unimelb.EDU.AU [128.250.20.187]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id RAA00509 for ; Wed, 1 Feb 1995 17:48:50 -0800
Received: (from danny@localhost) by miriworld.its.unimelb.edu.au (8.6.9/8.6.9) id MAA25465; Thu, 2 Feb 1995 12:46:06 +1100
Date: Thu, 2 Feb 1995 12:46:05 +1100 (EST)
From: "Daniel O'Callaghan"
Subject: Re: Prevention of LOCAL spoofing/duplicate IP's?
To: John Adams
cc: firewalls@GreatCircle.COM
In-Reply-To: <199502012204.RAA11604@galaxy.concorde.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 1 Feb 1995, John Adams wrote:

> We had an incident recently where someone used the same IP address on a machine
> (a PC running winsock) as one of our fileservers... nevertheless, the
> fileserver spazzed out, NFS went completely awry, and we were forced to
> start rebooting clients and the server to get things back to normal.
>
> Besides going to 10BaseT (star configuration, intelligent hubs that only
> pass the proper IP address to the client connected to that leg of the hub)
> Is there any way to prevent this? ANYONE can edit their Winsock configuration
> and make the IP address the same, and really hose your network... And this
> is internally... How do you prevent this, short of spending TONS of money
> on new hubs?

Get arpwatch. You'll be able to detect these things quickly, at least. Maybe it could be hacked to send network jam to the offender while you send the storm troopers down to get the b****d.
:-)

Danny

From firewalls-owner Wed Feb 1 19:30:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA01792 for firewalls-outgoing; Wed, 1 Feb 1995 19:15:50 -0800
Received: from cs.columbia.edu (cs.columbia.edu [128.59.16.20]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id TAA01787 for ; Wed, 1 Feb 1995 19:15:47 -0800
From: carson@cs.columbia.edu
Received: from pizza.cs.columbia.edu (pizza.cs.columbia.edu [128.59.26.43]) by cs.columbia.edu (8.6.9/8.6.6) with ESMTP id WAA26524; Wed, 1 Feb 1995 22:14:00 -0500
Received: (from carson@localhost) by pizza.cs.columbia.edu (8.6.9/8.6.6) id WAA01820; Wed, 1 Feb 1995 22:13:58 -0500
Date: Wed, 1 Feb 1995 22:13:58 -0500
Message-Id: <199502020313.WAA01820@pizza.cs.columbia.edu>
To: John Adams
Cc: firewalls@GreatCircle.COM
Subject: Re: Prevention of LOCAL spoofing/duplicate IP's?
In-Reply-To: <199502012204.RAA11604@galaxy.concorde.com>
References: <199502012204.RAA11604@galaxy.concorde.com>
Reply-To: carson@cs.columbia.edu
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>>>> On Wed, 1 Feb 1995 17:04:43 -0500, John Adams said:

John> Is there any way to prevent this? ANYONE can edit their Winsock configuration
John> and make the IP address the same, and really hose your network... And this
John> is internally... How do you prevent this, short of spending TONS of money
John> on new hubs?

Well, we put the badly-behaved PCs on their own networks, and the routers are smart enough to keep them honest about their IP addresses. It also keeps broken IP implementations from hosing your other boxes.

--
-- A Queen Trapped in a Butch Body is: Carson Gaspar
-- carson@cs.columbia.edu, carson@lehman.com

From firewalls-owner Wed Feb 1 19:55:44 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA02104 for firewalls-outgoing; Wed, 1 Feb 1995 19:40:44 -0800
Received: from sequoia.itd.uts.EDU.AU (daemon@sequoia.itd.uts.EDU.AU [138.25.16.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id TAA02094 for ; Wed, 1 Feb 1995 19:40:37 -0800
Received: from lordmuck.itd.uts.edu.au by sequoia.itd.uts.EDU.AU with SMTP id AA14419 (5.65c/IDA-1.4.4 for ); Thu, 2 Feb 1995 14:38:01 +1100
Received: by lordmuck.itd.uts.edu.au (5.x/SMI-SVR4) id AA26177; Thu, 2 Feb 1995 14:40:03 +1100
From: matt@uts.EDU.AU (Jas (Matthew K))
Message-Id: <9502020340.AA26177@lordmuck.itd.uts.edu.au>
Subject: Re: Test Labs
To: glenn@simba.aero.org (Glenn Bailey)
Date: Thu, 2 Feb 1995 14:40:02 +1000 (EST)
Cc: firewalls@greatcircle.com (Firewalls Mailing List)
In-Reply-To: <9502012310.AA28341@simba.aero.org> from "Glenn Bailey" at Feb 1, 95 03:10:42 pm
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Glenn Bailey wrote this...
>
> An automatic firewall tester which can be extended for new attacks
> would be nice.

I have been thinking about this for some while, and I'm not sure if it is appropriate... One of the guys from Plan 9 developed an automatic protocol tester for empirically testing protocols (such as task switching on a multiprocessor machine). In fact they found a few bugs in their code using this piece of software. I had been thinking lately, while this thread has been floating around about automatic testers, that maybe it could be adapted for this sort of work? Anyway, just an idea... (If you want more details I can dig them out of the Plan 9 docs.)

Matt
--
Matthew Keenan
Systems Programmer
Information Technology Division
University of Technology Sydney
Australia
email: matt@uts.edu.au
www: http://milliways.itd.uts.edu.au/~matt/
ph: +61 2 330 1390  fax: +61 2 330 1999  home: +61 2 416 5722
GCV 2.1 GAT/M/CS d--(-+) H-- s++:-- g+ p? !au a-(?) w+++ v+ C+++$ UVS++++$ P+>+++ L- 3+++ E-(++) N++ K W--- M+ V-- -po+(+) Y+ t+ !5>++ jx R+ G? !tv b+++ D++ B e+ u--(**) h- f+(*) r n- !y

From firewalls-owner Wed Feb 1 20:09:42 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA02156 for firewalls-outgoing; Wed, 1 Feb 1995 19:47:21 -0800
Received: from wolfe.wimsey.com (root@wolfe.wimsey.com [198.162.16.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id TAA02151; Wed, 1 Feb 1995 19:47:10 -0800
Received: by wolfe.wimsey.com (Smail3.1.28.1 #31) id m0rZsTh-0007N6C; Wed, 1 Feb 95 19:45 PST
Received: by ilinx.com (/\oo/\ Smail3.1.29.1 #29.6) id ; Wed, 1 Feb 95 19:25 PST
Message-Id:
From: brian@ilinx.com (Brian J. Murrell)
Subject: Re: Web Browser-Firewall Question (fwd)
To: frank@prodigy.com (Frank Wortner)
Date: Wed, 1 Feb 1995 19:25:09 -0800 (PST)
Cc: Brent@greatcircle.com, Firewalls@greatcircle.com
In-Reply-To: from "Frank Wortner" at Feb 1, 95 10:22:55 am
X-Phone: '1 604 983 UNIX'
Organization: 'InterLinx Support Services, Inc.'
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1437
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

As enscripted by Frank Wortner:
>
> On Tue, 31 Jan 1995, Brent Chapman wrote:
>
> > But W3 browsers that do this [automatically invoke Postscript or
> > other browsers on the contents of a message] (most of them)
> > are much more common than email agents that do this (few of them).
>
> That depends on the environment. My own history includes working in
> sites where "multimedia" email was common, so I'm a bit more paranoid
> about the possibilities for abuse of this particular capability. A fair
> number of systems shipping now have at least the "hooks" built in. Check
> out what you have, use it wisely, and be aware of the pitfalls.

I've been looking at this one for a bit, and thought I'd put forth my CAN$0.0144. :-)

I don't see any problems with executing PS programs directly from W3, email, or any of the like. The point is that a PS interpreter does not (or should not) run with any more permission than the user invoking it. Therefore they should not be able (inadvertently or not) to do any more damage than if they wrote a shell script.

Please do correct me if I'm incorrect.

b.
--
Brian J. Murrell                          brian@ilinx.com
InterLinx Support Services, Inc.          brian@wimsey.com
North Vancouver, B.C.                     604 983 UNIX
Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD

From firewalls-owner Wed Feb 1 20:25:45 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA02586 for firewalls-outgoing; Wed, 1 Feb 1995 20:11:16 -0800
Received: from posaune.tamu.edu (POSAUNE.TAMU.EDU [128.194.177.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id UAA02570 for ; Wed, 1 Feb 1995 20:11:11 -0800
From: dhess@net.tamu.edu
Received: by posaune.tamu.edu (NX5.67d/NX3.0M) id AA26368; Wed, 1 Feb 95 22:09:48 -0600
Date: Wed, 1 Feb 95 22:09:48 -0600
Message-Id: <9502020409.AA26368@posaune.tamu.edu>
Received: by NeXT.Mailer (1.100)
Received: by NeXT Mailer (1.100)
To: firewalls@greatcircle.com, academic-firewalls@net.tamu.edu
Subject: Drawbridge 2.0 Beta
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Well, Drawbridge 2.0 is finally out of Alpha and ready for a Beta test. Here is the README for the package.
-----------------------------------------------------------------------------

                              Drawbridge 2.0 Beta

INTRODUCTION:

Drawbridge is a copyrighted but freely distributable bridging IP filter with a powerful syntax and good performance. It uses a PC with either two Ethernet cards or two FDDI cards to perform the filtering. It is composed of three different tools: Filter, Filter Compiler and Filter Manager. This distribution is version 2.0, which is a major overhaul of Filter.

To get a better idea of how Drawbridge works and how it is used, begin with the OVERVIEW paper in the doc directory. The paper tamu.ps describes the entire suite of TAMU security tools. (Note that this paper is in the process of being updated. The portions concerning Drawbridge are up to date, however.)

CHANGES:

o Filter now supports FDDI to FDDI filtering. Note however that due to the inherent limitations with bridging on FDDI, Filter will only work under a very specific and limited configuration. Please send email to drawbridge@net.tamu.edu if you are interested in attempting this.

o Filter now uses NDIS 2.01 DOS drivers. Therefore any Ethernet cards or FDDI cards with adequate NDIS drivers can be used with Drawbridge 2.0.

o Filter now has an IP protocol stack and the management occurs via UDP. This allows the Filter Manager to run on just about any Unix platform that has BSD sockets. (Note that currently I haven't ported it to platforms other than Solaris 2.3.)

o Filter now uses an (as far as we know) exportable Pseudo One Time Pad cryptographic scheme for authentication and privacy over the management channel.

o Filter now provides statistics from both the console and Filter Manager. Both Filter specific and NDIS statistics are reported.

o Filter is now interrupt driven rather than polling (forced because of NDIS) and performance is better. With the previously recommended setup Filter now produces peak transfer rates of approximately 5.5 Mb/sec versus the previously measured peak of 3.5 Mb/sec. 10 Mb/sec on ethernet should be easily achieved with faster cards, buses and CPUs. Under FDDI with a 60MHz Pentium and two EISA Network Peripherals FDDI cards, data rates up to 18Mb/sec have been measured. The actual limit is higher but we do not have a reliable testbed capable of generating and measuring higher data rates at this time.

o Filter now uses XMS to store the network tables in extended memory. A cache is kept in low memory.

o Filter has a new switch which controls whether or not packets other than IP/ARP/RARP are transparently bridged.

o Filter Compiler (and Filter) is backward source and binary compatible. Other than bug fixes, no changes have been made to the Filter Compiler. For Filter, the DES key file is no longer used and a new file PASSWORD is maintained. Also Filter Manager no longer uses .fmkey.* files.

o The GNU Copyleft has been removed. This material is now covered under a Berkeley/MIT style copyright, i.e. you can do anything you want with the code but must credit us. See the file COPYING.

o A few commands have been added/changed in the Filter Manager. The changes are documented under the help system.

o Bug fixes since the Alpha release:

  Filter was binding to the cards opposite of what was specified in the protocol.ini file (oops!).

  Filter Manager was core dumping when querying the reject or allow tables.

  A bug with subnets in the allow table has been fixed.

  Fixed a race condition in the event management which could allow events to be lost.

  Fixed a serious (but not fatal) bug in the event management that would cause events not to fire after the first time midnight went by. The symptom was Drawbridge would no longer respond to keystrokes.

  Fixed and cleaned up all of the NDIS error messages.

o Changes since the Alpha release:

  NDIS 2.1 from Microsoft rather than NDIS 2.0 from 3Com is now included. Thanks go to Alex Li for giving me the pointer to the newer version.

  Patches have been made so that fc and fm will now run on little endian machines. If you can get fc and fm to compile, endianness should not be a problem. Thanks go to Danny Thomas for generating the fixes for fc. (Note that due to the extensive amount of changes required, fc and fm do not and will not any time soon run on 64 bit architectures (e.g. Alpha).)

  An uptime statistic has been added to the statistics reporting.

  The original paper covering the entire TAMU security package has been updated to cover Drawbridge 2.0. It is still not up to date on Tiger and Netlog but will be soon.

  Added "retries" and "timeout" variables to the fm user interface. When managing a Drawbridge installation that uses floppy disk for the storage of the tables, a write can easily timeout. The default values are 3 retries and 3 seconds.

AVAILABILITY:

Drawbridge is available via anonymous ftp from net.tamu.edu (128.194.177.1) in pub/security/drawbridge as:

    drawbridge-2.0b.tar.gz

The package should untar into 4 directories:

    doc    - directory with documentation about Drawbridge (including three papers referenced in the documentation)
    fm     - directory with source code for the Filter Manager plus a binary for Solaris 2.3 on Sparc.
    fc     - directory with source code for the Filter Compiler plus a binary for Solaris 2.3 on Sparc.
    filter - directory with three PKZIP archives and PKUNZIP.EXE
             ndis.zip   - PKZIP archive containing version 2.1 of the NDIS 2.01 utilities.
             filter.zip - PKZIP archive with source code and executable for the Filter.
             config.zip - PKZIP archive with example config.sys, protocol.ini, autoexec.bat and the latest SMC driver for the Ethernet cards required by earlier versions of Drawbridge.

And 2 files:

    README  - this file
    COPYING - copyright notice.

REQUIREMENTS:

The requirements are less stringent in Drawbridge version 2.0. Filter is compiled for and requires an 80386 or higher processor (it is documented in the makefile how to compile specifically for a higher processor). Any Ethernet or FDDI boards for any bus may be used as long as they have DOS NDIS 2.01 drivers. NOTE! These drivers *must* support promiscuous mode, *must* allow you to configure the driver to support two cards in one PC, and *must* provide access to the native media frame format. Be careful to confirm this before you settle on any adapters. Some adapters do not support these features.

It is recommended that you use a PC with a hard disk; however, you can build a setup that uses a floppy. The reason for recommending a hard disk is that when Filter performs a write and writes all of its tables to disk, *all packet forwarding stops* for the duration of the write. This may take a substantial amount of time on a floppy depending on the configuration loaded into Filter.

BUILDING:

The Filter Compiler and Filter Manager both require an ANSI C compiler; the GNU C Compiler (gcc) is recommended. The Filter requires Borland C++ 4.02 and Borland Turbo Assembler 4.0. An executable version of Filter is provided in case you do not have access to these tools.

To build Filter Compiler (fc) and Filter Manager (fm), just go into the respective directories and type "make". This will build the executables. To install fc and fm, edit the makefiles to set the destination directory, become root and type "make install".

To build Filter, unarchive the PKZIP archive, go to the source directory and type "make".

CONTACTS:

Any suggestions or comments can be sent to:

    drawbridge@net.tamu.edu

Any and all feedback on this Beta release is welcome. Also, ports of the Filter Compiler and Filter Manager to other platforms would be appreciated.

Drawbridge is designed and programmed by:

    David K. Hess
    Douglas Lee Schales
    David R. Safford

    Texas A&M University
    February 1, 1994

-----------------------------------------------------------------------------

---
David K. Hess            Network Analyst
David-Hess@tamu.edu      Computing and Information Services - Network Group
(409) 845-0372 (work)    Texas A&M University

From firewalls-owner Wed Feb 1 20:55:43 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA02922 for firewalls-outgoing; Wed, 1 Feb 1995 20:28:29 -0800
Received: from houston.chron.com (houston.chron.com [130.80.26.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id UAA02917 for ; Wed, 1 Feb 1995 20:28:26 -0800
Received: from relay.chron.com by houston.chron.com with SMTP id AA28928 (5.65c/IDA-1.4.4 for ); Wed, 1 Feb 1995 22:26:36 -0600
Received: from office4.chron.com by relay.chron.com (4.1/SMI-4.1) id AA21743; Wed, 1 Feb 95 22:26:35 CST
Received: by office4.chron.com (4.1/SMI-4.1) id AA12602; Wed, 1 Feb 95 22:26:34 CST
From: Don.Harper@chron.com (Don Harper)
Message-Id: <9502020426.AA12602@office4.chron.com>
Subject: Re: login/password attacks (fwd)
To: smb@research.att.com
Date: Wed, 1 Feb 1995 22:26:34 -0600 (CST)
Cc: firewalls@greatcircle.com
In-Reply-To: <199502010230.SAA10747@miles.greatcircle.com> from "smb@research.att.com" at Jan 31, 95 09:13:58 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 770
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

And so smb@research.att.com said...

:-) P.S. It is, of course, worth noting that even newspapers have networking
:-) needs, and the questions might be coming from someone on the technical
:-) side of the house. But that doesn't change my answer: if you don't want
:-) to be quoted, don't say it.

And I say 'Amen, Brother!' That comes from someone who just inherited a firewall for the 16th largest daily newspaper in the country. :)

Don

-ps anyone care to suggest some good reading material to get me up to speed here? Thanks!
--
Don Harper                                   | Voice:
Technology Resources, The Houston Chronicle  | (713) 220-2937
Don.Harper@houston.chron.com                 | Fax:
#include                                     | (713) 250-3121

From firewalls-owner Wed Feb 1 21:25:43 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA03594 for firewalls-outgoing; Wed, 1 Feb 1995 21:05:41 -0800
Received: from aztec.asu.edu (aztec.ASU.EDU [129.219.13.60]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id VAA03589 for ; Wed, 1 Feb 1995 21:05:38 -0800
Received: (from phillip@localhost) by aztec.asu.edu (8.6.9/8.6.9) id WAA04287; Wed, 1 Feb 1995 22:04:36 -0700
Date: Wed, 1 Feb 1995 22:04:36 -0700
Message-Id: <199502020504.WAA04287@aztec.asu.edu>
From: phillip@aztec.inre.asu.edu (PHILLIP PODLEVSKY)
To: Firewalls@Greatcircle.com
Subject: unsuscribe firewalls
Reply-To: phillip@aztec.inre.asu.edu
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

unsuscribe firewalls

From firewalls-owner Wed Feb 1 22:25:44 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id WAA04509 for firewalls-outgoing; Wed, 1 Feb 1995 22:00:02 -0800
Received: from gateway.morgan.com (gateway.morgan.com [138.20.30.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id VAA04495 for ; Wed, 1 Feb 1995 21:59:58 -0800
Received: from otadm1.morgan.com ([161.144.246.18]) by gateway.morgan.com with SMTP id <41430>; Thu, 2 Feb 1995 00:58:07 -0500
Received: from tkis1.morgan.com by otadm1.morgan.com (5.65c/IDA-sendmail/cf.hub v1.29) id AA09618; Thu, 2 Feb 1995 14:58:01 +0900
Received: by tkis1.morgan.com (5.65c/IDA-sendmail/cf.host v1.26) id AA09977; Thu, 2 Feb 1995 14:58:01 +0900
From: pod@morgan.com (Paul O'Donnell)
Message-Id: <199502020558.AA09977@tkis1.morgan.com>
Subject: servers on PCs
To: firewalls@greatcircle.com (firewalls)
Date: Thu, 2 Feb 1995 00:58:00 -0500
X-Face: #mT^U,17J-aUFAO![bO5%!!8(!&pY+pxsx3W"6*}&"{36w_~[(4ov.NM6<
 \T82Y%zp$@Z>c>8%yV2+&"G`xsq.TH/}J7(SaAM=IC3XUMQA4>Gut4pF`z
 |)~rn!IqaV#HwH){R6I?Ue_2KS c/B\oWEuW+Z#5Oa\&,jH;V6jXmGcbS@
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 245
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Following from Steve's comment about finding surprising servers on a PC. Chameleon contains an NFS server; it's turned off by default, but it only took a couple of button clicks before I was able to mount a colleague's PC over a dial up link.

From firewalls-owner Wed Feb 1 22:55:43 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id WAA04674 for firewalls-outgoing; Wed, 1 Feb 1995 22:27:59 -0800
Received: from vger.tripcom.com (vger-ppp0.tripcom.com [198.5.220.193]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id WAA04669 for ; Wed, 1 Feb 1995 22:27:55 -0800
Received: from localhost (adam@localhost) by vger.tripcom.com (8.6.5/8.6.5) id AAA17482 for firewalls@greatcircle.com; Thu, 2 Feb 1995 00:26:02 -0600
From: Adam Horwitz
Message-Id: <199502020626.AAA17482@vger.tripcom.com>
Subject: IBM Firewall Solution
To: firewalls@greatcircle.com
Date: Thu, 2 Feb 1995 00:26:01 -0600 (CST)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 197
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A customer has mentioned that IBM has a firewall solution. Does anyone know anything about it?

--
Adam Horwitz          (708) 778-9531
Tripcom Systems Inc.  adam@tripcom.com

From firewalls-owner Wed Feb 1 23:29:11 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA05140 for firewalls-outgoing; Wed, 1 Feb 1995 23:17:29 -0800
Received: from access.mbnet.mb.ca (root@access.mbnet.mb.ca [130.179.16.143]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id XAA05135 for ; Wed, 1 Feb 1995 23:17:25 -0800
Received: from ppp01.eitc.mb.ca ([198.163.9.201]) by access.mbnet.mb.ca with SMTP id AA16811 (5.67b/IDA-1.4.4 for ); Thu, 2 Feb 1995 01:14:41 -0600
Message-Id: <199502020714.AA16811@access.mbnet.mb.ca>
X-Sender: sdearth@mail.mbnet.mb.ca
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 02 Feb 1995 02:02:11 -0600
To: firewalls@greatcircle.com
From: Steve_Dearth@MBnet.MB.CA (Steve Dearth)
Subject: Netware, IP and firewalls
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone out there have any experience with attacks on Netware servers via the internet or simply involving the IP protocol?

Is anyone out there willing to expound on the risks involved in running the IP protocol stack on a Netware file server, from the standpoint of preventing attacks, or unauthorized access to the server via the IP protocol? (In our case we do not have Netware IP, or NFS. The IP stack is just loaded to provide IP routing between segments and to support Lan Workgroup in some cases.)

I am asking this because some shops that I know of do not feel they need a firewall, other than router filtering. They feel that the risk of breakin to a Netware file server is not that great.
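The duplicate-IP thread earlier in this digest (John Adams's report, Daniel O'Callaghan's "get arpwatch", Carson Gaspar's routers that "keep them honest about their IP addresses") and Peter Gregory's point about filtering outbound spoofing describe two controls that are easy to model. The block below is an added example and is not code from any of the posters, from arpwatch or from Drawbridge: the interface table, prefixes and ARP observations are constructed, and ArpWatcher is a simplified re-implementation whose report wording follows arpwatch's "new station / changed ethernet address / flip flop" messages rather than its actual code.

```python
"""Constructed example: per-interface source-address validation and an
arpwatch-style IP-to-MAC tracker for the duplicate-IP case."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed interface table: the prefixes that legitimately sit behind each
# interface.  Addresses are from the RFC documentation ranges (TEST-NET-1/2).
INTERFACES: Dict[str, List[ipaddress.IPv4Network]] = {
    "inside": [ipaddress.ip_network("192.0.2.0/24")],     # main site LAN
    "lab": [ipaddress.ip_network("198.51.100.0/24")],     # the "badly-behaved PCs" segment
    "outside": [],                                        # the Internet link owns none of ours
}


def _owner(addr: ipaddress.IPv4Address) -> Optional[str]:
    """Interface whose prefix list contains addr, or None if addr is not ours."""
    for name, nets in INTERFACES.items():
        if any(addr in net for net in nets):
            return name
    return None


def check_source(ingress: str, src: str) -> str:
    """Verdict for a packet with IP source `src` that arrived on `ingress`.

    One rule: a source address may only enter through the interface that owns
    its prefix.  That covers inbound spoofing (outside packet with an inside
    source), outbound spoofing (inside host claiming an address we do not own)
    and cross-segment spoofing (lab host claiming a main-LAN address).
    """
    owner = _owner(ipaddress.ip_address(src))
    if ingress == "outside":
        if owner is not None:
            return f"drop: inbound packet claims internal address {src}"
        return "forward"
    if owner is None:
        return f"drop: {src} leaving via {ingress} is not one of our addresses"
    if owner != ingress:
        return f"drop: {src} belongs to {owner} but was seen on {ingress}"
    return "forward"


class ArpWatcher:
    """Remembers which Ethernet address has answered for each IP and reports
    new stations, address changes and flip-flops (an IP bouncing between two
    MACs, which is what a duplicate-IP fight looks like on the wire)."""

    def __init__(self) -> None:
        self.history: Dict[str, List[str]] = {}

    def observe(self, ip: str, mac: str) -> Optional[str]:
        mac = mac.lower()
        seen = self.history.setdefault(ip, [])
        if not seen:
            seen.append(mac)
            return f"new station {ip} {mac}"
        if mac == seen[-1]:
            return None                     # same answer as last time
        previous = seen[-1]
        seen.append(mac)
        if len(seen) >= 3 and mac == seen[-3]:
            return f"flip flop {ip}: {previous} <-> {mac}"
        return f"changed ethernet address {ip}: {previous} -> {mac}"


# Constructed ARP replies as (ip, mac), in the order a sniffer would see them.
SAMPLE_ARP: List[Tuple[str, str]] = [
    ("192.0.2.5", "00:00:c0:11:22:33"),   # the file server
    ("192.0.2.10", "00:00:c0:44:55:66"),  # an ordinary PC
    ("192.0.2.5", "00:00:c0:11:22:33"),   # server again: nothing to report
    ("192.0.2.5", "00:A0:24:DE:AD:01"),   # a PC whose Winsock was given the server's IP
    ("192.0.2.5", "00:00:c0:11:22:33"),   # server answers again: flip flop
]


def run_arp_sample() -> List[str]:
    """Feed SAMPLE_ARP through an ArpWatcher and return every report it makes."""
    watcher = ArpWatcher()
    reports = []
    for ip, mac in SAMPLE_ARP:
        msg = watcher.observe(ip, mac)
        if msg:
            reports.append(msg)
    return reports


if __name__ == "__main__":
    for iface, src in [("outside", "192.0.2.7"), ("inside", "203.0.113.9"),
                       ("lab", "192.0.2.7"), ("inside", "192.0.2.7")]:
        print(f"{iface:8} {src:15} -> {check_source(iface, src)}")
    for line in run_arp_sample():
        print(line)
```

The source check is the same rule whichever direction the packet travels, which is why adding the outbound entries Peter Gregory mentions costs one comparison per packet rather than a second rule set. The watcher only detects; it cannot stop the duplicate-IP host, which is the part Carson Gaspar's per-segment routing and Ken Weaverling's locked-down configuration files address.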
From firewalls-owner Wed Feb 1 23:55:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA05631 for firewalls-outgoing; Wed, 1 Feb 1995 23:52:49 -0800
Received: from gatekeep.genmagic.com (gatekeep.genmagic.com [192.216.16.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id XAA05626 for ; Wed, 1 Feb 1995 23:52:46 -0800
Received: from (genmagic.genmagic.com [10.1.4.12]) by gatekeep.genmagic.com (8.6.9/8.6.9) with SMTP id XAA06448 for ; Wed, 1 Feb 1995 23:50:11 -0800
Received: from abulafia.genmagic.com by genmagic.genmagic.com (4.1/SMI-4.1/JBS) id AA17894; Wed, 1 Feb 95 23:34:06 PST
Received: by abulafia.genmagic.com (931110.SGI/930416.SGI) for @genmagic.genmagic.com:firewalls@GreatCircle.COM id AA18206; Wed, 1 Feb 95 23:49:41 -0800
Date: Wed, 1 Feb 95 23:49:41 -0800
From: jet@abulafia.genmagic.com (J. Eric Townsend)
Message-Id: <9502020749.AA18206@abulafia.genmagic.com>
To: firewalls@GreatCircle.COM
Subject: NTP clock isolation
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I realize this is not really on-the-topic, so please send replies to me personally and I'll summarize if there's interest.

I'm looking for a cheap radio clock receiver I can set up so that we don't have to rely on NTP packets coming in from the outside world. (The real issue is I hate having to fool xntpd on a couple of servers into thinking that they have clocks. It's ugly, and I'm willing to spend a few hundred to correct the kludge. :-)

--
J. Eric Townsend                 vox #: USA 408.774.4252
work: jet@genmagic.com           AT&T PersonaLink: A5803643645@attpls.net
play: jet@well.sf.ca.us          or get my card from directory information

From firewalls-owner Thu Feb 2 01:55:43 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA07005 for firewalls-outgoing; Thu, 2 Feb 1995 01:34:40 -0800
Received: from relay1.pipex.net (relay1.pipex.net [158.43.128.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id BAA07000 for ; Thu, 2 Feb 1995 01:34:34 -0800
Received: from tpone (actually host tpone.telepac.pt) by bath.pipex.net with SMTP (PP); Thu, 2 Feb 1995 09:31:24 +0000
Received: from GSA.telepac.pt (gsi.telepac.pt) by tpone (5.0/SMI-SVR4) id AA15816; Thu, 2 Feb 1995 10:29:50 +0000
Message-Id: <9502021029.AA15816@tpone>
X-Sender: paulo@telepac.pt
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 02 Feb 1995 11:16:07 -0400
To: Firewalls@Greatcircle.com
From: paulo@tpone.telepac.pt (Paulo Ribeiro)
Subject: unsuscribe firewalls
X-Mailer:
content-length: 22
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

unsuscribe firewalls

From firewalls-owner Thu Feb 2 03:25:51 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id DAA07919 for firewalls-outgoing; Thu, 2 Feb 1995 03:12:58 -0800
Received: from zeus.datasrv.co.il (root@zeus.datasrv.co.il [192.114.20.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id DAA07914 for ; Thu, 2 Feb 1995 03:12:48 -0800
Received: from elexmgw.elex.co.il by zeus.datasrv.co.il with SMTP id AA19882 (5.65c/IDA-1.4.4 for ); Thu, 2 Feb 1995 13:10:34 +0200
Received: from elex.co.il (tlhuph12) by elexmgw.elex.co.il (4.1/SMI-4.1-allowed) id AA21157; Thu, 2 Feb 95 13:06:24 IST
Received: from tibam.elex.co.il (tibamsun3.elex.co.il) by elex.co.il with SMTP (1.37.109.14/16.2) id AA180803193; Thu, 2 Feb 1995 13:06:34 +0200
Received: from tibamsun23.cbds_yp by tibam.elex.co.il (4.1/SMI-4.1) id AA24461; Thu, 2 Feb 95 13:03:32 IST
Received: by tibamsun23.cbds_yp (4.1/SMI-4.1) id AA03721; Thu, 2 Feb 95 13:03:32 IST
Date: Thu, 2 Feb 1995 13:03:31 +0200 (IST)
From: sun2
X-Sender: moshe@tibamsun23
To: Firewalls@greatcircle.com
Subject: unsuscribe firewalls
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

unsuscribe firewalls

From firewalls-owner Thu Feb 2 03:55:41 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id DAA08261 for firewalls-outgoing; Thu, 2 Feb 1995 03:28:00 -0800
Received: from sg543689.eng.chrysler.com (sg543689.eng.chrysler.com [152.116.1.69]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id DAA08255 for ; Thu, 2 Feb 1995 03:27:56 -0800
Received: from sg5382na.eng.chrysler.com (sg5382na.eng.chrysler.com [152.116.1.30]) by sg543689.eng.chrysler.com (8.6.9/8.6.9) with ESMTP id GAA16865 for ; Thu, 2 Feb 1995 06:26:10 -0500
Received: from clncrdv1.is.chrysler.com ([129.9.241.19]) by sg5382na.eng.chrysler.com (8.6.9/8.6.9) with SMTP id GAA29806 for ; Thu, 2 Feb 1995 06:26:10 -0500
Received: from rgm3 (bobsgrid.is.chrysler.com) by clncrdv1.is.chrysler.com (4.1/SMI-4.1) id AA15569; Thu, 2 Feb 95 06:40:00 EST
Message-Id: <9502021140.AA15569@clncrdv1.is.chrysler.com>
X-Sender: t3125rm@clncrdv1.is.chrysler.com
X-Mailer: Windows Eudora Version 2.0.3
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 02 Feb 1995 06:25:02 -0600
To: jet@abulafia.genmagic.com (J. Eric Townsend), firewalls@greatcircle.com
From: rgm3@is.chrysler.com (Robert Moskowitz)
Subject: Re: NTP clock isolation
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:49 PM 2/1/95 -0800, J. Eric Townsend wrote:
>I realize this is not really on-the-topic, so please send replies to
>me personally and I'll summarize if there's interest.
>
>I'm looking for a cheap radio clock receiver I can set up so that we
>don't have to rely on NTP packets coming in from the outside world.
>(The real issue is I hate having to fool xntpd on a couple of servers
>into thinking that they have clocks. It's ugly, and I'm willing to
>spend a few hundred to correct the kludge. :-)

Heath Kit used to have a $500 unit, but they discontinued it. They might have something else...

Robert Moskowitz
Chrysler Corporation
(810) 758-8212

From firewalls-owner Thu Feb 2 04:55:44 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA09104 for firewalls-outgoing; Thu, 2 Feb 1995 04:28:03 -0800
Received: from pp (pp.ksc.nasa.gov [128.159.174.102]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id EAA09099 for ; Thu, 2 Feb 1995 04:28:00 -0800
Received: from escact.ksc.nasa.gov.ksc.nasa.gov (actually escact.ksc.nasa.gov) by pp with SMTP (PP); Thu, 2 Feb 1995 07:26:59 -0500
Received: by escact.ksc.nasa.gov.ksc.nasa.gov (4.1/SMI-4.1) id AA18440; Thu, 2 Feb 95 07:23:43 EST
Date: Thu, 2 Feb 95 07:23:43 EST
From: Mark.Gibbons-1@kmail.ksc.nasa.gov (Mark E. Gibbons)
Message-Id: <9502021223.AA18440@escact.ksc.nasa.gov.ksc.nasa.gov>
To: firewalls@greatcircle.com
Subject: Re: Test labs
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We have a testbed network on which we do a lot of router/bridge/switch testing as well as a complete network operating systems testbed. I have done a lot of testing of access list performance (mostly on various Cisco platforms). Currently we do have an interest in developing a "test suite" for access list issues as part of a larger project. It is low priority, however, so it isn't going to come out of our shop for a while. If someone out there wanted to collaborate they could drop me a note. We would have to get approval from our NASA masters before we could agree, but I would be willing to try.

meg
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
mark e. gibbons                 Network Engineer
M.S. INI-18                     (v)407.867.4847      mark@luke.ksc.nasa.gov
Kennedy Space Center,           (f)407.867.4079      mark.e.gibbons-1@ksc.nasa.gov
Florida 32899
"Man is the best computer we can put aboard a spacecraft ... and the only one that can be mass produced with unskilled labor." -- Wernher von Braun

From firewalls-owner Thu Feb 2 05:25:59 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA09322 for firewalls-outgoing; Thu, 2 Feb 1995 05:02:16 -0800
Received: from netman-mel.dfci.harvard.edu (netman-mel.dfci.harvard.edu [134.174.55.53]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id FAA09311 for ; Thu, 2 Feb 1995 05:02:12 -0800
Received: (from ellozy@localhost) by netman-mel.dfci.harvard.edu (8.6.9/8.6.6) id IAA23121 for firewalls@GreatCircle.com; Thu, 2 Feb 1995 08:00:22 -0500
From: Mohamed Ellozy
Message-Id: <199502021300.IAA23121@netman-mel.dfci.harvard.edu>
Subject: Compiling S/Key on Solaris hosts
To: firewalls@GreatCircle.com
Date: Thu, 2 Feb 1995 08:00:21 -0500 (EST)
Reply-To: ellozy@dfci.harvard.edu
X-Organization: Dana-Farber Cancer Institute
X-phone: 617-632-3034, 617-632-3425
X-Mailer: ELM [version 2.4 PL22]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 314
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anyone modified S/Key to get it to compile under Solaris 2.X? There are a bunch of problems in skeysubr.c, all involving ioctls, and I would love to avoid having to read through the old BSD manuals to understand what is going on, then through the SVR4 manuals to learn how to replace them!

Thanks.

Mohamed

From firewalls-owner Thu Feb 2 06:25:50 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA10417 for firewalls-outgoing; Thu, 2 Feb 1995 06:01:00 -0800
Received: from ciesin.org (mail.ciesin.org [160.39.8.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA10412 for ; Thu, 2 Feb 1995 06:00:57 -0800
Received: from bean.ciesin.org (bean.ciesin.org [160.39.1.224]) by ciesin.org (8.6.9/8.6.9) with SMTP id IAA19415 for ; Thu, 2 Feb 1995 08:59:07 -0500
Date: Thu, 2 Feb 1995 08:58:30 -0400 (EDT)
From: Kalpesh Unadkat
Subject: unsuscribe firewalls
To: firewalls@greatcircle.com
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

unsuscribe firewalls

From firewalls-owner Thu Feb 2 06:38:17 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA10763 for firewalls-outgoing; Thu, 2 Feb 1995 06:14:56 -0800
Received: from d.ecc.engr.uky.edu (d.ecc.engr.uky.edu [128.163.144.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA10758 for ; Thu, 2 Feb 1995 06:14:53 -0800
Received: from s.ecc.engr.uky.edu by d.ecc.engr.uky.edu (5.59/25-eef) id AA03682; Thu, 2 Feb 95 09:07:36 EST
Received: by s.ecc.engr.uky.edu (4.1/SMI-4.1) id AA01142; Thu, 2 Feb 95 09:12:01 EST
Date: Thu, 2 Feb 95 09:12:01 EST
From: morgan@engr.uky.edu (Wes Morgan)
Message-Id: <9502021412.AA01142@s.ecc.engr.uky.edu>
To: firewalls@greatcircle.com
Subject: Re: tweaking PC setups for TCP/IP
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> Besides going to 10BaseT (star configuration, intelligent hubs that only
>> pass the proper IP address to the client connected to that leg of the hub)
>> Is there any way to prevent this? ANYONE can edit their Winsock configuration
>> and make the IP address the same, and really hose your network... And this
>> is internally...
>> How do you prevent this, short of spending TONS of money
>> on new hubs?

When presented with this problem (in an educational environment, no less; lots of folks keen to play with config files), we simply required (read: dictated) that any TCP/IP apps had to come from the server. On the server, all apps/config files were read-only configured for BOOTP. Anyone bringing 'unknown' or 'new version' TCP/IP software onto their PC was roundly castigated.

The source of most of our problems in this area came from trying-to-help folks who said "don't bother the support staff; I'll just give you my copy, since it's freeware." (Kermit was notable in this respect, as was WinQVT).

BOOTP (or even RARP) can be your friend. 8)

--Wes

From firewalls-owner Thu Feb 2 06:51:29 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA10739 for firewalls-outgoing; Thu, 2 Feb 1995 06:11:22 -0800
Received: from chx400.switch.ch (chx400.switch.ch [130.59.1.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA10734 for ; Thu, 2 Feb 1995 06:11:16 -0800
Received: from scsing.switch.ch by chx400.switch.ch with SMTP (PP); Thu, 2 Feb 1995 15:09:13 +0100
Received: from ecofin.UUCP by scsing.switch.ch (SWITCHsendmail1) id AA11757; Thu, 2 Feb 95 15:07:42 +0100
Received: from LAVA_MAIL (QM 3.0) by ecofin.uucp (UMCP\QM 2.1.3) id AA03321; Thu, 2 Feb 1995 15:08:23 -0100
Message-Id: <00614.2874582503.3321@ecofin.uucp>
To: firewalls-digest@GreatCircle.COM (FireWalls Digest)
From: jdb@ecofin.ch (John Bührer)
Date: Thu, 2 Feb 1995 15:05:00 -0100
Subject: Some questions
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Date     2.2.95
Subject  Some questions
From     John Bührer
To       FireWalls Digest

Some questions (Internet)

1) I've seen this diagram proposed in recent postings:

     Internet -- Router1 -- Firewall -- Router2 -- Internal Network

   What's the purpose of Router2? That is, what extra security does it provide? Can't I accomplish the same thing with proper configurations of Router1 and the Firewall itself? Assuming that the Router -- Firewall connections are in fact subnets (and not some sort of serial link), I would call the first subnet (Router1 -- FireWall) a DMZ, for low-security hosts visible to the outside world. Functionally speaking, what would you call the subnet between the Firewall and Router2?

2) I see the point of this configuration:

     Internet -- Router1 -- Firewall -- Internal Network

   but recently someone proposed this:

     Internet -- Firewall -- Router1 -- Internal Network

   Although this makes it easier to restrict internal users from going outside, does this offer any more security against the outside world coming in? I can see that the latter supports more logging than the first scenario, ie, when the router disallows an inbound packet, this generally isn't logged, but a firewall computer can do it.

3) FWTK vs. Socks: I'm wondering about this too. Any objections if I run both systems on the Firewall, dividing my services accordingly? For example, I like the convenience of Socks FTP, but I suspect that the TIS http-gw can offer more security for WWW.

4) Subnets: Class-A's were gone long ago, and a mere mortal can't get a Class-B, so we "grass roots" administrators must put up with a single Class-C address for our sites. Of course I need sub-networks, but the policy of "forbidding all zeros / all ones" in a subnet address is just too restrictive. I don't care what the RFC says, I'm not going to throw away a good chunk of my address range just to install subnets! (eg: one-bit subnet = throw away ALL usable host addresses, 2-bits = throw away half, 3-bits = throw away 25%, 4-bits = limited to 14 machines per subnet, no way!)

   Given that I'm ignoring this discriminatory restriction and doing it anyway (I don't support broadcast-to-all-nets or "this-network" references), do you see any security holes as a result? Does it matter if my DMZ subnet is the "illegal" upper network with a mask of 255.255.255.192? I'm using Cisco routers if that makes any difference. Who uses these reserved subnet bands anyway?

John Buehrer        jdb@ecofin.ch
Ecofin, AG          phone: +411 / 201 68 33
Lavaterstr. 45      fax:   +411 / 202 89 47
CH-8027 Zurich
Switzerland

From firewalls-owner Thu Feb 2 06:57:18 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA11227 for firewalls-outgoing; Thu, 2 Feb 1995 06:49:19 -0800
Received: from uu7.psi.com (uu7.psi.com [38.145.204.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA11222 for ; Thu, 2 Feb 1995 06:49:16 -0800
Received: from viacom.COM by uu7.psi.com (8.6.9/SMI-4.1.3-PSI) id JAA24777; Thu, 2 Feb 1995 09:39:56 -0500
Received: from smtpgate.viacom.com by viacom.viacom.COM id aa13370; 2 Feb 95 9:26 EST
Received: by SMTPGATE.VIACOM.COM with Microsoft Mail id <2F31198D@SMTPGATE.VIACOM.COM>; Thu, 02 Feb 95 09:42:37 PST
From: "Bai, Mario"
To: firewalls
Subject: re:IBM Firewall Solution
Date: Thu, 02 Feb 95 09:42:00 PST
Message-ID: <2F31198D@SMTPGATE.VIACOM.COM>
Encoding: 9 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We evaluated the IBM product, NetSP, and unfortunately found that it did not fit our needs. It had several problems; the one glaring drawback was that it included the full operating system of AIX, and did not seem very secure. The interface was very nice, all of its utilities ran under X-Windows. The way the user set up the ACL lists was pretty confusing. You set up a user-id, and then defined what services were available to said user. The set-up was not straight-forward, but then again, we did not spend a whole hell of a lot of time investigating it.
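Working through the subnet arithmetic in John Buehrer's question 4 above, as an added example that is not part of any list posting: it counts what RFC 950's subnet-zero / all-ones reservation costs a single Class C and classifies the "upper" /26 he asks about. 192.0.2.0/24 is a constructed stand-in for his Class C.

```python
"""Subnet-zero / all-ones arithmetic for a single Class C.

Added example: 192.0.2.0/24 is a constructed stand-in for the site's Class C.
RFC 950 reserves the subnet whose subnet bits are all zero and the one whose
bits are all one; the functions below count what that costs and show why.
"""
import ipaddress
from typing import Dict, List


def subnet_plan(class_c: str, subnet_bits: int) -> Dict[str, object]:
    """Split a /24 into 2**subnet_bits equal subnets and report the cost of
    reserving subnet-zero and the all-ones subnet."""
    if not 1 <= subnet_bits <= 6:
        raise ValueError("a /24 carries 1..6 subnet bits if hosts are to remain")
    net = ipaddress.ip_network(class_c, strict=True)
    if net.prefixlen != 24:
        raise ValueError("expected a /24 (Class C) network")
    subnets = list(net.subnets(prefixlen_diff=subnet_bits))
    reserved = [subnets[0], subnets[-1]]          # subnet-zero, all-ones
    return {
        "subnets": subnets,
        "reserved": reserved,
        "usable_subnets": len(subnets) - len(reserved),
        # network and broadcast addresses are not assignable to hosts
        "usable_hosts_per_subnet": subnets[0].num_addresses - 2,
        "lost_fraction": len(reserved) / len(subnets),
    }


def rfc950_status(subnet: str, parent: str) -> str:
    """Classify `subnet` within `parent` (the classful network it is carved
    from) as "subnet-zero", "all-ones" or "ordinary"."""
    sub = ipaddress.ip_network(subnet, strict=True)
    par = ipaddress.ip_network(parent, strict=True)
    if sub.prefixlen <= par.prefixlen or not sub.subnet_of(par):
        raise ValueError("not a proper subnet of the parent network")
    bits = sub.prefixlen - par.prefixlen
    # The subnet number sits between the parent's prefix and the subnet's
    # prefix: shift the host bits away and mask to the subnet-bit width.
    number = (int(sub.network_address) >> (32 - sub.prefixlen)) & ((1 << bits) - 1)
    if number == 0:
        return "subnet-zero"
    if number == (1 << bits) - 1:
        return "all-ones"
    return "ordinary"


def ambiguous_addresses(subnet: str, parent: str) -> List[str]:
    """Addresses that a classful (pre-CIDR) host reads as belonging to the
    whole Class C rather than to this subnet: the "this network" address of
    subnet-zero and the broadcast address of the all-ones subnet. This is
    the practical reason RFC 950 set those two subnets aside."""
    sub = ipaddress.ip_network(subnet, strict=True)
    par = ipaddress.ip_network(parent, strict=True)
    clashes = []
    if sub.network_address == par.network_address:
        clashes.append(str(sub.network_address))
    if sub.broadcast_address == par.broadcast_address:
        clashes.append(str(sub.broadcast_address))
    return clashes


if __name__ == "__main__":
    for bits in range(1, 5):
        plan = subnet_plan("192.0.2.0/24", bits)
        print(f"{bits} subnet bit(s): {len(plan['subnets'])} subnets, "
              f"{plan['usable_subnets']} usable, "
              f"{plan['usable_hosts_per_subnet']} hosts each, "
              f"{plan['lost_fraction']:.0%} of the space reserved")
    upper = "192.0.2.192/26"   # the "upper network" with mask 255.255.255.192
    print(upper, rfc950_status(upper, "192.0.2.0/24"),
          ambiguous_addresses(upper, "192.0.2.0/24"))
```

The figures reproduce the ones in the question (100%, 50%, 25% reserved; 14 hosts per /28), and show that the upper /26 is the all-ones subnet whose broadcast address 192.0.2.255 is also the whole Class C's broadcast.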
From firewalls-owner Thu Feb 2 07:08:24 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA10221 for firewalls-outgoing; Thu, 2 Feb 1995 05:57:31 -0800
Received: from gater3.sematech.org (gater3.sematech.org [192.73.53.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id FAA10210; Thu, 2 Feb 1995 05:57:28 -0800
Received: from gatev3.sematech.org by gater3.sematech.org (8.6.9/F-1.8) with ESMTP id HAA07659; Thu, 2 Feb 1995 07:55:35 -0600
Received: from thecount.eng.sematech.org by GateV1.SEMATECH.Org (PMDF V4.3-10 #5463) id <01HMKEOWRBS09I4EOA@GateV1.SEMATECH.Org>; Thu, 02 Feb 1995 07:55:27 -0600 (CST)
Received: from localhost.eng.sematech.org by thecount.eng.sematech.org (8.6.9/I-1.8) with SMTP id HAA10090; Thu, 2 Feb 1995 07:55:23 -0600
Date: Thu, 02 Feb 1995 07:55:12 -0600
From: Quentin Fennessy
Subject: Re: Web Browser-Firewall Question (fwd)
In-reply-to: Your message of "Wed, 01 Feb 1995 19:25:09 PST."
To: brian@ilinx.com (Brian J. Murrell)
Cc: frank@prodigy.com (Frank Wortner), Brent@greatcircle.com, Firewalls@greatcircle.com
Message-id: <199502021355.HAA10090@thecount.eng.sematech.org>
Content-transfer-encoding: 7BIT
X-Authentication-Warning: thecount.eng.sematech.org: Host localhost.eng.sematech.org didn't use HELO protocol
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Brian-

You are correct - the interpreted PS would run with the privileges of the account running the browser. However, this might be hard to detect -- so it is not like a shell script, which could be viewed easily or run in debug mode. The Postscript engines I have seen have not been very accessible in terms of making the effects of the program visible (except for the printed page, of course).

Also, on many sites it might be possible to do nasty things with normal user privilege. Imagine a PS file that writes a shell script to your .profile? The next time it is executed it could:

    Mail a password file somewhere
    ftp (out) some interesting files
    delete all your files
    send embarrassing mail

I see this as similar to leaving your account logged in while in the computer room of a university -- you never know what will happen.

Quentin

From firewalls-owner Thu Feb 2 07:26:17 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA11469 for firewalls-outgoing; Thu, 2 Feb 1995 06:58:12 -0800
Received: from timbuk.cray.com (root@timbuk.cray.com [128.162.19.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA11462 for ; Thu, 2 Feb 1995 06:58:08 -0800
Received: from matrix.cray.com (btk@matrix.cray.com [128.162.22.44]) by timbuk.cray.com (8.6.9/CRI-fence-1.3) with SMTP id IAA24989; Thu, 2 Feb 1995 08:55:11 -0600
Received: by matrix.cray.com (4.1/CRI-5.14) id AA11470; Thu, 2 Feb 95 08:55:10 CST
From: btk@matrix.cray.com (Bryan Koch)
Message-Id: <9502021455.AA11470@matrix.cray.com>
Subject: Re: Supply-side spoofing prevention
To: peterg@airdata.com (Peter Gregory)
Date: Thu, 2 Feb 95 8:55:09 CST
Cc: firewalls@greatcircle.com
In-Reply-To: <9502020019.AA27190@dividivi>; from "Peter Gregory" at Feb 1, 95 4:19 pm
X-Mailer: ELM [version 2.3 PL0]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Excellent point. We're all concerned with INbound spoofing (because
> they harm US and represent a threat to US), but how many of us filter
> OUTbound spoofing?
>
> Probably damned few of us.
>
> I mean, who'd want to go to the extra trouble to complicate our access lists
> with entries that do nothing to protect us and just slow down our routers?

We have always filtered outbound packets to ensure that they originate on our assigned networks.
Bryan Koch
Cray Research

From firewalls-owner Thu Feb 2 07:56:08 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA12399 for firewalls-outgoing; Thu, 2 Feb 1995 07:43:34 -0800
Received: from gate.projo.com (gate.projo.com [147.136.254.253]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA12392 for ; Thu, 2 Feb 1995 07:43:30 -0800
Received: (from smap@localhost) by gate.projo.com (8.6.9/8.6.9) id KAA17598 for ; Thu, 2 Feb 1995 10:41:14 -0500
Received: from hades.projo.com(147.136.5.207) by gate via smap (V1.3mjr) id sma017594; Thu Feb 2 10:41:12 1995
Received: from crete.projo.com by ProJo.COM (4.1/projo-srv1.0) id AA10916; Thu, 2 Feb 95 10:41:11 EST
Received: from (oracle@localhost) by crete.projo.com (8.6.9/8.6.9) with SMTP id KAA04570 for firewalls@GreatCircle.COM; Thu, 2 Feb 1995 10:41:08 -0500
Date: Thu, 2 Feb 1995 10:41:08 -0500
From: "Brian C. Stormont"
Message-Id: <199502021541.KAA04570@crete.projo.com>
To: firewalls@GreatCircle.COM
Subject: Re: Supply-side spoofing prevention
X-Orcl-Application:
In-Reply-To: ORAMAIL.PROJO.COM:INET:firewalls-digest-owner@GreatCircle.COM's message of 01-Feb-95 21:10
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Actually, with many firewall products, preventing supply side (or internal) spoofing of external addresses to the outside world is easy and is very beneficial. From personal experience, it has flagged some misconfigured machines on our internal network and prevented them from accidentally wreaking havoc. In my case, I am using FW-1 with outgoing filters that prevent apparently non-local internet side traffic from going out to the internet.
-brian From firewalls-owner Thu Feb 2 08:14:10 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA12248 for firewalls-outgoing; Thu, 2 Feb 1995 07:34:44 -0800 Received: from ariel.ncsl.nist.gov (ARIEL.NCSL.NIST.GOV [129.6.54.16]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA12242 for ; Thu, 2 Feb 1995 07:34:41 -0800 Received: (jwack@localhost) by ariel.ncsl.nist.gov (8.6.9/8.6.4) id KAA14818 for firewalls@GreatCircle.COM; Thu, 2 Feb 1995 10:31:39 -0500 From: John Wack Message-Id: <199502021531.KAA14818@ariel.ncsl.nist.gov> Subject: Intro to Firewalls pub available To: firewalls@GreatCircle.COM Date: Thu, 2 Feb 1995 10:31:38 -0500 (EST) X-Mailer: ELM [version 2.4 PL24alpha3] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 812 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk NIST just put out a final copy of an introduction to Internet firewalls, which is available electronically as well as hard copy (1 per request, copies are limited). The place to get it electronically is http://csrc.ncsl.nist.gov/nistpubs/800-10.ps or via anonymous ftp at above address. You can also get a hard copy, although we couldn't afford to print up too many so electronic is preferred, at 301-975-2821. This document attempts to be all things to all firewalls, but the main thing is that it is an _introduction_ to people who don't know much about firewalls. I hope you like it. -John Wack -- John P. Wack, National Institute of Standards and Technology Technology A-216, Gaithersburg, Md. 20899 JWack@nist.gov making do in the greater D.C. area... neither NIST nor I speak for each other... 
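The outbound source-address filter that Koch and Stormont describe in the "Supply-side spoofing prevention" thread above, applied in both directions, as an added example that is not from the list or from any vendor's product: the assigned prefixes, the sample packets and the access-list number are all constructed.

```python
"""Source-address (anti-spoofing) filtering in both directions.

Added example, not a vendor's firewall code. It models the rule described
above: a packet leaving the site must carry a source address from the site's
assigned networks; by the same token, a packet arriving from the Internet
must not. All prefixes and packets below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed: the address space this site is assigned (documentation ranges
# standing in for the site's registered network numbers).
ASSIGNED = [ipaddress.ip_network("192.0.2.0/24"),
            ipaddress.ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaving the site, "in" = arriving from the Internet
    src: str
    dst: str


def is_assigned(addr: str) -> bool:
    """True if `addr` falls inside one of the site's assigned networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ASSIGNED)


def verdict(pkt: Packet) -> Tuple[str, str]:
    """Return ("permit" | "deny", reason) for one packet.

    Outbound: the source must be ours. This catches misconfigured internal
    hosts as well as anyone inside forging an outside address.
    Inbound: the source must NOT be ours, the classic IP-spoofing check.
    """
    ours = is_assigned(pkt.src)
    if pkt.direction == "out":
        if ours:
            return "permit", "source is an assigned address"
        return "deny", f"outbound packet with foreign source {pkt.src}"
    if pkt.direction == "in":
        if ours:
            return "deny", f"inbound packet claims internal source {pkt.src}"
        return "permit", "external source"
    raise ValueError(f"unknown direction {pkt.direction!r}")


def filter_log(packets: List[Packet]) -> List[str]:
    """Run verdict() over a batch and return the lines an operator reviews.
    Only denies are logged, so a misconfigured machine stands out."""
    return [f"DENY {p.direction} {p.src} -> {p.dst}: {verdict(p)[1]}"
            for p in packets if verdict(p)[0] == "deny"]


def egress_acl(number: int = 101) -> List[str]:
    """The same outbound rule as Cisco IOS extended access-list lines.
    The list number is hypothetical; the wildcard mask is the inverted
    netmask, and the final deny is logged so that hits are visible."""
    lines = [f"access-list {number} permit ip {n.network_address} {n.hostmask} any"
             for n in ASSIGNED]
    lines.append(f"access-list {number} deny ip any any log")
    return lines


# Constructed sample traffic.
SAMPLE = [
    Packet("out", "192.0.2.17", "203.0.113.5"),    # ordinary outbound
    Packet("out", "10.1.2.3", "203.0.113.5"),      # misconfigured PC, private source
    Packet("out", "203.0.113.99", "203.0.113.5"),  # forged outside address
    Packet("in", "203.0.113.5", "192.0.2.17"),     # ordinary inbound
    Packet("in", "192.0.2.1", "192.0.2.17"),       # spoofed internal source
]

if __name__ == "__main__":
    for line in filter_log(SAMPLE):
        print(line)
    print("\n".join(egress_acl()))
```

The two outbound denies are exactly the misconfigured machines Stormont says such a filter flags; the inbound deny is the classic spoof the rest of the thread worries about.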
From firewalls-owner Thu Feb 2 08:26:22 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA12755 for firewalls-outgoing; Thu, 2 Feb 1995 08:09:22 -0800 Received: from mailgate.ericsson.se (mailgate.ericsson.se [130.100.2.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA12743 for ; Thu, 2 Feb 1995 08:09:16 -0800 Received: from ere.ericsson.se (ere.ericsson.se [136.225.97.10]) by mailgate.ericsson.se (8.6.9/1.0) with SMTP id RAA10441; Thu, 2 Feb 1995 17:06:51 +0100 Received: from tempest.nis.gsunix by ere.ericsson.se (4.1/SMI-4.1-LME1.6) id AA02764; Thu, 2 Feb 95 17:08:27 +0100 Date: Thu, 2 Feb 95 17:08:26 +0100 From: eremf@ere.ericsson.se (Martin Fredriksson) Message-Id: <9502021608.AA02764@ere.ericsson.se> To: jdb@ecofin.ch Subject: Re: Some questions Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -- jdb@ecofin.ch wrote: > 4) Subnets: Class-A's were gone long ago [...] > [......] > Who uses these reserved subnet bands anyway? Could it be that they are "reserved" for a reason? Maybe the RFC isn't just trying to make life hard on us? Don't think there is a security problem with using the "reserved" addresses, but as they are actually the "this host" and "broadcast" addresses you might find other problems (probably won't since it seems to be some implementation confusion in this area?). /Martin O.G. 
Fredriksson

From firewalls-owner Thu Feb 2 08:35:49 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA12162 for firewalls-outgoing; Thu, 2 Feb 1995 07:30:07 -0800
Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA12157; Thu, 2 Feb 1995 07:30:03 -0800
Received: from smtpgate.gannett.com by relay1.UU.NET with SMTP id QQybiz21122; Thu, 2 Feb 1995 10:28:10 -0500
Received: by smtpgate.gannett.com with Microsoft Mail id <2F312444@smtpgate.gannett.com>; Thu, 02 Feb 95 10:28:20 PST
From: "Robertson, Paul"
To: firewalls@greatcircle.com, firewalls-owner@GreatCircle.COM, "Wright, Robert"
Subject: Prevention of LOCAL spoofing/duplicate I
Date: Thu, 02 Feb 95 10:26:00 PST
Message-ID: <2F312444@smtpgate.gannett.com>
Encoding: 22 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[snip]
>We had an incident recently where someone used the same IP address on a
>machine
>(a PC running winsock) as one of our fileservers... nevertheless, the
>fileserver spazzed out, NFS went completely awry, and we were forced to
>start rebooting clients and the server to get things back to normal.
>
>Besides going to 10BaseT (star configuration, intelligent hubs that only
>pass the proper IP address to the client connected to that leg of the hub)
>Is there any way to prevent this? ANYONE can edit their Winsock configuration
>and make the IP address the same, and really hose your network... And this
>is internally... How do you prevent this, short of spending TONS of money
>on new hubs?
>
> -jna

1. Put your production boxes on their own subnet.
2. Bootp your users.

Before anyone says anything, bootp doesn't STOP them from using a valid address, but it will stop them from doing so "accidentally".
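One way to notice the duplicate-address incident quoted above while it is happening, as an added example that is not from the list: a watcher on the production segment records sender IP/MAC pairs from ARP traffic and alerts when an address turns up with a second hardware address. The ARP records and the known-binding table below are constructed; point 1 above (a separate production subnet) is what keeps that segment small enough to watch.

```python
"""Duplicate-IP detection from passively observed ARP traffic.

Added example, not from the list. The records are constructed: what a
sniffer on the production subnet might log as (time, sender IP, sender MAC)
from each ARP request or reply it sees.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ArpSeen:
    ts: str      # time of the observation
    ip: str      # sender protocol address in the ARP packet
    mac: str     # sender hardware address in the ARP packet


# Constructed: the fileserver owns 192.0.2.10; later a PC with a different
# MAC starts claiming the same address (the "PC running winsock" case).
OBSERVED = [
    ArpSeen("06:25:01", "192.0.2.10", "08:00:20:aa:bb:cc"),  # fileserver
    ArpSeen("06:25:02", "192.0.2.21", "00:00:c0:11:22:33"),  # a PC
    ArpSeen("06:25:09", "192.0.2.10", "08:00:20:aa:bb:cc"),  # fileserver again
    ArpSeen("06:26:40", "192.0.2.10", "00:00:c0:44:55:66"),  # second host, same IP
    ArpSeen("06:26:41", "192.0.2.22", "00:00:c0:77:88:99"),
]

# Constructed: IP -> MAC bindings for production hosts (what BOOTP hands out,
# or a hand-maintained table of the servers that must never move).
KNOWN = {"192.0.2.10": "08:00:20:aa:bb:cc"}


def conflicts(records: List[ArpSeen]) -> Dict[str, Set[str]]:
    """Return {ip: {mac, ...}} for every IP seen with more than one MAC."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        seen[r.ip].add(r.mac.lower())
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


def alerts(records: List[ArpSeen], known: Dict[str, str]) -> List[str]:
    """One alert line per conflicting IP, naming the MAC(s) that do not match
    the known binding (all of them if the IP is not in the table) and the
    first time an unexpected MAC was seen with that address."""
    out = []
    for ip, macs in conflicts(records).items():
        legit = known.get(ip, "").lower()
        intruders = sorted(m for m in macs if m != legit)
        first = next(r.ts for r in records
                     if r.ip == ip and r.mac.lower() in intruders)
        who = "production host" if legit else "unregistered address"
        out.append(f"{first} DUPLICATE-IP {ip} ({who}): "
                   f"unexpected {', '.join(intruders)}")
    return out


if __name__ == "__main__":
    for line in alerts(OBSERVED, KNOWN):
        print(line)
```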
From firewalls-owner Thu Feb 2 08:56:22 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA13512 for firewalls-outgoing; Thu, 2 Feb 1995 08:42:43 -0800 Received: from brandx.cs.ohiou.edu (brandx.cs.ohiou.edu [132.235.1.242]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA13507 for ; Thu, 2 Feb 1995 08:42:40 -0800 Received: by brandx.cs.ohiou.edu (5.59/25-eef) id AA02403; Thu, 2 Feb 95 11:41:42 EST From: C Matthew Curtin Message-Id: <9502021641.AA02403@brandx.cs.ohiou.edu> Subject: Re: unsuscribe firewalls To: firewalls@greatcircle.com Date: Thu, 2 Feb 95 11:41:39 EST In-Reply-To: ; from "Kalpesh Unadkat" at Feb 2, 95 8:58 am X-Mailer: ELM [version 2.3 PL0] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Yet Another Person(tm) wrote: > unsuscribe firewalls Hey Brent, maybe you should have your filter look for "unsuscribe" as well as "unsubscribe"... :-/ I can't figure out how that mistake is so popular... "s" and "b" aren't even close to each other, and I can't imagine anyone actually pronouncing "unsubscribe" as "unsuscribe"... Sigh. 
-matt From firewalls-owner Thu Feb 2 09:29:23 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA13685 for firewalls-outgoing; Thu, 2 Feb 1995 08:52:39 -0800 Received: from brandx.cs.ohiou.edu (brandx.cs.ohiou.edu [132.235.1.242]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA13674 for ; Thu, 2 Feb 1995 08:52:34 -0800 Received: by brandx.cs.ohiou.edu (5.59/25-eef) id AA02436; Thu, 2 Feb 95 11:51:38 EST From: C Matthew Curtin Message-Id: <9502021651.AA02436@brandx.cs.ohiou.edu> Subject: re:IBM Firewall Solution To: firewalls@greatcircle.com Date: Thu, 2 Feb 95 11:51:34 EST In-Reply-To: <2F31198D@SMTPGATE.VIACOM.COM>; from "Bai, Mario" at Feb 2, 95 9:42 am X-Mailer: ELM [version 2.3 PL0] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > We evaluated the IBM product, NetSP, and unfortunately found that it did not > fit our needs. It had several problems, the one glaring drawback was that > it included the full operating system of AIX, and did not seem very secure. Obviously, to run more services than what you need to support is a bad idea for a firewall, but couldn't the unwanted services just be switched off? AIX, as annoying as it is until you get it figured out, actually has some security features that could be useful for a secure machine. I've found that the limitations of the user/group/other-type permissions are easy to get around in AIX, through the use of its ACLs. What other Unix implementations have such flexible management of their extended inodes? I can't think of any off of the top of my head. My question is: "Wouldn't AIX be a good OS choice for a Unix-based firewall?" I'm curious why people use the OSes that they do for firewall implementation. 
-matt From firewalls-owner Thu Feb 2 09:45:20 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA13657 for firewalls-outgoing; Thu, 2 Feb 1995 08:52:09 -0800 Received: from blackhole.milkyway.com (milkyway.com [198.53.167.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA13645 for ; Thu, 2 Feb 1995 08:52:05 -0800 Received: from localhost (uucp@localhost) by blackhole.milkyway.com (8.6.5/8.6.6) id LAA12377 for ; Thu, 2 Feb 1995 11:54:58 -0500 Received: from jupiter.milkyway.com(192.168.77.9) by internet.milkyway.com via smap (V1.3) id smaa12374; Thu Feb 2 11:54:45 1995 Received: from starbuck.milkyway.com.milkyway.com (calisto.milkyway.com [192.168.77.2]) by jupiter.milkyway.com (8.6.7/8.6.6) with SMTP id LAA04393 for ; Thu, 2 Feb 1995 11:54:26 -0500 Received: by starbuck.milkyway.com.milkyway.com (4.1/SMI-4.1) id AA18633; Thu, 2 Feb 95 11:54:03 EST To: firewalls@GreatCircle.COM Path: not-for-mail From: mcr@milkyway.com (Michael Richardson) Newsgroups: milkyway.mail.firewalls Subject: Re: Test labs Date: 2 Feb 1995 11:54:02 -0500 Organization: Milkyway Networks Corporation Lines: 18 Distribution: milkyway Message-Id: <3gr2na$i66@calisto.milkyway.com> References: <9502011750.AA03735@brittany.oes.amdahl.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In article <9502011750.AA03735@brittany.oes.amdahl.com>, Patrick Horgan wrote: >just one of our internal networks. That means I can sit in my office and >be a "bad guy"TM :) I've found myself wanting more serial ports on my desk, and have pulled some wiring from my desk to the lab so I can do RS-232 consoles on the firewall, victim, attacker, etc... Real hard to monitor three machines, all of which refuse telnet connections :-) expect is also really useful for automating attacks. -- :!mcr!: | Milkyway Networks Corporation Michael Richardson | Makers of the Black Hole firewall NCF: aa714 || xx714 | +1 613 566-4574 ... 
mcr@milkyway.com Home: mcr@sandelman.ocunix.on.ca. PGP key available.

From firewalls-owner Thu Feb 2 09:59:52 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA14292 for firewalls-outgoing; Thu, 2 Feb 1995 09:28:19 -0800
Received: from wolfe.wimsey.com (root@wolfe.wimsey.com [198.162.16.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA14287 for ; Thu, 2 Feb 1995 09:28:08 -0800
Received: by wolfe.wimsey.com (Smail3.1.28.1 #31) id m0ra5Hq-0000ZxC; Thu, 2 Feb 95 09:25 PST
Received: by ilinx.com (/\oo/\ Smail3.1.29.1 #29.6) id ; Thu, 2 Feb 95 09:04 PST
Message-Id:
Received: by miro.ilinx.com id ; Thu, 2 Feb 95 09:04:08 -0800
From: brian@imcon.ilinx.com
To: morgan@engr.uky.edu
Subject: Re[2]: tweaking PC setups for TCP/IP
Cc: firewalls@greatcircle.com
Date: Thu, 2 Feb 1995 09:04:08 -0700 (PST)
X-Mailer: Ishmail 1.0-hp-941109 Available via anonymous ftp from ftp.halsoft.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

from the quill of morgan@engr.uky.edu (Wes Morgan)
>
> When presented with this problem (in an educational environment, no less;
> lots of folks keen to play with config files), we simply required (read:
> dictated) that any TCP/IP apps had to come from the server. On the
> server, all apps/config files were read-only configured for BOOTP.

Yes, that's what we do as well, but it does not prevent somebody knowledgeable enough from changing the TCP/IP config from getting the IP address from a bootp packet to "user entered" with the software we use. How do you manage to prevent that kind of change??

b.
--
Brian J. Murrell                  brian@ilinx.com
InterLinx Support Services, Inc.  brian@wimsey.com
North Vancouver, B.C.
604 983 UNIX Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD From firewalls-owner Thu Feb 2 10:26:02 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA14249 for firewalls-outgoing; Thu, 2 Feb 1995 09:25:45 -0800 Received: from charon.cargill.com (charon.cargill.com [157.239.225.225]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA14242 for ; Thu, 2 Feb 1995 09:25:35 -0800 From: jim_bostwick@cargill.com Received: by charon.cargill.com; (5.65/1.1.8.2/22Jun94-0316PM) id AA09667; Thu, 2 Feb 1995 11:23:48 -0600 Received: from merlin.res.cargill.com(157.239.3.126) by charon.cargill.com via smap (V1.3mjr) id sma009665; Thu Feb 2 11:23:39 1995 Received: from localhost by merlin.res.cargill.com; (5.65/1.1.8.2/14Jun94-1223PM) id AA00446; Thu, 2 Feb 1995 11:23:38 -0600 Message-Id: <9502021723.AA00446@merlin.res.cargill.com> To: Firewalls@greatcircle.com Cc: jim_bostwick@cargill.com Subject: Re: login/password attacks (fwd) Date: Thu, 02 Feb 95 11:23:38 -0600 X-Mts: smtp Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Michel Lavondes writes on 31 Jan: >brian@imcon.ilinx.com wrote : >> To: jon@nytimes.com > ^^^^^^^^^^^ >> Cc: firewalls@greatcircle.com, gordy@nytimes.com, stan@nytimes.com > ^^^^^^^^^^^ ^^^^^^^^^^^> > >Isn't it time we stop providing the NY Times folks with free info ? 
If >they want to do a follow-up story let'em dig the facts themselves :-) ; Thu, 2 Feb 1995 08:12:32 -0800 Received: (from ellozy@localhost) by netman-mel.dfci.harvard.edu (8.6.9/8.6.6) id LAA24019 for firewalls@GreatCircle.com; Thu, 2 Feb 1995 11:10:45 -0500 From: Mohamed Ellozy Message-Id: <199502021610.LAA24019@netman-mel.dfci.harvard.edu> Subject: Compiling S/Key on Solaris hosts To: firewalls@GreatCircle.com Date: Thu, 2 Feb 1995 11:10:45 -0500 (EST) Reply-To: ellozy@dfci.harvard.edu X-Organization: Dana-Farber Cancer Institute X-phone: 617-632-3034, 617-632-3425 X-Mailer: ELM [version 2.4 PL22] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1061 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Mohamed Ellozy writes > > Has anyone modified S/Key to get it to compile under Solaris 2.X? > > There are a bunch of problems in skeysubr.c, all involving ioctl's, > and I would love to avoid having to read through the old BSD manuals > to understand what is going on, then through the SVR4 manuals to learn > how to replace them! > > Thanks. > > Mohamed The problem exists with the "original" Bellcore version of S/Key, which lives on thumper.bellcore.com in pub/nmh/skey. There are two other versions in pub/nmh, one labelled crimelab.com.1.1 and the other in subdirectory nrl labelled skey.md5. The crimelab version compiles cleanly on Solaris. Thanks to: Mats Akerberg (mats@exodata.se) emailed me the tar file Hal Pomeranz pointed me to crimelab Adam Shostack pointed me to logdaemon Mohamed PS: I never cease to be amazed by the prompt support I get on "free and therefore unsupported" software. I send my call for help out at 8 AM, and by 10 I had three replies. By 11 the stuff was compiled. 
From firewalls-owner Thu Feb 2 10:33:58 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA13434 for firewalls-outgoing; Thu, 2 Feb 1995 08:38:58 -0800 Received: from relay.tandy.com (relay.Tandy.COM [139.60.210.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA13415 for ; Thu, 2 Feb 1995 08:38:43 -0800 Received: from tcgw.tandy.com by relay.tandy.com (5.65/3.1.090690) id AA18005; Thu, 2 Feb 95 10:28:34 -0600 Received: from abacus.tis.tandy.com by tcgw.tandy.com (5.65/3.1.090690) id AA00078; Thu, 2 Feb 95 10:24:52 -0600 Received: by abacus.tis.tandy.com (931110.SGI/930416.SGI) for firewalls@greatcircle.com id AA19913; Thu, 2 Feb 95 10:24:34 -0600 From: criney1@abacus.tis.tandy.com (Chris Riney) Message-Id: <9502021624.AA19913@abacus.tis.tandy.com> Subject: Re: Supply-side spoofing prevention To: firewalls@greatcircle.com Date: Thu, 2 Feb 1995 10:24:34 -0600 (CST) In-Reply-To: <9502021455.AA11470@matrix.cray.com> from "Bryan Koch" at Feb 2, 95 08:55:09 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 1233 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > > Excellent point. We're all concerned with INbound spoofing (because > > they harm US and represent a threat to US), but how many of us filter > > OUTbound spoofing? > > > > Probably damned few of us. > > > > I mean, who'd want to go to the extra trouble to complicate our access lists > > with entries that do nothing to protect us and just slow down our routers? > > We have always filtered outbound packets to ensure that they originate > on our assigned networks. > > Bryan Koch > Cray Research > So do we. It kind of helps when you have groups that insist on using an unregistered (at least not to them/US) IP address range (Not that we have anybody doing this currently). I also think that our service provider also has a filter on their side to restrict US to registered (with them) IP Subnets. 
At least when we configured the service, they wanted to know what Subnets we wanted/needed to have access from our site. ========================================================================== Chris Riney E-mail: chris.riney@tandy.com Tandy Information Services Tandy Technology Sqr, Suite 200 Fort Worth, TX 76102 Phone: 817/878-0308; 8:00am-5:00pm CST,Mo-Fr From firewalls-owner Thu Feb 2 10:51:09 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA14081 for firewalls-outgoing; Thu, 2 Feb 1995 09:15:20 -0800 Received: from relay1.pipex.net (relay1.pipex.net [158.43.128.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA14069 for ; Thu, 2 Feb 1995 09:15:17 -0800 From: Keith.McCabe@ranplc.co.uk Received: from othello (actually host othello.ranplc.co.uk) by bath.pipex.net with SMTP (PP); Thu, 2 Feb 1995 17:13:13 +0000 Received: by othello; (5.65/1.1.8.2/15Jan95-8.2MPM) id AA10989; Thu, 2 Feb 1995 17:15:06 GMT Received: from osf1(193.133.99.100) by othello.ranplc.co.uk via smap (V1.3) id sma010984; Thu Feb 2 17:14:52 1995 Received: by ranplc.co.uk; id AA17001; Thu, 2 Feb 1995 17:13:52 GMT Received: by (5.0/SMI-SVR4) id AA00443; Thu, 2 Feb 1995 17:12:05 +0000 Date: Thu, 2 Feb 1995 17:12:05 +0000 Message-Id: <9502021712.AA00443@> To: Firewalls@greatcircle.com Subject: Gateway services menu Content-Length: 1220 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I was wondering if anyone has implemented a 'Gateway Services Menu' of the kind described by Cheswick & Bellovin (p100 Firewalls and Internet Security) on a FWTK gateway. Basically, the menu allows users to get at facilities like ping, traceroute and dig without actually having accounts on the gateway. The menu runs in a shell script and is spawned when users on a trusted internal network access a specified port on the gateway via telnet. netacl/tcpd provides the necessary network filtering of course. 
What seems to be required is a version of telnetd that accepts an argument of the script to spawn and I guess it needs some of the 'login' code cut out of it. Does anyone know of such a beast or am I misunderstanding what is required?

Sorry if this has been asked umpteen times before.

********************************************************************************
Keith S McCabe                     email: Keith.McCabe@ranplc.co.uk
Unix System Administrator          phone: +44 71 374 4841
Rolfe & Nolan                      fax:   +44 71 374 0732
1/9 City Road
London EC1Y 1AA
********************************************************************************

From firewalls-owner Thu Feb 2 10:56:48 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA14005 for firewalls-outgoing; Thu, 2 Feb 1995 09:10:10 -0800 Received: from blackhole.milkyway.com (milkyway.com [198.53.167.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA13998 for ; Thu, 2 Feb 1995 09:10:05 -0800 Received: from localhost (uucp@localhost) by blackhole.milkyway.com (8.6.5/8.6.6) id MAA12414 for ; Thu, 2 Feb 1995 12:12:58 -0500 Received: from jupiter.milkyway.com(192.168.77.9) by internet.milkyway.com via smap (V1.3) id sma012412; Thu Feb 2 12:12:44 1995 Received: from starbuck.milkyway.com.milkyway.com (calisto.milkyway.com [192.168.77.2]) by jupiter.milkyway.com (8.6.7/8.6.6) with SMTP id MAA04517 for ; Thu, 2 Feb 1995 12:12:39 -0500 Received: by starbuck.milkyway.com.milkyway.com (4.1/SMI-4.1) id AA18717; Thu, 2 Feb 95 12:12:11 EST To: firewalls@greatcircle.com Path: not-for-mail From: mcr@milkyway.com (Michael Richardson) Newsgroups: milkyway.mail.firewalls Subject: Re: Some questions Date: 2 Feb 1995 12:12:10 -0500 Organization: Milkyway Networks Corporation Lines: 17 Distribution: milkyway Message-Id: <3gr3pa$i8q@calisto.milkyway.com> References: <00614.2874582503.3321@ecofin.uucp> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In article <00614.2874582503.3321@ecofin.uucp>, John B*hrer
wrote:
>4) Subnets: Class-A's were gone long ago, and a mere mortal can't get a
>Class-B, so we "grass roots" administrators must put up with a single
>Class-C address for our sites. Of course I need sub-networks, but the

If you are using application level proxies, then your internal network doesn't have to be routable from the outside. You can use whatever networks you like. There are several networks (some Bs, a bunch of Cs, and I think an A) that are set aside for these kinds of "autonomous" networks.

--
  :!mcr!:            |  Milkyway Networks Corporation
  Michael Richardson |  Makers of the Black Hole firewall
 NCF: aa714 || xx714 |  +1 613 566-4574 ... mcr@milkyway.com
 Home: mcr@sandelman.ocunix.on.ca. PGP key available.

From firewalls-owner Thu Feb 2 11:20:12 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA13884 for firewalls-outgoing; Thu, 2 Feb 1995 09:02:07 -0800 Received: from blackhole.milkyway.com (milkyway.com [198.53.167.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA13879 for ; Thu, 2 Feb 1995 09:02:04 -0800 Received: from localhost (uucp@localhost) by blackhole.milkyway.com (8.6.5/8.6.6) id MAA12405 for ; Thu, 2 Feb 1995 12:04:58 -0500 Received: from jupiter.milkyway.com(192.168.77.9) by internet.milkyway.com via smap (V1.3) id sma012403; Thu Feb 2 12:04:43 1995 Received: from starbuck.milkyway.com.milkyway.com (calisto.milkyway.com [192.168.77.2]) by jupiter.milkyway.com (8.6.7/8.6.6) with SMTP id MAA04476 for ; Thu, 2 Feb 1995 12:03:48 -0500 Received: by starbuck.milkyway.com.milkyway.com (4.1/SMI-4.1) id AA18677; Thu, 2 Feb 95 12:03:25 EST To: firewalls@greatcircle.com Path: not-for-mail From: mcr@milkyway.com (Michael Richardson) Newsgroups: milkyway.mail.firewalls Subject: Re: spoofing attack - filtering forged addresses Date: 2 Feb 1995 12:03:24 -0500 Organization: Milkyway Networks Corporation Lines: 28 Distribution: milkyway Message-Id: <3gr38s$i7i@calisto.milkyway.com> References:
<9502012224.AA13075@applied.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In article <9502012224.AA13075@applied.com>, Chris Johnston wrote:
> Lots of people are filtering packets from the "outside" with
>forged "inside" source addresses. Is anyone blocking this spoofing
>attack at origination? That is, packets going from the "inside" to
>the "outside" that claim they are from the "outside"? Can you tell
>if someone from your site is the attacker?

We are blocking packets that arrive on an interface different from the one that the kernel routing tables say an outgoing packet to the originating address would go. Hmm. That sentence isn't very clear.

    if (ifp(src-of-incoming) != route-to(src-of-incoming-as-dest))
        then we are being spoofed.

If there are multiple or extended internal networks, and the (static!) routing table reflects that, then there is no problem. We don't distinguish in the software between protected and public networks. The rule policy determines that.

--
  :!mcr!:            |  Milkyway Networks Corporation
  Michael Richardson |  Makers of the Black Hole firewall
 NCF: aa714 || xx714 |  +1 613 566-4574 ... mcr@milkyway.com
 Home: mcr@sandelman.ocunix.on.ca. PGP key available.
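The two anti-spoofing checks discussed in this thread, Bryan Koch's egress filter ("outbound packets must originate on our assigned networks") and Michael Richardson's reverse-path test above, worked through as an added example. This is not code from the Black Hole firewall or from any poster; the interface names, prefixes and sample packets are constructed for the illustration, and a real filter would consult the kernel's routing table rather than a Python list.

```python
"""Anti-spoofing checks against a static routing table (added example).

Reverse-path test: the interface a packet arrived on must be the one the
routing table would use to reach the packet's source address.
Egress test: a packet leaving on an external interface must carry a
source address from one of the networks assigned to this site.
"""
from ipaddress import ip_address, ip_network

# Constructed static routing table: (destination prefix, outgoing interface).
# Longest matching prefix wins; the default route points at the external link.
ROUTES = [
    (ip_network("0.0.0.0/0"), "ext0"),
    (ip_network("192.0.2.0/24"), "int0"),   # our assigned public /24
    (ip_network("10.0.0.0/8"), "int1"),     # an internal, unroutable net
]

# Networks this site is responsible for; only these may leave via ext0.
ASSIGNED = [ip_network("192.0.2.0/24")]
EXTERNAL_IFACES = {"ext0"}


def route_to(addr):
    """Return the interface the routing table would use to reach addr."""
    addr = ip_address(addr)
    best = None
    for prefix, iface in ROUTES:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def reverse_path_ok(src, in_iface):
    """ifp(src-of-incoming) must equal route-to(src-of-incoming-as-dest)."""
    return route_to(src) == in_iface


def egress_source_ok(src, out_iface):
    """Traffic leaving on an external interface must come from ASSIGNED."""
    if out_iface not in EXTERNAL_IFACES:
        return True
    return any(ip_address(src) in net for net in ASSIGNED)


def classify(pkt):
    """Return 'accept', 'reverse-path-fail' or 'egress-source-fail'."""
    if not reverse_path_ok(pkt["src"], pkt["in"]):
        return "reverse-path-fail"
    if not egress_source_ok(pkt["src"], pkt["out"]):
        return "egress-source-fail"
    return "accept"


# Constructed sample traffic: src, dst, arriving interface, leaving interface.
SAMPLE = [
    {"src": "203.0.113.7",  "dst": "192.0.2.10",  "in": "ext0", "out": "int0"},  # normal inbound
    {"src": "192.0.2.10",   "dst": "203.0.113.7", "in": "int0", "out": "ext0"},  # normal outbound
    {"src": "192.0.2.10",   "dst": "192.0.2.20",  "in": "ext0", "out": "int0"},  # outsider claiming our address
    {"src": "10.1.2.3",     "dst": "203.0.113.7", "in": "int1", "out": "ext0"},  # private source leaking out
    {"src": "198.51.100.5", "dst": "203.0.113.7", "in": "int0", "out": "ext0"},  # inside host forging outside source
]


def audit(packets=SAMPLE):
    """Classify every packet in the sample; one verdict per packet, in order."""
    return [classify(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, audit()):
        print(f"{pkt['in']:>5} -> {pkt['out']:<5} src={pkt['src']:<14} {verdict}")
```

Note that the last sample packet, an inside host forging an outside source address, is caught by the reverse-path test rather than the egress test: as Richardson says, the check does not distinguish protected from public networks, it only asks whether the source could legitimately have arrived on that interface.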
From firewalls-owner Thu Feb 2 11:26:10 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA13465 for firewalls-outgoing; Thu, 2 Feb 1995 08:40:15 -0800 Received: from relay1.pipex.net (relay1.pipex.net [158.43.128.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA13458 for ; Thu, 2 Feb 1995 08:40:08 -0800 Received: from smtpgty.saicuk.co.uk by bath.pipex.net with SMTP (PP); Thu, 2 Feb 1995 16:35:12 +0000 Received: by smtpgty.saicuk.co.uk with Microsoft Mail id <2F3107C6@smtpgty.saicuk.co.uk>; Thu, 02 Feb 95 16:26:46 GMT From: "Johnson-Bryden, Ian" To: "'Firewalls@GreatCircle.COM'" Subject: RE: Internal Networks ( was RE: Network performance ) Date: Thu, 02 Feb 95 16:18:00 GMT Message-ID: <2F3107C6@smtpgty.saicuk.co.uk> Encoding: 105 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Always encouraging to see someone looking at the risk implications BEFORE introducing a new service. Also encouraging to see someone recognising that not every part of the enterprise needs the same level of protection and trying to find out WHICH part needs WHAT protection.

There will probably be a number of people who will say that nothing is appropriate to this forum unless it deals with fine technicality of a firewall, whatever that is. They will probably each have their own narrow (and different) view of what a firewall is. They might also expect you to believe that security for IT networks is a new requirement and that the firewall concept was the first, and still the only, way of providing security.

There is technology which has been available (even commercially) for more than a decade (some of it pre-dates the computer and electricity) which is more effective than the typical firewall and at lower cost in particular circumstances.

Your internal networks MUST be of prime importance. Why spend money protecting something which has NO value?
Why spend money on protection which fails to protect YOU?

If you look at what your networks are and how they work, you will probably find that you need to take some urgent action but that doesn't have to be a firewall (that depends on how you describe what a firewall is).

Most security devices are some form of barrier which controls access to some extent. It doesn't matter much where they sit in a system, but they will obviously be located at a point of access which could be a gateway to another network, or an access/function point within a software application.

However much the media hypes up attacks on Information Highway users, the high percentage of problems are inside the internal networks. Some attacks are only possible with the assistance (deliberate or accidental) of someone inside the internal net.

Given that you are probably going to have to work with a limited budget and address problems in a priority list, the only way you can do that is to analyse the threats and rank them. Thinking 'firewall' for any part of the system is limiting your ability to analyse. There may be much less costly and more effective methods of achieving your objective.

The only problem could be that the person looking at MIS is not the same person who is looking at the Inet links, is not the same person looking at human resources, is not the same person looking at buildings and real estate and so on.

For example, you might have one employee who has a PC connected to a LAN and to other corporate LANs and through them to say the Internet. It could be that what this person does is so sensitive and critical to the corporation that you cannot afford anyone else to access that work. You could implement a sophisticated security system at great cost which would permit this person to communicate with colleagues and even the outside world. A better solution might be total electronic isolation at a greatly reduced cost.
At the other end of the scale, you may have employees whose work is not in any way sensitive or critical. It would not make much sense to impede access for them with a security system which is unnecessary.

One approach is to have a series of internal networks which are protected by their own barriers or are air-gapped from each other (then there is the question of how effective air-gapping is if all internal networks include workstations which can read floppy disks produced by a workstation on another network and what form of safe sex should be practiced).

However, it could be much more cost effective to introduce Multi-Level Secure, MLS, environments which provide the ability to separate users electronically and also allow individual security profiles for every user which are very flexible in configuration and re-configuration, so permitting maximum acceptable access at every level. The technology will not come cheap, but the financial returns from a flexible effective security system can make this very affordable and even profitable.

Because of the way that criteria 'package' assurance and functionality, MLS Operating Systems can also greatly improve the effectiveness of firewalls. The only thing to watch is that covert channel analysis may be a feature of some B1/B1= ( MLS) products but is not a mandated feature.

A number of Internet users have found that typical firewall solutions do not provide adequate assurance for their purposes and have used particular MLS based solutions to introduce manual control over traffic at the gateway. This can greatly impede traffic flows in busy systems but does avoid the need to completely cut the link to Inet. There have been cases where someone following this approach requires all Inet traffic to pass through this customs point because insufficient knowledge exists of internal networks to judge which ones could be connected to the Inet by other means.
Yet another example of a 'system high' approach imposing undue overhead on low/zero sensitivity traffic.

There are also examples of organisations which spend a great deal of time and money on firewall technology on their Inet links but have completely open links to other Information Highways, such as X.25/ISDN, running from the same internal private networks.

Ian J-B
----------
From: firewalls-owner
To: Firewalls
Subject: Internal Networks ( was RE: Network performance )
Date: 01 February 1995 10:49

( To deLurk myself here for a moment, I too have enjoyed the rational tone and expertise on this list from the Wise Ones. )

I am curious if the problems of internal firewalls are appropriate for discussion. Since we at the moment lack a direct Internet connection, my concern has been primarily how to sort out the best ways to deal with some internal networks and services that we have to trust more than others.

From firewalls-owner Thu Feb 2 11:29:42 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA13451 for firewalls-outgoing; Thu, 2 Feb 1995 08:40:02 -0800 Received: from relay1.pipex.net (relay1.pipex.net [158.43.128.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA13443 for ; Thu, 2 Feb 1995 08:39:38 -0800 Received: from smtpgty.saicuk.co.uk by bath.pipex.net with SMTP (PP); Thu, 2 Feb 1995 16:34:46 +0000 Received: by smtpgty.saicuk.co.uk with Microsoft Mail id <2F3107B0@smtpgty.saicuk.co.uk>; Thu, 02 Feb 95 16:26:24 GMT From: "Johnson-Bryden, Ian" To: "'Firewalls@GreatCircle.COM'" Subject: Re: Test labs Date: Thu, 02 Feb 95 14:07:00 GMT Message-ID: <2F3107B0@smtpgty.saicuk.co.uk> Encoding: 139 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

It seems to be true that many enterprises are connecting to the Internet without thinking the case through first, in the same way that some will adopt the types of firewalls discussed on this BBS without thinking through their
security needs. The real reasons for this are frequently that the decisions have been taken at a relatively low management level, at least initially. There is evidence that some enterprises got their first connection in this way and then found a number of benefits which encouraged them to expand coverage, often assuming that all the benefits and risks were considered by someone else when the first link was made. The financial structure of the Internet makes this approach very easy.

In the same way, there are many examples of systems where owners spent the money to implement some form of protection and even paid various people and organisations to test the solution, only to have the security subverted because employees acquired other undisclosed connections (to avoid the restrictions imposed by the security system), and opened back doors into the internal networks.

Most of the arguments for not spending money on Internet security have been used for generations in other areas. Health & Safety regulations have been introduced because manufacturers claimed that they could not justify putting money into training and protective systems in production plants. Aircraft and automotive construction and use regulations have been introduced because manufacturers and users claimed that they could not afford to address safety issues. The same is true of fire prevention and a host of other areas. In each case, legislation was triggered because of a serious incident or a number of serious incidents.

We are just seeing the first tentative stages of legislation in the area of data protection. Environments, such as the Internet, not only make the need for effective legislation imperative, but they also make it more difficult. A comment on this BBS recently mentioned the differences of attitude between Europeans and North Americans in the early meetings to develop the international Common Criteria.
That comment was polite in suggesting that Europeans thought the outline approach too American and Americans thought it too European. Many internal reports after the event were very much more caustic and provincial. Getting agreement between two countries can be difficult and lengthy. The current communications environments are truly international and the only truly international organisation with legislative power and or influence is the United Nations. Having seen how this body deals with other matters it is not best placed to attempt to deal with international communications issues.

For many enterprises using, or about to use, Information Highways such as the Internet, this form of communication will be essential to maintaining their business in exactly the same way that virtually every enterprise, however small, has to install a telephone system of some sort. In some industries, it is already a mandatory condition, imposed by customers on suppliers, that they are connected to one of the public networks to permit electronic trading. Therefore, love it or hate it, connection is inevitable. In that situation, an enterprise cannot afford not to connect if it wants to survive and prosper (As an historical footnote, Strowger would not have invented an affordable automatic telephone switch had it not been for a security issue. Like other businessmen, he could not afford to be without a telephone, but he found that he was losing business because the operators in his area were accepting 'commissions' from competitors to direct business to them. His solution was to automate and remove the human from the switching centre. Ironically, some large Internet users have found that the common forms of firewall are inadequate for their situations and have started to introduce a manually controlled barrier because the human is more trustworthy than the automatic switch).

Having made the connection, lack of security could result in an attack which causes the enterprise to fail.
Given that risk, the cost of adequate security is insignificant. Where an enterprise feels that it can buy a firewall but can't afford to use tested components or have the resulting system tested, it is really saying that it is entirely trusting the supplier and if it is cutting financial corners in this way, it may well have failed to produce an accurate brief for the supplier, therefore making an adequate solution virtually impossible to achieve.

All too often, the approach is similar to someone rushing out to buy a popular suit of armour and spending a lot of time trying to enhance it, when the best answer might be to buy a machine gun, or learn to run fast.

In an ideal world, security would only be provided by people who have been carefully screened and every element is checked and re-checked by different people. Governments have done this for centuries and there are still examples of security vetting system failures. Many companies assume that careful vetting and testing can only be done on and by their own direct employees. That is probably wrong because even experienced vetting agencies fail to spot every danger sign and in the IT environment technology and threats move rapidly making it difficult for the user to keep up with every change and run his own business. External specialists are frequently best placed to deal with the changing environment and may prove much more reliable than direct employees.

For those people who want to carry out their own tests there is a growing range of commercially available test suites. There are also organisations which provide dial-in test suites and this may be a growth industry.

In the final analysis it all comes down to how you measure costs and what you think prices mean. Human nature tends to ignore threats until they become incidents. What looks like a low price today may prove a high cost tomorrow.
Ian J-B
----------
From: firewalls-owner
To: firewalls
Subject: Re: Test labs
Date: 01 February 1995 15:54

] From firewalls-owner@GreatCircle.COM Wed Feb 1 15:30:53 1995
] To: firewalls-owner@greatcircle.com
] Cc: firewalls@greatcircle.com
] Subject: Re: Test labs
] From: "Frank Byrum"
] X-Mts: smtp
] Sender: firewalls-owner@GreatCircle.COM
] Precedence: bulk
] Content-Length: 696
] X-Lines: 16
]
] Padgett writes:
]
] >Oh I agree, now everyone out there whose organization *has* a dedicated
] >test lab for firewalls, please stand up...

Doesn't everybody else call theirs the "production" net? :-)

To be serious, I get the impression that -- for many organizations -- Internet is worth paying for for all the obvious benefits, but if the proper (organization specific) security measures are instated with all the attendant redundancy and test facilities, it's too expensive to justify. I don't know of any Fortune 500 folks by name, but the reluctance to do it right seems not to know size boundaries....

Marty
--
This article was probably forged -- unless it has a PGP signature, *I* wouldn't trust its authenticity. Why should you? Finger mjs@shannon.com for PGP public key, or get it from any keyserver. Remember: sign your own key; spread the web of trust; trust no text lacking a PGP signature. Paranoia? Ask the NSA....

From firewalls-owner Thu Feb 2 11:37:12 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA14091 for firewalls-outgoing; Thu, 2 Feb 1995 09:15:57 -0800 Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA14085 for ; Thu, 2 Feb 1995 09:15:51 -0800 Received: (from fc@localhost) by all.net (8.6.9/8.6.9) id MAA21070 for firewalls@GreatCircle.COM; Thu, 2 Feb 1995 12:11:26 -0500 From: "Dr. Frederick B.
Cohen" Message-Id: <199502021711.MAA21070@all.net> Subject: searching Firewalls digest To: firewalls@GreatCircle.COM Date: Thu, 2 Feb 1995 12:11:19 -0500 (EST) X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 306 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I have noticed that some users are trying to access the firewalls search without going through our home page. Unfortunately, the lower level files involved in our W3 server change often. Please use the http://all.net:8080 address to access the firewalls search - all else is subject to change.

FC

From firewalls-owner Thu Feb 2 11:39:20 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA12954 for firewalls-outgoing; Thu, 2 Feb 1995 08:17:32 -0800 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA12949 for ; Thu, 2 Feb 1995 08:17:27 -0800 From: ted.doty@nsco.network.com Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA15605; Thu, 2 Feb 95 11:15:04 -0500 Date: Thu, 2 Feb 95 11:15:04 -0500 Message-Id: <9502021615.AA15605@uvs1.orl.mmc.com> To: padgett@tccslr.dnet.mmc.com Cc: "firewalls@greatcircle.com"@uvs1.dnet.mmc.com Subject: Re: Network Performance Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Padgett writes:
>I rote:
>> For the most part, a good PC is only capable of about 160 kbps max (and I see
>> many operating at about 60kbps - at that a 56kbps line could just about
>> keep up with one user.
>
>Dave (and several others) responded:
>>I've just finished installing a bunch of NT boxes on a trading floor,
>>and believe me, a PCI bus Pentium box is more than able to eat or
>>generate 900k a second and still have time to do other stuff.
>
>OK, OK, let me elaborate: What I was referring to was the typical
>transfer rate between a workstation with a corporate standard ISA NIC (the
>bottleneck) and a file server.
>Certainly just about any good CPU and a PCI
>or VESA bus NIC can do more but now you are talking real money for the NIC.

When I trashed windows on my Compaq 486/66 and loaded Linux, my FTP thruput went from under 1 Mbps to over 5 Mbps. If you do transfers to /dev/null, you get over 6.5 Mbps. Not too bad for a weeny PC.

- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation   | phone: +1 301 596-2270
8965 Guilford Road, Suite 250           | fax:   +1 410 381-3320
Columbia, MD, 21046 USA                 | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental.

From firewalls-owner Thu Feb 2 11:42:36 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA14350 for firewalls-outgoing; Thu, 2 Feb 1995 09:32:42 -0800 Received: from relay1.fnet.fr (relay1.fnet.fr [192.134.192.129]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA14342 for ; Thu, 2 Feb 1995 09:32:37 -0800 Received: from isoftfr.UUCP by relay1.fnet.fr (5.65c8d/92.02.29) via Fnet/EUnet-France id AA18658; Thu, 2 Feb 1995 18:28:00 +0100 (MET) Received: by isoftfr.isoft.fr, Thu, 2 Feb 95 17:35:45 +0100 Date: Thu, 2 Feb 95 17:35:45 +0100 From: isoftfr!beru%isoftfr.isoft.fr (Hubert Gayet) Message-Id: <9502021635.AA24041@isoftfr.isoft.fr> To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

unsuscribe firewalls

From firewalls-owner Thu Feb 2 12:00:07 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA13209 for firewalls-outgoing; Thu, 2 Feb 1995 08:30:11 -0800 Received: from bwh.harvard.edu (bwh.harvard.edu [134.174.81.34]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA13203 for ; Thu, 2 Feb 1995 08:30:08 -0800 Received: from hermes.bwh.harvard.edu (hermes.bwh.harvard.edu
[134.174.81.39]) by bwh.harvard.edu (8.6.9/8.6.9) with ESMTP id LAA27289; Thu, 2 Feb 1995 11:27:35 -0500 From: Adam Shostack X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School Received: from localhost (adam@localhost) by hermes.bwh.harvard.edu (8.6.4/8.6.4) id LAA15034; Thu, 2 Feb 1995 11:30:43 -0500 Message-Id: <199502021630.LAA15034@hermes.bwh.harvard.edu> Subject: Re: IBM Firewall Solution To: adam@tripcom.com (Adam Horwitz) Date: Thu, 2 Feb 1995 11:30:42 -0500 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: <199502020626.AAA17482@vger.tripcom.com> from "Adam Horwitz" at Feb 2, 95 00:26:01 am X-PGP: 876BD629 Fingerprint: 70 93 32 D6 36 D4 04 10 40 EC AB 28 A4 1D 0F E2 X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 256 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

| A customer has mentioned that IBM has a firewall solution. Does
| anyone know anything about it?

We discussed this a little around Jan 9; check the archives.

Adam
--
"It is seldom that liberty of any kind is lost all at once."
                                                        -Hume

From firewalls-owner Thu Feb 2 12:02:00 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA14380 for firewalls-outgoing; Thu, 2 Feb 1995 09:34:26 -0800 Received: from gatekeeper.nytimes.com (gatekeeper.nytimes.com [199.181.175.201]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA14375; Thu, 2 Feb 1995 09:34:22 -0800 Received: from mailgate.nytimes.com by gatekeeper.nytimes.com; (5.65/1.1.8.2/22Jul94-0844AM) id AA25499; Thu, 2 Feb 1995 12:35:18 -0500 Received: by mailgate.nytimes.com; (5.65/1.1.8.2/25Jul94-1134AM) id AA19120; Thu, 2 Feb 1995 12:32:34 -0500 Date: Thu, 2 Feb 1995 12:32:32 -0500 (EST) From: Gordy Thompson To: firewalls@greatcircle.com Cc: smb@research.att.com, Umesh_Reghuram@notes.pw.com, jon@nytimes.com, Brent@greatcircle.com, lavondes@tidtest.total.fr Subject: "Lurking Reporters" (Was Re: login/password attacks) In-Reply-To: <199502010230.SAA10747@miles.greatcircle.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Tue, 31 Jan 1995 smb@research.att.com wrote:

[bulk of _excellent_ summary of the issue deleted for brevity.]

>
> In short -- I see nothing wrong with occasional questions on this list
> from reporters. I say ``occasional'' only because too many would be
> noise for a focused list like this; on netnews, the sky's the limit.
>
> --Steve Bellovin
>
> P.S. It is, of course, worth noting that even newspapers have networking
> needs, and the questions might be coming from someone on the technical
> side of the house. But that doesn't change my answer: if you don't want
> to be quoted, don't say it.

None of the people posting here from "nytimes.com" in recent days are reporters. As Steve surmised, we're on the technical side, in the Systems Department, and we have nothing to do with the newsgathering process.
I have no way of knowing if any of our reporters are lurking on this list; I would tend to doubt it, since I would think a more efficient way to go about covering a huge topic like "the Internet" would be to cultivate solid personal sources who themselves are experts in the field, and stay in touch with _them_. Similarly, if a technical question needed clarification, it would be more likely that the reporter or researcher would try to contact Brent, Steve or one of the recognized leaders in the area rather than just ask the whole list.

In any case, though, the newsroom's policy is never to pick up and print anything from a mailing list or a newsgroup without at least verifying its authenticity; where possible, it's also highly preferable to contact the author directly to make sure the remark isn't being picked up out of context.

Gordy
--
Gordon T. Thompson            gordy@nytimes.com
Manager, Internet Services    212-556-1386
The New York Times            fax: 212-556-1636
The Times and I have an arrangement: Neither of us speaks for the other.
From firewalls-owner Thu Feb 2 12:04:22 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA14959 for firewalls-outgoing; Thu, 2 Feb 1995 10:07:29 -0800 Received: from wolfe.wimsey.com (root@wolfe.wimsey.com [198.162.16.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA14954; Thu, 2 Feb 1995 10:07:21 -0800 Received: by wolfe.wimsey.com (Smail3.1.28.1 #31) id m0ra5uC-0001EcC; Thu, 2 Feb 95 10:05 PST Received: by ilinx.com (/\oo/\ Smail3.1.29.1 #29.6) id ; Thu, 2 Feb 95 09:48 PST Message-Id: Received: by miro.ilinx.com id ; Thu, 2 Feb 95 09:47:54 -0800 From: brian@imcon.ilinx.com To: brian@ilinx.com Subject: Re[2]: Web Browser-Firewall Question (fwd) Cc: frank@prodigy.com, Brent@greatcircle.com, Firewalls@greatcircle.com Date: Thu, 2 Feb 1995 09:47:54 -0700 (PST) X-Mailer: Ishmail 1.0-hp-941109 Available via anonymous ftp from ftp.halsoft.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

from the quill of brian@ilinx.com (Brian J. Murrell)
> I've been looking at this one for a bit, and thought I'd put forth my
> CAN$0.0144. :-) I don't see any problems with executing PS programs
> directly from W3, email, or any of the like. The point is that a PS
> interpreter does not (or should not) run with any more permission than
> that the user invoking it. Therefore they should not be able to
> (inadvertently or not) to do any more damage than as if they wrote a
> shell script.
>
> Please do correct me if I'm incorrect.
>

Well, to follow up on my own posting, I have been enlightened!! That's the beauty of this list.

When I examined the possibilities with regard to PS and interpreters, I was only looking at it from one angle. A person sending along a trojan horse PS program to break a system from the "privileged" point of view.
There are of course many things a non-privileged user can do to weaken security, such as send out the password file, modify their .rhosts file to allow a site from outside to have user equivalency inside, just to name a few.

I was also thinking along the lines that this sort of PS interpretation would be done on a machine on the inside (clean) network which when I install fire-walls, have no "packet-forwarding" abilities to the dirty network.

There is also the malicious cases of the user not knowingly doing damage to their own datafiles such as rm -r in their home-directory. While this is a pain in the butt, I don't hold that situation in as high a priority as the user breaching security inadvertently.

Sounds like what's really needed is "secure" versions of PS interpreters and the like. Ghostscript would be a good place to start. Perhaps a command line switch which prevents the use of "environment-modifying" PS commands, such as the arbitrary file read/write, process invocation, etc.

A very interesting world we live in indeed.

b.
--
Brian J. Murrell                               brian@ilinx.com
InterLinx Support Services, Inc.               brian@wimsey.com
North Vancouver, B.C.
604 983 UNIX
Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD

From firewalls-owner Thu Feb 2 12:05:04 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA14799 for firewalls-outgoing; Thu, 2 Feb 1995 09:56:42 -0800 Received: from concorde.inria.fr (concorde.inria.fr [192.93.2.39]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA14787 for ; Thu, 2 Feb 1995 09:56:32 -0800 Received: from champagne.inria.fr (champagne.inria.fr [128.93.2.15]) by concorde.inria.fr (8.6.9/8.6.9) with ESMTP id SAA12597; Thu, 2 Feb 1995 18:54:45 +0100 Received: from localhost (touvet@localhost) by champagne.inria.fr (8.6.8/8.6.6) with SMTP id SAA21937; Thu, 2 Feb 1995 18:54:44 +0100 Message-Id: <199502021754.SAA21937@champagne.inria.fr> To: C Matthew Curtin Cc: firewalls@greatcircle.com Subject: Re: unsuscribe firewalls In-reply-to: <9502021641.AA02403@brandx.cs.ohiou.edu> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 02 Feb 1995 18:54:43 +0100 From: JC Touvet Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Yet Another Person(tm) wrote:
>
> > unsuscribe firewalls
>
> Hey Brent, maybe you should have your filter look for "unsuscribe" as
> well as "unsubscribe"... :-/
>
> I can't figure out how that mistake is so popular... "s" and "b" aren't
> even close to each other, and I can't imagine anyone actually pronouncing
> "unsubscribe" as "unsuscribe"... Sigh.

Well, maybe they speak French...
Subscribe could be translated to "souscrire" in French (but "insouscrire" doesn't exist ;-)

Cheers,
-JCT-

From firewalls-owner Thu Feb 2 12:33:24 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA17767 for firewalls-outgoing; Thu, 2 Feb 1995 11:46:12 -0800 Received: from suntan.Tandem.com (suntan.tandem.com [192.216.221.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA17748 for ; Thu, 2 Feb 1995 11:45:46 -0800 Received: from adm.loc3.tandem.com by suntan.Tandem.com (4.1/suntan5.940222) for firewalls@greatcircle.com id AA13505; Thu, 2 Feb 95 11:43:06 PST Received: from newshost.loc3.tandem.com (newshost_110.loc3.tandem.com) by adm.loc3.tandem.com (4.1/6main.940209) id AA24767; Thu, 2 Feb 95 11:42:47 PST Received: by newshost.loc3.tandem.com (4.1/6nospool.940209) id AA24407; Thu, 2 Feb 95 11:43:04 PST To: firewalls@tandem.com Path: scott From: scott@tandem.com (mueller_scott) Newsgroups: tandem.lists.firewalls Subject: Re: Prevention of LOCAL spoofing/duplicate IP's? Date: 2 Feb 1995 19:43:03 GMT Organization: Tandem Computers Inc., Cupertino CA Lines: 23 Distribution: tandem Message-Id: <3grck7$nql@newshost.loc3.tandem.com> References: Reply-To: scott@tandem.com Nntp-Posting-Host: zorch.loc3.tandem.com Originator: scott@zorch.loc3.tandem.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In article , "Daniel O'Callaghan" writes:
On Wed, 1 Feb 1995, John Adams wrote:
>Besides going to 10BaseT (star configuration, intelligent hubs that only pass the proper IP address to the client connected to that leg of the hub) Is there any way to prevent this? ANYONE can edit their Winsock configuration and make the IP address the same, and really hose your network... And this is internally... How do you prevent this, short of spending TONS of money on new hubs?
YA non-preventive measure: If you've got root working somewhere, and keep your correct ethernet address information handy, you can publish an arp entry with the correct MAC/IP address pair and blow the troublemaker back *off* the net. (ARP wars, anyone?)

--
Scott Hazen Mueller, Tandem Computers +1 408 285 5762 scott@tandem.com Unix System/Network Administrator, Host-, Post-, News- and Web-Master

From firewalls-owner Thu Feb 2 12:44:12 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA18247 for firewalls-outgoing; Thu, 2 Feb 1995 11:56:08 -0800 Received: from clavin (clavin.uprc.com [144.94.68.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA13782 for ; Mon, 30 Jan 1995 05:49:53 -0800 Received: from cygnus.uprc.com by clavin (4.1/3.2.012693-Union Pacific Resources Company); id AA14407 for firewalls@greatcircle.com; Mon, 30 Jan 95 07:47:31 CST Received: by cygnus.uprc.com (5.0/SMI-SVR4) id AA10223; Mon, 30 Jan 1995 07:47:30 +0600 Date: Mon, 30 Jan 1995 07:47:30 +0600 From: z056716@uprc.com (LaCoursiere J. D. (Jeff)) Message-Id: <9501301347.AA10223@cygnus.uprc.com> To: firewalls@greatcircle.com, gil@checkpoint.com Subject: Re: Firewall-1 and TCP Sequence Number Spoofing X-Sun-Charset: US-ASCII Content-Length: 920 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Please send FireWall-1 specific discussions to the FireWall-1 mailing list.
> You can subscribe by sending a message to majordomo@applicom.co.il,
> with a body "subscribe firewall-1".
>
> -- Gil

Although I appreciate the intent of this message, I find it odd that it would come from a Checkpoint employee right after a somewhat scathing commentary and real-world experience post. I would much rather see more of these evaluations come out in the open so we can all make more intelligent choices. I don't want to get into another "what's good and bad about Firewall-1", but I do not want to see evaluations censored either.
______/ Jeff LaCoursiere FastLane Communications / Network security/services mail info@fastlane.net ___/ lacoursj@fastlane.net / __/ ASTLANE Communications! Connecting America to the Internet...

From firewalls-owner Thu Feb 2 13:07:02 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA18961 for firewalls-outgoing; Thu, 2 Feb 1995 12:07:16 -0800 Received: from gatekeeper.nytimes.com (gatekeeper.nytimes.com [199.181.175.201]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id TAA06319 for ; Mon, 30 Jan 1995 19:23:02 -0800 Received: from mailgate.nytimes.com by gatekeeper.nytimes.com; (5.65/1.1.8.2/22Jul94-0844AM) id AA03533; Mon, 30 Jan 1995 22:25:12 -0500 Received: from [191.254.22.8] by mailgate.nytimes.com; (5.65/1.1.8.2/25Jul94-1134AM) id AA15895; Mon, 30 Jan 1995 22:22:32 -0500 Date: Mon, 30 Jan 1995 22:22:32 -0500 Message-Id: <9501310322.AA15895@mailgate.nytimes.com> X-Sender: jon@mailgate.nytimes.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: jon@nytimes.com (Jon E. Price) Subject: security from proxy-servers??? Cc: stan@nytimes.com, gordy@nytimes.com X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I don't understand how proxy servers add security to a firewall. I understand that they allow for a common place for logging, which can help security, but beyond that I don't understand the advantage.

My best guess is that somehow by keeping track of connections it provides security, but just what does it keep track of, what "bad" things does it prevent, and how does it detect "bad" things?
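Jon's question above is the natural place for a concrete illustration. What follows is an added example, not code from this thread, from the firewalls list, or from any proxy product named on it: a toy policy engine of the kind an application-level proxy runs for every client connection. It shows what such a proxy actually keeps track of (which inside host is asking, where it wants to go, on which service, and how many sessions it already has open) and what it refuses: connections initiated from outside, hairpins back to the inside, destinations on a deny list, a service on the wrong port, and a client exceeding its session cap. Every decision is written to a log line, and an allowed connection is opened by the proxy from its own address, so the far end never sees the internal client's address. The inside network 10.1.0.0/16, the proxy address 192.0.2.10, the service table, the deny list and the session limit are all constructed assumptions, as are the sample requests in the usage block.

```python
"""Added example, not code from this thread or from any product named in it:
a toy policy engine of the kind an application-level proxy runs for every
client connection. It shows concretely what a proxy keeps track of and what
it refuses. All addresses, networks and limits are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.1.0.0/16")        # assumed inside net
PROXY_EXTERNAL_ADDR = "192.0.2.10"                        # assumed proxy address
ALLOWED_SERVICES = {"ftp": 21, "telnet": 23, "http": 80}  # assumed service -> port
DENIED_DESTS = [ipaddress.ip_network("198.51.100.0/24")]  # assumed deny list
MAX_SESSIONS_PER_CLIENT = 3                               # assumed per-client cap


@dataclass
class Request:
    client_ip: str     # address the inside client connects from
    dest_ip: str       # where it asks the proxy to connect
    dest_port: int
    service: str       # protocol the proxy speaks on its behalf


@dataclass
class Decision:
    allowed: bool
    reason: str
    log_line: str
    outbound_src: Optional[str] = None  # address the far end sees, if allowed


@dataclass
class Proxy:
    clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)
    active: Dict[str, int] = field(default_factory=dict)  # client -> open sessions
    log: List[str] = field(default_factory=list)

    def _reject_reason(self, req: Request) -> Optional[str]:
        """Return why a request must be refused, or None if policy permits it."""
        client = ipaddress.ip_address(req.client_ip)
        dest = ipaddress.ip_address(req.dest_ip)
        if client not in INTERNAL_NET:
            return "client not on internal net"          # outside may not initiate
        if dest in INTERNAL_NET:
            return "destination is internal"             # no hairpin back inside
        if any(dest in net for net in DENIED_DESTS):
            return "destination on deny list"
        if ALLOWED_SERVICES.get(req.service) != req.dest_port:
            return "service/port not permitted"          # e.g. http to port 6000
        if self.active.get(req.client_ip, 0) >= MAX_SESSIONS_PER_CLIENT:
            return "per-client session limit reached"
        return None

    def connect(self, req: Request) -> Decision:
        """Evaluate one connection request, log it, and track it if allowed."""
        reason = self._reject_reason(req)
        verdict = "ALLOW" if reason is None else "DENY"
        line = (f"{self.clock().isoformat()} {verdict} {req.client_ip} -> "
                f"{req.dest_ip}:{req.dest_port} {req.service}")
        if reason is not None:
            line += f" ({reason})"
        self.log.append(line)                            # every attempt is recorded
        if reason is not None:
            return Decision(False, reason, line)
        self.active[req.client_ip] = self.active.get(req.client_ip, 0) + 1
        # The outbound leg is opened by the proxy itself, so the far end sees
        # PROXY_EXTERNAL_ADDR and never learns the internal client's address.
        return Decision(True, "permitted by policy", line, PROXY_EXTERNAL_ADDR)

    def disconnect(self, client_ip: str) -> None:
        """Release one of the client's tracked sessions."""
        if self.active.get(client_ip, 0) > 0:
            self.active[client_ip] -= 1


if __name__ == "__main__":
    # Constructed sample requests: one allowed, two refused.
    p = Proxy()
    for r in (Request("10.1.2.3", "203.0.113.5", 80, "http"),
              Request("203.0.113.9", "10.1.2.3", 23, "telnet"),
              Request("10.1.2.3", "203.0.113.5", 6000, "http")):
        p.connect(r)
    print("\n".join(p.log))
```

Run directly, it prints the log for three constructed requests: one allowed HTTP connection, one refused because it was initiated from outside, and one refused because HTTP was requested on port 6000. Caching, which the thread also mentions as a proxy benefit, is left out because it is a performance feature rather than a control.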
From firewalls-owner Thu Feb 2 13:15:51 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA20406 for firewalls-outgoing; Thu, 2 Feb 1995 12:38:11 -0800 Received: from svcs1.digex.net (svcs1.digex.net [204.91.197.224]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA20399 for ; Thu, 2 Feb 1995 12:38:06 -0800 Received: from paragon-systems.com (sundevil.paragon-systems.com) by svcs1.digex.net with SMTP id AA08847 (5.67b8/IDA-1.5 for ); Thu, 2 Feb 1995 15:34:59 -0500 Received: from Paragon-Systems.COM (sandfiddler) by paragon-systems.com (4.1/SMI-4.1) id AA02721; Thu, 2 Feb 95 15:36:11 EST Received: by Paragon-Systems.COM (5.0/SMI-SVR4) id AA00661; Thu, 2 Feb 1995 15:34:29 +0500 Date: Thu, 2 Feb 1995 15:34:29 +0500 From: rmck@sandfiddler.paragon-systems.com (Bob McKisson) Message-Id: <9502022034.AA00661@ Paragon-Systems.COM> To: IJB@saicuk.co.uk Subject: RE: Internal Networks ( was RE: Network performance ) Cc: firewalls@greatcircle.com X-Sun-Charset: US-ASCII Content-Length: 1482 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> From firewalls-owner@GreatCircle.COM Thu Feb 2 14:43 EST 1995
> From: "Johnson-Bryden, Ian"
> To: "'Firewalls@GreatCircle.COM'"
> Subject: RE: Internal Networks ( was RE: Network performance )
> Date: Thu, 02 Feb 95 16:18:00 GMT
> Encoding: 105 TEXT
>
> Always encouraging to see someone looking at the risk implications BEFORE introducing a new service. Also encouraging to see someone recognising that not every part of the enterprise needs the same level of protection and trying to find out WHICH part needs WHAT protection.
>
> There will probably be a number of people who will say that nothing is appropriate to this forum unless it deals with fine technicality of a firewall, whatever that is. They will probably each have their own narrow (and different) view of what a firewall is.
> They might also expect you to believe that security for IT networks is a new requirement and that the firewall concept was the first, and still the only, way of providing security. There is technology which has been available (even commercially) for more than a decade (some of it pre-dates the computer and electricity) which is more effective than the typical firewall and at lower cost in particular circumstances.

Fine! Fine piece of oratory, IJB. So as not to let that sterling piece of wordsmithsmanship go to rack, which one of these bloody firewall companies should I buy stock in?

rmck

From firewalls-owner Thu Feb 2 13:26:57 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA18560 for firewalls-outgoing; Thu, 2 Feb 1995 12:00:43 -0800 Received: from gater3.sematech.org (gater3.sematech.org [192.73.53.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA18555 for ; Thu, 2 Feb 1995 12:00:40 -0800 Received: from gatev3.sematech.org by gater3.sematech.org (8.6.9/F-1.8) with ESMTP id NAA11458; Thu, 2 Feb 1995 13:58:51 -0600 Received: from thecount.eng.sematech.org by GateV1.SEMATECH.Org (PMDF V4.3-10 #5463) id <01HMKRDBD6V49I4G1A@GateV1.SEMATECH.Org>; Thu, 02 Feb 1995 13:58:43 -0600 (CST) Received: from localhost.eng.sematech.org by thecount.eng.sematech.org (8.6.9/I-1.8) with SMTP id NAA26519; Thu, 2 Feb 1995 13:58:40 -0600 Date: Thu, 02 Feb 1995 13:58:38 -0600 From: Quentin Fennessy Subject: Re: IBM Firewall Solution To: C Matthew Curtin Cc: firewalls@greatcircle.com Message-id: <199502021958.NAA26519@thecount.eng.sematech.org> X-Mailer: exmh version 1.5.3 12/28/94 Content-transfer-encoding: 7BIT X-Authentication-Warning: thecount.eng.sematech.org: Host localhost.eng.sematech.org didn't use HELO protocol Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Matthew-

You asked "Wouldn't AIX be a good OS choice for a Unix-based firewall?"
(This is one question out of a 3 paragraph note, but it caught my eye)

I have the misfortune to use AIX for a UNIX based firewall. But I won't do so again. I keep running into flaws in networking and authentication that drive me crazy. The AIX login.cfg auth1 and auth2 facilities look like great stuff, but are broken in practice. This and other facilities are poorly documented.

No, I don't think AIX is a good OS choice for a UNIX based firewall. (Want to see my scars?)

Quentin

(OK, my next generation will be BSDI, or Plan9 -- what about Amoeba?)

From firewalls-owner Thu Feb 2 13:38:42 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA20925 for firewalls-outgoing; Thu, 2 Feb 1995 12:55:29 -0800 Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA20920 for ; Thu, 2 Feb 1995 12:55:19 -0800 From: ted.doty@nsco.network.com Received: from nscultrix2.network.com by nsco.network.com (4.1/1.34) id AA04654; Thu, 2 Feb 95 15:08:50 CST Received: by nscultrix2.network.com (5.57/Ultrix3.0-C) id AA22157; Thu, 2 Feb 95 14:53:26 CST Date: Thu, 2 Feb 95 15:49:23 PST Subject: Re: Prevention of LOCAL spoofing/duplicate IP's? To: firewalls@greatcircle.com X-Mailer: Chameleon - TCP/IP for Windows by NetManage, Inc. Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Scott Mueller writes:
>>Besides going to 10BaseT (star configuration, intelligent hubs that only pass the proper IP address to the client connected to that leg of the hub) Is there any way to prevent this? ANYONE can edit their Winsock configuration and make the IP address the same, and really hose your network... And this is internally... How do you prevent this, short of spending TONS of money on new hubs?
>
>YA non-preventive measure: If you've got root working somewhere, and keep your correct ethernet address information handy, you can publish an arp entry with the correct MAC/IP address pair and blow the troublemaker back *off* the net.

Network System's routers have been able to verify {IP address, Mac Address} pairs since about 1988, and audit any violations of the pairings.

- Ted

--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation | phone: +1 301 596-2270
8965 Guilford Road, Suite 250 | fax: +1 410 381-3320
Columbia, MD, 21046 USA | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental.

From firewalls-owner Thu Feb 2 13:38:57 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA21137 for firewalls-outgoing; Thu, 2 Feb 1995 13:00:23 -0800 Received: from wintermute.imsi.com (wintermute.imsi.com [192.103.3.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA21132 for ; Thu, 2 Feb 1995 13:00:20 -0800 Received: from relay.imsi.com by wintermute.imsi.com id PAA23514; Thu, 2 Feb 1995 15:58:32 -0500 Received: from lorax.imsi.com by relay.imsi.com id PAA13372; Thu, 2 Feb 1995 15:58:31 -0500 Received: from localhost by lorax.imsi.com (4.1/SMI-4.1) id AA24418; Thu, 2 Feb 95 15:58:31 EST Message-Id: <9502022058.AA24418@lorax.imsi.com> To: C Matthew Curtin Cc: firewalls@greatcircle.com Subject: Re: unsuscribe firewalls In-Reply-To: Your message of "Thu, 02 Feb 1995 11:41:39 EST." <9502021641.AA02403@brandx.cs.ohiou.edu> Reply-To: rens@imsi.com Date: Thu, 02 Feb 1995 15:58:30 -0500 From: Rens Troost Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>>>>> "C" == C Matthew Curtin writes:
C> I can't figure out how that mistake is so popular...
C> "s" and "b" aren't even close to each other, and I can't imagine anyone
C> actually pronouncing "unsubscribe" as "unsuscribe"... Sigh.

In New York, that's how we pronounce it!

-Rens

From firewalls-owner Thu Feb 2 13:56:44 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA21939 for firewalls-outgoing; Thu, 2 Feb 1995 13:20:31 -0800 Received: from holmes.sgate.com (holmes.sgate.com [199.171.50.17]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA21898 for ; Wed, 1 Feb 1995 13:46:05 -0800 Received: (from dempstet@localhost) by holmes.sgate.com (8.6.9/8.6.9) id QAA30072; Wed, 1 Feb 1995 16:44:17 -0500 From: Thomas Dempster Message-Id: <199502012144.QAA30072@holmes.sgate.com> Subject: Book on firewalls To: firewalls@GreatCircle.COM Date: Wed, 1 Feb 1995 16:44:16 -0500 (EST) Cc: tomd@tomd.cais.com X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 151 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi, does anyone know a book that could be bought to give an overview of how to set up a firewall?? All help would be appreciated.

Thanks!
Tom Dempster.

From firewalls-owner Thu Feb 2 14:10:50 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA21968 for firewalls-outgoing; Thu, 2 Feb 1995 13:20:43 -0800 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA25461 for ; Wed, 1 Feb 1995 15:28:34 -0800 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA12161; Wed, 1 Feb 95 18:16:49 -0500 Date: Wed, 1 Feb 95 18:16:48 -0500 Message-Id: <9502012316.AA12161@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E.
Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: Getting started Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>which begs the following question: What if someone is just starting out as a consultant, and doesn't *have* any references yet? You are proposing a bit of a catch-22 that keeps the "old boys network" running just fine, but doesn't help the guy who's been in industry jobs forever but now wants to set out on his own.

Well, I am and always have been in "industry jobs" (why this is my hobby), and that has not bothered me. True, I use vacation to go to conferences but this lets me go to the IFIP in Curacao and Defcon in Vegas (I prefer warm climates). Does remind me a bit of the story attributed to Wolfgang Amadeus that ended "..Ah yes, but I didn't have to ask." 8*).

>I'd agree that degrees carry considerably less weight in this particular field than bare-metal experience, wherever said experience came from.

Well, it is an indicator that the person does have perseverance and was at least taught how to think.

>...someone in a suit claiming to be a un*x consultant might already have one strike against him, and he'll have to intelligently discuss a lot of hard technical poop to make up for it. A lot of potential clients may not realize this until told, however -- not realizing that their pick of the slick "professional" over the scruffy Unix hacker may have just hurt them.

Disagree here; Unix theory is only half of the equation. Understanding the "corporate environment" is just as important since the solution must be USED to be effective. In my mind, the technical part is easy; getting management to accept/endorse/require so that it is not "circular filed" the first time there is a difficulty is the hard part.
Called to dinner so must stop,
Padgett

From firewalls-owner Thu Feb 2 14:15:43 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA21987 for firewalls-outgoing; Thu, 2 Feb 1995 13:20:53 -0800 Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA27617 for ; Wed, 1 Feb 1995 16:32:31 -0800 Received: (from fc@localhost) by all.net (8.6.9/8.6.9) id TAA19890; Wed, 1 Feb 1995 19:27:42 -0500 From: "Dr. Frederick B. Cohen" Message-Id: <199502020027.TAA19890@all.net> Subject: Re: Consultant quals To: hobbit@bronze.lcs.mit.edu (*Hobbit*) Date: Wed, 1 Feb 1995 19:27:41 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: <199502010416.XAA10209@bronze.lcs.mit.edu> from "*Hobbit*" at Jan 31, 95 11:16:11 pm X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 5685 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

...
> which begs the following question: What if someone is just starting out as a consultant, and doesn't *have* any references yet? You are proposing a bit of a catch-22 that keeps the "old boys network" running just fine, but doesn't help the guy who's been in industry jobs forever but now wants to set out on his own.

The industry job is a fine reference - in fact, for many clients, it is preferred. The point of references is to allow potential clients to find out what they are risking by paying you to do a job.

> Furthermore, if the field is changing that fast, there may have been a few things one didn't think about or implement in that previous gig, right? Suppose that reference says, "well, that `security consultant' didn't do anything for us about faked source addresses, we got hit anyway, and now we want to sue his sorry butt"??
> It seems to me that more credence should be paid to a discussion about *current* issues between the applicant and the more technical members of the client's staff, with decisions based on the aptness of the consultant's responses. Entertaining backlash to MJR's desert example or hard info about Kerberos at one end of the spectrum, and "walks on water" at the other, or something like that.

A good consultant will tell the client about the limitations of their work and help them understand the true nature of information protection - any consultant that tells you they will solve all your problems is probably not a good person to hire in this field.

> I'd agree that degrees carry considerably less weight in this particular field than bare-metal experience, wherever said experience came from. And in my mind, someone in a suit claiming to be a un*x consultant might already have one strike against him, and he'll have to intelligently discuss a lot of hard technical poop to make up for it. A lot of potential clients may not realize this until told, however -- not realizing that their pick of the slick "professional" over the scruffy Unix hacker may have just hurt them.

Most consulting jobs I encounter require a strong mix of technical and management skills. Most clients already have technical talent or can hire it for very little money. The thing that really turns the trick is understanding both the technical and the management points of view and being able to bridge the gap between them. Even the most technical of consulting jobs require the ability to explain the value of the work to the management people responsible for deciding to use you.

> Emphasis on use of the client's existing resources is definitely good, as it'll be cheaper and points up preexisting knowledge and versatility on the part of the consultant. "You mean our little dialup router box can already packet-filter? Cool!"
> This is another reason I'm leery of all these "turnkey" firewalls, because as someone else put it, security is a *process*. But people are always all too willing to trust a single thing that sounds good on paper, and not think about what might be wrong with it.

You have to be true to your beliefs and try to explain the fact that (a quote from my book on computer viruses - reused in my latest book) "Protection is something you do, not something you buy." Perhaps a good analogy will help you to back that statement up.

> I would not propose any work that wasn't phrased along the lines of "do the work, document everything, and make sure the client understands it and how to make his own changes later". Would this scare a lot of them off? Some people don't want to *understand*, they just want to be spoon-fed warm fuzzies for their money. Go figure. As a techie, I often have some trouble with this...

Most techies make lousy consultants. In most cases, the problem is not that they don't want to know - it is that you don't know how to explain it to them.

> Rens pipes up:
>
> Covering all the bases, and not just the new and interesting ones, is what separates a security practitioner from a security theorist. There are plenty of both.

Of course some of us theorists actually cover far more of the bases than you practitioners who don't understand the underlying reasons that things are the way they are.

> Which harks back a little to the issue of degrees. Ever run into an EE who can't fix his toaster?

I am an EE and I have fixed toasters.

> Actually one of the currently discussed attacks provides a wonderful illustration of there being nothing new under the Sun: the loadable module thing has almost exactly the same effect as that old program that does TIOCSTI on ttys, allowing the attacker to stuff in keystrokes. Apparently the creators and/or subsequent modifiers of "TAP" had forgotten about this one.
> And back when the "stuffer" was written, it even worked without the attacker being root due to bugs in setpgrp() vs. controlling ttys which may *still* work in some OSes, ten years later. Did anyone else think of this, or am I just an old fart?

Lots of us are aware of such things, but we don't usually give it away for free. Another sign of a good consultant - they know the value of their knowledge and charge appropriately for it. In my case, I write books that detail these things and many other consultants read those books to keep up to date.

...
> Oh hell, I guess this means I'm really going to have to read all the CERN code soon. See, I'm not afraid to say "I don't know" when I don't know...

You don't necessarily have to read all of the code to understand the implications. That's where theory and experience come into play.

FC

From firewalls-owner Thu Feb 2 14:33:52 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA24128 for firewalls-outgoing; Thu, 2 Feb 1995 14:04:48 -0800 Received: from EMXCABQ (emxcabq.cabq.gov [143.120.99.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA24123 for ; Thu, 2 Feb 1995 14:04:39 -0800 X400-Received: by mta EMXCABQ in /PRMD=CABQ/ADMD=TELEMAIL/C=US/; Relayed; Thu, 2 Feb 1995 14:53:32 -0700 X400-Received: by mta isdaix.cabq.gov in /PRMD=CABQ/ADMD=TELEMAIL/C=US/; Relayed; Thu, 2 Feb 1995 15:01:30 -0700 X400-Received: by /PRMD=CABQ/ADMD=TELEMAIL/C=US/; Relayed; Thu, 2 Feb 1995 15:01:30 -0700 Date: Thu, 2 Feb 1995 15:01:30 -0700 X400-Originator: stark@cabq.gov X400-Recipients: firewalls@GreatCircle.com X400-MTS-Identifier: [/PRMD=CABQ/ADMD=TELEMAIL/C=US/;0000700001025363000002] X400-Content-Type: P2-1988 (22) Content-Identifier: Re: IBM Firew... From: " (K.
Lee Stark)" Message-ID: <9502022201.AA20467@isdaix.cabq.gov> To: fw-list Cc: stark Subject: Re: IBM Firewall Solution Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Take a look at: http://www.raleigh.ibm.com/nga/ngaprod.html

No endorsement is either expressed or implied, blah, blah, etc., harumph.

L
-----
=============================================================================
K. Lee Stark           | One Civic Plaza NW | +1 505 768 2978
Systems Administrator  | Room 2061          | +1 505 768 4615 fax
City of Albuquerque    | Albuquerque, NM    | stark@cabq.gov
Information Svcs Div   | 87102-2166         |
=============================================================================

From firewalls-owner Thu Feb 2 14:56:26 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA25666 for firewalls-outgoing; Thu, 2 Feb 1995 14:44:17 -0800 Received: from bwh.harvard.edu (bwh.harvard.edu [134.174.81.34]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA25661 for ; Thu, 2 Feb 1995 14:44:14 -0800 Received: from hermes.bwh.harvard.edu (hermes.bwh.harvard.edu [134.174.81.39]) by bwh.harvard.edu (8.6.9/8.6.9) with ESMTP id RAA01098 for ; Thu, 2 Feb 1995 17:41:47 -0500 From: Adam Shostack X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School Received: from localhost (adam@localhost) by hermes.bwh.harvard.edu (8.6.4/8.6.4) id RAA17464 for firewalls@greatcircle.com; Thu, 2 Feb 1995 17:44:55 -0500 Message-Id: <199502022244.RAA17464@hermes.bwh.harvard.edu> Subject: NFS proxy code? To: firewalls@greatcircle.com (Firewalls mailing list) Date: Thu, 2 Feb 1995 17:44:55 -0500 (EST) X-PGP: 876BD629 Fingerprint: 70 93 32 D6 36 D4 04 10 40 EC AB 28 A4 1D 0F E2 X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 175 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Is there an NFS proxy available anywhere?
Please respond to me; I'll summarize.

Adam
--
"It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Thu Feb 2 15:10:15 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA25711 for firewalls-outgoing; Thu, 2 Feb 1995 14:45:30 -0800 Received: from miriworld.its.unimelb.edu.au (miriworld.its.unimelb.EDU.AU [128.250.20.187]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA25703 for ; Thu, 2 Feb 1995 14:45:26 -0800 Received: (from danny@localhost) by miriworld.its.unimelb.edu.au (8.6.9/8.6.9) id JAA10888; Fri, 3 Feb 1995 09:42:14 +1100 Date: Fri, 3 Feb 1995 09:42:13 +1100 (EST) From: "Daniel O'Callaghan" Subject: ARPWATCH: ( was Re: Prevention of LOCAL spoofing/duplicate IP's To: Robert Hufsky cc: firewalls@greatcircle.com In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thu, 2 Feb 1995, Robert Hufsky wrote:
> On Thu, 2 Feb 1995 12:46:05 +1100 (EST) Daniel O'Callaghan wrote:
> > Get arpwatch. You'll be able to detect these things quickly, at least. Maybe it could be hacked to send network jam to the offender while you send the storm troopers down to get the b****d. :-)
>
> Sounds good, can you provide a pointer to it ?
ftp://www.unimelb.edu.au/pub/misc/arpwatch-1.0.tar.gz
http://www.unimelb.edu.au:8088/pub/misc/arpwatch-1.0.tar.gz

Danny

From firewalls-owner Thu Feb 2 15:24:54 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA25031 for firewalls-outgoing; Thu, 2 Feb 1995 14:29:58 -0800 Received: from gate.teledata.co.at (root@teledata-eunet.AT.EU.net [193.80.63.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA25023 for ; Thu, 2 Feb 1995 14:29:53 -0800 Received: from ws59.teledata.co.at (ws59.teledata.co.at [193.80.185.59]) by gate.teledata.co.at (8.6.9/8.6.9) with SMTP id XAA00192; Thu, 2 Feb 1995 23:33:16 +0100 Date: Thu, 2 Feb 1995 23:23:33 MET From: Mazinger Peter Reply-To: pmazinge@teledata.co.at Subject: Re: Re[2]: tweaking PC setups for TCP/IP To: brian@imcon.ilinx.com cc: morgan@engr.uky.edu, firewalls@greatcircle.com Message-ID: Priority: Normal MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

You could use [Restrictions] in PROGMAN.INI and not allow the users to change their icons or positions, or to install new ones; take the File menu (Program Manager) away, no MS-DOS prompt, no File Manager, and get them directly into Windows, without break. I am using it that way with Trumpet Winsock etc.

On Thu, 2 Feb 1995 09:04:08 -0700 (PST) brian@imcon.ilinx.com wrote:
> From:brian@imcon.ilinx.com> Date: Thu, 2 Feb 1995 09:04:08 -0700 (PST)
> Subject: Re[2]: tweaking PC setups for TCP/IP
> To: morgan@engr.uky.edu
> Cc: firewalls@greatcircle.com
>
> from the quill of morgan@engr.uky.edu (Wes Morgan)
> >
> > When presented with this problem (in an educational environment, no less; lots of folks keen to play with config files), we simply required (read: dictated) that any TCP/IP apps had to come from the server. On the server, all apps/config files were read-only configured for BOOTP.
> Yes, that's what we do as well, but it does not prevent somebody knowledgeable enough from changing the TCP/IP config from getting the IP address from a bootp packet to "user entered" with the software we use. How do you manage to prevent that kind of change??
>
> b.
>
> --
> Brian J. Murrell brian@ilinx.com
> InterLinx Support Services, Inc. brian@wimsey.com
> North Vancouver, B.C. 604 983 UNIX
> Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD

--------------------------------------------------------
Mazinger Peter-Sandor pmazinge@teledata.co.at Teledata Consulting & Systemmanagement GmbH. A-6840 Goetzis, Austria, Vorarlberger Wirtschaftspark Tel. +43/(0)5523/52623-0 Fax. +43/(0)5523/52623-9

From firewalls-owner Thu Feb 2 15:30:39 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA26903 for firewalls-outgoing; Thu, 2 Feb 1995 15:18:50 -0800 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA26891 for ; Thu, 2 Feb 1995 15:18:44 -0800 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA17670; Thu, 2 Feb 95 18:03:45 -0500 Date: Thu, 2 Feb 95 18:03:44 -0500 Message-Id: <9502022303.AA17670@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: Piled Higher and Deeper Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Covering all the bases, and not just the new and interesting ones, is what separates a security practitioner from a security theorist. There are plenty of both.

:Of course some of us theorists actually cover far more of the bases than you practitioners who don't understand the underlying reasons that things are the way they are.

But then a practitioner who understands the theory (or the reverse) and who does not mind sharing it is better yet. Am a hobbyist myself.
>> Which harks back a little to the issue of degrees. Ever run into an EE who can't fix his toaster?
>I am an EE and I have fixed toasters

And a P.E. guarantees it 8*).

Warmly,
Padgett

From firewalls-owner Thu Feb 2 15:54:11 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA26857 for firewalls-outgoing; Thu, 2 Feb 1995 15:17:03 -0800 Received: from wintermute.imsi.com (wintermute.imsi.com [192.103.3.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA26851 for ; Thu, 2 Feb 1995 15:16:58 -0800 Received: from relay.imsi.com by wintermute.imsi.com id SAA24220; Thu, 2 Feb 1995 18:14:46 -0500 Received: from lorax.imsi.com by relay.imsi.com id SAA14575; Thu, 2 Feb 1995 18:14:45 -0500 Received: from localhost by lorax.imsi.com (4.1/SMI-4.1) id AA24743; Thu, 2 Feb 95 18:14:44 EST Message-Id: <9502022314.AA24743@lorax.imsi.com> To: "Dr. Frederick B. Cohen" Cc: hobbit@bronze.lcs.mit.edu (*Hobbit*), firewalls@greatcircle.com Subject: Re: Consultant quals In-Reply-To: Your message of "Wed, 01 Feb 1995 19:27:41 EST." <199502020027.TAA19890@all.net> Reply-To: rens@imsi.com Date: Thu, 02 Feb 1995 18:14:44 -0500 From: Rens Troost Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>>>>> "Frederick" == Frederick B Cohen writes:
>> Rens pipes up:
>>
>> Covering all the bases, and not just the new and interesting ones, is what separates a security practitioner from a security theorist. There are plenty of both.
>>
Frederick> Of course some of us theorists actually cover far more of the bases than you practitioners who don't understand the underlying reasons that things are the way they are.

! And how about us practitioners who do? I'm not sure what to make of this statement, except to assume you have a big chip on your shoulder. So far all your mail on firewalls has been to complain about the work other people have done, after all.
Frederick> You don't necessarily have to read all of the code to Frederick> understand the implications. That's where theory and Frederick> experience come into play. Sorry, If you don't look at the code, you don't know what it does. Of course, you could just assume you know everything. Whatever. -Rens From firewalls-owner Thu Feb 2 16:00:20 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA29552 for firewalls-outgoing; Thu, 2 Feb 1995 15:50:24 -0800 Received: from staff.cs.su.OZ.AU (staff.cs.su.OZ.AU [129.78.8.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA29495 for ; Thu, 2 Feb 1995 15:50:14 -0800 From: KIDSTOJ@pcux.citec.qld.gov.au Received: from pcux.citec.qld.gov.au by staff.cs.su.OZ.AU (mail from KIDSTOJ for firewalls@greatcircle.com) with MHSnet (insertion MHSnet site: citecub.citec.qld.gov.au); Fri, 03 Feb 1995 10:48:18 +1100 Received: from pcux.citec.qld.gov.au by citec.qld.gov.au (5.0/SMI-SVR4) id AA18685; Fri, 3 Feb 1995 09:47:45 +1000 Received: from CITEC-Message_Server by pcux.citec.qld.gov.au with WordPerfect_Office; Fri, 03 Feb 1995 09:47:24 +1000 Message-Id: X-Mailer: WordPerfect Office 4.0 Date: Fri, 03 Feb 1995 09:46:33 +1000 To: firewalls%greatcircle.com@citec.qld.gov.au, jon%nytimes.com@citec.qld.gov.au Subject: Re: security from proxy-servers??? content-length: 753 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ** Low Priority ** >>> "jon@nytimes.com" 31/January/1995 01:22pm >>> >I don't understand how proxy-servers add security to a firewall. >I understand that they allow for a common place for logging, which can >help security, but beyond that I don't understand the advantage. > >My best guess is that somehow by keeping track of connections it > provides security, but just what does it keep track of, what "bad" > things does it prevent, and how does it detect "bad" things? Depending on the proxy-server you may get one or more of: 1. Hiding of internal net addresses 2. 
The ability to restrict access (in or out) to pre-defined network addresses 3. Caching on the proxy server, to minimise external traffic 4. Logging of all connections From firewalls-owner Thu Feb 2 16:35:38 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA00481 for firewalls-outgoing; Thu, 2 Feb 1995 16:08:36 -0800 Received: from escape.com (root@escape.com [198.6.71.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA00476 for ; Thu, 2 Feb 1995 16:08:33 -0800 Received: from plv (plv.escape.com [198.6.71.51]) by escape.com (8.6.9/8.6.5) with SMTP id TAA08192; Thu, 2 Feb 1995 19:01:38 -0500 Message-Id: <199502030001.TAA08192@escape.com> X-Sender: plv@198.6.71.10 X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 02 Feb 1995 19:03:58 -0500 To: labatt@disaster.com (Chris Labatt-Simon - D&D Consulting), firewalls@GreatCircle.COM From: plv@escape.com (Philip LaViscount) Subject: re: Proposed Newsgroup Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 10:49 1/13/95 -0500, Chris Labatt-Simon - D&D Consulting wrote: >I want to reiterate, as before, that the RFD for comp.security.firewalls >does *not* state anywhere that the proposed newsgroup will be gated >with the current firewalls mailing list. >As others have mentioned, and as I have mentioned in previous >postings, the bit.listserv.* hierarchy was expressly created >for gating mailing lists. Having this list gated to a 'comp.security.firewalls' would frankly be quite useful (scanning for applicable topics instead of wading through dozens of mail messages per day, etc.). I am greatly in favor of the newsgroup creation. > >I'm about even on the number of messages I've received re: Moderated >vs. Unmoderated. I'm starting to lean towards a loosely moderated >approach, where 95% of the posts go through and the garbage ones >and the ones that are _way_ off topic won't. We'll see. 
I am also _greatly_ in favor of a Moderated newsgroup. Relative 'newbie' questions could be forwarded to a more general security group. Summaries of responses to questions could be created and circulated. Mistaken entries (mis-addressed, off topic, mail system error messages, etc.) could be culled. Please let me know how this works out. -oo- plv From firewalls-owner Thu Feb 2 17:25:52 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA03140 for firewalls-outgoing; Thu, 2 Feb 1995 17:23:24 -0800 Received: from dot.ca.gov (nic.dot.ca.gov [149.136.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA03135 for ; Thu, 2 Feb 1995 17:23:22 -0800 Received: from trew002 (trew.dot.ca.gov) by dot.ca.gov (4.1/01.14.95) id AA17476; Thu, 2 Feb 95 17:21:40 PST Message-Id: <9502030121.AA17476@dot.ca.gov> Date: Thu, 2 Feb 1995 17:13:53 -0800 From: stan@dot.ca.gov ( ) To: firewalls@greatcircle.com Subject: local spoofing Sender: firewalls-owner@GreatCircle.COM Precedence: bulk john adams writes: >We had an incident recently where someone used the same IP address on a machine >(a PC running winsock) as one of our fileservers... nevertheless, the >fileserver spazzed out, NFS went completey awry, and we were forced to >start rebooting clients and the server to get things back to normal. Is there any way to prevent this? You can get Firefox. Everyone on a Novell network shares the same IP address and the IPX addresses are dynamically created anyone and unique. 
Stan From firewalls-owner Thu Feb 2 18:25:50 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA03744 for firewalls-outgoing; Thu, 2 Feb 1995 18:01:26 -0800 Received: from uustar.starnet.net (uustar.starnet.net [128.252.135.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA03739 for ; Thu, 2 Feb 1995 18:01:22 -0800 Received: from devildog.UUCP by uustar.starnet.net with UUCP id AA18391 (5.67b/IDA-1.5 for firewalls@greatcircle.com); Thu, 2 Feb 1995 19:55:10 -0600 Received: by devildog (5.65/1.35) id AA10609; Thu, 2 Feb 95 19:28:13 -0600 From: devildog!grover@uustar.starnet.net (grover davidson) Message-Id: <9502030128.AA10609@devildog> Subject: Re: IBM Firewall Solution To: Quentin.Fennessy@sematech.org (Quentin Fennessy) Date: Thu, 2 Feb 95 19:28:12 CST Cc: firewalls@greatcircle.com In-Reply-To: <199502021958.NAA26519@thecount.eng.sematech.org>; from "Quentin Fennessy" at Feb 2, 95 1:58 pm X-Mailer: ELM [version 2.3 PL11] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Matthew- > You asked "Wouldn't AIX be a good OS choice for a Unix-based firewall?" > (This is one question out of a 3 paragraph note, but it caught my eye) > > I have the misfortune to use AIX for a UNIX based firewall. But I won't > do so again. I keep running into flaws in networking and authentication > that drive me crazy. The AIX login.cfg auth1 and auth2 facilities look > like great stuff, but are broken in practice. This and other facilities > are poorly documented. > > No, I don't think AIX is a good OS choice for a UNIX based firewall. > (Want to see my scars?) > > Quentin > > (OK, my next generation will be BSDI, or Plan9 -- what about Amoeba?) > Sorry to hear this. I use an rs6000 with TIS for our firewall. There is a trick to using AIX. We have an advantage in that we have ALOT of rs6000's that we were able to find a 'stable' release of aix with. 
IBM is known for a 'patch hell' where every patch that you install breaks something else. And the 'patch' is normally between 100-200 MB on a tape. If you are careful and know how to do it, the patch can usually be reduced to about 20-30 MB each. (Very painful!) In addition, for better or worse, IBM has chosen to make AIX completely different to administer from any other unix I know of. Before you decide to start any mission critical operation, make SURE you know how to admin the system you are using, regardless of whose it is. My real point here is that if you don't know the system from the admin point VERY well, learn it before you try to implement a firewall with it.

-- Grover
Grover C. Davidson II     | I speak for ME! This is my machine, and my
828 Fall Crown Ln         | ideas. My employer doesn't pay for my machine
Fenton, Mo 63026          | or ask for my opinions.
314-343-5642              | grover@devildog.st-louis.mo.us

From firewalls-owner Thu Feb 2 21:55:45 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA06405 for firewalls-outgoing; Thu, 2 Feb 1995 21:27:03 -0800 Received: from brandx.cs.ohiou.edu (brandx.cs.ohiou.edu [132.235.1.242]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id VAA06400 for ; Thu, 2 Feb 1995 21:27:00 -0800 Received: from slip1-70.acs.ohio-state.edu by brandx.cs.ohiou.edu (5.59/25-eef) id AA03639; Fri, 3 Feb 95 00:25:22 EST Received: by goffer.acs.ohio-state.edu (4.1/SMI-4.1) id AA03773; Fri, 3 Feb 95 00:20:22 EST Date: Fri, 3 Feb 95 00:20:22 EST From: cmcurtin@goffer (C Matthew Curtin) Message-Id: <9502030520.AA03773@goffer.acs.ohio-state.edu> To: cmc@brandx.cs.ohiou.edu, Quentin.Fennessy@SEMATECH.Org Subject: Plan9 firewall (was: Re: IBM Firewall Solution) Cc: firewalls@greatcircle.com Reply-To: cmc@brandx.cs.ohiou.edu Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>From Quentin.Fennessy@SEMATECH.Org Thu Feb 2 14:59:45 1995
>(OK, my next generation will be BSDI, or Plan9 -- what about Amoeba?)
Actually, I'm really interested in Plan9. I haven't seen or heard much about it since I read the group of papers on it from a few years back... Is there more information available?

-matt

From firewalls-owner Thu Feb 2 22:25:48 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id WAA06651 for firewalls-outgoing; Thu, 2 Feb 1995 22:02:16 -0800 Received: from suntan.eng.usf.edu (blenke@suntan.eng.usf.edu [131.247.101.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id WAA06640 for ; Thu, 2 Feb 1995 22:02:12 -0800 Received: (blenke@localhost) by suntan.eng.usf.edu (8.6.9/8.6.5) id AAA27893; Fri, 3 Feb 1995 00:58:58 -0500 Date: Fri, 3 Feb 1995 00:58:57 -0500 (EST) From: "Ian C. Blenke" X-Sender: blenke@suntan To: Mazinger Peter cc: brian@imcon.ilinx.com, morgan@engr.uky.edu, firewalls@GreatCircle.COM Subject: Re: Re[2]: tweaking PC setups for TCP/IP In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thu, 2 Feb 1995, Mazinger Peter wrote:
> You could use [Restrictions] in PROGMAN.INI and not allow the users to
> change their icons, position, to install new one, take the File Menu
> (Program Manager) away, no MS-DOS prompt, no File-Manager, and get
> them directly into Windows, without break I am using in that way with
> Trumpet Winsock etc.

And any knowledgeable user/student will know how to take those limitations out of their PROGMAN.INI. How do you disable the ability to change the IP number under Trumpet Winsock? Regardless, you can only lock down a DOS machine to a point - the key is physically segmenting them on their own subnet. If an insecure machine (any PC, truly) can be tampered with on the same segment as your servers, you still face some ugly possibilities.

But I can always be wrong, mind you...

(twice now in a week.. I'm breaking the Lurker's covenant... "thou shalt not respond".
:) - Ian Blenke ___________________________________________________________________________ / Ian C. Blenke / / Yes, it's valid ;) / / University of South Florida / / Prof. student.... / / Tachyon Communications Corp / / Start a provider :) / ---- Net meister. Wizard in training. Linux advocate. Procrastinator. ----- From firewalls-owner Thu Feb 2 23:25:41 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA08137 for firewalls-outgoing; Thu, 2 Feb 1995 23:13:58 -0800 Received: from stargate.concorde.com (smap@stargate.concorde.com [204.97.254.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id XAA08132 for ; Thu, 2 Feb 1995 23:13:54 -0800 Received: (from smap@localhost) by stargate.concorde.com (8.6.8.1/8.6.6) id CAA27319; Fri, 3 Feb 1995 02:11:12 -0500 Received: from galaxy.concorde.com(198.242.54.51) by stargate.concorde.com via smap (V1.3) id sma027317; Fri Feb 3 02:11:02 1995 Received: (from jna@localhost) by galaxy.concorde.com (8.6.8.1/8.6.6) id CAA19105; Fri, 3 Feb 1995 02:11:01 -0500 Date: Fri, 3 Feb 1995 02:11:01 -0500 From: John Adams Message-Id: <199502030711.CAA19105@galaxy.concorde.com> To: firewalls@GreatCircle.COM, stan@dot.ca.gov Subject: Re: local spoofing Sender: firewalls-owner@GreatCircle.COM Precedence: bulk But does firefox handle the fact that our PC's run both IPX and IP to connect to our novell and IP networks? 
-john

From firewalls-owner Thu Feb 2 23:37:14 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA08194 for firewalls-outgoing; Thu, 2 Feb 1995 23:19:42 -0800 Received: from stargate.concorde.com (smap@stargate.concorde.com [204.97.254.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id XAA08189 for ; Thu, 2 Feb 1995 23:19:39 -0800 Received: (from smap@localhost) by stargate.concorde.com (8.6.8.1/8.6.6) id CAA27331 for ; Fri, 3 Feb 1995 02:17:12 -0500 Received: from galaxy.concorde.com(198.242.54.51) by stargate.concorde.com via smap (V1.3) id sma027329; Fri Feb 3 02:16:45 1995 Received: (from jna@localhost) by galaxy.concorde.com (8.6.8.1/8.6.6) id CAA19199 for firewalls@GreatCircle.COM; Fri, 3 Feb 1995 02:16:43 -0500 Date: Fri, 3 Feb 1995 02:16:43 -0500 From: John Adams Message-Id: <199502030716.CAA19199@galaxy.concorde.com> To: firewalls@GreatCircle.COM Subject: Forgot Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Somehow half of my message was removed. Anyhow.. the aforementioned HTML user guide had references to the infoservice, and this program is not a part of the standard TIS distribution. Thanks again.
-Jna

From firewalls-owner Thu Feb 2 23:49:17 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA08170 for firewalls-outgoing; Thu, 2 Feb 1995 23:17:42 -0800 Received: from stargate.concorde.com (smap@stargate.concorde.com [204.97.254.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id XAA08165 for ; Thu, 2 Feb 1995 23:17:39 -0800 Received: (from smap@localhost) by stargate.concorde.com (8.6.8.1/8.6.6) id CAA27325 for ; Fri, 3 Feb 1995 02:15:12 -0500 Received: from galaxy.concorde.com(198.242.54.51) by stargate.concorde.com via smap (V1.3) id sma027323; Fri Feb 3 02:15:00 1995 Received: (from jna@localhost) by galaxy.concorde.com (8.6.8.1/8.6.6) id CAA19120 for firewalls@GreatCircle.COM; Fri, 3 Feb 1995 02:14:58 -0500 Date: Fri, 3 Feb 1995 02:14:58 -0500 From: John Adams Message-Id: <199502030714.CAA19120@galaxy.concorde.com> To: firewalls@GreatCircle.COM Subject: TIS infoserver Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Someone wrote an HTML user guide to TIS' firewall toolkit, and I believe they were from sq.com (soft quad?) because all of the file references pointed to that location. The infoserver ran on the firewall and allowed local users to use things like archie, whois, finger, etc. from the inside. Does anyone have a copy of this program? We'd like to use it.
thanks -john From firewalls-owner Fri Feb 3 00:25:41 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA08817 for firewalls-outgoing; Thu, 2 Feb 1995 23:56:45 -0800 Received: from gate.teledata.co.at (root@teledata-eunet.AT.EU.net [193.80.63.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id XAA08812 for ; Thu, 2 Feb 1995 23:56:41 -0800 Received: from ws59.teledata.co.at (ws59.teledata.co.at [193.80.185.59]) by gate.teledata.co.at (8.6.9/8.6.9) with SMTP id JAA00119 for ; Fri, 3 Feb 1995 09:01:04 +0100 Date: Fri, 3 Feb 1995 08:51:20 MET From: Mazinger Peter Reply-To: pmazinge@teledata.co.at Subject: Re: Re[2]: tweaking PC setups for TCP/IP To: firewalls@greatcircle.com Message-ID: Priority: Normal MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 3 Feb 1995 00:58:57 -0500 (EST) Ian C. Blenke wrote: > From: Ian C. Blenke > Date: Fri, 3 Feb 1995 00:58:57 -0500 (EST) > Subject: Re: Re[2]: tweaking PC setups for TCP/IP > To: Mazinger Peter > Cc: brian@imcon.ilinx.com, morgan@engr.uky.edu, firewalls@greatcircle.com > > And any knowledgable user/student will know how to take those limitations > out of their PROGMAN.INI. How do you disable the ability to change the IP > number under Trumpet Winsock? Put Trumpet on a read-only filesystem and use BOOTP. > Regardless, you can only lock down a DOS > machine to a point - the key is physically segmenting them on their own > subnet. If an unsecure machine (any PC, truely) can be tampered with > on the same segment as your servers, you still face some ugly possiblities. > > But I can always be wrong, mind you... > > (twice now in a week.. I'm breaking the Lurker's covenant... "thou shalt > not respond". 
:) > > - Ian Blenke > Peter From firewalls-owner Fri Feb 3 11:06:03 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA00258 for firewalls-outgoing; Fri, 3 Feb 1995 10:27:47 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA00924 for ; Fri, 3 Feb 1995 09:58:53 -0800 Received: from plan9.research.att.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id GAA10782; Fri, 3 Feb 1995 06:29:08 -0800 From: ches@plan9.research.att.com Message-Id: <199502031429.GAA10782@mycroft.GreatCircle.COM> To: firewalls@greatcircle.com Date: Fri, 3 Feb 1995 09:27:07 EST Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Plan 9, the research operating system developed here at the Labs, should be available for general release soon. The binaries (for PCs) may be free (i.e. ftp-able), and the cdrom with all the sources available for O($500). They are working on the details now. This is cool, because Plan 9 is a fine example of a simple TCB: a good platform for building firewalls, web servers, etc. I plan to move our outgoing circuit gateway (the proxy stuff) to a single stand-alone plan 9 machine in the near future. 
ches From firewalls-owner Fri Feb 3 11:25:35 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA02205 for firewalls-outgoing; Fri, 3 Feb 1995 11:04:19 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA00601 for ; Fri, 3 Feb 1995 09:57:14 -0800 Received: from eros.britain.eu.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id JAA11145; Fri, 3 Feb 1995 09:26:42 -0800 Resent-From: pd@uit.co.uk Received: from uit.co.uk by eros.britain.eu.net with UUCP id ; Fri, 3 Feb 1995 16:45:57 +0000 Resent-Message-Id: <16210.9502031510@mars.uit.co.uk> Received: from scopc.uit.co.uk by mars.uit.co.uk; Fri, 3 Feb 95 15:10:13 GMT From: pd@uit.co.uk To: Adam Glass Cc: firewalls@greatcircle.com Subject: Re: Not a new problem (C2 certification) Date: Thu, 12 Jan 95 19:08:11 EST Resent-Date: 3 Feb 1995 15:11:16 +0000 Resent-To: nmm@uit.co.uk Message-Id: <9502031511.aa14244@scopc.uit.co.uk> Source-Info: From (or Sender) name not authenticated. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk SMB (various versions) is the file sharing protocol that runs on top of the NetBIOS api. I can't think of an all encompassing ftp site for the docs except the home of 'Samba: a unix smb-server"... see comp.protocols.smb for an ftp location. Hey -- there's only one version of me, I don't have my own newsgroup ('cause I'm not Kibo), and I *don't* do MS-DOS! Gotta trademark my login.... 
--Steve Bellovin smb@research.att.com From firewalls-owner Fri Feb 3 11:29:26 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA00271 for firewalls-outgoing; Fri, 3 Feb 1995 10:27:56 -0800 Received: from fshops.sfsu.edu (fshops.sfsu.edu [130.212.45.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA00265 for ; Fri, 3 Feb 1995 10:27:52 -0800 Received: from sansom@fshops.sfsu.edu by fshops.sfsu.edu (5.64/Tenon-1.35.01) id AA03990; Fri, 3 Feb 95 08:28:54 -0800 (PST) Received: by servo.fshops.sfsu.edu (AIX 3.2/UCB 5.64/4.03) id AA28946; Fri, 3 Feb 1995 08:27:34 -0800 Date: Fri, 3 Feb 1995 08:27:32 -0800 (PST) From: Rob Sansom Reply-To: Rob Sansom Subject: AIX ftp site To: firewalls@greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anyone out there know of an ftp site that has AIX security stuff?? I'm not a real slick C programmer, and don't have the time to try to port the stuff to AIX myself. Thanks, Rob S. 
From firewalls-owner Fri Feb 3 11:55:15 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA02033 for firewalls-outgoing; Fri, 3 Feb 1995 10:56:41 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA00655 for ; Fri, 3 Feb 1995 09:57:24 -0800 Received: from access4.digex.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id HAA10873; Fri, 3 Feb 1995 07:05:09 -0800 Received: by access4.digex.net id AA01261 (5.67b8/IDA-1.5 for firewalls@greatcircle.com); Fri, 3 Feb 1995 10:07:27 -0500 From: Don Krapf Message-Id: <199502031507.AA01261@access4.digex.net> Subject: Re: local spoofing To: firewalls@greatcircle.com (FireWalls List) Date: Fri, 3 Feb 1995 10:07:27 -0500 (EST) In-Reply-To: <199502030711.CAA19105@galaxy.concorde.com> from "John Adams" at Feb 3, 95 02:11:01 am X-Mailer: ELM [version 2.4 PL24beta] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 792 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

John Adams asks:
> But does firefox handle the fact that our PC's run both IPX and IP to
> connect to our novell and IP networks?

Yes. It's one of a handful of products which work by putting a stub winsock on the MS-Windows machine and using another protocol (IPX, in this case) to pass the IP calls to the machine where the IP stack really lives. Unless I'm mistaken, Firefox is implemented as an NLM so it lives on a Novell server. There are several other products which do this on an OS/2 box with dual (IP and IPX) stacks. Usually the IP call is passed over IPX via a NetBIOS RPC.

If anybody's interested in these products, I'll look them up. I have the info around here somewhere.
Don -- dkrapf@access.digex.net | See Clearly dkrapf@hermes.acm.rpi.edu | Think Clearly From firewalls-owner Fri Feb 3 11:55:26 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA02051 for firewalls-outgoing; Fri, 3 Feb 1995 10:58:52 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA00686 for ; Fri, 3 Feb 1995 09:57:30 -0800 Received: from mwunix.mitre.org by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id JAA11086; Fri, 3 Feb 1995 09:10:38 -0800 Received: from smiley.mitre.org.sit (smiley.mitre.org [128.29.140.20]) by mwunix.mitre.org (8.6.9/8.6.4) with SMTP id KAA18043 for ; Fri, 3 Feb 1995 10:49:20 -0500 Received: from [128.29.140.105] (jkahn-mac.mitre.org) by smiley.mitre.org.sit (4.1/SMI-4.1) id AA00529; Fri, 3 Feb 95 10:48:53 EST Date: Fri, 3 Feb 95 10:48:51 EST Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@GreatCircle.COM From: jkahn@smiley.mitre.org (Jay J. Kahn) Subject: lurkers and open discussion Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >On 31 Jan, Brent Chapman wrote: >We've been through this already. I consider their questions perfectly >reasonable, and I think a lot of lurkers on the list are learning a lot >from this discussion. > >Wouldn't you rather they get the details from us, than from folks less >informed and more hysterical? There is an interesting side version of this discussion that ran in the RISKS forum about 3 years ago. Especially noteworthy were references to articles in the London Times from the 1840s that claimed that by discussing the relative strength of door and safe locks, the Times was contributing to criminal knowledge, and that some subjects were too sensitive to allow public discussion. Going back even further: Generally, he who occupies the field of battle first and awaits his enemy is at ease. 
Against those skilled in the attack, an enemy does not know where to defend. Against the experts in defense, the enemy does not know where to attack. (Sun-tzu, circa fourth century B.C.) We humans appear to have kept this argument about open discussion and dangerous subjects alive for over 2,500 years!!!! So far history seems to indicate that the closed discussion side has been unable to restrict the flow of information. Jay Kahn From firewalls-owner Fri Feb 3 12:00:40 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA00910 for firewalls-outgoing; Fri, 3 Feb 1995 10:30:33 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA00784 for ; Fri, 3 Feb 1995 10:30:06 -0800 Received: from cannon.ecf.toronto.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id GAA10751; Fri, 3 Feb 1995 06:15:23 -0800 Received: by cannon.ecf.toronto.edu id <4199>; Fri, 3 Feb 1995 09:17:28 -0500 From: Steve Kotsopoulos To: cmc@brandx.cs.ohiou.edu Subject: Re: Plan9 firewall (was: Re: IBM Firewall Solution) Cc: firewalls@greatcircle.com Message-Id: <95Feb3.091728edt.4199@cannon.ecf.toronto.edu> Date: Fri, 3 Feb 1995 09:16:52 -0500 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > >From Quentin.Fennessy@SEMATECH.Org Thu Feb 2 14:59:45 1995 > >(OK, my next generation will be BSDI, or Plan9 -- what about Amoeba?) > > Actually, I'm really interested in Plan9. I haven't seen or heard much > about it since I read the group of papers on it from a few years back... > Is there more information available? The Plan 9 developers are currently working on a new release. There hasn't been an official announcement yet, but rumors are that this will be a 'general' release (you don't have to be at a university to get it). 
More information is on the Plan 9 WWW page, url: http://www.ecf.toronto.edu/plan9/

Steve

From firewalls-owner Fri Feb 3 12:39:50 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA02119 for firewalls-outgoing; Fri, 3 Feb 1995 11:00:44 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA00704 for ; Fri, 3 Feb 1995 09:57:33 -0800 Received: from clavin by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id GAA10847; Fri, 3 Feb 1995 06:53:38 -0800 Received: from cygnus.uprc.com by clavin (4.1/3.2.012693-Union Pacific Resources Company); id AA24711 for firewalls@greatcircle.com; Fri, 3 Feb 95 08:55:31 CST Received: by cygnus.uprc.com (5.0/SMI-SVR4) id AA23000; Fri, 3 Feb 1995 08:55:13 +0600 Date: Fri, 3 Feb 1995 08:55:13 +0600 From: z056716@uprc.com (LaCoursiere J. D. (Jeff)) Message-Id: <9502031455.AA23000@cygnus.uprc.com> To: firewalls@greatcircle.com, jon@nytimes.com, KIDSTOJ@pcux.citec.qld.gov.au Subject: Re: security from proxy-servers??? X-Sun-Charset: US-ASCII Content-Length: 1400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

My own personal feeling about this topic is not that proxies add security, but that they are a side-effect (a necessity if you will) of the choice not to allow direct TCP connections between internal and external machines. So it is the choice to disallow these direct connections that adds security, not the proxies themselves.

______/ Jeff LaCoursiere          FastLane Communications
     / Network security/services  mail info@fastlane.net
  ___/ lacoursj@fastlane.net
   /
__/ ASTLANE Communications! Connecting America to the Internet...

> > >>> "jon@nytimes.com" 31/January/1995 01:22pm >>>
> > >I don't understand how proxy-servers add security to a firewall.
> > >I understand that they allow for a common place for logging, which can
> > >help security, but beyond that I don't understand the advantage.
> > > >My best guess is that somehow by keeping track of connections it > > provides security, but just what does it keep track of, what "bad" > > things does it prevent, and how does it detect "bad" things? > > > Depending on the proxy-server you may get one or more of: > > 1. Hiding of internal net addresses > 2. The ability to restrict access (in or out) to pre-defined network > addresses > 3. Caching on the proxy server, to minimise external traffic > 4. Logging of all connections > > > > > > > From firewalls-owner Fri Feb 3 12:45:32 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA02071 for firewalls-outgoing; Fri, 3 Feb 1995 10:59:56 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA00698 for ; Fri, 3 Feb 1995 09:57:32 -0800 Received: from ns.inter.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id GAA10861; Fri, 3 Feb 1995 06:58:24 -0800 From: CUETARA@zorzal.metro.inter.edu Received: from [164.42.132.7] by ns.inter.edu (AIX 3.2/UCB 5.64/4.03) id AA29032; Fri, 3 Feb 1995 11:04:14 -0500 Received: from NSTTC1/SMTPQueue by zorzal.metro.inter.edu (Mercury 1.11); Fri, 3 Feb 95 10:40:02 +500 Received: from Mailqueue by NSTTC1 (Mercury 1.11); Fri, 3 Feb 95 10:39:50 +500 Organization: Locally Produced Equipment Project To: firewalls@greatcircle.com Date: Fri, 3 Feb 1995 10:39:47 AST Subject: Re: Re[2]: tweaking PC setups for TCP/IP Priority: normal X-Mailer: Pegasus Mail v3.22 Message-Id: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Bryan J Murrel wrote: > from the quill of morgan@engr.uky.edu (Wes Morgan) > > > > When presented with this problem (in an educational environment, no less; > > lots of folks keen to play with config files), we simply required (read: > > dictated) that any TCP/IP apps had to come from the server. On the ser- > > ver, all apps/config files were read-only configured for BOOTP. 
> Yes, that's what we do as well, but it does not prevent somebody
> knowledgeable enough from changing the TCP/IP config from getting the IP
> address from a bootp packet to "user entered" with the software we use.
> How do you manage to prevent that kind of change??
>
> b.
>

We're considering the use of a small wedge that hooks the packet drivers we have on our PC's. It would act as a simple outgoing packet filter, and drop any packet that doesn't match our requirements, i.e. "doesn't have this PC's IP address" or "uses port 666", and give the calling program a no error response. Besides prevention of internal IP spoofing, it would have other uses:

1. Doom control (our motivation)
2. Would prevent accidental routing around your firewall by someone with a modem.

I don't know how this would work with BOOTP, but someone out there may have suggestions.

Ramon De La Cuetara
Universidad Interamericana de Puerto Rico, Departamento de Quimica
Tel. (809) 250-8379
cuetara@zorzal.inter.edu

From firewalls-owner Fri Feb 3 12:46:27 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA02129 for firewalls-outgoing; Fri, 3 Feb 1995 11:01:51 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA00761 for ; Fri, 3 Feb 1995 09:58:00 -0800 Received: from uvs1.orl.mmc.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id HAA10879; Fri, 3 Feb 1995 07:06:28 -0800 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA20664; Fri, 3 Feb 95 09:29:03 -0500 Date: Fri, 3 Feb 95 09:29:02 -0500 Message-Id: <9502031429.AA20664@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E.
Information Security) To: "rgm3@is.chrysler.com"@UVS1.dnet.mmc.com Cc: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: Re: Test labs Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >In fact, not only will we have to maintain a testbed, I have to develop a >cirtification process. Anyone got one already done ;) Well, first you need a policy that states what is permitted and what is not. Next, setup the firewall/bastion/proxy system up in the lab with two nodes on either side. Next program one node on each side to be "promiscuous" and record all packets on the net. Then setup one "outside" node to attempt to access the "inside". Exactly what tests are used depend on the policy but a start would be to send a series of packets of different types to see if the pass/fail/log parameters operate correctly and if all packets are accounted for. Of these, at least one series should be an attempt to open all 65k sockets on the "inside" node (take a coffee break) recording which requests got through and which succeeded. This is often an eye-opener. Of the sockets that open, tests need to be made that they are properly controlled. Finally a report indicating the setup used, software and hardware version numbers, and which tests succeeded, were blocked, and were logged. Error messages should also be recorded. It is important to emphasize that the certification state the precise configuration used and for a decision to be made as to what leeway there is in it. Sorry to be a bit vague but the security policy must come first and all else depends from that. The important thing is that the entire process must be the product of logical deductive reasoning that has its foundation in the policy. If at any point inductive reasoning is required, there has either been an error or something was not covered properly in the policy. 
Warmly,
Padgett

From firewalls-owner Fri Feb 3 12:54:18 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA00899 for firewalls-outgoing; Fri, 3 Feb 1995 10:30:29 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA00778 for ; Fri, 3 Feb 1995 10:30:05 -0800
Received: from maily1.prodigy.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id GAA10684; Fri, 3 Feb 1995 06:01:13 -0800
Received: by maily1.prodigy.com id AA70638 (5.65c/IDA-1.4.4); Fri, 3 Feb 1995 08:38:10 -0500
Date: Fri, 3 Feb 1995 08:38:10 -0500 (EST)
From: Frank Wortner
To: *Hobbit*
Cc: firewalls@greatcircle.com
Subject: Re: Consultant quals
In-Reply-To: <199502010416.XAA10209@bronze.lcs.mit.edu>
Message-Id:
X-Mail-1: Prodigy Services Co.
X-Mail-2: 1565 Front Street
X-Mail-3: Yorktown Heights NY 10598
X-Phone: 1-914-448-1740
X-Fax: 1-914-448-1946
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 31 Jan 1995, *Hobbit* wrote:

> which begs the following question: What if someone is just starting out as
> a consultant, and doesn't *have* any references yet?

On a bit of a philosophical note ... I was once interviewing for a job, and offered to show my prospective employer a list of references. He cheerfully dismissed the offer by saying, "Frank, I've never seen anyone offer references that weren't good!"

Frank

--
"Outside of a dog, a book is a man's best friend; inside of a dog, it's too dark to read."
-- Groucho Marx

From firewalls-owner Fri Feb 3 12:59:51 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA02045 for firewalls-outgoing; Fri, 3 Feb 1995 10:57:44 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA00680 for ; Fri, 3 Feb 1995 09:57:29 -0800
Received: from blackhole.milkyway.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id HAA10969; Fri, 3 Feb 1995 07:22:35 -0800
Received: (from uucp@localhost) by blackhole.milkyway.com (8.6.7/8.6.6) id KAA00251 for ; Fri, 3 Feb 1995 10:24:10 -0500
Received: from jupiter.milkyway.com(192.168.77.9) by internet.milkyway.com via smap (V1.3) id sma000249; Fri Feb 3 10:23:57 1995
Received: from starbuck.milkyway.com.milkyway.com (calisto.milkyway.com [192.168.77.2]) by jupiter.milkyway.com (8.6.7/8.6.6) with SMTP id KAA07760 for ; Fri, 3 Feb 1995 10:28:25 -0500
Received: by starbuck.milkyway.com.milkyway.com (4.1/SMI-4.1) id AA20159; Fri, 3 Feb 95 10:28:00 EST
To: firewalls@greatcircle.com
Path: not-for-mail
From: mcr@milkyway.com (Michael Richardson)
Newsgroups: milkyway.mail.firewalls
Subject: Re: IBM Firewall Solution
Date: 3 Feb 1995 10:27:59 -0500
Organization: Milkyway Networks Corporation
Lines: 25
Distribution: milkyway
Message-Id: <3gti1v$jls@calisto.milkyway.com>
References: <2F31198D@SMTPGATE.VIACOM.COM> <9502021651.AA02436@brandx.cs.ohiou.edu>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In article <9502021651.AA02436@brandx.cs.ohiou.edu>, C Matthew Curtin wrote:
>My question is: "Wouldn't AIX be a good OS choice for a Unix-based firewall?"

It is a reasonable OS, but not the best choice: too many quirks that make it different enough from regular Unix (by that I mean BSD derived Unix, like SunOS, not SCO!) to be misunderstood. If you have hacked AIX since version 1.0 (on an RT) then it would be your best choice.
>I'm curious why people use the OSes that they do for firewall implementation.

Availability of source, and overall experience with it. SunOS, although full of holes, has lots of *well-documented* holes, and is widely understood. BSDI comes with source, so most of the holes are fixed, but the firewall builder can fix any they are not happy with. Better the devil you know than the devil you don't know.

--
:!mcr!:             | Milkyway Networks Corporation
Michael Richardson  | Makers of the Black Hole firewall
NCF: aa714 || xx714 | +1 613 566-4574 ... mcr@milkyway.com
Home: mcr@sandelman.ocunix.on.ca. PGP key available.

From firewalls-owner Fri Feb 3 13:25:23 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA02040 for firewalls-outgoing; Fri, 3 Feb 1995 10:57:13 -0800
Received: from disaster.com (root@eniac136.disaster.com [199.99.205.136]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA02035 for ; Fri, 3 Feb 1995 10:57:00 -0800
Message-Id:
X-Sender: labatt@mailhost.disaster.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 17 Jan 1995 13:49:12 -0500
To: firewalls@GreatCircle.COM
From: labatt@disaster.com (Chris Labatt-Simon - D&D Consulting)
Subject: Revised - RFD: comp.security.firewalls.misc & comp.security.firewalls.announce
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Request For Discussion:
	comp.security.firewalls.misc
	comp.security.firewalls.announce

RFD Authors Note
----------------

Much of the information below was culled from the firewall FAQ available at rtfm.mit.edu. It was included below because it is this author's opinion that there is no need to rewrite what is already written. The FAQ is maintained by fwalls-faq@tis.com. It has been pointed out that this information can be considered copyrighted regardless of an explicit copyright notice, but it is my hope that nobody will have a big problem with this.
Where to Find this RFD
----------------------

This Request for discussion will be posted to news.announce.newgroups, news.announce, comp.security.misc, comp.security.unix, alt.security and to firewalls@GreatCircle.com.

Amendments:

Purpose
-------

These newsgroups will be for the discussion of firewalls on various operating systems and networks. Various discussions on the .misc newsgroup might include:

- How to firewall a network
- How to secure an operating system
- What firewall software is available
- Troubleshooting a firewall
- Sources of firewall information
- General discussion of firewall related topics

Comp.security.firewalls.announce will be solely for the purpose of announcing new firewall tools, including but not limited to firewall software, firewall hardware, and tools to exploit security weaknesses within firewalls.

What is A Firewall?
-------------------

(from the FAQ)

A firewall is any one of several ways of protecting one network from another untrusted network. The actual mechanism whereby this is accomplished varies widely, but in principle, the firewall can be thought of as a pair of mechanisms: one which exists to block traffic, and the other which exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic.

Rationale
---------

Currently there is a firewall mailing list (firewalls@GreatCircle.COM). The volume of messages on this list is quite high, and based on messages retrieved from both comp.security.unix and comp.security.misc there is recent interest in the formation of a USENET group devoted to firewalls. After careful checking of the USENET hierarchy, no groups dedicated to firewall discussions are currently available. We also believe that many users are unwilling or unable to subscribe to the firewalls mailing list, but will actively participate in a USENET group.
Charter
-------

Comp.security.firewalls.misc is a moderated newsgroup which will serve as a forum for discussing firewalls and firewall related topics. The group will serve both those looking at implementing a firewall and those who have already installed one and require external support. Topics that may be discussed include:

- General information on Firewalls
- Discussions on the implementation of firewalls
- Discussions on the configuration of firewalls
- Security holes in firewalls
- Personal experiences with both Commercial and publicly available firewall software
- General discussion about firewall related topics

Comp.security.firewalls.announce is a moderated newsgroup which will only include messages relating to following topics, or similar topics:

- Announcements of new versions of firewall software
- Announcements of tools used to break through firewalls
- Announcements of tools used to test the implementation of a firewall

Announcement information will *only* be accepted under comp.security.firewalls.announce, and will have the following limitations:

- Must be a new product, or
- Must be a product incorporating significant changes since the previous version, or
- If the product is not new or has not been upgraded, informational postings are limited to 1 every 3 months

Moderator
---------

Being the author of this RFD, I propose myself as moderator. Just to give a little background, I am the owner of Design & Disaster Recovery Consulting. One of the areas we focus on is Internet connectivity and UNIX/Network security. D&D Consulting does not sell any hardware or software, we only make recommendations. Therefore we are not tied to, and do not receive stipends from, any vendors. In addition, I have had experience in moderating newsgroups in the past. I believe that I will be well suited for this job.

Discussion
----------

Any objections to this RFD will be considered and, if determined to be appropriate, will be incorporated.
The discussion period will be for a period of 21 days after which the first CFV will be issued or a modified RFD will be posted (the authors will post interim modified RFDs to the same groups the original RFD was posted to).

Who to Contact
--------------

Netiquette suggests that all discussions relating to the formation of a new USENET group be posted to news.groups and/or the forums that this RFD is posted to. If you need to contact the original authors of this RFD, send mail to labatt@disaster.com.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chris Labatt-Simon                      Internet: labatt@disaster.com
Design & Disaster Recovery Consulting   CIS: 73542,2601
Albany, New York                        PHONE: (518) 495-5474  FAX: (518) 432-1829
Subscribe to the Lotus Notes Mailing List (LNOTES-L) - mail for info..
For info on D&D, mail to info@disaster.com or http://www.disaster.com
INTERNET/UNIX/NETWARE/LAN/WAN SPECIALISTS AND MORE ALL UNDER ONE ROOF
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Fri Feb 3 13:29:29 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA01986 for firewalls-outgoing; Fri, 3 Feb 1995 10:55:11 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA00622 for ; Fri, 3 Feb 1995 09:57:16 -0800
Received: from apache.spirit.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id JAA11215; Fri, 3 Feb 1995 09:35:25 -0800
Reply-To: rik@spirit.com
Received: from localhost (rik@localhost) by apache.spirit.com (8.6.5/8.6.5) id VAA00233; Thu, 2 Feb 1995 21:26:13 -0700
Date: Thu, 2 Feb 1995 21:26:13 -0700
From: Rik Farrow
Message-Id: <199502030426.VAA00233@apache.spirit.com>
To: isdmill@gatekeeper.ddp.state.me.us
Subject: Cleaning out compilers
Cc: Firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dave:

I collect exploit scripts when I can--and many DO
rely on finding and being able to use a C compiler. The point behind creating a bastion host is to create a system with only the minimum necessary software on it. The more software, the more opportunity for finding a security hole. A system which permits users to log in is not a bastion host, and makes a weak firewall.

Given the cost of PCs these days, it seems silly not to dedicate one to the job of being a firewall host. If your budget (and network) are small, an old 386 can do the job.

Regards,
Rik Farrow
rik@spirit.com

From firewalls-owner Fri Feb 3 13:53:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA02724 for firewalls-outgoing; Fri, 3 Feb 1995 11:31:08 -0800
Received: from sg543689.eng.chrysler.com (sg543689.eng.chrysler.com [152.116.1.69]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA02711 for ; Fri, 3 Feb 1995 11:30:56 -0800
Received: from sg5382na.eng.chrysler.com (sg5382na.eng.chrysler.com [152.116.1.30]) by sg543689.eng.chrysler.com (8.6.9/8.6.9) with ESMTP id OAA24471 for ; Fri, 3 Feb 1995 14:28:55 -0500
Received: from clncrdv1.is.chrysler.com ([129.9.241.19]) by sg5382na.eng.chrysler.com (8.6.9/8.6.9) with SMTP id OAA04743 for ; Fri, 3 Feb 1995 14:28:54 -0500
Received: from bobsgrid.is.chrysler.com by clncrdv1.is.chrysler.com (4.1/SMI-4.1) id AA00224; Fri, 3 Feb 95 14:42:53 EST
Message-Id: <9502031942.AA00224@clncrdv1.is.chrysler.com>
X-Sender: t3125rm@clncrdv1.is.chrysler.com
X-Mailer: Windows Eudora Version 2.0.3
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 03 Feb 1995 14:28:42 -0600
To: firewalls@greatcircle.com
From: rgm3@is.chrysler.com (Robert Moskowitz)
Subject: Anyone using SmartDisk???
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

SmartDisk is a device in a 3.5" diskette format that slips into a diskette drive, but is really a complete security device. Its principal use is for securing the PC itself.
However, they have a toolkit that allows for safe storage of passwords in the EEPROM on the SmartDisk. Allegedly, some orgs have used this to script logins, and since the user never even sees their real password, it can be something really tough to guess.

The SmartDisk people have another device, the Crypto SmartDisk, that also has an RSA, DSA and DES engine on board. Seems like this unit could be directly integrated with many challenge/response systems, and the DES engine could be used to actually encrypt the session in real time.

The neat thing about the SmartDisk technology is it uses the standard 3.5" diskette drive for communicating with the PC. The user does not have to do any keying after their SmartDisk password. The support staff does not have to handle esoteric interfacing devices.

Robert Moskowitz
Chrysler Corporation
(810) 758-8212

From firewalls-owner Fri Feb 3 13:57:48 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA01258 for firewalls-outgoing; Fri, 3 Feb 1995 10:31:52 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA01080 for ; Fri, 3 Feb 1995 10:31:05 -0800
Received: from mailgate.ericsson.se by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id FAA10513; Fri, 3 Feb 1995 05:03:51 -0800
Received: from ere.ericsson.se (ere.ericsson.se [136.225.97.10]) by mailgate.ericsson.se (8.6.9/1.0) with SMTP id OAA00196 for ; Fri, 3 Feb 1995 14:05:17 +0100
Received: from tempest.nis.gsunix by ere.ericsson.se (4.1/SMI-4.1-LME1.6) id AA02103; Fri, 3 Feb 95 14:06:53 +0100
Date: Fri, 3 Feb 95 14:06:53 +0100
From: eremf@ere.ericsson.se (Martin Fredriksson)
Message-Id: <9502031306.AA02103@ere.ericsson.se>
To: firewalls@GreatCircle.COM
Subject: Re: tweaking PC setups for TCP/IP
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sorry if I haven't followed the discussion well enough (triple-clicking on that delete
button...), but are you really discussing ways to prevent a PC/MS-DOS/Windows user from modifying his/her IP-address!?

The way I understand it is that regardless of which TCP/IP stack is used, or how it is loaded, the total lack of an access control system in MS-DOS/Windows will allow anyone to perform any modification (the only requirement being how-to knowledge). Ok, remove hard disk, floppy, add new boot-prom, special ethernet-controller, etc, (or just put a real OS on the PC), and the system is secure, but is that what you're talking about?

I would love to be wrong here!

Martin O.G. Fredriksson

From firewalls-owner Fri Feb 3 14:04:27 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA00927 for firewalls-outgoing; Fri, 3 Feb 1995 10:30:36 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA00796 for ; Fri, 3 Feb 1995 10:30:09 -0800
Received: from ensta.ensta.fr by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id GAA10719; Fri, 3 Feb 1995 06:06:16 -0800
Received: from itesec.hsc-sec.fr (itesec.hsc-sec.fr [192.70.106.33]) by ensta.ensta.fr (8.6.4/8.6.4) with SMTP id PAA29439; Fri, 3 Feb 1995 15:07:57 +0100
Received: by itesec.hsc-sec.fr (5.65d8/IDA-1.5f) via HSCnet id AA08756; Fri, 3 Feb 1995 15:07:40 +0100
From: Ollivier Robert
Message-Id: <199502031407.AA08756@itesec.hsc-sec.fr>
Subject: Re: ARPWATCH: ( was Re: Prevention of LOCAL spoofing/duplicate IP's
To: danny@miriworld.its.unimelb.EDU.AU (Daniel O'Callaghan)
Date: Fri, 3 Feb 1995 15:07:39 +0100 (MET)
Cc: rhufsky@csesys.co.at, firewalls@GreatCircle.COM
In-Reply-To: from "Daniel O'Callaghan" at Feb 3, 95 09:42:13 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Content-Length: 1008
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > Sounds good, can you provide a pointer to it
> > ?
>
> ftp://www.unimelb.edu.au/pub/misc/arpwatch-1.0.tar.gz
> http://www.unimelb.edu.au:8088/pub/misc/arpwatch-1.0.tar.gz

You can get a new version from lbl.gov, see this extract from the README:

    @(#) $Header: README,v 1.7 94/10/04 13:15:34 leres Exp $ (LBL)

    ARPWATCH 1.3
    Lawrence Berkeley Laboratory
    Network Research Group
    tcpdump@ee.lbl.gov
    ftp://ftp.ee.lbl.gov/arpwatch-*.tar.Z

    This directory contains source code for arpwatch, a tool that monitors
    ethernet activity and keeps a database of ethernet/ip address pairings.
    It also reports certain changes via email.

    Arpwatch uses libpcap, a system-independent interface for user-level
    packet capture. Before building tcpdump, you must first retrieve and
    build libpcap, also from LBL, in:

        ftp://ftp.ee.lbl.gov/libpcap-*.tar.Z.

--
Ollivier ROBERT -=-=- Hervé Schauer Consultants -=-=- roberto@hsc.fr.net
-=-=-=-=-=- Support The Free UNIX Systems ! FreeBSD NetBSD Linux -=-=-=-=-=-

From firewalls-owner Fri Feb 3 14:14:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA01569 for firewalls-outgoing; Fri, 3 Feb 1995 10:33:15 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA01382 for ; Fri, 3 Feb 1995 10:32:25 -0800
Received: from sg543689.eng.chrysler.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id EAA10385; Fri, 3 Feb 1995 04:41:51 -0800
Received: from sg5382na.eng.chrysler.com (sg5382na.eng.chrysler.com [152.116.1.30]) by sg543689.eng.chrysler.com (8.6.9/8.6.9) with ESMTP id HAA15882 for ; Fri, 3 Feb 1995 07:44:05 -0500
Received: from clncrdv1.is.chrysler.com ([129.9.241.19]) by sg5382na.eng.chrysler.com (8.6.9/8.6.9) with SMTP id HAA03146 for ; Fri, 3 Feb 1995 07:44:04 -0500
Received: from bobsgrid.is.chrysler.com by clncrdv1.is.chrysler.com (4.1/SMI-4.1) id AA26191; Fri, 3 Feb 95 07:58:02 EST
Message-Id: <9502031258.AA26191@clncrdv1.is.chrysler.com>
X-Sender: t3125rm@clncrdv1.is.chrysler.com
X-Mailer: Windows Eudora Version 2.0.3
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 03 Feb 1995 07:43:52 -0600
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security), firewalls@greatcircle.com
From: rgm3@is.chrysler.com (Robert Moskowitz)
Subject: Re: Test labs
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 07:35 PM 1/31/95 -0500, A. Padgett Peterson, P.E. Information Security wrote:
>sjg rites:
>>What's wrong with setting up your firewall in a test lab? I mean the
>>entire DMZ,choke etc etc. You can then test it until you are happy
>>before letting others have a go...
>
>Oh I agree, now everyone out there whose organization *has* a dedicated
>test lab for firewalls, please stand up (sit down Marcus 8*). The long-running
>joke around here is that I do all testing at home because I have better
>equipment there (well, I do have a TCP/IP & IPX system with both 10Base-2
>and 10Base-T that son and friends overload with DOOM but no Cisco. Yet.)
>

This is exactly what senior management is insisting we do as part of the on-going firewall certification process. Reasonable money outlays are not a problem (boy, it is nice to make a profit!).

In fact, not only will we have to maintain a testbed, I have to develop a certification process.
Anyone got one already done ;)

Robert Moskowitz
Chrysler Corporation
(810) 758-8212

From firewalls-owner Fri Feb 3 14:25:34 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA01303 for firewalls-outgoing; Fri, 3 Feb 1995 10:32:01 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA01119 for ; Fri, 3 Feb 1995 10:31:15 -0800
Received: from d.ecc.engr.uky.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id FAA10602; Fri, 3 Feb 1995 05:38:09 -0800
Received: from s.ecc.engr.uky.edu by d.ecc.engr.uky.edu (5.59/25-eef) id AA12131; Fri, 3 Feb 95 08:19:19 EST
Received: by s.ecc.engr.uky.edu (4.1/SMI-4.1) id AA03147; Fri, 3 Feb 95 08:23:46 EST
Date: Fri, 3 Feb 95 08:23:46 EST
From: morgan@engr.uky.edu (Wes Morgan)
Message-Id: <9502031323.AA03147@s.ecc.engr.uky.edu>
To: firewalls@greatcircle.com
Subject: Re: tweaking PC setups
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is something of a bureaucratic question for the policy wonks out there.

>> You could use [Restrictions] in PROGMAN.INI and not allow the users to
>> change their icons, position, to install new one, take the File Menu
>> (Program Manager) away, no MS-DOS prompt, no File-Manager, and get
>> them directly into Windows, without break I am using in that way with
>> Trumpet Winsock etc.
>
>And any knowledgeable user/student will know how to take those limitations
>out of their PROGMAN.INI.

If one of my corporate users went to such lengths, intentionally removing the protections placed on their configurations, I'd be making a formal request for an administrative reprimand. When their actions have the potential to toast the entire net, the network manager's word should be law.

Which, of course, brings me to my question: Do your responsibilities as 'the network guy' or 'the security guy' extend this far?
Do you have the authority to deliver an administrative (read: personnel file) reprimand to users who ignore your policies/procedures? Should such authority be part of a developing firewall policy?

It's often been said, in this forum, that the technology is only half the battle; the *people* are the other half. Frankly, I should want some sort of recourse for the person who insists on a clandestine modem, mucking with his config, et cetera... Given that our responsibilities as 'network folks' span the bureaucratic maze, affecting virtually every department of our organizations, it would seem that we need some authority that crosses those borders.

Of course, we could always just cut off that segment of the network until the recalcitrant user sees the light (or has it shown to him). 8)

--Wes

From firewalls-owner Fri Feb 3 14:32:32 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA01110 for firewalls-outgoing; Fri, 3 Feb 1995 10:31:14 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA00892 for ; Fri, 3 Feb 1995 10:30:27 -0800
Received: from ttown.apci.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id GAA10842; Fri, 3 Feb 1995 06:50:02 -0800
Received: by ttown.apci.com (5.65c+/DEC-Ultrix/4.3) id AA04176; Fri, 3 Feb 1995 09:49:09 -0500
Date: Fri, 3 Feb 1995 09:49:09 -0500
From: gaulse@ttown.apci.com (Stephen E. Gaul Jr.)
Message-Id: <199502031449.AA04176@ttown.apci.com>
To: firewalls@greatcircle.com
Subject: re: Plan9 firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>From Quentin.Fennessy@SEMATECH.Org Thu Feb 2 14:59:45 1995
>>(OK, my next generation will be BSDI, or Plan9 -- what about Amoeba?)
>Actually, I'm really interested in Plan9. I haven't seen or heard much
>about it since I read the group of papers on it from a few years back...
>Is there more information available?
well, i'd like to throw something out to the audience, all flames are also welcome. i too am extremely interested in Plan9. yes, i'm one of those sick few who believe it is in the state UNIX was back in the early seventies and also believe that it just may be the successor of UNIX. anyway, here is my response to the above and a few further questions.

i ftp'd the programming docs and available material from research.att.com, i think about a year ago. i read an article in bell lab news that interviewed the authors of the OS and they made mention that it was distributed to a few 100 universities or so...(all AT&T clarifications welcome). from what i have seen and read of the OS it holds a lot of promise.

Questions: how stable is it? how well will it work as the "next generation" firewall? and has any firewall work been done in this area?

respond privately or via list, i will post a summary of all e-mail received

thanx in advance,
I'm also lost, can you direct me to the information superhighway?

________________________________________________________________
Stephen E. Gaul, Jr.
Air Products and Chemicals, Inc.
Lehigh Valley, PA 18001
INET: gaulse@ttown.apci.com
VOICE: (610) 481-7054
FAX: (610) 481-3300
NOTE: These statements and opinions are mine, not those of APCI...
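The arpwatch README quoted in Ollivier Robert's message earlier in this digest describes a tool that monitors ethernet activity, keeps a database of ethernet/IP address pairings and reports changes, which is what the "Prevention of LOCAL spoofing/duplicate IP's" thread was after. The following Python is an added illustration of that idea, not code from any poster and not arpwatch's own source: it parses constructed Ethernet/ARP frames, keeps an IP-to-MAC database, and raises the three pairing reports arpwatch documents ("new station", "changed ethernet address", "flip flop"). The frames, MACs, IPs and timestamps are constructed, and the matching rules are this example's own simplification.

```python
"""Added example: an arpwatch-style monitor over constructed Ethernet/ARP frames.

Keeps an IP -> MAC pairing database and reports the pairing events arpwatch
documents: "new station", "changed ethernet address" and "flip flop".
All frames, addresses and timestamps below are constructed test data; the
matching rules are this example's simplification, not arpwatch's code.
"""
import struct

ETH_P_ARP = 0x0806          # EtherType for ARP
ARP_REPLY = 2               # ARP opcode
BROADCAST = b"\xff" * 6


def ip_to_bytes(ip):
    """'10.1.1.5' -> 4 network-order bytes."""
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_frame(sender_mac, sender_ip, target_ip, op=ARP_REPLY):
    """Constructed test helper: 14-byte Ethernet header + 28-byte ARP body
    (hardware type 1 = Ethernet, protocol 0x0800 = IPv4, hlen 6, plen 4)."""
    eth = BROADCAST + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + sender_mac + ip_to_bytes(sender_ip)
           + b"\x00" * 6 + ip_to_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return (sender_mac, sender_ip) as strings for an Ethernet/IPv4 ARP
    frame, or None for anything else (too short, not ARP, other media)."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = ":".join("%02x" % b for b in frame[22:28])
    ip = ".".join(str(b) for b in frame[28:32])
    return mac, ip


class ArpWatch:
    """db: ip -> {"mac", "prev", "last_seen"}. observe() returns a report
    tuple (kind, ip, new_mac, old_mac) when a pairing changes, else None."""

    def __init__(self):
        self.db = {}

    def observe(self, frame, ts):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        mac, ip = parsed
        if ip == "0.0.0.0":            # ARP probe: sender has no address yet
            return None
        entry = self.db.get(ip)
        if entry is None:
            self.db[ip] = {"mac": mac, "prev": None, "last_seen": ts}
            return ("new station", ip, mac, None)
        if entry["mac"] == mac:
            entry["last_seen"] = ts     # same pairing, just refresh
            return None
        # The IP is now claimed by a different MAC: a duplicate address or a
        # local spoof. A swing back to the pairing seen before is a flip flop.
        kind = "flip flop" if entry["prev"] == mac else "changed ethernet address"
        old = entry["mac"]
        entry.update(mac=mac, prev=old, last_seen=ts)
        return (kind, ip, mac, old)


def monitor_frames(frames):
    """Feed (ts, frame) pairs through one ArpWatch; return the reports raised."""
    watcher = ArpWatch()
    reports = []
    for ts, frame in frames:
        report = watcher.observe(frame, ts)
        if report is not None:
            reports.append(report)
    return reports


MAC_A = bytes.fromhex("aabbccddee01")
MAC_B = bytes.fromhex("aabbccddee02")
MAC_C = bytes.fromhex("aabbccddee03")

# Constructed capture: two legitimate hosts, then 10.1.1.5 is suddenly
# answered for by MAC_C, and later by MAC_A again. Frame 103 is IPv4, not ARP.
SAMPLE_CAPTURE = [
    (100, build_arp_frame(MAC_A, "10.1.1.5", "10.1.1.1")),
    (101, build_arp_frame(MAC_A, "10.1.1.5", "10.1.1.1")),
    (102, build_arp_frame(MAC_B, "10.1.1.9", "10.1.1.1")),
    (103, BROADCAST + MAC_B + struct.pack("!H", 0x0800) + b"\x00" * 28),
    (104, build_arp_frame(MAC_C, "10.1.1.5", "10.1.1.1")),
    (105, build_arp_frame(MAC_A, "10.1.1.5", "10.1.1.1")),
]

if __name__ == "__main__":
    for kind, ip, new_mac, old_mac in monitor_frames(SAMPLE_CAPTURE):
        was = " (was %s)" % old_mac if old_mac else ""
        print("%-24s %-10s %s%s" % (kind, ip, new_mac, was))
```

On a live network the frames would come from a packet capture interface (arpwatch uses libpcap, per its README); here they are built in memory so the logic can be exercised offline. A "changed ethernet address" for an IP that should be static is the signal to investigate, and the "flip flop" report is what two hosts fighting over one address looks like.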
From firewalls-owner Fri Feb 3 14:54:51 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA06130 for firewalls-outgoing; Fri, 3 Feb 1995 14:01:08 -0800
Received: from dot.ca.gov (nic.dot.ca.gov [149.136.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA06123 for ; Fri, 3 Feb 1995 14:01:03 -0800
Received: from trew002 (trew.dot.ca.gov) by dot.ca.gov (4.1/01.14.95) id AA27182; Fri, 3 Feb 95 13:58:57 PST
Message-Id: <9502032158.AA27182@dot.ca.gov>
Date: Fri, 3 Feb 1995 13:51:11 -0800
From: stan@dot.ca.gov ( )
To: firewalls@GreatCircle.COM, jna@concorde.com, stan@dot.ca.gov
Subject: Re: local spoofing
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

John Adams writes:

    But does firefox handle the fact that our PC's run both IPX and IP to connect to our novell and IP networks?

Firefox gives you a way to provide IP connections where you don't have to manage IP addresses for hosts on a novell network running IPX. Firefox clients make IPX connections to the Firefox gateway who creates a TCP connection to the actual destination. On the other side of it, if you are trying to do policy filters on IP services for different folks it's harder because you have many hosts appearing to come from the same virtual host.

Disclaimer: I have no stock in the company. I am a customer.

Stan

From firewalls-owner Fri Feb 3 14:57:59 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA04574 for firewalls-outgoing; Fri, 3 Feb 1995 12:51:48 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA04564 for ; Fri, 3 Feb 1995 12:51:43 -0800
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA22565; Fri, 3 Feb 95 15:39:24 -0500
Date: Fri, 3 Feb 95 15:39:24 -0500
Message-Id: <9502032039.AA22565@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Dangerous Visions
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jay rites:
>Especially noteworthy were references to
>articles in the London Times from the 1840s that claimed that by discussing
>the relative strength of door and safe locks, the Times was contributing to
>criminal knowledge, and that some subjects were too sensitive to allow
>public discussion.

Well IMNSHO, one sign of a lack of knowledge is a refusal to participate in intelligent discussion. At the same time, I reserve the right to demand some proof of intelligence (or at least politeness) before going into complex discussion. I have been assailed too often by people demanding not information but to be spoon-fed tools of destruction and who become abusive when I refuse to pander to their whims.

There is a difference between teaching (which requires only a log and a willing student) and someone who demands gifts as their "right".

Warmly,
Padgett

From firewalls-owner Fri Feb 3 15:15:47 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA04825 for firewalls-outgoing; Fri, 3 Feb 1995 13:01:47 -0800
Received: from subzero.winternet.com (root@subzero.winternet.com [198.174.169.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA04820 for ; Fri, 3 Feb 1995 13:01:33 -0800
Received: by subzero.winternet.com (SunOS Smail3.1.28.1 #5) id m0raV6G-000Ql8C; Fri, 3 Feb 95 14:59 CST
Date: Fri, 3 Feb 1995 14:59:27 -0600 (CST)
From: James Smilanich
To: firewalls@greatcircle.com
cc: James Smilanich
Subject: Connections to Partners and Clients
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings.

Our company is in the process of developing a closer relationship with a partner that is based in London.
This relationship will require that we provide telnet and ftp access in both directions, as well as the ability to submit jobs to print queues, again in both directions. Estimated cost for the network link is $10,000. Before anyone says anything, let me state that this decision and the cost estimate was made by the powers that be without any representation of the network administration staff. While we have not yet had a chance to put together a cost analysis of a safe connection, we knew that something was planned for later this year. Well, now we are being told that we need to get something up by March 1st for next to nothing.

I am looking for input from neutral, reasonably qualified observers (you know who you are ;) ) as to the feasibility and cost of a couple of options that we've been kicking around. We want to ensure that both companies' security concerns are met by whatever we propose. Given the sensitive nature of our client information on both our networks, those of us in network support in the US company would prefer to err on the side of caution. However, the risk is not perceived as being an issue by the systems manager for Production Systems in our company, and our VP rightfully insists on cost justification before spending money on anything. Especially if what we are thinking about will run us into the tens of thousands of dollars, as I expect it will.

They are currently providing access for our joint Paris office to their network via BT's X.25 network. They claim no plans for Internet access, but we do. At this time, we already have an existing bubble of our network in their office in order to provide output to printers that we own. We do not currently have any connection between their network and ours. I should note that I think that we will be told to leave the bubble net and its devices in place.
The configuration looks something like this:

[ASCII diagram, flattened in the archive: Our cloud -- Our router -- (link)
-- Their router -- Bubble Net, with a vertical bar marking the boundary
between the two companies' networks]

At this time, our network stops at the WAN interface on router 2. The bubble
net is actually a subnet range of the English company's network. This subnet
is in use in their network, so before we connect the two together, we will
have to change IP assignments there.

The current thinking by others is that we turn the bubble net into a single
DMZ shared by the two companies. My partner in crime and I both believe that
we need to set up a firewall here in the US that only we control. If we are
going to do that, Jeff argues that we need to stop our network at router 1,
and possibly before. Essentially, he wants to avoid any advertisements of our
network numbers to other parties. He proposed something along the following
before we found out about the services that were required and the short
deadline:

[ASCII diagram, flattened in the archive: Our cloud -- Our firewall -- new
"external services" network -- Our router; Their cloud -- Their firewall --
Bubble Net -- Their router; the two router links are joined on the right-hand
side]

His thought is that we use the "external services" network for all incoming
connections, from customers and business partners, vendors, public networks
like the Internet and possible X.25 links, etc. This network would have a new
Class C number from the InterNIC, thereby preventing our corporate network
from being advertised. I have argued and still feel that we can't expose our
clients and our business partners to the added risk of putting them on a
shared network with the Internet. While several of our clients have Internet
access today, most of them do not.
I would rather that instead, we set up a separate firewall/DMZ for the
Internet and other public services. However, all of the clients that we
currently have limited links with (or our bubble net in their office) already
have Internet links. His response is that we should not put ourselves in the
position of controlling their security, and since the Internet exposure is
already there for us through them, we need to start closing our own holes. In
addition, he points out that we will not get the money to do a two-firewall
solution anyway. On this point, I think he's probably right. He also points
out that it is also possible that the InterNIC may refuse us more than one
Class C for this DMZ. (Recently, there was a local outfit turned down. They
were told to go back to their local provider to get the Class C. Naturally,
the local provider didn't have one to give them either. The company has
reapplied to the InterNIC.) Jeff, if I have missed any points in summing up
your arguments, please clarify.

On the other hand, I don't like moving forward with this English link without
a firewall. This is by far the highest level of connectivity that we have been
asked to set up with any other organization. However, given the extremely
tight timeframe, which I don't think we can move, and the small initial
estimate by those who don't know, we may not get one right away. Maybe we can
build something now and tighten it up later. (No, hold the rotten eggs. I'm
kidding!)

Any thoughts, comments, questions?

Jim Smilanich            | "A man should be able to pilot a starship, plan an
jsmilan@winternet.com    | invasion, diaper a baby..... specialization is for
Winternet is my access   | insects!" -- Lazarus Long
provider, so don't blame |
them for my opinions!    |
From firewalls-owner Fri Feb 3 15:22:26 1995
From: charles@Tanner.COM (Charles Augustine)
Message-Id: <9502032123.AA19871@suntan1>
Subject: Need info on ufc-crypt site
To: firewalls@greatcircle.com
Date: Fri, 3 Feb 1995 13:23:46 -0800 (PST)
Reply-To: charles.augustine@Tanner.COM (Charles Augustine)

Hi, could someone point me to a site from where I could get ufc-crypt. I need
it to run Crack faster.

Thanks
charles
--
****************************************************************
CHARLES AUGUSTINE               Phone - (818) -568 -3370 [Res]
Network Administrator                   (818) -792 -3000 [Wrk]
Tanner Research Inc                     (818) -792 -0300 [Fax]
180 N Vinedo Ave
Pasadena, CA 91107.
Internet - Charles@tanner.com
"u cant wait for inspiration U have to go after it with a CLUB !
- Jack London
*****************************************************************

From firewalls-owner Fri Feb 3 15:24:51 1995
Message-Id: <9502032242.AA01470@kelly.ic.shell.com>
To: firewalls@greatcircle.com
Subject: Clear text passwords
Date: Fri, 03 Feb 95 16:42:12 -0600
From: "Anh-Huy (Steve) T. Ton"

If I set up a firewall between my company & the Internet & allow ftp & telnet
access out, is there any way I can prevent the passwords from ftp & telnet
from being sent out across the Internet in clear text? I think not, but I
thought I'd ask anyway.

Also can anyone point me to a testsuite so that I can test my firewall in my
"testlab"?

..............................................................................
. Anh-Huy (Steve) T. Ton                  Shell Oil Company                  .
. Network Systems Projects                1500 O.S.T., Rm. 2P18I             .
. E-mail : ton@shell.com                  Houston, TX 77054                  .
. Skypage : 1(800)SKY-GRAM, PIN : 8841224 (713)245-2636                      .
..............................................................................
From firewalls-owner Fri Feb 3 15:26:12 1995
Message-Id: <199502032118.AA08477@panix.com>
Date: Fri, 03 Feb 1995 16:18:39 -0500
To: Firewalls@greatcircle.com
From: wallynet@panix.com (Walter F. InterNetman)
Subject: SEAL's IP over DECNET, POP goes the Weasel

Try this on for size....

If you were me you'd have a huge flat network and users who want to use
Netscape on Chameleon winsock, Pathworks or other NDIS DECnet transport
mechanism, but can't because the IP to DECnet address translator which
Digital has bundled with SEAL only supports UUNET functionality. Hmmmm....

So.. OK, let's build an Xclient and the associated infrastructure for 500
users to start, and load Hummingbird Xserver and the associated font
libraries on everyone's machine. I'll bet you envy me as the sys admin of
this kludge.

Well... Who can come up with a better way to give the users what they want
and not introduce IP onto the backbone? If you can implement this next week
we need to talk!
RSVP 212.795.2902

From firewalls-owner Fri Feb 3 15:54:10 1995
Date: 03 Feb 1995 13:28:42 -0700 (PDT)
From: rgm3%is.chrysler.com@MR.STANFORD.EDU
Subject: Anyone using SmartDisk???
To: "firewalls@greatcircle.com"

>SmartDisk is a device in a 3.5" diskette format that slips into a diskette
>drive, but is really a complete security device. Its principal use is for
>securing the PC itself.
>
>However, they have a toolkit that allows for safe storage of passwords in
>the EEPROM on the SmartDisk. Allegedly, some orgs have used this to script
>log ins, and since the user never even sees their real password, it can be
>something really tough to guess.
>
>The SmartDisk people have another device, the Crypto SmartDisk, that also
>has an RSA, DSA and DES engine on board. Seems like this unit could be
>directly integrated with many challenge/response systems, and the DES engine
>could be used to actually encrypt the session in real time.
>
>The neat thing about the SmartDisk technology is it uses the standard 3.5"
>diskette drive for communicating with the PC. The user does not have to do
>any keying after their SmartDisk password.
>The support staff does not have
>to handle esoteric interfacing devices.
>
>Robert Moskowitz
>Chrysler Corporation
>(810) 758-8212

I'd also very much love to hear from anyone working with the SmartDisk. I got
a free copy of the software and the toolkit (sans RSA) at the RSA conference
where this vendor is just beginning to market their RSA-supported product. I
hear there are some very creative applications that have been programmed
using this technology.

Connie Sadler
sadler_c@hosp.stanford.edu

From firewalls-owner Fri Feb 3 15:54:54 1995
Message-Id: <9502032151.AA28702@anon.penet.fi>
To: firewalls@greatcircle.com
From: an156793@anon.penet.fi (Craving Knowledge)
Organization: Anonymous contact service
Reply-To: an156793@anon.penet.fi
Date: Fri, 3 Feb 1995 21:51:20 UTC
Subject: More on Network Performance and Firewalls

From: Paul Pomes
Date: Tue, 31 Jan 1995 20:11:24 -0600
Subject: Re: Network Performance

> A. Padgett Peterson writes:
> |The reason that firewalls are not designed to handle T1+ speeds (though
> |several can apparently handle c.a. 3 Mbps) is that the market is not there.
> |To get that kind of speed you do not use Ethernet. But more important, most
> |people do not have more than T-1 and few need that kind of connect rate with
> |the outside.

Paul Pomes responds:

> The University of Illinois has a 45 Mbps (DS3) link to the Internet cloud.
> Any firewall that my organization puts in place at the border has to be
> that fast or there will be a palace coup within days.
> So for now the
> solution is no firewall at all.

Your situation is much like those of the scientific community on the Internet
(actually you are a subset of this community to some degree). This community
does demand higher speeds to push all the data around the Internet. We also
face the coup problem and are trying to solve it to some degree before the
firewall is put in place. The scientific communities are Universities,
Government organizations and private organizations. My organization does work
with a myriad of groups belonging to all three of these groups and we all are
sharing Gigabytes of data per day. To say there is no demand for higher speeds
is just a little short sighted. True, there are vast amounts of small
companies and organizations that will never probably need speeds above T1 (or
56k or modem speeds), but demands for high speed technology and computing are
a significant presence in today's computing field.

We have been analyzing our computing needs here and have come to the
conclusion that we do need a first line of defense. Our need to have a
firewall give us speeds above and beyond T1 is a technical aspect that could
defeat our ability to install a firewall. Marcus Ranum pointed out that it is
possible to gain back some performance by putting proxy servers up in
parallel, each dedicated to one proxy service, such as one for ftpd, one for
telnetd, etc. Has anyone else dealt with such a configuration? If so, do you
know what your throughput actually is???

Ted Doty writes:
> Once faster links become more
> common, firewalls will have to be improved if they are to be kept.

I again have to agree with you as well. Our presence as well as the presence
of our constituents on the Internet has been keeping up with technology.
Security had always been dealt with in a centralized facility up to a decade
ago because everyone had mainframes. Now, with the advent of workstations in
the early 80s, security for many of us has become decentralized again.
Firewalls, ANS, Drawbridge, and other products are ways to get a grip on
security in a centralized manner. We understand in a large sense the
shell/soft chewy middle concept and we consider our Unix system security to be
as strong as our weakest link. We are strengthening our links, but see a real
need to create the hard shell. We are hoping that Security technology will
start seriously addressing network performance issues, so that all the
organizations like ours don't have to waste so much time and resources in this
decentralized security scheme.

-------------------------------------------------------------------------
To find out more about the anon service, send mail to help@anon.penet.fi.
Due to the double-blind, any mail replies to this message will be anonymized,
and an anonymous id will be allocated automatically. You have been warned.
Please report any problems, inappropriate use etc. to admin@anon.penet.fi.

From firewalls-owner Fri Feb 3 16:25:02 1995
Date: Fri, 3 Feb 1995 19:20:38 -0500 (EST)
From: "Mark G. Scheuern"
Subject: Re: Firewalls-Digest V4 #86
To: Firewalls@greatcircle.com
In-Reply-To: <199502032226.OAA06650@miles.greatcircle.com>

> From: Rob Sansom
> Date: Fri, 3 Feb 1995 08:27:32 -0800 (PST)
> Subject: AIX ftp site
>
> Does anyone out there know of an ftp site that has AIX security stuff??
> I'm not a real slick C programmer, and don't have the
> time to try to port the stuff to AIX myself.
>
> Thanks,
> Rob S.

A good site for AIX binaries (and ported source code) is
ftp://aixpdslib.seas.ucla.edu, though it doesn't have loads of security
stuff. It's been my experience that, although AIX is a rather strange Unix,
most popular security software (e.g. tcpwrapper, COPS, TIGER, Crack) builds
from the standard sources with very little trouble.

Mark

| Mark G. Scheuern          | http://www.acs.oakland.edu/~mgscheue/ |
| Chrysler Corp.            | finger mgscheue@vela.acs.oakland.edu  |
| mgscheue@oakland.edu      | 20 67 4B E0 15 5C 7C 87               |
| 73150.1770@compuserve.com | 28 B3 DB BA 63 B1 5F A1               |

From firewalls-owner Fri Feb 3 19:54:44 1995
Date: Fri, 3 Feb 95 22:31:31 -0500
Message-Id: <9502040331.AA24290@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: SmartDisk

Subj: Anyone using SmartDisk???

Saw something like this at a CSI bash last year. Thought it was a brilliant
concept that needed a little bit more work. In that one, you needed the
special "floppy" only for booting, after which it could be removed.

The vulnerability was that if a miscreant could get about 5 seconds alone
with a booted system, the intercept could be captured and, given that, the
machine could be reactivated later *without knowing the password*.

Sent a notice of this to the mfr along with a demo disk and some suggestions
but never heard back from them.
Warmly,
Padgett

From firewalls-owner Fri Feb 3 23:24:37 1995
From: mulligan@future.incog.com
Message-Id: <9502040652.AA04729@future.incog.com>
To: rgm3@is.chrysler.com (Robert Moskowitz)
Cc: firewalls@greatcircle.com
Subject: Re: Anyone using SmartDisk???
Reply-To: mulligan@incog.com
In-Reply-To: Your message of "Fri, 03 Feb 95 14:28:42 CST." <9502031942.AA00224@clncrdv1.is.chrysler.com>
Date: Fri, 03 Feb 95 23:52:51 MST

I thought it was a very interesting product, but as I remember it could only
do 512-bit Diffie-Hellman operations and didn't scale well to 1024 bit. It
uses a Siemens chipset, I think. If you didn't want to use smartcard or
pcmcia form factor readers and were satisfied with 512 bit key lengths for
RSA it seemed interesting. Maybe they have improved the internal technology
and fixed these limitations.
geoff

From firewalls-owner Sat Feb 4 05:24:40 1995
From: "Dr. Frederick B. Cohen"
Message-Id: <199502041257.HAA02360@all.net>
Subject: ISS scan service - trials only
To: firewalls@greatcircle.com
Date: Sat, 4 Feb 1995 07:57:32 -0500 (EST)

I have put an on-line ISS scan feature on our WWW server for TEMPORARY TEST
PURPOSES ONLY!!!

The scan asks for an IP address and, if it can get a hostname for the
address, does an ISS run from this machine against the IP address and mails
the results to postmaster@hostname. I figure that this is adequate insurance
against people running scans against non-owned machines from this machine,
since they can't get the results without rerouting internet mail along the
way, and they could simply run iss themselves to do the scan in a hostile
way.

If I get any complaints from people who have been scanned by this service not
at their own request, I will almost certainly shut the service down - so be
polite!

If this works out, I will consider adding other external firewall test
capabilities to the site.
Comments are welcomed - FC

The URL is http://all.net:8080

From firewalls-owner Sat Feb 4 07:24:46 1995
Message-Id: <9502031942.AA00224@clncrdv1.is.chrysler.com>
Date: Fri, 03 Feb 1995 14:28:42 -0600
To: firewalls@greatcircle.com
From: rgm3@is.chrysler.com (Robert Moskowitz)
Subject: Anyone using SmartDisk???

SmartDisk is a device in a 3.5" diskette format that slips into a diskette
drive, but is really a complete security device. Its principal use is for
securing the PC itself.

However, they have a toolkit that allows for safe storage of passwords in
the EEPROM on the SmartDisk. Allegedly, some orgs have used this to script
log ins, and since the user never even sees their real password, it can be
something really tough to guess.

The SmartDisk people have another device, the Crypto SmartDisk, that also
has an RSA, DSA and DES engine on board. Seems like this unit could be
directly integrated with many challenge/response systems, and the DES engine
could be used to actually encrypt the session in real time.

The neat thing about the SmartDisk technology is it uses the standard 3.5"
diskette drive for communicating with the PC. The user does not have to do
any keying after their SmartDisk password. The support staff does not have
to handle esoteric interfacing devices.

Robert Moskowitz
Chrysler Corporation
(810) 758-8212

From firewalls-owner Sat Feb 4 09:19:08 1995
From: len@netsys.com (Len Rose)
Message-Id: <9502040835.ZM3510@death.netsys.com>
Date: Sat, 4 Feb 1995 08:35:10 -0800
In-Reply-To: "Dr. Frederick B. Cohen" "ISS scan service - trials only" (Feb 4, 7:57am)
References: <199502041257.HAA02360@all.net>
To: "Dr. Frederick B. Cohen", firewalls@greatcircle.com
Subject: Re: ISS scan service - trials only

I believe this to be irresponsible beyond credulity. You've just handed a
tool to someone who may not be able to run scans for whatever reasons.

Len

On Feb 4, 7:57am, "Dr. Frederick B. Cohen" wrote:
> Subject: ISS scan service - trials only
> I have put an on-line ISS scan feature on our WWW server for TEMPORARY
> TEST PURPOSES ONLY!!!
[rest deleted]
>-- End of excerpt from "Dr. Frederick B. Cohen"

Len Rose
http://www.netsys.com

From firewalls-owner Sat Feb 4 09:46:07 1995
From: root@tumif.cs.Uni-Magdeburg.DE
Date: Sat, 4 Feb 95 11:22:56 -0500
Message-Id: <9502041622.AA25791@uvs1.orl.mmc.com>
To: "rgm3@is.chrysler.com"@uvs1.dnet.mmc.com
Cc: "firewalls@greatcircle.com"@uvs1.dnet.mmc.com
Subject: Re: Test labs

>In fact, not only will we have to maintain a testbed, I have to develop a
>certification process. Anyone got one already done ;)

Well, first you need a policy that states what is permitted and what is not.

Next, set up the firewall/bastion/proxy system in the lab with two nodes on
either side. Next, program one node on each side to be "promiscuous" and
record all packets on the net. Then set up one "outside" node to attempt to
access the "inside".

Exactly what tests are used depends on the policy, but a start would be to
send a series of packets of different types to see if the pass/fail/log
parameters operate correctly and if all packets are accounted for. Of these,
at least one series should be an attempt to open all 65k sockets on the
"inside" node (take a coffee break), recording which requests got through and
which succeeded. This is often an eye-opener. Of the sockets that open, tests
need to be made that they are properly controlled.

Finally, a report indicating the setup used, software and hardware version
numbers, and which tests succeeded, were blocked, and were logged. Error
messages should also be recorded.

It is important to emphasize that the certification states the precise
configuration used and that a decision is made as to what leeway there is in
it.

Sorry to be a bit vague, but the security policy must come first and all else
depends on that. The important thing is that the entire process must be the
product of logical deductive reasoning that has its foundation in the policy.
If at any point inductive reasoning is required, there has either been an
error or something was not covered properly in the policy.

Warmly,
Padgett

From firewalls-owner Sat Feb 4 10:29:54 1995
Date: Sat, 04 Feb 1995 14:11:44 +0100
To: Firewalls@greatcircle.com
From: bernd@pfm.PFM-Mainz.DE (Bernd Hennig)
Subject: http-Proxy-Server (binaries/sources)

Hi,

we need a http-Proxy Server, as source or binary for Solaris 4.1 (SunOS) or
SCO ODT 3.0. I hope someone here can help us....
-- bernd@pfm.PFM-Mainz.DE ...on perseus.PFM-Mainz.DE with Eudora 1.4 Eibenweg 4 D-55128 Mainz | Tel.: 06131/362779 | Fax.: 06131/366894 From firewalls-owner Sat Feb 4 10:40:18 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA22880 for firewalls-outgoing; Sat, 4 Feb 1995 10:12:17 -0800 Received: from pegase.total.fr (pegase.total.fr [146.249.41.223]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA07169 for ; Fri, 3 Feb 1995 14:51:49 -0800 Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA26866; Fri, 3 Feb 95 23:46:07 +0100 Received: by tidtest.total.fr (4.1/SMI-4.1) id AA00252; Fri, 3 Feb 95 23:42:33 GMT From: lavondes@tidtest.total.fr (Michel Lavondes) Message-Id: <9502032342.AA00252@tidtest.total.fr> Subject: Re: unsuscribe firewalls To: Jean-Christophe.Touvet@inria.fr (JC Touvet) Date: Fri, 3 Feb 95 23:42:32 GMT Cc: firewalls@greatcircle.com (fw) Reply-To: lavondes@tidtest.total.fr In-Reply-To: <199502021754.SAA21937@champagne.inria.fr>; from "JC Touvet" at Feb 2, 95 6:54 pm X-Mailer: ELM [version 2.3 PL11] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk JC Touvet wrote : > > > > I can't figure out how that mistake is so popular... "s" and "b" aren't > > even close to each other, and I can't imagine anyone actually pronouncing > > "unsubscribe" as "unsuscribe"... Sigh. > > Well, maybe they speak french... > > Subscribe could be translated to "souscrire" in french (but "insouscrire" > doesn't exist ;-) > Except that "souscrire" doesn't have much to do with "subscribing" (closest english translations would be underwrite (of insurance policies or stock) or second (of opinions), so it would take someone with *very* poor english (OK, so they might be french, after all - oh, well) to confuse the words. Besides, I see so many misspellings (not sure how to spell that :-), I can't believe all of them come from poor typing or careless rereading. Maybe that's a common one ... 
-- Michel Lavondes E-Mail : lavondes@tidtest.total.fr lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected) Tel : +33-1-4135-4198 Fax : +33-1-4135-4189

From firewalls-owner Sat Feb 4 19:51:05 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA29684 for firewalls-outgoing; Sat, 4 Feb 1995 19:28:07 -0800 Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA22926 for ; Sat, 4 Feb 1995 10:14:32 -0800 Received: (from fc@localhost) by all.net (8.6.9/8.6.9) id NAA09154 for firewalls@greatcircle.com; Sat, 4 Feb 1995 13:10:00 -0500 From: "Dr. Frederick B. Cohen" Message-Id: <199502041810.NAA09154@all.net> Subject: TAMU bug/remnant (tiger) To: firewalls@greatcircle.com Date: Sat, 4 Feb 1995 13:09:54 -0500 (EST) X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 381 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

It appears that TAMU leaves a set of temporary files in the /tmp directory after running - they contain lists of embedded programs (implied by pathnames, I believe). This is potentially hazardous in that tmp areas are commonly accessible by those who perhaps should not have access, and of course these files make an attack easier to expand once someone has gotten minimal access.
FC From firewalls-owner Sat Feb 4 20:05:48 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA29696 for firewalls-outgoing; Sat, 4 Feb 1995 19:28:18 -0800 Received: from denali.realtime.ab.ca (denali.realtime.ab.ca [198.161.107.254]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA23069 for ; Sat, 4 Feb 1995 10:18:45 -0800 Received: (from davis@localhost) by denali.realtime.ab.ca (8.6.9/8.6.9) id LAA16294 for firewalls@GreatCircle.COM; Sat, 4 Feb 1995 11:16:14 -0700 From: Glenn Davis Message-Id: <199502041816.LAA16294@denali.realtime.ab.ca> Subject: Re: ISS scan service - trials only To: firewalls@GreatCircle.COM Date: Sat, 4 Feb 1995 11:16:12 -0700 (MST) In-Reply-To: <9502040835.ZM3510@death.netsys.com> from "Len Rose" at Feb 4, 95 08:35:10 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 418 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Len Rose writes: > > I believe this to be irresponsible beyond credulity. You've just handed a tool > to someone who may not be able to run scans for whatever reasons. > I think that was the point! I used this service as a check on my own site security; this assumes that you trust the results that are mailed back. Given that mail is sent to "postmaster", I don't see any real risk in providing the tool. 
Glenn

From firewalls-owner Sat Feb 4 20:19:07 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA29708 for firewalls-outgoing; Sat, 4 Feb 1995 19:29:26 -0800 Received: from netcom.netcom.com (root@netcom.netcom.com [192.100.81.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA22279 for ; Sat, 4 Feb 1995 09:55:55 -0800 From: anonymous_fw_guy@some.site.other.than.netcom Received: from noc1.mid.net by netcom.netcom.com (8.6.9/Netcom) id JAA08955; Sat, 4 Feb 1995 09:47:48 -0800 Date: Sat, 4 Feb 1995 09:47:48 -0800 Message-Id: <199502041747.JAA08955@netcom.netcom.com> Apparently-To: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello, don't you love netcom?

I'm considering implementing something on our firewalls. Obviously, this is not a new idea, and I would be surprised if it weren't already implemented at many sites. Regardless, I'd like to discuss the pros and cons.

Imagine, if you will, a firewalled network. Out in the big bad world, bad people sniff and "hijack" connections to and from the firewall. However, there exist connections to the firewall which are needed, because the people on site at the firewall are lame and can't admin it. Plus we can charge them money to admin, etc...

So, we develop a deslogin into the firewall. This allows us to do remote admin, so long as the DES encryption implementation is done correctly. Another reason I like this, as opposed to skey, is that it allows a person to telnet to the firewall, then telnet around within the internal network with little fear that their passwords are vulnerable.

Obviously, the other ways to do offsite firewall management are skey, or out of band management (modems, etc..). Both of those are inconvenient, and if this plan is as effective and secure, I would rather do that. Comments?
-- anonyfw

From firewalls-owner Sun Feb 5 12:19:24 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA05384 for firewalls-outgoing; Sun, 5 Feb 1995 12:17:12 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA22355 for ; Sat, 4 Feb 1995 09:56:29 -0800 Received: from relay1.pipex.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id IAA14637; Sat, 4 Feb 1995 08:52:12 -0800 Received: from smtpgty.saicuk.co.uk by bath.pipex.net with SMTP (PP); Sat, 4 Feb 1995 16:55:40 +0000 Received: by smtpgty.saicuk.co.uk with Microsoft Mail id <2F33AF77@smtpgty.saicuk.co.uk>; Sat, 04 Feb 95 16:46:47 GMT From: "Johnson-Bryden, Ian" To: "'Firewalls@GreatCircle.COM'" Subject: RE: Dangerous Visions Date: Sat, 04 Feb 95 13:09:00 GMT Message-ID: <2F33AF77@smtpgty.saicuk.co.uk> Encoding: 84 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

---------- From: firewalls-owner To: "firewalls@greatcircle.com" Subject: Dangerous Visions Date: 03 February 1995 15:39

Jay writes:
>Especially noteworthy were references to
>articles in the London Times from the 1840s that claimed that by discussing
>the relative strength of door and safe locks, the Times was contributing to
>criminal knowledge, and that some subjects were too sensitive to allow
>public discussion.

Well IMNSHO, one sign of a lack of knowledge is a refusal to participate in intelligent discussion. At the same time, I reserve the right to demand some proof of intelligence (or at least politeness) before going into complex discussion. I have been assailed too often by people demanding not information but to be spoon-fed tools of destruction and who become abusive when I refuse to pander to their whims. There is a difference between teaching (which requires only a log and a willing student) and someone who demands gifts as their "right".
Warmly, Padgett
---------------

It's an imperfect world. Both the publicists and the covert folk have strong arguments in favour of their respective positions. The problem with trying to keep something secret is that once you tell one other person it isn't secret anymore. It's still a long step from discussion of technology on a need-to-know basis to posting it on a public noticeboard where anyone can walk by and read it.

The intruder alarm folk have always claimed that a large bell box with their advertising slogan painted on it deters intruders. Having recently worked through some police report documents on that subject, the real benefit of the bell box advert is to the vendor who tries to sell every other house in the neighbourhood on his system. Analysis of incident reports and interviews with criminals produces some interesting information which maps across even onto subjects like firewalls.

The casual opportunist criminal is deterred by the bell box because he does not have the skills to defeat an alarm system and is looking for an opportunity to sneak and grab from a soft target. The criminal who makes a professional living from burglary reacts very differently. When he sees a bell box he knows that the owner *thinks* he has something of value to protect and is a suspect opportunity. The criminal then makes a study of the suspect to qualify into prospect or reject. If he believes there is a real prospect of gain, he will then prepare a detailed plan of how to break in. The advert on the bell box is a great help because it tells him who the alarm provider is. On-going research into security companies keeps the criminal informed of the technology favoured by each vendor. This may be banded on different types of building. The criminal can also buy the technology and work on it until he knows how best to break it.
That's all in an industry which takes some trouble not to publish the fine detail of their technology but does try to find out how each attack was made to introduce improved products.

One argument used for public discussion of technology and threats is that the potential victims can best understand the likely risks and improve their defences quickly to meet known threats. In theory, if 6,000 users discuss/lurk in something like 'Firewalls', they will rapidly know that one of them has just suffered a particular and new form of attack which they can modify their own firewalls to defeat. That assumes that everyone works rapidly to plug the hole in their own system. However, 20 lurkers may be attackers who never thought of trying that kind of attack and then work more quickly to exploit the hole than the firewall users do to plug it.

At the end of the day it comes down to what you think the main risks are and how far you can afford to protect yourself and still do business. If you believe your main threat is the casual criminal, open discussion may be a good deal. If you think that your main external threat is highly professional, you may go for covert/need-to-know information exchanges. Some people just can't do business with lots of security. It's much like the design of armoured fighting vehicles, where the three cardinal points are: mobility, protection, firepower, instead of: assurance, integrity, availability. Some very successful AFVs have had very thin skins but have been able to carry a big gun very fast over very rough country. Other very successful designs have been slow but thick-skinned with a small gun or a big one, and so on. It's just a question of knowing what you want to achieve.
Ian J-B

From firewalls-owner Sun Feb 5 12:33:42 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA05368 for firewalls-outgoing; Sun, 5 Feb 1995 12:16:59 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA22349 for ; Sat, 4 Feb 1995 09:56:28 -0800 Received: from relay1.pipex.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id IAA14634; Sat, 4 Feb 1995 08:51:59 -0800 Received: from smtpgty.saicuk.co.uk by bath.pipex.net with SMTP (PP); Sat, 4 Feb 1995 16:55:27 +0000 Received: by smtpgty.saicuk.co.uk with Microsoft Mail id <2F33AF6A@smtpgty.saicuk.co.uk>; Sat, 04 Feb 95 16:46:34 GMT From: "Johnson-Bryden, Ian" To: "'Firewalls@GreatCircle.COM'" Subject: Re: tweaking PC setups Date: Sat, 04 Feb 95 13:23:00 GMT Message-ID: <2F33AF6A@smtpgty.saicuk.co.uk> Encoding: 73 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

---------- From: firewalls-owner To: firewalls Subject: Re: tweaking PC setups Date: 03 February 1995 08:23

This is something of a bureaucratic question for the policy wonks out there.

>> You could use [Restrictions] in PROGMAN.INI and not allow the users to
>> change their icons, position, to install new one, take the File Menu
>> (Program Manager) away, no MS-DOS prompt, no File-Manager, and get
>> them directly into Windows, without break I am using in that way with
>> Trumpet Winsock etc.
>
>And any knowledgable user/student will know how to take those limitations
>out of their PROGMAN.INI.

If one of my corporate users went to such lengths, intentionally removing the protections placed on their configurations, I'd be making a formal request for an administrative reprimand. When their actions have the potential to toast the entire net, the network manager's word should be law.
Which, of course, brings me to my question: Do your responsibilities as 'the network guy' or 'the security guy' extend this far? Do you have the authority to deliver an administrative (read: personnel file) reprimand to users who ignore your policies/procedures? Should such authority be part of a developing firewall policy? It's often been said, in this forum, that the technology is only half the battle; the *people* are the other half. Frankly, I should want some sort of recourse for the person who insists on a clandestine modem, mucking with his config, et cetera... Given that our responsibilities as 'network folks' span the bureaucratic maze, affecting virtually every department of our organizations, it would seem that we need some authority that crosses those borders. Of course, we could always just cut off that segment of the network until the recalcitrant user sees the light (or has it shown to him). 8)

--Wes
--------------

Wes has covered some of the key fundamental issues of risk management. Unfortunately, most enterprises ignore them completely. Risk management is just like information management. If an enterprise has a number of people working in individual pockets with no one having clear executive control, the (well intentioned) actions of one person can screw up for everyone else. Very often, the actions are entirely selfish.

There are some clear steps to a solution which we all claim to be familiar with. First we identify the issues and develop an approach to a solution. Then we produce a specification vendors can bid against. Having procured a system we implement (including training the users), then we maintain it. At least that's the theory and some folk are better at it than others. Many people may fail at each step to some degree because they are working with inadequate budgets or don't know how to measure cost and price. They may also have inadequate authority. The most common failing is in maintaining a system after it has been installed.
There are many possible reasons for this, but the most common one is that the person charged with the nominal responsibility does not have the time to monitor or the power to ENFORCE. In many cases that lack of personal power is made more dangerous because there is no clear reporting route to someone who does have the power.

Ian J-B

From firewalls-owner Sun Feb 5 12:49:14 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA05492 for firewalls-outgoing; Sun, 5 Feb 1995 12:27:16 -0800 Received: from nova.unix.portal.com (root@nova.unix.portal.com [156.151.1.101]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA24124 for ; Sat, 4 Feb 1995 10:56:27 -0800 Received: from X1.COM (x1.com [156.151.128.93]) by nova.unix.portal.com (8.6.9/8.6.5) with SMTP id KAA08019 for ; Sat, 4 Feb 1995 10:41:46 -0800 Received: from expert by X1.COM (4.1/SMI-4.1) id AA10693; Sat, 4 Feb 95 10:42:08 PST Received: by expert (4.1/SMI-4.1) id AA20145; Sat, 4 Feb 95 10:40:36 PST Date: Sat, 4 Feb 95 10:40:36 PST From: J.Horstmann@X1.COM (Jens Horstmann) Message-Id: <9502041840.AA20145@expert> To: Firewalls@GreatCircle.COM Subject: DNS thru firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi - hope this question hasn't been asked too often already. Assume the firewall host is serviced by an internal NIS server. This server, however, can't talk thru the firewall to the domainname server. Thus, it cannot resolve hostnames on the firewall, which is ugly from a user standpoint (since he has to run nslookup first to get the address). Now, I identified two solutions (all under SunOS):

(1) Modify our proxy routines to do this lookup or use a proxy that uses the resolver library. I'm using the perl based pkg - is there a better one?

(2) Run a slave/forward nameserver on the firewall allowing our NIS server to resolve its queries. I tried this but for some reason can't get it to work. (Did anybody out there do this?)
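As an added example rather than anything from Jens's message or from the perl proxy package he mentions: a minimal forward-only DNS relay of the kind option (2) describes, meant to run on the firewall so that the inside nameserver points at it and only the firewall ever speaks DNS to the outside. The addresses (10.0.0.0/8 inside, 10.0.0.1 listener, 192.0.2.53 upstream) are assumptions. It has no cache and no TCP fallback, so it illustrates the checks a forwarder must make rather than replacing named: it drops queries from outside addresses, refuses to relay anything it cannot parse, and accepts a reply only if it comes from the configured server and carries the same ID and question as the query it sent.

```python
import ipaddress
import socket
import struct
import time

# Assumed addressing (not from the original post).
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
LISTEN = ("10.0.0.1", 53)
UPSTREAM = ("192.0.2.53", 53)


def allowed_client(ip):
    """Only inside hosts may use the forwarder; outsiders get silence, not an error."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INSIDE_NETS)


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qid, name, qtype=1):
    """Standard recursive query (RD=1) with one question; qtype 1 is an A record."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def parse_question(packet):
    """Return (id, name, qtype, qclass) of the single question in a DNS message.
    Rejects truncated packets and compression pointers in the question,
    which a plain query never needs; the name is lower-cased for comparison."""
    if len(packet) < 12:
        raise ValueError("short header")
    qid, _flags, qdcount = struct.unpack(">HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length >= 0xC0 or pos + length > len(packet):
            raise ValueError("bad label")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack(">HH", packet[pos:pos + 4])
    return qid, ".".join(labels), qtype, qclass


def make_response(query, rcode=0):
    """Minimal response for a query: QR bit set, RCODE filled in, no answers.
    Used for SERVFAIL (rcode 2) when the upstream does not answer."""
    flags = struct.unpack(">H", query[2:4])[0] | 0x8000 | (rcode & 0x0F)
    return query[:2] + struct.pack(">H", flags) + query[4:]


def response_matches(query, response):
    """Accept a reply only if it is a response (QR=1) with the same ID and the
    same question we sent; anything else is a stray or forged datagram."""
    try:
        q, r = parse_question(query), parse_question(response)
    except ValueError:
        return False
    return q == r and bool(struct.unpack(">H", response[2:4])[0] & 0x8000)


def forward_once(query, upstream=UPSTREAM, timeout=2.0):
    """Relay one query to the outside server; return the first matching reply or None."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    deadline = time.monotonic() + timeout
    try:
        s.sendto(query, upstream)
        while time.monotonic() < deadline:
            data, peer = s.recvfrom(4096)
            if peer[0] == upstream[0] and response_matches(query, data):
                return data
    except socket.timeout:
        pass
    finally:
        s.close()
    return None


def serve(listen=LISTEN, upstream=UPSTREAM):
    """Forwarder loop on the firewall: inside clients in, one outside server out."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(listen)
    while True:
        query, client = srv.recvfrom(512)
        if not allowed_client(client[0]):
            continue                      # log it in real use; dropped here
        try:
            parse_question(query)
        except ValueError:
            continue                      # malformed: never relay it outside
        reply = forward_once(query, upstream)
        srv.sendto(reply if reply else make_response(query, rcode=2), client)


if __name__ == "__main__":
    serve()
```

Run on the firewall, the inside NIS/DNS server is configured to forward to LISTEN and needs no route to the outside at all; the only DNS traffic crossing the firewall is then between the forwarder and UPSTREAM, which is also the only pair the packet filter has to permit on port 53.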
Now, from a security point of view what is the better solution, or, is there yet a better way than (1) or (2)? Your help and comments are greatly appreciated! Jens Horstmann. From firewalls-owner Sun Feb 5 13:07:44 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA05437 for firewalls-outgoing; Sun, 5 Feb 1995 12:22:24 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA22363 for ; Sat, 4 Feb 1995 09:56:30 -0800 Received: from relay.tis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id IAA14643; Sat, 4 Feb 1995 08:53:09 -0800 Received: by relay.tis.com; id LAA00469; Sat, 4 Feb 1995 11:56:35 -0500 Received: from sol.tis.com(192.33.112.100) by relay.tis.com via smap (V1.3) id sma000464; Sat Feb 4 11:56:16 1995 Received: from otter.tis.com. by tis.com (4.1/SUN-5.64) id AA12306; Sat, 4 Feb 95 11:53:25 EST From: Marcus J Ranum Message-Id: <9502041653.AA12306@tis.com> Subject: Re: More on Network Performance and Firewalls To: an156793@anon.penet.fi Date: Sat, 4 Feb 1995 12:00:47 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: <9502032151.AA28702@anon.penet.fi> from "Craving Knowledge" at Feb 3, 95 09:51:20 pm Organization: Trusted Information Systems, Inc. Glenwood, MD Phone: 301-854-6889 Coredump: Infocalypse Now!!! Content-Type: text Content-Length: 10697 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Paul Pomes responds: >> The University of Illinois has a 45 Mbps (DS3) link to the Internet cloud. >> Any firewall that my organization puts in place at the border has to be >> that fast or there will be a palace coup within days. So for now the >> solution is no firewall at all. > >Your situation is much like those of the scientific community on the Internet >(actually you are a subset of this community to some degree). This community >does demand higher speeds to push all the data around the Internet. 
We also >face the coup problem and are trying to solve it to some degree before the >firewall is put in place. In private mail I pointed out to Paul that the "coup" problem is, basically, a policy issue. If the user community completely rejects and bypasses security, then they are either violating the organization's policy on computer security, or the firewall was built wrong. :) In order to resolve the matter, a mandate from management is *REQUIRED*, or the conflict will be endless. The first firewall I ever built was under orders from my direct supervisor. Basically my orders were: "track what the guys on the west coast are doing, and if you do anything differently from the way they do, clear it with them and if there's a disagreement they win automatically and you do what they say." *THAT* is a pretty clear policy. With all policy issues, it depends on management, and it is the responsibility of *ALL* employees [if they care about the success or failure of their organization] to give management the most accurate and best information upon which to base a decision. If management screws up, then that's life, and as a good employee it's reasonable to go on record saying, "this is a bad idea and here is why" but at least a clear decision gets made. Once the clear decision gets made, then the rest is just implementation details. I've GOT to believe that some of the organizations I know of, with research labs on the 'net behind flimsy routers, or mission critical data on servers that are completely unscreened, or no security at all - I've GOT to believe that if the organizational officer in charge *KNEW* and *UNDERSTOOD* the risks that are being run - the plug would be pulled instantly or maybe sooner. I see that kind of situation all the time. There are lots of folks out there with internet connections, who will have hell to pay if their bosses bosses bosses find out. 
Essentially, that's a policy issue: the guys in the lab are making policy (in a vacuum, without bothering to tell anyone) for the entire organization. When someone says, "geeze - if we do that, our users will go around it" - that speaks to me of a severe organizational problem, because essentially it says either that: a) management has never made its wishes with respect to computer security clear b) management *HAS* made its wishes clear, but the staff are willing to ignore them Usually, in a corporate environment, if management hasn't told you you should do something, then you should *ASK* *FIRST*. What I see happening all the time (and it shocks the hell out of me) is the grown-up equivalent of a 10-year-old who goes to Daddy and says, "Can I have a cookie" and Daddy says, "No." So the kid goes to Mommy and mommy says "No" and finally the kid asks his big brother who says, "Sure." We are grown-ups, most of us, but we do exactly the same thing, all the time, when it comes to mission/organization critical computing resources. There are entire organizations being placed at risk every day, just so the guys in the lab can play world-wide web, and they'd be unemployed in about an hour if their bosses bosses bosses knew about it. None of this is aimed at Paul or at the previous correspondent's remarks, BTW. Paul's mail indicates that there's awareness at an organizational level of the tension between business needs and security practices. That's a start. In an ideal world, someone would raise the issue to a sufficient level of authority, explain the situation, and find out whether management's policy is that security comes first, or second. Once you've made that decision, the rest is easy. >The scientific communites are Universities, Government organizations and >private organizations. My organization does work with a myriad of groups >belonging to all three of these groups and we all are sharing Gigabytes >of data per day. 
Where the pain comes is when those organizations have different policies (or have been given different policies by their employees) from a perspective of security. If 'A' connects to 'B' and 'A' takes security seriously and 'B' doesn't, then you have a pretty wicked lowest-common-denominator effect. The fact of the matter is that it's *EASY* to share gigs of data a day, either in a very secure manner, or in a very open manner. Once the decision about which it SHOULD be is made, then actually doing it is an implementation detail. Generally, what happens is that the decision never gets made, of course, so security never gets addressed, so 2 years down the road someone tries to fix the problem and everyone HATES them for trying to mess things up when really, in fact, they have been messed up all along. :) >To say there is no demand for higher speeds is just a little short sighted. >True there are vast amounts of small companies and organizations that will >never probably need speeds above T1 (or 56k or modem speeds), but demands for >high speed technology and computing is a significant presence in todays >computing field. I believe that there will definitely be demands for higher speeds. But that is an implementation detail which should be worked out after the policy level stuff is worked out. You *CAN* do T3 speeds with high security right now. It's a "simple" matter of figuring out where you need security and where you don't and putting the stuff that needs security where it can be secured and the stuff that doesn't where it doesn't, and then tying it together with appropriate speed devices. High performance plus high security is *SIMPLE* -- you just need to decide what needs to have access controlled to it, and the rest is easy! The reason firewalls suck is because people use a firewall to try to have their cake and eat it too. Whenever you catch yourself trying to do that, you'll notice it's hard. 
:) TIS (for example) has a very simple access control policy to our network: If you ain't from TIS, you don't get in. That's a nice simplifying assumption. Secondly, we have public stuff that we want to publish, and we have private stuff that we don't want to publish. The issue on the private stuff is information control, the issue on the public stuff is maintaining its integrity. Those are separate problems and we address them separately, by having a machine outside with public stuff (ftp.tis.com) that is designed to be hard to tamper with, and a machine inside with private stuff that is designed to be hard to get access to. It only gets ugly when you have UNtrusted business partners who need high speed access to your internal network. Which might be a bad idea, if you think about it. It gets even worse if the firewall needs to be there because the UNtrusted business partner's security stinks and you need something to keep from being wide open to them. In that case, do you REALLY want a T3 hose between them and you?

>We have been analyzing our computing needs here and have come to the
>conclusion that we do need a first line of defense. Our need to have a
>firewall give us speeds above and beyond T1 is a technical aspect that
>could defeat our ability to install a firewall.

That's an implementation detail. Does your upper management say security is a requirement?? If so, then some kind of defense is not an option, so "defeating the ability to install a firewall" is not an option either. In such a case, the only option is to sort out what services need to be provided how, and secure them as needed.

>Ted Doty writes:
>> Once faster links become more
>> common, firewalls will have to be improved if they are to be kept.

Ted's a router salesman who makes high speed routers, so of course he's going to feel that way. :) In a sense, he's right. But the router or the firewall is an implementation detail that derives trivially from a clear and consistent security policy.
If you don't have a clear and consistent security policy, then you can sweat the implementation details forever, and you still won't have any security, so, sure, it's reasonable to decide the firewall can't be kept: all it's there for is to cover someone's butt anyhow.

>I again have to agree with you as well. Our presence as well as the
>presence of our constituents on the Internet has been keeping up with
>technology. Security had always been dealt with in a centralized
>facility up to a decade ago because everyone had mainframes. Now,
>with the advent of workstations in the early 80s, security for many
>of us have become decentralized again. Firewalls, ANS, Drawbridge,
>and other products are ways to get a grip on security in a centralized
>manner. We understand in a large sense the shell/soft chewy
>middle concept and we consider our Unix system security to be as
>strong as our weakest link. We are strengthening our links, but see
>a real need to create the hard shell. We are hoping that
>Security technology will start seriously addressing network
>performance issues, so that all the organizations like ours don't
>have to waste so much time and resources in this decentralized
>security scheme.

Decentralized *AND* centralized security is the way to do it. But it depends on what you're trying to accomplish, and it depends on your policy goals, and an awareness of what you are trying to protect. See-sawing back and forth between measures that don't work is a typical mode of operation. :) Years ago when I used to talk to guys at **** they used to claim their security was the best because they had good firewalls. Four years later, they were giving talks at conferences about how they found that firewalls stunk and they were now the world's best experts at defense-in-depth. Now they are back to firewalls, after a few years of being broken into constantly.
(And their firewalls are pretty flimsy because they can't be very good because their UNtrusted business partners need goofy things like NFS access into their file servers). We need to accept that we're in a field where some of the things we're trying to do don't make sense if done at the same time, on the same network, on the same machine. The only logical answer is to separate services based on what needs to be done with whom and when. mjr. From firewalls-owner Sun Feb 5 13:26:46 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA05511 for firewalls-outgoing; Sun, 5 Feb 1995 12:27:28 -0800 Received: from svcs1.digex.net (svcs1.digex.net [204.91.197.224]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA27744 for ; Sat, 4 Feb 1995 17:31:12 -0800 Received: from paragon-systems.com (sundevil.paragon-systems.com) by svcs1.digex.net with SMTP id AA17960 (5.67b8/IDA-1.5 for ); Sat, 4 Feb 1995 20:29:11 -0500 Received: from Paragon-Systems.COM (sandfiddler) by paragon-systems.com (4.1/SMI-4.1) id AA00676; Sat, 4 Feb 95 20:30:24 EST Received: by Paragon-Systems.COM (5.0/SMI-SVR4) id AA00447; Sat, 4 Feb 1995 20:28:39 +0500 Date: Sat, 4 Feb 1995 20:28:39 +0500 From: rmck@sandfiddler.paragon-systems.com (Bob McKisson) Message-Id: <9502050128.AA00447@ Paragon-Systems.COM> To: morgan@engr.uky.edu Subject: Re: Cc: firewalls@greatcircle.com X-Sun-Charset: US-ASCII Content-Length: 3111 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From firewalls-owner@GreatCircle.COM Sat Feb 4 19:25 EST 1995 > Date: Fri, 3 Feb 95 08:23:46 EST > From: morgan@engr.uky.edu (Wes Morgan) > To: firewalls@greatcircle.com > Subject: Re: tweaking PC setups > > This is something of a bureaucratic question for the policy wonks out there. 
>
> >> You could use [Restrictions] in PROGMAN.INI and not allow the users to
> >> change their icons, position, to install new one, take the File Menu
> >> (Program Manager) away, no MS-DOS prompt, no File-Manager, and get
> >> them directly into Windows, without break I am using in that way with
> >> Trumpet Winsock etc.
> >
> >And any knowledgable user/student will know how to take those limitations
> >out of their PROGMAN.INI.
>
> If one of my corporate users went to such lengths, intentionally removing
> the protections placed on their configurations, I'd be making a formal
> request for an administrative reprimand. When their actions have the
> potential to toast the entire net, the network manager's word should be law.
>
> Which, of course, brings me to my question:
>
> Do your responsibilities as 'the network guy' or 'the security
> guy' extend this far? Do you have the authority to deliver an
> administrative (read: personnel file) reprimand to users who
> ignore your policies/procedures?
>
> Should such authority be part of a developing firewall policy? It's
> often been said, in this forum, that the technology is only half the
> battle; the *people* are the other half. Frankly, I should want some
> sort of recourse for the person who insists on a clandestine modem,
> mucking with his config, et cetera...
>
> Given that our responsibilities as 'network folks' span the bureaucratic
> maze, affecting virtually every department of our organizations, it would
> seem that we need some authority that crosses those borders.
>
> Of course, we could always just cut off that segment of the network until
> the recalcitrant user sees the light (or has it shown to him). 8)
>
> --Wes
>

What does your organization's headshed have to say about folks who deliberately leave a backdoor propped open so people can wander in and help themselves to whatever they like?
I don't know your operation, but, you pull the kind of stunt referenced above where I work and you'd be damn lucky if the only thing that happend to you is to be escorted to the personnel office before being summarily thrown out of the place. Sound common sense business practice is always set at the very top. If there is strength in that chair, then there will be a SPP (Standard Practices and Procedures) Manual that will crisply articulate the security practices and policies of your organization. From that you will know exactly where you stand. If you still aren't clear, go the the head of security and ask for clarification. Of course if there is no SPP or security policy, then your only recourse is to either go to the president/provost/top dog, and ask him to appoint you the security director and immediately begin to develop one, or start looking for employment elsewhere. rmck From firewalls-owner Sun Feb 5 15:26:45 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA09078 for firewalls-outgoing; Sun, 5 Feb 1995 15:07:58 -0800 Received: from westie.mid.net (westie.mid.net [198.247.250.16]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id VAA01156 for ; Sat, 4 Feb 1995 21:07:32 -0800 Received: (from alan@localhost) by westie.mid.net (8.6.9/8.6.9) id XAA28170; Sat, 4 Feb 1995 23:05:25 -0600 From: Alan Hannan Message-Id: <199502050505.XAA28170@westie.mid.net> Subject: Re: ISS scan service - trials only To: davis@realtime.ab.ca (Glenn Davis) Date: Sat, 4 Feb 1995 23:05:25 -0600 (CST) Cc: firewalls@GreatCircle.COM In-Reply-To: <199502041816.LAA16294@denali.realtime.ab.ca> from "Glenn Davis" at Feb 4, 95 11:16:12 am X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 725 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Len Rose writes: > > > > I believe this to be irresponsible beyond credulity. 
You've just handed a tool > > to someone who may not be able to run scans for whatever reasons. > > > > Given that mail is sent to "postmaster", I don't see any real risk in > providing the tool. Hmm, well, I'm the postmaster, and I never received the mail that the doctor said I would. Hmm.... makes you wonder. -- + alan@mid.net Network Operations Center (402)/472-0242, Fax (402)/472-0240 + + + + + + + + + + + + + + + + + + + ++ + + + + + + + + + + + + + + + + + + + + +============\\ "If I could be anyone in the world, I would be myself so + +MIDnet, Inc. \\____ I wouldn't have to buy new clothes" - Jim, "Taxi" + From firewalls-owner Sun Feb 5 15:41:11 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA09108 for firewalls-outgoing; Sun, 5 Feb 1995 15:08:47 -0800 Received: from access.mbnet.mb.ca (root@access.mbnet.mb.ca [130.179.16.143]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id XAA01462 for ; Sat, 4 Feb 1995 23:16:20 -0800 Received: from ppp01.eitc.mb.ca ([198.163.9.201]) by access.mbnet.mb.ca with SMTP id AA10538 (5.67b/IDA-1.4.4 for ); Sun, 5 Feb 1995 01:13:30 -0600 Message-Id: <199502050713.AA10538@access.mbnet.mb.ca> X-Sender: sdearth@mail.mbnet.mb.ca X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sun, 05 Feb 1995 02:00:37 -0600 To: firewalls@greatcircle.com From: Steve_Dearth@MBnet.MB.CA (Steve Dearth) Subject: Re: local spoofing Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >John Adams writes: > > But does firefox handle the fact that our PC's run both IPX and IP to > connect to our novell and IP networks? > >Firefox gives you a way to provide IP connections where you don't have to manage >IP addresses for hosts on a novell network running IPX. > >Firefox clients make IPX connections to the FIrefox gateway who creates a TCP >connection to the actual destination. 
> >On the other side of it, if you are trying to do policy filters on IP services >for different folks it's harder because you have many hosts appearing to come >from the same virtual host. > >Disclaimer: I have no stock in the company. I am a customer. > >Stan > > We use Trumpet TCP in combination with VLM (using the odipkt and winpkt of course) to give us dual protocol stacks. The nice part is that the Novell server does not have to bind IP and (I think) is fairly safe from an attack from an IP based network (Internet). The PC's can then talk directly to the internet and to the netware servers and have fixed IP addresses (managed through bootp). This solution should also work well when (if) Windows 95 comes out and supports Winsock directly, as well as supports some kind of Netware requester. From firewalls-owner Sun Feb 5 18:49:11 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA12439 for firewalls-outgoing; Sun, 5 Feb 1995 18:28:21 -0800 Received: from noc1.mid.net (noc1.mid.net [198.247.250.15]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA06978 for ; Sun, 5 Feb 1995 13:21:06 -0800 Received: from jayhawk. (jayhawk.mid.net [198.247.250.21]) by noc1.mid.net (8.6.9/8.6.9) with SMTP id PAA19021 for ; Sun, 5 Feb 1995 15:19:10 -0600 Received: by jayhawk. (5.x/SMI-SVR4) id AA02022; Sun, 5 Feb 1995 15:19:09 -0600 From: alan@mid.net (Alan Hannan) Message-Id: <9502052119.AA02022@jayhawk.> Subject: Re: your mail To: firewalls@greatcircle.com Date: Sun, 5 Feb 1995 15:19:09 -0600 (CST) In-Reply-To: <199502041747.JAA08955@netcom.netcom.com> from "anonymous_fw_guy@some.site.other.than.netcom" at Feb 4, 95 09:47:48 am X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Someone anonymous wrote: > So, we develop a deslogin into the firewall. 
This > allows us to do remote admin, so long as the des encryption implementation > is done correctly. > I've also heard a bit of talk about MIT's version of telnet. Anyone have any experience with that? It seems to me that this would be secure, and would only threaten the network with any bugs in the encryption-tunnel server on the firewall, though I trust both the deslogind and what I've heard about MIT's telnetd. ps - anonymous isn't always.... ;) -- Alan Hannan Unix Sysadmin, MIDnet INC. (402) 472-0241 ------------------------------\ 201 N. 8th, Lincoln NE fax (402) 472-0240 \______________________________________________ From firewalls-owner Sun Feb 5 18:59:33 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA12427 for firewalls-outgoing; Sun, 5 Feb 1995 18:28:12 -0800 Received: from netway.rz.uni-ulm.de (netway.rz.uni-ulm.de [134.60.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA04816 for ; Sun, 5 Feb 1995 10:45:07 -0800 From: karl.gaissmaier@rz.uni-ulm.de Received: by netway.rz.uni-ulm.de (5.57/UniUlm-12.1.93-kg) id AA16361; Sun, 5 Feb 95 19:43:03 +0100 Message-Id: <9502051843.AA12722@lyra.rz.uni-ulm.de> To: firewalls-digest@greatcircle.com, fwall-users@tis.com Subject: How to disable incoming ICMP redirects for SunOS 4.1.x ? Date: Sun, 05 Feb 1995 19:42:59 +0100 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dear readers, i wish to disable the possibility to change my routing tables with spoofed ICMP redirects. I know this is possible if i run gated on my host or when i shield my host with packet screens on my shielding routers. But this isn't very kiss (keep it small and simple), it would be better to build an kernel which isn't sensitiv for this type of packets. Question: Is there a kernel option in SunOs 4.1.x or do i have to patch the code? 
Thanks for any help Charly PS: with gated running it is possible to change the routing table with ICMP redirects, but the gated change the kernel routing table back if you tell this gated in his config-file. It would be better if you are able to disable this faeture in the kernel itself. ========================================================================= Universitaet Ulm karl.gaissmaier@rz.uni-ulm.de Universitaetsrechenzentrum smtp postmaster, networkadmin Karl Gaissmaier Telefon: (Germany) +49 731/5022499 D-89069 Ulm Telefax: (Germany) +49 731/5022471 ========================================================================= From firewalls-owner Sun Feb 5 19:13:30 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA12414 for firewalls-outgoing; Sun, 5 Feb 1995 18:27:53 -0800 Received: from taureau.as03.bull.oz.au (taureau.as03.bull.oz.au [134.211.128.112]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id DAA03263 for ; Sun, 5 Feb 1995 03:02:18 -0800 Received: by taureau.as03.bull.oz.au id AA08904 (5.65c/IDA-1.4.4 for firewalls@greatcircle.com); Sun, 5 Feb 1995 22:29:27 +1100 Received: from localhost (sjg@localhost [127.0.0.1]) by zen.void.oz.au (8.6.9/8.6.9) with SMTP id WAA27641 for ; Sun, 5 Feb 1995 22:03:54 +1100 Message-Id: <199502051103.WAA27641@zen.void.oz.au> X-Authentication-Warning: zen.void.oz.au: Host localhost didn't use HELO protocol To: firewalls@greatcircle.com Subject: safe logins In-Reply-To: Your message of "Sat, 04 Feb 95 09:47:48 -0800." <199502041747.JAA08955@netcom.netcom.com> Date: Sun, 05 Feb 1995 22:03:51 +1100 From: "Simon J. Gerraty" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > money to admin, etc... So, we develop a deslogin into the firewall. This > allows us to do remote admin, so long as the des encryption implementation > is done correctly. 
I've implemented a telnet/telnetd that uses a one time RSA public key arrangement to exchange a random session key, then use DES in CFB mode for the rest of the session. Works very nicely and requires no setup at all. Trouble is, that without a shared secret known to the server and the client you can never be totally confident that that you are talking to whom you thought you were. Ie. server sends pub key, bad guy in middle sends his own pub key to client and sends his own session key to server. Server and client both think they have a secure channel but they don't. I've considered a modified netgotiation which is similar to the existing auth option but given that you can never be 100% confident that the "secret" key's are secret, I'm not sure that it would really buy you any more security. I may implement it anyay... For now though, I'll stick with the current scheme which is safe from idle eavesdroppers and replay attacks etc but not 100% safe. > Another reason I like this, as opposed to skey, is that it allows a person > to telnet to the firewall, then telnet around within the internal network with > little fear that their paswords are vulnerable. You should be using one-time passwords of any flavour rather than normal passwords. Even so, you are _not_ really safe just safer... --sjg From firewalls-owner Sun Feb 5 19:19:04 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA12678 for firewalls-outgoing; Sun, 5 Feb 1995 18:52:21 -0800 Received: from noc1.mid.net (noc1.mid.net [198.247.250.15]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA10976 for ; Sun, 5 Feb 1995 16:27:52 -0800 Received: from jayhawk. (jayhawk.mid.net [198.247.250.21]) by noc1.mid.net (8.6.9/8.6.9) with SMTP id SAA19427; Sun, 5 Feb 1995 18:25:54 -0600 Received: by jayhawk. 
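An added illustration of the man-in-the-middle problem Gerraty describes (example code written for this archive, not his telnetd): a toy RSA session-key exchange run once without authentication, where an interceptor who swaps in his own public key learns the session key, and once with a shared secret used to HMAC the offered key, where the substitution is rejected. The toy primes, the nonce, the HMAC tag and the party names are all constructed assumptions; the agreed session key is what would then key the DES-CFB channel.

```python
"""Session-key exchange for an encrypted login, with and without a shared secret."""
import hashlib
import hmac
import secrets

# Toy RSA parameters: small fixed primes, far too small for real use
# (constructed for illustration only).
P, Q, E = 1000003, 1000033, 65537


def rsa_keypair(p=P, q=Q, e=E):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))      # private exponent
    return (n, e), (n, d)


def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def key_tag(secret, pub, nonce):
    """HMAC binding the offered public key to the client's nonce under the
    shared secret: exactly the binding the unauthenticated scheme lacks."""
    return hmac.new(secret, b"%d:%d:" % pub + nonce, hashlib.sha256).digest()


class Server:
    def __init__(self, shared_secret=None):
        self.pub, self.priv = rsa_keypair()
        self.secret = shared_secret
        self.session_key = None

    def offer_key(self, client_nonce):
        # Without a shared secret the key is offered bare, as in the post.
        tag = key_tag(self.secret, self.pub, client_nonce) if self.secret else b""
        return self.pub, tag

    def accept(self, ciphertext):
        self.session_key = rsa_decrypt(self.priv, ciphertext)


class Client:
    def __init__(self, shared_secret=None):
        self.secret = shared_secret
        self.nonce = secrets.token_bytes(16)
        self.session_key = None

    def answer_key(self, pub, tag):
        if self.secret is not None:
            if not hmac.compare_digest(key_tag(self.secret, pub, self.nonce), tag):
                raise ValueError("offered key is not the server's: possible man-in-the-middle")
        self.session_key = secrets.randbelow(2**32 - 2) + 2   # random session key
        return rsa_encrypt(pub, self.session_key)


class Interceptor:
    """The 'bad guy in the middle': offers his own public key to the client."""
    def __init__(self):
        self.pub, self.priv = rsa_keypair(p=1000037, q=1000039)
        self.learned_key = None


def exchange(shared_secret=None, intercepted=False):
    """Run one session setup and report what each party ended up with."""
    server, client = Server(shared_secret), Client(shared_secret)
    mitm = Interceptor() if intercepted else None
    pub, tag = server.offer_key(client.nonce)
    if mitm:
        pub = mitm.pub            # swapped key; the tag cannot be recomputed without the secret
    try:
        ciphertext = client.answer_key(pub, tag)
    except ValueError as err:
        return {"rejected": str(err)}
    if mitm:
        mitm.learned_key = rsa_decrypt(mitm.priv, ciphertext)    # reads the session key
        ciphertext = rsa_encrypt(server.pub, mitm.learned_key)   # and forwards it unchanged
    server.accept(ciphertext)
    return {"client": client.session_key, "server": server.session_key,
            "attacker": mitm.learned_key if mitm else None}


if __name__ == "__main__":
    print("bare exchange, intercepted:", exchange(intercepted=True))
    print("with shared secret, intercepted:",
          exchange(shared_secret=b"constructed-shared-secret", intercepted=True))
```

In the bare run both ends agree on a key and so does the interceptor; with the shared secret the client refuses the substituted key before any session key is sent.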
From firewalls-owner Sun Feb 5 19:19:04 1995
From: alan@mid.net (Alan Hannan)
Message-Id: <9502060025.AA02401@jayhawk.>
Subject: Re: You forgot the Subject line
To: sargent@SGT.COM (Robert Sargent)
Date: Sun, 5 Feb 1995 18:25:53 -0600 (CST)
Cc: alan@mid.net, firewalls@greatcircle.com
In-Reply-To: <199502060003.TAA19738@tusk.sgt.com> from "Robert Sargent" at Feb 5, 95 07:03:22 pm

>
> So Alan,
>
> What's the point?

The point is I better read up on sendmail.... ;)

--
Alan Hannan   Unix Sysadmin, MIDnet INC.   (402) 472-0241
201 N. 8th, Lincoln NE                     fax (402) 472-0240

From firewalls-owner Sun Feb 5 19:35:15 1995
From: "Dr. Frederick B. Cohen"
Message-Id: <199502052159.QAA24282@all.net>
Subject: Re: tweaking PC setups
To: IJB@saicuk.co.uk (Johnson-Bryden Ian)
Date: Sun, 5 Feb 1995 16:59:29 -0500 (EST)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <2F33AF6A@smtpgty.saicuk.co.uk> from "Johnson-Bryden, Ian" at Feb 4, 95 01:23:00 pm

> This is something of a bureaucratic question for the policy wonks out there.
...
> Which, of course, brings me to my question:
>
> Do your responsibilities as 'the network guy' or 'the security
> guy' extend this far? Do you have the authority to deliver an
> administrative (read: personnel file) reprimand to users who
> ignore your policies/procedures?
>
> Should such authority be part of a developing firewall policy? It's
> often been said, in this forum, that the technology is only half the
> battle; the *people* are the other half. Frankly, I should want some
> sort of recourse for the person who insists on a clandestine modem,
> mucking with his config, et cetera...

In my experience, things are rarely cut and dried in the way you describe them. Policy needs procedures, standards, and implementation to back it up. These in turn require proper training, education, testing, detection, and response in order to assure that the reality meets the theory. In a properly set-up protection environment, these sorts of events don't happen except in rare circumstances, and in those rare cases, there is a management procedure developed to deal with it.

>
> Given that our responsibilities as 'network folks' span the bureaucratic
> maze, affecting virtually every department of our organizations, it would
> seem that we need some authority that crosses those borders.

In a well-designed organizational environment, protection management exists at the top levels of the organization, and there are channels for crossing any boundaries.

>
> Of course, we could always just cut off that segment of the network until
> the recalcitrant user sees the light (or has it shown to him). 8)

That would work too, for a few minutes, and then you might get fired.

...
> Many people may fail at each step to some degree because they are working
> with inadequate budgets or don't know how to measure cost and price. They may
> also have inadequate authority.
>

For protection to be effective in an organization, it must be built-in to the way the organization as a whole operates.

> The most common failing is in maintaining a system after it has been installed.
> There are many possible reasons for this, but the most common one is that
> the person charged with the nominal responsibility does not have the time to
> monitor or the power to ENFORCE. In many cases that lack of personal power
> is made more dangerous because there is no clear reporting route to someone
> who does have the power.

In my personal experience, protection more often fails because the person who manages the network got the job by being the person who did backups of the server before the previous network administrator left.

My interpretation of both of these examples is a lack of adequate understanding and attention by management. It seems pretty clear that without adequate understanding and attention by management, any component of an enterprise is likely to fail - whether it be information protection or manufacturing. The solution is to help management better understand the issues so that they can make more enlightened decisions.

FC

From firewalls-owner Sun Feb 5 19:49:36 1995
From: "Dr. Frederick B. Cohen"
Message-Id: <199502052352.SAA00445@all.net>
Subject: Re: ISS scan service - trials only
To: alan@mid.net (Alan Hannan)
Date: Sun, 5 Feb 1995 18:52:31 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <199502050505.XAA28170@westie.mid.net> from "Alan Hannan" at Feb 4, 95 11:05:25 pm

> > Given that mail is sent to "postmaster", I don't see any real risk in
> > providing the tool.
>
> Hmm, well, I'm the postmaster, and I never received the mail that the doctor
> said I would. Hmm.... makes you wonder.

As the service tells you, your system must accept mail to the postmaster account and be identifiable via the PSI DNS or the service won't work. This protects against IP address forgeries, etc. It should not make you wonder unduly, however; if all these things are true, perhaps someone is intercepting your postmaster mail!

FC

From firewalls-owner Sun Feb 5 19:52:11 1995
From: "Dr. Frederick B. Cohen"
Message-Id: <199502060029.TAA00974@all.net>
Subject: Re: ISS scan service - trials only (fwd)
To: firewalls@greatcircle.com
Date: Sun, 5 Feb 1995 19:29:36 -0500 (EST)

> > > Given that mail is sent to "postmaster", I don't see any real risk in
> > > providing the tool.
> >
> > Hmm, well, I'm the postmaster, and I never received the mail that the doctor
> > said I would. Hmm.... makes you wonder.
>
> As the service tells you, your system must accept mail to the postmaster
> account and be identifiable via the PSI DNS or the service won't work.
> This protects against IP address forgeries, etc. It should not make you
> wonder unduly, however, if all these things are true, perhaps someone
> is intercepting your postmaster mail!
> FC

MY MISTAKE!!! The service failed for almost 12 hours today! It is now back up and running (and tested again).

FC

From firewalls-owner Sun Feb 5 20:06:56 1995
Date: Sun, 5 Feb 1995 19:03:22 -0500
From: Robert Sargent
Message-Id: <199502060003.TAA19738@tusk.sgt.com>
To: alan@mid.net
Subject: You forgot the Subject line
Cc: firewalls@greatcircle.com

So Alan,

What's the point?

Regards-
Robert
=====================================================================
> From firewalls-owner@GreatCircle.COM Sat Feb 4 23:26:51 1995
> From: anonymous_fw_guy@some.site.other.than.netcom
> Date: Sat, 4 Feb 1995 09:47:48 -0800
>
> Hello, don't you love netcom?
>
> I'm considering implementing something on our firewalls. Obviously, this is
> not a new idea, and I would be surprised if it weren't already implemented at
> many sites. Regardless, I'd like to discuss the pros and cons.
>
> Imagine, if you will, a firewalled network. Out in the big bad world, bad
> people sniff and "hijack" connections to and from the firewall. However,
> there exist connections to the firewall which are needed, because the people
> on site at the firewall are lame and can't admin it. Plus we can charge them
> money to admin, etc... So, we develop a deslogin into the firewall. This
> allows us to do remote admin, so long as the des encryption implementation
> is done correctly.
>
> Another reason I like this, as opposed to skey, is that it allows a person
> to telnet to the firewall, then telnet around within the internal network with
> little fear that their passwords are vulnerable.
>
> Obviously, the other ways to do offsite firewall management are skey, or
> out of band management (modems, etc..) Both of those are inconvenient, and if
> this plan is as effective and secure, I would rather do that.
>
> Comments?
> --
> anonyfw
>
>

From firewalls-owner Sun Feb 5 20:08:41 1995
From: brian@imcon.ilinx.com
To: firewalls@GreatCircle.COM
Subject: individual ftp accounts from the dirty net
Date: Sun, 5 Feb 1995 17:45:14 -0700 (PST)

I've got a bit of a dilemma. I have to set up non-anonymous ftp for an organization. The basic structure is that this organization wants to set up ftp accounts so that selected people can retrieve information via the 'net. The requirements of any one individual are that (a) they can store and retrieve files (b) the files be removed once they have retrieved them (by the individual or other means). The files being transferred are going to be encrypted, so there is no danger if somebody gets files that weren't meant for them; there is however the problem of only allowing the owner of a file to delete/modify their files.

I really have no problem with giving everybody the same ftp account with the exception of preventing one individual from damaging another's file(s), either by removal or overwriting it. This could be achieved with a modified ftp server and is being considered. I was thinking that outbound files would be protected such that they could only be read, and the ftp server would be modified to remove the file after it was retrieved. Or something along those lines. *Sigh*

The other approach is to give everybody their own ftp account with their own privatized directory structure. The problem with this approach is that the machine that will be used for this ftp access will be the single bastion host of their firewall, and good firewall design dictates that user accounts on the bastion are a no-no. Or are they in the case of ftp-only access?? Is there a safe way to create accounts on the bastion for ftp access only, such that they could not be used to break the firewall??

Thots??

b.

--
Brian J. Murrell                      brian@ilinx.com
InterLinx Support Services, Inc.      brian@wimsey.com
North Vancouver, B.C.                 604 983 UNIX
Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD

From firewalls-owner Sun Feb 5 20:22:52 1995
To: firewalls@GreatCircle.COM
From: mcr@milkyway.com (Michael Richardson)
Newsgroups: milkyway.mail.firewalls
Subject: Re: More on Network Performance and Firewalls
Date: 5 Feb 1995 18:48:18 -0500
Organization: Milkyway Networks Corporation
Message-Id: <3h3o42$10v@calisto.milkyway.com>
References: <9502032151.AA28702@anon.penet.fi>

In article <9502032151.AA28702@anon.penet.fi>, Craving Knowledge wrote:
>The scientific communities are Universities, Government organizations and
>private organizations. My organization does work with a myriad of groups
>belonging to all three of these groups and we all are sharing Gigabytes
>of data per day.
>
>To say there is no demand for higher speeds is just a little short sighted.
>True there are vast amounts of small companies and organizations that will
>never probably need speeds above T1 (or 56k or modem speeds), but demands for
>high speed technology and computing is a significant presence in today's
>computing field.
...
>Marcus Ranum pointed out that it is possible to gain back some
>performance by putting proxy servers up in parallel each dedicated
>to one proxy service, such as one for ftpd, one for telnetd, etc.
>Has anyone else dealt with such a configuration? If so, do you know what
>your throughput actually is???

The critical question is does the load divide well? If you are using your 45Mb/s for live action video, and need 20-30Mb/s in a single stream, then putting proxy services in the way may really, really hurt. On the other hand, if you really only need an aggregate throughput of 45Mb/s then multiple firewall machines are the way to go.

There are really only two problems I see:
  - maintaining consistent rulesets across the firewalls
  - load balancing

The ruleset problem could be a basic admin workload (do it manually), or could involve some kind of client/server technology. Perhaps, if you are putting FDDI cards into your firewalls anyway, and they have ethernet on the motherboard, then that third interface could be for interfirewall communication. Otherwise, you must get into using some cryptographic techniques to talk client/server (on the protected network).

The load balancing problem is a bigger problem. It could be done by department, or internal subnet. This assumes that all subnets will have equal loads. This is probably a bad assumption.

I should preface my further comments by noting that we do ip spoofing in the firewall, so the packets arrive at our machine via a default route. Plain application level proxy services are reached with some kind of more explicit route (something has to know you are talking to the firewall in some way, either $http_proxy or socks). Packet filters see the packets because of default routes.

One thought I had was to use a router and/or routing daemons internally. The firewalls would send routing packets to internal routers giving hop counts that depended on their load. This would work very well with packet filters. The routers would then pick the firewall with the lowest load, and use it. Of course, if you can implement the packet filter in the router, then you might be able to do this all in one box.

This doesn't work too well with application level proxies, because you can't switch firewalls once the TCP connection has started. You are permitted, however, to direct new requests from the same host to the same destination to a new firewall (because a new proxy will start). Somehow, you have to remember which firewall a given host has connected to and direct all further packets at that firewall. If you can do this dynamically, and release the lock after a quiet period, then you win.

This job sounds almost as difficult to do with off-the-shelf components as building a T3 speed firewall in the first place.

--
:!mcr!:             | Milkyway Networks Corporation
Michael Richardson  | Makers of the Black Hole firewall
NCF: aa714 || xx714 | +1 613 566-4574 ... mcr@milkyway.com
Home: mcr@sandelman.ocunix.on.ca. PGP key available.
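The host-pinning scheme Richardson sketches above, as an added example (written for this archive, not Milkyway code): a new host goes to the least-loaded firewall, stays pinned there while it keeps sending (a proxy connection cannot move), and the pin is released after a quiet period. The firewall names, the quiet period and the injectable clock are constructed for the example; a real deployment would learn load from the firewalls themselves rather than counting pins.

```python
"""Sticky distribution of internal hosts over parallel proxy firewalls."""
import time


class StickyFirewallPool:
    def __init__(self, firewalls, quiet_period=60.0, clock=time.monotonic):
        self.load = {fw: 0 for fw in firewalls}   # pinned hosts per firewall
        self.pins = {}                            # src host -> (firewall, last_seen)
        self.quiet_period = quiet_period          # seconds of silence before release
        self.clock = clock                        # injectable so tests can step time

    def _release_idle(self, now):
        """Drop pins for hosts quiet longer than quiet_period.  An application
        proxy cannot be moved mid-connection, so a host is only unpinned once it
        has clearly stopped talking through its firewall."""
        for host, (fw, last_seen) in list(self.pins.items()):
            if now - last_seen > self.quiet_period:
                del self.pins[host]
                self.load[fw] -= 1

    def route(self, src_host):
        """Return the firewall that must carry this packet from src_host."""
        now = self.clock()
        self._release_idle(now)
        if src_host in self.pins:
            fw = self.pins[src_host][0]           # its proxies already live here
        else:
            # New host: least-loaded firewall, ties broken by name for determinism.
            fw = min(self.load, key=lambda f: (self.load[f], f))
            self.load[fw] += 1
        self.pins[src_host] = (fw, now)           # every packet refreshes the timer
        return fw

    def snapshot(self):
        """Hosts currently pinned to each firewall (sorted for stable output)."""
        return {fw: sorted(h for h, (f, _) in self.pins.items() if f == fw)
                for fw in self.load}


if __name__ == "__main__":
    # Constructed walk-through with a hand-driven clock.
    t = [0.0]
    pool = StickyFirewallPool(["fw-a", "fw-b"], quiet_period=30.0, clock=lambda: t[0])
    for host in ("10.1.1.5", "10.1.1.6", "10.1.1.7"):
        print(t[0], host, "->", pool.route(host))
    t[0] = 20.0
    print(t[0], "10.1.1.5", "->", pool.route("10.1.1.5"))   # still pinned
    t[0] = 40.0                                              # .6 and .7 have gone quiet
    print(t[0], "10.1.1.8", "->", pool.route("10.1.1.8"))
    print(pool.snapshot())
```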
From firewalls-owner Sun Feb 5 21:19:10 1995
From: Stephen.L.Arnold@Arnold.Com
Date: Sun, 05 Feb 1995 22:57:20 -0600 (CST)
Subject: Anyone read these books?
To: FireWalls@GreatCircle.Com
Cc: Stephen.L.Arnold@Arnold.Com
Message-id: <01HMPHKE1DOK8WW0T5@Badger.Arnold.Com>
Organization: Arnold Consulting, Inc.

The Library of Computer and Information Sciences (a Newbridge book club) is featuring a book this month that could be of interest to readers of this forum:

Internet Firewalls and Network Security, by Chris Hare and Karanjit Siyan, January 1995 ($25 to members, publisher's price $35)

It appears to be introductory, since the blurb says, "You needn't be an expert on networking protocols or security concepts to understand this book, because authors...give you a primer on both topics."

I'm a practitioner, so I probably don't need the book, but I wonder if it would be useful to purchase for helping clients understand issues before I help them formulate their security policies. If you want to pass along a personal opinion or published review to me by private mail, I'll summarize to the list.

I suppose we'll see a lot of books on this topic in the coming months. We might as well know what the good ones are (in addition to Cheswick and Bellovin).

[I have no financial interest in the book club, but I've purchased two books from it and am satisfied with its prices and service.]

Regards, "Steve"

Stephen L. Arnold, Ph.D., President, Arnold Consulting, Inc.
Address   2530 Targhee Street, Madison, Wisconsin 53711-5491 U.S.A.
Telephone +1 608 278 7700        Facsimile +1 608 278 7701
Internet  Stephen.L.Arnold@Arnold.Com    Pager (800) 351 8927

From firewalls-owner Sun Feb 5 21:36:49 1995
From: Brad - Walker
Message-Id: <199502060509.VAA22388@jobe.shell.portal.com>
Subject: Re: How to disable incoming ICMP redirects for SunOS 4.1.x ?
To: karl.gaissmaier@rz.uni-ulm.de
Date: Sun, 5 Feb 1995 21:09:20 -0800 (PST)
Cc: firewalls-digest@greatcircle.com, fwall-users@tis.com
In-Reply-To: <9502051843.AA12722@lyra.rz.uni-ulm.de> from "karl.gaissmaier@rz.uni-ulm.de" at Feb 5, 95 07:42:59 pm

>
> Dear readers,
>
> I wish to disable the possibility to change my routing tables with
> spoofed ICMP redirects. I know this is possible if I run gated
> on my host or when I shield my host with packet screens on my
> shielding routers.
>
> But this isn't very KISS (keep it small and simple); it would be better
> to build a kernel which isn't sensitive to this type of packet.
>
> Question:
>
> Is there a kernel option in SunOS 4.1.x or do I have to patch the
> code?
>

> the following was written by
> David Mitchell, Systems Administrator, email: D.Mitchell@dcs.shef.ac.uk
> Dept. Computer Science, Sheffield Uni.      phone: +44 742-825573
> 211 Portobello St, Sheffield S1 4DP, UK.    fax: +44 742-780972

and here it is..

#!/bin/sh
#
# allow_mask_reply, DAPM 9-Jun-94
#
# D.Mitchell@dcs.shef.ac.uk
#
# allow/disallow a host to send out ICMP subnet mask replies.
# Useful if you're doing strange things with subnet masks and
# don't want to confuse hosts who pick up their mask via an ICMP subnet
# request.
#
# WARNING: this script works by altering the code in the in-core image
# of /vmunix using adb. Use at your own peril. Effect will not survive
# a reboot.
#

usage()
{
    echo "usage: $0 {-y|-n}"
    exit 1
}

#
# How it works.
#
# The icmp code in the BSD src sys/netinet/ip_icmp.c has a section like this:
#     case ICMP_MASKREQ:
#         if (icmplen < ICMP_MASKLEN ||
#             (ia = ifptoia(m->m_pkthdr.rcvif)) == 0)
#             break;
#         icp->icmp_type = ICMP_MASKREPLY;
#         ..........
#
# I assume that the SunOS code is very similar. By converting the
# conditional branch associated with the " if (icmplen < ICMP_MASKLEN) break"
# code into an unconditional branch, the code is effectively changed to
#     case ICMP_MASKREQ:
#         break;
#     ....
# ie we change the code
#     _icmp_input+0x398:   cmp     %i2, 0xc
#     _icmp_input+0x39c:   bl,a    _icmp_input + 0x5a0
# to
#     _icmp_input+0x398:   cmp     %i2, 0xc
#     _icmp_input+0x39c:   ba      _icmp_input + 0x5a0
# which can be effected by changing the value at location _icmp_input+0x39c
# from 0x26800081 to 0x10800081
#
# Since this is very OS-specific, we check to see which OS is running.
# I have only tested this under 4.1.1 and 4.1.3_U1, but since the
# code is the same for both these releases, the chances are it will work
# for releases in between too.
# I haven't even considered Solaris-2 !

[ $# -eq 1 ] || usage

case $1 in
-y)  enable=1;;
-n)  enable=0;;
*)   usage;;
esac

# -y restores the original conditional branch (mask replies allowed),
# -n writes the unconditional branch (mask requests ignored).
if [ $enable -eq 1 ]; then
    value=0x26800081
else
    value=0x10800081
fi

os=`/bin/uname -r`
case $os in
4.1.1)     ;;
4.1.3_U1)  ;;
*)         echo "unsupported OS: $os"; exit 1;;
esac

# Write the 32-bit word at _icmp_input+0x39c in the running kernel image.
echo "_icmp_input+0x39c/W $value" | adb -w -k /vmunix /dev/mem > /dev/null

From firewalls-owner Sun Feb 5 21:49:04 1995
Date: Mon, 6 Feb 1995 00:32:08 -0500
From: John Adams
Message-Id: <199502060532.AAA25574@galaxy.concorde.com>
To: firewalls@GreatCircle.COM, morgan@engr.uky.edu
Subject: Re: tweaking PC setups

Beyond issuing personal reprimands, and beyond internal problems; we simply can't allow this sort of problem to occur. The downtime that would happen if a user could set their IP address to another (let's say, oh, the fileserver) is just plain _bad_...
-john

From firewalls-owner Sun Feb 5 22:50:22 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id WAA16784 for firewalls-outgoing; Sun, 5 Feb 1995 22:24:40 -0800
Received: from sdwsys (root@sdwsys.lig.net [199.18.175.129]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id WAA16779 for ; Sun, 5 Feb 1995 22:24:32 -0800
Received: by sdwsys (Linux Smail3.1.28.1 #20) id m0rbIBo-0009tFC; Mon, 6 Feb 95 01:24 GMT
Message-Id:
From: sdw@lig.net (Stephen D. Williams)
Subject: Re: individual ftp accounts from the dirty net
To: brian@imcon.ilinx.com
Date: Mon, 6 Feb 1995 01:24:23 +0000 (GMT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "brian@imcon.ilinx.com" at Feb 5, 95 05:45:14 pm
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1996
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I've got a bit of a dilemma. I have to set up non-anonymous ftp for an
> organization. The basic structure is that this organization wants to set
> up ftp accounts so that selected people can retrieve information via the
> 'net. The requirements of any one individual are that (a) they can store
> and retrieve files (b) the files be removed once they have retrieved them
...
> --
> Brian J. Murrell                         brian@ilinx.com
> InterLinx Support Services, Inc.         brian@wimsey.com
> North Vancouver, B.C.                    604 983 UNIX
> Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD

Can't this be solved by the more or less standard 'secret' structure:

You put a directory in the anon ftp area with permissions: +x -r (+-w).
+x allows traversal by the OS, but -r disallows anyone but root from
reading the directory. Allow +w if you want outside users to be able to
write files or create directories. In the -w scenario you could make a
directory for each user and allow +w for that.

To make this work, you just suggest/insist/enforce/assign unguessable
filenames and directory names under secret. Assuming sufficiently long
filenames, this gives good security. You can even set up a root process
to purge old stuff.

I'm working on a system where a user wants to upload info to a web server
and having a program assign temp directories this way looks much easier
than managing ftp accounts, etc.

Does anyone have solid problems with this or a better method?

sdw
--
Stephen D. Williams 25Feb1965 VW,OH sdw@lig.net http://www.lig.net/sdw
Senior Consultant 513-865-9599 FAX/LIG 513.496.5223 OH Page BA Aug94-Feb95
OO R&D AI:NN/ES crypto By Buggy: 2464 Rosina Dr., Miamisburg, OH 45342-6430
Firewall/WWW srvrs ICBM/GPS: 39 38 34N 84 17 12W home, 37 58 41N 122 01 48W wrk
Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.28Jan95

From firewalls-owner Sun Feb 5 23:19:04 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA17223 for firewalls-outgoing; Sun, 5 Feb 1995 23:11:15 -0800
Received: from schoolnet.carleton.ca (schoolnet.carleton.ca [134.117.55.17]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id XAA17218 for ; Sun, 5 Feb 1995 23:11:12 -0800
Received: by schoolnet.carleton.ca (8.6.9/SMI-4.0) id CAA00317; Mon, 6 Feb 1995 02:08:31 -0500
From: mshaver@schoolnet.carleton.ca (Mike Shaver)
Message-Id: <199502060708.CAA00317@schoolnet.carleton.ca>
Subject: Re: individual ftp accounts from the dirty net
To: sdw@lig.net (Stephen D. Williams)
Date: Mon, 6 Feb 1995 02:08:31 -0500 (EST)
Cc: firewalls@GreatCircle.COM
Reply-To: shaver@ingenia.com
In-Reply-To: from "Stephen D. Williams" at Feb 6, 95 01:24:23 am
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
Content-Length: 876
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Stephen D. Williams mumbled something vague about:
> > I've got a bit of a dilemma.
> > I have to set up non-anonymous ftp for an
> > organization. The basic structure is that this organization wants to set
>
> Can't this be solved by the more or less standard 'secret' structure:

[standard secret structure snipped =) ]

> Does anyone have solid problems with this or a better method?

I do, if only on the grounds that STO is a bad plan, for anything. My basic
philosophy towards security is that you have to assume at all times that
someone wants very badly anything that you want to protect. I'll admit that
I wasn't such a hardliner at one point, but I've learned a few lessons, and
my experiences with low-level network programming make me very untrusting of
the network in general.

I really don't want to start up the STO debate again, but that's where I sit.

Mike

From firewalls-owner Sun Feb 5 23:49:10 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA17558 for firewalls-outgoing; Sun, 5 Feb 1995 23:32:34 -0800
Received: from netway.rz.uni-ulm.de (netway.rz.uni-ulm.de [134.60.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id XAA17553 for ; Sun, 5 Feb 1995 23:32:28 -0800
From: karl.gaissmaier@rz.uni-ulm.de
Received: by netway.rz.uni-ulm.de (5.57/UniUlm-12.1.93-kg) id AA26197; Mon, 6 Feb 95 08:30:34 +0100
Message-Id: <9502060730.AA18739@lyra.rz.uni-ulm.de>
To: Brad - Walker
Cc: firewalls-digest@greatcircle.com
Subject: Re: How to disable incoming ICMP redirects for SunOS 4.1.x ?
In-Reply-To: Your message of Sun, 05 Feb 1995 21:09:20 -0800. <199502060509.VAA22388@jobe.shell.portal.com>
Date: Mon, 06 Feb 1995 08:30:29 +0100
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dear Mr. Walker,

thanks for the reply. I don't believe this is the right piece of code,
because it handles the ICMP Subnet Mask stuff and not the ICMP redirects.

>> Question:
>>
>> Is there a kernel option in SunOS 4.1.x or do I have to patch the
>> code?
>>
>
> the following was written by
>
>> David Mitchell, Systems Administrator, email: D.Mitchell@dcs.shef.ac.uk
>> Dept. Computer Science, Sheffield Uni. phone: +44 742-825573
>> 211 Portobello St, Sheffield S1 4DP, UK. fax: +44 742-780972
>
> and here it is..
>
> #!/bin/sh
> #
> # allow_mask_reply, DAPM 9-Jun-94
> #
> # D.Mitchell@dcs.shef.ac.uk
> #
> # allow/disallow a host to send out ICMP subnet mask replies.
> # Useful if you're doing strange things with subnet masks and
> # don't want to confuse hosts who pick up their mask via an ICMP subnet
> # request.
> #
> # WARNING: this script works by altering the code in the in-core image
> # of /vmunix using adb. Use at your own peril. Effect will not survive
> # a reboot.
> #
> usage() {
>     echo "usage: $0 {-y|-n}"
>     exit 1
> }
> #
> # How it works.
> #
> # The icmp code in the BSD src sys/netinet/ip_icmp.c has a section like this:
> #     case ICMP_MASKREQ:
> #         if (icmplen < ICMP_MASKLEN ||
> #             (ia = ifptoia(m->m_pkthdr.rcvif)) == 0)
> #             break;
> #         icp->icmp_type = ICMP_MASKREPLY;
> #         ..........
> #
> # I assume that the SunOS code is very similar. By converting the
> # conditional branch associated with the " if (icmplen < ICMP_MASKLEN) break"
> # code into an unconditional branch, the code is effectively changed to
> #     case ICMP_MASKREQ:
> #         break;
> #     ....
> # ie we change the code
> #     _icmp_input+0x398:  cmp   %i2, 0xc
> #     _icmp_input+0x39c:  bl,a  _icmp_input + 0x5a0
> # to
> #     _icmp_input+0x398:  cmp   %i2, 0xc
> #     _icmp_input+0x39c:  ba    _icmp_input + 0x5a0
> # which can be effected by changing the value at location _icmp_input+0x39c
> # from 0x26800081 to 0x10800081
> #
> # Since this is very OS-specific, we check to see which OS is running.
> # I have only tested this under 4.1.1 and 4.1.3_U1, but since the
> # code is the same for both these releases, the chances are it will work
> # for releases in between too.
> # I haven't even considered Solaris-2 !
>
> [ $# -eq 1 ] || usage;
> case $1 in
>     -y) enable=1;;
>     -n) enable=0;;
>     *) usage;;
> esac
>
> if [ $enable -eq 1 ]; then value=0x26800081; else value=0x10800081; fi
>
> os=`/bin/uname -r`
>
> case $os in
>     4.1.1) ;;
>     4.1.3_U1) ;;
>     *) echo "unsupported OS: $os"; exit 1;;
> esac
>
> echo "_icmp_input+0x39c/W $value" | adb -w -k /vmunix /dev/mem > /dev/null

thanks for your time

Charly
=========================================================================
Universitaet Ulm                  karl.gaissmaier@rz.uni-ulm.de
Universitaetsrechenzentrum        smtp postmaster, networkadmin
Karl Gaissmaier                   Telefon: (Germany) +49 731/5022499
D-89069 Ulm                       Telefax: (Germany) +49 731/5022471
=========================================================================

From firewalls-owner Mon Feb 6 01:19:10 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA19746 for firewalls-outgoing; Mon, 6 Feb 1995 01:10:08 -0800
Received: from inet-gw-2.pa.dec.com (inet-gw-2.pa.dec.com [16.1.0.23]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id BAA19740 for ; Mon, 6 Feb 1995 01:10:05 -0800
Received: from ilonet.ilo.dec.com by inet-gw-2.pa.dec.com (5.65/10Aug94) id AA18288; Mon, 6 Feb 95 01:03:23 -0800
Received: by ilonet.ilo.dec.com (5.65/MS-012594); id AA19850; Mon, 6 Feb 1995 09:04:58 GMT
Received: (from dtynan@localhost) by corrib.ilo.dec.com (8.6.8/8.6.6) id JAA23503; Mon, 6 Feb 1995 09:03:19 GMT
Date: Mon, 6 Feb 1995 09:03:19 GMT
From: Dermot Tynan
Message-Id: <199502060903.JAA23503@corrib.ilo.dec.com>
To: lavondes@tidtest.total.fr
Subject: Encryption.
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Michel, I have been reliably informed that it is illegal (FFR300,000 fine
+ 3 months in the Bastille) to ship encrypted IP packets through France.
Is this true? If so, it begs a lot of questions about privacy, etc.
- Der

From firewalls-owner Mon Feb 6 01:49:22 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA20339 for firewalls-outgoing; Mon, 6 Feb 1995 01:21:26 -0800
Received: from bronze.lcs.mit.edu (bronze.lcs.mit.edu [18.30.0.254]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id BAA20334 for ; Mon, 6 Feb 1995 01:21:22 -0800
Received: by bronze.lcs.mit.edu (Sendmail 8.6.9/940527.SGW) id EAA04811; Mon, 6 Feb 1995 04:18:45 -0500
Date: Mon, 6 Feb 1995 04:18:45 -0500
From: hobbit@bronze.lcs.mit.edu (*Hobbit*)
Message-Id: <199502060918.EAA04811@bronze.lcs.mit.edu>
To: firewalls@greatcircle.com
Subject: corporate policy
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It's one reason I bailed out of my last corporate job. After outlining
various issues that managerial types needed to think about in developing a
security policy, I decided that I wasn't the person to complete it [i.e.
define the Official Policy] and handed it off to people who claimed that
they'd deal swiftly, and that's the last I saw of it.

Meanwhile, an ongoing part of my job was stupidity-checking. I would do
things like occasionally sweep for open FTP servers, log in and retrieve
the config file responsible for the server being open, fix it, and write it
back. I would hound people about lame passwords or creating outside
accounts for their "friends". I would admonish co-workers about exploding
random tar files as root and typing "make install". I'd monitor for evil
doings of all sorts, and wade through megabytes of logs. I felt kind of
like a human firewall, because I wasn't allowed to build one out of good
ol' policy-enforcing silicon yet. But clearly I could invent some of it on
the fly, and that was okay, as long as totally free IP connectivity
remained available.

But it was never defined. There was no stated set of Forbidden Acts, and
no real recourse. The Word of the Security Guy was not holy or backed up by
any real authority, and was more commonly ignored or passed off as Hobbit
being grumpy today. "It is a vessel of fertilizer, and it promoteth
growth." And during this I kept telling myself it would ease off, because
management would soon bless the Policy, and us oppressed network weenies
could implement it and slam the door on all the rest of the holes, and life
would be easier. The rest is history.

This isn't intended as a specific slam, just an example of what one
commonly runs up against. I suspect that there are a lot of other related
war stories out there.

_H*

From firewalls-owner Mon Feb 6 03:19:17 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id CAA21654 for firewalls-outgoing; Mon, 6 Feb 1995 02:51:25 -0800
Received: from pegase.total.fr (pegase.total.fr [146.249.41.223]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id CAA21649 for ; Mon, 6 Feb 1995 02:51:06 -0800
Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA24338; Mon, 6 Feb 95 11:45:15 +0100
Received: by tidtest.total.fr (4.1/SMI-4.1) id AA01198; Mon, 6 Feb 95 11:41:41 GMT
From: lavondes@tidtest.total.fr (Michel Lavondes)
Message-Id: <9502061141.AA01198@tidtest.total.fr>
Subject: Re: ISS scan service - trials only
To: davis@realtime.ab.ca (Glenn Davis)
Date: Mon, 6 Feb 95 11:41:39 GMT
Cc: firewalls@greatcircle.com (fw)
Reply-To: lavondes@tidtest.total.fr
In-Reply-To: <199502041816.LAA16294@denali.realtime.ab.ca>; from "Glenn Davis" at Feb 4, 95 11:16 am
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Glenn Davis wrote :
>
> Len Rose writes:
> >
> > I believe this to be irresponsible beyond credulity. You've just handed a tool
> > to someone who may not be able to run scans for whatever reasons.
> >
>
> I think that was the point!
> I used this service as a check on my own site
> security; this assumes that you trust the results that are mailed back.
>
> Given that mail is sent to "postmaster", I don't see any real risk in
> providing the tool.
>

Is this tool execute-only, or can it be tampered with or downloaded ?

--
Michel Lavondes
E-Mail : lavondes@tidtest.total.fr
         lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected)
Tel : +33-1-4135-4198
Fax : +33-1-4135-4189

From firewalls-owner Mon Feb 6 03:49:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id DAA22143 for firewalls-outgoing; Mon, 6 Feb 1995 03:44:48 -0800
Received: from pegase.total.fr (pegase.total.fr [146.249.41.223]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id DAA22118 for ; Mon, 6 Feb 1995 03:44:13 -0800
Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA25081; Mon, 6 Feb 95 12:38:19 +0100
Received: by tidtest.total.fr (4.1/SMI-4.1) id AA01244; Mon, 6 Feb 95 12:34:44 GMT
From: lavondes@tidtest.total.fr (Michel Lavondes)
Message-Id: <9502061234.AA01244@tidtest.total.fr>
Subject: Re: Encryption.
To: dtynan@corrib.ilo.dec.com (Dermot Tynan)
Date: Mon, 6 Feb 95 12:34:43 GMT
Cc: firewalls@greatcircle.com (fw)
Reply-To: lavondes@tidtest.total.fr
In-Reply-To: <199502060903.JAA23503@corrib.ilo.dec.com>; from "Dermot Tynan" at Feb 6, 95 9:03 am
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dermot Tynan wrote :
>
> Michel, I have been reliably informed that it is illegal (FFR300,000 fine
> + 3 months in the Bastille) to ship encrypted IP packets through France.
> Is this true? If so, it begs a lot of questions about privacy, etc.

Well, I'm not a lawyer, so this should be taken with a spoonful of salt :-)
but here's what I understood :

1) Whatever rules/laws exist apply to every kind of data transmission, not
   only IP. They also may apply to voice transmission (eg, if you consider
   voice compression to be encryption), or to some kinds of data compression.

2) Except maybe in special circumstances (eg, war) or from certain sources
   in France (eg, defence contractors) to certain countries, or other
   "sensitive" circumstances, first offenders may get no more than a slap on
   the wrist, ie it's weakly enforced if at all.

3) Within France, I think the only requirement is that the key/encryption
   process be held in escrow by, or possibly given on request to, the
   hush-hush guys. Also, I think this applies only to true encryption, not
   to authentication/signature.

4) To/from a foreign country, special rules may apply to embassies and such.
   Otherwise, and depending on the country and the source/destination in
   France, same rules as 3 would apply.

5) Through France between foreign countries (eg, on a leased line between
   Germany and Great Britain that just happens to cross French territory),
   I'm not sure what rules/treaties would apply, nor how they could possibly
   be enforced.

My own opinion (don't quote me, please !) is that this is about as silly and
as enforceable as US regulations regarding export of encryption technologies,
but that (usually) you're better off not fighting City Hall :-(.

--
Michel Lavondes
E-Mail : lavondes@tidtest.total.fr
         lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected)
Tel : +33-1-4135-4198
Fax : +33-1-4135-4189

From firewalls-owner Mon Feb 6 07:51:31 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA27984 for firewalls-outgoing; Mon, 6 Feb 1995 07:48:29 -0800
Received: from dot.ca.gov (nic.dot.ca.gov [149.136.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA27978 for ; Mon, 6 Feb 1995 07:48:25 -0800
Received: from trew002 (trew.dot.ca.gov) by dot.ca.gov (4.1/01.14.95) id AA04945; Mon, 6 Feb 95 07:46:32 PST
Message-Id: <9502061546.AA04945@dot.ca.gov>
Date: Mon, 6 Feb 1995 07:38:45 -0800
From: stan@dot.ca.gov ( )
To: firewalls@greatcircle.com, ton@shell.com
Subject: Re: Clear text passwords
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

"Anh-Huy (Steve) T. Ton" writes:
>If I set up a firewall between my company & the Internet & allow ftp
>& telnet access out, is there any way I can prevent the passwords from
>ftp & telnet from being sent out across the Internet in clear text?
>I think not, but I thought I'd ask anyway.
>

Yes, but two conditions must prevail:
1) you have access to the packets to change the passwords
2) the host on the end would understand what you were doing.
Stan

From firewalls-owner Mon Feb 6 08:29:41 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA28477 for firewalls-outgoing; Mon, 6 Feb 1995 08:11:45 -0800
Received: from nta.nta.com (root@NTA.COM [198.51.166.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA28472 for ; Mon, 6 Feb 1995 08:11:41 -0800
Received: by nta.nta.com with smtp id m0rbVzK-0005HCC; Mon, 6 Feb 95 08:08 PST
Received: by nta.com (4.1/SMI-4.1) id AA18083; Mon, 6 Feb 95 08:08:18 PST
Date: Mon, 6 Feb 1995 08:08:15 -0800 (PST)
From: Bob_Gerrish_ex459
X-Sender: u-rpg@nta1
To: Jens Horstmann
Cc: Firewalls@GreatCircle.COM
Subject: Re: DNS thru firewall
In-Reply-To: <9502041840.AA20145@expert>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 4 Feb 1995, Jens Horstmann wrote:

> Hi -
>
> hope this question hasn't been asked too often already.
>
> Assume the firewall host is serviced by an internal NIS
> server. This server, however, can't talk thru the firewall
> to the domainname server. Thus, it cannot resolve hostnames
> on the firewall which is ugly from a user standpoint (since
> he has to run nslookup first to get the address).
>
[snip]
>
> (2) run a slave/forward nameserver on the firewall allowing
> our NIS server to resolve its queries I tried this but
> for some reason can't get it to work? Does anybody out
> did this?).

Our internal net are Suns running SunOS 4.1.3. I have the firewall set up
to run DNS as a root nameserver and the Suns are running NIS, only. The
Suns are set up to use DNS on the firewall. nslookup on the Suns query the
firewall and if the query cannot be resolved on the firewall, it is
resolved via the nameservers defined in db.cache. The only address I
advertise via DNS is the address of the firewall itself. Since our
internet service provider has us set up with them listed as our domain
server, they get the queries. They also only advertise the firewall's IP
address. Our intent was to do our own domain name service, but either way,
we provide no access to our internal IP addresses.

Bob Gerrish - bobg@nta.com

From firewalls-owner Mon Feb 6 08:50:04 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA28905 for firewalls-outgoing; Mon, 6 Feb 1995 08:29:35 -0800
Received: from zaphod.axion.bt.co.uk (zaphod.axion.bt.co.uk [132.146.5.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA28900 for ; Mon, 6 Feb 1995 08:29:30 -0800
Received: from everest.srd.bt.co.uk by zaphod.axion.bt.co.uk with SMTP (PP); Mon, 6 Feb 1995 16:23:57 +0000
Received: from antrim.srd.bt.co.uk by everest.srd.bt.co.uk; Mon, 6 Feb 95 16:23:27 GMT
From: Jake Hill
Date: Mon, 6 Feb 95 16:24:14 GMT
Message-Id: <1657.9502061624@antrim.srd.bt.co.uk>
To: firewalls@greatcircle.com
Subject: Re: Anyone using SmartDisk???
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>SmartDisk is a device in a 3.5" diskette format that slips into a diskette
>drive, but is really a complete security device. It's principle use is for
>securing the PC itself.

I have the developers kit for the smartdisk & the crypto-smartdisk. Ain't
had time to look at them yet, but I've seen some of the software that
SmartDisk are selling for PC/Mac access control. I think they are an
excellent idea, since the main problem with most of the crypto-based
protocols for TCP is that they store the keys on the client's host. Not
having to splash out on card readers is a real bonus.

Jake.
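The allow_mask_reply script quoted earlier in this digest patches a single SPARC branch word in the running kernel, replacing 0x26800081 with 0x10800081 at _icmp_input+0x39c. Before writing anything into /dev/mem through adb, a careful admin would decode both words and confirm they really are the bl,a and ba the script's comments claim, with the same branch target. The Python below does that; it is an added example, not code from any message in this digest. The field layout is the SPARC v8 format-2 Bicc encoding, and the words and offsets are the ones quoted in the script.

```python
"""Decode the SPARC Bicc words that allow_mask_reply swaps at
_icmp_input+0x39c, and check that the patch only changes the branch
condition, not where the branch goes.

Added example for this digest, not part of the script itself. Field
layout is the SPARC v8 format-2 Bicc encoding:
    op[31:30]=00  a[29]  cond[28:25]  op2[24:22]=010  disp22[21:0]
"""

# Integer condition codes for Bicc (cond field values 0..15).
BICC_COND = {
    0x0: "bn",   0x1: "be",  0x2: "ble",  0x3: "bl",
    0x4: "bleu", 0x5: "bcs", 0x6: "bneg", 0x7: "bvs",
    0x8: "ba",   0x9: "bne", 0xa: "bg",   0xb: "bge",
    0xc: "bgu",  0xd: "bcc", 0xe: "bpos", 0xf: "bvc",
}


def decode_bicc(word, pc):
    """Return (mnemonic, annul, target) for the 32-bit Bicc `word` at `pc`.

    `pc` is the address of the instruction itself; the displacement is
    counted in words and is PC-relative. Raises ValueError for anything
    that is not a Bicc, so a wrong patch address (one that lands on the
    cmp or on data) is caught before adb ever sees it.
    """
    if (word >> 30) != 0b00 or ((word >> 22) & 0x7) != 0b010:
        raise ValueError("0x%08x is not a Bicc instruction" % word)
    annul = (word >> 29) & 1
    cond = (word >> 25) & 0xf
    disp22 = word & 0x3fffff
    if disp22 & (1 << 21):            # sign-extend the 22-bit displacement
        disp22 -= 1 << 22
    target = pc + disp22 * 4          # word displacement -> byte offset
    mnemonic = BICC_COND[cond] + (",a" if annul else "")
    return mnemonic, annul, target


def check_patch(orig, patched, pc):
    """Compare the original and patched words at `pc`.

    The patch is sound for this purpose only if the patched word is an
    unconditional branch (ba) to exactly the target the original used,
    i.e. the `break` past the reply code. Dropping the annul bit is
    harmless here: ba is always taken, so the delay-slot instruction
    executes under both encodings (ba,a = 0x30800081 would do as well).
    """
    o_mn, _, o_target = decode_bicc(orig, pc)
    p_mn, _, p_target = decode_bicc(patched, pc)
    return {
        "orig": o_mn,
        "patched": p_mn,
        "target": p_target,
        "same_target": o_target == p_target,
        "always_taken": p_mn.split(",")[0] == "ba",
    }


if __name__ == "__main__":
    # Offsets and words exactly as quoted in the script's comments.
    PC = 0x39c                        # _icmp_input+0x39c
    ORIG, PATCHED = 0x26800081, 0x10800081
    for w in (ORIG, PATCHED):
        mn, _, tgt = decode_bicc(w, PC)
        print("0x%08x  %-5s _icmp_input+0x%x" % (w, mn, tgt))
    print(check_patch(ORIG, PATCHED, PC))
```

Both words decode to a branch to _icmp_input+0x5a0; only the condition differs, which is what the script's comment promises.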
From firewalls-owner Mon Feb 6 09:49:21 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA29742 for firewalls-outgoing; Mon, 6 Feb 1995 09:20:47 -0800
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA29737 for ; Mon, 6 Feb 1995 09:20:44 -0800
Received: from cixgate by relay2.UU.NET with SMTP id QQybyb28766; Mon, 6 Feb 1995 12:15:55 -0500
Received: from gw.3Com.COM by cixgate (4.1/SMI-4.1/3com-cixgate-GCA-931027-01) id AA16778; Mon, 6 Feb 95 17:20:32 GMT
Received: from manzanita.DEV.3Com.COM.noname (manzanita.DEV.3Com.COM) by gw.3Com.COM with SMTP id AA01969 (5.65c/IDA-1.4.4); Mon, 6 Feb 1995 09:15:50 -0800
Received: by manzanita.noname (4.1/SMI-4.1) id AA06305; Mon, 6 Feb 95 08:03:05 PST
Date: Mon, 6 Feb 95 08:03:05 PST
From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
Message-Id: <9502061603.AA06305@manzanita.noname>
To: jsmilan@subzero.winternet.com
Subject: Re: Connections to Partners and Clients
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Personally, I'd recommend what we're doing, which is to set up Frame Relay
links (X.25 would work as well) between the two companies. Then, on each
side of the frame relay links, you set up a different sort of firewall.
While this doesn't cost "next to nothing", it's far more secure than going
over the internet.

One other point that probably needs to be made to the execs in charge is
that there are several concerns. I share them with my counterparts in
other companies with whom we do business this way.

1) Our company confidential stuff could be crossing the Internet subject
   to public view.
2) Their company confidential stuff could be doing likewise.
3) We want to keep the other company's people out of our network
4) The other company feels the same about us (just policy, we all agree
   here)
5) Lack of careful planning and operation of a "free-for-all" network
   could have disastrous consequences for the flow of business on either
   net with a cost-to-repair that far exceeds any cost to setup

I don't doubt that you understand these issues, I just thought that an
unbiased opinion and verbiage might be of help to you in this case.

As for the firewall itself...

Instead of the usual type where classes of inbound and outbound traffic
are defined, specific point-to-point limitations on forwarded traffic, and
route advertising are defined. Here are some examples.

Set the Default Filter Action to Discard all packets

Add an ip Filter to allow 1.2.3.4 to talk to (forward packets to) 5.4.3.2.
If your router can get that specific, add filters for the precise types of
traffic you plan to allow for (Telnet, FTP, SMTP, whatever)

Limit the route advertising on the two router interfaces for just the
networks that each side needs to know about on the other side in order to
conduct the conversations described above.

In our case, we both do this, thereby adding some latency to the
conversations, but since the links are not that high speed anyway, the
filtering latency is not really noticeable.

I like this approach personally, since with X.25 or Frame Relay, you KNOW
who is at the other end of the connection. All that remains is to control
precisely who and what goes over the connection.

Where dialup is a requirement, then each side is run through an
authentication mechanism (An access control server, there are several on
the market), and if you're feeling particularly paranoid, you can get one
that uses dial-back, thus authenticating the source in two ways.

As far as the hosts themselves are concerned, if they are Unix boxes, you
can also change the login user id and its group, and the permissions on
Telnet, FTP, etc. so that they cannot be executed by the remote user.

HTH,

BobK

From firewalls-owner Mon Feb 6 10:02:30 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA00728 for firewalls-outgoing; Mon, 6 Feb 1995 09:43:54 -0800
Received: from charon.cargill.com (charon.cargill.com [157.239.225.225]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA00723 for ; Mon, 6 Feb 1995 09:43:51 -0800
From: jim_bostwick@cargill.com
Received: by charon.cargill.com; (5.65/1.1.8.2/22Jun94-0316PM) id AA16293; Mon, 6 Feb 1995 11:42:00 -0600
Received: from merlin.res.cargill.com(157.239.3.126) by charon.cargill.com via smap (V1.3mjr) id sma016291; Mon Feb 6 11:41:31 1995
Received: from localhost by merlin.res.cargill.com; (5.65/1.1.8.2/14Jun94-1223PM) id AA08339; Mon, 6 Feb 1995 11:41:30 -0600
Message-Id: <9502061741.AA08339@merlin.res.cargill.com>
To: Firewalls@greatcircle.com
Cc: jim_bostwick@cargill.com
Subject: Re: Re: ISS scan service - trials only
In-Reply-To: Your message of "Sun, 05 Feb 95 01:00:11 PST." <199502050900.BAA02037@miles.greatcircle.com>
Date: Mon, 06 Feb 95 11:41:30 -0600
X-Mts: smtp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Len Rose writes:
>>
>> I believe this to be irresponsible beyond credulity. You've just handed a tool
>> to someone who may not be able to run scans for whatever reasons.
>>

and Glenn Davis replies:

>I think that was the point! I used this service as a check on my own site
>security; this assumes that you trust the results that are mailed back.
>Given that mail is sent to "postmaster", I don't see any real risk in
>providing the tool.

I'm with Glenn - this appears a useful service. As to risk, any A6 worth
the title has ISS and lots more already. For that matter, ISS does nothing
that a determined (or bored) individual couldn't do by hand.
While a 'clean' report won't make me feel that much more comfortable, you
can bet your boots that anything odd it tells me will get VERY close
scrutiny!

-jim

From firewalls-owner Mon Feb 6 10:19:37 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA01496 for firewalls-outgoing; Mon, 6 Feb 1995 10:08:25 -0800
Received: from moscvax.demos.su (moscvax.demos.su [192.91.186.212]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA01491 for ; Mon, 6 Feb 1995 10:08:18 -0800
Received: from kremvax.demos.su by moscvax.demos.su with UUCP id VAA09131; (8.6.9/D) Mon, 6 Feb 1995 21:03:27 +0300
Received: by kremvax.demos.su; Mon, 6 Feb 1995 21:00:42 +0300
Received: by phreak.demos.su; Mon, 6 Feb 1995 20:55:21 +0300
Received: by inzer.msk.su; Mon, 6 Feb 95 18:27:14 +0300 (MSD)
X-Mailer: Inzer Windows Instant Mailer (version 1.00)
Date: Mon, 6 Feb 95 18:27:13 +0300 (MSD)
To: firewalls@GreatCircle.COM
From: MOROZ@inzer.msk.su (Oleg Moroz)
Message-Id:
Subject: Which free 386 Unix flavor is best for a firewall ?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello, all !

I'm to set up the Internet firewall for my company and (at present time)
I'm limited with a 486 PC and Linux or FreeBSD/NetBSD for this purpose.
The connection will be slow (64kbps at most) and the load won't be very
heavy either. So, does anybody here have something to say about Linux vs.
FreeBSD in this respect ?

Oleg

From firewalls-owner Mon Feb 6 11:49:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA03284 for firewalls-outgoing; Mon, 6 Feb 1995 11:46:26 -0800
Received: from nuchat.sccsi.com (nuchat.sccsi.com [198.65.128.16]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA03279 for ; Mon, 6 Feb 1995 11:46:23 -0800
Received: by nuchat.sccsi.com (/\==/\ Smail3.1.25.1 #25.2) id ; Mon, 6 Feb 95 13:47 CST
Date: Mon, 6 Feb 1995 13:37:28 -0500 (CST)
From: Jeff Libman
Subject: Re: Which free 386 Unix flavor is best for a firewall ?
To: Oleg Moroz
cc: firewalls@GreatCircle.COM
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

i started with the idea of building an isp business last october. i started
with a 486 running linux. after 2 months of hacking away at linux, i decided
that i had been working with professionally supported operating systems for
20 years, and i ordered bsd from bsdi for about $500. this not only comes
with 60 days free support, but it is one of the best unix implementations i
have had the pleasure to install, configure, and administer.

i refuse to belittle linux, free-bsd, or any other operating system. i'm
not a software/os snob. but i accomplished in 1 week with the bsdi os what
i had been working on for 2 months on the linux box. this includes: ppp
connection to my current isp; ppp connection into MY unix box; dns/routing
through my current isp; pop server, mail server, www server, anonymous ftp.

i asked bsdi rep what the difference is between free/net/bsd and bsdi's
bsd. answer: "support, bug fixes, new releases, etc.".

my choice to 'buy' bsdi (they offer an attractive deal on binaries for
additional systems!) is based on the fact, that, while hacking an os's
source code is challenging, fun and educational, what am i in business for?
what are my goals? i'll pay for the service and support and os
implementation, and spend my time/energy/efforts on getting other things
accomplished, like administering this system!

IMHO,

jeff

On Mon, 6 Feb 1995, Oleg Moroz wrote:

> Hello, all !
>
> I'm to set up the Internet firewall for my company and (at present
> time) I'm limited with 486 PC and Linux or FreeBSD/NetBSD for this
> purpose. The connection will be slow (64kbps at most) and the load
> won't be very heavy also. So, does anybody here have something to
> say about Linux vs. FreeBSD in this respect ?
>
> Oleg
>

From firewalls-owner Mon Feb 6 12:24:38 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA04012 for firewalls-outgoing; Mon, 6 Feb 1995 12:05:36 -0800
Received: from nntp.interaccess.com (nntp.interaccess.com [198.80.0.64]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA03974 for ; Mon, 6 Feb 1995 12:05:26 -0800
Received: from srvcon_10.UUCP (cbot@localhost) by nntp.interaccess.com (8.6.5/8.6.5) with UUCP id NAA09726 for firewalls@GreatCircle.COM; Mon, 6 Feb 1995 13:40:39 -0600
Received: from CBOTSMTP by srvcon_10.cbot.com (5.0/SMI-SVR4) id AA02334; Mon, 6 Feb 1995 13:30:10 -0600
Received: from BLUE-Message_Server by CBOTSMTP with Novell_GroupWise; Mon, 06 Feb 1995 13:32:10 -0600
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Mon, 06 Feb 1995 13:04:41 -0600
From: Steven Schulze
To: firewalls@GreatCircle.com
Subject: Janus Firewalling Product / Other Products
content-length: 532
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anyone out there had direct experience with the Janus package?

Besides the standard security measures (router filtering, preventing any
connection to the general network, etc.), we would like to be able to
purchase a firewall package that will grow with us. Janus was recommended
but I'd like to hear unbiased opinions.

We plan on using a beefed up 486 initially, with plans to migrate to a UNIX
platform as the demand warrants the expense / effort. It would be nice to
have one package for both platforms.

Thanks,

SS

From firewalls-owner Mon Feb 6 12:52:16 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA03517 for firewalls-outgoing; Mon, 6 Feb 1995 11:56:05 -0800
Received: from urhep.pas.rochester.edu (urhep.pas.rochester.edu [128.151.144.64]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA03512 for ; Mon, 6 Feb 1995 11:56:02 -0800
Received: from URHEP.PAS.ROCHESTER.EDU by URHEP.PAS.ROCHESTER.EDU (PMDF V4.2-11 #4191) id <01HMQEFDB8XS8WVZFK@URHEP.PAS.ROCHESTER.EDU>; Mon, 6 Feb 1995 14:53:35 EST
Date: Mon, 06 Feb 1995 14:53:35 -0500 (EST)
From: "Bill VanRemmen U. of Rochester (716)275-4825"
Subject: FW-1 and DECnet/Appletalk/IPX
To: Firewalls@GreatCircle.COM
Message-id: <01HMQEFDBILE8WVZFK@URHEP.PAS.ROCHESTER.EDU>
X-VMS-To: IN%"Firewalls@GreatCircle.COM"
X-VMS-Cc: BILLY
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Can someone tell me if Sun's FW-1 product can handle DECnet, Appletalk and
IPX in addition to TCP/IP?

-Bill VanRemmen, KA2WFJ
billy@urhep.pas.rochester.edu
URHEP::billy

My opinions. No one in their right mind would claim otherwise.
==============================================================================
"Experience should teach us to be most on our guard to protect liberty when
the government's purposes are beneficent . . . the greatest dangers to
liberty lurk in insidious encroachment by men of zeal, well meaning but
without understanding."
Justice Louis Brandeis
Olmstead vs.
United States, United States Supreme Court, 1928 ============================================================================== From firewalls-owner Mon Feb 6 13:50:08 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA05741 for firewalls-outgoing; Mon, 6 Feb 1995 13:38:55 -0800 Received: from hpschd.claremont.edu (HPSCHD.CLAREMONT.EDU [134.173.5.251]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA05736 for ; Mon, 6 Feb 1995 13:38:53 -0800 Received: from POMADM.POMONA.EDU by HPSCHD.CLAREMONT.EDU (PMDF V4.3-11 #7950) id <01HMQBKRHTMO000KEC@HPSCHD.CLAREMONT.EDU>; Mon, 06 Feb 1995 13:32:16 -0700 (PDT) Received: from POMADM.POMONA.EDU by POMADM.POMONA.EDU (PMDF V4.3-10 #7950) id <01HMQBP43VJ40007G3@POMADM.POMONA.EDU>; Mon, 06 Feb 1995 13:34:51 -0700 (PDT) Date: Mon, 06 Feb 1995 13:34:50 -0700 (PDT) From: "Dr. Stephan L. Moss" Subject: Janus - We're interested, too. To: firewalls@greatcircle.com Message-id: X-Envelope-to: firewalls@greatcircle.com MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We would be interested in opinions on Janus, also. We just had a demo by a sales person that looked pretty good. We are too early in our process (we still are defining stance and basic needs) to make any choices yet, but we were attracted by some of what Janus had to offer. We would need to know more before we could even begin to make a choice. Thanks Steve Moss ! ! Dr. Stephan L. Moss stevem@pomadm.pomona.edu ! ! Administrative Computing Pomona College ! Claremont, CA 91711 ! (909) 621-8000 ext. 
1734 From firewalls-owner Mon Feb 6 15:56:54 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA07356 for firewalls-outgoing; Mon, 6 Feb 1995 15:20:12 -0800 Received: from motgate.mot.com (motgate.mot.com [129.188.136.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA07351 for ; Mon, 6 Feb 1995 15:20:04 -0800 Received: from mothost.mot.com by motgate.mot.com with SMTP (5.67b/IDA-1.4.4/MOT-3.1 for ) id AA25117; Mon, 6 Feb 1995 17:17:39 -0600 Received: from mdd.comm.mot.com (mdisea.mdd.comm.mot.com) by mothost.mot.com with SMTP (5.67b/IDA-1.4.4/MOT-3.1 for ) id AA15503; Mon, 6 Feb 1995 17:17:38 -0600 Received: from dragon.mdd.comm.mot.com by mdd.comm.mot.com (4.1/SMI-4.1) id AA29821; Mon, 6 Feb 95 15:17:34 PST Received: from sun11k.mdd.comm.mot.com by dragon.mdd.comm.mot.com (4.1/SMI-4.1) id AA25407; Mon, 6 Feb 95 15:17:32 PST Date: Mon, 6 Feb 95 15:17:32 PST From: dhami@mdd.comm.mot.com (Mandeep S Dhami) Message-Id: <9502062317.AA25407@dragon.mdd.comm.mot.com> Received: by sun11k.mdd.comm.mot.com (4.1/SMI-4.1) id AA15111; Mon, 6 Feb 95 15:17:31 PST To: Firewalls@greatcircle.com Subject: Firewall digest Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I was wondering if this mailing list is also posted in a digest format (ie. all the messages in one mail, at the end of the day). Right now, I receive each message as a seperate e-mail. If it is, how can I change it; and if it is not, would that be a good idea? 
Thanks, Mandeep ------------------------------------------------------------------------------ From firewalls-owner Mon Feb 6 16:19:12 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA07843 for firewalls-outgoing; Mon, 6 Feb 1995 16:04:56 -0800 Received: from mbadev.mba.com ([198.60.144.14]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA07838 for ; Mon, 6 Feb 1995 16:04:53 -0800 Message-Id: <199502070004.QAA07838@miles.greatcircle.com> Received: from he.mba.com by mbadev.mba.com with SMTP (1.37.109.8/16.2) id AA03380; Mon, 6 Feb 1995 17:00:50 -0700 Date: Mon, 6 Feb 1995 17:00:50 -0700 X-Sender: cxh@mbadev.mba.com X-Mailer: Windows Eudora Version 1.4.3 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.COM From: cxh@mba.com (Cynthia He) Subject: unix for 486 with token ring card as a firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We are trying to set up a pentium machine with a token ring card as a firewall for our internal networks. I have been messing with linux for more a month now and can not make it to work with our ibm token ring card (I put on a beta code for token ring). We are in a hurry to set up this firewall because of all the security incidents on network security. If someone could point me to a version of unix that runs on a 486 and supports a ibm token ring card (free or not), we will be happy to try it out. Thanks for your time. ============================= Cynthia He Miles Burke Associates, Inc. 
cxh@mba.com (602)852-5600 ext.152 From firewalls-owner Mon Feb 6 17:19:05 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA08806 for firewalls-outgoing; Mon, 6 Feb 1995 16:49:30 -0800 Received: from feta.cisco.com (feta.cisco.com [171.69.1.158]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA08801 for ; Mon, 6 Feb 1995 16:49:27 -0800 Received: from localhost.cisco.com (localhost.cisco.com [127.0.0.1]) by feta.cisco.com (8.6.8+c/CISCO.SERVER.1.1) with SMTP id QAA00427; Mon, 6 Feb 1995 16:47:06 -0800 Message-Id: <199502070047.QAA00427@feta.cisco.com> X-Authentication-Warning: feta.cisco.com: Host localhost.cisco.com didn't use HELO protocol To: jeffrl@nuchat.sccsi.com (Jeff Libman) Cc: firewalls@GreatCircle.COM Subject: Re: Which free 386 Unix flavor is best for a firewall ? In-Reply-To: jeffrl@nuchat.sccsi.com's message of 06 Feb 1995 10:37:28 PST Date: Mon, 06 Feb 1995 16:47:05 -0800 From: Paul Traina Sender: firewalls-owner@GreatCircle.COM Precedence: bulk While I most definitely agree with the idea of "buying" your UNIX from BSDI, if, for some reason, that's not an interesting option, I would like to point out that FreeBSD 2.0 and newer has packet-filtering firewall support code built right into the system (configurable as a kernel option). I personally believe in a mixture of packet filtering and application relays, and I find this combination quite useful if one doesn't have another device (ahem) that can act as a packet filter. 
From firewalls-owner Mon Feb 6 17:45:29 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA08861 for firewalls-outgoing; Mon, 6 Feb 1995 16:54:22 -0800
Received: from post.demon.co.uk (post.demon.co.uk [158.152.1.72]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA08856 for ; Mon, 6 Feb 1995 16:54:16 -0800
Received: from demon.demon.co.uk by post.demon.co.uk id ab05724; 6 Feb 95 23:31 GMT
Received: from ford by demon.demon.co.uk id aa23905; 6 Feb 95 23:31 GMT
From: Steve Kennedy
Message-Id: <1591.9502062306@ford.gbnet.org>
Subject: KarlBridge/KarlBrouter and IP address spoofing
To: firewalls@greatcircle.com
Date: Mon, 6 Feb 1995 23:06:21 +0000 (GMT)
X-Mailer: ELM [version 2.4 PL24alpha3]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1018
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi, just a quick note to say that the KarlBridge/KarlBrouter products correctly drop spoofed IP addresses. Ports are specified as local or remote and both the source and destination addresses are compared against the local/remote rule sets. Therefore, as rules are executed in order of entry, it is possible to specify that any packets with your address entering your network are dropped and then a general rule that allows any packets through.

Regards

Steve
--
Steve Kennedy
Flat 2, 43 Howitt Road, Belsize Park, London NW3 4LU        tel +44-(0)171 483 1169
steve@gbnet.{com,org,net} home (or steve@tel.net)            GSM 0802 444500
steve@marvin.demon.co.uk   Demon Internet                    Dial-up data 2400 449500
WWW http://www.demon.co.uk/subscribers/m/marvin/             9600 449501
UNIX/Networking Consulting steve@NetTek.co.uk                fax 449502
[MIME OK]

From firewalls-owner Mon Feb 6 19:19:05 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA10142 for firewalls-outgoing; Mon, 6 Feb 1995 19:02:33 -0800
Received: from feta.cisco.com (feta.cisco.com [171.69.1.158]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id TAA10137 for ; Mon, 6 Feb 1995 19:02:30 -0800
Received: from localhost.cisco.com (localhost.cisco.com [127.0.0.1]) by feta.cisco.com (8.6.8+c/CISCO.SERVER.1.1) with SMTP id TAA09170; Mon, 6 Feb 1995 19:00:11 -0800
Message-Id: <199502070300.TAA09170@feta.cisco.com>
X-Authentication-Warning: feta.cisco.com: Host localhost.cisco.com didn't use HELO protocol
To: Jeff Libman
Cc: firewalls@GreatCircle.COM
Subject: Re: Which free 386 Unix flavor is best for a firewall ?
In-Reply-To: Your message of "Mon, 06 Feb 1995 20:56:13 EST."
Date: Mon, 06 Feb 1995 19:00:11 -0800
From: Paul Traina
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

  From: Jeff Libman
  Subject: Re: Which free 386 Unix flavor is best for a firewall ?

  is this like the gwscreen kernel option in BSDI's implementation?

I'm not familiar with that option in the BSDI kernel, but likely yes. Does it invoke a decision-making daemon in user space (like screend) or load a decision tree up into kernel space?
From firewalls-owner Mon Feb 6 19:49:09 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA10097 for firewalls-outgoing; Mon, 6 Feb 1995 18:55:21 -0800
Received: from nuchat.sccsi.com (nuchat.sccsi.com [198.65.128.16]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA10092 for ; Mon, 6 Feb 1995 18:55:19 -0800
Received: by nuchat.sccsi.com (/\==/\ Smail3.1.25.1 #25.2) id ; Mon, 6 Feb 95 20:56 CST
Date: Mon, 6 Feb 1995 20:56:13 -0500 (CST)
From: Jeff Libman
Subject: Re: Which free 386 Unix flavor is best for a firewall ?
To: Paul Traina
cc: firewalls@GreatCircle.COM
In-Reply-To: <199502070047.QAA00427@feta.cisco.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

is this like the gwscreen kernel option in BSDI's implementation?

On Mon, 6 Feb 1995, Paul Traina wrote:

> While I most definitely agree with the idea of "buying" your UNIX from BSDI,
> if, for some reason, that's not an interesting option, I would like to point
> out that FreeBSD 2.0 and newer has packet-filtering firewall support code
> built right into the system (configurable as a kernel option).
>
> I personally believe in a mixture of packet filtering and application relays,
> and I find this combination quite useful if one doesn't have another device
> (ahem) that can act as a packet filter.

From firewalls-owner Mon Feb 6 19:59:48 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA10151 for firewalls-outgoing; Mon, 6 Feb 1995 19:06:35 -0800
Received: from nuchat.sccsi.com (nuchat.sccsi.com [198.65.128.16]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id TAA10146 for ; Mon, 6 Feb 1995 19:06:33 -0800
Received: by nuchat.sccsi.com (/\==/\ Smail3.1.25.1 #25.2) id ; Mon, 6 Feb 95 21:07 CST
Date: Mon, 6 Feb 1995 21:04:51 -0500 (CST)
From: Jeff Libman
Subject: Re: Which free 386 Unix flavor is best for a firewall ?
To: Paul Traina
cc: firewalls@GreatCircle.COM
In-Reply-To: <199502070300.TAA09170@feta.cisco.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

screend is exactly what i am implementing. i am starting an isp business, and my first stage system plans call for using a bsdi box with an sdl synchronous serial card connecting to a t1 csu/dsu as my internet router. the current version of bsdi (1.1) comes with routed, while the announced 2.0 version is supposed to come with gated. anyway, screend is recommended as a simple firewall type program.

On Mon, 6 Feb 1995, Paul Traina wrote:

>   From: Jeff Libman
>   Subject: Re: Which free 386 Unix flavor is best for a firewall ?
>
>   is this like the gwscreen kernel option in BSDI's implementation?
>
> I'm not familiar with that option in the BSDI kernel, but likely yes.
> Does it invoke a decision-making daemon in user space (like screend)
> or load a decision tree up into kernel space?

From firewalls-owner Mon Feb 6 21:19:22 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA13873 for firewalls-outgoing; Mon, 6 Feb 1995 20:59:31 -0800
Received: from zephyr.isi.edu (zephyr.isi.edu [128.9.160.160]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id UAA13866 for ; Mon, 6 Feb 1995 20:59:27 -0800
Received: by zephyr.isi.edu (5.65c/5.61+local-17) id ; Mon, 6 Feb 1995 20:57:06 -0800
From: bmanning@ISI.EDU (Bill Manning)
Message-Id: <199502070457.AA14660@zephyr.isi.edu>
Subject: Re: ISS scan service - trials only
To: fc@all.net (Dr. Frederick B. Cohen)
Date: Mon, 6 Feb 1995 20:57:06 -0800 (PST)
Cc: alan@mid.net, firewalls@greatcircle.com
In-Reply-To: <199502052352.SAA00445@all.net> from "Dr. Frederick B. Cohen" at Feb 5, 95 06:52:31 pm
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 250
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> As the service tells you, your system must accept mail to the postmaster
> account and be identifiable via the PSI DNS or the service won't work.

the PSI DNS? Is this some bastard form of the Internet DNS that the rest of us use?

--
--bill

From firewalls-owner Mon Feb 6 21:49:11 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA13809 for firewalls-outgoing; Mon, 6 Feb 1995 20:54:45 -0800
Received: from sdwsys (root@sdwsys.lig.net [199.18.175.129]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id UAA13802 for ; Mon, 6 Feb 1995 20:54:40 -0800
Received: by sdwsys (Linux Smail3.1.28.1 #20) id m0rbdGP-0009vAC; Mon, 6 Feb 95 23:54 GMT
Message-Id:
From: sdw@lig.net (Stephen D. Williams)
Subject: Re: unix for 486 with token ring card as a firewall
To: cxh@mba.com (Cynthia He)
Date: Mon, 6 Feb 1995 23:54:31 +0000 (GMT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199502070004.QAA07838@miles.greatcircle.com> from "Cynthia He" at Feb 6, 95 05:00:50 pm
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1487
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> We are trying to set up a pentium machine with a token ring card
> as a firewall for our internal networks. I have been messing with
> linux for more a month now and can not make it to work with our
> ibm token ring card (I put on a beta code for token ring).
>
> We are in a hurry to set up this firewall because of all the security
> incidents on network security. If someone could point me to a version
> of unix that runs on a 486 and supports a ibm token ring card (free
> or not), we will be happy to try it out.

Although I'd love to hear that it'd work, I'd suggest trying to find a hub or router (that you probably have) that can have a standard ethernet port. It will be a snap to access from the Linux system. An NE2000 clone for $35 will work just fine.

Token ring is so obsolete it's not funny. Between $35 ethernet nics, 100baseT server nics, and switching hubs, nothing else will make sense for quite a while.

> Thanks for your time.
>
> =============================
> Cynthia He
> Miles Burke Associates, Inc.
> cxh@mba.com
> (602)852-5600 ext.152

sdw
--
Stephen D. Williams 25Feb1965 VW,OH   sdw@lig.net   http://www.lig.net/sdw
Senior Consultant 513-865-9599 FAX/LIG 513.496.5223 OH Page BA Aug94-Feb95
OO R&D AI:NN/ES crypto   By Buggy: 2464 Rosina Dr., Miamisburg, OH 45342-6430
Firewall/WWW srvrs   ICBM/GPS: 39 38 34N 84 17 12W home, 37 58 41N 122 01 48W wrk
Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.28Jan95

From firewalls-owner Mon Feb 6 21:51:07 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA14041 for firewalls-outgoing; Mon, 6 Feb 1995 21:11:47 -0800
Received: from sdwsys (root@sdwsys.lig.net [199.18.175.129]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id VAA14035 for ; Mon, 6 Feb 1995 21:11:42 -0800
Received: by sdwsys (Linux Smail3.1.28.1 #20) id m0rbdWs-0009vIC; Tue, 7 Feb 95 00:11 GMT
Message-Id:
From: sdw@lig.net (Stephen D. Williams)
Subject: Re: individual ftp accounts from the dirty net
To: shaver@ingenia.com
Date: Tue, 7 Feb 1995 00:11:38 +0000 (GMT)
Cc: sdw@lig.net, firewalls@GreatCircle.COM
In-Reply-To: <199502060708.CAA00317@schoolnet.carleton.ca> from "Mike Shaver" at Feb 6, 95 02:08:31 am
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1667
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Stephen D. Williams mumbled something vague about:
...
> > Can't this be solved by the more or less standard 'secret' structure:
>
> [standard secret structure snipped =) ]
>
> > Does anyone have solid problems with this or a better method?
>
> I do, if only on the grounds that STO is a bad plan, for anything.

STO... Hmm, don't match that tonite: definition? Do you have an alternative?

> My basic philosophy towards security is that you have to assume at all times
> that someone wants very badly anything that you want to protect. I'll admit
> that I wasn't such a hardliner at one point, but I've learned a few lessons,
> and my experiences with low-level network programming make me very
> untrusting of the network in general.

> I really don't want to start up the STO debate again, but that's where I
> sit.

I'm not trusting the network more than I would have to for normal uids/passwords, am I? As far as accountability, I'm losing since a user can give out the secret file/directory name with probably less trepidation than an account. However as far as access, it is still protected by a 'password'. A one/two time one at that.

If you don't use fully encrypted sessions you are trusting the network quite a bit in any case.

> Mike

sdw
--
Stephen D. Williams 25Feb1965 VW,OH   sdw@lig.net   http://www.lig.net/sdw
Senior Consultant 513-865-9599 FAX/LIG 513.496.5223 OH Page BA Aug94-Feb95
OO R&D AI:NN/ES crypto   By Buggy: 2464 Rosina Dr., Miamisburg, OH 45342-6430
Firewall/WWW srvrs   ICBM/GPS: 39 38 34N 84 17 12W home, 37 58 41N 122 01 48W wrk
Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.28Jan95

From firewalls-owner Mon Feb 6 22:05:55 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA14380 for firewalls-outgoing; Mon, 6 Feb 1995 21:28:18 -0800
Received: from feta.cisco.com (feta.cisco.com [171.69.1.158]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id VAA14374 for ; Mon, 6 Feb 1995 21:28:10 -0800
Received: from localhost.cisco.com (localhost.cisco.com [127.0.0.1]) by feta.cisco.com (8.6.8+c/CISCO.SERVER.1.1) with SMTP id VAA14039; Mon, 6 Feb 1995 21:25:47 -0800
Message-Id: <199502070525.VAA14039@feta.cisco.com>
X-Authentication-Warning: feta.cisco.com: Host localhost.cisco.com didn't use HELO protocol
To: Jeff Libman
Cc: firewalls@GreatCircle.COM
Subject: Re: Which free 386 Unix flavor is best for a firewall ?
In-Reply-To: Your message of "Mon, 06 Feb 1995 21:04:51 EST."
Date: Mon, 06 Feb 1995 21:25:46 -0800
From: Paul Traina
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

  From: Jeff Libman
  Subject: Re: Which free 386 Unix flavor is best for a firewall ?

  screend is exactly what i am implementing. i am starting an isp business, and my first stage system plans call for using a bsdi box with an sdl synchronous serial card connecting to a t1 csu/dsu as my internet router. the current version of bsdi (1.1) comes with routed, while the announced 2.0 version is supposed to come with gated. anyway, screend is recommended as a simple firewall type program.
Screend is not a routing protocol daemon, it's just yet another daemon that for each packet, gets passed either the packet, or the header, I forget which, it gives back either a yea or nea to the question "may I forward this packet?" From firewalls-owner Tue Feb 7 00:19:12 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA17132 for firewalls-outgoing; Tue, 7 Feb 1995 00:05:12 -0800 Received: from jaring.my (jaring.my [192.228.128.20]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id AAA17126 for ; Tue, 7 Feb 1995 00:05:01 -0800 Received: from ms.mimos.my by jaring.my with SMTP id AA27228 (5.67a/IDA-1.5 for ); Tue, 7 Feb 1995 16:02:59 +0800 Received: by ms.mimos.my (5.64/7.0) id AA04596; Tue, 7 Feb 95 16:02:57 +0800 Date: Tue, 7 Feb 1995 15:48:26 +0800 (MYT) From: Lee Hooi Teck Subject: CISCO packet filtering To: firewalls@greatcircle.com Cc: Lee Hooi Teck Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk HI, I am trying to configure a router with the following requirements: int E 0 ip address x.y.z.2 ip access-group 101 1. access list 101 permit ip a.b.c.0 0.0.0.255 2. permit the above network to access all the services in net x.y.z.0 3. permit ip 0.0.0.0 255.255.255.255 4. permit the above to access only the web server Will the router understand rule 2 is apply to 1 and rule 4 is apply to 3? If not how should I specify the rules? 
The configuration of the network is: ________ S1| |E0 other networks ---- a.b.c.0 ----| router |------- x.y.z.0 |________| thanks, teck -------------------------------------------------- | Malaysian Institute of Microelectronic Systems | | Ministry of Science and The Environment | | Malaysia | -------------------------------------------------- From firewalls-owner Tue Feb 7 03:19:11 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id DAA20239 for firewalls-outgoing; Tue, 7 Feb 1995 03:07:28 -0800 Received: from hearnvax.nic.surfnet.nl (hearnvax.nic.surfnet.nl [192.87.5.131]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id DAA20234 for ; Tue, 7 Feb 1995 03:07:20 -0800 Received: from bdypwt.knmi.nl by HEARNVAX.nic.SURFnet.nl (PMDF V4.2-12 #3330) id <01HMRMYMQFBK007GW7@HEARNVAX.nic.SURFnet.nl>; Tue, 7 Feb 1995 12:07:54 +0200 (MET-DST) Received: by bdypwt.knmi.nl id AA18870 (5.67b+/IDA-1.5 for Firewalls@GreatCircle.COM); Tue, 7 Feb 1995 11:05:21 GMT Date: Tue, 07 Feb 1995 11:05:21 +0000 (GMT) From: Joost Rietveld Subject: Re: Firewalls-Digest V4 #92[562]rietveld@bdypwt:/d1/usr/users/rietveld % arp -a | grep btp019 In-reply-to: <199502070900.BAA18283@miles.greatcircle.com> from "firewalls-digest-owner@GreatCircle.COM" at Feb 7, 95 01:00:20 am To: Firewalls@GreatCircle.COM Cc: btp019.knmi.nl@KNMI.NL (145.23.16.36), at@KNMI.NL Message-id: <199502071105.AA18870@bdypwt.knmi.nl> X-Envelope-to: Firewalls@greatcircle.COM X-Mailer: ELM [version 2.4 PL23] Content-type: text Content-transfer-encoding: 7BIT Content-Length: 0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From firewalls-owner Tue Feb 7 05:55:38 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA21585 for firewalls-outgoing; Tue, 7 Feb 1995 05:28:41 -0800 Received: from wintermute.imsi.com (wintermute.imsi.com [192.103.3.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id FAA21580 for ; Tue, 7 Feb 1995 
05:28:35 -0800 Received: from relay.imsi.com by wintermute.imsi.com id IAA07113; Tue, 7 Feb 1995 08:26:43 -0500 Received: from lorax.imsi.com by relay.imsi.com id IAA23449; Tue, 7 Feb 1995 08:26:42 -0500 Received: from localhost by lorax.imsi.com (4.1/SMI-4.1) id AA01306; Tue, 7 Feb 95 08:26:41 EST Message-Id: <9502071326.AA01306@lorax.imsi.com> To: Paul Traina Cc: jeffrl@nuchat.sccsi.com (Jeff Libman), firewalls@greatcircle.com Subject: Re: Which free 386 Unix flavor is best for a firewall ? In-Reply-To: Your message of "Mon, 06 Feb 1995 16:47:05 PST." <199502070047.QAA00427@feta.cisco.com> Reply-To: rens@imsi.com Date: Tue, 07 Feb 1995 08:26:41 -0500 From: Rens Troost Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>>>> "Paul" == Paul Traina writes: Paul> While I most definitely agree with the idea of "buying" your Paul> UNIX from BSDI, if, for some reason, that's not an interesting Paul> option, I would like to point out that FreeBSD 2.0 and newer Paul> has packet-filtering firewall support code built right into Paul> the system (configurable as a kernel option). NetBSD support for a packet filter is also imminent. -Rens From firewalls-owner Tue Feb 7 06:49:26 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA22483 for firewalls-outgoing; Tue, 7 Feb 1995 06:27:13 -0800 Received: from joy.jsc.nasa.gov (joy.jsc.nasa.gov [139.169.137.12]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA22478 for ; Tue, 7 Feb 1995 06:27:09 -0800 Received: from msmtp-out.jsc.nasa.gov ([139.169.94.6]) by joy.jsc.nasa.gov (4.1/25-eef) id AA23501; Tue, 7 Feb 95 08:27:49 CST Received: by msmtp-out.jsc.nasa.gov with Microsoft Mail id <2F378343@msmtp-out.jsc.nasa.gov>; Tue, 07 Feb 95 08:27:15 cst From: "McMullen, Michael K." To: greatcircle Subject: X anyone ? 
Date: Tue, 07 Feb 95 08:21:00 cst Message-Id: <2F378343@msmtp-out.jsc.nasa.gov> Encoding: 19 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Greetings, Lord knows that there are a variety of opinions. I'm looking for more information about X in general (how it works and vulnerabilities), then more specific information about X proxies across ANS+CORE's Interlock 3.0. How vulnerable or safe is it ? If you are an expert or novice, any thoughts on the matter will be appreciated. Thanks, Mike M. K. McMullen IPSO/DC 713/244-5432 mmcmulle@gp801.jsc.nasa.gov "better to try something and fail, than to try nothing and succeed" From firewalls-owner Tue Feb 7 10:23:44 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA24264 for firewalls-outgoing; Tue, 7 Feb 1995 09:59:06 -0800 Received: from netcom3.netcom.com (bbosen@netcom3.netcom.com [192.100.81.103]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA24259 for ; Tue, 7 Feb 1995 09:59:03 -0800 Received: by netcom3.netcom.com (8.6.9/Netcom) id JAA12917; Tue, 7 Feb 1995 09:55:40 -0800 Date: Tue, 7 Feb 1995 09:55:40 -0800 (PST) From: Bob Bosen Subject: Re: Clear text passwords To: "Anh-Huy (Steve) T. Ton" cc: firewalls@greatcircle.com In-Reply-To: <9502032242.AA01470@kelly.ic.shell.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 3 Feb 1995, Anh-Huy (Steve) T. Ton wrote: > > If I set up a firewall between my company & the Internet & allow ftp > & telnet access out, is there any way I can prevent the passwords from > ftp & telnet from being sent out across the Internet in clear text? > I think not, but I thought I'd ask anyway. > > Also can anyone point me to a testsuite so that I can test my firewall > in my "testlab"? > > .............................................................................. > . Anh-Huy (Steve) T. 
Ton Shell Oil Company . > . Network Systems Projects 1500 O.S.T., Rm. 2P18I . > . E-mail : ton@shell.com Houston, TX 77054 . > . Skypage : 1(800)SKY-GRAM, PIN : 8841224 (713)245-2636 . > .............................................................................. > Steve: Yes, in most cases you can eliminate or at least "front-end" your replayable passwords with non-replayable ones. In a networked, client/server orientation this would mean you would have to deploy some software and/or hardware around your network as follows: Authentication Manager: You'd need at least one of these for each network. This is where your administrator would "live", adding in new users, deleting old users, etc. Authentication Servers: There are several popular network authentication protocols that set the rules by which network equipment can ask for help when it's time to identify a user. You would need at least one Authentication Server per network, for each of the authentication protocols you decide to support. Authentication Clients: You'd need one of these for each network data path leading into your sensitive applications. Often these are contained within your routers or comm servers, but you can deploy them inside individual hosts or workstations too. These must be built to support the same authentication protocols as the Authentication Servers you choose to deploy. Authenticators: One per user. These might be "super-smart cards", "cryptocalculators", printed one-time password "scratchoff lists", or "soft token" software that issues one-time passwords. As a general rule, lots of authentication clients are already available free of charge (already in your comms equipment), or else you can obtain public-domain source code to roll your own. Widespread availability of clients is very important, since you will probably deploy many more clients than servers. Also, you may be able to obtain other components free of charge too. 
Some vendors (such as my company) charge you for one or more components and then try to make life easy for you by allowing you to obtain the remaining components free of charge. In our case, we always charge for the management core components and we can usually help you locate everything else free of charge. Authenticators are available from many different sources; some are free, others are quite expensive. You can learn a lot about this stuff by examining our anonymous ftp archives. See the pointer in my signature below. Regards, Bob Bosen Enigma Logic Inc. 2151 Salvio St. #301 Concord, CA 94520 USA Tel: +1 510 827-5707 Internet: bbosen@netcom.com anonymous ftp archives: ftp.netcom.com /pub/bb/bbosen/Enigma read.me ************************************************************************** * "It wasn't me!!! Somebody must have captured my username/password!!!" * **************************************************************************

From firewalls-owner Tue Feb 7 12:19:57 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA25465 for firewalls-outgoing; Tue, 7 Feb 1995 11:55:25 -0800 Received: from atc.boeing.com (atc.boeing.com [130.42.28.80]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA25460 for ; Tue, 7 Feb 1995 11:55:21 -0800 Received: by atc.boeing.com (5.57) id AA26238; Tue, 7 Feb 95 11:57:44 -0800 Received: from baker (baker.ds.boeing.com) by splinter.boeing.com with SMTP (1.37.109.14/16.2) id AA137246756; Tue, 7 Feb 1995 11:52:36 -0800 Received: by baker.ds.boeing.com (4.1/SMI-4.1) id AA06849; Tue, 7 Feb 95 11:51:10 PST Date: Tue, 7 Feb 95 11:51:10 PST From: garys@baker.ds.boeing.com (Gary Stoneburner) Message-Id: <9502071951.AA06849@baker.ds.boeing.com> To: firewalls@greatcircle.com Subject: Which OS for a Firewall? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Some discussion has taken place on which operating system is best in implementing a firewall.
I'd suggest sidetracking the question completely. We've decided to port an SMTP filter on top of the trusted kernel and minimal file-system of our high-assurance router (NCSC evaluated at class A1). The router provides IP-address/TCP-port filtering and the email filter receives, filters, and forwards mail, eliminating a through TCP connection for email. This certainly doesn't solve all problems, but does provide some firewall functionality without the potential holes in a typical OS-based installation. Gary Gary R. Stoneburner Boeing Computer Services PHONE: 206-865-5603 P.O. Box 24346, MS 7L-15 FAX: 206-865-6903 Seattle, WA 98124-0346 EMAIL: garys@baker.ds.boeing.com The opinions represented herein are not necessarily those of Boeing.

From firewalls-owner Tue Feb 7 14:01:39 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA26867 for firewalls-outgoing; Tue, 7 Feb 1995 13:46:51 -0800 Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA26862 for ; Tue, 7 Feb 1995 13:46:46 -0800 Received: (from fc@localhost) by all.net (8.6.9/8.6.9) id QAA17439 for firewalls@greatcircle.com; Tue, 7 Feb 1995 16:42:15 -0500 From: "Dr. Frederick B. Cohen" Message-Id: <199502072142.QAA17439@all.net> Subject: scan results To: firewalls@greatcircle.com Date: Tue, 7 Feb 1995 16:42:13 -0500 (EST) X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 693 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am interested in finding out some things about the results of scans done using all.net by those in this forum. Any answers would be welcomed:
1) Did the service detect anything you did not expect?
2) Was the range of tests interesting enough to warrant keeping the service?
3) Is the service genuinely helpful or just a waste of time?
4) Did your defense detect the attempted attacks/defend against them?
Thank you in advance for your replies.
Also, I would like to note that of several thousand scans performed over the last few days, only 20 or so failed to be delivered to the tester because of mail failures. I have no idea of how successful the scans were at detecting holes. FC

From firewalls-owner Tue Feb 7 14:49:19 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA27594 for firewalls-outgoing; Tue, 7 Feb 1995 14:21:26 -0800 Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA27589 for ; Tue, 7 Feb 1995 14:21:23 -0800 Received: from smtpgate.gannett.com by relay1.UU.NET with SMTP id QQyccn08896; Tue, 7 Feb 1995 17:18:59 -0500 Received: by smtpgate.gannett.com with Microsoft Mail id <2F381C0B@smtpgate.gannett.com>; Tue, 07 Feb 95 17:19:07 PST From: "Robertson, Paul" To: firewalls@GreatCircle.COM Subject: Proxy NFS code? Date: Tue, 07 Feb 95 17:15:00 PST Message-ID: <2F381C0B@smtpgate.gannett.com> Encoding: 11 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi all, I'm looking for code for a proxy NFS agent that will allow me to pass it via TCP. I'm in agreement with the discussion of it in Cheswick & Bellovin, but don't have time to hack up the Linux code, esp. since this is (as usual) one of those "need it yesterday" kinds of things. If someone has the proxy stuff available for FTP, I'd appreciate a pointer. Paul D.
Robertson proberts@moc1.gannett.com

From firewalls-owner Tue Feb 7 15:24:24 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA28155 for firewalls-outgoing; Tue, 7 Feb 1995 14:51:00 -0800 Received: from Smrtstr.smartstar.com (smrtstr.smartstar.com [192.135.139.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA28150 for ; Tue, 7 Feb 1995 14:50:54 -0800 From: dennis@smartstar.com Received: from marlin.smartstar.com by Smrtstr.smartstar.com (4.1/SMI-4.1(Smrtstr)) id AA01416; Tue, 7 Feb 95 14:46:56 PST Received: by marlin.smartstar.com (5.57/Ultrix3.0-C) id AA16888; Tue, 7 Feb 95 14:46:52 -0800 Message-Id: <9502072246.AA16888@marlin.smartstar.com> To: "Dr. Frederick B. Cohen" Cc: firewalls@greatcircle.com, dennis@smartstar.com Subject: Re: scan results In-Reply-To: Your message of "Tue, 07 Feb 95 16:42:13 EST." <199502072142.QAA17439@all.net> Date: Tue, 07 Feb 95 14:46:50 -0800 X-Mts: smtp Sender: firewalls-owner@GreatCircle.COM Precedence: bulk My apologies, but I got carried away with the delete button and nuked the original offer. I would like to scan my system. Unfortunately, I do not have the details to go about using ISS (?) from your site. I'm hoping to use the results to justify more of my time being dedicated to security. Thus far the allocation has been very limited.
Thanks, Dennis

From firewalls-owner Tue Feb 7 17:24:09 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA00787 for firewalls-outgoing; Tue, 7 Feb 1995 17:02:24 -0800 Received: from gateway.morgan.com (gateway.morgan.com [138.20.30.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA00781 for ; Tue, 7 Feb 1995 17:02:21 -0800 Received: from exadm1.morgan.com ([199.89.81.4]) by gateway.morgan.com with SMTP id <41413>; Tue, 7 Feb 1995 20:00:24 -0500 Received: from exit111.morgan.com by exadm1.morgan.com (5.65c/IDA-sendmail/cf.hub v1.29) id AA07240; Tue, 7 Feb 1995 20:00:13 -0500 Received: by exit111.morgan.com (5.65c/IDA-sendmail/cf.host v1.26) id AA03278; Tue, 7 Feb 1995 20:00:12 -0500 Date: Tue, 7 Feb 1995 20:00:12 -0500 From: boyanzhu@morgan.com (Mike Boyanzhu) Message-Id: <9502072000.ZM3276@morgan.com> In-Reply-To: ches@plan9.research.att.com "" (Feb 3, 9:27am) References: <199502031429.GAA10782@mycroft.GreatCircle.COM> X-Mailer: Z-Mail (3.2.0 06sep94) To: firewalls@greatcircle.com Subject: Packet filters and port ranges Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Some commercial and public domain packet filters allow one to specify port ranges, as opposed to "eq", "gt", etc. statements. It's a great feature to use with multi-socket server programs, the ones that listen on multiple ports at the same time. It may also be helpful in further limiting the allowed ranges of ephemeral "random" ports.

A regular statement "gt 1023" implies range 1023-65535. But many TCP stacks do not cover the entire range. Some cover 1023-5000, some 32768-65535, on some of them it is a tunable parameter, etc...

Question: Did anyone attempt to collect the info about the precise ranges TCP/IP stack vendors use for ephemeral ports?
Thank you, ------------------------------------------- Mike Boyanzhu, Senior Network Administrator Security Group, Morgan Stanley, NYC, USA (212)703-6272 boyanzhu@morgan.com From firewalls-owner Tue Feb 7 17:49:26 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA01140 for firewalls-outgoing; Tue, 7 Feb 1995 17:40:39 -0800 Received: from orsun.saic.com (root@orsun.SAIC.COM [139.121.81.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id RAA01135 for ; Tue, 7 Feb 1995 17:40:36 -0800 Received: from tusk.sgt.com (sargent@tusk.SGT.COM [204.107.130.104]) by orsun.saic.com (8.6.9/8.6.9) with ESMTP id UAA07463; Tue, 7 Feb 1995 20:38:47 -0500 Received: (sargent@localhost) by tusk.sgt.com (8.6.9/8.6.9) id UAA02603; Tue, 7 Feb 1995 20:38:54 -0500 Date: Tue, 7 Feb 1995 20:38:54 -0500 From: Robert Sargent Message-Id: <199502080138.UAA02603@tusk.sgt.com> To: boyanzhu@morgan.com Subject: Re: Packet filters and port ranges Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Mike, u rote: > Some commercial and public domain packet filters allow one > to specify port ranges, as opposed to "eq" "gt" etc. statements I realize this doesn't address your question, but... Doesn't a gt statement followed by a lt statement equal a range? 
Regards- Robert

From firewalls-owner Wed Feb 8 03:19:11 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id CAA05511 for firewalls-outgoing; Wed, 8 Feb 1995 02:49:04 -0800 Received: from relay.puug.pt (relay.puug.pt [193.126.4.65]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id CAA05505 for ; Wed, 8 Feb 1995 02:48:48 -0800 Received: from q950.bvl.pt by relay.puug.pt with UUCP id AA23259 (5.67a/IDA-1.5 for firewalls@greatcircle.com); Wed, 8 Feb 1995 11:46:51 +0100 Received: from q950 (q950.bvl.pt) by jessica.bvl.pt with SMTP id AA12894 (5.65c/IDA-1.4.4 for ); Wed, 8 Feb 1995 11:21:10 GMT Message-Id: <199502081121.AA12894@jessica.bvl.pt> Date: 8 Feb 1995 11:27:33 +0000 From: "Antonio Vasconcelos" Subject: Address translation To: "FireWalls Mailing List" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I need to know if there is some firewall software for unix that over the firewall stuff does some addr translation for me. It goes like this:

internal network (PRIVATE addresses) ---| firewall |----[router/filter]------<<>> external network (OFFICIAL addresses)

When a user from the internal net is telneting or ftping to an outside host it must present a legal address from our official class C network, not the stuff we use inside; the reverse must be done too in order to receive the replies. So, the firewall must do: first the filtering stuff, then it must rebuild the packet in order to change (eg) 192.168.129.1 to 194.104.35.45, and do the reverse ONLY if the incoming packet is a reply. There will be a one-to-one relation between the official addresses and the private addresses. I've never seen this kind of software, but I'm sure it must exist. Thanks in advance...
NOTE: This is my first posting to this mailing list, and I'm using a gateway from Microsoft Mail (Macintosh) to SMTP, if you see something wrong like strange chars or invalid From: lines, please let me know to vasco@bvl.pt. -- Vasco

From firewalls-owner Wed Feb 8 06:20:02 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA06640 for firewalls-outgoing; Wed, 8 Feb 1995 06:06:49 -0800 Received: from uu5.psi.com (uu5.psi.com [38.145.226.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA06635 for ; Wed, 8 Feb 1995 06:06:46 -0800 Received: from [199.98.139.100] by uu5.psi.com (5.65b/4.0.071791-PSI/PSINet) via SMTP; id AA06810 for firewalls@greatcircle.com; Wed, 8 Feb 95 09:04:57 -0500 Received: from cc:Mail by imcsmtpgty.imcinc.com id AA792262964 Wed, 08 Feb 95 09:02:44 EDT Date: Wed, 08 Feb 95 09:02:44 EDT From: GMurad@imcsmtpgty.imcinc.com (Murad, Greg) Encoding: 357 Text Message-Id: <9501087922.AA792262964@imcsmtpgty.imcinc.com> To: firewalls@greatcircle.com Subject: Set up Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I was wondering if anyone has any suggestions on creating the least expensive firewall. I can dedicate a 486DX 66 MHz w/8 MB RAM for this task. If anyone can refer me to a third party vendor or a simple how-to on configuring the machine I would certainly appreciate it.
Thank You greg gmurad@imcinc.com

From firewalls-owner Wed Feb 8 06:48:31 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA06684 for firewalls-outgoing; Wed, 8 Feb 1995 06:11:24 -0800 Received: from ns.dknet.dk (ns.dknet.dk [193.88.44.42]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA06679 for ; Wed, 8 Feb 1995 06:11:18 -0800 From: bjm@f-and-l.dk Received: from smtp.f-and-l.dk by ns.dknet.dk with SMTP id AA09994 (5.65c8/IDA-1.4.4j for ); Wed, 8 Feb 1995 15:08:29 +0100 Received: from cc:Mail by smtp.f-and-l.dk id AA792285063; Wed, 08 Feb 95 15:10:50 CET Date: Wed, 08 Feb 95 15:10:50 CET Encoding: 27 Text Message-Id: <9501087922.AA792285063@smtp.f-and-l.dk> To: firewalls@greatcircle.com Subject: RDBMS and firewalls X-Charset: ASCII X-Char-Esc: 29 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I have a question concerning the use of client RDBMS applications in conjunction with firewalls. I want the client to sit on the "dirty" side and the server to sit on the "clean" side of the firewall. The RDBMS could be based upon Oracle, Sybase, Ingres or Informix, and the information we are going to store in the database is sensitive personal information which is not supposed to be published. Is there a general solution for such a scenario, and should data encryption between the client and the server be recommended? Any comments and suggestions are welcome, thanks.
Bjoern Mose F&L ___ ___ | Bjoern Mose, Consultant, M.Sc., Fischer & Lorenz \ \ | Direct Phone: + 45 39 47 07 27 \ \ | Internet : bjm@f-and-l.dk ___ ___ ___ | X.400 : G=Bjoern; S=Mose; \ \ \ | O=Fischer and Lorenz; P=F+L; \ \ \ | A=DK400; C=DK

From firewalls-owner Wed Feb 8 06:58:41 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA06960 for firewalls-outgoing; Wed, 8 Feb 1995 06:42:13 -0800 Received: from gatekeeper.ddp.state.me.us (gatekeeper.ddp.state.me.us [141.114.130.70]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA06955 for ; Wed, 8 Feb 1995 06:42:09 -0800 Received: from localhost by gatekeeper.ddp.state.me.us (8.6.5/1.37) id JAA03404; Wed, 8 Feb 1995 09:36:48 -0500 Date: Wed, 8 Feb 1995 09:36:48 -0500 (EST) From: David Miller Subject: IP spoofing To: firewalls@greatcircle.com Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk If I take the following steps:
1. Filter in screening router to drop source route packets
2. Filter in screening router to drop packets with internal addresses arriving on external ports.
3. Filter in screening router to drop packets with source address of 127.0.0.* arriving on external port
4. Modify daemons to make SYN numbers very difficult to guess
Am I still subject to IP address spoofing? Under what conditions? Note I am not trusting DNS services not to be subverted, just asking about IP addresses. Thanks in advance, David Miller ---------------------------------------------------------------------------- It's *amazing* what one can accomplish when one doesn't know what one can't do!
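Steps 1-3 of the list above, as an added example that is not code from the post or from any router vendor: a Python screening function that parses a raw IPv4 header, walks its option list for LSRR/SSRR source routes, and drops internal-source and 127.0.0.* packets arriving on the external interface. The internal block 10.0.0.0/8, the interface names and the sample packets are assumptions constructed for the example; step 4 (hard-to-guess initial sequence numbers) is a host TCP-stack change and is not modelled.

```python
"""Screening-router ingress checks for steps 1-3 (added example, not from the post).

Parses a raw IPv4 header (constructed inline, not captured traffic) and applies:
rule 1 drop source-routed packets; rule 2 drop internal source addresses
arriving on the external interface; rule 3 drop 127.0.0.* sources there too.
"""
import ipaddress
import struct

# Assumed internal address block (constructed for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# "127.0.0.*" from the post, expressed as a prefix.
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/24")

# IPv4 option type codes (RFC 791): end of list, no-op, loose and strict source route.
OPT_END, OPT_NOP, OPT_LSRR, OPT_SSRR = 0, 1, 131, 137


def parse_ipv4(raw: bytes) -> dict:
    """Unpack the fixed 20-byte header and return addresses plus option bytes."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    fields = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = fields[0] >> 4, fields[0] & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError("not a valid IPv4 header")
    hdr_len = ihl * 4          # a header longer than 20 bytes carries options
    if len(raw) < hdr_len:
        raise ValueError("truncated IPv4 options")
    return {
        "src": ipaddress.ip_address(fields[8]),
        "dst": ipaddress.ip_address(fields[9]),
        "options": raw[20:hdr_len],
    }


def has_source_route(options: bytes) -> bool:
    """Walk the option list; True if an LSRR or SSRR option is present."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == OPT_END:
            return False
        if kind == OPT_NOP:
            i += 1
            continue
        if kind in (OPT_LSRR, OPT_SSRR):
            return True
        # Every other option is TLV; a length below 2 would loop forever.
        if i + 1 >= len(options) or options[i + 1] < 2:
            raise ValueError("malformed IP option")
        i += options[i + 1]
    return False


def screen(raw: bytes, iface: str) -> tuple:
    """Apply rules 1-3 to one packet; returns ("drop" | "pass", reason)."""
    try:
        pkt = parse_ipv4(raw)
        source_routed = has_source_route(pkt["options"])
    except ValueError as exc:
        return "drop", f"malformed: {exc}"
    # Rule 1: source-routed packets are dropped on every interface.
    if source_routed:
        return "drop", "rule 1: source-routed packet"
    if iface == "external":
        # Rule 2: an internal source address cannot legitimately come from outside.
        if any(pkt["src"] in net for net in INTERNAL_NETS):
            return "drop", "rule 2: internal source on external interface"
        # Rule 3: loopback sources never belong on the wire.
        if pkt["src"] in LOOPBACK_NET:
            return "drop", "rule 3: loopback source on external interface"
    return "pass", "ok"


def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Construct a minimal IPv4 header for testing (checksum left as zero)."""
    options += b"\x00" * (-len(options) % 4)   # pad option list to 32-bit words
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                        ipaddress.ip_address(src).packed,
                        ipaddress.ip_address(dst).packed)
    return fixed + options


# Constructed sample packets: (raw header, interface they arrived on).
SAMPLES = {
    "normal": (build_ipv4("198.51.100.7", "10.1.2.3"), "external"),
    # LSRR option: type 131, length 7, pointer 4, one hop 192.0.2.1
    "lsrr": (build_ipv4("198.51.100.7", "10.1.2.3",
                        bytes([OPT_LSRR, 7, 4, 192, 0, 2, 1])), "external"),
    "spoofed_internal": (build_ipv4("10.9.9.9", "10.1.2.3"), "external"),
    "loopback": (build_ipv4("127.0.0.1", "10.1.2.3"), "external"),
    "internal_side": (build_ipv4("10.9.9.9", "198.51.100.7"), "internal"),
}


def run_samples() -> dict:
    """Verdict ("drop"/"pass") for each sample packet."""
    return {name: screen(raw, iface)[0] for name, (raw, iface) in SAMPLES.items()}
```

The option walk rejects a malformed TLV rather than skipping it, so a truncated or zero-length option is dropped instead of being passed as "no source route found".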
From firewalls-owner Wed Feb 8 07:19:25 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA07463 for firewalls-outgoing; Wed, 8 Feb 1995 07:09:21 -0800 Received: from znanost.mz.hr (znanost.mz.hr [161.53.4.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA07424 for ; Wed, 8 Feb 1995 07:07:30 -0800 Received: from gaus.mz.hr [161.53.4.50] by znanost.mz.hr (8.6.9/Ultrix 4.2A) id QAA23204; Wed, 8 Feb 1995 16:03:49 +0100 Date: Wed, 8 Feb 1995 16:03:08 CET From: Damir Rajnovic Subject: Where to find TNI (Red Book) To: firewalls@greatcircle.com Message-ID: Priority: Normal MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello to all, Sorry about this post but.... Can someone tell me where I can find the Red Book, but in a PostScript version? I looked at various places but I found only a TXT version. Cordially Gaus

From firewalls-owner Wed Feb 8 07:31:20 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA07339 for firewalls-outgoing; Wed, 8 Feb 1995 07:00:27 -0800 Received: from relay2.pipex.net (pp@relay2.pipex.net [158.43.128.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA07334 for ; Wed, 8 Feb 1995 07:00:22 -0800 Received: from gate.nwwl.co.uk by pipe.pipex.net with SMTP (PP); Wed, 8 Feb 1995 14:58:30 +0000 Received: by nwwl.co.uk (AIX 3.2/UCB 5.64/4.03) id AA20881; Wed, 8 Feb 1995 14:53:36 GMT Posted-Date: Wed, 8 Feb 95 14:55:16 +0000 Received: from pr005252a(158.41.127.81) by gate.nwwl.co.uk via smap (V1.3mjr) id sma022671; Wed Feb 8 14:53:05 1995 Received: from by mailgate.nwwl.co.uk (AIX 3.2/UCB 5.64/4.03) id AA15940; Wed, 8 Feb 1995 14:55:36 GMT X-Openmail-Hops: 1 Date: Wed, 8 Feb 95 14:55:16 +0000 Message-Id: Subject: Web proxy From: Gresley-Jones_Ian/Internet_admin@nwwl.co.uk To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi folks, Yet another question from a
lurker which may have been covered previously, but I'd like an up-to-date opinion from people with more experience than myself. I've been able to restrict Internet access from our users quite severely (compared to many installations) up to now and hence had less of a nightmare configuring and maintaining a firewall. However at last the cries have started ringing out as was inevitable ..... "Please can we have Web access - we really need it for blah blah reasons woffle blah business justification blah..."

Having steered clear of the http-gw part of fwtk when I used other bits, and not having investigated CERN httpd etc, I wondered if you experts could possibly guide me in my ignorance. I only want to allow internal users use of Web client programs, I'm not intending to set up a Web server (though I'm interested if anyone cares to comment on the best ways to do so). My firewall is a filtering-router and bastion host on a boundary net type with fwtk and SOCKS proxies in use already. What do people think is the most secure way to allow client access? I guess http-gw on the bastion, with any Web client on internal machines but I may be wrong. Is configuring a httpd server straddling the firewall a sensible option (I doubt it)?

Are there any security concerns with Web clients? I'm sure I read something about the possibility of executing arbitrary commands on a machine running a Web program but can't remember if this was a client or a server. Do Mosaic or Netscape or any other client front-ends have any known security holes? Is there a particularly secure client program I can use? (no way to get shell access or execute a command remotely)

Any opinions please mail me direct, especially if the subject matter has been discussed thoroughly in the past, and I'll be sure to mail a summary to the list (It was very noisy of late wasn't it!). Thanks in advance Ian.
======================================================================== Ian Gresley-Jones | Lurkers don't need disclaimers, we're just Security Consultant | 'opinionally challenged'. :-D Protek. or: ========================================================================

From firewalls-owner Wed Feb 8 07:47:20 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA07193 for firewalls-outgoing; Wed, 8 Feb 1995 06:53:38 -0800 Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA07181 for ; Wed, 8 Feb 1995 06:53:33 -0800 Message-Id: <199502081453.GAA07181@miles.greatcircle.com> Received: by cheops.anu.edu.au (1.38.193.3/16.2) id AA16997; Thu, 9 Feb 95 01:51:25 +1100 From: Darren Reed Subject: IP Packet Filter for SunOS 4.1.x To: firewalls@greatcircle.com Date: Thu, 9 Feb 1995 01:51:25 +1100 (EDT) X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 2169 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk If you're running SunOS 4.1.1 through to 4.1.3_U1, need packet filtering and don't have a router spare, then this might be what you're looking for. I haven't yet tested it on SunOS 4.1.4, but this is on my list of things to do before semester starts.

The most recent version of a packet filter I've written for SunOS 4.1 is now available from coombs.anu.edu.au:/pub/net/kernel/ip_fil2.4.tar.Z. With help from Mark Huber, I think I've pretty much ironed out all the bugs which were annoying me at the time of the last announcement (that being the logging wasn't 100%).

Why would you be interested in this?
If you have a multihomed Sun server/workstation (2 or more ethernet interfaces) which performs routing and wonder how you are meant to stop the problem with IP headers being forged with no router to help you, then this package will allow you to set up packet filters for each interface, much like those which can be set up in Ciscos and others.

Packets going in or out can be filtered. They can just be logged, blocked or passed. You can filter on any combination of TCP flags, the various ICMP types as well as the standard variations on IP# source-destination pairs (with variable netmasks) and source-destination ports for TCP and UDP. Packets with non-standard IP header lengths (such as those with source routing information inside) can be selected apart from standard packets. There is no need to worry about fragments as only complete IP packets are examined.

Even if your workstation isn't multihomed, you may wish to use this packet filter in conjunction with PPP or SLIP (if it works as a server for one of these protocols). Or you may wish to use it on a standalone workstation, to isolate yourself from "bad hosts" or networks.

This package contains no object files, only source code. You will need to compile and install a custom kernel (with loadable kernel modules enabled) to take advantage of this package.

If you find any bugs or would like to make a suggestion regarding this package, please do not hesitate to email me. I'd like to ensure that this product reaches a fairly high standard quickly, if possible.
Cheers, Darren

From firewalls-owner Wed Feb 8 12:21:43 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA11552 for firewalls-outgoing; Wed, 8 Feb 1995 12:11:53 -0800 Received: from srs.gov (bubba.srs.gov [192.33.240.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA11547 for ; Wed, 8 Feb 1995 12:11:47 -0800 Received: by srs.gov id AA07384 (InterLock SMTP Gateway 1.1 for firewalls@greatcircle.com); Wed, 8 Feb 1995 15:09:51 -0500 Received: by srs.gov (Internal Mail Agent-2); Wed, 8 Feb 1995 15:09:51 -0500 Received: by srs.gov (Internal Mail Agent-1); Wed, 8 Feb 1995 15:09:51 -0500 Alternate-Recipient: prohibited Disclose-Recipients: prohibited Date: Wed, 08 Feb 1995 15:03:00 -0400 (EDT) From: "RANDY E. CROLLEY" Subject: mailing list To: firewalls@greatcircle.com Message-Id: <01HMT7MEZKQ8001F6L@mr.srs.gov> X-Envelope-To: firewalls@greatcircle.com Mime-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Content-Transfer-Encoding: 7BIT Posting-Date: Wed, 08 Feb 1995 15:05:00 -0400 (EDT) Importance: normal Priority: normal A1-Type: MAIL Hop-Count: 2 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Please put me on the mailing list.
From firewalls-owner Wed Feb 8 14:36:41 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA12598 for firewalls-outgoing; Wed, 8 Feb 1995 13:54:59 -0800 Received: from ax.ibase.org.br (uuboemia@ax.ibase.br [192.153.88.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA28145 for ; Mon, 6 Feb 1995 07:53:35 -0800 Received: (from uuboemia@localhost) by ax.ibase.org.br (8.6.9/Revision: 1.180 ) id NAA24762 for Firewalls@greatcircle.com; Mon, 6 Feb 1995 13:48:20 -0200 From: Nelson Murilo To: bernd@pfm.pfm-mainz.de, Firewalls@greatcircle.com Subject: http-Proxy-Server (binaries/sources) Cc: nelson@boemia.pix.com.br X-Mailer: ScoMail 1.0 Date: Mon, 6 Feb 1995 10:56:35 -0400 (BRA) Message-ID: <9502061056.aa04893@boemia.pix.com.br> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
|> Hi,
|>
|> we need a http-Proxy Server -as Source or binary for Solaris 4.1 (SunOS)
|> or SCO ODT 3.0 - I hope someone here can help us....
|>
|>
|> --
|> bernd@pfm.PFM-Mainz.DE ...on perseus.PFM-Mainz.DE with Eudora 1.4
|> Eibenweg 4 D-55128 Mainz | Tel.: 06131/362779 | Fax.: 06131/366894
|>
|>
If you have Mosaic, Lynx, etc, try www.cern.ch. - For CERN server. For NCSA server, try anonymous ftp to ftp.ncsa.uiuc.edu, where you will also find Mosaic. Nelson Murilo Nelson%boemia@ibase.br Nelsonix@guarany.cpd.unb.br

From firewalls-owner Wed Feb 8 14:56:39 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA13789 for firewalls-outgoing; Wed, 8 Feb 1995 14:27:41 -0800 Received: from nebula (fastlane.net [204.155.144.84]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA12509 for ; Sun, 5 Feb 1995 18:36:28 -0800 Received: (from root@localhost) by nebula (8.6.8/8.6.6) id UAA10344 for firewalls; Sun, 5 Feb 1995 20:49:28 -0600 Date: Sun, 5 Feb 1995 20:49:28 -0600 From: "Jeffrey D.
LaCoursiere XXX" Message-Id: <199502060249.UAA10344@nebula> To: firewalls@nebula Subject: tn3270 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have been given the task of proxying this app through our firewall. I seem to remember discussions about the toolkit telnet proxy being used for this purpose... is this correct? The destination is a single machine on the other side. Any thoughts on the use of the plugboard proxy instead? Thanks for insight, Jeff LaCoursiere FastLane Communications, Inc.

From firewalls-owner Wed Feb 8 14:58:43 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA12612 for firewalls-outgoing; Wed, 8 Feb 1995 13:55:34 -0800 Received: from schoolnet.carleton.ca (schoolnet.carleton.ca [134.117.55.17]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA12606 for ; Wed, 8 Feb 1995 13:55:29 -0800 Received: by schoolnet.carleton.ca (8.6.9/SMI-4.0) id QAA28202; Wed, 8 Feb 1995 16:52:58 -0500 From: mshaver@schoolnet.carleton.ca (Mike Shaver) Message-Id: <199502082152.QAA28202@schoolnet.carleton.ca> Subject: Dual login for internal/external nets To: firewalls@greatcircle.com Date: Wed, 8 Feb 1995 16:52:58 -0500 (EST) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 8bit Content-Length: 951 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk OK, it's time for another hypothetical situation... If I had a user community that was 100% dead set against any sort of one-time passwords, since they do lots and lots of logins every day over an internal net, and yet they occasionally do logins from remote (confusing enough... it's my fault), would the following scenario work?
1) Router on the link to the outside world, dropping all spoofed packets (src = (internal-net, loopback, 192.whatever, etc.).
2) A telnetd which ran either a normal, reusable password login if the connection was coming from an internal net, or an S/Key-type login if the connection was coming from an external net.
The modification to telnetd seems trivial, and it would mean the best of both worlds: they get their one password for day-to-day use, and I get the no-reusable-passwords-over-the-net peace of mind. I'm certain that it couldn't be this simple, but I can't see anything wrong with it. Comments? Mike

From firewalls-owner Wed Feb 8 15:18:14 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA12806 for firewalls-outgoing; Wed, 8 Feb 1995 13:58:27 -0800 Received: from nta.nta.com (root@NTA.COM [198.51.166.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA23383 for ; Tue, 7 Feb 1995 08:02:58 -0800 Received: by nta.nta.com with smtp id m0rbsL4-0005FnC; Tue, 7 Feb 95 08:00 PST Received: by nta.com (4.1/SMI-4.1) id AA20144; Tue, 7 Feb 95 08:00:12 PST Date: Tue, 7 Feb 1995 08:00:09 -0800 (PST) From: Bob_Gerrish_ex459 X-Sender: u-rpg@nta1 To: firewalls@GreatCircle.COM Subject: Anonymous.posting Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Help! I don't know if this is the right place to ask, but since 2/3rds of my email postings yesterday were to this group, I'll post this here. I just received a message from anon.penet.fi and I never sent a message via their anonymous service. The only email I sent yesterday were responses to two postings to this mailing list and an email reply to someone on the rec.scouting newsgroup. The replies to this group were one to X1.COM which was bounced back to me because of a routing problem on their end, but the cc came to the list. The second one was an email reply regarding Linux as a firewall to someone at CEIM-S--CDC.mail.usace.army.mil which apparently goes through pso49.pso.usace.army.mil as a mail exchanger.
Both messages were sent around 8 AM PST and the message from anon.penet.fi was received around 11 AM PST. The third post was an email reply to a newsgroup posting that was sent at 9:26 AM PST. It was cross-posted to rec.scouting and comp.periphs.
> Date: Mon, 6 Feb 95 20:02:49 +0200
> From: System Daemon
> To: bobg@nta.com
> Subject: Anonymous code name allocated.
>
> You have sent a message using the anonymous contact service.
[snip]
> If you want to use a nickname, please send a message to
> nick@anon.penet.fi, with a Subject: field containing your nickname.
>
> For instructions, send a message to help@anon.penet.fi.
What would cause the anonymous service to post this to me if I didn't use it? Is this caused by using the cc: in some way or could it be some cross-posting on the newsgroups? I would imagine that it would be possible for someone to send anonymous messages and spoof my name and FQDN, but what would the purpose be? Has anyone else had this sort of thing happen? Thanks, Bob Gerrish - bobg@nta.com

From firewalls-owner Wed Feb 8 15:22:16 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA12792 for firewalls-outgoing; Wed, 8 Feb 1995 13:58:20 -0800 Received: from iss.net (root@iss.net [198.79.48.60]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA23003 for ; Tue, 7 Feb 1995 07:27:27 -0800 Received: (from cklaus@localhost) by iss.net (8.6.9/8.6.9) id KAA10351 for firewalls@greatcircle.com; Tue, 7 Feb 1995 10:36:57 -0800 From: Christopher Klaus Message-Id: <199502071836.KAA10351@iss.net> Subject: IP Seq Vendor Update To: firewalls@greatcircle.com Date: Tue, 7 Feb 1995 10:36:56 +1494730 (PST) X-Mailer: ELM [version 2.4 PL20] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 895 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At least 2 vendors I know of are planning on coming out with patches for TCP Sequence spoofing. It helps, but it won't help secure your whole net, if only 2 types of Unix machines can be patched and the rest are open to attack. And I hope everyone realizes that it only takes one insecure machine on the net to easily compromise the rest of your network. You still may want to contact your own Unix vendors and see if they plan on coming out with patches. Maybe if they see enough interest, they will devote some resources to fixing a 10-year-old security problem. PS. Infoworld (Jan 30th, Page 78, 85) last week had an article on comparing various Internet server machines and Firewalls. Cheers, Christopher -- Christopher William Klaus Voice: (404)441-2531. Fax: (404)441-2431 Internet Security Systems, Inc.
Computer Security Consulting 2000 Miller Court West, Norcross, GA 30071 From firewalls-owner Wed Feb 8 15:49:33 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA15778 for firewalls-outgoing; Wed, 8 Feb 1995 15:35:35 -0800 Received: from miriworld.its.unimelb.edu.au (miriworld.its.unimelb.EDU.AU [128.250.20.187]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA15773 for ; Wed, 8 Feb 1995 15:35:26 -0800 Received: (from danny@localhost) by miriworld.its.unimelb.edu.au (8.6.9/8.6.9) id KAA03175; Thu, 9 Feb 1995 10:31:54 +1100 Date: Thu, 9 Feb 1995 10:31:53 +1100 (EST) From: "Daniel O'Callaghan" Subject: Re: Web proxy To: Gresley-Jones_Ian/Internet_admin@nwwl.co.uk cc: firewalls@GreatCircle.COM In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 8 Feb 1995 Gresley-Jones_Ian/Internet_admin@nwwl.co.uk wrote: > I only want to allow internal users use of Web client programs, I'm not > intending to set up a Web server (though I'm interested if anyone cares > to comment on the best ways to do so). My firewall is a filtering-router > and bastion host on a boundary net type with fwtk and SOCKS proxies in > use already. What do people think is the most secure way to allow > client access? I guess http-gw on the bastion, with any Web client on > internal machines but I may be wrong. Is configuring a httpd server > straddling the firewall a sensible option (I doubt it)? Netscape and Mosaic support SOCKS. 
Danny From firewalls-owner Wed Feb 8 16:06:17 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA15799 for firewalls-outgoing; Wed, 8 Feb 1995 15:35:54 -0800 Received: from miriworld.its.unimelb.edu.au (miriworld.its.unimelb.EDU.AU [128.250.20.187]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA15789 for ; Wed, 8 Feb 1995 15:35:47 -0800 Received: (from danny@localhost) by miriworld.its.unimelb.edu.au (8.6.9/8.6.9) id KAA03211; Thu, 9 Feb 1995 10:34:11 +1100 Date: Thu, 9 Feb 1995 10:34:10 +1100 (EST) From: "Daniel O'Callaghan" Subject: Re: http-Proxy-Server (binaries/sources) To: Nelson Murilo cc: bernd@pfm.pfm-mainz.de, Firewalls@GreatCircle.COM, nelson@boemia.pix.com.br In-Reply-To: <9502061056.aa04893@boemia.pix.com.br> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 6 Feb 1995, Nelson Murilo wrote: > > |> we need a http-Proxy Server -as Source or binary for Solaris 4.1 (SunOS) > |> or SCO ODT 3.0 - I hope someone here can help us.... > |> -- > |> bernd@pfm.PFM-Mainz.DE ...on perseus.PFM-Mainz.DE with Eudora 1.4 > |> Eibenweg 4 D-55128 Mainz | Tel.: 06131/362779 | Fax.: 06131/366894 > > If you have Mosaic, Lynx, etc, try www.cern.ch. - For CERN server. The new ftp name is ftp.w3.org > For NCSA server, try ftp anomnymous in ftp.ncsa.uiuc.edu, where you > find too Mosaic. NCSA httpd does not proxy. Also, read http://morse.colorado.edu/~wessels/Proxy/ a Masters thesis on a new proxy server for http. 
Danny From firewalls-owner Wed Feb 8 16:19:47 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA16900 for firewalls-outgoing; Wed, 8 Feb 1995 16:15:45 -0800 Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA16895 for ; Wed, 8 Feb 1995 16:15:40 -0800 Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.28.1 #5) id m0rcMW1-0000fwC; Wed, 8 Feb 95 16:13 PST Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA13706; Wed, 8 Feb 1995 16:14:03 +0800 Date: Wed, 8 Feb 1995 16:14:03 +0800 From: patrick@oes.amdahl.com (Patrick Horgan) Message-Id: <9502090014.AA13706@brittany.oes.amdahl.com> To: firewalls@GreatCircle.COM, BobG@nta.com Subject: Re: Anonymous.posting X-Sun-Charset: US-ASCII content-length: 792 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk If you reply to an anonymous mail or usenet posting you automatically get an anonymous account. Patrick These opinions are mine, and not Amdahl's (except by coincidence;). ~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~ / | | (\ \ | Patrick J. Horgan | Amdahl Corporation | \\ Have | | patrick@oes.amdahl.com | 1250 East Arques Avenue | \\ _ Sword | | Phone : (408)992-2779 | P.O. 
Box 3470 M/S 316 | \\/ Will | | FAX : (408)773-0833 | Sunnyvale, CA 94088-3470 | _/\\ Travel | \ | O16-2294 | \) / ~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~ From firewalls-owner Wed Feb 8 16:19:51 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA15495 for firewalls-outgoing; Wed, 8 Feb 1995 15:26:01 -0800 Received: from Badger.Arnold.Com (Badger.Arnold.Com [192.135.80.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA15489 for ; Wed, 8 Feb 1995 15:25:56 -0800 From: Stephen.L.Arnold@Arnold.Com Received: from Badger.Arnold.Com by Badger.Arnold.Com (PMDF V5.0-0 #7935) id <01HMTC0LND3K8WW56E@Badger.Arnold.Com>; Wed, 08 Feb 1995 17:23:42 -0600 (CST) Date: Wed, 08 Feb 1995 17:18:21 -0600 (CST) Subject: Re: Dual login for internal/external nets In-reply-to: "Your message dated Wed, 08 Feb 1995 16:52:58 -0500 (EST)" <199502082152.QAA28202@schoolnet.carleton.ca> To: mshaver@schoolnet.carleton.ca Cc: firewalls@greatcircle.com, Stephen.L.Arnold@Arnold.Com Message-id: 01HMTCAI7B248WW56E@Badger.Arnold.Com Organization: Arnold Consulting, Inc. MIME-version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > OK, it's time for another hypothetical situation... > > If I had a user community that was 100% dead set against any sort of > one-time passwords, since they do lots and lots of logins every day over an > internal net, and yet they occasionally do logins from remote (confusing > enough... it's my fault), would the following scenario work? > > 1) Router on the link to the outside world, dropping all spoofed packets > (src = (internal-net, loopback, 192.whatever, etc.). > > 2) A telnetd which ran either a normal, reusable password login if the > connection was coming from an internal net, or an S/Key-type login if the > connection was coming from an external net. 
> > The modification to telnetd seems trivial, and it would mean the best of > both worlds: they get their one password for day-to-day use, and I get the > no-reusable-passwords-over-the-net peace of mind. > > I'm certain that it couldn't be this simple, but I can't see anything wrong > with it. > > Comments? > > Mike I'm a very happy user (disclaimer: and reseller!) of a new product that does exactly what you discribe: I use my reusable password when I log in at my station, but on the road I'm coming from outside the "trusted network", and so am forced to use my (SNK-like) Cryptocard token. (SecureID and S-Key are also supported). Unfortunately for most readers of this forum, the product, Secure/IP from TGV, Inc., runs only on OpenVMS! However, since it has the features you want, why not call TGV (+1 408 457 5200, or in the U.S. (800) TGV 3440) and buy the documentation? A quick read will expose many issues you'll want to deal with as you hack telnetd. Regards, "Steve" Stephen L. Arnold, Ph.D., President, Arnold Consulting, Inc. Address 2530 Targhee Street, Madison, Wisconsin 53711-5491 U.S.A. 
Telephone +1 608 278 7700 Facsimile +1 608 278 7701 Internet Stephen.L.Arnold@Arnold.Com Pager (800) 351 8927 From firewalls-owner Wed Feb 8 16:38:14 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA16672 for firewalls-outgoing; Wed, 8 Feb 1995 16:03:22 -0800 Received: from giga.bga.com (giga.bga.com [198.3.118.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA16667 for ; Wed, 8 Feb 1995 16:03:19 -0800 Received: from ftp.unisql.com (ftp.unisql.com [204.69.130.12]) by giga.bga.com (8.6.9/8.6.9) with SMTP id SAA25761 for ; Wed, 8 Feb 1995 18:01:33 -0600 Received: by ftp.unisql.com (4.1/SMI-4.1) id AA08283; Wed, 8 Feb 95 18:02:37 CST Received: from unisql.unisql.com(198.133.138.10) by ftp.unisql.com via smap (V1.3) id sma008281; Wed Feb 8 18:02:16 1995 Received: from rambler.unisql.com by unisql.unisql.com (4.1/SMI-4.1) id AA19707; Wed, 8 Feb 95 18:00:41 CST From: wrat@unisql.unisql.com (Louis Marco) Received: by rambler.unisql.com (4.1/client-1.2) id AA02752; Wed, 8 Feb 95 18:00:40 CST Message-Id: <9502090000.AA02752@rambler.unisql.com> Subject: 8 bit rlogins To: firewalls-digest@GreatCircle.COM Date: Wed, 8 Feb 1995 18:00:40 -0600 (CST) In-Reply-To: <199501270900.BAA24694@miles.greatcircle.com> from "firewalls-digest-owner@GreatCircle.COM" at Jan 27, 95 01:00:11 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 522 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk My users demand dial-up ability to internal hosts. So I put 6 Qblazers on a Netblazer and created a login that routes them to tn-gw on the firewall. But that isn't good enough. They all want to use kermit, which fails over a telnet connection. So I need to get an 8 bit rlogin, i.e., rlogin -8. If I read the code correctly rlogin-gw should be an 8 bit connection (unlike rlogind, which appears to be 7 bit by default). Is this correct? Can I use a simple rlogin-gw instead of exec'ing rlogin -8 ? 
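The dual-login scheme from Mike Shaver's question and Steve Arnold's reply above, as an added example that is not code from the thread, from FWTK's netacl or tcpwrappers, or from any product named here: a source-address gate that routes internal peers to the reusable password and everyone else to a one-time password, with a Lamport hash chain standing in for S/Key (S/Key uses a folded MD4 chain; SHA-256 is used here). The nets, user names and secrets are constructed for the example, and the gate is only as sound as the router's anti-spoofing filter in step 1 of the scheme, which code on the host cannot replace.

```python
"""Added example: address-based choice of login mechanism plus a hash-chain OTP.

Not code from the list thread, FWTK's netacl, tcpwrappers or TGV's product.
Nets, user names and secrets below are constructed for the example; the
one-time password part is a Lamport chain with SHA-256 standing in for the
folded MD4 chain that S/Key uses."""
import hashlib
import ipaddress

# Constructed: the nets the site treats as "inside".  Trusting them is only
# sound if the border router drops packets that claim an internal source
# (Mike's step 1); this gate cannot tell a spoofed packet from a real one.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.1.0/24")]


def login_method(peer_ip, internal_nets=INTERNAL_NETS):
    """'reusable' for loopback and internal peers, 'otp' for every other address."""
    addr = ipaddress.ip_address(peer_ip)
    if addr.is_loopback or any(addr in net for net in internal_nets):
        return "reusable"
    return "otp"


def _h(data):
    return hashlib.sha256(data).digest()


def otp_chain(secret, seed, k):
    """h^k(secret || seed): the client's k-th one-time password."""
    x = _h(secret + seed)
    for _ in range(k - 1):
        x = _h(x)
    return x


class OtpServer:
    """Stores h^n per user and only ever accepts the preimage of what it holds."""

    def __init__(self):
        self.users = {}  # user -> (seed, n, h^n)

    def enroll(self, user, seed, n, top):
        self.users[user] = (seed, n, top)

    def challenge(self, user):
        seed, n, _ = self.users[user]
        return seed, n - 1  # "give me element n-1 of the chain for this seed"

    def verify(self, user, response):
        seed, n, top = self.users[user]
        if n <= 1 or not isinstance(response, bytes):
            return False    # chain exhausted (re-enroll) or malformed input
        if _h(response) != top:
            return False
        # Ratchet: the accepted value becomes the new top, so a captured
        # response is useless after it has been used once.
        self.users[user] = (seed, n - 1, response)
        return True


def authenticate(server, peer_ip, user, credential, reusable_ok):
    """Mechanism is chosen by where the connection comes from, as in Mike's
    telnetd idea; reusable_ok(user, credential) is the site's normal password
    check, passed in as a callable."""
    if login_method(peer_ip) == "reusable":
        return reusable_ok(user, credential)
    return server.verify(user, credential)
```

The ratchet in `verify` is what buys the "no reusable passwords over the net" property: a response sniffed on the external path only ever matches the chain element the server has already consumed. Padgett's point later in the thread still stands, since a second hop from the telnetd host to any other internal machine is outside what this check covers.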
From firewalls-owner Wed Feb 8 16:49:19 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA17556 for firewalls-outgoing; Wed, 8 Feb 1995 16:38:17 -0800 Received: from schoolnet.carleton.ca (schoolnet.carleton.ca [134.117.55.17]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA17551 for ; Wed, 8 Feb 1995 16:38:12 -0800 Received: by schoolnet.carleton.ca (8.6.9/SMI-4.0) id TAA03222; Wed, 8 Feb 1995 19:35:31 -0500 From: mshaver@schoolnet.carleton.ca (Mike Shaver) Message-Id: <199502090035.TAA03222@schoolnet.carleton.ca> Subject: Re: Dual login for internal/external nets To: blast@worldbit.com (Tim Keanini) Date: Wed, 8 Feb 1995 19:35:31 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: from "Tim Keanini" at Feb 8, 95 03:29:50 pm MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 8bit Content-Length: 568 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Tim Keanini mumbled something vague about: > >Comments? > > Would it be too much to ask for the user community to use two ports? > You pick um and then one telnetd would be S/key'ed and the other passwd'ed? Yeah, that's workable, but I'd rather not even give the travelling user the option of using a reusable password. If I do it your way, then they could still do a "telnet foo.bar.com" and get to the reusable daemon. (Of course, since I've discovered the "netacl" from FWTK, I think I'll look at that. If nothing else, I can rip off *good* source. 
=) ) Mike From firewalls-owner Wed Feb 8 17:19:19 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA18341 for firewalls-outgoing; Wed, 8 Feb 1995 17:11:32 -0800 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA18336 for ; Wed, 8 Feb 1995 17:11:28 -0800 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA16631; Wed, 8 Feb 95 20:05:22 -0500 Date: Wed, 8 Feb 95 20:05:22 -0500 Message-Id: <9502090105.AA16631@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: Anon Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Patrick rites: >If you reply to an anonymous mail or usenet posting you automatically get >an anonymous account. So I guess the question is "What happens if ANON receives a REPLY with someone else's REPLY TO:. Does it try to correlate the RECEIVED: FROM ? or even keep a record of the REPLYing header ?" Somehow I doubt that it is anything so rigorous but I do not know. Warmly, Padgett From firewalls-owner Wed Feb 8 18:06:18 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA18405 for firewalls-outgoing; Wed, 8 Feb 1995 17:18:10 -0800 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA18400 for ; Wed, 8 Feb 1995 17:18:06 -0800 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA16664; Wed, 8 Feb 95 20:10:53 -0500 Date: Wed, 8 Feb 95 20:10:52 -0500 Message-Id: <9502090110.AA16664@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. 
Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: Kermit (was 8 bit logins) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > My users demand dial-up ability to internal hosts. >So I put 6 Qblazers on a Netblazer and created a login that >routes them to tn-gw on the firewall. But that isn't good >enough. They all want to use kermit, which fails over a telnet >connection. So I need to get an 8 bit rlogin, i.e., rlogin -8. Huh, I haven't had any trouble with the latest MS-DOS Kermit though Dr. Joe had to help with a Multics machine. The TCP/IP TELNET support seems to work just fine as long as you do not try to TELNET 25 though was a bit arcane to configure. Will say that for DOS I prefer the NCSA Telnet though. Might want to check what version your users have. (3.13 is current ? Haven't looked lately). Warmly, Padgett From firewalls-owner Wed Feb 8 18:09:56 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA18085 for firewalls-outgoing; Wed, 8 Feb 1995 16:59:02 -0800 Received: from can02.pge.com (can02.pge.com [130.19.4.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA18080 for ; Wed, 8 Feb 1995 16:58:56 -0800 Received: from dns01.pge.com by can02.pge.com (4.1/SMI-4.1) id AA22343; Wed, 8 Feb 95 17:05:27 PST Received: from dns02.comp.pge.com by dns01.pge.com (4.1/SMI-4.1) id AA27739; Wed, 8 Feb 95 17:21:51 PST Received: from nms01.comp.pge.com by dns02.comp.pge.com (4.1/SMI-4.1) id AA26116; Wed, 8 Feb 95 16:54:39 PST Received: by nms01.comp.pge.com (4.1/SMI-4.1) id AA00567; Wed, 8 Feb 95 16:54:38 PST Date: Wed, 8 Feb 95 16:54:38 PST From: abc2@nms01.comp.pge.com (ALAN B. CONLEY) Message-Id: <9502090054.AA00567@nms01.comp.pge.com> To: firewalls@GreatCircle.COM Subject: Anon FTP Cc: abc2@nms01.pge.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We have been using an anonymous FTP server for the last couple of years on our internel network. 
We'd like to set one up for access via the Internet, for both incoming and outgoing traffic. We have a good idea of the architecture, but I'm looking for specific suggestions for ftp servers. I've heard that wuftpd is good for large sites. Are there any particular packages which are more secure than others? Recommendations? Pointers to latest versions would also be appreciated. Alan Conley abc2@pge.com From firewalls-owner Wed Feb 8 18:23:23 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA18193 for firewalls-outgoing; Wed, 8 Feb 1995 17:02:28 -0800 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA18188 for ; Wed, 8 Feb 1995 17:02:24 -0800 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA16591; Wed, 8 Feb 95 19:55:17 -0500 Date: Wed, 8 Feb 95 19:55:17 -0500 Message-Id: <9502090055.AA16591@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: Dual login Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Mike rites: >If I had a user community that was 100% dead set against any sort of >one-time passwords, since they do lots and lots of logins every day over an >internal net, and yet they occasionally do logins from remote (confusing >enough... it's my fault), would the following scenario work? >2) A telnetd which ran either a normal, reusable password login if the >connection was coming from an internal net, or an S/Key-type login if the >connection was coming from an external net. Nothing wrong with it so long as the router is properly protected and you are only worried about intruders logging in, not that they might intercept your traffic. The trouble you get into is that to go from the telnetd node to any other node, they will still be sending a cleartext login/password. 
However, if they will accept S/Key, why not a token such as Enigma-Logic, Security Dynamics, or Secure Computing ? Or even a software OTP ? Much easier to use. Warmly, Padgett From firewalls-owner Wed Feb 8 18:49:17 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA20161 for firewalls-outgoing; Wed, 8 Feb 1995 18:37:26 -0800 Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA20154 for ; Wed, 8 Feb 1995 18:37:23 -0800 Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.9/8.6.9) id UAA17078; Wed, 8 Feb 1995 20:30:13 -0600 Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma017076; Wed Feb 8 20:30:13 1995 Received: from ignatz (ignatz.bridge.com) by ignatz.bridge.com with SMTP id AA09055 (5.67b/IDA-1.5); Wed, 8 Feb 1995 20:37:05 -0600 Date: Wed, 8 Feb 1995 20:37:04 -0600 (CST) From: Ken Hardy X-Sender: ken@ignatz To: Louis Marco Cc: firewalls-digest@greatcircle.com Subject: Re: 8 bit rlogins In-Reply-To: <9502090000.AA02752@rambler.unisql.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 8 Feb 1995, Louis Marco wrote: > enough. They all want to use kermit, which fails over a telnet > connection. So I need to get an 8 bit rlogin, i.e., rlogin -8. Isn't kermit supposed to be the least-common-denominator of file transfer protocols? I think it should work on a 7-bit connection, at least if it is configured right. (I wouldn't want to use it, though. Even at 8 bits.) 
- KH From firewalls-owner Wed Feb 8 19:21:34 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA20616 for firewalls-outgoing; Wed, 8 Feb 1995 18:56:33 -0800 Received: from motgate.mot.com (motgate.mot.com [129.188.136.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA20603 for ; Wed, 8 Feb 1995 18:56:29 -0800 Received: from pobox.mot.com by motgate.mot.com with SMTP (5.67b/IDA-1.4.4/MOT-3.1 for ) id AA25141; Wed, 8 Feb 1995 20:54:11 -0600 Received: from mdd.comm.mot.com (mdisea.mdd.comm.mot.com) by pobox.mot.com with SMTP (5.67b/IDA-1.4.4/MOT-3.1 for ) id AA20174; Wed, 8 Feb 1995 20:54:09 -0600 Received: from dragon.mdd.comm.mot.com by mdd.comm.mot.com (4.1/SMI-4.1) id AA14760; Wed, 8 Feb 95 18:54:07 PST Received: from sun11k.mdd.comm.mot.com by dragon.mdd.comm.mot.com (4.1/SMI-4.1) id AA24472; Wed, 8 Feb 95 18:54:06 PST Date: Wed, 8 Feb 95 18:54:06 PST From: dhami@mdd.comm.mot.com (Mandeep S Dhami) Message-Id: <9502090254.AA24472@dragon.mdd.comm.mot.com> Received: by sun11k.mdd.comm.mot.com (4.1/SMI-4.1) id AA18330; Wed, 8 Feb 95 18:54:04 PST To: Firewalls@greatcircle.com Subject: Anonymous IDs Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi Bob, The same thing happened to me right after I posted an article on firewall list. I requested for more information from postmaster at the anonymous site. In his/her response (seemed like a canned message to me), the following reasons were mentioned: 1) Reply to an anNUMBER@anon.penet.fi 2) anNUMBER@anon.penet.fi is subscribing to the same mailing list 3) Someone is faking you and sends e-mail and/or posts as though coming from your e-mail address. I think (2) was the reason ... the fix would be (by the same mail) ... > Please, tell the owner of the list you subscribe to change the > subsciption of the anon person from anNUMBER@anon.penet.fi to > naNUMBER@anon.penet.fi. 
Hope that helps, Mandeep ------------------------------------------------------------------------------ From firewalls-owner Wed Feb 8 19:51:05 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA21223 for firewalls-outgoing; Wed, 8 Feb 1995 19:17:03 -0800 Received: from jaring.my (jaring.my [192.228.128.20]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id TAA21218 for ; Wed, 8 Feb 1995 19:16:55 -0800 Received: from ms.mimos.my by jaring.my with SMTP id AA13627 (5.67a/IDA-1.5 for ); Thu, 9 Feb 1995 11:14:55 +0800 Received: by ms.mimos.my (5.64/7.0) id AA23158; Thu, 9 Feb 95 11:14:39 +0800 Date: Thu, 9 Feb 1995 11:13:33 +0800 (MYT) From: LEE Hooi Teck Subject: Re: Anonymous.posting To: Bob_Gerrish_ex459 Cc: firewalls@greatcircle.com In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Yes, I received the same thing. I am curios how this can happen. _______________________________________________________________ | LEE Hooi Teck email: teck@mimos.my | | fax: 603-2531898 | | MIMOS | | Malaysian Institute of Microelectronic Systems | | Misnistry of Science and The Environment | | Malaysia | |_____________________________________________________________| On Tue, 7 Feb 1995, Bob_Gerrish_ex459 wrote: > Date: Tue, 7 Feb 1995 08:00:09 -0800 (PST) > From: Bob_Gerrish_ex459 > To: firewalls@greatcircle.com > Subject: Anonymous.posting > > Help! I don't know if this is the right place to ask, but since 2/3rds > of my email postings yesterday were to this group, I'll post this here. > > I just received a message from anon.penet.fi and I never sent a > message via their anonymous service. The only email I sent yesterday > were responses to two postings to this mailing list and an email reply to > someone on the rec.scouting newsgroup. 
The replys to this group were > one to X1.COM which was bounced back to me because of a routing problem > on their end, but the cc came to the list. The second one was a email > reply regarding Linux as a firewall to someone at > CEIM-S--CDC.mail.usace.army.mil which appearantly goes through > pso49.pso.usace.army.mil as a mail exchanger. Both messages were sent > around 8 AM PST and the message from anon.penet.fi was received > around 11 AM PST. > > The third post was an email replay was to a newsgroup posting that was > sent at 9:26 AM PST. It was cross posted to rec.scouting and comp.periphs. > > > Date: Mon, 6 Feb 95 20:02:49 +0200 > > From: System Daemon > > To: bobg@nta.com > > Subject: Anonymous code name allocated. > > > > You have sent a message using the anonymous contact service. > [snip] > > If you want to use a nickname, please send a message to > > nick@anon.penet.fi, with a Subject: field containing your nickname. > > > > For instructions, send a message to help@anon.penet.fi. > > What would cause the anonymous service to post this to me if I didn't use > it? Is this caused by using the cc: in some way or could it be some > cross posting on the newsgroups? > > I would imagine that it would be possible for someone to send > anonymous messages and spoof my name and FQDN, but what would the purpose > be? Has anyone else had this sort of thing happen? 
> > Thanks, Bob Gerrish - bobg@nta.com > From firewalls-owner Wed Feb 8 20:49:27 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA22736 for firewalls-outgoing; Wed, 8 Feb 1995 20:31:38 -0800 Received: from schoolnet.carleton.ca (schoolnet.carleton.ca [134.117.55.17]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id UAA22731 for ; Wed, 8 Feb 1995 20:31:35 -0800 Received: by schoolnet.carleton.ca (8.6.9/SMI-4.0) id XAA08634; Wed, 8 Feb 1995 23:29:04 -0500 From: mshaver@schoolnet.carleton.ca (Mike Shaver) Message-Id: <199502090429.XAA08634@schoolnet.carleton.ca> Subject: Re: Dual login To: firewalls@greatcircle.com Date: Wed, 8 Feb 1995 23:29:03 -0500 (EST) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 8bit Content-Length: 1817 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk A. Padgett Peterson, P.E. Information Security mumbled something vague about: > Mike rites: > >If I had a user community that was 100% dead set against any sort of > >one-time passwords, since they do lots and lots of logins every day over an > >internal net, and yet they occasionally do logins from remote (confusing > >enough... it's my fault), would the following scenario work? > > >2) A telnetd which ran either a normal, reusable password login if the > >connection was coming from an internal net, or an S/Key-type login if the > >connection was coming from an external net. > > Nothing wrong with it so long as the router is properly protected > and you are only worried about intruders logging in, not that they > might intercept your traffic. Actaully, the next step in that would be to have a modified S/Key type thing which used the response as the key for an encrypted telnet. This is assuming, of course, that the site they're at would have this client, but for long-term contracts, it could probably be arranged. 
> The trouble you get into is that to go from the telnetd node to any other node, > they will still be sending a cleartext login/password. Yeah, that's true. I realize that our internal net will be totally insecure once someone gets that far, but I'm trying to at least minimize damage. We only have one Un*x server right now anyway, so if they want to send the cleartext passwords for their PC-ftp stuff, that's Not My Problem. > However, if they will accept S/Key, why not a token such as Enigma-Logic, > Security Dynamics, or Secure Computing ? Or even a software OTP ? Much easier > to use. I was just using S/Key as an example. I don't really care what mechanism it uses, as long as it's some sort of OTP scheme. And it was sort of a theoretical thing anyway... =) Mike From firewalls-owner Thu Feb 9 09:51:40 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA00698 for firewalls-outgoing; Thu, 9 Feb 1995 09:10:49 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA00673 for ; Thu, 9 Feb 1995 09:10:40 -0800 Received: from gate3.fmr.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id JAA28945; Thu, 9 Feb 1995 09:04:41 -0800 Received: (from adm@localhost) by gate3.fmr.com (8.6.9/8.6.9) id KAA07453 for ; Thu, 9 Feb 1995 10:22:18 -0500 Message-Id: <199502091522.KAA07453@gate3.fmr.com> Received: from mbsb01.fmr.com(155.1.75.10) by gate3 via smap (V1.3mjr) id sma007447; Thu Feb 9 15:22:17 1995 Date: Thu, 09 Feb 1995 10:23:40 -0500 From: Joe Judge Subject: Re: Dual login for internal/external nets To: firewalls@greatcircle.com Content-transfer-encoding: 7BIT X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Wouldn't the tcpwrappers also do this? (they're a netacl type daemon front-end). -joe > Tim Keanini mumbled something vague about: > > >Comments? 
> > > > Would it be too much to ask for the user community to use two ports? > > You pick um and then one telnetd would be S/key'ed and the other passwd'ed? > > Yeah, that's workable, but I'd rather not even give the travelling user the > option of using a reusable password. If I do it your way, then they could > still do a "telnet foo.bar.com" and get to the reusable daemon. > > (Of course, since I've discovered the "netacl" from FWTK, I think I'll look > at that. If nothing else, I can rip off *good* source. =) ) > > Mike From firewalls-owner Thu Feb 9 10:40:43 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA00669 for firewalls-outgoing; Thu, 9 Feb 1995 09:10:39 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA00619 for ; Thu, 9 Feb 1995 09:10:22 -0800 Received: from ns1.maf.mobile.al.us by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id JAA28933; Thu, 9 Feb 1995 09:04:21 -0800 Received: by ns1.maf.mobile.al.us (5.0/SMI-SVR4) id AA01732; Thu, 9 Feb 1995 08:54:46 +0600 Date: Thu, 9 Feb 1995 08:54:46 -0600 (CST) From: Chuck Dean X-Sender: cdean@ns1 To: Firewalls@GreatCircle.COM Subject: Lotus Notes and Firewalls Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII content-length: 0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Comming out of deep lurk..... Our site is preparing to attach to the internet through a local Freenet. We are currently evaluating firewall solutions and determining the services we want to provide to our users and to users of the Freenet (as information providers). We are also moving toward the implementation of Lotus Notes on our network for internal email, data warehousing and document storage. After hereing about several new Lotus products that intergrate with the internet, I downloaded the Lotus Internet Cookbook. 
In this document they mention the possibliity of using notes as the firewall. Lotus currently has smtp to notesmail translation and nntp to notes database translation and will soon provide www authoring and browsing through notes. Could anyone with experience with notes comment on notes security vis a vi the internet. Any recomendations for firewall setup with notes a part of the picture? Chuck Dean Mobile Gas Service Corporation Mobile, Al From firewalls-owner Thu Feb 9 10:50:36 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA00660 for firewalls-outgoing; Thu, 9 Feb 1995 09:10:35 -0800 Received: from salmon.maths.tcd.ie (mmdf@salmon.maths.tcd.ie [134.226.81.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA00496 for ; Thu, 9 Feb 1995 09:10:02 -0800 Received: from gosset.maths.tcd.ie by salmon.maths.tcd.ie with SMTP id aa20618; 9 Feb 95 13:51 GMT To: firewalls@greatcircle.com, academic-firewalls@net.tamu.edu Subject: User authentication and restriction in proxy/application gateways Date: Thu, 09 Feb 1995 13:51:03 +0000 From: Alan Judge Message-ID: <9502091351.aa20618@salmon.maths.tcd.ie> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I've been asked by the local computer center people for suggestions to address a possibly unusual problem. In europe, Internet access is very expensive (at least by US standards) and bandwidth is at a premium. The current situation here is that only staff and postgrads have full internet access. The computer people would like both better monitoring of existing usage and to lift restrictions in as flexible a manner as possible, while keeping total usage under control. We can't afford sufficient bandwidth to let everyone run wild. [The other approach to fixing this is to get a pipe so small that we can afford to run it full 20 hours a day; this just makes life hell for everyone.] 
What they would like is a firewall/proxy/gateway that would authenticate users before allowing them remote access to things such as FTP, telnet, WWW, and so on. At the very least, they would like full logging of the amount of traffic and users involved, so that they can do stats and understand where the network load is coming from. These logs would probably also be useful for security and help us prevent our users from causing security problems at other sites. Given a flexible platform, users could even be classified and given differing amounts of access based on who they are; for example, undergrad access could be restricted to offpeak hours, or possibly bandwidth limited. Access to Irish sites could be fairly free but remote sites more limited, and so on. An ftp gateway that caches could be used, as another example. Has anyone out there suggestions as to tools (free or commercial) which would help in this task? I've already told them to get a copy of _Firewalls and Internet Security_. -- Alan From firewalls-owner Thu Feb 9 10:50:52 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA01226 for firewalls-outgoing; Thu, 9 Feb 1995 09:18:37 -0800 Received: from norman.li.Cubic.COM (norman.li.Cubic.COM [149.63.2.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA01213 for ; Thu, 9 Feb 1995 09:18:29 -0800 Received: from localhost (mischler@localhost) by norman.li.Cubic.COM (8.3/8.3) id MAA02207; Thu, 9 Feb 1995 12:06:49 -0500 Date: Thu, 9 Feb 1995 12:06:49 -0500 From: Dave Mischler Message-Id: <199502091706.MAA02207@norman.li.Cubic.COM> To: antonio_vasconcelos@q950.bvl.pt, firewalls@GreatCircle.COM Subject: Re: Address translation Cc: Dave.Mischler@Cubic.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I need to know if there is some firewall software for unix that over > the firewall stuff do some addr translation for me. 
I have software for a dedicated 386-class PC that will perform IP routing with filtering and address translation. Address translation and filtering work fine, but the router is awfully light on routing protocols and O&M features. I am looking for some knowledgeable testers for the parts that are done. This should be considered alpha code at this time.

The package supports IP routing, except that source routing is disabled, and the time stamp option is ignored. Async SLIP and ethernet over a packet driver are the only link layers right now. Demand dial is supported on the async lines, and multiple packet drivers are supported. The package can spit RIP, but doesn't listen to it yet.

My address translation works by monitoring the status of all connections, so it can be used as a "dynamic packet filter". In particular, it is possible to block packets that look like TCP or UDP responses, but don't correspond to a live "connection". FTP control connections are monitored for "PORT" commands, and these commands are translated so that ordinary clients can FTP from the net without problems. It is possible to configure dedicated external addresses for internal machines, or use a single external address for all internal machines, or some of each. There is a configuration mode that supports connection monitoring and filtering without IP address translation, as well.

If you are interested in testing this software please send me private mail telling me how you intend to use the package, and something about your background. I expect to provide some help, but I'm not interested in folks who have never configured any kind of router before, etc.
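The behaviour Dave describes above (a translation table driven by connections seen leaving the inside, inbound packets admitted only when they match a live entry, and PORT commands on FTP control connections rewritten so the server connects back to the translator) as an added sketch in Go. This is example code written for this archive, not Dave's package: the Packet type, the single-external-address mode, the external port range starting at 40000, and the addresses 10.0.0.5 (inside client), 198.51.100.1 (external side) and 203.0.113.9 (remote FTP server) are all constructed for it.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Packet is a cut-down TCP/UDP header plus payload, constructed for this example.
type Packet struct {
	Proto            string // "tcp" or "udp"
	SrcIP, DstIP     string
	SrcPort, DstPort int
	Payload          string
}

type endpoint struct {
	proto, ip string
	port      int
}

// NAT maps inside endpoints onto ports of one external address. Inbound packets
// are forwarded only for mappings created by traffic seen leaving the inside
// (or pre-opened for an FTP data connection): the "dynamic packet filter" idea.
// A real implementation would also key on the remote peer and expire idle entries.
type NAT struct {
	External string
	nextPort int
	outMap   map[endpoint]int // inside endpoint -> external port
	inMap    map[int]endpoint // external port -> inside endpoint
}

func NewNAT(external string) *NAT {
	return &NAT{External: external, nextPort: 40000,
		outMap: map[endpoint]int{}, inMap: map[int]endpoint{}}
}

// bind returns the external port for an inside endpoint, allocating one if needed.
func (n *NAT) bind(inside endpoint) int {
	if p, ok := n.outMap[inside]; ok {
		return p
	}
	p := n.nextPort
	n.nextPort++
	n.outMap[inside] = p
	n.inMap[p] = inside
	return p
}

// Outbound translates a packet leaving the inside network. On an FTP control
// connection the PORT command is rewritten so the server connects back to a
// NAT port rather than to the unreachable private address.
func (n *NAT) Outbound(p Packet) Packet {
	if p.Proto == "tcp" && p.DstPort == 21 {
		p.Payload = n.rewritePort(p.SrcIP, p.Payload)
	}
	p.SrcPort = n.bind(endpoint{p.Proto, p.SrcIP, p.SrcPort})
	p.SrcIP = n.External
	return p
}

// Inbound admits a packet from outside only if its destination port belongs to
// a live mapping of the same protocol; an unsolicited "reply" is dropped.
func (n *NAT) Inbound(p Packet) (Packet, bool) {
	inside, ok := n.inMap[p.DstPort]
	if !ok || inside.proto != p.Proto || p.DstIP != n.External {
		return Packet{}, false
	}
	p.DstIP, p.DstPort = inside.ip, inside.port
	return p, true
}

// rewritePort handles "PORT h1,h2,h3,h4,p1,p2\r\n" from an inside client: it
// pre-opens a mapping for the client's data port and substitutes the external
// address and port. A command naming some other host is passed through unchanged
// (the server cannot reach a private address anyway; a production box would drop it).
func (n *NAT) rewritePort(insideIP, payload string) string {
	const prefix = "PORT "
	if !strings.HasPrefix(payload, prefix) {
		return payload
	}
	fields := strings.Split(strings.TrimSpace(payload[len(prefix):]), ",")
	if len(fields) != 6 {
		return payload
	}
	var v [6]int
	for i, f := range fields {
		x, err := strconv.Atoi(f)
		if err != nil || x < 0 || x > 255 {
			return payload
		}
		v[i] = x
	}
	if fmt.Sprintf("%d.%d.%d.%d", v[0], v[1], v[2], v[3]) != insideIP {
		return payload
	}
	ext := n.bind(endpoint{"tcp", insideIP, v[4]*256 + v[5]})
	return fmt.Sprintf("%s%s,%d,%d\r\n", prefix,
		strings.ReplaceAll(n.External, ".", ","), ext/256, ext%256)
}

func main() {
	nat := NewNAT("198.51.100.1")
	out := nat.Outbound(Packet{"tcp", "10.0.0.5", "203.0.113.9", 1025, 21, "PORT 10,0,0,5,5,0\r\n"})
	fmt.Printf("outbound after translation: %+v\n", out)
	data, ok := nat.Inbound(Packet{"tcp", "203.0.113.9", "198.51.100.1", 20, 40000, ""})
	fmt.Printf("server data connection: %+v admitted=%v\n", data, ok)
	_, ok = nat.Inbound(Packet{"tcp", "203.0.113.9", "198.51.100.1", 80, 45000, ""})
	fmt.Printf("unsolicited inbound admitted=%v\n", ok)
}
```

The data-port mapping is created while the PORT command is still on its way out, which is what lets the server's active-mode connection on port 20 through a translator that otherwise refuses everything it did not see initiated from inside; the same table answers the "looks like a response but matches no connection" case by dropping the packet.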
Dave.Mischler@Cubic.COM

From firewalls-owner Thu Feb 9 10:54:38 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA00815 for firewalls-outgoing; Thu, 9 Feb 1995 09:12:28 -0800 Received: from sg543689.eng.chrysler.com (sg543689.eng.chrysler.com [152.116.1.69]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA00804 for ; Thu, 9 Feb 1995 09:12:22 -0800 Received: from sg5382na.eng.chrysler.com (sg5382na.eng.chrysler.com [152.116.1.30]) by sg543689.eng.chrysler.com (8.6.9/8.6.9) with ESMTP id GAA14116 for ; Thu, 9 Feb 1995 06:34:10 -0500 Received: from clncrdv1.is.chrysler.com ([129.9.241.19]) by sg5382na.eng.chrysler.com (8.6.9/8.6.9) with SMTP id GAA07399 for ; Thu, 9 Feb 1995 06:34:09 -0500 Received: from sg5382na.eng.chrysler.com by clncrdv1.is.chrysler.com (4.1/SMI-4.1) id AB06576; Thu, 9 Feb 95 06:48:30 EST Message-Id: <9502091148.AB06576@clncrdv1.is.chrysler.com> X-Sender: t3125rm@clncrdv1.is.chrysler.com X-Mailer: Windows Eudora Version 2.0.3 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 09 Feb 1995 06:34:01 -0600 To: firewalls@greatcircle.com From: rgm3@is.chrysler.com (Robert Moskowitz) Subject: Using PGP with anonymous FTP Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I have an idea for exchanging information securely across an internet via FTP; it goes as follows. The idea here is a file pull mechanism as exemplified by FTP versus the push mechanism of SMTP.

All players create PGP keys for their transfer systems (located behind firewalls, as needed). A typical grouping of players might be a manufacturer and its suppliers. Thus the keyring could have a few thousand keys in it. All keys would be 1024, but since these are system keys, and not personal ones, I guess that a trust of 3 would be used for the web of trust.

The anonymous server at each sending site would have a directory for each recipient.
When a file needs to be presented to another party, it is encrypted with the recipient's public key and signed with the sender's public key; standard stuff here. But this will be done programmatically, so some gluing is needed for PGP and there is a concern about the program storage of the key phrase for the private key. The file will then be moved to the recipient's directory.

The recipient goes to check for files in their directory; they then GET the file and decrypt it. If the signature is not correct, an error condition needs to be triggered. Again there is the issue of programmatically storing the pass phrase :(.

The basic logic is trivial. The pass phrase storage is not.

Comments? Ideas?

Robert Moskowitz Chrysler Corporation (810) 758-8212

From firewalls-owner Thu Feb 9 10:56:29 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA00709 for firewalls-outgoing; Thu, 9 Feb 1995 09:10:52 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA00686 for ; Thu, 9 Feb 1995 09:10:43 -0800 Received: from gate3.fmr.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id JAA28947; Thu, 9 Feb 1995 09:04:43 -0800 Received: (from adm@localhost) by gate3.fmr.com (8.6.9/8.6.9) id IAA06936 for ; Thu, 9 Feb 1995 08:57:13 -0500 Message-Id: <199502091357.IAA06936@gate3.fmr.com> Received: from mbsb01.fmr.com(155.1.75.10) by gate3 via smap (V1.3mjr) id sma006924; Thu Feb 9 13:56:57 1995 Date: Thu, 09 Feb 1995 08:58:08 -0500 From: Joe Judge Subject: Big company netnews To: firewalls@greatcircle.com Content-transfer-encoding: 7BIT X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Company firewalls that feed NNTP into the company bump into similar issues ... issues that are apart from the technical, security, firewall arena. These are the touchy subjects: policy, censorship, acceptable newsgroups, etc.
I was involved in those things at the last job ... and I know what we did there. Being in the gateway group, I saw those rules/policies in action. I also saw how the folks- who-wish-to-choose-each-newsgroup-for-the-company and the how-netnews-fits-in-the-current-information-flow-of-us matured in this area as their understanding how the (Internet) world works ... and things changed. I'd like to save my company some of this struggle :) **** I'd like to find a couple Information Administrators for companies out there ... and have them relate what works and doesn't to the Information folks in here. In any case, it'd be nice to hear what other companies do in those respects from the firewall folks anyway. **** To put my info in the pot (from my experiences, colored through my eyes): - At PreviousCompany, there were separate gateway and netnews groups. The netnews group was dedicated to the netnews feed and support of netnews reading within the company. - started off feeding in most of the "obvious" choices in the newsgroups comp.* some talk.* not alt.sex.* (too racy), not alt.binaries.* (too big), - the netnews group had a netnews policy (basic philosophy was 'you're representing Company whenever you post, so behave properly') that had escalation procedures for bad behaviour (warning, supervisor warning, ... firing) - an "ad hoc" group gave OK or VETO to proposed netnews additions ... over time that faded away (I think) to a default 'add, unless blatantly scandalous'. Anyone else? 
- joe From firewalls-owner Thu Feb 9 11:17:36 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA01365 for firewalls-outgoing; Thu, 9 Feb 1995 09:22:07 -0800 Received: from wolfe.wimsey.com (root@wolfe.wimsey.com [198.162.16.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA01353 for ; Thu, 9 Feb 1995 09:22:00 -0800 Received: by wolfe.wimsey.com (Smail3.1.28.1 #31) id m0rcV7i-0004iYC; Thu, 9 Feb 95 01:25 PST Received: by ilinx.com (/\oo/\ Smail3.1.29.1 #29.6) id ; Thu, 9 Feb 95 01:12 PST Message-Id: From: brian@ilinx.com (Brian J. Murrell) Subject: Re: Dual login for internal/external nets To: mshaver@schoolnet.carleton.ca (Mike Shaver) Date: Thu, 9 Feb 1995 01:12:11 -0800 (PST) Cc: firewalls@greatcircle.com In-Reply-To: <199502082152.QAA28202@schoolnet.carleton.ca> from "Mike Shaver" at Feb 8, 95 04:52:58 pm X-Phone: '1 604 983 UNIX' Organization: 'InterLinx Support Services, Inc.' X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1820 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk As enscripted by Mike Shaver: > > OK, it's time for another hypothetical situation... > > If I had a user community that was 100% dead set against any sort of > one-time passwords, since they do lots and lots of logins every day over an > internal net, and yet they occasionally do logins from remote (confusing > enough... it's my fault), would the following scenario work? > > 1) Router on the link to the outside world, dropping all spoofed packets > (src = (internal-net, loopback, 192.whatever, etc.). > > 2) A telnetd which ran either a normal, reusable password login if the > connection was coming from an internal net, or an S/Key-type login if the > connection was coming from an external net. What machine would they be logging into from remotely (assuming an untrusted network here)?? 
Are you going to allow packets from the untrusted net to enter your trusted net?? If not, what host will have the telnetd which does an S/Key login if the packet is from an "outside" host?? Just trying to apply your idea to my firewall installations in which we have a screening router and dual-homed bastion host that does not forward packets inside. The only host I can telnet to from the untrusted net is the bastion, but then there is no reason to telnet there (maybe for maintenance) as it has no user accounts. Perhaps, because I'm using a proxy on the bastion and don't want to leak passwords of the internal machines when I use the bastion proxy to spring- board to machines on the inside. b. -- Brian J. Murrell brian@ilinx.com InterLinx Support Services, Inc. brian@wimsey.com North Vancouver, B.C. 604 983 UNIX Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD From firewalls-owner Thu Feb 9 11:33:48 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA01897 for firewalls-outgoing; Thu, 9 Feb 1995 09:33:05 -0800 Received: from relay.Ieunet.ie (relay.Ieunet.ie [192.111.39.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA01881 for ; Thu, 9 Feb 1995 09:32:58 -0800 Received: from erc by relay.Ieunet.ie via Ieunet with UUCP id aa16924; 9 Feb 95 15:27 +0000 Received: by erc.erc.ie (UUPC/extended 1.11z); Thu, 09 Feb 1995 15:44:52 EST From: BERNI@erc.ie Message-ID: <2f3a7ec5.erc@erc.erc.ie> To: firewalls@greatcircle.com Date: 9 Feb 95 15:44:50 Subject: apple macs Priority: normal X-mailer: Pegasus Mail v2.3 (R5). Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Is there any software out there to password protect standalone Apple Macs? This may not be the correct place to ask...but...if anyone knows??? Thanks, Berni Dwan. 
From firewalls-owner Thu Feb 9 12:02:06 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA02845 for firewalls-outgoing; Thu, 9 Feb 1995 09:47:11 -0800 Received: from pobox.cscs.ch (pobox.cscs.ch [148.187.10.13]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA02835 for ; Thu, 9 Feb 1995 09:47:06 -0800 Received: from monte.cscs.ch by pobox.cscs.ch with SMTP inbound id <10667-0@pobox.cscs.ch>; Thu, 9 Feb 1995 11:04:13 +0100 Received: by monte.cscs.ch (4.1) id AA16140; Thu, 9 Feb 95 11:05:15 +0100 Date: Thu, 9 Feb 95 11:05:15 +0100 From: sklett Message-Id: <9502091005.AA16140@monte.cscs.ch> To: firewalls@greatcircle.com Subject: To discuss about network security and firewalls Cc: sklett@cscs.ch Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I search people working in computer centres open to external users, with experience in network security solutions for discuss (eventual meet) network security and firewalls solutions. Main topics: - Access control for external users, - PVM, NQS and other applications - Firewalls performance for highspeed links (ATM). Please e-mails to sklett@cscs.ch. 
Stefano ___ (' ') ---------------------------oOO--(_)--OOo------------------------------------ Stefano Klett phone: +41 91 50 82 15 CSCS (Centro Svizzero di Calcolo Scientifico) fax: +41 91 50 67 11 Via Cantonale e-mail: sklett@cscs.ch CH-6928 Manno (Switzerland) X.400: S=sklett O=cscs P=switch A=arcom C=ch URL: http://www.cscs.ch/ ---------------------------------------------------------------------------- From firewalls-owner Thu Feb 9 12:12:27 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA02991 for firewalls-outgoing; Thu, 9 Feb 1995 09:50:19 -0800 Received: from bwh.harvard.edu (bwh.harvard.edu [134.174.81.34]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA02973 for ; Thu, 9 Feb 1995 09:50:14 -0800 Received: (adam@localhost) by bwh.harvard.edu (8.6.9/8.6.9) id AAA24581; Thu, 9 Feb 1995 00:38:48 -0500 From: Adam Shostack Message-Id: <199502090538.AAA24581@bwh.harvard.edu> X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School Subject: Re: Anon FTP To: abc2@nms01.comp.pge.com (ALAN B. CONLEY) Date: Thu, 9 Feb 1995 00:38:47 -0500 (EST) Cc: firewalls@greatcircle.com (Firewalls mailing list) In-Reply-To: <9502090054.AA00567@nms01.comp.pge.com> from "ALAN B. CONLEY" at Feb 8, 95 04:54:38 pm X-PGP: 876BD629 Fingerprint: 70 93 32 D6 36 D4 04 10 40 EC AB 28 A4 1D 0F E2 X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 900 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Alan Conley wrote: | We have been using an anonymous FTP server for the last couple | of years on our internel network. We'd like to set one up for | access via the Internet, for both incoming and outgoing traffic. | We have a good idea of the architecture, but I'm looking for specific | suggestions for ftp servers. I've heard that wuftpd is good for | large sites. 
|
| Are there any particular packages which are more secure than others?
| Recommendations? Pointers to latest versions would also be appreciated.

I find WU-ftpd to be too big to be trusted. It does all sorts of nifty things, but are all those things well implemented? It also has had (at least) one trojan put into its source.

I think the ftpd in the logdaemon package is pretty good. It's small, logs, and supports S/key.

Adam
-- "It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Thu Feb 9 12:29:50 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA08093 for firewalls-outgoing; Thu, 9 Feb 1995 11:36:57 -0800 Received: from bwh.harvard.edu (bwh.harvard.edu [134.174.81.34]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA08088 for ; Thu, 9 Feb 1995 11:36:53 -0800 Received: from arthur.bwh.harvard.edu (arthur.bwh.harvard.edu [134.174.81.48]) by bwh.harvard.edu (8.6.9/8.6.9) with ESMTP id OAA29875; Thu, 9 Feb 1995 14:34:11 -0500 From: Adam Shostack X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School Received: from localhost (adam@localhost) by arthur.bwh.harvard.edu (8.6.4/8.6.4) id OAA04802; Thu, 9 Feb 1995 14:35:50 -0500 Message-Id: <199502091935.OAA04802@arthur.bwh.harvard.edu> Subject: Re: Using PGP with anonymous FTP To: rgm3@is.chrysler.com (Robert Moskowitz) Date: Thu, 9 Feb 1995 14:35:49 -0500 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: <9502091148.AB06576@clncrdv1.is.chrysler.com> from "Robert Moskowitz" at Feb 9, 95 06:34:01 am X-PGP: 876BD629 Fingerprint: 70 93 32 D6 36 D4 04 10 40 EC AB 28 A4 1D 0F E2 X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 966 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

(Using PGP to automatically decrypt & encrypt files)

Your plan seems to involve storing passphrases on disk somewhere.
In order to do this well, set up a group of machines with no function other than encryption/decryption, and then trust those machines to do the job properly. Make sure each one only takes data signed by an approved party, and then decrypts it, and sends it off somewhere secure.

The reason for doing this on a separate machine is to restrict what that machine does to a base minimum. You are forced to trust things that appear to be coming from that machine, so once you've decrypted, you should sign the data before sending it out.

Also, you should create at least 3 keys-- one to sign outgoing stuff, one to decrypt incoming stuff, and one to sign incoming stuff after decryption. This might not buy you very much at all, but keys are cheap.

Adam
-- "It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Thu Feb 9 12:32:02 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA03889 for firewalls-outgoing; Thu, 9 Feb 1995 10:03:50 -0800 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA03861 for ; Thu, 9 Feb 1995 10:03:43 -0800 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA19239; Thu, 9 Feb 95 09:50:20 -0500 Date: Thu, 9 Feb 95 09:50:20 -0500 Message-Id: <9502091450.AA19239@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: Anon getting flooded ? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>From: UVS1::"daemon@anon.penet.fi" 8-FEB-1995 22:25:48.89
>To: padgett@tccslr.dnet.mmc.com
>CC:
>Subj: Anonymous code name allocated.

>You have sent a message using the anonymous contact service.
>You have been allocated the code name an199742.
>You can be reached anonymously using the address
>an199742@anon.penet.fi.
>If you want to use a nickname, please send a message to >nick@anon.penet.fi, with a Subject: field containing your nickname. >For instructions, send a message to help@anon.penet.fi. Looks like anon is getting fed all of the names someone can find. If I were to make a guess I would say that someone has either put anon's address in a mailserver or set up an autometic FORWARD from another account. Since anon is felt to be compromised and all account names linked to actuals, this may be an attempt by someone to hide through flooding. I have no interest in this service personally, since IMHO the truth is and as has been demonstrated repeatedly, security by obscurity does not work. On the other hand, I wonder if the account numbers were assigned in order, in which case the number would still say antediluvian or postdiluvian. And on the gripping hand, guess this is a good indicator that I haven't had an anon account before 8*). Warmly, Padgett From firewalls-owner Thu Feb 9 12:32:57 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA09338 for firewalls-outgoing; Thu, 9 Feb 1995 12:09:31 -0800 Received: from wintermute.imsi.com (wintermute.imsi.com [192.103.3.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA09332 for ; Thu, 9 Feb 1995 12:09:27 -0800 Received: from relay.imsi.com by wintermute.imsi.com id PAA16387; Thu, 9 Feb 1995 15:07:15 -0500 Received: from lorax.imsi.com by relay.imsi.com id PAA17584; Thu, 9 Feb 1995 15:07:14 -0500 Received: from localhost by lorax.imsi.com (4.1/SMI-4.1) id AA07726; Thu, 9 Feb 95 15:07:13 EST Message-Id: <9502092007.AA07726@lorax.imsi.com> To: rgm3@is.chrysler.com (Robert Moskowitz) Cc: firewalls@greatcircle.com Subject: Re: Using PGP with anonymous FTP In-Reply-To: Your message of "Thu, 09 Feb 1995 06:34:01 CST." 
<9502091148.AB06576@clncrdv1.is.chrysler.com> Reply-To: rens@imsi.com Date: Thu, 09 Feb 1995 15:07:12 -0500 From: Rens Troost Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>>>> "Robert" == Robert Moskowitz writes: Robert> The basic logic is trivial. The pass phrase storage is not. Robert> Comments? Ideas? One drawback is that you need to poll to find out if you have new information waiting, and said polling over ftp is a bit more expensive than stat(2)ing your mailbox. The key (passphrase) management issue is the other problem. -Rens From firewalls-owner Thu Feb 9 12:35:17 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA03913 for firewalls-outgoing; Thu, 9 Feb 1995 10:03:58 -0800 Received: from pegase.total.fr (pegase.total.fr [146.249.41.223]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA03851 for ; Thu, 9 Feb 1995 10:03:34 -0800 Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA27189; Thu, 9 Feb 95 10:31:15 +0100 Received: by tidtest.total.fr (4.1/SMI-4.1) id AA02355; Thu, 9 Feb 95 10:27:42 GMT From: lavondes@tidtest.total.fr (Michel Lavondes) Message-Id: <9502091027.AA02355@tidtest.total.fr> Subject: Re: Anonymous.posting To: bobg@nta.com Date: Thu, 9 Feb 95 10:27:41 GMT Cc: firewalls@greatcircle.com (fw), patrick@oes.amdahl.com Reply-To: lavondes@tidtest.total.fr In-Reply-To: <9502090014.AA13706@brittany.oes.amdahl.com>; from "Patrick Horgan" at Feb 8, 95 4:14 pm X-Mailer: ELM [version 2.3 PL11] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Patrick Horgan wrote : > > If you reply to an anonymous mail or usenet posting you automatically get > an anonymous account. > I had the same problem with anon.penet.fi. Their postmaster tells me that posting or cc-ing to a list with an anon subscriber can cause this, and that a work-around is to change the subscriber's address from anxxxx to naxxxx (which prevents the replies from being made anonymous). 
I forgot the address of firewalls' listmaster, but maybe he could do that, or get in touch with the subscriber (BTW, what's the local policy on anon subscribers ?). An other possibility is mail spoofing (ie, if you didn't send mail, maybe someone did, posing as you.) In that case, you should put a password on your anon account, so the spoofer's attempts will (hopefully) bounce to you. This will not, however, help you find out where the spoofer is. To do that, you would have to work with postmaster@anon.penet.fi. HTH -- Michel Lavondes E-Mail : lavondes@tidtest.total.fr lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected) Tel : +33-1-4135-4198 Fax : +33-1-4135-4189 From firewalls-owner Thu Feb 9 12:50:34 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA05295 for firewalls-outgoing; Thu, 9 Feb 1995 10:26:28 -0800 Received: from inetgate.scitexdpi.com (server.scitexdpi.com [198.140.218.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA05283 for ; Thu, 9 Feb 1995 10:26:05 -0800 Received: by inetgate.scitexdpi.com id AA10852 (5.67b/IDA-1.5 for ); Thu, 9 Feb 1995 13:23:57 -0500 Received: from server.scitexdpi.com(172.16.9.19) by inetgate via smap (V1.3) id sma010850; Thu Feb 9 13:23:47 1995 Received: by server.scitexdpi.com id AA11202 (5.67b/IDA-1.5 for firewalls@greatcircle.com); Thu, 9 Feb 1995 13:23:41 -0500 Date: Thu, 9 Feb 1995 13:23:41 -0500 From: Bob Allison Message-Id: <199502091823.AA11202@server.scitexdpi.com> To: firewalls@greatcircle.com Subject: Firewall Reconfiguration Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Greetings to all! The past few days I have been pondering a proposal I received from management to try to determine the best way to accomplish it; since I have not been very successful on my own, I thought I would get some advise from the experts... 
Our current network configuration:

172.16.x.x                                            198.140.218.x
+---------+
| Main    | Ethernet +----------+ Serial +-------+ PPP
| Network +==========+ Firewall +--------+ Modem +--------> Internet
+---------+          +----------+ Port   +-------+

My management would like to have a WWW/Gopher/anon.ftp/... server for global use. I want to place it on the "outside" of the firewall, which leads me to the following network configuration:

172.16.x.x                                            198.140.218.x
+---------+
| Main    | Ethernet +----------+ Ethernet +---+ ?
| Network +==========+ Firewall +==========+ ? +--------> Internet
+---------+          +----------+    |     +---+
                                     |
                                +----+---+
                                | server |
                                +--------+

My main question is this: What is the best way to connect my "outside" Ethernet to Internet? We are currently using a 14.4Kb modem. It would not be unreasonable to upgrade that link to 56Kb and use some sort of Ethernet WideArea Bridge/Router.

Another piece of information that might help: I have been told that we are going to receive a Cisco router from a different division of our parent company. I am not sure where that piece will fit yet, since I have not had a router before (the firewall does not do routing and the building is a single Ethernet right now).

If anyone can give me some help I would appreciate it. If answers are eMailed directly to me and anyone else has some interest, I'll post a summary of the replies/suggestions I receive.

-- To contact me (in order of decreasing reliability): E-Mail: bob.allison@scitexdpi.com Phone Mail: +1 513 259 3629 (I'm often out helping users) FAX "Mail": +1 513 259 3291 Snail Mail: Bob Allison SCITEX Digital Printing, Inc. 3100 Research Blvd.
Dayton, OH 45420-4099 From firewalls-owner Thu Feb 9 12:56:53 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA04253 for firewalls-outgoing; Thu, 9 Feb 1995 10:09:37 -0800 Received: from schoolnet.carleton.ca (schoolnet.carleton.ca [134.117.55.17]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA04247 for ; Thu, 9 Feb 1995 10:09:33 -0800 Received: by schoolnet.carleton.ca (8.6.9/SMI-4.0) id HAA11645; Thu, 9 Feb 1995 07:03:17 -0500 From: mshaver@schoolnet.carleton.ca (Mike Shaver) Message-Id: <199502091203.HAA11645@schoolnet.carleton.ca> Subject: Re: Dual login To: firewalls@greatcircle.com Date: Thu, 9 Feb 1995 07:03:16 -0500 (EST) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 8bit Content-Length: 640 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Earlier, I wrote, > *Hobbit* mumbled something vague about: > > > > if you use the plaintext response as a key for an encrypted session, what > > have you gained? > > You don't. > The login sends out the challenge, and then the user the enters the response > into the telnet client at the remote end, whilst the server uses the > response for its end of the encryption. > The response is never passed along in cleartext. I tried to respond to this message, but neither the domain specified (avian.org) nor the host itself (narq.avian.org) exist, according to my DNS. And I didn't make myself very clear the last time, I think. 
=) Mike From firewalls-owner Thu Feb 9 12:57:03 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA09581 for firewalls-outgoing; Thu, 9 Feb 1995 12:14:24 -0800 Received: from wintermute.imsi.com (wintermute.imsi.com [192.103.3.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA09569; Thu, 9 Feb 1995 12:14:17 -0800 Received: from relay.imsi.com by wintermute.imsi.com id PAA16404; Thu, 9 Feb 1995 15:12:14 -0500 Received: from lorax.imsi.com by relay.imsi.com id PAA17631; Thu, 9 Feb 1995 15:12:13 -0500 Received: from localhost by lorax.imsi.com (4.1/SMI-4.1) id AA07738; Thu, 9 Feb 95 15:12:13 EST Message-Id: <9502092012.AA07738@lorax.imsi.com> To: Brent@greatcircle.com (Brent Chapman) Cc: rens@imsi.com, Ken Hardy , tpaquett@aec.ca, firewalls@greatcircle.com, bdrennin@plaind.com Subject: Re: CERN httpd vs http-gw In-Reply-To: Your message of "Thu, 09 Feb 1995 14:55:34 EST." Reply-To: rens@imsi.com Date: Thu, 09 Feb 1995 15:12:12 -0500 From: Rens Troost Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>>>> "Brent" == Brent Chapman writes: rens> The best way to configure CERN is to run it on an internal rens> machine, making it's outbound connections with SOCKS or rens> call-compatible socks replacement through the firewall. I rens> would not run it on the bastion. Brent> Why? And are we talking about using it ONLY for proxying Brent> here, not for also serving external users (i.e., surfers from Brent> the Internet)? I'd be very nervous about having an HTTP Brent> server accessed by the outside world live anywhere EXCEPT on Brent> my bastion host. I was speaking of using it only as a proxy for the internal users; I'd typically set up another machine, outside the firewall (or in the outer DMZ on a dual-homed firewall) to serve the outside world. 
The HTTP servers out there nowadays are a bit too large and hard to read through for me to feel comfortable running them on my internet bastion; who knows what dangers lurk within. Your mileage may vary, of course.

-Rens

From firewalls-owner Thu Feb 9 13:16:14 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA06782 for firewalls-outgoing; Thu, 9 Feb 1995 10:59:53 -0800 Received: from eros.britain.eu.net (eros.Britain.EU.net [192.91.199.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA06776 for ; Thu, 9 Feb 1995 10:59:47 -0800 Received: from avenue.finsbury.co.uk by eros.britain.eu.net via UKIP with SMTP (PP) id ; Thu, 9 Feb 1995 18:56:57 +0000 Received: by finsbury.co.uk (4.1/25-eef) id AA02976; Thu, 9 Feb 95 15:34:12 GMT From: Ian Marr Message-Id: <9502091534.AA02976@finsbury.co.uk> Subject: Re: Address translation To: antonio_vasconcelos@q950.bvl.pt (Antonio Vasconcelos) Date: Thu, 9 Feb 1995 15:34:11 +0000 (GMT) Cc: firewalls@greatcircle.com, vasco@bvl.pt In-Reply-To: <199502081121.AA12894@jessica.bvl.pt> from "Antonio Vasconcelos" at Feb 8, 95 11:27:33 am X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 2126 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Antonio Vasconcelos writes:
>
> I need to know if there is some firewall software for unix that over
> the firewall stuff do some addr translation for me.

Maybe ... but believe me, you *DON'T* want to do it. Bite the bullet and renumber your network; if you can't get enough registered addresses then use some from the range reserved in RFC1597.

That said ...

> So, the firewall must do; first the filtering stuff, then it must
> rebuild the packet in order to change (eg) 192.168.129.1 to 194.104.35.45,
> and do the reverse ONLY if the incoming packet is a reply.
> There will be a one-to-one relation between the official addresses and the private addresses.
>
> I've never seen this kind of software, but I'm sure it must exist.

This depends on what you mean by private addresses ... assuming they are 'illegal' unregistered (to you) addresses then, yes, you need an Address Translator. This came up a few months ago and a John Mayes from Network Translation, Inc, pop'd his head over the parapet and said they had developed a product, maybe it works ... I have no idea. Try jcm@translation.com. A company in the UK are also claiming a product that does this, they are: Integralis, try: sales@integralis.co.uk ...

However, IFF by private you mean RFC1597, then you do not have a major problem and can use an Application Proxy based Firewall such as TIS Firewall Toolkit, TIS Gauntlet or ANS Interlock to achieve your requirements.

Ian.

> NOTE: This is my first posting to this mailing list, and I'm using a
> gateway from Microsoft Mail (Macintosh) to SMTP, if you see something wrong
> like strange chars or invalid From: lines, please let me know to
> vasco@bvl.pt.

Only that your lines are longer than 80 chars and wrap in my standard Xterm ... but then maybe I shouldn't be using an 80 char window in this day!
------------------------------------------------------------------------------
Ian Marr
Wingrove, 10 St Georges Road, Sevenoaks, KENT, TN13 3ND, UK
im@finsbury.co.uk   +44-732-453-577

From firewalls-owner Thu Feb 9 13:17:42 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA10555 for firewalls-outgoing; Thu, 9 Feb 1995 12:38:07 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA10550 for ; Thu, 9 Feb 1995 12:38:03 -0800
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA21147; Thu, 9 Feb 95 15:26:47 -0500
Date: Thu, 9 Feb 95 15:26:47 -0500
Message-Id: <9502092026.AA21147@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Using PGP with FTP
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Just a few quick comments for the few who did not notice (how's that for being nice 8*)

>When a file needs to be presented to another party, it is encrypted with the
>recipient's public key and signed with the sender's public key; standard
>stuff here. But this will be done programmatically, so some gluing is
>needed for PGP and there is a concern about the program storage of the key
>phrase for the private key. The file will then be moved to the recipient's
>directory.

Basically sound but the order specified created the ability to track message volume. What you need to do is to *first* sign the message with the sender's *private* key, and then encrypt with the recipient's *public* key. This protects the signature as well as the message. Done the other way around, it could be possible to strip off/examine the signature without disturbing the message.

>The recipient goes to check for files in their directory, they then GET the
>file and decrypt it.

Don't forget to use PASV.
>Again there is the issue of programmatically storing
>the pass phrase :(.

It could be stored on the local site encrypted with each local recipient's public key - they would then be able to retrieve/extract the master key offline if necessary.

Warmly,
Padgett

ps is there any Firewalls poster in the last few days who did *not* get an account message from anon ? Did you already have one ? Was this really an elaborate ruse to find out who did ?

From firewalls-owner Thu Feb 9 13:23:38 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA09224 for firewalls-outgoing; Thu, 9 Feb 1995 12:06:00 -0800
Received: from alv.nada.kth.se (alv.nada.kth.se [130.237.223.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA09201 for ; Thu, 9 Feb 1995 12:05:46 -0800
Received: (from x-frode@localhost) by alv.nada.kth.se (8.6.9/8.6.9) id VAA15263 for Firewalls@GreatCircle.COM; Thu, 9 Feb 1995 21:03:26 +0100
Date: Thu, 9 Feb 1995 21:03:26 +0100
From: Frode Hoem
Message-Id: <199502092003.VAA15263@alv.nada.kth.se>
To: Firewalls@GreatCircle.COM
Subject: http-proxy through SOCKS or not ?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all

Consider a screened-subnet-firewall : On the "DMZ", a bastion host runs SOCKS for telnet access to the outside. I am thinking of running a http-proxy on the "DMZ" too, but I am not sure if I should let the http-proxy run on its own machine or on the bastion.

1 : Is running the http-proxy on the bastion less secure than running it on its own machine ?

2 : If the http-proxy runs alone, should it be SOCKSified and have all its transactions (gopher, ftp, http etc.) go through SOCKS on the bastion ?

3 : Which of these possibilities is the least complicated (most secure) for the router facing the Internet to handle ?

I am also thinking of having an ftp-server on the "DMZ" to which external users access through the http-proxy only.
I thought that would lighten the load on the outside router and make the ftp-server more secure. Am I wrong on this ?

Any thoughts and advice on this is appreciated

/ Frode

From firewalls-owner Thu Feb 9 13:25:04 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA04259 for firewalls-outgoing; Thu, 9 Feb 1995 10:09:50 -0800
Received: from schoolnet.carleton.ca (schoolnet.carleton.ca [134.117.55.17]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA04254 for ; Thu, 9 Feb 1995 10:09:39 -0800
Received: by schoolnet.carleton.ca (8.6.9/SMI-4.0) id HAA11661; Thu, 9 Feb 1995 07:10:35 -0500
From: mshaver@schoolnet.carleton.ca (Mike Shaver)
Message-Id: <199502091210.HAA11661@schoolnet.carleton.ca>
Subject: Re: Dual login for internal/external nets
To: brian@ilinx.com (Brian J. Murrell)
Date: Thu, 9 Feb 1995 07:10:35 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Brian J. Murrell" at Feb 9, 95 01:12:11 am
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
Content-Length: 2203
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Brian J. Murrell mumbled something vague about:
>
> As enscripted by Mike Shaver:
> >
> > OK, it's time for another hypothetical situation...
> >
> > If I had a user community that was 100% dead set against any sort of
> > one-time passwords, since they do lots and lots of logins every day over an
> > internal net, and yet they occasionally do logins from remote (confusing
> > enough... it's my fault), would the following scenario work?
> >
> > 1) Router on the link to the outside world, dropping all spoofed packets
> > (src = (internal-net, loopback, 192.whatever, etc.).
> >
> > 2) A telnetd which ran either a normal, reusable password login if the
> > connection was coming from an internal net, or an S/Key-type login if the
> > connection was coming from an external net.
> What machine would they be logging into from remotely (assuming an untrusted
> network here)?? Are you going to allow packets from the untrusted net to
> enter your trusted net?? If not, what host will have the telnetd which
> does an S/Key login if the packet is from an "outside" host??

One possible application of this (and it's really just proof-of-concept anyway) would be for administration of the hosts in an external DMZ (between the packet-screening router and the bastion). You would need to log in from inside to update things, etc, and from the outside to perhaps take advantage of the services being "published". It's also possible, though perhaps unsound practice, that I'd want to allow telnet to pass through for a select number of machines...

I'm beginning to think I should have gone back and changed all the references to "telnetd" to "ftpd", which I considered just before I posted. =)

> Perhaps, because I'm using a proxy on the bastion and don't want to leak
> passwords of the internal machines when I use the bastion proxy to spring-
> board to machines on the inside.

Not everybody uses a proxy-based system though... If you've got a group of "internal" -- not necessarily the chewy part of the centre, though -- machines which are properly battened down with an OTP product and perhaps encrypted telnet, then you may very well want to allow those packets through the wall.
Mike

From firewalls-owner Thu Feb 9 13:53:12 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA12038 for firewalls-outgoing; Thu, 9 Feb 1995 13:02:31 -0800
Received: from research.att.com (research.att.com [192.20.225.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA12033 for ; Thu, 9 Feb 1995 13:02:29 -0800
From: smb@research.att.com
Message-Id: <199502092102.NAA12033@miles.greatcircle.com>
Received: by gryphon; Thu Feb 9 15:51:04 EST 1995
To: lavondes@tidtest.total.fr
cc: bobg@nta.com, firewalls@greatcircle.com (fw), patrick@oes.amdahl.com
Subject: Re: Anonymous.posting
Date: Thu, 09 Feb 95 15:51:03 EST
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I had the same problem with anon.penet.fi. Their postmaster tells me that posting or cc-ing to a list with an anon subscriber can cause this, and that a work-around is to change the subscriber's address from anxxxx to naxxxx (which prevents the replies from being made anonymous). I forgot the address of firewalls' listmaster, but maybe he could do that, or get in touch with the subscriber (BTW, what's the local policy on anon subscribers ?).

The problem is that firewalls uses majordomo for list administration, and I don't know that it's smart enough.
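Padgett's point in the "Using PGP with FTP" message above (sign first with the sender's private key, then encrypt with the recipient's public key, rather than the other way round) as an added worked example. This is not code from the list archive or from PGP: the primitives are stand-ins from the Python standard library (a SHAKE-256 keystream cipher in place of PGP's public-key encryption, an HMAC-SHA256 tag keyed with a per-sender key in place of the PGP signature), and the envelope layouts, key names and message are constructed for the demo. What it shows is the property Padgett describes: with encrypt-then-sign, anyone who can read the drop directory sees who signed (and so can count messages per sender) and can strip the signature without disturbing the ciphertext; with sign-then-encrypt, the signature is inside the ciphertext and only the recipient can reach it.

```python
# Added example (not code from the list archive or from PGP): why the order
# of PGP operations matters.  Stand-in primitives: a SHAKE-256 keystream
# cipher plays the role of PGP's public-key encryption and an HMAC-SHA256 tag
# keyed with a per-sender key plays the role of the PGP signature.  The
# envelope layouts are constructed for this demo, not PGP's packet format.
import hashlib
import hmac
import json
import os

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return hashlib.shake_256(key + nonce).digest(length)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy stream cipher: nonce || (plaintext XOR keystream)."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def sign(signing_key: bytes, data: bytes) -> bytes:
    return hmac.new(signing_key, data, hashlib.sha256).digest()


def verify(signing_key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(signing_key, data), sig)


# --- the order the quoted proposal used: encrypt, then sign ---------------
def encrypt_then_sign(sender: str, signing_key: bytes, enc_key: bytes,
                      message: bytes) -> dict:
    ct = encrypt(enc_key, message)
    return {"signer": sender, "ciphertext": ct.hex(),
            "sig": sign(signing_key, ct).hex()}


def intermediary_view(envelope) -> dict:
    """What a relay, or anyone listing the recipient's FTP directory, learns
    without the decryption key.  Encrypt-then-sign leaves the signer and the
    signature in the clear; sign-then-encrypt shows only opaque ciphertext."""
    if isinstance(envelope, dict):
        return {"signer": envelope["signer"], "signature_visible": True}
    return {"signer": None, "signature_visible": False}


def strip_signature(envelope: dict) -> dict:
    """Drop the outer signature.  The ciphertext is untouched, so the
    recipient still decrypts it, but nothing now proves who sent it."""
    return {k: v for k, v in envelope.items() if k not in ("sig", "signer")}


# --- Padgett's order: sign with the private key, then encrypt -------------
def sign_then_encrypt(sender: str, signing_key: bytes, enc_key: bytes,
                      message: bytes) -> bytes:
    inner = {"signer": sender, "body": message.hex(),
             "sig": sign(signing_key, message).hex()}
    return encrypt(enc_key, json.dumps(inner).encode())


def open_signed_message(enc_key: bytes, signing_keys: dict, blob: bytes):
    """Decrypt, then check the signature that travelled inside the
    ciphertext.  Returns (signer, message); raises ValueError on failure."""
    inner = json.loads(decrypt(enc_key, blob))
    body = bytes.fromhex(inner["body"])
    key = signing_keys.get(inner["signer"])
    if key is None or not verify(key, body, bytes.fromhex(inner["sig"])):
        raise ValueError("signature check failed")
    return inner["signer"], body


# Constructed demo keys and message (not real key material).
ALICE_SIGNING_KEY = b"alice-signing-key-demo-only"
BOB_ENC_KEY = b"bob-encryption-key-demo-only"
MESSAGE = b"invoice 4711: pay 1200 EUR"

if __name__ == "__main__":
    env = encrypt_then_sign("alice", ALICE_SIGNING_KEY, BOB_ENC_KEY, MESSAGE)
    print("encrypt-then-sign, seen in transit:", intermediary_view(env))
    stripped = strip_signature(env)
    print("still decrypts after stripping:",
          decrypt(BOB_ENC_KEY, bytes.fromhex(stripped["ciphertext"])))
    blob = sign_then_encrypt("alice", ALICE_SIGNING_KEY, BOB_ENC_KEY, MESSAGE)
    print("sign-then-encrypt, seen in transit:", intermediary_view(blob))
    print("recipient opens:",
          open_signed_message(BOB_ENC_KEY, {"alice": ALICE_SIGNING_KEY}, blob))
```

The `intermediary_view` function is the traffic-analysis observation Padgett mentions: with the signature outermost, the per-sender message volume is readable from the drop directory alone. Note that the stored pass phrase problem from the same thread is separate; neither ordering helps with that.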
From firewalls-owner Thu Feb 9 13:53:09 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA08776 for firewalls-outgoing; Thu, 9 Feb 1995 11:57:52 -0800
Received: from [198.102.244.40] (pm-ppp-2.greatcircle.com [198.102.244.40]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA08769; Thu, 9 Feb 1995 11:57:39 -0800
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 9 Feb 1995 14:55:34 -0500
To: rens@imsi.com, Ken Hardy
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: CERN httpd vs http-gw
Cc: tpaquett@aec.ca, firewalls@greatcircle.com, bdrennin@plaind.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 17:23 2/1/95, Rens Troost wrote:
>>>>>> "Ken" == Ken Hardy writes:
>
>  Ken> But what CERN's cannot be configured for, AFAIK, is specific IP
>  Ken> addresses to _not_ access it. I.e., unless I want to enter all
>  Ken> my subnets (for a class B, plus some class Cs), I cannot
>  Ken> explicitly deny my border net (the DMZ).
>
>The best way to configure CERN is to run it on an internal machine,
>making its outbound connections with SOCKS or call-compatible socks
>replacement through the firewall. I would not run it on the bastion.

Why? And are we talking about using it ONLY for proxying here, not for also serving external users (i.e., surfers from the Internet)? I'd be very nervous about having an HTTP server accessed by the outside world live anywhere EXCEPT on my bastion host.
-Brent

--
== For info about the Internet Security Firewalls Tutorial and a schedule  ==
== of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM   ==
==============================================================================
== Brent Chapman                                    Great Circle Associates ==
== Brent@GreatCircle.COM                             1057 West Dana Street  ==
== +1 415 962 0841                                  Mountain View, CA 94041 ==

From firewalls-owner Thu Feb 9 13:59:37 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA08751 for firewalls-outgoing; Thu, 9 Feb 1995 11:57:26 -0800
Received: from [198.102.244.40] (pm-ppp-2.greatcircle.com [198.102.244.40]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA08746; Thu, 9 Feb 1995 11:57:14 -0800
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 9 Feb 1995 14:55:08 -0500
To: abc2@nms01.comp.pge.com (ALAN B. CONLEY), firewalls@GreatCircle.COM
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: Anon FTP
Cc: abc2@nms01.pge.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 16:54 2/8/95, ALAN B. CONLEY wrote:
>We have been using an anonymous FTP server for the last couple
>of years on our internal network. We'd like to set one up for
>access via the Internet, for both incoming and outgoing traffic.
>We have a good idea of the architecture, but I'm looking for specific
>suggestions for ftp servers. I've heard that wuftpd is good for
>large sites.
>
>Are there any particular packages which are more secure than others?
>Recommendations? Pointers to latest versions would also be appreciated.

The WU-Archive FTP server (presumably available from wu-archive.wustl.edu) makes me a little nervous. ftpd was a big, complex program to start with, and they've made it a lot bigger and more complex in order to support all sorts of bells and whistles.
I'd suggest you look carefully at its feature list to determine which of its unique features you really need, and which would merely be nice to have.

A good alternative to the WU-Archive ftpd is the ftpd in the TIS Firewalls Toolkit (available for anonymous FTP from ftp.tis.com), which is what I use for the server on ftp.greatcircle.com.

-Brent

--
== For info about the Internet Security Firewalls Tutorial and a schedule  ==
== of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM   ==
==============================================================================
== Brent Chapman                                    Great Circle Associates ==
== Brent@GreatCircle.COM                             1057 West Dana Street  ==
== +1 415 962 0841                                  Mountain View, CA 94041 ==

From firewalls-owner Thu Feb 9 14:24:31 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA12051 for firewalls-outgoing; Thu, 9 Feb 1995 13:02:38 -0800
Received: from world1.worldbit.com (gw.worldbit.com [199.4.64.236]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA12039 for ; Thu, 9 Feb 1995 13:02:32 -0800
Received: from [192.0.2.1] (crl9.crl.com [165.113.1.40]) by world1.worldbit.com (8.6.4.1/A/UX 3.1) with SMTP id NAA04933 for ; Thu, 9 Feb 1995 13:06:52 -0800
Date: Thu, 9 Feb 1995 13:06:52 -0800
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Tim Keanini (Tim Keanini)
Subject: America Online VIA TCP/IP
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi everyone,

I am soon going to have to let some people on the inside on my network get out to America Online via TCP/IP. I was wondering if anyone has set up a proxy for this or if anyone has crossed this bridge at their site yet.

I am going to get my sniffer out and see what src and dest ports I hit with it and I will let you folks know.
--blast

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
| "The limits of my language, are the limits of my world"   |
|                                         --Wittgenstein     |
|                                                           |
|                                                           |
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

From firewalls-owner Thu Feb 9 14:54:22 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA15896 for firewalls-outgoing; Thu, 9 Feb 1995 14:12:58 -0800
Received: from alterdial.UU.NET (0@alterdial.UU.NET [192.48.96.22]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA15889 for ; Thu, 9 Feb 1995 14:12:53 -0800
From: jwk@s-s-s.com
Received: from by alterdial.UU.NET with SMTP id QQycjw17354; Thu, 9 Feb 1995 17:10:49 -0500
Date: Thu, 9 Feb 1995 17:10:49 -0500
Message-Id:
To: firewalls@greatcircle.com
Subject: Firewall Product Review
X-Mailer: AIR Mail 3.X (SPRY, Inc.)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Gentlepersons,

The January 30th, 1995 Copy of Infoworld has a product comparison between various Firewall solutions. I am particularly concerned by the review of Firewall-1 (since one of my clients is using it). The troubling paragraph states:

"...routers and Firewall-1 pass traffic without examining the contents, making it possible to "tunnel" data right through the router. And Firewall-1 lets the FSP command - used by hackers to transport their electronic tools - run on any port whatsoever, which is a dangerous situation. By running FSP on the DNS port, they can tunnel right through a router."

Questions:

1) Does a split DNS solution (aka Bellovin & Cheswick) prevent this problem with regards to DNS only?

2) Is the FSP "trick" restricted to routers and intelligent routers (FW-1), or are all firewalls exposed to this technique (since most firewall solutions have to pass DNS traffic of some sort)?

3) What is FSP?

4) Is there a FW-1 configuration rule that can repel an FSP based attack?
5) Any validations or clarifications of the article in question would be welcome :)

Thanx

James W. Klein (jwk@s-s-s.com)
UNIX System Administrator
SOFTWARE & SCANNING SERVICES, 3330 N. Causeway, Ste. 422, Metairie, LA 70002, U.S.A.

From firewalls-owner Thu Feb 9 15:40:52 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA17970 for firewalls-outgoing; Thu, 9 Feb 1995 15:16:42 -0800
Received: from nic.cerf.net (marty@nic.cerf.net [192.102.249.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA17965 for ; Thu, 9 Feb 1995 15:16:39 -0800
Received: (from marty@localhost) by nic.cerf.net (8.6.9/8.6.9) id PAA03904; Thu, 9 Feb 1995 15:14:26 -0800
From: Marty Lyons
Message-Id: <199502092314.PAA03904@nic.cerf.net>
Subject: Re: America Online VIA TCP/IP
To: blast@worldbit.com (Tim Keanini)
Date: Thu, 9 Feb 1995 15:14:26 -0800 (PST)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: from "Tim Keanini" at Feb 9, 95 01:06:52 pm
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 401
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Tim Keanini writes:
>
>I am soon going to have to let some people on the inside on my network get
>out to America Online via TCP/IP. I was wondering if anyone has set up a
>proxy for this or if anyone has crossed this bridge at their site yet.
>
>I am going to get my sniffer out and see what src and dest ports I hit with
>it and I will let you folks know.

AOL uses TCP port 5190 for connections.
From firewalls-owner Thu Feb 9 15:52:37 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA17202 for firewalls-outgoing; Thu, 9 Feb 1995 14:56:35 -0800
Received: from miriworld.its.unimelb.edu.au (miriworld.its.unimelb.EDU.AU [128.250.20.187]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA17196; Thu, 9 Feb 1995 14:56:30 -0800
Received: (from danny@localhost) by miriworld.its.unimelb.edu.au (8.6.9/8.6.9) id JAA00782; Fri, 10 Feb 1995 09:54:37 +1100
Date: Fri, 10 Feb 1995 09:54:36 +1100 (EST)
From: "Daniel O'Callaghan"
Subject: Re: Anon FTP
To: Brent Chapman
cc: "ALAN B. CONLEY", firewalls@GreatCircle.COM, abc2@nms01.pge.com
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 9 Feb 1995, Brent Chapman wrote:

> At 16:54 2/8/95, ALAN B. CONLEY wrote:
> >We have been using an anonymous FTP server for the last couple
> >of years on our internal network. We'd like to set one up for
> >
> >Are there any particular packages which are more secure than others?
> >Recommendations? Pointers to latest versions would also be appreciated.
>
> The WU-Archive FTP server (presumably available from wu-archive.wustl.edu)
> makes me a little nervous. ftpd was a big, complex program to start with,
> ...[stuff deleted]
> A good alternative to the WU-Archive ftpd is the ftpd in the TIS Firewalls
> Toolkit (available for anonymous FTP from ftp.tis.com), which is what I use
> for the server on ftp.greatcircle.com.
And/or pre-chroot the ftpd using the netacl in fwtk

Danny

From firewalls-owner Thu Feb 9 16:08:30 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA18756 for firewalls-outgoing; Thu, 9 Feb 1995 15:44:57 -0800
Received: from london.micrognosis.com (midas.london.micrognosis.com [193.114.123.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA18751 for ; Thu, 9 Feb 1995 15:44:53 -0800
Received: by london.micrognosis.com (4.1/NAR-Gateway) id AA00297; Thu, 9 Feb 95 23:42:12 GMT
Received: from zeus.london.micrognosis.com(192.83.165.17) by midas via smap (V1.0mjr) id sma000295; Thu Feb 9 23:42:10 1995
Received: by zeus.london.micrognosis.com (4.1/SMI-4.1) id AA03774; Thu, 9 Feb 95 23:42:05 GMT
From: nreadwin@london.micrognosis.com (Neil Readwin)
Message-Id: <9502092342.AA03774@zeus.london.micrognosis.com>
Subject: Re: Firewall Product Review
To: jwk@s-s-s.com
Date: Thu, 9 Feb 1995 23:42:04 +0000 (GMT)
Cc: firewalls@greatcircle.com
In-Reply-To: from "jwk@s-s-s.com" at Feb 9, 95 05:10:49 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1238
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> "...routers and Firewall-1 pass traffic without examining the contents,
> making it possible to "tunnel" data right through the router.

> 2) Is the FSP "trick" restricted to routers and intelligent routers (FW-1),
> or are all firewalls exposed to this technique (since most firewall solutions
> have to pass DNS traffic of some sort)?

If your implementation of the policy 'we allow DNS servers on the inside to be queried from the outside' is 'we forward arbitrary UDP packets to port 53 on any internal host' then clearly if someone can bind to port 53 on an internal host other than the nameserver then they can run any service they want there - FSP, Quote of the Day, IP tunnels ...

You do not need a split DNS to fix this.
You could limit the allowed destinations to be machines where you control what runs on port 53 (ie your nameservers) or you could run a named on the bastion to forward all the requests and avoid forwarding UDP packets at all.

> 3) What is FSP?

It's a file transport protocol that uses UDP instead of a TCP connection and so is not vulnerable to people firing RSTs at it :-)

--
nreadwin@micrognosis.co.uk   Phone: +1 908 855 1221 x519
Anything is a cause for sorrow that my mind or body has made

From firewalls-owner Thu Feb 9 16:12:37 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA17873 for firewalls-outgoing; Thu, 9 Feb 1995 15:12:53 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA17866 for ; Thu, 9 Feb 1995 15:12:50 -0800
Received: from blackhole.milkyway.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id PAA00820; Thu, 9 Feb 1995 15:06:50 -0800
Received: (from uucp@localhost) by blackhole.milkyway.com (8.6.7/8.6.6) id SAA16269 for ; Thu, 9 Feb 1995 18:08:54 -0500
Received: from jupiter.milkyway.com(192.168.77.9) by internet.milkyway.com via smap (V1.3) id sma016266; Thu Feb 9 18:08:26 1995
Received: from starbuck.milkyway.com.milkyway.com (calisto.milkyway.com [192.168.77.2]) by jupiter.milkyway.com (8.6.7/8.6.6) with SMTP id SAA29255 for ; Thu, 9 Feb 1995 18:13:25 -0500
Received: by starbuck.milkyway.com.milkyway.com (4.1/SMI-4.1) id AA10146; Thu, 9 Feb 95 18:12:59 EST
To: firewalls@greatcircle.com
Path: not-for-mail
From: mcr@milkyway.com (Michael Richardson)
Newsgroups: milkyway.mail.firewalls
Subject: Re: Firewall Reconfiguration
Date: 9 Feb 1995 18:12:58 -0500
Organization: Milkyway Networks Corporation
Lines: 38
Distribution: milkyway
Message-Id: <3he7hq$9sv@calisto.milkyway.com>
References: <199502091823.AA11202@server.scitexdpi.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In article
<199502091823.AA11202@server.scitexdpi.com>, Bob Allison wrote:
>My management would like to have a WWW/Gopher/anon.ftp/... server for global
>use. I want to place it on the "outside" of the firewall, which leads me to
>the following network configuration:

Or, you might want to do:

>
>      172.16.x.x                                        198.140.218.x
>     +---------+
>     |  Main   | Ethernet  +----------+  Serial  +-------+     ?
>     | Network +==========+ Firewall +----------+ modem +--------> Internet
>     +---------+           +-----+----+          +-------+
>                                 | ethernet
>                                 |
>                           +-----+----+
>                           |  server  |
>                           +----------+

no reason that a firewall need have only two interfaces, and this lets you protect your server as well. It does require either a packet filtering firewall, or something that can be made transparent (e.g. Blackhole)

>Another piece of information that might help: I have been told that we are
>going to receive a Cisco router from a different division of our parent
>company. I am not sure where that piece will fit yet, since I have

If it has V.35 interfaces, then get the 56k.

--
  :!mcr!:             | Milkyway Networks Corporation
  Michael Richardson  | Makers of the Black Hole firewall
  NCF: aa714 || xx714 | +1 613 566-4574 ... mcr@milkyway.com
  Home: mcr@sandelman.ocunix.on.ca. PGP key available.
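Neil Readwin's answer to the Firewall-1/FSP question a couple of messages back (the weakness is the rule "forward arbitrary UDP packets to port 53 on any internal host", and the fix is to limit destinations to the machines whose port 53 you control) as an added worked example. This is not code from the list archive or from any firewall product: the rule model, the internal network, the nameserver address and the sample packets are constructed for the demo. It evaluates the loose rule set and the tightened one against the same traffic, and counts how many internal hosts an outside source can reach on udp/53 under each, which is the exposure Neil's point is about.

```python
# Added example (not code from the list archive or from any firewall
# product): a loose "UDP to port 53 anywhere inside" rule versus one that
# only reaches the nameservers.  Rule model, addresses and sample packets
# are constructed for this demo.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    proto: str
    dst_net: ipaddress.IPv4Network     # destinations the rule covers
    dport: Optional[int] = None        # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and ipaddress.ip_address(pkt.dst) in self.dst_net
                and (self.dport is None or pkt.dport == self.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is dropped."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed internal net and its one real nameserver.
INTERNAL = ipaddress.ip_network("192.168.129.0/24")
NAMESERVERS = [ipaddress.ip_network("192.168.129.53/32")]

# "We forward arbitrary UDP packets to port 53 on any internal host."
WEAK_RULES = [Rule("allow", "udp", INTERNAL, 53)]

# Only machines where you control what listens on port 53 are reachable.
TIGHT_RULES = ([Rule("allow", "udp", ns, 53) for ns in NAMESERVERS]
               + [Rule("deny", "udp", INTERNAL, 53)])

# Constructed sample traffic from one outside address.
SAMPLE = [
    Packet("udp", "203.0.113.7", "192.168.129.53", 53),  # real DNS query
    Packet("udp", "203.0.113.7", "192.168.129.77", 53),  # port 53 on a workstation
    Packet("udp", "203.0.113.7", "192.168.129.77", 21),  # some other UDP port
]


def audit(rules: List[Rule], packets: List[Packet]) -> List[Tuple[Packet, str]]:
    return [(pkt, evaluate(rules, pkt)) for pkt in packets]


def hosts_reachable_on_port(rules: List[Rule], net: ipaddress.IPv4Network,
                            port: int, src: str = "203.0.113.7") -> int:
    """Number of hosts in `net` an outside source can reach on UDP `port`:
    the surface a loose rule gives anyone who can bind that port inside."""
    return sum(evaluate(rules, Packet("udp", src, str(h), port)) == "allow"
               for h in net.hosts())


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("tight", TIGHT_RULES)):
        n = hosts_reachable_on_port(rules, INTERNAL, 53)
        print(f"{name}: {n} internal hosts reachable on udp/53")
        for pkt, verdict in audit(rules, SAMPLE):
            print(f"  {pkt.proto}/{pkt.dport} -> {pkt.dst}: {verdict}")
```

The count is the whole point: the weak rule set exposes every host on the /24, the tight one exposes only the nameserver. Neil's second option, a forwarding named on the bastion so that no UDP is forwarded at all, corresponds to an empty allow list here plus a service on the bastion; it removes the question of who can bind port 53 inside entirely.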
From firewalls-owner Thu Feb 9 16:26:39 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA19094 for firewalls-outgoing; Thu, 9 Feb 1995 15:53:50 -0800
Received: from firewall.island.com (gw.island.com [199.4.64.254]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA19089 for ; Thu, 9 Feb 1995 15:53:47 -0800
Received: (from daemon@localhost) by firewall.island.com (8.6.9/8.6.9) id PAA16409; Thu, 9 Feb 1995 15:54:11 -0800
Received: from island.island.com(199.4.85.1) by firewall via smap (V1.3mjr) id sma016402; Thu Feb 9 15:53:53 1995
Received: from coney.island.com by island.com (5.0/SMI-SVR4) id AA04912; Thu, 9 Feb 1995 15:51:29 +0800
Received: by coney.island.com (5.0/SMI-SVR4) id AA03844; Thu, 9 Feb 1995 15:51:28 +0800
Date: Thu, 9 Feb 1995 15:51:28 +0800
From: hue@island.com (Pond Scum)
Message-Id: <9502092351.AA03844@coney.island.com>
To: Firewalls@GreatCircle.COM, blast@worldbit.com
Subject: Re: America Online VIA TCP/IP
X-Sun-Charset: US-ASCII
Content-Length: 896
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I am soon going to have to let some people on the inside on my network get
> out to America Online via TCP/IP. I was wondering if anyone has set up a
> proxy for this or if anyone has crossed this bridge at their site yet.
>
> I am going to get my sniffer out and see what src and dest ports I hit with
> it and I will let you folks know.

Don't bother, just look at that CCL file "TCPack". It shows that the destination port is 5190, and the connection is made to host "americaonline.aol.com".

I use plug-gw to proxy AOL traffic, and just edit the CCL file, putting the name of my proxy host in place of americaonline.aol.com.

Don't forget to consider the risks of reusable passwords sent in the clear - the AOL TCP client software does not encrypt the username or password when it sends it across the Internet. It is trivial to sniff and steal AOL accounts.
-Jonathan
hue@island.com

From firewalls-owner Thu Feb 9 16:45:15 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA19393 for firewalls-outgoing; Thu, 9 Feb 1995 16:00:54 -0800
Received: from nic.cerf.net (root@nic.cerf.net [192.102.249.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA19381 for ; Thu, 9 Feb 1995 16:00:50 -0800
Received: from isis (ISIS.ISISPH.COM [192.65.129.1]) by nic.cerf.net (8.6.9/8.6.9) with SMTP id PAA10722 for ; Thu, 9 Feb 1995 15:58:51 -0800
Received: from [192.65.129.90] (MacHeer) by isis (4.1/SMI-4.0) id AA05713; Thu, 9 Feb 95 15:49:39 PST
Date: Thu, 9 Feb 95 15:49:38 PST
X-Sender: chris@isis.isisph.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: cheer@isisph.com (Christopher D. Heer)
Subject: Re: Firewall Product Review
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Well, I can answer a little of this!

>Questions:
>3) What is FSP?

FSP is a UDP-based file transfer protocol. It's designed to place a minimal load on a server, so that a heavily used FSP-site won't kill a machine the way a heavily-used FTP site will. Because of this, pirates, etc., like it because end users can often set one up on a non-privileged port and the sysadmin may not notice, since there is so little drain on system resources.

wuarchive.wustl.edu runs an FSP server concurrently with their FTP server.

By default, FSP runs on port 21 right along with FTP, but obviously end users can't run it there. I've seen them all over the board in terms of port numbers. 'Course, none of us are allowing UDP connections way up there, are we? :)

--
Christopher D. Heer   | "The fact that he's proliferate on Usenet, home of
cheer@isisph.com      | the adult concentration camp for people who want to
My opinions are mine! | say, "I know you are, but what am I?" is, I'm sure,
Network Admin         | not a coincidence."
                      |                                     -- David Navas

From firewalls-owner Thu Feb 9 16:52:21 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA20651 for firewalls-outgoing; Thu, 9 Feb 1995 16:41:28 -0800
Received: from netcomsv.netcom.com ([163.179.3.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA20646 for ; Thu, 9 Feb 1995 16:41:25 -0800
From: dcarver@ivp.com
Received: by netcomsv.netcom.com with UUCP (8.6.9/SMI-4.1) id QAA13578; Thu, 9 Feb 1995 16:35:46 -0800
Received: from cc:Mail by ivpcc.netcom.com id AA792376776 Thu, 09 Feb 95 16:39:36
Date: Thu, 09 Feb 95 16:39:36
Message-Id: <9501097923.AA792376776@ivpcc.netcom.com>
To: firewalls@greatcircle.com
Subject: Dial-Up Internet Security
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please point me to a place where I can learn of the risks of connecting a Novell LAN to the internet via a router and a dial-up ISDN connection. Does the dial-up nature of the connection (compared to dedicated line) substantially lessen the risk?

Thanks,

David Carver
dcarver@ivp.com

From firewalls-owner Thu Feb 9 17:04:31 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA19739 for firewalls-outgoing; Thu, 9 Feb 1995 16:11:36 -0800
Received: from iss.net (root@iss.net [198.79.48.60]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA19722 for ; Thu, 9 Feb 1995 16:11:14 -0800
Received: (from cklaus@localhost) by iss.net (8.6.9/8.6.9) id TAA07427 for firewalls@greatcircle.com; Thu, 9 Feb 1995 19:20:01 -0800
From: Christopher Klaus
Message-Id: <199502100320.TAA07427@iss.net>
Subject: Security FAQ Update
To: firewalls@greatcircle.com
Date: Thu, 9 Feb 1995 19:20:00 +1494730 (PST)
X-Mailer: ELM [version 2.4 PL20]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1910
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Frequently asked Questions about Security update.
I received quite a few requests from people with only E-mail access for the Security FAQs and previously they were only available through Usenet, FTP, and Web. I have set up a file-mail server to obtain these vital security files for securing your network.

To get a general index of the topics, E-mail info@iss.net. In the subject or body of the message have the following:

    send index

To get the index of Faqs, "send index for FAQ"

Then to get a particular FAQ, such as secure Anonymous FTP FAQ, "send anonftp of faq" to info@iss.net

If you have any problems, concerns, feedbacks, e-mail me at cklaus@iss.net.

The files will be sent back shar'd. They have shell commands at the beginning and very end. They are just there to make it easier to split the file, but for the very paranoid, you can easily use vi to split the files yourself, just in case somehow the commands are really trojans. 8-)

Here are also some of the changes that have taken place with the newer FAQs, so you may want to get the most recent copies.

Sniffer FAQ
  1.0  A NEW FAQ ABOUT SNIFFERS.

Vendor FAQ:
  2.0  added Novell.
       updated SGI's info.

Patches FAQ:
  2.1  Added information about IP Address spoofing
       Added information about Hijacking
  2.0  Added AIX SRC Routing and IP Forwarding off options
       Corrected ftp for tripwire
       Corrected ftp for AIX FixDist
       Updated HP-UX patch list.
       Updated SCO patch list.
       Included more useful options to turn on for SGI.
       Updated Sun and Solaris Patch list.
       Included info for Solaris's file permissions and Casper Dik's fix-mode.

Compromise FAQ:
  2.0  Added the reference location for nfs watch and crack.

Anon FTP FAQ:
  2.0  Added back in Gary Mills' pipe program.

--
Christopher William Klaus   Voice: (404)441-2531. Fax: (404)441-2431
Internet Security Systems, Inc.
Computer Security Consulting   2000 Miller Court West, Norcross, GA 30071

From firewalls-owner Thu Feb 9 17:22:16 1995
From: jet@abulafia.genmagic.com (J. Eric Townsend)
To: Tim Keanini
Cc: Firewalls@GreatCircle.COM
Date: Thu, 9 Feb 95 16:28:22 -0800
Message-Id: <9502100028.AA03566@abulafia.genmagic.com>
Subject: America Online VIA TCP/IP

"blast" == Tim Keanini writes:

blast> Hi everyone, I am soon going to have to let some people on the
blast> inside on my network get out to America Online via TCP/IP. I
blast> was wondering if anyone has set up a proxy for this or if
blast> anyone has crossed this bridge at their site yet.

I told folks wanting to do tcp/ip out for aol that they need to have aol create a socksified client. We won't open up access for AOL-over-the-net when having dial-out lines is an option. (We have our pbx configured so that analog lines do not have external dids unless we get a note from a divine authority.)
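Christopher Klaus's FAQ update above says the files come back shar'd, with shell commands at the top and bottom that a cautious reader might prefer not to execute. As an added example (not part of the list traffic, and not code from the ISS mail server), here is a small unpacker that extracts the here-document members of a shar file without ever handing the script to a shell. The archive layout it recognises (a `sed 's/^X//'` or `cat` here-document per member) is assumed from the common shar generators of the period, and the sample archive is constructed for the example.

```python
"""Unpack a shar archive without executing any of its shell commands.

A shar file is a shell script.  Each member is written out by a here-document
of the form

    sed 's/^X//' << 'SHAR_EOF' > 'path/to/file' &&
    Xfirst line of the file
    ...
    SHAR_EOF

(older generators use "cat << 'EOF' > file" without the X prefix).  Everything
outside those blocks is shell code, which this unpacker deliberately ignores.
"""
import re
from typing import Dict

# Matches the line that opens a member's here-document.  Assumed layout based on
# the classic shar generators; other variants would need additional patterns.
_OPEN = re.compile(
    r"""^\s*(?P<tool>sed\s+'s/\^X//'|cat)\s*<<\s*'?(?P<delim>[^'\s]+)'?"""
    r"""\s*>\s*'?(?P<path>[^'\s&]+)'?"""
)

# Constructed sample archive (not real ISS output): two members, an X-prefixed
# one and a plain one, plus the surrounding shell code a shar normally carries.
SAMPLE_SHAR = """\
#!/bin/sh
# This is a shell archive (constructed example, not produced by shar)
echo x - README
sed 's/^X//' << 'SHAR_EOF' > 'README' &&
XSecurity FAQ index
XX marks nothing here
SHAR_EOF
chmod 0644 README ||
echo 'restore of README failed'
echo x - faq/anonftp
cat << 'EOF' > faq/anonftp
Setting up anonymous FTP: check directory permissions.
EOF
echo 'anything outside a here-document is shell code and is NOT run'
exit 0
"""


def unshar(text: str) -> Dict[str, str]:
    """Return {member path: contents}; never runs the archive's shell code."""
    members: Dict[str, str] = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = _OPEN.match(lines[i])
        if not m:
            i += 1  # shell code (echo, chmod, exit, ...) is skipped, not executed
            continue
        strip_x = m.group("tool").startswith("sed")
        delim, path = m.group("delim"), m.group("path")
        # Refuse absolute paths and parent-directory escapes before anything
        # would be written to disk.
        if path.startswith("/") or ".." in path.split("/"):
            raise ValueError(f"refusing unsafe member path {path!r}")
        body = []
        i += 1
        while i < len(lines) and lines[i] != delim:
            line = lines[i]
            body.append(line[1:] if strip_x and line.startswith("X") else line)
            i += 1
        if i == len(lines):
            raise ValueError(f"unterminated here-document for {path!r}")
        members[path] = "\n".join(body) + ("\n" if body else "")
        i += 1  # step past the terminating delimiter line
    return members


def is_safe_archive(text: str) -> bool:
    """True if every member has a relative path and a terminated here-document."""
    try:
        unshar(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for name, data in unshar(SAMPLE_SHAR).items():
        print(f"{name}: {len(data)} bytes")
```

The members are returned in memory rather than written out, so the caller decides where (and whether) each file lands; writing them under a fresh scratch directory keeps the same guarantee the path check gives.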
From firewalls-owner Thu Feb 9 17:23:24 1995
From: Christopher Klaus
To: danny@miriworld.its.unimelb.edu.au (Daniel O'Callaghan)
Cc: Brent@GreatCircle.COM, abc2@nms01.comp.pge.com, firewalls@GreatCircle.COM, abc2@nms01.pge.com
Date: Thu, 9 Feb 1995 19:39:04 -0500 (EST)
Message-Id: <199502100039.TAA00742@shadow.net>
In-Reply-To: from "Daniel O'Callaghan" at Feb 10, 95 09:54:36 am
Subject: Re: Anon FTP

>
> > > On Thu, 9 Feb 1995, Brent Chapman wrote:
> > > At 16:54 2/8/95, ALAN B. CONLEY wrote:
> > >We have been using an anonymous FTP server for the last couple
> > >of years on our internal network. We'd like to set one up for
> > >
> > >Are there any particular packages which are more secure than others?
> > >Recommendations? Pointers to latest versions would also be appreciated.
> >
> > The WU-Archive FTP server (presumably available from wu-archive.wustl.edu)
> > makes me a little nervous. ftpd was a big, complex program to start with,
> > ...[stuff deleted]
> > A good alternative to the WU-Archive ftpd is the ftpd in the TIS Firewalls
> > Toolkit (available for anonymous FTP from ftp.tis.com), which is what I use
> > for the server on ftp.greatcircle.com.
The security FAQ for setting up anonymous FTP is available by doing the following command:

    echo send anonftp from faq | mail info@iss.net

It contains some useful things to look out for when setting up FTP.

--
Christopher William Klaus   Voice: (404)441-2531.  Fax: (404)441-2431
Internet Security Systems, Inc.
Computer Security Consulting   2000 Miller Court West, Norcross, GA 30071

From firewalls-owner Thu Feb 9 17:52:29 1995
From: "Ned Smith (nedbob)"
To: "'Firewalls Alias(firewalls@greatcircle.com)'"
Date: Thu, 09 Feb 95 17:39:00 PST
Message-Id: <2F3AC547@ushqgw.sequent.com>
Subject: FW: User authentication and restriction in proxy/application gateways

BlackHole firewall does this stuff. I'm sure there are others!
You can try email to 'support@milkyway.com'

Regards,
Ned

----------
From: Alan Judge
To: firewalls@greatcircle.com, academic-firewalls@net.tamu.edu
Date: Thu, 09 Feb 1995 13:51:03 +0000
Message-Id: <9502091351.aa20618@salmon.maths.tcd.ie>
Subject: User authentication and restriction in proxy/application gateways

[snip]
What they would like is a firewall/proxy/gateway that would authenticate users before allowing them remote access to things such as FTP, telnet, WWW, and so on.
[snip]
full logging of the amount of traffic and users involved,
[snip]
Given a flexible platform, users could even be classified and given differing amounts of access based on who they are; for example, undergrad access could be restricted to offpeak hours, or possibly bandwidth limited.

Alan

From firewalls-owner Thu Feb 9 18:52:30 1995
From: "Daniel O'Callaghan"
To: Alan Judge
cc: firewalls@GreatCircle.COM, academic-firewalls@net.tamu.edu
Date: Fri, 10 Feb 1995 13:28:52 +1100 (EST)
In-Reply-To: <9502091351.aa20618@salmon.maths.tcd.ie>
Subject: Re: User authentication and restriction in proxy/application gateways

Hi Alan,

Welcome to volume charging! As far as I recall, telnet-gateway and ftp gateway from fwtk count the bytes transmitted in each session, which could help you.
A socks daemon either does so or can be made to do so.

Additionally, I would suggest that for WWW access, you install a machine to act as a WWW caching proxy server. That will record connecting client name/IP, destination, bytes transferred, and will provide a cache to reduce bandwidth. Best bang/buck is probably a Pentium running BSDi if you want manuals, or Linux/FreeBSD if you don't, with 2 GB of disk space. You should be able to save at least 30% of WWW traffic with that setup.

Unimelb has 4,000 staff; currently about 600-700 are active with WWW, transferring > 500 MB/week in 40-50,000 requests. 20,000 students start back in 3 weeks... I wonder what that will do to our figures? We will be installing a cascade of WWW proxy servers to reduce the load on the central one, RSN.

Alternatively, if you can fix people to IP addresses, use netramet to meter the traffic (ask archie for location, or try ftp.aarnet.edu.au).

Danny

From firewalls-owner Thu Feb 9 19:08:46 1995
From: MSH5%CnoIp%CTS@bangate.pge.com
To: firewalls-digest@GreatCircle.COM
Date: Thu, 9 Feb 95 18:26:57 PST
Subject: Outbound Filtering on Data Content

Does anyone perform data content filtering at the firewall on *outbound* file transfers? If so, why? Does your policy require this?
What specifically are you filtering for? What are you stopping from going out and how do you follow up on it? What firewalls provide this capability? I'm evaluating firewall products and some appear to have this capability.

Even though anyone can copy information to a diskette (if they already have authorized access) and walk out with it, we may not want to open a T1 line for them to send it to other persons. I think what mgmt would like to know is how not to open a pipeline to allow for easy disclosure of competitive information or proprietary source code. The idea would only be to close doors where possible to mitigate risk -- if policies mandate it.

Filters could possibly:
- Prevent encrypted files from going out
- Prevent data going out based on keywords
- Prevent data going out based on comparisons with data models

It's assumed that persons with explicit authorization could do all of the above, others not.

Perhaps filtering is not the answer. Is limiting outbound file sizes the way? If so, how large?

I know...so many questions...so little time...

Please respond to MSH5@pge.com. I'll post a summary of answers to the list.

Thanks in advance for any feedback.
Michael Harris
Information Protection
Pacific Gas & Electric

From firewalls-owner Thu Feb 9 19:22:31 1995
From: John Adams
To: BobG@nta.com, firewalls@GreatCircle.COM
Date: Thu, 9 Feb 1995 22:08:20 -0500
Message-Id: <199502100308.WAA23779@galaxy.concorde.com>
Subject: Re: Anonymous.posting

Everyone can calm down about the anonymous posting scare.. *geesh*.. I realize it's a firewalls list, but yes, mail can be spoofed, and yes, it's okay to be paranoid, but paranoia must come in moderation.

If you send mail to a mailing list, and the list is "exploded", and some IDIOT subscribed to the list under an anonymous remailer address, then everyone who's on the list that sends mail into the mailing list will get assigned an anonymous ID when they send mail into the mailing list.

Whoever is subscribed under an anon service: thanks, thanks a lot.
=john=

From firewalls-owner Thu Feb 9 20:01:25 1995
From: Marcus J Ranum
To: jwk@s-s-s.com
Cc: firewalls@greatcircle.com
Date: Thu, 9 Feb 1995 22:43:27 -0500 (EST)
Message-Id: <9502100335.AA00744@tis.com>
In-Reply-To: from "jwk@s-s-s.com" at Feb 9, 95 05:10:49 pm
Organization: Trusted Information Systems, Inc. Glenwood, MD
Phone: 301-854-6889
Coredump: Infocalypse Now!!!
Subject: Re: Firewall Product Review

>1) Does a split DNS solution (aka Bellovin & Cheswick) prevent this problem
>with regards to DNS only?

The FSP "trick" the article referred to is a basic problem you'll encounter with most router-based firewalls. They operate at a network level and don't understand much about what goes across them. So, to them, a DNS packet, or an FSP packet, or an NFS packet is just another packet, if the ports match what the router expects to see. A firewall that lets NFS through is like a seatbelt that is designed to let your face reach the dashboard. :)

Splitting DNS is mostly done for "information hiding" reasons rather than for traffic control. I'll save the list my usual "3 reasons why DNS hiding is useless in spite of what ches sez" rant. [Last time, someone actually *DID* come up with a good reason: if you're using non-issued addresses and want to hide them]

>2) Is the FSP "trick" restricted to routers and intelligent routers (FW-1), or
>are all firewalls exposed to this technique (since most firewall solutions
>have to pass DNS traffic of some sort)?
Well, a Gauntlet/toolkit type firewall isn't going to let FSP through. We "cure" UDP by murdering all UDP traffic completely. DNS on one of our firewalls works only if you're sending well-formed DNS requests at a nameserver on the firewall.

>4) Is there a FW-1 configuration rule that can repel an FSP based attack?

FSP isn't an "attack"; it's a way of transmitting files. One thing to bear in mind is equivalence. If you can mail large files (or many small ones) in and out of the firewall, you can also transfer files, or run TCP/IP over Email or whatever you want to do. Protocol-over-protocol tunnelling only requires a reasonably reliable means of getting data through a pipe. Router-based firewalls make it ridiculously easy, though.

mjr.

From firewalls-owner Thu Feb 9 20:52:13 1995
From: Johnny Chow
To: firewalls%greatcircle.com%aarnet@mr.isd1.tafensw.edu.au
Date: Fri, 10 Feb 1995 15:27:04 +0000
Message-id: <"A21ZVPVMB0I1*/R=HOASYS/R=A1/U=CHOW JOHNNY/"@MHS>
Subject: TAMU drawbridge
G'day,

We are thinking of setting up a TAMU drawbridge as our first stage of installing a firewall protection system (at a later stage, we may install a bastion host to replace it). We would like to hear experience/stories from anyone related to the use of the drawbridge.

Thanks in advance!

Johnny Chow
NSW TAFE, Australia.

From firewalls-owner Thu Feb 9 21:22:23 1995
From: Tom Fitzgerald
To: firewalls@greatcircle.com
Date: Fri, 10 Feb 1995 00:08:50 -0500
Message-Id: <199502100508.AA00926@fnord.wang.com>
Subject: Re: CERN httpd vs http-gw

rens@imsi.com (Rens Troost) writes:

> The HTTP servers out there nowadays are a bit too large and hard to
> read through for me to feel comfortable running them on my internet
> bastion; who knows what dangers lurk within. Your mileage may vary, of
> course.

CERN httpd runs fine in a chrooted environment, and is perfectly willing to relinquish root privs (both real and effective) once it's opened port 80. This makes it pretty easy to lock it into its own filesystem without much chance of getting out.
--
Tom Fitzgerald   1-508-967-5278   Wang Labs, Lowell MA, USA   fitz@wang.com

From firewalls-owner Fri Feb 10 00:52:10 1995
From: Greg Broiles
To: firewalls@greatcircle.com
Date: Thu, 9 Feb 1995 18:15:37 -0800 (PST)
Message-Id: <199502100215.AA18000@ideath.goldenbear.com>
Subject: Anon subscriber to list

-----BEGIN PGP SIGNED MESSAGE-----

A check of the subscription list reveals that an196844@anon.penet.fi is subscribed to 'firewalls'. This is likely the source of the "you have been allocated an address" messages. Now I'll probably get one, too.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBLzrMJn3YhjZY3fMNAQEzCgQAtDfwm10eqVmDtaN0mbPwictnzYcICG1p
SBJWITwocjv3wACjqKfIc8+m5/fkGBrALG9PMm4BTEYHOi+iLnQ0H9TzZfX75m0H
KHMENKPmIySBb+TP/EcVRcXuKoeAE1NnaFPdyLhJkOIaZwdfU8zZNaElzxTdMSp/
A7cRSEwKHC4=
=iQCD
-----END PGP SIGNATURE-----

From firewalls-owner Fri Feb 10 01:11:44 1995
From: Ian Marr
To: MSH5@CnoIp (MSH5)
Cc: firewalls@greatcircle.com
Date: Fri, 10 Feb 1995 08:38:55 +0000 (GMT)
Message-Id: <9502100838.AA00848@finsbury.co.uk>
In-Reply-To: from "MSH5" at Feb 9, 95 06:26:57 pm
Subject: Re: Outbound Filtering on Data Content

MSH5 writes:
>
> Filters could possibly:
> - Prevent encrypted files from going out
> - Prevent data going out based on keywords
> - Prevent data going out based on comparisons with data models
> It's assumed that persons with explicit authorization could do all of the
> above others not.
>
> Perhaps filtering is not the answer. Is limiting outbound file sizes the
> way? If so how large?

I've come across the same problem but have concluded that you can take paranoia and control too far. Consider carefully your corporate's *current* pre-Internet policies ... I assume they already cover the restrictions imposed above without *any* form of direct policing.
Now extrapolate them to an Internet connection: I think you'll find they still apply. My advice is don't get hung up on the underlying technology ... disclosure of information and data is a generic policy issue for Corporations.

That said, I think that when corporate policy is strong enough and an Internet connection is implemented and given to the masses, then there should be an explicit registration procedure for *all* users, during which they are reminded of the existing policies and are given guidelines for acceptable *corporate* use of the Internet. Then you should police the connection with frequent auditing and monitoring.

However, if management still have a problem with this, then proxy based firewalls can help you restrict 'export' functions to a registered set of users. [e.g. TIS FWTK ftp-gw PUT authentication whilst GET is open to all]. I'm sure even outbound SMTP mail could be similarly restricted.

Ian.
------------------------------------------------------------------------------
Ian Marr   Wingrove, 10 St Georges Road, Sevenoaks, KENT, TN13 3ND, UK
im@finsbury.co.uk   +44-732-453-577

From firewalls-owner Fri Feb 10 01:52:25 1995
From: wolfgang.kuehnel@cp-nbg.philips.de (Wolfgang Kuehnel)
Date: Fri, 10 Feb 1995 10:26:58 --100
Message-Id: <9502100926.AA21084@sit03.cp-nbg.philips.de>
To:
firewalls@greatcircle.com
Subject: Anon subscribers

Greg Broiles:
>A check of the subscription list reveals that an196844@anon.penet.fi
>is subscribed to 'firewalls'.

My personal opinion is that this subscriber should be removed from the list. Why does this person try to hide behind that anon service? Maybe he/she answers and reveals his/her identity and motivation?

Wolfgang

From firewalls-owner Fri Feb 10 02:07:24 1995
From: Antonio Vasconcelos
To: im@finsbury.co.uk (Ian Marr)
Cc: firewalls@greatcircle.com
Date: Fri, 10 Feb 1995 10:34:05 +0000 (WET)
Message-Id: <199502101034.AA05734@jessica.bvl.pt>
In-Reply-To: <9502091534.AA02976@finsbury.co.uk> from "Ian Marr" at Feb 9, 95 03:34:11 pm
Subject: Re: Address translation

[ Ian Marr writes... ]
->> I need to know if there is some firewall software for unix that over
->> the firewall stuff do some addr translation for me.
->
-> Maybe ... but believe me, you *DON'T* want to do it. Bite the bullet
-> and renumber your network; if you can't get enough registered
-> addresses then use some from the range reserved in RFC1597. That
-> said ...
I think that my unofficial addresses are from the RFC1597 range (192.168.x.x). But I *DON'T* want those addresses to be known, as I don't want them to be called from the outside, and I want to set a rule in the incoming router that cuts EVERYTHING that doesn't have a destination addr in our external (and official) net, ACK packets included.

-> This depends on what you mean by private addresses ... assuming they
-> are 'illegal' unregistered (to you) addresses then, yes, you need

No, they are not illegal, just private.

-> However, IFF by private you mean RFC1597, then you do not have a
-> major problem and can use an Application Proxy based Firewall such as
-> TIS Firewall Toolkit, TIS Gauntlet or ANS Interlock to achieve
-> your requirements.

I'll grab TFTK as soon as I can.

-> Only that your lines are longer than 80 chars and wrap in my standard
-> Xterm ... but then maybe I shouldn't be using an 80 char window in
-> this day!

Ok, this stupid MS Mail thing doesn't insert EOLs when wrapping lines; I try to remember to press ENTER but I forget sometimes... Now I'm writing from a decent unix machine (NeXT) with a decent text editor (vi) and using a decent mailer (elm)... 8-)

--
regards,
Antonio Vasconcelos [postmaster & webmaster] @ The Lisbon $tock Exchange (BVL)
Disclaimer: All opinions are my own, my employer thinks I'm working...
<<< If you prick me, do I not... leak?
>>>

From firewalls-owner Fri Feb 10 03:22:12 1995
From: lavondes@tidtest.total.fr (Michel Lavondes)
To: postmaster@greatcircle.com, admin@anon.penet.fi, postmaster@anon.penet.fi
Cc: firewalls@greatcircle.com (fw)
Date: Fri, 10 Feb 95 11:42:21 GMT
Message-Id: <9502101142.AA02964@tidtest.total.fr>
Reply-To: lavondes@tidtest.total.fr
Subject: Anon subscriber to firewalls@greatcircle.com

daemon@anon.penet.fi wrote:

> From daemon@anon.penet.fi Thu Feb 9 23:40:45 1995
> Date: Fri, 10 Feb 95 00:24:39 +0200
> From: daemon@anon.penet.fi
> Message-Id: <9502092224.AA26943@anon.penet.fi>
> To: lavondes@tidtest.total.fr
> Subject: Anonymous message failed (wrong password)
>
> The message you sent to the anonymous server could not be processed, as your
> password (in the X-Anon-Password: header) didn't match the one stored in the
> server. Either you have made a mistake, or somebody has used your account and
> changed the password. If the latter is the case, please contact
> admin@anon.penet.fi.
>
> Contents of failed message:
>
> -------------------------
> X-Envelope-To: an196844
> Received: by anon.penet.fi (5.67/1.35)
>         id AA23271; Thu, 9 Feb 95 22:54:35 +0200
> [some headers deleted]
> Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA03913 for firewalls-outgoing; Thu, 9 Feb 1995 10:03:58 -0800
> [rest of headers and message deleted]

I interpret that message as meaning that anonymous account an196844 receives messages sent to firewalls@greatcircle.com, either as a subscriber or through automatic forwarding. Am I right? If so, can one of you postmasters/admins do something about it?

Should I go on bothering every firewalls subscriber with what may be a trivial lack of netiquette? Am I hopelessly naive/outdated/ ?

Regards
--
Michel Lavondes
E-Mail : lavondes@tidtest.total.fr
         lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected)
Tel : +33-1-4135-4198   Fax : +33-1-4135-4189

From firewalls-owner Fri Feb 10 04:26:29 1995
From: "Dr. Frederick B. Cohen"
To: firewalls@greatcircle.com
Date: Fri, 10 Feb 1995 07:04:07 -0500 (EST)
Message-Id: <199502101204.HAA14145@all.net>
Subject: httpd in a safe(r) mode

The reason we run all.net as http://all.net:8080 is that by using 8080 we are out of the range requiring a privileged account. Httpd runs as user NoName and only has that user's privileges (read only at best - another user owns all the files in the W3 server).
I know that this doesn't give as much comfort as being able to analyze the code, but it's an improvement over running as root.

FC

From firewalls-owner Fri Feb 10 04:44:53 1995
From: rgm3@is.chrysler.com (Robert Moskowitz)
To: Antonio Vasconcelos, im@finsbury.co.uk (Ian Marr)
Cc: firewalls@greatcircle.com
Date: Fri, 10 Feb 1995 07:11:05 -0600
Message-Id: <9502101226.AA16309@clncrdv1.is.chrysler.com>
Subject: Re: Address translation

At 10:34 AM 2/10/95 +0000, Antonio Vasconcelos wrote:
>[ Ian Marr writes... ]
>->> I need to know if there is some firewall software for unix that over
>->> the firewall stuff do some addr translation for me.
>->
>-> Maybe ... but believe me, you *DON'T* want to do it. Bite the bullet
>-> and renumber your network; if you can't get enough registered
>-> addresses then use some from the range reserved in RFC1597. That
>-> said ...
>
>I think that my unofficial addresses are from the RFC1597 range
>(192.168.x.x).
>But I *DON'T* want those addresses to be known, as I
>don't want them to be called from the outside, and I want to set a
>rule in the incoming router that cuts EVERYTHING that doesn't have a
>destination addr in our external (and official) net, ACK packets
>included.

Most Internet providers are already dropping any packets that are addressed to or from an RFC 1597 address. That was part of the plan for deploying it. It is only private if nothing public carries it.

I am sure that some ISP somewhere does not have this set up, so of course don't count on it until you talk to your provider...

Robert Moskowitz
Chrysler Corporation
(810) 758-8212

From firewalls-owner Fri Feb 10 06:24:15 1995
From: Mark Stickler
To: firewalls@greatcircle.com
Date: Fri, 10 Feb 95 9:12:44 EST
Message-Id: <199502101408.GAA03215@miles.greatcircle.com>
Subject: Authenticated Telnet

I apologise in advance if this is not strictly firewall related, but does anyone know of any products that use RFC1416 type telnet authentication to achieve single-user login? If you know of anything/anybody doing this in a commercially available product I would like to know. Private email please (mstickler@lvh.com)

Mark G.
Stickler | Voice: (610) 402-1459 | | Lehigh Valley Hospital | FAX: (610) 402-1409 | | Information Services | Internet: mstickler@lvh.com | | 2024 Lehigh Street | Title: Technical Analyst | | Allentown, PA 18103 | | +----------------------------+-----------------------------+ From firewalls-owner Fri Feb 10 06:38:00 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA03042 for firewalls-outgoing; Fri, 10 Feb 1995 05:52:34 -0800 Received: from gatekeeper.ddp.state.me.us (gatekeeper.ddp.state.me.us [141.114.130.70]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id FAA03037; Fri, 10 Feb 1995 05:52:29 -0800 Received: from localhost by gatekeeper.ddp.state.me.us (8.6.5/1.37) id IAA27175; Fri, 10 Feb 1995 08:46:55 -0500 Date: Fri, 10 Feb 1995 08:46:54 -0500 (EST) From: David Miller Subject: Re: CERN httpd vs http-gw To: Brent Chapman cc: rens@imsi.com, Ken Hardy , tpaquett@aec.ca, firewalls@GreatCircle.COM, bdrennin@plaind.com In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 9 Feb 1995, Brent Chapman wrote: > At 17:23 2/1/95, Rens Troost wrote: > >>>>>> "Ken" == Ken Hardy writes: > > > > Ken> But what CERN's cannot be configured for, AFAIK, is specific IP > > Ken> addresses to _not_ access it. I.e., unless I want to enter all > > Ken> my subnets (for a class B, plus some class Cs), I cannot > > Ken> explicitely deny my border net (the DMZ). Why wouldn't you use simple software created for the task of access control to secure access control, like tcp_wrappers or netacl? > > > >The best way to configure CERN is to run it on an internal machine, > >making it's outbound connections with SOCKS or call-compatible socks > >replacement through the firewall. I would not run it on the bastion. > I wouldn't either. I would run it on a dedicated host in the DMZ. 
Let it cache accesses your users are making and have it provide anything you wish to serve to the net. Use http-gw to connect users to it from the soft chewy center. If the worst happens and hackers use the server to cause a meltdown you throw on a backup tape and a sniffer to see how they do it the next time. > Why? And are we talking about using it ONLY for proxying here, not for also > serving external users (i.e., surfers from the Internet)? I'd be very nervous > about having an HTTP server accessed by the outside world live anywhere > EXCEPT on my bastion host. > Tell me you didn't say that, Brent, or explain how the bastion host is not the hard shell around the soft chewy center. You wouldn't really contemplate running a BHPC like httpd on your firewall would you? Apologies in advance if bastion host != firewall in your statement:) > > -Brent > > -- > == For info about the Internet Security Firewalls Tutorial and a schedule == > == of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM == > ============================================================================== > == Brent Chapman Great Circle Associates == > == Brent@GreatCircle.COM 1057 West Dana Street == > == +1 415 962 0841 Mountain View, CA 94041 == > > > ---------------------------------------------------------------------------- It's *amazing* what one can accomplish when one doesn't know what one can't do! 
From firewalls-owner Fri Feb 10 07:30:17 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA03891 for firewalls-outgoing; Fri, 10 Feb 1995 06:56:48 -0800 Received: from totalrecall.rs.itd.umich.edu (totalrecall.rs.itd.umich.edu [141.211.144.16]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA03886 for ; Fri, 10 Feb 1995 06:56:45 -0800 Received: from ren.us.itd.umich.edu by totalrecall.rs.itd.umich.edu (8.6.9/2.3) with SMTP id JAA02639; Fri, 10 Feb 1995 09:54:21 -0500 Date: Fri, 10 Feb 1995 09:54:20 -0500 (EST) From: Lawrence Beasley X-Sender: leb@ren.us.itd.umich.edu To: BERNI@erc.ie cc: firewalls@GreatCircle.COM Subject: Re: apple macs In-Reply-To: <2f3a7ec5.erc@erc.erc.ie> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On 9 Feb 1995 BERNI@erc.ie wrote: > Is there any software out there to password protect standalone Apple > Macs? > > This may not be the correct place to ask...but...if anyone knows??? > > Thanks, > > Berni Dwan. > > I'm not sure of what kind of security you are looking for, but there are probably several things you could use: FolderBolt Pro protects folders from prying eyes... NightWatch protects the HD from unauthorized access (password protected, write-protected). You can get these two products in a bundle through MacWarehouse... There's FileGuard and DiskGuard to protect files/folders and harddrives (respectively)... ultraShield, ultraSecure, and cypherPad which pretty much do the same as the others... and then there's Empower and Empower II. I like these better than the rest (I use Empower II). Protects the machine at the driver level (can't bypass by holding down the shift key at startup) and I can control who has access to what on the machine (like no access to control panels). Empower is the less-featured version of Empower II. 
I would say call MacWarehouse or one of the other volume shippers for a catalog, see if you can get a demo (or a money back guarantee) try it and see if you can break it. ----------------------------------------------------------------- Lawrence Beasley leb@umich.edu Computer Systems Specialist 70732.2777@compuserve.com lawrence.beasley@aoce.itd.umich.edu University of Michigan 1310 Michigan Union "Before I talk, (313) 763 5750 I should read a book." (313) 763 1388 (FAX) Go Blue!! #include Go Blue!! ----------------------------------------------------------------- From firewalls-owner Fri Feb 10 07:55:49 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA04304 for firewalls-outgoing; Fri, 10 Feb 1995 07:37:26 -0800 Received: from blackhole.milkyway.com (milkyway.com [198.53.167.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA04292 for ; Fri, 10 Feb 1995 07:37:20 -0800 Received: (from uucp@localhost) by blackhole.milkyway.com (8.6.7/8.6.6) id KAA17987 for ; Fri, 10 Feb 1995 10:34:47 -0500 Received: from jupiter.milkyway.com(192.168.77.9) by internet.milkyway.com via smap (V1.3) id sma017985; Fri Feb 10 10:34:45 1995 Received: from starbuck.milkyway.com.milkyway.com (calisto.milkyway.com [192.168.77.2]) by jupiter.milkyway.com (8.6.7/8.6.6) with SMTP id KAA02328 for ; Fri, 10 Feb 1995 10:39:03 -0500 Received: by starbuck.milkyway.com.milkyway.com (4.1/SMI-4.1) id AA10525; Fri, 10 Feb 95 10:38:37 EST To: firewalls@greatcircle.com Path: not-for-mail From: mcr@milkyway.com (Michael Richardson) Newsgroups: milkyway.mail.firewalls Subject: Re: CERN httpd vs http-gw Date: 10 Feb 1995 10:38:36 -0500 Organization: Milkyway Networks Corporation Lines: 20 Distribution: milkyway Message-Id: <3hg19s$a8q@calisto.milkyway.com> References: <199502100508.AA00926@fnord.wang.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In article <199502100508.AA00926@fnord.wang.com>, Tom Fitzgerald wrote: >CERN httpd runs fine 
in a chrooted environment, and is perfectly willing to >relinquish root privs (both real and effective) once it's opened port 80. ^^^^ This is the key word. It has to run as root for a while. This makes me nervous. I'd rather have a program that opens port 80, chroots, and invokes httpd. Actually, I'd rather make chroot() and <1024 privileges be contingent on being in group "daemon" and never run these servers as root at all.

-- :!mcr!: | Milkyway Networks Corporation Michael Richardson | Makers of the Black Hole firewall NCF: aa714 || xx714 | +1 613 566-4574 ... mcr@milkyway.com Home: mcr@sandelman.ocunix.on.ca. PGP key available.

From firewalls-owner Fri Feb 10 08:22:57 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA04908 for firewalls-outgoing; Fri, 10 Feb 1995 08:20:41 -0800 Received: from schoolnet.carleton.ca (schoolnet.carleton.ca [134.117.55.17]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA04901 for ; Fri, 10 Feb 1995 08:20:38 -0800 Received: by schoolnet.carleton.ca (8.6.9/SMI-4.0) id LAA20289; Fri, 10 Feb 1995 11:17:46 -0500 From: mshaver@schoolnet.carleton.ca (Mike Shaver) Message-Id: <199502101617.LAA20289@schoolnet.carleton.ca> Subject: Re: CERN httpd vs http-gw To: mcr@milkyway.com (Michael Richardson) Date: Fri, 10 Feb 1995 11:17:45 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: <3hg19s$a8q@calisto.milkyway.com> from "Michael Richardson" at Feb 10, 95 10:38:36 am MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 8bit Content-Length: 1231 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Michael Richardson mumbled something vague about: > In article <199502100508.AA00926@fnord.wang.com>, > Tom Fitzgerald wrote: > >CERN httpd runs fine in a chrooted environment, and is perfectly willing to > >relinquish root privs (both real and effective) once it's opened port 80. > ^^^^ > This is the key word. It has to run as root for a while.
This makes > me nervous. I'd rather have a program that opens port 80, chroots, and > invokes httpd. Even just changing uid right after the bind would be better. I know NCSA waits until after the accept *and* the logging to change, which is OK, but still not warm and fuzzy. > Actually, I'd rather make chroot() and <1024 privileges be > contingent on being in group "daemon" and never run these servers as > root at all. How hard could it be to change the check for privileged port access from if (uid == 0) to if (gid == 0) ? Sounds simple enough, if you've got sources. Actually, I've heard that under Solaris you can designate ports arbitrarily as non-privileged. Or perhaps you can just change the range that are privileged... the former would be very convenient, the latter much less so. Mike

From firewalls-owner Fri Feb 10 09:22:16 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA05580 for firewalls-outgoing; Fri, 10 Feb 1995 09:01:42 -0800 Received: from svcs1.digex.net (svcs1.digex.net [204.91.197.224]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA05575 for ; Fri, 10 Feb 1995 09:01:38 -0800 Received: from paragon-systems.com (sundevil.paragon-systems.com) by svcs1.digex.net with SMTP id AA23834 (5.67b8/IDA-1.5 for ); Fri, 10 Feb 1995 11:59:34 -0500 Received: from Paragon-Systems.COM (sandfiddler) by paragon-systems.com (4.1/SMI-4.1) id AA01659; Fri, 10 Feb 95 12:00:50 EST Received: by Paragon-Systems.COM (5.0/SMI-SVR4) id AA00507; Fri, 10 Feb 1995 11:58:57 +0500 Date: Fri, 10 Feb 1995 11:58:57 +0500 From: rmck@sandfiddler.paragon-systems.com (Bob McKisson) Message-Id: <9502101658.AA00507@ Paragon-Systems.COM> To: firewalls-digest@greatcircle.com Subject: Did I miss v4 #96? X-Sun-Charset: US-ASCII Content-Length: 52 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Did I miss #96 or has it not yet been posted?
rmck

From firewalls-owner Fri Feb 10 09:42:38 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA05739 for firewalls-outgoing; Fri, 10 Feb 1995 09:16:54 -0800 Received: from pegase.total.fr (pegase.total.fr [146.249.41.223]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA05728 for ; Fri, 10 Feb 1995 09:16:28 -0800 Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA23848; Fri, 10 Feb 95 18:10:30 +0100 Received: by tidtest.total.fr (4.1/SMI-4.1) id AA03105; Fri, 10 Feb 95 18:06:57 GMT From: lavondes@tidtest.total.fr (Michel Lavondes) Message-Id: <9502101806.AA03105@tidtest.total.fr> Subject: Re: CERN httpd vs http-gw To: mcr@milkyway.com (Michael Richardson) Date: Fri, 10 Feb 95 18:06:56 GMT Cc: firewalls@greatcircle.com (fw) Reply-To: lavondes@tidtest.total.fr In-Reply-To: <3hg19s$a8q@calisto.milkyway.com>; from "Michael Richardson" at Feb 10, 95 10:38 am X-Mailer: ELM [version 2.3 PL11] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Michael Richardson wrote : > > [snip] > > Actually, I'd rather make chroot() and <1024 privileges be > contingent on being in group "daemon" and never run these servers as > root at all. > Wouldn't that increase the ease of opening privileged ports on a machine and thus doing such things as denial of service, password capture, and so on ?
-- Michel Lavondes E-Mail : lavondes@tidtest.total.fr lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected) Tel : +33-1-4135-4198 Fax : +33-1-4135-4189 From firewalls-owner Fri Feb 10 09:52:13 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA05499 for firewalls-outgoing; Fri, 10 Feb 1995 08:57:45 -0800 Received: from gold.chem.hawaii.edu (gold.chem.Hawaii.Edu [128.171.55.9]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA05494 for ; Fri, 10 Feb 1995 08:57:36 -0800 Received: by gold.chem.hawaii.edu (4.1/gold-MX-1.9) id AA06859; Fri, 10 Feb 95 06:53:33 HST Date: Fri, 10 Feb 1995 06:53:09 -1000 (HST) From: NetSurfer Subject: Re: servers on PCs To: "Paul O'Donnell" Cc: firewalls In-Reply-To: <199502020558.AA09977@tkis1.morgan.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 2 Feb 1995, Paul O'Donnell wrote: > Following from Steve's comment about finding surprising servers on a > PC. Chameleon contains an NFS server, it's turned off by default, but > it only took a couple of button clicks before I was able to mount a > colleague's PC over a dial up link. Which buttons did you push, please? -NetSurfer #include >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> == = = |James D. Wilson |V.PGP 2.7: 512/E12FCD 1994/03/17 > " " o " |P. O. 
Box 15432 | finger for full PGP key > " " / \ " |Honolulu, HI 96830 |====================================> \" "/ G \" |Serendipitous Solutions| Also NetSurfer@sersol.com > >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

From firewalls-owner Fri Feb 10 10:10:18 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA05709 for firewalls-outgoing; Fri, 10 Feb 1995 09:13:40 -0800 Received: from pegase.total.fr (pegase.total.fr [146.249.41.223]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA05703 for ; Fri, 10 Feb 1995 09:12:51 -0800 Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA23811; Fri, 10 Feb 95 18:05:57 +0100 Received: by tidtest.total.fr (4.1/SMI-4.1) id AA03095; Fri, 10 Feb 95 18:02:24 GMT From: lavondes@tidtest.total.fr (Michel Lavondes) Message-Id: <9502101802.AA03095@tidtest.total.fr> Subject: Re: Anon subscriber to firewalls@greatcircle.com To: Mike.Geipel@Controls.Eurotherm.COM Date: Fri, 10 Feb 95 18:02:23 GMT Cc: firewalls@greatcircle.com (fw) Reply-To: lavondes@tidtest.total.fr In-Reply-To: ; from "Mike Geipel" at Feb 10, 95 9:16 am X-Mailer: ELM [version 2.3 PL11] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Mike Geipel wrote : > > [snip] > > On the subject of whether anonymous subscribers should be allowed: > I have absolutely no problem with anonymous subscribers to a security > list. I completely understand the desire to do so. I certainly hope > that we do NOT start censoring people who read this list! > ++flame; Sorry, I can't follow you there. True, I have no problem with lurkers (i.e., people who stay quiet and just listen), but I still want to know who subscribes to the list, or at least their (assumed) site, so I have someone to complain to, just in case.
Just in case you wonder, I do the same with direct messages to me - delete without reading if anonymous, complain to someone supposedly responsible at their site if I feel it necessary. --flame; Regards -- Michel Lavondes E-Mail : lavondes@tidtest.total.fr lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected) Tel : +33-1-4135-4198 Fax : +33-1-4135-4189 From firewalls-owner Fri Feb 10 10:13:36 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA05492 for firewalls-outgoing; Fri, 10 Feb 1995 08:57:14 -0800 Received: from venere.inet.it (root@venere.inet.it [194.20.8.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA05487 for ; Fri, 10 Feb 1995 08:56:56 -0800 Received: from deneb.UUCP (uudeneb@localhost) by venere.inet.it (8.6.9/8.6.9) with UUCP id RAA117398 for firewalls@GreatCircle.COM; Fri, 10 Feb 1995 17:46:27 +0100 Date: Fri, 10 Feb 1995 17:46:27 +0100 Received: from deneb by deneb.it with UUPC; Fri, 10 Feb 95 17:43:27 +0100 (MET) Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.COM From: pedriali@deneb.it (Roberto Pedriali) Subject: Re: Address translation Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Ian Marr writes: >Antonio Vasconcelos writes: >> >> I need to know if there is some firewall software for unix that over >> the firewall stuff do some addr translation for me. > <... omissis...> > > This depends on what you mean by private addresses ... assuming they > are 'illegal' unregistered (to you) addresses then, yes, you need > an Address Translator. This came up a few months ago and a John > Mayes from Network Translation, Inc, pop'd his head over the parapet > and said they had developed a product, maybe it works ... I have no > idea. Try jcm@translation.com. > > A company in the UK are also claiming a product do this, they are: > Integralis, try: sales@integralis.co.uk ... 
> > However, IFF by private you mean RFC1597, then you do not have a > major problem and can use an Application Proxy based Firewall such as > TIS Firewall Toolkit, TIS Gauntlet or ANS Interlock to achieve > your requirements. > > Ian. >

In the case where one already runs (or plans to run) an Application Proxy Firewall (for all the good reasons to do it), it seems to me that I don't need an address translator anymore; that is already "supplied" by the Application Proxy. What I need is to solve the "routing" problem on the firewall itself. With "illegal" addresses on the internal network I will end up in a situation where I have the same address on both networks (internal/external) of the firewall: the sw running on the firewall has to make the routing decision based on the direction of the connection..... I can draw an example like this: an internal machine with IP address, let's say 161.53.3.1 (an "illegal", not registered address), wants to connect to some Internet machine. It will telnet to the Application Proxy on the Firewall and, after the validation, it will ask to connect to the machine exthost.extnet.com. The sw on the firewall will do name resolution and will come out with the address 161.53.3.1 (an official registered address). Now the trouble starts: how can the sw decide the routing path to the external host? By the way, this is a real problem that I am also facing just now, so any suggestion or pointer to a solution will be very much appreciated.
Regards, Roberto ------------------------------------------------------------------------ Roberto Pedriali Tel.+39 (39) 6084076 Deneb srl Fax.+39 (39) 6084076 Piazza Unita' d'Italia 3/F/3 20059 Vimercate Italy e-mail: pedriali@deneb.it From firewalls-owner Fri Feb 10 10:23:06 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA06049 for firewalls-outgoing; Fri, 10 Feb 1995 09:49:54 -0800 Received: from muse.microunity.com (muse1.microunity.com [192.216.206.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA06043 for ; Fri, 10 Feb 1995 09:49:51 -0800 Received: from gaea.microunity.com by muse.microunity.com (4.1/ericm1.1) id AA08243; Fri, 10 Feb 95 09:47:08 PST Received: from dockmaster.microunity.com by gaea.microunity.com (4.1/muse1.3) id AA11255; Fri, 10 Feb 95 09:47:05 PST Received: from localhost by dockmaster.microunity.com (8.6.4/muse-sw.3) id JAA03194; Fri, 10 Feb 1995 09:47:03 -0800 From: ericm@MicroUnity.com (Eric Murray) Message-Id: <199502101747.JAA03194@dockmaster.microunity.com> Subject: Re: Anon subscribers To: wolfgang.kuehnel@cp-nbg.philips.de (Wolfgang Kuehnel) Date: Fri, 10 Feb 95 9:47:03 GMT Cc: firewalls@greatcircle.com In-Reply-To: <9502100926.AA21084@sit03.cp-nbg.philips.de>; from "Wolfgang Kuehnel" at Feb 10, 95 10:26 am X-Mailer: ELM [version 2.3 PL11] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Wolfgang Kuehnel wrote: > > > Greg Broiles: > >A check of the subscription list reveals that an196844@anon.penet.fi > >is subscribed to 'firewalls'. > > My personal opinion ist that this > subscriber should be removed from > the list. Why does this person try > to hide behind that anon service? Perhaps they want to ask questions and gain knowledge without revealing their site's lack of security? A cracker, as you seem to imply that this anon account is, doesn't need an anon account in order to 'listen in' on the firewalls list. 
A regular account (preferably purloined from an unknowing site :-) will suffice. I have, however, seen a number of people post revealing details of their security setup on the list. Were I interested in cracking systems, I would be sure to read those posts to learn who does not yet have the knowledge to protect themselves, and then target those sites. Posting anonymously is a good way to get information on how to protect yourself without letting 'them' know how little you know.

-- ericm ericm@microunity.com

From firewalls-owner Fri Feb 10 10:53:25 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA07374 for firewalls-outgoing; Fri, 10 Feb 1995 10:44:23 -0800 Received: from schoolnet.carleton.ca (schoolnet.carleton.ca [134.117.55.17]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA07369 for ; Fri, 10 Feb 1995 10:44:19 -0800 Received: by schoolnet.carleton.ca (8.6.9/SMI-4.0) id NAA25807; Fri, 10 Feb 1995 13:38:24 -0500 From: mshaver@schoolnet.carleton.ca (Mike Shaver) Message-Id: <199502101838.NAA25807@schoolnet.carleton.ca> Subject: Re: Address translation To: pedriali@deneb.it (Roberto Pedriali) Date: Fri, 10 Feb 1995 13:38:24 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: from "Roberto Pedriali" at Feb 10, 95 05:46:27 pm MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 8bit Content-Length: 1219 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Roberto Pedriali mumbled something vague about: > With "illegal" addresses on internal network I will come out in a situation > where I have the same address on both network (internal/external) of the > firewall: the sw running on the firewall has to make routing decision > based on the direction of the connection..... > > I can draw an example like this: an internal machine with IP address, let > say 161.53.3.1 (an "illegal" not registered address), want to connect to some > Internet machine.
It will telnet to Application Proxy on Firewall and after > the validation, it will ask to connect to the machine exthost.extnet.com. > The sw on the firewall will do name resolution and will come out with an > address 161.53.3.1 (an official registered address). Now the trouble > starts: how can the sw decide the routing path to external host? The best solution I can think of is to use the addresses specified in RFC 1754 (I think... check the number) as for internal use only. These addresses (192.something... boy, am I helpful) are never routed through the internet, so there will never be an ambiguous case. All internal addresses will be from the inside, and all external addresses will be from the outside. Mike

From firewalls-owner Fri Feb 10 10:55:39 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA06723 for firewalls-outgoing; Fri, 10 Feb 1995 10:20:33 -0800 Received: from ncar.UCAR.EDU (ncar.ucar.edu [192.52.106.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA06693 for ; Fri, 10 Feb 1995 10:20:12 -0800 Message-Id: <199502101817.LAA17452@ncar.ucar.EDU> Received: by ncar.ucar.EDU (NCAR-local/ NCAR Central Post Office 03/11/93) id LAA17452; Fri, 10 Feb 1995 11:17:52 -0700 Subject: split DNS (was Re: Firewall Product Review) To: mjr@tis.com (Marcus J Ranum) Date: Fri, 10 Feb 95 11:17:51 MST Cc: jwk@s-s-s.com, firewalls@GreatCircle.COM In-Reply-To: <9502100335.AA00744@tis.com>; from "Marcus J Ranum" at Feb 9, 95 10:43 pm From: woods@ncar.ucar.edu (Greg Woods) X-Mailer: ELM [version 2.3 PL11] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Splitting DNS is mostly done for "information hiding" > reasons rather than for traffic control. I'll save the list my > usual "3 reasons why DNS hiding is useless in spite of what ches sez" > rant. [Last time, someone actually *DID* come up with a good reason: if > you're using non-issued addresses and want to hide them] I can think of another reason.
As usual, politics is involved :-( But we have users that send mail out with return addresses that are of the form user@host.subdomain.ucar.edu. I want people on the net to be able to reply to those messages, but I don't want to leave our internal hosts' SMTP ports open to connections initiated from the outside. So, I want to send out a wildcard MX record for *.ucar.edu which would direct all inbound mail to our relay host (which would run "smap", be secured in a manner as close as possible to a "bastion host", etc.). This host then needs to be able to resolve the *real* MX/A information in order to deliver the mail. This is another reason for going to a "split DNS" configuration. I know that someone will probably suggest rewriting the addresses on the way out so that they are just "user@ucar.edu". We actually even have a central aliases database that might make this possible. Unfortunately, we cannot control what logins are assigned to the users on the divisional systems (which is where the politics comes in), and there are a number of conflicts where different users in different divisions have the same login name. Thus, we can't guarantee that the "user" part in "user@host.subdomain.ucar.edu" is the same as it is in "user@ucar.edu", so rewriting the addresses this way would be a non-trivial undertaking to say the least. Using a split DNS is easier. 
--Greg From firewalls-owner Fri Feb 10 11:22:17 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA07860 for firewalls-outgoing; Fri, 10 Feb 1995 11:07:48 -0800 Received: from relay.puug.pt (relay.puug.pt [193.126.4.65]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA07854 for ; Fri, 10 Feb 1995 11:07:40 -0800 Received: from q950.bvl.pt by relay.puug.pt with UUCP id AA22649 (5.67a/IDA-1.5 for firewalls@greatcircle.com); Fri, 10 Feb 1995 20:05:16 +0100 Received: from q950 (q950.bvl.pt) by jessica.bvl.pt with SMTP id AA08496 (5.65c/IDA-1.4.4); Fri, 10 Feb 1995 19:49:29 GMT Message-Id: <199502101949.AA08496@jessica.bvl.pt> Date: 10 Feb 1995 19:57:12 +0000 From: "Antonio Vasconcelos" Subject: RE: Address translation To: "Robert Moskowitz" Cc: "FireWalls Mailing List" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>I think that my unofficial addresses are from the RFC1597 range >>(192.168.x.x). But I *DON'T* want that those addresses are known as I >>don't want them to be called from the outside, and I want to set a >>rule in the incoming router that cut's EVERYTHING that don't have a >>destination addr in our external (and official) net, ACK packets >>included. >Most Internet providers are already dropping any packets that are addressed >to or from an RFC 1597 address. That was part of the plan for deploying it. >It is only private if nothing public carries it. >I am sure that some ISP somewhere does not have this set up, so of course >don't count on it until you talk to your provider... I'll have to check that. Thanks. 
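The "Address translation" thread above describes two filters in words: the provider-side rule Robert Moskowitz mentions (drop anything addressed to or from RFC 1597 space) and the inbound-router rule Antonio Vasconcelos wants (cut everything whose destination is not in the site's official external net, ACK packets included). It also contains Roberto Pedriali's routing ambiguity, where an internal "illegal" address and a resolved external address are both 161.53.3.1, and Mike Shaver's answer that private space avoids the collision. The following is an added example written for this page; it is not code from any of the posters, a router vendor or the RFCs. The site's official block (198.51.100.0/24), the outside hosts and the sample packets are assumptions constructed for the example.

```python
"""Border filtering for RFC 1597 (private) address space: a small packet
classifier modelling the rules discussed in the Address translation thread.

Added example, not from any message in the thread. Assumed (not in the
thread): the site's official external net is 198.51.100.0/24; the sample
packets in __main__ are constructed.
"""
import ipaddress
from dataclasses import dataclass

# The three blocks RFC 1597 sets aside for private internets.
RFC1597_PRIVATE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed: the site's registered external net (stand-in for the real one).
OFFICIAL_NET = ipaddress.ip_network("198.51.100.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    tcp_flags: str = ""   # e.g. "S", "A", "SA"; empty for non-TCP


def is_private(addr: str) -> bool:
    """True if addr falls in any RFC 1597 block."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1597_PRIVATE)


def provider_rule(pkt: Packet) -> str:
    """A provider's filter: private space is private only if nothing public
    carries it, so drop a packet with a private source *or* destination."""
    return "drop" if is_private(pkt.src) or is_private(pkt.dst) else "pass"


def site_ingress_rule(pkt: Packet) -> str:
    """The site's inbound router rule. Do not rely on the provider having
    applied provider_rule: drop private space here as well. Then permit only
    packets whose destination is inside the official net. TCP flags are
    deliberately ignored: an "established"-style rule that lets ACK packets
    through to arbitrary destinations is exactly the hole being closed."""
    if is_private(pkt.src) or is_private(pkt.dst):
        return "drop"
    if ipaddress.ip_address(pkt.dst) in OFFICIAL_NET:
        return "pass"
    return "drop"


def filter_inbound(packets):
    """Apply the site rule to a batch; returns (packet, verdict) pairs."""
    return [(p, site_ingress_rule(p)) for p in packets]


def ambiguous_route(internal_net: str, external_addr: str) -> bool:
    """Pedriali's problem: when the inside is numbered from someone else's
    registered space, the address the proxy resolves for an *external* host
    can fall inside the internal net, and the firewall cannot tell which
    interface to send it out of. Returns True when that collision occurs.
    With RFC 1597 space inside, a globally routed address never collides."""
    return ipaddress.ip_address(external_addr) in ipaddress.ip_network(internal_net)


if __name__ == "__main__":
    # Constructed sample traffic arriving on the outside interface.
    sample = [
        Packet("203.0.113.5", "198.51.100.2", "S"),    # real connection to us
        Packet("203.0.113.5", "198.51.100.2", "A"),    # ACK to us: fine
        Packet("203.0.113.5", "192.168.1.7", "A"),     # ACK aimed at the inside
        Packet("192.168.1.7", "198.51.100.2", "S"),    # private source
        Packet("203.0.113.5", "203.0.113.9", "S"),     # not ours at all
    ]
    for pkt, verdict in filter_inbound(sample):
        print(f"{pkt.src:>15} -> {pkt.dst:<15} [{pkt.tcp_flags or '-':>2}] {verdict}")
    print("161.53.3.0/24 inside, 161.53.3.1 outside, ambiguous:",
          ambiguous_route("161.53.3.0/24", "161.53.3.1"))
    print("192.168.77.0/24 inside, 161.53.3.1 outside, ambiguous:",
          ambiguous_route("192.168.77.0/24", "161.53.3.1"))
```

The two filters are kept separate on purpose: the site cannot see whether its provider applied the first one, so the second re-checks for private space before looking at the destination. The last two lines of output show Pedriali's collision with 161.53.3.0/24 inside and its absence once the inside is renumbered into 192.168.0.0/16.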
From firewalls-owner Fri Feb 10 11:37:54 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA07115 for firewalls-outgoing; Fri, 10 Feb 1995 10:34:02 -0800 Received: from maily1.prodigy.com (maily1.prodigy.com [192.207.105.55]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA07110 for ; Fri, 10 Feb 1995 10:33:59 -0800 Received: by maily1.prodigy.com id AA08508 (5.65c/IDA-1.4.4 for firewalls@greatcircle.com); Fri, 10 Feb 1995 13:28:04 -0500 Date: Fri, 10 Feb 1995 13:28:04 -0500 (EST) From: Frank Wortner To: firewalls@greatcircle.com Subject: Re: CERN httpd vs http-gw In-Reply-To: <9502101806.AA03105@tidtest.total.fr> Message-Id: X-Mail-1: Prodigy Services Co. X-Mail-2: 1565 Front Street X-Mail-3: Yorktown Heights NY 10598 X-Phone: 1-914-448-1740 X-Fax: 1-914-448-1946 Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This message is an example of me mounting a soapbox, so if you don't want to read a short speech, just hit the delete button now ... Let's face it: the all-or-nothing privilege scheme of UNIX just isn't suited to the threats that face it today. For example, "sendmail" isn't a particularly bad or buggy piece of code, and most of its vulnerabilities don't stem from its size or complexity; the fact is, it is a target because it runs under the root user id. Attacks on sendmail and other programs running at privileged ports are popular because they can pay a big reward: access to the omnipotent "root" user id. Retrofitting some sort of ACL scheme that controlled access to ports, mail folders, etc., wouldn't be a bad idea. A better idea might be to start from scratch with a new, better OS that builds on the knowledge gained over the past 25 years. I'll refrain from pouring gasoline on the fire by not stating any preference for any particular brand/type of "new OS." 
;-) Frank

-- "Outside of a dog, a book is a man's best friend; inside of a dog, it's too dark to read." -- Groucho Marx

From firewalls-owner Fri Feb 10 11:40:49 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA06801 for firewalls-outgoing; Fri, 10 Feb 1995 10:22:39 -0800 Received: from schoolnet.carleton.ca (schoolnet.carleton.ca [134.117.55.17]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA06796 for ; Fri, 10 Feb 1995 10:22:35 -0800 Received: by schoolnet.carleton.ca (8.6.9/SMI-4.0) id NAA25169; Fri, 10 Feb 1995 13:18:30 -0500 From: mshaver@schoolnet.carleton.ca (Mike Shaver) Message-Id: <199502101818.NAA25169@schoolnet.carleton.ca> Subject: Re: CERN httpd vs http-gw To: lavondes@tidtest.total.fr Date: Fri, 10 Feb 1995 13:18:29 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: <9502101806.AA03105@tidtest.total.fr> from "Michel Lavondes" at Feb 10, 95 06:06:56 pm MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 8bit Content-Length: 826 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Michel Lavondes mumbled something vague about: > > Michael Richardson wrote : > > > > [snip] > > > > Actually, I'd rather make chroot() and <1024 privileges be > > contingent on being in group "daemon" and never run these servers as > > root at all. > > > > Wouldn't that increase the ease of opening privileged ports on a machine > and thus doing such things as denial of service, password capture, and > so on ? Not really. Becoming a member of group daemon is still quite difficult, or should be. Actually, it *should* be as hard as getting root. Of course, you run into problems like the fact that while root is "protected" over NFS, GID 0 is not, and such. Really, the best solution to that kind of thing would be a real multi-level permission system. On Unix, you'll just have to be careful.
=) Mike

From firewalls-owner Fri Feb 10 11:52:35 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA08428 for firewalls-outgoing; Fri, 10 Feb 1995 11:30:54 -0800 Received: from dg-webo.webo.dg.com (dg-webo.us.dg.com [128.221.131.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA08423 for ; Fri, 10 Feb 1995 11:30:50 -0800 Received: from oakhill by dg-webo.webo.dg.com (5.4R2.10/dg-webo-v1) id AA13607; Fri, 10 Feb 1995 14:28:14 -0500 Message-Id: <9502101928.AA13607@dg-webo.webo.dg.com> X-Sender: dlehman@banditos.webo.dg.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 10 Feb 1995 14:32:43 -0400 To: firewalls@greatcircle.com From: dlehman@banditos.webo.dg.com (Donald B. Lehman) Subject: Multiple http proxies X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

With all the discussion of fwtk http-gw and CERN proxy, a conservative approach seems to be to have http-gw on the firewall and the CERN proxy on a DMZ machine to provide caching and perhaps serve as an outside server. The question I have is how do you set up your inside clients to go through two proxies (one for the firewall and another for caching)? I know how to do it manually, but is there any way to configure Netscape or any of the other popular clients to automatically go through two proxies? Or can you configure http-gw to use another proxy? Thanks in advance. -Don Donald B.
Lehman Data General Corporation Systems Integration Internet Specialist 4400 Computer Drive email: dlehman@banditos.webo.dg.com Westboro, MA 01580 Voice: (508)898-7282 Fax: (508)898-4496 From firewalls-owner Fri Feb 10 12:22:13 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA08291 for firewalls-outgoing; Fri, 10 Feb 1995 11:24:51 -0800 Received: from muse.microunity.com (muse1.microunity.com [192.216.206.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA08280 for ; Fri, 10 Feb 1995 11:24:47 -0800 Received: from gaea.microunity.com by muse.microunity.com (4.1/ericm1.1) id AA09346; Fri, 10 Feb 95 11:20:53 PST Received: from dockmaster.microunity.com by gaea.microunity.com (4.1/muse1.3) id AA14909; Fri, 10 Feb 95 11:20:51 PST Received: from localhost by dockmaster.microunity.com (8.6.4/muse-sw.3) id LAA00373; Fri, 10 Feb 1995 11:20:51 -0800 From: ericm@MicroUnity.com (Eric Murray) Message-Id: <199502101920.LAA00373@dockmaster.microunity.com> Subject: Re: Anon subscriber to firewalls@greatcircle.com To: lavondes@tidtest.total.fr Date: Fri, 10 Feb 95 11:20:49 GMT Cc: Mike.Geipel@Controls.Eurotherm.COM, firewalls@greatcircle.com In-Reply-To: <9502101802.AA03095@tidtest.total.fr>; from "Michel Lavondes" at Feb 10, 95 6:02 pm X-Mailer: ELM [version 2.3 PL11] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Michel Lavondes wrote: > > Mike Geipel wrote : > > > > [snip] > > > > On the subject of whether anonymous subscribers should be allowed: > > I have absolutely no problem with anonymous subscribers to a security > > list. I completely understand the desire to do so. I certainly hope > > that we do NOT start censoring people who read this list! > > > > ++flame; > Sorry, I can't follow you there. 
True, I have no problem with lurkers (ie, > people who stay quiet and just listen), but I still want to know who > subscribes to the list, or at list their (assumed) site, so I have someone > to complain to, just in case. Just in case you wonder, I do the same with > direct messages to me - delete without reading if anonymous, complain to > someone supposedly responsible at their site if I feel it necessary. fine. if you don't like anonymous mail, then delete anon messages sent to you that originate from the firewalls list. problem solved. you're telling us that it's ok to have 'lurkers', who may be system crackers looking for posts from clueless admins. but that the clueless admins who are trying to GET a clue must advertise the fact rather than post anonymously. of course, any one with the knowledge can forge mail, so you should treat ALL mail From: lines as advisory at best. in effect we're all anonymous, should we wish to be. unfortunately the admins who don't understand firewalls and who need to secure their site probably don't know how to forge email either. so an anon posting is, for them, the only way to ask a potentially embarassing question without giving away the knowledge that their site is less than perfectly secure. why is it so difficult for people to grasp this conecpt? 
-- 
ericm  ericm@microunity.com

From firewalls-owner Fri Feb 10 12:33:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA08816 for firewalls-outgoing; Fri, 10 Feb 1995 11:43:47 -0800
Received: from sgigate.sgi.com (sgigate.SGI.COM [204.94.209.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA08805 for ; Fri, 10 Feb 1995 11:43:42 -0800
Received: from sgihub.corp.sgi.com (sgihub.corp.sgi.com [192.26.51.188]) by sgigate.sgi.com (940519.SGI.8.6.9/8.6.4) with ESMTP id LAA16497; Fri, 10 Feb 1995 11:41:27 -0800
Received: from yeager.corp.sgi.com by sgihub.corp.sgi.com via ESMTP (940519.SGI.8.6.9/911001.SGI) id LAA13233; Fri, 10 Feb 1995 11:41:26 -0800
Received: by yeager.corp.sgi.com (940816.SGI.8.6.9/930416.SGI) id LAA29938; Fri, 10 Feb 1995 11:43:19 -0800
From: lear@yeager.corp.sgi.com (Eliot Lear)
Message-Id: <9502101143.ZM29936@yeager.corp.sgi.com>
Date: Fri, 10 Feb 1995 11:43:18 -0800
In-Reply-To: Frode Hoem "http-proxy through SOCKS or not ?" (Feb 9, 9:03pm)
References: <199502092003.VAA15263@alv.nada.kth.se>
X-Mailer: Z-Mail (3.2.0 26oct94 MediaMail)
To: Frode Hoem , Firewalls@GreatCircle.COM
Subject: Re: http-proxy through SOCKS or not ?
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A firewall is a machine on which you try to run as little as possible. HTTPDs are programs in which the goal seems to have been to link as much code in as possible. The two are not compatible (*IMHO*).
-- 
Eliot Lear
[lear@sgi.com]

From firewalls-owner Fri Feb 10 12:52:28 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA09758 for firewalls-outgoing; Fri, 10 Feb 1995 12:37:27 -0800
Received: from joy.jsc.nasa.gov (joy.jsc.nasa.gov [139.169.137.12]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA09751 for ; Fri, 10 Feb 1995 12:37:23 -0800
Received: from msmtp-out.jsc.nasa.gov ([139.169.94.6]) by joy.jsc.nasa.gov (4.1/25-eef) id AA24017; Fri, 10 Feb 95 14:37:56 CST
Received: by msmtp-out.jsc.nasa.gov with Microsoft Mail id <2F3BCE77@msmtp-out.jsc.nasa.gov>; Fri, 10 Feb 95 14:37:11 cst
From: "McMullen, Michael K."
To: greatcircle
Subject: Raptor rmck ?
Date: Fri, 10 Feb 95 14:34:00 cst
Message-Id: <2F3BCE77@msmtp-out.jsc.nasa.gov>
Encoding: 15 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hey rmck,

You captor'd my curiosity with your Raptor response.

Would you mind telling me who at GSFC did the eval ?

Thanks, Mike

M. K. McMullen
IPSO/DC
713/244-5432
mmcmulle@gp801.jsc.nasa.gov

"better to try something and fail, than to try nothing and succeed"

From firewalls-owner Fri Feb 10 13:16:19 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA09873 for firewalls-outgoing; Fri, 10 Feb 1995 12:44:08 -0800
Received: from chsun.eunet.ch (chsun.eunet.ch [146.228.10.15]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA09868 for ; Fri, 10 Feb 1995 12:44:04 -0800
Received: from mozart.UUCP by chsun.eunet.ch (8.6.4/1.34) id VAA11532; Fri, 10 Feb 1995 21:41:05 +0100
Received: from santana.ergon.ch by mozart.ergon.ch (4.1/SMI-4.1) id AA27099; Fri, 10 Feb 95 21:39:25 +0100
Date: Fri, 10 Feb 95 21:39:25 +0100
From: sten@ergon.CH (Sten Gunterberg)
Message-Id: <9502102039.AA27099@mozart.ergon.ch>
To: dlehman@banditos.webo.dg.com
Subject: Re: Multiple http proxies
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Donald B. Lehman asks:
> 
> [...] is there any way to configure Netscape or any of the other popular
> clients to automatically go through two proxies? Or can you configure
> http-gw to use another proxy?
> 

I have not actually tried this, but I think it should work: On the "firewall" proxy host, instead of http-gw, use plug-gw on port 80 to plug to the CERN-httpd running on a DMZ host, which then acts as the HTTP proxy.
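The arrangement Sten sketches (the firewall relays port 80 byte-for-byte to the CERN proxy in the DMZ and never speaks HTTP itself, so the browser only has to know about the first hop) as an added Python example. This is not the TIS FWTK plug-gw code, only a relay in its spirit; the inside net 192.168.0.0/16 and the DMZ cache address 203.0.113.10 are constructed. It goes a little beyond the post by including the one policy such a plug does apply (the source address of the connection) and a loopback harness that stands in for the DMZ cache, so it runs offline.

```python
# Added example (not the FWTK's plug-gw): a minimal TCP "plug" for the
# firewall leg of the two-proxy chain, plus an offline loopback harness.
import ipaddress
import socket
import threading

# Constructed policy: only the inside net may use the plug, and every
# accepted connection is wired to the single DMZ cache (the CERN httpd).
INSIDE_NETS = ["192.168.0.0/16"]          # assumed inside (private) net
PLUG_TO = ("203.0.113.10", 80)            # assumed DMZ cache address

def client_allowed(host, nets=INSIDE_NETS):
    """The only policy a plug applies: is the source address an inside one?"""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(n) for n in nets)

def pump(src, dst):
    """Copy bytes one way until EOF, then half-close the far side so the
    other pump sees EOF too. No parsing: the plug never looks at HTTP."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def plug(client, upstream):
    """Bidirectional relay made of two pumps; returns when both are done."""
    t = threading.Thread(target=pump, args=(client, upstream), daemon=True)
    t.start()
    pump(upstream, client)
    t.join()
    client.close()
    upstream.close()

def serve_one(listener, plug_to=PLUG_TO, nets=INSIDE_NETS):
    """Accept one connection: refuse outsiders, plug insiders to the cache.
    Returns True if the connection was relayed, False if refused."""
    client, (host, _port) = listener.accept()
    if not client_allowed(host, nets):
        client.close()                    # not from inside: drop it
        return False
    upstream = socket.create_connection(plug_to, timeout=10)
    plug(client, upstream)
    return True

def run_loopback_demo(nets, request=b"GET http://www.example.com/ HTTP/1.0\r\n\r\n"):
    """Offline harness: a fake DMZ cache that echoes what it received, the plug
    in front of it, and an inside client. Returns the bytes the client got
    back (b"" when the plug refused the connection)."""
    cache = socket.socket()
    cache.bind(("127.0.0.1", 0))
    cache.listen(1)

    def fake_cache():
        conn, _ = cache.accept()
        with conn:
            conn.sendall(b"CACHE-SAW:" + conn.recv(4096))

    threading.Thread(target=fake_cache, daemon=True).start()

    fw = socket.socket()
    fw.bind(("127.0.0.1", 0))
    fw.listen(1)
    t = threading.Thread(target=serve_one, args=(fw, cache.getsockname(), nets), daemon=True)
    t.start()

    got = b""
    with socket.create_connection(fw.getsockname(), timeout=5) as c:
        c.sendall(request)
        try:
            while True:
                part = c.recv(4096)
                if not part:
                    break
                got += part
        except OSError:                   # reset by a refusing plug: same as EOF
            pass
    t.join(5)
    cache.close()
    fw.close()
    return got

if __name__ == "__main__":
    print(run_loopback_demo(["127.0.0.0/8"]))      # loopback counts as inside: relayed
    print(run_loopback_demo(["192.168.0.0/16"]))   # loopback is outside: refused
```

Because the plug copies bytes without parsing them, the CERN proxy in the DMZ is the only component that has to understand HTTP, which is exactly the division of labour Don asked for; the price is that the firewall can only make its decision on the source address, not on the URL.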
(wow, what a monster sentence :)

----------------------------------------------------------------------------
Sten Gunterberg          Phone: +41 1 251 2102, Fax: +41 1 261 2750
Ergon Informatik AG      Internet: gunterberg@ergon.ch
Zuerich, Switzerland     X.400: /S=Gunterberg/O=Ergon/P=EUnet/A=EUnet/C=CH/

From firewalls-owner Fri Feb 10 13:17:47 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA09393 for firewalls-outgoing; Fri, 10 Feb 1995 12:13:57 -0800
Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA09388 for ; Fri, 10 Feb 1995 12:13:54 -0800
Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.9/8.6.9) id OAA29964; Fri, 10 Feb 1995 14:06:19 -0600
Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma029962; Fri Feb 10 14:06:14 1995
Received: from ernie.bridge.com by ignatz.bridge.com with SMTP id AA08486 (5.67b/IDA-1.5); Fri, 10 Feb 1995 14:13:20 -0600
Date: Fri, 10 Feb 1995 14:13:20 -0600
From: Ken Hardy
Message-Id: <199502102013.AA08486@ignatz.bridge.com>
To: dlehman@banditos.webo.dg.com
Subject: Re: Multiple http proxies
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>proxies (one for firewall and another for caching)? I know how to manually
>do it, but is there any way to configure Netscape or any of the other popular
>clients to automatically go through two proxies? Or can you configure
>http-gw to use another proxy?

Netscape et al. only need to know about the first proxy. Where that proxy gets its service is its own business. You can use plug-gw on the firewall to direct the proxy requests to the proxy on the httpd on the machine in the DMZ. I experimented with this and had no problems, though I didn't bang on it for too long. Can't think of why it shouldn't be robust, though.
Don't know if http-gw can be directed to a proxy, but you don't need it if this is the way you're going to do it.

-KH

From firewalls-owner Fri Feb 10 13:32:52 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA10409 for firewalls-outgoing; Fri, 10 Feb 1995 13:06:36 -0800
Received: from emamv1.orl.mmc.com (ccmail.orl.mmc.com [141.240.60.144]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA10404 for ; Fri, 10 Feb 1995 13:06:33 -0800
From: Randy_Riley@ccmail.orl.mmc.com
Received: from ccmail.orl.mmc.com by emamv1.orl.mmc.com (PMDF V4.3-9 #5230) id <01HMW21REOIO009FNF@emamv1.orl.mmc.com>; Fri, 10 Feb 1995 16:02:46 -0400 (EDT)
Date: Fri, 10 Feb 1995 14:59 -0400 (EDT)
Subject: Re[2]: Anon subscribers
To: ericm@microunity.com, wolfgang.kuehnel@cp-nbg.philips.de
Cc: firewalls@greatcircle.com
Message-id: <01HMW21V4DEE009FNF@emamv1.orl.mmc.com>
MIME-version: 1.0
Content-type: TEXT/PLAIN
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Eddi Spittlebut,

Said this anonymous user certainly has something to lose by making him/herself known. It takes guts to make yourself available and open to others' scrutinizing eyes and waves. Either chunk FTP or bring them all on - FTP could be all an196844@anon.penet.fi has. Let's just get on with business as usual.

>Wolfgang Kuehnel wrote:
>>
>>
>> Greg Broiles:
>> >A check of the subscription list reveals that an196844@anon.penet.fi
>> >is subscribed to 'firewalls'.
>>
>> My personal opinion is that this
>> subscriber should be removed from
>> the list. Why does this person try
>> to hide behind that anon service?
>
>
>Perhaps they want to ask questions and gain knowledge without
>revealing their site's lack of security?
>
>--
> ericm  ericm@microunity.com
>

rwr
randy_riley@ccmail.orl.mmc.com
--
Looking for skurfers, slalomers and other ws phenom ^/^__

From firewalls-owner Fri Feb 10 13:43:25 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA09584 for firewalls-outgoing; Fri, 10 Feb 1995 12:26:26 -0800
Received: from Badger.Arnold.Com (Badger.Arnold.Com [192.135.80.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA09577 for ; Fri, 10 Feb 1995 12:26:22 -0800
From: Stephen.L.Arnold@Arnold.Com
Received: from Badger.Arnold.Com by Badger.Arnold.Com (PMDF V5.0-0 #7935) id <01HMUY630Q7K8WVZQ1@Badger.Arnold.Com>; Fri, 10 Feb 1995 14:23:57 -0600 (CST)
Date: Fri, 10 Feb 1995 14:14:59 -0600 (CST)
Subject: Re: Anyone read these books?
In-reply-to: "Your message dated Fri, 10 Feb 1995 14:39:03 -0500" <9502101939.AA10418@tis.com>
To: Frederick M Avolio
Cc: Firewalls@GreatCircle.Com, Stephen.L.Arnold@Arnold.Com
Message-id: 01HMVYLCPF3C8WVZQ1@Badger.Arnold.Com
Organization: Arnold Consulting, Inc.
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
Content-transfer-encoding: 7BIT
References: 01HMPHKE1DOK8WW0T5@Badger.Arnold.Com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Do you have any more information on this book, such as publisher? Our
> librarian cannot find it anywhere, but then perhaps she isn't looking
> in the right places.
> Thanks
> Fred

They're new:

Internet Firewalls and Network Security, 450 pp., softcover, New Riders Publishing (I never heard of 'em either!), January 1995, publisher's price $35.00.

E-Mail Security, 288 pp., softcover, John Wiley & Sons, February 1995, publisher's price $24.95

Disclaimer: I haven't seen these. No endorsement implied!

Regards, "Steve"

Stephen L. Arnold, Ph.D., President, Arnold Consulting, Inc.
Address 2530 Targhee Street, Madison, Wisconsin 53711-5491 U.S.A.
Telephone +1 608 278 7700
Facsimile +1 608 278 7701
Internet Stephen.L.Arnold@Arnold.Com
Pager (800) 351 8927

From firewalls-owner Fri Feb 10 13:46:10 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA08838 for firewalls-outgoing; Fri, 10 Feb 1995 11:43:56 -0800
Received: from world1.worldbit.com (gw.worldbit.com [199.4.64.236]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA08826 for ; Fri, 10 Feb 1995 11:43:51 -0800
Received: from [192.0.2.1] (crl7.crl.com [165.113.1.18]) by world1.worldbit.com (8.6.4.1/A/UX 3.1) with SMTP id LAA07326; Fri, 10 Feb 1995 11:47:56 -0800
Date: Fri, 10 Feb 1995 11:47:56 -0800
X-Sender: blast@worldbit.com (Unverified)
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Lawrence Beasley
From: Tim Keanini (Tim Keanini)
Subject: Re: apple macs
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>On 9 Feb 1995 BERNI@erc.ie wrote:
>
>> Is there any software out there to password protect standalone Apple
>> Macs?
> FolderBolt Pro protects folders from prying eyes...
> NightWatch protects the HD from unauthorized access (password
> There's FileGuard and DiskGuard to protect files/folders and
> ultraShield, ultraSecure, and cypherPad which pretty much do
> and then there's Empower and Empower II. I like these better
> than the rest (I use Empower II). Protects the machine at the

[snip snip snip]

Also, FWB's Hard Disk Tool kit has a very nice way to give the partitions password at the driver level. Very very helpful.
--blast

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
| "The limits of my language, are the limits of my world" |
|                                         --Wittgenstein |
|                                                        |
|                                                        |
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

From firewalls-owner Fri Feb 10 13:52:14 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA08572 for firewalls-outgoing; Fri, 10 Feb 1995 11:36:19 -0800
Received: from relay.puug.pt (relay.puug.pt [193.126.4.65]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA08562 for ; Fri, 10 Feb 1995 11:36:11 -0800
Received: from q950.bvl.pt by relay.puug.pt with UUCP id AA23171 (5.67a/IDA-1.5 for firewalls@greatcircle.com); Fri, 10 Feb 1995 20:33:43 +0100
Received: from q950 (q950.bvl.pt) by jessica.bvl.pt with SMTP id AA08634 (5.65c/IDA-1.4.4); Fri, 10 Feb 1995 20:05:28 GMT
Message-Id: <199502102005.AA08634@jessica.bvl.pt>
Date: 10 Feb 1995 20:13:09 +0000
From: "Antonio Vasconcelos"
Subject: RE: Address translation
To: "Roberto Pedriali"
Cc: "FireWalls Mailing List"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>In the case where there are already run (or plan to run) a Application
>Proxy Firewall (for all the good reason to do it) seems to me that I don't
>need anymore an address translator, that is already "supplied" by
>Application Proxy, but what I need is to solve the "routing" problem on the
>firewall itself.

I'm starting to reach that conclusion too.

>I can draw an example like this: an internal machine with IP address, let
>say 161.53.3.1 (an "illegal" not registered address), wants to connect to some
>Internet machine. It will telnet to Application Proxy on Firewall and after
>the validation, it will ask to connect to the machine exthost.extnet.com.
>The sw on the firewall will do name resolution and will come out with an
>address 161.53.3.1 (an official registered address). Now starts the
>trouble: how can the sw decide the routing path to external host?
Hopefully that will never happen if using private addresses as defined by rfc1597, ie, between the ranges:

    10.0.0.0    / 10.255.255.255
    172.16.0.0  / 172.31.255.255
    192.168.0.0 / 192.168.255.255

And I'm using 192.168.x.x for my internal (non-public) nets.

As someone has said before, most Internet providers should be dropping these ranges in every router.

From firewalls-owner Fri Feb 10 14:08:01 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA09831 for firewalls-outgoing; Fri, 10 Feb 1995 12:40:58 -0800
Received: from maily1.prodigy.com (maily1.prodigy.com [192.207.105.55]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA09826 for ; Fri, 10 Feb 1995 12:40:50 -0800
Received: by maily1.prodigy.com id AA66703 (5.65c/IDA-1.4.4); Fri, 10 Feb 1995 15:31:06 -0500
Date: Fri, 10 Feb 1995 15:31:06 -0500 (EST)
From: Frank Wortner
To: Greg Woods
Cc: firewalls@greatcircle.com
Subject: Re: split DNS (was Re: Firewall Product Review)
In-Reply-To: <199502101817.LAA17452@ncar.ucar.EDU>
Message-Id:
X-Mail-1: Prodigy Services Co.
X-Mail-2: 1565 Front Street
X-Mail-3: Yorktown Heights NY 10598
X-Phone: 1-914-448-1740
X-Fax: 1-914-448-1946
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 10 Feb 1995, Greg Woods wrote:

> But we have users that send mail out with return addresses that are of
> the form user@host.subdomain.ucar.edu. I want people on the net to be
> able to reply to those messages, but I don't want to leave our internal
> hosts' SMTP ports open to connections initiated from the outside. So, I
> want to send out a wildcard MX record for *.ucar.edu which would direct
> all inbound mail to our relay host (which would run "smap", be secured
> in a manner as close as possible to a "bastion host", etc.). This host
> then needs to be able to resolve the *real* MX/A information in order
> to deliver the mail.
> This is another reason for going to a "split DNS"
> configuration.

But wouldn't it also be possible to build a hierarchy of MX records like this:

    host.domain.ucar.edu    MX 100  bastion.ucar.edu
                            MX 1    host.domain.ucar.edu

and avoid the split DNS altogether? Hosts that can't get to "host.domain.ucar.edu" would send mail to "bastion.ucar.edu", while the bastion would send the mail to "host.domain.ucar.edu".

Frank

-- 
"Outside of a dog, a book is a man's best friend;
 inside of a dog, it's too dark to read." -- Groucho Marx

From firewalls-owner Fri Feb 10 14:14:05 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA09369 for firewalls-outgoing; Fri, 10 Feb 1995 12:12:56 -0800
Received: from chsun.eunet.ch (chsun.eunet.ch [146.228.10.15]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA09364 for ; Fri, 10 Feb 1995 12:12:51 -0800
Received: from mozart.UUCP by chsun.eunet.ch (8.6.4/1.34) id VAA09951; Fri, 10 Feb 1995 21:11:04 +0100
Received: from santana.ergon.ch by mozart.ergon.ch (4.1/SMI-4.1) id AA27019; Fri, 10 Feb 95 21:03:26 +0100
Date: Fri, 10 Feb 95 21:03:26 +0100
From: sten@ergon.CH (Sten Gunterberg)
Message-Id: <9502102003.AA27019@mozart.ergon.ch>
To: pedriali@deneb.it
Subject: Re: Address translation
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> pedriali@deneb.it (Roberto Pedriali) writes:
> 
> I can draw an example like this: an internal machine with IP address, let
> say 161.53.3.1 (an "illegal" not registered address), wants to connect to some
> Internet machine. It will telnet to Application Proxy on Firewall and after
> the validation, it will ask to connect to the machine exthost.extnet.com.
> The sw on the firewall will do name resolution and will come out with an
> address 161.53.3.1 (an official registered address). Now starts the
> trouble: how can the sw decide the routing path to external host?
> 
> By the way this is a real problem that I am also facing just now, so any
> suggestion or pointer to a solution will be very appreciated.
> 

If you *absolutely cannot* renumber to either a registered or to a RFC1597 network number, there is always the -- somewhat ugly and costly -- possibility to run *two* dual-homed, non-routing, proxying (sp?) gateways "in a row" as follows:

         Internet
            |
            |
          Router        Outer-GW           Inner-GW
            |            |    |             |    |
            +------------+    +-------------+    +-----------------------
            Perimeter net     "Isolation" net    Internal (illegal) net

The perimeter and isolation nets would use registered addresses, probably a sub-netted class C address would suffice. The internal net could remain using the unregistered "illegal" address.

The inner gateway would just run "straight forwarding" proxies (e.g. plug-gw from the TIS FWTK). The outer gateway would be configured like any "standard" proxy gateway host.

----------------------------------------------------------------------------
Sten Gunterberg          Phone: +41 1 251 2102, Fax: +41 1 261 2750
Ergon Informatik AG      Internet: gunterberg@ergon.ch
Zuerich, Switzerland     X.400: /S=Gunterberg/O=Ergon/P=EUnet/A=EUnet/C=CH/

From firewalls-owner Fri Feb 10 14:24:32 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA10764 for firewalls-outgoing; Fri, 10 Feb 1995 13:30:37 -0800
Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA10758 for ; Fri, 10 Feb 1995 13:30:24 -0800
Received: (from fc@localhost) by all.net (8.6.9/8.6.9) id QAA07179 for firewalls@greatcircle.com; Fri, 10 Feb 1995 16:25:18 -0500
From: "Dr. Frederick B. Cohen"
Message-Id: <199502102125.QAA07179@all.net>
Subject: anon
To: firewalls@greatcircle.com
Date: Fri, 10 Feb 1995 16:25:07 -0500 (EST)
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 1039
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It doesn't seem to occur to any of the posters that some people just want to be anonymous. In my case, it would probably be beneficial to be anonymous when I post things that offend some of you, while other people just think of it as a basic right of privacy.

The idea that firewalls should not be available to anyone is a real leap. Consider that it is available via anonymous FTP, can be searched from this machine, and is likely posted by readers to other places. Furthermore, firewalls has listed the ftp sites of numerous openly available programs that automate various aspects of system attacks! It seems to me that the least of our worries is an anonymous poster.

HOWEVER - I wish that the anonymous server was a little bit better at telling a legitimate request for an account than it is. Furthermore, since it seems to give out accounts in sequence, I can look at the firewalls digest and readily determine who has what account number based on my account number from a previous posting. So much for being anonymous.
FC

From firewalls-owner Fri Feb 10 14:24:35 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA10951 for firewalls-outgoing; Fri, 10 Feb 1995 13:47:04 -0800
Received: from svcs1.digex.net (svcs1.digex.net [204.91.197.224]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA10939 for ; Fri, 10 Feb 1995 13:46:59 -0800
Received: from paragon-systems.com (sundevil.paragon-systems.com) by svcs1.digex.net with SMTP id AA09521 (5.67b8/IDA-1.5 for ); Fri, 10 Feb 1995 16:44:50 -0500
Received: from Paragon-Systems.COM (sandfiddler) by paragon-systems.com (4.1/SMI-4.1) id AA02996; Fri, 10 Feb 95 16:46:01 EST
Received: by Paragon-Systems.COM (5.0/SMI-SVR4) id AA00639; Fri, 10 Feb 1995 16:43:53 +0500
Date: Fri, 10 Feb 1995 16:43:53 +0500
From: rmck@sandfiddler.paragon-systems.com (Bob McKisson)
Message-Id: <9502102143.AA00639@ Paragon-Systems.COM>
To: Firewalls@greatcircle.com, mmcmulle@gp801.jsc.nasa.gov
Subject: Re: Raptor rmck ?
X-Sun-Charset: US-ASCII
Content-Length: 862
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From firewalls-owner@GreatCircle.COM Fri Feb 10 16:19 EST 1995
> From: "McMullen, Michael K."
> To: greatcircle
> Subject: Raptor rmck ?
> Date: Fri, 10 Feb 95 14:34:00 cst
> Encoding: 15 TEXT
> 
> 
> Hey rmck,
> 
> You captor'd my curiosity with your Raptor response.
> 
> Would you mind telling me who at GSFC did the eval ?
> 
> Thanks, Mike
> 
> M. K. McMullen
> IPSO/DC
> 713/244-5432
> mmcmulle@gp801.jsc.nasa.gov
> 
> "better to try something and fail, than to try nothing and succeed"
> 

Mike -

I got your note but sorry I gotta run out the door. My wife is standin' an' waitin' by a broken automobile. If I don't deal with her now, getting back to you is going to be the least of my problems. I'll probably be on net tomorrow so check yur mail either over the weekend or Monday.
Bob

From firewalls-owner Fri Feb 10 14:46:49 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA11199 for firewalls-outgoing; Fri, 10 Feb 1995 14:01:58 -0800
Received: from tango.rahul.net (root@tango.rahul.net [192.160.13.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA11194 for ; Fri, 10 Feb 1995 14:01:55 -0800
Received: from bolero.rahul.net by tango.rahul.net with SMTP id AA05539 (5.67b8/IDA-1.5 for ); Fri, 10 Feb 1995 13:59:59 -0800
Received: by bolero.rahul.net id AA25912 (5.67b8/IDA-1.5 for firewalls@greatcircle.com); Fri, 10 Feb 1995 13:59:58 -0800
Date: Fri, 10 Feb 1995 13:59:58 -0800
From: Rahul Dhesi
Message-Id: <199502102159.AA25912@bolero.rahul.net>
To: firewalls@greatcircle.com
Subject: Re: CERN httpd vs http-gw
References:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Frank Wortner writes:

>Retrofitting some sort of ACL scheme that controlled access to ports,
>mail folders, etc., wouldn't be a bad idea. A better idea might be to
>start from scratch with a new, better OS that builds on the knowledge
>gained over the past 25 years.

1. MULTICS had it all in rather graceful ways: The idea of degrees of trust. I don't know what happened to it, other than that nobody uses it any more, but everybody studies it so they can do what it did.

2. VMS: They did pretty much that (except for the 25 years figure) when they designed VAX/VMS in the early eighties. Access control lists galore. Quotas for outstanding I/O operations, physical memory, swap space, and just about every shared resource, ad infinitum. The OS spends most of its time maintaining the huge context carried around by each process and very little time doing any real work. Process creation under VAX/VMS is painfully slow.

No flame war intended, but access controls are not free.
-- 
Rahul Dhesi

From firewalls-owner Fri Feb 10 14:46:52 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA10987 for firewalls-outgoing; Fri, 10 Feb 1995 13:50:46 -0800
Received: from gateway.sequent.com (gateway.sequent.com [138.95.18.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA10982 for ; Fri, 10 Feb 1995 13:50:43 -0800
Received: from [138.95.14.34] by gateway.sequent.com (5.61/1.34) id AA28927; Fri, 10 Feb 95 13:47:14 -0800
Received: from ushqgw0a.sequent.com by relay1.sequent.com (5.65/crg/11) id AA20111; Fri, 10 Feb 95 13:47:59 -0800
Received: by ushqgw.sequent.com with Microsoft Mail id <2F3BE056@ushqgw.sequent.com>; Fri, 10 Feb 95 13:53:26 PST
From: "Ned Smith (nedbob)"
To: "'Firewalls Alias(firewalls@greatcircle.com)'"
Subject: Re: CERN httpd vs http-gw
Date: Fri, 10 Feb 95 13:47:00 PST
Message-Id: <2F3BE056@ushqgw.sequent.com>
Encoding: 47 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There are UNIX based systems with Least Privilege features! There are compartmented mode workstations (CMW) and B2 (if I remember my orange book) evaluated systems which will have it. IMHO, Least Privilege is more important to commercial users than are mandatory access control (MAC) features. I guess this makes a case for ITSEC evaluations, which give you credit for putting least privilege in an otherwise Cx or B1 system.

Regards,
Ned Smith
nedbob@sequent.com

----------
|From: firewalls-owner
|To: firewalls
|Subject: Re: CERN httpd vs http-gw
|Date: Friday, February 10, 1995 1:28PM
|
|-----------------------------------------------------------------
|This message is an example of me mounting a soapbox, so if you don't
|want to read a short speech, just hit the delete button now ...
|
|Let's face it: the all-or-nothing privilege scheme of UNIX just isn't
|suited to the threats that face it today.
|For example, "sendmail" isn't a
|particularly bad or buggy piece of code, and most of its vulnerabilities
|don't stem from its size or complexity; the fact is, it is a target
|because it runs under the root user id. Attacks on sendmail and other
|programs running at privileged ports are popular because they can pay a
|big reward: access to the omnipotent "root" user id.
|
|Retrofitting some sort of ACL scheme that controlled access to ports,
|mail folders, etc., wouldn't be a bad idea. A better idea might be to
|start from scratch with a new, better OS that builds on the knowledge
|gained over the past 25 years.
|
|I'll refrain from pouring gasoline on the fire by not stating any
|preference for any particular brand/type of "new OS." ;-)
|
| Frank
|
|--
|"Outside of a dog, a book is a man's best friend;
| inside of a dog, it's too dark to read." -- Groucho Marx
|
|

From firewalls-owner Fri Feb 10 14:52:36 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA11904 for firewalls-outgoing; Fri, 10 Feb 1995 14:30:10 -0800
Received: from uu.psi.com (uu.psi.com [136.161.128.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA11892 for ; Fri, 10 Feb 1995 14:30:04 -0800
Received: from gigi.UUCP by uu.psi.com (5.65b/4.0.061193-PSI/PSINet) via UUCP; id AA09562 for ; Fri, 10 Feb 95 17:05:56 -0500
Received: by gigi.Gigadactyl.COM (4.1/SMI-4.1) id AA21595; Fri, 10 Feb 95 16:44:15 EST
Date: Fri, 10 Feb 95 16:44:15 EST
From: chuck@gigadactyl.com (Chuck Ocheret)
Message-Id: <9502102144.AA21595@gigi.Gigadactyl.COM>
To: ericm@microunity.com, wolfgang.kuehnel@cp-nbg.philips.de
Subject: Re: Anon subscribers
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From firewalls-owner@GreatCircle.COM Fri Feb 10 14:05:50 1995

Posting anonymously is a good way to get information on how to protect yourself without letting 'them' know how little you know. Or how much you know.
~chuck

From firewalls-owner Fri Feb 10 15:22:33 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA12295 for firewalls-outgoing; Fri, 10 Feb 1995 14:42:04 -0800
Received: from bwh.harvard.edu (bwh.harvard.edu [134.174.81.34]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA12290 for ; Fri, 10 Feb 1995 14:42:01 -0800
Received: from bwnmr5.bwh.harvard.edu (bwnmr5.bwh.harvard.edu [134.174.81.35]) by bwh.harvard.edu (8.6.9/8.6.9) with ESMTP id RAA10804; Fri, 10 Feb 1995 17:39:20 -0500
From: Adam Shostack
X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School
Received: from localhost (adam@localhost) by bwnmr5.bwh.harvard.edu (8.6.4/8.6.4) id RAA15755; Fri, 10 Feb 1995 17:39:26 -0500
Message-Id: <199502102239.RAA15755@bwnmr5.bwh.harvard.edu>
Subject: Re: anon
To: fc@all.net (Dr. Frederick B. Cohen)
Date: Fri, 10 Feb 1995 17:39:26 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199502102125.QAA07179@all.net> from "Dr. Frederick B. Cohen" at Feb 10, 95 04:25:07 pm
X-PGP: 876BD629 Fingerprint: 70 93 32 D6 36 D4 04 10 40 EC AB 28 A4 1D 0F E2
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 741
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Fred Cohen wrote:

| HOWEVER - I wish that the anonymous server was a little bit better at
| telling a legitimate request for an account than it is. Furthermore,
| since it seems to give out accounts in sequence, I can look at the
| firewalls digest and readily determine who has what account number based
| on my account number from a previous posting. So much for being
| anonymous.

The server can deal just fine; the subscriber simply didn't subscribe properly. Had he listed his address as NA.... instead of AN..., replies would not be anonymized.

Other than that, you're right, the account numbers should be given out in a random order.
Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From firewalls-owner Fri Feb 10 15:25:56 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA12458 for firewalls-outgoing; Fri, 10 Feb 1995 14:46:17 -0800 Received: from gater3.sematech.org (gater3.sematech.org [192.73.53.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA12453 for ; Fri, 10 Feb 1995 14:46:14 -0800 Received: from GATEV4.SEMATECH.ORG by gater3.sematech.org (8.6.9/F-1.8) with ESMTP id QAA07774; Fri, 10 Feb 1995 16:44:05 -0600 Received: from thecount.eng.sematech.org by GateV1.SEMATECH.Org (PMDF V4.3-10 #5463) id <01HMW3GSOP689I4XTV@GateV1.SEMATECH.Org>; Fri, 10 Feb 1995 16:43:51 -0600 (CST) Received: from localhost.eng.sematech.org by thecount.eng.sematech.org (8.6.9/I-1.8) with SMTP id QAA20405; Fri, 10 Feb 1995 16:43:39 -0600 Date: Fri, 10 Feb 1995 16:43:37 -0600 From: Quentin Fennessy Subject: Re: split DNS (was Re: Firewall Product Review) To: Frank Wortner Cc: Greg Woods , firewalls@greatcircle.com Message-id: <199502102243.QAA20405@thecount.eng.sematech.org> X-Mailer: exmh version 1.5.3 12/28/94 Content-transfer-encoding: 7BIT X-Authentication-Warning: thecount.eng.sematech.org: Host localhost.eng.sematech.org didn't use HELO protocol Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Frank- I do something similar. I recently de-split (joined) our two DNS worlds. Our MXs look like this (with no wildcards).
thecount.eng.sematech.org. 86400 MX 0 thecount.eng.sematech.org.
thecount.eng.sematech.org. 86400 MX 10 gatev4.sematech.org.
thecount.eng.sematech.org. 86400 MX 20 gatev3.sematech.org.
thecount.eng.sematech.org. 86400 MX 30 gater3.sematech.org.
thecount.eng.sematech.org. 86400 MX 40 gater2.sematech.org.
Email to thecount from inside will go first to thecount directly, otherwise to one of gatev4 or gatev3. If all else fails internal mail goes to one of the two firewalls (gater3 or gater2). 
External mail to thecount will try thecount, then gatev4, then gatev3 and fail because they are all on the inside of our firewall. And then the mail will get sent through the firewalls. Works for us. Quentin F From firewalls-owner Fri Feb 10 15:57:24 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA12984 for firewalls-outgoing; Fri, 10 Feb 1995 15:04:46 -0800 Received: from clavin (clavin.uprc.com [144.94.68.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA12979 for ; Fri, 10 Feb 1995 15:04:42 -0800 Received: from cygnus.uprc.com by clavin (4.1/3.2.012693-Union Pacific Resources Company); id AA01068 for firewalls@greatcircle.com; Fri, 10 Feb 95 17:01:51 CST Received: by cygnus.uprc.com (5.0/SMI-SVR4) id AA13398; Fri, 10 Feb 1995 17:01:48 +0600 Date: Fri, 10 Feb 1995 17:01:48 +0600 From: z056716@uprc.com (LaCoursiere J. D. (Jeff)) Message-Id: <9502102301.AA13398@cygnus.uprc.com> To: firewalls@greatcircle.com, fc@all.net Subject: Re: anon X-Sun-Charset: US-ASCII Content-Length: 1861 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > It doesn't seem to occur to any of the posters that some people > just want to be anonymous. In my case, it would probably be beneficial > to be anonymous when I post things that offend some of you, while other > people just think of it as a basic right of privacy. > > The idea that firewalls should not be available to anyone is a > real leap. Consider that it is available via anonymous FTP, can be > searched from this machine, and is likely posted by readers to other > places. Furthermore, firewalls has listed the ftp sites of numerous > openly available programs that automate various aspects of system attacks! > It seems to me that the least of our worries is an anonymous poster. > > HOWEVER - I wish that the anonymous server was a little bit better at > telling a legitimate request for an account than it is. 
Furthermore, > since it seems to give out accounts in sequence, I can look at the > firewalls digest and readily determine who has what account number based > on my account number from a previous posting. So much for being > anonymous. > FC I think everyone has missed the original point. Anonymous addresses subscribed to the list should not be forwarded by majordomo. Brent? [awaiting my inevitable reply from petit.fi] Personally I couldn't care less if anonymous people listen, lurk, post, or whatever, just as long as I don't have to get a bunch of "secret code" mail from the anon site when _I_ post. It's as annoying as receiving all the bounces from bad subscribed addresses (although this seems to have gotten better lately). ______/ Jeff LaCoursiere FastLane Communications / Network security/services mail info@fastlane.net ___/ lacoursj@fastlane.net / __/ ASTLANE Communications! Connecting America to the Internet... From firewalls-owner Fri Feb 10 15:57:58 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA14120 for firewalls-outgoing; Fri, 10 Feb 1995 15:49:40 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA19343 for ; Thu, 9 Feb 1995 16:00:17 -0800 Received: from iss.net by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id PAA00984; Thu, 9 Feb 1995 15:33:52 -0800 Received: (from cklaus@localhost) by iss.net (8.6.9/8.6.9) id SAA07217 for firewalls@greatcircle.com; Thu, 9 Feb 1995 18:37:17 -0800 From: Christopher Klaus Message-Id: <199502100237.SAA07217@iss.net> Subject: Sniffers FAQ To: firewalls@greatcircle.com Date: Thu, 9 Feb 1995 18:37:16 +1494730 (PST) X-Mailer: ELM [version 2.4 PL20] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 12197 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have put together a FAQ (Frequently Asked Questions) file 
about Sniffers. I tried covering all topics related to sniffers and mentioned some companies that provide products for solutions for sniffer attacks. Unfortunately, I have not evaluated any of the products except for using Skey, but I would appreciate it if you have had the chance to play with the product, please send me a small review and I'll stick it under the company's product. I would like unbiased reviews, good and bad. Mostly, what features did you like and what were missing. Also, I am sure I may have missed a few companies that offer similar solutions and if you know of any of them, please email me. I would like feedback on this, Thank you.

This Sniffer FAQ will hopefully give administrators a clear understanding of sniffing problems and hopefully possible solutions to follow up with. Sniffers are one of the main causes of mass break-ins on the Internet today.

This FAQ will be broken down into:
What a sniffer is and how it works
Where are sniffers available
How to detect if a machine is being sniffed
Stopping sniffing attacks:
Active hubs
Encryption
Kerberos
One-time password technology
Non-promiscuous interfaces
------------------------------------------------------------------------
What a sniffer is and how it works

Unlike telephone circuits, computer networks are shared communication channels. It is simply too expensive to dedicate local loops to the switch (hub) for each pair of communicating computers. Sharing means that computers can receive information that was intended for other machines. To capture the information going over the network is called sniffing.

The most popular way of connecting computers is through ethernet. The Ethernet protocol works by sending packet information to all the hosts on the same circuit. The packet header contains the proper address of the destination machine. Only the machine with the matching address is supposed to accept the packet. 
A machine that is accepting all packets, no matter what the packet header says, is said to be in promiscuous mode. Because account and password information is passed along ethernet in clear-text, it is not hard for an intruder to put a machine into promiscuous mode and by sniffing, compromise all the machines on the net.
------------------------------------------------------------------------
Where are sniffers available

Sniffing is one of the most popular forms of attacks used by hackers. One special sniffer, called Esniff.c, is very small, designed to work on Sunos, and only captures the first 300 bytes of all telnet, ftp, and rlogin sessions. It was published in Phrack, one of the most widely read freely available underground hacking magazines. You can find Phrack on many FTP sites. Esniff.c is also available on many FTP sites such as coombs.anu.edu.au:/pub/net/log. You may want to run Esniff.c on an authorized network to quickly see how effective it is in compromising local machines.

Other sniffers that are widely available which are intended to debug network problems are:
Etherfind on SunOs4.1.x
Snoop on Solaris 2.x
Tcpdump 2.0 uses bpf for a multitude of platforms.
Gobbler for IBM DOS Machines
Commercial Sniffers are available at: Network General.
------------------------------------------------------------------------
How to detect a sniffer running.

To detect a sniffing device that only collects data and does not respond to any of the information requires physically checking all your ethernet connections. It is also impossible to remotely check by sending a packet or ping if a machine is sniffing. A sniffer running on a machine puts the interface into promiscuous mode, which accepts all the packets. On some Unix boxes, it is possible to detect a promiscuous interface. For SunOs, NetBSD, and other possible BSD derived Unix systems, there is a command "ifconfig -a" that will tell you information about all the interfaces and if they are in promiscuous mode. 
Intruders often replace commands such as ifconfig to avoid detection. Make sure you verify its checksum. There is a program called cpm available on ftp.cert.org:/pub/tools/cpm that only works on Sunos and is supposed to check the interface for the promiscuous flag.

Ultrix can possibly detect someone running a sniffer by using the commands pfstat and pfconfig. pfconfig allows you to set who can run a sniffer; pfstat shows you if the interface is in promiscuous mode. These commands only work if sniffing is enabled by linking it into the kernel. By default, the sniffer is not linked into the kernel.

Most other Unix systems, such as Irix, Solaris, SCO, etc, do not have any flags indicating whether they are in promiscuous mode or not, therefore an intruder could be sniffing your whole network and there is no way to detect it.

Often a sniffer log becomes so large that the file space is all used up. On a high volume network, a sniffer will create a large load on the machine. These sometimes trigger enough alarms that the administrator will discover a sniffer. I highly suggest using lsof (LiSt Open Files) available from coast.cs.purdue.edu:/pub/Purdue/lsof for finding log files.

There are no commands I know of to detect a promiscuous IBM PC compatible machine, but they at least usually do not allow command execution unless from the console, therefore remote intruders can not turn a PC machine into a sniffer without inside assistance.
------------------------------------------------------------------------
Stopping sniffing attacks

Active hubs send to each system only packets intended for it, rendering promiscuous sniffing useless. This is only effective for 10-Base T. The following vendors have available active hubs:
3Com
HP
------------------------------------------------------------------------
Encryption

There are several packages out there that allow encryption between connections, therefore an intruder could capture the data, but could not decipher it to make any use of it. 
Some packages available are:
deslogin is one package available at ftp coast.cs.purdue.edu:/pub/tools/unix/deslogin .
swIPe is another package available at ftp.csua.berkeley.edu:/pub/cypherpunks/swIPe/
------------------------------------------------------------------------
Kerberos

Kerberos is another package that encrypts account information going over the network. Some of its drawbacks are that all the account information is held on one host and if that machine is compromised, the whole network is vulnerable. It has been reported to be a major difficulty to set up. It does not stop an intruder from capturing what you did after you logged in.
------------------------------------------------------------------------
One time password technology

S/key and other one time password technology makes sniffing account information almost useless. The S/key concept is having your remote host already know a password that is not going to go over insecure channels and when you connect, you get a challenge. You take the challenge information and password and plug it into an algorithm which generates the response that should get the same answer if the password is the same on both sides. Therefore the password never goes over the network, nor is the same challenge used twice. Unlike SecureID or SNK, with S/key you do not share a secret with the host. S/key is available on ftp:thumper.bellcore.com:/pub/nmh/skey

Other one time password technology is card systems where each user gets a card that generates numbers that allow access to their account. Without the card, it is improbable to guess the numbers.

The following are companies that offer solutions that provide better password authentication (ie, handheld password devices):
Secure Net Key (SNK)
Digital Pathways, Inc. 201 Ravendale Dr. Mountainview, Ca. 
94043-5216 USA Phone: 415-964-0707 Fax: (415) 961-7487
Secure ID
Security Dynamics, One Alewife Center Cambridge, MA 02140-2312 USA Phone: 617-547-7820 Fax: (617) 354-8836
Secure ID uses time slots as authentication rather than challenge/response.
WatchWord and WatchWord II
Racal-Guardata 480 Spring Park Place Herndon, VA 22070 703-471-0892 1-800-521-6261 ext 217
SafeWord
Enigma Logic, Inc. 2151 Salvio #301 Concord, CA 94520 510-827-5707 Fax: (510)827-2593
Secure Computing Corporation: 2675 Long Lake Road Roseville, MN 55113 Tel: (612) 628-2700 Fax: (612) 628-2701 debernar@sctc.com
------------------------------------------------------------------------
Non-promiscuous Interfaces

You can try to make sure that most IBM DOS compatible machines have interfaces that will not allow sniffing. Here is a list of cards that do not support promiscuous mode: Test the interface for promiscuous mode by using the Gobbler. If you find an interface that does do promiscuous mode and it is listed here, please e-mail cklaus@iss.net so I can remove it ASAP. 
3Com 3C501 EtherLink 3Com 3C507 EtherLink 16 3Com 3C507 EtherLink 16 TP IBM Token-Ring Network PC Adapter IBM Token-Ring Network PC Adapter II (short card) IBM Token-Ring Network PC Adapter II (long card) IBM Token-Ring Network 16/4 Adapter IBM Token-Ring Network PC Adapter/A IBM Token-Ring Network 16/4 Adapter/A IBM Token-Ring Network 16/4 Busmaster Server Adapter/A Microdyne (Excelan) EXOS 205 Microdyne (Excelan) EXOS 205T Microdyne (Excelan) EXOS 205T/16 Hewlett-Packard 27250A EtherTwist PC LAN Adapter Card/8 Hewlett-Packard 27245A EtherTwist PC LAN Adapter Card/8 Hewlett-Packard 27247A EtherTwist PC LAN Adapter Card/16 Hewlett-Packard 27248A EtherTwist EISA PC LAN Adapter Card/32 Compaq 32-bit DualSpeed Token-Ring Controller Novell/Eagle NE3200 Novell/Eagle NE2000 AMD Am2110-SM AT Ethernet 7998 AMD Am1500T/2 PCnet-ISA AMD Am1500T PCnet-ISA HP 27247B EtherTwist Adapter Card/16 TP Plus HP 27252A EtherTwist Adapter Card/16 TP Plus HP J2405A EtherTwist PC LAN Adapter NC/16 TP IBM LAN Adapter for Ethernet IBM LAN Adapter for Ethernet TP IBM LAN Adapter for Ethernet CX Intel EtherExpress 16 Intel EtherExpress 16TP Intel EtherExpress 16C Intel EtherExpress FlashC Intel EtherExpress 16 MCA Intel EtherExpress 16 MCA TP ------------------------------------------------------------------------ Acknowledgements I would like to thank the following people for the contribution to this FAQ that has helped to update and shape it: Padgett Peterson (padgett@tccslr.dnet.mmc.com) Steven Bellovin (smb@research.att.com) Wietse Venema (wietse@wzv.win.tue.nl) ------------------------------------------------------------------------ Copyright This paper is Copyright (c) 1994, 1995 by Christopher Klaus of Internet Security Systems, Inc. Permission is hereby granted to give away free copies electronically. You may distribute, transfer, or spread this paper electronically. You may not pretend that you wrote it. This copyright notice must be maintained in any copy made. 
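The challenge/response exchange described in the FAQ's "One time password technology" section, written out as an added example; this is not code from the FAQ, from the S/Key distribution, or from anyone on the list. It assumes SHA-256 in place of S/Key's MD4-derived 64-bit hash, a constructed passphrase and seed, and a hypothetical OtpServer class standing in for the remote host. The server stores only the top of the hash chain, each login reveals the preimage of the stored value, and a sniffed response cannot be replayed because the next challenge asks for a preimage of that response:

```python
import hashlib
import hmac


def _h(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for S/Key's MD4-based 64-bit hash.
    return hashlib.sha256(data).digest()


def otp_value(passphrase: str, seed: str, count: int) -> bytes:
    """Client-side calculation: H^count(H(seed || passphrase)).

    The passphrase never leaves the client; only a hash output goes over
    the wire, and the challenge (count, seed) carries no secret at all."""
    x = _h(seed.encode() + passphrase.encode())
    for _ in range(count):
        x = _h(x)
    return x


class OtpServer:
    """Hypothetical remote host: keeps the last accepted hash output only,
    never the passphrase, so a compromise of this host leaks no secret."""

    def __init__(self, seed: str, n: int, top: bytes):
        self.seed, self.n, self.last = seed, n, top

    def challenge(self):
        """Ask for the next preimage in the chain, or None when exhausted."""
        if self.n == 0:
            return None
        return self.n - 1, self.seed

    def verify(self, response: bytes) -> bool:
        """Accept iff H(response) equals the stored value, then move one step
        down the chain.  A replayed response fails because the stored value
        is now the response itself, and its preimage is what is required."""
        if self.n == 0:
            return False
        if not hmac.compare_digest(_h(response), self.last):
            return False
        self.last, self.n = response, self.n - 1
        return True


def enroll(passphrase: str, seed: str, n: int) -> OtpServer:
    """Initialisation: the client computes H^n once and hands it to the
    server over a channel it trusts; the passphrase itself stays home."""
    return OtpServer(seed, n, otp_value(passphrase, seed, n))


def login(server: OtpServer, passphrase: str) -> bool:
    """One full exchange: challenge out, response back, server verifies."""
    chal = server.challenge()
    if chal is None:
        return False            # chain used up; re-enroll with a new seed
    count, seed = chal
    return server.verify(otp_value(passphrase, seed, count))
```

Note that the chain has a fixed length n and must be re-initialised before it runs out; the sequence number in the challenge tells the user how many logins remain. An attacker who sniffs a response learns H^(k) but needs H^(k-1), which is a preimage, for the next login.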
If you wish to reprint the whole or any part of this paper in any other medium (ie magazines, books, etc) excluding electronic medium, please ask the author for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. Address of Author Please send suggestions, updates, and comments to: Christopher Klaus of Internet Security Systems, Inc. -- Christopher William Klaus Voice: (404)441-2531. Fax: (404)441-2431 Internet Security Systems, Inc. Computer Security Consulting 2000 Miller Court West, Norcross, GA 30071 From firewalls-owner Fri Feb 10 16:41:33 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA15299 for firewalls-outgoing; Fri, 10 Feb 1995 16:19:14 -0800 Received: from ncar.UCAR.EDU (ncar.ucar.edu [192.52.106.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA15294 for ; Fri, 10 Feb 1995 16:19:10 -0800 Message-Id: <199502110017.RAA14819@ncar.ucar.EDU> Received: by ncar.ucar.EDU (NCAR-local/ NCAR Central Post Office 03/11/93) id RAA14819; Fri, 10 Feb 1995 17:17:08 -0700 Subject: Re: split DNS (was Re: Firewall Product Review) To: firewalls@greatcircle.com Date: Fri, 10 Feb 95 17:17:07 MST In-Reply-To: ; from "Frank Wortner" at Feb 10, 95 3:31 pm From: woods@ncar.ucar.edu (Greg Woods) X-Mailer: ELM [version 2.3 PL11] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > But wouldn't it also be possible to build a heirarchy of MX records like > this: > > host.domain.ucar.edu MX 100 bastion.ucar.edu > MX 1 host.domain.ucar.edu > > and avoid the split DNS altogether? 
Hosts that can't get to > "host.domain.ucar.edu" would send mail to "bastion.ucar.edu" > bastion would send the mail to "host.domain.ucar.edu". Two problems with this. First of all, I don't control the DNS for every subdomain. I would have to rely on every group sysadmin to install the proper MX. Granted, if they didn't then their users couldn't get mail, but this isn't very appetizing. Second, even if I did this, it would require every outside machine that wants to send mail to one of our hosts to first fail to initiate a direct connection to the host before sending to the bastion. This is at best rather unfriendly to the sites trying to send us mail. I'd rather not do that. Again, the split DNS is easier. --Greg From firewalls-owner Fri Feb 10 16:52:40 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA15796 for firewalls-outgoing; Fri, 10 Feb 1995 16:41:28 -0800 Received: from london.micrognosis.com (midas.london.micrognosis.com [193.114.123.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA15786 for ; Fri, 10 Feb 1995 16:41:24 -0800 Received: by london.micrognosis.com (4.1/NAR-Gateway) id AA04710; Sat, 11 Feb 95 00:38:56 GMT Received: from zeus.london.micrognosis.com(192.83.165.17) by midas via smap (V1.0mjr) id sma004708; Sat Feb 11 00:38:00 1995 Received: by zeus.london.micrognosis.com (4.1/SMI-4.1) id AA17505; Sat, 11 Feb 95 00:37:57 GMT From: nreadwin@london.micrognosis.com (Neil Readwin) Message-Id: <9502110037.AA17505@zeus.london.micrognosis.com> Subject: Re: split DNS (was Re: Firewall Product Review) To: Quentin.Fennessy@SEMATECH.Org (Quentin Fennessy) Date: Sat, 11 Feb 1995 00:37:56 +0000 (GMT) Cc: firewalls@greatcircle.com In-Reply-To: <199502102243.QAA20405@thecount.eng.sematech.org> from "Quentin Fennessy" at Feb 10, 95 04:43:37 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 513 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Quentin Fennessy writes: > External 
mail to thecount will try thecount, then gatev4, then gatev3 and > fail because they are all on the inside of our firewall. [...] Works for us. It works, but it's IMNSHO Evil and Rude because it forces everyone else to try connections to 3 machines that will never be reachable before trying one of the machines that are on the external net. Neil. -- nreadwin@micrognosis.co.uk Phone: +1 908 855 1221 x519 Anything is a cause for sorrow that my mind or body has made From firewalls-owner Fri Feb 10 17:10:44 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA15250 for firewalls-outgoing; Fri, 10 Feb 1995 16:15:40 -0800 Received: from [198.102.244.40] (pm-ppp-2.greatcircle.com [198.102.244.40]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA15245; Fri, 10 Feb 1995 16:15:29 -0800 X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 10 Feb 1995 19:13:25 -0500 To: "Antonio Vasconcelos" , "Roberto Pedriali" From: Brent@GreatCircle.COM (Brent Chapman) Subject: RE: Address translation Cc: "FireWalls Mailing List" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 15:13 2/10/95, Antonio Vasconcelos wrote: >Hopefully that will never happen if using private addresses as defined by >rfc1597, ie, between the ranges: > > 10.0.0.0 / 10.255.255.255 > 172.16.0.0 / 172.31.255.255 > 192.168.0.0 / 192.168.255.255 > >And I'm using 192.168.x.x for my internal (non-public) nets. > >As someone has said before, most Internet providers should be droping this >ranges in every router. Nice theory, but most of the Internet service providers I've talked to are dead set against doing ANY packet filtering in ANY of their routers, because of the performance implications. Packets with these addresses that get into their system are going to go through them (following default routes) until they reach one of the various cores. 
For instance, here's what I get on Alternet:
miles 101 % traceroute 10.0.0.1
traceroute to 10.0.0.1 (10.0.0.1), 30 hops max, 40 byte packets
 1 mv-irx.greatcircle.com (198.102.244.33) 2 ms 2 ms 2 ms
 2 uu-irx-fr.greatcircle.com (198.102.244.4) 30 ms 33 ms 445 ms
 3 uu-irx-fr.greatcircle.com (198.102.244.4) 32 ms 30 ms 30 ms
 4 San-Jose3.CA.ALTER.NET (137.39.27.1) 60 ms 40 ms 31 ms
 5 Vienna1.VA.ALTER.NET (137.39.12.1) 130 ms 108 ms 118 ms
 6 en-0.ENSS136.t3.ANS.NET (192.41.177.253) 140 ms !H 128 ms !H 132 ms !H
The packet doesn't get rejected until it gets all the way to the ANS core. -Brent -- == For info about the Internet Security Firewalls Tutorial and a schedule == == of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM == ============================================================================== == Brent Chapman Great Circle Associates == == Brent@GreatCircle.COM 1057 West Dana Street == == +1 415 962 0841 Mountain View, CA 94041 == From firewalls-owner Fri Feb 10 17:22:43 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA15711 for firewalls-outgoing; Fri, 10 Feb 1995 16:35:01 -0800 Received: from tuna.wang.com (tuna.wang.com [150.124.136.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA15706 for ; Fri, 10 Feb 1995 16:34:57 -0800 Received: from elf.wang.com by tuna.wang.com with SMTP id AA10060 (5.67b/IDA-1.5 for ); Fri, 10 Feb 1995 19:33:01 -0500 Received: from fnord.wang.com by elf.wang.com with SMTP id AA28999 (5.67a/IDA-1.5 for ); Fri, 10 Feb 1995 18:11:18 -0500 Received: by fnord.wang.com (5.67a/TF8) id AA08697; Fri, 10 Feb 1995 19:32:47 -0500 Date: Fri, 10 Feb 1995 19:32:47 -0500 From: Tom Fitzgerald Message-Id: <199502110032.AA08697@fnord.wang.com> To: firewalls@greatcircle.com Subject: CERN httpd vs http-gw Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >> >CERN httpd runs fine in a chrooted environment, and is perfectly willing to >> >relinquish root privs (both real 
and effective) once it's opened port 80. >> ^^^^ >> This is the key word. It has to run as root for awhile. This makes >> me nervous. I'd rather have a program that opens port 80, chroots, and >> invokes httpd. Httpd does very little between startup and the setuid(). This part of the code is simple and easy to read (regardless of what you could say about all the rest of the code). mshaver@schoolnet.carleton.ca (Mike Shaver) said: > Even just changing uid right after the bind would be better. > I know NCSA waits until after the accept *and* the logging to change, which > is OK, but still not warm and fuzzy. CERN supports setuid in the parent (immediately after binding port 80) using the ParentUserId and ParentGroupId parameters in the config file. The thing has lost root privs by the time it accepts any incoming connection, or opens any file other than its config file and logfiles. > Actually, I'd rather make chroot() and <1024 privileges be > contingent on being in group "daemon" and never run these servers as > root as at all. This would be nice for reserved ports (especially for things like rcmd!) but anybody who can run chroot can become root, so it doesn't really save you anything to reduce the privilege level needed to run chroot. (I don't like systems that pretend to add security by setting up all sorts of different privilege levels like bin, auth, cron, etc, all of which are equivalent to root since they can be used to become root at any time.) 
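The bind-then-setuid ordering Tom describes for CERN httpd's parent process, as an added example; it is not CERN httpd's code and not from the thread. The only step that needs root is binding the reserved port, so the listener is opened first and both real and effective ids are given up before listen()/accept() and before any file other than the config is touched. The uid/gid values, the "nobody" account in the usage block, and the use of 127.0.0.1 are assumptions:

```python
import os
import socket


def drop_privileges(uid: int, gid: int) -> None:
    """Give up root permanently: supplementary groups, then gid, then uid.

    Order matters: once the uid is no longer 0 the process can no longer
    change its gid, so groups are handled first.  The final probe checks
    that the drop is irreversible, i.e. no saved root uid is left behind
    that a later setuid(0) could recover (the "both real and effective"
    point in the thread)."""
    if os.geteuid() == 0:
        os.setgroups([])          # only root may clear supplementary groups
    os.setgid(gid)
    os.setuid(uid)
    if uid != 0:
        try:
            os.setuid(0)
        except PermissionError:
            return                # expected: root is gone for good
        raise RuntimeError("setuid(0) still succeeds; privileges not dropped")


def bind_then_drop(port: int, uid: int, gid: int,
                   host: str = "127.0.0.1") -> socket.socket:
    """Do the one privileged step (bind a reserved port), then drop root
    before the first accept() and before any file but the config is read."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, port))   # needs root when port < 1024
    listener.listen(5)
    drop_privileges(uid, gid)     # from here on a server bug costs only uid/gid
    return listener


def privilege_state() -> dict:
    """Real and effective ids after the drop, for logging or checking."""
    return {"uid": os.getuid(), "euid": os.geteuid(),
            "gid": os.getgid(), "egid": os.getegid()}


if __name__ == "__main__":
    import pwd
    # Assumption: a 'nobody' account exists; run as root to bind port 80.
    nobody = pwd.getpwnam("nobody")
    sock = bind_then_drop(80, nobody.pw_uid, nobody.pw_gid, host="0.0.0.0")
    print("listening on", sock.getsockname(), "as", privilege_state())
```

Run unprivileged, the same functions work with a high port and the caller's own ids, which is what the check below does; the setuid(0) probe then confirms there is no way back to root, exactly the property the thread wants before the first connection is accepted.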
-- Tom Fitzgerald 1-508-967-5278 Wang Labs, Lowell MA, USA fitz@wang.com From firewalls-owner Fri Feb 10 17:27:16 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA15882 for firewalls-outgoing; Fri, 10 Feb 1995 16:47:40 -0800 Received: from css1.css.edu (css1.css.edu [143.110.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA15875 for ; Fri, 10 Feb 1995 16:47:37 -0800 Received: from [143.110.11.7] (slip7.css.edu) by css1.css.edu (5.0/SMI-SVR4) id AA06154; Fri, 10 Feb 1995 18:47:13 -0600 From: "deb treacy" Date: Fri, 10 Feb 95 18:47:25 CST Message-Id: <754.dtreacy@css1.css.edu_POPMail/PC_3.2.3_Beta_2> X-Popmail-Charset: English To: firewalls@greatcircle.com Subject: Lurkers content-length: 1039 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I think we understand the populace's general impression regarding anonymous participants in this listserv. Excellent feedback was provided, however, it's time to move on. You may interpret my participation in this forum as a lurker, but I am new to this platform and am using your discussions as a learning tool. In the short time I have been "lurking" in the background, I have learned immensely from your trials and tribulations. At this point, I can't provide any valid input to your questions or concerns. Thank you. ----- Forwarded message begins here ----- From: Chuck Ocheret Fri, 10 Feb 95 16:44:15 EST To: ericm@microunity.com, wolfgang.kuehnel@cp-nbg.philips.de Cc: firewalls@greatcircle.com Subject: Re: Anon subscribers From firewalls-owner@GreatCircle.COM Fri Feb 10 14:05:50 1995 Posting anonymously is a good way to get information on how to protect yourself without letting 'them' know how little you know. Or how much you know. 
~chuck ------ Forwarded message ends here ------ From firewalls-owner Fri Feb 10 17:50:53 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA14250 for firewalls-outgoing; Fri, 10 Feb 1995 15:53:38 -0800 Received: from [198.102.244.40] (pm-ppp-1.greatcircle.com [198.102.244.39]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA14238; Fri, 10 Feb 1995 15:53:25 -0800 X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 10 Feb 1995 18:51:22 -0500 To: David Miller From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: CERN httpd vs http-gw Cc: rens@imsi.com, Ken Hardy , tpaquett@aec.ca, firewalls@GreatCircle.COM, bdrennin@plaind.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 08:46 2/10/95, David Miller wrote: >On Thu, 9 Feb 1995, Brent Chapman wrote: >> At 17:23 2/1/95, Rens Troost wrote: >> Why? And are we talking about using it ONLY for proxying here, not for also >> serving external users (i.e., surfers from the Internet)? I'd be very >>nervous >> about having an HTTP server accessed by the outside world live anywhere >> EXCEPT on my bastion host. >> > >Tell me you didn't say that, Brent, or explain how the bastion host is >not the hard shell around the soft chewy center. You wouldn't really >contemplate running a BHPC like httpd on your firewall would you? >Apologies in advance if bastion host != firewall in your statement:) Bastion host != firewall. I tend to _assume_ that the bastion host will be compromised (if not by HTTP, then by something else), and use another layer of security between it and the internal systems: typically a packet filtering router to control what services it can access on which internal systems, coupled with careful configuration of those services/systems to guard against attack from the bastion host. 
-Brent -- == For info about the Internet Security Firewalls Tutorial and a schedule == == of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM == ============================================================================== == Brent Chapman Great Circle Associates == == Brent@GreatCircle.COM 1057 West Dana Street == == +1 415 962 0841 Mountain View, CA 94041 == From firewalls-owner Fri Feb 10 17:52:50 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA16224 for firewalls-outgoing; Fri, 10 Feb 1995 17:04:53 -0800 Received: from bos1d.delphi.com (SYSTEM@bos1d.delphi.com [192.80.63.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id RAA16219 for ; Fri, 10 Feb 1995 17:04:49 -0800 Received: from delphi.com by delphi.com (PMDF V4.3-9 #7804) id <01HMWAF2XJCK9C1MQQ@delphi.com>; Fri, 10 Feb 1995 20:02:40 -0500 (EST) Date: Fri, 10 Feb 1995 20:02:40 -0500 (EST) From: Network Security Observations Subject: Re: Anyone read these books? To: Stephen.L.Arnold@Arnold.Com, firewalls@greatcircle.com, avolio@tis.com Message-id: <01HMWAF2XJCM9C1MQQ@delphi.com> X-VMS-To: INTERNET"Stephen.L.Arnold@Arnold.Com" X-VMS-Cc: INTERNET"firewalls@greatcircle.com" INTERNET"avolio@tis.com" ,NSO MIME-version: 1.0 Content-type: TEXT/PLAIN; CHARSET=US-ASCII Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk re: > > Do you have any mor einformation on this book, such as publisher? Our > > librarian cannot find it anywhere, but then perhaps she isn't looking > > in the right places. > > Thanks > > Fred > > They're new: > > Internet Firewalls and Network Security, 450 pp., softcover, New Riders > Publishing (I never heard of 'em either!), January 1995, publisher's > price $35.00. > > E-Mail Security, 288 pp., softcover, John Wiley & Sons, February 1995, > publisher's price $24.95 > > Disclaimer: I haven't seen these. No endorsement implied! 
Fred/Stephen: I've seen an early manuscript some time ago of: E-Mail Security. Is authored by Bruce Schneier. It's to be expected somewhere late March. It's sound stuff, good reading. I'll dig the other one up for you. I know I got something on it. Cheers Bertil NSO/ISM From firewalls-owner Fri Feb 10 18:20:26 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA16000 for firewalls-outgoing; Fri, 10 Feb 1995 16:53:58 -0800 Received: from [198.102.244.40] (pm-ppp-1.greatcircle.com [198.102.244.39]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA15990; Fri, 10 Feb 1995 16:53:45 -0800 X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 10 Feb 1995 19:51:41 -0500 To: lavondes@tidtest.total.fr, Mike.Geipel@Controls.Eurotherm.COM From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: Anon subscriber to firewalls@greatcircle.com Cc: firewalls@greatcircle.com, mcb@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 13:02 2/10/95, Michel Lavondes wrote: >++flame; >Sorry, I can't follow you there. True, I have no problem with lurkers (ie, >people who stay quiet and just listen), but I still want to know who >subscribes to the list, or at list their (assumed) site, so I have someone >to complain to, just in case. Just in case you wonder, I do the same with >direct messages to me - delete without reading if anonymous, complain to >someone supposedly responsible at their site if I feel it necessary. >--flame; Official position of the list manager: anonymous subscribers are OK, if and only if they don't cause list management problems like every poster to the list being assigned an anonymous address when they post something. 
Michael Berch (mcb@GreatCircle.COM, who handles the day-to-day management of all GreatCircle.COM mailing lists) is going to fix the address that's causing the current problems, and post something on how to subscribe anonymously without causing such problems in the future (if that's possible) -Brent -- == For info about the Internet Security Firewalls Tutorial and a schedule == == of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM == ============================================================================== == Brent Chapman Great Circle Associates == == Brent@GreatCircle.COM 1057 West Dana Street == == +1 415 962 0841 Mountain View, CA 94041 == From firewalls-owner Fri Feb 10 18:22:16 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA16355 for firewalls-outgoing; Fri, 10 Feb 1995 17:16:05 -0800 Received: from sunrise.gv.ssi1.com (gdonl@sunrise.gv.ssi1.com [146.252.44.191]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id RAA16349 for ; Fri, 10 Feb 1995 17:16:01 -0800 Received: (from gdonl@localhost) by sunrise.gv.ssi1.com (8.6.9/8.6.9) id RAA28995; Fri, 10 Feb 1995 17:13:39 -0800 Message-Id: <199502110113.RAA28995@sunrise.gv.ssi1.com> From: gdonl@gv.ssi1.com (Don Lewis) Date: Fri, 10 Feb 1995 17:13:38 -0800 In-Reply-To: Adam Shostack "Re: anon" (Feb 10, 5:39pm) X-Mailer: Mail User's Shell (7.2.5 10/14/92) To: Adam Shostack , fc@all.net (Dr. Frederick B. Cohen) Subject: Re: anon Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Feb 10, 5:39pm, Adam Shostack wrote: } Subject: Re: anon } Fred Cohen wrote: } } | HOWEVER - I wish that the anonymous server was a little bit better at } | telling a legitimate request for an account than it is. Furthermore, } | since it seems to give out accounts in sequence, I can look at the } | firewalls digest and readily determine who has what account number based } | on my account number from a previous posting. 
So much for being
} | anonymous.
}
} The server can deal just fine; the subscriber simply didn't
} subscribe properly. Had he listed his address as NA.... instead of
} AN..., replies would not be anonymized.

And because he didn't, Mr. Anon can easily find the anon ID's of all the posters to this list. All he has to do is subscribe to this list with his real email address and he will get two copies of each message. One copy will have the poster's real email address, and the other will have his anonymous address. That makes it real easy to construct a cross reference list. If you normally post with your real address and then post an anonymous question because you think your network might be vulnerable, Mr. Anon knows right where to attack if he is malicious.

--
Don "Truck" Lewis                              Silicon Systems
Internet: gdonl@gv.ssi1.com                    138 New Mohawk Road
Phone: +1 916 478-8284 FAX: +1 916 478-8251    Nevada City, CA 95959

From firewalls-owner Fri Feb 10 18:49:49 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA16535 for firewalls-outgoing; Fri, 10 Feb 1995 17:30:26 -0800
Received: (mcb@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA16529 for firewalls; Fri, 10 Feb 1995 17:30:24 -0800
Message-Id: <199502110130.RAA16529@miles.greatcircle.com>
From: mcb@greatcircle.com (Michael C. Berch)
Date: Fri, 10 Feb 1995 17:30:24 +0000
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
To: firewalls
Subject: ADMIN/POLICY: Anonymous/pseudonymous accounts on firewalls list
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Brent and I have discussed the issues involved, and we both agree that the best policy is as follows:

1. Anonymous and pseudonymous postings and subscriptions are permitted on the list. Readers should remember that in the absence of personal knowledge of the poster or the use of authentication software, *all* postings are subject to forgery, spoofing, fictitious identities, falsely-assumed affiliations, etc. Internet mail is not inherently secure, and readers should act prudently before taking action relying on a specific posting.

HOWEVER:

2. Anonymous and pseudonymous addresses will be purged if they cause problems for the list software or membership. This includes everything from spam to posting cracking code to causing the anon-address allocation for every poster problem as noted by several people here.

3. Each server works slightly differently, but in the case of the anon.penet.fi server, subscriptions to the list must be in the "naNNNNNN@anon.penet.fi" form, not the normal "anNNNNNN@anon.penet.fi" form. This means that (1) the return address of people sending mail to the anon poster will be known to the poster, AND (2), more importantly, the server will NOT try to allocate an anon address to senders of messages (including those posting via mailing lists).

As the volume of the list is already high, I don't see the need to make this into a discussion topic. There have been literally hundreds if not thousands of messages on the topic of anon/nym postings in various mailing lists and newsgroups, and the result is basically that they're not going to go away, they have positive and negative effects, and that people who object to these postings are free to suppress them individually in their mail program or newsreader.

Also: the an196844@anon.penet.fi address was unsubscribed today from the firewalls list by the user's request to Majordomo. It was not bounced. Presumably the user realized the problem with the anNNNNNN address and will re-subscribe some other way.

--
Michael C. Berch
Postmaster and List Manager, Great Circle Associates
mcb@greatcircle.com

From firewalls-owner Fri Feb 10 18:52:15 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA16679 for firewalls-outgoing; Fri, 10 Feb 1995 17:41:44 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA16674 for ; Fri, 10 Feb 1995 17:41:40 -0800
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA29605; Fri, 10 Feb 95 20:23:49 -0500
Date: Fri, 10 Feb 95 20:23:49 -0500
Message-Id: <9502110123.AA29605@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Anon
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Fred the C writes:
> It doesn't seem to occur to any of the posters that some people
>just want to be anonymous. In my case, it would probably be beneficial
>to be anonymous when I post things that offend some of you, while other
>people just think of it as a basic right of privacy.

Not really firewalls related other than being the cause (and I have griped before about this being the only group I am in in which the posters get the bounces; similarly it is the only one to have this anon problem). However the point is one of *my* privacy. I did not request nor want an anonymous account or any account for that matter on anon.penet.fi. Why I feel that way is complex - partly because I believe that such are an exercise in futility, and partly because if I wanted to be anonymous *I would be* and not rely on amateurs in foreign countries (no offense meant - more an observation on intercontinental monitoring) for that privacy.
Now "unsolicited merchandise" has a special meaning in the US but I do not know how to "return to sender" this account hence I repudiated it the only way I knew how, by posting the account number publicly and stating that it was unsolicited (wonder how many news groups constitutes a "public announcement" - new laws being written as we speak 8*). Bottom line: if *you* want an anonymous account in Finland, fine. But do not inflict one on me as a result of posting to a less-than-optimal listserver. Think of it this way: how many junk faxes constitutes harassment ? Warmly, Padgett From firewalls-owner Fri Feb 10 19:06:34 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA17525 for firewalls-outgoing; Fri, 10 Feb 1995 18:39:45 -0800 Received: from [198.102.244.40] (pm-ppp-2.greatcircle.com [198.102.244.40]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA17506; Fri, 10 Feb 1995 18:39:35 -0800 X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 10 Feb 1995 21:37:31 -0500 To: jwk@s-s-s.com, firewalls@greatcircle.com From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: Firewall Product Review Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 17:10 2/9/95, jwk@s-s-s.com wrote: >Gentlepersons, > >The January 30th, 1995 Copy of Infoworld has a product comparison between >various Firewall solutions. I am particularly concerned by the review of >Firewall-1 (since one of my clients is using it). The troubling paragraph >states: > >"...routers and Firewall-1 pass traffic without examining the contents, making >it possible to "tunnel" data right through the router. And Firewall-1 lets >the FSP command - used by hackers to transport their electronic tools - run on >any port whatsoever, which is a dangerous situation. By running FSP on the >DNS port, they can tunnel right through a router." 
Well, sure, if the attackers are already inside and are tunnelling OUT. I haven't seen the article, but if that's not the situation they were talking about (i.e., if they were saying the above applies to tunnelling IN to a site), then it's just plain wrong.

-Brent
--
== For info about the Internet Security Firewalls Tutorial and a schedule ==
== of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM  ==
==============================================================================
== Brent Chapman                                   Great Circle Associates ==
== Brent@GreatCircle.COM                             1057 West Dana Street ==
== +1 415 962 0841                                 Mountain View, CA 94041 ==

From firewalls-owner Fri Feb 10 19:13:11 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA17030 for firewalls-outgoing; Fri, 10 Feb 1995 18:05:33 -0800
Received: from outside.mediavis.com (mediavis.com [204.30.229.9]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA17024 for ; Fri, 10 Feb 1995 18:05:28 -0800
Received: from MediaVis.com by outside.mediavis.com with smtp (Smail3.1.28.1 #64) id m0rd6zx-000U0qC; Fri, 10 Feb 95 17:51 PST
Received: from mvimail.mediavis.com by MediaVis.com (Media Vision, Inc.) with SMTP (1.37.109.4/16.2) id AA13821; Fri, 10 Feb 95 17:46:10 -0800 (Send to firstname_lastname@MediaVis.com)
Received: by MVIMAIL.MEDIAVIS.COM with Microsoft Mail id <2F3C17AE@MVIMAIL.MEDIAVIS.COM>; Fri, 10 Feb 95 17:49:34 PST
From: Alan Millar
To: firewalls-digest
Subject: RE: http proxies
Date: Fri, 10 Feb 95 17:49:00 PST
Message-Id: <2F3C17AE@MVIMAIL.MEDIAVIS.COM>
Encoding: 56 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> With all the discussion of fwtk http-gw and CERN proxy, a conservative
> approach seems to be to have http-gw on the firewall and the CERN proxy on a
> DMZ machine to provide caching and perhaps serve as an outside server. The
> question I have is how do you set up your inside clients to go through two
> proxies (one for firewall and another for caching)? I know how to manually
> do it, but is there any way to configure Netscape or any of the other popular
> clients to automatically go through two proxies? Or can you configure
> http-gw to use another proxy?

I'm doing this currently: CERN httpd on the inside machine for caching, and http-gw on the firewall machine. You point Netscape/other browser at the inside proxy. The browser never knows or cares about any more proxies beyond that. The inside proxy then must be configured to pass requests to the outside proxy, but that's simple in CERN httpd. Do something like this in your /etc/httpd.conf on the inside CERN httpd:

------------------------------------------------------------
http_proxy    http://outside.mysite.com:80/
ftp_proxy     http://outside.mysite.com:80/
gopher_proxy  http://outside.mysite.com:80/
wais_proxy    http://outside.mysite.com:80/
no_proxy      mysite.com
#
Pass http:*
Pass ftp:*
Pass gopher:*
Pass wais:*
------------------------------------------------------------

Assuming "outside.mysite.com" is the machine running http-gw. The outside proxy http-gw is configured to reject proxy requests from outside (or redirect them somewhere helpful).

There is a strange interaction, however, between the two proxies that sometimes causes problems with FTP requests. I haven't fully diagnosed it, but when an FTP retrieval fails, the browser often receives an empty document but *no* error message. This happens when an anonymous FTP site hits its user limit and refuses the login, etc. Other than that, it works great.

Because of the minor FTP problem, I am now considering dropping the outer http-gw in favor of a SOCKS-ified CERN httpd, but I haven't done it yet. Can anyone share their experiences with the SOCKS-ified CERN?

- Alan Millar
Computer Network/Operations Manager
AMillar@MediaVis.com

From firewalls-owner Fri Feb 10 19:22:30 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA18546 for firewalls-outgoing; Fri, 10 Feb 1995 19:21:38 -0800
Received: (mcb@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA18540 for firewalls; Fri, 10 Feb 1995 19:21:36 -0800
Message-Id: <199502110321.TAA18540@miles.greatcircle.com>
From: mcb@greatcircle.com (Michael C. Berch)
Date: Fri, 10 Feb 1995 19:21:36 +0000
In-Reply-To:
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
To: firewalls
Subject: RE: Address translation
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Brent writes:
> At 15:13 2/10/95, Antonio Vasconcelos wrote:
> >Hopefully that will never happen if using private addresses as defined by
> >rfc1597, ie, between the ranges:
> >
> >    10.0.0.0    / 10.255.255.255
> >    172.16.0.0  / 172.31.255.255
> >    192.168.0.0 / 192.168.255.255
> >
> >And I'm using 192.168.x.x for my internal (non-public) nets.
> >
> >As someone has said before, most Internet providers should be dropping these
> >ranges in every router.
>
> Nice theory, but most of the Internet service providers I've talked to are
> dead set against doing ANY packet filtering in ANY of their routers,
> because of the performance implications.
[etc. ]

Which leads to the policy discussion about the private address space issue in general -- probably not a good idea here in specific, but I would urge anyone interested to check out RFC1627, which provides an alternative point of view of the issues covered in (and in my personal opinion, effectively rebuts) RFC1597. RFC1627 can be retrieved at URL http://ds.internic.net/rfc/rfc1627.txt

-- Michael C.
Berch mcb@greatcircle.com From firewalls-owner Fri Feb 10 19:52:13 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA18580 for firewalls-outgoing; Fri, 10 Feb 1995 19:23:12 -0800 Received: from gater3.sematech.org (gater3.sematech.org [192.73.53.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id TAA18572 for ; Fri, 10 Feb 1995 19:23:09 -0800 Received: from gatev3.sematech.org by gater3.sematech.org (8.6.9/F-1.8) with ESMTP id VAA11917; Fri, 10 Feb 1995 21:21:13 -0600 Received: from thecount.eng.sematech.org by GateV1.SEMATECH.Org (PMDF V4.3-10 #5463) id <01HMWD58IXF49I51MD@GateV1.SEMATECH.Org>; Fri, 10 Feb 1995 21:20:52 -0600 (CST) Received: from localhost.eng.sematech.org by thecount.eng.sematech.org (8.6.9/I-1.8) with SMTP id VAA02751; Fri, 10 Feb 1995 21:20:34 -0600 Date: Fri, 10 Feb 1995 21:20:32 -0600 From: Quentin Fennessy Subject: Re: split DNS (was Re: Firewall Product Review) In-reply-to: Your message of "Sat, 11 Feb 1995 00:37:56 GMT." <9502110037.AA17505@zeus.london.micrognosis.com> To: nreadwin@london.micrognosis.com (Neil Readwin) Cc: Quentin.Fennessy@SEMATECH.Org (Quentin Fennessy), firewalls@greatcircle.com Message-id: <199502110320.VAA02751@thecount.eng.sematech.org> Content-transfer-encoding: 7BIT X-Authentication-Warning: thecount.eng.sematech.org: Host localhost.eng.sematech.org didn't use HELO protocol Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi Neil- I wonder if anyone has ever noticed my MX configuration before I described it. Of course, anyone who looked at the MX records, then the A records, and then tried to connect to the systems could figure it out -- but it is not obvious. You mention that this is an evil/rude configuration because it forces everyone else to try connections to 3 machines before succeeding. Actually, no person does that -- just machines. Computers don't complain about that sort of stuff - they just follow the rules (mostly) and get the job done. 
If I thought my configuration would inconvenience individuals then I would agree with you. But computers are made to be slaves for humans. (And I think it would be a rare case where the sleep while a process waits for an SMTP response results in significant system load). Quentin From firewalls-owner Fri Feb 10 20:22:12 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA19428 for firewalls-outgoing; Fri, 10 Feb 1995 20:07:24 -0800 Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id UAA19422; Fri, 10 Feb 1995 20:07:18 -0800 Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.9/8.6.9) id VAA02562; Fri, 10 Feb 1995 21:58:19 -0600 Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma002560; Fri Feb 10 21:58:12 1995 Received: from ignatz (ignatz.bridge.com) by ignatz.bridge.com with SMTP id AA14203 (5.67b/IDA-1.5); Fri, 10 Feb 1995 22:05:20 -0600 Date: Fri, 10 Feb 1995 22:05:19 -0600 (CST) From: Ken Hardy X-Sender: ken@ignatz To: David Miller Cc: Brent Chapman , rens@imsi.com, tpaquett@aec.ca, firewalls@greatcircle.com, bdrennin@plaind.com Subject: Re: CERN httpd vs http-gw In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 10 Feb 1995, David Miller wrote: > > Why wouldn't you use simple software created for the task of access > control to secure access control, like tcp_wrappers or netacl? > It is possible but not recommended to run the CERN httpd from inetd because of the overhead to spawn it so often; it's more efficient to have it running in daemon mode and have it fork itself for new connections as it's already processed its config file, and the image is already in core. This is even more important now, IMHO, with the proliferation of Netscape, which asks for _lots_ of URLs at once. 
Http-gw & plug-gw are much more lightweight, so it's not _as_much_ a concern running them from inetd. Don't have any empirical measurements, though. -- KH From firewalls-owner Fri Feb 10 23:52:10 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA20652 for firewalls-outgoing; Fri, 10 Feb 1995 23:22:33 -0800 Received: from bos1b.delphi.com (SYSTEM@bos1b.delphi.com [192.80.63.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id XAA20647 for ; Fri, 10 Feb 1995 23:22:30 -0800 Received: from delphi.com by delphi.com (PMDF V4.3-9 #7804) id <01HMWNKSYO5Y91RZVR@delphi.com>; Sat, 11 Feb 1995 02:20:11 -0500 (EST) Date: Sat, 11 Feb 1995 02:20:11 -0500 (EST) From: Network Security Observations Subject: new book pre announcement To: firewalls@GreatCircle.com, cypherpunks@toad.com, Information.Security@STANFORD.BITNET, UNINFSEC@CUVMC.BITNET Message-id: <01HMWNKSYO6091RZVR@delphi.com> X-VMS-To: INTERNET"firewalls@GreatCircle.com" X-VMS-Cc: INTERNET"cypherpunks@toad.com" INTERNET"Information.Security@STANFORD.BITNET" INTERNET"cypherpunks@toad.com" INTERNET"UNINFSEC@CUVMC.BITNET" ,NSO MIME-version: 1.0 Content-type: TEXT/PLAIN; CHARSET=US-ASCII Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ISM/NSO received the manuscript of 'Cryptography: Theory and Practice' Author is Doug Stinson (Comp. Science/Eng. dept. University of Nebraska). Publisher is CRC Press Inc. Pages: 434 Chapters: 13 Format: Hardbound trimmed book 8,5 x 5,5 ISBN: not available yet Expected release: within 3 months Price: not available yet Preliminary review (a full review will be published in Internet Security Monthly) The book starts - obvious - with classical cryptography. Hopping from shift cipher, to substitution, to affine, to vigenere, to hill, to permutation, and ending in the range of simple cryptosystems with stream ciphers. 
A mature subchapter is devoted to cryptanalysis, covering the affine, the substitution and the vigenere, and providing a known plaintext attack on the hill cipher. The subchapter ends with the cryptanalysis of the LFSR-based stream cipher.

A next chapter discusses in depth Shannon's theory. This is followed by the inevitable discussion of the DES, its modes of operation, and includes an attack on a 3 round DES, and an attack on a 6 round DES.

Chapter 4 discusses RSA and factoring, touching also the not much discussed Chinese Remainder theorem. The Rabin scheme is reviewed. And within factoring Doug pays attention to Dixon's Algorithm and the quadratic sieve. Of course other public key cryptosystems, such as El Gamal, finite field, Merkle Hellman and McEliece, are discussed. Doug explains signature schemes, such as El Gamal and DSS, and touches undeniable and fail-stop. In Hash functions, after the basics, among others MD4 and timestamping are issues of interest. In key distribution and key agreement Blom's scheme, D-H, Kerberos, station to station, MIT key agreement are noteworthy stops.

Another chapter goes into identification schemes, discussing Schnorr, Okamoto, Guillou-Quisquater, and a general overview of conversion processes from identification to signature. In authentication codes there is a good discussion on computing deception probabilities, and combinatorial bounds. In the latter orthogonal arrays are a topic of interest. Doug also views the entropy bounds on deception probabilities.

A next chapter introduces the Shamir threshold, the monotone circuit construction and Ernie Brickell's vector space, among others. A separate chapter is devoted to pseudo-random numbers, giving examples. The indistinguishable probability distributions and the Blum/Blum/Shub generator are noteworthy. Extra attention for probabilistic encryption. As common for the subject, close to the end of the book, zero-knowledge proofs are discussed in depth.

The book is basically organized in three parts: private key cryptography, public key cryptography and the introduction to four active research areas. It's comprehensive in the 'core' areas of cryptography. Although Cryptography: Theory and Practice is a text book, it certainly provides researchers and practitioners in the field with material on less discussed topics, and certainly invites the development of new ideas. The work also contains a comprehensive reference section and a good workable index. Each chapter ends with exercise material.

For the reader: It is necessary to have at least some familiarity with basic linear algebra and modular arithmetic.

Compliments to Doug Stinson who sat many hours behind his terminal to get it all straightened out, and to a professional publisher that is up to the job of putting it all in print in such a layout that student, researcher and professional are encouraged.

11 February 1995
Internet Security Monthly
Network Security Observations
Editorial Office

------
Note: if you want to copy this short review, distribute it on the net, please do so at will. This review is not copyrighted. If you want more information on the book, consider sending us an email.
------

From firewalls-owner Sat Feb 11 03:22:17 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id DAA22951 for firewalls-outgoing; Sat, 11 Feb 1995 03:15:38 -0800
Received: from venere.inet.it (root@venere.inet.it [194.20.8.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id DAA22945 for ; Sat, 11 Feb 1995 03:15:30 -0800
Received: from deneb.UUCP (uudeneb@localhost) by venere.inet.it (8.6.9/8.6.9) with UUCP id LAA24311 for firewalls@GreatCircle.COM; Sat, 11 Feb 1995 11:47:13 +0100
Date: Sat, 11 Feb 1995 11:47:13 +0100
Received: from deneb by deneb.it with UUPC; Sat, 11 Feb 95 11:42:21 +0100 (MET)
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.COM
From: pedriali@deneb.it (Roberto Pedriali)
Subject: Re: Address translation
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Again regarding my last post on the "routing" problem on a firewall when we have the same address on the internal and external network. I have received some suggestions/comments giving advice to use the RFC 1587 addresses (I agree, but not always feasible) or to have "complicated" firewall systems based on two proxies connected in series. In the meantime I have tried to go through the documentation of several free and commercial firewall products, but I didn't find any product able to solve the problem. Are there any comments/experiences on free or commercial products out there relating to this problem?
Thanks, Roberto ------------------------------------------------------------------------ Roberto Pedriali Tel.+39 (39) 6084076 Deneb srl Fax.+39 (39) 6084076 Piazza Unita' d'Italia 3/F/3 20059 Vimercate Italy e-mail: pedriali@deneb.it From firewalls-owner Sat Feb 11 14:52:21 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA28579 for firewalls-outgoing; Sat, 11 Feb 1995 14:33:37 -0800 Received: from pjl53ig.i-p.attmail.com (PJL53IG.I-P.MAIL.ATT.NET [198.152.2.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA28574 for ; Sat, 11 Feb 1995 14:33:34 -0800 Date: Sat, 11 Feb 1995 22:30:08 +0000 From: billc@pegasus.attmail.com (WJCarpenter) Received: from pegasus by attmail; Sat Feb 11 22:30 GMT 1995 Subject: RE: split DNS (was Re: Firewall Product Review) In-Reply-To: Quentin Fennessy's note of 21:20:32, 10 February 1995 To: Quentin.Fennessy@SEMATECH.Org Cc: firewalls@greatcircle.com Message-ID: References: <9502110037.AA17505@zeus.london.micrognosis.com> <199502110320.VAA02751@thecount.eng.sematech.org> Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk [["best MX" can't be reached from outside]] fennessy> If I thought my configuration would inconvenience fennessy> individuals then I would agree with you. But computers are fennessy> made to be slaves for humans. (And I think it would be a fennessy> rare case where the sleep while a process waits for an SMTP fennessy> response results in significant system load). If you operate a small SMTP outbound site, this won't make much difference to you. But, if you operate a large site, it actually can make a big difference if lots of folks use your configuration method. The difference is significant additional queuing delay. In an ideal world, an attempt to connect to an unreachable host would result in an ICMP "host unreachable" response within a second or so. 
My observation from watching outbound logs of a large SMTP place is that those ICMPs often don't come. (I speculate that lots of sites that use screening routers as firewalls don't have ICMPs enabled on those routers. I further speculate that lots of sites using the MX trick also use screening routers.) Anyhow, without the ICMP, the sending SMTP has to wait for the connection attempt to time out. Since connections that succeed to out of the way places can take 30-40 seconds or longer, the timeout period is probably at least a minute or so. For a large queue, the minutes add up. It's hard to balance the queuing delay versus how many simultaneous queues to run versus the load on your outbound machine. Mail is delayed some. -- Bill@attmail.com billc@pegasus.ATT.COM or +1 908 576 2932, Fax x6406 William_J_Carpenter@ATT.COM AT&T Bell Labs / AT&T Consumer Interactive Services LZ 1C-320 From firewalls-owner Sat Feb 11 15:24:44 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA28680 for firewalls-outgoing; Sat, 11 Feb 1995 14:54:53 -0800 Received: from gater3.sematech.org (gater3.sematech.org [192.73.53.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA28675 for ; Sat, 11 Feb 1995 14:54:50 -0800 Received: from gatev3.sematech.org by gater3.sematech.org (8.6.9/F-1.8) with ESMTP id QAA13485; Sat, 11 Feb 1995 16:52:52 -0600 Received: from thecount.eng.sematech.org by GateV1.SEMATECH.Org (PMDF V4.3-10 #5463) id <01HMXI317D7K9I536U@GateV1.SEMATECH.Org>; Sat, 11 Feb 1995 16:52:39 -0600 (CST) Received: from localhost.eng.sematech.org by thecount.eng.sematech.org (8.6.9/I-1.8) with SMTP id QAA12170; Sat, 11 Feb 1995 16:52:35 -0600 Date: Sat, 11 Feb 1995 16:52:33 -0600 From: Quentin Fennessy Subject: Re: split DNS (was Re: Firewall Product Review) In-reply-to: Your message of "Sat, 11 Feb 1995 22:30:08 GMT." 
To: billc@pegasus.attmail.com (WJCarpenter) Cc: Quentin.Fennessy@SEMATECH.Org, firewalls@greatcircle.com Message-id: <199502112252.QAA12170@thecount.eng.sematech.org> Content-transfer-encoding: 7BIT X-Authentication-Warning: thecount.eng.sematech.org: Host localhost.eng.sematech.org didn't use HELO protocol Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Bill- The IP addresses of our internal MX hosts are not routed on the Internet. Therefore none of our hardware would offer an ICMP message, I don't think. What I think happens for sites who attempt to connect to our internal MX hosts is that the default route for their Internet connection causes their packets to be sent out to some core internet backbone, and the backbone router reports back that the MX host is unreachable (ICMP message). I think I read in your message that your problem with my configuration is actually with sites who use this technique but do not return ICMP messages. If that is true, then we should pass your litmus test. (As long as the Internet core gateways remember that they don't know how to get to our internal network). Remote sites should get ICMP Host Unreachables as quickly as they can get to a core gateway. Is that a correct restatement of your email? Thanks, Quentin PS I am unsure if 'core gateway' is the correct term. Anybody care to correct me? 
From firewalls-owner Sat Feb 11 19:22:23 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA00626 for firewalls-outgoing; Sat, 11 Feb 1995 19:06:45 -0800
Received: from [198.102.244.40] (pm-ppp-2.greatcircle.com [198.102.244.40]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id TAA00621; Sat, 11 Feb 1995 19:06:34 -0800
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sat, 11 Feb 1995 22:04:31 -0500
To: David Miller , firewalls@greatcircle.com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: IP spoofing
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:36 2/8/95, David Miller wrote:
>If I take the following steps:
>
> 1. Filter in screening router to drop source route packets

Irrelevant to current attacks, but a good idea anyway.

> 2. Filter in screening router to drop packets with internal
> addresses arriving on external ports.

This is the key to blocking the current attacks.

> 3. Filter in screening router to drop packets with source
> address of 127.0.0.* arriving on external port

This is probably not necessary (when the host sends the ack to itself, itself should send a RESET (RST) packet; I don't think a single machine can be both the victim and the fake source), but not a bad idea.

> 4. Modify demons to make SYN numbers very difficult to guess

This is a kernel modification, not a daemon modification. It's probably a good idea, though.

>Am I still subject to IP address spoofing? Under what conditions?
>Note I am not trusting DNS services not to be subverted, just asking
>about IP addresses.

The key to defeating this particular attack is point 2 above, which is fairly easy to do with just about any packet filtering system.
-Brent -- == For info about the Internet Security Firewalls Tutorial and a schedule == == of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM == ============================================================================== == Brent Chapman Great Circle Associates == == Brent@GreatCircle.COM 1057 West Dana Street == == +1 415 962 0841 Mountain View, CA 94041 == From firewalls-owner Sat Feb 11 22:52:13 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id WAA01952 for firewalls-outgoing; Sat, 11 Feb 1995 22:45:50 -0800 Received: from nic.near.net (nic.near.net [192.52.71.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id WAA01947 for ; Sat, 11 Feb 1995 22:45:47 -0800 Received: from jcurran-ppp.near.net by nic.near.net id aa27884; 12 Feb 95 1:43 EST X-Sender: jcurran@nic.near.net Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sun, 12 Feb 1995 01:43:52 -0500 To: Quentin Fennessy From: John Curran Subject: Re: split DNS (was Re: Firewall Product Review) Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 5:52 PM 2/11/95, Quentin Fennessy wrote: >Bill- > The IP addresses of our internal MX hosts are not routed >on the Internet. Therefore none of our hardware would offer an >ICMP message, I don't think. What I think happens for sites >who attempt to connect to our internal MX hosts is that the >default route for their Internet connection causes their packets >to be sent out to some core internet backbone, and the backbone >router reports back that the MX host is unreachable (ICMP message). > > I think I read in your message that your problem with >my configuration is actually with sites who use this technique but >do not return ICMP messages. If that is true, then we should pass >your litmus test. (As long as the Internet core gateways remember >that they don't know how to get to our internal network). 
Remote >sites should get ICMP Host Unreachables as quickly as they can >get to a core gateway. Hmm. A packet (destination = your internal network prefix) follows the path of default routes until it reaches an Internet router which runs with complete Internet routing and no default route. These routers (for no apparent reason) are generally quite busy handling thousands of packets _and_ processing significant inter-provider routing updates each minute. You'd like this router to examine its entire routing table to determine that indeed your network prefix is unknown, and then free up sufficient memory and cpu resources to create and queue an ICMP unreachable packet? It may not surprise you to find out that building such replies is not exactly top priority, and you may not ever get that ICMP message if things are too busy... When you combine this situation with the reality that some SMTP gateways are simply broken and will not try a second MX host under any circumstance (one on-line service was notorious for such processing), you can understand why a reachable initial MX host is considered a good idea. 
/John From firewalls-owner Sun Feb 12 03:52:14 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id DAA04776 for firewalls-outgoing; Sun, 12 Feb 1995 03:33:16 -0800 Received: from anon.penet.fi (anon.penet.fi [193.64.202.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id DAA04771 for ; Sun, 12 Feb 1995 03:33:11 -0800 Received: by anon.penet.fi (5.67/1.35) id AA11486; Sun, 12 Feb 95 13:23:26 +0200 Message-Id: <9502121123.AA11486@anon.penet.fi> To: lavondes@tidtest.total.fr, firewalls@greatcircle.com From: an1@anon.penet.fi (The Anonymous Administrator) X-Anonymously-To: lavondes@tidtest.total.fr,firewalls@greatcircle.com Organization: Anonymous contact service Reply-To: an1@anon.penet.fi Date: Sun, 12 Feb 1995 11:23:25 UTC Subject: Anon subscriber to firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Michel Lavondes writes: > I interpret that message as meaning that anonymous account > an196844 receives messages sent to firewalls@greatcircle.com, > either as a subscriber or through automatic forwarding. Am I > right ? If so, can one of you postmasters/admins do something > about it ? Should I go on bothering every firewalls subscriber > with what may be trivial lack of netiquette ? Am I hopelessly > naive/outdated/ ? Yes, if you send your message to the firewalls mailing list without intending it to go through anon.penet.fi and received the included password failure message, someone with an anon.penet.fi user id is subscribed to the list. This is what I send to list owners if I somehow notice an anon.penet.fi user being subscribed to a mailing list: Anon.penet.fi's server is not meant for regular large volume traffic and, unfortunately, we have had very bad experiences with what listservers (especially bitnet-servers) generally do to the headers and addresses. Mailing lists also sometimes create a large volume of traffic. 
If you are a listserver: - - - - - - - - - - - - I have to ask you to block anNUMBER@anon.penet.fi requests to your server. We have done the blocking at our end, but some anon users seem to have faked their address and sent a message your way as you see from below. All listserv replies will bounce to admin@anon.penet.fi and will never reach the anon user, but I still prefer that you would block the access. If you are a mailing list: - - - - - - - - - - - - - If you are a large volume list, I ask you to unsubscribe the anon user from the list as anon.penet.fi's server is not meant for regular large volume traffic. I suggest all subscriptions for an@anon.penet.fi be changed to na@anon.penet.fi. Answering directly to an will result in an anon id, and the message will be sent anonymized to the requester. This will also result in all the people who send articles to the list having an id, which is often unasked for... Answering to na will forward the message to the anon user without anonymization. For example, you want to mail a person numbered 60 and you want to do it non-anonymously (so that your real name and address appear in the headers of the mail), send mail to: na60@anon.penet.fi NOT an60@anon.penet.fi If you have any questions, just ask me. Replying to this message will result in an anon id, but sending a message to admin@anon.penet.fi will not. Sorry about the extra hassle :-/ Zarr ------------------------------------------------------------------------- To find out more about the anon service, send mail to help@anon.penet.fi. Due to the double-blind, any mail replies to this message will be anonymized, and an anonymous id will be allocated automatically. You have been warned. Please report any problems, inappropriate use etc. to admin@anon.penet.fi. 
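Returning to Brent Chapman's IP spoofing reply above (the four filter rules): the three screening-router rules he evaluates can be expressed as a small decision function that a practitioner can run against sample traffic. The Python below is an added example and not code from the thread; the internal prefix 192.0.2.0/24, the interface names and the sample packets are constructed for the demonstration, and the egress check on the internal interface goes one step beyond Brent's list (it is the mirror image of his rule 2).

```python
"""Screening-router anti-spoofing filter: an added example, not part of the thread.

Implements the three router rules from the IP spoofing reply, with packets
evaluated as plain Python values. The internal prefix, interface names and
sample packets are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed: the site's own address space and the router's two interfaces.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
EXTERNAL_IFACE = "ext"   # faces the Internet
INTERNAL_IFACE = "int"   # faces the site


@dataclass(frozen=True)
class Packet:
    iface: str                    # interface the packet arrived on
    src: str
    dst: str
    source_routed: bool = False   # IP loose/strict source route option present


def _in_any(addr, nets) -> bool:
    return any(addr in n for n in nets)


def classify(pkt: Packet, internal_nets=INTERNAL_NETS) -> str:
    """Return 'permit' or 'drop: <reason>' for one packet seen by the screening router."""
    src = ipaddress.ip_address(pkt.src)
    # Rule 1: source-routed packets are dropped whichever side they arrive on.
    if pkt.source_routed:
        return "drop: source-routed"
    if pkt.iface == EXTERNAL_IFACE:
        # Rule 2 (the key one): a packet claiming an internal source cannot
        # legitimately arrive from the outside.
        if _in_any(src, internal_nets):
            return "drop: internal source arriving on external interface"
        # Rule 3: loopback sources never belong on the wire.
        if src in LOOPBACK:
            return "drop: loopback source arriving on external interface"
    elif pkt.iface == INTERNAL_IFACE:
        # Extension beyond the reply (mirror image of rule 2): a packet leaving
        # the site must carry one of the site's own source addresses.
        if not _in_any(src, internal_nets):
            return "drop: non-internal source leaving via internal interface"
    return "permit"


def filter_packets(packets: Iterable[Packet], internal_nets=INTERNAL_NETS) -> List[Tuple[Packet, str]]:
    return [(p, classify(p, internal_nets)) for p in packets]


# Constructed sample traffic (addresses from the documentation ranges).
SAMPLE = [
    Packet("ext", "198.51.100.7", "192.0.2.10"),                      # ordinary inbound
    Packet("ext", "192.0.2.5", "192.0.2.10"),                         # spoofed "inside" source from outside
    Packet("ext", "127.0.0.1", "192.0.2.10"),                         # loopback source from outside
    Packet("ext", "198.51.100.7", "192.0.2.10", source_routed=True),  # source-routed inbound
    Packet("int", "192.0.2.10", "198.51.100.7"),                      # ordinary outbound
    Packet("int", "203.0.113.9", "198.51.100.7"),                     # inside host spoofing a third party
]

if __name__ == "__main__":
    for pkt, verdict in filter_packets(SAMPLE):
        print(f"{pkt.iface} {pkt.src:>14} -> {pkt.dst:<14} {verdict}")
```

The order of the checks matters only for the reason reported; every spoofed packet in the sample is dropped by at least one rule, and the ordinary inbound and outbound packets pass.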
From firewalls-owner Sun Feb 12 06:22:12 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA05762 for firewalls-outgoing; Sun, 12 Feb 1995 06:19:05 -0800 Received: from door.netcs.com (root@door.netcs.com [192.48.224.20]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA05757; Sun, 12 Feb 1995 06:18:59 -0800 Received: from keks.netcs.com [138.199.0.101] by door.netcs.com with SMTP (8.6.9/25-eef) id PAA10117; Sun, 12 Feb 1995 15:16:54 +0100 Received: by keks.netcs.com (5.67a8+/1.2-eef) id AA27566; Sun, 12 Feb 1995 15:16:52 +0100 Message-Id: <199502121416.AA27566@keks.netcs.com> Subject: Re: Address translation To: Brent@GreatCircle.COM (Brent Chapman) Date: Sun, 12 Feb 1995 15:16:51 +0100 (MET) From: Oliver Korfmacher Cc: antonio_vasconcelos@q950.bvl.pt, pedriali@deneb.it, firewalls@greatcircle.com, csch@keks.netcs.com (Clemens Schrimpe) In-Reply-To: from "Brent Chapman" at Feb 10, 95 07:13:25 pm X-Mailer: ELM [version 2.4 PL21] Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Content-Length: 1306 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > routes) until they reach one of the various cores. For instance, here's > what I get on Alternet: > > miles 101 % traceroute 10.0.0.1 > traceroute to 10.0.0.1 (10.0.0.1), 30 hops max, 40 byte packets > 1 mv-irx.greatcircle.com (198.102.244.33) 2 ms 2 ms 2 ms > 2 uu-irx-fr.greatcircle.com (198.102.244.4) 30 ms 33 ms 445 ms > 3 uu-irx-fr.greatcircle.com (198.102.244.4) 32 ms 30 ms 30 ms > 4 San-Jose3.CA.ALTER.NET (137.39.27.1) 60 ms 40 ms 31 ms > 5 Vienna1.VA.ALTER.NET (137.39.12.1) 130 ms 108 ms 118 ms > 6 en-0.ENSS136.t3.ANS.NET (192.41.177.253) 140 ms !H 128 ms !H 132 ms !H > > The packet doesn't get rejected until it gets all the way to the ANS core. The situation in Europe isn't better, but at least it does not leave the continent traceroute 10.0.0.1 traceroute to 10.0.0.1 (10.0.0.1) 30 hops max, 38 byte packets .. 
5 gatembx-gw.netmbx.de (192.76.152.201) 50 ms 6 pppgw.Dortmund.DE.EU.net (139.4.66.2) 460 ms 7 ppphost.Dortmund.DE.EU.net (139.4.66.1) 570 ms 8 Dortmund.DE.EU.net (193.96.66.1) 780 ms 9 Dortmund3.DE.EU.net (193.96.66.14) 1140 ms 10 Amsterdam2.NL.EU.net (134.222.1.1) 710 ms 11 Amsterdam2.NL.EU.net (134.222.1.1) * 1560 ms same for 172.16. Looks like at least Amsterdam reads this list. Gruesse, Oliver > > > -Brent > From firewalls-owner Sun Feb 12 13:53:41 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA07039 for firewalls-outgoing; Sun, 12 Feb 1995 13:46:41 -0800 Received: from blackhole.milkyway.com (milkyway.com [198.53.167.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA07027 for ; Sun, 12 Feb 1995 13:46:37 -0800 Received: (from uucp@localhost) by blackhole.milkyway.com (8.6.7/8.6.6) id QAA23277 for ; Sun, 12 Feb 1995 16:44:03 -0500 Received: from jupiter.milkyway.com(192.168.77.9) by internet.milkyway.com via smap (V1.3) id sma023275; Sun Feb 12 16:43:45 1995 Received: from starbuck.milkyway.com.milkyway.com (calisto.milkyway.com [192.168.77.2]) by jupiter.milkyway.com (8.6.7/8.6.6) with SMTP id QAA14758 for ; Sun, 12 Feb 1995 16:47:33 -0500 Received: by starbuck.milkyway.com.milkyway.com (4.1/SMI-4.1) id AA15560; Sun, 12 Feb 95 16:47:06 EST To: firewalls@greatcircle.com Path: not-for-mail From: mcr@milkyway.com (Michael Richardson) Newsgroups: milkyway.mail.firewalls Subject: Re: CERN httpd vs http-gw Date: 12 Feb 1995 16:47:06 -0500 Organization: Milkyway Networks Corporation Lines: 32 Distribution: milkyway Message-Id: <3hlvkq$f65@calisto.milkyway.com> References: <199502110032.AA08697@fnord.wang.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In article <199502110032.AA08697@fnord.wang.com>, Tom Fitzgerald wrote: >This would be nice for reserved ports (especially for things like rcmd!) 
>but anybody who can run chroot can become root, so it doesn't really save >you anything to reduce the privilege level needed to run chroot. (I What does chroot() do that would help me that much? Below is about all I've thought of, and it depends on being able to access the current working directory after the chroot in order to get access to the suid programs there. I think this is a hole in chroot(2), although I currently make use of it. I would prefer to fix this, and provide execfd() to get a program started *after* entering the chroot()'ed area. Why chroot is not for mortal users: I can fool a whole bunch of programs into using my /etc/passwd rather than the system one, and if I do % cd /bin % chroot /my/new/root % su I can get root. But we aren't talking about letting chroot be a general tool, just letting some programs use it based on gid rather than uid. -- :!mcr!: | Milkyway Networks Corporation Michael Richardson | Makers of the Black Hole firewall NCF: aa714 || xx714 | +1 613 566-4574 ... mcr@milkyway.com Home: mcr@sandelman.ocunix.on.ca. PGP key available. 
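The escape Michael describes (cd into a directory holding setuid binaries, chroot to a tree with a forged /etc/passwd, run su) depends on two things: a setuid program still reachable after the chroot, and a chroot that is not followed by a privilege drop. The Python below is an added example, not code from the thread or from the Black Hole firewall; it shows the administrator's side of that point: audit the jail tree for setuid/setgid files, then chdir, chroot and drop to an unprivileged uid/gid in that order, refusing to go on if any step fails. The demo jail it builds under a temporary directory is constructed for the demonstration, and the nobody-style uid/gid 65534 is an assumption.

```python
"""Chroot jail entry and audit: an added example, not part of the thread.

The cd /bin; chroot; su trick needs a setuid program reachable from inside the
jail and a chroot that is not followed by a privilege drop. This code does the
opposite on purpose: audit the tree for setuid/setgid files, then chdir, chroot
and drop privileges in that order, raising rather than continuing half-jailed.
"""
import os
import stat
import tempfile
from typing import List


def find_setuid_files(root: str) -> List[str]:
    """Paths (relative to root) of regular files carrying the setuid or setgid bit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)          # lstat: never follow a symlink out of the tree
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def enter_jail(root: str, uid: int, gid: int) -> bool:
    """Enter the chroot at `root` and become uid/gid. Must be run as root to succeed.

    chdir comes before chroot so the cwd is inside the new root and no handle on
    the old tree survives (the hole the message above relies on); the second chdir
    makes "/" the cwd rather than a path computed before the chroot. After dropping
    groups, gid and uid, the function proves the drop is irreversible.
    """
    if not os.path.isabs(root):
        raise ValueError("jail root must be an absolute path")
    suid = find_setuid_files(root)
    if suid:
        raise RuntimeError(f"refusing to enter jail with setuid/setgid files: {suid}")
    os.chdir(root)
    os.chroot(root)
    os.chdir("/")
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    if (os.getuid(), os.geteuid(), os.getgid(), os.getegid()) != (uid, uid, gid, gid):
        raise RuntimeError("privilege drop did not take effect")
    try:
        os.setuid(0)
    except PermissionError:
        return True                      # good: root cannot be regained
    raise RuntimeError("regained root after dropping privileges")


def build_demo_jail() -> str:
    """Constructed demo tree: a scratch directory whose bin/su is marked setuid."""
    root = tempfile.mkdtemp(prefix="jail-demo-")
    os.mkdir(os.path.join(root, "bin"))
    su = os.path.join(root, "bin", "su")
    with open(su, "wb") as fh:
        fh.write(b"#!/bin/sh\nexit 0\n")
    os.chmod(su, 0o4755)
    return root


if __name__ == "__main__":
    demo = build_demo_jail()
    print("setuid files in demo jail:", find_setuid_files(demo))
    try:
        enter_jail(demo, 65534, 65534)   # 65534: assumed nobody-style uid/gid
    except (RuntimeError, PermissionError) as exc:
        print("enter_jail refused:", exc)
```

Run unprivileged, the script only exercises the audit and the refusal path; run as root against a clean tree, enter_jail returns True with the process confined and unprivileged, at which point a program can be started inside the jail.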
From firewalls-owner Sun Feb 12 14:22:53 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA07333 for firewalls-outgoing; Sun, 12 Feb 1995 14:03:09 -0800 Received: from miriworld.its.unimelb.edu.au (miriworld.its.unimelb.EDU.AU [128.250.20.187]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA07328 for ; Sun, 12 Feb 1995 14:03:01 -0800 Received: (from danny@localhost) by miriworld.its.unimelb.edu.au (8.6.9/8.6.9) id IAA12226; Mon, 13 Feb 1995 08:59:45 +1100 Date: Mon, 13 Feb 1995 08:59:44 +1100 (EST) From: "Daniel O'Callaghan" Subject: Re: split DNS (was Re: Firewall Product Review) To: Frank Wortner cc: Greg Woods , firewalls@GreatCircle.COM In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 10 Feb 1995, Frank Wortner wrote: > On Fri, 10 Feb 1995, Greg Woods wrote: > > > But we have users that send mail out with return addresses that are of > > the form user@host.subdomain.ucar.edu. I want people on the net to be > > able to reply to those messages, but I don't want to leave our internal > > hosts' SMTP ports open to connections initiated from the outside. So, I > > want to send out a wildcard MX record for *.ucar.edu which would direct > > all inbound mail to our relay host (which would run "smap", be secured > > in a manner as close as possible to a "bastion host", etc.). This host > > then needs to be able to resolve the *real* MX/A information in order > > to deliver the mail. This is another reason for going to a "split DNS" > > configuration. > > But wouldn't it also be possible to build a hierarchy of MX records like > this: > > host.domain.ucar.edu MX 100 bastion.ucar.edu > MX 1 host.domain.ucar.edu > > and avoid the split DNS altogether? Hosts that can't get to > "host.domain.ucar.edu" would send mail to "bastion.ucar.edu", while the > bastion would send the mail to "host.domain.ucar.edu". 
This is a good way to have error messages build up in log files in the outside world. If you run sendmail 8.6.9, you will see in sendmail.cf that there is a macro/switch with the comment "If we are the best MX for a site, send to the site directly, instead of generating local config error". That is the way to do it. You then use host.domain MX 1 bastion Then everyone will send the mail to the bastion, and it forwards it. Of course, the catch here is that all internal mail goes through the bastion, too, so give the bastion plenty of grunt. Danny From firewalls-owner Sun Feb 12 15:22:17 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA08692 for firewalls-outgoing; Sun, 12 Feb 1995 15:20:14 -0800 Received: from taureau.as03.bull.oz.au (taureau.as03.bull.oz.au [134.211.128.112]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA08686 for ; Sun, 12 Feb 1995 15:19:39 -0800 Received: by taureau.as03.bull.oz.au id AA16041 (5.65c/IDA-1.4.4); Sat, 11 Feb 1995 06:24:39 +1100 Received: from localhost (sjg@localhost [127.0.0.1]) by zen.void.oz.au (8.6.9/8.6.9) with SMTP id VAA03587; Fri, 10 Feb 1995 21:54:38 +1100 Message-Id: <199502101054.VAA03587@zen.void.oz.au> X-Authentication-Warning: zen.void.oz.au: Host localhost didn't use HELO protocol To: Ian Marr Cc: antonio_vasconcelos@q950.bvl.pt (Antonio Vasconcelos), firewalls@greatcircle.com, vasco@bvl.pt Subject: Re: Address translation In-Reply-To: Your message of "Thu, 09 Feb 95 15:34:11 -0000." <9502091534.AA02976@finsbury.co.uk> Date: Fri, 10 Feb 1995 21:54:37 +1100 From: "Simon J. Gerraty" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > I need to know if there is some firewall software for unix that over > > the firewall stuff do some addr translation for me. > > Maybe ... but believe me, you *DON'T* want to do it. Bite the bullet > and renumber your network; if you can't get enough registered > addresses then use some from the range reserved in RFC1597. 
That An alternative is a two stage firewall as described by Bellovin & Cheswick... Ie. (inside nets) == [in] ------ [choke] ------ [out] == (internet) | | [inside] [outside] As long as "inside" and "outside" are connected to valid nets or subnets of a valid net _and_ you run totally separate DNS on the inside and outside, your internal illegal nets are taken care of. Ie. the internet can only talk to "outside" and "outside" only knows about "inside" and the internet both of which are all valid addresses. The cost is an extra router and set of bastions (inside may represent a large number of bastions...). The advantage is you don't have to touch your internal net. Also, you can have _very_ simple routing, "outside" defaults to "out", and "inside" defaults to "in" nets. Except for the ftp-gw which must be split - as described by Bellovin & Cheswick, all the TIS fwtk proxies can be used. Any extra security from setting up "choke" appropriately is a bonus :-) --sjg From firewalls-owner Sun Feb 12 15:55:12 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA08878 for firewalls-outgoing; Sun, 12 Feb 1995 15:37:07 -0800 Received: from ls7354.nsls.bnl.gov (ls7354.nsls.bnl.gov [130.199.194.29]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA08873 for ; Sun, 12 Feb 1995 15:37:02 -0800 Message-Id: <199502122337.PAA08873@miles.greatcircle.com> Received: by ls7354.nsls.bnl.gov (1.37.109.14/16.2) id AA094222109; Sun, 12 Feb 1995 18:35:09 -0500 Date: Sun, 12 Feb 1995 18:35:09 -0500 From: "John D. Smith" To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have a problem and would like to get feedback from some Firewall experts. We have two networks connected to a Cisco router. We want to install a Firewall to protect one of the networks. Computers on the unprotected net now have NFS access to data in a file on a host that will be on the protected net. 
Since the Firewall vendors we contacted don't seem to pass NFS data, the solution being considered is to have one computer with two ethernets, one on the protected and one on the unprotected network. This computer will make the data available via NFS to hosts on the unsecure net. This computer can have restricted services (no telnet, rlogin, ftp, mail, etc.) to make it secure and prevent backdoor access to the secure network. From what I gathered by reading this list the forwarding of packets across the interfaces is a potential problem that has to be addressed. Since the workstations are HP, I believe this calls for a patch to the OS. Does anyone see a problem with this approach or see another solution? Does anyone know of a vendor who has a Firewall that passes NFS? If so, would it be considered secure? I have seen references to an NFS proxy but it seems these are used when you build your own firewalls and we would prefer a commercial product. Another solution was to have a process running on a host on the unsecured net collect the data but this would require the firewall to pass UDP data which would be another problem. We may have to provide decnet access to the data. Any comments on a Decnet solution? Thanks in advance for any comments, help. 
john From firewalls-owner Sun Feb 12 16:52:44 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA09671 for firewalls-outgoing; Sun, 12 Feb 1995 16:51:35 -0800 Received: from [198.102.244.39] (pm-ppp-2.greatcircle.com [198.102.244.40]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA09641; Sun, 12 Feb 1995 16:51:20 -0800 X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sun, 12 Feb 1995 19:49:21 -0500 To: Oliver Korfmacher From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: Address translation Cc: antonio_vasconcelos@q950.bvl.pt, pedriali@deneb.it, firewalls@greatcircle.com, csch@keks.netcs.com (Clemens Schrimpe) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 15:16 2/12/95, Oliver Korfmacher wrote: >> routes) until they reach one of the various cores. For instance, here's >> what I get on Alternet: >> >> miles 101 % traceroute 10.0.0.1 >> traceroute to 10.0.0.1 (10.0.0.1), 30 hops max, 40 byte packets >> 1 mv-irx.greatcircle.com (198.102.244.33) 2 ms 2 ms 2 ms >> 2 uu-irx-fr.greatcircle.com (198.102.244.4) 30 ms 33 ms 445 ms >> 3 uu-irx-fr.greatcircle.com (198.102.244.4) 32 ms 30 ms 30 ms >> 4 San-Jose3.CA.ALTER.NET (137.39.27.1) 60 ms 40 ms 31 ms >> 5 Vienna1.VA.ALTER.NET (137.39.12.1) 130 ms 108 ms 118 ms >> 6 en-0.ENSS136.t3.ANS.NET (192.41.177.253) 140 ms !H 128 ms !H 132 ms !H >> >> The packet doesn't get rejected until it gets all the way to the ANS core. > >Situation in europe isn't better, but at least does not leave >the continent I assume you're talking about "Vienna1.VA.Alter.Net" in the traceroute output above. That machine is in the USA, in Vienna, Virginia (US state abbreviation "VA"), which is near Washington, DC. 
-Brent -- == For info about the Internet Security Firewalls Tutorial and a schedule == == of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM == ============================================================================== == Brent Chapman Great Circle Associates == == Brent@GreatCircle.COM 1057 West Dana Street == == +1 415 962 0841 Mountain View, CA 94041 == From firewalls-owner Sun Feb 12 17:52:15 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA09977 for firewalls-outgoing; Sun, 12 Feb 1995 17:24:11 -0800 Received: from wintermute.imsi.com (wintermute.imsi.com [192.103.3.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id RAA09972; Sun, 12 Feb 1995 17:24:08 -0800 Received: from relay.imsi.com by wintermute.imsi.com id UAA00969; Sun, 12 Feb 1995 20:22:16 -0500 Received: from lorax.imsi.com by relay.imsi.com id UAA21250; Sun, 12 Feb 1995 20:22:07 -0500 Received: from localhost by lorax.imsi.com (4.1/SMI-4.1) id AA21232; Sun, 12 Feb 95 20:22:06 EST Message-Id: <9502130122.AA21232@lorax.imsi.com> To: Brent@greatcircle.com (Brent Chapman) Cc: David Miller , rens@imsi.com, Ken Hardy , tpaquett@aec.ca, firewalls@greatcircle.com, bdrennin@plaind.com Subject: Re: CERN httpd vs http-gw In-Reply-To: Your message of "Fri, 10 Feb 1995 18:51:22 EST." Reply-To: rens@imsi.com Date: Sun, 12 Feb 1995 20:22:05 -0500 From: Rens Troost Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>>>> "Brent" == Brent Chapman writes: >>> At 17:23 2/1/95, Rens Troost wrote: Why? And are we talking >>> about using it ONLY for proxying here, not for also serving >>> external users (i.e., surfers from the Internet)? I'd be very >>> nervous about having an HTTP server accessed by the outside >>> world live anywhere EXCEPT on my bastion host. Sorry to interject a non sequitur here, but I did not write that. Please watch those attributions! 
-Rens From firewalls-owner Sun Feb 12 18:22:29 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA10295 for firewalls-outgoing; Sun, 12 Feb 1995 18:11:27 -0800 Received: from disaster.com (root@eniac136.disaster.com [199.99.205.136]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA10290 for ; Sun, 12 Feb 1995 18:11:23 -0800 Message-Id: X-Sender: pribik@mailhost.disaster.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sat, 11 Feb 1995 21:02:30 -0500 To: firewalls@greatcircle.com From: labatt@disaster.com (Chris Labatt-Simon - D&D Consulting) Subject: Transparent Proxies (was Address translation) X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >An alternative is a two stage firewall as described by Bellovin & >Cheswick... > >Ie. > >(inside nets) == [in] ------ [choke] ------ [out] == (internet) > | | > [inside] [outside] > Is it possible to deal with transparent firewall software (such as Janus) when you use "illegal" nets on your private network? I can't think of any way to compensate for this, since you don't actually "login" to a proxy agent on a bastion. Or do you just have to deal with not being able to get to hosts on the Internet who have the actual "ownership" of your illegal net #s? Thanks, Chris ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Chris Labatt-Simon Internet: labatt@disaster.com Design & Disaster Recovery Consulting CIS: 73542,2601 Albany, New York PHONE: (518) 495-5474 FAX: (518) 432-1829 Subscribe to the Lotus Notes Mailing List (LNOTES-L) - mail for info.. 
For info on D&D, mail to info@disaster.com or http://www.disaster.com INTERNET/UNIX/NETWARE/LAN/WAN SPECIALISTS AND MORE ALL UNDER ONE ROOF ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From firewalls-owner Sun Feb 12 19:22:16 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA10673 for firewalls-outgoing; Sun, 12 Feb 1995 18:52:53 -0800 Received: from relay.tis.com (relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA10668 for ; Sun, 12 Feb 1995 18:52:50 -0800 Received: from sol.tis.com(192.33.112.100) by relay.tis.com via smap (V1.3) id sma014446; Fri Feb 10 21:57:42 1995 From: Marcus J Ranum Message-Id: <9502130226.AA20247@tis.com> Subject: Re: your mail To: jsmith@bnlls1.nsls.bnl.gov (John D. Smith) Date: Sun, 12 Feb 1995 21:34:36 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: <199502122337.PAA08873@miles.greatcircle.com> from "John D. Smith" at Feb 12, 95 06:35:09 pm Organization: Trusted Information Systems, Inc. Glenwood, MD Phone: 301-854-6889 Coredump: Infocalypse Now!!! Content-Type: text Content-Length: 1596 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Since the Firewall vendors we contacted don't >seem to pass NFS data, the solution being considered is >to have one computer with two ethernets, one on the >protected and one on the unprotected network. This >computer will make the data available via NFS to >hosts on the unsecure net. Do you want security, or do you want NFS? Pick one. --- Seriously, though, it's probably possible to do what you propose but it might be a lot of work. You'll also need to run portmapper and a bunch of other stuff on that machine, which might have holes in it (I say "might" because they have in the past). You'll also need to make sure filesystems are exported readonly and if possible mounted noexec and nosuid on the server. 
For what setting the machine up and configuring it right will likely cost, you could probably buy a few gigs of hard disk space and have the inside server periodically shove a complete disposable copy of the dataset to the outside machine via FTP mirroring or whatnot. Obviously, if you have terabytes of data then that's another problem (and if you have terabytes of data you currently make available by NFS you may already have a problem). Generally, the rule of thumb I like to follow is when you're making data available to the public from the inside of the perimeter, have a means of shoving a copy from the inside to the outside automatically. That way it's easy to clean it up and you don't have to have an inside machine trusting some outside machine that connects up to it requesting data. mjr. From firewalls-owner Sun Feb 12 20:52:25 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA11425 for firewalls-outgoing; Sun, 12 Feb 1995 20:49:18 -0800 Received: from panix.com (panix.com [198.7.0.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id UAA11420 for ; Sun, 12 Feb 1995 20:49:15 -0800 Received: from wallyman (wallynet.dialup.access.net) by panix.com with SMTP id AA24276 (5.67b/IDA-1.5 for ); Sun, 12 Feb 1995 23:47:19 -0500 Message-Id: <199502130447.AA24276@panix.com> X-Sender: wallynet@panix.com X-Mailer: Windows Eudora Version 1.4.3 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Priority: 1 (Highest) Date: Sun, 12 Feb 1995 23:46:13 -0500 To: boutell@netcom.com, Nathan.Torkington%vuw.ac.nz.marca@ncsa.uiuc.edu From: wallynet@panix.com (Walter F. InterNetman) Subject: Bullet Proof Servers and UnderDog Pills Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi there: I am searching for commercial FTP and MAIL servers for Unixware, Solaris 1&2, Dec OSF & N3.12 4.x which can be considered bullet proof and not cryptic or overly complex to administer. Do you have any ideas or recommendations? 
A Windows winsock email application with PGP or other encryption which I could implement globally in a gov agcy would be nice too. FW proxy server compliant is a must.... Thanks, --- Walt PS: How would you stop surfers from injecting your LAN with infected FTP downloads? From firewalls-owner Mon Feb 13 03:22:18 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id DAA14970 for firewalls-outgoing; Mon, 13 Feb 1995 03:09:59 -0800 Received: from post.demon.co.uk (post.demon.co.uk [158.152.1.72]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id DAA14965 for ; Mon, 13 Feb 1995 03:09:56 -0800 Received: from gdsnl.demon.co.uk by post.demon.co.uk id aa02119; 13 Feb 95 11:05 GMT Received: from arbor by gdsnl.gds.nl with uucp (Smail3.1.28.1 #14) id m0rcfHB-002e10C; Thu, 9 Feb 95 21:15 GMT+0100 Date: Tue, 8 Jan 1980 02:52:44 +6000 From: "J.G.L. Velner" Subject: unsuscribe firewalls To: firewalls@greatcircle.com Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk unsuscribe firewalls From firewalls-owner Mon Feb 13 03:37:56 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id DAA14957 for firewalls-outgoing; Mon, 13 Feb 1995 03:07:54 -0800 Received: from eros.britain.eu.net (eros.Britain.EU.net [192.91.199.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id DAA14952 for ; Mon, 13 Feb 1995 03:07:50 -0800 Received: from avenue.finsbury.co.uk by eros.britain.eu.net via UKIP with SMTP (PP) id ; Mon, 13 Feb 1995 11:01:06 +0000 Received: by finsbury.co.uk (4.1/25-eef) id AA01325; Mon, 13 Feb 95 11:02:49 GMT From: Ian Marr Message-Id: <9502131102.AA01325@finsbury.co.uk> Subject: Re: Address translation To: pedriali@deneb.it (Roberto Pedriali) Date: Mon, 13 Feb 1995 11:02:48 +0000 (GMT) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Roberto Pedriali" at Feb 10, 95 05:46:27 pm X-Mailer: ELM [version 2.4 PL23] 
Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 3347 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Roberto Pedriali writes: > > With "illegal" addresses on internal network I will come out in a situation > where I have the same address on both network (internal/external) of the > firewall: the sw running on the firewall has to make routing decision > based on the direction of the connection..... > > By the way this is a real problem that I am also facing just now, so any > suggestion or pointer to a solution will be very appreciated. Roberto, I understand the problem! (I've got it too, but don't tell anyone ;-). I'm trying to connect a large (10,000 node) network using nearly every registered Class B address there is(!) to the Internet. However, all is not lost ... Simon explained the (potential) workaround below. I'm looking at this as an intermediate solution as I persuade our networking 'gurus' to dig themselves out of a hole by renumbering the network. As Simon describes, a dual proxy firewall configuration can be used to separate the routing problem into two halves; the inside firewall defaults inwards, the outside firewall defaults outwards. Neat eh ? All, Simon implies that ftp needs to be handled carefully, true; but has anyone done this ? Or, as mjr of TIS suggested to me, why not do all ftp's through an http-gw ? (I'm not sure how this would work, can anyone explain ?) And finally, is anyone running a dual firewall config like this ? Especially using the TIS Toolkit or Gauntlet ? I'd really like to know if it worked and was secure. Ian. ------------------------------------------------------------------------------ Ian Marr Wingrove, 10 St Georges Road, Sevenoaks, KENT, TN13 3ND, UK im@finsbury.co.uk +44-732-453-577 ------------------------------------------------------------------------------ Subject: Re: Address translation Date: Fri, 10 Feb 1995 21:54:37 +1100 From: "Simon J. 
Gerraty" > > I need to know if there is some firewall software for unix that over > > the firewall stuff do some addr translation for me. > > Maybe ... but believe me, you *DON'T* want to do it. Bit the bullet > and renumber your network; if you can't get enough registered > addresses then use some from the ranged reserved in RFC1597. That An alternative is a two stage firewall as described by Bellovin & Cheswick... Ie. (inside nets) == [in] ------ [choke] ------ [out] == (internet) | | [inside] [outside] As long as "inside" and "outside" are connected to valid nets or subnets of a valid net _and_ you run totally separate DNS on the inside and outside, your internal illegal nets are taken care of. Ie. the internet can only talk to "outside" and "outside" only knows about "inside" and the internet both of which are all valid addresses. The cost, is an extra router and set of bastions (inside may represent a large number of bastions...). The advantage is you don't have to touch your internal net. Also, you can have _very_ simple routing, "outside" defalults to "out", and "inside" defaults to "in" nets. Except for the ftp-gw which must be split - as described by Bellovin & Cheswick, all the TIS fwtk proxies can be used. 
Any extra security from setting up "choke" appropriately is a bonus :-) --sjg From firewalls-owner Mon Feb 13 03:56:56 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id DAA15235 for firewalls-outgoing; Mon, 13 Feb 1995 03:42:47 -0800 Received: from netserv.com (netserv.com [198.37.128.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id DAA15230 for ; Mon, 13 Feb 1995 03:42:45 -0800 Received: from [198.37.128.120] (smh-ppc.netserv.com [198.37.128.120]) by netserv.com (8.6.9/smh-1.1) with SMTP id DAA20056; Mon, 13 Feb 1995 03:32:32 -0800 Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 13 Feb 1995 03:41:59 -0800 To: labatt@disaster.com (Chris Labatt-Simon - D&D Consulting), firewalls@GreatCircle.COM From: smh@netserv.com (Scott M. Hinnrichs) Subject: Re: Transparent Proxies (was Address translation) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 6:02 PM 2/11/95, Chris Labatt-Simon - D&D Consulting wrote: > >Is it possible to deal with transparent firewall software (such as >Janus) when you use "illegal" nets on your private network? I can't >think of any way to compensate for this, since you don't actually >"login" to a proxy agent on a bastion. Or do you just have to deal >with not being able to get to hosts on the Internet who have the >actual "ownership" of your illegal net #s? > I had a client that used an illegal Class A network internally. I set up proxies on a bastion host that was on both the illegal Class A, and on their legal Class B. Yeah, I know, why were they still using the illegal Class A when they had a legal Class B... Nice people, but they had an incredible fear of disaster when it came to changing their addressing. Even though I could show them clients that had done it successfully with anywhere from 100 - 1000+ IP hosts. You should try your best to get them to change to legal addressing. It only gets worse with time. 
The dual connected Sun had routing turned off and masked the illegal internal Class A. They are stuck using proxies until they change their internal addressing, and after all these years, they still don't seem any closer to changing. It actually was kind of clean in that the internal network was in no way available to the outside, so it was as secure as the bastion host / router was, but they could have done this with legal addressing too. I made this point to them, but they "couldn't afford the downtime required to change the addressing". Of course they could, but they were just large enough that the solution involved advance planning and some timing complexities that scared them off. Now they have merged with a couple of other companies that have legal addressing. Now they still have to go through with the changes, but have more complexities. Still doable over a long weekend with a month of planning, but I expect them to continue into the future with this quirky topology. BTW, the Class A they were using is still not assigned, so they didn't have problems knowing which way to send the packets. I did run into some interesting effects when I first PPP'd into their network, and I was directly on the internet ;) In your case, if you resolved an address to the legal owner of the network you are using a conflict would arise, and the connection would want to go 'inside' instead of 'outside'. I can think of some ways around this, but as long as the internal network the bastion host is on is duplicated somewhere on the internet you will have conflicts. Convince them to change to legal Class C(s). 
Scott

From firewalls-owner Mon Feb 13 04:14:32 1995
From: Randy Dickson
To: firewalls@GreatCircle.com
Date: Mon, 13 Feb 95 6:49:08 EST
Subject: unsubscribe firewalls

unsubscribe firewalls

--
***********************************************************************
Randy Dickson            Sonalysts, Inc.     Email: rdickson@sonalysts.com
215 Parkway North                            Work:  (203)442-4355
Waterford CT 06385
All opinions expressed are purely my own and not my company's except by
coincidence.
"Yield to Temptation..it may not pass your way again" .. LL
***********************************************************************

From firewalls-owner Mon Feb 13 06:53:31 1995
From: Marcus J Ranum
To: smh@netserv.com (Scott M. Hinnrichs)
Cc: labatt@disaster.com, firewalls@GreatCircle.COM
Date: Mon, 13 Feb 1995 09:27:51 -0500 (EST)
Subject: Re: Transparent Proxies (was Address translation)
Organization: Trusted Information Systems, Inc. Glenwood, MD

> Nice people, but they had an incredible fear of disaster when it came to
> changing their addressing. Even though I could show them clients that had
> done it successfully with anywhere from 100 - 1000+ IP hosts.

There is one absolutely easy way to cut IP addresses over almost instantly: Change the addresses of the news server and (if you have one) the firewall and everyone will cut over within 24 hours.

mjr.

From firewalls-owner Mon Feb 13 07:25:12 1995
From: smh@netserv.com (Scott M. Hinnrichs)
To: Marcus J Ranum
Cc: labatt@disaster.com, firewalls@GreatCircle.COM
Date: Mon, 13 Feb 1995 06:49:43 -0800
Subject: Re: Transparent Proxies (was Address translation)

At 6:27 AM 2/13/95, Marcus J Ranum wrote:

> > Nice people, but they had an incredible fear of disaster when it came to
> > changing their addressing. Even though I could show them clients that had
> > done it successfully with anywhere from 100 - 1000+ IP hosts.
>
> There is one absolutely easy way to cut IP addresses over
> almost instantly: Change the addresses of the news server and (if
> you have one) the firewall and everyone will cut over within 24
> hours.

I only wish it were that easy. This was a world-wide, far-flung company network with close to 1000 IP addresses. If I did something like you suggest I would have been cussed out in several languages, many times over.

As a consultant there is only so much you can do. I have turned down or left clients for coveting ill-advised technical stances, but this company actually seemed like they were going to turn a 180 and do the right thing several times, so I stuck around for a while. They didn't, and as far as I know still haven't.

A company that wants to do the right thing, has the knowledge to recognize it, and actually takes action is rare. Fortunately, I have found many companies like this over the years, with a few imperfect ones sprinkled in to provide interesting war stories.

Marcus, let us know when you attempt the above some time... we would like to know where to send the flowers ;)

Scott

From firewalls-owner Mon Feb 13 08:26:59 1995
From: "Brian L. Kahn"
To: firewalls@greatcircle.com
Cc: blk@mitre.org, jtw@mitre.org
Date: Mon, 13 Feb 1995 10:56:48 -0500
Subject: Re: X anyone ? "McMullen, Michael K."

In a nutshell, security goes out the window (excuse the pun ;0) when an unknown X client connects to your X server across the firewall. Most firewall sites have a binary view dividing the universe into two categories: inside=us, outside=them.

The X clients truly share the screen, keyboard, mouse, and CPU. The clients also communicate with each other in a trusting fashion.

If you completely trust the integrity of the remote X client, then things are not quite so bad - but how can you be sure which client is connecting? There are still problems of key distribution, TCP session integrity, DNS address resolution, authentication, privacy, etc. A typical site will face risks similar to the risks of TCP with trusted hosts and address-based authentication, like the environment exploited in the recent well publicized break-in at San Diego.

There is a nice discussion of issues on this www page:

    http://ugweb.cs.ualberta.ca/~adrian/X.security

Brian L. Kahn      "In theory, there is no difference between theory and practice.
blk@mitre.org       In practice, of course, there is."

> From: "McMullen, Michael K."
> To: greatcircle
> Subject: X anyone ?
> Date: Tue, 07 Feb 95 08:21:00 cst
>
> Greetings,
>
> Lord knows that there are a variety of opinions. I'm looking for more
> information about X in general (how it works and vulnerabilities), then more
> specific information about X proxies across ANS+CORE's Interlock 3.0. How
> vulnerable or safe is it ?
>
> If you are an expert or novice, any thoughts on the matter will be
> appreciated.
>
> Thanks, Mike
>
> M. K. McMullen
> IPSO/DC
> 713/244-5432
> mmcmulle@gp801.jsc.nasa.gov

From firewalls-owner Mon Feb 13 08:52:31 1995
From: kdante@nsf.gov
To: firewalls@greatcircle.com
Date: Mon, 13 Feb 95 09:59:37 EST
Subject: re: SUMMARY: 'smart cards'

For CryptoCard, 708-471-0892 gets a Cellular 1 phone.

For LeeMah DataCom Security Corporation, the number is 510-786-0790. (I suppose the phone company was splitting area codes again.) LeeMah's InfoKey only works with phones, according to the representative I talked to. How valuable is this going to be for a firewall?
KJDante

From firewalls-owner Mon Feb 13 09:26:06 1995
From: sotiris.baxevanis@intelsat.int
Reply-To: sotiris.baxevanis@intelsat.int
To: firewalls@greatcircle.com
Date: 13 Feb 95 11:18:04 -0500
Subject: UDP port significance

Hello, lately I have noticed connection attempts to the following UDP ports

    33439, 33440, 33501-03, 33459-61, 33465-67, 33474-76, 36870, 36895, 49546-48

anything significant about these ports?

thanks

From firewalls-owner Mon Feb 13 09:40:33 1995
From: Ken Hardy
To: blk@vanity.mitre.org, mmcmulle@gp801.jsc.nasa.gov
Cc: firewalls@greatcircle.com
Date: Mon, 13 Feb 1995 11:11:12 -0600
Subject: Re: X anyone ? "McMullen, Michael K."

"Brian L. Kahn" wrote:

> In a nutshell, security goes out the window (excuse the pun ;0) when
> an unknown X client connects to your X server across the firewall.
> Most firewall sites have a binary view dividing the universe into two
> categories: inside=us, outside=them.
>
> The X clients truly share the screen, keyboard, mouse, and CPU. The
> clients also communicate with each other in a trusting fashion.

I recall seeing an announcement of an X server that ran in a window under your regular X server; all that it could see (and therefore share w/ others connected to it) were windows & events within its own frame:

    +-------------------------------------------------+
    | Main X server's root window = your screen       |
    |                                                 |
    |                     +----------------------+    |
    |                     | 2nd-ary X server's   |    |
    |   +-------------+   | root window = this   |    |
    |   |             |   | window.              |    |
    |   | local app's |   |    +----------+      |    |
    |   |   window    |   |    |remote app|      |    |
    |   |             |   |    |  window  |      |    |
    |   +-------------+   |    +----------+      |    |
    |                     +----------------------+    |
    |                                                 |
    +-------------------------------------------------+

Comments on the security advantages of this? Or lack thereof? Presumably, an xkey connected to the secondary X server wouldn't be able to directly snoop the password you're typing into your local app window, e.g. I don't recall the product and whether or not it was a commercial offering. Anyone?

-- KH

From firewalls-owner Mon Feb 13 09:59:06 1995
From: Robert Sargent
To: firewalls@GreatCircle.COM, sotiris.baxevanis@intelsat.int
Date: Mon, 13 Feb 1995 12:42:41 -0500
Subject: Re: UDP port significance

sotiris.baxevanis@intelsat.int wrote:

> Hello, lately I have noticed connection attempts to the following UDP ports
>
> 33439, 33440, 33501-03, 33459-61, 33465-67, 33474-76, 36870, 36895, 49546-48
>
> anything significant about these ports?

traceroute uses UDP port 33434 (by default) for its first hop and then adds one for each hop, so your port 33439 may have been accessed by someone 6 hops away. This may explain 33434 (plus [maybe] 30) if the originator used the defaults for traceroute.

Regards-

Robert

From firewalls-owner Mon Feb 13 10:21:43 1995
From: William Gianopoulos {84718}
To: sotiris.baxevanis@intelsat.int
Cc: firewalls@GreatCircle.COM
Date: Mon, 13 Feb 1995 12:36:57 -0500 (EST)
Subject: Re: UDP port significance

> Hello, lately I have noticed connection attempts to the following UDP ports
>
> 33439, 33440, 33501-03, 33459-61, 33465-67, 33474-76, 36870, 36895, 49546-48
>
> anything significant about these ports?

The ones from 33434 through 33476 are probably traceroute. It talks to port 33434 + hop-count. No idea about the others.

--
William A. Gianopoulos; Raytheon Electronic Systems Division
wag@swl.msd.ray.com
--------------------------------------------------------------------
Any opinions expressed above are my own and not that of my employer.
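The two replies above (Sargent's and Gianopoulos's) do the traceroute port arithmetic by hand; the following added example, which is not code from the thread, applies the same rule to a constructed firewall log and sorts each source's UDP hits into probable traceroute hops and ports that fall outside that range. It assumes a constructed log-line format, and it takes three probes per hop as the default because that is what classic BSD traceroute sends (each probe moving to the next port); the posts count one port per hop, and probes_per_hop=1 reproduces their arithmetic.

```python
"""Sort inbound UDP hits into traceroute probes and everything else.

Added example, not code from the list posts.  Classic traceroute sends
UDP probes starting at destination port 33434 for the first hop and
moves to the next port for each subsequent probe, so a scatter of hits
just above that base is normally someone tracing a path, while ports
well outside it deserve a second look.  The log line format and all
addresses below are constructed for this example.
"""
import re
from collections import defaultdict

TRACEROUTE_BASE = 33434   # default first destination port (figure from the thread)
MAX_HOPS = 30             # classic traceroute default maximum TTL

# Constructed log format: "<timestamp> <host> udp <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"udp (\S+):(\d+) -> (\S+):(\d+)\s*$")

# Constructed sample: one source walking the traceroute range, another
# hitting the high ports the original poster could not explain.
SAMPLE_LOG = """\
Feb 13 11:18:01 fw udp 192.0.2.10:1055 -> 203.0.113.7:33439
Feb 13 11:18:02 fw udp 192.0.2.10:1056 -> 203.0.113.7:33440
Feb 13 11:18:04 fw udp 192.0.2.10:1057 -> 203.0.113.7:33459
Feb 13 11:18:04 fw udp 192.0.2.10:1058 -> 203.0.113.7:33460
Feb 13 11:18:05 fw udp 192.0.2.10:1059 -> 203.0.113.7:33461
Feb 13 11:18:07 fw udp 192.0.2.10:1060 -> 203.0.113.7:33501
Feb 13 11:19:30 fw udp 192.0.2.44:2001 -> 203.0.113.7:36870
Feb 13 11:19:31 fw udp 192.0.2.44:2002 -> 203.0.113.7:36895
Feb 13 11:19:32 fw udp 192.0.2.44:2003 -> 203.0.113.7:49546
Feb 13 11:19:32 fw udp 192.0.2.44:2004 -> 203.0.113.7:49547
Feb 13 11:19:33 fw tcp 192.0.2.44:2005 -> 203.0.113.7:25
"""


def traceroute_hop(dport, probes_per_hop=3):
    """Return the hop (TTL) a default traceroute probe to dport would carry, else None.

    The posts count one port per hop; classic BSD traceroute sends three
    probes per hop, each to the next port, so the default here is 3.  Use
    probes_per_hop=1 for the thread's arithmetic (33439 -> 6 hops away).
    """
    offset = dport - TRACEROUTE_BASE
    if 0 <= offset < MAX_HOPS * probes_per_hop:
        return offset // probes_per_hop + 1
    return None


def classify_udp_log(log_text, probes_per_hop=3):
    """Group UDP hits per source into traceroute hops and unexplained ports.

    Returns {src: {"traceroute_hops": [...], "other_ports": [...],
                   "verdict": "traceroute" | "unexplained" | "mixed"}}.
    Lines that are not UDP records in the expected format are skipped.
    """
    buckets = defaultdict(lambda: {"hops": set(), "other": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dport = m.group(1), int(m.group(4))
        hop = traceroute_hop(dport, probes_per_hop)
        if hop is None:
            buckets[src]["other"].add(dport)
        else:
            buckets[src]["hops"].add(hop)

    report = {}
    for src, seen in buckets.items():
        hops, others = sorted(seen["hops"]), sorted(seen["other"])
        if hops and not others:
            verdict = "traceroute"      # every port fits the probe pattern
        elif others and not hops:
            verdict = "unexplained"     # nothing here looks like traceroute
        else:
            verdict = "mixed"
        report[src] = {"traceroute_hops": hops, "other_ports": others,
                       "verdict": verdict}
    return report


if __name__ == "__main__":
    for src, info in sorted(classify_udp_log(SAMPLE_LOG).items()):
        print(src, info["verdict"], "hops:", info["traceroute_hops"],
              "other:", info["other_ports"])
```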
From firewalls-owner Mon Feb 13 10:30:49 1995
From: Oliver Friedrichs
To: sotiris.baxevanis@intelsat.int
Cc: firewalls@greatcircle.com
Date: Mon, 13 Feb 1995 12:07:24 -0600 (CST)
Subject: Re: UDP port significance

On 13 Feb 1995 sotiris.baxevanis@intelsat.int wrote:

> Hello, lately I have noticed connection attempts to the following UDP ports
>
> 33439, 33440, 33501-03, 33459-61, 33465-67, 33474-76, 36870, 36895, 49546-48
>
> anything significant about these ports?

This has been discussed here before; it's someone doing a traceroute.

- Oliver

From firewalls-owner Mon Feb 13 10:44:56 1995
From: horn@mickey.jsc.nasa.gov
To: firewalls@greatcircle.com
Date: Mon, 13 Feb 1995 11:37:13 -0600 (CST)
Subject: Archie?

Hello,

I'm interested in providing archie service through our firewall. We've got an application gateway based on TIS' Firewall Toolkit and TAMU's drawbridge package.

The problem is that archie uses UDP. Servers sit on port 1525, but clients can be on any random UDP port >1023. So if you want to allow archie via packet filtering only, you have to allow UDP:1525 out, but any UDP >1023 in.

Since the list of archie servers is known and small, it seems like I should be able to allow any UDP packets to ports > 1023 from only the archie servers. And that would solve the problem. Unfortunately, the TAMU drawbridge package does not allow that kind of filtering.

A preferable situation would be to run an application on the bastion that speaks the archie protocol. This could then act as the archie server for the internal net and speak to the archie servers on the outside.

Has anyone seen (or written and is willing to share) an application gateway for Archie?

--
Mark Horn (sparkie)
horn@mickey.jsc.nasa.gov

From firewalls-owner Mon Feb 13 10:48:15 1995
From: "Bill VanRemmen U. of Rochester (716)275-4825"
To: firewalls@greatcircle.com
Date: Mon, 13 Feb 1995 12:35:42 -0500 (EST)
Subject: SEAL

I asked this question a while ago about FW-1 and got a negative response, so I'll try it with SEAL...

Does SEAL handle DECnet, TCP/IP, Appletalk and IPX? Some of them? Can it be MADE to deal with them?

E-mail directly to me is fine if this is too much of a newbie question for the list. Pointers to more info would be helpful, too.

Thanks in advance.......

-Bill VanRemmen, KA2WFJ
billy@urhep.pas.rochester.edu
URHEP::billy

My opinions. No one in their right mind would claim otherwise.
==============================================================================
"Experience should teach us to be most on our guard to protect liberty when the government's purposes are beneficent . . . the greatest dangers to liberty lurk in insidious encroachment by men of zeal, well meaning but without understanding."
                 Justice Louis Brandeis
                 Olmstead vs. United States, United States Supreme Court, 1928
==============================================================================

From firewalls-owner Mon Feb 13 10:52:34 1995
From: morrison@killerbee.jsc.nasa.gov (John A. Morrison)
To: Ken Hardy
Cc: firewalls@greatcircle.com
Date: Mon, 13 Feb 1995 12:24:58 -0400
Subject: Re: X anyone ? "McMullen, Michael K."

> I recall seeing an announcement of an X server that ran in a window
> under your regular X server; all that it could see (and therefore share
> w/ others connected to it) were windows & events within its own frame:
>
>     +-------------------------------------------------+
>     | Main X server's root window = your screen       |
>     |                                                 |
>     |                     +----------------------+    |
>     |                     | 2nd-ary X server's   |    |
>     |   +-------------+   | root window = this   |    |
>     |   |             |   | window.              |    |
>     |   | local app's |   |    +----------+      |    |
>     |   |   window    |   |    |remote app|      |    |
>     |   |             |   |    |  window  |      |    |
>     |   +-------------+   |    +----------+      |    |
>     |                     +----------------------+    |
>     |                                                 |
>     +-------------------------------------------------+
>
> Comments on the security advantages of this? Or lack thereof?
> Presumably, an xkey connected to the secondary X server wouldn't be able
> to directly snoop the password you're typing into your local app
> window, e.g. I don't recall the product and whether or not it was a
> commercial offering. Anyone?

The product is called xnest, and is included in the distribution for FreeBSD and I think Linux. Don't know about Sun or SGI. Part of the X11R6 release.

If I remember right, xnest encapsulates all X-Window connections and passes over one TCP port (some port < 1024 I think). This may provide you with _some_ warm fuzzies, but whatever has to be done to your clients to encrypt the session and pass the Magic_Cookie securely, is beyond me... At least, I don't remember the details....anyone?

 ____________________________________________________________________
/ Something happened in the Quantum Well,  | NASA MOD AIS Security   \
| An electron escaped & nearly fell        | Engineering Team        |
| Up, it went, partway & stopped,          |        --==8==--        |
| It froze & blinked - outside it popped!  | Work : 713-282-3516     |
|------------------------------------------| FAX  : 713-282-2948     |
| morrison@killerbee.jsc.nasa.gov          |        --==8==--        |
| web: http://aset.rsoc.rockwell.com       | Musician for hire       |
\__________________________________________|_________________________/

From firewalls-owner Mon Feb 13 11:01:20 1995
From: David Miller
To: Ken Hardy
Cc: Brent Chapman, rens@imsi.com, tpaquett@aec.ca, firewalls@greatcircle.com, bdrennin@plaind.com
Date: Mon, 13 Feb 1995 12:32:07 -0500 (EST)
Subject: Re: CERN httpd vs http-gw

On Fri, 10 Feb 1995, Ken Hardy wrote:

> On Fri, 10 Feb 1995, David Miller wrote:
>
> > Why wouldn't you use simple software created for the task of access
> > control to secure access control, like tcp_wrappers or netacl?
>
> It is possible but not recommended to run the CERN httpd from inetd
> because of the overhead to spawn it so often; it's more efficient to have
> it running in daemon mode and have it fork itself for new connections as
> it's already processed its config file, and the image is already in core.
> This is even more important now, IMHO, with the proliferation of Netscape,
> which asks for _lots_ of URLs at once.

Very good point. Twas an oversight on my part, honest:)

> Http-gw & plug-gw are much more lightweight, so it's not _as_much_ a
> concern running them from inetd. Don't have any empirical measurements,
> though.
>
> -- KH

----------------------------------------------------------------------------
It's *amazing* what one can accomplish when one doesn't know what one can't do!
From firewalls-owner Mon Feb 13 11:22:32 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA22806 for firewalls-outgoing; Mon, 13 Feb 1995 11:10:40 -0800 Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA22801 for ; Mon, 13 Feb 1995 11:10:37 -0800 Received: from hsasun by relay1.UU.NET with SMTP id QQycye14666; Mon, 13 Feb 1995 14:08:43 -0500 Received: from msmail by hsasun (4.1/SMI-4.1) id AA06985; Mon, 13 Feb 95 11:08:49 PST Received: by msmail with Microsoft Mail id <2F3FADF7@msmail>; Mon, 13 Feb 95 11:07:35 PST From: Duke Walls To: "'firewalls'" Subject: Re: CERN httpd vs http-gw Date: Mon, 13 Feb 95 11:06:00 PST Message-Id: <2F3FADF7@msmail> Encoding: 12 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I'll refrain from pouring gasoline on the fire by not stating any > preference for any particular brand/type of "new OS." ;-) Thanks for your forebearance, Frank. We've got far too much debate over various flavors of UN*X to worry about pretenders to the throne. Besides, UN*X can be reasonably secure, if you know where the holes are (which is why I'm cheerfully lurking). Better the beast we know, than the beast we don't , eh? 
-- Duke Walls dwalls@hsa.com From firewalls-owner Mon Feb 13 11:53:36 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA22614 for firewalls-outgoing; Mon, 13 Feb 1995 11:03:32 -0800 Received: from ncar.UCAR.EDU (ncar.ucar.edu [192.52.106.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA22604 for ; Mon, 13 Feb 1995 11:03:28 -0800 Message-Id: <199502131901.MAA03793@ncar.ucar.EDU> Received: by ncar.ucar.EDU (NCAR-local/ NCAR Central Post Office 03/11/93) id MAA03793; Mon, 13 Feb 1995 12:01:19 -0700 Subject: Re: split DNS (was Re: Firewall Product Review) To: danny@miriworld.its.unimelb.EDU.AU (Daniel O'Callaghan) Date: Mon, 13 Feb 95 12:01:19 MST Cc: firewalls@greatcircle.com In-Reply-To: ; from "Daniel O'Callaghan" at Feb 13, 95 8:59 am From: woods@ncar.ucar.edu (Greg Woods) X-Mailer: ELM [version 2.3 PL11] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > That is the way to do it. You then use > > host.domain MX 1 bastion > > The everyone will send the mail to the bastion, and it forwards it. > Of course, the catch here is that all internal mail goes through the > bastion, too, so give the bastion plenty of grunt. Big catch. One of my goals is to avoid forwarding internal mail through the bastion. The bastion is of course not going to be running sendmail; more probably something like "smap" which will introduce a delay of possibly several minutes in mail delivery. This I would rather avoid for mail which is strictly internal to our organization, in addition to wanting to keep anything off the bastion that does not absolutely have to be there for load purposes. 
--Greg From firewalls-owner Mon Feb 13 12:07:08 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA22997 for firewalls-outgoing; Mon, 13 Feb 1995 11:15:18 -0800 Received: from overdrive (overdrive3.ccrl.nj.nec.com [138.15.104.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA22992 for ; Mon, 13 Feb 1995 11:15:15 -0800 Received: by overdrive (4.1/YDL1.9-920708.13) id AA28201(overdrive); Mon, 13 Feb 95 14:12:40 EST Received: by deimos (4.1/CNC-Client) id AA05765; Mon, 13 Feb 95 14:12:35 EST Date: Mon, 13 Feb 1995 14:12:34 -0500 (EST) From: Ed Strong X-Sender: ems@deimos To: firewalls@greatcircle.com Subject: There can be only one! Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Or: Toward a sustainable model for secure internet access An increasing number of management, at an increasing number of subsidiaries are getting interested in details of network security policy here. (This is good, I think.) I'm looking for phrases to explain firewall policy in the simplest possible terms. For instance: 1. A firewall implies a secure network on the inside, and a less secure, untrusted network on the outside. 2. Opening up IP access from the outside to inside implies reducing network security inside to the same level as outside, due to the "web of trust", and should not be permitted. 3. Zones of the corporate network with differing security policies require firewalls between them. In each zone, like in the Highlander movies, "there can be only one" security policy. 4. Currently the best way of handling the issue of open internet access is to establish buffer networks of more-or-less open hosts outside each internet gateway firewall. My question to the list is, am I missing anything fundamental in these 4 statements? Are any statements wholly or partially false? Can I simplify this any further without losing details? 
Thanks Ed Strong From firewalls-owner Mon Feb 13 12:23:20 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA22404 for firewalls-outgoing; Mon, 13 Feb 1995 10:58:20 -0800 Received: from hisar.cc.boun.edu.tr (hisar.cc.boun.edu.tr [193.140.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA22384 for ; Mon, 13 Feb 1995 10:57:38 -0800 Received: by hisar.cc.boun.edu.tr (5.65/DEC-Ultrix/4.3) id AA16689; Mon, 13 Feb 1995 20:54:52 -0500 Date: Mon, 13 Feb 1995 20:54:52 -0500 (EST) From: Can Baysal X-Sender: baysalc@hisar.cc.boun.edu.tr To: firewall list Subject: A pc as a router and a firewall (idea needed) Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi; For a couple of months I've tried to use a Linux box as a router and gave up :( And then I changed my mind. Is there any simple (as simple as possible) software that I can use as a routing program on a PC? Two things are important: firstly, we may need to use it as a firewall, so it should be able to filter packets, and secondly it must (or maybe should only) support modem connection (ppp would be better). Any name, even any idea, would be helpful. 
Thanks in advance; Can BAYSAL; From firewalls-owner Mon Feb 13 13:01:14 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA22382 for firewalls-outgoing; Mon, 13 Feb 1995 10:56:52 -0800 Received: from post.demon.co.uk (post.demon.co.uk [158.152.1.72]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA22377 for ; Mon, 13 Feb 1995 10:56:48 -0800 Received: from roverpte.demon.co.uk by post.demon.co.uk id aa24341; 13 Feb 95 17:55 GMT Received: from boiled.rover.com by roverpte.demon.co.uk (5.65c) id AA06916; Mon, 13 Feb 1995 13:03:01 GMT Received: by boiled.rover.com (5.65c) id AA01874; Mon, 13 Feb 1995 13:01:36 GMT Message-Id: <199502131301.AA01874@boiled.rover.com> To: firewalls@greatcircle.com Subject: Firewalls for non UNIX machines Date: Mon, 13 Feb 95 13:01:35 +0000 From: Lyndon David Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I have some people who have a small PC network running Novell and want to have email running to their users and a dial up connection to the service provider to exchange mail via SMTP. I explained the problems associated with security and said that what they really wanted was a firewall. This could either be constructed from a low end workstation or a PC running BSDI. When the costs and complexities were added up it came to a surprising amount of money and a lot of time to set up. They have no UNIX people. What they really want is to be able to use their existing Novell server to do the mail exchanges. Has anyone any ideas as to how this could be done without dropping in a dedicated UNIX box? Although from a technical point of view this is the best, it is not practical in this situation. Any ideas would be most welcome. 
Lyndon From firewalls-owner Mon Feb 13 13:23:19 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA24128 for firewalls-outgoing; Mon, 13 Feb 1995 11:58:58 -0800 Received: from tuna.wang.com (tuna.wang.com [150.124.136.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA24123 for ; Mon, 13 Feb 1995 11:58:54 -0800 Received: from elf.wang.com by tuna.wang.com with SMTP id AA27276 (5.67b/IDA-1.5 for ); Mon, 13 Feb 1995 14:57:01 -0500 Received: from fnord.wang.com by elf.wang.com with SMTP id AA09741 (5.67a/IDA-1.5 for ); Mon, 13 Feb 1995 13:55:41 -0500 Received: by fnord.wang.com (5.67a/TF8) id AA02276; Mon, 13 Feb 1995 14:56:44 -0500 Date: Mon, 13 Feb 1995 14:56:44 -0500 From: Tom Fitzgerald Message-Id: <199502131956.AA02276@fnord.wang.com> To: firewalls@greatcircle.com Subject: Re: anon Sender: firewalls-owner@GreatCircle.COM Precedence: bulk } Had he listed his address as NA.... instead of } AN..., replies would not be anonymized. gdonl@gv.ssi1.com (Don Lewis) says: > And because he didn't Mr. Anon can easily find the anon ID's of all > the posters to this list. All he has to do is subscribe to this list > with his real email address and he will get two copies of each message. > One copy will have the poster's real email address, and the other will > have his anonymous address. You can defend against this by getting an anon-ID before you post (if you don't have one already), and then password-locking it. When your post goes to the gateway without the password, the gateway will refuse to anonymize it and Mr Anon will only get one copy (the non-anonymous one). 
-- Tom Fitzgerald 1-508-967-5278 Wang Labs, Lowell MA, USA fitz@wang.com From firewalls-owner Mon Feb 13 13:29:55 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA23722 for firewalls-outgoing; Mon, 13 Feb 1995 11:35:37 -0800 Received: from bwh.harvard.edu (bwh.harvard.edu [134.174.81.34]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA23717 for ; Mon, 13 Feb 1995 11:35:34 -0800 Received: (adam@localhost) by bwh.harvard.edu (8.6.9/8.6.9) id OAA28493; Mon, 13 Feb 1995 14:32:51 -0500 From: Adam Shostack Message-Id: <199502131932.OAA28493@bwh.harvard.edu> X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School Subject: Re: Archie? To: horn@mickey.jsc.nasa.gov Date: Mon, 13 Feb 1995 14:32:50 -0500 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: <199502131737.LAA21363@freefall.jsc.nasa.gov> from "horn@mickey.jsc.nasa.gov" at Feb 13, 95 11:37:13 am X-PGP: 876BD629 Fingerprint: 70 93 32 D6 36 D4 04 10 40 EC AB 28 A4 1D 0F E2 X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 533 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk | A preferable situation would be to run an application on the bastion that | speaks the archie protocol. This could then act as the archie server for the | internal net and speak to the archie servers on the outside. Has anyone seen | (or written and are willing to share) an application gateway for Archie? Most archie servers handle mail requests, and this is probably the best way to go, as it involves no new code on the firewall. Adam -- "It is seldom that liberty of any kind is lost all at once." 
-Hume From firewalls-owner Mon Feb 13 13:32:15 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA24288 for firewalls-outgoing; Mon, 13 Feb 1995 12:07:36 -0800 Received: from travsoft.travsoft.com (travsoft.travsoft.com [198.102.198.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA24282 for ; Mon, 13 Feb 1995 12:07:30 -0800 Received: from msmail.travsoft.com by travsoft.travsoft.com with smtp (Smail3.1.28.1 #9) id m0re2Z6-0002MbC; Mon, 13 Feb 95 07:19 PST Received: by msmail.travsoft.com with Microsoft Mail id <2F3F787C@msmail.travsoft.com>; Mon, 13 Feb 95 07:19:24 PST From: "Michael Wilson (325)" To: Firewalls Subject: Re: Anyone read these books? Date: Mon, 13 Feb 95 07:18:00 PST Message-ID: <2F3F787C@msmail.travsoft.com> Encoding: 48 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I picked up E-Mail Security over the weekend and it seems to be a good primer on the subject. It starts off with general concepts and then moves on to specific discussions about PGP and PEM. The second half of the book consists of the PGP user guide and the PEM RFCs. I found it quite valuable as a starting point. It should be readily available now - I picked mine up at the local Barnes & Noble book store. Mike ---------- From: firewalls-owner To: Stephen.L.Arnold; firewalls; avolio Subject: Re: Anyone read these books? Date: Fri, Feb 10, 1995 8:02PM re: > > Do you have any mor einformation on this book, such as publisher? Our > > librarian cannot find it anywhere, but then perhaps she isn't looking > > in the right places. > > Thanks > > Fred > > They're new: > > Internet Firewalls and Network Security, 450 pp., softcover, New Riders > Publishing (I never heard of 'em either!), January 1995, publisher's > price $35.00. > > E-Mail Security, 288 pp., softcover, John Wiley & Sons, February 1995, > publisher's price $24.95 > > Disclaimer: I haven't seen these. No endorsement implied! 
Fred/Stephen: I've seen an early manuscript some time ago of E-Mail Security. It is authored by Bruce Schneier. It's to be expected somewhere late March. It's sound stuff, good reading. I'll dig the other one up for you. I know I got something on it. Cheers Bertil NSO/ISM From firewalls-owner Mon Feb 13 13:52:56 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA25587 for firewalls-outgoing; Mon, 13 Feb 1995 13:05:20 -0800 Received: from ki1.chemie.fu-berlin.de (ki1.chemie.fu-berlin.de [130.133.2.21]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA25582 for ; Mon, 13 Feb 1995 13:05:15 -0800 Received: by ki1.chemie.fu-berlin.de (Smail3.1.28.1) from odb.rhein-main.de (193.141.47.4) with smtp id ; Mon, 13 Feb 95 22:03 MET Received: from [193.141.47.129] by odb.rhein-main.de with smtp (Smail3.1.28.1 #5) id m0re7Nn-0003elC; Mon, 13 Feb 95 21:28 MET Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Date: Mon, 13 Feb 1995 21:29:29 +0100 To: BERNI@erc.ie From: maass@odb.rhein-main.de (Joerg Maass) Subject: Re: apple macs Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi Berni, >Is there any software out there to password protect standalone Apple >Macs? > There is a package called, errhm, uhmmm :-), MacPassword (I think :-). It's freeware and can be downloaded from e.g. sumex-aim.stanford.edu. Check it out. >This may not be the correct place to ask...but...if anyone knows??? > Damn right, this IS the wrong place :-). Anyway, hope I helped. Joerg Maass -- Am Tiergarten 22 Tel.: +49/69/4990880 D-60316 Frankfurt Fax : +49/6103/383-157 Germany privat: maass@thinkfish.rhein-main.de biz.: Joerg.Maass@frs.mts.dec.com PGP signature available upon request. 
From firewalls-owner Mon Feb 13 14:22:46 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA26942 for firewalls-outgoing; Mon, 13 Feb 1995 13:52:12 -0800 Received: from miriworld.its.unimelb.edu.au (miriworld.its.unimelb.EDU.AU [128.250.20.187]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA26936 for ; Mon, 13 Feb 1995 13:52:00 -0800 Received: (from danny@localhost) by miriworld.its.unimelb.edu.au (8.6.9/8.6.9) id IAA01328; Tue, 14 Feb 1995 08:49:42 +1100 Date: Tue, 14 Feb 1995 08:49:41 +1100 (EST) From: "Daniel O'Callaghan" Subject: Re: Firewalls for non UNIX machines To: Lyndon David cc: firewalls@GreatCircle.COM In-Reply-To: <199502131301.AA01874@boiled.rover.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 13 Feb 1995, Lyndon David wrote: > I have some people who have a small PC network running Novell > and want to have email running to their users and a dial up > connection to the service provider to exchange mail via SMTP. > I explained the problems associated with security and said that > what they really wanted was a firewall. This could either be > contrtucted from a low end workstation or a PC running BSDI. > When the costs and complexities were added up it came to > a surprising amount of money and a lot of time to set up. They > have no UNIX people. What they really want is to be able to > use their existing Novell server to do the mail exchanges. > > Has anyone any ideas as to how this could be done without > dropping in a dedicated UNIX box, although from a technical > point of view this is the best it is not practical in this situation. Contact peter@trumpet.com.au regarding "Fanfare", a MS-Windows based Internet gateway. 
Fanfare does: * SOCKS proxying * SMTPD * POPD * gopherd * nntpd/nnrpd * named * even does routing if you don't want to do SOCKS * "keep-the-link-up" CSLIP/PPP From the Trumpet Winsock guy. Still beta testing, though. Danny From firewalls-owner Mon Feb 13 14:26:25 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA25781 for firewalls-outgoing; Mon, 13 Feb 1995 13:15:53 -0800 Received: from wintermute.imsi.com (wintermute.imsi.com [192.103.3.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA25774 for ; Mon, 13 Feb 1995 13:15:50 -0800 Received: from relay.imsi.com by wintermute.imsi.com id QAA07460; Mon, 13 Feb 1995 16:12:26 -0500 Received: from lorax.imsi.com by relay.imsi.com id QAA02689; Mon, 13 Feb 1995 16:12:25 -0500 Received: from localhost by lorax.imsi.com (4.1/SMI-4.1) id AA22793; Mon, 13 Feb 95 16:12:25 EST Message-Id: <9502132112.AA22793@lorax.imsi.com> To: Ken Hardy Cc: blk@vanity.mitre.org, mmcmulle@gp801.jsc.nasa.gov, firewalls@greatcircle.com Subject: Re: X anyone ? "McMullen, Michael K." In-Reply-To: Your message of "Mon, 13 Feb 1995 11:11:12 CST." <199502131711.AA21499@ignatz.bridge.com> Reply-To: rens@imsi.com Date: Mon, 13 Feb 1995 16:12:24 -0500 From: Rens Troost Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>>>> "Ken" == Ken Hardy writes: Ken> Comments on the security advantages of this? Or lack thereof? Ken> Presumably, an xkey connected to the secondary X server Ken> wouldn't be able to directly snoop the password you're typing Ken> into your local app window, e.g. I don't recall the product Ken> and whether or not is was a commercial offering. Anyone? This is Xnest, which comes (free) with the R6 distribution. 
-Rens From firewalls-owner Mon Feb 13 14:37:23 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA27673 for firewalls-outgoing; Mon, 13 Feb 1995 14:14:48 -0800 Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA27667 for ; Mon, 13 Feb 1995 14:14:45 -0800 From: H Morrow Long Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU via SMTP; Mon, 13 Feb 1995 17:12:50 -0500 Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-5.67b/res.client.cf-3.7) id AA01215; Mon, 13 Feb 1995 17:12:48 -0500 Date: Mon, 13 Feb 1995 17:12:48 -0500 Message-Id: <199502132212.AA01215@SPARKY.CF.CS.YALE.EDU> To: Stephen.L.Arnold@Arnold.Com, firewalls@greatcircle.com, avolio@tis.com, NSO@delphi.com Subject: Re: Anyone read these books? Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Md5: f7ByF8p03UotNSt5EYNomg== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Internet Firewalls and Network Security, 450 pp., softcover, New Riders > Publishing (I never heard of 'em either!), January 1995, publisher's > price $35.00. Corporate genealogy: New Riders is an imprint of Macmillan Computer Publishing USA, .... which is part of Macmillan Publishing USA, .... which is a division of Simon & Schuster, .... the publishing operation of Viacom, Inc. If you order this book via the Macmillan Computer Publishing Web site (http://www.mcp.com/) you can get a special price ($28). You can just use the Web to browse it and then call their SuperLibrary 800 number to get the 20% off price as well (you don't have to use the online form to order if you don't want, but if you do you don't need to worry about your credit card # going out over a TCP connection unencrypted -- you set up an account with them offline before ordering). 
They also have a special deal which packages the above book with another of their titles (Inside TCP/IP) for another discount (this pkg has a bogus ISBN # of 0.....0-6 for ordering purposes). Disclaimer: I have no connection with these folks except as a customer who should be receiving his copy in a day or two (I paid the seven-something for FeDeX over the five-something for UPS ground cuz I really want to see just how this book compares with Bellovin & Cheswick). - Morrow From firewalls-owner Mon Feb 13 14:53:08 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA25820 for firewalls-outgoing; Mon, 13 Feb 1995 13:17:14 -0800 Received: from wintermute.imsi.com (wintermute.imsi.com [192.103.3.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA25815 for ; Mon, 13 Feb 1995 13:17:11 -0800 Received: from relay.imsi.com by wintermute.imsi.com id QAA07487; Mon, 13 Feb 1995 16:15:06 -0500 Received: from lorax.imsi.com by relay.imsi.com id QAA02708; Mon, 13 Feb 1995 16:15:05 -0500 Received: from localhost by lorax.imsi.com (4.1/SMI-4.1) id AA22804; Mon, 13 Feb 95 16:15:04 EST Message-Id: <9502132115.AA22804@lorax.imsi.com> To: morrison@killerbee.jsc.nasa.gov (John A. Morrison) Cc: Ken Hardy , firewalls@greatcircle.com Subject: Re: X anyone ? "McMullen, Michael K." In-Reply-To: Your message of "Mon, 13 Feb 1995 12:24:58 -0400." <199502131825.MAA18146@killerbee.jsc.nasa.gov> Reply-To: rens@imsi.com Date: Mon, 13 Feb 1995 16:15:04 -0500 From: Rens Troost Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>>>> "John" == John A Morrison writes: John> If I remember right, xnest encapsulates all X-Window John> connections and passes over one TCP port (some port < 1024 I John> think). This may provide you with _some_ warm fuzzys, but John> whatever has to be done to your clients to encrypt the session John> and pass the Magic_Cookie securely, is beyond me... 
Xnest uses an X connection as the "display hardware" instead of a frame buffer. I guess the firewalls application would be to run an Xnest on your firewall displaying to an internal machine, and allow clients from the big bad world outside to connect to the Xnest server. This would protect against things like xkey event sniffing. -Rens From firewalls-owner Mon Feb 13 14:54:37 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA27992 for firewalls-outgoing; Mon, 13 Feb 1995 14:21:50 -0800 Received: from [198.102.244.39] (pm-ppp-2.greatcircle.com [198.102.244.40]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA27980; Mon, 13 Feb 1995 14:21:39 -0800 X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 13 Feb 1995 17:19:42 -0500 To: rens@imsi.com From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: CERN httpd vs http-gw Cc: David Miller , rens@imsi.com, Ken Hardy , tpaquett@aec.ca, firewalls@greatcircle.com, bdrennin@plaind.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 20:22 2/12/95, Rens Troost wrote: >>>>>> "Brent" == Brent Chapman writes: > > >>> At 17:23 2/1/95, Rens Troost wrote: Why? And are we talking > >>> about using it ONLY for proxying here, not for also serving > >>> external users (i.e., surfers from the Internet)? I'd be very > >>> nervous about having an HTTP server accessed by the outside > >>> world live anywhere EXCEPT on my bastion host. > >Sorry to interject a non-sequiter here, but I did not write >that. Please watch those attributions! > >-Rens Not sure how it got quoted that way, since I think I'm the one who wrote the piece in question. Sorry about that. 
-Brent -- == For info about the Internet Security Firewalls Tutorial and a schedule == == of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM == ============================================================================== == Brent Chapman Great Circle Associates == == Brent@GreatCircle.COM 1057 West Dana Street == == +1 415 962 0841 Mountain View, CA 94041 == From firewalls-owner Mon Feb 13 15:25:43 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA29633 for firewalls-outgoing; Mon, 13 Feb 1995 15:16:18 -0800 Received: from esri.com (REDLANDS.ESRI.COM [198.102.62.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA29628 for ; Mon, 13 Feb 1995 15:16:11 -0800 Received: from universe ([192.9.155.1]) by esri.com (4.1/SMI-4.1) id AA18766; Mon, 13 Feb 95 15:13:29 PST Received: from therock.universe by universe (4.1/SMI-4.1) id AA18059; Mon, 13 Feb 95 15:12:35 PST Comment: Environmental Systems Research Institute Received: by therock.universe (4.1/SMI-4.1) id AA17617; Mon, 13 Feb 95 15:13:25 PST Date: Mon, 13 Feb 95 15:13:25 PST From: svu@esri.com (Steven Vu [ESRI-Redlands]) Message-Id: <9502132313.AA17617@therock.universe> To: Firewalls@GreatCircle.COM Subject: httpd and firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, Is it possible for an httpd daemon to gather information from a client Mosaic browser through a firewall? If a client Mosaic session behind a firewall is browsing another site's homepage through the use of proxies, can the server download critical system information from the client workstation? e.g. /etc/passwd. 
Steven Vu Systems Administrator ESRI svu@esri.com From firewalls-owner Mon Feb 13 15:52:57 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA00496 for firewalls-outgoing; Mon, 13 Feb 1995 15:39:22 -0800 Received: from uu5.psi.com (uu5.psi.com [38.145.226.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA00490 for ; Mon, 13 Feb 1995 15:39:15 -0800 Received: by uu5.psi.com (5.65b/4.0.071791-PSI/PSINet) via UUCP; id AA10350 for ; Mon, 13 Feb 95 18:25:55 -0500 Date: Mon, 13 Feb 95 17:14:55 CST From: chris@applied.com (Chris Johnston) Received: by applied.com (4.1/3.2.083191-Applied Financial Management) id AA06572; Mon, 13 Feb 95 17:14:55 CST Message-Id: <9502132314.AA06572@applied.com> To: chris@applied.com, firewalls@greatcircle.com, mgodsey@medio.com Subject: re: SUMMARY: 'smart cards' Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From: kdante@nsf.gov > For CryptoCard, 708-471-0892 gets a Cellular 1 phone. The above didn't work for me either. 
cryptocard 708-776-1108 ansi-x9.9 challenge response (des, rsa, fortezza) best regards, chris From firewalls-owner Mon Feb 13 16:25:04 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA00770 for firewalls-outgoing; Mon, 13 Feb 1995 15:48:21 -0800 Received: from shadow.dbapic.com.au (shadow.dbapic.com.au [203.2.220.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA00764; Mon, 13 Feb 1995 15:48:12 -0800 Received: from eyrie.dbapic.com.au by shadow.dbapic.com.au (AIX 3.2/UCB 5.64/4.03) id AA14452; Tue, 14 Feb 1995 10:44:10 +1000 Date: Tue, 14 Feb 1995 10:44:10 +1000 Message-Id: <9502140044.AA14452@shadow.dbapic.com.au> X-Sender: bwa@mailhost X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: David Miller , Ken Hardy From: bwa@shadow.dbapic.com.au (Barry Anderson) Subject: Re: CERN httpd vs http-gw Cc: Brent Chapman , rens@imsi.com, tpaquett@aec.ca, firewalls@greatcircle.com, bdrennin@plaind.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 12:32 PM 13/02/95 -0500, David Miller wrote: >On Fri, 10 Feb 1995, Ken Hardy wrote: > >> On Fri, 10 Feb 1995, David Miller wrote: >> > >> > Why wouldn't you use simple software created for the task of access >> > control to secure access control, like tcp_wrappers or netacl? >> > >> >> It is possible but not recommended to run the CERN httpd from inetd >> because of the overhead to spawn it so often; it's more efficient to have >> it running in daemon mode and have it fork itself for new connections as >> it's already processed its config file, and the image is already in core. >> This is even more important now, IMHO, with the proliferation of Netscape, >> which asks for _lots_ of URLs at once. > > >Very good point. Twas an oversight on my part, honest:) > Why not run proxy http on one port and hand off to the "real" server on another (blocked) port? I mean, we all use filtering routers, n'est-ce pas? 
cheers, __________ \______ \_____ _______ _______ ___.__. | | _/\__ \ \_ __ \\_ __ < | | | | \ / __ \ | | \/ | | \/\___ | |______ /(____ /|__| |__| / ____| \/ \/ \/ Systems Programmer Technical Support Group Asia-Pacific Information Centre Dun & Bradstreet Information Services From firewalls-owner Mon Feb 13 16:26:40 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA01561 for firewalls-outgoing; Mon, 13 Feb 1995 16:14:24 -0800 Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA01556 for ; Mon, 13 Feb 1995 16:14:22 -0800 Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.28.1 #5) id m0reAsO-0000YbC; Mon, 13 Feb 95 16:12 PST Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA02128; Mon, 13 Feb 1995 16:12:40 +0800 Date: Mon, 13 Feb 1995 16:12:40 +0800 From: patrick@oes.amdahl.com (Patrick Horgan) Message-Id: <9502140012.AA02128@brittany.oes.amdahl.com> To: firewalls@greatcircle.com, horn@mickey.jsc.nasa.gov Subject: Re: Archie? X-Sun-Charset: US-ASCII content-length: 1380 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > A preferable situation would be to run an application on the bastion that > speaks the archie protocol. This could then act as the archie server for the > internal net and speak to the archie servers on the outside. Has anyone seen > (or written and are willing to share) an application gateway for Archie? > > -- > Mark Horn (sparkie) > horn@mickey.jsc.nasa.gov > udprelay handles this sort of, and comes with a file called ARCHIE-NOTES. To get the best use out of it you have to rebuild the archie clients. I've heard that the new socks will proxy udp as well. Patrick It's available as (among others,) - ftp://quclab.scn.rain.com/pub/src/security/udprelay-0.2.tar.gz Patrick These opinions are mine, and not Amdahl's (except by coincidence;). 
~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~ / | | (\ \ | Patrick J. Horgan | Amdahl Corporation | \\ Have | | patrick@oes.amdahl.com | 1250 East Arques Avenue | \\ _ Sword | | Phone : (408)992-2779 | P.O. Box 3470 M/S 316 | \\/ Will | | FAX : (408)773-0833 | Sunnyvale, CA 94088-3470 | _/\\ Travel | \ | O16-2294 | \) / ~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~ From firewalls-owner Mon Feb 13 17:22:19 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA02723 for firewalls-outgoing; Mon, 13 Feb 1995 17:07:24 -0800 Received: from nic.cerf.net (root@nic.cerf.net [192.102.249.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id RAA02718 for ; Mon, 13 Feb 1995 17:07:22 -0800 Received: from isis (ISIS.ISISPH.COM [192.65.129.1]) by nic.cerf.net (8.6.9/8.6.9) with SMTP id RAA29275 for ; Mon, 13 Feb 1995 17:05:30 -0800 Received: from [192.65.129.90] (MacHeer) by isis (4.1/SMI-4.0) id AA10215; Mon, 13 Feb 95 16:56:17 PST Date: Mon, 13 Feb 95 16:56:16 PST X-Sender: chris@isis.isisph.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: cheer@isisph.com (Christopher D. Heer) Subject: Re: UDP port significance Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Hello, lately I have noticed connection attempts to the following UDP ports > >33439, 33440, 33501-03, 33459-61, 33465-67, 33474-76, 36870, 36895, 49546-48 > >anything significant about these ports? Only thing I can think of is someone strobing for an FSP port. . . -- Christopher D. Heer | "The fact that he's proliferate on Usenet, home of cheer@isisph.com | the adult concentration camp for people who want to My opinions are mine! | say, "I know you are, but what am I?" is, I'm sure, Network Admin | not a coincidence." 
-- David Navas From firewalls-owner Mon Feb 13 17:47:00 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA02545 for firewalls-outgoing; Mon, 13 Feb 1995 16:58:47 -0800 Received: from uhost.ampex.com (uhost.ampex.com [192.216.9.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA02535 for ; Mon, 13 Feb 1995 16:58:44 -0800 Received: from ampex.com (amppo.ampex.com) by uhost.ampex.com (4.1/SMI-4.1) id AA06697; Mon, 13 Feb 95 16:58:05 PST Received: from probe. by ampex.com (4.1/SMI-4.1) id AA14688; Mon, 13 Feb 95 16:57:03 PST Received: by probe. (5.x/SMI-SVR4) id AA06443; Mon, 13 Feb 1995 16:57:20 -0800 Date: Mon, 13 Feb 1995 16:57:20 -0800 From: burkema@ampex.com (Martin J. Burke) Message-Id: <9502140057.AA06443@probe.> To: Firewalls@GreatCircle.COM Subject: Firewalls and anonymous ftp access X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I recently attended Brent Chapman's Firewalls tutorial and found it very enlightening. He sort of touched the subject of Anonymous ftp service. The most important thing I got from his seminar is to have no user accounts on the bastion host. How can I give specific inside users access to place files up on the ftp server without giving them an account? How does the rest of the world out there run their anonymous ftp site? What are the policies of anonymous ftp providers normally? What should I worry about in terms of security? Any help would be appreciated (as long as someone can tell me where to go look if this is not the right place. 
) Thanks Martin Burke burkema@ampex.com From firewalls-owner Mon Feb 13 17:52:18 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA03170 for firewalls-outgoing; Mon, 13 Feb 1995 17:45:04 -0800 Received: from lykos.netpart.com (lykos.netpart.com [199.35.49.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id RAA03162 for ; Mon, 13 Feb 1995 17:45:01 -0800 Received: from localhost (phil@localhost) by lykos.netpart.com (8.6.5/8.6.5) id RAA15589; Mon, 13 Feb 1995 17:43:03 -0800 Date: Mon, 13 Feb 1995 17:43:03 -0800 From: Phil Trubey Message-Id: <199502140143.RAA15589@lykos.netpart.com> To: firewalls@greatcircle.com Subject: Re: America Online VIA TCP/IP In-Reply-To: Organization: NetPartners, Newport Beach, CA Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In article you write: >Hi everyone, >I am soon going to have to let some people on the inside on my network get >out to America Online via TCP/IP. I was wondering if anyone has set up a >proxy for this or if anyone has crossed this bridge at their site yet. The commercial JANUS Firewall Server has a built in outbound AOL proxy - fully integrated into the admin UI. For more info about JANUS send email to janus@netpart.com -- Phil Trubey | NetPartners | Providing Internet products and services. E-mail: phil@netpart.com | Home Page: http://www.netpart.com/ Phone: 714-759-1641 | From firewalls-owner Mon Feb 13 18:52:20 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA04500 for firewalls-outgoing; Mon, 13 Feb 1995 18:51:32 -0800 Received: from kryten.atinc.com (kryten.atinc.com [198.138.38.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA04495 for ; Mon, 13 Feb 1995 18:51:26 -0800 Received: (jmb@localhost) by kryten.atinc.com (8.6.9/8.3) id VAA12787; Mon, 13 Feb 1995 21:47:53 -0500 Date: Mon, 13 Feb 1995 21:47:52 -0500 (EST) From: "Jonathan M. 
Bresler" Subject: Re: Firewalls-Digest V4 #103 To: Firewalls@GreatCircle.COM In-Reply-To: <199502130900.BAA13009@miles.greatcircle.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 13 Feb 1995 mcr@milkyway.com wrote: > Why chroot is not for mortal users: > I can fool a whole bunch of programs into using my /etc/passwd > rather than the system one, and if I do > % cd /bin > % chroot /my/new/root > % su > > I can get root. But we aren't talking about letting chroot be a > general tool, just letting some programs use based on gid rather uid. chroot(2) is limited to superuser. any other user's invokation fails with EPERM. chroot(8) calls chroot(".") to test the user's privilege level immediately after checking that argc > 1. the above "attack" requires superuser privilege to succeed. this is based upon 4.3BSD and 4.3BSD code as reflected in FreeBSD 1.1.5.1. chroot(8) in FreeBSD 2.0 has been rewritten to use getopt(2) before chroot(2)--no effective change here. SunOS 4.1.3 seems impervious as well. ??? Jonathan M. Bresler jmb@kryten.atinc.com | Analysis & Technology, Inc. | 2341 Jeff Davis Hwy play go. | Arlington, VA 22202 ride bike. 
hack FreeBSD.--ah the good life | 703-418-2800 x346 From firewalls-owner Mon Feb 13 19:24:43 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA05020 for firewalls-outgoing; Mon, 13 Feb 1995 19:14:02 -0800 Received: from Badger.Arnold.Com (Badger.Arnold.Com [192.135.80.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id TAA05009 for ; Mon, 13 Feb 1995 19:13:57 -0800 From: Stephen.L.Arnold@Arnold.Com Received: from Badger.Arnold.Com by Badger.Arnold.Com (PMDF V5.0-0 #7935) id <01HN0JEYOJJ48WVZU1@Badger.Arnold.Com>; Mon, 13 Feb 1995 21:10:50 -0600 (CST) Date: Mon, 13 Feb 1995 21:09:31 -0600 (CST) Subject: re: SUMMARY: 'smart cards' In-reply-to: "Your message dated Mon, 13 Feb 1995 17:14:55 -0600 (CST)" <9502132314.AA06572@applied.com> To: chris@applied.com Cc: Firewalls@GreatCircle.Com, mgodsey@medio.com, Stephen.L.Arnold@Arnold.Com Message-id: 01HN0JNUYOEW8WVZU1@Badger.Arnold.Com Organization: Arnold Consulting, Inc. MIME-version: 1.0 Content-type: TEXT/PLAIN; CHARSET=US-ASCII Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > From: kdante@nsf.gov > > For CryptoCard, 708-471-0892 gets a Cellular 1 phone. > > The above didn't work for me either. > > cryptocard 708-776-1108 ansi-x9.9 challenge response (des, rsa, fortezza) > > best regards, > chris CRYPTOCards are available from me. Contact information follows. Regards, "Steve" Stephen L. Arnold, Ph.D., President, Arnold Consulting, Inc. Address 2530 Targhee Street, Madison, Wisconsin 53711-5491 U.S.A. 
Telephone +1 608 278 7700   Facsimile +1 608 278 7701
Internet Stephen.L.Arnold@Arnold.Com   Pager (800) 351 8927

From firewalls-owner Mon Feb 13 21:52:42 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA06966 for firewalls-outgoing; Mon, 13 Feb 1995 21:34:21 -0800
Received: from Badger.Arnold.Com (Badger.Arnold.Com [192.135.80.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id VAA06961 for ; Mon, 13 Feb 1995 21:34:17 -0800
From: Stephen.L.Arnold@Arnold.Com
Received: from Badger.Arnold.Com by Badger.Arnold.Com (PMDF V5.0-0 #7935) id <01HN0NS8RB1C8WW5XZ@Badger.Arnold.Com>; Mon, 13 Feb 1995 23:32:06 -0600 (CST)
Date: Mon, 13 Feb 1995 23:23:28 -0600 (CST)
Subject: A fine 2.5 page description of "firewalls"
To: Firewalls@GreatCircle.Com
Cc: Kimberly.L.Arnold@Arnold.Com, Stephen.L.Arnold@Arnold.Com
Message-id: 01HN0OLZWWJC8WW5XZ@Badger.Arnold.Com
Organization: Arnold Consulting, Inc.
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've not seen it mentioned here...perhaps others would be interested.

In the Feb 3 issue of _Science_ (Vol. 267, pp. 608-610), Ellen Germain ("a science writer in New York City"), does a nice job of describing firewalls, their uses and types, and some user experiences in "Guarding Against Internet Intruders". It's a real breath of fresh air in contrast to what I've been reading in the popular, business, and trade press about "hackers" and the "information superhighway". It does a credible job explaining packet filters, application relays, and the tradeoff between transparency and security. You might find it useful in educating end users or management about what we do and what we're up against.

Thanks to my daughter Kim for pointing out this article to me! (I would never have time to read _Science_.)

Regards, "Steve"

Stephen L. Arnold, Ph.D., President, Arnold Consulting, Inc.
Address 2530 Targhee Street, Madison, Wisconsin 53711-5491 U.S.A.
Telephone +1 608 278 7700   Facsimile +1 608 278 7701
Internet Stephen.L.Arnold@Arnold.Com   Pager (800) 351 8927

From firewalls-owner Mon Feb 13 22:25:03 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA07449 for firewalls-outgoing; Mon, 13 Feb 1995 21:59:16 -0800
Received: from gateway.sequent.com (gateway.sequent.com [138.95.18.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA28460 for ; Mon, 13 Feb 1995 14:41:34 -0800
Received: from [138.95.14.34] by gateway.sequent.com (5.61/1.34) id AA18684; Mon, 13 Feb 95 14:38:09 -0800
Received: from ushqgw0a.sequent.com by relay1.sequent.com (5.65/crg/11) id AA24569; Mon, 13 Feb 95 14:38:57 -0800
Received: by ushqgw.sequent.com with Microsoft Mail id <2F3FE0F5@ushqgw.sequent.com>; Mon, 13 Feb 95 14:45:09 PST
From: "Ned Smith (nedbob)"
To: "'Firewalls Alias(firewalls@greatcircle.com)'"
Subject: BSDI info
Date: Mon, 13 Feb 95 14:37:00 PST
Message-Id: <2F3FE0F5@ushqgw.sequent.com>
Encoding: 14 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've noticed several firewalls products being offered on the "BSDI" operating system platform. Could someone help me understand what BSDI is?

- Is it public domain/commercial product
- How is it supported? (e.g. news groups, hotline, ...)
- Who controls the src code, development and makes feature enhancement decisions?
- Is it different from FreeBSD?
- Any other interesting tid-bits of info?
Best Regards,
Ned Smith
nedbob@sequent.com

From firewalls-owner Mon Feb 13 23:34:02 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA09257 for firewalls-outgoing; Mon, 13 Feb 1995 23:08:15 -0800
Received: from ki1.chemie.fu-berlin.de (ki1.chemie.fu-berlin.de [130.133.2.21]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id XAA09252 for ; Mon, 13 Feb 1995 23:08:11 -0800
Received: by ki1.chemie.fu-berlin.de (Smail3.1.28.1) from odb.rhein-main.de (193.141.47.4) with smtp id ; Tue, 14 Feb 95 08:05 MET
Received: from [193.141.47.129] by odb.rhein-main.de with smtp (Smail3.1.28.1 #5) id m0reHKO-0003gYC; Tue, 14 Feb 95 08:05 MET
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 14 Feb 1995 08:06:35 +0100
To: "Bill VanRemmen U. of Rochester (716)275-4825"
From: maass@odb.rhein-main.de (Joerg Maass)
Subject: Re: SEAL
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi Bill,

>I asked this question a while ago about FW-1 and got a negative response, so
>I'll try it with SEAL...
>
>Does SEAL handle DECnet, TCP/IP, Appletalk and IPX? Some of them? Can it be
>MADE to deal with them?
>

SEAL (now named Digital Firewall Services) is a consulting/software solution for TCP/IP networks. It can interoperate with other network architectures (like DECnet) on an application level, e.g. mail. But the firewall part of it is pure TCP/IP, as with all true firewalls on the market right now (I do not talk about pure packet filters).

There's an additional VMS based solution from Digital, named SecurityGate. It is primarily DECnet based, but TCP/IP may have been added by now. Mail Dave Church for details. Or try me if that mail bounces :-).

Could you tell us what you want to do with the firewall? Why do you need DECnet, Appletalk and IPX?
Kind regards Joerg Maass -- Am Tiergarten 22 Tel.: +49/69/4990880 D-60316 Frankfurt Fax : +49/6103/383-157 Germany privat: maass@thinkfish.rhein-main.de biz.: Joerg.Maass@frs.mts.dec.com PGP signature available upon request. From firewalls-owner Tue Feb 14 00:22:39 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA10230 for firewalls-outgoing; Tue, 14 Feb 1995 00:19:49 -0800 Received: from nova.unix.portal.com (root@nova.unix.portal.com [156.151.1.101]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id AAA10225 for ; Tue, 14 Feb 1995 00:19:46 -0800 Received: from jobe.shell.portal.com (bwalker@jobe.shell.portal.com [156.151.3.4]) by nova.unix.portal.com (8.6.9/8.6.5) with ESMTP id AAA21404 for ; Tue, 14 Feb 1995 00:17:27 -0800 Received: (bwalker@localhost) by jobe.shell.portal.com (8.6.9/8.6.5) id AAA27045 for firewalls@greatcircle.com; Tue, 14 Feb 1995 00:17:25 -0800 From: Brad - Walker Message-Id: <199502140817.AAA27045@jobe.shell.portal.com> Subject: questions about security & WWW browsers To: firewalls@greatcircle.com Date: Tue, 14 Feb 1995 00:17:24 -0800 (PST) X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 365 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk My questions concern HTML and Web browsers. Is it possible for a WWW server to issue HTML commands to the browsers to do things like delete a file, spawn a process or some other anti-social behavior (much like `deletefile' in Display PostScript). I'm in a discussion about firewalls and their limitations when it comes to application filtering. Thanks. -brad w. 
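Brad's question gets its answer further down this digest, from Jean-Christophe Touvet: HTML itself carries no file-deleting command, but the external viewers a browser launches through mailcap do whatever the entry says, and an entry such as "application/x-sh; sh %s" hands the downloaded body straight to a shell. As an added example (not code from any poster on this list), here is an auditor that parses a mailcap file and flags entries that execute the body. The sample ~/.mailcap is constructed for the example, and the interpreter lists are its own assumption rather than any standard.

```python
import os
import re
import shlex

# Programs that execute their input file as code.  An entry that hands %s to
# one of these lets any server that can choose the MIME type run code on the
# client.  Both lists are assumptions of this example, not a standard.
SCRIPT_INTERPRETERS = {"sh", "bash", "csh", "ksh", "zsh", "perl",
                       "python", "python3", "tclsh", "wish", "awk"}
# PostScript is a programming language too; -dSAFER is the usual mitigation.
PS_INTERPRETERS = {"gs", "ghostscript", "ghostview", "gv"}

_FIELD_SEP = re.compile(r"(?<!\\);")   # a ';' not preceded by a backslash


def parse_mailcap(text):
    """Return [(content_type, command, flags)] for each mailcap entry.

    Handles backslash continuation lines, '#' comments and '\\;' escapes
    inside the command field; flag fields become {name: value_or_True}.
    """
    entries, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw
        if line.rstrip().endswith("\\"):
            pending = line.rstrip()[:-1]
            continue
        pending = ""
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip().replace("\\;", ";") for f in _FIELD_SEP.split(line)]
        if len(fields) < 2:
            continue
        flags = {}
        for field in fields[2:]:
            name, _, value = field.partition("=")
            flags[name.strip().lower()] = value.strip() or True
        entries.append((fields[0].lower(), fields[1], flags))
    return entries


def _tokens(command):
    """Split the viewer command into program names, looking inside quoted
    sub-commands such as xterm -e "sh %s" so a nested interpreter is seen."""
    try:
        words = shlex.split(command)
    except ValueError:
        words = command.split()
    flat = [piece for word in words for piece in word.split()]
    return [os.path.basename(piece) for piece in flat]


def audit_mailcap(text):
    """Return [(content_type, command, severity, reason)] for risky entries."""
    findings = []
    for ctype, command, _flags in parse_mailcap(text):
        toks = _tokens(command)
        for i, tok in enumerate(toks):
            if tok in SCRIPT_INTERPRETERS and i + 1 < len(toks) and toks[i + 1] == "%s":
                findings.append((ctype, command, "critical",
                                 f"{tok} executes the downloaded body as a script"))
                break
            if tok in SCRIPT_INTERPRETERS:
                findings.append((ctype, command, "warning",
                                 f"{tok} wraps the viewer, so %s is interpolated into a shell command"))
                break
            if tok in PS_INTERPRETERS and "-dSAFER" not in toks:
                findings.append((ctype, command, "warning",
                                 f"{tok} interprets PostScript without -dSAFER"))
                break
    return findings


# Constructed sample ~/.mailcap; the last three entries are the risky kind.
SAMPLE_MAILCAP = """\
# viewers for a 1995-style browser (constructed sample)
image/gif; xv %s
text/plain; more %s; needsterminal
application/postscript; ghostview %s
application/x-sh; sh %s
audio/basic; xterm -e "sh -c 'play %s'"; \\
    description="shell-wrapped player"
"""

if __name__ == "__main__":
    for ctype, command, severity, reason in audit_mailcap(SAMPLE_MAILCAP):
        print(f"{severity:8} {ctype:24} {command!r}: {reason}")
```

The fix for a flagged entry is to map the type to something that displays the body instead of running it (a pager, with needsterminal), to add -dSAFER for PostScript, or simply to delete the entry so the browser offers to save the file. Entries in a system-wide mailcap deserve the same pass; the user's ~/.mailcap is only the copy the user controls.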
From firewalls-owner Tue Feb 14 01:55:33 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA12262 for firewalls-outgoing; Tue, 14 Feb 1995 01:48:41 -0800 Received: from mailgate.ericsson.se (mailgate.ericsson.se [130.100.2.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id BAA12257 for ; Tue, 14 Feb 1995 01:48:33 -0800 Received: from ere.ericsson.se (ere.ericsson.se [136.225.97.10]) by mailgate.ericsson.se (8.6.9/1.0) with SMTP id KAA14053; Tue, 14 Feb 1995 10:45:41 +0100 Received: from tempest.nis.gsunix by ere.ericsson.se (4.1/SMI-4.1-LME1.6) id AA21991; Tue, 14 Feb 95 10:47:23 +0100 Date: Tue, 14 Feb 95 10:47:23 +0100 From: eremf@ere.ericsson.se (Martin Fredriksson) Message-Id: <9502140947.AA21991@ere.ericsson.se> To: billy@urhep.pas.rochester.edu Subject: Re: SEAL Cc: Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Regarding DECnet, you might want to check out the product "Phase/IP" from TGV. It "provides DECnet to TCP/IP integration without tunneling". Haven't checked it out myself yet, but it may be interesting to not having to run DECnet through the FW at all (depends on what DECnet- machines you need to talk to of course...). DEC has a security product for DECnet. Don't know the name of it, but I'm sure the DEC folks will be happy to tell you. BTW, do you really need Appletalk and IPX through the FW? I would consider switching to IP(!?). 
Good Luck,
// Martin F, Ericsson Microwave Systems AB, Molndal, Sweden

From firewalls-owner Tue Feb 14 02:23:03 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id CAA12842 for firewalls-outgoing; Tue, 14 Feb 1995 02:12:44 -0800
Received: from concorde.inria.fr (concorde.inria.fr [192.93.2.39]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id CAA12788 for ; Tue, 14 Feb 1995 02:09:58 -0800
Received: from champagne.inria.fr (champagne.inria.fr [128.93.2.15]) by concorde.inria.fr (8.6.9/8.6.9) with ESMTP id LAA11730; Tue, 14 Feb 1995 11:07:17 +0100
Received: from localhost (touvet@localhost) by champagne.inria.fr (8.6.8/8.6.6) with SMTP id LAA18286; Tue, 14 Feb 1995 11:07:10 +0100
Message-Id: <199502141007.LAA18286@champagne.inria.fr>
From: Jean-Christophe Touvet
To: Brad - Walker
Cc: firewalls@greatcircle.com
Subject: Re: questions about security & WWW browsers
In-reply-to: <199502140817.AAA27045@jobe.shell.portal.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 14 Feb 1995 11:07:08 +0100
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm quite new to this list, but quite old to the Web, thus I'll take this one ;-)

> Date: Tue, 14 Feb 1995 00:17:24 -0800
> From: Brad - Walker
> To: firewalls@GreatCircle.COM
>
> My questions concern HTML and Web browsers. Is it possible for a WWW
> server to issue HTML commands to the browsers to do things like
> delete a file, spawn a process or some other anti-social behavior (much
> like `deletefile' in Display PostScript).

Today, HTML doesn't allow such things. Some discussions are occurring in WWW lists about "client side processing" and such funny things, and we can guess that first implementations will almost certainly create new security holes ;-)

However, HTTP permits today exchange of any MIME data type, and browsers use external viewers to process them. Typical command spawned is:

    "/bin/sh -c viewer /tmp/fileAA001234 ; /bin/rm -f /tmp/fileAA001234"

Virtually everything can be run that way. External viewers are configured with mailcap files. If a user puts in $HOME/.mailcap:

    application/x-sh; sh %s

your system is wide open. An HTTP server can be configured to send shell scripts hidden behind .gif embedded images etc...

Mosaic 2.5 also has CCI (common client interface), whose purpose is to control browser behavior remotely, through a TCP port opened on the client side. It seems quite secure, but who knows ?

Finally, here is a funny URL which fills /tmp or /var/tmp very fast if a user clicks on it: http://localhost:19/

Hope this helps,

-JCT-

From firewalls-owner Tue Feb 14 03:52:15 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id DAA13983 for firewalls-outgoing; Tue, 14 Feb 1995 03:45:10 -0800
Received: from haegar.k.mup.de (haegar.k.MuP.de [193.26.249.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id DAA13978 for ; Tue, 14 Feb 1995 03:45:05 -0800
Received: from slip.k.MuP.DE by haegar.k.mup.de (AIX 3.2/UCB 5.64/4.03) id AA11351; Tue, 14 Feb 1995 12:42:46 +0100
Message-Id: <9502141142.AA11351@haegar.k.mup.de>
From: "Henning Stams"
Organization: Mummert+Partner Unternehmensberatung GmbH
To: Firewalls@GreatCircle.COM
Date: Tue, 14 Feb 1995 12:46:58 WET
Subject: Wellfleet router and packet filters?
Priority: normal
X-Mailer: Pegasus Mail/Windows (v2.0b2)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

soon I will have to deal with some Wellfleet routers in a firewall environment. All I want from those routers are the following capabilities:

* reject source routed packets
* ignore any ICMP messages
* don't advertise ARP entries
* don't advertise any routes (BGP, RIP...)
* purely static routes
* No SNMP-daemon like stuff
* packet filters selective PER INTERFACE which will at least give me the possibility to only allow addresses that belong to that interface to pass in/out

Especially the last topic is important to me. The routers will have the newest software release in them (which is, I believe, 7.80). Has anybody had experience with those routers?

Thanks,
Henning
----------------------------------------------------------------------
Henning Stams               Mummert + Partner Unternehmensberatung GmbH
Internet: hstams@k.mup.de   Phone: +49 (221) 92404-131 (-0 from the U.S.)
                            FAX:   +49 (221) 92404-199 (-33 from the U.S.)
----------------------------------------------------------------------

From firewalls-owner Tue Feb 14 05:22:17 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA14973 for firewalls-outgoing; Tue, 14 Feb 1995 05:19:18 -0800
Received: from inet-gw-1.pa.dec.com (inet-gw-1.pa.dec.com [16.1.0.22]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA14966 for ; Tue, 14 Feb 1995 05:19:13 -0800
Received: from mts-gw.pa.dec.com by inet-gw-1.pa.dec.com (5.65/10Aug94) id AA13274; Tue, 14 Feb 95 05:13:10 -0800
Received: by mts-gw.pa.dec.com (5.65/09May94) id AA02203; Tue, 14 Feb 95 05:13:08 -0800
Received: from umc by mts-gw.pa.dec.com via MR/WRLMTS with conversational-MRIF; Tue, 14 Feb 95 05:13:07 -0800
Posted: Tue, 14 Feb 95 13:05:01 -0800
Date: Tue, 14 Feb 95 07:59:01 -0800
From: "MARC CHATEL @AEO"
Message-Id: <15703141205991/8289987@VALMTS>
To: firewalls-digest@greatcircle.com
Subject: Proxy gateways for illegal network hiding
Msg-Class: ALL-IN-1 IOS Server for VMS V3.0 PBL123A (US) ENGLISH 21-MAR-1992
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[This message is converted from WPS-PLUS to ASCII]

ABOUT ILLEGAL ADDRESSING

Just to make things clear for the readers who have had trouble following the "illegal address" thread...

Assume you have two "planets" (Mars and Venus) that need to communicate. They bought IPv4 technology (used and cheap) from the Earth several years ago (Earth is running IPv13 at this time). I know, this is borderline to plagiarism of an RFC...

They set up a bidirectional communication link between Mars and Venus (probably can't be done with Ethernet :-)). There are zillions of IP network numbers that have been used up on BOTH planets. Furthermore, they need a firewall in between (the Martians don't trust the Venusians; the Venusians are too busy with "other pursuits" to care).

How can the firewall on Mars be set up? Here is one alternative (I have COMPLETELY ignored packet-filtering issues for this example):

   Mars IP      ---------------
   Network -----| Application |
                | Gateway "A" |
                ---------------
                       |
                       |  Small Ethernet segment (one class C network)
                       |
                ---------------        ----------
                | Application |   N1   | Router |
                | Gateway "B" |--------|   1    |
                ---------------        ----------
                                           |
                                           |  Mars-Venus comm. link (N2)
                                           |
                                       ----------
                                       | Router |
                                       |   2    |
                                       ----------
                                           |
                                      Venus IP Network

Assuming you have IP application gateway software for all the applications you need to run across the firewall, this will work EVEN if you need to interconnect a Mars computer and a Venus computer that have the exact same IP address...

The minimum requirements for this to work are:

a) The Ethernet segment between the two application gateways must have an IP network number that is unique to BOTH planets.

b) Network numbers N1 and N2 should be taken from Venus' addressing space.

The application gateways can be based on any operating system that runs a reasonably standard TCP/IP stack (of course, I suggest Alpha AXPs running at 125Mhz or more, you will have trouble killing those with the load, and OSF is a good platform in my opinion :-)). IP packet forwarding is turned off (reliably...) in both application gateways, and both gateways use static routing.

Application gateway A has a default route to the Mars network, and the normal class C route that allows it to reach Application gateway B. Application gateway B has a default route to Router 1 and the normal class C route that allows it to reach Application gateway A.

Services that run normally on a single TCP connection (TELNET, HTTP, SMTP, etc.) can indeed be configured by running two proxies (either two standard ones, or one "big" proxy and one "small" proxy) back to back. Services that require multiple TCP connections (e.g. FTP) require two "big" proxies back to back (both proxies must be able to open TCP connections on demand as the FTP protocol requires). UDP (or mostly-UDP) services (DNS, NTP, etc.) have to be treated individually depending on the exact goal that must be achieved.

The whole trick relies on the fact that application proxies introduce IP addressing "boundaries". If you do not EVER need to interconnect equipment with colliding network numbers, you only need one proxy. If you MAY need to interconnect equipment with colliding network numbers, you will not be able to do it on ONE proxy system running a "classical" TCP/IP stack. That's why you need TWO systems.

I fully agree with the approach "it is better to get registered network numbers and fix your network". However, it is a fact of business that you can tell your customers what they "should do" only to a certain extent. If you want their business, you may have to consider what they need badly now instead...

On the other hand, I feel very unsure of myself telling a customer "you must clean up NOW, then you won't have problems again" only to tell the customer, in maybe less than a year's time, "OK, now, to handle some IPv6, we will need to change this, this, and this". I prefer to tell customers that they are better off starting to look at V6 issues now (at least get some RFCs and drafts), to plan what they will have to do when they'll need some V6 here and there, and when it starts to spread on the backbone and when they need V6 to the Internet...

I am not proud enough to claim that ANY firewall installation is "routine". Last time (believe it or not), I got in trouble because of a new SCSI card that I was CONVINCED had auto-termination support, so I plugged the external disks straight into it. Nope. Had to open the manual, and open the machine back to remove terminators. :-( But dual-proxy firewalls work and are only slightly harder to install (i.e. take more installation time) than a "classical" (what's that?) firewall.

--==--==--==--==--

People worry about performance a lot these days, so here are a few things to discuss (just theories of mine based on rough observations on real installations, I have not measured this properly in a lab so I may be completely off-base):

- creating a two-proxy chain adds a bit to "connection setup time" (especially if your two proxies do full reverse DNS lookup checks, which does not sound justified for the "inside-firewall" connection setup). On the other hand, over the Internet, the average connection setup time will make the "added" bit proportionally small. Furthermore, users tend to tolerate connection setup delays, if kept within limits.

- adding a second proxy introduces extra data "transit delay". This is probably only user-visible on terminal-type (telnet, rlogin if you absolutely have to support it) connections, when you watch "character echo" delay. This type of traffic is usually not the main type of traffic on a firewall. Again, the average Internet transit delay will make the "added" transit delay look small. Nobody cares about extra transit delay for mail (except maybe Marcus with his IP-over-mail implementation :-)).

- maximum amount of steady-state throughput that the firewall can handle should not be reduced significantly by the addition of a second proxy. I suspect that two correct TCP implementations (one on each side of a firewall) just view the whole connection as a transport and will attempt to fill that transport up. Say you run an FTP session through a double-proxy firewall. FTP connection setup time may be slightly longer, getting replies from FTP commands may be slightly longer. But I do not see why the time required to transfer a large file would be affected by the addition of a second proxy...

Any comments on this? Has anybody taken the time to measure this in a controlled environment?

--==--==--==--==--==

To summarize:

1. Illegal address setups CAN be connected to the Internet using double-proxy techniques. Most of the "basic" Internet functionalities organizations need CAN be put in place without problems. Performance impact is small enough to be ignored in many configurations.

2. If you want, you can build such a firewall yourself, using software available on the Internet, UNIX-like platforms, and maybe some "glue code" here and there...

3. Of course, Digital Firewall Service consultants (like me) will be pleased to evaluate your security needs and, if desired, set up a firewall that implements the security policy you require. We do double-proxy setups when needed.

4. Some commercial products mentioned on the list also offer IP-address-translation capabilities. You can also check those offerings.
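The property Marc's layout depends on, that each application gateway opens a fresh TCP connection of its own so no address from one side ever has to be routable on the other, can be seen in a few dozen lines. Added example, not from Marc's post or from Digital's Firewall Service: two one-hop TCP relays chained on the loopback interface stand in for gateways A and B, and an echo server stands in for the Venus-side service. The class names, the ephemeral 127.0.0.1 ports and the payload are all constructed for the example.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then pass the EOF on as a half-close."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class TcpRelay:
    """One application-level hop.  Per accepted client it opens a *new* TCP
    connection to `target`, so the client's address never appears on the far
    side: that is the addressing boundary the post relies on."""

    def __init__(self, target):
        self.target = target
        self.outbound = []                       # (ip, port) used toward target
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", 0))         # ephemeral port, demo only
        self._srv.listen(5)
        self.addr = self._srv.getsockname()
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            client, _ = self._srv.accept()
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def _handle(self, client):
        upstream = socket.create_connection(self.target)
        self.outbound.append(upstream.getsockname())
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()
        _pump(client, upstream)
        back.join()
        client.close()
        upstream.close()


class EchoServer:
    """Stands in for the Venus-side service; records the peer address it sees."""

    def __init__(self):
        self.peers = []
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", 0))
        self._srv.listen(5)
        self.addr = self._srv.getsockname()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, peer = self._srv.accept()
            self.peers.append(peer)
            threading.Thread(target=self._echo, args=(conn,), daemon=True).start()

    @staticmethod
    def _echo(conn):
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)


def run_chain(payload=b"RETR plans.txt\r\n"):
    """Client -> gateway A -> gateway B -> service.  Returns what each party
    observed so the boundary can be checked."""
    service = EchoServer()
    gateway_b = TcpRelay(service.addr)      # Venus side: knows the real service
    gateway_a = TcpRelay(gateway_b.addr)    # Mars side: knows only B's link address
    with socket.create_connection(gateway_a.addr) as client:
        client_addr = client.getsockname()
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            reply += chunk
    return {"reply": reply, "client_addr": client_addr,
            "client_talked_to": gateway_a.addr,
            "service_saw": service.peers[-1],
            "gateway_b_used": gateway_b.outbound[-1]}


if __name__ == "__main__":
    for key, value in run_chain().items():
        print(f"{key:18} {value!r}")
```

The relay forwards to one fixed target; a real gateway pair picks the far-side host from the application protocol (the user@host form of FTP, the Host in HTTP), which is exactly why the far side's addresses can overlap the near side's without anything breaking. The "big" proxies Marc mentions for FTP are the ones that also open the data connections on demand; this relay only carries a single control stream.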
Regards, Marc Chatel Digital Equipment Annecy, France E-mail: try Marc.Chatel@aeo.mts.dec.com or chatel_m@annecy.enet.dec.com or mchatel@pax.eunet.ch FAX: (33) 50.64.01.39 From firewalls-owner Tue Feb 14 06:22:21 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA15589 for firewalls-outgoing; Tue, 14 Feb 1995 06:14:31 -0800 Received: from relay.Ieunet.ie (relay.Ieunet.ie [192.111.39.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA15584 for ; Tue, 14 Feb 1995 06:14:23 -0800 Received: from erc by relay.Ieunet.ie via Ieunet with UUCP id aa17978; 14 Feb 95 14:09 +0000 Received: by erc.erc.ie (UUPC/extended 1.11z); Tue, 14 Feb 1995 10:22:23 EST From: BERNI@erc.ie Message-ID: <2f40caaf.erc@erc.erc.ie> To: firewalls@greatcircle.com Date: 14 Feb 95 10:22:22 Subject: apple macs Priority: normal X-pmrqc: 1 X-mailer: Pegasus Mail v2.3 (R5). Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Thanks to all who recommended security software for apple macs. Regards, Berni. From firewalls-owner Tue Feb 14 06:40:08 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA15681 for firewalls-outgoing; Tue, 14 Feb 1995 06:19:10 -0800 Received: from uu5.psi.com (uu5.psi.com [38.145.226.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA15673 for ; Tue, 14 Feb 1995 06:19:03 -0800 Received: by uu5.psi.com (5.65b/4.0.071791-PSI/PSINet) via UUCP; id AA26777 for ; Tue, 14 Feb 95 09:04:38 -0500 Received: from shellgate.shell.com by shell.com SHELLGATE-X1.4 id AA25920; Tue, 14 Feb 95 07:52:15 -0600 Received: from kelly by shellgate.shell.com SHELLGATE-I1.3 id AA25914; Tue, 14 Feb 95 07:52:06 -0600 Received: from localhost by kelly.ic.shell.com (4.1/BRC-2.0) id AA22457; Tue, 14 Feb 95 07:51:20 CST Message-Id: <9502141351.AA22457@kelly.ic.shell.com> To: Firewalls@greatcircle.com Subject: JANUS Date: Tue, 14 Feb 95 07:51:20 -0600 From: "Anh-Huy (Steve) T. 
Ton"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anyone had any experience dealing with the JANUS firewall product, good or bad? I would like to hear any comments you've had. Please, no plugs from JANUS/Netpartners!!

..............................................................................
. Anh-Huy (Steve) T. Ton                     Shell Oil Company              .
. Network Systems Projects                   1500 O.S.T., Rm. 2P18I         .
. E-mail : ton@shell.com                     Houston, TX 77054              .
. Skypage : 1(800)SKY-GRAM, PIN : 8841224    (713)245-2636                  .
..............................................................................

From firewalls-owner Tue Feb 14 06:56:44 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA15581 for firewalls-outgoing; Tue, 14 Feb 1995 06:14:10 -0800
Received: from gate3.fmr.com (gate3.FMR.Com [192.223.170.13]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA15576 for ; Tue, 14 Feb 1995 06:14:07 -0800
Received: (from adm@localhost) by gate3.fmr.com (8.6.9/8.6.9) id JAA09633; Tue, 14 Feb 1995 09:07:47 -0500
Message-Id: <199502141407.JAA09633@gate3.fmr.com>
Received: from mbsb01.fmr.com(155.1.75.10) by gate3 via smap (V1.3mjr) id sma009627; Tue Feb 14 14:07:06 1995
Date: Tue, 14 Feb 1995 09:09:11 -0500
From: Joe Judge
Subject: Re: Firewalls and anonymous ftp access
To: Firewalls@GreatCircle.COM, burkema@ampex.com
Content-transfer-encoding: 7BIT
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

1. I hate to propose running large complicated daemons on your firewall ... but if you have an "external" machine, on the "outside" of the firewall, dedicated to just doing "services" and then you put the wu-ftpd -- then you can use their guest-account features to give users access without login access.

2. Or -- an internal FTP site that automatically mirrors to some similar external machine ? (where is that mirror.pl software anyway ? or some application level NFS-type thing? or proxyFTP to it ? or ... :)

I'd done #1 before -- that "public" machine ran the ftp daemon (chrooted) and a web server (chrooted) ... and that machine was marked as untrusted with no production email or proxy traffic flying through (impossible anyway because there was no internal connection)

- joe

>
> I recently attended Brent Chapman's Firewalls tutorial and found it very
> enlightening. He sort of touched the subject of Anonymous ftp service.
> The most important thing I got from his seminar is to have no user accounts
> on the bastion host. How can I give specific inside users access to place
> files up on the ftp server without giving them an account? How does the rest
> of the world out there run their anonymous ftp site? What are the policies
> of anonymous ftp providers normally? What should I worry about in terms of
> security? Any help would be appreciated ( as long as someone can tell me
> where to go look if this is not the right place. )
>
> Thanks
>
> Martin Burke
> burkema@ampex.com
>

From firewalls-owner Tue Feb 14 07:05:22 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA15414 for firewalls-outgoing; Tue, 14 Feb 1995 05:55:20 -0800
Received: from taureau.as03.bull.oz.au (taureau.as03.bull.oz.au [134.211.128.112]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA15409 for ; Tue, 14 Feb 1995 05:55:03 -0800
Received: by taureau.as03.bull.oz.au id AA29240 (5.65c/IDA-1.4.4 for firewalls@greatcircle.com); Wed, 15 Feb 1995 01:21:06 +1100
Received: from localhost (sjg@localhost [127.0.0.1]) by zen.void.oz.au (8.6.9/8.6.9) with SMTP id VAA23645; Tue, 14 Feb 1995 21:24:40 +1100
Message-Id: <199502141024.VAA23645@zen.void.oz.au>
X-Authentication-Warning: zen.void.oz.au: Host localhost didn't use HELO protocol
To: Ian Marr
Cc: firewalls@greatcircle.com
Subject: fw tools (was Re: Address translation)
In-Reply-To: Your message of "Mon, 13 Feb 95 11:02:48 -0000." <9502131102.AA01325@finsbury.co.uk>
Date: Tue, 14 Feb 1995 21:24:37 +1100
From: "Simon J. Gerraty"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Simon implies that ftp needs to be handled carefully, true; but has
> anyone done this ? Or, as mjr of TIS suggested to me, why not do
> all ftp's through an http-gw ? (I'm not sure how this would work,
> can anyone explain ?)
>
> And finally, is anyone running a dual firewall config like this ?
> Especially using the TIS Toolkit or Gauntlet ? I'd really like to
> know it worked and was secure.

Funny you should ask... the answer is yes to both. I have split the TIS ftp-gw in two. Works the same as the TIS one except there are a couple of new entries in netperm-table.

I took the added step of implementing a bindport facility (again as suggested by Bellovin & Cheswick) such that the proxy can run as non-root, yet bind reserved ports if required by the config of the choke router. It is implemented via a function that checks if euid==0 and does the job itself if so. Both the lib function and program come from the same file... I was planning to mail the patches to TIS but I've been busy... :-)

I'm also about ready to release my modified version of the Linux NFS server. It is intended to run under inetd and without the port mapper. The client s/w registers a local UDP NFS service and shuffles RPC's via TCP to the server. The server can be told to require authentication via TIS's authsrv before accepting a mount request (TCP transport only). Performance is about 1/4 native filesystem but who cares? Can anyone offer an FTP site for this? Note my build tree requires the new BSD make and macros - but I've a version that runs on SunOS, HP/UX etc.

If I could work out how to implement Bellovin & Merritt's A-EKE protocol, I could release my encrypted telnet too.. (no need for kerberos or smart cards etc to store keys).
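Simon's bindport facility and Jonathan Bresler's chroot note earlier in this digest are two halves of the same startup sequence: whatever needs root (binding a port below 1024, chroot(2), which fails with EPERM for anyone else) is done first, and then the process that will talk to the network runs without it. Added example, not Simon's patches or TIS code: the privileged half binds the socket and hands the descriptor to a worker over a UNIX socketpair with SCM_RIGHTS; the worker drops the inherited copy, takes the passed one, chroots and switches to an unprivileged user if it was root, verifies that root cannot be regained, and only then accepts. The worker is forked here so the demo is one file; in a real deployment it would be a separately exec'd unprivileged program, which is what the descriptor passing is for. Assumptions: a Unix host with Python 3.9 or later (socket.send_fds/recv_fds), a user named nobody, and an ephemeral loopback port so the demo also runs unprivileged; started as root it binds, chroots and changes uid for real.

```python
import os
import pwd
import socket
import tempfile

UNPRIVILEGED_USER = "nobody"   # assumption of the example


def bind_listener(port):
    """The privileged side.  Only this needs root, and only for ports below
    1024: the 'does the job itself if euid == 0' half of the bindport idea."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)
    return srv


def drop_privileges(jail, user=UNPRIVILEGED_USER):
    """Chroot into `jail` and become `user` if we are root; returns (was_root, euid).

    chroot(2) is superuser-only, so as an ordinary user this is a no-op.  As
    root: chdir, chroot, chdir('/') so no cwd points outside, clear the
    supplementary groups, set gid before uid, then prove root is gone."""
    if os.geteuid() != 0:
        return False, os.geteuid()
    pw = pwd.getpwnam(user)       # resolve before the chroot hides /etc/passwd
    os.chdir(jail)
    os.chroot(jail)
    os.chdir("/")
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    try:
        os.setuid(0)
    except PermissionError:
        return True, os.geteuid()
    raise RuntimeError("privilege drop failed: root regained")


def serve_one(listener, jail):
    """Worker body: drop privileges first, then accept a single client on the
    passed-in socket and answer with the euid the worker runs as."""
    _, euid = drop_privileges(jail)
    conn, _ = listener.accept()
    with conn:
        data = conn.recv(4096)
        conn.sendall(b"%d:%s" % (euid, data))


def expected_worker_euid():
    """nobody's uid if we started as root, otherwise our own uid."""
    return pwd.getpwnam(UNPRIVILEGED_USER).pw_uid if os.geteuid() == 0 else os.geteuid()


def run_demo(port=0):
    """Bind in the parent, pass the descriptor to a forked worker over a
    socketpair (SCM_RIGHTS), close the parent's copy, then connect as a client."""
    jail = tempfile.mkdtemp()
    listener = bind_listener(port)
    bound_port = listener.getsockname()[1]
    helper_end, worker_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    pid = os.fork()
    if pid == 0:                                   # worker (forked only for the demo)
        helper_end.close()
        listener.close()                           # drop the inherited copy ...
        _, fds, _, _ = socket.recv_fds(worker_end, 1024, 1)
        inherited = socket.socket(fileno=fds[0])   # ... and use the passed one
        serve_one(inherited, jail)
        os._exit(0)
    worker_end.close()
    socket.send_fds(helper_end, [b"listener"], [listener.fileno()])
    helper_end.close()
    listener.close()                               # parent holds no listening socket now
    with socket.create_connection(("127.0.0.1", bound_port)) as client:
        client.sendall(b"hello")
        reply = client.recv(4096)
    _, status = os.waitpid(pid, 0)
    os.rmdir(jail)
    euid, _, payload = reply.partition(b":")
    return {"port": bound_port, "worker_euid": int(euid), "payload": payload,
            "worker_exit": os.waitstatus_to_exitcode(status)}


if __name__ == "__main__":
    print(run_demo())
```

The setuid(0) probe after the switch is the check that turns the attack in Bresler's quoted message into a non-event: a worker that is no longer root cannot chroot again, cannot su inside the jail, and cannot bind another reserved port, whatever /etc/passwd it is shown.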
--sjg From firewalls-owner Tue Feb 14 07:15:11 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA15786 for firewalls-outgoing; Tue, 14 Feb 1995 06:25:48 -0800 Received: from urhep.pas.rochester.edu (urhep.pas.rochester.edu [128.151.144.64]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA15781 for ; Tue, 14 Feb 1995 06:25:45 -0800 Received: from URHEP.PAS.ROCHESTER.EDU by URHEP.PAS.ROCHESTER.EDU (PMDF V4.2-11 #4191) id <01HN198QIZ8M8WWJM0@URHEP.PAS.ROCHESTER.EDU>; Tue, 14 Feb 1995 09:23:21 EST Date: Tue, 14 Feb 1995 09:23:21 -0500 (EST) From: "Bill VanRemmen U. of Rochester (716)275-4825" Subject: Re: SEAL To: firewalls@greatcircle.com Message-id: <01HN198QIZ8O8WWJM0@URHEP.PAS.ROCHESTER.EDU> X-VMS-To: IN%"firewalls@greatcircle.com" MIME-version: 1.0 Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Joerg: Thanks for the info... >Could you tell us what you want to do with the firewall? Why do you need >DECnet, Appletalk and IPX? I manage the Physics Department systems at the Univ of Rochester and we have TCP/IP, DECnet, Appletalk and IPX being routed to us over one ethernet connection from the Campus E-LAN. I would like to secure my part of the network by a couple methods. First, I would like to force users logging in from outside to authenticate themselves to a single machine (preferably with SecurID or something similar)before being allowed to connect to any inside machines. I would like to have that machine accept mail (IP and DECnet) from outside and forward it to machines on the inside, thereby protecting us from attackers probing sendmail. I would like to block incoming connections of any sort that don't authenticate themselves to the 'firewall/bastion', but allow users on the inside to connect OUT to the 'net, ie I want my users to be able to connect to ftp, WWW and gopher servers on the outside, but block those types of connections from coming in. 
Maybe this isn't *strictly* a firewall, but I guess I have to start looking somewhere... Any suggestions? -Bill VanRemmen, KA2WFJ billy@urhep.pas.rochester.edu URHEP::billy My opinions. No one in their right mind would claim otherwise. ============================================================================== "Experience should teach us to be most on our guard to protect liberty when the government's purposes are beneficient . . . the greatest dangers to liberty lurk in insidious encroachment by men of zeal, well meaning but without understanding." Justice Louis Brandeis Olmstead vs. United States, United States Supreme Court, 1928 ============================================================================== From firewalls-owner Tue Feb 14 07:28:21 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA15550 for firewalls-outgoing; Tue, 14 Feb 1995 06:09:22 -0800 Received: from orion.symplex.com ([198.153.219.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA15545 for ; Tue, 14 Feb 1995 06:09:17 -0800 From: auch@symplex.com Received: from pluto.symplex.com by orion.symplex.com with smtp (Smail3.1.28.1 #4) id m0reNu3-000ukgC; Tue, 14 Feb 95 09:06 EST Received: from earth.symplex.com by pluto.symplex.com (4.1/SMI-4.1) id AA05268; Tue, 14 Feb 95 09:06:55 EST Date: Tue, 14 Feb 95 09:06:55 EST Message-Id: <9502141406.AA05268@pluto.symplex.com> Received: by earth.symplex.com (4.1/SMI-4.1) id AA08424; Tue, 14 Feb 95 09:06:55 EST To: Firewalls@GreatCircle.COM Subject: Looking for some firewall advice Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I was looking for a bit of constructive criticism, but not too much outright flaming, so I thought this was the place to post :) I have tried to do my homework, but when your all alone... We want to set up a public information server (WWW, anon ftp, etc.) We also want to be able to continue to access the Internet from the inside in a transparent way. 
Of course, we want good security. And finally, eventually we will want to be able to access the inside from the outside.

This is our current access diagram:

              +--------+       +--------+
         ====|  Modem |=======| Inside |----->>>
              +--------+   ^   +--------+
          ^                |
       PPP link        ----/
    from our provider       \---- One host in our Class C network running
                                  a packet filter on the PPP interface

The current proposal goes like this:

                              /-- 1 address in our network
                              v
               +--------+           +-------------+
      =========| Router |-----+-----| Info Server |
          ^    +--------+     |     +-------------+
          |        ^          |
     56k or ISDN   |          |     +---------+       +--------+
    from provider  |          \-----| Gateway |-------| Inside |--->>>
                   |                +---------+       +--------+
    Packet filtering -/                  ^
                                         |
         Run SOCKs to get ---------------/
         out; fwtk to get in

Questions:

1) Does this make sense?
2) Is this in violation of KISS?
3) Can this be done without subnetting?
4) Is it too much to want transparent access outbound?
5) Any other comments/questions?

-----------------------------------------------------------------------
Timothy A. Auch                           Symplex Communications Corp.
Software Development Engineer &           5 Research Drive
Sun Network Manager                       Ann Arbor, MI 48103
                                                                    __o
telephone: (313) 995-1555                                         _ \<,_
e-mail: auch@symplex.com     FAX: (313) 995-3350                 (_)/ (_)
-----------------------------------------------------------------------

From firewalls-owner Tue Feb 14 08:09:35 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA17401 for firewalls-outgoing; Tue, 14 Feb 1995 07:38:47 -0800
Received: from eas (root@eas.frus.com [199.173.156.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA17396 for ; Tue, 14 Feb 1995 07:38:42 -0800
From: estutes@eas.westend.frus.com
Message-Id:
To: billy@urhep.pas.rochester.edu
Cc: firewalls@greatcircle.com
Subject: Re: SEAL
Reply-To: estutes@frus.com
In-Reply-To: Your message of "Tue, 14 Feb 1995 09:23:21 -0500 (EST)"
References: <01HN198QIZ8O8WWJM0@URHEP.PAS.ROCHESTER.EDU>
X-Mailer: Mew beta version 0.86 on Emacs 19.28.1
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Tue, 14 Feb 1995 07:32:38 -0800
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

BILLY said in [Re: SEAL] on Tue, 14 Feb 1995 09:23:21 -0500 (EST)

BILLY> Maybe this isn't *strictly* a firewall, but I guess I have to start looking
BILLY> somewhere...
BILLY>
BILLY> Any suggestions?

Sounds like a firewall to me. fwtk should be able to handle all of your problems on the tcp-ip stack. I have no experience with appletalk or DECNET.

=eas=
Firewall Security Corporation
A Professional Internet Security Provider.
http://www.frus.com/ From firewalls-owner Tue Feb 14 08:25:55 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA17937 for firewalls-outgoing; Tue, 14 Feb 1995 08:06:09 -0800 Received: from stargate.concorde.com (smap@stargate.concorde.com [204.97.254.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA17928 for ; Tue, 14 Feb 1995 08:06:04 -0800 Received: (from smap@localhost) by stargate.concorde.com (8.6.8.1/8.6.6) id LAA13063; Tue, 14 Feb 1995 11:03:16 -0500 Received: from galaxy.concorde.com(198.242.54.51) by stargate.concorde.com via smap (V1.3) id sma013061; Tue Feb 14 11:03:13 1995 Received: from prophet.concorde.com (jna@prophet.concorde.com [198.242.54.15]) by galaxy.concorde.com (8.6.8.1/8.6.6) with ESMTP id LAA26656; Tue, 14 Feb 1995 11:03:14 -0500 From: John Adams Received: (jna@localhost) by prophet.concorde.com (8.6.8.1/8.6.6) id LAA11918; Tue, 14 Feb 1995 11:02:29 -0500 Date: Tue, 14 Feb 1995 11:02:29 -0500 Message-Id: <199502141602.LAA11918@prophet.concorde.com> To: firewalls@GreatCircle.COM, horn@mickey.jsc.nasa.gov Subject: Re: Archie? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'd be willing to put an archie proxy together, it should take _that_ long. 
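The layout Timothy Auch sketches a few messages above (provider link into a filtering router, an info server and a gateway on the screened network, the gateway running SOCKS outbound and fwtk inbound, nothing inside reachable directly) is a packet-filter policy plus two proxies. The Python below is an added example from the editor, not code from any message in this digest: it evaluates that policy over constructed sample packets, with the anti-spoofing rules that John Adams (Cisco 2501) and Jorgen Bo Madsen (3Com) ask about later in this digest placed ahead of every permit, and shows what the forged packet does when they are left out. The addressing (192.0.2.0/24 as "our Class C", .10 for the info server, .1 for the gateway), the interface names, the port list and the sample packets are all assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed addressing for the illustration; nothing here comes from the thread.
OUR_NET = ipaddress.ip_network("192.0.2.0/24")      # "our Class C network"
INFO_SERVER = ipaddress.ip_address("192.0.2.10")     # WWW + anonymous ftp host
GATEWAY = ipaddress.ip_address("192.0.2.1")          # SOCKS out, fwtk in
EXT_IF, INT_IF = "serial0", "ether0"                 # provider side / our side
PUBLIC_TCP_PORTS = {21, 80}                          # outsiders may open only these


@dataclass(frozen=True)
class Packet:
    ifname: str        # interface the packet arrives on
    src: str
    dst: str
    proto: str         # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False  # TCP ACK set: reply half of a connection already open


def filter_packet(p, antispoof=True):
    """Return (verdict, rule) for one packet.  First match wins, so the
    anti-spoofing checks must come before any permit rule."""
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)

    if p.ifname == EXT_IF:                          # arriving from the provider
        if antispoof and src in OUR_NET:
            return "deny", "antispoof-in"           # our addresses never arrive from outside
        if dst not in (INFO_SERVER, GATEWAY):
            return "deny", "not-screened-host"      # inside is reached only via gateway proxies
        if p.proto == "tcp" and p.ack:
            return "permit", "established"          # replies to connections we opened
        if p.proto == "tcp" and dst == INFO_SERVER and p.dport in PUBLIC_TCP_PORTS:
            return "permit", "public-service"
        if p.proto == "udp" and dst == GATEWAY and p.sport == 53:
            return "permit", "dns-reply"            # stateless: anything from port 53 passes
        return "deny", "default-in"

    if p.ifname == INT_IF:                          # leaving towards the provider
        if antispoof and src not in OUR_NET:
            return "deny", "antispoof-out"          # don't let our link forge other sites
        if src in (INFO_SERVER, GATEWAY):
            return "permit", "screened-host-out"
        return "deny", "inside-direct"              # inside hosts must use SOCKS on the gateway

    return "deny", "unknown-interface"


def audit(packets, antispoof=True):
    """Apply the policy to a list of packets; returns (verdict, rule) per packet."""
    return [filter_packet(p, antispoof) for p in packets]


# Constructed sample traffic (not captured from anywhere).
SAMPLE = [
    Packet(EXT_IF, "198.51.100.7", "192.0.2.10", "tcp", 40000, 80),           # outsider -> WWW
    Packet(EXT_IF, "192.0.2.5", "192.0.2.10", "tcp", 40000, 80),              # forged inside source
    Packet(EXT_IF, "198.51.100.7", "192.0.2.1", "tcp", 80, 33000, ack=True),  # reply to the gateway
    Packet(EXT_IF, "198.51.100.7", "192.0.2.1", "tcp", 40000, 23),            # telnet at the gateway
    Packet(EXT_IF, "198.51.100.7", "192.0.2.77", "tcp", 40000, 80),           # straight to an inside host
    Packet(INT_IF, "192.0.2.1", "198.51.100.7", "tcp", 33000, 80),            # gateway (SOCKS) going out
    Packet(INT_IF, "192.0.2.77", "198.51.100.7", "tcp", 33000, 80),           # inside host bypassing SOCKS
    Packet(INT_IF, "10.0.0.5", "198.51.100.7", "tcp", 33000, 80),             # forged source leaving
]

if __name__ == "__main__":
    for p, (verdict, rule) in zip(SAMPLE, audit(SAMPLE)):
        print(f"{p.ifname:7} {p.src:>14} -> {p.dst:<12} {p.proto}/{p.dport:<5} {verdict:6} ({rule})")
    # Without the anti-spoofing rule the forged packet is accepted as ordinary WWW traffic.
    print("forged packet, antispoof off:", filter_packet(SAMPLE[1], antispoof=False))
```

Run it directly to print the verdict table. The rule order is the point: the anti-spoofing check sits before every permit, because the forged packet in SAMPLE[1] otherwise matches the public-service rule and reaches the info server looking like local traffic. The dns-reply rule is the kind of stateless hole a router filter of this vintage lives with (anything from source port 53 passes to the gateway), so the gateway itself must not trust that port, and inside hosts never appear in the permit rules at all: they reach the outside only through SOCKS on the gateway, which is what makes question 3 (no subnetting) survivable.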
From firewalls-owner Tue Feb 14 08:41:23 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA17482 for firewalls-outgoing; Tue, 14 Feb 1995 07:41:45 -0800 Received: from cressida.mis.amat.com (cressida.mis.amat.com [199.171.188.13]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA17477 for ; Tue, 14 Feb 1995 07:41:42 -0800 Received: from romeo.mis.amat.com by cressida.mis.amat.com with SMTP (1.38.193.4/16.2) id AA14644; Tue, 14 Feb 1995 07:44:50 -0800 Received: from [152.135.207.190] by romeo.mis.amat.com with SMTP (1.37.109.6/16.2) id AA12438; Tue, 14 Feb 95 07:38:03 -0800 Received: from scla10.acetsw by acetsw.amat.com (4.1/SMI-4.1-DNI-ACET-941021) id AA23194; Tue, 14 Feb 95 07:39:50 PST Date: Tue, 14 Feb 95 07:39:50 PST From: reynolds@acetsw.amat.com (John Reynolds) Message-Id: <9502141539.AA23194@acetsw.amat.com> Organization: Applied Materials Inc., ACET Division To: firewalls@greatcircle.com Subject: connection refused? Cc: jeffrey@crl.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello. You may insert your favorite self-effacing newbie statement here. I'm trying to telnet from my company's net to Sunsolve. I get : telnet sunsolve1.sun.com Trying 192.9.9.24 ... Connected to sunsolve1.sun.com. Escape character is '^]'. Connection closed by foreign host. ftp to the same site works OK. telnet from another part of the company, through another firewall, works OK. We also get "connection refused" message returns on some e-mail sent outside. Our firewall is running on an HP UNIX box. The person running the firewall (a Brent Chapman Firewalls Tutorial graduate) and I have a feeling that it is related to identd; the HP box doesn't have identd. He's working on getting it. I'm waiting for a callback from Sun, but not holding my breath. I'm hoping that the collective consciousness can tell me if we're looking in the wrong direction, or point out some other avenues to investigate. Humble thanks. 
John Reynolds                      i never think at all when i write
Applied Materials                  nobody can do two things at the same time
3320 Scott Blvd. MS 1119           and do them both well
Santa Clara CA 95054                                        -archy
reynolds@acetsw.amat.com

From firewalls-owner Tue Feb 14 08:53:05 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA18487 for firewalls-outgoing; Tue, 14 Feb 1995 08:38:13 -0800
Received: from mail.Germany.EU.net (mail.Germany.EU.net [192.76.144.65]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA18482 for ; Tue, 14 Feb 1995 08:38:10 -0800
Received: by mail.Germany.EU.net with UUCP (8.6.5:29/EUnetD-2.5.1.d) via EUnet id RAA20215; Tue, 14 Feb 1995 17:37:29 +0100
Received: from sit03.cp-nbg.philips.de by scax18.philips.de (4.1/PKI-3.0 (Domain)) id AA27159; Tue, 14 Feb 95 17:29:31 +0100
From: wolfgang.kuehnel@cp-nbg.philips.de (Wolfgang Kuehnel )
Date: Tue, 14 Feb 1995 17:29:24 --100
Message-Id: <9502141629.AA27124@sit03.cp-nbg.philips.de>
Received: by sit03.cp-nbg.philips.de (5.0/PKI-3.0 (Domain)) id AA27124; Tue, 14 Feb 1995 17:29:24 --100
To: stevel@autodesk.com
Subject: Re: Problem with SOCKS_NS under Solaris 2.X
Cc: firewalls@greatcircle.com
X-Sun-Charset: US-ASCII
Content-Length: 274
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi!

Check your /etc/nsswitch.conf. You have to include "dns" in the "hosts:"-line there. Example:

    hosts: nis files dns [NOTFOUND=return]

I assumed that linking with the resolver-Library would do, but it doesn't. The hint above works.

Anyone better clues?

W.
From firewalls-owner Tue Feb 14 09:22:49 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA18819 for firewalls-outgoing; Tue, 14 Feb 1995 08:49:50 -0800
Received: from stargate.concorde.com (smap@stargate.concorde.com [204.97.254.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA18808 for ; Tue, 14 Feb 1995 08:49:46 -0800
Received: (from smap@localhost) by stargate.concorde.com (8.6.8.1/8.6.6) id LAA13293 for ; Tue, 14 Feb 1995 11:47:11 -0500
Received: from galaxy.concorde.com(198.242.54.51) by stargate.concorde.com via smap (V1.3) id sma013290; Tue Feb 14 11:47:05 1995
Received: from prophet.concorde.com (jna@prophet.concorde.com [198.242.54.15]) by galaxy.concorde.com (8.6.8.1/8.6.6) with ESMTP id LAA27096 for ; Tue, 14 Feb 1995 11:47:06 -0500
From: John Adams
Received: (jna@localhost) by prophet.concorde.com (8.6.8.1/8.6.6) id LAA22741 for Firewalls@GreatCircle.COM; Tue, 14 Feb 1995 11:46:20 -0500
Date: Tue, 14 Feb 1995 11:46:20 -0500
Message-Id: <199502141646.LAA22741@prophet.concorde.com>
To: Firewalls@GreatCircle.COM
Subject: Re: Looking for some firewall advice
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone have a good list of commands that should be applied to a Cisco 2501 Router (Blocking spoofing / etc) and know the command I can use to currently display the status of the router's settings?
-john

From firewalls-owner Tue Feb 14 09:33:52 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA18671 for firewalls-outgoing; Tue, 14 Feb 1995 08:44:31 -0800
Received: from adeskgate.autodesk.com (adeskgate.autodesk.com [198.93.152.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA18666 for ; Tue, 14 Feb 1995 08:44:27 -0800
Received: from autodesk.autodesk.com by adeskgate.autodesk.com (8.6.8/4.4BSD) with ESMTP id IAA25364; Tue, 14 Feb 1995 08:39:42 -0800
Received: from skynet.autodesk.com by autodesk.autodesk.com (8.6.8/4.4BSD) with ESMTP id IAA14569; Tue, 14 Feb 1995 08:41:34 -0800
Received: from localhost by skynet.autodesk.com (8.6.8/SMI-5.3) with SMTP id IAA13730; Tue, 14 Feb 1995 08:41:31 -0800
Message-Id: <199502141641.IAA13730@skynet.autodesk.com>
To: wolfgang.kuehnel@cp-nbg.philips.de (Wolfgang Kuehnel )
cc: stevel@autodesk.com, firewalls@greatcircle.com
Subject: Re: Problem with SOCKS_NS under Solaris 2.X
In-reply-to: Your message of "Tue, 14 Feb 1995 17:29:24." <9502141629.AA27124@sit03.cp-nbg.philips.de>
Date: Tue, 14 Feb 1995 08:41:29 -0800
From: "Steven W. Litras"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

dns is already in the hosts line, it's just ignoring the SOCKS_DEFAULT_NS and going through the /etc/resolv.conf (which only has "local" resolving DNS servers in it).

In message <9502141629.AA27124@sit03.cp-nbg.philips.de> writes:
::
::
::Hi!
::
::Check your /etc/nsswitch.conf. You have to include "dns" in the
::"hosts:"-line there.
::Example:
::
::
::hosts: nis files dns [NOTFOUND=return]
::
::
::I assumed that linking with the resolver-Library would do,
::but it doesn't. The hint above works.
::
::Anyone better clues?
::
::
::W.
:: From firewalls-owner Tue Feb 14 09:50:28 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA19082 for firewalls-outgoing; Tue, 14 Feb 1995 08:55:19 -0800 Received: from igor.tamri.com (igor.tamri.com [192.65.214.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA19074 for ; Tue, 14 Feb 1995 08:55:07 -0800 Received: from indurain.tamri.com by igor.tamri.com via SMTP (931110.SGI/911001.SGI) for firewalls@greatcircle.com id AA17419; Tue, 14 Feb 95 08:53:10 -0800 Received: by indurain.tamri.com (931110.SGI/930416.SGI.AUTO) for @igor.tamri.com:firewalls@greatcircle.com id AA05195; Tue, 14 Feb 95 08:53:08 -0800 Date: Tue, 14 Feb 95 08:53:08 -0800 From: ark@tamri.com (Alene Kercheval) Message-Id: <9502141653.AA05195@indurain.tamri.com> To: nedbob@sequent.com Cc: firewalls@greatcircle.com In-Reply-To: <2F3FE0F5@ushqgw.sequent.com> (nedbob@sequent.com) Subject: Re: BSDI info Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The BSDI operating system platform is a commercial port of the Net2 release of UC, Berkeley to the 386 and above architecture. It is supported by the company, a mailing list ( that is gated to a news group somewhere ), and an email and|or phone hotline. The company controls the code ( you can buy a source license ) and makes the relevant decisions. It is a very solid product. I have been running it for years and I am very happy with it. For more information, they have a web page: http://www.bsdi.com ( just tested it ). 
ftp access: ftp ftp.bsdi.com email questions: info@bsdi.com -Alene Kercheval ark@tamri.com From firewalls-owner Tue Feb 14 09:52:53 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA18728 for firewalls-outgoing; Tue, 14 Feb 1995 08:46:24 -0800 Received: from erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA18660 for ; Tue, 14 Feb 1995 08:44:24 -0800 Posted-Date: Tue, 14 Feb 1995 11:41:49 -0500 From: "Bryan D. Boyle" Message-Id: <9502141141.ZM11473@maverick.erenj.com> Date: Tue, 14 Feb 1995 11:41:49 -0500 X-Phone: (908) 730-3338 X-Saying: Strange problems call for strange solutions. X-Life: Get One X-Face: "Pd&4kXWsi"3Hc_Y~I-ts24DN$w~Hh)&L-P9DZvE"~_~m),~Y&N_]TUIM*4.r@z$SxVL]}v=+IP>Fuq{zx%{KKj"Kys1Q5{|m*l}:[T;N:/=@5[xOIpR$%skp$f0#6^j\1+ -?l%Yk/+S8Y!3J@{~!Ao4-COV:Ft}{]oZ&1=!@<>UIh2s X-Mailer: Z-Mail (3.2.0 06sep94) To: firewalls@GreatCircle.COM Subject: firewall vendor list Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Appropos nothing, Cathy Fulmer at PNC has pulled together a list of firewall vendor information and built an html page with all the stuff in there...it is at URL http://www.digimark.net/bdboyle/fulmer/firewall.vendor.html if anyone wants to put this in their hotlist/bookmarks. Standard disclaimers, etc, ad nauseam, apply. She has assured me that she is updating it on a regular sked...based on input and so forth. Thanks, Cathy... -- Bryan D. 
Boyle |Physical: ER&E, Clinton, NJ (908) 730-3338 #include |Virtual: bdboyle@erenj.com World-Wide-Web: http://www.digimark.net/bdboyle/index.html http://www.digimark.net/bdboyle/pubkey.html for pgp public key From firewalls-owner Tue Feb 14 10:28:17 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA18848 for firewalls-outgoing; Tue, 14 Feb 1995 08:50:18 -0800 Received: from Getty.edu ([153.10.97.97]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA18842 for ; Tue, 14 Feb 1995 08:50:15 -0800 Received: from Getty-Message_Server by Getty.edu with Novell_GroupWise; Tue, 14 Feb 1995 08:47:29 -0800 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Tue, 14 Feb 1995 08:46:39 -0800 From: Wulf Losee To: firewalls@GreatCircle.com Subject: definitions for two acronyms used in past threads? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I was wondering if someone out there could define two acronyms that I've seen bandied about on the Firewalls list. I realize that this is not Firewalls question per se (sorry, Brent), so please feel free to email your answer to me personally (to conserve the Firewall bandwidth). The terms are: (1) FSP (Neither Comer nor Stevens discuss this service in their respective TCP/IP text books). What does FSP stand for, and how is it implemented? When would FSP be used? Is there an RFC that describes FSP? (2) HTTP-GW (I've got the 'HyperText Transport Protocol' part of the acronym). What does the GW stand for? How does HTTP-GW differ from HTTP? Again, is there an RFC that describes it? Thanks in advance, Wulf ^-^ / = , / | ( ( / } \ \ =/ = \ \ ******************************************** Disclaimer: All opinions expressed here are my own and not the Getty's. Any similarity between my opinions and those of the Getty are purely coincidental. ******************************************** Wulf Losee Network Analyst J. 
Paul Getty Trust
Vox: 310.451.6321   Fax: 310.451.5570
Internet: wlosee@getty.edu
********************************************

From firewalls-owner Tue Feb 14 10:29:32 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA20313 for firewalls-outgoing; Tue, 14 Feb 1995 09:51:50 -0800
Received: from danpost.uni-c.dk (danpost.uni-c.dk [129.142.6.64]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA20308 for ; Tue, 14 Feb 1995 09:51:46 -0800
Received: from cert.uni-c.dk (cert.uni-c.dk [129.142.6.90]) by danpost.uni-c.dk (8.6.4/8.6) with ESMTP id SAA26629 for ; Tue, 14 Feb 1995 18:49:55 +0100
Message-Id: <199502141749.SAA26629@danpost.uni-c.dk>
Received: by cert.uni-c.dk (1.37.109.11/16.2) id AA251524194; Tue, 14 Feb 1995 18:49:54 +0100
From: Jorgen Bo Madsen
Subject: Deny IP-spoofing filter on 3Com
To: Firewalls@GreatCircle.COM
Date: Tue, 14 Feb 1995 18:49:54 +0100 (MET)
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 229
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello firewall users.

It is not trivial to configure a 3Com router, with several physical Ethernet interfaces, to deny IP-spoofing. Any ideas? Are there any examples anywhere?
Thanks in advance Jorgen.Bo.Madsen@uni-c.dk From firewalls-owner Tue Feb 14 10:48:16 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA20883 for firewalls-outgoing; Tue, 14 Feb 1995 10:09:14 -0800 Received: from mail.sni.co.uk (mail.sni.co.uk [193.116.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA20873 for ; Tue, 14 Feb 1995 10:09:08 -0800 Received: from innergate.sni.co.uk (argon.sni.co.uk) by mail.sni.co.uk (4.1/SNI-5.5) id AA02073; Tue, 14 Feb 95 18:04:58 GMT Received: from zippy.sni.co.uk (zippy) by innergate.sni.co.uk; Tue, 14 Feb 95 18:13:15 +0100 From: Ignatius Tan Message-Id: <26374.9502141804@zippy.sni.co.uk> Subject: SOCKS + WINSOCK.DLL To: Firewalls@GreatCircle.COM Date: Tue, 14 Feb 1995 19:04:39 +0100 (MET) In-Reply-To: <199502141734.JAA20029@miles.greatcircle.com> from "firewalls-digest-owner@GreatCircle.COM" at Feb 14, 95 09:34:39 am X-Mailer: ELM [version 2.4 PL17] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 804 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi All, Can anyone tell me where to find a 'socksified' winsock.dll for Novell LWP's tcp/ip (ie. wlibsock.dll) ? We have a Bastion Host as the Internet Gateway, and the only way for clients to reach the rest of the world is via a SOCKS server. I've socksified various Unix apps to do so, but would like the Windows PCs to be able to reach out as well. I know there are Beta versions of socksified winsock.dll for packet drivers. Perhaps there are 'shim' dll's that will interface? Any help would be gratefully accepted. Cheers! =:-0 --------------------------------------------------------------------------- Ignatius Tan Internet: I.Tan@sni.co.uk Phone: +44 1344 850476 Siemens Nixdorf Information Systems Ltd. BS&SI. Siemens House. Oldbury. 
Bracknell, Berks, RG12 8FZ, England From firewalls-owner Tue Feb 14 10:56:57 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA19901 for firewalls-outgoing; Tue, 14 Feb 1995 09:30:22 -0800 Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA19896 for ; Tue, 14 Feb 1995 09:30:20 -0800 Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.28.1 #5) id m0reR2y-0000fYC; Tue, 14 Feb 95 09:28 PST Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA02853; Tue, 14 Feb 1995 09:28:33 +0800 Date: Tue, 14 Feb 1995 09:28:33 +0800 From: patrick@oes.amdahl.com (Patrick Horgan) Message-Id: <9502141728.AA02853@brittany.oes.amdahl.com> To: firewalls@greatcircle.com, bwalker@shell.portal.com Subject: Re: questions about security & WWW browsers X-Sun-Charset: US-ASCII content-length: 2584 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > My questions concern HTML and Web browsers. Is it possible for a WWW > server to issue HTML commands to the browsers to do things like > delete a file, spawn a process or some other anti-social behavior (much > like `deletefile' in Display PostScript). > > I'm in a discussion about firewalls and their limitations when it > comes to application filtering. > > Thanks. > > -brad w. The big problem we've seen so far is with cgi-scripts. (There were some problems in earlier browsers themselves, similar to what I'm about to describe, but they're all better;) If anything in a cgi-script (which can be a script, a program, etc...) executes something someone typed in a form, or executes a command which has as part of it something someone typed at a prompt, or executes a command containing information derived from information put in the packets at the sending end, you can have trouble. 
For example, suppose that you provide a form that allowed someone to enter their hostname, and you would run a security audit for them (a real example.) Suppose that you then used the hostname as part of a command. Perhaps something as simple as:

    ping hostname

Now, if they filled in the hostname blank in the form like this:

    myhost.mydomain.com ; echo >> /.rhosts "+ +"

and you pass that field unaltered to ping as its argument, they've just taken control of your machine.

There are ways to fix this. First you should never run cgi-scripts as root. Second, you shouldn't pass things unaltered to commands either through executing from a script, or as part of the arguments for a popen() or system() in a program.

So...can it be done safely? Yes it can. Is it usually? I don't think so. I've seen many cases where novices are making pages (and most people doing it now are novices,) with no knowledge of the security implications. Caveat Emptor. Ya gets what ya pays fer!

Patrick

These opinions are mine, and not Amdahl's (except by coincidence;).

~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~
/ | |                                                   (\ \
| Patrick J. Horgan       | Amdahl Corporation        |  \\   Have    |
| patrick@oes.amdahl.com  | 1250 East Arques Avenue   |   \\ _ Sword  |
| Phone : (408)992-2779   | P.O.
Box 3470 M/S 316 | \\/ Will | | FAX : (408)773-0833 | Sunnyvale, CA 94088-3470 | _/\\ Travel | \ | O16-2294 | \) / ~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~ From firewalls-owner Tue Feb 14 11:03:43 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA22087 for firewalls-outgoing; Tue, 14 Feb 1995 10:46:48 -0800 Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA22082 for ; Tue, 14 Feb 1995 10:46:44 -0800 From: H Morrow Long Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU via SMTP; Tue, 14 Feb 1995 13:44:49 -0500 Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-5.67b/res.client.cf-3.7) id AA04303; Tue, 14 Feb 1995 13:44:48 -0500 Date: Tue, 14 Feb 1995 13:44:48 -0500 Message-Id: <199502141844.AA04303@SPARKY.CF.CS.YALE.EDU> To: firewalls@GreatCircle.com, WLosee@Getty.Edu Subject: Re: definitions for two acronyms used in past threads? Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Md5: 9rOF/NbOSey78rbZC+Mhtg== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From firewalls-owner@GreatCircle.COM Tue Feb 14 13:34:23 1995 > I was wondering if someone out there could define two acronyms that I've > seen bandied about on the Firewalls list. I realize that this is not Firewalls > question per se (sorry, Brent), so please feel free to email your answer to me > personally (to conserve the Firewall bandwidth). > > The terms are: > (1) FSP (Neither Comer nor Stevens discuss this service in their respective > TCP/IP text books). What does FSP stand for, and how is it implemented? > When would FSP be used? Is there an RFC that describes FSP? FSP doesn't stand for anything in particular although File Stealing Protocol comes to mind. 
While similar in purpose to FTP (there are anonymous FSP sites on the Internet) it has gained a reputation as an outlaw or hacker protocol since many of the FSP sites have been used for nefarious purposes (i.e. pirated software, etc.). It is UDP based (vs. the TCP based ftp), which would tend to make it a bad network neighbor (neither flow nor congestion control) but it supposedly has some logic to reduce its effect on network load (pacing itself, using a lockstep protocol with delays inserted, perhaps an RTT calc, etc.)

> (2) HTTP-GW (I've got the 'HyperText Transport Protocol' part of the
> acronym). What does the GW stand for? How does HTTP-GW differ from
> HTTP? Again, is there an RFC that describes it?

GW == "gateway" ? Sounds like one of the TIS proxies to me. Rather than act as an HTTP server I would presume that it just passes HTTP protocol commands and output from one side of the firewall to a machine on the other and vice-versa (like plug-gw but with, perhaps, a few customizations for HTTP).
- Morrow From firewalls-owner Tue Feb 14 11:22:27 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA22397 for firewalls-outgoing; Tue, 14 Feb 1995 10:56:14 -0800 Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA22391 for ; Tue, 14 Feb 1995 10:56:11 -0800 Received: from juts.ccc.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.28.1 #5) id m0reSO2-0000oeC; Tue, 14 Feb 95 10:54 PST Received: by juts.ccc.amdahl.com (/\../\ Smail3.1.14.4 #14.6) id ; Tue, 14 Feb 95 10:54 PST Message-Id: Date: Tuesday, 14 February 1995 07:15 PT To: firewalls@greatcircle.com From: bryan.webb@amail.amdahl.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk unsuscribe firewalls From firewalls-owner Tue Feb 14 11:41:30 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA22351 for firewalls-outgoing; Tue, 14 Feb 1995 10:54:42 -0800 Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA22346 for ; Tue, 14 Feb 1995 10:54:39 -0800 Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA26028; Tue, 14 Feb 95 13:52:40 -0500 From: paul@hawksbill.sprintmrn.com (Paul Ferguson) Message-Id: <9502141852.AA26028@hawksbill.sprintmrn.com> Subject: Re: definitions for two acronyms used in past threads? To: WLosee@Getty.Edu (Wulf Losee) Date: Tue, 14 Feb 1995 13:52:40 -0500 (EST) Cc: firewalls@GreatCircle.com In-Reply-To: from "Wulf Losee" at Feb 14, 95 08:46:39 am X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 608 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > (2) HTTP-GW (I've got the 'HyperText Transport Protocol' part of the > acronym). What does the GW stand for? How does HTTP-GW differ from > HTTP? Again, is there an RFC that describes it? > I'll wager that 'gw' is an acronym for gateway. 
:-) - paul _______________________________________________________________________________ Paul Ferguson US Sprint tel: 703.689.6828 Managed Network Engineering internet: paul@hawk.sprintmrn.com Reston, Virginia USA http://www.sprintmrn.com From firewalls-owner Tue Feb 14 12:17:34 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA23284 for firewalls-outgoing; Tue, 14 Feb 1995 11:23:53 -0800 Received: from nuchat.sccsi.com (nuchat.sccsi.com [198.65.128.16]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA23279 for ; Tue, 14 Feb 1995 11:23:49 -0800 From: ted@gw.lsli.com Received: by nuchat.sccsi.com (/\==/\ Smail3.1.25.1 #25.2) id ; Tue, 14 Feb 95 13:25 CST Received: from gw.lsli.com by gw.lsli.com (AIX 3.2/UCB 5.64/4.03) id AA11321; Tue, 14 Feb 1995 13:20:00 -0600 Date: Wed, 14 Feb 96 13:12:56 PST Subject: LSLI WEB PAGE To: firewalls@GreatCircle.com X-Mailer: Chameleon - TCP/IP for Windows by NetManage, Inc. Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is to let everyone know that LSLI now has a web page with information on the PORTUS firewall system. The URL is: http://www.sccsi.com/lsli/lsli.homepage.html if you have any suggestions let fletch know...his address is fletch@gw.lsli.com. enjoy Ted Airedale ------------------------------------- ted@gw.lsli.com "Look, strange women lying on their backs in ponds handing out swords ... that's no basis for a system of government. Supreme executive power derives from a mandate from the masses, not from some farcical aquatic ceremony." 
- Dennis, "Monty Python and the Holy Grail" ------------------------------------- From firewalls-owner Tue Feb 14 12:24:56 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA24569 for firewalls-outgoing; Tue, 14 Feb 1995 12:16:39 -0800 Received: from arl-img-2.compuserve.com (arl-img-2.compuserve.com [198.4.7.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA24564 for ; Tue, 14 Feb 1995 12:16:36 -0800 Received: by arl-img-2.compuserve.com (8.6.9/5.941228sam) id PAA23456; Tue, 14 Feb 1995 15:14:19 -0500 Date: 14 Feb 95 15:11:30 EST From: John Tannahill <70641.3502@compuserve.com> To: Firewalls Subject: re: there can only be one! Message-ID: <950214201130_70641.3502_EHM28-1@CompuServe.COM> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Comments from a 'lurker' - apologies in advance for non-firewall comments and certain motherhoods. In terms of firewall policy, this should not be considered synonymous with network security policy. 1. Security policy and subsequent standards and implementation should be derived from the security REQUIREMENTS that are specific to the environment. 2. The policy/standards/implementation should deal with ALL network entry points. In most environments I encounter (being a consultant) TCP/IP is growing in use but is not yet the dominant communications protocol. Focussing on firewalls & TCP/IP smacks of the 'maginot line' - If I attack your environment it will be at, to my knowledge, the weakest network entry point, which could for example be one of the following: physical access to programmable/non-programmable terminals; X.25; direct-dial to host; dial to LAN/WAN; dial to PC; vendor-specific host dial-in etc. The attack may focus on popular communications protocols, e.g. SDLC; DECNET; IPX/SPX; NetBEUI etc (e.g. password sniffing is not specific to TCP/IP). There are also weaknesses associated with specific protocols which need to be addressed. 3. 
A firewall does not imply a secure inside network. For me, a firewall protects a specific entry point (if it is properly understood and implemented) 4. The term 'network security' should be separated from 'host security' regarding such things as encryption; level of trust in IP address authentication etc. Can I have adequate host security assuming that the network is hostile? Also in terms of host security, there is a need to separate different TCP/IP services implementations e.g. NFS on a unix variant versus NFS on an IBM MVS environment. 5. The key elements of determining security requirements are : who might wish to attack my environment (random or specific attempts) ? what kind of attack and what level of knowledge about the environment will be held by a likely attacker. This should drive the level of security that you may require. Overall, security policy should be based on the value of my information to me and to others who don't have access to it. Regards, John Tannahill From firewalls-owner Tue Feb 14 12:56:33 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA25027 for firewalls-outgoing; Tue, 14 Feb 1995 12:48:16 -0800 Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA25022 for ; Tue, 14 Feb 1995 12:48:11 -0800 Received: (from fc@localhost) by all.net (8.6.9/8.6.9) id PAA17941 for firewalls@greatcircle.com; Tue, 14 Feb 1995 15:43:30 -0500 From: "Dr. Frederick B. Cohen" Message-Id: <199502142043.PAA17941@all.net> Subject: not line (for example) a scanning service To: firewalls@greatcircle.com Date: Tue, 14 Feb 1995 15:43:27 -0500 (EST) X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 728 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Accurately stated (about taking over W3 sites), except that we do it right (or pretty close to it at least). 
We verify addresses as to form, don't execute arbitrary garbage, and don't run httpd as root (hence the :8080 at the end of our URL). We also tested this attack rather extensively before allowing our forms service to go on-line. We have been working on adding some sample test cases for the various ways W3 can be exploited, and welcome any other examples. By the way, we decided not to do the test that fills /tmp since it could do real harm rather than simply demonstrate flaws. The same is true for many of the other disruptive attacks. Does anyone know a good way to test for this without wreaking havoc? FC From firewalls-owner Tue Feb 14 13:20:40 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA24001 for firewalls-outgoing; Tue, 14 Feb 1995 11:51:11 -0800 Received: from nic.cerf.net (root@nic.cerf.net [192.102.249.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA23996 for ; Tue, 14 Feb 1995 11:51:09 -0800 Received: from isis (ISIS.ISISPH.COM [192.65.129.1]) by nic.cerf.net (8.6.9/8.6.9) with SMTP id LAA17928 for ; Tue, 14 Feb 1995 11:49:16 -0800 Received: from [192.65.129.90] (MacHeer) by isis (4.1/SMI-4.0) id AA11203; Tue, 14 Feb 95 11:40:02 PST Date: Tue, 14 Feb 95 11:40:01 PST X-Sender: chris@isis.isisph.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: cheer@isisph.com (Christopher D. Heer) Subject: Re: definitions for two acronyms used in past threads? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >I was wondering if someone out there could define two acronyms that I've >seen bandied about on the Firewalls list. I realize that this is not Firewalls >question per se (sorry, Brent), so please feel free to email your answer to me >personally (to conserve the Firewall bandwidth). > >The terms are: >(1) FSP (Neither Comer nor Stevens discuss this service in their respective >TCP/IP text books). 
>What does FSP stand for, It actually doesn't stand for anything. It was just meant to sound similar to FTP. >and how is it implemented? >When would FSP be used? Is there an RFC that describes FSP? No RFC AFAIK. It's a UDP-based file transfer that is designed to tax the server a whole lot less than FTP. Implementations are a bit wobbly, and, because it has so little effect on system resources, it's very popular amongst pirates, etc. -- Christopher D. Heer | "The fact that he's proliferate on Usenet, home of cheer@isisph.com | the adult concentration camp for people who want to My opinions are mine! | say, "I know you are, but what am I?" is, I'm sure, Network Admin | not a coincidence." -- David Navas From firewalls-owner Tue Feb 14 13:26:07 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA25473 for firewalls-outgoing; Tue, 14 Feb 1995 13:18:08 -0800 Received: from eas (root@eas.frus.com [199.173.156.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA25468 for ; Tue, 14 Feb 1995 13:18:04 -0800 From: estutes@eas.westend.frus.com Message-Id: To: 70641.3502@compuserve.com Cc: firewalls@greatcircle.com Subject: re: there can only be one! Reply-To: estutes@frus.com In-Reply-To: Your message of "14 Feb 95 15:11:30 EST" References: <950214201130_70641.3502_EHM28-1@CompuServe.COM> X-Mailer: Mew beta version 0.86 on Emacs 19.28.1 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Tue, 14 Feb 1995 13:11:59 -0800 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Comments from a 'lurker' - apologies in advance for non-firewall comments and > certain motherhoods. In terms of firewall policy, this should not be considered > synonymous with network security policy. > > 1. Security policy and subsequent standards and implementation should be derived > from the security REQUIREMENTS that are specific to the environment. > You are correct in all you say, including the stuff I deleted. 
We in the Internet security business only address the portion that we can get our hands around. I certainly advise my clients that they must consider the whole security picture and not just the part of it I am working on directly for them. I recently wrote a report for the County of San Mateo CA that addressed that very issue. Their network was relatively secure, but they had a number of PC's connected to it with modems on them that had no security on them at all, and as soon as a hacker dialed in to one of them, he had the whole net in his hands, so to speak. Cheers. =eas= From firewalls-owner Tue Feb 14 13:53:55 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA25449 for firewalls-outgoing; Tue, 14 Feb 1995 13:16:14 -0800 Received: from yarrina.connect.com.au (yarrina.connect.com.au [192.189.54.17]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA25436 for ; Tue, 14 Feb 1995 13:15:55 -0800 Received: by yarrina.connect.com.au with UUCP id AA23766 (5.67b8/IDA-1.5 for firewalls@greatcircle.com); Wed, 15 Feb 1995 08:13:31 +1100 Received: from pc1635.cmutual.com.au ([140.168.128.43]) by redbaron.cmutual.com.au with SMTP id AA18574 (5.65c/IDA-1.5); Wed, 15 Feb 1995 07:55:32 +1100 To: Lyndon David From: iwaters@cmutual.com.au (Ian Waters) Subject: Re: Firewalls for non UNIX machines Date: Wed, 15 Feb 1995 07:54:40 Cc: firewalls@greatcircle.com Message-Id: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk David, What you've just described sounds more suited to a gateway application than a firewall. Seeing that the connection would most probably be UUCP based, I wouldn't have thought a firewall would be justified. Depending on the mail product that you're using, many products are available such as MHS gateways or a simple SMTP gateway product. Microsoft Mail has such gateways; they are available for LOTUS NOTES and just about all other popular PC LAN based mail systems. 
Regards [-----------------------------------------------------------------] | - Ian Waters (iwaters@cmutual.com.au) | - Technical Projects Manager | 'These words are - Colonial Group IT Facilities Management | mine and not the - Melbourne Victoria Australia 3000 | views of my - Voice : +61-3-607-6865 Fax: +61-3-283-1096 | employer ' - Mobile: 0419-309-056 Vmail : +61-3-607-6000 | | [-----------------------------------------------------------------] From firewalls-owner Tue Feb 14 14:27:51 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA25800 for firewalls-outgoing; Tue, 14 Feb 1995 13:31:49 -0800 Received: from emory.mathcs.emory.edu (emory.mathcs.emory.edu [128.140.2.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA25795 for ; Tue, 14 Feb 1995 13:31:46 -0800 Received: from alcove.randomc.com by emory.mathcs.emory.edu (5.65/Emory_mathcs.4.0.12) via SMTP id AA02948 ; Tue, 14 Feb 95 16:29:48 -0500 Received: from wittsend.wittsend.com by alcove via smtp (/\oo/\ Smail3.1.29.1 #29.3) for <> id ; Tue, 14 Feb 95 16:23 EST Received: by wittsend (/\==/\ Smail3.1.28.1 #28.1) for id ; Tue, 14 Feb 95 16:21 EST Message-Id: Subject: Re: A pc as a router and a firewall (idea needed) To: firewalls@greatcircle.com Date: Tue, 14 Feb 1995 16:21:04 -0500 (EST) From: "Michael H. Warfield" In-Reply-To: from "Can Baysal" at Feb 13, 95 08:54:52 pm X-Mailer: ELM [version 2.4 PL20] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1927 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, > Hi; > For a couple of months I've tried to use a Linux box as a router and > gave up :( And then I changed my mind. Is there any simple (as simple as > possible) software that I can use as a routing program on a PC. 
Two > things are important, firstly we may need to use it as a firewall, so it > should be able to filter packages, and secondly it must (or maybe should > only) support modem connection (ppp would be better). I've been using Linux and very happy with it. Earlier kernels may have sucked wind on an Olympic scale but the new ones seem to do great. Their only limitation is in filtering based on interface, which they lack as yet. I thought it was funny that when the latest hacking craze hit (the phoney from with a cross flood) we had patches to make that hack more difficult within a day or two. Try that with a commercial system! Back to the program at hand. The cheapest routing solution that I know of is PC-ROUTE available from your favorite archive site. It is available from the SIMTEL archives. I have not used it so this is just hearsay but I understand that it makes a respectable firewall. It will work with multiple ethernet cards and/or multiple serial cards but not much else is required. It will run with multiple PDS packet driver interfaces, although a bit slower. Since you do get the sources, you can really make it do what you like. I was almost ready to crank PC-ROUTE up when I got my LINUX PC routing with PPP working (SCO UNIX was abysmal - ALL HOPE ABANDON YE WHO ENTER THERE!). > Any name even any idea would be helpful. > Thanks in advance; > Can BAYSAL; Regards, Mike -- Michael H. Warfield | (404) 925-8248 | mhw@WittsEnd.com (The Mad Wizard) | NIC whois: MHW9 | mathcs.emory.edu!wittsend!mhw An optimist believes we live in the best of all possible worlds. A pessimist is sure of it! 
| http://www.wittsend.com/mhw/ From firewalls-owner Tue Feb 14 14:31:10 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA26913 for firewalls-outgoing; Tue, 14 Feb 1995 14:17:24 -0800 Received: from miriworld.its.unimelb.edu.au (miriworld.its.unimelb.EDU.AU [128.250.20.187]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA26893 for ; Tue, 14 Feb 1995 14:16:56 -0800 Received: (from danny@localhost) by miriworld.its.unimelb.edu.au (8.6.9/8.6.9) id JAA18653; Wed, 15 Feb 1995 09:14:56 +1100 Date: Wed, 15 Feb 1995 09:14:55 +1100 (EST) From: "Daniel O'Callaghan" Subject: Re: questions about security & WWW browsers To: Jean-Christophe Touvet cc: Brad - Walker , firewalls@GreatCircle.COM In-Reply-To: <199502141007.LAA18286@champagne.inria.fr> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 14 Feb 1995, Jean-Christophe Touvet wrote: > > Finally, here is a funny URL which fills /tmp or /var/tmp very fast if a > user clicks on it: > > http://localhost:19/ > > Hope this helps, Hmm. That's interesting. I have just added Map http://*:19/* /nono.html to my proxy server configuration file. (/nono.html does not exist.) Thanks. 
Danny From firewalls-owner Tue Feb 14 14:57:46 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA27225 for firewalls-outgoing; Tue, 14 Feb 1995 14:31:19 -0800 Received: from panix.com (panix.com [198.7.0.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA27220 for ; Tue, 14 Feb 1995 14:31:15 -0800 Received: from wallyman (wallynet.dialup.access.net) by panix.com with SMTP id AA05014 (5.67b/IDA-1.5 for ); Tue, 14 Feb 1995 17:29:16 -0500 Message-Id: <199502142229.AA05014@panix.com> X-Sender: wallynet@panix.com X-Mailer: Windows Eudora Version 1.4.3 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Priority: 1 (Highest) Date: Tue, 14 Feb 1995 17:29:11 -0500 To: Firewalls@greatcircle.com From: wallynet@panix.com (Walter F. InterNetman) Subject: Bullet Proof Servers and UnderDog Pills Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi there: I am searching for commercial FTP and MAIL servers for Unixware, Solaris 1&2, Dec OSF & N3.12 4.x which can be considered bullet proof and not cryptic or overly complex to administer. Do you have any ideas or recommendations? A Windows winsock email application with PGP or other encryption which I could implement globally in a gov agcy would be nice too. FW proxy server compliant is a must.... Thanks, --- Walt PS: How would you stop surfers from injecting your LAN with infected FTP downloads? 
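The Map rule in Daniel O'Callaghan's reply to Jean-Christophe Touvet above (the message before the previous one) stops the proxy from fetching the chargen URL by matching its text. The following is an added example, not code from the list, from CERN httpd or from any proxy product: it applies such a pattern rule and then checks the port the URL actually parses to, because a text pattern alone does not catch the same target written without the trailing slash, with a zero-padded port, or in upper case. The rule table, the port list beyond 19, the default-port table and the sample URLs are constructed assumptions.

```python
import fnmatch
from urllib.parse import urlsplit

# Constructed rule table in the style of the proxy directive
# "Map http://*:19/* /nono.html" from the reply above; /nono.html
# deliberately does not exist, so a mapped request fails harmlessly.
MAP_RULES = [
    ("http://*:19/*", "/nono.html"),
]

# Ports that serve no web content but can be driven through a proxy.
# 19 (chargen) is the one from the thread; 7 (echo) and 9 (discard) are
# an assumed, illustrative extension of the same idea.
BLOCKED_PORTS = {7, 9, 19}

# Assumed defaults used when the URL carries no explicit port.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "gopher": 70}


def apply_map_rules(url, rules=MAP_RULES):
    """Return the target of the first matching rule, or the URL unchanged."""
    for pattern, target in rules:
        if fnmatch.fnmatchcase(url, pattern):
            return target
    return url


def port_of(url):
    """Effective port after parsing, or None if it cannot be determined."""
    parts = urlsplit(url)
    try:
        port = parts.port          # "0019" parses to 19; scheme is lowercased
    except ValueError:             # non-numeric or out-of-range port
        return None
    if port is None:
        port = DEFAULT_PORTS.get(parts.scheme)
    return port


def proxy_decision(url):
    """Decide whether the proxy may fetch url: ('allow'|'deny', reason)."""
    mapped = apply_map_rules(url)
    if mapped != url:
        return ("deny", "mapped to " + mapped)
    port = port_of(url)
    if port is None:
        return ("deny", "port could not be determined")
    if port in BLOCKED_PORTS:
        return ("deny", "port %d is not a web service" % port)
    return ("allow", url)


if __name__ == "__main__":
    # Constructed requests: the URL from the thread, then spellings that the
    # text pattern misses but the parsed-port check still rejects.
    for u in ("http://localhost:19/",
              "http://localhost:19",
              "http://127.0.0.1:0019/",
              "HTTP://LOCALHOST:19/",
              "http://www.greatcircle.com/"):
        print(u, "->", proxy_decision(u))
```

The point of the second check is that a deny rule written against the URL text is only as good as the spelling it anticipates; deciding on the parsed port closes the variants without needing a rule for each.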
From firewalls-owner Tue Feb 14 14:59:41 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA26583 for firewalls-outgoing; Tue, 14 Feb 1995 13:59:22 -0800 Received: from miriworld.its.unimelb.edu.au (miriworld.its.unimelb.EDU.AU [128.250.20.187]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA26569 for ; Tue, 14 Feb 1995 13:59:00 -0800 Received: (from danny@localhost) by miriworld.its.unimelb.edu.au (8.6.9/8.6.9) id IAA18126; Wed, 15 Feb 1995 08:54:54 +1100 Date: Wed, 15 Feb 1995 08:54:51 +1100 (EST) From: "Daniel O'Callaghan" Subject: Re: BSDI info To: "Ned Smith (nedbob)" cc: "'Firewalls Alias(firewalls@greatcircle.com)'" In-Reply-To: <2F3FE0F5@ushqgw.sequent.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 13 Feb 1995, Ned Smith (nedbob) wrote: > I've noticed several firewalls products being offered on > the "BSDI" operating system platform. Could someone > help me understand what BSDI is? > - Is it public domain/commercial product > - How is it supported? (e.g. news groups, hotline, ...) > - Who controls the src code, development and > makes feature enhancement decisions? > - Is it different from FreeBSD? > - Any other interesting tid-bits of info? The BSD4.3 and 4.4lite code has been ported to i386. Originally there was one project, but then it split into NetBSD, FreeBSD and BSDi. BSDi is commercial, supported, software. NetBSD is more developmental freeware. FreeBSD is close to BSDi, but is unsupported freeware. FreeBSD 2.0 and BSDi both come with packet filtering for use as routers. BSDi comes with screend, which we have ported to FreeBSD 1.1 (minimal changes). You can get the src for FreeBSD and modify it if you want. src for BSDi is available, but at extra cost over binaries. 
Danny From firewalls-owner Tue Feb 14 15:36:12 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA26883 for firewalls-outgoing; Tue, 14 Feb 1995 14:15:12 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA26878 for ; Tue, 14 Feb 1995 14:15:10 -0800 Received: from miriworld.its.unimelb.edu.au by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id OAA15790; Tue, 14 Feb 1995 14:09:05 -0800 Received: (from danny@localhost) by miriworld.its.unimelb.edu.au (8.6.9/8.6.9) id JAA18540; Wed, 15 Feb 1995 09:10:07 +1100 Date: Wed, 15 Feb 1995 09:10:06 +1100 (EST) From: "Daniel O'Callaghan" Subject: Re: questions about security & WWW browsers To: Brad - Walker cc: firewalls@GreatCircle.COM In-Reply-To: <199502140817.AAA27045@jobe.shell.portal.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This should go in the FAQ, I think. On Tue, 14 Feb 1995, Brad - Walker wrote: > My questions concern HTML and Web browsers. Is it possible for a WWW > server to issue HTML commands to the browsers to do things like > delete a file, spawn a process or some other anti-social behavior (much > like `deletefile' in Display PostScript). A WWW browser does lots of things, but basically, they fall into the following categories: * Display HTML pages (internal) * Print HTML pages (internal) * Download a file and leave it on disk * Download a file and start an application using the file as a data file The last is the important one here. Usually, the application is xv or mpegplay or something like that, to view/hear/play GIFs, sounds, video, etc. It could be ghostscript, which executes (displays) a postscript application (document). 
If someone defined a mime type application/c-src on their browser, it might even be possible for a server to send a document which is C source code, and have the browser invoke a compiler. Anything you can do with a single data file and an application, you can do using the WWW browsers and servers, but the browser has to be told about how to process the incoming document/datafile. One possibly more common hole (I have not tested this) is application/ms-word with a document which is actually a WordBasic program, which runs on startup. cf. application/ms-excel etc. regards, Danny From firewalls-owner Tue Feb 14 15:54:26 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA28591 for firewalls-outgoing; Tue, 14 Feb 1995 15:45:28 -0800 Received: from research.att.com (research.att.com [192.20.225.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA28586 for ; Tue, 14 Feb 1995 15:45:26 -0800 From: smb@research.att.com Message-Id: <199502142345.PAA28586@miles.greatcircle.com> Received: by gryphon; Tue Feb 14 18:16:28 EST 1995 To: firewalls@greatcircle.com Subject: non-English security references Date: Tue, 14 Feb 95 18:16:28 EST Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm looking for non-English security references -- ftp sites, Web pages, organizations such as CERT, etc. -- for forthcoming translations of the Cheswick/Bellovin firewalls book. Japanese and German are of immediate interest, but I expect that I'll want others as well. 
--Steve Bellovin From firewalls-owner Tue Feb 14 16:23:54 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA28280 for firewalls-outgoing; Tue, 14 Feb 1995 15:28:27 -0800 Received: from mordor.cs.du.edu (mordor.cs.du.edu [130.253.192.87]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA28274 for ; Tue, 14 Feb 1995 15:28:00 -0800 Received: from nyx10.cs.du.edu by mordor.cs.du.edu with SMTP id AA03887 (5.65c/IDA-1.4.4 for ); Tue, 14 Feb 1995 16:13:26 -0700 Received: by nyx10.cs.du.edu (4.1/SMI-4.1) id AA20251; Tue, 14 Feb 95 18:22:06 EST From: Mark@nyx10.cs.du.edu (Mark R. Lindsey) Date: Tue, 14 Feb 1995 18:22:02 -0700 X-Disclaimer: I do not speak for Denver U, nor do any other Nyxers. X-Url: http://nox.cs.du.edu:8001/~mlindsey Reply-To: X-Mailer: Mail User's Shell (7.2.4 2/2/92) To: cheer@isisph.com (Christopher D. Heer), firewalls@greatcircle.com Subject: Re: definitions for two acronyms used in past threads? Message-Id: <19950214.182204.nyx10.15.591.cheer@isisph.com firewalls@greatcircle.com..mailsend.0.10.Aug94> X-Verification: Email me with this message-id and I'll verify it; include a snail-mail or telephone number if you're serious. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk #>and how is it implemented? #>When would FSP be used? Is there an RFC that describes FSP? # #No RFC AFAIK. It's a UDP-based file transfer that is designed to tax the #server a whole lot less than FTP. Implementations are a bit wobbly, and, #because it has so little effect on system resources, it's very popular #amongst pirates, etc. Well, that's not the only reason it's popular; both the server and the client(s) provide for easy methods to locate on any port. Thus, it (a) sits anywhere, is (b) easy to implement, and is (c) not a cpu hog. -- Mark R. 
Lindsey, mark@nox.cs.du.edu From firewalls-owner Tue Feb 14 16:44:24 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA28733 for firewalls-outgoing; Tue, 14 Feb 1995 15:51:35 -0800 Received: from nic.cerf.net (root@nic.cerf.net [192.102.249.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA28720 for ; Tue, 14 Feb 1995 15:51:29 -0800 Received: from isis (ISIS.ISISPH.COM [192.65.129.1]) by nic.cerf.net (8.6.9/8.6.9) with SMTP id PAA26931; Tue, 14 Feb 1995 15:49:35 -0800 Received: from [192.65.129.90] (MacHeer) by isis (4.1/SMI-4.0) id AA11657; Tue, 14 Feb 95 15:40:21 PST Date: Tue, 14 Feb 95 15:40:20 PST X-Sender: chris@isis.isisph.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: , firewalls@greatcircle.com From: cheer@isisph.com (Christopher D. Heer) Subject: Re: definitions for two acronyms used in past threads? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 6:22 PM 2/14/95, Mark R. Lindsey wrote: >#>and how is it implemented? >#>When would FSP be used? Is there an RFC that describes FSP? ># >#No RFC AFAIK. It's a UDP-based file transfer that is designed to tax the >#server a whole lot less than FTP. Implementations are a bit wobbly, and, >#because it has so little effect on system resources, it's very popular >#amongst pirates, etc. > >Well, that's not the only reason it's popular; both the server and the >client(s) provide for easy methods to locate on any port. Thus, it (a) sits >anywhere, is (b) easy to implement, and is (c) not a cpu hog. Oh, agreed. It's actually fairly nifty, if one overlooks the inherent problems with UDP. But it certainly has become "tarred" with the hacker/pirate label. -- Christopher D. Heer | "The fact that he's proliferate on Usenet, home of cheer@isisph.com | the adult concentration camp for people who want to My opinions are mine! | say, "I know you are, but what am I?" is, I'm sure, Network Admin | not a coincidence." 
-- David Navas From firewalls-owner Tue Feb 14 16:57:55 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA29188 for firewalls-outgoing; Tue, 14 Feb 1995 16:07:45 -0800 Received: from emr1.emr.ca (emr1.emr.ca [132.156.36.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA29183 for ; Tue, 14 Feb 1995 16:07:42 -0800 Received: by emr1.emr.ca (4.1/SMI-4.1) id AA01655; Tue, 14 Feb 95 19:05:39 EST From: fillmore@emr.ca (Bob Fillmore 992-2832) Message-Id: <9502150005.AA01655@emr1.emr.ca> Subject: Re: definitions for two acronyms used in past threads? To: cheer@isisph.com (Christopher D. Heer) Date: Tue, 14 Feb 1995 19:05:38 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: from "Christopher D. Heer" at Feb 14, 95 11:40:01 am X-Mailer: ELM [version 2.4 PL20] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1230 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Christopher D. Heer writes: > > >When would FSP be used? Is there an RFC that describes FSP? > > No RFC AFAIK. It's a UDP-based file transfer that is designed to tax the > server a whole lot less than FTP. Implementations are a bit wobbly, and, > because it has so little effect on system resources, it's very popular > amongst pirates, etc. One of the dangers with FSP is that any of your users can download it, compile it, and install it on an unprivileged port number on their account. This turns their account into a public file server. If you aren't using shadow password files it's an easy way to give out copies of your password file (and, therefore, your accounts). Most naive users aren't aware of this, and can be sucked in by hackers asking them to do this "neat thing". Similar to the hacker ruse where they ask an innocent IRC user to send them the password file by using the /DCC command. 
- Bob -- Bob Fillmore, Technical Services Division email: fillmore@NRCan.gc.ca Information Management Branch, BIX: bfillmore Natural Resources Canada, Voice: (613) 992-2832 580 Booth St., Ottawa, Ontario, Canada K1A 0E4 FAX: (613) 996-2953 From firewalls-owner Tue Feb 14 17:36:14 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA00308 for firewalls-outgoing; Tue, 14 Feb 1995 16:56:39 -0800 Received: from wintermute.imsi.com (wintermute.imsi.com [192.103.3.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA00303 for ; Tue, 14 Feb 1995 16:56:33 -0800 Received: from relay.imsi.com by wintermute.imsi.com id TAA18097; Tue, 14 Feb 1995 19:49:58 -0500 Received: from lorax.imsi.com by relay.imsi.com id TAA20077; Tue, 14 Feb 1995 19:49:57 -0500 Received: from localhost by lorax.imsi.com (4.1/SMI-4.1) id AA05164; Tue, 14 Feb 95 19:49:56 EST Message-Id: <9502150049.AA05164@lorax.imsi.com> To: "Daniel O'Callaghan" Cc: "Ned Smith (nedbob)" , "'Firewalls Alias(firewalls@greatcircle.com)'" Subject: Re: BSDI info In-Reply-To: Your message of "Wed, 15 Feb 1995 08:54:51 +1100." Reply-To: rens@imsi.com Date: Tue, 14 Feb 1995 19:49:56 -0500 From: Rens Troost Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>>>> "Daniel" == Daniel O'Callaghan writes: Daniel> On Mon, 13 Feb 1995, Ned Smith (nedbob) wrote: Daniel> The BSD4.3 and 4.4lite code has been ported to i386. Daniel> Originally there was one project, but then it split into Daniel> NetBSD, FreeBSD and BSDi. BSDi is commercial, supported, Daniel> software. NetBSD is more developmental freeware FreeBSD is NetBSD also runs on sparc, hp300, amiga, macintosh, sun3, i386, pmax, alpha (soon) and others. BSDI and FreeBSD only run on i386. All three platforms are good for running firewalls! 
-Rens From firewalls-owner Tue Feb 14 17:50:49 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA00284 for firewalls-outgoing; Tue, 14 Feb 1995 16:55:54 -0800 Received: from oldman.eikon.e-technik.tu-muenchen.de (oldman.eikon.e-technik.tu-muenchen.de [192.48.107.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id BAA12040 for ; Tue, 14 Feb 1995 01:23:06 -0800 Received: (from arne@localhost) by oldman.eikon.e-technik.tu-muenchen.de (8.6.9/8.6.9) id KAA10288; Tue, 14 Feb 1995 10:20:12 +0100 From: Arne Steinkamm Message-Id: <199502140920.KAA10288@oldman.eikon.e-technik.tu-muenchen.de> Subject: Re: BSDI info To: nedbob@sequent.com (Ned Smith) Date: Tue, 14 Feb 1995 10:20:11 +0100 (MET) Cc: firewalls@GreatCircle.COM In-Reply-To: <2F3FE0F5@ushqgw.sequent.com> from "Ned Smith" at Feb 13, 95 02:37:00 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1289 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I've noticed several firewalls products being offered on > the "BSDI" operating system platform. Could someone > help me understand what BSDI is? > - Is it public domain/commercial product commercial > - How is it supported? (e.g. news groups, hotline, ...) Fax/Voice/E-Mail hotline. There's also a mailinglist bsdi-users@bsdi.com which is also helpful. > - Who controls the src code, development and > makes feature enhancement decisions? Only BSDi. In names: Mike Karels, Polk, Torek, Borman and many other names known from the old CSRG at Berkeley and other main unix vendors. > - Is it different from FreeBSD? Yes. These operating systems have the same root (the net/2 tape) and both are now BSD 4.4 lite based, but BSD/OS is a commercial, very, very well supported system. > - Any other interesting tid-bits of info? I have never seen a better support hotline and a more stable system... 
This includes all the Unix workstations i worked with. Greetings .//. Arne -- Arne Steinkamm | Smart: arne@oldman.eikon.e-technik.tu-muenchen.de Tel.: +49.89.299.756 | IRC: Arne Robert-Koch-Str. 4 |\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ D-80538 Muenchen |/////////////////////////////////////////////////// From firewalls-owner Tue Feb 14 17:52:26 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA00761 for firewalls-outgoing; Tue, 14 Feb 1995 17:03:28 -0800 Received: from lykos.netpart.com (lykos.netpart.com [199.35.49.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id RAA00755 for ; Tue, 14 Feb 1995 17:03:24 -0800 Received: from localhost (phil@localhost) by lykos.netpart.com (8.6.5/8.6.5) id RAA25538; Tue, 14 Feb 1995 17:00:08 -0800 Date: Tue, 14 Feb 1995 17:00:08 -0800 From: Phil Trubey Message-Id: <199502150100.RAA25538@lykos.netpart.com> To: labatt@disaster.COM Subject: Re: Transparent Proxies (was Address translation) In-Reply-To: Organization: NetPartners, Newport Beach, CA Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In article you write: > >Is it possible to deal with transparent firewall software (such as >Janus) when you use "illegal" nets on your private network? I can't >think of any way to compensate for this, since you don't actually >"login" to a proxy agent on a bastion. Or do you just have to deal >with not being able to get to hosts on the Internet who have the >actual "ownership" of your illegal net #s? Transparent firewalls such as JANUS can deal with illegal net numbers on the inside network since all outgoing packets out to the Internet have a source address of the external firewall interface - internal net numbers are completely hidden and effectively translated. However, you are correct, you won't be able to connect to the site that has the 'legal' ownership of the IP net numbers if you are using illegal numbers internally. 
--
Phil Trubey | NetPartners | Providing Internet products and services.
E-mail: phil@netpart.com | Home Page: http://www.netpart.com/
Phone: 714-759-1641 |

From firewalls-owner Tue Feb 14 18:22:41 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA02626 for firewalls-outgoing; Tue, 14 Feb 1995 18:16:50 -0800
Received: from Aptech.com (rama.aptech.com [199.29.185.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA02620 for ; Tue, 14 Feb 1995 18:16:44 -0800
Received: from naomi.Aptech.com by Aptech.com (5.x/SMI-SVR4) id AA22689; Tue, 14 Feb 1995 16:22:46 -0800
Received: by naomi.Aptech.com (5.x/SMI-SVR4) id AA07058; Tue, 14 Feb 1995 16:22:46 -0800
Date: Tue, 14 Feb 1995 16:22:46 -0800
From: sam@Aptech.com (Samuel D. Jones)
Message-Id: <9502150022.AA07058@naomi.Aptech.com>
To: firewalls@GreatCircle.COM
Subject: Solaris 2.4 x86
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anyone used auditing packages like COPS or the Tiger scripts, etc. on Solaris 2.4 x86?

=========================================================
| Samuel D. Jones Phone: 206 432 7855 |
| Aptech Systems, Inc. Fax: 206 432 7832 |
| 23804 SE Kent-Kangley Rd. Email: jones@Aptech.com |
| Maple Valley, WA 98038 |
=========================================================

From firewalls-owner Tue Feb 14 18:41:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA02618 for firewalls-outgoing; Tue, 14 Feb 1995 18:16:17 -0800
Received: from hp.com (hp.com [15.255.152.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA02613 for ; Tue, 14 Feb 1995 18:16:14 -0800
Received: from hpindavg.ptp.hp.com (hpindyz.ptp.hp.com) by hp.com with SMTP (1.37.109.14/15.5+ECS 3.3) id AA073764467; Tue, 14 Feb 1995 18:14:27 -0800
Received: by hpindavg.ptp.hp.com with SMTP (1.38.193.4/15.5+IOS 3.22) id AA15740; Tue, 14 Feb 1995 18:16:16 -0800
Message-Id: <9502150216.AA15740@hpindavg.ptp.hp.com>
To: firewalls@greatcircle.com
Cc: fatimayu@ptp.hp.com
Subject: Dynamic filtering routers?
Date: Tue, 14 Feb 1995 18:16:15 -0800
From: Fatima Yu
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have a few questions about IP packet filtering routers:

(1) Are there any IP packet filtering routers that allow the user to change the filters dynamically without shut-down?

(2) What is the maximum number of IP addresses that a router can filter in one direction? What is the performance impact to filter say, on 500 IP addresses for inbound?

(3) Which routers can filter on inbound? How good/bad do they perform?

I appreciate any help.
Fatima Yu (fatimayu@ptp.hp.com)

From firewalls-owner Tue Feb 14 18:56:41 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA02670 for firewalls-outgoing; Tue, 14 Feb 1995 18:18:03 -0800
Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA02665 for ; Tue, 14 Feb 1995 18:18:00 -0800
Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA28256; Tue, 14 Feb 95 21:15:52 -0500
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9502150215.AA28256@hawksbill.sprintmrn.com>
Subject: Re: Transparent Proxies (was Address translation)
To: phil@netpart.com (Phil Trubey)
Date: Tue, 14 Feb 1995 21:15:52 -0500 (EST)
Cc: labatt@disaster.COM, firewalls@greatcircle.com
In-Reply-To: <199502150100.RAA25538@lykos.netpart.com> from "Phil Trubey" at Feb 14, 95 05:00:08 pm
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 1267
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Transparent firewalls such as JANUS can deal with illegal
> net numbers on the inside network since all outgoing packets
> out to the Internet have a source address of the external
> firewall interface - internal net numbers are completely
> hidden and effectively translated. However, you are correct, you won't
> be able to connect to the site that has the 'legal' ownership
> of the IP net numbers if you are using illegal numbers
> internally.

One popular way to do this is to implement a perimeter network, with a registered network number, on which you would place your firewall and (proxy) DNS server. You could also place other (proxy) services on this perimeter network, such as an FTP server, mail-tosser, etc.

In this manner, you could retain your bogus IP addressed internal network and let the services on the (registered) perimeter network handle interconnectivity to the Internet-at-large.

- paul
_______________________________________________________________________________
Paul Ferguson US Sprint tel: 703.689.6828
Managed Network Engineering internet: paul@hawk.sprintmrn.com
Reston, Virginia USA http://www.sprintmrn.com

From firewalls-owner Tue Feb 14 19:22:23 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA03483 for firewalls-outgoing; Tue, 14 Feb 1995 18:53:45 -0800
Received: from gatekeep.genmagic.com (gatekeep.genmagic.com [192.216.16.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA03469 for ; Tue, 14 Feb 1995 18:53:40 -0800
Received: from (genmagic.genmagic.com [10.1.4.12]) by gatekeep.genmagic.com (8.6.9/8.6.9) with SMTP id SAA19555 for ; Tue, 14 Feb 1995 18:49:44 -0800
Received: from abulafia.genmagic.com by genmagic.genmagic.com (4.1/SMI-4.1/JBS) id AA16304; Tue, 14 Feb 95 18:48:47 PST
Received: by abulafia.genmagic.com (931110.SGI/930416.SGI) for @genmagic.genmagic.com:firewalls@greatcircle.com id AA22045; Tue, 14 Feb 95 18:50:05 -0800
Date: Tue, 14 Feb 95 18:50:05 -0800
From: jet@abulafia.genmagic.com (J. Eric Townsend)
Message-Id: <9502150250.AA22045@abulafia.genmagic.com>
To: firewalls@greatcircle.com
Subject: comprimising clients...
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

"Well, Hell", as my grandma says..

What else, I wonder, will it browse and report back?

-- from our internal news clipping service
o KING BILL: THE CURTAIN MUST FALL (Digital Media, 2/10, p. 2)
Mitch Ratcliffe: "The most powerful arrow in Microsoft's quiver is the "browser" object that scans the contents of initialization strings of a PC when the PC logs onto the Microsoft Network... will give MS a complete dossier on the consumer's hardware and software... Since software is largely an upgrade business, MS can selectively target categories of software and undercut its competitors' prices at will.
--- cut here---

--
J. Eric Townsend vox #: USA 408.774.4252
work: jet@genmagic.com AT&T PersonaLink: A5803643645@attpls.net
play: jet@well.sf.ca.us or get my card from directory information

From firewalls-owner Tue Feb 14 19:52:35 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA06325 for firewalls-outgoing; Tue, 14 Feb 1995 19:40:30 -0800
Received: from lykos.netpart.com (lykos.netpart.com [199.35.49.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id TAA06314 for ; Tue, 14 Feb 1995 19:40:27 -0800
Received: from localhost (phil@localhost) by lykos.netpart.com (8.6.5/8.6.5) id TAA26519; Tue, 14 Feb 1995 19:38:34 -0800
Date: Tue, 14 Feb 1995 19:38:34 -0800
From: Phil Trubey
Message-Id: <199502150338.TAA26519@lykos.netpart.com>
To: kdante@nsf.GOV
Subject: Re: SUMMARY: 'smart cards'
In-Reply-To: <9501137927.AA792702560@xrelay.nsf.gov>
Organization: NetPartners, Newport Beach, CA
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In article <9501137927.AA792702560@xrelay.nsf.gov> you write:
> For CryptoCard, 708-471-0892 gets a Cellular 1 phone.

I missed the original message - for what it's worth, we resell CRYPTOCard authentication devices. We're at 800-723-1166, or see our web server at http://www.netpart.com/crypto which talks about this card. They're nice cards.
From firewalls-owner Tue Feb 14 20:52:13 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA13574 for firewalls-outgoing; Tue, 14 Feb 1995 20:50:15 -0800
Received: from iss100.b400.cbe.ab.ca (ISS100.B400.CBE.AB.CA [164.166.4.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id UAA13566 for ; Tue, 14 Feb 1995 20:50:10 -0800
Received: from CBE.AB.CA by CBE.AB.CA (PMDF V4.3-10 #5915) id <01HN1NS3QOYO9KMC9K@CBE.AB.CA>; Tue, 14 Feb 1995 16:19:34 -0700 (MST)
Date: Tue, 14 Feb 1995 16:19:33 -0700 (MST)
From: Glen Larwill
Subject: Cisco 2514
To: firewalls@greatcircle.com
Reply-to: Glen Larwill
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I was just looking over Cisco's CIO product catalog and stumbled across the description of a 2514. Has anyone investigated the possibilities of using a Cisco 2514 (dual ethernet ports and dual sync ports) to create a screened subnet firewall with only a single router? Does the latest version of IOS (10.2?) contain the filters that would be required to implement this correctly? We don't have 10.2 here so I can't check myself.

What kind of problems would one have to look out for with this type of a setup? Is this even worth considering?

Glen Larwill - glarwill@cbe.ab.ca _/_/_/_/ _/_/_/_/ _/_/_/_/
PH (403) 294-8380, FAX (403) 294-8431 _/ _/ _/ _/
Network Programmer Analyst _/ _/_/_/_/ _/_/_/
Calgary Board of Education _/ _/ _/ _/
Calgary Alberta, Canada _/_/_/_/ _/_/_/_/ _/_/_/_/

From firewalls-owner Wed Feb 15 02:33:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id CAA17907 for firewalls-outgoing; Wed, 15 Feb 1995 02:18:39 -0800
Received: from eros.britain.eu.net (eros.Britain.EU.net [192.91.199.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id CAA17902 for ; Wed, 15 Feb 1995 02:18:31 -0800
Received: from avenue.finsbury.co.uk by eros.britain.eu.net via UKIP with SMTP (PP) id ; Wed, 15 Feb 1995 10:16:24 +0000
Received: by finsbury.co.uk (4.1/25-eef) id AA02582; Wed, 15 Feb 95 10:17:56 GMT
From: Ian Marr
Message-Id: <9502151017.AA02582@finsbury.co.uk>
Subject: Re: Transparent Proxies (was Address translation)
To: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Date: Wed, 15 Feb 1995 10:17:55 +0000 (GMT)
Cc: phil@netpart.com, labatt@disaster.COM, firewalls@greatcircle.com
In-Reply-To: <9502150215.AA28256@hawksbill.sprintmrn.com> from "Paul Ferguson" at Feb 14, 95 09:15:52 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2291
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Paul Ferguson writes:
> >
> > Transparent firewalls such as JANUS can deal with illegal
> > net numbers on the inside network since all outgoing packets
> > out to the Internet have a source address of the external
> > firewall interface - internal net numbers are completely
> > hidden and effectively translated. However, you are correct, you won't
> > be able to connect to the site that has the 'legal' ownership
> > of the IP net numbers if you are using illegal numbers
> > internally.
>
> One popular way to do this is to implement a perimeter network, with
> a registered network number, on which you would place your firewall
> and (proxy) DNS server. You could also place other (proxy) services
> on this perimeter network, such as an FTP server, mail-tosser, etc.
>
> In this manner, you could retain your bogus IP addressed internal
> network and let the services on the (registered) perimeter network
> handle interconnectivity to the Internet-at-large.

Chaps, ...

Sorry but neither of these suggestions is good enough.

OK, so JANUS would work because it is a proxy application firewall (I think) but it is unacceptable to be cut off from a random set of hosts on the Internet .. how could I explain such intermittent problems to my users ?! I'd be lynched.

And anyway this is a routing problem ... you'd have to point the JANUS firewall's default route out into the net ... so how's it going to know to route to your illegal internal networks ? Would you manually configure them ? (Admittedly this might be OK if you've only got one Class C ... but if that's the scale of your problem you might as well register and renumber!).

A perimeter network isn't good enough either for the same reasons. OK so your "mail-tosser" (or should that be "male-tosser" :-) will have a valid external interface address but how would it decide which way to route to your illegal internal addresses ?

As I've said before, and will say again: bite the bullet and renumber your network ...

Ian.
------------------------------------------------------------------------------
Ian Marr Wingrove, 10 St Georges Road, Sevenoaks, KENT, TN13 3ND, UK
im@finsbury.co.uk +44-732-453-577

From firewalls-owner Wed Feb 15 12:12:17 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA00460 for firewalls-outgoing; Wed, 15 Feb 1995 12:06:50 -0800
Received: from relay2.UU.NET ([192.48.96.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA00454 for ; Wed, 15 Feb 1995 12:06:47 -0800
Received: from cixgate by relay2.UU.NET with SMTP id QQydfs06180; Wed, 15 Feb 1995 15:02:15 -0500
Received: from manzanita.DEV.3Com.COM.noname ([139.87.180.206]) by cixgate (4.1/SMI-4.1/3com-cixgate-GCA-931027-01) id AA17261; Wed, 15 Feb 95 20:06:57 GMT
Received: by manzanita.DEV.3Com.COM.noname (4.1/SMI-4.1) id AA19592; Wed, 15 Feb 95 11:55:45 PST
Date: Wed, 15 Feb 95 11:55:45 PST
From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
Message-Id: <9502151955.AA19592@manzanita.DEV.3Com.COM.noname>
To: firewalls@greatcircle.com
Subject: Re: Spoofing Filters on a 3Com Router
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm replying to this with a bit of uncertainty, since I didn't see the original post, but someone else forwarded it to me. So please understand that this is in the order of a reply, not a shameless advertisement.

In setting up any firewall, it is considered good practice to limit the firewall to 2 interfaces; the inside and the outside. It is certainly possible to do a firewall with multiple interfaces, but it's not recommended. If that is impossible, then the router to the internet itself (assuming that you have a perimeter net) should carry the anti-spoofing filters, rather than the internet firewall itself.

Another possibility is that if your router with multiple ethernet interfaces has a DIFFERENT NETWORK NUMBER (Not just subnet) then you can set up filters which protect each of them.
The drawback here is that you have to protect Inside net#1 from the outside, and Inside net#2 from the outside, but you have to allow Inside net#1 to talk with Inside net#2, and THAT can be spoofed.

That said, if you limit yourself to two interfaces on a 3Com router, setting up the filters (Filter Addresses really) to deny spoofing attacks is actually pretty easy. You can only use multiple interfaces if only ONE interface is for the internal network, and all others are considered OUTSIDE.

If your IP Address is (using ours for example) 129.213.x.y, the filter setup would look like this:

    add -ip FilterAddr 129.213.0.0/0.0.255.255 <> 129.213.0.0/0.0.255.255 Discard

The <> will cause the FilterAddr to be counted for traffic both directions, and the overall prohibition is to check the source and destination addresses, and discard anything which looks like inside-to-inside traffic.

If your particular perimeter net uses the same basic IP Address, then you will have to add Filters and FilterAddrs to specifically allow the inside (or specific hosts inside) to talk with your bastion host for maintenance work.

I hope that helps,

BobK

From firewalls-owner Wed Feb 15 12:48:12 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA00767 for firewalls-outgoing; Wed, 15 Feb 1995 12:18:56 -0800
Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA00756 for ; Wed, 15 Feb 1995 12:18:51 -0800
From: H Morrow Long
Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU via SMTP; Wed, 15 Feb 1995 10:36:37 -0500
Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-5.67b/res.client.cf-3.7) id AA08808; Wed, 15 Feb 1995 10:36:36 -0500
Date: Wed, 15 Feb 1995 10:36:36 -0500
Message-Id: <199502151536.AA08808@SPARKY.CF.CS.YALE.EDU>
To: firewalls@greatcircle.com, NETMGR02@CBE.AB.CA
Subject: Re: Cisco 2514
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Md5: AG2Awh+9F6A2cBiI5ZtCcQ==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From firewalls-owner@GreatCircle.COM Tue Feb 14 23:56:05 1995
> I was just looking over Cisco's CIO product catalog and stumbled across
> the description of a 2514. Has anyone investigated the possibilities of
> using a Cisco 2514 (dual ethernet ports and dual sync ports) to create a
> screened subnet firewall with only a single router? Does the latest
> version of IOS (10.2?) contain the filters that would be required to
> implement this correctly? We don't have 10.2 here so I can't check myself.
>
> What kind of problems would one have to look out for with this type of a
> setup? Is this even worth considering?

In theory it is a bit less secure since there is now only one router to subvert rather than two (or more) to lay exposed and bare your internal net.
Someone would only have to grab the public and enable password once as they are passed across the Internet in the clear when the network admin decides to telnet back to the company net across the Internet from InterOp '95 to fix up a few router filters....

You give up some of the multiple layers of defense that are a side effect (if not a central design goal) of a screened subnet firewall (when the outer wall is breached by the intruder the internal screening router and bastion stand firm (as you are alerted and run to the ramparts to fire with bow and arrow down upon the rampaging marauders, etc.etc....).

Of course if you are one to put the same public and enable password in all of your Cisco routers then you don't really have that benefit anyway!

Better yet, you should disable telnet access to any of the Cisco routers involved in the screened subnet firewall to the Internet and require that maintenance be done only from their physical consoles!

- Morrow

From firewalls-owner Wed Feb 15 13:12:59 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA01726 for firewalls-outgoing; Wed, 15 Feb 1995 12:34:23 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA01720 for ; Wed, 15 Feb 1995 12:34:21 -0800
Received: from gate.hosp.ohio-state.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id MAA19388; Wed, 15 Feb 1995 12:28:07 -0800
Message-Id: <199502152028.MAA19388@mycroft.GreatCircle.COM>
Date: 15 Feb 95 13:12:00 EST
From: "NORSE::SMALL_DO"
Subject: Connecting to a pop mail server via firewall
To: "firewalls"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi:

I haven't seen this discussed here before and I have had some requests from users who want to connect to a pop mail server that is on the untrusted side of our firewall. Are there any proxy servers available for pop mail?
What implications would there be in opening up ports 109 (pop2) or 110 (pop3) on the firewall and routing the packets through? Is this even possible? One concern would possibly be with address spoofing I suppose but I believe we have that covered with the router (on the untrusted side) not allowing source routing. Am I wrong?

Any help would be much appreciated.

=Doug Small

Doug Small: The Ohio State University Medical Center
small_do@gate.hosp.ohio-state.edu
Work: (614) 293-3860

From firewalls-owner Wed Feb 15 13:28:17 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA01532 for firewalls-outgoing; Wed, 15 Feb 1995 12:28:36 -0800
Received: from mercury.chadwyck.co.uk (mercury.chadwyck.co.uk [193.119.229.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA01515 for ; Wed, 15 Feb 1995 12:28:29 -0800
From: David Worthington
Date: Wed, 15 Feb 1995 17:31:47 GMT
Message-Id: <199502151731.RAA17775@mercury.chadwyck.co.uk>
Received: by mercury.chadwyck.co.uk (8.6.9) id RAA17775; Wed, 15 Feb 1995 17:31:47 GMT
To: firewalls@greatcircle.com
Subject: MODEMS - SOURCES OF INFORMATION
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Could anyone suggest good sources of general information on using modems in a secure environment?

Thank you in advance.
Dave Worthington

From firewalls-owner Wed Feb 15 13:38:31 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA01366 for firewalls-outgoing; Wed, 15 Feb 1995 12:26:11 -0800
Received: from birch.ims.disa.mil (root@birch.ims.disa.mil [164.117.176.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA01358 for ; Wed, 15 Feb 1995 12:26:04 -0800
Received: from CC.IMS.DISA.MIL ([164.117.176.106]) by birch.ims.disa.mil (8.6.9/DISA 0.5.2) with SMTP id MAA20340 for ; Wed, 15 Feb 1995 12:14:47 -0500
Received: from cc:Mail by CC.IMS.DISA.MIL id AA792879280; Wed, 15 Feb 95 12:12:30 EST
Date: Wed, 15 Feb 95 12:12:30 EST
From: "Dion Stempfley"
Message-Id: <9501157928.AA792879280@CC.IMS.DISA.MIL>
To: firewalls@greatcircle.com
Subject: Dynamic Routing: Security Problems?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I was asked by a coworker if it was possible for Joe Badguy to reroute some traffic from a network, let's say whitehouse.gov, by using the whitehouse.gov ip address and forcing dynamic route updates to each router in a path up to the level of the router that the desired source uses. My gut feeling is, "no that shouldn't work," but I don't have a good grasp of the security issues involved.

Is it normal to allow dynamic route updates from routers across your firewall or should route tables contain only internal hosts/nets and the next hop on the dirty side.

Can someone point me to a good place to look for information on the topic or maybe address the issue personally. I appreciate the help.

Dion Stempfley

From firewalls-owner Wed Feb 15 13:41:44 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA01605 for firewalls-outgoing; Wed, 15 Feb 1995 12:30:44 -0800
Received: from eros.britain.eu.net (eros.Britain.EU.net [192.91.199.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA01593 for ; Wed, 15 Feb 1995 12:30:40 -0800
Received: from avenue.finsbury.co.uk by eros.britain.eu.net via UKIP with SMTP (PP) id ; Wed, 15 Feb 1995 17:36:18 +0000
Received: by finsbury.co.uk (4.1/25-eef) id AA03188; Wed, 15 Feb 95 17:37:53 GMT
From: Ian Marr
Message-Id: <9502151737.AA03188@finsbury.co.uk>
Subject: Re: Address translation
To: mrm@alpharel.com (Mike Murphy)
Date: Wed, 15 Feb 1995 17:37:53 +0000 (GMT)
Cc: firewalls@greatcircle.com
In-Reply-To: <9502151702.AA20526@optisun17.optigfx.com> from "Mike Murphy" at Feb 15, 95 09:02:04 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 985
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mike Murphy writes:
>
> I don't think the complexity of a dual proxy firewall is required. Here
> is a diagram of our network (give or take).
>
> The Dirty Net is a registered class C. The inside nets, which happen to
> be registered, are not visible to the external world in any way except
> the NIC registration. There are no routes from the Internet or the
> Dirty Net to the Inside Nets.
>
> Do you need anything more complicated than this?

Yes, I think you do. OK so there aren't any routes or direct IP path in a single proxy solution but *routing* is still a problem. Your firewall's default route *must* be external and it then follows that your internal network must be unique if you want to talk to them.

Ian.

------------------------------------------------------------------------------
Ian Marr Wingrove, 10 St Georges Road, Sevenoaks, KENT, TN13 3ND, UK
im@finsbury.co.uk +44-732-453-577

From firewalls-owner Wed Feb 15 13:51:05 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA01530 for firewalls-outgoing; Wed, 15 Feb 1995 12:28:34 -0800
Received: from scruz.net (nic.scruz.net [165.227.1.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA01497 for ; Wed, 15 Feb 1995 12:28:15 -0800
Received: from comet.aeinet.com by scruz.net (8.6.9/1.34) id IAA26958; Wed, 15 Feb 1995 08:58:50 -0800
Date: Wed, 15 Feb 95 08:40:38 PST
From: Johnathan Corgan
Subject: Newbie question about implementing a firewall at home
To: firewalls@greatcircle.com
X-Mailer: Chameleon - TCP/IP for Windows by NetManage, Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have a 3 bit subnet issued to me by my ISP, accessed via PPP over an ISDN terminal adapter. I am currently just using my PC with Windows and Netmanage Chameleon to generate the PPP link, providing my PC with standard IP access to the 'net.

What I would like to accomplish is to have a dedicated box running something like Linux that would serve as a router between my home ethernet and my ISP connection. The software router should also be able to be configured to demand dial the ISDN connection when it has packets to forward, and take down the link after some period of inactivity. ISDN isn't quite free :)

Of course, a connection like this would be wide open to attack from the 'net. For the time being, I would not be making available any services whatsoever to the outside, so a firewall that discarded everything but that necessary for internal machines to access the standard Telnet, FTP, NNTP, finger, etc. is all that is necessary.
Of course, I could do all this (I don't know about the firewalling though) with an Ascend or Combinet type box, but for now I need a cheaper solution. And I expect hacking a Linux box to do the above would be rather educational.

Suggestions?

==
Johnathan Corgan "Cypherpunks will make networks safe for privacy."
jcorgan@aeinet.com -Eric Hughes
WWW: ftp://ftp.netcom.com/pub/jc/jcorgan/home.html

From firewalls-owner Wed Feb 15 14:11:45 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA03510 for firewalls-outgoing; Wed, 15 Feb 1995 13:46:34 -0800
Received: from sol.aa.hcia.com (sol.hcia.com [157.199.5.32]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA03505 for ; Wed, 15 Feb 1995 13:46:26 -0800
Received: by sol.aa.hcia.com (Smail3.1.29.1 #1) id m0rerTu-001t73C; Wed, 15 Feb 95 16:41 EST
Message-Id:
Date: Wed, 15 Feb 95 16:41 EST
From: eprie@hcia.com (Eric W. Priebe)
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls Digest V3 #126
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From firewalls-owner Wed Feb 15 14:27:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA03254 for firewalls-outgoing; Wed, 15 Feb 1995 13:34:32 -0800
Received: from gate3.fmr.com (gate3.FMR.Com [192.223.170.13]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA03249 for ; Wed, 15 Feb 1995 13:34:28 -0800
Received: (from adm@localhost) by gate3.fmr.com (8.6.9/8.6.9) id QAA19954; Wed, 15 Feb 1995 16:27:04 -0500
Message-Id: <199502152127.QAA19954@gate3.fmr.com>
Received: from mbsb01.fmr.com(155.1.75.10) by gate3 via smap (V1.3mjr) id sma019952; Wed Feb 15 21:26:32 1995
Date: Wed, 15 Feb 1995 16:28:41 -0500
From: Joe Judge
Subject: Re: comprimising clients...
To: firewalls@GreatCircle.COM, jet@abulafia.genmagic.com
Content-transfer-encoding: 7BIT
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Wasn't there a Sears/Prodigy brouhaha some years ago... The client program (that connected one to their online service) was noticed sending info to the online service.

(hazy memory mode on)
There were claims that it was telling the service what software was on the PC ... they claimed it was accidental info past an end-of-file pointer (or something like that).

-- joe

> From firewalls-owner@GreatCircle.COM Tue Feb 14 22:50 EST 1995
> Date: Tue, 14 Feb 1995 18:50:05 -0800
> From: jet@abulafia.genmagic.com (J. Eric Townsend)
> Subject: comprimising clients...
> To: firewalls@GreatCircle.COM
> Content-transfer-encoding: 7BIT
>
>
> "Well, Hell", as my grandma says..
>
> What else, I wonder, will it browse and report back?
>
> -- from our internal news clipping service
> o KING BILL: THE CURTAIN MUST FALL (Digital Media, 2/10, p. 2)
> Mitch Ratcliffe: "The most powerful arrow in Microsoft's quiver is the
> "browser" object that scans the contents of initialization strings of a PC
> when the PC logs onto the Microsoft Network... will give MS a complete dossier
> on the consumer's hardware and software... Since software is largely an
> upgrade business, MS can selectively target categories of software and
> undercut its competitors' prices at will.
> --- cut here---
>
> --
> J. Eric Townsend vox #: USA 408.774.4252
> work: jet@genmagic.com AT&T PersonaLink: A5803643645@attpls.net
> play: jet@well.sf.ca.us or get my card from directory information
>
>

From firewalls-owner Wed Feb 15 14:41:15 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA03530 for firewalls-outgoing; Wed, 15 Feb 1995 13:46:58 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA03525 for ; Wed, 15 Feb 1995 13:46:56 -0800
Received: from sol.aa.hcia.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id NAA19809; Wed, 15 Feb 1995 13:40:37 -0800
Received: by sol.aa.hcia.com (Smail3.1.29.1 #1) id m0rerTz-001t76C; Wed, 15 Feb 95 16:41 EST
Message-Id:
Date: Wed, 15 Feb 95 16:41 EST
From: eprie@hcia.com (Eric W. Priebe)
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls Digest V3 #125
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From firewalls-owner Wed Feb 15 15:07:49 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA03612 for firewalls-outgoing; Wed, 15 Feb 1995 13:50:47 -0800
Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA03607 for ; Wed, 15 Feb 1995 13:50:41 -0800
From: H Morrow Long
Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU via SMTP; Wed, 15 Feb 1995 16:46:33 -0500
Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-5.67b/res.client.cf-3.7) id AA10168; Wed, 15 Feb 1995 16:46:31 -0500
Date: Wed, 15 Feb 1995 16:46:31 -0500
Message-Id: <199502152146.AA10168@SPARKY.CF.CS.YALE.EDU>
To: firewalls@greatcircle.com, SMALL_DO%NORSE.decnet@gate.hosp.ohio-state.edu
Subject: Re: Connecting to a pop mail server via firewall
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Md5: V8OMMvB23g7tg8Oe04LM9g==
Sender:
firewalls-owner@GreatCircle.COM Precedence: bulk > From: "NORSE::SMALL_DO" > Subject: Connecting to a pop mail server via firewall > > I haven't seen this discussed here before and I have had some > requests from users who want to connect to a pop mail server that is > on the untrusted side of our firewall. Are there any proxy servers > available for pop mail? What implications would there be in opening up > ports 109 (pop2) or 110 (pop3) on the firewall and routing the packets > through? Is this even possible? One concern would possibly be with > address spoofing I suppose but I believe we have that covered with the > router (on the untrusted side) not allowing source routing. Am I wrong? > Any help would be much appreciated. POP clients send usernames and passwords in the clear, and often these are the user names and passwords to real accounts on Unix machines (so gaining the acct/password pair via sniffing yield something potentially even more interesting than just the ability to read someone else's E-Mail remotely). There is a kerberized POP spec and (I believe) implementations for machines such as the Mac called KPOP which would not send this information over the net but which would however need to authenticate with a Kerberos server over the Internet. - Morrow From firewalls-owner Wed Feb 15 15:12:58 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA04271 for firewalls-outgoing; Wed, 15 Feb 1995 14:21:14 -0800 Received: from oxygen.house.gov (oxygen.house.gov [137.18.128.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA04265 for ; Wed, 15 Feb 1995 14:21:11 -0800 Received: by oxygen.house.gov (AIX 3.2/UCB 5.64/3.2.083191-) id AA30713; Wed, 15 Feb 1995 17:18:24 -0500 Date: Wed, 15 Feb 1995 17:18:24 -0500 From: johns@oxygen.house.gov (John Schnizlein) Message-Id: <9502152218.AA30713@oxygen.house.gov> To: firewalls@greatcircle.com, stempfld@CC.IMS.DISA.MIL Subject: Re: Dynamic Routing: Security Problems? 
Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ... if it was possible for Joe Badguy to reroute some traffic from a network by using the ip address and forcing dynamic route updates to each router in a path up to the level of the router that the desired source uses. Dion, The principle of spoofing IP addresses by manipulating the route tables is correct, which is why any Internet Service Provider (ISP) takes great care to control what route information updates they trust. Coding the policy of which Autonomous Systems can route through which others was one of the reasons BGP was created. Most ISPs also use filtering of some kind on the route updates also (multiple lines of defense). Notice that this filtering applies to route updates rather than to transit traffic, which is an entirely different matter ;-) In the old days (actually last year, but consider the age of the Internet :-) ANS/Merit applied administrative control over changing the routes accepted in the NSF backbone. IE: there were actual people controlling these issues. Now I understand the multiple backbone Internet has an official Routing Arbiter. For the paranoid: if a bad-guy gets control of core routes for your ISP, you're toast. Actually, judicious use of default routes and packet filtering for "impossible" route paths limits the damage to denial of service. Do not believe routing updates unless the damage to the other guy is much worse than the damage to you if they are bogus. (Why ISPs take good care.) Worry about this only after all reusable passwords are gone from your hosts. 
-- John

From firewalls-owner Wed Feb 15 16:11:57 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA05693 for firewalls-outgoing; Wed, 15 Feb 1995 15:48:39 -0800
Received: from genesis.swbts.edu (root@[198.22.145.30]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA05688 for ; Wed, 15 Feb 1995 15:48:32 -0800
Received: (from wam@localhost) by genesis.swbts.edu (8.6.9/8.6.9) id RAA01075 for firewalls@greatcircle.com; Wed, 15 Feb 1995 17:41:32 -0600
Date: Wed, 15 Feb 1995 17:41:32 -0600
From: Bill McIntyre
Message-Id: <199502152341.RAA01075@genesis.swbts.edu>
To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

unsubsrcibe firewalls

From firewalls-owner Wed Feb 15 16:40:43 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA05641 for firewalls-outgoing; Wed, 15 Feb 1995 15:43:37 -0800
Received: from scruz.net (nic.scruz.net [165.227.1.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA05635 for ; Wed, 15 Feb 1995 15:43:30 -0800
Received: from comet.aeinet.com by scruz.net (8.6.9/1.34) id PAA06137; Wed, 15 Feb 1995 15:41:18 -0800
Date: Wed, 15 Feb 95 15:34:33 PST
From: Johnathan Corgan
Subject: Re: comprimising clients...
To: firewalls@GreatCircle.COM, jet@abulafia.genmagic.com, Joe Judge
X-Mailer: Chameleon - TCP/IP for Windows by NetManage, Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Wasn't there a Sears/Prodigy brouhaha some years ago...
> The client program (that connected one to their online service)
> was noticed sending info to the online service.
>
> (hazy memory mode on)
> There were claims that it was telling the service what software
> was on the PC ... they claimed it was accidental info past an
> end-of-file pointer (or something like that).

What actually happened was that the Prodigy client software created a large (a meg or so) disk cache file it used to store temporary transaction objects. This file was created out of unused space on the user's hard drive, which often contained information previously allocated to other files. When some uneducated user made the claim that "Prodigy is stealing my data", it caused an incident that was subsequently completely blown out of proportion. It was demonstrated that the client software never made use of the data (it only transmitted blocks in this temp file that had been written there by the client), and the brouhaha subsided.

I'm not sure of the eventual outcome, but I expect Prodigy revved their software to create this temp file by actually writing a meg of empty data into the file.

==
Johnathan Corgan            "Violence is the last refuge of the incompetent."
jcorgan@aeinet.com                                            -Isaac Asimov
WWW: ftp://ftp.netcom.com/pub/jc/jcorgan/home.html

From firewalls-owner Wed Feb 15 16:41:11 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA06537 for firewalls-outgoing; Wed, 15 Feb 1995 16:35:02 -0800
Received: from miriworld.its.unimelb.edu.au (miriworld.its.unimelb.EDU.AU [128.250.20.187]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA06532 for ; Wed, 15 Feb 1995 16:34:51 -0800
Received: (from danny@localhost) by miriworld.its.unimelb.edu.au (8.6.9/8.6.9) id LAA02195; Thu, 16 Feb 1995 11:32:56 +1100
Date: Thu, 16 Feb 1995 11:32:55 +1100 (EST)
From: "Daniel O'Callaghan"
Subject: Re: Dynamic Routing: Security Problems?
To: Dion Stempfley
cc: firewalls@GreatCircle.COM
In-Reply-To: <9501157928.AA792879280@CC.IMS.DISA.MIL>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 15 Feb 1995, Dion Stempfley wrote:

> I was asked by a coworker if it was possible for Joe Badguy to reroute
> some traffic from a network, let's say whitehouse.gov, by using the
> whitehouse.gov ip address and forcing dynamic route updates to each
> router in a path up to the level of the router that the desired source
> uses.

It is normal for routers to be configured to only accept updates from trusted sources. For example, with my service provider business, I have customers who connect their LANs transiently. I ask that they supply me with RIP for their LAN, but I only accept RIP from them *about* their LAN. That way, they can't masquerade as a different customer, thus avoiding the volume charges which we apply to excess traffic.

Danny

---------------------------------------------------------------------
Daniel O'Callaghan             | Phone : +61-3-344 8128
ITS - CSG1                     | Fax   : +61-3-347 4803
The University of Melbourne    | E-mail: danny@www.unimelb.edu.au
Parkville, Vic 3052, Australia | http://www.unimelb.edu.au/~danny

From firewalls-owner Wed Feb 15 17:11:09 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA06785 for firewalls-outgoing; Wed, 15 Feb 1995 16:54:29 -0800
Received: from miriworld.its.unimelb.edu.au (miriworld.its.unimelb.EDU.AU [128.250.20.187]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA06774 for ; Wed, 15 Feb 1995 16:54:07 -0800
Received: (from danny@localhost) by miriworld.its.unimelb.edu.au (8.6.9/8.6.9) id LAA03232; Thu, 16 Feb 1995 11:50:53 +1100
Date: Thu, 16 Feb 1995 11:50:52 +1100 (EST)
From: "Daniel O'Callaghan"
Subject: Re: your mail
To: Bill McIntyre
cc: firewalls@GreatCircle.COM
In-Reply-To: <199502152341.RAA01075@genesis.swbts.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Saw your posting. Thought you might find the following handy.

Danny

Internet Users' Guide to Subscription Mailing Lists
---------------------------------------------------

1. The List and the List Controller

An important thing to remember with mailing lists is that messages for everyone to see and messages to control your subscription are sent to different places. The list name is usually a mailing address like pharm@de-montfort.ac.uk, or GO4LIB-L@UCSBVM.BITNET. The control address is usually something like pharm-request@de-montfort.ac.uk, or LISTSERV@UCSBVM.BITNET

2. Finding the mailing list's home

To subscribe to a mailing list, you need to know the host on which it lives. When you get the name of the mailing list, you should also get the name of the machine where it lives. Guides like Diane Kovacs' Guide to Academic Mailing Lists give this information. If you have received a message from the list, read the header of the message to find out who sent it. Look at the very top line of the header which begins "From " (not "From:")

3. BITNET vs Internet

BITNET/EARN mailing lists are a bit easier to work with than Internet mailing lists, because they all function in the same way. The first step to working with a BITNET mailing list is identifying it as one. Some rules:

   1. If the hostname ends in .BITNET, it is a BITNET mailing list.
   2. If the From line at the top of the message looks like:
         From @UBVM.CC.BUFFALO.EDU:owner-gophern@UBVM.CC.BUFFALO.EDU
      then it is probably a BITNET list.
   3. If the name of the list ends in "-L" then it is probably a BITNET list, e.g. GO4LIB-L, PACS-L
   4. If the name is longer than 8 chars, or is written in lower case, then it is probably an Internet list.

4. BITNET Lists

Having decided that the host is a BITNET host, you need to test this out. Simply send an e-mail message to LISTSERV@host.BITNET, with just the word HELP in the body of the message and see what comes back.

For BITNET users:

   To: LISTSERV@UBVM
   Subject:
   ---
   HELP

or for Internet users:

   To: LISTSERV@UBVM.BITNET (or LISTSERV%UBVM@cunyvm.cuny.edu)
   Subject:
   -----
   HELP

If you get a meaningful message back, then you have found the right way to subscribe to the mailing list. Subscribe by sending a message:

   To: LISTSERV@HOSTVM.BITNET
   Subject:
   ----
   subscribe LIST-L Your Real Name

Substitute the correct hostname, listname and your name. For example

   To: LISTSERV@UCSBVM.BITNET
   Subject:
   ----
   SUBSCRIBE GO4LIB-L Daniel O'Callaghan

To remove yourself from the list, send a message like:

   To: LISTSERV@UCSBVM.BITNET
   Subject:
   ----
   UNSUBSCRIBE GO4LIB-L Daniel O'Callaghan

5. Internet Lists

There are several software packages available for operating mailing lists on Internet hosts, and as a result, there are several ways of subscribing to the lists. The following tips will help if you can examine mail messages, but can't telnet. If you can telnet, a more efficient way of finding out the correct address is detailed in section 7 below.

Look at the header of the message from the list. If it contains the line:

   X-Listserver-Version: 6.0 -- UNIX ListServer by Anastasios Kotsikonas

Then the list operates in a similar manner to the BITNET listserver program. Send a message, with the appropriate hostname

   To: listserv@list.host.edu
   Subject:
   ----
   HELP

Because there are so many types of listserv software for Internet computers, there is a standard which most list operators follow. If you send a message to list-name-request@list.host.edu, substituting the appropriate names, you should get a helpful message which tells you how to subscribe. For example, for list pharm@de-montfort.ac.uk try sending:

   To: pharm-request@de-montfort.ac.uk
   Subject:
   ----
   HELP

Some small lists are not controlled by a program, but by a human, who receives all mail sent to list-request. Because of this, don't expect to get a reply within 30 seconds of sending the message. If you don't get a reply promptly, it probably means that the address is correct, but human controlled, so be patient before trying the next step.

Many listserver programs for the Internet operate in a similar manner to BITNET lists. Some listservers have different names, however. If sending mail to list-name-request@list.host.edu returns an error message, the simplest method to find out who you are dealing with is to send a message to all the possible program names at the list home: For example, if "pharm-request@de-montfort.ac.uk" returns an error message, try:

   To: listserv@de-montfort.ac.uk, mailserv@de-montfort.ac.uk, listproc@de-montfort.ac.uk, majordomo@de-montfort.ac.uk
   Subject:
   ----
   HELP

Hopefully, one of those will work. When you have the HELP file from the list server, simply read the instructions to find out how to subscribe. Most programs accept subscriptions of the form:

   To: pharm-request@de-montfort.ac.uk
   Subject:
   ----
   subscribe Daniel O'Callaghan

or

   To: majordomo@greatcircle.com
   Subject:
   ----
   subscribe firewalls Daniel O'Callaghan

6. List Archives

Most mailing lists maintain archives. The rules for accessing these vary, but should be available from the HELP file which you were sent on request from the listserv software.

7. Finding out the right Internet address for Internet connected mail systems.

The following instructions assume you know how to use telnet. The steps are:

   (a) telnet to the mail server machine and connect to the mail server program. This is done by connecting to port 25 on the mailserver machine:

          unix% telnet mailhost.univ.edu 25
          VMS$ TELNET MAILHOST.UNIV.EDU /PORT=25

   (b) ask the mail server program to verify possible recipient names;

   (c) examine the results of (b) and decide which recipient names are useful and which are not.

Example (1): for the list gopher-news@boombox.micro.umn.edu

   unix% telnet boombox.micro.umn.edu. 25
   Trying 134.84.132.2 ...
   Connected to boombox.micro.umn.edu.
   Escape character is '^]'.
   220 boombox.micro.umn.edu Sendmail 5.64/3.14 ready at Fri, 13 May 94 20:16:30 CDT
   vrfy gopher-news
   250 <"|/usr/local/bin/bm -lgopher-news -mnotify">
   vrfy gopher-news-request
   250 <"|/usr/local/bin/bm -lgopher-news -msubscribe">
   vrfy listserv
   250 <"|/usr/local/bin/bm -mlistserv">
   vrfy mailserv
   550 mailserv... User unknown: Not a typewriter
   vrfy majordomo
   550 majordomo... User unknown: Not a typewriter
   quit
   221 boombox.micro.umn.edu closing connection
   Connection closed by foreign host.
   unix%

Here you can see that the mail program on boombox understands listserv and gopher-news-request, but not mailserv or majordomo. So send a subscribe command to gopher-news-request, and more complex management commands to listserv@boombox.micro.umn.edu

Example (2): for the list firewalls@greatcircle.com

   unix% telnet greatcircle.com. 25
   greatcircle.com.: unknown host

Hmm, problem. People on unix machines with the 'nslookup' command can do the following, and look for the 'mail exchanger' with the lowest number preference:

   unix% nslookup
   Default Server:  pet1.austin.unimelb.EDU.AU
   Address:  128.250.186.4

   > set type=mx
   > greatcircle.com.
   Server:  pet1.austin.unimelb.EDU.AU
   Address:  128.250.186.4

   Non-authoritative answer:
   greatcircle.com preference = 150, mail exchanger = mycroft.greatcircle.com

   Authoritative answers can be found from:
   GreatCircle.COM nameserver = APACHE.TELEBIT.COM
   GreatCircle.COM nameserver = BIONET.IG.COM
   mycroft.greatcircle.com internet address = 143.191.19.67
   APACHE.TELEBIT.COM internet address = 143.191.3.1
   BIONET.IG.COM internet address = 134.172.2.146
   >
   unix%

So now we know that mail for greatcircle.com is handled by mycroft.greatcircle.com, we try again:

   unix% telnet mycroft.greatcircle.com. 25
   Trying 143.191.19.67 ...
   Connected to mycroft.greatcircle.com.
   Escape character is '^]'.
   220-mycroft.GreatCircle.COM Sendmail 8.6.5/SMI-4.1/Brent-931103 ready at Fri, 13 May 1994 18:20:32 -0700
   220 ESMTP spoken here
   vrfy firewalls-request
   250
   vrfy listserv
   250
   vrfy majordomo
   250
   vrfy mailserv
   550 mailserv... User unknown
   quit
   221 mycroft.GreatCircle.COM closing connection
   Connection closed by foreign host.
   unix%

So we see that the command controller for the list firewalls is reachable as listserv or majordomo@mycroft.greatcircle.com

From firewalls-owner Wed Feb 15 17:41:21 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA07272 for firewalls-outgoing; Wed, 15 Feb 1995 17:27:06 -0800
Received: from www2.software.net (www2.software.net [204.69.144.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id RAA07267 for ; Wed, 15 Feb 1995 17:27:03 -0800
Received: from localhost (jpp@localhost) by www2.software.net (8.6.5+2.3W/3.2W4) id RAA03181 for Firewalls@GreatCircle.COM; Wed, 15 Feb 1995 17:24:52 -0800
From: John Pettitt
Message-Id: <199502160124.RAA03181@www2.software.net>
Subject: Well, netcom and others compromised - Mitnick arrested
To: Firewalls@GreatCircle.COM
Date: Wed, 15 Feb 1995 17:24:52 -0800 (PST)
In-Reply-To: <199502160111.RAA07051@miles.greatcircle.com> from "firewalls-digest-owner@GreatCircle.COM" at Feb 15, 95 05:11:49 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 214
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

FYI - see tomorrow (2/16) New York Times for a story on the arrest of Kevin Mitnick and the compromise of a number of well known systems (somebody told me my *old* netcom/well password at lunch time today).
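The route-update filtering that John Schnizlein and Daniel O'Callaghan describe in the Dynamic Routing thread above (trust a neighbour's RIP only for the prefixes that neighbour is entitled to announce, and drop everything else) is shown below as an added example. This is not code from any poster on this list or from any product mentioned here. The neighbour addresses, the authorised prefixes and the sample update are all constructed; RIP's UDP port 520 and the 20-byte route-entry layout come from the protocol itself, and the RIPv1 classful fallback is included because v1 updates carry no subnet mask.

```python
# Added example: decode a RIP update and apply a per-neighbour prefix policy.
# Policy, neighbour addresses and the sample packet are constructed values.
import ipaddress
import struct

RIP_PORT = 520        # RIP is carried over UDP port 520
RIP_RESPONSE = 2      # command field: 1 = request, 2 = response
AFI_INET = 2          # address family identifier for IP routes
AFI_AUTH = 0xFFFF     # RIPv2 authentication entry
ENTRY_LEN = 20        # every RIP entry is 20 bytes

# Constructed policy: each neighbour may announce routes *about its own LAN*
# and nothing else (Danny's rule). Unknown neighbours are not listened to.
POLICY = {
    ipaddress.ip_address("192.0.2.10"): [ipaddress.ip_network("10.10.0.0/16")],
    ipaddress.ip_address("192.0.2.20"): [ipaddress.ip_network("10.20.0.0/16")],
}


def classful_mask_bits(addr: ipaddress.IPv4Address) -> int:
    """RIPv1 carries no mask, so fall back to the classful prefix length."""
    first = addr.packed[0]
    if first < 128:
        return 8
    if first < 192:
        return 16
    return 24


def parse_rip(payload: bytes):
    """Decode a RIPv1/RIPv2 message into (command, version, entries)."""
    if len(payload) < 4 or (len(payload) - 4) % ENTRY_LEN:
        raise ValueError("malformed RIP message, length %d" % len(payload))
    command, version, _ = struct.unpack("!BBH", payload[:4])
    entries = []
    for off in range(4, len(payload), ENTRY_LEN):
        raw = payload[off:off + ENTRY_LEN]
        afi = struct.unpack("!H", raw[:2])[0]
        if afi == AFI_AUTH:
            # authentication trailer: type (2 = simple password) and 16 data bytes
            entries.append({"auth_type": struct.unpack("!H", raw[2:4])[0],
                            "auth_data": raw[4:]})
            continue
        _, tag, addr, mask, next_hop, metric = struct.unpack("!HH4s4s4sI", raw)
        address = ipaddress.IPv4Address(addr)
        mask_addr = ipaddress.IPv4Address(mask)
        if version == 1 or int(mask_addr) == 0:
            # v1 (or an all-zero mask): classful length, except 0.0.0.0 = default
            mask_arg = classful_mask_bits(address) if int(address) else 0
        else:
            mask_arg = str(mask_addr)
        prefix = ipaddress.ip_network((addr, mask_arg), strict=False)
        entries.append({"prefix": prefix, "tag": tag,
                        "next_hop": ipaddress.IPv4Address(next_hop),
                        "metric": metric})
    return command, version, entries


def filter_update(src_ip: str, payload: bytes, policy=POLICY):
    """Return (accepted, rejected) for one update received from src_ip.

    accepted: list of (prefix, metric); rejected: list of (prefix, reason).
    """
    src = ipaddress.ip_address(src_ip)
    allowed = policy.get(src)
    if allowed is None:
        return [], [(None, "update from unknown neighbour %s dropped" % src)]
    command, _version, entries = parse_rip(payload)
    if command != RIP_RESPONSE:
        return [], [(None, "not a RIP response (command %d)" % command)]
    accepted, rejected = [], []
    for entry in entries:
        if "auth_type" in entry:
            continue                       # not a route
        prefix, metric = entry["prefix"], entry["metric"]
        if not 1 <= metric <= 16:
            rejected.append((prefix, "invalid metric %d" % metric))
        elif any(prefix.subnet_of(net) for net in allowed):
            accepted.append((prefix, metric))
        else:
            rejected.append((prefix, "outside the prefixes %s may announce" % src))
    return accepted, rejected


def build_rip_response(routes, version=2) -> bytes:
    """Encode (prefix, metric) pairs as a RIP response; used to construct samples."""
    pkt = struct.pack("!BBH", RIP_RESPONSE, version, 0)
    for prefix, metric in routes:
        net = ipaddress.ip_network(prefix)
        pkt += struct.pack("!HH4s4s4sI", AFI_INET, 0, net.network_address.packed,
                           net.netmask.packed, b"\x00" * 4, metric)
    return pkt


# Constructed sample: neighbour 192.0.2.10 announces its own subnet, a prefix
# that belongs to another customer, and a default route.
SAMPLE_UPDATE = build_rip_response([("10.10.5.0/24", 2),
                                    ("10.20.0.0/16", 3),
                                    ("0.0.0.0/0", 1)])

if __name__ == "__main__":
    for neighbour in ("192.0.2.10", "198.51.100.7"):
        accepted, rejected = filter_update(neighbour, SAMPLE_UPDATE)
        print("update from", neighbour)
        for prefix, metric in accepted:
            print("  accept", prefix, "metric", metric)
        for prefix, reason in rejected:
            print("  reject", prefix, "-", reason)
```

The filter is a policy on route updates, not on transit traffic, which is the distinction John draws; a real router would apply it before touching its routing table, and would still need either RIPv2 authentication or OSPF to stop a spoofed source address from impersonating an authorised neighbour.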
From firewalls-owner Wed Feb 15 18:11:49 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA07820 for firewalls-outgoing; Wed, 15 Feb 1995 17:54:45 -0800
Received: from gateway.sequent.com (gateway.sequent.com [138.95.18.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA07815 for ; Wed, 15 Feb 1995 17:54:43 -0800
Received: from [138.95.14.34] by gateway.sequent.com (5.61/1.34) id AA13973; Wed, 15 Feb 95 17:51:03 -0800
Received: from ushqgw0a.sequent.com by relay1.sequent.com (5.65/crg/11) id AA21021; Wed, 15 Feb 95 17:51:56 -0800
Received: by ushqgw.sequent.com with Microsoft Mail id <2F42B150@ushqgw.sequent.com>; Wed, 15 Feb 95 17:58:40 PST
From: "Ned Smith (nedbob)"
To: "'Firewalls Alias(firewalls@greatcircle.com)'"
Subject: Getting info about Janus
Date: Wed, 15 Feb 95 17:50:00 PST
Message-Id: <2F42B150@ushqgw.sequent.com>
Encoding: 8 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is JANUS a firewall product or the name of a company? Anybody have their phone number or email address (or web URL)?

Regards,
Ned Smith
nedbob@sequent.com

From firewalls-owner Wed Feb 15 18:41:12 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA07780 for firewalls-outgoing; Wed, 15 Feb 1995 17:51:34 -0800
Received: from tuna.wang.com (tuna.wang.com [150.124.136.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA07775 for ; Wed, 15 Feb 1995 17:51:31 -0800
Received: from elf.wang.com by tuna.wang.com with SMTP id AA26942 (5.67b/IDA-1.5 for ); Wed, 15 Feb 1995 20:49:28 -0500
Received: from fnord.wang.com by elf.wang.com with SMTP id AA09669 (5.67a/IDA-1.5 for ); Wed, 15 Feb 1995 20:35:53 -0500
Received: by fnord.wang.com (5.67a/TF8) id AA23252; Wed, 15 Feb 1995 20:49:11 -0500
Date: Wed, 15 Feb 1995 20:49:11 -0500
From: Tom Fitzgerald
Message-Id: <199502160149.AA23252@fnord.wang.com>
To: firewalls@greatcircle.com
Subject: Re: Dynamic Routing: Security Problems?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

stempfld@CC.IMS.DISA.MIL ("Dion Stempfley") writes:

> I was asked by a coworker if it was possible for Joe Badguy to reroute
> some traffic from a network, let's say whitehouse.gov, by using the
> whitehouse.gov ip address and forcing dynamic route updates to each
> router in a path up to the level of the router that the desired source
> uses.

It won't work across the Internet, because the Internet routers use BGP (border gateway protocol) which is fairly picky about authenticating the source of routing updates. Internet service providers generally don't even trust each other unless they've got a bilateral arrangement.

On the other hand, if you're already inside a private net that's lax about routing security, you can do a pretty good job of messing them up. You can send RIP updates to routers forcing traffic addressed to any given node to come to you instead. RIP has no authentication capability. OSPF does but I bet lots of sites don't use it.

This is mostly a denial-of-service attack since once you've got the routes pointing to you, it's real hard to get the traffic back to the node it was supposed to go to. I guess if you wanted to monitor traffic noninvasively, you could try to do it with source-routing, but it doesn't sound easy.

There's another good denial-of-service attack that can be made on somebody's Internet connection from the outside, by feeding them routing updates over the Internet, to tie their border network's route into a knot. You can't actually get packets out of the organization using this, but you can stop people inside the organization from accessing their own firewall (or stop the firewall from getting traffic out to the Internet).

The moral of this story is, if your firewall or your router to the Internet participates in your own network's internal routing protocol, it's a real good idea to filter out routing updates (UDP port 520 for RIP) coming in from the Internet. Needless to say, filtering on source address doesn't do much good, and that's all you can do with RIP once it's on the local net.
--
Tom Fitzgerald   1-508-967-5278   Wang Labs, Lowell MA, USA   fitz@wang.com

From firewalls-owner Wed Feb 15 19:09:50 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA08155 for firewalls-outgoing; Wed, 15 Feb 1995 18:14:02 -0800
Received: from northshore.ecosoft.com (northshore.ecosoft.com [192.233.85.129]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA08150 for ; Wed, 15 Feb 1995 18:13:58 -0800
Received: from berthc0.shore.net by northshore.ecosoft.com with SMTP id AA26221 (5.67a/IDA-1.5 for ); Wed, 15 Feb 1995 21:11:12 -0500
Message-Id: <199502160211.AA26221@northshore.ecosoft.com>
Date: Wed, 15 Feb 1995 09:12:57 -0500
From: vin@shore.net (Vin McLellan)
To: firewalls@greatcircle.com
Subject: CIAC: Unix NCSA Httpd Vulnerability
Newsgroups: comp.security.unix
Organization: Technical Translators Guild
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I believe this CIAC alert on a prominent Web Server will be of interest to this group. It seems to have gotten little attention thus far.

_Vin McLellan
The Privacy Guild

////////////////////CIAC TEXT FOLLOWS ////////////////

Date: Tue, 14 Feb 1995 11:14:09 -0800
Errors-To: listmanager@cheetah.llnl.gov
Reply-To: weeber@eek.llnl.gov
Originator: ciac-bulletin@cheetah.llnl.gov
Sender: ciac-bulletin@cheetah.llnl.gov
Precedence: bulk
From: Steve Weeber
To: vin@shore.net
Subject: CIAC Advisory F-11: Unix NCSA httpd Vulnerability
X-Listprocessor-Version: 6.0b -- ListProcessor by Anastasios Kotsikonas
X-UIDL: 792789868.000

_____________________________________________________
             The U.S. Department of Energy
         Computer Incident Advisory Capability
                  [CIAC ASCII-art logo]
_____________________________________________________

                        ADVISORY NOTICE

                 Unix NCSA httpd Vulnerability

February 14, 1995 1030 PST                                      Number F-11
_____________________________________________________________________________
PROBLEM:     A vulnerability has been discovered in the NCSA WWW server
             software (httpd).
PLATFORMS:   Unix systems running NCSA httpd version 1.3.
DAMAGE:      Remote users may gain unauthorized access.
SOLUTION:    Implement workaround as described below.
_____________________________________________________________________________
VULNERABILITY   This vulnerability, along with an automated exploitation
ASSESSMENT:     script, has been announced in public forums on the Internet.
                CIAC recommends that sites install the workaround on
                affected systems as soon as possible.
_____________________________________________________________________________

Critical Information about the NCSA httpd Vulnerability

CIAC has learned of a serious vulnerability in the NCSA WWW server software, httpd. By sending a carefully constructed request to the WWW server, an intruder can cause an internal buffer overflow and push arbitrary instructions onto the program stack. These new instructions may allow the intruder unauthorized access to the WWW server.

Until official patches are available from NCSA, CIAC recommends the following temporary fix be installed. In the file httpd.h, change the string length definitions from:

   /* The default string lengths */
   #define MAX_STRING_LEN 256
   #define HUGE_STRING_LEN 8192

to:

   /* The default string lengths */
   #define HUGE_STRING_LEN 8192
   #define MAX_STRING_LEN HUGE_STRING_LEN

Then rebuild, install, and restart the new httpd server.

It is likely that these attacks will generate unusual server log entries. The httpd access_log file should be examined for unusual requests, especially those containing control characters.

Note that while this workaround addresses the vulnerability currently being exploited, there are likely to be other similar vulnerabilities present in this and other WWW server software. To lessen the chance of compromise, it is strongly recommended that WWW servers run as unprivileged users (e.g. user "nobody") and that they be locked into a restricted filesystem via the chroot() system call. For more information, please see CIAC Document 2308, "Securing Internet Information Servers," which is available via anonymous FTP from ciac.llnl.gov in the directory /pub/ciac/ciacdocs/.
_____________________________________________________________________________

CIAC wishes to acknowledge the contributions of the DFN-CERT in the construction of this bulletin.
_____________________________________________________________________________

For emergencies and off-hour assistance, DOE and DOE contractor sites can contact CIAC 24 hours a day via an integrated voicemail and SKYPAGE number. To use this service, dial 1-510-422-8193 or 1-800-759-7243 (SKYPAGE). The primary SKYPAGE PIN number, 8550070, is for the CIAC duty person. A second PIN, 8550074, is for the CIAC Project Leader. CIAC's FAX number is 510-423-8002, and the STU-III number is 510-423-2604. Send E-mail to ciac@llnl.gov.

Previous CIAC notices, anti-virus software, and other info