From firewalls-owner Wed Mar 1 00:23:43 1995
From: Tony Li
Date: Wed, 1 Mar 1995 00:11:20 -0800
To: cjolley@iac.net
Cc: cisco@spot.colorado.edu, firewalls@GreatCircle.COM
Subject: Announcing cisco omega test of 10.3
In-Reply-To: Carl Jolley's message of Wed, 1 Mar 1995 01:49:47 -0500 (EST)

> What is the expected duration of the omega test period? I'm not asking
> for you to predict the future, just your expectation.

That depends on what bugs are found. If no bugs are found, mebbe a week.

> Is this use of a test period something new? I don't remember seeing it
> for recent past releases. Do you expect to do this sort of thing on
> future releases or is 10.3 "special"?

Yes, omega test is new with 10.3. It's not clear if it will be carried
forward or not.

> You've pointed out how to report problems with 10.3. Will there be any
> attempt by cisco to solicit reports from users, even if they have not
> had any problems, like their use of 10.3 features and/or performance
> observations, the operating environment e.g. particular router model
> and particular mix of IP, etc.? Are there any particular
> diagnostic/debug settings that you would like to have in effect?

Sorry, we don't have the staff in Engineering for polling the entire
Internet. Please abuse it however you like.

Tony

From firewalls-owner Wed Mar 1 02:02:11 1995
From: Aaron Schmiedel
Date: 28 Feb 95 20:02:36 EDT
To: firewalls, David Miller
Subject: RE: 60 Minutes

>> If this isn't the right place to share information sources, I'll not post
>> anything further on the matter and find a list that does encourage
>> dissemination of information that allows us to protect OUR information.
>
> Uhm, the charter for firewalls is discussion of firewalls, not general
> security.

Ah, then mea culpa. My apologies to the list users.

-------------------------------------------------------------------------------
I could pick up my toys and go home.                   aaron@tritonenergy.com
But my 5 year old has first dibs on the living room.
I don't have thoughts....
-------------------------------------------------------------------------------

From firewalls-owner Wed Mar 1 05:31:41 1995
From: kpresser@infi.net
Date: Wed, 01 Mar 95 08:04:53 -0500
To: firewalls@greatcircle.com
Reply-To: kpresser@infi.net
Subject: Multiple Posts

Sorry for the multiple posts, my mailer hiccupped. Need to look for an
update to this sorry thing. (OS/2 Ultimail Lite) Hope this only shows up
once.

----------------------------------------------------------------------------
Ken Presser           kpresser@infi.net
Mgr Tech Support      Sara Lee Intimates

From firewalls-owner Wed Mar 1 06:32:12 1995
From: mckenney@smiley.mitre.org (Brian W. McKenney)
Date: Wed, 1 Mar 95 09:24:56 EST
To: firewalls@GreatCircle.COM
Cc: mckenney@smiley.mitre.org
Subject: Firewall-to-Firewall Encryption

I am looking for information on commercial off-the-shelf (COTS) encryption
products that can be used to provide firewall-to-firewall encryption
(node-to-node). The device would encrypt based on source/destination
address and if possible by network service (port).

One of our customers has a network of firewalls and they would like to
protect their network traffic over the Internet (firewall-to-firewall) but
still be able to communicate with the outside world. The firewall
configuration is the same at each of the nodes. At the present time, a
user must go through a challenge/response sequence at each firewall. The
customer is exploring security technologies that could eliminate the need
for a challenge/response dialogue at each firewall.

Inbound connections (e.g., TELNET, FTP, dial-in) from a user that is not
behind a node firewall would still be required to go through a
challenge/response dialogue (strong authentication) at the firewall.

I am aware of the following products that are available or plan to be
available to perform this functionality.

1. swIPe (publicly available, however I am looking for COTS products)
2. TIS Gauntlet (available in next release, est. May time frame)
3. UUNET Technologies LANGuardian
4. ANS Interlock
5. MorningStar Technologies, Inc. EXPRESS Router
6. Hughes NetLOCK
7. Motorola Network Encryption System (NES)
8. Cisco/Cylink (future)

If there are other products, could you please send me e-mail or fax me the
information. I am not looking for information on secure E-Mail, FTP, etc.
software packages. I can post a summary if people are interested.

-Brian

Respectfully,
Brian W. McKenney
Mail Stop: Z-202
The MITRE Corporation
7525 Colshire Drive
McLean, VA 22102
Voice: 703-883-5463
Fax: 703-883-1397

From firewalls-owner Wed Mar 1 07:35:58 1995
From: "william.wells"
Date: Wed, 01 Mar 95 09:08:00 PST
To: FIREWALLS
Subject: Re: Firewall-to-Firewall Encryption

> Brian W. McKenney wrote:
> I am looking for information on commercial off-the-shelf (COTS) encryption
> products that can be used to provide firewall-to-firewall encryption
> (node-to-node). The device would encrypt based on source/destination
> address and if possible by network service (port).
>
> One of our customers has a network of firewalls and they would like to
> protect their network traffic over the Internet (firewall-to-firewall) but
> still be able to communicate with the outside world. The firewall
> configuration is the same at each of the nodes. At the present time, a
> user must go through a challenge/response sequence at each firewall. The
> customer is exploring security technologies that could eliminate the need
> for a challenge/response dialogue at each firewall.
----
Careful here. In my conversations with various vendors, it is not certain
that firewall-to-firewall encryption, as currently designed, will work
between different vendors of firewalls. This probably isn't a concern for
your customer as you imply that all of their firewalls are identical (same
vendor).

William Wells
Manager, Technical Support
Damark International

From firewalls-owner Wed Mar 1 07:53:19 1995
From: Ted Doty
Date: Wed, 1 Mar 1995 10:10:08 -0500 (EST)
To: mckenney@smiley.mitre.org (Brian W. McKenney)
Cc: firewalls@greatcircle.com, mckenney@smiley.mitre.org
Subject: Re: Firewall-to-Firewall Encryption

> I am looking for information on commercial off-the-shelf (COTS) encryption
> products that can be used to provide firewall-to-firewall encryption
> (node-to-node). The device would encrypt based on source/destination
> address and if possible by network service (port).

Network Systems is shipping a product called The Security Router, which
offers encryption using IDEA, DES, Triple-DES, and a high speed proprietary
algorithm suitable for export. In addition, it provides Digital Signatures
via MD5, data compression via IBM's ALDC compression algorithm, and Replay
Prevention. We use Diffie-Hellman for key exchange and RSA for key
authentication. Key lifetimes are user definable, and can be set to
automatically change every minute if you want (kind of ridiculous, but
your choice). It can encrypt based on any pattern in the network or
transport header. It is currently installed in 5 countries on 3 continents.

Check out our Web server (www.network.com) for more info on The Security
Router and the encryption capability, Data Privacy Facility (DPF).

- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation   | phone: +1 301 596-2270
8965 Guilford Road, Suite 250           | fax: +1 410 381-3320
Columbia, MD, 21046 USA                 | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to
real opinions, living or dead, is purely coincidental.
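The mechanism the last few messages circle around, selection by source/destination address and service as Brian McKenney asks for, replay prevention and per-lifetime rekeying as Ted Doty lists them, and the point Larry Chin raises later in the digest that the far end must also have a peer gateway, as one added example. This is editor's code, not from any product or post in this thread. It assumes a per-peer pre-shared secret standing in for the key-agreement step (Diffie-Hellman in Ted's description), uses HMAC-SHA256 from the Python standard library as the PRF for both the keystream and the integrity tag so that it runs without a third-party cipher, and the rule set, addresses and payloads are constructed samples. A keyed hash like this authenticates the peer that shares the key; it is an integrity check between the two gateways, not a signature a third party could verify.

```python
"""Policy-driven firewall-to-firewall encapsulation with replay protection.

Added illustration for this thread, not code from any product named in it.
ASSUMPTIONS: a per-peer pre-shared secret (a key-agreement step such as
Diffie-Hellman would supply it in practice); HMAC-SHA256 as the PRF for
both the keystream and the integrity tag; constructed sites 10.1/16, 10.2/16.
"""
import hashlib
import hmac
import ipaddress
import struct

ENCRYPT, BYPASS, DROP = "encrypt", "bypass", "drop"

# Policy: (src_net, dst_net, proto, dst_port or None, action); first match wins.
RULES = [
    ("10.1.0.0/16", "10.2.0.0/16", "tcp", None, ENCRYPT),   # site-to-site
    ("10.2.0.0/16", "10.1.0.0/16", "tcp", None, ENCRYPT),
    ("10.1.0.0/16", "10.3.0.0/16", "tcp", None, ENCRYPT),   # partner with no peer yet
    ("10.1.0.0/16", "0.0.0.0/0",   "tcp", 80,   BYPASS),    # clear HTTP to the world
]

def select_action(rules, src, dst, proto, dport):
    """First matching rule's action; default deny when nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, p, port, action in rules:
        if (s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net)
                and p == proto and port in (None, dport)):
            return action
    return DROP

HDR = struct.Struct(">HQ")   # key epoch, sequence number
TAG_LEN = 32

def derive_keys(secret, direction, epoch):
    """Distinct enc/MAC keys per direction and per key epoch (key lifetime)."""
    label = direction.encode() + struct.pack(">H", epoch)
    enc = hmac.new(secret, b"enc|" + label, hashlib.sha256).digest()
    mac = hmac.new(secret, b"mac|" + label, hashlib.sha256).digest()
    return enc, mac

def keystream(enc_key, epoch, seq, length):
    """Counter-mode stream from the PRF; (epoch, seq, block) never repeats under a key."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">HQI", epoch, seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]

class ReplayWindow:
    """IPsec-style sliding window over sequence numbers whose tag already verified."""
    def __init__(self, size=64):
        self.size, self.top, self.bits = size, 0, 0   # bit i set => seq top-i was seen
    def accept(self, seq):
        if seq == 0:
            return False
        if seq > self.top:                              # new high-water mark
            shift = seq - self.top
            self.bits = 1 if shift >= self.size else ((self.bits << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or self.bits & (1 << diff):
            return False                                # too old, or a replay
        self.bits |= 1 << diff
        return True

class Tunnel:
    """One direction of a gateway-to-gateway tunnel; the peer holds an identical object."""
    def __init__(self, secret, direction, epoch=1, packets_per_key=2**20):
        self.secret, self.direction, self.packets_per_key = secret, direction, packets_per_key
        self.epoch, self.seq = epoch, 0
        self.enc_key, self.mac_key = derive_keys(secret, direction, epoch)
        self.window = ReplayWindow()
    def rekey(self):
        """Roll to the next key epoch; both ends must do so for traffic to flow."""
        self.__init__(self.secret, self.direction, self.epoch + 1, self.packets_per_key)
    def seal(self, payload):
        if self.seq >= self.packets_per_key:
            raise RuntimeError("key lifetime exhausted; rekey first")
        self.seq += 1
        hdr = HDR.pack(self.epoch, self.seq)
        ct = bytes(a ^ b for a, b in zip(payload, keystream(self.enc_key, self.epoch, self.seq, len(payload))))
        return hdr + ct + hmac.new(self.mac_key, hdr + ct, hashlib.sha256).digest()
    def open(self, packet):
        """Payload, or None for a stale epoch, a bad tag, or a replayed/too-old sequence."""
        if len(packet) < HDR.size + TAG_LEN:
            return None
        hdr, ct, tag = packet[:HDR.size], packet[HDR.size:-TAG_LEN], packet[-TAG_LEN:]
        epoch, seq = HDR.unpack(hdr)
        if epoch != self.epoch:
            return None
        if not hmac.compare_digest(tag, hmac.new(self.mac_key, hdr + ct, hashlib.sha256).digest()):
            return None
        if not self.window.accept(seq):      # only after the tag checks out
            return None
        return bytes(a ^ b for a, b in zip(ct, keystream(self.enc_key, epoch, seq, len(ct))))

def egress(rules, peers, src, dst, proto, dport, payload):
    """Gateway egress: (action, bytes on the wire). ENCRYPT with no peer gateway fails closed."""
    action = select_action(rules, src, dst, proto, dport)
    if action == BYPASS:
        return BYPASS, payload
    if action == ENCRYPT:
        for net, tunnel in peers.items():
            if ipaddress.ip_address(dst) in ipaddress.ip_network(net):
                return ENCRYPT, tunnel.seal(payload)
    return DROP, b""
```

The replay window is consulted only after the tag verifies, so a forged packet cannot advance it; a stale epoch is rejected outright, which is why both gateways have to roll keys together. Failing closed when a rule says ENCRYPT but no peer gateway covers the destination is what keeps traffic to a site that has not yet deployed a peer from leaking out in the clear.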
From firewalls-owner Wed Mar 1 08:08:47 1995
From: horn@mickey.jsc.nasa.gov
Date: Wed, 1 Mar 1995 09:23:23 -0600 (CST)
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson P.E. Information Security)
Cc: firewalls@greatcircle.com
Subject: Node based security (Was: Re: No Out-Of-The-Box Security)

padgett@tccslr.dnet.mmc.com wrote:
> So my feeling is that the nodes really do not need any security except as
> a second line of defense (I like defense in depth - preferably three levels
> deep) because the problem packets should never reach the nodes if I have
> done my job properly.

Wow! That's quite a statement. I think that our network perimeter provides
us the lion's share of our security, but that doesn't mean that I don't
make node based security a priority.

Do all of you out there really put that much confidence in your firewalls
that you feel you could comfortably ignore the security of individual
nodes? To the extent that just about any unix box can be a router and do
SLIP/PPP, don't I have to worry about a node creating another point of
contact from the Internet? Or is that kind of awareness not considered
node based security?

-- 
Mark Horn (sparkie)
EMAIL: horn@mickey.jsc.nasa.gov
WWW: http://tommy.jsc.nasa.gov/~horn

From firewalls-owner Wed Mar 1 08:45:33 1995
From: "Marcus J. Ranum"
Organization: Trusted Information Systems, Inc. Glenwood, MD
Date: Wed, 1 Mar 1995 11:11:22 -0500 (EST)
To: william.wells@damark.com (william.wells)
Cc: firewalls@GreatCircle.COM
Subject: Re: Firewall-to-Firewall Encryption

william.wells writes:
> Careful here. In my conversations with various vendors, it is not certain
> that firewall-to-firewall encryption, as currently designed, will work
> between different vendors of firewalls.

There are 2 issues here. One is key management and the other is protocol
and encryption algorithms. I suspect that most vendors who are doing
firewall to firewall crypto are basing their work on the draft standards
IETF is working towards. So, any standard-track firewall crypto should
interoperate just fine. The other guys will lose. :)

Key management is another problem, but as long as you can exchange keys in
a manner that lets your firewalls interoperate using a standard packet
format then you're OK.

mjr.

From firewalls-owner Wed Mar 1 09:02:49 1995
From: Larry Chin
Date: Wed, 1 Mar 1995 11:50:22 -0500
To: mckenney@smiley.mitre.org
Cc: firewalls@GreatCircle.COM
Subject: Re: Firewall-to-Firewall Encryption

>> > I am looking for information on commercial off-the-shelf (COTS) encryption
>> > products that can be used to provide firewall-to-firewall encryption
>> > (node-to-node). The device would encrypt based on source/destination
>> > address and if possible by network service (port).

You could check out LanGuardian from UUNET. It encrypts data outbound based
on destination, the caveat being that the destination must also have a
LanGuardian machine.

Wed Mar  1 11:50:08 EST 1995
===========================================================================
Larry Chin {Larry_Chin@ca.cch.com}        System/Network Administrator
CCH Canadian Ltd.                         (416) 441-4001 ext. 349
===========================================================================
Abstainer, n.:
        A weak person who yields to the temptation of denying himself a
        pleasure.
                -- Ambrose Bierce, "The Devil's Dictionary"

From firewalls-owner Wed Mar 1 09:32:17 1995
From: tws@wh.bayer.com
Date: Wed, 1 Mar 95 11:59:09 -0500
To: horn@mickey.jsc.nasa.gov, padgett@tccslr.dnet.mmc.com
Cc: firewalls@greatcircle.com
Subject: Re: Node based security (Was: Re: No Out-Of-The-Box Security)

>> From: horn@mickey.jsc.nasa.gov
>> Subject: Node based security (Was: Re: No Out-Of-The-Box Security)
>> To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson P.E. Information Security)
>> Cc: firewalls@greatcircle.com
>>
>> padgett@tccslr.dnet.mmc.com wrote:
>> >So my feeling is that the nodes really do not need any security except as
>> >a second line of defense (I like defense in depth - preferably three levels
>> >deep) because the problem packets should never reach the nodes if I have
>> >done my job properly.
>>
>> Wow! That's quite a statement. I think that our network perimeter provides
>> us the lion's share of our security, but that doesn't mean that I don't make
>> node based security a priority.
>>
>> Do all of you out there really put that much confidence in your firewalls that
>> you feel you could comfortably ignore the security of individual nodes? To
>> the extent that just about any unix box can be a router and do SLIP/PPP, don't
>> I have to worry about a node creating another point of contact from the
>> Internet? Or is that kind of awareness not considered node based security?
>> --
>> Mark Horn (sparkie)
>> EMAIL: horn@mickey.jsc.nasa.gov
>> WWW: http://tommy.jsc.nasa.gov/~horn

I think the issue of how you control what goes onto your network is a
fundamental one. If someone you don't know can plug his/her machine (say,
to the wall plate) and be on the network, all the bets are off.

A question: does your boss understand that?

Regards,
Tenna Sakai
Miles Research Center
(Soon to be Bayer Research Center)

From firewalls-owner Wed Mar 1 09:37:26 1995
From: mckenney@smiley.mitre.org (Brian W. McKenney)
Date: Wed, 1 Mar 95 11:05:22 EST
To: "william.wells"
Cc: firewalls@GreatCircle.COM
Subject: Re: Firewall-to-Firewall Encryption

>> Brian W. McKenney wrote:
>> I am looking for information on commercial off-the-shelf (COTS) encryption
>> products that can be used to provide firewall-to-firewall encryption
>> (node-to-node). The device would encrypt based on source/destination
>> address and if possible by network service (port).
>>
>> One of our customers has a network of firewalls and they would like to
>> protect their network traffic over the Internet (firewall-to-firewall) but
>> still be able to communicate with the outside world. The firewall
>> configuration is the same at each of the nodes. At the present time, a
>> user must go through a challenge/response sequence at each firewall. The
>> customer is exploring security technologies that could eliminate the need
>> for a challenge/response dialogue at each firewall.
> ----
> Careful here. In my conversations with various vendors, it is not certain
> that firewall-to-firewall encryption, as currently designed, will work
> between different vendors of firewalls. This probably isn't a concern for
> your customer as you imply that all of their firewalls are identical (same
> vendor).

Bill, as my note stated, each of the nodes have the same firewall
configuration (same firewall hardware, software). We don't have to worry
about a product that has to work with heterogeneous firewall
configurations.

-Brian

From firewalls-owner Wed Mar 1 09:49:00 1995
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Wed, 1 Mar 95 12:04:31 -0500
To: "mail@mickey.jsc.nasa.gov"@UVS1.dnet.mmc.com
Cc: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: RE: Node based security (Was: Re: No Out-Of-The-Box Security)

padgett@tccslr.dnet.mmc.com wrote:
> So my feeling is that the nodes really do not need any security except as
> a second line of defense (I like defense in depth - preferably three levels
> deep) because the problem packets should never reach the nodes if I have
> done my job properly.

Mark respondeth:
> Wow! That's quite a statement. I think that our network perimeter provides
> us the lion's share of our security, but that doesn't mean that I don't make
> node based security a priority.

Do not disagree but with over a million square feet under roof at this
site, thousands of nodes, even multiple tenants/companies, I cannot touch
every node and some would take offense if I did. The simple fact is that
with so many even 1% vulnerable becomes a sizable number. Not to say that
I do not provide guidelines for those to follow, I do, but *cannot IMPO
depend on them as the primary line of defense*.

Instead I have pulled it back to concentrate on manageable perimeters -
subnets, nets, and points at which communications "cross the fence".
Closed areas control access *to the area* but rely on internal controls
for protection within that area, controls based on the need of that
population. My view of my job is to control the area access itself and to
provide advice to those inside.

If you consider my favorite example of a walled city, the responsibilities,
skills, and training of those charged with protection of the walls are
different from those whose duty is to keep peace on the streets. Further
one of the duties of those on the walls is to keep the brigands from
attacking in the first place. Among other things this is done by creating
a "killing ground" in front of the wall and providing instant response to
threats. Those on the inside (nodes) have the luxury of needing merely to
repulse the occasional threat *as they see it*.

Warmly,
Padgett

From firewalls-owner Wed Mar 1 10:09:50 1995
From: reynolds@acetsw.amat.com (John Reynolds)
Organization: Applied Materials Inc., ACET Division
Date: Wed, 1 Mar 95 09:00:29 PST
To: firewalls@greatcircle.com
Subject: Re: Node based security (Was: Re: No Out-Of-The-Box Security)

Up periscope :

> From: horn@mickey.jsc.nasa.gov
> Date: Wed, 1 Mar 1995 09:23:23 -0600 (CST)
>
> padgett@tccslr.dnet.mmc.com wrote:
> >So my feeling is that the nodes really do not need any security except as
> >a second line of defense (I like defense in depth - preferably three levels
> >deep) because the problem packets should never reach the nodes if I have
> >done my job properly.
>
> Wow! That's quite a statement. I think that our network perimeter provides
> us the lion's share of our security, but that doesn't mean that I don't make
> node based security a priority.
>
> Do all of you out there really put that much confidence in your firewalls that
> you feel you could comfortably ignore the security of individual nodes?
> To the extent that just about any unix box can be a router and do SLIP/PPP, don't
> I have to worry about a node creating another point of contact from the
> Internet? Or is that kind of awareness not considered node based security?

I'm sure someone will remind us soon that this is a firewalls discussion,
and node-centric security is off-topic. Having 2 cents burning a hole in
my pocket, though...

I think node-based security checks are critical as a defense against the
interior threat. Network protocol analysis will not tell me that someone
has created a bogus root account, or point to illicit setuid files. I agree
with Padgett on the defense-in-depth. The hard-outside-and-soft-center
analogy is misleading; it implies one layer is enough. A firewall protects
us from the world, and tiger et al. protects us from ourselves, and both
are justifiably necessary.

down 'scope, rig for silent running...

John Reynolds                            When action is unprofitable,
Applied Materials                          gather information.
3320 Scott Blvd. MS 1119                 When information is unprofitable,
Santa Clara CA 95054                       sleep.
(408) 235-6352                                     - Ursula K. LeGuin
reynolds@acetsw.amat.com

From firewalls-owner Wed Mar 1 10:10:00 1995
From: horn@mickey.jsc.nasa.gov
Date: Wed, 1 Mar 1995 11:07:19 -0600 (CST)
To: rmck@sandfiddler.paragon-systems.com (Bob McKisson)
Subject: Re: Node based security (Was: Re: No Out-Of-The-Box Security)

> As long as all nodes are on the "black side" of a well
> thought-out and implemented perimeter, you should be good to go.

Yes, but part of the question is can you guarantee that all nodes are on
the "black side"? SLIP/PPP and cheap modems have made this question a real
one. Don't you need individual host security in order to make the claim
that all nodes are on the "black side"?

-- 
Mark Horn (sparkie)
EMAIL: horn@mickey.jsc.nasa.gov
WWW: http://tommy.jsc.nasa.gov/~horn

From firewalls-owner Wed Mar 1 10:33:24 1995
From: sdw@lig.net (Stephen D. Williams)
Date: Wed, 1 Mar 1995 13:05:49 +0000 (GMT)
To: tws@wh.bayer.com
Cc: horn@mickey.jsc.nasa.gov, padgett@tccslr.dnet.mmc.com, firewalls@greatcircle.com
Subject: Re: Node based security (Was: Re: No Out-Of-The-Box Security)

...
> I think the issue of how you control what goes onto your
> network is a fundamental one. If someone you don't know
> can plug his/her machine (say, to the wall plate) and be
> on the network, all the bets are off.
> A question: does your boss understand that?

Any machine or network port you can get physical access to is a potential
end to your security. In most cases, it's a very trivial problem. This
will only be solved by proper authentication (kerberos, etc. to a certain
level) and encryption of everything (to another level).

You have to trust your employees to some extent. It's more important,
usually, to get work done than to hamper work with false security
measures. When real security is available, it'll be a different story.

> Regards,
> Tenna Sakai
> Miles Research Center
> (Soon to be Bayer Research Center)
>

sdw
-- 
Stephen D. Williams 25Feb1965 VW,OH     sdw@lig.net http://www.lig.net/sdw
Senior Consultant   513-865-9599 FAX/LIG 513.496.5223 OH Page BA Aug94-Feb95
OO R&D AI:NN/ES crypto    By Buggy: 2464 Rosina Dr., Miamisburg, OH 45342-6430
Firewall/WWW srvrs  ICBM/GPS: 39 38 34N 84 17 12W home, 37 58 41N 122 01 48W wrk
Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.28Jan95

From firewalls-owner Wed Mar 1 11:04:27 1995
From: patrick@oes.amdahl.com (Patrick Horgan)
Date: Wed, 1 Mar 1995 10:45:32 +0800
To: lyndond@roverpte.demon.co.uk
Cc: firewalls@greatcircle.com
Subject: Re: satan

> Can anyone tell me where I can get a copy of Satan?
>
> I have searched archie and came up with a long list of
> things with satan in the name but only one that looked
> promising at sune.stacken.kth.se but when I got there
> the cupboard was bare :(
>
> Any pointers ?

It's due to be released April 1

Patrick
 _______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;).   \
|                                                           (\           |
| Patrick J. Horgan       Amdahl Corporation                 \\   Have   |
| patrick@amdahl.com      1250 East Arques Avenue             \\ _ Sword |
| Phone : (408)992-2779   P.O. Box 3470 M/S 316                \\/  Will |
| FAX   : (408)773-0833   Sunnyvale, CA 94088-3470            _/\\ Travel|
\___________________________O16-2294________________________\)__________/

From firewalls-owner Wed Mar 1 11:36:25 1995
From: sedayao@argus.intel.com (Jeffrey C. Sedayao)
Date: Wed, 1 Mar 95 11:12:46 PST
To: patrick@oes.amdahl.com (Patrick Horgan)
Cc: lyndond@roverpte.demon.co.uk, firewalls@greatcircle.com
Subject: Re: satan

> > Can anyone tell me where I can get a copy of Satan?
> > I have searched archie and came up with a long list of
> > things with satan in the name but only one that looked
> > promising at sune.stacken.kth.se but when I got there
> > the cupboard was bare :(
> > Any pointers ?
> It's due to be released April 1

You can check out http://www.sjmercury.com/ for a story on Satan and Dan
Farmer.

> Patrick

-- 
Jeff Sedayao
Intel Corporation
sedayao@argus.intel.com

From firewalls-owner Wed Mar 1 12:02:29 1995
From: Mark.Gibbons-1@kmail.ksc.nasa.gov (Mark E. Gibbons)
Date: Wed, 1 Mar 95 14:49:30 EST
To: firewalls@greatcircle.com
Subject: satan

> Patrick Horgan
> It's due to be released April 1

How painfully appropriate.
meg

From firewalls-owner Wed Mar 1 12:19:45 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA11946 for firewalls-outgoing; Wed, 1 Mar 1995 11:51:13 -0800
Received: from infi.net (larry.infi.net [198.22.1.107]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA11935 for ; Wed, 1 Mar 1995 11:51:08 -0800
From:
Received: from h-froth.nr.infi.net by infi.net with smtp (Smail3.1.28.1 #13) id m0rjuOg-0000BcC; Wed, 1 Mar 95 14:49 EST
Received: by localhost (IBM OS/2 SENDMAIL VERSION 1.3.10/1.0um) id AA0064; Wed, 01 Mar 95 08:07:24 -0800
Message-Id: <9503011607.AA0064@localhost>
Mime-Version: 1.0
Date: Wed, 01 Mar 95 08:04:53 -0500
To: firewalls@greatcircle.com
Reply-To: kpresser@infi.net
Subject: Multiple Posts
X-Mailer: Ultimedia Mail/2 Lite, IBM T. J. Watson Research Center
Content-Type: text/plain; charset="US-ASCII"
Content-Id: <57_109_1_794063094>
Content-Transfer-Encoding: 7Bit
Content-Description:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sorry for the multiple posts, my mailer hiccupped. Need to look for an update to this sorry thing. (OS/2 Ultimail Lite)

Hope this only shows up once.
----------------------------------------------------------------------------
Ken Presser kpresser@infi.net
Mgr Tech Support Sara Lee Intimates

From firewalls-owner Wed Mar 1 12:46:03 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA11817 for firewalls-outgoing; Wed, 1 Mar 1995 11:40:01 -0800
Received: from gate3.fmr.com (gate3.FMR.Com [192.223.170.13]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA11812 for ; Wed, 1 Mar 1995 11:39:58 -0800
Received: (from adm@localhost) by gate3.fmr.com (8.6.9/8.6.9) id OAA20495 for ; Wed, 1 Mar 1995 14:36:38 -0500
Message-Id: <199503011936.OAA20495@gate3.fmr.com>
Received: from mbsb01.fmr.com(155.1.75.10) by gate3 via smap (V1.3mjr) id smab20480; Wed Mar 1 19:36:12 1995
Date: Mon, 27 Feb 1995 16:25:04 -0500
From: "J. T. Judge"
Subject: Re: DNS on firewall??
To: firewalls@greatcircle.com
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

For those of you with split DNS (small external DNS primary for XXX.com; resolv.conf points to internal DNS servers who are primary for XXX.com and have forwarders to the gateway to resolve external names):

Is your firewall a network level firewall? So, joe_user@yy.XXX.com can 'ftp foo.com' and it connects?

Or is your firewall an application level firewall? So, joe_user@yy.XXX.com can NOT 'ftp foo.com'; they have to 'ftp gateway.XXX.com' (TIS) or SOCKS their way out?

If you are application level, how do you deal with the problem that internal mailers, network client programs, etc. can resolve A and MX records for "out there" -- but these same client programs can NOT connect to those addresses?
advTHANKSance
- joe

From firewalls-owner Wed Mar 1 13:01:58 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA13009 for firewalls-outgoing; Wed, 1 Mar 1995 12:44:54 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA13004 for ; Wed, 1 Mar 1995 12:44:48 -0800
From: hcb@clark.net
Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA14669; Wed, 1 Mar 95 15:42:29 -0500
Date: Wed, 1 Mar 95 15:42:29 -0500
Message-Id: <9503012042.AA14669@uvs1.orl.mmc.com>
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Cc: "mail@mickey.jsc.nasa.gov"@uvs1.dnet.mmc.com, "firewalls@greatcircle.com"@uvs1.dnet.mmc.com
Subject: Re: Node based security (Was: Re: No Out-Of-The-Box Security)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Do I hear, then, that the correct model is a hard, crunchy shell around a soft crunchy onion?
:-)

Howard

From firewalls-owner Wed Mar 1 13:32:03 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA12898 for firewalls-outgoing; Wed, 1 Mar 1995 12:39:26 -0800
Received: from Sun.COM (Sun.COM [192.9.9.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA12891 for ; Wed, 1 Mar 1995 12:39:23 -0800
Received: from West.Sun.COM (west.West.Sun.COM) by Sun.COM (sun-barr.Sun.COM) id AA06972; Wed, 1 Mar 95 12:37:11 PST
Received: from sunlanl.West.Sun.COM by West.Sun.COM (5.0/SMI-5.3) id AA12920; Wed, 1 Mar 1995 12:37:10 +0800
Received: from avalon.West.Sun.COM by sunlanl.West.Sun.COM (5.0/SMI-SVR4) id AA20311; Wed, 1 Mar 1995 13:38:10 +0700
Received: by avalon.West.Sun.COM (5.x/SMI-SVR4) id AA13805; Wed, 1 Mar 1995 13:38:06 -0700
Date: Wed, 1 Mar 1995 13:38:06 -0700
From: Jean.Lehman@West.Sun.COM (Jean Lehman [Sun Los Alamos Consultant])
Message-Id: <9503012038.AA13805@avalon.West.Sun.COM>
To: Firewalls@greatcircle.com
Subject: packet filtering vs application based firewalls
X-Sun-Charset: US-ASCII
Content-Length: 607
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

please reply to me directly since I am not on this alias....

does anyone have a strong opinion about the advantages/disadvantages of a packet filtering firewall system (e.g. checkpoint) over an application based firewall (e.g. sidewinder)?

thanks in advance,

jean

----------------------------------------------------------------------
Jean Lehman, SE, Sun Microsystems
jean.lehman@west.sun.com 505-662-4767
2075 Trinity Drive Suite 300
Los Alamos, NM 87544

Teach children to be polite and courteous in the home, and, when
they grow up, they will never be able to edge their car onto a
freeway.
From firewalls-owner Wed Mar 1 13:49:02 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA13885 for firewalls-outgoing; Wed, 1 Mar 1995 13:28:20 -0800
Received: from dee.retix.com (dee.retix.com [163.182.4.22]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA13880 for ; Wed, 1 Mar 1995 13:28:17 -0800
Received: from sleepy.retix.com (sleepy.retix.com [163.182.52.17]) by dee.retix.com (8.6.9/8.6.4) with ESMTP id NAA07833; Wed, 1 Mar 1995 13:26:01 -0800
From: joshua geller
Received: (joshua@localhost) by sleepy.retix.com (8.6.7/8.6.4) id NAA13753; Wed, 1 Mar 1995 13:26:00 -0800
Date: Wed, 1 Mar 1995 13:26:00 -0800
Message-Id: <199503012126.NAA13753@sleepy.retix.com>
To: Mark.Gibbons-1@pp.ksc.nasa.gov
CC: firewalls@GreatCircle.COM
In-reply-to: <9503011949.AA05015@escact.ksc.nasa.gov.ksc.nasa.gov> (Mark.Gibbons-1@pp.ksc.nasa.gov)
Subject: Re: satan
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

meg:

> > Patrick Horgan
> > It's due to be released April 1
> How painfully appropriate.

daddy, tell me about regret....
josh

From firewalls-owner Wed Mar 1 14:01:51 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA14417 for firewalls-outgoing; Wed, 1 Mar 1995 13:43:38 -0800
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA14412 for ; Wed, 1 Mar 1995 13:43:35 -0800
Received: from ingress.com by relay2.UU.NET with SMTP id QQyffq26891; Wed, 1 Mar 1995 16:40:51 -0500
Received: by ingress.com (4.1/SMI-4.1) id AA05725; Wed, 1 Mar 95 16:33:46 EST
Date: Wed, 1 Mar 95 16:33:46 EST
From: cbk@ingress.com (Charles Kaplan)
Message-Id: <9503012133.AA05725@ingress.com>
To: mckenney@smiley.mitre.org
Subject: point to point (PPP) encryptor
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Brian,

While this doesn't solve your PPP encryption problem, as you already have a series of firewalls, Blackhole by Milkyway technology presently supports encryption between its own firewalls. Additionally, Janus by BNTi is expecting to release this functionality by 'summertime'.
-Charles Kaplan
'A biased systems integrator of the above products'

From firewalls-owner Wed Mar 1 14:19:10 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA14052 for firewalls-outgoing; Wed, 1 Mar 1995 13:33:38 -0800
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA14047 for ; Wed, 1 Mar 1995 13:33:36 -0800
Received: from ingress.com by relay2.UU.NET with SMTP id QQyffq24702; Wed, 1 Mar 1995 16:30:44 -0500
Received: by ingress.com (4.1/SMI-4.1) id AA05129; Wed, 1 Mar 95 16:23:36 EST
Date: Wed, 1 Mar 95 16:23:36 EST
From: cbk@ingress.com (Charles Kaplan)
Message-Id: <9503012123.AA05129@ingress.com>
To: firewalls@greatcircle.com
Subject: Netware passwords
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There was a thread here yesterday on Netware security/bindery password changing, etc. Whoever these guys in CA are, for $300 they have quite a scam. There is a free NLM (I have it somewhere around here, but I believe I found it on netwire) that loads and wipes the supervisor pw. Very useful if you truly do lose your password, or have a client who does so.

For lengthy discussions on this look towards the netware news group or mailing list.

---
Charles B. Kaplan
Ingress Communications

From firewalls-owner Wed Mar 1 14:31:51 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA15586 for firewalls-outgoing; Wed, 1 Mar 1995 14:18:27 -0800
Received: from quack.kfu.com ([204.147.226.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA15581 for ; Wed, 1 Mar 1995 14:18:23 -0800
Received: from phoenix (phoenix.kfu.com) by quack.kfu.com with SMTP id AA02966 (5.65c8/IDA-1.4.4 for ); Wed, 1 Mar 1995 14:16:10 -0800
Received: by phoenix (5.x//ident-1.0) id AA22263; Wed, 1 Mar 1995 14:16:08 -0800
Newsgroups: quack.firewalls
Path: quack.kfu.com!nsayer
From: nsayer@quack.kfu.com (Nick Sayer)
Subject: Re: Firewalls replying with ICMP packets.
Message-Id:
Organization: The Duck Pond public unix: +1 408 249 9630, log in as 'guest'.
References: <199502282035.MAA15520@miles.greatcircle.com>
Date: 1 Mar 1995 22:15:59 UTC
Lines: 22
Content-Type: text
Apparently-To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

firewalls-digest-owner@greatcircle.com writes:

>A related question is, should your firewall send back anything at all or
>should you leave the sender wondering what happened to his nastygrams ?

Consider the case where sendmail does an RFC-931 query before presenting its 200 banner on port 25 connections. If a firewall on the sender just eats the port 113 connect attempts, then the sender will probably timeout waiting for the welcome mat. What makes this worse is that many sendmails, having gotten a connection, then having it time out waiting for a welcome, will NOT go back and try secondary MX hosts, so the mail will be forever undeliverable.

If instead the firewall bounced a host unreachable back, then the IDENT query fails much more quickly and the sendmail can then put out the welcome mat in time and the SMTP transaction continues normally.

--
Nick Sayer | "Post and the world posts with you.
N6QQQ @ N0ARY.#NOCAL.CA.USA.NOAM | Browse the web and you browse alone."
+1 408 249 9630, log in as 'guest' |
URL: http://www.kfu.com/~nsayer/ | -- The Usenet Oracle

From firewalls-owner Wed Mar 1 14:50:23 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA15510 for firewalls-outgoing; Wed, 1 Mar 1995 14:13:32 -0800
Received: from svcs1.digex.net (svcs1.digex.net [204.91.197.224]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA15505 for ; Wed, 1 Mar 1995 14:13:29 -0800
Received: from paragon-systems.com (sundevil.paragon-systems.com) by svcs1.digex.net with SMTP id AA01029 (5.67b8/IDA-1.5 for ); Wed, 1 Mar 1995 17:11:02 -0500
Received: from Paragon-Systems.COM (sandfiddler) by paragon-systems.com (4.1/SMI-4.1) id AA02435; Wed, 1 Mar 95 17:12:26 EST
Received: by Paragon-Systems.COM (5.0/SMI-SVR4) id AA00556; Wed, 1 Mar 1995 17:09:54 +0500
Date: Wed, 1 Mar 1995 17:09:54 +0500
From: rmck@sandfiddler.paragon-systems.com (Bob McKisson)
Message-Id: <9503012209.AA00556@ Paragon-Systems.COM>
To: Firewalls@greatcircle.com, Jean.Lehman@west.sun.com
Subject: Re: packet filtering vs application based firewalls
X-Sun-Charset: US-ASCII
Content-Length: 1516
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From firewalls-owner@GreatCircle.COM Wed Mar 1 16:47 EST 1995
> Date: Wed, 1 Mar 1995 13:38:06 -0700
> From: Jean.Lehman@West.Sun.COM (Jean Lehman [Sun Los Alamos Consultant])
> To: Firewalls@greatcircle.com
> Subject: packet filtering vs application based firewalls
>
>
> please reply to me directly since I am not on this alias....
>
> does anyone have a strong opinion about the advantages/disadvantages
> of a packet filtering firewall system (e.g. checkpoint) over
> an application based firewall (e.g. sidewinder)?
>
> thanks in advance,
>
> jean
>
> ----------------------------------------------------------------------
> Jean Lehman, SE, Sun Microsystems
> jean.lehman@west.sun.com 505-662-4767
> 2075 Trinity Drive Suite 300
> Los Alamos, NM 87544
>
> Teach children to be polite and courteous in the home, and, when
> they grow up, they will never be able to edge their car onto a
> freeway.

Well, I guess it depends on what level of protection you need. In my opinion packet filtering firewalls are not worth much beyond a tinker's damn. Application firewalls can also be dangerous unless you keep everything but the OS and the firewall code off the machine, but are by far better than the others.

If you are serious (and IMNSHO you can't be too serious if you are considering FW-1) about security I'd look at:

SCC's Sidewinder ~ $40K
DEC's SEAL ~ $35K (I think)
Raptor's Eagle ~ $25K
TIS's Gauntlet ~ $15K

My opinion is that the best value lies in the bottom two.

rmck

From firewalls-owner Wed Mar 1 15:05:33 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA15496 for firewalls-outgoing; Wed, 1 Mar 1995 14:12:54 -0800
Received: from quack.kfu.com ([204.147.226.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA15491 for ; Wed, 1 Mar 1995 14:12:50 -0800
Received: from phoenix (phoenix.kfu.com) by quack.kfu.com with SMTP id AA02855 (5.65c8/IDA-1.4.4 for ); Wed, 1 Mar 1995 14:10:36 -0800
Received: by phoenix (5.x//ident-1.0) id AA22032; Wed, 1 Mar 1995 14:10:30 -0800
Newsgroups: quack.firewalls
Path: quack.kfu.com!nsayer
From: nsayer@quack.kfu.com (Nick Sayer)
Subject: Re: Sendmail bug
Message-Id:
Organization: The Duck Pond public unix: +1 408 249 9630, log in as 'guest'.
References: <199502280900.BAA00552@miles.greatcircle.com>
Date: 1 Mar 1995 22:10:19 UTC
Lines: 39
Content-Type: text
Apparently-To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

firewalls-digest-owner@greatcircle.com writes:

>> From firewalls-owner@GreatCircle.COM Sat Feb 25 10:16 EST 1995
>> From: "Dr. Frederick B. Cohen"
>> Subject: Sendmail bug
>> To: firewalls@greatcircle.com
>> Date: Fri, 24 Feb 1995 16:36:27 -0500 (EST)
>>
>> I just discovered that the sendmail bug (new) works from outside on
>> SunOS - CONTRARY TO WHAT THE CERT ADVISORY SAYS!!!
>>
>As a matter of interest, are we talking SunOS or Solaris, as from the CERT
>advisory, it says SOLARIS isn't vulnerable, yet it publishes details of
>a patch.... I'm confused........

Without adding the version numbers, none of the above statements makes any sense at all.

Solaris 1.x contains SunOS 4.x. That is, Solaris 1.0 contains SunOS 4.1, Solaris 1.0.1 contains SunOS 4.1.1, Solaris 1.1 contains SunOS 4.1.2, Solaris 1.1.1 contains SunOS 4.1.3, Solaris 1.1.1B contains SunOS 4.1.3_U1, and Solaris 1.1.2 contains SunOS 4.1.4.

Solaris 2.x contains SunOS 5.x. That is, Solaris 2.0 contains SunOS 5.0, Solaris 2.1 contains SunOS 5.1, Solaris 2.2 contains SunOS 5.2, Solaris 2.3 contains SunOS 5.3, and Solaris 2.4 contains SunOS 5.4.

The word 'contains' is carefully chosen. A particular rev of Solaris is a superset, containing a version of SunOS, Openwindows, the Deskset crap, and probably a few other things.

Just tossing out the word SunOS or Solaris has no differentiating power at all, except that it excludes SunOS revs <4.1.

--
Nick Sayer | Anita Hill then, Paula Jones now.
N6QQQ @ N0ARY.#NOCAL.CA.USA.NOAM |
+1 408 249 9630, log in as 'guest' | What goes around, comes around.
URL: http://www.kfu.com/~nsayer/ |

From firewalls-owner Wed Mar 1 15:34:56 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA16082 for firewalls-outgoing; Wed, 1 Mar 1995 14:33:16 -0800
Received: from Aptech.com (rama.aptech.com [199.29.185.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA16077 for ; Wed, 1 Mar 1995 14:33:11 -0800
Received: from amos.Aptech.com by Aptech.com (5.x/SMI-SVR4) id AA14772; Wed, 1 Mar 1995 14:31:01 -0800
Received: by amos.Aptech.com (5.x/SMI-SVR4) id AA06826; Wed, 1 Mar 1995 14:31:01 -0800
Date: Wed, 1 Mar 1995 14:31:01 -0800
From: sjones@Aptech.com (Samuel D. Jones)
Message-Id: <9503012231.AA06826@amos.Aptech.com>
To: firewalls@greatcircle.com
Subject: Cisco
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Can someone give me address and such for Cisco?

From firewalls-owner Wed Mar 1 15:48:30 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA17090 for firewalls-outgoing; Wed, 1 Mar 1995 15:02:24 -0800
Received: from tadpole.tadpole.com (tadpole.Tadpole.COM [160.104.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA17080 for ; Wed, 1 Mar 1995 15:02:21 -0800
Received: from chiba (chiba.Tadpole.COM [160.104.1.6]) by tadpole.tadpole.com (8.6.10/8.6.10) with SMTP id QAA17995; Wed, 1 Mar 1995 16:58:45 -0600
From: Jim Thompson
Received: by chiba (5.x/SPARCbook_POP1.3) id AA07185; Wed, 1 Mar 1995 16:58:44 -0600
Date: Wed, 1 Mar 1995 16:58:44 -0600
Message-Id: <9503012258.AA07185@chiba>
To: Firewalls@GreatCircle.COM, Jean.Lehman@west.sun.com, rmck@sandfiddler.paragon-systems.com
Subject: Re: packet filtering vs application based firewalls
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> If you are serious (and IMNSHO you can't be too serious if you are
> considering FW-1) about security I'd look at:
>
> SCC's Sidewinder ~ $40K
> DEC's SEAL ~ $35K (I think)
> Raptor's Eagle ~ $25K
> TIS's Gauntlet ~ $15K

Smallworks NetGate ~ $5k (for source!)

> My opinion is that the best value lies in the bottom two.

And how.

Jim

From firewalls-owner Wed Mar 1 16:01:59 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA17302 for firewalls-outgoing; Wed, 1 Mar 1995 15:08:49 -0800
Received: from amisk.cs.ualberta.ca (amisk.cs.ualberta.ca [129.128.13.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA17297 for ; Wed, 1 Mar 1995 15:08:45 -0800
Received: by amisk.cs.ualberta.ca id <138916-2>; Wed, 1 Mar 1995 16:06:18 -0700
Subject: Re: Firewalls replying with ICMP packets.
From: Bob Beck
To: nsayer@quack.kfu.com (Nick Sayer)
Date: Wed, 1 Mar 1995 16:06:13 -0700 (MST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Nick Sayer" at Mar 1, 95 10:15:59 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1094
Message-Id: <95Mar1.160618-0700_(mst).138916-2@amisk.cs.ualberta.ca>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Consider the case where sendmail does an RFC-931 query before presenting
> it's 200 banner on port 25 connections. If a firewall on the sender just
> eats the port 113 connect attempts, then the sender will probably
> timeout waiting for the welcome mat. What makes this worse is that many
> sendmails, having gotten a connection, then having it time out waiting
> for a welcome, will NOT go back and try secondary MX hosts, so the mail
> will be forever undeliverable.
>
> If instead the firewall bounced a host unreachable back, then the IDENT
> query fails much more quickly and the sendmail can then put out the
> welcome mat in time and the SMTP transaction continues normally.
>

Then in this case, rather than having the firewall bounce a host unreachable, wouldn't it be just as easy to allow the port 113 ident connection?
At least for any machine behind the firewall that is likely to be sending mail on to the outside. Unless of course, you're able to set it up so that for certain destination ports you'll send an ICMP reply when you drop it, and others you won't.

-Bob

From firewalls-owner Wed Mar 1 16:21:54 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA18507 for firewalls-outgoing; Wed, 1 Mar 1995 16:00:08 -0800
Received: from suntan.Tandem.com (suntan.tandem.com [192.216.221.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA18458 for ; Wed, 1 Mar 1995 15:59:58 -0800
From: pat@loc201.tandem.com
Received: from admin_01 (admin_01.loc201.tandem.com) by suntan.Tandem.com (4.1/suntan5.940222) for firewalls@greatcircle.com id AA07093; Wed, 1 Mar 95 15:57:46 PST
Received: from vern.loc201.tandem.com.loc201.tandem.com by admin_01 (4.1/6main.940209) id AA08979; Wed, 1 Mar 95 15:57:46 PST
Received: by vern.loc201.tandem.com.loc201.tandem.com (4.1/6nospool.930120) id AA25670; Wed, 1 Mar 95 15:57:45 PST
Date: Wed, 1 Mar 95 15:57:45 PST
Message-Id: <9503012357.AA25670@vern.loc201.tandem.com.loc201.tandem.com>
To: firewalls@greatcircle.com, sjones@aptech.com
Subject: Re: Cisco
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Can someone give me address and such for Cisco?
Cisco Systems Inc
Corporate Headquarters
170 West Tasman Drive
San Jose, CA 95134-1706 USA
408-526-4000
800-553-6387
http://www.cisco.com

From firewalls-owner Wed Mar 1 16:32:00 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA18891 for firewalls-outgoing; Wed, 1 Mar 1995 16:15:00 -0800
Received: from Aptech.com (rama.aptech.com [199.29.185.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA18875 for ; Wed, 1 Mar 1995 16:14:54 -0800
Received: from amos.Aptech.com by Aptech.com (5.x/SMI-SVR4) id AA15114; Wed, 1 Mar 1995 16:12:39 -0800
Received: by amos.Aptech.com (5.x/SMI-SVR4) id AA07178; Wed, 1 Mar 1995 16:12:40 -0800
Date: Wed, 1 Mar 1995 16:12:40 -0800
From: sjones@Aptech.com (Samuel D. Jones)
Message-Id: <9503020012.AA07178@amos.Aptech.com>
To: Firewalls@GreatCircle.COM
Subject: FW-1, etc.
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> If you are serious (and IMNSHO you can't be too serious if you are
>> considering FW-1) about security I'd look at:
>>
>> SCC's Sidewinder ~ $40K
>> DEC's SEAL ~ $35K (I think)
>> Raptor's Eagle ~ $25K
>> TIS's Gauntlet ~ $15K
>
> Smallworks NetGate ~ $5k (for source!)
>
>> My opinion is that the best value lies in the bottom two.
>
>And how.

What makes these better than FW-1? Just asking, I have no argument with this, I just don't know.
sjones@Aptech.com

From firewalls-owner Wed Mar 1 17:00:39 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA19283 for firewalls-outgoing; Wed, 1 Mar 1995 16:30:49 -0800
Received: from casbah.acns.nwu.edu (casbah.acns.nwu.edu [129.105.16.52]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA19276 for ; Wed, 1 Mar 1995 16:30:45 -0800
Received: from [129.105.110.129] (socrates.acns.nwu.edu) by casbah.acns.nwu.edu with SMTP (1.37.109.15/20.3) id AA094414110; Wed, 1 Mar 1995 18:28:30 -0600
Date: Wed, 1 Mar 1995 18:28:30 -0600
X-Sender: lunde@casbah.acns.nwu.edu
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Priority: 4 (Low)
To: firewalls@GreatCircle.COM
From: Albert-Lunde@nwu.edu (Albert Lunde)
Subject: Re: satan
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:12 AM 3/1/95, sedayao@argus.intel.com wrote:
>> > Can anyone tell me where I can get a copy of Satan?
[...]
>> It's due to be released April 1
>
>You can check out
>
>http://www.sjmercury.com/
>
>for a story on Satan and Dan Farmer.

Dan Farmer has a personal home page at:

http://www.fish.com/dan.html

There's a link to a page on SATAN there that doesn't say anything about release dates, etc., but it might be worth checking these occasionally.
---
Albert Lunde Albert-Lunde@nwu.edu

From firewalls-owner Wed Mar 1 17:31:51 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA20058 for firewalls-outgoing; Wed, 1 Mar 1995 17:02:11 -0800
Received: from wh.bayer.com (wh.bayer.com [192.80.67.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA20052 for ; Wed, 1 Mar 1995 17:02:05 -0800
From: tws@wh.bayer.com
Received: by wh.bayer.com (4.1/SMI-4.1) id AA17235; Wed, 1 Mar 95 19:57:25 EST
Received: by mrcs1 (5.64/X1.00) id AA24065; Wed, 1 Mar 95 19:57:09 -0500
Date: Wed, 1 Mar 95 19:57:09 -0500
Message-Id: <9503020057.AA24065@mrcs1>
To: firewalls@greatcircle.com, sjones@Aptech.com
Subject: Re: Cisco
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From firewalls-owner@GreatCircle.COM Wed Mar 1 18:38:52 1995
> From: sjones@Aptech.com (Samuel D. Jones)
> To: firewalls@greatcircle.com
> Subject: Cisco
> Can someone give me address and such for Cisco?

I've got a URL if that helps:

http://www.cisco.com/

Tenna Sakai
Miles Research Center

From firewalls-owner Wed Mar 1 18:01:49 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA20991 for firewalls-outgoing; Wed, 1 Mar 1995 17:47:42 -0800
Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA20986 for ; Wed, 1 Mar 1995 17:47:39 -0800
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 1 Mar 1995 17:45:50 -0800
To: firewalls@greatcircle.com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: CERT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Let's drop this non-disclosure vs. disclosure thread, eh? It comes up every time a new advisory comes out, and nobody ever changes their mind; we just get the same arguments over and over again. Let it rest.
-Brent
--
== For info about the Internet Security Firewalls Tutorial and a schedule ==
== of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM ==
==============================================================================
== Brent Chapman Great Circle Associates ==
== Brent@GreatCircle.COM 1057 West Dana Street ==
== +1 415 962 0841 Mountain View, CA 94041 ==

From firewalls-owner Wed Mar 1 18:18:50 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA20857 for firewalls-outgoing; Wed, 1 Mar 1995 17:39:06 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA20852 for ; Wed, 1 Mar 1995 17:39:01 -0800
Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA16404; Wed, 1 Mar 95 20:36:45 -0500
Date: Wed, 1 Mar 95 20:36:45 -0500
Message-Id: <9503020136.AA16404@uvs1.orl.mmc.com>
From: Brent@greatcircle.com
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security), ("firewalls@greatcircle.com"@uvs1.dnet.mmc.com)
Subject: Re: Access
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:08 2/27/95, padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Informat wrote:
>>2. Turn off modem access at your PBX. Draconian, but it should work.
>
>I also periodically sweep our phone lines looking for autoanswer modems
>and we have a policy requiring registration of all modems. With the next
>switch (in the capital plan) we will have the capability to turn modem
>capability on and off of individual lines.

Until some VP/Sales says "I wanna fax modem!!!"
-Brent -- == For info about the Internet Security Firewalls Tutorial and a schedule == == of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM == ============================================================================== == Brent Chapman Great Circle Associates == == Brent@GreatCircle.COM 1057 West Dana Street == == +1 415 962 0841 Mountain View, CA 94041 == From firewalls-owner Wed Mar 1 18:31:58 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA20751 for firewalls-outgoing; Wed, 1 Mar 1995 17:34:39 -0800 Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA20746; Wed, 1 Mar 1995 17:34:35 -0800 X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 1 Mar 1995 17:32:46 -0800 To: David Miller , Aaron Schmiedel From: Brent@GreatCircle.COM (Brent Chapman) Subject: RE: 60 Minutes Cc: firewalls Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 16:40 2/28/95, David Miller wrote: >On 28 Feb 1995, Aaron Schmiedel wrote: > >> >>>Why is this stuff being posted to firewalls? > >> If this isn't the right place to share information sources, I'll not post >> anything further on the matter and find a list that does encourage >> dissemination of information that allows us to protect OUR information. > >Uhm, the charter for firewalls is discussion of firewalls, not general >security. Yes. >> And if there is another list that does, I'd certainly like to know about it! >> >> -Aaron > >bugtraq is probably better suited for discussion of specific items >relating to unix security. Several usenet groups, comp.unix.security >among them are well suited for general discussions. If there are more >general security related lists out there, I'd like to know as well:) Yes. 
-Brent

From firewalls-owner Wed Mar 1 18:36:34 1995
From: AAng Kusnadi
Date: Thu, 2 Mar 1995 12:56:03 +1100 (EST)
To: firewalls@greatcircle.com
Subject: unsubcribe

unsubcribe firewalls akusnadi@st.nepean.uws.edu.au

From firewalls-owner Wed Mar 1 18:55:44 1995
From: brian@imcon.ilinx.com
Date: Wed, 1 Mar 1995 17:55:41 -0700 (PST)
To: sy71703@public.fmr.com
Cc: firewalls@greatcircle.com
Subject: Re[2]: DNS on firewall??

from the quill of "J. T. Judge"
>
> If you are application level, how do you deal with the
> problem that internal mailers, network client programs, etc
> can resolve A and MX records for "out there" -- but these
> same client programs can NOT connect to those addresses ?
>

Ah, yes. I had to deal with this one over the weekend. I was fortunate in my
decision to dump sendmail for smail a long time ago. With smail, you can tell
it only to do a hostname lookup if the domain is known (i.e. I can list which
domains to do a hostname lookup of) and I specify only our internal domain as
known. This way mail to the inside domain gets looked up and passed via SMTP
but mail to all other domains is routed to the smarthost. Very slick, thanx
Smail guys.

b.
--
Brian J. Murrell                          brian@ilinx.com
InterLinx Support Services, Inc.          brian@wimsey.com
North Vancouver, B.C.                     604 983
UNIX Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD

From firewalls-owner Wed Mar 1 19:01:44 1995
From: Brent@GreatCircle.COM (Brent Chapman)
Date: Wed, 1 Mar 1995 18:33:42 -0800
To: David Buchanan, firewalls@greatcircle.com
Cc: dbuchana@unitedis.com
Subject: Re: JANUS

At 14:00 2/21/95, David Buchanan wrote:
> We are considering moving an existing class B subnet to a Class C behind the
>JANUS gateway. One requirement is that our client doesn't want people
>to have to learn new e-mail addresses. Our concern is over "dumb"
>mailers which might not pay attention to MX records or DNS altogether.
>How many "dumb" mailers actually exist on the Internet, (ie. how much of
>a problem is this really) ? Has anyone had to face a similar situation.

It's really not a problem. There is no IP address assigned to
"GreatCircle.COM", for instance (only a couple of MX records), and that's true
of many domains on the Internet (many domains have ONLY MX records, because
they're connected via UUCP to a service provider, for example). If this were a
significant problem, a LOT of sites would be unreachable by email. Anybody
whose mailer is that dumb generally configures it to send _all_ their outgoing
mail to their service provider (who presumably has a smarter mailer).
-Brent

From firewalls-owner Wed Mar 1 19:16:58 1995
From: Brent@GreatCircle.COM (Brent Chapman)
Date: Wed, 1 Mar 1995 18:10:27 -0800
To: lavondes@tidtest.total.fr, avalon@coombs.anu.edu.au (Darren Reed)
Cc: firewalls@greatcircle.com (fw)
Subject: Re: Firewalls replying with ICMP packets.

At 08:21 2/28/95, Michel Lavondes wrote:
>Darren Reed wrote :
>>
>> As some firewalls can be configured to reply to various packets with
>> ICMP messages, I'm wondering, which do they use ? Just host unreachable ?
>
>If you have a filtering router as (part of) your firewall, you're limited
>to what the router will do (eg, ciscos will send HOST UNREACHABLE only,
>whether the packet is filtered out due to its addresses, protocol, port
>or just because of a true unknown destination.)
>
>A related question is, should your firewall send back anything at all or
>should you leave the sender wondering what happened to his nastygrams ?

I don't think the filtering router should send back ICMP messages in
response to packets dropped by filtering.

First, doing so gives an attacker a way to probe your filtering system, to
determine what it will and won't allow through; as we've seen in the recent
TCP sequence number attacks, there are things you can do if you can just get
packets into a network, even if you can't get answers back out directly.

Second, your filters shouldn't get triggered that often anyway. They're only
going to be triggered by things that violate your security policy, and there
just shouldn't be many such connections. Letting these few attempted
connections simply time out isn't going to cause that many more packets to
flow as things retry before they time out. Every packet dropped by filtering
here at GreatCircle.COM is logged; it amounts to a handful of packets per day
(usually less than a dozen).

It would be nice if you could return ICMP codes to only your internal hosts,
so that your users got immediate errors rather than timeouts, but I don't
think it's critical; it's more critical to keep attackers from having a tool
to probe your filtering.

-Brent

From firewalls-owner Wed Mar 1 19:38:51 1995
From: Brent@GreatCircle.COM (Brent Chapman)
Date: Wed, 1 Mar 1995 18:21:48 -0800
To: Eric.Salome@siege.cnes.fr, Firewalls@GreatCircle.com
Subject: Re: FW: questions about security & WWW browsers

At 04:26 2/25/95, Eric.Salome@siege.cnes.fr wrote:
>Brent said :
>>
>>They aren't holes, they're features. :-) They're features when the
>>various programs (troff, ghostscript, etc.; all the things that have shell
>>escapes and other built-in system access features) are used as their
>>authors intended (i.e., they're fed files created by their users). They're
>>only security holes when the programs are fed files created by attackers.
>>Mosaic merely provides a more convenient way for users to do that; they
>>could feed the files to the programs by hand, and have the same problems.
>>
>>
>My main concern is not Users breaching through their own system's security,
>but preventing Strangers from doing it.
>
>If any bad guy can feed special files to featured programs running on my own
>system, while I am losing time from Web to Web, I could find out the living
>has run away when I come back home.

I didn't mean to imply that the users would do it intentionally. They would
probably be unwitting accomplices of the attacker. All the attacker has to do
is get them to run the attacker's code; I can think of all sorts of
interesting ways that an attacker could present something in such a way that
users are going to think "oh, cool, I'll try that" and run it. Mosaic, et al,
doesn't make this _possible_ (it's been possible all along; the user could
have downloaded the trojanned code by FTP), it just makes it much _easier_ for
the users to fall into these traps (with a single mouse click).

>I can't strip all the "features" off troff, ghostscripts and others.
>So what's left. Should we filter any Mosaic communications ? Could we ?

Teach your users safe surfing.

>And even if we can think of pretty good filters (tell me if we can), is it a
>good idea that somebody has to maintain a list of external WWW servers we
>just don't want to know about anymore.
>We might want to forbid Mosaic connections to those servers and this is a
>very simple thing to do.

This approach ("list the problem sites/protocols/whatever, then block them")
to any security problem is doomed to failure. There will always be one more
dangerous server that isn't on your list (yet).

-Brent

From firewalls-owner Wed Mar 1 22:01:39 1995
From: uusr445!bock!daves@rambone.psi.net
Date: Wed, 1 Mar 1995 15:46:17 +0800
To: pokey@maddie.atlantic.com, kovar@NDA.COM
Cc: firewalls@GreatCircle.COM
Subject: Re: Problems w/Firewall-1 and SPARC1000....

> From firewalls-owner@GreatCircle.COM Tue Feb 28 13:25:50 1995
> From: David Kovar
> Subject: Re: Problems w/Firewall-1 and SPARC1000....
> To: pokey@maddie.atlantic.com (Rick Romkey)
> Date: Tue, 28 Feb 1995 14:44:31 -0500 (EST)
> Cc: firewalls@GreatCircle.COM
>
> > Has anyone on this group experienced any problems with running
> > Firewall-1 on a SPARC1000 (running Solaris 2.3)? Our customer
> > is experiencing random crashes.
> >
> > -Rick
>
> Yep, we are still experiencing this sort of behavior on a Sparc Classic.
> It seems to be a problem on the Sun, not on FW-1.
>
> Look at your logs and see if the crash is happening right after you
> initiate a file transfer.
>
> -David
>

I'd check to make sure all needed Solaris patches are applied, in the proper
order :).....

-Daves
------------------------------------------------------------
David Schiffrin
Systems Engineer
MicroAge, San Diego
(619)566-1900 x7692
daves@sd.microage.com

From firewalls-owner Wed Mar 1 23:01:51 1995
From: patrick@oes.amdahl.com (Patrick Horgan)
Date: Wed, 1 Mar 1995 22:33:37 +0800
To: Firewalls@GreatCircle.COM, sjones@Aptech.com
Subject: Re: FW-1, etc.

>From firewalls-owner@GreatCircle.COM Wed Mar 1 22:12 PST 1995
>Date: Wed, 1 Mar 1995 16:12:40 -0800
>From: sjones@Aptech.com (Samuel D. Jones)
>To: Firewalls@GreatCircle.COM
>Subject: FW-1, etc.
>
>>> If you are serious (and IMNSHO you can't be too serious if you are
>>> considering FW-1) about security I'd look at:

Let's hear your reasons for not liking Firewall-1. We don't have the product,
I have no connection with the product, but I've done an extensive evaluation
of it. I know its strengths and weaknesses very well. I'd love to discuss it.
Do you have real complaints, or is this another, "Oh it does packet
filtering, it can't be a real firewall." complaint?
Patrick
These opinions are mine, and not Amdahl's (except by coincidence;).
Patrick J. Horgan, Amdahl Corporation
patrick@amdahl.com, 1250 East Arques Avenue, P.O. Box 3470 M/S 316, Sunnyvale, CA 94088-3470
Phone: (408)992-2779  FAX: (408)773-0833
"Have Sword, Will Travel"

From firewalls-owner Wed Mar 1 23:26:59 1995
From: Brent@GreatCircle.COM (Brent Chapman)
Date: Wed, 1 Mar 1995 22:40:21 -0800
To: widner@uchicago.edu, Firewalls@greatcircle.com
Cc: mcb@GreatCircle.COM
Subject: Re: something else about sendmail

At 00:54 2/28/95, Michael R. Widner wrote:
>Since this is pretty damn well known already, and since I felt slightly
>disappointed by Niel's and Karl's change of position on full disclosure, I'll
>send along a couple of quick hacks.
>
>There are two progs attached, both very short. You should be sure to read
>them carefully and make sure you understand them before you run them. They
>are not quite as innocuous as Hobbit's example. They also may need slight
>modifications depending on your system. They should work on 4.1.x as is,
>but your mileage will vary depending on the location of your inetd and such.

Please don't do this again. One of the very few hard and fast guidelines that
the Firewalls mailing list operates under is "don't post cracking code".

This is one of the very few hard and fast policies that the Firewalls mailing
list operates under, and it is in the info that every subscriber gets when
they join the list.

The code in question has been removed from the Firewalls archives. I'm not
willing to take the liability risk of having this software distributed
through my systems.

This is not open for discussion; if you don't like it, go somewhere else.

-Brent

From firewalls-owner Thu Mar 2 00:01:45 1995
From: mulligan@incog.com
Date: Thu, 02 Mar 95 00:28:45 MST
To: Brent@GreatCircle.COM (Brent Chapman)
Cc: lavondes@tidtest.total.fr, avalon@coombs.anu.edu.au (Darren Reed), firewalls@greatcircle.com (fw)
Subject: Re: Firewalls replying with ICMP packets.

> >A related question is, should your firewall send back anything at all or
> >should you leave the sender wondering what happened to his nastygrams ?
>
> I don't think the filtering router should send back ICMP messages in
> response to packets dropped by filtering.
>

I disagree. I think that this should be configurable. If for some reason you
want to send icmp's on a per rule/port/service and per interface basis, you
should be able. In addition, you should be able to set the type of
unreachable message that you send.

> Second, your filters shouldn't get triggered that often anyway. They're
> only going to be triggered by things that violate your security policy, and
> there just shouldn't be many such connections. Letting these few attempted
> connections simply time out isn't going to cause that many more packets to
> flow as things retry before they time out. Every packet dropped by
> filtering here at GreatCircle.COM is logged; it amounts to a handful of
> packets per day (usually less than a dozen).

I have seen a couple of sites that have continued to send packets for days,
even though a firewall was silently dropping the packets. A simple icmp host
unreachable sent back stopped it. As long as it is flexible and configurable,
you should have the option to send back icmps.
geoff

From firewalls-owner Thu Mar 2 00:31:44 1995
From: Brent@GreatCircle.COM (Brent Chapman)
Date: Thu, 2 Mar 1995 00:13:55 -0800
To: mulligan@incog.com
Cc: lavondes@tidtest.total.fr, avalon@coombs.anu.edu.au (Darren Reed), firewalls@greatcircle.com (fw)
Subject: Re: Firewalls replying with ICMP packets.

At 00:28 3/2/95, mulligan@incog.com wrote:
>> >A related question is, should your firewall send back anything at all or
>> >should you leave the sender wondering what happened to his nastygrams ?
>>
>> I don't think the filtering router should send back ICMP messages in
>> response to packets dropped by filtering.
>>
>
>I disagree. I think that this should be configurable. If for some
>reason you want to send icmp's on a per rule/port/service and per
>interface basis, you should be able. In addition, you should be able to
>set the type of unreachable message that you send.

I meant that filtering routers shouldn't AUTOMATICALLY send back ICMP messages
for blocked packets, as some do. A configurable option (particularly if it's
settable on a per-rule basis) would definitely be a good thing.

-Brent

From firewalls-owner Thu Mar 2 00:44:22 1995
From: Richard Voorintholt
Date: Thu, 2 Mar 95 9:16:10 MEZ
To: patrick@oes.amdahl.com
Cc: Firewalls@greatcircle.com
Subject: Re: FW-1, etc.

Patrick writes:
>
> Let's hear your reasons for not liking Firewall-1. We don't have the
> product, I have no connection with the product, but I've done an extensive
> evaluation of it. I know its strengths and weaknesses very well. I'd
> love to discuss it. Do you have real complaints, or is this another, "Oh
> it does packet filtering, it can't be a real firewall." complaint?
>
>

Could you share this knowledge with us. Someone advised us to use FW-1 so some
extra input on its strengths and weaknesses is very welcome.

--
Regards,
Richard Voorintholt ("Speaking for himself")     Richard@cvi.ns.nl
* NS Netwerk Services, PO box 2247, 3500 GE Utrecht, the Netherlands *
* telephone: +31-30-355764, fax: +31-30-356555 *

From firewalls-owner Thu Mar 2 07:02:14 1995
From: David Miller
Date: Thu, 2 Mar 1995 09:31:23 -0500 (EST)
To: "Samuel D. Jones"
Cc: Firewalls@GreatCircle.COM
Subject: Re: FW-1, etc.

On Wed, 1 Mar 1995, Samuel D. Jones wrote:
> >> If you are serious (and IMNSHO you can't be too serious if you are
> >> considering FW-1) about security I'd look at:
> >>
> >> SCC's Sidewinder ~ $40K
> >> DEC's SEAL ~ $35K (I think)
> >> Raptor's Eagle ~ $25K
> >> TIS's Gauntlet ~ $15K
> >
> > Smallworks NetGate ~ $5k (for source!)
> >
> >> My opinion is that the best value lies in the bottom two.
> >
> >And how.
>
> What makes these better than FW-1? Just asking, I have no argument
> with this, I just don't know.

FW-1 is a fancy packet filter. The others are firewalls with application
proxies and the like. Perhaps others here feel a packet filter mechanism can
be a firewall and provide real security, but I don't:)

--- David
----------------------------------------------------------------------------
It's *amazing* what one can accomplish when one doesn't know what one can't
do!
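The reject policy argued over in the "Firewalls replying with ICMP packets" thread above (silent drop by default, ICMP errors only toward the inside, per-rule choice of unreachable type, and Geoff's persistent-sender case), as an added example written for this page; it is not code from the list, from any router vendor or from Firewall-1, and the interface names, rule fields and TEST-NET addresses are constructed.

```python
"""Per-rule ICMP reject policy for a filtering router (added example, not code
from the list, any router vendor or Firewall-1).

A packet matching a deny rule is either dropped silently or answered with an
ICMP destination-unreachable whose type/code is chosen per rule. By default an
ICMP error is generated only for packets arriving on an internal interface, so
inside users get an immediate error while an outside sender gets nothing it
could use to map the filter; a rule can opt in to answering external senders
too (the remote site that keeps retransmitting for days). Every deny is
logged. Interface names, rule fields and the 192.0.2.0/24, 198.51.100.0/24 and
203.0.113.0/24 addresses are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# ICMP type 3 (destination unreachable) codes, RFC 792 and RFC 1812.
ICMP_HOST_UNREACH = (3, 1)
ICMP_PORT_UNREACH = (3, 3)
ICMP_ADMIN_PROHIBITED = (3, 13)

IcmpCode = Tuple[int, int]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int
    in_iface: str   # interface the packet arrived on, e.g. "inside" / "outside"


@dataclass
class Rule:
    action: str                             # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    reject_with: Optional[IcmpCode] = None  # ICMP (type, code) to send; None = silent drop
    answer_external: bool = False           # also send the ICMP to external senders

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


@dataclass
class Verdict:
    action: str                      # "permit", "drop" or "reject"
    icmp: Optional[IcmpCode] = None  # set only for "reject"
    rule: Optional[int] = None       # index of the matching rule; None = implicit deny


class PacketFilter:
    def __init__(self, rules: List[Rule], internal_ifaces=("inside",)):
        self.rules = rules
        self.internal_ifaces = set(internal_ifaces)
        self.log: List[str] = []   # one line per denied packet

    def _deny(self, p: Packet, idx: Optional[int], rule: Optional[Rule]) -> Verdict:
        # Answer with ICMP only when the rule asks for it AND the packet came
        # from an internal interface (or the rule explicitly opts in for outsiders).
        answer = (rule is not None and rule.reject_with is not None
                  and (p.in_iface in self.internal_ifaces or rule.answer_external))
        verdict = Verdict("reject", rule.reject_with, idx) if answer else Verdict("drop", None, idx)
        self.log.append(f"{verdict.action} rule={idx} {p.proto} "
                        f"{p.src}->{p.dst}:{p.dport} via {p.in_iface}")
        return verdict

    def evaluate(self, p: Packet) -> Verdict:
        for idx, rule in enumerate(self.rules):
            if rule.matches(p):
                if rule.action == "permit":
                    return Verdict("permit", None, idx)
                return self._deny(p, idx, rule)
        return self._deny(p, None, None)   # implicit deny at the end of the list: always silent


def build_example_filter() -> PacketFilter:
    """Constructed policy: 192.0.2.0/24 is inside, 192.0.2.10 is the mail bastion."""
    return PacketFilter([
        Rule("permit", "tcp", dst="192.0.2.10/32", dport=25),              # inbound SMTP to bastion
        Rule("deny", "tcp", dport=23, reject_with=ICMP_ADMIN_PROHIBITED),  # no telnet either way
        Rule("deny", src="203.0.113.0/24", reject_with=ICMP_HOST_UNREACH,
             answer_external=True),                                        # persistent remote sender
        Rule("permit", src="192.0.2.0/24"),                                # other outbound traffic
    ])


if __name__ == "__main__":
    fw = build_example_filter()
    for pkt in (Packet("198.51.100.7", "192.0.2.20", "tcp", 23, "outside"),
                Packet("192.0.2.20", "198.51.100.7", "tcp", 23, "inside"),
                Packet("203.0.113.5", "192.0.2.20", "udp", 53, "outside")):
        print(fw.evaluate(pkt))
    print("\n".join(fw.log))
```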
From firewalls-owner Thu Mar 2 07:31:51 1995
From: Yves_Morin@BComeau.Hydro.Qc.CA (Yves Morin)
Date: Thu, 2 Mar 1995 10:02:11 -0500
To: paul@digpath.com
Cc: firewalls-relay@BComeau.Hydro.Qc.CA
Subject: SNK004

Hi!

We have received an SNK004 (that's what we ordered) MODEL No: SNK-010

My problem is: How can I get it to display anything else than "E0 ---" ?!
I've read the booklet and it says to contact my supervisor :-)
I ain't got no "Super visor" on this project :)-

What do I need to do to make it work?!

Yves Morin
---------------------------------------------------------------------------
| Yves_Morin@BComeau.Hydro.Qc.CA                     System Administrator |
| Tel:418-294-3531                                   Fax:418-294-3307     |
| I speak for myself!                                                     |
---------------------------------------------------------------------------

From firewalls-owner Thu Mar 2 07:46:04 1995
From: Rick Romkey
Date: Thu, 2 Mar 1995 10:09:53 -0500 (EST)
To: sjones@Aptech.com (Samuel D. Jones)
Cc: Firewalls@GreatCircle.COM
Subject: Re: FW-1, etc.

>
> >> If you are serious (and IMNSHO you can't be too serious if you are
> >> considering FW-1) about security I'd look at:
> >>
> >> SCC's Sidewinder ~ $40K
> >> DEC's SEAL ~ $35K (I think)
> >> Raptor's Eagle ~ $25K
> >> TIS's Gauntlet ~ $15K
> >
> > Smallworks NetGate ~ $5k (for source!)
> >
> >> My opinion is that the best value lies in the bottom two.
> >
> >And how.
>
> What makes these better than FW-1? Just asking, I have no argument
> with this, I just don't know.
>
> sjones@Aptech.com
>

Gee...I really think Janus should be in there somewhere too.

-Rick

From firewalls-owner Thu Mar 2 08:05:53 1995
From: Lee Neely
Date: Thu, 2 Mar 1995 07:06:51 -0800
To: brian@imcon.ilinx.com, firewalls@greatcircle.com
Subject: Re: Re[2]: DNS on firewall??

> From: brian@imcon.ilinx.com
>
> from the quill of "J. T. Judge"
> >
> > If you are application level, how do you deal with the
> > problem that internal mailers, network client programs, etc
> > can resolve A and MX records for "out there" -- but these
> > same client programs can NOT connect to those addresses ?
> >
> Ah, yes. I had to deal with this one over the weekend. I was fortunate in
> my decision to dump sendmail for smail a long time ago.
> With smail, you can tell it only to do a hostname lookup if the domain is known (i.e. I can
> list which domains to do a hostname lookup of) and I specify only our
> internal domain as known. This way mail to the inside domain gets looked
> up and passed via SMTP but mail to all other domains is routed to the
> smarthost.
>

I contend that Sendmail 8.6.x is now able to do this too. I am not slamming smail here, but, rather, offering the solution to those still using sendmail. There are several hooks for this, and they include:

1) The ability to define a mailertable. This is an external database of hosts or subnets and the place to send their mail. This allows one to circumvent a wildcard MX for a distributed domain, or avoid MX mailers that are broken. (PSI comes to mind.) I had a client where he was in California, on one internet provider, and his parent domain was in DC. The parent had a wildcard MX for outbound email. The problem was that this host was A) undersized and B) the SMTP implementation wasn't SMTP compliant! The mailertable allowed me to re-route mail destined for west-coast systems properly, and save about 24 hours on average delivery time.

2) The definition of a smart host. This is used to deliver non-local mail, unless there is a wildcard MX mailer defined for your domain.

3) Fallback MX host. When all else fails, this is a nice feature to get the queueing off the local host and onto something that can deal with delivery problems....

Happy mailing!

Lee
--
Leland K. Neely
U.C.L.L.N.L
P.O.
Box 808 L-613
Livermore CA 94551
Email: lkn@llnl.gov
Voice: (510) 422-0140

From firewalls-owner Thu Mar 2 08:26:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA03822 for firewalls-outgoing; Thu, 2 Mar 1995 07:47:08 -0800
Received: from nuchat.sccsi.com (nuchat.sccsi.com [198.65.128.16]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA03817 for ; Thu, 2 Mar 1995 07:47:05 -0800
From: ted@gw.lsli.com
Received: by nuchat.sccsi.com (/\==/\ Smail3.1.25.1 #25.2) id ; Thu, 2 Mar 95 09:44 CST
Received: from gw.lsli.com by gw.lsli.com (AIX 3.2/UCB 5.64/4.03) id AA14382; Thu, 2 Mar 1995 09:42:37 -0600
Date: Thu, 2 Mar 95 09:32:49 CST
Subject: RE: FW-1, etc.
To: "Samuel D. Jones" , firewalls@GreatCircle.com
X-Mailer: Chameleon - TCP/IP for Windows by NetManage, Inc.
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>>> If you are serious (and IMNSHO you can't be too serious if you are
>>> considering FW-1) about security I'd look at:
>>>
>>> SCC's Sidewinder ~ $40K
>>> DEC's SEAL ~ $35K (I think)
>>> Raptor's Eagle ~ $25K
>>> TIS's Gauntlet ~ $15K
>>
>> Smallworks NetGate ~ $5k (for source!)
>>
>>> My opinion is that the best value lies in the bottom two.
>>
>>And how.
>sjones@Aptech.com

LSLI sells turn key firewall solutions for $25k or simply the software
package for around $15k.

-------------------------------------
ted@gw.lsli.com
Livermore Software Laboratories, Inc. Houston, Texas
Department of Redundancy Department
03/02/95

"It was the nineties and thanks to the internet, the whole world could hear
what some nerd thinks about Star Trek."
- Homer Simpson
-------------------------------------

From firewalls-owner Thu Mar 2 08:49:00 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA04097 for firewalls-outgoing; Thu, 2 Mar 1995 08:01:05 -0800
Received: from overdrive (overdrive3.ccrl.nj.nec.com [138.15.104.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA04092 for ; Thu, 2 Mar 1995 08:01:01 -0800
Received: by overdrive (4.1/YDL1.9-920708.13) id AA00989(overdrive); Thu, 2 Mar 95 10:58:17 EST
Received: by deimos (4.1/CNC-Client) id AA03769; Thu, 2 Mar 95 10:58:16 EST
Date: Thu, 2 Mar 1995 10:58:16 -0500 (EST)
From: Ed Strong
X-Sender: ems@deimos
To: David Miller
Cc: "Samuel D. Jones" , Firewalls@GreatCircle.COM
Subject: Re: FW-1, etc.
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

David is not telling the whole story. If, like in many organizations, a small fraction of one person's time is devoted to the firewall issue, FW-1 gives good security at low overhead. Proxy-type firewalls are much more labor intensive, and much less flexible, for relatively little improvement in security. If you don't have time/resources to install special client software on every machine (as required by most proxy firewalls), or develop custom proxies wherever needed, then FW-1 is the best solution.

Of course the trusted users inside can tunnel out through FW-1 if they want to. But trusted users who want to leak information will not be stopped by an application level firewall either, unless you body search everyone for bootleg media and also cut off all modem access. (Pretty draconian.)

You have to decide what level of security is right for your organization and apply the same level consistently. FW-1 may be right for you.

Disclaimer: I don't speak for NEC, Checkpoint, or Sun in any capacity.
-----------------------------------------------------------------------
Ed Strong EMAIL: ems@ccrl.nj.nec.com
-----------------------------------------------------------------------

From firewalls-owner Thu Mar 2 09:10:52 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA04797 for firewalls-outgoing; Thu, 2 Mar 1995 08:20:45 -0800
Received: from wh.bayer.com (wh.bayer.com [192.80.67.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA04785 for ; Thu, 2 Mar 1995 08:20:42 -0800
From: tws@wh.bayer.com
Received: by wh.bayer.com (4.1/SMI-4.1) id AA19700; Thu, 2 Mar 95 11:15:39 EST
Received: by mrcs1 (5.64/X1.00) id AA06812; Thu, 2 Mar 95 11:15:11 -0500
Date: Thu, 2 Mar 95 11:15:11 -0500
Message-Id: <9503021615.AA06812@mrcs1>
To: isdmill@gatekeeper.ddp.state.me.us, sjones@Aptech.com
Subject: Re: FW-1, etc.
Cc: Firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

}From firewalls-owner@GreatCircle.COM Thu Mar 2 10:06:39 1995
}From: David Miller
}Subject: Re: FW-1, etc.
}To: "Samuel D. Jones"
}Cc: Firewalls@GreatCircle.COM
}On Wed, 1 Mar 1995, Samuel D. Jones wrote:
}> >> If you are serious (and IMNSHO you can't be too serious if you are
}> >> considering FW-1) about security I'd look at:
}> >>
}> >> SCC's Sidewinder ~ $40K
}> >> DEC's SEAL ~ $35K (I think)
}> >> Raptor's Eagle ~ $25K
}> >> TIS's Gauntlet ~ $15K
}> >
}> > Smallworks NetGate ~ $5k (for source!)
}> >
}> >> My opinion is that the best value lies in the bottom two.
}> >
}> >And how.
}> What makes these better than FW-1? Just asking, I have no argument
}> with this, I just don't know.
}FW-1 is a fancy packet filter. The others are firewalls with application
}proxies and the like. Perhaps others here feel a packet filter mechanism
}can be a firewall and provide real security, but I don't:)
}--- David

I believe FW-1 is a black box, not a crystal box. Someone correct me, if I am wrong.
Tenna Sakai
Miles Research Center

From firewalls-owner Thu Mar 2 09:54:51 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA04630 for firewalls-outgoing; Thu, 2 Mar 1995 08:15:43 -0800
Received: from ns.stibo.dk (ns.stibo.dk [193.88.170.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA04618 for ; Thu, 2 Mar 1995 08:15:35 -0800
Received: by ns.stibo.dk (8.6.9/8.6.9) id RAA28648; Thu, 2 Mar 1995 17:09:39 +0100
Received: from stibo_net by ns.stibo.dk via smap (V1.3) id sma028646; Thu Mar 2 17:09:13 1995
Received: by per.stibo.dk (8.6.9/8.6.9) id RAA08168; Thu, 2 Mar 1995 17:08:56 +0100
Date: Thu, 2 Mar 1995 17:08:56 +0100 (MET)
From: Per Hagen
To: Yves Morin
cc: paul@digpath.com, firewalls@GreatCircle.COM
Subject: Re: SNK004
In-Reply-To: <9503021502.AA00699@BComeau.Hydro.Qc.CA>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=USASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 2 Mar 1995, Yves Morin wrote:

> Hi!
>
> We have received an SNK004 (that's what we ordered)
>
> MODEL No: SNK-010
>

The same model I have got!

> My problem is : How can I get it to display anything else than "E0 ---" ?!
>

You have to prepare it. This is the administrator's job, which is why you will need to order the administrator's manual, since Digital Pathways does not ship the admin guide unless you have specifically ordered it or ordered it through a D.P. Defender system.

> > I've read the booklet and it says to contact my supervisor :-)
> >
> I ain't got no "Super visor" on this project :)-

When the SNK shows E0 --- then you have to select the mode of operation, followed by your SNK-DES key. Since I don't have my manual here with me, I think that you have about 4 different modes: Destructive-decimal (mode 1), just decimal (mode 2), Destructive-hexadecimal (mode 3) and just hexadecimal (mode 4). I am positive of mode 2, since I've just set up two keys today!

So when the SNK shows E0 --- enter the mode, e.g.
2 followed by ENT. Then it prompts you for your DES key with E1 --- through E7 --- I think! At each prompt you enter the corresponding 3 digit number of your key. When you have entered the number for E7 you press ENT, then the SNK will display a checksum. Make sure this fits with your key generator's checksum; if it does press ENT, otherwise press ON to escape.

If the above went ok, then your SNK should now display E2, which is where your user manual starts on page 2 (installing your PIN).

> > What do I need to do to make it work?!
> >

I am not completely positive about the actual prompts the key will present you with in the key entry section.

> >
> > Yves Morin
> >
> > '---------------------------------------------------------------------------`
> > | Yves_Morin@BComeau.Hydro.Qc.CA System Administrator |
> > | Tel:418-294-3531 Fax:418-294-3307 |
> > | I speak for myself! |
> > `---------------------------------------------------------------------------'
>

Good luck,

Per L. Hagen, Network Administrator
------------------------------------------------------------------------
Advanced Catalogue Solutions The Stibo Technology Group...
Since 1794
Stibo Sletvej 34, DK-8310 Tranbjerg J, Denmark
Datagraphics, Phone: +45 86 29 55 11, Fax: +45 86 29 51 03
Research Department E-mail: per@stibo.dk or postmaster@stibo.dk
------------------------------------------------------------------------

From firewalls-owner Thu Mar 2 09:57:41 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA05298 for firewalls-outgoing; Thu, 2 Mar 1995 08:34:41 -0800
Received: from maily1.prodigy.com (maily1.prodigy.com [192.207.105.55]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA05293 for ; Thu, 2 Mar 1995 08:34:39 -0800
Received: (from frank@localhost) by maily1.prodigy.com (8.6.10/8.6.9) id LAA24474; Thu, 2 Mar 1995 11:26:04 -0500
Date: Thu, 2 Mar 1995 11:26:04 -0500 (EST)
From: Frank Wortner
To: Jim Thompson
cc: Firewalls@GreatCircle.COM, Jean.Lehman@west.sun.com, rmck@sandfiddler.paragon-systems.com
Subject: Re: packet filtering vs application based firewalls
In-Reply-To: <9503012258.AA07185@chiba>
Message-ID:
X-Mail-1: Prodigy Services Co.
X-Mail-2: 1565 Front Street
X-Mail-3: Yorktown Heights NY 10598
X-Phone: 1-914-448-1740
X-FAX: 1-914-448-1946
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 1 Mar 1995, Jim Thompson wrote:

> > TIS's Gauntlet ~ $15K
>
> Smallworks NetGate ~ $5k (for source!)
>

We might as well add the obvious:

TIS's FTWK ~ $0 (for source!)

Frank
--
"Outside of a dog, a book is a man's best friend; inside of a dog, it's too dark to read."
-- Groucho Marx

From firewalls-owner Thu Mar 2 10:25:01 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA06046 for firewalls-outgoing; Thu, 2 Mar 1995 09:05:44 -0800
Received: from alexander.erg.sri.com (alexander.erg.sri.com [128.18.110.55]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA06040 for ; Thu, 2 Mar 1995 09:05:41 -0800
Received: from localhost.erg.sri.com by alexander.erg.sri.com (5.65/2.7davy) id AA07348; Thu, 2 Mar 95 09:02:13 -0800
Message-Id: <9503021702.AA07348@alexander.erg.sri.com>
To: firewalls@greatcircle.com
Subject: Re: FW-1, etc.
In-Reply-To: Your message of Thu, 02 Mar 95 09:32:49 -0600.
Date: Thu, 02 Mar 95 09:02:12 -0800
From: Bryan McDonald
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Before I spend the next week reading a whole series of "me-too's", has anyone compiled a list of all the firewalls on the market, both commercial and public-domain? If not, perhaps we can turn the shower of "me-too's" into a constructive list...

Bryan

>>>> If you are serious (and IMNSHO you can't be too serious if you are
>>>> considering FW-1) about security I'd look at:
>>>>
>>>> SCC's Sidewinder ~ $40K
>>>> DEC's SEAL ~ $35K (I think)
>>>> Raptor's Eagle ~ $25K
>>>> TIS's Gauntlet ~ $15K
>>>
>>> Smallworks NetGate ~ $5k (for source!)
>>>
>>>> My opinion is that the best value lies in the bottom two.
>>>
>>>And how.
>>sjones@Aptech.com
>
>
>LSLI sells turn key firewall solutions for $25k or simply the software
>package for around $15k.
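Lee Neely's reply in the "DNS on firewall" thread above lists three sendmail hooks for a site whose inside hosts can resolve outside A and MX records but cannot connect to those addresses: a mailertable, a smart host, and a fallback MX host. The Python model below is an added example, not code from that post or from sendmail itself; it shows the order in which those hooks decide the next hop for a recipient, using sendmail's mailertable key convention (a leading dot matches subdomains, square brackets mean "connect to this host, skip the MX lookup"). All domains, hosts and table entries are constructed for the example.

```python
"""Routing precedence of a mailertable / smart host / fallback MX setup, modelled
on the sendmail hooks Lee Neely lists. The site shape is the one from the thread:
inside hosts can resolve outside A and MX records but can only connect to the
inside zone and to the relay on the firewall. Every domain, host and table entry
below is constructed for this example; nothing here is sendmail's own code."""

from dataclasses import dataclass

# Constructed mailertable in sendmail's key convention: a leading dot matches
# every subdomain (not the bare domain itself), a bare name matches exactly,
# and a lone "." would match everything. Values are mailer:host; the square
# brackets mean "connect to this host as given, skip the MX lookup".
MAILERTABLE = {
    ".west.example.org": "smtp:[gw-west.example.org]",     # sidestep the parent's wildcard MX
    "broken-mx.example.net": "smtp:[relay.example.net]",   # route around a non-compliant MX host
}

INTERNAL_DOMAIN = "corp.example.com"          # the only zone delivered to directly
SMART_HOST = "smtp:[fw.corp.example.com]"     # bastion relay for all other mail
FALLBACK_MX = "fallback.corp.example.com"     # takes the queue when direct delivery fails


@dataclass(frozen=True)
class Route:
    mailer: str   # sendmail mailer name, e.g. "smtp"
    host: str     # next hop; "[h]" means h itself, otherwise an MX lookup on h
    reason: str   # which hook made the decision


def _parse(spec):
    mailer, host = spec.split(":", 1)
    return mailer, host


def mailertable_lookup(domain):
    """Look up the way sendmail walks a mailertable: the full domain first, then
    strip one leading label at a time and try the remainder with a leading dot."""
    d = domain.lower()
    if d in MAILERTABLE:
        return MAILERTABLE[d]
    labels = d.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in MAILERTABLE:
            return MAILERTABLE[key]
    return MAILERTABLE.get(".")


def route(address):
    """Decide the next hop for one recipient address."""
    domain = address.rsplit("@", 1)[1].lower()

    # 1) A mailertable entry wins over everything, including the smart host.
    spec = mailertable_lookup(domain)
    if spec:
        mailer, host = _parse(spec)
        return Route(mailer, host, "mailertable")

    # 2) The inside zone is the one place an MX lookup is worth doing, because
    #    it is the only zone these hosts can actually reach.
    if domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN):
        return Route("smtp", domain, "internal mx lookup")

    # 3) Everything else goes to the smart host. Resolving an outside MX would
    #    succeed and the connection would then hang at the firewall.
    mailer, host = _parse(SMART_HOST)
    return Route(mailer, host, "smart host")


def next_hop_after_failure(r):
    """Fallback MX: when delivery to an MX-routed host fails, hand the message to
    the fallback host rather than queueing it locally. Routes that already name a
    fixed relay ([host]) are left alone."""
    if r.host.startswith("["):
        return r
    return Route(r.mailer, "[" + FALLBACK_MX + "]", "fallback mx")


if __name__ == "__main__":
    for rcpt in ("bob@corp.example.com", "alice@lab.corp.example.com",
                 "carol@host.west.example.org", "dave@broken-mx.example.net",
                 "eve@outside.invalid"):
        r = route(rcpt)
        print(f"{rcpt:30} -> {r.mailer}:{r.host:28} ({r.reason})")
    r = next_hop_after_failure(route("bob@corp.example.com"))
    print(f"{'bob@corp.example.com':30} -> {r.mailer}:{r.host:28} ({r.reason})")
```

Run directly it prints one line per recipient; the last line shows a failed direct delivery into the inside zone being handed to the fallback host instead of sitting in the local queue, which is the point of Lee's third hook.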
From firewalls-owner Thu Mar 2 10:36:23 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA06180 for firewalls-outgoing; Thu, 2 Mar 1995 09:13:38 -0800
Received: from ns.incog.com (ns.incog.com [199.190.177.251]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA06175 for ; Thu, 2 Mar 1995 09:13:35 -0800
From: mulligan@incog.com
Received: from osmosys.incog.com by ns.incog.com (8.6.10/94082501) id JAA13109; Thu, 2 Mar 1995 09:11:52 -0800
Received: from coslabs.incog.com by osmosys.incog.com (5.x/SMI-SVR4) id AA06729; Thu, 2 Mar 1995 09:11:05 -0800
Received: from future.incog.com by coslabs.incog.com (5.x/SMI-SVR4) id AA05612; Thu, 2 Mar 1995 10:08:40 -0700
Received: from localhost by future.incog.com (5.x/SMI-SVR4) id AA07907; Thu, 2 Mar 1995 10:07:59 -0700
Message-Id: <9503021707.AA07907@future.incog.com>
To: Ed Strong
Cc: David Miller , "Samuel D. Jones" , Firewalls@GreatCircle.COM
Subject: Re: FW-1, etc.
Reply-To: mulligan@incog.com
In-Reply-To: Your message of "Thu, 02 Mar 95 10:58:16 EST."
Date: Thu, 02 Mar 95 10:07:58 MST
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Of course the trusted users inside can tunnel out through FW-1 if they want
> to. But trusted users who want to leak information will not be stopped
> by an application level firewall either, unless you body search everyone for
> bootleg media and also cut off all modem access. (Pretty draconian.)

Can't you also tunnel out over a telnet proxy? Heck, Marcus wants to layer NFS on mail!
geoff

From firewalls-owner Thu Mar 2 10:58:28 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA06251 for firewalls-outgoing; Thu, 2 Mar 1995 09:19:26 -0800
Received: from little-miami.iac.net (little-miami.iac.net [198.180.60.135]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA06245 for ; Thu, 2 Mar 1995 09:19:23 -0800
Received: by little-miami.iac.net id MAA17736; Thu, 2 Mar 1995 12:17:07 -0500
Date: Thu, 2 Mar 1995 12:17:06 -0500 (EST)
From: Carl Jolley
To: ted@gw.lsli.com
cc: "Samuel D. Jones" , firewalls@GreatCircle.COM
Subject: RE: FW-1, etc.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Oh, I was not aware of the LSLI product. What hardware is provided with this turnkey solution?

**** cjolley@iac.net ****
All opinions are my own and not necessarily those of my employer ****

On Thu, 2 Mar 1995 ted@gw.lsli.com wrote:

>
> >
> >>> If you are serious (and IMNSHO you can't be too serious if you are
> >>> considering FW-1) about security I'd look at:
> >>>
> >>> SCC's Sidewinder ~ $40K
> >>> DEC's SEAL ~ $35K (I think)
> >>> Raptor's Eagle ~ $25K
> >>> TIS's Gauntlet ~ $15K
> >>
> >> Smallworks NetGate ~ $5k (for source!)
> >>
> >>> My opinion is that the best value lies in the bottom two.
> >>
> >>And how.
> >sjones@Aptech.com
>
>
> LSLI sells turn key firewall solutions for $25k or simply the software
> package for around $15k.
>
> -------------------------------------
> ted@gw.lsli.com
> Livermore Software Laboratories, Inc. Houston, Texas
> Department of Redundancy Department
> 03/02/95
>
> "It was the nineties and thanks to the internet, the whole world could hear
> what some nerd thinks about Star Trek."
> - Homer Simpson
> -------------------------------------
>
>
>

From firewalls-owner Thu Mar 2 11:03:10 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA06578 for firewalls-outgoing; Thu, 2 Mar 1995 09:34:17 -0800
Received: from hp.com (hp.com [15.255.152.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA06570 for ; Thu, 2 Mar 1995 09:34:14 -0800
Received: from hpindda.cup.hp.com by hp.com with ESMTP (1.37.109.14/15.5+ECS 3.3) id AA153795516; Thu, 2 Mar 1995 09:31:57 -0800
Received: from localhost by hpindda.cup.hp.com with SMTP (1.37.109.15/15.5+IOS 3.20+cup+OMrelay) id AA009365453; Thu, 2 Mar 1995 09:30:53 -0800
Message-Id: <199503021730.AA009365453@hpindda.cup.hp.com>
To: Firewalls@GreatCircle.COM, sjones@Aptech.com, patrick@oes.amdahl.com
Subject: Re: FW-1, etc.
Date: Thu, 02 Mar 1995 09:30:52 -0800
From: Abraham Lui
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Subject: Re: FW-1, etc.
>From: patrick@oes.amdahl.com (Patrick Horgan)
>Date: Wed, 01 Mar 1995 22:33:37 +0800
>To: Firewalls@GreatCircle.COM, sjones@Aptech.com
> ----------------------------------------
>
>>From firewalls-owner@GreatCircle.COM Wed Mar 1 22:12 PST 1995
>>Date: Wed, 1 Mar 1995 16:12:40 -0800
>>From: sjones@Aptech.com (Samuel D. Jones)
>>To: Firewalls@GreatCircle.COM
>>Subject: FW-1, etc.
>>
>>>> If you are serious (and IMNSHO you can't be too serious if you are
>>>> considering FW-1) about security I'd look at:
>
>Let's hear your reasons for not liking Firewall-1. We don't have the
>product, I have no connection with the product, but I've done an extensive
>evaluation of it. I know its strengths and weaknesses very well. I'd
>love to discuss it. Do you have real complaints, or is this another, "Oh
>it does packet filtering, it can't be a real firewall." complaint?
I've looked into FW-1 (without actually running the software) and got the following picture:

Strengths:

1) Everyone I have talked to gives his thumbs up on the product's GUI. Based on my experience, Security Administrators see a good user interface as just as important as any other part of the product.

2) It is flexible. Its programmable filter module supposedly can be used to adapt to many application protocols (ftp, HTTP, WAIS etc.) including site specific ones.

Weaknesses:

1) It is not capable of doing User Authentication, which severely limits the access control module. Current rules are created based on service and host address, which may not have the granularity that many of us need.

2) Because the product is based on "packet-filtering", it inherits the limitation of the technology. Although I believe CheckPoint did a good job on attempting to break the barrier.

Does the above evaluation agree with what you have?

Abe

+-------------------------------------------+---------------------------------+
|Abraham Lui (Member, Technical Staff)      |Bldg: 43L; MS 43LM; Pillar P7    |
|Information Networks Division              |Phone: 408-447-2403              |
|Hewlett-Packard Company                    |Telnet: 1-447-2403               |
|19420 Homestead Road, MS 43LM              |Fax: 408-447-3660                |
|Cupertino, CA 95014-9807                   |Email: abraham@cup.hp.com        |
+-------------------------------------------+---------------------------------+

From firewalls-owner Thu Mar 2 11:38:01 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA06989 for firewalls-outgoing; Thu, 2 Mar 1995 09:53:38 -0800
Received: from services.more.net (services.MORE.Net [128.206.1.214]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA06984 for ; Thu, 2 Mar 1995 09:53:30 -0800
Received: by services.more.net (4.1/SMI-4.1) id AA12201; Thu, 2 Mar 95 11:49:56 CST
Date: Thu, 2 Mar 1995 11:49:55 -0600 (CST)
From: David Johnson
Subject: Re: FW-1, etc.
To: Rick Romkey
Cc: "Samuel D.
 Jones" , Firewalls@GreatCircle.COM
In-Reply-To: <199503021509.KAA04340@maddie.atlantic.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

And what about IBM NetSP Firewall, is it not a one as well?

Dave Johnson
Missouri Highway and Transportation Department
PO Box 270
Jefferson City, MO 65102
(314)751-9201

On Thu, 2 Mar 1995, Rick Romkey wrote:

> >
> > >> If you are serious (and IMNSHO you can't be too serious if you are
> > >> considering FW-1) about security I'd look at:
> > >>
> > >> SCC's Sidewinder ~ $40K
> > >> DEC's SEAL ~ $35K (I think)
> > >> Raptor's Eagle ~ $25K
> > >> TIS's Gauntlet ~ $15K
> > >
> > > Smallworks NetGate ~ $5k (for source!)
> > >
> > >> My opinion is that the best value lies in the bottom two.
> > >
> > >And how.
> >
> > What makes these better than FW-1? Just asking, I have no argument
> > with this, I just don't know.
> >
> > sjones@Aptech.com
> >
> Gee...I really think Janus should be in there somewhere too.
>
> -Rick
>

From firewalls-owner Thu Mar 2 11:38:44 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA06972 for firewalls-outgoing; Thu, 2 Mar 1995 09:52:37 -0800
Received: from erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA06967 for ; Thu, 2 Mar 1995 09:52:33 -0800
Posted-Date: Thu, 2 Mar 1995 12:50:17 -0500
From: "Bryan D. Boyle"
Message-Id: <9503021250.ZM6168@maverick.erenj.com>
Date: Thu, 2 Mar 1995 12:50:17 -0500
In-Reply-To: Ed Strong "Re: FW-1, etc." (Mar 2, 10:58am)
References:
X-Phone: (908) 730-3338
X-Saying: Strange problems call for strange solutions.
X-Life: Get One
X-Face: "Pd&4kXWsi"3Hc_Y~I-ts24DN$w~Hh)&L-P9DZvE"~_~m),~Y&N_]TUIM*4.r@z$SxVL]}v=+IP>Fuq{zx%{KKj"Kys1Q5{|m*l}:[T;N:/=@5[xOIpR$%skp$f0#6^j\1+ -?l%Yk/+S8Y!3J@{~!Ao4-COV:Ft}{]oZ&1=!@<>UIh2s
X-Mailer: Z-Mail (3.2.0 06sep94)
To: firewalls@greatcircle.com
Subject: Re: FW-1, etc.
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mar 2, 10:58am, Ed Strong wrote:
> Subject: Re: FW-1, etc.
>
> David is not telling the whole story. If, like in many organizations, a
> small fraction of one person's time is devoted to the firewall issue,
> FW-1 gives good security at low overhead. Proxy-type firewalls are much
> more labor intensive, and much less flexible, for relatively little
> improvement in security. If you don't have time/resources to install special
> client software on every machine (as required by most proxy firewalls), or
> develop custom proxies wherever needed, then FW-1 is the best solution.

Oh? I don't seem to recall having to install special software on any end-user machine in an environment of over 1500 users to get thru the SEAL/TIS firewall here. I also don't have to worry about a 'black box' software package running on a known-insecure operating system that has a failure mode of "everything open". All of the >useful< tools know about application proxy firewalls, and security schemes in use today. If they don't, then the producer of the software is not interested in business uses of their wares, and should probably concentrate on the education and non-profit markets where security is not a concern.

If anyone thinks there is a simple, plug-in and forget about it approach to security and network access, then they are deluding their management. If you don't have time to do it to an auditably correct position, then perhaps you shouldn't be doing security. Security is a full-time mind set.

FW-1 is a panacea for companies that think you can put in equipment and software and trust it blindly without understanding the principles or threats, since it is sold as a 'you just click on this, doodle that, and you are secure'. That scares me.

>
> Of course the trusted users inside can tunnel out through FW-1 if they want
> to.
> But trusted users who want to leak information will not be stopped
> by an application level firewall either, unless you body search everyone for
> bootleg media and also cut off all modem access. (Pretty draconian.)

We control both here. We have policies in place for both of those instances. I know some government sites that do a pat search on the way out the door while they rifle your briefcase/pocketbook/whatever. Depends on the company and their view of the threats.

>
> You have to decide what level of security is right for your organization
> and apply the same level consistently. FW-1 may be right for you.
>

You get what you pay for. A packet filter is not a firewall. UDP can not be handled securely (or with anything approaching predictable security anyway...) with the current technology or the base protocol itself (UDP was designed to not depend on predictable connection capabilities, which makes it incredibly easy to intercept or spoof, not that TCP is necessarily without its vulnerabilities...).

IMHO, you start with the basic services you want to provide, and allow only those. Shut off everything else. Log everything, provide a demilitarized zone, and _then_ slowly open the spigot. Oh, yeah, make sure the base operating system has a history of being able to be secured. Isolate, separate, and delegate.

Or else, what you have, in essence, is a fancy router with filtering. And that provides minimal security.

Just my $.02.

--
Bryan D.
Boyle |Physical: ER&E, Clinton, NJ (908) 730-3338
#include |Virtual: bdboyle@erenj.com
World-Wide-Web: http://www.digimark.net/bdboyle/index.html
http://www.digimark.net/bdboyle/pubkey.html for pgp public key

From firewalls-owner Thu Mar 2 11:39:28 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA07642 for firewalls-outgoing; Thu, 2 Mar 1995 10:16:32 -0800
Received: from relay.tis.com (relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA07637 for ; Thu, 2 Mar 1995 10:16:25 -0800
Received: from unknown(192.33.112.100) by relay.tis.com via smap (V1.3) id sma013642; Thu Mar 2 13:13:38 1995
Message-Id: <9503021813.AA00681@tis.com>
From: Frederick M Avolio
X-Organization: Trusted Information Systems, Inc.
X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363
To: Frank Wortner
Cc: Firewalls@greatcircle.com
Subject: Re: packet filtering vs application based firewalls
In-Reply-To: Your message of Thu, 02 Mar 95 11:26:04 -0500.
Date: Thu, 02 Mar 95 13:13:33 -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> We might as well add the obvious:
> TIS's FTWK ~ $0 (for source!)

Since Frank brought up the FWTK, the Gauntlet Internet Firewall has source as well. Oh, and yes the FWTK is freely available (LICENSED though) but you do have to work harder to get it installed properly than commercial firewall products.
Fred

From firewalls-owner Thu Mar 2 11:40:10 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA08406 for firewalls-outgoing; Thu, 2 Mar 1995 10:49:27 -0800
Received: from tadpole.tadpole.com (tadpole.Tadpole.COM [160.104.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA08401 for ; Thu, 2 Mar 1995 10:49:24 -0800
Received: from chiba (chiba.Tadpole.COM [160.104.1.6]) by tadpole.tadpole.com (8.6.10/8.6.10) with SMTP id MAA01195; Thu, 2 Mar 1995 12:46:11 -0600
From: Jim Thompson
Received: by chiba (5.x/SPARCbook_POP1.3) id AA08610; Thu, 2 Mar 1995 12:46:11 -0600
Date: Thu, 2 Mar 1995 12:46:11 -0600
Message-Id: <9503021846.AA08610@chiba>
To: Firewalls@GreatCircle.COM
Subject: Re: FW-1, etc.
Cc: ems@ccrl.nj.nec.com, isdmill@gatekeeper.ddp.state.me.us, mulligan@incog.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Can't you also tunnel out over a telnet proxy? Heck, Marcus wants to
> layer NFS on mail!

Sorry, it's already been done (mostly). I've seen RPC over UUCP...

Jim

From firewalls-owner Thu Mar 2 11:40:54 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA08130 for firewalls-outgoing; Thu, 2 Mar 1995 10:38:41 -0800
Received: from relay.tis.com (relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA08124 for ; Thu, 2 Mar 1995 10:38:38 -0800
Received: from unknown(192.33.112.100) by relay.tis.com via smap (V1.3) id sma013981; Thu Mar 2 13:35:55 1995
Received: by (4.1/illuminati) id AA00232; Thu, 2 Mar 95 13:40:41 EST
From: "Marcus J.
 Ranum"
Message-Id: <232.9503021840@illuminati>
Subject: Re: packet filtering vs application based firewalls
To: frank@prodigy.com (Frank Wortner)
Date: Thu, 2 Mar 1995 13:40:40 -0500 (EST)
Cc: jim@Tadpole.COM, Firewalls@GreatCircle.COM, Jean.Lehman@west.sun.com, rmck@sandfiddler.paragon-systems.com
In-Reply-To: from "Frank Wortner" at Mar 2, 95 11:26:04 am
Organization: Trusted Information Systems, Inc. Glenwood, MD
Phone: 301-854-6889
Coredump: Infocalypse Now!!!
Content-Type: text
Content-Length: 1015
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>We might as well add the obvious:
>
> TIS's FTWK ~ $0 (for source!)

I'd like to mention, of course, that the toolkit is not a commercial offering, is unsupported, requires expertise to install, etc, etc. Since the toolkit is just a bunch of policy-free components, it can be set up to be very secure, but if not set up carefully, it could leave you open. TIS includes a DISCLAIMER with the toolkit that we urge people to read. [We don't want someone setting the toolkit up on a firewall running NFS and blaming us. :)]

For folks who don't understand UNIX/network security, we'd rather see them buy a firewall from our *competitors* than build a firewall with the toolkit, get broken into, and complain. :)

So, while it's "free" it assumes you already have some fairly expensive expertise already on your staff. If so, then you're in good shape. The toolkit is also not a commercial product. For what it's worth, support, documentation, bug-fixes, and integration make a big difference to some users.

mjr.
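Bryan Boyle's post above makes the point that a packet filter cannot handle UDP safely because nothing in a UDP packet marks it as a reply, and that the starting policy is to permit only the services you mean to offer, deny everything else and log it. The model below is an added example, not code from any post here or from any product named in the thread: it compares a stateless rule set, whose only way to admit DNS answers is a port match that any outside host can satisfy, with a filter that records outbound UDP queries and admits only a matching reply within a timeout. Addresses, ports and packets are constructed for the example.

```python
"""Stateless versus stateful handling of UDP at a packet filter. The rule sets
below are a model of filter semantics, not any vendor's syntax, and every
address, port and packet is constructed for this example."""

from dataclasses import dataclass, field

INSIDE_NET = "192.0.2."            # constructed inside prefix (TEST-NET-1)
MAIL_RELAY = "192.0.2.25"          # constructed bastion host that accepts SMTP
UDP_STATE_TIMEOUT = 30             # seconds an outbound UDP query stays "open"


@dataclass(frozen=True)
class Pkt:
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool      # True when the packet arrives on the outside interface
    ack: bool = False  # TCP ACK flag; set on every segment after the first SYN


def inside(addr):
    return addr.startswith(INSIDE_NET)


def stateless_decision(p):
    """What a filter with no memory of earlier packets can express.
    Returns (verdict, name of the matching rule)."""
    if not p.inbound:
        return "permit", "outbound allowed"
    if p.proto == "tcp" and p.dst == MAIL_RELAY and p.dport == 25:
        return "permit", "inbound smtp to relay"
    if p.proto == "tcp" and p.ack:
        # The classic "established" rule: TCP at least carries a flag that a
        # fresh connection attempt does not set.
        return "permit", "tcp established"
    if p.proto == "udp" and p.sport == 53 and p.dport >= 1024 and inside(p.dst):
        # UDP carries nothing that says "this is a reply", so the only rule a
        # stateless filter can write for DNS answers matches on ports alone,
        # and any outside host can put 53 in the source port.
        return "permit", "udp dns reply (port match only)"
    return "deny", "default deny (logged)"


@dataclass
class StatefulFilter:
    """Same policy, plus a table of outbound UDP queries so that only a reply to
    something an inside host actually sent is admitted."""
    table: dict = field(default_factory=dict)   # (src, sport, dst, dport) -> time sent
    log: list = field(default_factory=list)     # (time, packet) for every deny

    def decide(self, p, now):
        if not p.inbound:
            if p.proto == "udp":
                self.table[(p.src, p.sport, p.dst, p.dport)] = now
            return "permit", "outbound allowed"
        if p.proto == "tcp" and p.dst == MAIL_RELAY and p.dport == 25:
            return "permit", "inbound smtp to relay"
        if p.proto == "tcp" and p.ack:
            return "permit", "tcp established"
        if p.proto == "udp":
            key = (p.dst, p.dport, p.src, p.sport)   # reverse of the outbound tuple
            sent = self.table.get(key)
            if sent is not None and now - sent <= UDP_STATE_TIMEOUT:
                return "permit", "udp reply to tracked query"
            if sent is not None:
                del self.table[key]               # stale entry: close the hole
        self.log.append((now, p))
        return "deny", "default deny (logged)"


# Constructed traffic: an inside host's DNS query, the genuine answer, and an
# unsolicited UDP packet that looks like a DNS answer if only ports are checked.
QUERY = Pkt("udp", "192.0.2.7", 1234, "198.51.100.53", 53, inbound=False)
REPLY = Pkt("udp", "198.51.100.53", 53, "192.0.2.7", 1234, inbound=True)
UNSOLICITED = Pkt("udp", "203.0.113.9", 53, "192.0.2.7", 2049, inbound=True)


if __name__ == "__main__":
    for name, p in (("reply", REPLY), ("unsolicited", UNSOLICITED)):
        print(f"stateless {name:12}: {stateless_decision(p)}")
    f = StatefulFilter()
    f.decide(QUERY, now=0)
    print("stateful  reply       :", f.decide(REPLY, now=1))
    print("stateful  unsolicited :", f.decide(UNSOLICITED, now=2))
    print("stateful  late reply  :", f.decide(REPLY, now=100))
    print("denied and logged     :", len(f.log))
```

The stateless filter passes both the real answer and the unsolicited packet, because the two are indistinguishable by ports; the stateful one admits only the reply that matches a query it saw leave, drops the same reply once the timeout has passed, and logs every deny, which is the "log everything" half of Bryan's advice.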
From firewalls-owner Thu Mar 2 11:42:04 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA07737 for firewalls-outgoing; Thu, 2 Mar 1995 10:20:44 -0800
Received: from sdwsys (sdwsys.lig.net [199.18.175.129]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA07732 for ; Thu, 2 Mar 1995 10:20:39 -0800
Received: by sdwsys (Linux Smail3.1.28.1 #20) id m0rkAlc-0009tGC; Thu, 2 Mar 95 13:18 GMT
Message-Id:
From: sdw@lig.net (Stephen D. Williams)
Subject: Re: Using Linux for a firewall.
To: avalon@coombs.anu.edu.au
Date: Thu, 2 Mar 1995 13:18:08 +0000 (GMT)
Cc: mhw@wittsend.atl.ga.us, firewalls@greatcircle.com
In-Reply-To: <199502250121.RAA00939@miles.greatcircle.com> from "Darren Reed" at Feb 25, 95 12:18:35 pm
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2112
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

...
> > If you are interested in using Linux as a firewall, then you
> > need to be working with the latest kernels and keeping up to date.
> > 1.1.88 is way WAY too far behind on the curve. Especially in this
> > sensitive area.
>
> This pretty much summarises the problem. Having to recompile a kernel,
> once a week even, is not what you want to be doing with a firewall. The
> bugs are still in 1.1.94 which is after 1.1.91. I'm sure someone will
...
> myself, but that's an unreasonable thing to expect of people).
>
> I find it amusing, that 1.1.88 is WAY too far behind the curve which is
> only currently 1.1.94. Maybe in a year or two Linux will be stable
> enough for use in mission critical situations and firewalls.
>
> darren

The Linux developers should mention with each release which parts are considered stable and which are being upgraded. In any case, instability doesn't last long in any area of the kernel.
Of course major new additions are going to cause problems, but anyone working on the Beta code is supposed to be able to determine, by reading the patches if necessary, what's going on. You know if the serial code has been stable and perfect for 50 patchlevels and nothing modifies that, you're most likely safe. A simple stress test then gives a high degree of confidence. Waiting a couple of days for reports from early adopters helps too. I agree that Beta code isn't the same as an infrequent release of a commercially supported release, however it's not a problem for a developer. Since you often have to do integration development as a firewall consultant, it's not an intolerable situation. Now, would I use it in a large corporation? No way.... Yet. sdw -- Stephen D. Williams 25Feb1965 VW,OH (FBI ID) sdw@lig.net http://www.lig.net/sdw Senior Consultant, Manhattan Feb95- | 513-865-9599 FAX/LIG 513.496.5223 OH Page OO R&D AI:NN/ES crypto DBMS RPC/CS |2464 Rosina Dr., Miamisburg, OH 45342-6430 Firewall/WWW srvrs|ICBM/GPS: 39 38 34N 84 17 12W home, 40 47 00N 73 58 00W wrk Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.;1Mar95 From firewalls-owner Thu Mar 2 13:03:24 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA09415 for firewalls-outgoing; Thu, 2 Mar 1995 12:25:35 -0800 Received: from dee.retix.com (dee.retix.com [163.182.4.22]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA09410 for ; Thu, 2 Mar 1995 12:25:33 -0800 Received: from alkahest.UUCP (uucp@localhost) by dee.retix.com (8.6.9/8.6.4) with UUCP id LAA13927 for greatcircle.com!firewalls; Thu, 2 Mar 1995 11:41:20 -0800 Received: (from joshua@localhost) by alkahest.isas.com (8.6.9/8.6.6) id LAA14495; Thu, 2 Mar 1995 11:35:27 -0800 Date: Thu, 2 Mar 1995 11:35:27 -0800 From: joshua geller Message-Id: <199503021935.LAA14495@alkahest.isas.com> To: firewalls@greatcircle.com Subject: tis toolkit Sender: firewalls-owner@GreatCircle.COM 
Precedence: bulk

sorry for not paying attention, I know this has been repeatedly mentioned, but where is the public domain TIS toolkit?

josh

From firewalls-owner Thu Mar 2 13:28:20 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA09135 for firewalls-outgoing; Thu, 2 Mar 1995 12:16:05 -0800 Received: from quack.kfu.com ([204.147.226.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA09130 for ; Thu, 2 Mar 1995 12:15:59 -0800 Received: from phoenix (phoenix.kfu.com) by quack.kfu.com with SMTP id AA14410 (5.65c8/IDA-1.4.4 for ); Thu, 2 Mar 1995 11:09:48 -0800 Received: by phoenix (5.x//ident-1.0) id AA19808; Thu, 2 Mar 1995 11:09:42 -0800 Newsgroups: quack.firewalls Path: quack.kfu.com!nsayer From: nsayer@quack.kfu.com (Nick Sayer) Subject: Re: Sendmail bug Message-Id: Organization: The Duck Pond public unix: +1 408 249 9630, log in as 'guest'. References: <199503020339.TAA24272@miles.greatcircle.com> Date: 2 Mar 1995 19:09:36 UTC Lines: 33 Content-Type: text Apparently-To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I wrote:

>Solaris 1.x contains SunOS 4.x. That is, Solaris 1.0 contains SunOS
>4.1, Solaris 1.0.1 contains SunOS 4.1.1. Solaris 1.1 contains SunOS
>4.1.2, Solaris 1.1.1 contains SunOS 4.1.3, Solaris 1.1.1B contains
>SunOS 4.1.3_U1, and Solaris 1.1.2 contains SunOS 4.1.4.

I've been corrected and re-checked the CDs, and sure enough,

Solaris 1.0.1 contains SunOS 4.1.2
Solaris 1.1   contains SunOS 4.1.3
Solaris 1.1.1 contains SunOS 4.1.3_U1 (there was a rev A and B of both)
Solaris 1.1.2 contains SunOS 4.1.4

Axil and Ross were also distributing an unofficial 1.1.1B_H containing SunOS 4.1.3_U1_H, which was patched to accept the 50 and 66 MHz Hypersparc CPU modules. It was just 1.1.1B (which you applied with a Supersparc module installed) and a patch CD you applied before installing the new CPUs.

No rev of Solaris was made available for sun3. SunOS 4.1.1_U1 was the last sun3 release (which was just 4.1.1 with some patches). Solaris 2.4 will be the last release for the really old sparc machines as well as the sun4e karch.

But now we're veering seriously off topic.

--
Nick Sayer                              | "What are we gonna do, Stimpy?"
N6QQQ @ N0ARY.#NOCAL.CA.USA.NOAM        | "We could get some work..."
+1 408 249 9630, log in as 'guest'      | "Work?! Have you lost your MIND?!"
URL: http://www.kfu.com/~nsayer/        | -- Ren & Stimpy

From firewalls-owner Thu Mar 2 13:33:05 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA09514 for firewalls-outgoing; Thu, 2 Mar 1995 12:27:49 -0800 Received: from central.darpa.mil (central.darpa.mil [158.63.1.28]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA09505 for ; Thu, 2 Mar 1995 12:27:46 -0800 Received: from mail.arpa.mil by central.darpa.mil (NeXT-1.0 (From Sendmail 5.52)/NeXT-2.0) id AA02979; Thu, 2 Mar 95 15:25:25 EST Message-Id: Date: 2 Mar 1995 15:23:14 -0500 From: "sangelo" Subject: unsuscribe To: firewalls@greatcircle.com X-Mailer: Mail*Link SMTP-MS 3.0.2 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

unsuscribe firewalls

From firewalls-owner Thu Mar 2 13:52:54 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA09962 for firewalls-outgoing; Thu, 2 Mar 1995 12:35:33 -0800 Received: from taureau.as03.bull.oz.au (taureau.as03.bull.oz.au [134.211.128.112]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA09948 for ; Thu, 2 Mar 1995 12:35:16 -0800 Received: by taureau.as03.bull.oz.au id AA11302 (5.65c/IDA-1.4.4 for firewalls@greatcircle.com); Fri, 3 Mar 1995 07:21:12 +1100 Received: from localhost (sjg@localhost [127.0.0.1]) by zen.void.oz.au (8.6.9/8.6.9) with SMTP id XAA16241; Thu, 2 Mar 1995 23:39:57 +1100 Message-Id: <199503021239.XAA16241@zen.void.oz.au> X-Authentication-Warning: zen.void.oz.au: Host localhost didn't use HELO protocol To: "J. T. Judge" Cc: firewalls@greatcircle.com Subject: Re: DNS on firewall?? In-Reply-To: Your message of "Mon, 27 Feb 95 16:25:04 CDT." <199503011936.OAA20495@gate3.fmr.com> Date: Thu, 02 Mar 1995 23:39:54 +1100 From: "Simon J. Gerraty" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> For those of you with split DNS
> ( small external DNS primary for XXX.com, resolv.conf points to
> internal DNS servers who are primary for XXX.com and have
> forwarders to the gateway to resolve external names)

Nope. Split DNS where they really are _split_ ie. _no_ DNS traffic through the firewall. I decided on this not so much to hide info, but to not make the internal network (which has been running unconnected for years) suddenly dependent on external services. Given that after a week of being connected to the local corner of the Internet, we can still only reach half the root servers named in named.cache and that there are _no_ root servers in this country! - and the link from U.S. to OZ was down the day we connected, the above choice seems pretty sound :-)

Also the client wants to be able to simply shutdown the interface to the Internet if they feel threatened. This would be tricky to do if that meant they suddenly could not resolve their own internal hosts :-)

> or is your firewall an application level firewall ?
> So, joe_user@yy.XXX.com can NOT 'ftp foo.com', they
> have to 'ftp gateway.XXX.com' (TIS) or SOCKS their
> way out ?

Yep. We use TIS, SOCKS currently appears to require the internal hosts be able to resolve names even though they cannot reach them.

> If you are application level, how do you deal with the
> problem that internal mailers, network client programs, etc
> can resolve A and MX records for "out there" -- but these
> same client programs can NOT connect to those addresses ?

No problem at all. If sendmail cannot resolve a name it just forwards it to a relay host. That relay host _knows_ that anything not bound for a domain on the inside net, must be passed to the relay on the other side of the firewall, who then uses normal MX's to work out delivery.

To do this, you must configure internal root servers to claim authority for each domain above your own. Eg, for foo.com.au, you need to claim authority for ., au. and com.au. as well as foo.com.au. Thus when nameservers look up host.bar.com.au. they quickly get a no-such guy type answer and sendmail punts to the relay host.

Of course you also need to make sure that your external mailhost is set up to not look up MX records for the internal domains, but to just forward to the inside relay.

So, no big deal. The sendmail setup is pretty straightforward, and keeping the DNS's _totally_ split is simplicity itself.

Now (one day) I just have to modify SOCKS such that if the client can resolve a name it knows it can connect directly, otherwise it goes to sockd on the proxy host. This would allow a single client to work inside and out, without unnecessary load on the proxy...
--sjg

From firewalls-owner Thu Mar 2 14:03:08 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA10616 for firewalls-outgoing; Thu, 2 Mar 1995 12:50:36 -0800 Received: from BComeau.Hydro.Qc.CA (socrates.BComeau.Hydro.Qc.CA [131.195.40.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA10606 for ; Thu, 2 Mar 1995 12:50:28 -0800 Received: from mais.hydro.qc.ca (glock.mais.hydro.qc.ca) by bcomeau.hydro.qc.ca (5.0/SMI-SVR4) id AA22416; Thu, 2 Mar 1995 15:47:35 -0500 Received: by mais.hydro.qc.ca id AA01714 (5.67b8/IDA-1.5 for firewalls-relay@bcomeau.hydro.qc.ca); Thu, 2 Mar 1995 15:45:29 -0500 Date: Thu, 2 Mar 1995 15:45:29 -0500 From: Benoit Dicaire Message-Id: <199503022045.AA01714@mais.hydro.qc.ca> To: firewalls-relay@BComeau.Hydro.Qc.CA Subject: Firewalls : do have some stats X-Sun-Charset: US-ASCII content-length: 1005 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi, my management is worried about security issues. I'm working on a memo that will explain WHY we need a firewall. I'm looking for numbers:

- How many sites on the internet
- How many sites have a firewall (a corporate, or one by site)
- How many sites plan to have a firewall

And now *YOU* the firewall expert:

- Are you in charge of a firewall
- How many Firewalls have you installed so far ?
- What kind of firewall is it ? Packet filter, Application Gateway ?
- Have you bought a Firewall package ? Which one ?
- How long did it take you to install one ?
- How many hours/month do you spend on firewall maintenance ?
- Which qualities & lacks do you find on Application Gateways ?
- Which qualities & lacks do you find on Packet filters ?

A summary will be posted, please reply directly to me to keep the bandwidth to a minimum.
---
Benoit Dicaire                    | bdicaire@mais.hydro.qc.ca
System Administrator / WebMaster  | www.mais.hydro.qc.ca/bdicaire.html
Hydro-Quebec                      | (514)289-7916

From firewalls-owner Thu Mar 2 14:10:28 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA11938 for firewalls-outgoing; Thu, 2 Mar 1995 13:14:40 -0800 Received: from svcs1.digex.net (svcs1.digex.net [204.91.197.224]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA11933 for ; Thu, 2 Mar 1995 13:14:34 -0800 Received: from paragon-systems.com (sundevil.paragon-systems.com) by svcs1.digex.net with SMTP id AA17689 (5.67b8/IDA-1.5 for ); Thu, 2 Mar 1995 16:11:39 -0500 Received: from Paragon-Systems.COM (sandfiddler) by paragon-systems.com (4.1/SMI-4.1) id AA01409; Thu, 2 Mar 95 16:13:04 EST Received: by Paragon-Systems.COM (5.0/SMI-SVR4) id AA00733; Thu, 2 Mar 1995 16:10:33 +0500 Date: Thu, 2 Mar 1995 16:10:33 +0500 From: rmck@sandfiddler.paragon-systems.com (Bob McKisson) Message-Id: <9503022110.AA00733@ Paragon-Systems.COM> To: Firewalls-Digest@greatcircle.com X-Sun-Charset: US-ASCII Content-Length: 397 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Well, Homer Simpson was right. Now I understood why the advertising agencies jump for joy when one of their clients gets flamed, trashed or drug through the mud. FW-1 starts out as the object of electronic brutality, and now everyone in the business is shoutin' for air time.

"Ah, yeah is this Merrill Lynch? Yeah, I'd like another hundred shares of Checkpoint please."

What a country!
rmck

From firewalls-owner Thu Mar 2 14:32:04 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA13166 for firewalls-outgoing; Thu, 2 Mar 1995 13:53:54 -0800 Received: from gate.globalx.net (gate.globalx.net [204.50.9.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA13161 for ; Thu, 2 Mar 1995 13:53:50 -0800 Received: from customerd.globalx.net (customerd.globalx.net [204.50.9.13]) by gate.globalx.net (8.6.9/8.6.9) with SMTP id QAA00021 for ; Thu, 2 Mar 1995 16:51:11 -0500 Date: Thu, 2 Mar 1995 16:51:11 -0500 Message-Id: <199503022151.QAA00021@gate.globalx.net> X-Sender: pteeple@mail.globalx.net Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: pteeple@globalx.net (Paul Teeple) Subject: firewalls subscribe X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Thanks.

From firewalls-owner Thu Mar 2 14:58:46 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA13837 for firewalls-outgoing; Thu, 2 Mar 1995 14:04:55 -0800 Received: from relay.tis.com (relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA13832 for ; Thu, 2 Mar 1995 14:04:52 -0800 Received: from unknown(192.33.112.100) by relay.tis.com via smap (V1.3) id sma017544; Thu Mar 2 17:02:16 1995 Received: by (4.1/illuminati) id AA00625; Thu, 2 Mar 95 17:07:21 EST From: "Marcus J. Ranum" Message-Id: <625.9503022207@illuminati> Subject: Re: tis toolkit To: alkahest!joshua@dee.retix.com (joshua geller) Date: Thu, 2 Mar 1995 17:07:20 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: <199503021935.LAA14495@alkahest.isas.com> from "joshua geller" at Mar 2, 95 11:35:27 am Organization: Trusted Information Systems, Inc. Glenwood, MD Phone: 301-854-6889 Coredump: Infocalypse Now!!! Content-Type: text Content-Length: 585 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>sorry for not paying attention, I know this has been
>repeatedly mentioned, but where is the public domain
>TIS toolkit?

There is *NO* "public domain" TIS toolkit. The TIS Internet Firewall toolkit is freely available under license for non-commercial use, from ftp.tis.com:

pub/firewalls/toolkit
  fwtk-doc-only.tar.Z - docs
  fwtk-v1.3.tar.Z     - sources
  LICENSE             - the license
  DISCLAIMER          - you should read this, too

Not quite the same as "public domain" - we need to make sure everyone understands the difference in order to protect our ownership of the software.

mjr.

From firewalls-owner Thu Mar 2 15:05:45 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA15600 for firewalls-outgoing; Thu, 2 Mar 1995 14:44:56 -0800 Received: from gate3.fmr.com (gate3.FMR.Com [192.223.170.13]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA15595 for ; Thu, 2 Mar 1995 14:44:53 -0800 Received: (from adm@localhost) by gate3.fmr.com (8.6.9/8.6.9) id RAA01557 for ; Thu, 2 Mar 1995 17:41:23 -0500 Message-Id: <199503022241.RAA01557@gate3.fmr.com> Received: from mbsb01.fmr.com(155.1.75.10) by gate3 via smap (V1.3mjr) id sma001555; Thu Mar 2 22:40:54 1995 Date: Thu, 02 Mar 1995 17:40:44 -0500 From: Joseph Judge Subject: that DNS question again To: firewalls@greatcircle.com Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I think I might not have explained the query well enough ... so I'll try to do better this time:

We have an application (using TIS proxies) based firewall. We have an external DNS (small) and an internal DNS (larger). The external machines share their small info to the world and use /etc/resolv.conf to query DNS internally. Internal DNS uses 'forwarders' to be able to access the DNS server on the firewall (and therefore able to get answers for xxx.foo.com where foo != us).
I've done mailer rules, mailertables, smart hosts, etc... I really have the (send)mail area covered. We hand out our company licensed copies of Netscape preconfigured to point to http-gw socket on gateway. We put out info (as best we can) to let people know the "how-to"s of ftp'ing out and telnet'ing out.

But, I worry about those folks who try to 'ftp ftp.foo.com', 'telnet archie.internic.net', and even 'xpilot -join xxx.pilot.no' :)

I think this might be a bit silly -- since I've recently found that the routing in the company is sucking the packets that have nowhere to go. They suck them in on a screend host to help track down the 'bad address' folks. This is the 'route of last resort' destination on the net. If I get them to send back ICMP reject/notify packets, these users I worry about will get 'no route to host' (as they should!) as opposed to the 'Trying ...timeout' that they do now.

My mistake -- I queried you all about a network routing goober.

- cheers -
- joe

From firewalls-owner Thu Mar 2 15:41:58 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA15419 for firewalls-outgoing; Thu, 2 Mar 1995 14:40:17 -0800 Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA15409 for ; Thu, 2 Mar 1995 14:40:13 -0800 Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.28.1 #5) id m0rkJVH-0000caC; Thu, 2 Mar 95 14:37 PST Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA07208; Thu, 2 Mar 1995 14:37:45 +0800 Date: Thu, 2 Mar 1995 14:37:45 +0800 From: patrick@oes.amdahl.com (Patrick Horgan) Message-Id: <9503022237.AA07208@brittany.oes.amdahl.com> To: ems@ccrl.nj.nec.com Subject: Re: FW-1, etc. Cc: firewalls@greatcircle.com X-Sun-Charset: US-ASCII content-length: 2007 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>
>
> David is not telling the whole story. If, like in many organizations, a
> small fraction of one person's time is devoted to the firewall issue,
> FW-1 gives good security at low overhead. Proxy-type firewalls are much
> more labor intensive, and much less flexible, for relatively little
> improvement in security. If you don't have time/resources to install special
> client software on every machine (as required by most proxy firewalls), or
> develop custom proxies wherever needed, then FW-1 is the best solution.

This seems to assume that you can't secure your perimeter with FW-1, that it has holes that a proxy machine doesn't. Can anyone say what they are?

>
> Of course the trusted users inside can tunnel out through FW-1 if they want
> to. But trusted users who want to leak information will not be stopped
> by an application level firewall either, unless you body search everyone for
> bootleg media and also cut off all modem access. (Pretty draconian.)

Trusted users can tunnel out through socks. This is no different.

>
> You have to decide what level of security is right for your organization
> and apply the same level consistently. FW-1 may be right for you.

Again the implication that FW-1 provides less security...in what way? Please talk about holes through FW-1 that don't exist with machines running protocol and application proxies.

Patrick
 _______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;).   \
| (\                                                                    |
| Patrick J. Horgan       Amdahl Corporation              \\   Have     |
| patrick@amdahl.com      1250 East Arques Avenue          \\ _ Sword   |
| Phone : (408)992-2779   P.O. Box 3470 M/S 316            \\/  Will    |
| FAX   : (408)773-0833   Sunnyvale, CA 94088-3470        _/\\  Travel  |
\___________________________O16-2294________________________\)__________/

From firewalls-owner Thu Mar 2 16:05:02 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA15737 for firewalls-outgoing; Thu, 2 Mar 1995 14:49:00 -0800 Received: from cs.columbia.edu (cs.columbia.edu [128.59.16.20]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA15732 for ; Thu, 2 Mar 1995 14:48:57 -0800 From: carson@cs.columbia.edu Received: from pizza.cs.columbia.edu (pizza.cs.columbia.edu [128.59.26.43]) by cs.columbia.edu (8.6.10/8.6.6) with ESMTP id RAA16449; Thu, 2 Mar 1995 17:46:46 -0500 Received: (from carson@localhost) by pizza.cs.columbia.edu (8.6.10/8.6.6) id RAA21241; Thu, 2 Mar 1995 17:46:41 -0500 Date: Thu, 2 Mar 1995 17:46:41 -0500 Message-Id: <199503022246.RAA21241@pizza.cs.columbia.edu> To: "Simon J. Gerraty" Cc: "J. T. Judge" , firewalls@GreatCircle.COM Subject: Re: DNS on firewall?? In-Reply-To: <199503021239.XAA16241@zen.void.oz.au> References: <199503011936.OAA20495@gate3.fmr.com> <199503021239.XAA16241@zen.void.oz.au> Reply-To: carson@cs.columbia.edu Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>>>>> On Thu, 02 Mar 1995 23:39:54 +1100, "Simon J. Gerraty" said:

Simon> Nope. Split DNS where they really are _split_ ie. _no_ DNS traffic
Simon> through the firewall. I decided on this not so much to hide info, but
Simon> to not make the internal network (which has been running unconnected
Simon> for years) suddenly dependent on external services.
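Simon Gerraty's fully split DNS (quoted just above, and spelled out in his earlier message in this digest) can be made concrete with a small model of the two decisions it relies on: the internal name servers claim authority for every zone above their own so that a lookup for an outside host gets an immediate authoritative "no such name" rather than being forwarded through a firewall that passes no DNS traffic, and sendmail on each side hands unresolvable or inside-bound mail to the right relay. The Python below is an added example, not code from any list member or from TIS; the zone names, hosts, relay names and addresses in it are constructed placeholders. It also shows the contrast case Simon's design avoids: internal servers authoritative only for their own zone, where a query for an outside name has nowhere to go but forwarders that cannot be reached.

```python
"""Model of a fully split DNS with internal and external mail relays.

Constructed example: foo.com.au is the (placeholder) internal domain,
10.1.1.x addresses and relay.foo.com.au are placeholders too.
"""

from dataclasses import dataclass


def _fqdn(name: str) -> str:
    """Normalise a name to lower case with exactly one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


@dataclass
class InternalNameServer:
    """Minimal model of a resolver on the inside of a split DNS."""
    authoritative_zones: set            # zones this server claims to own
    records: dict                       # fqdn -> address (A records)
    forwarders_reachable: bool = False  # no DNS crosses the firewall

    def closest_zone(self, name: str):
        """Longest authoritative zone enclosing `name`, or None."""
        labels = _fqdn(name).rstrip(".").split(".")
        for i in range(len(labels) + 1):
            suffix = labels[i:]
            candidate = ".".join(suffix) + "." if suffix else "."
            if candidate in self.authoritative_zones:
                return candidate
        return None

    def resolve(self, name: str):
        """Return (status, detail); status is A, NXDOMAIN, FORWARDED or TIMEOUT."""
        fqdn = _fqdn(name)
        if fqdn in self.records:
            return ("A", self.records[fqdn])
        zone = self.closest_zone(fqdn)
        if zone is not None:
            # Authoritative for an enclosing zone and no record for the name:
            # the negative answer is immediate and definitive.
            return ("NXDOMAIN", zone)
        if self.forwarders_reachable:
            return ("FORWARDED", None)
        # Nowhere to send the query: the client sits in resolver timeouts.
        return ("TIMEOUT", None)


def route_outbound_mail(ns: InternalNameServer, recipient_domain: str,
                        inside_relay: str):
    """Where an inside sendmail hands a message: resolvable names are
    delivered directly, an authoritative NXDOMAIN punts to the relay host,
    and anything else leaves the mailer queueing and retrying."""
    status, detail = ns.resolve(recipient_domain)
    if status == "A":
        return ("direct", detail)
    if status == "NXDOMAIN":
        return ("relay", inside_relay)
    return ("queued", None)


def route_from_external_mailhost(recipient_domain: str, internal_domains,
                                 inside_relay: str):
    """The external mailhost must not do MX lookups for internal domains:
    those go straight to the inside relay; everything else uses normal MX."""
    fqdn = _fqdn(recipient_domain)
    for zone in internal_domains:
        z = _fqdn(zone)
        if fqdn == z or fqdn.endswith("." + z):
            return ("inside-relay", inside_relay)
    return ("mx-lookup", fqdn)


if __name__ == "__main__":
    split = InternalNameServer(
        authoritative_zones={".", "au.", "com.au.", "foo.com.au."},
        records={"mail.foo.com.au.": "10.1.1.25"},
    )
    only_own_zone = InternalNameServer({"foo.com.au."}, {"mail.foo.com.au.": "10.1.1.25"})
    for ns in (split, only_own_zone):
        print(sorted(ns.authoritative_zones), ns.resolve("host.bar.com.au"),
              route_outbound_mail(ns, "bar.com.au", "relay.foo.com.au"))
```

The `FORWARDED` branch is the textbook configuration (forwarders that the firewall lets through); the `TIMEOUT` branch is what happens when a site keeps the DNS truly split but forgets to claim the parent zones, which is the failure Simon's parent-zone trick exists to avoid.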
From firewalls-owner Thu Mar 2 16:19:55 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA16290 for firewalls-outgoing; Thu, 2 Mar 1995 15:05:39 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA16285 for ; Thu, 2 Mar 1995 15:05:37 -0800 Received: from aragon.bb.bawue.de by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id OAA15547; Thu, 2 Mar 1995 14:52:17 -0800 Received: by mail.bb.bawue.de from aragon.bb.bawue.de with smtp (3.1.28.1-vaxima/ESMTP/popmail-hack/bind-4.8.3/ns.bb.bawue.de) id m0rkHXB-001UPiC; Thu, 2 Mar 95 21:31 MET Message-Id: Subject: unsubcribe To: firewalls@greatcircle.com Date: Thu, 2 Mar 1995 21:31:40 +0100 (MET) From: "Alexander Horn" Reply-To: ahorn@aragon.bb.bawue.de Organization: Novalis Internet Services (Private On-Line TeleCommunication) X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Content-Length: 46 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

unsubcribe firewalls ahorn@aragon.bb.bawue.de

From firewalls-owner Thu Mar 2 16:32:46 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA15980 for firewalls-outgoing; Thu, 2 Mar 1995 14:57:37 -0800 Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA15975 for ; Thu, 2 Mar 1995 14:57:34 -0800 Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.28.1 #5) id m0rkJm4-0000bjC; Thu, 2 Mar 95 14:55 PST Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA07222; Thu, 2 Mar 1995 14:55:17 +0800 Date: Thu, 2 Mar 1995 14:55:17 +0800 From: patrick@oes.amdahl.com (Patrick Horgan) Message-Id: <9503022255.AA07222@brittany.oes.amdahl.com> To: Firewalls@GreatCircle.COM, sjones@Aptech.com, patrick@oes.amdahl.com, abraham@hpindda.cup.hp.com Subject: Re: FW-1, etc. X-Sun-Charset: US-ASCII content-length: 1891 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I'll write something up in the next couple of days, but for now I have a couple of questions.

>
> I've looked into FW-1 (without actually running the software) and got
> the following picture:
>
> Strength:
>
> 1) Everyone I have talked to gives his thumb up on the product's GUI. Based
> on my experience, Security Administrators see a good user interface just
> as important as any other part of the product.
>
> 2) It is flexible. Its programmable filter module supposedly can be used to
> adapt to many application protocols (ftp, HTTP, WAIS etc.) including site
> specific ones.
>
> Weaknesses:
>
> 1) It is not capable of doing User Authentication, which severely limits
> the access control module. Current rules are created based on service
> and host address, which may not have the granularity many of us need.

Good point.

>
> 2) Because the product is based on the "packet-filtering", it inherits the
> limitation of the technology. Although I believe CheckPoint did a good job
> on attempting to break the barrier.

This is vague. What holes exist that don't exist with protocol or application proxies?

>
> Does the above evaluation agree with what you have? I'll get it out.

Some of it agrees with what I have.

Patrick
 _______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;).   \
| (\                                                                    |
| Patrick J. Horgan       Amdahl Corporation              \\   Have     |
| patrick@amdahl.com      1250 East Arques Avenue          \\ _ Sword   |
| Phone : (408)992-2779   P.O. Box 3470 M/S 316            \\/  Will    |
| FAX   : (408)773-0833   Sunnyvale, CA 94088-3470        _/\\  Travel  |
\___________________________O16-2294________________________\)__________/

From firewalls-owner Thu Mar 2 16:35:02 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA17218 for firewalls-outgoing; Thu, 2 Mar 1995 15:53:03 -0800 Received: from wabash.iac.net (wabash.iac.net [198.180.60.138]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA17212 for ; Thu, 2 Mar 1995 15:53:00 -0800 Received: by wabash.iac.net id SAA28497; Thu, 2 Mar 1995 18:50:42 -0500 Date: Thu, 2 Mar 1995 18:50:39 -0500 (EST) From: Carl Jolley To: Bryan McDonald cc: firewalls@GreatCircle.COM Subject: Re: FW-1, etc. In-Reply-To: <9503021702.AA07348@alexander.erg.sri.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Might I suggest:

http://www.digimark.net/bdboyle/fulmer/firewall.vendor.html

The Firewall Vendors list

**** cjolley@iac.net ****
All opinions are my own and not necessarily those of my employer ****

On Thu, 2 Mar 1995, Bryan McDonald wrote:

>
> Before I spend the next week reading a whole series of "me-too's",
> has anyone compiled a list of all the firewalls on the market, both
> commercial and public-domain? If not, perhaps we can turn the shower
> of "me-too's" into a constructive list...
>
> Bryan
>
> >>>> If you are serious (and IMNSHO you can't be too serious if you are
> >>>> considering FW-1) about security I'd look at:
> >>>>
> >>>> SCC's Sidewinder ~ $40K
> >>>> DEC's SEAL ~ $35K (I think)
> >>>> Raptor's Eagle ~ $25K
> >>>> TIS's Gauntlet ~ $15K
> >>>
> >>> Smallworks NetGate ~ $5k (for source!)
> >>>
> >>>> My opinion is that the best value lies in the bottom two.
> >>>
> >>>And how.
> >>sjones@Aptech.com
> >
> >
> >LSLI sells turn key firewall solutions for $25k or simply the software
> >package for around $15k.
>

From firewalls-owner Thu Mar 2 17:01:50 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA18769 for firewalls-outgoing; Thu, 2 Mar 1995 16:41:33 -0800 Received: from kirin.clinicom.com ([204.131.245.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA18764 for ; Thu, 2 Mar 1995 16:41:29 -0800 Received: (from uucp@localhost) by kirin.clinicom.com (8.6.9/8.6.6) id TAA00952; Thu, 2 Mar 1995 19:48:06 -0700 Received: from clinicom(10.0.0.60) by kirin.clinicom.com via smap (V1.3) id sma000950; Thu Mar 2 19:47:38 1995 Received: (from leo@localhost) by clinicom.clinicom.com (8.6.9/8.6.9) id RAA38969; Thu, 2 Mar 1995 17:38:57 -0700 From: Leo Plotkin Message-Id: <199503030038.RAA38969@clinicom.clinicom.com> To: "Simon J. Gerraty" cc: firewalls@GreatCircle.COM Subject: SOCKS w/ split DNS (was Re: DNS on firewall??) In-reply-to: (Your message of Thu, 02 Mar 95 23:39:54 X.) <199503021239.XAA16241@zen.void.oz.au> Date: Thu, 02 Mar 95 17:38:56 -0700 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

"Simon J. Gerraty" writes:

>Now (one day) I just have to modify SOCKS such that if the client can
>resolve a name it knows it can connect directly, otherwise it
>goes to sockd on the proxy host. This would allow a single client to
>work inside and out, without unnecessary load on the proxy...

It's been done. There is a split DNS patch for cstc4.2beta as well as a stand alone Rgethostbyname.c on ftp.nec.com in /pub/security/socks.cstc. I wrote my own version in about 15 minutes before I heard about those. The logic is very simple -- first use standard gethostbyname to resolve hosts using a local policy (NIS, DNS, hosts, what have you) and upon failure use the code already present in Rconnect.c to check the Internet aware name server.

SOCKS can be told to use 'direct' rather than 'sockd' connections using IP addresses & masks in socks.conf.

--leo

p.s. this subject has more to do with SOCKS than firewalls in general, and should probably move to the socks mailing list.

From firewalls-owner Thu Mar 2 17:25:33 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA18622 for firewalls-outgoing; Thu, 2 Mar 1995 16:38:05 -0800 Received: from relay.hp.com (relay.hp.com [15.255.152.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA18617 for ; Thu, 2 Mar 1995 16:38:03 -0800 Received: from hpindda.cup.hp.com by relay.hp.com with ESMTP (1.37.109.14/15.5+ECS 3.3) id AA081830953; Thu, 2 Mar 1995 16:35:53 -0800 Received: from localhost by hpindda.cup.hp.com with SMTP (1.37.109.15/15.5+IOS 3.20+cup+OMrelay) id AA131020890; Thu, 2 Mar 1995 16:34:50 -0800 Message-Id: <199503030034.AA131020890@hpindda.cup.hp.com> To: patrick@oes.amdahl.com (Patrick Horgan), Firewalls@GreatCircle.COM Date: Thu, 02 Mar 1995 16:34:49 -0800 From: Abraham Lui Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Subject: Re: FW-1, etc. In-reply-to: Your message of "Thu, 02 Mar 1995 14:55:17 +0800." <9503022255.AA07222@brittany.oes.amdahl.com>

--------

>>
>> 2) Because the product is based on the "packet-filtering", it inherits the
>> limitation of the technology. Although I believe CheckPoint did a good job
>> on attempting to break the barrier.
>
>This is vague. What holes exist that don't exist with protocol or
>application proxies?

"Packet-filtering" by nature does not have the user-level context which it can use to make access control decisions and/or special processing. Therefore most packet-filtering products can only filter on host address and port. Application gateway does not suffer from this limitation because each gateway has total (well..almost) control over the traffic that passes through the gateway, and can be written as sophisticated as one wants it to be.

FW-1 attempts to break the "packet-filtering" barrier by doing what application gateway does, ie. looking into the application level data and maintaining state (eg. FTP and UDP). IMHO, an application gateway written specifically to control the traffic that uses a particular application is far more flexible and secure than a generic filtering module as offered by FW-1.

Abe

+-------------------------------------------+---------------------------------+
|Abraham Lui (Member, Technical Staff)      |Bldg: 43L; MS 43LM; Pillar P7    |
|Information Networks Division              |Phone: 408-447-2403              |
|Hewlett-Packard Company                    |Telnet: 1-447-2403               |
|19420 Homestead Road, MS 43LM              |Fax: 408-447-3660                |
|Cupertino, CA 95014-9807                   |Email: abraham@cup.hp.com        |
+-------------------------------------------+---------------------------------+

From firewalls-owner Thu Mar 2 17:32:07 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA20170 for firewalls-outgoing; Thu, 2 Mar 1995 17:16:10 -0800 Received: from erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA20163 for ; Thu, 2 Mar 1995 17:16:06 -0800 Posted-Date: Thu, 2 Mar 1995 20:13:55 -0500 (EST) Date: Thu, 2 Mar 1995 20:13:55 -0500 (EST) From: "Bryan D. Boyle" Subject: Re: your mail To: Bob McKisson Cc: Firewalls-Digest@greatcircle.com In-Reply-To: <9503022110.AA00733@ Paragon-Systems.COM> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Well, Homer Simpson was right. Now I understood why the advertising
> agencies jump for joy when one of their clients gets flamed, trashed or
> drug through the mud. FW-1 starts out as the object of electronic
> brutality, and now everyone in the business is shoutin' for air time.
>
> "Ah, yeah is this Merrill Lynch? Yeah, I'd like another hundred shares
> of Checkpoint please."
>

Except that you can't buy shares of checkpoint since the company is Israeli.

> What a country!
Hey, most companies have made a bundle selling stuff that isn't what it purports to be, through the use of clever advertising and FUD. This is no different. Companies with no clue will buy expensive packet filters and think they are secure. As long as it is not your company that travels down that garden path, and you are secure because you have actually thought thru the stages of risk analysis, threat management, and so forth, and come up with a solution that works, regardless of all the glossy advertising and slick GUIs, it will be ok. And think, if you are not on _that_ platform's OS, when the weekly CERT advisory comes out about that OS, you can shrug it off and do more important things.

My $.02, obviously.

From firewalls-owner Thu Mar 2 18:01:54 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA21254 for firewalls-outgoing; Thu, 2 Mar 1995 17:53:38 -0800
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id RAA21210 for ; Thu, 2 Mar 1995 17:52:58 -0800
Message-Id: <199503030152.RAA21210@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.15/16.2) id AA052775391; Fri, 3 Mar 1995 12:49:51 +1100
From: Darren Reed
Subject: Re: FW-1, etc.
To: bdboyle@maverick.erenj.com (Bryan D. Boyle)
Date: Fri, 3 Mar 1995 12:49:51 +1100 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <9503021250.ZM6168@maverick.erenj.com> from "Bryan D. Boyle" at Mar 2, 95 12:50:17 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1099
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some email I received from Bryan D. Boyle, they wrote:
[...]
> security schemes in use today. If they don't, then the producer of the
> software is not interested in business uses of their wares, and should
> probably concentrate on the education and non-profit markets where
> security is not a concern.

Just a minor point: quite a few of us who work in education-orientated environments care quite a deal about security, and it is beginning to become a concern for dialup-IP people too. Security is peace of mind (when it works :-) if nothing else. Tell me any sys-admin who wouldn't desire that.

However, depending on the application gateway, your level of `pain' may be higher than others. For example, using ftp-gw from TIS is much easier for 9/10 ftp clients than using SOCKS. (Exception being some stupid pc-nfs windows version which had a very short limit on the username string and otherwise didn't allow you to interact with the login). I don't need to fiddle with ftp for Unix or DOS or Macs. But neither were any of those clients originally written with this in mind.

darren

From firewalls-owner Thu Mar 2 19:01:45 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA22533 for firewalls-outgoing; Thu, 2 Mar 1995 18:39:01 -0800
Received: from itd.nrl.navy.mil (itd-fddi.nrl.navy.mil [132.250.198.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA22526 for ; Thu, 2 Mar 1995 18:38:58 -0800
Received: by itd.nrl.navy.mil (4.1/SMI-4.1) id AA08964; Thu, 2 Mar 95 21:36:48 EST
Date: Thu, 2 Mar 95 21:36:48 EST
From: bowyer@itd.nrl.navy.mil (J.)
Message-Id: <9503030236.AA08964@itd.nrl.navy.mil>
To: firewalls@greatcircle.com
Subject: Janus Firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'd be interested in hearing from anyone who has experience with Janus (i.e. people who actually have it installed). Email me directly if possible; thanks.

-J.
From firewalls-owner Thu Mar 2 23:02:16 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id WAA27430 for firewalls-outgoing; Thu, 2 Mar 1995 22:49:24 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id WAA27425 for ; Thu, 2 Mar 1995 22:49:22 -0800
Received: from orpheus.amdahl.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id WAA16665; Thu, 2 Mar 1995 22:42:31 -0800
Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.28.1 #5) id m0rkR7O-0000VGC; Thu, 2 Mar 95 22:45 PST
Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA07415; Thu, 2 Mar 1995 22:45:55 +0800
Date: Thu, 2 Mar 1995 22:45:55 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
Message-Id: <9503030645.AA07415@brittany.oes.amdahl.com>
To: Firewalls@GreatCircle.COM, abraham@hpindda.cup.hp.com, patrick@oes.amdahl.com
Subject: Re: FW-1, etc.
Content-Length: 1563
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Abraham Lui said:
>
> IMHO, an application gateway written specifically to control the traffic
> that uses a particular application is far more flexible and secure
> than a generic filtering module as offered by FW-1.

In what ways? What holes appear in FW-1 that don't appear in an application gateway? I don't mean to be a broken record here, but it seems that when I ask in what way FW-1 is less secure than application and protocol proxies, I am told it's because application proxies are more secure... how? I've been told via private email that it's because an administrator could make a mistake and open the firewall, but misconfiguring socks can be a drag too. I'm really looking for a difference here.

I'm surprised that no one's jumped in with the argument that proxies hide your internal addresses. I don't believe that this yields any real security; it's sort of the security-through-obscurity argument. I'm looking for solutions that work whether someone knows your stuff or not.

Firewall-1 is flexible, secure and cool:) It's also not IMHO a complete solution, lacking many of the things that you'd want, but it does provide security. Anyone heard of a properly configured one being hacked? It's had bug problems with crashing, but that's not a flaw in the technology; the paradigm is good.

(I can't believe that I'm spending so much time defending their product... we don't have it ourselves, but most of the arguments I've seen haven't had any logic behind them... it just seems to be irrational packet-filtering prejudice...)

Patrick

 _______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;).   \
|                                                            (\         |
| Patrick J. Horgan        Amdahl Corporation                 \\ Have   |
| patrick@amdahl.com       1250 East Arques Avenue             \\ _ Sword |
| Phone : (408)992-2779    P.O. Box 3470 M/S 316               \\/ Will  |
| FAX   : (408)773-0833    Sunnyvale, CA 94088-3470           _/\\ Travel|
\___________________________O16-2294________________________\)__________/

From firewalls-owner Fri Mar 3 00:31:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA28858 for firewalls-outgoing; Fri, 3 Mar 1995 00:15:28 -0800
Received: from actp.andersen.fr (actp.andersen.fr [193.104.68.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id AAA28853 for ; Fri, 3 Mar 1995 00:15:24 -0800
Received: by actp.andersen.fr (5.65c/1.34) id AA10241; Fri, 3 Mar 1995 09:16:54 +0100
Organization: Andersen Consulting , Technology Park , France
Received: from leonardo.acesc.andersen.fr(193.51.106.6) by actp via smap (V1.3mjr) id sma010239; Fri Mar 3 09:16:12 1995
Received: by leonardo.acesc.andersen.fr, Fri, 3 Mar 1995 09:09:29 +0100
Date: Fri, 3 Mar 1995 09:09:29 +0100
From: Denis ROZERON
Message-Id: <199503030809.AA14239@leonardo.acesc.andersen.fr>
To: firewalls@greatcircle.com
Subject: unsuscribe
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

unsuscribe firewalls

From firewalls-owner Fri Mar 3 01:31:44 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA29937 for firewalls-outgoing; Fri, 3 Mar 1995 01:03:45 -0800
Received: from hadrian.sbil.co.uk (sbil.co.uk [193.116.107.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id BAA29932 for ; Fri, 3 Mar 1995 01:03:37 -0800
Received: from europe.sbil.co.uk (europe.sbil.co.uk [129.14.115.12]) by hadrian.sbil.co.uk (8.6.9/8.6.6) with ESMTP id JAA29563 for ; Fri, 3 Mar 1995 09:01:25 GMT
Received: from trident.sbil.co.uk (trident [129.14.114.238]) by europe.sbil.co.uk (8.6.9/8.6.6) with ESMTP id JAA10884 for ; Fri, 3 Mar 1995 09:01:24 GMT
From: Jason Crow
Received: (crow@localhost) by trident.sbil.co.uk (8.6.9/8.6.6) id JAA00884 for firewalls@greatcircle.com; Fri, 3 Mar 1995 09:01:01 GMT
Date: Fri, 3 Mar 1995 09:01:01 GMT
Message-Id: <199503030901.JAA00884@trident.sbil.co.uk>
To: firewalls@greatcircle.com
Subject: TIS
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Could somebody please explain to me the benefits of using the TIS Gauntlet package over the TIS FWTK. I know that FWTK is free whereas you have to pay for Gauntlet, but what are the technical advantages and the reasons for going to the commercial product?

Thanks in advance

----------------------------------------------------------
Jason Crow                Salomon Brothers International Limited
----------------------------------------------------
Business Technology Organisation        Tel: +44 (0)171-721-2580

From firewalls-owner Fri Mar 3 08:35:06 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA01145 for firewalls-outgoing; Fri, 3 Mar 1995 08:14:10 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA00695 for ; Fri, 3 Mar 1995 08:11:43 -0800
Received: from relay.tis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id FAA17945; Fri, 3 Mar 1995 05:52:10 -0800
Received: from unknown(192.33.112.100) by relay.tis.com via smap (V1.3) id sma022420; Fri Mar 3 08:45:26 1995
Message-Id: <9503031345.AA08139@tis.com>
From: Frederick M Avolio
X-Organization: Trusted Information Systems, Inc.
X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363
To: Jason Crow
Cc: firewalls@greatcircle.com
Subject: Re: TIS
In-Reply-To: Your message of Fri, 03 Mar 95 09:01:01 +0000. <199503030901.JAA00884@trident.sbil.co.uk>
Date: Fri, 03 Mar 95 08:45:17 -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Could somebody please explain to me the benefits of using the TIS Gauntlet
> package over the TIS FWTK.

Well, Trusted Information Systems, Inc. gets paid for the one... Oh, you mean benefits to you? :-)

The FWTK is... a toolkit. You build it, you configure it, you install it. It has the *basics* needed for a firewall. There is almost no support -- best effort basis -- and, as the license says, it is meant for single organization installations where the people there are expert enough to install it. It is not for resale nor may people build a business from it -- installing FWTK for end users, for example. It is provided "as is."

The Gauntlet Internet Firewall has enhanced proxies, enhanced user permissions, management tools, reporting tools, kernel mods, alarms on unsupported ports, comes configured on a hardware platform, comes with source code and software support. It is a commercial product that shares the same *core* functionality as the FWTK and the same design philosophy and goals. See our web page on www.tis.com for more information. We will soon announce version 3.0 of the Gauntlet Internet Firewall, and will post a one-liner here pointing people to our web server for more details.

Neither has a multicolored, X-based, GUID interface.

Fred

From firewalls-owner Fri Mar 3 08:41:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA00846 for firewalls-outgoing; Fri, 3 Mar 1995 08:12:54 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA00561 for ; Fri, 3 Mar 1995 08:10:16 -0800
Received: from mickey.jsc.nasa.gov by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id HAA18244; Fri, 3 Mar 1995 07:16:17 -0800
From: horn@mickey.jsc.nasa.gov
Received: from janus.jsc.nasa.gov by mickey.jsc.nasa.gov (5.65c/ISL-ser-1.1) id AA25625; Fri, 3 Mar 1995 09:17:21 -0600
Received: by janus.jsc.nasa.gov (5.65c/ISL-cli-1.1) id AA27267; Fri, 3 Mar 1995 09:17:20 -0600
Received: from freefall.jsc.nasa.gov(139.169.132.24) by janus.jsc.nasa.gov via smap (V1.3) id sma027265; Fri Mar 3 09:17:16 1995
Received: by freefall.jsc.nasa.gov (8.6.9/ISL-cli-1.1) id JAA09333; Fri, 3 Mar 1995 09:17:15 -0600
Message-Id: <199503031517.JAA09333@freefall.jsc.nasa.gov>
Subject: Re: FW-1, etc.
To: patrick@oes.amdahl.com (Patrick Horgan)
Date: Fri, 3 Mar 1995 07:29:33 -0600 (CST)
In-Reply-To: <9503022237.AA07208@brittany.oes.amdahl.com> from "Patrick Horgan" at Mar 2, 95 02:37:45 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2164
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Patrick J. Horgan wrote:
> Again the implication that FW-1 provides less security... in what way?
> Please talk about holes through FW-1 that don't exist with machines
> running protocol and application proxies.

FW-1 is a packet filter, and the authentication that such a firewall uses is IP-based authentication. The problem with this is that it is NOT strong and it is NOT user authentication. What matters is not who you are, but where you're coming from.

Suppose that you have a user who goes on travel and wants to telnet in to his machine FOO from remote host BAR. To allow this, the packet filtering firewall must allow in port 23 from BAR to FOO. Now, there are two ways to get around this type of authentication:

a) IP address spoofing - i.e. pretend that you are host BAR
b) Get access to host BAR, and telnet in

The latter of the two is particularly nasty because it's probably not that difficult. Using a packet filter, and IP based authentication, when you trust host BAR you also implicitly trust all of the hosts that BAR trusts, and all that those hosts trust, etc, etc. Breaking into any one of the hosts in that web of trust means access to your inside machines.

The biggest problem with packet filter based firewalls is the basic trust in IP addresses for authentication. Now, I don't know anything particular about FW-1, although I've been told several times that it handles UDP in a reasonable fashion (OK, so call me skeptical). Nevertheless, without strong USER authentication at the firewall, it isn't anything more than a fancy GUI packet filter, which is inherently less secure than an application level gateway.

Of course, if your packet filter is one where absolutely NO inbound traffic is allowed, and you trust your internal users, then I'd be inclined to say that a packet filter is no less secure than an app-gateway. However, as soon as you want to allow inbound traffic, the game is up, and the security of the packet filter breaks down.

--
Mark Horn (sparkie)
horn@mickey.jsc.nasa.gov
http://tommy.jsc.nasa.gov/~horn
mark.horn1@jsc.nasa.gov

From firewalls-owner Fri Mar 3 08:48:55 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA00646 for firewalls-outgoing; Fri, 3 Mar 1995 08:11:20 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA00511 for ; Fri, 3 Mar 1995 08:09:34 -0800
Received: from sol.aa.hcia.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id GAA18046; Fri, 3 Mar 1995 06:19:25 -0800
Received: by sol.aa.hcia.com (Smail3.1.29.1 #1) id m0rkYDv-001t74C; Fri, 3 Mar 95 09:20 EST
Message-Id:
Date: Fri, 3 Mar 95 09:20 EST
From: eprie@hcia.com (Eric W. Priebe)
To: Firewalls@GreatCircle.COM
Subject: DES encrytion
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm reading in the MST ppp manual that you can specify DES encryption for specific sites. Does anyone know of other products that also support encryption? Seems like a nice way to permit access from specific sites without having to worry about packets being hijacked or addresses spoofed. Products for PC based PPP encryption would be nice to know about too.

Thanks,
Eric

-----------------------------------------------------------------------
If I could afford a good .sig, it'd be here.
-----------------------------------------------------------------------

From firewalls-owner Fri Mar 3 08:57:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA00550 for firewalls-outgoing; Fri, 3 Mar 1995 08:10:26 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA00342 for ; Fri, 3 Mar 1995 08:08:51 -0800
Received: from beaumont.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id HAA18283; Fri, 3 Mar 1995 07:34:04 -0800
Received: from localhost (mgalati@localhost) by beaumont.edu (8.6.5/8.6.5) id KAA16984; Fri, 3 Mar 1995 10:37:03 -0500
Date: Fri, 3 Mar 1995 10:31:27 -0500 (EST)
From: Mike Galati - Information Services
Subject: Re: FW-1, etc.
To: Bryan McDonald
cc: firewalls@GreatCircle.COM
In-Reply-To: <9503021702.AA07348@alexander.erg.sri.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You could try this location; it was posted here a while ago. Has quite a few firewalls along with information, address, phone etc. Unsure if any are "public" though.... Sorry if message is short, am very ! new to this type of mail list.

Location: http://www.cis.ohio-state.edu/hypertext/faq/usenet/firewalls-faq/faq.html

On Thu, 2 Mar 1995, Bryan McDonald wrote:
>
> Before I spend the next week reading a whole series of "me-too's",
> has anyone compiled a list of all the firewalls on the market, both
> commercial and public-domain? If not, perhaps we can turn the shower
> of "me-too's" into a constructive list...
>
> Bryan
>
> >>>> If you are serious (and IMNSHO you can't be too serious if you are
> >>>> considering FW-1) about security I'd look at:
> >>>>
> >>>> SCC's Sidewinder ~ $40K
> >>>> DEC's SEAL ~ $35K (I think)
> >>>> Raptor's Eagle ~ $25K
> >>>> TIS's Gauntlet ~ $15K
> >>>
> >>> Smallworks NetGate ~ $5k (for source!)
> >>>
> >>>> My opinion is that the best value lies in the bottom two.
> >>>
> >>>And how.
> >>sjones@Aptech.com
> >
> >
> >LSLI sells turn key firewall solutions for $25k or simply the software
> >package for around $15k.

From firewalls-owner Fri Mar 3 09:00:32 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA01832 for firewalls-outgoing; Fri, 3 Mar 1995 08:34:14 -0800
Received: from BComeau.Hydro.Qc.CA (socrates.BComeau.Hydro.Qc.CA [131.195.40.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA01824 for ; Fri, 3 Mar 1995 08:34:06 -0800
Received: from mais.hydro.qc.ca (glock.mais.hydro.qc.ca) by bcomeau.hydro.qc.ca (5.0/SMI-SVR4) id AA26090; Fri, 3 Mar 1995 11:30:54 -0500
Received: by mais.hydro.qc.ca id AA02441 (5.67b8/IDA-1.5 for firewalls-relay@bcomeau.hydro.qc.ca); Fri, 3 Mar 1995 11:28:47 -0500
Date: Fri, 3 Mar 1995 11:28:47 -0500
From: Benoit Dicaire
Message-Id: <199503031628.AA02441@mais.hydro.qc.ca>
To: firewalls-relay@BComeau.Hydro.Qc.CA
Subject: Firewalls : some answers
X-Sun-Charset: US-ASCII
content-length: 1515
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Benoit Dicaire wrote :
BD> Hi, my management is worried about security issues.
BD> I'm working on a memo that will explain WHY we need a firewall
BD> I'm looking for number :
BD> - How many sites on the internet
BD> - How many sites have a firewall (a corporate, or one by site)
BD> - How many sites plan to have a firewall

Steven Tepper wrote :
ST> I doubt very much that reliable numbers exist, and even if they did, how much
ST> value would they have? If most net sites don't have any protection from the
ST> Internet, it's probably because they aren't aware of the risks. Also, as has
ST> been discussed recently on the firewalls list, there is no clear definition of
ST> a firewall.

Still, I need to find the tendance - trends. For me a firewall is something that can secure a site.

Bob McKisson wrote :
BM> Is it safe to assume that your organization has in place a
BM> corporate Automated Information Systems Security Policy?

My organisation is *HUGE*; maybe there is that kind of policy somewhere. We provide electricity for the province of Quebec and some part of New York, etc ... I'll provide a firewall only for my project. Do you know where I can find a template for this policy?

Oh BTW I'll have my firewall, it's only a matter of doing the paperwork. A prototype with the tis toolkit is in work ...

Does anyone have a proxy for SQL Net?

---
Benoit Dicaire                   | bdicaire@mais.hydro.qc.ca
System Administrator / WebMaster | www.mais.hydro.qc.ca/bdicaire.html
Hydro-Quebec                     | (514)289-7916

From firewalls-owner Fri Mar 3 09:00:54 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA01863 for firewalls-outgoing; Fri, 3 Mar 1995 08:37:01 -0800
Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA01858 for ; Fri, 3 Mar 1995 08:36:59 -0800
Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.28.1 #5) id m0rkaJE-0000cgC; Fri, 3 Mar 95 08:34 PST
Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA07719; Fri, 3 Mar 1995 08:34:43 +0800
Date: Fri, 3 Mar 1995 08:34:43 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
Message-Id: <9503031634.AA07719@brittany.oes.amdahl.com>
To: jhill@srd.bt.co.uk
Subject: Re: set group id on directories
Cc: firewalls@GreatCircle.COM
X-Sun-Charset: US-ASCII
content-length: 1545
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> > I'd like to know if a sgid bit on a directory represents a security risk,
> > given the fact that the directory is not world or group writable.
>
> I inherited an old SunOS 4.1 box a while ago like this - dunno if that is
> what the distribution was like, but I didn't like the look so I just reset
> all the sgid bits with no nasty side effects.
>
> Jake.
>

Man! You should have understood it before you made the decision... you can't trust security to whether you like the look of something or not!

This can actually help security sometimes by being an alternative to, "Well my group needs root so we can change each other's files." You give them a group, you give them a directory owned by that group and writeable by the group, put them all in the group, and tell them to set their umasks to 002. Voila! We manage a lot of stuff like that... it has no security risk, and is better than the alternative.

Patrick

 _______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;).   \
|                                                            (\         |
| Patrick J. Horgan        Amdahl Corporation                 \\ Have   |
| patrick@amdahl.com       1250 East Arques Avenue             \\ _ Sword |
| Phone : (408)992-2779    P.O. Box 3470 M/S 316               \\/ Will  |
| FAX   : (408)773-0833    Sunnyvale, CA 94088-3470           _/\\ Travel|
\___________________________O16-2294________________________\)__________/

From firewalls-owner Fri Mar 3 09:01:14 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA02095 for firewalls-outgoing; Fri, 3 Mar 1995 08:47:50 -0800
Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA02090 for ; Fri, 3 Mar 1995 08:47:48 -0800
Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.28.1 #5) id m0rkaTh-0000d4C; Fri, 3 Mar 95 08:45 PST
Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA07731; Fri, 3 Mar 1995 08:45:29 +0800
Date: Fri, 3 Mar 1995 08:45:29 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
Message-Id: <9503031645.AA07731@brittany.oes.amdahl.com>
To: patrick@oes.amdahl.com, horn@mickey.jsc.nasa.gov
Subject: Re: FW-1, etc.
Cc: firewalls@GreatCircle.com
X-Sun-Charset: US-ASCII
content-length: 3201
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Suppose that you have a user who goes on travel and wants to telnet in to his
> machine FOO from remote host BAR.

The easiest way to fix this is by policy;) No incoming connections.

> To allow this, the packet filtering
> firewall must allow in port 23 from BAR to FOO. Now, there are two ways to
> get around this type of authentication:
>
> a) IP address spoofing - i.e. pretend that you are host BAR
> b) Get access to host BAR, and telnet in
>
> The latter of the two is particularly nasty because it's probably not that
> difficult. Using a packet filter, and IP based authentication, when you
> trust host BAR you also implicitly trust all of the hosts that BAR trusts,
> and all that those hosts trust, etc, etc. Breaking into any one of the hosts
> in that web of trust means access to your inside machines.
>
> The biggest problem with packet filter based firewalls is the basic trust in
> IP addresses for authentication. Now, I don't know anything particular about
> FW-1, although I've been told several times that it handles UDP in a
> reasonable fashion (OK, so call me skeptical). Nevertheless, without strong
> USER authentication at the firewall, it isn't anything more than a fancy GUI
> packet filter, which is inherently less secure than an application level
> gateway.

So what if you had something that listened on port 23 on the firewall, did reasonable authentication either via an encrypted channel with exchange of public keys, or via a single key method. Once authenticated you'd be able to back proxy to where you wanted to go. This, I believe, is a good way to go; there's a real synergy between things like this and a "I hate to say just packet filter, since FW-1 does some application stuff," packet filter.

>
> Of course, if your packet filter is one where absolutely NO inbound traffic is
> allowed, and you trust your internal users, then I'd be inclined to say that a
> packet filter is no less secure than an app-gateway. However, as soon as you
> want to allow inbound traffic, the game is up, and the security of the packet
> filter breaks down.

I'd like a combination of free outgoing via the packet filter, and incoming via some sort of authenticated channels. Nothing here shows any hole implicit in FW-1 though.

(You know it's funny that FW-1 is most often complimented for their GUI in reviews, but I found it completely non-intuitive. I thought it was one of the worst designed user interfaces... just trying to figure out how to apply a change to a filter was bizarre.)

Patrick

 _______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;).   \
|                                                            (\         |
| Patrick J. Horgan        Amdahl Corporation                 \\ Have   |
| patrick@amdahl.com       1250 East Arques Avenue             \\ _ Sword |
| Phone : (408)992-2779    P.O. Box 3470 M/S 316               \\/ Will  |
| FAX   : (408)773-0833    Sunnyvale, CA 94088-3470           _/\\ Travel|
\___________________________O16-2294________________________\)__________/

From firewalls-owner Fri Mar 3 09:06:12 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA00513 for firewalls-outgoing; Fri, 3 Mar 1995 08:09:42 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA00319 for ; Fri, 3 Mar 1995 08:08:46 -0800
Received: from maily1.prodigy.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id HAA18263; Fri, 3 Mar 1995 07:28:51 -0800
Received: (from frank@localhost) by maily1.prodigy.com (8.6.10/8.6.9) id KAA32234; Fri, 3 Mar 1995 10:05:43 -0500
Date: Fri, 3 Mar 1995 10:05:43 -0500 (EST)
From: Frank Wortner
To: Firewalls
Subject: Re: FW-1, etc.
In-Reply-To: <9503030645.AA07415@brittany.oes.amdahl.com>
Message-ID:
X-Mail-1: Prodigy Services Co.
X-Mail-2: 1565 Front Street
X-Mail-3: Yorktown Heights NY 10598
X-Phone: 1-914-448-1740
X-FAX: 1-914-448-1946
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The only sensible argument *I* can come up with in the "packet filters vs. application gateways" debate is that, given the "available" software, it is easier for someone who wants to "roll her own" to build and configure an application gateway than a packet filter. The general design is at a higher level: shut everything off, and then decide what *services* to allow, as opposed to shut everything off, then decide what ranges of ports to allow. It's just plain easier to do the former correctly than the latter --- given available "freeware."

Additional ways to flog this dead horse are left as an exercise for the reader. :-)

Frank

--
"Outside of a dog, a book is a man's best friend; inside of a dog, it's too dark to read." -- Groucho Marx

From firewalls-owner Fri Mar 3 09:22:45 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA00524 for firewalls-outgoing; Fri, 3 Mar 1995 08:09:49 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA00326 for ; Fri, 3 Mar 1995 08:08:47 -0800
Received: from relay.tis.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id HAA18364; Fri, 3 Mar 1995 07:50:08 -0800
Received: from unknown(192.33.112.100) by relay.tis.com via smap (V1.3) id sma023676; Fri Mar 3 10:52:16 1995
Received: by (4.1/illuminati) id AA02066; Fri, 3 Mar 95 10:57:20 EST
From: "Marcus J. Ranum"
Message-Id: <2066.9503031557@illuminati>
Subject: Re: FW-1, etc.
To: patrick@oes.amdahl.com (Patrick Horgan)
Date: Fri, 3 Mar 1995 10:57:20 -0500 (EST)
Cc: Firewalls@GreatCircle.COM, abraham@hpindda.cup.hp.com, patrick@oes.amdahl.com
In-Reply-To: <9503030645.AA07415@brittany.oes.amdahl.com> from "Patrick Horgan" at Mar 2, 95 10:45:55 pm
Organization: Trusted Information Systems, Inc. Glenwood, MD
Phone: 301-854-6889
Coredump: Infocalypse Now!!!
Content-Type: text
Content-Length: 941
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> In what ways? What holes appear in FW-1 that don't appear in an application
> gateway? I don't mean to be a broken record here, but it seems that when
> I ask in what way FW-1 is less secure than application and protocol proxies,
> I am told it's because application proxies are more secure... how?

One observation: you're dividing the implementation of your security when you're using a network-level firewall. Suppose that you have a network-level firewall, and it's configured to allow SMTP on port 25 to 2 main mail hubs, and telnet in, no rlogin in, and anything out ("established"). You now have to worry about 2 systems with 2 versions of sendmail + N machines with N potential telnetd holes. Sure, you can reduce the scope of possible attack by further reducing the number of "inside" services that "outside" machines can reach, but by the time you've reduced them to a point, you've just implemented a proxy bastion host. :)

mjr.
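Two objections in this thread can be made concrete with a small model: Mark Horn's point that an IP-based allow rule inherits the whole web of trust behind the permitted source host, and Marcus Ranum's count of the daemons a network-level rule set leaves reachable from outside. The following is an added example written for this archive; it is not code from FW-1, the TIS toolkit or any poster. The host names, rules and trust relations are constructed, and the filter is a deliberately stateless toy.

```python
"""Toy model of a stateless packet filter (constructed illustration; not
code from any product discussed in the thread)."""

from collections import namedtuple

# "allow tcp from src to dst:port"; a src of "*" means any outside host.
Rule = namedtuple("Rule", "src dst port")

# Constructed rule set: Ranum's "SMTP to 2 mail hubs, telnet in to N hosts"
# plus Mark Horn's "let the traveller on host BAR telnet to FOO".
INSIDE = {"hub1", "hub2", "ws1", "ws2", "ws3", "FOO"}
RULES = [
    Rule("*", "hub1", 25),
    Rule("*", "hub2", 25),
    Rule("*", "ws1", 23),
    Rule("*", "ws2", 23),
    Rule("*", "ws3", 23),
    Rule("BAR", "FOO", 23),
]

# Constructed trust relations among outside hosts: BAR lets users of BAZ
# and QUX log in (shared accounts, rhosts, whatever), BAZ lets LAB in.
TRUST = {"BAR": {"BAZ", "QUX"}, "BAZ": {"LAB"}}


def permits(rules, src, dst, port):
    """The filter's whole decision. It sees header fields only, so it has
    no user-level context: 'where you are coming from' is all it checks."""
    return any(r.src in ("*", src) and r.dst == dst and r.port == port
               for r in rules)


def hosts_with_access(rules, dst, port, trust):
    """Transitive closure of the IP-based trust: every host whose users can
    obtain a login on an allowed source host inherits that host's access,
    and so on outward (the 'web of trust' in the thread)."""
    reach = {r.src for r in rules
             if r.dst == dst and r.port == port and r.src != "*"}
    frontier = list(reach)
    while frontier:
        host = frontier.pop()
        for trusted in trust.get(host, ()):
            if trusted not in reach:
                reach.add(trusted)
                frontier.append(trusted)
    return reach


def exposed_services(rules, inside):
    """(host, port) pairs any outside host may connect to: each is a daemon
    whose bugs you now have to track ("2 sendmails + N telnetds")."""
    return {(r.dst, r.port) for r in rules if r.src == "*" and r.dst in inside}


def funnel_through_bastion(rules, bastion):
    """The end point of Ranum's reduction: keep the services, but terminate
    every wildcard rule on one bastion host, where a proxy can authenticate
    the user before relaying inside."""
    return [Rule(r.src, bastion, r.port) if r.src == "*" else r for r in rules]


if __name__ == "__main__":
    print("BAR -> FOO:23 permitted:", permits(RULES, "BAR", "FOO", 23))
    print("hosts that effectively reach FOO:23:",
          sorted(hosts_with_access(RULES, "FOO", 23, TRUST)))
    print("outside-reachable services:", sorted(exposed_services(RULES, INSIDE)))
    bastioned = funnel_through_bastion(RULES, "bastion")
    print("after funnelling through a bastion:",
          sorted(exposed_services(bastioned, INSIDE | {"bastion"})))
```

Run stand-alone, it shows one allow rule for BAR admitting four hosts once BAR's own trust is followed, five separately exposed daemons for the two-hub-plus-telnet policy, and two once every wildcard rule terminates on a single bastion, which is the "you've just implemented a proxy bastion host" observation in numbers.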
From firewalls-owner Fri Mar 3 09:43:40 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA02994 for firewalls-outgoing; Fri, 3 Mar 1995 09:21:43 -0800 Received: from sys1.ic.ncs.com (sys1.ic.ncs.com [159.182.38.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA02989 for ; Fri, 3 Mar 1995 09:21:40 -0800 Received: from sys1.ic.ncs.com by sys1.ic.ncs.com (AIX 3.2/UCB 5.64/4.03) id AA06422; Fri, 3 Mar 1995 11:18:10 -0600 Received: by tiffin.ic.ncs.com (AIX 3.2/UCB 5.64/4.03) id AA15441; Fri, 3 Mar 1995 11:18:36 -0600 From: stagda@sys1.ic.ncs.com (Dave Stagner) Message-Id: <9503031718.AA15441@tiffin.ic.ncs.com> Subject: IPX traffic through a firewall To: firewalls@greatcircle.com Date: Fri, 3 Mar 1995 11:18:34 -0600 (CST) X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 912 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Can plug-gw or some other wrapper program be used to pass IPX traffic through a firewall? We have users who want to access their Novell network from the outside, and the option is either let them have a modem inside (insecure), or send them through the firewall, which is TCP-based. I suppose they could run Netware sessions over TCP somehow, but I know very little about Novell myself (lucky me, I'm paid to write unix software!), so I don't know about configuring such a beast, or even if it's possible. Does anyone have experience with this sort of thing? It's not critical or urgent at this point; I just want to sort out the options. -- * David Faron Stagner * National Computer Systems david-stagner@ic.ncs.com * 2510 N Dodge St vox 319 354 9200 ext 6884 * Iowa City, IA 52244 fax 319 339 6555 I disclaim my employer and I'm sure they'd disclaim me too. 
From firewalls-owner Fri Mar 3 09:59:16 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA03384 for firewalls-outgoing; Fri, 3 Mar 1995 09:38:21 -0800 Received: from gateway.sequent.com (gateway.sequent.com [138.95.18.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA03379 for ; Fri, 3 Mar 1995 09:38:18 -0800 Received: from [138.95.14.34] by gateway.sequent.com (5.61/1.34) id AA15860; Fri, 3 Mar 95 09:36:06 -0800 Received: from ushqgw0a.sequent.com by relay1.sequent.com (5.65/crg/11) id AA14983; Fri, 3 Mar 95 09:23:50 -0800 Received: by ushqgw.sequent.com with Microsoft Mail id <2F575427@ushqgw.sequent.com>; Fri, 03 Mar 95 09:38:47 PST From: "Ned Smith (nedbob)" To: "'Firewalls Alias(firewalls@greatcircle.com)'" Subject: Re: CERT Date: Fri, 03 Mar 95 09:35:00 PST Message-Id: <2F575427@ushqgw.sequent.com> Encoding: 26 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Put it in the FAQ! -------------------------------------------------------------------- |Let's drop this non-disclosure vs. disclosure thread, eh? It comes up |every time a new advisory comes out, and nobody ever changes their mind; we |just get the same arguments over and over again. Let it rest. 
| | |-Brent | |-- |== For info about the Internet Security Firewalls Tutorial and a schedule == |== of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM == |=========================================================================== === |== Brent Chapman Great Circle Associates == |== Brent@GreatCircle.COM 1057 West Dana Street == |== +1 415 962 0841 Mountain View, CA 94041 == | | | From firewalls-owner Fri Mar 3 10:59:18 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA04178 for firewalls-outgoing; Fri, 3 Mar 1995 10:31:09 -0800 Received: from equipe.rain.com (equipe.rain.com [199.2.98.120]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA04163 for ; Fri, 3 Mar 1995 10:30:26 -0800 From: root@equipe.rain.com Received: by equipe.rain.com (Smail3.1.27.1 #3) id m0rkc3g-000HBzC; Fri, 3 Mar 95 10:26 PST Message-Id: Date: Fri, 3 Mar 95 10:26 PST To: firewalls@greatcircle.com Subject: unsuscribe firewalls Sender: firewalls-owner@GreatCircle.COM Precedence: bulk unsuscribe firewalls From firewalls-owner Fri Mar 3 11:29:47 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA04392 for firewalls-outgoing; Fri, 3 Mar 1995 10:59:59 -0800 Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA04387 for ; Fri, 3 Mar 1995 10:59:57 -0800 Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.28.1 #5) id m0rkcXa-0000Z3C; Fri, 3 Mar 95 10:57 PST Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA08167; Fri, 3 Mar 1995 10:57:43 +0800 Date: Fri, 3 Mar 1995 10:57:43 +0800 From: patrick@oes.amdahl.com (Patrick Horgan) Message-Id: <9503031857.AA08167@brittany.oes.amdahl.com> To: firewalls@greatcircle.com Subject: FW-1 X-Sun-Charset: US-ASCII content-length: 1865 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Amusingly enough I just had mail from someone whose
argument about the inherent security or lack thereof of packet filtering was: (paraphrased) 1) We're having a failure to communicate which he could fix if he had time. 2) I don't understand the nature of electronic threats or how to counter them, which he couldn't fix because he used to be in the business of educating people for free but isn't anymore. 3) If I like pretty buttons and think FW-1 is flexible and cool my mind is made up. 4) If I "still do not yet understand the inherent problems in the use of pack filtering substraight devices as a defense against electronic attack without any other controls that what they offer up for that product then again it is unlikely that further discussion on the this forum will be productive." I put this one in verbatim because I'm not quite sure what he meant, but I think it's that if I don't understand something, then I can't learn anything by discussing it. 5) Where serious information systems security is concerned this is basic stuff, so people aren't interested in discussing it. 6) If I want he'll set me up with a consultant. I feel much better now that I understand the holes in FW-1;) Patrick _______________________________________________________________________ / These opinions are mine, and not Amdahl's (except by coincidence;). \ | (\ | | Patrick J. Horgan Amdahl Corporation \\ Have | | patrick@amdahl.com 1250 East Arques Avenue \\ _ Sword | | Phone : (408)992-2779 P.O. 
Box 3470 M/S 316 \\/ Will | | FAX : (408)773-0833 Sunnyvale, CA 94088-3470 _/\\ Travel | \___________________________O16-2294________________________\)__________/ From firewalls-owner Fri Mar 3 11:29:53 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA04682 for firewalls-outgoing; Fri, 3 Mar 1995 11:11:53 -0800 Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA04676; Fri, 3 Mar 1995 11:11:50 -0800 X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 3 Mar 1995 11:09:59 -0800 To: Frank Wortner , Firewalls From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: FW-1, etc. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 10:05 AM 3/3/95, Frank Wortner wrote: >The only sensible argument *I* can come up with in the "packet filters vs. >application gateways" debate is that given the "available" software, it is >easier for someone who wants to "roll her own" to build and configure an >application gateway than a packet filter. > >The general design is at a higher level: shut everything off, and then >decide what *services* to allow as opposed to shut everything off then >decide what ranges of ports to allow. It's just plain easier to do the >former correctly than the latter --- given available "freeware." > >Additional ways to flog this dead horse are left as an exercise for >the reader. :-) Look, I don't want to have this argument either, but I don't want folks to get the impression that everyone agrees that packet filtering is a dead horse. I, for one, don't agree; I think that packet filtering is a very useful TOOL, as are application gateways. Nothing more, nothing less; you have to understand the tools and their relevance, application, and implications in your environment. 
Packet filtering doesn't work for everything, it doesn't solve all the world's problems, it can be kinda hard to understand and make work; however, if you _do_ take the time to understand it, there are some things it can do much better and more transparently than any application gateway. For instance, it lets you provide access to certain services (it's not appropriate for all services) without regard to which particular client a user is running (they don't have to run a proxy-capable client that understands YOUR particular proxying system), completely transparently to the user (they don't have to learn and follow special procedures to access the application gateway and tell it what they _really_ want to do). These considerations may not be relevant for all environments (for instance, if you have good control over what software folks run, or you're working with relatively technical users who can understand and follow non-standard procedures for dealing with outside machines), but for some environments they are KEY considerations. Everybody is different; every site has different concerns and different constraints. Packet filtering vs. application gateway is not an either-or issue. You need to understand both, and use both as appropriate; this means figuring out what will work best for each of the services that YOU want to offer in YOUR environment at YOUR site under YOUR particular constraints. 
-Brent -- == For info about the Internet Security Firewalls Tutorial and a schedule == == of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM == ============================================================================== == Brent Chapman Great Circle Associates == == Brent@GreatCircle.COM 1057 West Dana Street == == +1 415 962 0841 Mountain View, CA 94041 == From firewalls-owner Fri Mar 3 11:30:01 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA04729 for firewalls-outgoing; Fri, 3 Mar 1995 11:20:57 -0800 Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA04724; Fri, 3 Mar 1995 11:20:53 -0800 X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 3 Mar 1995 11:19:02 -0800 To: "Marcus J. Ranum" , patrick@oes.amdahl.com (Patrick Horgan) From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: FW-1, etc. Cc: Firewalls@GreatCircle.COM, abraham@hpindda.cup.hp.com, patrick@oes.amdahl.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 10:57 AM 3/3/95, Marcus J. Ranum wrote: >>In what ways? What holes appear in FW-1 that don't appear in an application >>gateway? I don't mean to be a broken record here, but it seems that when >>I ask in what way FW-1 is less secure that application and protocol proxies, >>I am told it's because application proxies are more secure...how? > > One observation: you're dividing the implementation of your >security when you're using a network-level firewall. Suppose that you >have a network-level firewall, and it's configured to allow SMTP on >port 25 to 2 main mail hubs, and telnet in, no rlogin in, and anything >out ("established"). You now have to worry about 2 systems with 2 >versions of sendmail + N machines with N potential telnetd holes. 
>Sure, you can reduce the scope of possible attack by further reducing >the number of "inside" services that "outside" machines can reach, >but by the time you've reduced them to a point, you've just implemented >a proxy bastion host. :) And what's wrong with that? Bastion host does not imply dual-homed. There are significant advantages to having a packet filtering system between your internal systems and your own bastion host; it's a way of protecting your site against attack from your own bastion host, if it's compromised. You imply above that putting all your services on one machine is more secure than splitting them between multiple machines; there are cases where that is just plain wrong, though. For instance, if you've got both an anonymous FTP server and an HTTP server on the same machine, you've got to worry about interactions between the two; can someone upload something to the anonymous FTP server (because you or someone else left a writable directory in the anonymous FTP area), and then execute it via the HTTP server (making the HTTP server think it's a CGI script or something)? You can avoid this through careful configuration of the FTP and HTTP servers (don't create a writable directory in the anonymous FTP area; make both FTP and HTTP run chroot to different parts of the filesystem, etc.), but you can also avoid it much more simply (though more expensively) by running the two servers on two different machines. There is no one box that provides be-all end-all firewall functionality for most sites today, although there are some boxes that provide appropriate solutions for some sites. Most sites today need to use multi-machine firewalls (a combination of bastion host for proxy servers and application gateways, and filtering routers for packet filtering, for instance) in order to get the best reasonable security for the services they want to offer their users. 
If you start putting constraints on it (like that it's got to all be bundled into a single box), you reduce your flexibility, and you're going to have to give up a certain amount of either security or service or both. -Brent -- == For info about the Internet Security Firewalls Tutorial and a schedule == == of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM == ============================================================================== == Brent Chapman Great Circle Associates == == Brent@GreatCircle.COM 1057 West Dana Street == == +1 415 962 0841 Mountain View, CA 94041 == From firewalls-owner Fri Mar 3 12:29:11 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA05623 for firewalls-outgoing; Fri, 3 Mar 1995 12:04:33 -0800 Received: from maily1.prodigy.com (maily1.prodigy.com [192.207.105.55]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA05618 for ; Fri, 3 Mar 1995 12:04:29 -0800 Received: (from frank@localhost) by maily1.prodigy.com (8.6.10/8.6.9) id OAA79656; Fri, 3 Mar 1995 14:38:38 -0500 Date: Fri, 3 Mar 1995 14:38:38 -0500 (EST) From: Frank Wortner To: Firewalls Subject: Re: FW-1, etc. In-Reply-To: Message-ID: X-Mail-1: Prodigy Services Co. X-Mail-2: 1565 Front Street X-Mail-3: Yorktown Heights NY 10598 X-Phone: 1-914-448-1740 X-FAX: 1-914-448-1946 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 3 Mar 1995, Brent Chapman wrote: > Look, I don't want to have this argument either, but I don't want folks to > get the impression that everyone agrees that packet filtering is a dead > horse. I didn't mean to leave the impression that *packet filtering* was a dead horse; I was referring to the futility of the argument. Individual circumstances and goals for any firewall can make packet filtering an attractive (and correct) option in many cases. 
However, I still do think that if one is going to build a home brew firewall, application gateways are *easier to build* and understand --- at least for access to "popular" services. This discounts issues of specialized clients, relative inconvenience to users, performance, etc. Frank -- "Outside of a dog, a book is a man's best friend; inside of a dog, it's too dark to read." -- Groucho Marx From firewalls-owner Fri Mar 3 13:00:32 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA05923 for firewalls-outgoing; Fri, 3 Mar 1995 12:42:11 -0800 Received: from Sun.COM (Sun.COM [192.9.9.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA05917 for ; Fri, 3 Mar 1995 12:42:08 -0800 Received: from West.Sun.COM (west.West.Sun.COM) by Sun.COM (sun-barr.Sun.COM) id AA02596; Fri, 3 Mar 95 12:39:48 PST Received: from zeppo.West.Sun.COM by West.Sun.COM (5.0/SMI-5.3) id AA29957; Fri, 3 Mar 1995 12:39:46 +0800 Received: from twiddle.West.Sun.COM by zeppo.West.Sun.COM (5.0/SMI-5.3-900117) id AA02827; Fri, 3 Mar 1995 12:39:45 -0800 Received: by twiddle.West.Sun.COM (5.x/SMI-SVR4) id AA22601; Fri, 3 Mar 1995 12:40:02 -0800 Date: Fri, 3 Mar 1995 12:40:02 -0800 From: Paul.Danielson@West.Sun.COM (Paul Danielson) Message-Id: <9503032040.AA22601@twiddle.West.Sun.COM> To: paul.danielson@west.West.Sun.COM Subject: Re: FW-1, etc. Cc: Firewalls@GreatCircle.COM X-Sun-Charset: US-ASCII Content-Length: 1467 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Mark Horn wrote: > Suppose that you have a user who goes on travel and wants to telnet in to his > machine FOO from remote host BAR. To allow this, the packet filtering > firewall must allow in port 23 from BAR to FOO. Now, there are two ways to > get around this type of authentication: > > a) IP address spoofing - i.e. 
pretend that you are host BAR > b) Get access to host BAR, and telnet in It seems to me that if you accept inbound connections, it doesn't matter what type of firewall you have, only what type of authentication is performed by the services you let in. If you assume that the external host(s) are compromised (which seems reasonable :), then neither where the connection comes from nor who the connection claims to be representing can be trusted. If the connection knows the magic words to open the gate, it gets in. A proxy might restrict the amount of havoc able to be wreaked once inside, but maybe not. I'm not an expert on either technology, but I agree with Patrick that the discussion so far has involved more religion than fact. It would be very useful to understand the strengths and weaknesses of filters vs. proxies so that the appropriate technology can be used in the appropriate places. I think that filters are fairly self-explanatory. Would any of the proponents of proxies care to put forth an example of a situation in which proxies are more effective? Paul Disclaimer: I don't speak for Sun; Sun doesn't speak for me From firewalls-owner Fri Mar 3 16:30:13 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA08581 for firewalls-outgoing; Fri, 3 Mar 1995 16:24:22 -0800 Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA08576 for ; Fri, 3 Mar 1995 16:24:20 -0800 Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.28.1 #5) id m0rkhbV-0000nRC; Fri, 3 Mar 95 16:21 PST Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA08353; Fri, 3 Mar 1995 16:21:59 +0800 Date: Fri, 3 Mar 1995 16:21:59 +0800 From: patrick@oes.amdahl.com (Patrick Horgan) Message-Id: <9503040021.AA08353@brittany.oes.amdahl.com> To: patrick@oes.amdahl.com, mjr@tis.com Subject: Re: FW-1, etc. 
Cc: Firewalls@GreatCircle.COM, abraham@hpindda.cup.hp.com X-Sun-Charset: US-ASCII content-length: 1667 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > One observation: you're dividing the implementation of your > security when you're using a network-level firewall. Suppose that you > have a network-level firewall, and it's configured to allow SMTP on > port 25 to 2 main mail hubs, and telnet in, no rlogin in, and anything > out ("established"). You now have to worry about 2 systems with 2 > versions of sendmail + N machines with N potential telnetd holes. > Sure, you can reduce the scope of possible attack by further reducing > the number of "inside" services that "outside" machines can reach, > but by the time you've reduced them to a point, you've just implemented > a proxy bastion host. :) > > mjr. > Good points, and that brings me to my favorite implementation...filtering à la FW-1 plus proxies. I like the apparent outgoing transparency of FW-1, but I want split dns, and a telnet proxy you have to go through on the firewall to get to the inside, one that uses real authentication. Does this mean that it's a proxy bastion host? In part, but really it's a hybrid. Patrick _______________________________________________________________________ / These opinions are mine, and not Amdahl's (except by coincidence;). \ | (\ | | Patrick J. Horgan Amdahl Corporation \\ Have | | patrick@amdahl.com 1250 East Arques Avenue \\ _ Sword | | Phone : (408)992-2779 P.O. 
Box 3470 M/S 316 \\/ Will | | FAX : (408)773-0833 Sunnyvale, CA 94088-3470 _/\\ Travel | \___________________________O16-2294________________________\)__________/ From firewalls-owner Fri Mar 3 17:29:07 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA09210 for firewalls-outgoing; Fri, 3 Mar 1995 17:12:06 -0800 Received: from deltanet.com (delta1.deltanet.com [199.171.190.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA09205 for ; Fri, 3 Mar 1995 17:12:03 -0800 Received: by deltanet.com (5.65/1.2-eef) id AA27002; Fri, 3 Mar 95 17:09:47 -0800 From: John Lombardo Message-Id: <9503040109.AA27002@deltanet.com> Subject: Dual ported pc's To: Firewalls@greatcircle.com Date: Fri, 3 Mar 1995 17:09:44 -0800 (PST) X-Mailer: ELM [version 2.4 PL22] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 2772 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Our company has a firewall that provides very limited access to the Internet for inside machines. We've been kicking around the idea of setting up proxy servers within the gateway, but since we have so many old and diverse unix boxes on the internal network, it would not be a pleasant thing to do.
Since most users have windows pcs on their desks, what I'm considering is as follows:

                           -------
                           |     |   Internet
                           -------
                              |
                           -------
                           |     |   Router
                           -------
                              |
  Unsecured network
  [--------------------------------------------------------------------]
      |        |        |         |            |        |
      |        |        |         |            |        |
   ------   ------   ------   ----------    ------   ------
   |     |  |     |  |     |  | Gateway |   |     |  |     |
   |win  |  |win  |  |win  |  |         |   |win  |  |win  |
   | pc  |  | pc  |  | pc  |  |         |   | pc  |  | pc  |
   ------   ------   ------   ----------    ------   ------
      |        |        |         |            |        |
      |        |        |         |            |        |
  [--------------------------------------------------------------------]
      |                    |         |        |      Secured network
      |                    |         |        |
   -----------------    -------   ------   ------
   | production    |    |linux|   |unix|   |unix|
   | unix box      |    |     |   |    |   |    |
   -----------------    -------   ------   ------

I am making some assumptions:

1) I trust my users not to fiddle with routing on their pc's
2) There are no services running on the pc's that'll get me into trouble
3) This will be less time consuming than coming up with custom clients for all the machines
4) I give up the ability to telnet/ftp/etc from one of the unix boxes on the internal network

The windows pc users would then have access to both the internet (which they want), and to the internal machines (which they need). They would still receive email through the gateway but could ftp/telnet/www/gopher/... with standard pc tools. I'll have to make sure they run only "approved" client software, but I won't have to change it to work with SOCKS or such. Am I all wet? Cheswick & Bellovin don't mention this type of configuration at all. 
John Lombardo john@deltanet.com From firewalls-owner Fri Mar 3 18:30:01 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA10216 for firewalls-outgoing; Fri, 3 Mar 1995 18:04:46 -0800 Received: from paranor.ca.cch.com (paranor.ca.cch.com [192.139.248.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA04508 for ; Wed, 1 Mar 1995 05:51:09 -0800 Received: by paranor.ca.cch.com id AA14177; Wed, 1 Mar 95 08:53:17 EST Received: from cchtor.ca.cch.com(192.139.241.2) by paranor.ca.cch.com via smap (V1.3) id sma014175; Wed Mar 1 08:53:07 1995 Received: (from larry@localhost) by cchtor.ca.cch.com (8.6.9/8.6.9) id IAA02004; Wed, 1 Mar 1995 08:52:06 -0500 Date: Wed, 1 Mar 1995 08:52:06 -0500 From: Larry Chin Message-Id: <199503011352.IAA02004@cchtor.ca.cch.com> To: frank@darwin.sfbr.org Subject: Re: DNS on firewall?? Cc: firewalls@GreatCircle.COM Content-Type: X-sun-attachment Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ---------- X-Sun-Data-Type: text X-Sun-Data-Description: text X-Sun-Data-Name: text X-Sun-Content-Lines: 32 >> Read your comments on setting up DNS on a firewall machine and believe >> this is the way for us to go. Unfortunately, example.dns.tar came through >> garbled at this end - not sure if this happened to anyone else, but there >> must be other lurkers out there who would really like to see the example. >> >> If you don't repost and if you can find a spare minute to send me another >> copy, I would appreciate it. >> >> Thanks >> >> W. Frank Lowe Sorry 'bout that, don't know what happened to the original stuff, I took a look and the tar file is indeed gobbledygook. Hopefully the following will be better. As before I have tried to make this stuff generic, but caveat lector. If anyone finds an error, please let me know, as I want to maintain my notes as close to perfect as possible. Hopefully this will make somebody's life a bit easier. 
Wed Mar 1 08:18:14 EST 1995 =========================================================================== Larry Chin {Larry_Chin@ca.cch.com} System/Network Administrator CCH Canadian Ltd. (416) 441-4001 ext. 349 =========================================================================== Horngren's Observation: Among economists, the real world is often a special case. ---------- X-Sun-Data-Type: default X-Sun-Data-Description: default X-Sun-Data-Name: internal.dns.tar X-Sun-Encoding-Info: uuencode X-Sun-Content-Lines: 186 begin 600 internal.dns.tar [uuencoded attachment and the start of the following message's headers not reproduced] Fri, 3 Mar 1995 20:11:54 -0800 Received: by NE.MAIL.UFL.EDU (Soft*Switch Central V4L380P6) id 121905220095062FNE; 03 Mar 1995 22:05:22 GMT Message-Id: Date: 03 Mar 1995 22:05:22 GMT From: "Postmaster" Subject: DISTRIBUTION STATUS To: Firewalls@GREATCIRCLE.COM Comment: MEMO 03.03.95 22.05 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk UFNET.FIREWALL DISTRIBUTION STATUS INFORMATION 03/03/95 22:05: 00 ======================================================================= DISTRIBUTION ID: UFNET.FIREWALL.4092 SUBJECT : Firewalls-Digest V4 #151 DATE SENT : 03/03/95 TIME SENT: 22:04:00 ======================================================================= YOUR MAIL WAS NOT DELIVERED FOR THE FOLLOWING REASON: SNADS STATUS : 0401 EXPLANATION : INVALID DOCUMENT CLASS ======================================================================= RECIPIENT : DMS.MARTINT From firewalls-owner Fri Mar 3 22:59:07 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id WAA14619 for firewalls-outgoing; Fri, 3 Mar 1995 22:49:52 -0800 Received: from st-james.comp.vuw.ac.nz (st-james.comp.vuw.ac.nz [130.195.5.14]) by miles.greatcircle.com 
(8.6.9/Miles-941015-1) with ESMTP id WAA14614 for ; Fri, 3 Mar 1995 22:49:45 -0800 Received: from gopher.dosli.govt.nz (adm@localhost) by st-james.comp.vuw.ac.nz (8.6.10/8.6.9-VUW) with UUCP/gopher id TAA21982 for firewalls@greatcircle.com; Sat, 4 Mar 1995 19:40:12 +1300 Date: Sat, 4 Mar 1995 18:14:16 +1300 Message-Id: <9503040514.AA09402@gopher.dosli.govt.nz> From: mikew@gopher.dosli.govt.nz (Mike Williams) To: firewalls@greatcircle.com In-Reply-To: Joseph Judge's message of Thu, 02 Mar 1995 17:40:44 -0500 Subject: split-DNS ... would this work? References: <199503022241.RAA01557@gate3.fmr.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Joseph Judge is using (Brent Chapman's ?) split-DNS scheme with an application-gateway, and notes some problems stemming from the fact that hosts inside the firewall can resolve external names, but can't connect to the addresses in question. You could stuff around with various things (sendmail, socks, even the resolver library) to somehow prevent external names being used. However, it seems to me that a general solution is simply to prevent internal hosts from being able to resolve external names. If you're just running an application- or circuit-level gateway, you don't need access to the external DNS internally. But, we still want the bastion host to be able to resolve both internal & external names. So, would the following work? ... (For simplicity, I'm assuming a single dual-homed bastion host.) - An external DNS runs on the `bastion' host, claiming to be a primary for the domain (as before). - The internal DNS (running on `dnsmaster') also claims to be primary for the domain. However, it does NOT set `forwarders' to the bastion host. - A second internal DNS server (running on `dnsfwd') is a secondary for the domain. This is where you set `forwarders' to the bastion. - Internal hosts resolve using `dnsmaster'. Hence they can't resolve external names. 
- The bastion host (only) resolves using `dnsfwd', which can resolve both internal & external names. Disclaimer: I haven't tried this (yet). I have a funny feeling it might not work, but can't see where my logic is wrong. The alternative, I suppose, is to somehow hack the resolver library on the bastion host so it uses `dnsmaster' for internal queries, and `localhost' otherwise. Would this be difficult? - Mike W. From firewalls-owner Sat Mar 4 00:59:10 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA15208 for firewalls-outgoing; Sat, 4 Mar 1995 00:48:17 -0800 Received: from texaco.com (texaco.com [144.5.1.251]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id AAA15201 for ; Sat, 4 Mar 1995 00:48:13 -0800 Received: by texaco.com (4.1/SMI-4.1) id AA04824; Sat, 4 Mar 95 02:43:30 CST From: gracefe@texaco.com (Frank E. Grace) Message-Id: <9503040843.AA04824@texaco.com> Subject: Who needs CD-ROM? To: antonio_vasconcelos@q950.bvl.pt (Antonio Vasconcelos) Date: Sat, 4 Mar 1995 02:43:29 -0600 (CST) Cc: firewalls@greatcircle.com In-Reply-To: <199502232152.AA22133@jessica.bvl.pt> from "Antonio Vasconcelos" at Feb 23, 95 10:00:05 pm X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1404 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > >Concerning CDROM based systems, I believe the discussion turned to - > >why not just mount the root and usr file systems read-only. On a > >Solaris machine /tmp and /var can, and usually are, seperate file > >systems from / and /usr - so there wouldn't be a problem with writing > >to the files in /tmp, etc if need be. The problem with this - anyone > >who can get root could remount the filesystems read/write... > > If someone gets root access, I'm sure they can be remounted RW. 
> > But what I'm really sure is that NO ONE can re-write files stored > in a cdrom, at least when it's inside a normal cdrom drive. > > -- > vasco > > Who needs CD-ROM anyways? As someone has pointed out, what happens when you need to change the root password? Why not build a floppy-based Firewall? BSDI has had a semi-operational OS on floppy since v1.1; besides, how much space do truly secure binary versions of daemons need? Without physical access to the system, all file systems would be R/O, including the floppy disk. / would mount off floppy; anything else could be placed in the virtual file-system which is created in memory. I also liked the R/O jumper on the hard drive suggestion (for people who don't like to build everything from scratch); also, don't Bernoulli and Syquest make relatively fast products that may be write-protected? Or are we all Intelphobic? Just my $.02 worth. From firewalls-owner Sat Mar 4 13:29:04 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA11534 for firewalls-outgoing; Sat, 4 Mar 1995 13:03:54 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA11525 for ; Sat, 4 Mar 1995 13:03:51 -0800 Received: from moose.usmcs.maine.edu by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-950108) id MAA21845; Sat, 4 Mar 1995 12:56:54 -0800 Received: by moose.usmcs.maine.edu (5.57/Ultrix3.0-C) id AA09802; Sat, 4 Mar 95 15:59:06 -0500 Received: by doc.usmcs.maine.edu; (5.65/1.1.8.2/27Feb95-0952AM) id AA04050; Sat, 4 Mar 1995 15:58:52 -0500 From: Edward Maillet Message-Id: <9503042058.AA04050@doc.usmcs.maine.edu> Subject: Need to modify clients programs to use firewall questions To: firewalls@greatcircle.com Date: Sat, 4 Mar 1995 15:58:51 -0500 (EST) X-Mailer: ELM [version 2.4 PL24] Content-Type: text Content-Length: 745 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hey all, Reading the FW-1 debate I came 
up with some questions that I don't quite understand. Why would you need to modify client software in order to use an Application level firewall? What do the proxies do that require change? And if there is no way to use client software without modification, what do typical people do when they have software that can't be easily modified? The reason I ask (besides wanting to know for curiosity's sake) is that my company is thinking about going Internet and we have a bunch of Windows NT workstation PCs. If the NT ftp clients don't work with the firewall that gets bought, I doubt we could convince Microsoft to make special versions or give us the source code. ----- Ed Maillet maillet@usmcs.maine.edu From firewalls-owner Sat Mar 4 22:29:22 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id WAA16374 for firewalls-outgoing; Sat, 4 Mar 1995 22:20:43 -0800 Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id WAA16360; Sat, 4 Mar 1995 22:20:38 -0800 Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.28.1 #5) id m0rl9dt-0000ZVC; Sat, 4 Mar 95 22:18 PST Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA08998; Sat, 4 Mar 1995 22:18:27 +0800 Date: Sat, 4 Mar 1995 22:18:27 +0800 From: patrick@oes.amdahl.com (Patrick Horgan) Message-Id: <9503050618.AA08998@brittany.oes.amdahl.com> To: Brent@GreatCircle.COM, mjr@tis.com, patrick@oes.amdahl.com Subject: Re: FW-1, etc. Cc: Firewalls@GreatCircle.COM, abraham@hpindda.cup.hp.com Content-Length: 1407 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >To: "Marcus J. Ranum" , patrick@oes.amdahl.com (Patrick Horgan) >From: Brent@GreatCircle.COM (Brent Chapman) >Subject: Re: FW-1, etc. > . . . lots of interesting stuff chopped out here . . . 
>
>There is no one box that provides be-all end-all firewall functionality for
>most sites today, although there are some boxes that provide appropriate
>solutions for some sites. Most sites today need to use multi-machine
>firewalls (a combination of bastion host for proxy servers and application
>gateways, and filtering routers for packet filtering, for instance) in
>order to get the best reasonable security for the services they want to
>offer their users. If you start putting constraints on it (like that it's
>got to all be bundled into a single box), you reduce your flexibility, and
>you're going to have to give up a certain amount of either security or
>service or both.

I agree almost entirely with what you've said. But I don't think that there's anything inherent in the problem of having multiple services on one machine that causes a tradeoff between security and service. Given the design constraints, the machine could be designed to them with the desired security and service whether the services lived on one, two, or many machines. Admittedly, the problem gets difficult on any machine without access to the kernel, but where there's a will, there's a way;)

Patrick

_______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;). \
|                                                          (\         |
| Patrick J. Horgan        Amdahl Corporation              \\ Have    |
| patrick@amdahl.com       1250 East Arques Avenue          \\ _ Sword |
| Phone : (408)992-2779    P.O.
Box 3470 M/S 316    \\/ Will   |
| FAX : (408)773-0833      Sunnyvale, CA 94088-3470          _/\\ Travel |
\___________________________O16-2294________________________\)__________/

From firewalls-owner Sun Mar 5 17:07:03 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA06844 for firewalls-outgoing; Sun, 5 Mar 1995 16:41:28 -0800
Received: from stargate.concorde.com (stargate.concorde.com [204.97.254.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA06839 for ; Sun, 5 Mar 1995 16:41:25 -0800
Received: (from smap@localhost) by stargate.concorde.com (8.6.8.1/8.6.6) id TAA27388; Sun, 5 Mar 1995 19:38:14 -0500
Received: from galaxy.concorde.com(198.242.54.51) by stargate.concorde.com via smap (V1.3) id sma027386; Sun Mar 5 19:37:44 1995
Received: (from jna@localhost) by galaxy.concorde.com (8.6.8.1/8.6.6) id TAA05686; Sun, 5 Mar 1995 19:37:46 -0500
Date: Sun, 5 Mar 1995 19:37:46 -0500
From: John Adams
Message-Id: <199503060037.TAA05686@galaxy.concorde.com>
To: 74774.1326@compuserve.com, firewalls@GreatCircle.COM
Subject: Re: Security on the I-Way
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I wonder why NCSA (National Computer Security Association) has the same initials as NCSA (National Center for Supercomputing Applications)... Isn't NCSA trademarked?
-john

From firewalls-owner Sun Mar 5 17:07:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA06871 for firewalls-outgoing; Sun, 5 Mar 1995 16:44:59 -0800
Received: from stargate.concorde.com (stargate.concorde.com [204.97.254.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA06866 for ; Sun, 5 Mar 1995 16:44:55 -0800
Received: (from smap@localhost) by stargate.concorde.com (8.6.8.1/8.6.6) id TAA27427; Sun, 5 Mar 1995 19:41:44 -0500
Received: from galaxy.concorde.com(198.242.54.51) by stargate.concorde.com via smap (V1.3) id sma027425; Sun Mar 5 19:41:27 1995
Received: (from jna@localhost) by galaxy.concorde.com (8.6.8.1/8.6.6) id TAA05739; Sun, 5 Mar 1995 19:41:29 -0500
Date: Sun, 5 Mar 1995 19:41:29 -0500
From: John Adams
Message-Id: <199503060041.TAA05739@galaxy.concorde.com>
To: Mark.Gibbons-1@pp.ksc.nasa.gov, firewalls@GreatCircle.COM
Subject: Re: satan
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I thought the current rumor was that "Satan, is for the most part, outdated." It's been too long since they discussed it, and anyway, lots of programs that do the same things already exist.
-john

From firewalls-owner Sun Mar 5 17:07:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA06863 for firewalls-outgoing; Sun, 5 Mar 1995 16:44:01 -0800
Received: from stargate.concorde.com (stargate.concorde.com [204.97.254.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA06858 for ; Sun, 5 Mar 1995 16:43:58 -0800
Received: (from smap@localhost) by stargate.concorde.com (8.6.8.1/8.6.6) id TAA27422; Sun, 5 Mar 1995 19:40:44 -0500
Received: from galaxy.concorde.com(198.242.54.51) by stargate.concorde.com via smap (V1.3) id sma027420; Sun Mar 5 19:40:17 1995
Received: (from jna@localhost) by galaxy.concorde.com (8.6.8.1/8.6.6) id TAA05721; Sun, 5 Mar 1995 19:40:19 -0500
Date: Sun, 5 Mar 1995 19:40:19 -0500
From: John Adams
Message-Id: <199503060040.TAA05721@galaxy.concorde.com>
To: Paul.Danielson@West.Sun.COM, frankw@su1.in.net
Subject: Re: Out of the box "security" was: Dual homed VAXen.....
Cc: Firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'd have to say one of the most secure O/s'es out of the box is the Slackware Distribution of Linux.

It comes with the latest sendmail, everything wrapped with TCP wrappers, and large amounts of change (plus all of the source code so you can go in and audit yourself...)

Except lots of people say there's a bug in the procfs, but I haven't heard much about that security hole...
-john

From firewalls-owner Sun Mar 5 17:07:58 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA06855 for firewalls-outgoing; Sun, 5 Mar 1995 16:42:56 -0800
Received: from metro.ucc.su.OZ.AU (metro.ucc.su.OZ.AU [129.78.64.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA06850 for ; Sun, 5 Mar 1995 16:42:49 -0800
Received: from AODC.gov.au (beluga.aodc.gov.au) by metro.ucc.su.OZ.AU with SMTP id AA13661 (5.65c/IDA-1.4.4 for ); Mon, 6 Mar 1995 10:39:57 +1000
Received: by AODC.gov.au (5.0/SMI-SVR4) id AA03207; Mon, 6 Mar 1995 10:39:37 --1000
Date: Mon, 6 Mar 1995 10:39:37 --1000
From: peter@aodc.gov.au (Peter Edward Voss)
Message-Id: <9503060039.AA03207@AODC.gov.au>
To: nsayer@quack.kfu.com
Subject: Re: Sendmail bug
Cc: firewalls@greatcircle.com
X-Sun-Charset: US-ASCII
Content-Length: 1589
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From firewalls-owner@GreatCircle.COM Fri Mar 3 08:57 EST 1995
> From: nsayer@quack.kfu.com (Nick Sayer)
> I wrote:
>
> >Solaris 1.x contains SunOS 4.x. That is, Solaris 1.0 contains SunOS
> >4.1, Solaris 1.0.1 contains SunOS 4.1.1. Solaris 1.1 contains SunOS
> >4.1.2, Solaris 1.1.1 contains SunOS 4.1.3, Solaris 1.1.1B contains
> >SunOS 4.1.3_U1, and Solaris 1.1.2 contains SunOS 4.1.4.
>
> I've been corrected and re-checked the CDs, and sure enough,
>
> Solaris 1.0.1 contains SunOS 4.1.2
> Solaris 1.1 contains SunOS 4.1.3
> Solaris 1.1.1 contains SunOS 4.1.3_U1 (there was a rev A and B of both)
> Solaris 1.1.2 contains SunOS 4.1.4
>
> Axil and Ross were also distributing an unofficial 1.1.1B_H containing
> SunOS 4.1.3_U1_H, which was patched to accept the 50 and 66 MHz
> Hypersparc CPU modules. It was just 1.1.1B (which you applied with a
> Supersparc module installed) and a patch CD you applied before
> installing the new CPUs.
>
> No rev of Solaris was made available for sun3. SunOS 4.1.1_U1 was the
> last sun3 release (which was just 4.1.1 with some patches).
>
> Solaris 2.4 will be the last release for the really old sparc machines as well
> as the sun4e karch.
>

Yep, my original point that the CERT advisory was unclear seems to hold...... Also, it would seem a good time for SUN to sync their revision identifiers with each product, i.e. SOLARIS / SUNOS, as they are obviously related (subset).

> But now we're veering seriously off topic.

Maybe comp.sun.sources.confusing would be better

#include standard.disclaimer "I said it for me "

From firewalls-owner Sun Mar 5 18:06:59 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA08392 for firewalls-outgoing; Sun, 5 Mar 1995 18:01:32 -0800
Received: (mcb@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA08386 for firewalls; Sun, 5 Mar 1995 18:01:30 -0800
Message-Id: <199503060201.SAA08386@miles.greatcircle.com>
From: mcb@greatcircle.com (Michael C. Berch)
Date: Sun, 5 Mar 1995 18:01:30 +0000
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
To: firewalls
Subject: ADMIN: Firewalls list restored due to system problem
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Due to a system problem at GreatCircle.COM, the Firewalls list (but not the Firewalls Digest) was offline from Friday morning, 3 March 1995 until a little while ago (6:00 PM California time, Sunday, 5 March 1995). The problem has been fixed (so far as I can tell). Messages sent to the list during that period were not seen by most list subscribers. The messages were archived, however, and will be re-posted by Brent this evening. We apologize for any repeated messages if anyone sees them twice; this shouldn't happen again.

*** If you re-subscribed over the weekend because you thought you had been dropped from the list, please check this with Majordomo and/or contact me at mcb@greatcircle.com. In this case, you will be receiving two copies of *new* messages, so you'll know if this is the case.
*** We regret the inconvenience and hope that things will be back to normal shortly.

To Firewalls Digest subscribers: your feed was not affected by this; please excuse the reposted messages.

Regards,
--
Michael C. Berch
Postmaster and List Manager, Great Circle Associates
mcb@greatcircle.com

From firewalls-owner Sun Mar 5 18:35:30 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA08923 for firewalls-outgoing; Sun, 5 Mar 1995 18:26:04 -0800
Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA08916; Sun, 5 Mar 1995 18:26:00 -0800
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 5 Mar 1995 18:24:09 -0800
To: mcb@greatcircle.com (Michael C. Berch), Firewalls@GreatCircle.COM
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: ADMIN: Firewalls list restored due to system problem
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 10:01 AM 3/5/95, Michael C. Berch wrote:
>Due to a system problem at GreatCircle.COM, the Firewalls list
>(but not the Firewalls Digest) was offline from Friday morning,
>3 March 1995 until a little while ago (6:00 PM California time,
>Sunday, 5 March 1995). The problem has been fixed (so far as I
>can tell). Messages sent to the list during that period were not
>seen by most list subscribers. The messages were archived, however,
>and will be re-posted by Brent this evening.
>
>To Firewalls Digest subscribers: your feed was not affected by this;
>please excuse the reposted messages.

Actually, I was able to figure out a way to repost the messages only to the main list subscribers, so the Firewalls-Digest subscribers shouldn't see any duplicates. The messages should trickle out over the next hour or so.

Again, our apologies for any inconvenience.
-Brent

--
== For info about the Internet Security Firewalls Tutorial and a schedule ==
== of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM ==
==============================================================================
== Brent Chapman                                  Great Circle Associates ==
== Brent@GreatCircle.COM                          1057 West Dana Street   ==
== +1 415 962 0841                                Mountain View, CA 94041 ==

From firewalls-owner Sun Mar 5 22:10:29 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA00169 for firewalls-outgoing; Sun, 5 Mar 1995 19:49:24 -0800
Received: from wolfe.wimsey.com (wolfe.wimsey.com [204.191.160.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id TAA00164 for ; Sun, 5 Mar 1995 19:49:18 -0800
Received: by wolfe.wimsey.com (Smail3.1.28.1 #9) id m0rlTjE-000EeQC; Sun, 5 Mar 95 19:45 PST
Received: by ilinx.com (/\oo/\ Smail3.1.29.1 #29.6) id ; Sun, 5 Mar 95 19:35 PST
Message-Id:
From: brian@ilinx.com (Brian J. Murrell)
Subject: FW-1 better than a router??
To: firewalls@greatcircle.com
Date: Sun, 5 Mar 1995 19:35:51 -0800 (PST)
X-Phone: '1 604 983 UNIX'
Organization: 'InterLinx Support Services, Inc.'
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 986
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I hope not to start any religious wars here but I had the opportunity to get a brief look at FireWall-1 last week. I was also talking to the person setting it up, and hope to get another look this week.

It seemed to me that FW-1 was nothing more than a router with a GUI interface and logging, and now most router software does the latter. Would those of you who have had more extensive experience with FW-1 agree with my observation?? If not, what do you find FW-1 can do that a screening router can't??
I actually didn't even see a way for FW-1 to "look into" packets for things like the SYN bit, which would make it actually less functional than a router.

Comments??

b.
--
Brian J. Murrell                                    brian@ilinx.com
InterLinx Support Services, Inc.                    brian@wimsey.com
North Vancouver, B.C.                               604 983 UNIX
Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD

From firewalls-owner Sun Mar 5 22:14:48 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA03341 for firewalls-outgoing; Sun, 5 Mar 1995 20:38:28 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id UAA03153 for ; Sun, 5 Mar 1995 20:37:54 -0800
Received: from janus.jnl.com by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950108) id TAA27631; Sun, 5 Mar 1995 19:22:30 -0800
Received: from [199.245.106.3] (vernal.jnl.com [199.245.106.3]) by janus.jnl.com (8.6.9/8.6.9) with SMTP id TAA18532; Sun, 5 Mar 1995 19:08:00 -0800
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 5 Mar 1995 19:10:30 -0800
To: "Marcus J. Ranum"
From: John Larson
Subject: Re: FW-1, etc.
Cc: patrick@oes.amdahl.com (Patrick Horgan), Firewalls@GreatCircle.COM, abraham@hpindda.cup.hp.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Sure, you can reduce the scope of possible attack by further reducing
>the number of "inside" services that "outside" machines can reach,
>but by the time you've reduced them to a point, you've just implemented
>a proxy bastion host. :)

There are certain applications that require direct UDP connectivity. From my reading of product, it looks like it would be possible to support these types of applications with reasonable security using FW-1. For these UDP-based applications, you often cannot configure the client code (eg PC/Mac clients) to send the traffic via a proxy gateway and you may not have source code either.
The proxy bastion host approach does not work to support these kinds of applications. The FW-1 approach does.

John

From firewalls-owner Sun Mar 5 22:21:04 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA07060 for firewalls-outgoing; Sun, 5 Mar 1995 21:37:57 -0800
Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id VAA07049; Sun, 5 Mar 1995 21:37:52 -0800
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 5 Mar 1995 21:36:00 -0800
To: Edward Maillet , firewalls@greatcircle.com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: Need to modify clients programs to use firewall questions
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 3:58 PM 3/4/95, Edward Maillet wrote:
>Hey all,
> Reading the FW-1 debate I came up with some questions that I don't quite
>understand. Why would you need to modify client software in order to use
>an Application level firewall? What do the proxies do that require change?
>And if there is no way to use client software without modification, what do
>typical people do when they have software that can't be easily modified?
> The reason I ask (besides wanting to know for curiosity sake) that my
>company is thinking about going Internet and we have a bunch of Windows NT
>workstation PCs. If the NT ftp clients don't work with the firewall that
>gets bought, I doubt we could convince Microsoft to make special versions or
>give us the source code.

You either have to use modified clients that know how to contact and deal with the proxy server, or you have to teach your users how to do it with standard clients. If you have a small and relatively technical user base, then teaching them how to do it may not be that big a deal.
If your user base is relatively untechnical, or undergoes rapid turnover, however (as is the case in many Universities), then it can be a big deal; your procedures will be completely at odds with whatever prior knowledge the users have about how to use their tools, whatever their vendor-provided documentation says, and whatever hundreds of books, thousands of magazine articles, and tens of thousands of netnews postings they might have read that tell them "how to use the Internet".

-Brent

--
== For info about the Internet Security Firewalls Tutorial and a schedule ==
== of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM ==
==============================================================================
== Brent Chapman                                  Great Circle Associates ==
== Brent@GreatCircle.COM                          1057 West Dana Street   ==
== +1 415 962 0841                                Mountain View, CA 94041 ==

From firewalls-owner Sun Mar 5 22:44:10 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA05487 for firewalls-outgoing; Sun, 5 Mar 1995 21:07:12 -0800
Received: from sdwsys (sdwsys.lig.net [199.18.175.129]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id VAA05481 for ; Sun, 5 Mar 1995 21:07:07 -0800
Received: by sdwsys (Linux Smail3.1.28.1 #20) id m0rlQHw-0009tGC; Mon, 6 Mar 95 00:04 GMT
Message-Id:
From: sdw@lig.net (Stephen D. Williams)
Subject: Re: Need to modify clients programs to use firewall questions
To: maillet@doc.usmcs.maine.edu (Edward Maillet)
Date: Mon, 6 Mar 1995 00:04:40 +0000 (GMT)
Cc: firewalls@greatcircle.com
In-Reply-To: <9503042058.AA04050@doc.usmcs.maine.edu> from "Edward Maillet" at Mar 4, 95 03:58:51 pm
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2290
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Hey all,
> Reading the FW-1 debate I came up with some questions that I don't quite
> understand.
> Why would you need to modify client software in order to use
> an Application level firewall? What do the proxies do that require change?
> And if there is no way to use client software without modification, what do
> typical people do when they have software that can't be easily modified?
> The reason I ask (besides wanting to know for curiosity sake) that my
> company is thinking about going Internet and we have a bunch of Windows NT
> workstation PCs. If the NT ftp clients don't work with the firewall that
> gets bought, I doubt we could convince Microsoft to make special versions or
> give us the source code.
> -----
> Ed Maillet
> maillet@usmcs.maine.edu

The basic problem is that most clients (ftp, telnet, etc.) expect to receive one or two arguments (hostname/ip and optional alternate port number). An application level gateway (proxy) service on a 'non-transparent' firewall requires that instead of the desired hostname/ip, you must first specify the firewall bastion host. The proxy on that host then asks you in some way where you really want to go.

Unfortunately, this wasn't thought of in most of the original design. For Telnet, you have to give a command like 'connect bla.bla.com'. For FTP, the de jure 'standard' is to use 'userid@intended.system.bla' as the userid and the intended password as the remote password. FTP is less troublesome because it technically has added nothing to the protocol.

Some PC clients (it's rumored) are building this capability in. Others provide scripting.

Socks was an attempt to deal with this, but it's often considered too open and dangerous unfortunately.

Telnet's the one that's really a pain for Web browsers: everything else is handled by the proxy server. Telnet URLs will always fail with timeouts.

sdw
--
Stephen D.
Williams 25Feb1965 VW,OH (FBI ID) sdw@lig.net http://www.lig.net/sdw
Senior Consultant, Manhattan Feb95- | 513-865-9599 FAX/LIG 513.496.5223 OH Page
OO R&D AI:NN/ES crypto DBMS RPC/CS |2464 Rosina Dr., Miamisburg, OH 45342-6430
Firewall/WWW srvrs|ICBM/GPS: 39 38 34N 84 17 12W home, 40 47 00N 73 58 00W wrk
Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.;1Mar95

From firewalls-owner Sun Mar 5 23:47:13 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA11367 for firewalls-outgoing; Sun, 5 Mar 1995 23:44:30 -0800
Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id XAA11362 for ; Sun, 5 Mar 1995 23:44:27 -0800
Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.28.1 #5) id m0rlXQU-0000edC; Sun, 5 Mar 95 23:41 PST
Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA09639; Sun, 5 Mar 1995 23:42:09 +0800
Date: Sun, 5 Mar 1995 23:42:09 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
Message-Id: <9503060742.AA09639@brittany.oes.amdahl.com>
To: firewalls@greatcircle.com, maillet@doc.usmcs.maine.edu
Subject: Re: Need to modify clients programs to use firewall questions
Content-Length: 2427
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Hey all,
> Reading the FW-1 debate I came up with some questions that I don't quite
>understand. Why would you need to modify client software in order to use
>an Application level firewall? What do the proxies do that require change?

When you use proxies, either the software, or the user has to be aware that the proxy is interposed between the client and the server.

In transport level proxies, such as socks, the clients are modified to do the request in a new way, connecting to the proxy, but supplying it with the information it needs to proxy the connection to the final destination.
One advantage of this is that the user need not be aware that the proxy exists. They can use the modified software just as they would if they didn't have a firewall between them and the internet. If you wanted to ftp to ftp.uu.net, you'd only have to type "ftp ftp.uu.net" and you could get connected. (Leaving out the passive mode problems;)

Many application proxies require you to explicitly connect to the proxy, and ask it to connect further for you, so for example, I might do, ftp proxy.amdahl.com to get to our proxy, then have to type further commands to connect from there to ftp.uu.net. In this case the user has to modify his behavior, he has to do an extra step each time. Of course it's possible to modify the client code, i.e. have a modified ftp client that would transparently do the necessary commands to proxy through the firewall.

So, you see the tradeoff. The user, or the client, must be modified to work with proxies.

>And if there is no way to use client software without modification, what do
>typical people do when they have software that can't be easily modified?
> The reason I ask (besides wanting to know for curiosity sake) that my
>company is thinking about going Internet and we have a bunch of Windows NT
>workstation PCs. If the NT ftp clients don't work with the firewall that
>gets bought, I doubt we could convince Microsoft to make special versions or
>give us the source code.

There are two things I've seen commonly done here, either go with something like Janus or FireWall-1 which each gets the stuff through transparently to you (albeit in wildly different ways,) or get a new winsock stack for each machine that's modified for socks, and run a socks server on the gateway machine. Either way normal clients will work just fine. Either one can provide security.

Patrick

_______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;). \
|                                                          (\         |
| Patrick J.
Horgan        Amdahl Corporation              \\ Have    |
| patrick@amdahl.com       1250 East Arques Avenue          \\ _ Sword |
| Phone : (408)992-2779    P.O. Box 3470 M/S 316            \\/ Will   |
| FAX : (408)773-0833      Sunnyvale, CA 94088-3470          _/\\ Travel |
\___________________________O16-2294________________________\)__________/

From firewalls-owner Mon Mar 6 00:17:14 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA11481 for firewalls-outgoing; Sun, 5 Mar 1995 23:53:12 -0800
Received: from aun.uninett.no (aun.uninett.no [129.241.1.99]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id XAA11471 for ; Sun, 5 Mar 1995 23:53:07 -0800
From: terje.engebretsen@TMS.telemax.no
X400-Received: by mta aun.uninett.no in /PRMD=uninett/ADMD= /C=no/; Relayed; Mon, 6 Mar 1995 08:50:44 +0100
X400-Received: by /ADMD=TELEMAX/C=NO/; Relayed; Mon, 6 Mar 1995 08:52:43 +0100
X400-Received: by /PRMD=TMS/ADMD=TELEMAX/C=NO/; Relayed; Mon, 6 Mar 1995 08:54:31 +0100
Date: Mon, 6 Mar 1995 08:54:31 +0100
X400-Originator: terje.engebretsen@TMS.telemax.no
X400-Recipients: firewalls@greatcircle.com
X400-MTS-Identifier: [/PRMD=TMS/ADMD=TELEMAX/C=NO/;1859 95/03/06 08:54]
X400-Content-Type: P2-1984 (2)
Message-ID: <"1859 95/03/06 08:54*/G=terje/S=engebretsen/PRMD=TMS/ADMD=TELEMAX/C=NO/"@MHS>
To: firewalls@greatcircle.com (Non Receipt Notification Requested)
Subject: Janus Firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is there anyone who has any experience with the Janus Firewall Server from Border Technologies Inc. ?
Terje Engebretsen, Telematikksystemer AS,
X.400 : G=Terje; S=Engebretsen; P=TMS; A=TELEMAX; C=NO
E-Mail: Terje.Engebretsen@tms.telemax.no

From firewalls-owner Mon Mar 6 00:34:21 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA11429 for firewalls-outgoing; Sun, 5 Mar 1995 23:49:22 -0800
Received: from gwx.teledata.co.at (teledata-eunet.AT.EU.net [193.80.63.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id XAA11424 for ; Sun, 5 Mar 1995 23:49:18 -0800
Received: from ws61.teledata.co.at (ws61.teledata.co.at [193.80.185.61]) by gwx.teledata.co.at (8.6.10/8.6.10) with SMTP id IAA03466; Mon, 6 Mar 1995 08:46:04 +0100
Date: Mon, 6 Mar 1995 08:43:09 MET
From: Mazinger Peter
Reply-To: pmazinge@teledata.co.at
Subject: Re: IPX traffic through a firewall
To: Dave Stagner
cc: firewalls@greatcircle.com
Message-ID:
Priority: Normal
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You could use ipx-iptunnel on the workstation, or install netware-ip on the server. Both use TCP/IP as the network protocol. Though I haven't tried it through a firewall.

On Fri, 3 Mar 1995 11:18:34 -0600 (CST) Dave Stagner wrote:
> From: Dave Stagner
> Date: Fri, 3 Mar 1995 11:18:34 -0600 (CST)
> Subject: IPX traffic through a firewall
> To: firewalls@greatcircle.com
>
> Can plug-gw or some other wrapper program be used to pass IPX traffic
> through a firewall? We have users who want to access their Novell
> network from the outside, and the option is either let them have a
> modem inside (insecure), or send them through the firewall, which is
> TCP-based. I suppose they could run Netware sessions over TCP
> somehow, but I know very little about Novell myself (lucky me, I'm
> paid to write unix software!), so I don't know about configuring such
> a beast, or even if it's possible.
>
> Does anyone have experience with this sort of thing?
> It's not
> critical or urgent at this point; I just want to sort out the options.
> --
> * David Faron Stagner
> * National Computer Systems david-stagner@ic.ncs.com
> * 2510 N Dodge St vox 319 354 9200 ext 6884
> * Iowa City, IA 52244 fax 319 339 6555
>
> I disclaim my employer and I'm sure they'd disclaim me too.

--------------------------------------------------------
Mazinger Peter-Sandor                   pmazinge@teledata.co.at
Teledata Consulting & Systemmanagement GmbH.
A-6840 Goetzis, Austria, Vorarlberger Wirtschaftspark
Tel. +43/(0)5523/52623-0                Fax. +43/(0)5523/52623-9

From firewalls-owner Mon Mar 6 02:47:26 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id CAA15025 for firewalls-outgoing; Mon, 6 Mar 1995 02:45:26 -0800
Received: from mail-server.surrey.ac.uk (mail-server.surrey.ac.uk [131.227.102.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id CAA15018 for ; Mon, 6 Mar 1995 02:45:19 -0800
Received: from central.surrey.ac.uk by mail-server.surrey.ac.uk with SMTP (PP); Mon, 6 Mar 1995 10:38:45 +0000
Received: by central.surrey.ac.uk (1.37.109.8/16.2) id AA04837; Mon, 6 Mar 1995 10:38:42 GMT
Date: Mon, 6 Mar 1995 10:38:41 +0000 (GMT)
From: Mr Martin J Hargreaves
To: John Adams
Cc: Paul.Danielson@West.Sun.COM, frankw@su1.in.net, Firewalls@GreatCircle.COM
Subject: Re: Out of the box "security" was: Dual homed VAXen.....
In-Reply-To: <199503060040.TAA05721@galaxy.concorde.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sun, 5 Mar 1995, John Adams wrote:

> I'd have to say one of the most secure O/s'es out of the box is the
> Slackware Distribution of Linux.

I would say this needed some work (about half a day or so) to set up securely.

>
> It comes with the latest sendmail, everything wrapped with TCP wrappers,
> and large amounts of change (plus all of the source code so you can
> go in and audit yourself...)
>

The one I got on CD-ROM (Slackware 2.0) came with smail, not sendmail (which may be a bonus), and an incorrect inetd.conf (with the wrong path to tcpd, which disabled inetd-based services until fixed).

The really good thing about it, IMHO, is that it is just a collection of separate software packages, and it's quite possible to remove any or all of them conveniently (with the pkgtool utility - though this has rm'd /etc before now, but that's what backups are for :-), and removing a package will almost certainly not affect any other package, within reason.

> Except lots of people say there's a bug in the procfs, but I haven't heard
> much about that security hole...

I've heard nothing about this apart from rumours it was fixed a while back.

Regards,

Martin.

----------------------------------------------------------------
| Martin Hargreaves,                      ch11mh@surrey.ac.uk|
| Undergraduate Computational Chemist                        |
| WWW Server Admin              http://www.chem.surrey.ac.uk|
----------------------------------------------------------------

From firewalls-owner Mon Mar 6 04:27:25 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA16264 for firewalls-outgoing; Mon, 6 Mar 1995 04:14:09 -0800
Received: from relay2.pipex.net (relay2.pipex.net [158.43.128.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id EAA16259 for ; Mon, 6 Mar 1995 04:14:05 -0800
Received: from smtpgty.saicuk.co.uk by bath.pipex.net with SMTP (PP); Mon, 6 Mar 1995 12:11:26 +0000
Received: by smtpgty.saicuk.co.uk with Microsoft Mail id <2F5AF8DD@smtpgty.saicuk.co.uk>; Mon, 06 Mar 95 11:58:21 GMT
From: "Johnson-Bryden, Ian"
To: "'Firewalls@GreatCircle.COM'"
Subject: RE: Firewalls : some answers
Date: Mon, 06 Mar 95 11:51:00 GMT
Message-ID: <2F5AF8DD@smtpgty.saicuk.co.uk>
Encoding: 66 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Benoit Dicaire wrote :

BD> Hi, my management is worried about security issues.
BD> I'm working on a memo that will explain WHY we need a firewall
BD> I'm looking for numbers:
BD> - How many sites are on the Internet
BD> - How many sites have a firewall (a corporate one, or one per site)
BD> - How many sites plan to have a firewall

Steven Tepper wrote :
ST> I doubt very much that reliable numbers exist, and even if they did, how much
ST> value would they have? If most net sites don't have any protection from the
ST> Internet, it's probably because they aren't aware of the risks. Also, as has
ST> been discussed recently on the firewalls list, there is no clear definition of
ST> a firewall.

Still, I need to find the trend. For me a firewall is something that can secure a site.

Bob McKisson wrote :
BM> Is it safe to assume that your organization has in place a
BM> corporate Automated Information Systems Security Policy?

My organisation is *HUGE*; maybe there is that kind of policy somewhere. We provide electricity for the province of Quebec and some parts of New York, etc ... I'll provide a firewall only for my project. Do you know where I can find a template for this policy? Oh, BTW, I'll have my firewall; it's only a matter of doing the paperwork. A prototype with the TIS toolkit is in the works ... Does anyone have a proxy for SQL Net?

------------------------------

The answer to 'how many firewalls?' is impossible. 'Firewall' is a broad concept and covers a wide range of technologies and approaches. Any figure for the number in use is therefore likely to be wrong.

Producing a security policy for a small part of an organisation is not very difficult to do but could be meaningless because the protection you implement may be subverted by actions in other parts of your organisation which are linked on internal networks. The larger the organisation, the more likely this is.

The other factor to consider is what you really want the Inet link for.
If you are only planning to use the Inet for mail between different remote parts of your organisation and maybe some selected trading partners, the type of firewall usually discussed by this group may not be appropriate and alternative technology may be much better and safer. If your main requirement is designated mail, but you also have users who wish/need to access a broad range of Inet facilities, you may need two systems rather than just one simple firewall. If you don't know what is behind you inside your organisation, you may need to protect the back door also. A better solution is a single corporate policy into which each part of the organisation slots.

Ian J-B

From firewalls-owner Mon Mar 6 04:47:24 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA16340 for firewalls-outgoing; Mon, 6 Mar 1995 04:31:17 -0800 Received: from uhea001.gb.ec.ps.net (uhea001.gb.ec.ps.net [160.109.232.19]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id EAA16335 for ; Mon, 6 Mar 1995 04:31:14 -0800 Message-Id: <199503061231.EAA16335@miles.greatcircle.com> Subject: Please add me to your mailing list To: firewalls@greatcircle.com Date: Mon, 6 Mar 1995 12:28:25 +0000 (GMT) From: "frosta" X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 40 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Alan J Frost PEROT SYSTEMS EUROPE LTD

From firewalls-owner Mon Mar 6 05:05:57 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA16640 for firewalls-outgoing; Mon, 6 Mar 1995 04:45:49 -0800 Received: from foxtrot.worldcom.com (foxtrot.worldcom.com [198.64.193.12]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id EAA16630 for ; Mon, 6 Mar 1995 04:45:46 -0800 Received: from worldcom-18.worldcom.com (worldcom-18.worldcom.com [198.64.193.9]) by foxtrot.worldcom.com (8.6.9/8.6.9) with SMTP id GAA15577 for ; Mon, 6 Mar 1995 06:25:10 -0600 Received: by worldcom-18.worldcom.com (IBM
OS/2 SENDMAIL VERSION 1.3.13/3.3) id AA8205; Mon, 06 Mar 95 06:22:06 -0800 Message-Id: <9503061422.AA8205@worldcom-18.worldcom.com> Received: from worldcom with "Lotus Notes Mail Gateway for SMTP" id C4C69AFD472A0FB8862561770043EDBB; Mon, 6 Mar 95 06:22:06 To: firewalls From: Kenneth Smith Date: 6 Mar 95 1:33:51 EDT Subject: Re: IPX traffic through a firewall Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dave Stagner wrote: > Can plug-gw or some other wrapper program be used to pass IPX traffic > through a firewall? We have users who want to access their Novell > network from the outside, and the option is either let them have a > modem inside (insecure), or send them through the firewall, which is > TCP-based. I suppose they could run Netware sessions over TCP > somehow, but I know very little about Novell myself (lucky me, I'm > paid to write unix software!), so I don't know about configuring such > a beast, or even if it's possible. Have you considered Netware Connect? It's modem-based, so "insecure" in that fashion, but it does at least have user-level security. And because it's configured at the server, you would be able to retain control over the modems and over the server's security procedures: you wouldn't have to give each user a modem, load pcAnywhere and then hope for the best, at any rate. I believe the new version of Netware connect supports a Windows-based client, standard PPP, and perhaps either PAP or CHAP security. I haven't actually used it much myself, preferring to steer clear of Netware whenever I have the chance, but Microsoft's version (RAS) is pretty slick. (RAS *does* support IPX, by the way.) 
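Kenneth's passing mention that NetWare Connect "perhaps" offers PAP or CHAP is the security-relevant detail for any dial-in pool: PAP ships the password in the clear on the phone line, while CHAP answers a per-attempt random challenge with an MD5 hash, so the secret never crosses the line and a captured response cannot be replayed. The following is an added example, not code from the post and not NetWare Connect or RAS code: it builds both exchanges from the packet layouts in RFC 1334 (PAP) and RFC 1994 (CHAP), using constructed user names, secrets and challenge bytes, and reports what a passive tap on the modem line would learn in each case.

```python
"""PAP versus CHAP on a PPP dial-in link (RFC 1334 / RFC 1994).

Added example, not code from the original post or from NetWare Connect / RAS.
The packet layouts follow the RFCs; the names, secrets and challenge bytes are
constructed test values.
"""
import hashlib
import secrets
import struct

PAP_AUTH_REQUEST = 1                                                    # RFC 1334 Authenticate-Request
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4  # RFC 1994 codes


def pap_authenticate_request(identifier, peer_id, password):
    """PAP: Code, Identifier, Length, Peer-ID-Length, Peer-ID, Passwd-Length, Password."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, identifier, 4 + len(body)) + body


def pap_parse_request(pkt):
    """What a tap on the line recovers from a PAP request: the password, verbatim."""
    code, _identifier, length = struct.unpack("!BBH", pkt[:4])
    if code != PAP_AUTH_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    n = pkt[4]
    peer_id = pkt[5:5 + n]
    m = pkt[5 + n]
    return peer_id, pkt[6 + n:6 + n + m]


def chap_packet(code, identifier, value, name=b""):
    """CHAP: Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def chap_parse(pkt):
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("CHAP length field does not match packet")
    n = pkt[4]
    return code, identifier, pkt[5:5 + n], pkt[5 + n:]


def chap_response_value(identifier, secret, challenge):
    """RFC 1994 section 2: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Dial-in server side: a fresh random challenge per attempt, each usable once."""

    def __init__(self, secret_db):
        self.secret_db = secret_db   # peer name -> shared secret (held in clear, by CHAP's design)
        self.outstanding = {}        # identifier -> challenge value still awaiting a response

    def challenge(self, identifier):
        value = secrets.token_bytes(16)
        self.outstanding[identifier] = value
        return chap_packet(CHAP_CHALLENGE, identifier, value, b"dialin-server")

    def check(self, response_pkt):
        code, identifier, value, name = chap_parse(response_pkt)
        challenge = self.outstanding.pop(identifier, None)   # consumed whether or not it verifies
        secret = self.secret_db.get(name)
        if code != CHAP_RESPONSE or challenge is None or secret is None:
            return chap_packet(CHAP_FAILURE, identifier, b"")
        expected = chap_response_value(identifier, secret, challenge)
        ok = secrets.compare_digest(expected, value)
        return chap_packet(CHAP_SUCCESS if ok else CHAP_FAILURE, identifier, b"")


def chap_peer_respond(challenge_pkt, name, secret):
    """Client side: prove knowledge of the secret without transmitting it."""
    _, identifier, value, _ = chap_parse(challenge_pkt)
    return chap_packet(CHAP_RESPONSE, identifier, chap_response_value(identifier, secret, value), name)


def compare_exchanges(name=b"alice", secret=b"correct horse battery"):
    """Run both protocols once and report what a passive tap learns, plus a replay attempt."""
    pap_pkt = pap_authenticate_request(7, name, secret)

    auth = ChapAuthenticator({name: secret})
    chal = auth.challenge(1)
    resp = chap_peer_respond(chal, name, secret)
    first_result = chap_parse(auth.check(resp))[0]

    # Eavesdropper replays the captured response value against a new challenge.
    auth.challenge(2)
    replay = chap_packet(CHAP_RESPONSE, 2, chap_parse(resp)[2], name)
    replay_result = chap_parse(auth.check(replay))[0]

    return {
        "pap_leaks_password": secret in pap_pkt,
        "chap_leaks_secret": secret in chal or secret in resp,
        "chap_first_result": first_result,
        "chap_replay_result": replay_result,
    }


if __name__ == "__main__":
    print(compare_exchanges())
```

The PAP Authenticate-Request carries the password as plain bytes, so a modem pool that accepts PAP is only as private as the phone line. CHAP keeps the secret off the wire and the one-shot challenge table defeats replay, but the server must still hold every shared secret in recoverable form, and MD5 is used here because RFC 1994 specifies it, not as a recommendation for new designs.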
From firewalls-owner Mon Mar 6 05:17:30 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA16992 for firewalls-outgoing; Mon, 6 Mar 1995 05:03:13 -0800 Received: from erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA16987 for ; Mon, 6 Mar 1995 05:03:09 -0800 Posted-Date: Mon, 6 Mar 1995 08:00:46 -0500 From: "Bryan D. Boyle" Message-Id: <9503060800.ZM9416@maverick.erenj.com> Date: Mon, 6 Mar 1995 08:00:46 -0500 In-Reply-To: Edward Maillet "Need to modify clients programs to use firewall questions" (Mar 4, 3:58pm) References: <9503042058.AA04050@doc.usmcs.maine.edu> X-Phone: (908) 730-3338 X-Saying: Strange problems call for strange solutions. X-Life: Get One X-Mailer: Z-Mail (3.2.0 06sep94) To: firewalls@greatcircle.com Subject: Re: Need to modify clients programs to use firewall questions Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Mar 4, 3:58pm, Edward Maillet wrote:
> Subject: Need to modify clients programs to use firewall questions
> Hey all,
> Reading the FW-1 debate I came up with some questions that I don't quite
> understand. Why would you need to modify client software in order to use
> an Application level firewall? What do the proxies do that require change?
> And if there is no way to use client software without modification, what do
> typical people do when they have software that can't be easily modified?
> The reason I ask (besides wanting to know for curiosity's sake) is that my
> company is thinking about going Internet and we have a bunch of Windows NT
> workstation PCs.
> If the NT ftp clients don't work with the firewall that
> gets bought, I doubt we could convince Microsoft to make special versions or
> give us the source code.

It depends on the level of user interaction (intervention? inconvenience?) you want to have. For instance, (and this is based on experience here...) telnet, while used inside here, is not the _MAIN_ service people here use. Yes, we log hundreds of hours a month, but there are few connections for a long period of time (relatively speaking...). OTOH, FTP, Web, and Mail consume billions of bits of bandwidth. But, our internal design (design as in the support infrastructure) paradigm was to provide as >transparent< an application layer as possible, while still using the firewall proxies as support and gating mechanisms for the browsers and other net applications.

Did this mean that we could instantly put Mosaic up when it first became available back in '92 (only that long ago???? sheesh...)? No. It meant that we had to evaluate (and we meaning 2 of us here...) the security implications, examine how it used the network, and develop our experience while the net was developing an ongoing security paradigm to support the architecture. The three converged at some point early last year, and we were able, with little code modification, to offer our users the same application that worked, to the user, the same way it would if we had no security on our gate to the net.

Did this mean when Andreesen et al jumped ship and went to MCC (or Netscape, whatever...) and came out with their browser, that it took the same development cycle to get the next generation working? No. They applied the lessons learned from dealing with commercial establishments and other experiences as well as we learned how to support the users effectively in an auditable manner. The support was already there for using proxies, application gateways, and firewalls. It was almost a no-brainer to set it up.
What we are all seeing is that vendors (although, one only wonders if Micro$oft even knows that the world outside of the 8080-derivative machines exists...sure they do...:)) are actually beginning to understand that customers are taking matters into their own hands, and demanding services that are secure, and work within the commonly accepted methods of securing a network. Those that don't run the risk of becoming superfluous, and those that can, well, those that can are doing it now, and are responsive. Just my $.02 -- Bryan D. Boyle |Physical: ER&E, Clinton, NJ (908) 730-3338 #include |Virtual: bdboyle@erenj.com World-Wide-Web: http://www.digimark.net/bdboyle/index.html http://www.digimark.net/bdboyle/pubkey.html for pgp public key From firewalls-owner Mon Mar 6 05:47:20 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA17673 for firewalls-outgoing; Mon, 6 Mar 1995 05:32:19 -0800 Received: from chenas.inria.fr (chenas.inria.fr [192.134.192.136]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA17668 for ; Mon, 6 Mar 1995 05:32:15 -0800 Received: from diva.fr (phoenix.diva.fr) by chenas.inria.fr (5.65c8d/92.02.29) via Fnet-EUnet id AA02727; Mon, 6 Mar 1995 14:29:40 +0100 (MET) Received: from diva.diva.fr by diva.fr (4.1/SMI-4.1) id AA03980; Mon, 6 Mar 95 14:29:21 +0100 Received: from galaxia.diva.fr by diva.diva.fr (4.1/SMI-4.1) id AA18688; Mon, 6 Mar 95 14:27:17 +0100 Received: by galaxia.diva.fr (5.x/SMI-SVR4) id AA12720; Mon, 6 Mar 1995 14:25:08 +0100 Date: Mon, 6 Mar 1995 14:25:08 +0100 From: Eric.Deschamps@diva.fr (Eric Deschamps) Message-Id: <9503061325.AA12720@galaxia.diva.fr> To: Firewalls@GreatCircle.COM Subject: Tunneling Sender: firewalls-owner@GreatCircle.COM Precedence: bulk What does tunneling exactly mean ? 
Eric Deschamps

From firewalls-owner Mon Mar 6 06:52:21 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA18769 for firewalls-outgoing; Mon, 6 Mar 1995 06:38:57 -0800 Received: from ford.gbnet.org (ford.gbnet.org [192.188.96.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA18764 for ; Mon, 6 Mar 1995 06:38:53 -0800 Received: (from steve@localhost) by ford.gbnet.org (8.6.10/8.6.10) id OAA23419; Mon, 6 Mar 1995 14:35:47 GMT From: Steve Kennedy Message-Id: <199503061435.OAA23419@ford.gbnet.org> Subject: Re: Tunneling To: Eric.Deschamps@diva.fr (Eric Deschamps) Date: Mon, 6 Mar 1995 14:35:47 +0000 (GMT) Cc: Firewalls@GreatCircle.COM In-Reply-To: <9503061325.AA12720@galaxia.diva.fr> from "Eric Deschamps" at Mar 6, 95 02:25:08 pm X-Mailer: ELM [version 2.4 PL24alpha3] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1035 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

According to Eric Deschamps
> What does tunneling exactly mean ?

Tunneling can also be thought of as encapsulation, whereby the packet of the original protocol (generally including header info) is put into the data portion of the protocol that you wish to tunnel inside. You obviously require a pair of tunnelers which 'know' about tunneling so that when an encapsulated packet hits the 2nd device it is de-encapsulated and returned to its original format.
Regards Steve -- ___ |_ ___ ___ Flat 2, 43 Howitt Road (___ | (___) \ / (___) Belsize Park ___) | (___ \/ (___ London NW3 4LU [MIME OK] tel +44-(0)171 483 1169 steve@gbnet.{com,org,net} home (or steve@tel.net) GSM 0802 444500 steve@marvin.demon.co.uk Demon Internet Dial-up data 2400 449500 WWW http://www.demon.co.uk/subscribers/m/marvin/ 9600 449501 UNIX/Networking Consulting steve@NetTek.co.uk fax 449502 From firewalls-owner Mon Mar 6 07:11:13 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA18813 for firewalls-outgoing; Mon, 6 Mar 1995 06:40:23 -0800 Received: from gatekeeper.ddp.state.me.us (gatekeeper.ddp.state.me.us [141.114.130.70]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA18798 for ; Mon, 6 Mar 1995 06:40:13 -0800 Received: from localhost by gatekeeper.ddp.state.me.us (8.6.5/1.37) id JAA03712; Mon, 6 Mar 1995 09:33:46 -0500 Date: Mon, 6 Mar 1995 09:33:45 -0500 (EST) From: David Miller Subject: Re: Dual ported pc's To: John Lombardo cc: Firewalls@greatcircle.com In-Reply-To: <9503040109.AA27002@deltanet.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 3 Mar 1995, John Lombardo wrote: > > Our company has a firewall that provides very limited access to the > Internet for inside machines. We've been kicking around the idea of > setting up proxy servers within the gateway, but since we have so many > old and diverse unix boxes on the internal network, it would not be > a pleasent thing to do. There are two choices when connecting from the inside to the outside: modify the programs somewhat, or modify the user behavior. Unix clients on the inside can get to the outside by first connecting to the gateway, then entering where they wish to go. 
> Since most users have windows pcs on their desks, what I'm considering
> is as follows:
>
> -------
> |     | Internet
> -------
> |
> -------
> |     | Router
> -------
> | Unsecured network
> [--------------------------------------------------------------------]
> |      |      |      |          |      |
> |      |      |      |          |      |
> ------ ------ ------ ---------- ------ ------
> |    | |    | |    | | Gateway| |    | |    |
> |win | |win | |win | |        | |win | |win |
> | pc | | pc | | pc | |        | | pc | | pc |
> ------ ------ ------ ---------- ------ ------
> |      |      |      |          |      |
> |      |      |      |          |      |
> [--------------------------------------------------------------------]
> |                |       |      |      Secured network
> |                |       |      |
> ----------------- ------- ------ ------
> | production    | |linux| |unix| |unix|
> | unix box      | |     | |    | |    |
> ----------------- ------- ------ ------
>
> I am making some assumptions:
> 1) I trust my users not to fiddle with routing on their pc's
> 2) There are no services running on the pc's that'll get me into trouble

I think this is a big assumption. It may be true now, but what happens in a year when a user (It's only a PC so it can't cause security problems) loads the spiffy XYZ package that nfs exports everything to everyone by default?

> 3) This will be less time consuming than coming up with custom clients
> for all the machines
> 4) I give up the ability to telnet/ftp/etc from one of the unix boxes on
> the internal network

Is this a requirement? If you are willing to give up all access to the unix boxes wouldn't the unix users be happier to have *some* ability to get out, even if it's a two step process?

> The windows pc users would then have access to both the internet (which
> they want), and to the internal machines (which they need). They would
> still receive email through the gateway but could ftp/telnet/www/gopher/...
> with standard pc tools. I'll have to make sure they run only "approved"
> client software, but I won't have to change it to work with SOCKS or such.
You don't say how here, but it looks like two network cards. Is this what you intend?

> Am I all wet? Cheswick & Bellovin don't mention this type of configuration
> at all.

If you trust users not to ever, even accidentally, misconfigure something to reduce security you may not be paranoid enough to run a firewall.

I would suggest an easier alternative if your comfort level is that high. Set up the IP addresses so that one bit is an "Internet access bit". Have the perimeter router simply drop all packets not destined for an address if that bit's not set. You still have to trust those "on" the Internet not to gateway packets to others, but you seem willing to try that.

> John Lombardo
> john@deltanet.com

My $.02 worth, hope it helps:)

--- David ---------------------------------------------------------------------------- It's *amazing* what one can accomplish when one doesn't know what one can't do!

From firewalls-owner Mon Mar 6 07:27:56 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA18672 for firewalls-outgoing; Mon, 6 Mar 1995 06:29:18 -0800 Received: from mwunix.mitre.org (mwunix.mitre.org [128.29.154.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA18667 for ; Mon, 6 Mar 1995 06:29:16 -0800 Received: from mwmgate2.mitre.org (mwmgate2.mitre.org [128.29.155.13]) by mwunix.mitre.org (8.6.10/8.6.4) with SMTP id JAA27180; Mon, 6 Mar 1995 09:26:54 -0500 Message-Id: <199503061426.JAA27180@mwunix.mitre.org> Date: Mon, 06 Mar 95 09:28:11 EST From: D_Bauer%huac@MWMGATE1.mitre.org To: Eric.Deschamps@diva.fr (Eric Deschamps), Firewalls@GreatCircle.COM Subject: Re: Tunneling Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Tunneling (a.k.a. encapsulation) is the insertion of one protocol's packet into another protocol's packet. The inserted packet is piggy-backed on the native protocol's packet for a ride over the native protocol's network.
_______________________________________________________________________________ Subject: Tunneling From: Eric.Deschamps@diva.fr (Eric Deschamps) at -smtp- Date: 3/6/95 2:25 PM What does tunneling exactly mean ? Eric Deschamps From firewalls-owner Mon Mar 6 07:30:49 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA18574 for firewalls-outgoing; Mon, 6 Mar 1995 06:20:59 -0800 Received: from gatekeeper.hcc.com (gatekeeper.hcc.com [148.163.104.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA18569 for ; Mon, 6 Mar 1995 06:20:50 -0800 Received: by gatekeeper.hcc.com (5.65/jj-092193); id AA04151; Mon, 6 Mar 95 09:17:15 -0500 Received: by mailgate.bridgewater.ne.hcc.com (5.65/ejc-092393< Who Loves Class M Planets>); id AA07313; Mon, 6 Mar 1995 09:16:30 -0500 Received: from ahcenter.bridgewater.ne.hcc.com by diogenes.bridgewater.ne.hcc.com with SMTP (1.38.193.4/16.2) id AA02958; Mon, 6 Mar 95 09:13:55 -0500 Received: from BWMAIL1.HCC.COM by SSWP.HCC.COM (Soft*Switch Central V4L380P6) id 615315090095065FBWMAIL1; 06 Mar 1995 09:15:09 GMT Message-Id: Date: 06 Mar 1995 09:15:09 GMT From: "CARLEY, EDWARD" Subject: RE: Tunneling To: Firewalls@GreatCircle.COM Comment: MEMO 03/06/95 09:11:00 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Eric Writes >What does tunneling exactly mean ? > >Eric Deschamps Eric Tunneling is the act of encapsulating one protocol inside another. Common methods are SNA inside TCP/IP and IPX inside TCP/IP... The effectiveness of tunneling is a fairly well debated subject. 
Cheers Ed

From firewalls-owner Mon Mar 6 08:17:35 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA21028 for firewalls-outgoing; Mon, 6 Mar 1995 07:53:10 -0800 Received: from alv.nada.kth.se (alv.nada.kth.se [130.237.223.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA21023 for ; Mon, 6 Mar 1995 07:53:05 -0800 Received: (from x-frode@localhost) by alv.nada.kth.se (8.6.10/8.6.9) id QAA29299 for firewalls@greatcircle.com; Mon, 6 Mar 1995 16:50:42 +0100 Date: Mon, 6 Mar 1995 16:50:42 +0100 From: Frode Hoem Message-Id: <199503061550.QAA29299@alv.nada.kth.se> To: firewalls@greatcircle.com Subject: Inbound TCP-connect through firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi all

I have questions regarding the security problems from letting a CGI-script on a public WWW-server connect inbound to an Ingres-server behind a firewall. Here's a logical picture:

Internal-net---Ingres-server---FIREWALL---WWW-server---Router---Internet

The Ingres-server is considered part of the internal net and thus has to be secure. The WWW-server is considered compromised since it is serving the public. The WWW-server contains a script to let users perform queries via forms and send the queries inbound to the Ingres-server. The results from the queries are sent out through the firewall for further formatting on the WWW-server. Consider the script on the Ingres-server receiving SQL-queries and responding with results having control (i.e. read and write) over only a sub-part of the file system on the Ingres-machine. On the firewall I will run a relay to permit the TCP-connection, preferably plug-gw from TIS which only allows this single connection.

1) If the WWW-server is compromised, are there any ways to get a toehold on the Ingres-server (and other internal machines)? If so..
2) ...how can this be protected against?
3) Is there anybody out there doing the same thing?
Any suggestions, advice and dontdoits on this are strongly appreciated,

Frode

From firewalls-owner Mon Mar 6 08:48:55 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA21806 for firewalls-outgoing; Mon, 6 Mar 1995 08:31:48 -0800 Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA21801; Mon, 6 Mar 1995 08:31:45 -0800 X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 6 Mar 1995 08:29:54 -0800 To: John Larson , "Marcus J. Ranum" From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: FW-1, etc. Cc: patrick@oes.amdahl.com (Patrick Horgan), Firewalls@GreatCircle.COM, abraham@hpindda.cup.hp.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 7:10 PM 3/5/95, John Larson wrote:
>>Sure, you can reduce the scope of possible attack by further reducing
>>the number of "inside" services that "outside" machines can reach,
>>but by the time you've reduced them to a point, you've just implemented
>>a proxy bastion host. :)
>
>There are certain applications that require direct UDP connectivity. From
>my reading of product, it looks like it would be possible to support these
>types of applications with reasonable security using FW-1. For these
>UDP-based applications, you often cannot configure the client code (eg
>PC/Mac clients) to send the traffic via a proxy gateway and you may not
>have source code either. The proxy bastion host approach does not work to
>support these kinds of applications. The FW-1 approach does.

This is all true. The good news is, there aren't many UDP-based services on the Internet; almost everything is TCP-based (UDP is used much more within your LAN, for things like YP/NIS and NFS, than across the Internet). About the only major UDP-based Internet services that come to mind are DNS, NTP, and Archie.
DNS and NTP are relatively straightforward to deal with, because the UDP traffic that flows across your firewall is not usually generated by users directly; it's servers on either side of the firewall talking to each other. You can provide this safely through careful configuration of the firewall and the servers involved. For instance, you set up DNS and NTP servers on your bastion host, outside your packet filtering system. These are the servers that talk to the outside world, and that the outside world talks to. You set up your internal NTP and DNS servers to talk only to the servers on your bastion host. Therefore, the only UDP traffic that has to be allowed through your filters is DNS and NTP packets between your internal and bastion servers.

Archie is trickier, because it's a user-driven service. Fortunately, there are several good ways to access the Archie databases besides using a dedicated Archie client that speaks the native Archie protocol. You can access most Archie servers via telnet (telnet to the server, log in as "archie") or via email (send email to "archie" at the server). You can also access the servers interactively via WWW gateway pages like http://www.nexor.co.uk/archie.html and http://hoohoo.ncsa.uiuc.edu/archie.html and http://www.lerc.nasa.gov/Doc/archieplex-httpd.html . If you simply must have access via the native Archie protocol, you can probably use the UDP-Relay package, which is available from ftp://coast.cs.purdue.edu/pub/tools/unix/udprelay-0.2.tar.gz .
-Brent -- == For info about the Internet Security Firewalls Tutorial and a schedule == == of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM == ============================================================================== == Brent Chapman Great Circle Associates == == Brent@GreatCircle.COM 1057 West Dana Street == == +1 415 962 0841 Mountain View, CA 94041 ==

From firewalls-owner Mon Mar 6 09:15:59 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA21956 for firewalls-outgoing; Mon, 6 Mar 1995 08:42:41 -0800 Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA21949; Mon, 6 Mar 1995 08:42:37 -0800 X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 6 Mar 1995 08:40:46 -0800 To: brian@ilinx.com (Brian J. Murrell), firewalls@greatcircle.com From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: FW-1 better than a router?? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 7:35 PM 3/5/95, Brian J. Murrell wrote:
>I hope not to start any religious wars here but I had the opportunity to
>get a brief look at FireWall-1 last week. I was also talking to the
>person setting it up, and hope to get another look this week. It seemed
>to me that FW-1 was nothing more than a router with a GUI interface and
>logging, and now most router software does the latter.

This is a more or less accurate assessment, though very simplistic. The logging on FW-1 is more flexible than on most routers. Most routers simply report their filtering exceptions via syslog; I believe that FW-1 can be configured to execute arbitrary shell scripts (for instance, to send you email or page you) in response to certain filtering exceptions.
Now, whether or not you WANT your filtering system to have that much flexibility (because flexibility often brings a tradeoff in complexity and thus risk) is a different issue that's been thrashed to death before on this list.

>Would those of you who have had more extensive experience with FW-1
>agree with my observation?? If not, what do you find FW-1 can do that a
>screening router can't?? I actually didn't even see a way for FW-1 to
>"look into" packets for things like the SYN bit, which would make it
>actually less functional than a router.

It has that capability, and several others that screening routers lack. For instance, it has the ability to notice outgoing UDP packets and allow in only corresponding incoming UDP packets; this gives you a way to provide for UDP much the same functionality that examining the SYN bit lets you provide for TCP (that is, the ability to say "connections started from the inside are OK, but connections started from the outside aren't"). It also has the capability to look "inside" the data segments of packets for certain protocols like FTP, and respond to the protocol-level commands seen there (the PORT command in the FTP protocol, for example), which gives you a way to handle FTP safely without requiring your users to use PASV-mode clients and without leaving all your TCP ports above 1023 open to attack from the outside.

People disagree about the utility of the GUI, and about whether it contributes to security by making it easier to configure or detracts from it by making the system more complex and failure-prone. People disagree about whether the product is worth the cost. People disagree about the quality of the implementation and support (although just about everybody agrees that the current documentation really sucks).
All of these issues have been thrashed to death here already; if you're interested in researching them, you should check the Firewalls WAIS archive (host WAIS.GreatCircle.COM, database "firewalls-digest"; look for keywords "checkpoint", "firewall-1", and "fw-1"). -Brent -- == For info about the Internet Security Firewalls Tutorial and a schedule == == of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM == ============================================================================== == Brent Chapman Great Circle Associates == == Brent@GreatCircle.COM 1057 West Dana Street == == +1 415 962 0841 Mountain View, CA 94041 == From firewalls-owner Mon Mar 6 09:20:51 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA22173 for firewalls-outgoing; Mon, 6 Mar 1995 08:53:00 -0800 Received: from gabriel.resudox.net (gabriel.resudox.net [198.96.220.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA22168 for ; Mon, 6 Mar 1995 08:52:57 -0800 Received: from localhost (nuvo005@localhost) by gabriel.resudox.net (8.6.4/8.6.4) id LAA27886 for firewalls@GreatCircle.COM; Mon, 6 Mar 1995 11:53:40 -0500 From: "J. 
Latour" Message-Id: <199503061653.LAA27886@gabriel.resudox.net> Subject: unsuscribe firewalls To: firewalls@GreatCircle.COM Date: Mon, 6 Mar 1995 11:53:39 -0500 (EST) X-Mailer: ELM [version 2.4 PL21] Content-Type: text Content-Length: 50 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk unsuscribe firewalls nuvo005@gabriel.resudox.net From firewalls-owner Mon Mar 6 09:59:15 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA23130 for firewalls-outgoing; Mon, 6 Mar 1995 09:34:57 -0800 Received: from sun4nl.NL.net (sun4nl.NL.net [193.78.240.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA23125 for ; Mon, 6 Mar 1995 09:34:54 -0800 From: CV1852@inetgate.capvolmac.nl Received: from openi by sun4nl.NL.net via EUnet id AA19612 (5.65b/CWI-3.3); Mon, 6 Mar 1995 18:32:37 +0100 Received: from inetgate.capvolmac.nl by uud01.capvolmac.nl (uud01 3.2/UCB 5.64/4.03) id AA24857; Mon, 6 Mar 1995 17:38:35 +0100 Received: from WUD00-Message_Server by inetgate.capvolmac.nl with WordPerfect_Office; Mon, 06 Mar 1995 17:33:49 +0100 Message-Id: X-Mailer: WordPerfect Office 4.0 Date: Mon, 06 Mar 1995 17:34:41 +0100 To: firewalls@greatcircle.com Subject: Eagle firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, Is there anyone on this list that has experience with the Eagle firewall product from Raptor Systems Inc? 
Regards, Jos Noteboom Cap Volmac From firewalls-owner Mon Mar 6 10:17:19 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA23553 for firewalls-outgoing; Mon, 6 Mar 1995 10:04:34 -0800 Received: from gw1.octel.com (gw1.octel.com [148.147.1.12]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA23543 for ; Mon, 6 Mar 1995 10:04:31 -0800 Received: (from daemon@localhost) by gw1.octel.com (8.6.10/8.6.10) id KAA01433; Mon, 6 Mar 1995 10:00:55 -0800 Received: from octela.eng.octel.com(148.147.200.7) by gw1.octel.com via smap (V1.3) id sma001414; Mon Mar 6 10:00:36 1995 Received: from curly.eng.octel.com by octela.octel.com (4.1/SMI-4.0) id AA21592; Mon, 6 Mar 95 10:01:54 PST Received: from laura.octel (laura.eng.octel.com [148.147.206.4]) by curly.eng.octel.com (8.6.10/8.6.10) with SMTP id KAA25004; Mon, 6 Mar 1995 10:01:53 -0800 Received: by laura.octel (4.1/SMI-4.1) id AA08689; Mon, 6 Mar 95 10:01:53 PST Date: Mon, 6 Mar 95 10:01:53 PST From: hbo@octel.com (Howard B Owen) Message-Id: <9503061801.AA08689@laura.octel> To: jna@concorde.com Cc: firewalls@GreatCircle.COM In-Reply-To: <199503060041.TAA05739@galaxy.concorde.com> (uunet!concorde.com!jna) Subject: Re: satan Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >I thought the current rumor was is that "Satan, is for the most part, outdated." >It's been too long since they discussed it, and anyway, lots of programs >that do the same things already exist. I think the problem with SATAN is not so much the security threats it embodies (those are problems on their own) but the high profile and wide distribution it gives to those threats. I'd rather not debate "security through obscurity" on the firewalls list. (I'd be glad to take up the topic in email.) As a practical matter however, SATAN makes firewall manager's lives more difficult by increasing the number of unskilled individuals with access to and knowledge of sophisticated cracking tools. 
The net effect will probably be enhanced security in the long run, but in the short term I get to worry about a proliferation of casual crackers.

-- 
Howard Owen, System Administrator        internet: hbo@octel.com
Octel Communications Corporation         I am not a pay TV service!
1001 Murphy Ranch Rd. Mail Stop C2-1N    I've had the initials longer.
Milpitas CA 95035-7912 Tel. 408-324-6576
/////////////////////////////

From firewalls-owner Mon Mar 6 10:49:33 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA23696 for firewalls-outgoing; Mon, 6 Mar 1995 10:16:37 -0800
Received: from pegase.total.fr (pegase.total.fr [146.249.41.223]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA23683 for ; Mon, 6 Mar 1995 10:16:14 -0800
Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA02360; Mon, 6 Mar 95 19:13:10 +0100
Received: by tidtest.total.fr (4.1/SMI-4.1) id AA13192; Mon, 6 Mar 95 19:05:46 GMT
From: lavondes@tidtest.total.fr (Michel Lavondes)
Message-Id: <9503061905.AA13192@tidtest.total.fr>
Subject: Re: Dual ported pc's
To: isdmill@gatekeeper.ddp.state.me.us (David Miller)
Date: Mon, 6 Mar 95 19:05:45 GMT
Cc: john@deltanet.com, firewalls@greatcircle.com (fw)
Reply-To: lavondes@tidtest.total.fr
In-Reply-To: ; from "David Miller" at Mar 6, 95 9:33 am
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

David Miller wrote :
>
> [snip]
>
> If you trust users not to ever, even accidentally, misconfigure something
> to reduce security you may not be paranoid enough to run a firewall.
>
> I would suggest an easier alternative if your comfort level is that
> high. Setup the IP addresses so that one bit is an "Internet access
> bit". Have the perimeter router simply drop all packets not destined for
> an address if that bit's not set. You still have to trust those "on" the
> Internet not to gateway packets to others, but you seem willing to try that.
>
Why not make the "Internet allowed" bit the LSB of the IP address ? This way, it becomes harder to compromise security by enabling routing on Windoze PCs, since Internet-allowed PCs are on the same subnet as the would-be unprotected routers, unless you happen to allow source routing. But then you don't, do you ?

Not that the whole scheme can be made really secure, but if you don't care, why should I ? :-)

-- 
Michel Lavondes            |It's is not, it isn't ain't, and it's it's, not its,
lavondes@tidtest.total.fr  |if you mean it is. If you don't, it's its. Then too,
Tel : +33-1-4135-4198      |it's hers. It isn't her's. It isn't our's, either.
#include                   |It's ours, and likewise yours and theirs.

From firewalls-owner Mon Mar 6 11:20:08 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA23157 for firewalls-outgoing; Mon, 6 Mar 1995 09:37:41 -0800
Received: from relay.hp.com (relay.hp.com [15.255.152.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA23149 for ; Mon, 6 Mar 1995 09:37:37 -0800
Received: from hpindda.cup.hp.com by relay.hp.com with ESMTP (1.37.109.14/15.5+ECS 3.3) id AA224231316; Mon, 6 Mar 1995 09:35:17 -0800
Received: from localhost by hpindda.cup.hp.com with SMTP (1.37.109.15/15.5+IOS 3.20+cup+OMrelay) id AA257791243; Mon, 6 Mar 1995 09:34:04 -0800
Message-Id: <199503061734.AA257791243@hpindda.cup.hp.com>
To: brian@ilinx.com (Brian J. Murrell), firewalls@GreatCircle.COM
Subject: Re: FW-1 better than a router??
In-Reply-To: Your message of "Sun, 05 Mar 1995 19:35:51 PST."
Date: Mon, 06 Mar 1995 09:34:03 -0800
From: Abraham Lui
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

| Subject: FW-1 better than a router??
| From: brian@ilinx.com (Brian J. Murrell)
| Date: Sun, 05 Mar 1995 19:35:51 PST
| To: firewalls@GreatCircle.COM
| ----------------------------------------
| I hope not to start any religious wars here but I had the opportunity to
| get a brief look at FireWall-1 last week.
| I was also talking to the
| person setting it up, and hope to get another look this week. It seemed
| to me that FW-1 was nothing more than a router with a GUI interface and
| logging, and now most router software does the latter.
|
| Would those of you who have had more extensive experience with FW-1
| agree with my observation?? If not, what do you find FW-1 can do that a
| screening router can't?? I actually didn't even see a way for FW-1 to
| "look into" packets for things like the SYN bit, which would make it
| actually less functional than a router.

1) It has a mechanism which introduces "state" into UDP packets; it caches the UDP request and a UDP reply will be allowed to pass through only if there is a corresponding request entry in the cache.

2) It has a mechanism with which the user can "teach" the filter about the application protocol. (The popular filtering rules for http, ftp, wais, archie etc. come with the product.)

|
| Comments??

-Abe

+-------------------------------------------+---------------------------------+
|Abraham Lui (Member, Technical Staff)      |Bldg: 43L; MS 43LM; Pillar P7    |
|Information Networks Division              |Phone: 408-447-2403              |
|Hewlett-Packard Company                    |Telnet: 1-447-2403               |
|19420 Homestead Road, MS 43LM              |Fax: 408-447-3660                |
|Cupertino, CA 95014-9807                   |Email: abraham@cup.hp.com        |
+-------------------------------------------+---------------------------------+

From firewalls-owner Mon Mar 6 11:26:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA24544 for firewalls-outgoing; Mon, 6 Mar 1995 11:03:05 -0800
Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA24538 for ; Mon, 6 Mar 1995 11:03:01 -0800
Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.28.1 #5) id m0rli19-0000t1C; Mon, 6 Mar 95 11:00 PST
Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA10315; Mon, 6 Mar 1995 11:00:41 +0800
Date: Mon, 6 Mar 1995 11:00:41 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
Message-Id: <9503061900.AA10315@brittany.oes.amdahl.com>
To: patrick@oes.amdahl.com, Firewalls@greatcircle.com, root@mmp.com
Subject: Re: FW-1, etc.
X-Sun-Charset: US-ASCII
content-length: 1751
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From mmp.com!mmp.com!root@news.cts.com Mon Mar 6 09:10 PST 1995
>
> Multicasted packets also pose serious threat to IP filtering as the
> architecture of the packet is an IP packet WITHIN another IP packet. The
> outside header information is the only header a router will look @ when
> traversing your access control lists. So, on the outside packet you could say
> 'hey I'm a trusted host' and the inside could say something entirely different
> , IE: "I'm localhost now!"

You know I don't think you really understand how multicasting works. It's just another ip packet with a class D address, and routers that know how to route them. They don't contain the list of members within them.

There is an area of concern here, in that a really good packet-filtering firewall should understand IGMP. The administrator needs to decide if multicasting is supported, and which direction. Thankfully class D's are never allowed to be in the source field of a packet, and you should probably reject any packets like that. This means that we can still tell if a connection origination is from the inside or the outside.

Patrick

 _______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;).   \
|                                                          (\           |
| Patrick J. Horgan      Amdahl Corporation                 \\   Have   |
| patrick@amdahl.com     1250 East Arques Avenue             \\ _ Sword |
| Phone : (408)992-2779  P.O. Box 3470 M/S 316               \\/  Will  |
| FAX   : (408)773-0833  Sunnyvale, CA 94088-3470           _/\\ Travel |
\___________________________O16-2294________________________\)__________/

From firewalls-owner Mon Mar 6 11:40:01 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA23722 for firewalls-outgoing; Mon, 6 Mar 1995 10:18:09 -0800
Received: from gw1.octel.com (gw1.octel.com [148.147.1.12]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA23714 for ; Mon, 6 Mar 1995 10:18:05 -0800
Received: (from daemon@localhost) by gw1.octel.com (8.6.10/8.6.10) id KAA02001; Mon, 6 Mar 1995 10:14:30 -0800
Received: from octela.eng.octel.com(148.147.200.7) by gw1.octel.com via smap (V1.3) id sma001987; Mon Mar 6 10:14:17 1995
Received: from curly.eng.octel.com by octela.octel.com (4.1/SMI-4.0) id AA21651; Mon, 6 Mar 95 10:15:34 PST
Received: from laura.octel (laura.eng.octel.com [148.147.206.4]) by curly.eng.octel.com (8.6.10/8.6.10) with SMTP id KAA25271; Mon, 6 Mar 1995 10:15:33 -0800
Received: by laura.octel (4.1/SMI-4.1) id AA08713; Mon, 6 Mar 95 10:15:33 PST
Date: Mon, 6 Mar 95 10:15:33 PST
From: hbo@octel.com (Howard B Owen)
Message-Id: <9503061815.AA08713@laura.octel>
To: mikew@gopher.dosli.govt.nz
Cc: firewalls@greatcircle.com
In-Reply-To: <9503040514.AA09402@gopher.dosli.govt.nz> (uunet!gopher.dosli.govt.nz!mikew)
Subject: Re: split-DNS ... would this work?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> - The internal DNS (running on `dnsmaster') also claims to be primary for
>   the domain. However, it does NOT set `forwarders' to the bastion host.
>
> - A second internal DNS server (running on `dnsfwd') is a secondary for
>   the domain. This is where you set `forwarders' to the bastion.
>
> - Internal hosts resolve using `dnsmaster'. Hence they can't resolve
>   external names.
>
> - The bastion host (only) resolves using `dnsfwd', which can resolve both
>   internal & external names.
>
> Disclaimer: I haven't tried this (yet).
> I have a funny feeling it might
> not work, but can't see where my logic is wrong.

That's what we are planning to do here. I haven't tried it, but I'm morally certain it will work.

Currently I'm running a split DNS with an external and internal primary. All the internal name servers forward to the firewall in slave mode. This means they never consult their internal roots, and so delegation of in-addr.arpa domains doesn't work as it should. I get around this by having everyone secondary everyone else's zones. This works, but won't scale. I figure limiting forwarding to one or two internal name servers as above will work, but I'm curious as to how others are dealing with this problem.

-- 
Howard Owen, System Administrator        internet: hbo@octel.com
Octel Communications Corporation         I am not a pay TV service!
1001 Murphy Ranch Rd. Mail Stop C2-1N    I've had the initials longer.
Milpitas CA 95035-7912 Tel. 408-324-6576
/////////////////////////////

From firewalls-owner Mon Mar 6 11:53:02 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA25062 for firewalls-outgoing; Mon, 6 Mar 1995 11:23:51 -0800
Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA25057 for ; Mon, 6 Mar 1995 11:23:47 -0800
Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.28.1 #5) id m0rliLH-0000jJC; Mon, 6 Mar 95 11:21 PST
Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA10378; Mon, 6 Mar 1995 11:21:28 +0800
Date: Mon, 6 Mar 1995 11:21:28 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
Message-Id: <9503061921.AA10378@brittany.oes.amdahl.com>
To: patrick@oes.amdahl.com, Firewalls@greatcircle.com, root@mmp.com
Subject: Re: FW-1, etc.
X-Sun-Charset: US-ASCII
content-length: 1468
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> >
> > This is vague. What holes exist that don't exist with protocol or application
> > proxies?
> >
> Well, that's definitely an easy one.. IP filtering is based on TCP
> header information, specifically (host,port,dst,port). Authentication of
> hosts is very weak. Anyone can claim to be 127.0.0.1, or an IP of any host
> on the network, and your packet filtering will believe it just because that's
> what's in the header.. Obviously this is what is called 'spoofing'.

Good, finally some meaningful discussion. This one's fixable if you have some notion of a safe side and a bad side. You just reject packets coming in on the ethernet interface on the bad side, if they claim to come from the good side. You should always reject loopback packets coming in from any interface. They should only be invalid inside your own ip stack.

Patrick

 _______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;).   \
|                                                          (\           |
| Patrick J. Horgan      Amdahl Corporation                 \\   Have   |
| patrick@amdahl.com     1250 East Arques Avenue             \\ _ Sword |
| Phone : (408)992-2779  P.O. Box 3470 M/S 316               \\/  Will  |
| FAX   : (408)773-0833  Sunnyvale, CA 94088-3470           _/\\ Travel |
\___________________________O16-2294________________________\)__________/

From firewalls-owner Mon Mar 6 11:59:18 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA22039 for firewalls-outgoing; Mon, 6 Mar 1995 08:47:13 -0800
Received: from gwx.teledata.co.at (teledata-eunet.AT.EU.net [193.80.63.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA22032 for ; Mon, 6 Mar 1995 08:47:08 -0800
Received: from ws61.teledata.co.at (ws61.teledata.co.at [193.80.185.61]) by gwx.teledata.co.at (8.6.10/8.6.10) with SMTP id RAA03822; Mon, 6 Mar 1995 17:43:58 +0100
Date: Mon, 6 Mar 1995 17:40:54 MET
From: Mazinger Peter
Reply-To: pmazinge@teledata.co.at
Subject: Re: Tunneling
To: Eric Deschamps
cc: Firewalls@greatcircle.com
Message-ID:
Priority: Normal
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Protocol-bundling in IP (IPX, AppleTalk, IP itself)

On Mon, 6 Mar 1995 14:25:08 +0100 Eric Deschamps wrote:
> From: Eric Deschamps
> Date: Mon, 6 Mar 1995 14:25:08 +0100
> Subject: Tunneling
> To: Firewalls@greatcircle.com
>
> What does tunneling exactly mean ?
>
> Eric Deschamps

--------------------------------------------------------
Mazinger Peter-Sandor                 pmazinge@teledata.co.at
Teledata Consulting & Systemmanagement GmbH.
A-6840 Goetzis, Austria, Vorarlberger Wirtschaftspark
Tel. +43/(0)5523/52623-0    Fax. +43/(0)5523/52623-9

From firewalls-owner Mon Mar 6 12:12:04 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA22702 for firewalls-outgoing; Mon, 6 Mar 1995 09:12:05 -0800
Received: from donews.cts.com (donews.cts.com [192.188.72.21]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA22696 for ; Mon, 6 Mar 1995 09:11:59 -0800
Received: from mmp.com by donews.cts.com with uucp (Smail3.1.28.1 #18) id m0rlgHc-0001evC; Mon, 6 Mar 95 09:09 PST
Received: by mmp.com (4.1/SMI-4.1) id AA01006; Mon, 6 Mar 95 09:06:53 PST
Date: Mon, 6 Mar 95 09:06:53 PST
From: root@mmp.com (Operator)
Message-Id: <9503061706.AA01006@mmp.com>
To: patrick@oes.amdahl.com, Firewalls@greatcircle.com
Subject: Re: FW-1, etc.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > 2) Because the product is based on the "packet-filtering", it inherits the
> > limitation of the technology. Although I believe CheckPoint did a good
> > job on attempting to break the barrier.
>
> This is vague. What holes exist that don't exist with protocol or application
> proxies?

Well, that's definitely an easy one.. IP filtering is based on TCP header information, specifically (host,port,dst,port). Authentication of hosts is very weak. Anyone can claim to be 127.0.0.1, or an IP of any host on the network, and your packet filtering will believe it just because that's what's in the header.. Obviously this is what is called 'spoofing'.

Multicasted packets also pose a serious threat to IP filtering as the architecture of the packet is an IP packet WITHIN another IP packet. The outside header information is the only header a router will look @ when traversing your access control lists. So, on the outside packet you could say 'hey I'm a trusted host' and the inside could say something entirely different, IE: "I'm localhost now!"

BTW: Just a small plug..
Our organization teaches classes about 'digital crime prevention' that cover everything from PBX fraud & social engineering, to TCP/IP vulnerabilities, as well as host exploit classifications.

Jeromie Jackson                 Garrison Associates
jeromie@mmp.com                 11772 Sorrento Valley RD #123
Phone: 619-793-8223             San Diego, CA 92121
Fax  : 619-793-1124

From firewalls-owner Mon Mar 6 12:17:47 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA26560 for firewalls-outgoing; Mon, 6 Mar 1995 12:15:01 -0800
Received: from gw1.octel.com (gw1.octel.com [148.147.1.12]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA26552 for ; Mon, 6 Mar 1995 12:14:57 -0800
Received: (from daemon@localhost) by gw1.octel.com (8.6.10/8.6.10) id MAA06247; Mon, 6 Mar 1995 12:11:21 -0800
Received: from octela.eng.octel.com(148.147.200.7) by gw1.octel.com via smap (V1.3) id sma006241; Mon Mar 6 12:11:04 1995
Received: from curly.eng.octel.com by octela.octel.com (4.1/SMI-4.0) id AA22349; Mon, 6 Mar 95 12:12:22 PST
Received: from laura.octel (laura.eng.octel.com [148.147.206.4]) by curly.eng.octel.com (8.6.10/8.6.10) with SMTP id MAA27566; Mon, 6 Mar 1995 12:12:22 -0800
Received: by laura.octel (4.1/SMI-4.1) id AA09863; Mon, 6 Mar 95 12:12:21 PST
Date: Mon, 6 Mar 95 12:12:21 PST
From: hbo@octel.com (Howard B Owen)
Message-Id: <9503062012.AA09863@laura.octel>
To: jna@concorde.com
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199503061954.OAA02073@prophet.concorde.com> (message from John Adams on Mon, 6 Mar 1995 14:54:50 -0500)
Subject: Re: satan
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

John Adams wrote:
> Well, Current packages such as COPS and ISS provide the same sort of
> high-profile distribution and display of these threats. Even TAMU's tiger
> package does a better job than ISS and COPS, and gives you an incredibly
> detailed report.

Not quite the same high profile. SATAN made the front page of the San Jose Mercury News last week.
I think we've entered a new era of media exposure, and SATAN may make a bigger splash than we'd like to see.

> I can't say much for the validity or function of satan, as no one I know of
> has seen the package, but I can say that similar tools exist, and that
> being as full source code is available for all 3 packages (iss,cops,tiger)
> You can easily find out how the packages detect the holes, as well as what
> you need to do to exploit them.

Yes, those are good sources. Dan Farmer and Wietse Venema's paper "Improving Your Site's Security by Breaking Into it" would seem to be a good source of information regarding SATAN's approach to the problem. One place it is available is "http://www.ugcs.caltech.edu/~werdna/agtc.html".

One person who has allegedly seen the package is Kevin Mitnick. He probably won't be using it for a while, let us hope.

-- 
Howard Owen, System Administrator        internet: hbo@octel.com
Octel Communications Corporation         I am not a pay TV service!
1001 Murphy Ranch Rd. Mail Stop C2-1N    I've had the initials longer.
Milpitas CA 95035-7912 Tel. 408-324-6576
/////////////////////////////

From firewalls-owner Mon Mar 6 12:29:16 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA21731 for firewalls-outgoing; Mon, 6 Mar 1995 08:26:19 -0800
Received: from overdrive (overdrive3.ccrl.nj.nec.com [138.15.104.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA21726 for ; Mon, 6 Mar 1995 08:26:10 -0800
Received: by overdrive (4.1/YDL1.9-920708.13) id AA19530(overdrive); Mon, 6 Mar 95 11:14:02 EST
Received: by deimos (4.1/CNC-Client) id AA16544; Mon, 6 Mar 95 11:14:01 EST
Date: Mon, 6 Mar 1995 11:14:01 -0500 (EST)
From: Ed Strong
X-Sender: ems@deimos
To: "Bryan D. Boyle"
Cc: firewalls@greatcircle.com
Subject: Re: FW-1, etc.
In-Reply-To: <9503021250.ZM6168@maverick.erenj.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I hesitated in replying to this, for fear of adding to the religious wars, but I felt a few things should be pointed out.

On Thu, 2 Mar 1995, Bryan D. Boyle wrote:

> On Mar 2, 10:58am, Ed Strong wrote:
> > Subject: Re: FW-1, etc.
> >
> > David is not telling the whole story. If, like in many organizations, a
> > small fraction of one person's time is devoted to the firewall issue,
> > FW-1 gives good security at low overhead. Proxy-type firewalls are much
> > more labor intensive, and much less flexible, for relatively little
> > improvement in security. If you don't have time/resources to install special
> > client software on every machine (as required by most proxy firewalls), or
> > develop custom proxies wherever needed, then FW-1 is the best solution.
>
> Oh? I don't seem to recall having to install special software on any end-user
> machine in an environment of over 1500 users to get thru the SEAL/TIS firewall
> here. I also don't have to worry about a 'black box' software package running
> on a known-insecure operating system that has a failure mode of "everything
> open". All of the >useful< tools know about application proxy firewalls, and
> security schemes in use today. If they don't, then the producer of the
> software is not interested in business uses of their wares, and should probably
> concentrate on the education and non-profit markets where security is not a
> concern.

I didn't get beyond talks/visits with the DEC SEAL people (pricing $$ scared me off). The number of proxy apps is necessarily limited, the number of transparent proxies even more limited. And many of us do not have the option of dismissing all software not written with security in mind.
> If anyone thinks there is a simple, plug-in and forget about it approach to
> security and network access, then they are deluding their management. If you
> don't have time to do it to an auditably correct position, then perhaps you
> shouldn't be doing security. Security is a full-time mind set. FW-1 is a
> panacea for companies that think you can put in equipment and software and
> trust it blindly without understanding the principles or threats, since it is
> sold as a 'you just click on this, doodle that, and you are secure'. That
> scares me.

You make a number of dogmatic statements here. Who says net security must ever remain an incredibly labor-intensive task? Why? Does the ease-of-use of a well-designed GUI (opinion here of course) automatically make a product unfit to use? FW-1 is simply a security tool that works, if used properly. I won't pretend that I haven't studied a lot about security to date, but I won't count that effort as wasted just because a simpler tool becomes available.

> > Of course the trusted users inside can tunnel out through FW-1 if they want
> > to. But trusted users who want to leak information will not be stopped
> > by an application level firewall either, unless you body search everyone for
> > bootleg media and also cut off all modem access. (Pretty draconian.)
>
> We control both here. We have policies in place for both of those instances.
> I know some government sites that do a pat search on the way out the door
> while they rifle your briefcase/pocketbook/whatever. Depends on the company
> and their view of the threats.
>

One of my working axioms is "Security policy without enforcement is no security policy at all." Telling employees they mustn't smuggle media is not actually controlling such media. Only an actual frisk does this. Since your company apparently does not frisk, then you cannot be controlling media.
Referring to government sites where they actually perform the frisk is not too germane, except to show their security levels are consistent, while yours is not.

My main point is that actual control of information, which many firewalls seem to aim at, is quite difficult. (Yes, I've worked in government places where they locked you into a vault, etc. So what?) Our policy is aimed at the much more modest goal of keeping outside hackers, pirates, and snoopers out of our network. FW-1 does this admirably.

> >
> > You have to decide what level of security is right for your organization
> > and apply the same level consistently. FW-1 may be right for you.
> >
> You get what you pay for. A packet filter is not a firewall. UDP can not
> be handled securely (or with anything approaching predictable security
> anyway...) with the current technology or the base protocol itself (udp was
> designed to not depend on predictable connection capabilities, which makes it
> incredibly easy to intercept or spoof, not that tcp is necessarily without its
> vulnerabilities...). IMHO, you start with the basic services you want to
> provide, and allow only those. Shut off everything else. Log everything,
> provide a demilitarized zone, and _then_ slowly open the spigot.
>

FW-1 is more than just a packet filter, and does a good job of handling udp, I've got the logs to prove it. It handles spoofing as well. Your methodology for developing a firewall makes the assumption you are using proxies.

> Oh, yeah, make sure the base operating system has a history of being able to
> be secured. Isolate, separate, and delegate.
>
> Or else, what you have, in essence, is a fancy router with filtering. And
> that provides minimal security.
>
> Just my $.02.
>
> --
> Bryan D. Boyle         |Physical: ER&E, Clinton, NJ (908) 730-3338
> #include               |Virtual: bdboyle@erenj.com
> World-Wide-Web: http://www.digimark.net/bdboyle/index.html
> http://www.digimark.net/bdboyle/pubkey.html for pgp public key
>

You may want to reconsider some of your assumptions, for instance, assuming that FW-1 is equivalent to something you know is insecure, without knowing its actual capabilities. I won't pretend FW-1 does everything, if you won't pretend laboriously-designed proxy-type firewalls do everything. The job of security can get easier.

-----------------------------------------------------------------------
Ed Strong                                 EMAIL: ems@ccrl.nj.nec.com
-----------------------------------------------------------------------

From firewalls-owner Mon Mar 6 12:41:32 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA21566 for firewalls-outgoing; Mon, 6 Mar 1995 08:15:35 -0800
Received: from research.att.com (research.att.com [192.20.225.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA21561 for ; Mon, 6 Mar 1995 08:15:32 -0800
From: smb@research.att.com
Message-Id: <199503061615.IAA21561@miles.greatcircle.com>
Received: by gryphon; Mon Mar 6 11:05:31 EST 1995
To: firewalls@greatcircle.com
Subject: application proxies versus packet filters
Date: Mon, 06 Mar 95 11:05:30 EST
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is explained at much greater length in the book, but let me take a short swing at the question...

The difference is not so much the actual security -- though that, too, can be at issue -- as the assurance of security. Packet filters are in the business of *passing* data; to work at all, they have to let some packets through.
Given the complicated nature of most real filter rule sets, the abysmal syntax most filters support, the varying semantics for rule order interpretation, and the potential for interactions between rules, it's plausible -- or perhaps likely -- that there are conversations that are permitted by the rules that were not intended by the firewall administrator.

Here's a simple example, taken from Brent Chapman's paper on problems with packet filters. You want to allow inbound and outbound mail, so you have rules that look like this (I'm simplifying Brent's example slightly):

    in    src:external,dst:internal=25
    out   src:internal,dst:external>=1024
    out   src:internal,dst:external=25
    in    src:external,dst:internal>=1024

The first pair of rules permits packets to the inside mailer, and return flow to the client; the second pair permits packets to an outside mailer, and the return flow to an unprivileged port. But the combination of the second and fourth rules permits conversations between any high-numbered inside port and a high-numbered outside port. This may not be evil, but it was not what was intended by the rule set.

Again -- what I'm trying to show here is not a specific failing, but simply that interactions can occur, and that they're very hard to eliminate in general because of the context-free nature of the decision process of (static) packet filters. Put another way, a faulty packet filter is able to fail bad.

By contrast, application proxies are in the business of listening to requests from the inside. No data is passed except by the proxies themselves; if they cannot be invoked from the outside -- and a simple packet filter that guards against address-spoofing can do the job -- you're a lot safer. The usual failure mode for an application gateway is that nothing gets through, which may be unpleasant but isn't dangerous.

I'm not saying that packet filters are evil, or that they shouldn't be used. They certainly provide more transparency.
But in my opinion, they're somewhat more risky.

        --Steve Bellovin

From firewalls-owner Mon Mar 6 12:47:25 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA26112 for firewalls-outgoing; Mon, 6 Mar 1995 12:00:13 -0800
Received: from gatekeep.genmagic.com (gatekeep.genmagic.com [192.216.16.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA26106 for ; Mon, 6 Mar 1995 12:00:10 -0800
Received: from (genmagic.genmagic.com [10.1.4.12]) by gatekeep.genmagic.com (8.6.9/8.6.9) with SMTP id LAA23623; Mon, 6 Mar 1995 11:54:10 -0800
Received: from abulafia.genmagic.com by genmagic.genmagic.com (4.1/SMI-4.1/JBS) id AA22879; Mon, 6 Mar 95 11:52:29 PST
Received: by abulafia.genmagic.com (931110.SGI/930416.SGI) for @genmagic.genmagic.com:hal@seta.com id AA20086; Mon, 6 Mar 95 11:53:46 -0800
Date: Mon, 6 Mar 95 11:53:46 -0800
From: jet@abulafia.genmagic.com (J. Eric Townsend)
Message-Id: <9503061953.AA20086@abulafia.genmagic.com>
To: smb@research.att.com
Cc: hal@seta.com (Hal L. Feinstein), firewalls@GreatCircle.COM
Subject: Re: reuse of already assigned IP addresses
In-Reply-To: <199502202344.PAA05807@miles.greatcircle.com>
References: <199502202344.PAA05807@miles.greatcircle.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

"smb" == smb writes:

smb> Both. It's ok, in the sense that it's legal -- if nothing leaks,
smb> it's no one else's business -- but it's a bad idea, because it leads
smb> to all sorts of trouble if you reconfigure, merge with another company,
smb> change your firewall strategy, etc.

Ha. what a poison pill. "I'm sorry, but if you acquire us, it'll cost millions in network/systems reconfiguration to merge our networks. You're best off just leaving us alone."

-- 
J. Eric Townsend             vox #: USA 408.774.4252
work: jet@genmagic.com       AT&T PersonaLink: A5803643645@attpls.net
play: jet@well.sf.ca.us      or get my card from directory information

From firewalls-owner Mon Mar 6 12:47:30 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA26040 for firewalls-outgoing; Mon, 6 Mar 1995 11:58:59 -0800
Received: from stargate.concorde.com (stargate.concorde.com [204.97.254.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA26035 for ; Mon, 6 Mar 1995 11:58:56 -0800
Received: (from smap@localhost) by stargate.concorde.com (8.6.8.1/8.6.6) id OAA02882; Mon, 6 Mar 1995 14:55:45 -0500
Received: from galaxy.concorde.com(198.242.54.51) by stargate.concorde.com via smap (V1.3) id sma002880; Mon Mar 6 14:55:39 1995
Received: from prophet.concorde.com (jna@prophet.concorde.com [198.242.54.15]) by galaxy.concorde.com (8.6.8.1/8.6.6) with ESMTP id OAA18383; Mon, 6 Mar 1995 14:55:41 -0500
From: John Adams
Received: (jna@localhost) by prophet.concorde.com (8.6.8.1/8.6.6) id OAA02073; Mon, 6 Mar 1995 14:54:50 -0500
Date: Mon, 6 Mar 1995 14:54:50 -0500
Message-Id: <199503061954.OAA02073@prophet.concorde.com>
To: hbo@octel.com, jna@concorde.com
Subject: Re: satan
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

touche' :

Howard Owen Wrote:
> I think the problem with SATAN is not so much the security threats it embodies
> (those are problems on their own) but the high profile and wide distribution
> it gives to those threats.

Well, Current packages such as COPS and ISS provide the same sort of high-profile distribution and display of these threats. Even TAMU's tiger package does a better job than ISS and COPS, and gives you an incredibly detailed report.
I can't say much for the validity or function of satan, as noone I know of has seen the package, but I can say that similiar tools exist, and that being as full source code is available for all 3 packages (iss,cops,tiger) You can easily find out how the packages detect the holes, as well as what you need to do to exploit them. -john From firewalls-owner Mon Mar 6 13:17:41 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA25432 for firewalls-outgoing; Mon, 6 Mar 1995 11:38:26 -0800 Received: from nuvo.magi.com ([198.53.212.90]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA25422 for ; Mon, 6 Mar 1995 11:38:22 -0800 Received: from [198.53.212.61] by nuvo.magi.com via SMTP (940816.SGI.8.6.9/940406.SGI.AUTO) id OAA01292; Mon, 6 Mar 1995 14:35:14 -0800 Date: Mon, 6 Mar 1995 14:35:14 -0800 Message-Id: <199503062235.OAA01292@nuvo.magi.com> X-Sender: jlatour@nuvo.magi.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.COM From: jlatour@gabriel.resudox.net (Jacques Latour) Subject: unsuscribe firewalls Cc: jlatour@nuvo.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk unsuscribe firewalls jlatour@gabriel.resudox.net _____________________________________________________________________________ Jacques Latour Tel:613-233-0900 Nuvo Network Management Inc. 
x2224 800-360 Albert Street Fax:613-233-3930 Ottawa, Ontario Canada, K1R 7X7 jlatour@nuvo.com ____________________________________________________________________________ _ From firewalls-owner Mon Mar 6 13:50:47 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA00389 for firewalls-outgoing; Mon, 6 Mar 1995 13:39:57 -0800 Received: from tadpole.tadpole.com (tadpole.Tadpole.COM [160.104.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA00384 for ; Mon, 6 Mar 1995 13:39:54 -0800 Received: from chiba (chiba.Tadpole.COM [160.104.1.6]) by tadpole.tadpole.com (8.6.10/8.6.10) with SMTP id PAA20027; Mon, 6 Mar 1995 15:37:25 -0600 From: Jim Thompson Received: by chiba (5.x/SPARCbook_POP1.3) id AA04514; Mon, 6 Mar 1995 15:37:24 -0600 Date: Mon, 6 Mar 1995 15:37:24 -0600 Message-Id: <9503062137.AA04514@chiba> To: hbo@octel.com, jna@concorde.com Subject: Re: satan Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk 'satan' has the same author as 'cops'. Dan has just joined the dark side, is all. 
:-) From firewalls-owner Mon Mar 6 14:28:06 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA01070 for firewalls-outgoing; Mon, 6 Mar 1995 13:51:16 -0800 Received: from voyager.datatools.com ([192.216.89.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA01054 for ; Mon, 6 Mar 1995 13:51:10 -0800 Message-Id: <199503062151.NAA01054@miles.greatcircle.com> Received: from nova.datatools.com.datatools.com by voyager.datatools.com (4.1/4.7); Mon, 6 Mar 95 13:53:51 PST Date: Mon, 6 Mar 95 13:53:51 PST From: greep@datatools.com (Steven Tepper) Received: by nova.datatools.com.datatools.com (4.1/SMI-4.1) id AA07345; Mon, 6 Mar 95 13:49:19 PST To: Firewalls@GreatCircle.COM Subject: Network World article Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The current (March 6) issue of Network World has an article on page 1 called "Choosing the right firewall to defend your network". It compares several products. 
From firewalls-owner Mon Mar 6 15:00:27 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA00462 for firewalls-outgoing; Mon, 6 Mar 1995 13:40:58 -0800
Received: from eros.britain.eu.net (eros.Britain.EU.net [192.91.199.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA00449 for ; Mon, 6 Mar 1995 13:40:54 -0800
Resent-From: pd@uit.co.uk
Received: from uit.co.uk by eros.britain.eu.net with UUCP id ; Mon, 6 Mar 1995 21:29:30 +0000
Resent-Message-Id: <23973.9503062003@mars.uit.co.uk>
Received: from scopc.uit.co.uk by mars.uit.co.uk; Mon, 6 Mar 95 20:03:39 GMT
Date: Wed, 15 Feb 1995 09:14:55 +1100 (EST)
From: pd@uit.co.uk
Subject: Re: questions about security & WWW browsers
To: Jean-Christophe Touvet
Cc: Brad - Walker , firewalls@greatcircle.com
In-Reply-To: <199502141007.LAA18286@champagne.inria.fr>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Resent-Date: 6 Mar 1995 20:07:45 +0000
Resent-To: alex@uit.uit.co.uk
Message-Id: <9503062007.aa00256@scopc.uit.co.uk>
Source-Info: From (or Sender) name not authenticated.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 14 Feb 1995, Jean-Christophe Touvet wrote:

> Finally, here is a funny URL which fills /tmp or /var/tmp very fast if a
> user clicks on it:
>
> http://localhost:19/
>
> Hope this helps,

Hmm. That's interesting. I have just added

Map http://*:19/* /nono.html

to my proxy server configuration file. (/nono.html does not exist.)

Thanks.

Danny

From firewalls-owner Mon Mar 6 15:27:54 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA01226 for firewalls-outgoing; Mon, 6 Mar 1995 13:55:46 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA01221 for ; Mon, 6 Mar 1995 13:55:44 -0800
Received: from blackhole.milkyway.com by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950108) id NAA01226; Mon, 6 Mar 1995 13:47:56 -0800
Received: from localhost (uucp@localhost) by blackhole.milkyway.com (8.6.5/8.6.6) id QAA00549 for ; Mon, 6 Mar 1995 16:56:53 -0500
Received: from jupiter.milkyway.com(192.168.77.9) by internet.milkyway.com via smap (V1.3) id sma000545; Mon Mar 6 16:56:40 1995
Received: by calisto.milkyway.com (8.6.7/Sun-Client) id QAA00543; Mon, 6 Mar 1995 16:53:17 -0500
To: firewalls@greatcircle.com
Path: not-for-mail
From: mcr@milkyway.com (Michael Richardson)
Newsgroups: milkyway.mail.firewalls
Subject: Re: IPX traffic through a firewall
Date: 6 Mar 1995 16:53:16 -0500
Organization: Milkyway Networks Corporation
Lines: 22
Distribution: milkyway
Message-ID: <3jg08c$gs@calisto.milkyway.com>
References: <9503031718.AA15441@tiffin.ic.ncs.com>
Received: from calisto.milkyway.com by jupiter with ESMTP (DumbMail/2.0) id QAA01670 sender calisto.milkyway.com [192.168.77.2]; Mon, 6 Mar 1995 16:53:55 -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In article <9503031718.AA15441@tiffin.ic.ncs.com>, Dave Stagner wrote:
>Can plug-gw or some other wrapper program be used to pass IPX traffic
>through a firewall? We have users who want to access their Novell

You'd need an IPX stack in your kernel, and then maybe. Maybe UnixWare provides that kind of thing?

We were hoping to support IPX between protected networks by having an IPX capable router tunnel the packets within a TCP connection. Alas, we've since discovered that Ciscos only support GRE, which is an IP level protocol, not a TCP one. We don't let arbitrary IP packets through, so GRE is not an option.

Are there router makers that support encapsulating into a TCP session?

-- 
:!mcr!:             | Milkyway Networks Corporation
Michael Richardson  | Makers of the Black Hole firewall
NCF: aa714 || xx714 | +1 613 566-4574 ... mcr@milkyway.com
Home: mcr@sandelman.ocunix.on.ca. PGP key available.

From firewalls-owner Mon Mar 6 15:30:07 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA01525 for firewalls-outgoing; Mon, 6 Mar 1995 14:14:20 -0800
Received: from netnet1.netnet.net (netnet1.netnet.net [198.70.64.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA01519 for ; Mon, 6 Mar 1995 14:14:13 -0800
Received: (from mouring@localhost) by netnet1.netnet.net (8.6.9/8.6.9) id QAA11605; Mon, 6 Mar 1995 16:11:49 -0600
Date: Mon, 6 Mar 1995 16:11:49 -0600 (CST)
From: Ben A Lindstrom
Subject: Setting up a firewall
To: Firewalls
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've been reading this group for a few days and I've seen people talk about FW-1 and other methods/software that deals with setting up firewalls. But I have not heard anyone really address what is available for packages. Everything that is "free" seems to be utilities for checking security, but no real implementation of firewalls.

I'm fairly new to firewalls. I understand the concepts, but as of yet I've not started doing some 'physical work' with them. (I have the tis.com firewall toolkit and I'm getting tiger as we speak, but any other packages would be helpful).

Thanks.
From firewalls-owner Mon Mar 6 15:47:48 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA04051 for firewalls-outgoing; Mon, 6 Mar 1995 15:38:47 -0800
Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA03913 for ; Mon, 6 Mar 1995 15:33:03 -0800
Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id JAA04554 for ; Tue, 7 Mar 1995 09:26:47 +1000
Received: from citecuf.citec.qld.gov.au(147.132.176.10) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma004552; Tue Mar 7 09:26:17 1995
Received: from jaykay.citec.qld.gov.au (jaykay.citec.qld.gov.au [131.242.4.117]) by citecuf.citec.qld.gov.au (8.6.10/8.6.10) with SMTP id IAA16607 for ; Tue, 7 Mar 1995 08:47:11 +1000
Message-Id: <199503062247.IAA16607@citecuf.citec.qld.gov.au>
From: "John Kidston"
To: firewalls@GreatCircle.com
Date: Tue, 7 Mar 1995 08:45:30 +10:0
Subject: ftp - Netscape and TIS fwtk
Reply-to: kidstoj@citec.qld.gov.au
Priority: normal
X-mailer: Pegasus Mail/Windows (v1.22)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone have any experience using Netscape as an ftp client behind the TIS fwtk ftp proxy?

We have the proxy listening on port 21, and the proxy details configured in Netscape. When we execute an ftp URL, Netscape returns the signon screen from the fwtk ftp proxy and then sits in limbo before eventually timing out.

Other ftp clients, configured for proxy without login, work well.

Any ideas would be most welcome, thanks.

John Kidston                 j.kidston@citec.qld.gov.au
CITEC                        voice: +61 7 2222356
317 Edward Street            fax:   +61 7 2277890
Brisbane 4000 Australia
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"My opinions and CITEC's are not always the same."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Mon Mar 6 16:03:19 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA01317 for firewalls-outgoing; Mon, 6 Mar 1995 13:59:58 -0800
Received: from blackhole.milkyway.com (milkyway.com [198.53.167.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA01303 for ; Mon, 6 Mar 1995 13:59:39 -0800
Received: from localhost (uucp@localhost) by blackhole.milkyway.com (8.6.5/8.6.6) id RAA00575 for ; Mon, 6 Mar 1995 17:02:53 -0500
Received: from jupiter.milkyway.com(192.168.77.9) by internet.milkyway.com via smap (V1.3) id sma000573; Mon Mar 6 17:02:39 1995
Received: by calisto.milkyway.com (8.6.7/Sun-Client) id QAA00589; Mon, 6 Mar 1995 16:59:49 -0500
To: firewalls@greatcircle.com
Path: not-for-mail
From: mcr@milkyway.com (Michael Richardson)
Newsgroups: milkyway.mail.firewalls
Subject: Re: Need to modify clients programs to use firewall questions
Date: 6 Mar 1995 16:59:48 -0500
Organization: Milkyway Networks Corporation
Lines: 31
Distribution: milkyway
Message-ID: <3jg0kk$ia@calisto.milkyway.com>
References: <9503060742.AA09639@brittany.oes.amdahl.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In article <9503060742.AA09639@brittany.oes.amdahl.com>, Patrick Horgan wrote:
>When you use proxies, either the software, or the user has to be aware that
>the proxy is interposed between the client and the server. In

Well, there is something in between. We used to call it "transparent mode" here, but we overuse that term a bit. I like to call it "IP Absorber mode" --- but that is too technical a term.

>level proxies, such as socks, the clients are modified to do the request
>in a new way, connecting to the proxy, but supplying it with the information
>it needs to proxy the connection to the final destination. One

We provide the destination address (as taken from the packet) to the proxy itself. I believe Janus does something similar, but so far I haven't been able to get past their UI to see for myself :-)

[An aside: how does one manage the various news config files?]

FW-1 is a packet filter, so no proxies are involved.

>So, you see the tradeoff. The user, or the client, must be modified to work
>with proxies.

Or, the firewall.

-- 
:!mcr!:             | Milkyway Networks Corporation
Michael Richardson  | Makers of the Black Hole firewall
NCF: aa714 || xx714 | +1 613 566-4574 ... mcr@milkyway.com
Home: mcr@sandelman.ocunix.on.ca. PGP key available.

From firewalls-owner Mon Mar 6 16:16:18 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA29951 for firewalls-outgoing; Mon, 6 Mar 1995 13:30:28 -0800
Received: from ns.incog.com (ns.incog.com [199.190.177.251]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA29946 for ; Mon, 6 Mar 1995 13:30:19 -0800
From: mulligan@incog.com
Received: from osmosys.incog.com by ns.incog.com (8.6.10/94082501) id NAA27725; Mon, 6 Mar 1995 13:28:16 -0800
Received: from coslabs.incog.com by osmosys.incog.com (5.x/SMI-SVR4) id AA04721; Mon, 6 Mar 1995 13:28:10 -0800
Received: from future.incog.com by coslabs.incog.com (5.x/SMI-SVR4) id AA15112; Mon, 6 Mar 1995 14:24:14 -0700
Received: from localhost by future.incog.com (5.x/SMI-SVR4) id AA01979; Mon, 6 Mar 1995 14:23:29 -0700
Message-Id: <9503062123.AA01979@future.incog.com>
To: root@mmp.com (Operator)
Cc: patrick@oes.amdahl.com, Firewalls@greatcircle.com
Subject: Re: FW-1, etc.
Reply-To: mulligan@incog.com
In-Reply-To: Your message of "Mon, 06 Mar 95 09:06:53 PST." <9503061706.AA01006@mmp.com>
Date: Mon, 06 Mar 95 14:23:28 MST
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Well, that's definitely an easy one.. IP filtering is based on TCP
> header information, specifically (host,port,dst,port). Authentication of
> hosts is very weak. Anyone can claim to be 127.0.0.1, or an IP of any host
> on the network, and your packet filtering will believe it just because that's
> what's in the header.. Obviously this is what is called 'spoofing'.

This isn't at all correct. Packet screening is based on IP/TCP/UDP and whatever else header information. A "good" packet screen won't necessarily believe what's in the header. If a packet arrives on an external interface with a source address of a host on the internal network, it can ignore/log it. This is what is called "eliminating spoofing".

> Multicasted packets also pose serious threat to IP filtering as
> the architecture of the packet is an IP packet WITHIN another IP
> packet.

What! IP multicast is NOT based on tunnelling IP within IP. While large sections of the MBONE do use tunnelling, this is only necessary because not all routers on the internet support multicast routing - tunnelling isn't required for multicast!

> The outside header information is the only header a router
> will look @ when traversing your access control lists. So, on the
> outside packet you could say 'hey I'm a trusted host' and the inside
> could say something entirely different , IE: "I'm localhost now!"

Again a "good" packet screen can look at the ip packet that is being tunnelled, just as it can look at the tcp, telnet, rpc, udp, ftp packets, and base its decision on this internal IP multicast packet header if necessary. You also have to specifically allow the multicast tunnelled traffic in the first place.

As Brent has said, there are places where a bastion host might be sufficient and places where a packet screen might be sufficient and installations where both should be installed.
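The anti-spoofing rule described in the reply above (a packet arriving on the external interface with an internal source address is dropped and logged, whatever the header claims) as a small added example in Python. This is not code from the list post or from any firewall product named in the thread. The interface names, the internal address block, the list of never-from-outside source ranges and the sample packets are all constructed for illustration, and the egress-side check on the internal interface goes beyond what the post states.

```python
"""Interface-based anti-spoofing screen (added example, not list or vendor code)."""
import ipaddress
from dataclasses import dataclass

# Constructed topology: ext0 faces the Internet, int0 faces the protected LAN.
EXTERNAL_IF = "ext0"
INTERNAL_IF = "int0"
INTERNAL_NETS = [ipaddress.ip_network("192.168.77.0/24")]  # assumed internal block

# Source ranges that can never legitimately arrive from the outside, whatever
# internal blocks are in use (covers the "I'm 127.0.0.1" case from the thread).
NEVER_FROM_OUTSIDE = [
    ipaddress.ip_network("127.0.0.0/8"),  # loopback
    ipaddress.ip_network("0.0.0.0/8"),    # "this network"
]


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet was received on
    src: str
    dst: str
    proto: str


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def screen(pkt):
    """Return (verdict, reason). Trust the arrival interface, not the header."""
    src = ipaddress.ip_address(pkt.src)
    internal_src = _in_any(src, INTERNAL_NETS)

    if pkt.iface == EXTERNAL_IF:
        if internal_src:
            return "drop", "internal source address on external interface (spoofed)"
        if _in_any(src, NEVER_FROM_OUTSIDE):
            return "drop", "non-routable source address on external interface"
        return "pass", "ok"

    if pkt.iface == INTERNAL_IF:
        # Egress direction (generalisation beyond the post): packets leaving the
        # protected network must carry one of our own source addresses.
        if not internal_src:
            return "drop", "external source address on internal interface (egress spoof)"
        return "pass", "ok"

    return "drop", "unknown interface"


def run_screen(packets):
    """Screen a batch; return per-packet verdicts plus log lines for drops."""
    verdicts = []
    log = []
    for pkt in packets:
        verdict, reason = screen(pkt)
        verdicts.append(verdict)
        if verdict == "drop":
            log.append(f"DROP {pkt.iface} {pkt.proto} {pkt.src} -> {pkt.dst}: {reason}")
    return verdicts, log


# Constructed sample traffic.
SAMPLE = [
    Packet("ext0", "192.168.77.9", "192.168.77.2", "tcp"),   # claims internal source from outside
    Packet("ext0", "127.0.0.1", "192.168.77.2", "tcp"),      # claims to be localhost
    Packet("ext0", "198.51.100.7", "192.168.77.2", "tcp"),   # ordinary inbound packet
    Packet("int0", "192.168.77.9", "198.51.100.7", "udp"),   # ordinary outbound packet
    Packet("int0", "203.0.113.5", "198.51.100.7", "tcp"),    # internal host forging an outside source
]

if __name__ == "__main__":
    _, dropped = run_screen(SAMPLE)
    for line in dropped:
        print(line)
```

The decision never consults the source address alone; it asks whether that address is plausible for the interface the packet came in on, which is the property the reply relies on.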
geoff

From firewalls-owner Mon Mar 6 16:17:54 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA05708 for firewalls-outgoing; Mon, 6 Mar 1995 16:13:20 -0800
Received: from scruz.net (nic.scruz.net [165.227.1.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA05696 for ; Mon, 6 Mar 1995 16:13:14 -0800
Received: from raf.sj.scruznet.com by scruz.net (8.6.9/1.34) id QAA28838; Mon, 6 Mar 1995 16:10:53 -0800
Date: Mon, 6 Mar 95 16:12:24 PDT
From: Rich
Subject: radius
To: firewalls@greatcircle.com
X-Mailer: Chameleon - TCP/IP for Windows by NetManage, Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

other than RFC's, are there any good places to get info on RADIUS???

ADVANCE

rich
~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^
"....I hope life is not a big joke, cause I don't get it..."
raf@ezunx.com

From firewalls-owner Mon Mar 6 16:21:07 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA04119 for firewalls-outgoing; Mon, 6 Mar 1995 15:41:01 -0800
Received: from real.com (eagle.real.com [199.97.122.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA04110 for ; Mon, 6 Mar 1995 15:40:54 -0800
Date: Mon, 6 Mar 1995 18:37:12 -0500
From: bret@real.com (Bret McDanel)
Received: by real.com (8.6.8.1/3.2.012693-Realistic Technologies Inc); id SAA28385 for firewalls@greatcircle.com; Mon, 6 Mar 1995 18:37:12 -0500
Message-Id: <199503062337.SAA28385@real.com>
To: firewalls@greatcircle.com
Subject: Re: satan
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I think the problem with SATAN is not so much the security threats it
> embodies (those are problems on their own) but the high profile and
> wide distribution it gives to those threats. I'd rather not debate
> "security through obscurity" on the firewalls list. (I'd be glad to
> take up the topic in email.) As a practical matter however, SATAN makes
> firewall manager's lives more difficult by increasing the number of
> unskilled individuals with access to and knowledge of sophisticated
> cracking tools. The net effect will probably be enhanced security in
> the long run, but in the short term I get to worry about a
> proliferation of casual crackers.

Perhaps it's just me, but... I think that tools like SATAN, COPS, ISS, et al are good.. They point out common weaknesses on your own system, so that you can fix them.. Sure, in the wrong hands they can be used to break into a system, but if you secure that system first, then they are useless (hey, maybe work this into some sorta marketing ploy :)

These tools are going to be created and distributed with or without public knowledge. It is safer for all that they are spread with public knowledge, as then you can prepare for the attacks; without public knowledge you may not know about all the holes that they discover, but a cracker might..

Just a thought..

From firewalls-owner Mon Mar 6 17:01:14 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA04457 for firewalls-outgoing; Mon, 6 Mar 1995 15:51:06 -0800
Received: from damark.com (GATEWAY.DAMARK.COM [204.17.145.230]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA04444 for ; Mon, 6 Mar 1995 15:50:59 -0800
Received: by damark.com (5.65/1.2-eef) id AA10882; Mon, 6 Mar 95 17:41:25 -0600
Message-Id: <9503062341.AA10882@damark.com>
From: "william.wells"
To: FIREWALLS
Subject: Re: IPX traffic through a firewall
Date: Mon, 06 Mar 95 17:42:00 PST
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In article <9503031718.AA15441@tiffin.ic.ncs.com>, Dave Stagner wrote:
>Can plug-gw or some other wrapper program be used to pass IPX traffic
>through a firewall? We have users who want to access their Novell

Novell also supports IP only networks via Novell/IP, but alas, Novell/IP uses UDP packets heavily....
From firewalls-owner Mon Mar 6 17:02:53 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA04818 for firewalls-outgoing; Mon, 6 Mar 1995 15:58:46 -0800
Received: from Smrtstr.smartstar.com (smrtstr.smartstar.com [192.135.139.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA04812 for ; Mon, 6 Mar 1995 15:58:39 -0800
From: dennis@smartstar.com
Received: from smartstar.com (marlin.smartstar.com) by Smrtstr.smartstar.com (4.1/SMI-4.1(Smrtstr)) id AA20279; Mon, 6 Mar 95 15:53:59 PST
Received: by smartstar.com (5.57/Ultrix3.0-C) id AA07818; Mon, 6 Mar 95 15:52:57 -0800
Message-Id: <9503062352.AA07818@smartstar.com>
To: firewalls@greatcircle.com
Subject: Frame Relay Filtering vs dds
Date: Mon, 06 Mar 95 15:52:55 -0800
X-Mts: smtp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have a DEC Brouter90T1 that I currently hook to a service provider via a leased line. We are considering switching to Frame Relay using the same router (according to DEC Frame Relay is supported). My question is how this will affect performance in general and whether this will affect the packet-filtering capabilities/throughput of the router (it supports cisco 9.1 rules)?

My understanding is that we should be able to maintain 56Kbs equally well with either dds or Frame Relay and I was wondering if anyone had any concrete comparisons between the two given that filtering rules have been implemented.

Thanks,
Dennis

My humble apologies if this is too far afield from a "real" FW question.
From firewalls-owner Mon Mar 6 17:28:22 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA09087 for firewalls-outgoing; Mon, 6 Mar 1995 17:11:15 -0800
Received: from mordor.cs.du.edu (mordor.cs.du.edu [130.253.192.87]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA09063 for ; Mon, 6 Mar 1995 17:11:05 -0800
Received: from nyx10.cs.du.edu by mordor.cs.du.edu with SMTP id AA02252 (5.65c/IDA-1.4.4 for ); Mon, 6 Mar 1995 17:59:43 -0700
Received: by nyx10.cs.du.edu (4.1/SMI-4.1) id AA12582; Mon, 6 Mar 95 20:08:43 EST
From: Mark@nyx10.cs.du.edu (Mark R. Lindsey)
Date: Mon, 6 Mar 1995 20:08:40 -0700
X-Disclaimer: I do not speak for Denver U, nor do any other Nyxers.
X-Url: http://nox.cs.du.edu:8001/~mlindsey
Reply-To:
X-Mailer: Mail User's Shell (7.2.4 2/2/92)
To: Rich , firewalls@greatcircle.com
Subject: Re: radius
Message-Id: <19950306.200841.nyx10.9.222.raf@ezunx.com firewalls@greatcircle.com..mailsend.0.10.Aug94>
X-Verification: Email me with this message-id and I'll verify it; include a snail-mail or telephone number if you're serious.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

#
#other than RFC's, are there any good places to get info on RADIUS???

ftp.livingston.com is supposed to have something. Of course, there's the IETF working group, ietf-radius.

-- 
Mark R. Lindsey, mark@nox.cs.du.edu

From firewalls-owner Mon Mar 6 17:48:30 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA10672 for firewalls-outgoing; Mon, 6 Mar 1995 17:41:22 -0800
Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id RAA10658 for ; Mon, 6 Mar 1995 17:41:05 -0800
Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id LAA05006; Tue, 7 Mar 1995 11:36:21 +1000
Received: from citecuf.citec.qld.gov.au(147.132.176.10) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma005003; Tue Mar 7 11:35:58 1995
Received: from jaykay.citec.qld.gov.au (jaykay.citec.qld.gov.au [131.242.4.117]) by citecuf.citec.qld.gov.au (8.6.10/8.6.10) with SMTP id LAA24469; Tue, 7 Mar 1995 11:37:45 +1000
Message-Id: <199503070137.LAA24469@citecuf.citec.qld.gov.au>
From: "John Kidston"
To: James R Grinter
Date: Tue, 7 Mar 1995 11:36:04 +10:0
Subject: Re: ftp - Netscape and TIS fwtk
Reply-to: kidstoj@citec.qld.gov.au
CC: firewalls@GreatCircle.com
Priority: normal
X-mailer: Pegasus Mail/Windows (v1.22)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: Tue, 7 Mar 1995 00:16:20 GMT
> From: James R Grinter
> To: kidstoj@citec.qld.gov.au
> Subject: Re: ftp - Netscape and TIS fwtk
> netscape's proxy uses an http style proxy and not a normal ftp proxy.
>
> James.
>

Thanks very much, James. I've set the Netscape ftp proxy to port 80 and all is now well.

John Kidston                 j.kidston@citec.qld.gov.au
CITEC                        voice: +61 7 2222356
317 Edward Street            fax:   +61 7 2277890
Brisbane 4000 Australia
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"My opinions and CITEC's are not always the same."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Mon Mar 6 17:50:30 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA07912 for firewalls-outgoing; Mon, 6 Mar 1995 16:47:28 -0800
Received: from databus.databus.com (databus.databus.com [198.186.154.34]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA07902 for ; Mon, 6 Mar 1995 16:47:25 -0800
Date: Mon, 6 Mar 95 19:45 EST
Message-ID: <9503061945.AA23403@databus.databus.com>
From: Barney Wolff
To: Rich , firewalls@greatcircle.com
Subject: Re: radius
Content-Length: 274
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: Mon, 6 Mar 95 16:12:24 PDT
> From: Rich
>
> other than RFC's, are there any good places to get info on RADIUS???

If it's an RFC already, I missed it. Anyway, look in:
ftp.livingston.com:/pub/livingston/radius

Barney Wolff

From firewalls-owner Mon Mar 6 18:09:24 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA10750 for firewalls-outgoing; Mon, 6 Mar 1995 17:42:31 -0800
Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA10745 for ; Mon, 6 Mar 1995 17:42:28 -0800
Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA24296; Mon, 6 Mar 95 20:40:08 -0500
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9503070140.AA24296@hawksbill.sprintmrn.com>
Subject: Re: IPX traffic through a firewall
To: william.wells@damark.com (william.wells)
Date: Mon, 6 Mar 1995 20:40:08 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9503062341.AA10882@damark.com> from "william.wells" at Mar 6, 95 05:42:00 pm
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 872
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> In article <9503031718.AA15441@tiffin.ic.ncs.com>,
> Dave Stagner wrote:
> >Can plug-gw or some other wrapper program be used to pass IPX traffic
> >through a firewall? We have users who want to access their Novell
>
> Novell also supports IP only networks via Novell/IP, but alas, Novell/IP
> uses UDP packets heavily....
>

As I have found out (banging my head against a wall), so does Windows NT. These 'non-standard' IP implementations are extremely annoying, almost evil.

Sigh.

- paul

_______________________________________________________________________________
Paul Ferguson, US Sprint
tel: 703.689.6828
Managed Network Engineering
internet: paul@hawk.sprintmrn.com
Reston, Virginia USA
http://www.sprintmrn.com

From firewalls-owner Mon Mar 6 18:12:41 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA08356 for firewalls-outgoing; Mon, 6 Mar 1995 16:55:52 -0800
Received: from research.att.com (research.att.com [192.20.225.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA08351 for ; Mon, 6 Mar 1995 16:55:48 -0800
From: smb@research.att.com
Message-Id: <199503070055.QAA08351@miles.greatcircle.com>
Received: by gryphon; Mon Mar 6 19:52:14 EST 1995
To: patrick@oes.amdahl.com (Patrick Horgan)
cc: Firewalls@greatcircle.com
Subject: Re: FW-1, etc.
Date: Mon, 06 Mar 95 19:52:13 EST
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> Multicasted packets also pose serious threat to IP filtering as the
>> architecture of the packet is an IP packet WITHIN another IP packet. The
>> outside header information is the only header a router will look @ when
>> traversing your access control lists. So, on the outside packet you could say
>> 'hey I'm a trusted host' and the inside could say something entirely different
>> , IE: "I'm localhost now!"
>
>You know I don't think you really understand how multicasting works. It's
>just another ip packet with a class D address, and routers that know how
>to route them. They don't contain the list of members within them.

You're both right. Pure multicast packets have Class D addresses. But too few routers understand multicasting, so tunneling is often used to carry the packets to a destination that does understand them.

Other issues with multicasting include Bad Guys multicasting packets with funny destination port numbers (imagine, if you will, trying file handle guessing by multicasting your guesses to port 2049 on the sd group address), or internal mbone sessions leaking out to the Internet because someone set a TTL too high.

From firewalls-owner Mon Mar 6 18:17:42 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA10320 for firewalls-outgoing; Mon, 6 Mar 1995 17:34:35 -0800
Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA10313 for ; Mon, 6 Mar 1995 17:34:30 -0800
From: fc@all.net (Dr. Frederick B. Cohen)
Received: by all.net (4.1/3.2.012693-Management Analytics); id AA29087 for firewalls@greatcircle.com; Mon, 6 Mar 95 20:28:58 EST
Message-Id: <9503070128.AA29087@all.net>
Subject: no subject (file transmission)
To: bugtraq@fc.net, firewalls@greatcircle.com
Date: Mon, 6 Mar 1995 20:28:57 -0500 (EST)
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 756
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

To augment our free information security on-line services, we are offering free listings to independent information security consultants. To get listed, just send information on your service via email to fc@all.net. Include the email address you would like listed as well as (up to) 10K of on-line information about your service.

Independent info-sec consultants include (for our purposes) any individual or small (under 10 full time employees) business whose primary function is information security consulting. A minimum of 2 continuous years in the info-sec business is required in order to qualify, and specific examples of recent jobs (you don't have to give names of clients) are helpful in demonstrating competence.

Email to fc@all.net

FC

From firewalls-owner Mon Mar 6 18:31:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA10225 for firewalls-outgoing; Mon, 6 Mar 1995 17:33:00 -0800
Received: from uuneo.neosoft.com (uuneo.NeoSoft.COM [198.64.213.78]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id RAA10220 for ; Mon, 6 Mar 1995 17:32:57 -0800
Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.6.10/8.6.10) with UUCP id TAA04674 for GreatCircle.COM!firewalls; Mon, 6 Mar 1995 19:19:24 -0600
Received: by ris1.nmti.com (smail2.5) id AA07475; 6 Mar 95 17:23:19 CST (Mon)
Received: by sonic.nmti.com; id AA17225; Mon, 6 Mar 1995 16:38:28 -0600
Message-Id: <9503062238.AA17225@sonic.nmti.com.nmti.com>
To: Ed Strong
Cc: "Bryan D. Boyle" , firewalls@GreatCircle.COM
Subject: Re: FW-1, etc.
In-Reply-To: Your message of "Mon, 06 Mar 95 11:14:01 EST."
X-Mailer: exmh version 1.4.1 7/21/94
Date: Mon, 06 Mar 95 16:38:28 -0600
From: peter@nmti.com
X-Mts: smtp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

How does FW-1 deal with a "trojan horse" attack (user downloads a neat program that opens up a TCP connection to a throwdown server on some freenet somewhere and lets the perp in that way)? At least with a proxy firewall the trojan horse would have to be tailored to the specific site under attack...

-- 
Peter da Silva                                      `-_-'
Network Management Technology Incorporated           'U`
1601 Industrial Blvd.     Sugar Land, TX 77478  USA
+1 713 274 5180
"Hast du Heute schon deinen Wolf umarmt?"
From firewalls-owner Mon Mar 6 19:47:24 1995
Date: Mon, 6 Mar 1995 19:26:25 -0800
From: Carl Rigney
Message-Id: <199503070326.TAA07758@server.livingston.com>
To: firewalls@GreatCircle.COM
Subject: Re: radius
Cc: mark@nyx10.cs.du.edu, raf@ezunx.com

Q. I'm looking for information on RADIUS (Remote Authentication Dial In User Service)

A. Technical information including server source code and a white paper are at:
   ftp://ftp.livingston.com/pub/radius

The latest Internet-Draft is
   ftp://ftp.livingston.com/pub/radius/draft-radius-02.txt
(The accounting draft it mentions isn't released yet, but an informal description of RADIUS accounting can be found in ftp://ftp.livingston.com/pub/livingston/RELEASE_3.1 )

The latest RADIUS server source is
   ftp://ftp.livingston.com/pub/radius/radius-1.16.tar.Z
Release 1.16 adds support for Accounting, Challenge/Response, Linux, BSD/OS, Unixware, SCO, and Alpha OSF/1. SunOS, Solaris, Ultrix, AIX and HP/UX were already supported in 1.13.

"How to use RADIUS" is frequently discussed on the portmaster-users@msen.com mailing list. The RADIUS protocol itself is discussed on ietf-radius@livingston.com (To join, send email to ietf-radius-request@livingston.com with "subscribe ietf-radius" in the subject line or body.) It's sometimes discussed in comp.dcom.servers.

A review appeared in Lan Times:
   *PortMaster 2, LAN Times: Sep 5, 1994 McGraw-Hill Inc. 1994

For more info: info@livingston.com or support@livingston.com.

I'm trying to put together a BOF session on RADIUS at the 32nd IETF (in Danvers, Massachusetts April 3-7); I'll announce that on ietf-radius and portmaster-users if I'm successful.

--
Carl Rigney
cdr@livingston.com

From firewalls-owner Mon Mar 6 20:47:17 1995
From: Michael Ellis
Message-Id: <199503070442.XAA27717@ritz.mordor.com>
Subject: Re: ftp - Netscape and TIS fwtk
To: kidstoj@citec.qld.gov.au
Date: Mon, 6 Mar 1995 23:42:31 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199503062247.IAA16607@citecuf.citec.qld.gov.au> from "John Kidston" at Mar 7, 95 08:45:30 am

John Kidston writes:
>
> Does anyone have any experience using Netscape as an ftp client
> behind the TIS fwtk ftp proxy?
>
> We have the proxy listening on port 21, and the proxy details
> configured in Netscape. When we execute an ftp URL, Netscape returns
> the signon screen from the fwtk ftp proxy and then sits in limbo
> before eventually timing out.

Have it proxy to port 80, and all should work fine. Two caveats, though:

1. You can confuse (and hang) the http-gw proxy if you try to retrieve too much at once. I've done this twice on a commercial Gauntlet, and not even restarting inetd and killing off the http-gw process on the system would get the bloody thing to restart. (Although I didn't think to run netstat and see what was binding to the port, so I'll have to try that next time.) Just don't get overexcited in your link following.

2. More annoying: http-gw doesn't 'get' Netscape's 'Secure HTTP'. If you try to link in to any site where the URL begins with https://, the proxy will fail. TIS either needs to fix this, or to say why they won't fix it. (ie: egregious licensing fees charged by Netscape's creators or the like.) Until it is fixed, of course, you can't use Secure HTTP, which means you can't do anything with that feature. (Don't go passing your credit card number around.)

Any tips on getting a telnet proxy for Netscape working would be nice, too. Any URL requiring a telnet connection seems to fail.

--
Michael K. Ellis
mkellis@mordor.com

From firewalls-owner Mon Mar 6 21:17:18 1995
From: brian@imcon.ilinx.com
To: peter@nmti.com
Subject: Re[2]: FW-1, etc.
Cc: ems@ccrl.nj.nec.com, bdboyle@maverick.erenj.com, firewalls@GreatCircle.COM
Date: Mon, 6 Mar 1995 20:57:59 -0700 (PST)

from the quill of peter@nmti.com on scroll <9503062238.AA17225@sonic.nmti.com.nmti.com>
> How does FW-1 deal with a "trojan horse" attack (user downloads a neat
> program
> that opens up a TCP connection to a throwdown server on some freenet
> somewhere
> and lets the perp in that way)? At least with a proxy firewall the trojan
> horse
> would have to be tailored to the specific site under attack...

I think I agree that the design of the trojan horse can be more "TCP connection oriented" as packets are routed to and from the user's machine directly instead of being blocked at a bastion host. Of course one can have lots more fun with an open TCP connection than say simply sending info back by e-mail, but I think this sort of practice (trojan horse) can attack any firewall system that does not have user policy behind it. If a user simply executes something they get from the net, there are all kinds of issues that go beyond any firewalling technologies we have today, would you not agree??

b.

--
Brian J. Murrell                            brian@ilinx.com
InterLinx Support Services, Inc.            brian@wimsey.com
North Vancouver, B.C.                       604 983 UNIX
Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD

From firewalls-owner Tue Mar 7 01:56:47 1995
From: lavondes@tidtest.total.fr (Michel Lavondes)
Message-Id: <9503071009.AA13508@tidtest.total.fr>
Subject: Re: FW-1, etc.
To: patrick@oes.amdahl.com (Patrick Horgan)
Date: Tue, 7 Mar 95 10:09:22 GMT
Cc: root@mmp.com, firewalls@greatcircle.com (fw)
Reply-To: lavondes@tidtest.total.fr
In-Reply-To: <9503061900.AA10315@brittany.oes.amdahl.com>; from "Patrick Horgan" at Mar 6, 95 11:00 am

Patrick Horgan wrote :
>
> > > From mmp.com!mmp.com!root@news.cts.com Mon Mar 6 09:10 PST 1995
> >
> > Multicasted packets also pose serious threat to IP filtering as the
> > architecture of the packet is an IP packet WITHIN another IP packet. The
> > [snip]
>
> You know I don't think you really understand how multicasting works. It's
> just another ip packet with a class D address, and routers that know how
> [snip]

I vaguely remember seeing somewhere (in a RFC ?) that IP within IP is used for something, even if not for multicasting. Does that ring a bell with anyone ?

--
Michel Lavondes          |It's is not, it isn't ain't, and it's it's, not its,
lavondes@tidtest.total.fr|if you mean it is. If you don't, it's its. Then too,
Tel : +33-1-4135-4198    |it's hers. It isn't her's. It isn't our's, either.
#include                 |It's ours, and likewise yours and theirs.
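Editor's added example; it is not a message from the list and not code from any product discussed in the thread. It makes Michel's question and the claim quoted above concrete: an IPv4 packet carried inside another IPv4 packet (IP protocol number 4, IP-in-IP, the encapsulation mrouted's DVMRP tunnels use to cross unicast-only routers and the one later written up in RFC 1853 and RFC 2003) is built by hand and parsed, and a rule that trusts the outer source address is compared with one that applies the interface-based anti-spoofing check Rob Peglar describes further down the thread to every header in the encapsulation chain, plus a TTL scope check that keeps a high-TTL mbone session from leaving the site. The inside prefix 10.1.0.0/16, the tunnel peer 192.0.2.10, the interface and direction names and the TTL threshold of 16 are assumptions made for the example.

```python
"""Added example (not from the thread): what a packet filter sees when an IPv4
packet is encapsulated in another IPv4 packet (IP protocol 4, IP-in-IP).
Packets are constructed by hand, so this runs offline. The inside prefix,
tunnel peer, interface names and multicast TTL threshold are assumptions."""
import ipaddress
import struct

IPPROTO_IPIP = 4                                   # IP-in-IP encapsulation
IPPROTO_UDP = 17
INSIDE = ipaddress.ip_network("10.1.0.0/16")       # assumed protected network
MULTICAST = ipaddress.ip_network("224.0.0.0/4")    # class D space
TUNNEL_PEER = ipaddress.ip_address("192.0.2.10")   # assumed remote tunnel endpoint
MCAST_TTL_THRESHOLD = 16                           # assumed TTL scope boundary on the outside link
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")          # 20-byte header, no options


def ipv4_checksum(data: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet (IHL=5) with a correct header checksum."""
    hdr = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(payload), 0, 0, ttl, proto, 0,
                        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse one IPv4 header; reject short, non-IPv4, truncated or corrupt headers."""
    if len(pkt) < IPV4_HDR.size:
        raise ValueError("short packet")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = IPV4_HDR.unpack(pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("malformed header")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


def decapsulate(pkt: bytes, max_depth: int = 4) -> list:
    """Chain of IPv4 headers, outermost first, following protocol-4 payloads.
    max_depth bounds the work an attacker can force with nested encapsulation."""
    chain = []
    while len(chain) < max_depth:
        hdr = parse_ipv4(pkt)
        chain.append(hdr)
        if hdr["proto"] != IPPROTO_IPIP:
            break
        pkt = hdr["payload"]
    return chain


def outer_only_acl(pkt: bytes, iface: str, direction: str) -> str:
    """The weak rule described in the thread: trust decided by the outer source address."""
    outer = parse_ipv4(pkt)
    if outer["src"] in INSIDE or outer["src"] == TUNNEL_PEER:
        return "permit"
    return "deny"


def hardened_acl(pkt: bytes, iface: str, direction: str) -> str:
    """Interface-aware anti-spoofing and multicast scoping, applied to every header in the chain."""
    try:
        chain = decapsulate(pkt)
    except ValueError as exc:           # a filter must fail closed on junk it cannot parse
        return "deny: %s" % exc
    for depth, hdr in enumerate(chain):
        src, dst = hdr["src"], hdr["dst"]
        # Inbound on the outside interface: nothing out there may claim an inside or loopback source.
        if iface == "outside" and direction == "in" and (src in INSIDE or src.is_loopback):
            return "deny: spoofed source %s at depth %d" % (src, depth)
        # Outbound on the outside interface: a group packet above the TTL scope boundary leaks.
        if iface == "outside" and direction == "out" and dst in MULTICAST and hdr["ttl"] > MCAST_TTL_THRESHOLD:
            return "deny: multicast to %s with ttl %d crosses scope boundary" % (dst, hdr["ttl"])
    return "permit"


def scenarios() -> dict:
    """Constructed packets (not captures): name -> (packet, interface, direction)."""
    dummy = b"\x00" * 12                            # stand-in transport payload
    inner_spoof = build_ipv4("127.0.0.1", "10.1.0.5", IPPROTO_UDP, dummy)
    inner_ok = build_ipv4("198.51.100.7", "10.1.0.5", IPPROTO_UDP, dummy)
    return {
        "plain spoof of inside address": (build_ipv4("10.1.2.3", "10.1.0.5", IPPROTO_UDP, dummy), "outside", "in"),
        "tunnel from peer, inner claims localhost": (build_ipv4(str(TUNNEL_PEER), "10.1.0.1", IPPROTO_IPIP, inner_spoof), "outside", "in"),
        "tunnel from peer, inner legitimate": (build_ipv4(str(TUNNEL_PEER), "10.1.0.1", IPPROTO_IPIP, inner_ok), "outside", "in"),
        "multicast leaving with ttl 127": (build_ipv4("10.1.0.9", "224.2.0.1", IPPROTO_UDP, dummy, ttl=127), "outside", "out"),
        "multicast leaving with ttl 15": (build_ipv4("10.1.0.9", "224.2.0.1", IPPROTO_UDP, dummy, ttl=15), "outside", "out"),
    }


def compare() -> dict:
    """name -> (outer-only decision, hardened decision)."""
    return {name: (outer_only_acl(p, i, d), hardened_acl(p, i, d)) for name, (p, i, d) in scenarios().items()}


if __name__ == "__main__":
    for name, (weak, strong) in compare().items():
        print("%-42s outer-only: %-7s hardened: %s" % (name, weak, strong))
```

The outer-only rule permits every packet in the table, including the one whose inner header says "I'm localhost now"; the hardened rule denies the plain spoof at depth 0, the tunneled spoof at depth 1 and the TTL 127 group packet on the way out, and permits the rest. Whether an inner source inside your own prefix is legitimate depends on what the tunnel is meant to carry; the example treats it as spoofing, which is the conservative default when the peer is not under your administration.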
From firewalls-owner Tue Mar 7 02:47:23 1995
Date: Tue, 7 Mar 95 10:31:42 GMT
From: Dave Hodgkinson
Message-Id: <9503071031.AA02500@fsl.com>
To: paul@hawksbill.sprintmrn.com
Cc: firewalls@greatcircle.com
In-Reply-To: <9503070140.AA24296@hawksbill.sprintmrn.com> (message from Paul Ferguson on Mon, 6 Mar 1995 20:40:08 -0500 (EST))
Subject: Re: IPX traffic through a firewall

   As I have found out (banging my head against a wall), so does Windows NT.
   These 'non-standard' IP implementations are extremely annoying, almost
   evil.

   Sigh.

Would you care to elaborate as to what you think is non-standard about the TCP/IP stack in Windows NT?

Dave

From firewalls-owner Tue Mar 7 03:17:32 1995
From: lavondes@tidtest.total.fr (Michel Lavondes)
Message-Id: <9503071159.AA13584@tidtest.total.fr>
Subject: Re: IPX traffic through a firewall
To: mcr@milkyway.com (Michael Richardson)
Date: Tue, 7 Mar 95 11:59:43 GMT
Cc: stagda@sys1.ic.ncs.com, firewalls@greatcircle.com (fw)
Reply-To: lavondes@tidtest.total.fr
In-Reply-To: <3jg08c$gs@calisto.milkyway.com>; from "Michael Richardson" at Mar 6, 95 4:53 pm

Michael Richardson wrote :
>
> [snip]
>
> We were hoping to support IPX between protected networks by having
> an IPX capable router tunnel the packets within a TCP connection. Alas,
> we've since discovered that Cisco's only support GRE, which is an IP
> level protocol, not a TCP one.
> We don't let arbitrary IP packets through, so GRE is not an option.
> Are there router makers that support encapsulating into a TCP session?
>

Well, I *think* ciscos *may* be able to do it. The trick would be to setup your router to bridge IPX, not route it, and if you're using transparent bridging (ie, Ethernet, not Token-ring,) you must use either SR/TLB (so you can encapsulate source-routed frames in TCP) or X25 switching (so you can encapsulate X25 traffic in TCP.)

WARNING : I make no guarantee that this (admittedly hairy) scheme can be made to work, nor to its performance. I didn't try it, and I don't want to :-). Use it at your own risk.

--
Michel Lavondes          |It's is not, it isn't ain't, and it's it's, not its,
lavondes@tidtest.total.fr|if you mean it is. If you don't, it's its. Then too,
Tel : +33-1-4135-4198    |it's hers. It isn't her's. It isn't our's, either.
#include                 |It's ours, and likewise yours and theirs.

From firewalls-owner Tue Mar 7 03:47:17 1995
From: robp@anubis.network.com (Rob Peglar)
Message-Id: <9503071133.AA10183@anubis.network.com>
Subject: Re: FW-1, etc.
To: root@mmp.com (Operator)
Date: Tue, 7 Mar 1995 05:36:14 -0600 (CST)
Cc: patrick@oes.amdahl.com, Firewalls@greatcircle.com
In-Reply-To: <9503061706.AA01006@mmp.com> from "Operator" at Mar 6, 95 09:06:53 am

This is just blatantly wrong.

> Well, that's definitely an easy one.. IP filtering is based on TCP
> header information, specifically (host,port,dst,port). Authentication of
> hosts is very weak. Anyone can claim to be 127.0.0.1, or an IP of any host
> on the network, and your packet filtering will believe it just because that's
> what in the header.. Obviously this is what is called 'spoofing'.
>
> Multicasted packets also pose serious threat to IP filtering as the
> architecture of the packet is an IP packet WITHIN another IP packet. The
> outside header information is the only header a router will look @ when
> traversing your access control lists. So, on the outside packet you could say
> 'hey I'm a trusted host' and the inside could say something entirely different
> , IE: "I'm localhost now!"

Preventing IP address spoof attacks is quite easy and simple with modern filtering routers. Sure, if you go by just what's in the header, spoofs will pass, but no halfway decent administrator will allow their router to pass that. Most filtering routers have stronger checks than that, relating to both physical (interface) and logical (expected traffic) characteristics.

>
> BTW: Just a small plug.. Our organization teaches classes about 'digital crime
> prevention' that covers everything from PBX fraud & social engineering, to
> TCP/IP vulnerabilities, as well has host exploit classifications.

Ahh. The true reason behind this misleading post.

--
Rob Peglar                       Network Systems Corporation
Channel Strategic Group          7600 Boone Avenue North
robp@network.com                 Minneapolis MN 55428
(612)424-4888 x1028

From firewalls-owner Tue Mar 7 04:21:15 1995
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9503071214.AA25152@hawksbill.sprintmrn.com>
Subject: Re: IPX traffic through a firewall
To: daveh@fusion.hawksbill.sprintmrn.com.sprintmrn.com (Dave Hodgkinson)
Date: Tue, 7 Mar 1995 07:14:29 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <9503071031.AA02500@fsl.com> from "Dave Hodgkinson" at Mar 7, 95 10:31:42 am

>
>
> As I have found out (banging my head against a wall), so does Windows NT.
> These 'non-standard' IP implementations are extremely annoying, almost
> evil.
>
> Sigh.
>
> Would you care to elaborate as to what you think is non-standard about
> the TCP/IP stack in Windows NT?
>

The requirement for UDP forwarding assistance, in the form of IP HELPER-ADDRESSES, and heavy reliance on UDP broadcast-based services.

In fact, let me rephrase it. I don't find it simply annoying, it's downright frustrating. Woe be unto thee if you misplace or misdirect your IP HELPER-ADDRESSES. Major broadcast storms.

- paul

_______________________________________________________________________________
Paul Ferguson                                US Sprint
tel: 703.689.6828                            Managed Network Engineering
internet: paul@hawk.sprintmrn.com            Reston, Virginia USA
http://www.sprintmrn.com

From firewalls-owner Tue Mar 7 05:17:41 1995
From: "Bryan D. Boyle"
Message-Id: <9503070806.ZM10876@maverick.erenj.com>
Date: Tue, 7 Mar 1995 08:06:58 -0500
To: firewalls@greatcircle.com
Subject: new url for vendor list

the vendor list, capably maintained by Catherine Fulmer, has moved location due to the greed of the previous supplier of web space to a new location (same amount of space plus a full service connection for less...such a deal...:))

the new URL is (and please update any pointers you may have....)

http://www.access.digex.net/bdboyle/firewall.vendor.html

thanks.

(btw, this list is vendor-neutral. Information therein is as supplied by the marketing/sales/etc types and is to be taken as any sales literature, etc. The maintainers make no claims as to the accuracy, etc...)

--
Bryan D. Boyle  |Physical: ER&E, Clinton, NJ (908) 730-3338
#include        |Virtual: bdboyle@erenj.com
World-Wide-Web: http://www.digimark.net/bdboyle/index.html
http://www.digimark.net/bdboyle/pubkey.html for pgp public key

From firewalls-owner Tue Mar 7 05:47:29 1995
Message-Id: <9503071338.AA25068@tis.com>
From: Frederick M Avolio
X-Organization: Trusted Information Systems, Inc.
To: kidstoj@citec.qld.gov.au
Cc: firewalls@greatcircle.com
Subject: Re: ftp - Netscape and TIS fwtk
In-Reply-To: Your message of Tue, 07 Mar 95 08:45:30. <199503062247.IAA16607@citecuf.citec.qld.gov.au>
Date: Tue, 07 Mar 95 08:38:46 -0500

Maybe you should write to the TIS Internet Firewall Toolkit list on this one? I use Netscape fine behind a Gauntlet Internet Firewall. Although there are many differences and enhancements, the HTTP proxy code is basically the same.

Fred

From firewalls-owner Tue Mar 7 06:05:43 1995
From: lavondes@tidtest.total.fr (Michel Lavondes)
Message-Id: <9503071425.AA13708@tidtest.total.fr>
Subject: Re: IPX traffic through a firewall
To: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Date: Tue, 7 Mar 95 14:25:41 GMT
Cc: firewalls@greatcircle.com (fw)
Reply-To: lavondes@tidtest.total.fr
In-Reply-To: <9503071214.AA25152@hawksbill.sprintmrn.com>; from "Paul Ferguson" at Mar 7, 95 7:14 am

Paul Ferguson wrote :
>
> >
> > [snip]
> >
> > Would you care to elaborate as to what you think is non-standard about
> > the TCP/IP stack in Windows NT?
> >
>
> The requirement for UDP forwarding assistance, in the form of
> IP HELPER-ADDRESSES, and heavy reliance on UDP broadcast-based
> services.
>

AFAIK, that's not a TCP/IP problem, that's a NETBIOS problem. Agreed, NETBIOS is BAD, but mainstream IP-based apps should not suffer from this problem. Or do you know something I don't ? I'm presently trying to repel the NT invasion, so any negative information is welcome :-)

--
Michel Lavondes          |It's is not, it isn't ain't, and it's it's, not its,
lavondes@tidtest.total.fr|if you mean it is. If you don't, it's its. Then too,
Tel : +33-1-4135-4198    |it's hers. It isn't her's. It isn't our's, either.
#include                 |It's ours, and likewise yours and theirs.

From firewalls-owner Tue Mar 7 06:21:32 1995
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9503071403.AA25661@hawksbill.sprintmrn.com>
Subject: Re: IPX traffic through a firewall
To: lavondes@tidtest.total.fr
Date: Tue, 7 Mar 1995 09:03:19 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <9503071425.AA13708@tidtest.total.fr> from "Michel Lavondes" at Mar 7, 95 02:25:41 pm

> >
> > The requirement for UDP forwarding assistance, in the form of
> > IP HELPER-ADDRESSES, and heavy reliance on UDP broadcast-based
> > services.
> >
>
> AFAIK, that's not a TCP/IP problem, that's a NETBIOS problem. Agreed,
> NETBIOS is BAD, but mainstream IP-based apps should not suffer from
> this problem. Or do you know something I don't ? I'm presently trying
> to repel the NT invasion, so any negative information is welcome :-)

NETBIOS/NETBEUI encapsulated in IP.

UDP look-up services that NT uses can cause quite an increase in wide-area traffic if not directed to a single host.

- paul

_______________________________________________________________________________
Paul Ferguson                                US Sprint
tel: 703.689.6828                            Managed Network Engineering
internet: paul@hawk.sprintmrn.com            Reston, Virginia USA
http://www.sprintmrn.com

From firewalls-owner Tue Mar 7 06:26:44 1995
From: "Bryan D. Boyle"
Message-Id: <9503070837.ZM10905@maverick.erenj.com>
Date: Tue, 7 Mar 1995 08:37:30 -0500
In-Reply-To: "Bryan D. Boyle" "new url for vendor list" (Mar 7, 8:06am)
References: <9503070806.ZM10876@maverick.erenj.com>
To: firewalls@greatcircle.com
Subject: Re: new url for vendor list

On Mar 7, 8:06am, Bryan D. Boyle wrote:
> Subject: new url for vendor list
> the vendor list, capably maintained by Catherine Fulmer, has moved location
> due to the greed of the previous supplier of web space to a new location (same
> amount of space plus a full service connection for less...such a deal...:))
>
> the new URL is (and please update any pointers you may have....)

dumb me...sheesh, you think I would get this right after 2 years...
CORRECTION: http://www.access.digex.net/~bdboyle/firewall.vendor.html is the correct pointer...

--
Bryan D. Boyle  |Physical: ER&E, Clinton, NJ (908) 730-3338
#include        |Virtual: bdboyle@erenj.com
World-Wide-Web: http://www.digimark.net/bdboyle/index.html
http://www.digimark.net/bdboyle/pubkey.html for pgp public key

From firewalls-owner Tue Mar 7 06:42:23 1995
From: Rick Romkey
Message-Id: <199503071418.JAA11696@maddie.atlantic.com>
Subject: Re: FW-1, etc.
To: robp@anubis.network.com (Rob Peglar)
Date: Tue, 7 Mar 1995 09:18:01 -0500 (EST)
Cc: root@mmp.com, patrick@oes.amdahl.com, Firewalls@GreatCircle.COM
In-Reply-To: <9503071133.AA10183@anubis.network.com> from "Rob Peglar" at Mar 7, 95 05:36:14 am

>
> This is just blatantly wrong.
>
> > Well, that's definitely an easy one.. IP filtering is based on TCP
> > header information, specifically (host,port,dst,port). Authentication of
> > hosts is very weak. Anyone can claim to be 127.0.0.1, or an IP of any host
> > on the network, and your packet filtering will believe it just because that's
> > what in the header.. Obviously this is what is called 'spoofing'.
> >
> > Multicasted packets also pose serious threat to IP filtering as the
> > architecture of the packet is an IP packet WITHIN another IP packet. The
> > outside header information is the only header a router will look @ when
> > traversing your access control lists. So, on the outside packet you could say
> > 'hey I'm a trusted host' and the inside could say something entirely different
> > , IE: "I'm localhost now!"
>
> Preventing IP address spoof attacks is quite easy and simple with
> modern filtering routers. Sure, if you go by just what's
> in the header, spoofs will pass, but no halfway decent administrator
> will allow their router to pass that. Most filtering routers have
> stronger checks than that, relating to both physical (interface) and
> logical (expected traffic) characteristics.
>
> >
> > BTW: Just a small plug.. Our organization teaches classes about 'digital crime
> > prevention' that covers everything from PBX fraud & social engineering, to
> > TCP/IP vulnerabilities, as well has host exploit classifications.
>
> Ahh. The true reason behind this misleading post.
>

It should also be pointed out that there IS an IP spoofing patch for FW-1 that can be installed. Not that I am arguing that it is a better firewall than a proxy box, but at least they DO address spoofing.

-Rick

----------------------------------------------------------------------------
Rick E Romkey        | A T L A N T I C                  | Internet
pokey@atlantic.com   | Computing Technology Corporation | Specialists
(203) 257-7163       | http://www.atlantic.com/         |
-----------------------------------------------------------------------------

From firewalls-owner Tue Mar 7 06:52:21 1995
Date: Tue, 7 Mar 1995 08:30:16 -0600
From: mike.richards@bst.bls.com (Mike Richards)
Message-Id: <9503071430.AA27953@beavis>
To: firewalls@GreatCircle.COM
Subject: Re: Suspicious ftpd behavior?

Anyone,

Are these log entries possible break-in attempts or just network failures? The ftpd is running on HP-UX 9.03.

Mar 3 23:53:25 ftpd[16204]: connect from slper1p01.ozemail.com.au
Mar 3 23:53:25 syslog: getpeername (/etc/ftpd): Socket is not connected
Mar 3 13:48:50 ftpd[6663]: connect from COBI180.CBI.MsState.Edu
Mar 3 13:48:50 syslog: getpeername (/etc/ftpd): Socket is not connected

Mike

From firewalls-owner Tue Mar 7 07:07:17 1995
Date: Tue, 7 Mar 1995 08:51:53 -0500 (EST)
From: Ed Strong
To: peter@nmti.com
Cc: "Bryan D. Boyle", firewalls@GreatCircle.COM
Subject: Re: FW-1, etc.
In-Reply-To: <9503062238.AA17225@sonic.nmti.com.nmti.com>

On Mon, 6 Mar 1995 peter@nmti.com wrote:

> How does FW-1 deal with a "trojan horse" attack (user downloads a neat program
> that opens up a TCP connection to a throwdown server on some freenet somewhere
> and lets the perp in that way)? At least with a proxy firewall the trojan horse
> would have to be tailored to the specific site under attack...
> --

...and it doesn't butter your toast either. Are you really worried about this? Transparent proxy-type firewalls would have the same vulnerability. And the sole protection of the non-transparent types is security by obscurity, which you can't count on. Superhacker would probably set up the first trojan horse to email back whatever information is needed, so that the second version could be tailored to complete the conquest.
Corporations with serious concerns about such bombs simply do not allow any importing of software. How effective this is remains to be seen, since it is impossible to recognize every covert channel that might be set up. Looks like we have to dismantle the internet, it's too risky. :-)

> Peter da Silva `-_-'
> Network Management Technology Incorporated 'U`
> 1601 Industrial Blvd. Sugar Land, TX 77478 USA
> +1 713 274 5180 "Hast du Heute schon deinen Wolf umarmt?"
>

-----------------------------------------------------------------------
Ed Strong EMAIL: ems@ccrl.nj.nec.com
-----------------------------------------------------------------------

From firewalls-owner Tue Mar 7 07:14:57 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA24493 for firewalls-outgoing; Tue, 7 Mar 1995 06:19:50 -0800
Received: from erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA24488 for ; Tue, 7 Mar 1995 06:19:46 -0800
Posted-Date: Tue, 7 Mar 1995 09:17:30 -0500
From: "Bryan D. Boyle"
Message-Id: <9503070917.ZM11004@maverick.erenj.com>
Date: Tue, 7 Mar 1995 09:17:30 -0500
X-Phone: (908) 730-3338
X-Saying: Strange problems call for strange solutions.
X-Life: Get One
X-Face: "Pd&4kXWsi"3Hc_Y~I-ts24DN$w~Hh)&L-P9DZvE"~_~m),~Y&N_]TUIM*4.r@z$SxVL]}v=+IP>Fuq{zx%{KKj"Kys1Q5{|m*l}:[T;N:/=@5[xOIpR$%skp$f0#6^j\1+ -?l%Yk/+S8Y!3J@{~!Ao4-COV:Ft}{]oZ&1=!@<>UIh2s
X-Mailer: Z-Mail (3.2.0 06sep94)
To: firewalls@greatcircle.com
Subject: CORRECTED new url for vendor list
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> http://www.access.digex.net/bdboyle/firewall.vendor.html

Again, brain spasm.

http://www.access.digex.net/~bdboyle/firewall.vendor.html

forgot the ~

--
Bryan D. Boyle |Physical: ER&E, Clinton, NJ (908) 730-3338
#include |Virtual: bdboyle@erenj.com
World-Wide-Web: http://www.digimark.net/bdboyle/index.html
http://www.digimark.net/bdboyle/pubkey.html for pgp public key

From firewalls-owner Tue Mar 7 07:17:53 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA25797 for firewalls-outgoing; Tue, 7 Mar 1995 06:56:43 -0800
Received: from gate.demon.co.uk (gate.demon.co.uk [158.152.1.65]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA25786 for ; Tue, 7 Mar 1995 06:56:34 -0800
Received: from fusion.demon.co.uk by gate.gate.demon.co.uk id aa12652; 7 Mar 95 14:46 GMT
Received: by fsl.com (4.1/1.2) id AA03755; Tue, 7 Mar 95 14:42:42 GMT
Date: Tue, 7 Mar 95 14:42:42 GMT
From: Dave Hodgkinson
Message-Id: <9503071442.AA03755@fsl.com>
To: firewalls@greatcircle.com
In-Reply-To: <9503071403.AA25661@hawksbill.sprintmrn.com> (message from Paul Ferguson on Tue, 7 Mar 1995 09:03:19 -0500 (EST))
Subject: Re: IPX traffic through a firewall
Reply-To: daveh@fsl.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

NETBIOS/NETBEUI encapsulated in IP. UDP look-up services that NT uses can cause quite an increase in wide-area traffic if not directed to a single host.

Strictly, it's netbios over UDP as spec-ed in rfc1002/1001. NetBEUI is the frame type which cannot be routed.

I'd say that if you're trying to implement a LAN over a wide area, which is what you're doing if you don't partition your NT domains or LM workgroups correctly, then you're doing it wrong. Much like trying to do a UDP-oriented LAN service over the Internet.

MS have done some work trying to scale Lan Manager up to be an "enterprise" network, and part of this effort is in reining back the broadcasts caused by the nice LAN stuff like browsing. Traffic which should not be propagated over a wide area.
Dave

From firewalls-owner Tue Mar 7 07:36:19 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA26110 for firewalls-outgoing; Tue, 7 Mar 1995 07:05:50 -0800
Received: from uuneo.neosoft.com (uuneo.NeoSoft.COM [198.64.213.78]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA26096 for ; Tue, 7 Mar 1995 07:05:47 -0800
Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.6.10/8.6.10) with UUCP id IAA10503 for GreatCircle.COM!firewalls; Tue, 7 Mar 1995 08:59:42 -0600
Received: by ris1.nmti.com (smail2.5) id AA02501; 7 Mar 95 09:19:27 CST (Tue)
Received: by sonic.nmti.com; id AA23350; Tue, 7 Mar 1995 08:34:41 -0600
Message-Id: <9503071434.AA23350@sonic.nmti.com.nmti.com>
To: brian@imcon.ilinx.com
Cc: ems@ccrl.nj.nec.com, bdboyle@maverick.erenj.com, firewalls@GreatCircle.COM
Subject: Re: Re[2]: FW-1, etc.
In-Reply-To: Your message of "Mon, 06 Mar 95 20:57:59 MST."
X-Mailer: exmh version 1.4.1 7/21/94
Date: Tue, 07 Mar 95 08:34:41 -0600
From: peter@nmti.com
X-Mts: smtp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Of course one can have lots more fun with an open TCP connection than say
> simply sending info back by e-mail,

Considerably more, and it's harder to trace since email is more generally logged and in more places. Plus, your trojan has to be autonomous... it's much easier to operate a trojan by remote control than to build an agent that can deal with arbitrarily customised environments.

As for social engineering and policy, a perp running a con on an insider is really a separate issue from firewalls... a trojan horse isn't any different in kind from calling up the phone company pretending to be a service guy and extracting unpublished numbers. It's like saying "you don't need multiuser security behind your firewall, just establish a policy that people don't access each other's files", or "don't lock up the stockroom and the postage meter", or whatever.
Maybe that's appropriate, maybe not, but having the mechanism available is still a good thing. And having a mechanism to prevent bad guys from tunneling out through a trojan horse is a good thing too. It limits the kinds of attacks that can be made, and isn't that after all the whole point?

--
Peter da Silva `-_-'
Network Management Technology Incorporated 'U`
1601 Industrial Blvd. Sugar Land, TX 77478 USA
+1 713 274 5180 "Hast du Heute schon deinen Wolf umarmt?"

From firewalls-owner Tue Mar 7 07:47:41 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA27152 for firewalls-outgoing; Tue, 7 Mar 1995 07:35:16 -0800
Received: from mickey.jsc.nasa.gov (mickey.jsc.nasa.gov [139.169.132.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA27147 for ; Tue, 7 Mar 1995 07:35:12 -0800
From: horn@mickey.jsc.nasa.gov
Received: from janus.jsc.nasa.gov by mickey.jsc.nasa.gov (5.65c/ISL-ser-1.1) id AA08655; Tue, 7 Mar 1995 09:32:37 -0600
Received: by janus.jsc.nasa.gov (5.65c/ISL-cli-1.1) id AA16487; Tue, 7 Mar 1995 09:32:35 -0600
Received: from freefall.jsc.nasa.gov(139.169.132.24) by janus.jsc.nasa.gov via smap (V1.3) id sma016483; Tue Mar 7 09:32:31 1995
Received: by freefall.jsc.nasa.gov (8.6.9/ISL-cli-1.1) id JAA12252; Tue, 7 Mar 1995 09:32:10 -0600
Message-Id: <199503071532.JAA12252@freefall.jsc.nasa.gov>
Subject: Re: FW-1, etc.
To: robp@anubis.network.com (Rob Peglar)
Date: Tue, 7 Mar 1995 09:32:10 -0600 (CST)
Cc: root@mmp.com, patrick@oes.amdahl.com, Firewalls@greatcircle.com
In-Reply-To: <9503071133.AA10183@anubis.network.com> from "Rob Peglar" at Mar 7, 95 05:36:14 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1361
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

robp@anubis.network.com (Rob Peglar) wrote:

>Preventing IP address spoof attacks is quite easy and simple with
>modern filtering routers.

No, it isn't. You can, quite easily, prevent someone from pretending to be 127.0.0.1.
You can also, quite easily, prevent someone from pretending to be on your local network when they're not. But, you can't easily prevent, or detect, if someone is pretending to be an external host that you trust.

This is one of the major problems that you get when your only line of defense is packet filtering. If you decide to allow in ANY inbound traffic through the packet filter you are susceptible to spoofing attacks on the services that you allow in. If that service is SMTP you've probably opened it up for everyone, so spoofing is pointless. But if that service is any of the 'r'-commands or telnet, then spoofing the trusted host can open a huge hole in your security - and the worst part is that your firewall will never detect it, much less prevent it.

The other major problem that you get when your only line of defense is packet filtering is transitive trust. Why spoof the IP address of the trusted host, when you can get access to the trusted host?

--
Mark Horn (sparkie)
horn@mickey.jsc.nasa.gov
http://tommy.jsc.nasa.gov/~horn
mark.horn1@jsc.nasa.gov

From firewalls-owner Tue Mar 7 07:54:10 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA26134 for firewalls-outgoing; Tue, 7 Mar 1995 07:06:06 -0800
Received: from uuneo.neosoft.com (uuneo.NeoSoft.COM [198.64.213.78]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA26124 for ; Tue, 7 Mar 1995 07:06:02 -0800
Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.6.10/8.6.10) with UUCP id IAA10518 for GreatCircle.COM!firewalls; Tue, 7 Mar 1995 08:59:45 -0600
Received: by ris1.nmti.com (smail2.5) id AA02831; 7 Mar 95 09:36:45 CST (Tue)
Received: by sonic.nmti.com; id AA24769; Tue, 7 Mar 1995 08:51:59 -0600
Message-Id: <9503071451.AA24769@sonic.nmti.com.nmti.com>
To: Ed Strong
Cc: "Bryan D. Boyle" , firewalls@GreatCircle.COM
Subject: Re: FW-1, etc.
In-Reply-To: Your message of "Tue, 07 Mar 95 08:51:53 EST."
X-Mailer: exmh version 1.4.1 7/21/94
Date: Tue, 07 Mar 95 08:51:58 -0600
From: peter@nmti.com
X-Mts: smtp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> ...and it doesn't butter your toast either.

Sarcasm noted. A quick defense of my position, then back to my request...

> And the sole protection of the non-transparent types is security by
> obscurity, which you can't count on. Superhacker would probably set up the
> first trojan horse to email back whatever information is needed, so that
> the second version could be tailored to complete the conquest.

I don't expect to keep superhacker out, and I don't expect to defend against an inside job. Without someone on the inside, though, I wonder how superhacker plans to figure out what the IP address of my telnet proxy is from whatever his preprogrammed robot mails back to him. There's no standard script out there for proxy telnet, and if he starts mailing en masse copies of everyone's .cshrc and .login and ~/bin in the hope of figuring it out that's going to show up in the mail logs. And my mail service is through a completely separate channel than my IP service, so looking at sendmail.cf isn't going to help.

I'm interested in keeping out the average hackers. If a non-transparent proxy will keep out a carpet-bomb type broadcast attack, akin to the "virus" threat on PCs, then it's a useful tool. If FW-1 has some mechanism that will make this sort of thing harder, then that's useful too.

So, back to my request... what does FW-1 or any other filtering firewall do that might be useful in countering this attack? If the answer's "you don't want to counter that attack in your firewall" then I'll take that as "nothing, and we're really defensive about it".

--
Peter da Silva `-_-'
Network Management Technology Incorporated 'U`
1601 Industrial Blvd. Sugar Land, TX 77478 USA
+1 713 274 5180 "Hast du Heute schon deinen Wolf umarmt?"
From firewalls-owner Tue Mar 7 08:10:56 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA27245 for firewalls-outgoing; Tue, 7 Mar 1995 07:37:35 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA27239 for ; Tue, 7 Mar 1995 07:37:30 -0800
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA13850; Tue, 7 Mar 95 10:16:39 -0500
Date: Tue, 7 Mar 95 10:16:38 -0500
Message-Id: <9503071516.AA13850@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Nasty scripts
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Perhaps it's just me, but... I think that tools like SATAN, COPS, ISS, et al
>are good.. They point out common weaknesses on your own system, so that you
>can fix them..

I have to agree that a haqueur tool is often also a good security tool because both people want to know the same thing. Often the major difference is that of the difference between a surgical hammer and a ten pound sledge: a professional uses tools designed with the thought "first, do no harm" while the nasty-grams are "first, break that sucker".

The problem is that many people are connecting to the net who are probably not really qualified to do so (please no flames, am stating what I have observed) and certainly cannot tell the difference between a command that will force entry and one that will just check to see if a forced entry is liable to work. This is the basic problem with many "penetration analyses" done from the outside: Unless you study what the machines on the inside are doing, any attempt to subvert a machine is liable to disrupt it and *you cannot tell* in advance what will happen (see Turing).
Have even been flamed at work by higher-ups who do not understand when I refuse to break into systems "for a demo" without the system owner/admin knowing about it and agreeing to it.

The fact is that all of the above tools have been available for some time to anyone who bothered to look for them (can see it coming from that one) but can probably count on my hands the number of people who have really studied them to the extent of being able to predict what the effect on a particular platform will be *and they do not need the tools*.

This is the main reason that I have not released the ones I have written to the net, not because I am holding back information that is not freely available - have even pointed people to the libraries and RFCs - but because they lack the safety features that would be necessary to keep a novice from hurting themselves. And since my programs run on DOS based PCs there are a lot more novices out there than on Unix systems.

Warmly,
Padgett

From firewalls-owner Tue Mar 7 08:17:55 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA28307 for firewalls-outgoing; Tue, 7 Mar 1995 08:01:01 -0800
Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA28296 for ; Tue, 7 Mar 1995 08:00:56 -0800
Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.28.1 #5) id m0rm1eX-0000nKC; Tue, 7 Mar 95 07:58 PST
Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA03468; Tue, 7 Mar 1995 07:58:39 +0800
Date: Tue, 7 Mar 1995 07:58:39 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
Message-Id: <9503071558.AA03468@brittany.oes.amdahl.com>
To: ems@ccrl.nj.nec.com, peter@nmti.com
Subject: Re: FW-1, etc.
Cc: bdboyle@maverick.erenj.com, firewalls@GreatCircle.COM
X-Sun-Charset: US-ASCII
content-length: 1166
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> How does FW-1 deal with a "trojan horse" attack (user downloads a neat program
> that opens up a TCP connection to a throwdown server on some freenet somewhere
> and lets the perp in that way)? At least with a proxy firewall the trojan horse
> would have to be tailored to the specific site under attack...

Good point! If I was writing a trojan horse attack I'd look for socks if I couldn't connect. This could be found via an environment variable, or via using strings against rftp, or rtelnet. That would get me into more places;)

Patrick
 _______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;).   \
| (\                                                                    |
| Patrick J. Horgan       Amdahl Corporation                \\   Have   |
| patrick@amdahl.com      1250 East Arques Avenue           \\ _ Sword  |
| Phone : (408)992-2779   P.O. Box 3470 M/S 316             \\/  Will   |
| FAX   : (408)773-0833   Sunnyvale, CA 94088-3470          _/\\ Travel |
\___________________________O16-2294________________________\)__________/

From firewalls-owner Tue Mar 7 08:47:34 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA29864 for firewalls-outgoing; Tue, 7 Mar 1995 08:41:43 -0800
Received: from voyager.datatools.com ([192.216.89.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA29851 for ; Tue, 7 Mar 1995 08:41:39 -0800
Message-Id: <199503071641.IAA29851@miles.greatcircle.com>
Received: from nova.datatools.com.datatools.com by voyager.datatools.com (4.1/4.7); Tue, 7 Mar 95 08:44:22 PST
Date: Tue, 7 Mar 95 08:44:22 PST
From: greep@datatools.com (Steven Tepper)
Received: by nova.datatools.com.datatools.com (4.1/SMI-4.1) id AA05928; Tue, 7 Mar 95 08:39:46 PST
To: firewalls@greatcircle.com
Cc: greep@datatools.com
In-Reply-To: <9503071009.AA13508@tidtest.total.fr> (lavondes@tidtest.total.fr)
Subject: Re: FW-1, etc.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: lavondes@tidtest.total.fr (Michel Lavondes)
> I vaguely remember seeing somewhere (in a RFC ?) that IP within IP is
> used for something, even if not for multicasting. Does that ring a bell
> with anyone ?

I think this was in an RFC that was enclosed in another RFC :-)

From firewalls-owner Tue Mar 7 09:26:29 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA01000 for firewalls-outgoing; Tue, 7 Mar 1995 09:05:55 -0800
Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA00995 for ; Tue, 7 Mar 1995 09:05:52 -0800
Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.28.1 #5) id m0rm2fN-0000eVC; Tue, 7 Mar 95 09:03 PST
Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA03565; Tue, 7 Mar 1995 09:03:35 +0800
Date: Tue, 7 Mar 1995 09:03:35 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
Message-Id: <9503071703.AA03565@brittany.oes.amdahl.com>
To: robp@anubis.network.com, horn@mickey.jsc.nasa.gov
Subject: Re: FW-1, etc.
Cc: root@mmp.com, patrick@oes.amdahl.com, Firewalls@greatcircle.com
X-Sun-Charset: US-ASCII
content-length: 1366
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: horn@mickey.jsc.nasa.gov
>
> This is one of the major problems that you get when your only line of
> defense is packet filtering. If you decide to allow in ANY inbound traffic
> through the packet filter you are susceptible to spoofing attacks on the
> services that you allow in. If that service is SMTP you've probably opened it
> up for everyone, so spoofing is pointless. But if that service is any of the
> 'r'-commands or telnet, then spoofing the trusted host can open a huge hole in
> your security - and the worst part is that your firewall will never detect it,
> much less prevent it.

I agree entirely...that's why I like a combination.
Freely allow outgoing traffic, but allow only authenticated incoming traffic.

Patrick
 _______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;).   \
| (\                                                                    |
| Patrick J. Horgan       Amdahl Corporation                \\   Have   |
| patrick@amdahl.com      1250 East Arques Avenue           \\ _ Sword  |
| Phone : (408)992-2779   P.O. Box 3470 M/S 316             \\/  Will   |
| FAX   : (408)773-0833   Sunnyvale, CA 94088-3470          _/\\ Travel |
\___________________________O16-2294________________________\)__________/

From firewalls-owner Tue Mar 7 09:47:55 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA01210 for firewalls-outgoing; Tue, 7 Mar 1995 09:17:22 -0800
Received: from uuneo.neosoft.com (uuneo.NeoSoft.COM [198.64.213.78]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA01205 for ; Tue, 7 Mar 1995 09:17:19 -0800
Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.6.10/8.6.10) with UUCP id LAA22922 for GreatCircle.COM!firewalls; Tue, 7 Mar 1995 11:02:03 -0600
Received: by ris1.nmti.com (smail2.5) id AA04951; 7 Mar 95 10:56:45 CST (Tue)
Received: by sonic.nmti.com; id AA02854; Tue, 7 Mar 1995 10:11:59 -0600
Message-Id: <9503071611.AA02854@sonic.nmti.com.nmti.com>
To: patrick@oes.amdahl.com (Patrick Horgan)
Cc: ems@ccrl.nj.nec.com, bdboyle@maverick.erenj.com, firewalls@GreatCircle.COM
Subject: Re: FW-1, etc.
In-Reply-To: Your message of "Tue, 07 Mar 95 07:58:39 +0800." <9503071558.AA03468@brittany.oes.amdahl.com>
X-Mailer: exmh version 1.4.1 7/21/94
Date: Tue, 07 Mar 95 10:11:58 -0600
From: peter@nmti.com
X-Mts: smtp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Good point! If I was writing a trojan horse attack I'd look for socks if
> I couldn't connect. This could be found via an environment variable, or
> via using strings against rftp, or rtelnet. That would get me into more
> places;)

Good reason not to run socks, or anything else that has proxies compiled in or saves them in a config file. Netscape, for example (I guess you could tunnel IP through HTTP POST requests, though it'd be a trifle slow).

It's an awful lot of work to go through for the cybernetic equivalent of strolling through a parking lot looking for unlocked doors, though. I'll put The Club on my car, but not a Denver Boot.

--
Peter da Silva `-_-'
Network Management Technology Incorporated 'U`
1601 Industrial Blvd. Sugar Land, TX 77478 USA
+1 713 274 5180 "Hast du Heute schon deinen Wolf umarmt?"

From firewalls-owner Tue Mar 7 09:55:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA00647 for firewalls-outgoing; Tue, 7 Mar 1995 08:56:31 -0800
Received: from gate.demon.co.uk (gate.demon.co.uk [158.152.1.65]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA00642 for ; Tue, 7 Mar 1995 08:56:28 -0800
Received: from fusion.demon.co.uk by gate.gate.demon.co.uk id aa16069; 7 Mar 95 16:48 GMT
Received: by fsl.com (4.1/1.2) id AA10345; Tue, 7 Mar 95 16:44:57 GMT
Date: Tue, 7 Mar 95 16:44:57 GMT
From: Dave Hodgkinson
Message-Id: <9503071644.AA10345@fsl.com>
To: daveh@fsl.com
Cc: firewalls@greatcircle.com
In-Reply-To: <9503071442.AA03755@fsl.com> (message from Dave Hodgkinson on Tue, 7 Mar 95 14:42:42 GMT)
Subject: Re: IPX traffic through a firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

NETBIOS/NETBEUI encapsulated in IP. UDP look-up services that NT uses can cause quite an increase in wide-area traffic if not directed to a single host.

Strictly, it's netbios over UDP as spec-ed in rfc1002/1001.

And TCP...
From firewalls-owner Tue Mar 7 10:04:38 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA01586 for firewalls-outgoing; Tue, 7 Mar 1995 09:36:54 -0800
Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA01581 for ; Tue, 7 Mar 1995 09:36:51 -0800
Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.28.1 #5) id m0rm39M-0000fSC; Tue, 7 Mar 95 09:34 PST
Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA03630; Tue, 7 Mar 1995 09:34:39 +0800
Date: Tue, 7 Mar 1995 09:34:39 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
Message-Id: <9503071734.AA03630@brittany.oes.amdahl.com>
To: peter@nmti.com
Subject: Re: FW-1, etc.
Cc: firewalls@GreatCircle.COM, socks@inoc.dl.nec.com
X-Sun-Charset: US-ASCII
content-length: 1500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> It's an awful lot of work to go through for the cybernetic equivalent of
> strolling through a parking lot looking for unlocked doors, though. I'll
> put The Club on my car, but not a Denver Boot.

The "nice" thing though is that you only have to write it once, and the computer (and the victim's computer at that), does the work.

I just did a quick hack of a sample socket communications server/client pair I had. I "socksified" it, and wrote a routine that looks in /usr/local/bin for rftp. I used regexpr(3G) routines to search through it for dots. Then I took the results and used putenv on each in turn to try them as the SOCKS_SERVER...it worked almost instantly:(

It's a frightening trojan possibility. Ying-Da Lee recommends in the README that comes with socks that for convenience SOCKS_DEFAULT_SERVER be set in include/socks.h. For security it shouldn't.

Patrick
 _______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;).   \
| (\                                                                    |
| Patrick J. Horgan       Amdahl Corporation                \\   Have   |
| patrick@amdahl.com      1250 East Arques Avenue           \\ _ Sword  |
| Phone : (408)992-2779   P.O. Box 3470 M/S 316             \\/  Will   |
| FAX   : (408)773-0833   Sunnyvale, CA 94088-3470          _/\\ Travel |
\___________________________O16-2294________________________\)__________/

From firewalls-owner Tue Mar 7 10:20:32 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA01768 for firewalls-outgoing; Tue, 7 Mar 1995 09:43:00 -0800
Received: from gateway.toploguk.co.uk (gateway.toploguk.co.uk [193.119.169.250]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA01763 for ; Tue, 7 Mar 1995 09:42:52 -0800
From: Paul Crossley
To: firewalls@GreatCircle.com
Subject: application proxies versus packet filters
X-Mailer: ScoMail 1.0
Date: Tue, 7 Mar 1995 17:25:34 +0000 (GMT)
Message-ID: <9503071725.aa14112@gateway.toploguk.co.uk>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Forwarded by paul with comment:

>From relay3.uu.net!greatcircle.com!firewalls-owner Mon Mar 6 20:59:50 1995
>From: smb@research.att.com
>Message-Id: <199503061615.IAA21561@miles.greatcircle.com>
>To: firewalls@greatcircle.com
>Subject: application proxies versus packet filters
>Date: Mon, 06 Mar 95 11:05:30 EST
>Sender: firewalls-owner@greatcircle.com
>
>Here's a simple example, taken from Brent Chapman's paper on problems
>with packet filters. You want to allow inbound and outbound mail, so
>you have rules that look like this (I'm simplifying Brent's example
>slightly):
>
> in src:external,dst:internal=25
> out src:internal,dst:external>=1024
>
> out src:internal,dst:external=25
> in src:external,dst:internal>=1024
>
>The first pair of rules permits packets to the inside mailer, and return
>flow to the client; the second pair permits packets to an outside mailer,
>and the return flow to an unprivileged port.
>But the combination of the
>second and fourth rules permits conversations between any high-numbered
>inside port and a high-numbered outside port. This may not be evil, but
>it was not what was intended by the rule set.

Part of our firewall uses a NAT router, this has what I consider to be a nice facility in that you can filter on both source and destination port hence rule 2 becomes

 out src:internal port=25, dst:external port>=1024

and rule 4 becomes

 in src:external port=25, dst:internal port>=1024

I'm still no expert, and checking which source ports are used has been a question of watching the connections with netstat whilst filtering is off, but it does seem more specific and therefore to my mind more secure than destination port filtering alone.

Alas the NAT does not support static arp entries or filtering for Established connections (this may be possible using a generic filter to the ethernet packet but I've not tried this yet) however I'm not quite sure how much of a loss this is given that I can check the incoming port for telnet is 23 and then let it through.

What I would love to see is filtering for both source and destination port as well as established connections. i.e. so that I could allow incoming connections from port 23 where the packet can be seen to be a response. The CISCO that we also have allows all established tcp packets through or none, to my mind this is a shame. The more specific I can be with the filters the more I feel in control (and yes the more likely I am to mess up whilst building the filters but that's a small price to pay).

Does anyone know of a router that allows filtering such as I describe or have I missed something that makes the idea unsound ?

                                ___
                               (' ')
---------------------------oOO--(_)--OOo---------------------------------
Paul Crossley (paul@toploguk.co.uk)
Senior Consultant SCO ACE
TopLog Limited
TopLog House, Knaves Beech Business Centre, Loudwater, Bucks. HP10 9QY
Phone (01628) 819444 Fax (01628) 819356
-------------------------------------------------------------------------

From firewalls-owner Tue Mar 7 10:40:23 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA02399 for firewalls-outgoing; Tue, 7 Mar 1995 09:58:54 -0800
Received: from doug.med.utah.edu (doug.med.utah.edu [155.100.60.25]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA02394 for ; Tue, 7 Mar 1995 09:58:50 -0800
Received: from cortez.mirl (cortez.med.utah.edu [155.100.60.21]) by doug.med.utah.edu (8.6.10/8.6.6-don-c) with SMTP id LAA29375 for ; Tue, 7 Mar 1995 11:00:53 -0700
Received: by cortez.mirl (5.x/SMI-SVR4) id AA08631; Tue, 7 Mar 1995 11:00:50 -0700
Date: Tue, 7 Mar 1995 11:00:50 -0700
From: don@doug.med.utah.edu (Don Baune 581-6088 MIRL)
Message-Id: <9503071800.AA08631@cortez.mirl>
To: firewalls@GreatCircle.COM
Subject: mail through fwtk
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

All,

I currently have a dual homed sparc with the fwtk partially running. I have run into a roadblock attempting to get the mail configured. snmp is configured into the inetd.conf and smapd running from the rc.local. If I telnet to the firewall and send a sample mail message it ends up in the in queue and eventually the smapd picks up the mail message and delivers it to the error mail queue.

Question: As I understand it the smapd uses sendmail to attempt a final delivery of the mail message. So how should the sendmail.cf file be configured? It looks like to me that the firewall is receiving mail both from the outside world that should be delivered to the inside mail host and mail from the inside net that should be delivered to the outside world of the internet. I hope to be able to support several mailhosts/mail domains on the inside net if this makes any difference in the sendmail.cf. Does it make sense to use the stock sun sendmail that comes with the SunOS 4.1.3?
Any help, sample sendmail.cf or direction would be greatly appreciated.

thanks,
-don
don@doug.med.utah.edu

From firewalls-owner Tue Mar 7 11:17:32 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA04882 for firewalls-outgoing; Tue, 7 Mar 1995 11:09:23 -0800
Received: from mailman.nsf.gov (mailman.nsf.gov [128.150.11.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA04877 for ; Tue, 7 Mar 1995 11:09:20 -0800
From: kdante@nsf.gov
Received: from xrelay.nsf.gov by mailman.nsf.gov with SMTP id AA22164 (5.65c/IDA-1.4.4 for ); Tue, 7 Mar 1995 14:07:32 -0500
Received: from cc:Mail by xrelay.nsf.gov id AA794606659; Tue, 07 Mar 95 11:43:11 EST
Date: Tue, 07 Mar 95 11:43:11 EST
Message-Id: <9502077946.AA794606659@xrelay.nsf.gov>
To: firewalls@greatcircle.com
Subject: Windows95
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anybody looked into the security problems a firewall might have with Windows95? I have seen lots of talk about Windows NT and Windows 3.x, but Windows95 seems to have been overlooked.

From firewalls-owner Tue Mar 7 11:37:21 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA04831 for firewalls-outgoing; Tue, 7 Mar 1995 11:05:44 -0800
Received: from relay.tis.com (relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA04826 for ; Tue, 7 Mar 1995 11:05:42 -0800
Received: from unknown(192.33.112.100) by relay.tis.com via smap (a1.4) id sma003167; Tue Mar 7 14:02:49 1995
Message-Id: <9503071902.AA26044@tis.com>
From: Frederick M Avolio
X-Organization: Trusted Information Systems, Inc.
X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363
To: firewalls@greatcircle.com
Subject: Re: mail through fwtk
In-Reply-To: Your message of Tue, 07 Mar 95 11:00:50 -0700.
 <9503071800.AA08631@cortez.mirl>
Date: Tue, 07 Mar 95 14:02:40 -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I apologize to the firewalls mailing list for all of the FWTK related mail. The README files that come with the FWTK clearly point people to the proper mailing lists for FWTK specific questions. What concerns me is that if people aren't reading the README files what else are they not reading as they self-install such a critical piece of security. That said, I can't think of anything else we can do to tighten things up.

Fred

From firewalls-owner Tue Mar 7 11:47:41 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA05252 for firewalls-outgoing; Tue, 7 Mar 1995 11:27:19 -0800
Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA05247; Tue, 7 Mar 1995 11:27:16 -0800
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 7 Mar 1995 11:25:27 -0800
To: Paul Crossley , firewalls@GreatCircle.com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: application proxies versus packet filters
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 9:25 AM 3/7/95, Paul Crossley wrote:
>>Here's a simple example, taken from Brent Chapman's paper on problems
>>with packet filters. You want to allow inbound and outbound mail, so
>>you have rules that look like this (I'm simplifying Brent's example
>>slightly):
>
>> in src:external,dst:internal=25
>> out src:internal,dst:external>=1024
>
>> out src:internal,dst:external=25
>> in src:external,dst:internal>=1024
>
>>The first pair of rules permits packets to the inside mailer, and return
>>flow to the client; the second pair permits packets to an outside mailer,
>>and the return flow to an unprivileged port.
>>But the combination of the second and fourth rules permits conversations between any high-numbered inside port and a high-numbered outside port. This may not be evil, but it was not what was intended by the rule set.
>
>Part of our firewall uses a NAT router; this has what I consider to be a nice facility in that you can filter on both source and destination port, hence rule 2 becomes
>
> out src:internal port=25, dst:external port>=1024
>
>and rule 4 becomes
>
> in src:external port=25, dst:internal port>=1024
>
>I'm still no expert, and checking which source ports are used has been a question of watching the connections with netstat whilst filtering is off, but it does seem more specific and therefore to my mind more secure than destination port filtering alone.

Yes, but... You still have to worry about a slightly smarter attacker who uses port 25 as the _client_ port on their end to attack ports above 1024 on your end (for instance, port 6000, where your X server lives). You have no way of knowing for sure what a remote machine is running on a given port; it's not safe to assume that something is part of an SMTP connection just because it comes from port 25.

Trying to block these attacks by trying to block incoming packets to "dangerous" port numbers on your end (like 6000) is probably hopeless; you're almost guaranteed to leave something off your list of "dangerous" port numbers.

You really need to look at the "established" state of the connection (i.e., examine the ACK bits of the incoming TCP packets) to safeguard yourself against this type of attack; you can't do it with source/destination filtering alone. To block the attack described above, you simply block incoming packets that DON'T have the ACK bit set (i.e., that are the first packets from a client to a server, attempting to open a connection).
Cisco's "established" keyword would be much more useful if it could be combined with port restrictions; even simply being able to say "deny all non-established TCP connections" would be more useful than what you can do now, which is essentially to say "allow all established TCP connections".

-Brent

--
== For info about the Internet Security Firewalls Tutorial and a schedule ==
== of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM ==
==============================================================================
== Brent Chapman Great Circle Associates ==
== Brent@GreatCircle.COM 1057 West Dana Street ==
== +1 415 962 0841 Mountain View, CA 94041 ==

From firewalls-owner Tue Mar 7 12:02:06 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA04694 for firewalls-outgoing; Tue, 7 Mar 1995 11:00:34 -0800
Received: from ford.gbnet.org (ford.gbnet.org [192.188.96.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA04689 for ; Tue, 7 Mar 1995 11:00:29 -0800
Received: (from steve@localhost) by ford.gbnet.org (8.6.10/8.6.10) id SAA25347; Tue, 7 Mar 1995 18:57:22 GMT
From: Steve Kennedy
Message-Id: <199503071857.SAA25347@ford.gbnet.org>
Subject: Re: IPX traffic through a firewall
To: fusion!daveh@uunet.uu.net (Dave Hodgkinson)
Date: Tue, 7 Mar 1995 18:57:21 +0000 (GMT)
Cc: daveh@fsl.com, firewalls@GreatCircle.COM
In-Reply-To: <9503071644.AA10345@fsl.com> from "Dave Hodgkinson" at Mar 7, 95 04:44:57 pm
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1764
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

According to Dave Hodgkinson
> NETBIOS/NETBEUI encapsulated in IP. UDP look-up services that NT uses can cause quite an increase in wide-area traffic if not directed to a single host.
> Strictly, it's netbios over UDP as spec-ed in rfc1002/1001.
> And TCP...

It's actually NetBIOS over IP ...
and the protocol used is SMB (server message block).

SMB is an X/Open protocol and NetBIOS over IP is specified in RFC1000 and 1001.

The NetBIOS name service is udp based on port 137, the session service is tcp based on port 139. There is also a NetBIOS datagram service on port 138 (which I think is udp based).

SMB type systems use broadcasts to find name servers (or in Windows for WorkGroups browse masters). However you can use things like WINS servers which will do lookups for other machines.

These types of discussions should probably move to comp.protocols.smb

There is also a nice UNIX SMB server called Samba which allows UNIX hosts to serve SMB clients using tcp/ip (WfWG, LAN Man et al). This is available from
ftp://nimbus.anu.edu.au/pub/tridge/samba (home site)
ftp://ftp.demon.co.uk/pub/unix/samba
ftp://src.doc.ic.ac.uk/pub/packages/samba (I think)

Regards

Steve
--
Flat 2, 43 Howitt Road, Belsize Park, London NW3 4LU [MIME OK]
tel +44-(0)171 483 1169
steve@gbnet.{com,org,net} home (or steve@tel.net)
steve@marvin.demon.co.uk Demon Internet
WWW http://www.demon.co.uk/subscribers/m/marvin/
steve@NetTek.co.uk UNIX/Networking Consulting
GSM 0802 444500
Dial-up data 2400 449500, 9600 449501, fax 449502

From firewalls-owner Tue Mar 7 13:47:32 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA08803 for firewalls-outgoing; Tue, 7 Mar 1995 13:38:09 -0800
Received: from doug.med.utah.edu (doug.med.utah.edu [155.100.60.25]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA08793 for ; Tue, 7 Mar 1995 13:38:05 -0800
Received: from cortez.mirl (cortez.med.utah.edu [155.100.60.21]) by doug.med.utah.edu (8.6.10/8.6.6-don-c) with SMTP id OAA00452 for ; Tue, 7 Mar 1995 14:40:08 -0700
Received: by cortez.mirl (5.x/SMI-SVR4) id AA08643; Tue, 7 Mar 1995 14:40:03 -0700
Date: Tue, 7 Mar 1995 14:40:03 -0700
From: don@doug.med.utah.edu (Don Baune 581-6088 MIRL)
Message-Id:
<9503072140.AA08643@cortez.mirl>
To: firewalls@GreatCircle.COM
Subject: Re: mail through fwtk
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

All,

PLEASE accept my apologies for posting this request to this group. I can see now (after many have pointed it out to me) that this was entirely inappropriate for this list. I now can see that it is more for a discussion of generic issues and not specifics.

back to lurk mode,
don

From firewalls-owner Tue Mar 7 14:07:56 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA08531 for firewalls-outgoing; Tue, 7 Mar 1995 13:26:21 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA08526 for ; Tue, 7 Mar 1995 13:26:16 -0800
From: jet@abulafia.genmagic.com
Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA15906; Tue, 7 Mar 95 16:23:58 -0500
Date: Tue, 7 Mar 95 16:23:58 -0500
Message-Id: <9503072123.AA15906@uvs1.orl.mmc.com>
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Cc: "firewalls@greatcircle.com"@uvs1.dnet.mmc.com
Subject: Nasty scripts
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

"padgett" == A. Padgett Peterson, P.E. Information Security writes:

padgett> thing. Often the major difference is that of the difference between a surgical hammer and a ten pound sledge: a professional uses tools designed with the thought "first, do no harm" while the nasty-grams are "first, break that sucker".

You insult system crackers. A good cracker would want to use the surgical tool in hopes of causing as little damage and *not* being noticed.

padgett> will happen (see Turing).
padgett> Have even been flamed at work by higherups who do not understand when I refuse to break into systems "for a demo" without the system owner/admin knowing about it and agreeing to it.

ditto, or told I'm doing a bad job because I don't have any "breakins prevented" totals. :-)

From firewalls-owner Tue Mar 7 14:19:00 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA08551 for firewalls-outgoing; Tue, 7 Mar 1995 13:27:39 -0800
Received: from oxygen.house.gov (oxygen.house.gov [137.18.128.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA08546 for ; Tue, 7 Mar 1995 13:27:36 -0800
Received: by oxygen.house.gov (AIX 3.2/UCB 5.64/3.2.083191-) id AA19496; Tue, 7 Mar 1995 16:25:08 -0500
Date: Tue, 7 Mar 1995 16:25:08 -0500
From: johns@oxygen.house.gov (John Schnizlein)
Message-Id: <9503072125.AA19496@oxygen.house.gov>
To: firewalls@GreatCircle.com
Subject: Re: application proxies versus packet filters
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Brent (the magnanimous) says:
> You really need to look at the "established" state of the connection (i.e., examine the ACK bits of the incoming TCP packets) to safeguard yourself against this type of attack; you can't do it with source/destination filtering alone. To block the attack described above, you simply block incoming packets that DON'T have the ACK bit set (i.e., that are the first packets from a client to a server, attempting to open a connection).
>
> Cisco's "established" keyword would be much more useful if it could be combined with port restrictions; even simply being able to say "deny all non-established TCP connections" would be more useful than what you can do now, which is essentially to say "allow all established TCP connections".

Actually, you should remember that the lines in a Cisco access-list are in priority of application order.
To combine the "established" keyword line with others, you enter the higher priority statements first, e.g.

 permit tcp from-anybody to-mail-relay to-SMTP-port

then, at a lower priority so that others can establish a connection to mail,

 permit tcp from-anybody to-any-internal established

then, unless you want to trust the implicit deny everything,

 deny tcp from-anybody to-anybody.

(The student enjoys telling his teacher what he learned ;-) (at the Usenix conference when you offered to set up this list)

-- John

From firewalls-owner Tue Mar 7 14:49:07 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA08899 for firewalls-outgoing; Tue, 7 Mar 1995 13:43:00 -0800
Received: from little-miami.iac.net (little-miami.iac.net [198.180.60.135]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA08894 for ; Tue, 7 Mar 1995 13:42:57 -0800
Received: by little-miami.iac.net id QAA01685; Tue, 7 Mar 1995 16:40:39 -0500
Date: Tue, 7 Mar 1995 16:40:38 -0500 (EST)
From: Carl Jolley
To: Don Baune 581-6088 MIRL
cc: firewalls@GreatCircle.COM
Subject: Re: mail through fwtk
In-Reply-To: <9503071800.AA08631@cortez.mirl>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

After you have made your telnet connection and logged in, are you considered inside the firewall or outside the firewall? When you send your mail, are you considered inside the firewall or outside the firewall? Are you sending mail to an "inside" address or an "outside" address? Do you have your system configured so that all mail, including from and to "inside", goes through the firewall?

**** cjolley@iac.net **** All opinions are my own and not necessarily those of my employer ****

On Tue, 7 Mar 1995, Don Baune 581-6088 MIRL wrote:

> All,
>
> I currently have a dual homed sparc with the fwtk partially running. I have run into a roadblock attempting to get the mail configured.
> smap is configured into the inetd.conf and smapd running from the rc.local. If I telnet to the firewall and send a sample mail message it ends up in the in queue and eventually the smapd picks up the mail message and delivers it to the error mail queue.
>
> Question:
> As I understand it the smapd uses sendmail to attempt a final delivery of the mail message. So how should the sendmail.cf file be configured? It looks to me like the firewall is receiving mail both from the outside world that should be delivered to the inside mail host and mail from the inside net that should be delivered to the outside world of the internet.
>
> I hope to be able to support several mailhosts/mail domains on the inside net if this makes any difference in the sendmail.cf. Does it make sense to use the stock sun sendmail that comes with the SunOS 4.1.3?
>
> Any help, sample sendmail.cf or direction would be greatly appreciated.
>
> thanks,
>
> -don
> don@doug.med.utah.edu
>
>

From firewalls-owner Tue Mar 7 14:57:31 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA08760 for firewalls-outgoing; Tue, 7 Mar 1995 13:35:39 -0800
Received: from alcapone.cnes.fr (alcapone.cnes.fr [132.149.22.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA08755 for ; Tue, 7 Mar 1995 13:35:35 -0800
Received: from paclas01 (paclas01.siege.cnes.fr [132.149.253.197]) by alcapone.cnes.fr (8.6.10/RH-19950228.01) with ESMTP id WAA19275 for ; Tue, 7 Mar 1995 22:32:47 +0100
Received: from paocr07 (paocr05 [132.149.253.18]) by paclas01 (8.6.9/MH-94081601) with SMTP id WAA01142 for ; Tue, 7 Mar 1995 22:34:47 +0100
Message-Id: <199503072134.WAA01142@paclas01>
X-Sender: salome@paclas01.siege.cnes.fr
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 07 Mar 1995 22:36:44 +0100
To: firewalls@GreatCircle.COM
From: Eric.Salome@siege.cnes.fr (Eric Salomé)
Subject: CD-ROM on bastion hosts
X-Mailer:
Sender:
firewalls-owner@GreatCircle.COM
Precedence: bulk

As one of the group suggested, Read Only bootable / root / other file systems can more easily be built out of SCSI disks than from CD-ROM.

Some SCSI disks do have a strap preventing / allowing write operations on the disk. It seems to me pretty safe and can't be overruled by software. I was told QUANTUM (ATLAS series SCSI disks) have a strap for that purpose and they should work on any SCSI (fast / wide and so forth) your Unix system provides (including SUN/Solaris, for what I know). Other brands might do as well.

Once the disk has been updated, is bootable and contains root, /usr and other useful partitions, you only have to put the strap on to prevent any further updates of the disk. (We should lobby and have an external switch).
-> Next time you need to "burn" a new file system, just put the strap off.

Needed writable partitions can be created right from scratch in memory (/tmp) or on other writable disks using new mkfs at boot time. You might as well use programs (residing in your read-only partitions) to "clean" only dirt/nasty files from your writable partitions if you're confident enough.

I haven't checked yet if any essential system or security files should reside on a writable file system, and I hope not (the candide side of me).

Ensure good policy regarding physical access to the disks (that should not be the hardest to do :-)

Did anybody have an experience in doing so on a Solaris bastion host ?
Eric Salome - CERTIX
Eric.Salome@siege.cnes.fr
(ALTIOR Consultant at the CNES)
**** All opinions expressed are my own and not necessarily those of my employer ****

From firewalls-owner Tue Mar 7 15:09:22 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA09161 for firewalls-outgoing; Tue, 7 Mar 1995 13:53:00 -0800
Received: from donews.cts.com (donews.cts.com [192.188.72.21]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA09146 for ; Tue, 7 Mar 1995 13:52:56 -0800
Received: from mmp.com by donews.cts.com with uucp (Smail3.1.28.1 #18) id m0rm79L-0001v2C; Tue, 7 Mar 95 13:50 PST
Received: by mmp.com (4.1/SMI-4.1) id AA04685; Tue, 7 Mar 95 09:09:52 PST
Date: Tue, 7 Mar 95 09:09:52 PST
From: root@mmp.com (Operator)
Message-Id: <9503071709.AA04685@mmp.com>
To: patrick@oes.amdahl.com, Firewalls@greatcircle.com
Subject: Re: FW-1, etc.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> You know I don't think you really understand how multicasting works. It's just another ip packet with a class D address, and routers that know how to route them. They don't contain the list of members within them. There is an area of concern here, in that a really good packet-filtering firewall should understand IGMP. The administrator needs to decide if multicasting is supported, and which direction. Thankfully class D's are never allowed to be in the source field of a packet, and you should probably reject any packets like that. This means that we can still tell if a connection origination is from the inside or the outside.

From what I have gathered (Pg 46 of the FW inet security book, the mbone faq, and this mailing list) I have gathered the following.

mbone-faq
-----------

Security risks depend on the application. Most MBONE applications cannot be coaxed into writing to disk by arriving packets; they also do not run set-uid.
One possible exception might be the LBL whiteboard, wb, since it contains a PostScript interpreter. As with any network application, it is possible for users to pick up an attractive-looking multicast application that acts as a Trojan horse or virus.

Currently, all MBONE applications use UDP. While only machines that subscribe to a particular multicast address will receive multicast packets, multicast is at the IP layer and thus all UDP packets arriving with a given destination address will be accepted by the kernel. As an example, a host receiving audio on port 3456 at a certain multicast address will also unwittingly receive (possibly malicious) NFS packets sent to the same multicast address and different port. Thus, any filtering routers have to inspect the UDP payload within the IP-over-IP packet for unwanted UDP ports or non-UDP protocols.

If a tunnel crosses a protection boundary, IGMP packets (protocol 2) and IP-in-IP (protocol 4) traverse the tunnel. Since IGMP is separate from regular routing, external users cannot influence the internal routing of unicast packets.

Sites that restrict incoming TCP and UDP traffic should be aware that MBONE traffic, without any action by internal users, may impose additional load on the network and thus impair the working of the internal network until the appropriate mrouted daemons are terminated.

firewall's mailing list summary
-------------------------------

From firewalls-owner@GreatCircle.COM Thu Jul 21 09:26:41 1994
From: ems@ccrl.nj.nec.com (Ed Strong)
Date: Thu, 21 Jul 94 09:42:35 EDT
To: firewalls@GreatCircle.COM
Subject: Re: MBONE security
Sender: Firewalls-Owner@GreatCircle.COM
Content-Length: 1366

A summary of responses of sorts. You probably won't like it.

Basically MBONE falls into the "killer app" category, similar to mosaic. It's not secure, no one has a fix for it yet. You accept the important binaries on faith in order to run it.
However MBONE (again like mosaic) is in such demand that many sites run it nevertheless. (Those "real-time" space shuttle camera views are too cool to miss.)

I was fortunate to be able to commune in person with various firewall "gods" last week, at a local security seminar. No one has a good answer yet. To be consistent about security MBONE should only be available in a DMZ zone or some such.

Glamor aside, unless MBONE is critical to your org's mission, it should not be let inside at the present time. The rationale I keep hearing is that important seminars are held via MBONE. My impression though, is that at present most of the traffic is the aforementioned cool video scenes.

and I'm sure everyone has the FW I-net security book so I won't throw that into this already large message..

In short, there are security risks.

Jeromie Jackson
Garrison Associates
Phone: 619-793-8223
Fax : 619-793-1124

From firewalls-owner Tue Mar 7 15:25:36 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA11597 for firewalls-outgoing; Tue, 7 Mar 1995 15:15:37 -0800
Received: from morakot.nectec.or.th (morakot.nectec.or.th [192.150.251.21]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA11591 for ; Tue, 7 Mar 1995 15:15:30 -0800
Received: from kmitnb03.kmitnb.ac.th.kmitnb.ac.th by morakot.nectec.or.th (8.6.8/1.34) id GAA27649; Wed, 8 Mar 1995 06:13:46 +0700
Received: from localhost.nectec.or.th by morakot.nectec.or.th (8.6.8/1.34) id GAA27649; Wed, 8 Mar 1995 06:13:46 +0700
Received: by kmitnb03.kmitnb.ac.th.kmitnb.ac.th (5.x/SMI-SVR4) id AA19323; Wed, 8 Mar 1995 06:09:31 -0700
Date: Wed, 8 Mar 1995 06:09:31 -0700 (GMT)
From: Pradit Pitaksathienkul
Subject: Snoop purpose ?
To: firewalls@greatcircle.com
In-Reply-To: <9503070837.ZM10905@maverick.erenj.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've doubted what is the purpose of the 'snoop' command. I asked the network trainer; he said he doesn't know.

pradit

From firewalls-owner Tue Mar 7 15:57:47 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA11746 for firewalls-outgoing; Tue, 7 Mar 1995 15:19:32 -0800
Received: from morakot.nectec.or.th (morakot.nectec.or.th [192.150.251.21]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA11741 for ; Tue, 7 Mar 1995 15:19:19 -0800
Received: from kmitnb03.kmitnb.ac.th.kmitnb.ac.th by morakot.nectec.or.th (8.6.8/1.34) id GAA27667; Wed, 8 Mar 1995 06:17:19 +0700
Received: from localhost.nectec.or.th by morakot.nectec.or.th (8.6.8/1.34) id GAA27667; Wed, 8 Mar 1995 06:17:19 +0700
Received: by kmitnb03.kmitnb.ac.th.kmitnb.ac.th (5.x/SMI-SVR4) id AA19333; Wed, 8 Mar 1995 06:13:07 -0700
Date: Wed, 8 Mar 1995 06:13:06 -0700 (GMT)
From: Pradit Pitaksathienkul
Subject: Re: FW-1, etc.
To: Rick Romkey
Cc: patrick@oes.amdahl.com, Firewalls@GreatCircle.COM
In-Reply-To: <199503071418.JAA11696@maddie.atlantic.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 7 Mar 1995, Rick Romkey wrote:

> > This is just blatantly wrong.
> >
> > > Well, that's definitely an easy one.. IP filtering is based on TCP header information, specifically (host,port,dst,port). Authentication of hosts is very weak. Anyone can claim to be 127.0.0.1, or an IP of any host on the network, and your packet filtering will believe it just because that's what's in the header.. Obviously this is what is called 'spoofing'.
> > >

I'm a beginner; I doubt that the above paragraph. Do you mean anyone can set his IP address to 127.0.0.1 for his machine, right?

pradit.

From firewalls-owner Tue Mar 7 16:17:22 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA13963 for firewalls-outgoing; Tue, 7 Mar 1995 16:09:28 -0800
Received: from morakot.nectec.or.th (morakot.nectec.or.th [192.150.251.21]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA13958 for ; Tue, 7 Mar 1995 16:09:22 -0800
Received: from kmitnb03.kmitnb.ac.th.kmitnb.ac.th by morakot.nectec.or.th (8.6.8/1.34) id HAA28153; Wed, 8 Mar 1995 07:04:33 +0700
Received: from localhost.nectec.or.th by morakot.nectec.or.th (8.6.8/1.34) id HAA28153; Wed, 8 Mar 1995 07:04:33 +0700
Received: by kmitnb03.kmitnb.ac.th.kmitnb.ac.th (5.x/SMI-SVR4) id AA19448; Wed, 8 Mar 1995 07:03:14 -0700
Date: Wed, 8 Mar 1995 07:03:14 -0700 (GMT)
From: Pradit Pitaksathienkul
Subject: Why UDP cannot be handled security ?
To: firewalls@greatcircle.com
In-Reply-To: <9503021250.ZM6168@maverick.erenj.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Excuse me, why UDP protocol cannot be handled for security access ?

pradit.
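An added example, not code from any list participant, that models the filtering behaviour argued over in this thread: Brent Chapman's point that port-only rules let an outside host using source port 25 reach inside ports above 1024 unless inbound TCP packets without the ACK bit are dropped, John Schnizlein's ordering of the SMTP permit ahead of the "established" permit, and Pradit's UDP question, where static rules cannot tell a DNS answer from an unsolicited datagram but a short-lived per-request return hole can. Hosts, ports and packets are constructed sample values.

```python
"""Toy packet filter contrasting the filtering styles discussed on the list.
Added example, not code from any list participant; hosts, ports and packets
are constructed sample values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "in": external -> internal, "out": internal -> external
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag (meaningless for UDP)


def static_allow(pkt):
    """Port-only filter: Brent's SMTP rule set with Paul Crossley's refinement of
    matching both ports, plus a DNS pair. First match wins; unmatched is dropped."""
    rules = [
        ("in",  "tcp", lambda s, d: s >= 1024 and d == 25),   # 1: to inside mailer
        ("out", "tcp", lambda s, d: s == 25 and d >= 1024),   # 2: inside mailer replies
        ("out", "tcp", lambda s, d: s >= 1024 and d == 25),   # 3: to outside mailer
        ("in",  "tcp", lambda s, d: s == 25 and d >= 1024),   # 4: outside mailer replies
        ("out", "udp", lambda s, d: s >= 1024 and d == 53),   # 5: DNS query out
        ("in",  "udp", lambda s, d: s == 53 and d >= 1024),   # 6: DNS answer back
    ]
    for direction, proto, match in rules:
        if (pkt.direction, pkt.proto) == (direction, proto) and match(pkt.sport, pkt.dport):
            return True
    return False


class StatefulFilter:
    """Static rules plus an ACK-bit ("established") test for inbound TCP and a
    per-request, expiring return hole for UDP."""
    def __init__(self, udp_timeout=30):
        self.udp_timeout = udp_timeout
        # (inside host, inside port, outside host, outside port) -> expiry time
        self.udp_holes = {}

    def decide(self, pkt, now=0):
        """Return (allowed, reason). Inbound TCP follows John Schnizlein's ordering:
        permit new connections only to the published SMTP port, then permit only
        established (ACK set) packets, then deny."""
        if not static_allow(pkt):
            return False, "no static rule matched"
        if pkt.proto == "tcp":
            if pkt.direction == "out":
                return True, "outbound tcp"
            if pkt.dport == 25:
                return True, "new connection to published SMTP port"
            if pkt.ack:
                return True, "established (ACK set)"
            return False, "inbound connection attempt without ACK"
        # UDP: only answers to a request we have seen leaving are let back in.
        if pkt.direction == "out":
            self.udp_holes[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.udp_timeout
            return True, "outbound udp, return hole opened"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        expiry = self.udp_holes.get(key)
        if expiry is None:
            return False, "unsolicited inbound udp"
        if now > expiry:
            del self.udp_holes[key]
            return False, "return hole expired"
        return True, "reply to pending udp request"


def demo():
    """Run the thread's scenarios through both filters; returns name -> allowed."""
    fw = StatefulFilter()
    probe = Packet("in", "tcp", "203.0.113.9", 25, "10.1.1.5", 6000)        # src port 25 -> X server
    reply = Packet("in", "tcp", "203.0.113.9", 25, "10.1.1.5", 40000, ack=True)  # mid-session SMTP reply
    smtp_in = Packet("in", "tcp", "203.0.113.9", 33000, "10.1.1.2", 25)     # outsider -> our mail relay
    query = Packet("out", "udp", "10.1.1.5", 50000, "198.51.100.53", 53)    # DNS query out
    answer = Packet("in", "udp", "198.51.100.53", 53, "10.1.1.5", 50000)    # its answer
    rogue = Packet("in", "udp", "198.51.100.53", 53, "10.1.1.5", 2049)      # unsolicited, from port 53
    return {
        "probe_static": static_allow(probe),                  # permitted by rule 4
        "probe_stateful": fw.decide(probe)[0],                # dropped: no ACK
        "reply_stateful": fw.decide(reply)[0],
        "smtp_in_stateful": fw.decide(smtp_in)[0],
        "rogue_static": static_allow(rogue),                  # permitted by rule 6
        "query_stateful": fw.decide(query, now=0)[0],
        "answer_stateful": fw.decide(answer, now=1)[0],
        "rogue_stateful": fw.decide(rogue, now=1)[0],         # no matching request
        "late_answer_stateful": fw.decide(answer, now=60)[0], # hole expired
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22s} {'permit' if allowed else 'deny'}")
```

The reason strings are what a real filter would log: the dropped probe and the unsolicited datagram are exactly the events worth alerting on.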
From firewalls-owner Tue Mar 7 16:25:03 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA12119 for firewalls-outgoing; Tue, 7 Mar 1995 15:26:23 -0800
Received: from donews.cts.com (donews.cts.com [192.188.72.21]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA12111 for ; Tue, 7 Mar 1995 15:26:17 -0800
Received: from mmp.com by donews.cts.com with uucp (Smail3.1.28.1 #18) id m0rm8bI-0002wKC; Tue, 7 Mar 95 15:23 PST
Received: by mmp.com (4.1/SMI-4.1) id AA06187; Tue, 7 Mar 95 15:20:19 PST
Date: Tue, 7 Mar 95 15:20:19 PST
From: root@mmp.com (Operator)
Message-Id: <9503072320.AA06187@mmp.com>
To: marius@CheckPoint.com, firewalls@greatcircle.com
Subject: Re: Anti-spoofing
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> What you are basically saying is the FireWall-1 can be easily spoofed to think it receives packets from lo0 or other trusted IP addresses. This is most definitely not the case. We have a powerful anti-spoofing mechanism that you can get from us for the current release of FW-1. In the next release, there is going to be an even more powerful mechanism built into the GUI per interface and into the log viewer so that any attempt would not only be stopped, but would also trigger a log/alert.
>

Marius, sorry for the confusion, although here's where I was coming from. IP header info is insecure. My choice of using localhost (127.0.0.1) obviously has caused problems. I was trying to state that having 'trusted' hosts that lie on the insecure/Inet side can have serious effects on IP filtering technologies. Obviously if you have a 'good side' and a 'bad side' then you can tell where localhost SHOULD BE coming from. This is not the case when you're dealing with a host that is on the outside that is also considered trusted.

Here is an example.. Let's say you allow att.com to be the only host who is allowed to access a TCP/IP service (IE: sendmail).
Strictly basing the passing of the packet on header information obviously is poor Identification & Authentication of the packet. As we all know, packets are quite easy to spoof. You can always go do DNS & Inverse DNS lookups to further authenticate, but even still the authentication mechanism is based on insecure data (header data). This being true, IP filtering has inherent weaknesses within it. IPV6 using the public/private key technology will definitely help this fight, but currently we don't have strong authentication of hosts. My comments were not necessarily directly related to FW-1; it also consumes the router market & the rest of the IP filtering hw/sf devices.

> As to packet tunneling, again you should have known by now that FW-1 can very easily be taught to look for such packets and then either drop them all together or even use the information embedded in the "real" packet for coming up with the proper security decision. This is the reason why many application designers are using FW-1 as their firewall when building MBone applications and others.
>

As for FW-1 being able to read tunneled packets, well that is something I had not heard of. I don't recall seeing it in any of the documentation that I received with the box, nor do I recall seeing it in any advertisements. Correct me if I'm wrong, I may have overlooked it, but if it's not in the dox I would definitely have to say that it would do great for your company to mention it. It would definitely show a good '+' over using FW-1 for IP filtering in contrast to the current router market that cannot do so!

> I would appreciate if you could post a correction to your previous posting or if you still hold on to your views, we could discuss this and possibly get to an understanding.

How are the relations with Qualix coming along?
>

For argument's sake, I would refer to Steven Bellovin's "Security Problems in the TCP/IP Protocol Suite" pg 11:

"7.1 Authentication
Many of the intrusions described above succeed only because the target host used the IP source address for authentication, and assumes it to be genuine. Unfortunately, there are sufficiently many ways to spoof this address that such techniques are all but worthless. Put another way, source address authentication is the equivalent of a file cabinet secured with an S100 lock; it may reduce the temptation level for more-or-less honest passers-by, but will do little or nothing to deter anyone even slightly serious about gaining entry. Some form of cryptographic authentication is needed..."

This is basically what I was getting at, although I believe he states it better. So again, for the record, my posts were not necessarily directed @ FW-1, but to IP filtering technology in general.

Jeromie Jackson
Garrison Associates
jeromie@mmp.com
619-793-8223
619-793-1124

From firewalls-owner Tue Mar 7 16:47:34 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA13629 for firewalls-outgoing; Tue, 7 Mar 1995 15:57:15 -0800
Received: from dee.retix.com (dee.retix.com [163.182.4.22]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA13624 for ; Tue, 7 Mar 1995 15:57:13 -0800
Received: from sleepy.retix.com (sleepy.retix.com [163.182.52.17]) by dee.retix.com (8.6.9/8.6.4) with ESMTP id PAA22949; Tue, 7 Mar 1995 15:54:59 -0800
From: joshua geller
Received: (joshua@localhost) by sleepy.retix.com (8.6.7/8.6.4) id PAA18059; Tue, 7 Mar 1995 15:54:59 -0800
Date: Tue, 7 Mar 1995 15:54:59 -0800
Message-Id: <199503072354.PAA18059@sleepy.retix.com>
To: pradit@kmitnb03.kmitnb.ac.th
CC: firewalls@GreatCircle.COM
In-reply-to: (message from Pradit Pitaksathienkul on Wed, 8 Mar 1995 06:09:31 -0700 (GMT))
Subject: Re: Snoop purpose ?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Pradit Pitaksathienkul writes:
> I've doubted, what is the purpose of 'snoop' command, I asked the network trainer, He said he don't know.
> pradit

to sniff your network.

josh

From firewalls-owner Tue Mar 7 16:47:37 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA14404 for firewalls-outgoing; Tue, 7 Mar 1995 16:24:18 -0800
Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA14399 for ; Tue, 7 Mar 1995 16:24:15 -0800
Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA28706; Tue, 7 Mar 95 19:21:43 -0500
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9503080021.AA28706@hawksbill.sprintmrn.com>
Subject: Re: IPX traffic through a firewall
To: steve@gbnet.org (Steve Kennedy)
Date: Tue, 7 Mar 1995 19:21:43 -0500 (EST)
Cc: fusion!daveh@uunet.uu.net, daveh@fsl.com, firewalls@GreatCircle.COM
In-Reply-To: <199503071857.SAA25347@ford.gbnet.org> from "Steve Kennedy" at Mar 7, 95 06:57:21 pm
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 1954
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> According to Dave Hodgkinson
> > NETBIOS/NETBEUI encapsulated in IP. UDP look-up services that NT uses can cause quite an increase in wide-area traffic if not directed to a single host.
> > Strictly, it's netbios over UDP as spec-ed in rfc1002/1001.
> > And TCP...
>
> It's actually NetBIOS over IP ... and the protocol used is SMB (server message block).
>
> SMB is an X/Open protocol and NetBIOS over IP is specified in RFC1000 and 1001.
>
> The NetBIOS name service is udp based on port 137, the session service is tcp based on port 139. There is also a NetBIOS datagram service on port 138 (which I think is udp based).
>
> SMB type systems use broadcasts to find name servers (or in Windows for WorkGroups browse masters).
> However you can use things like WINS servers which will do lookups for other machines.
>
> These types of discussions should probably move to comp.protocols.smb
>
> There is also a nice UNIX SMB server called Samba which allows UNIX hosts to serve SMB clients using tcp/ip (WfWG, LAN Man et al). This is available from
> ftp://nimbus.anu.edu.au/pub/tridge/samba (home site)
> ftp://ftp.demon.co.uk/pub/unix/samba
> ftp://src.doc.ic.ac.uk/pub/packages/samba (I think)
>

Regardless, it's still a broadcast service that has the potential to cause major problems. I use the term 'non-standard' loosely, since the standards for these services have been defined to accommodate broken non-traditional TCP/IP services.

Sorry -- I'm a native UNIX TCP/IP bigot at heart. Now, can we get back on topic with _firewalls_?

- paul
_______________________________________________________________________________
Paul Ferguson US Sprint tel: 703.689.6828
Managed Network Engineering internet: paul@hawk.sprintmrn.com
Reston, Virginia USA http://www.sprintmrn.com

From firewalls-owner Tue Mar 7 17:17:37 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA16268 for firewalls-outgoing; Tue, 7 Mar 1995 17:09:59 -0800
Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA16262 for ; Tue, 7 Mar 1995 17:09:55 -0800
Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA28980; Tue, 7 Mar 95 20:07:11 -0500
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9503080107.AA28980@hawksbill.sprintmrn.com>
Subject: Re: Why UDP cannot be handled security ?
To: pradit@kmitnb03.kmitnb.ac.th (Pradit Pitaksathienkul)
Date: Tue, 7 Mar 1995 20:07:11 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Pradit Pitaksathienkul" at Mar 8, 95 07:03:14 am
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 664
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Excuse me, why UDP protocol cannot be handled for security access?

It certainly CAN be handled the same as TCP, on a port-by-port basis. However, in cisco routers, for instance, there is no 'established' mechanism for originating services. That's where IN and OUT access parameters come in handy.

- paul

_______________________________________________________________________________
Paul Ferguson                                US Sprint
Managed Network Engineering                  tel: 703.689.6828
Reston, Virginia USA                         internet: paul@hawk.sprintmrn.com
                                             http://www.sprintmrn.com

From firewalls-owner Tue Mar 7 17:41:00 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA16142 for firewalls-outgoing; Tue, 7 Mar 1995 17:05:29 -0800
Received: from volitans.MorningStar.Com (volitans.MorningStar.Com [137.175.2.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA16137 for ; Tue, 7 Mar 1995 17:05:26 -0800
Received: from trigger.MorningStar.Com by volitans.MorningStar.Com (5.65a/94040804) id AA25831; Tue, 7 Mar 95 20:03:12 -0500
Received: by trigger.MorningStar.Com (5.65a/95020801) id AA00512; Tue, 7 Mar 95 20:03:07 -0500
From: Aydin Edguer
Message-Id: <9503080103.AA00512@trigger.MorningStar.Com>
Subject: Re: Why UDP cannot be handled security ?
To: firewalls@greatcircle.com
Date: Tue, 7 Mar 1995 20:03:06 -0500 (EST)
In-Reply-To: from "Pradit Pitaksathienkul" at Mar 8, 95 07:03:14 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 734
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Excuse me, why UDP protocol cannot be handled for security access?

UDP does not permit a router to differentiate between inbound packets requesting new services and inbound packets returning data to outbound requests. This means that, using static filters, you cannot offer inside users access to services based on UDP without giving outside users access to the same service inside your network.

The use of different types of "dynamic" filtering that some vendors offer permits a temporary hole to be created for the return packet(s) in response to an outbound request, thus limiting the vulnerability.

In my opinion, this is still not perfect but it is much better.

My opinions are not necessarily my company's and vice-versa.

From firewalls-owner Tue Mar 7 17:47:23 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA15428 for firewalls-outgoing; Tue, 7 Mar 1995 16:53:19 -0800
Received: from Calvin.musicpen.com ([204.168.14.200]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA15422 for ; Tue, 7 Mar 1995 16:53:13 -0800
Received: (from martin@localhost) by Calvin.musicpen.com (8.6.9/8.6.9) id TAA10396; Tue, 7 Mar 1995 19:56:25 -0500
Date: Tue, 7 Mar 1995 19:56:25 -0500
From: Martin Silbernagl
Subject: Re: Windows95
To: kdante@nsf.gov
cc: firewalls@GreatCircle.COM
In-Reply-To: <9502077946.AA794606659@xrelay.nsf.gov>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 7 Mar 1995 kdante@nsf.gov wrote:

> Has anybody looked into the security problems a firewall might
> have with Windows95?
> I have seen lots of talk about Windows NT
> and Windows 3.x, but Windows95 seems to have been overlooked.
>

As far as I understand, Windows95 is using a TCP/IP stack quite similar to the one used in NT3.5 and the one sold by MS as an add-on for WfW3.11. It is configurable (that is, from an end user's point of view), it routes (with two or more network cards or RAS), it is capable of utilizing DNS and/or WINS, complies with the DHCP RFC and so forth.

I don't think it does anything like running an anonymous FTP server or NFS stack without telling you; the only services that I have discovered are the basic ones (chargen, discard et alia) and the MS-Network over NetBios over WINS-Client (we've had discussions about this earlier on this list). The latter is a little bit dangerous, because the default is not NetBios over NetBEUI, but the binding to UDP/IP, so that you might end up thinking your Windows network traffic is invisible to your Internet Machines/Routers, but it isn't (that goes for NT servers, too).

Regarding its coexisting with firewalls, I can tell you that we are using Netscape and other proxy aware apps and they work quite well.

Please note that these statements can only be applied to version M8 of Win95 and earlier.

Martin Silbernagl
Music Pen Inc. NYC
My opinions are mine, unless I sell them.
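The two points made in this thread, Paul Ferguson's that a cisco router has no 'established' mechanism for UDP and Aydin Edguer's that a static filter must therefore open the reply port to everyone while "dynamic" filtering opens only a temporary hole, together with the NetBIOS-over-UDP ports (137/138) that the IPX/SMB thread and the Windows95 post warn about, can be shown with a small simulation. This is an added example written for this archive, not code from any list member or router vendor; the inside prefix 10.1.0.0/16, the addresses, the 30-second hole lifetime and the traffic are all constructed.

```python
"""Static vs dynamic (stateful) UDP filtering, simulated.

Constructed example, not list or vendor code.  Assumptions: the inside
network is 10.1.0.0/16 and every other address is outside; the service
inside users need is DNS on UDP/53; NetBIOS name and datagram traffic
(UDP/137-138) is refused in both directions.
"""
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.1.0.0/16")   # assumed internal prefix
DNS_PORT = 53
NETBIOS_UDP_PORTS = {137, 138}                 # name service, datagram service


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def inside(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INSIDE


def netbios(pkt: Packet) -> bool:
    return pkt.sport in NETBIOS_UDP_PORTS or pkt.dport in NETBIOS_UDP_PORTS


def static_filter(pkt: Packet) -> str:
    """Static rules only.  To let inside hosts query outside DNS servers the
    filter has to admit every inbound UDP packet whose source port is 53, so
    an outside host that simply sends from port 53 is admitted as well."""
    if netbios(pkt):
        return "deny"
    if inside(pkt.src) and not inside(pkt.dst) and pkt.dport == DNS_PORT:
        return "permit"                       # outbound query
    if not inside(pkt.src) and inside(pkt.dst) and pkt.sport == DNS_PORT:
        return "permit"                       # anything that looks like a reply
    return "deny"


class DynamicFilter:
    """Dynamic filtering: an outbound query opens a temporary hole for the
    exact reverse 4-tuple, and the hole expires after `ttl` seconds."""

    def __init__(self, ttl: float = 30.0):
        self.ttl = ttl
        self.holes = {}   # (inside_ip, inside_port, outside_ip, outside_port) -> expiry

    def decide(self, pkt: Packet, now: float) -> str:
        self.holes = {k: exp for k, exp in self.holes.items() if exp > now}
        if netbios(pkt):
            return "deny"
        if inside(pkt.src) and not inside(pkt.dst) and pkt.dport == DNS_PORT:
            self.holes[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.ttl
            return "permit"
        if not inside(pkt.src) and inside(pkt.dst):
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.holes:
                return "permit"               # reply to a request we saw go out
        return "deny"


def run_scenarios() -> dict:
    """Decisions of both filters on constructed traffic, as
    {scenario: (static_decision, dynamic_decision)}."""
    query = Packet("10.1.2.3", 40001, "192.0.2.53", DNS_PORT)
    reply = Packet("192.0.2.53", DNS_PORT, "10.1.2.3", 40001)
    unsolicited = Packet("198.51.100.9", DNS_PORT, "10.1.2.3", 40001)  # never asked for
    nb_broadcast = Packet("10.1.2.3", 137, "203.0.113.255", 137)

    dyn = DynamicFilter(ttl=30.0)
    return {
        "query":       (static_filter(query),        dyn.decide(query, now=0.0)),
        "reply":       (static_filter(reply),        dyn.decide(reply, now=1.0)),
        "unsolicited": (static_filter(unsolicited),  dyn.decide(unsolicited, now=1.0)),
        "late_reply":  (static_filter(reply),        dyn.decide(reply, now=300.0)),
        "netbios":     (static_filter(nb_broadcast), dyn.decide(nb_broadcast, now=301.0)),
    }


if __name__ == "__main__":
    for name, (s, d) in run_scenarios().items():
        print(f"{name:12s} static={s:7s} dynamic={d}")
```

The "unsolicited" and "late_reply" rows are the whole argument: the static filter admits both because it can only look at ports, while the dynamic filter admits a reply only while the hole its own outbound query opened is still alive. The hole is keyed on the full 4-tuple, which is what keeps a third party's packet from port 53 out even while a legitimate query is pending.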
From firewalls-owner Tue Mar 7 19:18:34 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA18786 for firewalls-outgoing; Tue, 7 Mar 1995 18:58:54 -0800
Received: from wolfe.wimsey.com (wolfe.wimsey.com [204.191.160.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA18781 for ; Tue, 7 Mar 1995 18:58:50 -0800
Received: by wolfe.wimsey.com (Smail3.1.28.1 #9) id m0rmBvP-000Ed3C; Wed, 8 Mar 95 02:56 GMT
Received: by ilinx.com (/\oo/\ Smail3.1.29.1 #29.6) id ; Tue, 7 Mar 95 18:27 PST
Message-Id:
Received: by miro.ilinx.com id ; Tue, 7 Mar 95 18:28:43 -0800
From: brian@imcon.ilinx.com
To: pradit@kmitnb03.kmitnb.ac.th
Subject: Re[2]: FW-1, etc.
Cc: pokey@maddie.atlantic.com, patrick@oes.amdahl.com, Firewalls@GreatCircle.COM
Date: Tue, 7 Mar 1995 18:28:42 -0700 (PST)
X-Mailer: Ishmail 1.0-hp-941109 Available via anonymous ftp from ftp.halsoft.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

from the quill of Pradit Pitaksathienkul on scroll

> I'm beginner, I doubt that the above paragraph, Do you mean anyone
> can set his IPaddress to 127.0.0.1 for his machine, right?
> pradit.

What it means is that the determined hacker may send packets to you with a source address of 127.0.0.1, which a less than optimal firewall might allow through or process itself. Once it's on an authenticating machine on the firewall some software that is trusting of packets from 127.0.0.1 may process the packet and then... (lesson for the reader).

b.

--
Brian J. Murrell                              brian@ilinx.com
InterLinx Support Services, Inc.              brian@wimsey.com
North Vancouver, B.C.
604 983
UNIX Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD

From firewalls-owner Tue Mar 7 19:47:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA19026 for firewalls-outgoing; Tue, 7 Mar 1995 19:17:26 -0800
Received: from uuneo.neosoft.com (uuneo.NeoSoft.COM [198.64.213.78]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id TAA19021 for ; Tue, 7 Mar 1995 19:17:23 -0800
Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.6.10/8.6.10) with UUCP id VAA26530 for GreatCircle.COM!firewalls; Tue, 7 Mar 1995 21:05:54 -0600
Received: by ris1.nmti.com (smail2.5) id AA18859; 7 Mar 95 20:02:52 CST (Tue)
Received: by sonic.nmti.com; id AA31414; Tue, 7 Mar 1995 19:18:04 -0600
Message-Id: <9503080118.AA31414@sonic.nmti.com.nmti.com>
To: Eric.Salome@siege.cnes.fr (Eric Salomi)
Cc: firewalls@GreatCircle.COM
Subject: Re: CD-ROM on bastion hosts
In-Reply-To: Your message of "Tue, 07 Mar 95 22:36:44 +0100." <199503072134.WAA01142@paclas01>
X-Mailer: exmh version 1.4.1 7/21/94
Date: Tue, 07 Mar 95 19:18:04 -0600
From: peter@nmti.com
X-Mts: smtp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Needed writable partitions can be created right from scratch in memory
> (/tmp) or on other writable disks using new mkfs at boot time. You might as
> well use programs (residing in your read-only partitions) to "clean" only
> dirt/nasty files from your writable partitions if you're confident enough.

You'll need to have at least one file system mounted writable that isn't cleaned on boot to hold logging data. You could use a reduced functionality file system type (MSDOS, for example) for that, one that doesn't have any dangerous bits and can't hold devices. I believe Solaris supports an MS-DOS FS. I know SunOS does, at least on floppies.

--
Peter da Silva                                          `-_-'
Network Management Technology Incorporated               'U`
1601 Industrial Blvd.
Sugar Land, TX 77478 USA
+1 713 274 5180           "Hast du Heute schon deinen Wolf umarmt?"

From firewalls-owner Tue Mar 7 20:47:16 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA24221 for firewalls-outgoing; Tue, 7 Mar 1995 20:42:18 -0800
Received: from overdrive.ccrl.nj.nec.com (overdrive3.ccrl.nj.nec.com [138.15.104.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id UAA24203 for ; Tue, 7 Mar 1995 20:41:48 -0800
Received: by overdrive.ccrl.nj.nec.com (4.1/YDL1.9-920708.13) id AA26805(overdrive.ccrl.nj.nec.com); Tue, 7 Mar 95 23:38:06 EST
Date: Tue, 7 Mar 1995 23:38:05 -0500 (EST)
From: Ed Strong
X-Sender: ems@overdrive
To: peter@nmti.com
Cc: "Bryan D. Boyle" , firewalls@GreatCircle.COM
Subject: Re: FW-1, etc.
In-Reply-To: <9503071451.AA24769@sonic.nmti.com.nmti.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 7 Mar 1995 peter@nmti.com wrote:

> I'm interested in keeping out the average hackers. If a non-transparent
> proxy will keep out a carpet-bomb type broadcast attack, akin to the "virus"
> threat on PCs, then it's a useful tool. If FW-1 has some mechanism that will
> make this sort of thing harder, then that's useful too.
>

I'll try to be more succinct and rephrase what I wrote earlier. You're trying to do security by obscurity, hoping the unusual flavor of your particular non-transparent firewall cannot be handled by the trojan horse. Since there is no guarantee this will be true, how useful is it?

> So, back to my request... what does FW-1 or any other filtering firewall do
> that might be useful in countering this attack? If the answer's "you don't want
> to counter that attack in your firewall" then I'll take that as "nothing, and
> we're really defensive about it".

*Shrug* This attack will work on any firewall that provides transparency, it is not restricted to just filtering types.
It will also work, with some unpredictable probability, on the non-transparent proxy types. You and your company have to decide whether giving up transparency for an unknown increment of security against this particular attack is worthwhile. Just educating your user group about trojans will reduce the probability, while also maintaining the ease of use provided by transparent firewalls.

> --
> Peter da Silva                                          `-_-'
> Network Management Technology Incorporated               'U`
> 1601 Industrial Blvd. Sugar Land, TX 77478 USA
> +1 713 274 5180           "Hast du Heute schon deinen Wolf umarmt?"
>
>

Let's consider this in the extreme. You could require your internal trusted users to fumble with one-time password cards every time they want to reach out through the firewall. (Rough, but no sacrifice too great for security, etc.) But what if the trojan was designed to steal established connections once it is inside?

A reminder, for the best answers re: FW-1, you should contact checkpoint.com, not me. There is also an FW-1 mailing list: firewall-1@applicom.co.il

Um, is this trojan horse a dead horse yet?
-----------------------------------------------------------------------
Ed Strong                                  EMAIL: ems@ccrl.nj.nec.com
-----------------------------------------------------------------------

From firewalls-owner Wed Mar 8 02:17:58 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA29951 for firewalls-outgoing; Wed, 8 Mar 1995 01:49:20 -0800
Received: from sun2.nsfnet-relay.ac.uk (sun2.nsfnet-relay.ac.uk [128.86.8.45]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id BAA29937 for ; Wed, 8 Mar 1995 01:48:53 -0800
Message-Id: <199503080948.BAA29937@miles.greatcircle.com>
Via: uk.co.salford-software-services.e; Wed, 8 Mar 1995 09:42:30 +0000
Received: from pc4 (actually pc4.sss.co.uk) by e.sss.co.uk with SMTP (PP); Wed, 8 Mar 1995 09:36:26 +0000
From: Dave Wade
To: firewalls@greatcircle.com
Subject: Re: Windows95
X-Mailer: ProntoIP [version 1.01 Beta]
Date: Wed, 8 Mar 1995 09:36:30 +0000
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Provided you only do what you do today I don't think WIN95 is a risk. However if, for example, you use the MicroSoft Network who can tell what risks there are, as it's a closed architecture. However to my mind it violates the standard firewall rules. Perhaps we are going to need a new set of rules which say "You may only connect to MSN when you are not connected to the LAN". However that still doesn't mean it can't hack your LAN offline with a trojan.

This isn't the only bit of new networking functionality so the chances are there are other new holes to fall down!!!!
Can one be too paranoid :-)

Dave Wade
dw@sss.co.uk

From firewalls-owner Wed Mar 8 02:48:05 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id CAA00466 for firewalls-outgoing; Wed, 8 Mar 1995 02:21:34 -0800
Received: from pegase.total.fr (pegase.total.fr [146.249.41.223]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id CAA00446 for ; Wed, 8 Mar 1995 02:20:57 -0800
Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA19418; Wed, 8 Mar 95 11:17:38 +0100
Received: by tidtest.total.fr (4.1/SMI-4.1) id AA14210; Wed, 8 Mar 95 11:10:15 GMT
From: lavondes@tidtest.total.fr (Michel Lavondes)
Message-Id: <9503081110.AA14210@tidtest.total.fr>
Subject: Re: Nasty scripts
To: jet@abulafia.genmagic.com
Date: Wed, 8 Mar 95 11:10:14 GMT
Cc: firewalls@greatcircle.com (fw)
Reply-To: lavondes@tidtest.total.fr
In-Reply-To: <9503072123.AA15906@uvs1.orl.mmc.com>; from "jet@abulafia.genmagic.com" at Mar 7, 95 4:23 pm
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

jet@abulafia.genmagic.com wrote:
>
> [snip]
>
> You insult system crackers. A good cracker would want to use the
> surgical tool in hopes of causing as little damage and *not* being
> noticed.
>

"good cracker"? I hope what you mean is "careful" :-)

--
Michel Lavondes          |It's is not, it isn't ain't, and it's it's, not its,
lavondes@tidtest.total.fr|if you mean it is. If you don't, it's its. Then too,
Tel : +33-1-4135-4198    |it's hers. It isn't her's. It isn't our's, either.
#include                 |It's ours, and likewise yours and theirs.
From firewalls-owner Wed Mar 8 03:47:22 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id DAA01758 for firewalls-outgoing; Wed, 8 Mar 1995 03:22:19 -0800
Received: from wh.bayer.com (wh.bayer.com [192.80.67.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id DAA01753 for ; Wed, 8 Mar 1995 03:22:16 -0800
From: tws@wh.bayer.com
Received: by wh.bayer.com (4.1/SMI-4.1) id AA05522; Wed, 8 Mar 95 06:17:51 EST
Received: by mrcs1 (5.64/X1.00) id AA26910; Wed, 8 Mar 95 06:15:10 -0500
Date: Wed, 8 Mar 95 06:15:10 -0500
Message-Id: <9503081115.AA26910@mrcs1>
To: edguer@MorningStar.Com, firewalls@greatcircle.com
Subject: Re: Why UDP cannot be handled security ?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From firewalls-owner@GreatCircle.COM Tue Mar 7 21:10:33 1995
> From: Aydin Edguer
> Subject: Re: Why UDP cannot be handled security ?
> To: firewalls@greatcircle.com
>
> > Excuse me, why UDP protocol cannot be handled for security access?
>
> UDP does not permit a router to differentiate between inbound packets
> requesting new services and inbound packets returning data to outbound
> requests. This means that, using static filters, you cannot offer inside
> users access to services based on UDP without giving outside users access
> to the same service inside your network.
>
> The use of different types of "dynamic" filtering that some vendors
> offer permits a temporary hole to be created for the return packet(s)
> in response to an outbound request, thus limiting the vulnerability.
>
> In my opinion, this is still not perfect but it is much better.
> My opinions are not necessarily my company's and vice-versa.

Now I am starting to understand... This is really based on how vendor (at least cisco) software works rather than how it should be. Would anybody from cisco and others care to comment? Is this likely to change or not change in the future release of software?
Regards,
Tenna Sakai
Miles Research Center

From firewalls-owner Wed Mar 8 10:41:12 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA02124 for firewalls-outgoing; Wed, 8 Mar 1995 10:09:59 -0800
Received: from Starbase.NeoSoft.COM (starbase.NeoSoft.COM [198.64.6.26]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA02119 for ; Wed, 8 Mar 1995 10:09:56 -0800
From: ar1@neosoft.com
Received: from praline.no.NeoSoft.com (root@praline.no.NeoSoft.COM [198.64.57.253]) by Starbase.NeoSoft.COM (8.6.10/8.6.10) with ESMTP id MAA16349; Wed, 8 Mar 1995 12:07:29 -0600
X-Provider: NeoSoft, Inc.: Internet Service Provider (713) 684-5969
Received: from [198.66.88.3] (lcl.arlaw.com [198.66.88.3]) by praline.no.NeoSoft.com (8.6.10/8.6.10) with SMTP id MAA22534; Wed, 8 Mar 1995 12:07:24 -0600
Date: Wed, 8 Mar 1995 12:07:24 -0600
Message-Id: <199503081807.MAA22534@praline.no.NeoSoft.com>
X-Sender: ar1@new-orleans.neosoft.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
Subject: Securing Mac Nets
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have been following this list for some time and haven't yet seen any discussion on the extent to which Mac networks are more or less susceptible to outside penetration from the Internet. We are running a 100% Mac network and are connected to the Internet via an EtherNet backbone connected to a Rockwell NetHopper router over a 56k line. Can anyone comment on the relative security (or lack thereof) inherent in such a configuration and perhaps offer recommendations regarding hardware/software products which have been successfully used to secure such networks?

Any and all info would be appreciated.
From firewalls-owner Wed Mar 8 11:09:58 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA00239 for firewalls-outgoing; Wed, 8 Mar 1995 09:28:19 -0800
Received: from ns.incog.com (ns.incog.com [199.190.177.251]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA00233 for ; Wed, 8 Mar 1995 09:28:16 -0800
From: mulligan@incog.com
Received: from osmosys.incog.com by ns.incog.com (8.6.10/94082501) id JAA07772; Wed, 8 Mar 1995 09:15:55 -0800
Received: from coslabs.incog.com by osmosys.incog.com (5.x/SMI-SVR4) id AA26492; Wed, 8 Mar 1995 09:13:21 -0800
Received: from future.incog.com by coslabs.incog.com (5.x/SMI-SVR4) id AA04773; Wed, 8 Mar 1995 10:04:25 -0700
Received: from localhost by future.incog.com (5.x/SMI-SVR4) id AA10352; Wed, 8 Mar 1995 10:03:42 -0700
Message-Id: <9503081703.AA10352@future.incog.com>
To: "Daniel O'Callaghan"
Cc: mulligan@incog.com, Markly Dykeman , firewalls@GreatCircle.COM
Subject: Re: RE- Cleaning out compilers - Reply
Reply-To: mulligan@incog.com
In-Reply-To: Your message of "Wed, 01 Feb 95 08:55:13 +1100."
Date: Wed, 08 Mar 95 10:03:42 MST
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > On Mon, 30 Jan 1995 mulligan@future.incog.com wrote:
> >
> > > This way if someone does try to upload something, it isn't executable
> > > and can't be set that way. (Especially useful if you have users on your
> > > bastion host - heaven forbid.)
>
> Do your mods prevent the following?
>
> miriworld> ls -l /bin/ls
> -rwxr-xr-x  1 root       114688 May 20  1993 /bin/ls
> miriworld> ls -l myprog
> -rw-rw-r--  1 danny        1525 Feb  1 08:51 myprog
> miriworld> cp /bin/ls .
> miriworld> ls -l ls
> -rwxr-xr-x  1 danny      114688 Feb  1 08:51 ls
> miriworld> cp myprog ls
> miriworld> ls -l ls
> -rwxr-xr-x  1 danny        1525 Feb  1 08:52 ls
> miriworld>

Yes, the execute bit would be turned off on the first copy.
geoff

From firewalls-owner Wed Mar 8 11:19:34 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA01974 for firewalls-outgoing; Wed, 8 Mar 1995 10:02:35 -0800
Received: from gateway.toploguk.co.uk (gateway.toploguk.co.uk [193.119.169.250]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA01968 for ; Wed, 8 Mar 1995 10:02:30 -0800
Received: by gateway.toploguk.co.uk id aa20577; 8 Mar 95 15:51 GMT
From: Paul Crossley
To: johns@oxygen.house.gov, firewalls@GreatCircle.com
Subject: Re: application proxies versus packet filters
X-Mailer: ScoMail 1.0
Date: Wed, 8 Mar 1995 14:48:05 +0000 (GMT)
Message-ID: <9503081448.aa20243@gateway.toploguk.co.uk>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > Cisco's "established" keyword would be much more useful if it could be
> > combined with port restrictions; even simply being able to say "deny all
> > non-established TCP connections" would be more useful than what you can do
> > now, which is essentially to say "allow all established TCP connections".
>
> Actually, you should remember that the lines in a Cisco access-list are
> in priority of application order. To combine the "established" keyword line
> with others, you enter the higher priority statements first, e.g.
>
>     permit tcp from-anybody to-mail-relay to-SMTP-port
>
> then, at a lower priority so that others can establish a connection to mail,
>
>     permit tcp from-anybody to-any-internal established
>
> then, unless you want to trust the implicit deny everything
>
>     deny tcp from-anybody to-anybody.
>
> (The student enjoys telling his teacher what he learned ;-)
> (at the Usenix conference when you offered to set up this list)

I don't quite follow the logic here. What I would need to do is make sure that I'd specifically rejected all the non-established connections that I don't want before adding in the filter to accept established connections. This doesn't allow me to selectively let things through, it forces me to selectively keep things out: a complete turnaround in our strategy (and a much less paranoid one).

                                   (' ')
---------------------------oOO--(_)--OOo---------------------------------
Paul Crossley (paul@toploguk.co.uk)                              `-_-'
Senior Consultant SCO ACE                                         'U`
TopLog Limited
TopLog House, Knaves Beech Business Centre, Loudwater, Bucks. HP10 9QY
Phone (01628) 819444   Fax (01628) 819356
-------------------------------------------------------------------------

From firewalls-owner Wed Mar 8 11:38:07 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA01294 for firewalls-outgoing; Wed, 8 Mar 1995 09:41:41 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA01177 for ; Wed, 8 Mar 1995 09:40:59 -0800
Received: from uvs1.orl.mmc.com by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950108) id IAA08451; Wed, 8 Mar 1995 08:15:52 -0800
From: mcanizo@hpspnws2.spain.hp.com
Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA18613; Wed, 8 Mar 95 09:00:19 -0500
Date: Wed, 8 Mar 95 09:00:17 -0500
Message-Id: <9503081400.AA18613@uvs1.orl.mmc.com>
To: "firewalls@greatcircle.com"@uvs1.dnet.mmc.com
Subject: Test labs
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

sjg writes:

>What's wrong with setting up your firewall in a test lab? I mean the
>entire DMZ,choke etc etc. You can then test it until you are happy
>before letting others have a go...
Oh I agree, now everyone out there whose organization *has* a dedicated test lab for firewalls, please stand up (sit down Marcus 8*).

The long-running joke around here is that I do all testing at home because I have better equipment there (well, I do have a TCP/IP & IPX system with both 10Base-2 and 10Base-T that son and friends overload with DOOM but no Cisco. Yet.)

Warmly,
Padgett

From firewalls-owner Wed Mar 8 11:40:32 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA01049 for firewalls-outgoing; Wed, 8 Mar 1995 09:39:43 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA00900 for ; Wed, 8 Mar 1995 09:38:32 -0800
Received: from trefle.saclay.cea.fr by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950108) id IAA08586; Wed, 8 Mar 1995 08:44:58 -0800
Received: from oeillet.saclay.cea.fr by trefle.saclay.cea.fr (8.6.10/ CEANET-ROUTER-3.0) with ESMTP id PAA10367 for ; Wed, 8 Mar 1995 15:40:01 +0100
Received: from alpha.cad.cea.fr by oeillet.saclay.cea.fr (8.6.10/ CEANET-ROUTER-3.0) with SMTP id PAA14940 ; Wed, 8 Mar 1995 15:40:46 +0100
Received: from localhost by alpha.cad.cea.fr (5.65/CEANET-2.0.1) id AA23816; Wed, 8 Mar 1995 15:39:51 +0100
Message-Id: <9503081439.AA23816@alpha.cad.cea.fr>
To: alpha-osf-managers@ornl.gov, decstation-managers@ornl.gov, firewalls@greatcircle.com
Cc: demarthe@oeillet.saclay.cea.fr
Subject: Screend packet filtering capabilities
Date: Wed, 08 Mar 95 15:39:51 +0100
From: Herve DEMARTHE (CEA France)
X-Mts: smtp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dear managers,

I am considering using Jeff Mogul's screend software as a building block for our firewall system. We are in the process of moving from DecStations MIPS/Ultrix to Alpha/OSF1 and we have got back some 5000/200 boxes with additional Turbo Channel Ethernet adapters as well, so it can be an economically effective choice.
Anyway, I have some questions unresolved on this matter and I request your help. Here they are (newbie questions as you will see!):

1) On a 5000/200 under Ultrix 4.4, is there a reason to use the screend package from gatekeeper.dec.com /pub/misc/vixie/screend/screend.tar.Z instead of the screend stuff delivered as part of the Ultrix distribution? The README says: << It is functionally a bit more evolved ... >> What about this evolution? Does it imply Ultrix kernel modification?

2) The README file of the package suggests adding the following options to the kernel:

    options GWSCREEN
    pseudo-device gwscreen
    options GATEWAY
    options IPFORWARDING=1

but the Ultrix screend(8) man page only suggests adding

    pseudo-device gwscreen

Am I missing something??? Who is right? I have checked with kvar that IPFORWARDING was set by default in my Ultrix kernel ... should I add the other lines?

3) Does screend protect from source-routing packets? And how? Does it block IP options as a whole or selectively? Is it optional?

4) Does screend allow filtering based on the source port?

5) Does screend distinguish between the "red" Internet interface and the "blue" internal LAN interface on a DecStation with 2 Ethernet attachments? The purpose of this question is to know if anti-spoofing (i.e. rejecting "local" packets in disguise which could appear at the inbound "red" interface) can be done on the machine running screend or must be done at our internet provider router level (as suggested in the Cheswick/Bellovin book for the "choke" machine).

6) The README file suggests running routed. Is it mandatory (and why?) and even wise?

7) Can I give the 2 interfaces IP addresses from the same net (class B in our case) but different subnets, or should I use yet another network (class C, hopefully!)? I once read a reply from Brent Chapman about problems at network boundaries ...
8) I have "played" a little with screend on a 5000/200 in this configuration:

                                 ---------------------------
    -----------------------------|         5000/200        |-----------------------------
                                 ---------------------------
            ^                        ^               ^                        ^
            |                        |               |                        |
    DMZ or "red" network     "red" interface   "blue" interface     local or "blue" network
                             IP name : red     IP name : blue

I have configured /etc/screend.conf to allow packets from blue to red and to block traffic from red to blue. Despite this setting, a machine belonging to the "red" network can still reach (e.g. telnet) IP address blue. How does that come about? How can we block access to blue? Perhaps it is due to the fact that screend intercepts packets between ip_intr, which determines if the packet is meant for "this host" (regardless of the interface), and ip_forward (which routes the packet)?

9) Finally, are there around commercial routers (Cisco, BayNetworks, ...) which meet all of these criteria (interface distinction, no source-route, destination AND source filtering, logging capabilities, ...)?

This leads in fact to a fairly long list of questions! If some of them are FAQ, please forgive me and give me the pointers. I post this mail to the firewalls, alpha-osf-managers and decstation-managers lists.

Thanks in advance for your help,

Regards,

+--------------------------------------------------------------+
| Herve DEMARTHE      %^)      E-Mail: demarthe@alpha.cad.cea.fr |
| CEA/DSM/DRFC/STEP   Tel: +33 42257527   Fax: +33 42252661    |
| CEN Cadarache Bt 506   13108 St Paul Lez Durance   FRANCE    |
| <<< Apprentiz de todo, Maestro de nada ... >>>               |
| All opinions expressed herein are mine and not those of CEA. 
|
+--------------------------------------------------------------+

From firewalls-owner Wed Mar 8 16:42:55 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA09260 for firewalls-outgoing; Wed, 8 Mar 1995 16:24:29 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA03229 for ; Wed, 8 Mar 1995 10:38:13 -0800
Received: from hp.com by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950108) id KAA09258; Wed, 8 Mar 1995 10:24:24 -0800
Received: from hpspnws2.spain.hp.com by hp.com with SMTP (1.37.109.15/15.5+ECS 3.3) id AA036287319; Wed, 8 Mar 1995 10:28:39 -0800
Received: by hpspnws2.spain.hp.com (1.38.193.4/15.5+ECS 3.3) id AA07149; Wed, 8 Mar 1995 18:29:26 GMT
From: Miguel del Canizo
Message-Id: <9503081829.AA07149@hpspnws2.spain.hp.com>
Subject: Sorry, Sorry, Sorry !!
To: firewalls@GreatCircle.com
Date: Wed, 8 Mar 95 18:29:26 WET
Cc: mcanizo@hpspnws2.spain.hp.com
Mailer: Elm [revision: 70.85]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

All,

I really apologize for resending that old stuff to the net. I was trying to automate the organization of my mail and my awk script, mixed with an inappropriate (should I say incorrect?) parameter to the sendmail command, has caused a little?? disaster...

Really, really sorry.... I mean it. I swear to you it will not happen again.

Forgive me.
Miguel

From firewalls-owner Wed Mar 8 16:56:58 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA09167 for firewalls-outgoing; Wed, 8 Mar 1995 16:21:55 -0800
Received: from little-miami.iac.net (little-miami.iac.net [198.180.60.135]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA28979 for ; Tue, 7 Mar 1995 08:17:51 -0800
Received: by little-miami.iac.net id LAA29651; Tue, 7 Mar 1995 11:15:34 -0500
Date: Tue, 7 Mar 1995 11:15:33 -0500 (EST)
From: Carl Jolley
To: Frederick M Avolio
cc: kidstoj@citec.qld.gov.au, firewalls@GreatCircle.COM
Subject: Re: ftp - Netscape and TIS fwtk
In-Reply-To: <9503071338.AA25068@tis.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Fred,

Please tell us how to "write to the TIS Internet Firewall Toolkit list". All tell us how to subscribe to it.

**** cjolley@iac.net
**** All opinions are my own and not necessarily those of my employer ****

On Tue, 7 Mar 1995, Frederick M Avolio wrote:

> Maybe you should write to the TIS Internet Firewall Toolkit list on
> this one? I use Netscape fine behind a Gauntlet Internet Firewall.
> Although there are many differences and enhancements, the HTTP proxy
> code is basically the same.
>
> Fred
>

From firewalls-owner Wed Mar 8 17:05:32 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA09183 for firewalls-outgoing; Wed, 8 Mar 1995 16:22:07 -0800
Received: from Sun.COM (Sun.COM [192.9.9.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA08553 for ; Tue, 7 Mar 1995 13:27:42 -0800
Received: from snail.Sun.COM ([129.145.1.3]) by Sun.COM (sun-barr.Sun.COM) id AA13386; Tue, 7 Mar 95 13:25:24 PST
Received: from Swiss.Sun.COM (isunswis) by snail.Sun.COM (4.1/SMI-4.1) id AA14041; Tue, 7 Mar 95 10:16:53 PST
Received: from rocky.Swiss.Sun.COM by Swiss.Sun.COM (4.1/SMI-4.1d) id AA17936; Tue, 7 Mar 95 16:48:17 +0100
Received: from lugano.Swiss.Sun.COM by rocky.Swiss.Sun.COM (5.x/SMI-SVR4 (1/24/94)) id AA22896; Tue, 7 Mar 1995 16:46:17 +0100
Received: by lugano.Swiss.Sun.COM (5.x/SMI-SVR4) id AA07292; Tue, 7 Mar 1995 16:48:15 +0100
Date: Tue, 7 Mar 1995 16:48:15 +0100
From: roberto.jenni@Swiss.Sun.COM (Robert Jenni - Sun Switzerland Zurich - Pre Sales Support)
Message-Id: <9503071548.AA07292@lugano.Swiss.Sun.COM>
To: firewalls@greatcircle.com
Subject: Help: Sun with FireWall-1 route-performance
Cc: roberto.jenni@Swiss.Sun.COM
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi

I would like to use a Sun as the firewall gateway between two FDDI rings (see below). The external FDDI ring passes a data stream of 34Mb/s from the ATM network to the Sun.

Does somebody have any performance numbers concerning throughput of a Sun with and without FireWall-1? I would like to know the impact in performance of FireWall.
-------------------------------------------------------------------------- external FDDI ring internal FDDI ring ===============================================| |++++++++++++++++++++ ---------- -------- |--------| | | || || ATM Pilot-------| CISCO |-------|| || --------- |Router |-------+| || | | --------- || || | | || ||------| Sun |------- || |+------| fw-1 |------- || || | | -------- || || | | | | || || --------- Internet -------| CISCO |-------|| || |Router |-------+| || --------- |--------| ---------- -------------------------------------------------------------------------- Looking forward to hearing from you. Grazie Mille (=Many Thanks) Salutoni Roberto Please CC me at , since I am not a member of these alias. _______________________________________________________________________________ Roberto Jenni Sun Microsystems (Schweiz) AG Senior Systems Engineer z.H. Herrn Roberto Jenni Tech.Systems Ambassador Switzerland Postfach email: rje@swiss.sun.com Eschenstrasse 8 Tel: +41-1-825 71 11/63 8603 Schwerzenbach +41-77-67 55 67 Switzerland Fax: +41-1-825 72 99 X.400: /PN=roberto.jenni/PRMD=sun/ADMD=arcom/C=ch/ _______________________________________________________________________________ From firewalls-owner Wed Mar 8 18:09:40 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA11504 for firewalls-outgoing; Wed, 8 Mar 1995 17:50:15 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA03272 for ; Wed, 8 Mar 1995 10:38:22 -0800 Received: from hp.com by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950108) id KAA09266; Wed, 8 Mar 1995 10:26:44 -0800 Received: from hpspnws2.spain.hp.com by hp.com with SMTP (1.37.109.15/15.5+ECS 3.3) id AA026761224; Wed, 8 Mar 1995 06:00:26 -0800 Received: by hpspnws2.spain.hp.com (1.38.193.4/15.5+ECS 3.3) id AA05413; Wed, 8 Mar 1995 14:00:57 GMT From: matt@uts.EDU.AU (Jas (Matthew K)) Message-Id: 
<9502020340.AA26177@lordmuck.itd.uts.edu.au> Subject: Re: Test Labs To: glenn@simba.aero.org (Glenn Bailey) Date: Thu, 2 Feb 1995 14:40:02 +1000 (EST) Cc: firewalls@GreatCircle.COM (Firewalls Mailing List) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Glenn Bailey wrote this... > > An automatic firewall tester which can be extended for new attacks > would be nice. i have been thinking about this for somewhile, and im not sure if it is appropriate... one of the guys from plan9 developed an automatic protocol tester for empircally testing protocols (such as task switching on a mutliprocessor machine). in fact they found a few bugs in their code using this piece of software.. i had been thinking lately while this thread has been floating around about automatic testers, that maybe it could be adapted for this sort of work? anyway, just an idea... (if you want more details i can dig them out of the plan9 docs). Matt -- Matthew Keenan Systems Programmer Information Technology Division University of Technology Sydney Australia email: matt@uts.edu.au www: http://milliways.itd.uts.edu.au/~matt/ ph: +61 2 330 1390 fax: +61 2 330 1999 home: +61 2 416 5722 GCV 2.1 GAT/M/CS d--(-+) H-- s++:-- g+ p? !au a-(?) w+++ v+ C+++$ UVS++++$ P+>+++ L- 3+++ E-(++) N++ K W--- M+ V-- -po+(+) Y+ t+ !5>++ jx R+ G? 
!tv b+++ D++ B e+ u--(**) h- f+(*) r n- !y From firewalls-owner Wed Mar 8 18:29:32 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA11523 for firewalls-outgoing; Wed, 8 Mar 1995 17:50:23 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA03675 for ; Wed, 8 Mar 1995 10:49:58 -0800 Received: from hp.com by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950108) id KAA09416; Wed, 8 Mar 1995 10:42:49 -0800 Received: from hpspnws2.spain.hp.com by hp.com with SMTP (1.37.109.15/15.5+ECS 3.3) id AA024331144; Wed, 8 Mar 1995 05:59:05 -0800 Received: by hpspnws2.spain.hp.com (1.38.193.4/15.5+ECS 3.3) id AA05229; Wed, 8 Mar 1995 13:59:46 GMT Date: Thu, 2 Feb 1995 09:21:55 +1100 (EST) From: "Daniel O'Callaghan" Subject: Re: Ident server redux To: Steven Tepper Cc: "Ian C. Blenke" , firewalls@GreatCircle.COM Message-Id: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Date: Tue, 31 Jan 1995 20:22:01 -0500 (EST) > > From: "Ian C. Blenke" > > > > On Tue, 31 Jan 1995, Wes Morgan wrote: > > > Well, there are packages out there that look for Ident info (and can > > > delay processing while waiting for it). If memory serves, both the > > > wuarchive ftpd and Allman's 8.6.x sendmail have this capability. > > > > And TCPD on most systems. Now, you may not use PARANOID, but it still > > tries to look up connections. > ... > > What really gets my goat is the fact most "secure" sites enable PARANOID > > so that poor PC users (that don't run identd servers, mind you) have to > > wait for an excruciating period of time. Is identd so reliable and > > widespread as to REQUIRE its use for logging? I modified an earlier version of tcpd so that it would fork and connect the real daemon immediately if the connection was going to be allowed, and continue trying RFC931 in the background. 
Worked well, I thought, and I sent the changes to Wietse, but he did not like the fact that you ended up with three copies of tcpd running for a short time - one to exec the real daemon, one to do the rfc931, and one to hold the real connection open while the rfc931 proceeded (for quick connections like finger).

Danny

From firewalls-owner Wed Mar 8 18:51:03 1995
Date: Wed, 1 Feb 1995 11:36:07 -0500
From: bret@real.com (Bret McDanel)
Message-Id: <199502011636.LAA06110@real.com>
To: firewalls@GreatCircle.COM
Subject: Re: Nothing New

> Information Week had an article that came up with an 8% figure for this
> (this may even be the original source for that number). It's in the April
> 12, 1993 issue, page 35. There's a graph of breakin types, where dialup
> access was about 34% of breakins, "unknown" got 34% also, and the rest was
> divided about equally among Internet access, physical machine access,
> direct LAN access, and mainframe port access. It didn't have a figure for
> trashing.
>

trashing would prolly be a mixed bag.. Some people get information on a site, through trashing, and then use dialup or inet access to go further..

> Your conclusion is still 100% right, though.... I bet that the weakest
> point in most networks is the number of personal PCs with dial-in lines,
> running Carbon Copy or PC-anywhere, or Linux with a getty on the line.

Well, here is another point.. And one that I don't think that a lot of people think about.. How many people are in office buildings with false ceilings? How many of those sites have the physical LAN wire up in the ceiling? How easy would it be for a person to put some sorta sniffer up in the ceiling with a vampire clip? I know that when I installed network wire for a few companies they ran it in the ceiling, and they shared common walls with other business.. Also, with public areas (so someone wouldn't even have to rent space in the building to get physical access to the wire).. They never thought about anything happening like that.. There were also outlets up in the ceiling, which would allow for an easy way for the computer to be powered..

Just a thought...
From firewalls-owner Wed Mar 8 18:59:17 1995
Date: Wed, 8 Mar 1995 12:51:06 -0500
From: johns@oxygen.house.gov (John Schnizlein)
Message-Id: <9503081751.AA28328@oxygen.house.gov>
To: firewalls@GreatCircle.com, paul@toploguk.co.uk
Subject: Re: application proxies versus packet filters

|
| > > Cisco's "established" keyword would be much more useful if it could be
| > > combined with port restrictions; even simply being able to say "deny all
| > > non-established TCP connections" would be more useful than what you can do
| > > now, which is essentially to say "allow all established TCP connections".
| >
| > Actually, you should remember that the lines in a Cisco access-list are
| > in priority of application order. To combine the "established" keyword line
| > with others, you enter the higher priority statements first, e.g.
| >     permit tcp from-anybody to-mail-relay to-SMTP-port
| > then, at a lower priority so that others can establish a connection to mail,
| >     permit tcp from-anybody to-any-internal established
| > then, unless you want to trust the implicit deny everything
| >     deny tcp from-anybody to-anybody.
| >
| I don't quite follow the logic here, what I would need to do is make sure that
| I'd specifically rejected all the non-established connections that I don't want
| before adding in the filter to accept established connections - this doesn't
| allow me to selectively let things through, it forces me to selectively keep
| things out - a complete turn around in our strategy (and a much less paranoid one).
|

I am sorry to have been so brief. Cisco access-lists are not structured in terms of what is most important, but in terms of what is most specific. Because the order of statements in the list determines precedence, the most general statements are at the end. As you prefer, the default at the end of the list is deny everything.

There is no need to reject "all the non-established connections ... before adding the filter to accept established connections." Presumably, there is a small set of connections you will permit to be established from addresses outside (non-established in your terms) to inside. Include specifications for them explicitly. If you want to deny access to privileged ports even if they were established from inside (belt and suspenders theory I prefer), then deny those as a rule. In order to permit packets in response to connections established from inside, specify the permit "established" statement. Then either rely on the implicit deny all statement, or code it explicitly. The advantage of explicit coding is that the list will have to be erased before any permissions can be added to the list.

As B&C point out in their book, coding access-lists is not intuitively obvious. The contents of an access-list is more accurately seen as a rule-based, pattern-matching language than as a procedural language, with which most of us have more experience. See who uses the SNOBOL compiler before recruiting a router jockey :-)

Now back to the debate as to the ease/efficacy of screens v. proxies.
--
John

From firewalls-owner Thu Mar 9 18:56:15 1995
Message-Id: <199503082005.MAA06146@miles.greatcircle.com>
Date: 8 Mar 95 15:01:00 EST
From: "*STUART, FRANK"
Subject: VAX Gopher
To: "firewalls"

Is anyone running Mosaic or Gopher on a VAX/VMS system and can share any security related issues that need to be considered? We are trying to determine whether a firewall is needed and if so, what type. Thanks in advance!

Frank.
stuart@alexandria-emh2a.army.mil

From firewalls-owner Thu Mar 9 19:14:13 1995
From: Ted Doty
Message-Id: <199503082030.PAA25380@kgbvax.network.com>
Subject: Re: Securing Mac Nets
To: ar1@neosoft.com
Date: Wed, 8 Mar 1995 15:30:22 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <199503081807.MAA22534@praline.no.NeoSoft.com> from "ar1@neosoft.com" at Mar 8, 95 12:07:24 pm

>
> I have been following this list for some time and haven't yet seen any
> discussion on the extent to which Mac networks are more or less susceptible
> to outside penetration from the Internet. We are running a 100% Mac
> network and are connected to the Internet via an EtherNet backbone
> connected to a Rockwell NetHopper router over a 56k line. Can anyone
> comment on the relative security (or lack thereof) inherent in such a
> configuration and perhaps offer recommendations regarding hardware/software
> products which have been successfully used to secure such networks? Any
> and all info would be appreciated.

If you're running Appletalk over IP, there are a bunch of TCP ports reserved for Appletalk services:

    set at-rtmp 201;    # AppleTalk Routing Maintenance
    set at-nbp  202;    # AppleTalk Name Binding
    set at-3    203;    # AppleTalk Unused
    set at-echo 204;    # AppleTalk Echo
    set at-5    205;    # AppleTalk Unused
    set at-zis  206;    # AppleTalk Zone Information
    set at-7    207;    # AppleTalk Unused
    set at-8    208;    # AppleTalk Unused

(excerpt of NSC's NetSentry Common Filter Library, coming soon to intelligent routers everywhere). If you're tunneling, it's a different story.

- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation   | phone: +1 301 596-2270
8965 Guilford Road, Suite 250           | fax: +1 410 381-3320
Columbia, MD, 21046 USA                 | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental.
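Added example, not from either of the posts above: a small first-match simulator in Python for the access-list ordering John Schnizlein explains, with Ted Doty's AppleTalk-over-IP port range folded in as a deny line. The host labels, the sample packets and the four-line list are constructed, and "established" is modelled simply as "TCP ACK bit set".

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    dst: str            # destination host label (constructed names)
    dport: int
    ack: bool = False   # TCP ACK bit; "established" is modelled as ACK set

@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip" (matches both)
    dst: str                    # host label, "internal" (any inside host) or "any"
    dports: tuple = ()          # empty = any destination port
    established: bool = False   # only match packets with the ACK bit set

INTERNAL = {"mail-relay", "host-a", "host-b"}   # constructed inside hosts
PRIVILEGED = tuple(range(1, 1024))
APPLETALK = tuple(range(201, 209))               # at-rtmp .. at-8 from Ted's list

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dst == "internal":
        if pkt.dst not in INTERNAL:
            return False
    elif rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    if rule.established and not pkt.ack:
        return False
    return True

def evaluate(acl, pkt: Packet):
    """First matching line wins; every list ends in an implicit deny,
    reported here as line None."""
    for idx, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, idx
    return "deny", None

# Inbound list in the order John describes: the specific permit first,
# the belt-and-suspenders deny of privileged ports (which would also catch
# SMTP to the relay if it came first), then the general 'established' permit.
INBOUND = [
    Rule("permit", "tcp", "mail-relay", (25,)),
    Rule("deny",   "tcp", "internal", PRIVILEGED),
    Rule("deny",   "ip",  "internal", APPLETALK),
    Rule("permit", "tcp", "internal", established=True),
]

# The same four lines with the general permit moved to the top.
MISORDERED = [INBOUND[3], INBOUND[0], INBOUND[1], INBOUND[2]]

# Constructed inbound packets, named by what they represent.
SAMPLE = {
    "smtp-to-relay":   Packet("tcp", "mail-relay", 25),
    "telnet-syn":      Packet("tcp", "host-a", 23),
    "telnet-with-ack": Packet("tcp", "host-a", 23, ack=True),
    "reply-high-port": Packet("tcp", "host-a", 4000, ack=True),
    "syn-high-port":   Packet("tcp", "host-a", 4000),
    "at-nbp-udp":      Packet("udp", "host-b", 202),
}

def trace(acl) -> dict:
    """Evaluate every sample packet against one list: name -> (action, line)."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLE.items()}

if __name__ == "__main__":
    for label, acl in (("ordered", INBOUND), ("misordered", MISORDERED)):
        print(label)
        for name, (action, line) in trace(acl).items():
            print(f"  {name:16s} {action:6s} line {line}")
```

Running it shows the point of the thread: with the list in John's order an inbound ACK-bearing packet to port 23 is stopped by the privileged-port deny, while the same packet against the misordered list is waved through by the 'established' line before any deny is reached.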
From firewalls-owner Thu Mar 9 19:31:04 1995
Date: Thu, 9 Mar 1995 10:56:54 -0500
Message-Id: <199503091556.KAA09943@gold.interlog.com>
To: firewalls@GreatCircle.COM
From: clm@interlog.com (clm)
Subject: ACF II Assistance

I am looking for someone who has knowledge of ACF2 and APPN. I am involved in a project that will ultimately have several users dialing in to Microsoft RAS for comm support and authentication. From there the RAS servers will be segregated from the corporate backbone by a firewall. The remote users will conduct transactions with a MVS host. ACF2 exists on the host today. We would like to incorporate ACF2 security procedures into both the firewall and ideally into the RAS servers and Microsoft's DNS.

RGRDS....clm
Craig

From firewalls-owner Thu Mar 9 19:32:05 1995
Date: 08 Mar 95 18:28:00 EST
Subject: Firewall design...
Message-ID: <950308232800_702420.204300_BHD48-4@CompuServe.COM>

I am relatively new to UNIX security and have been monitoring this forum for a couple of weeks to see what I could learn. I hope I am not posting this message in the wrong place... if so, I apologize in advance!!!!!

We are trying to set up the following...

1. WWW/FTP server
2. SMTP gateway from Internet to cc:Mail
3. Access to the Internet from Windows, Mac and Sun desktops through our NetWare lan.

We plan to place some information on the WWW/FTP server that should only be accessible to certain users (with accounts and passwords) and other information that is publicly available. In addition, we want to secure the machine from any malicious users who might just want to nuke the whole thing. We are considering the NETRA Internet Server for this task.

As far as allowing access outbound to the Internet, we'd like our users to have access to FTP, TELNET, and WWW (Mosaic). So far, I have investigated FW-1 from Sun and Eagle from Raptor Systems as possible firewall solutions...

I guess my questions are:

1. Should there be separate firewalls for the WWW/FTP server and our internal net? Why?
2. Is there any known way for someone to hack into a Netware server that does not have TCP/IP installed on it via the Internet connection? If so, how?
3. Are there "gateway" or "proxy" type solutions that support outgoing Mosaic access... all the literature I've gotten mentions FTP and Telnet, but no signs of WWW/Mosaic.
4. If someone dials into a service provider (ie. PSI, Netcom, etc.) from their workstation with their modem, is there any way that an intruder would be able to get into our workstation from the outside through this connection? If so, how might one prevent it from happening?

Any help that anyone out there could provide would be most appreciated!

Roberta Mazzoli
Manager, Technical Services
Grolier Electronic Publishing, Inc.
roberta@grolier.ccmail.compuserve.com (for now...)

From firewalls-owner Thu Mar 9 19:46:02 1995
Date: Thu, 9 Mar 1995 08:13:58 +1000
Message-Id: <9503082213.AA23792@shadow.dbapic.com.au>
To: tws@wh.bayer.com
From: bwa@shadow.dbapic.com.au (Barry Anderson)
Subject: Re: Why UDP cannot be handled security ?
Cc: firewalls@greatcircle.com

>> From firewalls-owner@GreatCircle.COM Tue Mar 7 21:10:33 1995
>> From: Aydin Edguer
>> Subject: Re: Why UDP cannot be handled security ?
>> To: firewalls@greatcircle.com
>>
>> > Excuse me, why UDP protocol cannot be handled for security access ?
>>
>> UDP does not permit a router to differentiate between inbound packets
>> requesting new services and inbound packets returning data to outbound
>> requests. This means that, using static filters, you cannot offer inside
>> users access to services based on UDP without giving outside users access
>> to the same service inside your network.
>>
>> The use of different types of "dynamic" filtering that some vendors
>> offer permits a temporary hole to be created for the return packet(s)
>> in response to an outbound request, thus limiting the vulnerability.
>>
>> In my opinion, this is still not perfect but it is much better.
>> My opinions are not necessarily my company's and vice-versa.
>
>Now I am starting to understand...
>This is really based on how vendor (at least cisco) software
>works rather than how it should be. Would anybody from cisco
>and others care to comment? Is this likely to change or not
>change in the future release of software?
>Regards,
>Tenna Sakai
>Miles Research Center
>

No, you obviously don't understand. Allowing a temporary hole after seeing an outbound UDP packet is a hack aka kludge (and potential vulnerability?)

Anyone with more knowledge feel free to jump in here...(like you really need to say that on the Net...)

cheers,

Barry
Systems Programmer
Technical Support Group
Asia-Pacific Information Centre
Dun & Bradstreet Information Services

From firewalls-owner Thu Mar 9 20:00:50 1995
Date: Thu, 9 Mar 95 18:01:17 PST
From: paul@rio.myra.com (Paul Dodd)
Message-Id: <9503100201.AA03029@rio.myra.com>
To: firewalls@greatcircle.com
Subject: chroot httpd

The CERN httpd doesn't seem to do a chroot when it starts up. Is there a publicly available daemon that does, or a list of instructions on how to easily change the source on some httpd to force a chroot?

----
Paul Dodd                  This is not a black and white world
MYRA Systems Corp.         You can't afford to believe in your side
paul@myra.com                        - Live, Mental Jewelry

From firewalls-owner Thu Mar 9 20:11:06 1995
Message-Id: <199503091132.AA01782@Woozle.GeNUA.DE>
To: "Daniel O'Callaghan"
Cc: Steven Tepper, "Ian C. Blenke", firewalls@greatcircle.com
Subject: Re: Ident server redux
In-Reply-To: Your message of "Thu, 02 Feb 95 09:21:55 +1100."
Date: Thu, 09 Mar 1995 12:32:22 +0100
From: Bernhard Schneck

In message you write:
> I modified an earlier version of tcpd so that it would fork and connect
> the real daemon immediately if the connection was going to be allowed,
> and continue trying RFC931 in the background. Worked well, I thought,

I've modified the TIS FWTK routines to do async IDENT lookups through an extra daemon (identlookupd) which gets passed the relevant information via a unix domain or UDP socket.

As IDENT should (more or less) only be used for fun (if at all), it's not (and probably should never be) in the FWTK distribution.

\Bernhard.
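Added example, not from any post in this thread: a Python model of the static-versus-dynamic UDP filtering that Aydin Edguer describes in the quoted message above and that Barry Anderson calls a kludge. The hosts, ports and the timeline are constructed; the "loose" variant, which keys the temporary hole only on the inside host and port, is an assumption included to show how much wider the hole becomes when the match is not on the full 4-tuple.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Udp:
    src: str      # sending host (constructed labels)
    sport: int
    dst: str
    dport: int
    t: float      # arrival time in seconds on a constructed timeline

class StaticUdpFilter:
    """Stateless filtering: inbound UDP to the inside is either always
    allowed or always blocked, because a reply and an unsolicited packet
    look identical on the wire."""
    def __init__(self, allow_inbound: bool):
        self.allow_inbound = allow_inbound

    def outbound(self, pkt: Udp) -> bool:
        return True                      # inside users may always send

    def inbound(self, pkt: Udp) -> bool:
        return self.allow_inbound        # cannot tell a reply from a probe

class DynamicUdpFilter:
    """'Dynamic' filtering: an outbound request opens a temporary hole for
    the reply, which closes again after `timeout` seconds.  strict=True
    keys the hole on the full 4-tuple; strict=False (an assumption, to show
    the exposure) keys it on the inside host and port only.  Even the strict
    form admits anything carrying the expected source address and port
    during the window, which is the residual risk the post is worried about."""
    def __init__(self, timeout: float, strict: bool = True):
        self.timeout = timeout
        self.strict = strict
        self.holes = {}                  # hole key -> expiry time

    def _out_key(self, p: Udp):
        return (p.dst, p.dport, p.src, p.sport) if self.strict else (p.src, p.sport)

    def _in_key(self, p: Udp):
        return (p.src, p.sport, p.dst, p.dport) if self.strict else (p.dst, p.dport)

    def outbound(self, p: Udp) -> bool:
        self.holes[self._out_key(p)] = p.t + self.timeout
        return True

    def inbound(self, p: Udp) -> bool:
        # expire stale holes first, then admit only what matches an open one
        self.holes = {k: exp for k, exp in self.holes.items() if exp > p.t}
        return self._in_key(p) in self.holes

def scenario(fw) -> dict:
    """Replay one constructed exchange: an inside DNS query, its reply, an
    unsolicited packet to the same inside port, and a reply that arrives
    after the window has closed.  Returns which inbound packets got in."""
    query = Udp("inside-host", 1234, "dns-server", 53, t=0.0)
    reply = Udp("dns-server", 53, "inside-host", 1234, t=0.2)
    probe = Udp("outside-host", 53, "inside-host", 1234, t=5.0)
    late  = Udp("dns-server", 53, "inside-host", 1234, t=60.0)
    fw.outbound(query)
    return {
        "reply": fw.inbound(reply),
        "unsolicited": fw.inbound(probe),
        "late": fw.inbound(late),
    }

if __name__ == "__main__":
    for name, fw in [("static allow", StaticUdpFilter(True)),
                     ("static deny", StaticUdpFilter(False)),
                     ("dynamic strict", DynamicUdpFilter(30.0)),
                     ("dynamic loose", DynamicUdpFilter(30.0, strict=False))]:
        print(f"{name:15s} {scenario(fw)}")
```

The static filter is the dilemma in Aydin's first paragraph (either both the reply and the unsolicited packet get in, or neither does); the dynamic filter lets the reply through and shuts the unsolicited one out only as long as it matches on the full 4-tuple and the window is short.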
From firewalls-owner Thu Mar 9 20:23:32 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA06984 for firewalls-outgoing; Thu, 9 Mar 1995 19:24:19 -0800
Received: from NUki (nuki.netuse.de [193.98.110.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA00369 for ; Thu, 9 Mar 1995 10:12:21 -0800
Received: by Mail.NetUSE.de (SMail3.1.28.1 #2) ID m0rmmg8-00099vC: Thu, 9 Mar 95 19:11 MET
Received: by black.schulung.netuse.de (CrossPoint v3.02 R/C886); 09 Mar 1995 19:06:31 +0100
Date: 09 Mar 1995 19:06:00 +0100
From: kris@black.schulung.netuse.de (Kristian Köhntopp)
To: firewalls@greatcircle.com
Message-ID: <5hYo3R6ZnrB@black.schulung.netuse.de>
Subject: Packet Monitors for MS-DOS?
X-Mailer: XP v3.02 R/C886
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Organization: Orga-what?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am planning to equip a portable PC with DOS and Windows with an Ethernet adapter and use it as a portable packet monitor for network analysis. Thus, I am looking for a rough equivalent of tcpdump, etherman and internet for MS-DOS and Windows. Are there any free or commercial programs you can recommend?

Please reply personally, I will sum up to the list,

Kristian
--
"Peanuts for everyone!" Marit and Kristian Köhntopp, Harmsstraße 98, 24114 Kiel, +49 431 676689

From firewalls-owner Thu Mar 9 20:34:25 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA07003 for firewalls-outgoing; Thu, 9 Mar 1995 19:24:40 -0800
Received: from erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA00535 for ; Thu, 9 Mar 1995 10:20:12 -0800
Posted-Date: Thu, 9 Mar 1995 12:33:28 -0500
From: "Bryan D. Boyle"
Message-Id: <9503091233.ZM14678@maverick.erenj.com>
Date: Thu, 9 Mar 1995 12:33:28 -0500
X-Phone: (908) 730-3338
X-Saying: Strange problems call for strange solutions.
X-Life: Get One
X-Face: "Pd&4kXWsi"3Hc_Y~I-ts24DN$w~Hh)&L-P9DZvE"~_~m),~Y&N_]TUIM*4.r@z$SxVL]}v=+IP>Fuq{zx%{KKj"Kys1Q5{|m*l}:[T;N:/=@5[xOIpR$%skp$f0#6^j\1+ -?l%Yk/+S8Y!3J@{~!Ao4-COV:Ft}{]oZ&1=!@<>UIh2s
X-Mailer: Z-Mail (3.2.0 06sep94)
To: firewalls@greatcircle.com
Subject: url for vendor list
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

the CORRECTED URL is ok; just that the service provider is experiencing disk problems on the back end nfs server they use to provide web page storage. they say should be up tonite...so thanks for the patience with the brain spasm compounded by the ISP problems...

that CORRECT URL again is http://www.access.digex.net/~bdboyle/firewall.vendor.html

tonite being 9 march 1995...
--
Bryan D. Boyle |Physical: ER&E, Clinton, NJ (908) 730-3338
#include |Virtual: bdboyle@erenj.com
World-Wide-Web: http://www.access.digex.net/~bdboyle/index.html

From firewalls-owner Thu Mar 9 20:41:39 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA06401 for firewalls-outgoing; Thu, 9 Mar 1995 19:15:39 -0800
Received: from iss.net (iss.iss.NET [204.241.60.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA00281 for ; Thu, 9 Mar 1995 10:04:28 -0800
Received: (from cklaus@localhost) by iss.net (8.6.4/8.6.4) id MAA04899; Thu, 9 Mar 1995 12:58:28 -0800
From: Christopher Klaus
Message-Id: <199503092058.MAA04899@iss.net>
Subject: Security FAQ info (update)
To: bugtraq@fc.net, firewalls@greatcircle.com
Date: Thu, 9 Mar 1995 12:58:27 +1494730 (PST)
X-Mailer: ELM [version 2.4 PL20]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1194
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi All,

The early
versions of the Sniffer FAQ contained some erroneous information about non-promiscuous devices and I believe I have updated the list to be the most correct. I have also added some more information about various sniffers, etc.

I have updated the Patch FAQ so it contains info on the SGI desktop bug, httpd bug, and recent sendmail bugs. If you know of any bugs that I have not addressed, please let me know and I'll update this Patch FAQ.

Just in case you gave up trying to connect to http://iss.net/iss a couple of months ago, ISS.NET has gotten a reliable link so you should have no problems connecting to http://iss.net/iss at a reasonable speed.

Where to get the FAQs:

   ftp.iss.net /pub/faq
   http://www.iss.net/iss
   mail info@iss.net , with "send index" in body of msg.

If you sent e-mail to info@iss.net and didn't get a response, it is because your return-path in your mailer is messed up.

Cheers,
Christopher
--
Christopher William Klaus Voice: (404)441-2531. Fax: (404)441-2431 Internet Security Systems, Inc.
Computer Security Consulting 2000 Miller Court West, Norcross, GA 30071 ========================< http://iss.net/~iss >=========================

From firewalls-owner Thu Mar 9 20:53:36 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA07971 for firewalls-outgoing; Thu, 9 Mar 1995 19:42:58 -0800
Received: from Badger.Arnold.Com (Badger.Arnold.Com [192.135.80.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id TAA07952 for ; Thu, 9 Mar 1995 19:42:52 -0800
From: Stephen.L.Arnold@Arnold.Com
Received: from Badger.Arnold.Com by Badger.Arnold.Com (PMDF V5.0-0 #9822) id <01HNY2NISYR48WVZ1U@Badger.Arnold.Com>; Thu, 09 Mar 1995 21:40:04 -0600 (CST)
Date: Thu, 09 Mar 1995 21:11:15 -0600 (CST)
Subject: Re: VAX Gopher
In-reply-to: "Your message dated Wed, 08 Mar 1995 15:01:00 -0500 (EST)" <199503082005.MAA06146@miles.greatcircle.com>
To: "*STUART, FRANK"
Cc: firewalls , Stephen.L.Arnold@Arnold.Com
Message-id: 01HNY3ODQZ1Y8WVZ1U@Badger.Arnold.Com
Organization: Arnold Consulting, Inc.
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Is anyone running Mosaic or Gopher on a VAX/VMS system and can
> share any security related issues that need to be considered?
>
> We are trying to determine whether a firewall is needed and if so,
> what type.

I don't know what you would be trying to protect, but if its privacy or integrity is of any concern at all, you should be considering some kind of firewall. The level of protection will depend on the results of your risk analysis. OpenVMS is no different from UNIX in that to lock down a bastion, complexity is your enemy. If you have time sharing users and lots of servers, put a firewall in front of it. If it's a special purpose information server with just a few daemons (FTP, Web, etc.), you can put it out on the Internet.
You will need an operating system and TCP/IP software in which you're confident. It's important to say it that way, since TCP/IP software is an unbundled product on the OpenVMS platform. You'll want a recent version of OpenVMS with any applicable security patches applied. I recommend MultiNet from TGV for TCP/IP, but then [*disclaimer*] I sell it. So ask some other folks. It seems Digital's TCP/IP Services for OpenVMS VAX (or AXP) (a.k.a. "UCX") is always playing catch-up.

In addition to the usual issues, web and gopher servers and clients are subject to the risks inherent in letting possibly naive users fetch live multimedia objects, including PostScript files, command procedures, and executable images. Web is a superset of gopher issues, so consider only web and you'll cover gopher. The risks are not unlike allowing folks to play with floppy disks of uncertain origin: viruses, trojan horses, and other rogue programs/objects. The best discussion I've seen of these issues for web users is the Rutgers WWW-Security Reference page (http://www-ns.rutgers.edu/www-security/reference.html).

Mosaic is a web client. Gopher includes both client and server. Of course there are also web servers for OpenVMS. In followup questions, do specify whether you intend to run only clients or also servers. (Don't run both on a bastion!)

> Thanks in advance!
> Frank.
> stuart@alexandria-emh2a.army.mil

You're welcome. Good luck!

Regards, "Steve"

Stephen L. Arnold, Ph.D., President, Arnold Consulting, Inc.
Address 2530 Targhee Street, Madison, Wisconsin 53711-5491 U.S.A.
Telephone +1 608 278 7700 Facsimile +1 608 278 7701 Internet Stephen.L.Arnold@Arnold.Com Pager (800) 351 8927

From firewalls-owner Thu Mar 9 21:07:30 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA07062 for firewalls-outgoing; Thu, 9 Mar 1995 19:25:17 -0800
Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA01264 for ; Thu, 9 Mar 1995 12:09:18 -0800
Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.28.1 #5) id m0rmlsv-0000ngC; Thu, 9 Mar 95 09:20 PST
Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA06759; Thu, 9 Mar 1995 09:20:23 +0800
Date: Thu, 9 Mar 1995 09:20:23 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
Message-Id: <9503091720.AA06759@brittany.oes.amdahl.com>
To: abraham@hpindda.cup.hp.com, Firewalls@greatcircle.com, sjones@aptech.com, patrick@oes.amdahl.com, mmorse@nsf.gov
Subject: Re: FW-1, etc.
X-Sun-Charset: US-ASCII
content-length: 3067
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: mmorse@nsf.gov (Michael H. Morse)
>
> If your firewall consists only of a packet filter, no matter how smart,
> then you have to decide what kinds of connections you allow to be
> initiated from the outside, to which inside hosts. For example, hosts
> a and b can receive telnet, and c can receive ftp, and d and e smtp,
> and f http. Am I correct, so far, or is there more to a packet filter
> that I don't understand?

In most situations you wouldn't allow any connections from the outside... how could you trust 'em?

>
> If I'm correct, and your list is relatively short (you can count them
> on one hand), then this might be adequate for some sites. In
> particular, if you don't allow any interactive sessions from the
> outside, and you have a single SMTP host that doesn't run sendmail,
> then I'd say go for it.
Well I'd say if you have outside hosts that need to connect, you need to provide secure authentication. You still have the problem of physical compromise of the trusted machines, but you're ahead of the game.

>
> The problem I see is that if the list is at all interesting, the packet
> filter becomes less and less relevant. For example, if you allow
> telnet to be initiated from the outside, and any of the accessible
> inside hosts use re-usable passwords, then you have no protection at
> all because an account can be cracked with a sniffer at some site you
> have no control over, and once a hacker has logged in, you cannot,
> realistically, stop them, at least on UNIX.

You'd have to have them do something like make an authenticated connection to a telnet proxy on the gateway machine, then go from there...without encryption they could still sniff later connections, but they'd need to break your smartcard/S/Key/whatever authentication on the gateway to get to them.

>
> It strikes me that the use of proxies for connections initiated from
> the inside, to outside hosts, is mostly an historical artifact. They
> were necessary when routers weren't as smart in filtering based on who
> initiated the connection. If FW-1 is as good as they say (and I don't
> think I've heard anyone say it doesn't do a good job of filtering based
> on the direction of the connection), then perhaps it makes sense to use
> it or something similar, for all connections initiated from within (FTP
> might be an exception), and use the bastion host for connections
> initiated from outside.

What you said;)

Patrick

 _______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;).   \
|                                                       (\              |
| Patrick J. Horgan       Amdahl Corporation             \\      Have   |
| patrick@amdahl.com      1250 East Arques Avenue         \\ _   Sword  |
| Phone : (408)992-2779   P.O. Box 3470 M/S 316            \\/   Will   |
| FAX   : (408)773-0833   Sunnyvale, CA 94088-3470         _/\\  Travel |
\___________________________O16-2294________________________\)__________/

From firewalls-owner Thu Mar 9 21:08:35 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA07045 for firewalls-outgoing; Thu, 9 Mar 1995 19:24:57 -0800
Received: from birch.ims.disa.mil (birch.ims.disa.mil [164.117.176.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA00412 for ; Thu, 9 Mar 1995 10:16:07 -0800
Received: from CC.IMS.DISA.MIL ([164.117.176.106]) by birch.ims.disa.mil (8.6.10/DISA 0.5.3) with SMTP id KAA27190 for ; Thu, 9 Mar 1995 10:06:09 -0500
Received: from cc:Mail by CC.IMS.DISA.MIL id AA794772345; Thu, 09 Mar 95 10:04:48 EST
Date: Thu, 09 Mar 95 10:04:48 EST
From: "Tu Nguyen"
Message-Id: <9502097947.AA794772345@CC.IMS.DISA.MIL>
To: firewalls@greatcircle.com
Subject: Re[2]: FW-1, etc.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Below is a summary based on discussion on this subject:

Packet Filters/FireWall-1 Vs. Application-level (Transparent/Proxy) Gateways

Advantages of FireWall-1:

- Does not need special client software. Proxy Gateways may (or may not) require installation of special client software on end-user machine.
- Does not need custom proxies. Proxy Gateways may (or may not) require development of custom proxies.
- Does not need special procedures. Users may (or may not) have to learn and follow special procedures to access the application-level gateway. Number of proxy applications is limited. Number of transparent proxy applications is even more limited.
- May have better performance. Since packets are checked at the network and transport layers as opposed to the application layer.
- Easier to configure. GUI interface is used instead of line interface.
- More flexible. Programmable filter module can be used to adapt to many application protocols (FTP, HTTP, WAIS, etc.) including site specific ones.
- Can handle UDP based applications (e.g. DNS, NTP, Archie, etc.). FW-1 caches the UDP request and the UDP reply will be allowed to pass through only if there is a corresponding request entry in the cache. Administrators cannot configure the client code to send UDP traffic via a proxy gateway. However, the DNS and NTP problem can be resolved using servers on either side of the firewall talking to each other. There are ways to work around the Archie problem as well.
- Can check IP spoofing of encapsulated packets. Checks the inside IP packet that is being tunnelled. FW-1 has a new IP spoofing patch.

Advantages of Application-Level Gateways:

- May (or may not) provide more security.
- May (or may not) be easier to build and configure for specialized applications.
- Non-transparent proxy gateway may (or may not) provide more protection against Trojan Horse attack. Corporation should not allow any import of software.

Bugs in FireWall-1:

- Any hosts using rsh/rlogin that were permitted to pass through the FireWall-1 are treated as if they were trusted (not challenged with a password). This problem may have been fixed.
- Random crashes. This may be a Sun problem.

Non-issues:

- Attacking host pretends to be on your local network - Fixable with notion of internal networks and external networks and expected traffic characteristics (established connections).
- Attacking host pretends to be an external host that you trust or attacking host that can get access to trusted host (transitive trust) - Freely allow outgoing traffic, but allow only authenticated incoming traffic.
- User Authentication - See above paragraph.
- Proxies hide your internal addresses.
- Multicast packets. These packets have class D addresses or they are encapsulated. Class D addresses should be rejected.
Tu Nguyen
DISA

From firewalls-owner Thu Mar 9 21:13:55 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA06367 for firewalls-outgoing; Thu, 9 Mar 1995 19:15:07 -0800
Received: from z.nsf.gov (z.nsf.gov [128.150.195.37]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA20382 for ; Thu, 9 Mar 1995 06:34:12 -0800
Received: (from mmorse@localhost) by z.nsf.gov (8.6.10/8.6.10) id JAA07464; Thu, 9 Mar 1995 09:29:42 -0500
Message-Id: <199503091429.JAA07464@z.nsf.gov>
From: mmorse@nsf.gov (Michael H. Morse)
Date: Thu, 9 Mar 1995 09:29:42 EST
In-Reply-To: Abraham Lui "Re: FW-1, etc." (Mar 2, 9:30am)
X-Mailer: Mail User's Shell (7.1.1 5/02/90)
To: Abraham Lui , Firewalls@greatcircle.com, sjones@aptech.com, patrick@oes.amdahl.com
Subject: Re: FW-1, etc.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Weaknesses:
>
> 1) It is not capable of doing User Authentication, which severely limits
> the access control module. Current rules are created based on service
> and host address, which may not have the granularity that many of us need.

I am just learning this, but this seems to get at the heart of the matter. The original question asked why a firewall needs an application gateway. To me it seems obvious, but perhaps I'm missing something.

If your firewall consists only of a packet filter, no matter how smart, then you have to decide what kinds of connections you allow to be initiated from the outside, to which inside hosts. For example, hosts a and b can receive telnet, and c can receive ftp, and d and e smtp, and f http. Am I correct, so far, or is there more to a packet filter that I don't understand?

If I'm correct, and your list is relatively short (you can count them on one hand), then this might be adequate for some sites. In particular, if you don't allow any interactive sessions from the outside, and you have a single SMTP host that doesn't run sendmail, then I'd say go for it.
The problem I see is that if the list is at all interesting, the packet filter becomes less and less relevant. For example, if you allow telnet to be initiated from the outside, and any of the accessible inside hosts use re-usable passwords, then you have no protection at all because an account can be cracked with a sniffer at some site you have no control over, and once a hacker has logged in, you cannot, realistically, stop them, at least on UNIX.

It strikes me that the use of proxies for connections initiated from the inside, to outside hosts, is mostly an historical artifact. They were necessary when routers weren't as smart in filtering based on who initiated the connection. If FW-1 is as good as they say (and I don't think I've heard anyone say it doesn't do a good job of filtering based on the direction of the connection), then perhaps it makes sense to use it or something similar, for all connections initiated from within (FTP might be an exception), and use the bastion host for connections initiated from outside.

Comments?
--Mike

From firewalls-owner Thu Mar 9 21:20:32 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA11246 for firewalls-outgoing; Thu, 9 Mar 1995 20:53:05 -0800
Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id UAA11241 for ; Thu, 9 Mar 1995 20:53:02 -0800
Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.10/8.6.9) id WAA24962; Thu, 9 Mar 1995 22:44:48 -0600
Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma024960; Thu Mar 9 22:44:38 1995
Received: from ignatz (ignatz.bridge.com) by ignatz.bridge.com with SMTP id AA01870 (5.67b/IDA-1.5); Thu, 9 Mar 1995 22:52:29 -0600
Date: Thu, 9 Mar 1995 22:52:28 -0600 (CST)
From: Ken Hardy
X-Sender: ken@ignatz
To: Paul Dodd
Cc: firewalls@greatcircle.com
Subject: Re: chroot httpd
In-Reply-To: <9503100201.AA03029@rio.myra.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 9 Mar 1995, Paul Dodd wrote:

> The CERN httpd doesn't seem to do a chroot when it starts up. Is there a
> publicly available daemon that does, or a list of instructions on how
> to easily change the source on some httpd to force a chroot?

   /usr/sbin/chroot /jails/httpd /bin/httpd -r /configs/httpd.conf

where /bin/httpd and /configs/httpd.conf are really /jails/httpd/bin/httpd and /jails/httpd/configs/httpd.conf. Location of chroot(1) may vary.
-- KH

From firewalls-owner Thu Mar 9 21:21:36 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA06227 for firewalls-outgoing; Thu, 9 Mar 1995 19:12:16 -0800
Received: from trefle.saclay.cea.fr (trefle.saclay.cea.fr [132.166.128.101]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id CAA18845 for ; Thu, 9 Mar 1995 02:38:27 -0800
Received: from oeillet.saclay.cea.fr by trefle.saclay.cea.fr (8.6.10/ CEANET-ROUTER-3.0) with ESMTP id LAA01924 for ; Thu, 9 Mar 1995 11:35:41 +0100
Received: from alpha.cad.cea.fr by oeillet.saclay.cea.fr (8.6.10/ CEANET-ROUTER-3.0) with SMTP id LAA02151 for ; Thu, 9 Mar 1995 11:37:02 +0100
Received: from localhost by alpha.cad.cea.fr (5.65/CEANET-2.0.1) id AA28272; Thu, 9 Mar 1995 11:36:07 +0100
Message-Id: <9503091036.AA28272@alpha.cad.cea.fr>
To: firewalls@greatcircle.com
Subject: Screend packet filtering capabilities
Date: Thu, 09 Mar 95 11:36:07 +0100
From: Herve DEMARTHE (CEA France)
X-Mts: smtp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dear managers,

I am considering using Jeff Mogul's screend software as a building block for our firewall system. We are in the process of moving from DecStations MIPS/Ultrix to Alpha/OSF1 and we have got back some 5000/200 boxes with additional Turbo Channel Ethernet adapters as well : so it can be an economically effective choice.

Anyway, I have some questions unresolved on this matter and I request your help, here they are (newbie questions as you will see !) :

1) On a 5000/200 under Ultrix 4.4, is there a reason to use the screend package from gatekeeper.dec.com /pub/misc/vixie/screend/screend.tar.Z instead of the screend stuff delivered as part of Ultrix distribution ? The README says : << It is functionally a bit more evolved ... >> What about this evolution ? Does it imply Ultrix kernel modification ?
2) The README file of the package suggests adding the following options to the kernel :

   options GWSCREEN
   pseudo-device gwscreen
   options GATEWAY
   options IPFORWARDING=1

but the Ultrix screend(8) man page only suggests adding

   pseudo-device gwscreen

Am I missing something ??? Who is right ? I have checked with kvar that IPFORWARDING was set by default in my Ultrix kernel ... should I add the other lines ?

3) Does screend protect from source-routed packets ? And how ? Does it block IP options as a whole or selectively ? Is it optional ?

4) Does screend allow filtering based on the source port ?

5) Does screend distinguish between "red" Internet interface and "blue" internal LAN interface on a DecStation with 2 Ethernet attachments ? The purpose of this question is to know if anti-spoofing (ie rejecting "local" packets in disguise which could appear at the inbound "red" interface) can be done on the machine running screend or must be done at our internet provider router level (as suggested in Cheswick/Bellovin book for the "choke" machine).

6) The README file suggests running routed. Is it mandatory (and why ?) and even wise ?

7) Can I give to the 2 interfaces IP addresses from the same net (class B in our case) but different subnets or should I use yet another network (class C, hopefully !) ? I once read a reply from Brent Chapman about problems at network boundaries ...

8) I have "played" a little with screend on a 5000/200 in this configuration :

                         ---------------------------
   ----------------------|         5000/200        |-----------------------------
                         ---------------------------
        ^                    ^                    ^                      ^
        |                    |                    |                      |
   DMZ or "red"       "red" interface      "blue" interface      local or "blue"
     network            IP name : red        IP name : blue           network

I have configured /etc/screend.conf to allow packets from blue to red and to block traffic from red to blue. Despite this setting, a machine belonging to the "red" network can still reach (eg telnet) IP address blue. How does it come ? How can we block access to blue ?
Perhaps it is due to the fact that screend intercepts packets between ip_intr which determines if the packet is meant for "this host" (regardless of the interface) and ip_forward (which routes the packet) ?

9) Finally, are there commercial routers around (Cisco, BayNetworks, ...) which meet all of these criteria (interface distinction, no source-route, destination AND source filtering, logging capabilities, ...) ?

This leads in fact to a fairly long list of questions ! If some of them are FAQ, please forgive me and give me the pointers. I post this mail to the firewalls, alpha-osf-managers and decstation-managers lists.

Thanks in advance for your help,

Regards,

+--------------------------------------------------------------+
| Herve DEMARTHE %^)         E-Mail: demarthe@alpha.cad.cea.fr |
| CEA/DSM/DRFC/STEP        Tel: +33 42257527 Fax: +33 42252661 |
| CEN Cadarache Bt 506 13108 St Paul Lez Durance FRANCE        |
| <<< Apprentice of everything, master of nothing ... >>>      |
| All opinions expressed herein are mine and not those of CEA. |
+--------------------------------------------------------------+

From firewalls-owner Thu Mar 9 21:24:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA10204 for firewalls-outgoing; Thu, 9 Mar 1995 20:34:42 -0800
Received: from asgard.cs.Colorado.EDU (asgard.cs.Colorado.EDU [128.138.198.15]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id UAA10181 for ; Thu, 9 Mar 1995 20:34:34 -0800
Message-Id: <199503100434.UAA10181@miles.greatcircle.com>
Received: by asgard.cs.Colorado.EDU (1.37.109.4/16.2) id AA07851; Thu, 9 Mar 95 21:31:25 -0700
Date: Thu, 9 Mar 95 21:31:25 -0700
From: Dave Barrett
To: Firewalls@GreatCircle.COM
Subject: Deslogin-1.3 Now Available
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Announcing Deslogin Release 1.3
-------------------------------

Deslogin is a remote login program which may be used safely across insecure networks.
With deslogin, you may log into a secure remote host from a secure local host without worrying about your login password or session information being made visible across the network.

Deslogin is a simple stand-alone client and server, which may be used on machines which don't have more sophisticated security packages such as SPX or Kerberos. No centralized key distribution package is required. Unlike unix login programs, authentication relies upon arbitrarily long pass phrases rather than eight-character user passwords.

Deslogin uses the United States Data Encryption Standard to implement challenge/response user authentication and, once connected, to encrypt all information flowing to or from your session. This allows you to safely use su or login or edit sensitive information while on the remote host.

Deslogin is available via anonymous ftp from:

   ftp.uu.net:/pub/security/des/deslogin-1.3.tar.gz

The 1.3 release fixes bugs with updating utmp and adds support for Sun's Solaris. A new directory, deslogin-client-bins, has been added which contains precompiled clients. This makes it drastically easier when traveling to a remote site which doesn't have deslogin installed.
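What the announcement describes, challenge/response authentication on a key derived from a long pass phrase, with a session key afterwards, is shown below as an added example. It is not Deslogin's code and it does not use DES: PBKDF2-HMAC-SHA256 derives the key from the pass phrase, HMAC-SHA256 answers the server's challenge, and a per-session key is derived from both nonces. The class and function names, the salt, the user name and the pass phrases are constructed for illustration.

```python
"""Challenge/response login modelled on the Deslogin announcement.
Added example, not Deslogin's code; stdlib primitives stand in for DES."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SALT = b"constructed-example-salt"   # constructed; a real server stores a random salt per user
PBKDF2_ROUNDS = 100_000


def key_from_passphrase(passphrase: str) -> bytes:
    """Any length of pass phrase becomes a 32-byte key; nothing is truncated
    to eight characters the way classic UNIX passwords are."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), SALT, PBKDF2_ROUNDS)


def _response(key: bytes, server_nonce: bytes, client_nonce: bytes) -> bytes:
    # the answer binds both nonces, so neither side can force a repeated transcript
    return hmac.new(key, b"auth|" + server_nonce + b"|" + client_nonce, "sha256").digest()


def session_key(key: bytes, server_nonce: bytes, client_nonce: bytes) -> bytes:
    """Both ends derive this after a successful exchange; it never crosses the wire."""
    return hmac.new(key, b"session|" + server_nonce + b"|" + client_nonce, "sha256").digest()


@dataclass
class Server:
    users: Dict[str, bytes]   # user name -> derived key; the pass phrase itself is never stored

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)   # fresh for every attempt, so captured answers are worthless

    def verify(self, user: str, server_nonce: bytes, client_nonce: bytes, response: bytes) -> bool:
        key = self.users.get(user, bytes(32))   # unknown user still does the HMAC (same work)
        expected = _response(key, server_nonce, client_nonce)
        return hmac.compare_digest(expected, response) and user in self.users


@dataclass
class Client:
    user: str
    key: bytes

    def respond(self, server_nonce: bytes) -> Tuple[bytes, bytes]:
        client_nonce = secrets.token_bytes(16)
        return client_nonce, _response(self.key, server_nonce, client_nonce)


Transcript = List[Tuple[str, str, bytes]]


def login(server: Server, client: Client,
          replayed: Optional[Tuple[bytes, bytes]] = None) -> Tuple[Optional[bytes], Transcript]:
    """One login exchange. Returns the session key on success (None otherwise)
    and the transcript, which is exactly what a sniffer on the path would see.
    `replayed` substitutes a (client_nonce, response) pair captured from an
    earlier session, to show that replaying it does not authenticate."""
    transcript: Transcript = []
    s_nonce = server.challenge()
    transcript.append(("S->C", "challenge", s_nonce))
    c_nonce, resp = replayed if replayed else client.respond(s_nonce)
    transcript.append(("C->S", "response", c_nonce + resp))
    ok = server.verify(client.user, s_nonce, c_nonce, resp)
    transcript.append(("S->C", "result", b"OK" if ok else b"FAIL"))
    # each side derives the session key from its own copy of the user's key;
    # session_key(client.key, ...) on the client equals this server-side value
    sk = session_key(server.users[client.user], s_nonce, c_nonce) if ok else None
    return sk, transcript


if __name__ == "__main__":
    k = key_from_passphrase("correct horse battery staple")   # constructed pass phrase
    sk, t = login(Server(users={"alice": k}), Client("alice", k))
    for direction, label, payload in t:
        print(f"{direction} {label:9s} {payload.hex() if label != 'result' else payload.decode()}")
    print("session key established:", sk is not None)
```

Nothing in the transcript is reusable: the pass phrase and derived key never leave either host, a response captured from one session fails against the next challenge because the server's nonce changed, and the key used to protect the session afterwards is derived rather than transmitted.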
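Going back to the FW-1 summary (Tu Nguyen) and the screend questions (Herve Demarthe) earlier in this digest: the following added example, which is not FireWall-1 or screend code, models three of the points raised there in Python. Interface-based anti-spoofing drops a packet with a "blue" source address that arrives on the "red" interface, direction-based TCP policy lets the inside initiate while the outside gets only a short allow list, and a UDP request cache admits a reply only against a matching request, once, within a time window. The address ranges, the host addresses, the reply window and the result strings are constructed for illustration, and the TCP tracking is deliberately simplified (no teardown handling).

```python
"""Stateful packet filter model: anti-spoofing by interface, direction-based
TCP policy, and a UDP request cache. Added example, not FireWall-1 or screend."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set, Tuple

INTERNAL_NETS = [ip_network("10.1.0.0/16")]   # constructed "blue" address space
UDP_REPLY_WINDOW = 30.0                        # seconds a cached request stays valid


@dataclass(frozen=True)
class Packet:
    iface: str          # "red" (Internet side) or "blue" (internal side) it arrived on
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP: SYN flag set
    ack: bool = False   # TCP: ACK flag set


def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in n for n in INTERNAL_NETS)


Flow = Tuple[str, int, str, int]   # (inside_ip, inside_port, outside_ip, outside_port)


class StatefulFilter:
    def __init__(self, allow_inbound_tcp: Optional[Set[Tuple[str, int]]] = None):
        # (inside host, port) pairs the outside may open, e.g. {("10.1.0.25", 25)} for the SMTP host
        self.allow_inbound_tcp: Set[Tuple[str, int]] = allow_inbound_tcp or set()
        self.udp_cache: Dict[Flow, float] = {}   # outbound UDP request -> time seen
        self.tcp_state: Set[Flow] = set()        # flows whose opening SYN was accepted

    def decide(self, pkt: Packet, now: float) -> str:
        # 1. anti-spoofing: an internal source must arrive on the internal interface, and vice versa
        if pkt.iface == "red" and is_internal(pkt.src):
            return "DROP:spoofed-internal-source"
        if pkt.iface == "blue" and not is_internal(pkt.src):
            return "DROP:foreign-source-on-blue"
        # 2. class D destinations are never forwarded
        if ip_address(pkt.dst).is_multicast:
            return "DROP:multicast"
        return self._udp(pkt, now) if pkt.proto == "udp" else self._tcp(pkt)

    def _udp(self, pkt: Packet, now: float) -> str:
        # expire stale requests so an old lookup cannot be answered much later
        self.udp_cache = {k: t for k, t in self.udp_cache.items() if now - t <= UDP_REPLY_WINDOW}
        if pkt.iface == "blue":
            self.udp_cache[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
            return "ACCEPT:udp-request"
        # inbound: only a reply mirroring a cached request passes, and it consumes the entry
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.udp_cache:
            del self.udp_cache[key]
            return "ACCEPT:udp-reply"
        return "DROP:unsolicited-udp"

    def _tcp(self, pkt: Packet) -> str:
        opening = pkt.syn and not pkt.ack
        if pkt.iface == "blue":
            if opening:
                self.tcp_state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT:outbound-tcp"
        flow = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if opening:
            # a connection attempt from the outside: only the short allow list
            if (pkt.dst, pkt.dport) in self.allow_inbound_tcp:
                self.tcp_state.add(flow)
                return "ACCEPT:inbound-tcp-allowed"
            return "DROP:inbound-connect"
        # any other inbound segment must belong to a flow that was opened legitimately
        if flow in self.tcp_state:
            return "ACCEPT:established"
        return "DROP:no-state"


if __name__ == "__main__":
    fw = StatefulFilter(allow_inbound_tcp={("10.1.0.25", 25)})
    samples = [   # constructed packets
        Packet("red", "tcp", "10.1.0.9", 4000, "10.1.0.25", 25, syn=True),
        Packet("red", "tcp", "192.0.2.7", 4001, "10.1.0.9", 23, syn=True),
        Packet("blue", "udp", "10.1.0.9", 3000, "192.0.2.53", 53),
        Packet("red", "udp", "192.0.2.53", 53, "10.1.0.9", 3000),
    ]
    for i, p in enumerate(samples):
        print(p.iface, p.proto, f"{p.src}:{p.sport} -> {p.dst}:{p.dport}", fw.decide(p, float(i)))
```

The UDP cache is the part of Tu Nguyen's summary that a plain stateless filter cannot express: a DNS answer from port 53 is accepted only because the inside sent the question moments earlier, and a second copy, or an answer after the window, is dropped. The TCP branch shows why an "ACK-only" inbound segment is not enough to get through a stateful filter, where a purely flag-based rule would pass it.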
From firewalls-owner Thu Mar 9 21:45:51 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA05514 for firewalls-outgoing; Thu, 9 Mar 1995 18:54:26 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id AAA17642 for ; Thu, 9 Mar 1995 00:54:20 -0800
From: ilinx.com!brian@uucp.wimsey.com
Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA22523; Thu, 9 Mar 95 03:51:59 -0500
Date: Thu, 9 Mar 95 03:51:59 -0500
Message-Id: <9503090851.AA22523@uvs1.orl.mmc.com>
To: mcanizo@hpspnws2.spain.hp.com
Cc: "firewalls@greatcircle.com"@uvs1.dnet.mmc.com
Subject: Re: Test labs
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

As enscripted by mcanizo@hpspnws2.spain.hp.com:
>
> sjg rites:
> >What's wrong with setting up your firewall in a test lab? I mean the
> >entire DMZ,choke etc etc. You can then test it until you are happy
> >before letting others have a go...
>
> Oh I agree, now everyone out there whose organization *has* a dedicated
> test lab for firewalls, please stand up (sit down Marcus 8*). The long-running
> joke around here is that I do all testing at home because I have better
> equipment there (well, I do have a TCP/IP & IPX system with both 10Base-2
> and 10Base-T that son and friends overload with DOOM but no Cisco. Yet.)
>

Wow, did that comment get regurgitated or is there a mail loop out there with a giant latency problem?? I seem to remember that comment, word for word at least a month ago.

b.
--
Brian J. Murrell brian@ilinx.com InterLinx Support Services, Inc. brian@wimsey.com North Vancouver, B.C.
604 983 UNIX Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD

From firewalls-owner Thu Mar 9 21:50:48 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA10849 for firewalls-outgoing; Thu, 9 Mar 1995 20:46:47 -0800
Received: from little-miami.iac.net (little-miami.iac.net [198.180.60.135]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id UAA10831 for ; Thu, 9 Mar 1995 20:46:41 -0800
Received: by little-miami.iac.net id XAA22830; Thu, 9 Mar 1995 23:44:19 -0500
Date: Thu, 9 Mar 1995 23:44:18 -0500 (EST)
From: Carl Jolley
To: ROBERTA@grolier.ccmail.compuserve.com
cc: firewalls@GreatCircle.COM
Subject: Re: Firewall design...
In-Reply-To: <950308232800_702420.204300_BHD48-4@CompuServe.COM>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The TIS Firewall Toolkit/Gauntlet product does have an http proxy available.

Two very common software packages for cc:Mail <--> SMTP are the Lotus product, Link to SMTP (runs under DOS) and the IMA product, Internet Exchange (runs under Windows, supports MIME).

**** cjolley@iac.net **** All opinions are my own and not necessarily those of my employer ****

On 8 Mar 1995 ROBERTA@grolier.ccmail.compuserve.com wrote:

> I am relatively new to UNIX security and have been monitoring this forum for
> a couple of weeks to see what I could learn. I hope I am not posting this
> message in the wrong place... if so, I apologize in advance!!!!!
>
> We are trying to set up the following...
>
> 1. WWW/FTP server
> 2. SMTP gateway from Internet to cc:Mail
> 3. Access to the Internet from Windows, Mac and Sun desktops through
> our NetWare lan.
>
> We plan to place some information on the WWW/FTP server that should only be
> accessible to certain users (with accounts and passwords) and other information
> that is publicly available.
> In addition, we want to secure the machine from any
> malicious users who might just want to nuke the whole thing. We are considering
> the NETRA Internet Server for this task.
>
> As far as allowing access outbound to the Internet, we'd like our users to have
> access to FTP, TELNET, and WWW (Mosaic).
>
> So far, I have investigated FW-1 from Sun and Eagle from Raptor Systems as
> possible firewall solutions...

I suggest you also take a look at Gauntlet from TIS and Janus (can't remember its company).

>
> I guess my questions are:
>
> 1. Should there be separate firewalls for the WWW/FTP server and our internal
> net? Why?

I've not heard anyone who has done this or any particular reason for doing this.

>
> 2. Is there any known way for someone to hack into a Netware server that does
> not have TCP/IP installed on it via the Internet connection? If so, how?
>
> 3. Are there "gateway" or "proxy" type solutions that support outgoing Mosaic
> access... all the literature I've gotten mentions FTP and Telnet, but no
> signs of WWW/Mosaic.
>
> 4. If someone dials into a service provider (ie. PSI, Netcom, etc.) from their
> workstation with their modem, is there any way that an intruder would be
> able to get into our workstation from the outside through this connection?
> If so, how might one prevent it from happening?

If they were running IP over dial-up like SLIP or PPP and if their PC was capable of routing then a bad guy could get to the rest of your network. How to stop it, don't allow one or both of the things I mentioned to be used, i.e. a company security policy.

>
> Any help that anyone out there could provide would be most appreciated!
>
> Roberta Mazzoli
> Manager, Technical Services
> Grolier Electronic Publishing, Inc.
> roberta@grolier.ccmail.compuserve.com (for now...)
From firewalls-owner Thu Mar 9 21:52:52 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA05487 for firewalls-outgoing; Thu, 9 Mar 1995 18:54:05 -0800
Received: from scruz.net (nic.scruz.net [165.227.1.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id TAA15286 for ; Wed, 8 Mar 1995 19:49:46 -0800
Received: from raf.sj.scruznet.com by scruz.net (8.6.9/1.34) id TAA09803; Wed, 8 Mar 1995 19:47:18 -0800
Date: Wed, 8 Mar 95 19:39:45 PDT
From: Rich
Subject: just wondering....
To: firewalls@greatcircle.com
X-Mailer: Chameleon - TCP/IP for Windows by NetManage, Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ok, on to a new topic (we have not had one for so long...)

Has anyone done any sort of survey to get info on those who have "no sense how dangerous it can be on the net"? In other words, we have all been around for some time, discussing the ins/outs of firewalls and the like, but I sometimes wonder if this group (lurkers included) is so far beyond what the average company/community is seeing.

I guess if you think about it, there must be a lot of companies unprotected (even though it is easy to protect yourself) given the fact that Mitnick (ugh) got as far as he did.

I offer a question -- How do we educate the "real" community (other than 60 minutes) about how to build and utilize an Internet link without opening themselves up for a "heap 'o trouble".

Ok, I realize this is a very generic question, but I have seen so many "de-lurkers" asking questions and sometimes they get so MANY answers, some right, some wrong(!), some ?, that you have to wonder where this is all leading.

Case in point -- How many Internet Providers give free Firewall Basics Training when you buy their service? Ok, none. Next question, Why Not? Would it not keep you coming back?
I know of one provider (national) that continues to lose customers, at least in California, due to lack of support AND they have no clue about firewalling and protecting one's network.

Oh well, perhaps I have been stuck inside in the rain too long today, and have had too much time to think....

Rich - not into sig files, cause don't you have enough to read - Fitzgerald
~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^
"....I hope life is not a big joke, cause I don't get it..."
raf@ezunx.com
Senior Systems Analyst
(408) 456-0430

From firewalls-owner Thu Mar 9 22:00:05 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA05500 for firewalls-outgoing; Thu, 9 Mar 1995 18:54:12 -0800
Received: from world1.worldbit.com (gw.worldbit.com [199.4.64.236]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id VAA16767 for ; Wed, 8 Mar 1995 21:36:57 -0800
Received: (blast@localhost) by world1.worldbit.com (8.6.10/A/UX 3.1) id VAA09553; Wed, 8 Mar 1995 21:41:14 -0800
Date: Wed, 8 Mar 1995 21:41:13 -0800 (PST)
From: Tim Keanini
To: Jas
cc: Glenn Bailey , Firewalls Mailing List
Subject: Re: Test Labs
In-Reply-To: <9502020340.AA26177@lordmuck.itd.uts.edu.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 2 Feb 1995, Jas wrote:
> Glenn Bailey wrote this...
> > An automatic firewall tester which can be extended for new attacks
> > would be nice.
> I have been thinking about this for some while, and I'm not sure if it is
> appropriate... one of the guys from plan9 developed an automatic protocol
> tester for empirically testing protocols (such as task switching on a
> multiprocessor machine). In fact they found a few bugs in their code using
> this piece of software.. I had been thinking lately while this thread has
> been floating around about automatic testers, that maybe it could be
> adapted for this sort of work? Anyway, just an idea... (if you want more
> details I can dig them out of the plan9 docs).

Hi guys,

Mike Shaver and I have been working on something that we call 'siege'. (Mike has done more than I at this point.) I just took delivery on an IRX-211 so I can finally start to test. It sure is hard to develop something when you don't have all the resources. My bank account hates me but hey, I could have spent it on something like food.

I will keep the list informed as we get closer to the final thing.

--blast

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Tim Keanini, aka blast | "The limits of my language, are the limits of my world." --Ludwig Wittgenstein
for more info on BayMOO... email baymoo@worldbit.com
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

From firewalls-owner Thu Mar 9 22:02:53 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA05527 for firewalls-outgoing; Thu, 9 Mar 1995 18:54:44 -0800
Received: from inet-gw-1.pa.dec.com (inet-gw-1.pa.dec.com [16.1.0.22]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id CAA18694 for ; Thu, 9 Mar 1995 02:14:48 -0800
Received: from mts-gw.pa.dec.com by inet-gw-1.pa.dec.com (5.65/24Feb95) id AA16325; Thu, 9 Mar 95 02:05:06 -0800
Received: by mts-gw.pa.dec.com (5.65/09May94) id AA03137; Thu, 9 Mar 95 02:05:04 -0800
Received: from umc by mts-gw.pa.dec.com via MR/WRLMTS with conversational-MRIF; Thu, 09 Mar 95 02:05:03 -0800
Posted: Thu, 09 Mar 95 09:47:01 -0800
Date: Thu, 09 Mar 95 08:24:01 -0800
From: "MARC CHATEL @AEO"
Message-Id: <84159090305991/4030060@FRMRC>
To: firewalls-digest@greatcircle.com, demarthe@alpha.cad.cea.fr
Cc: "Stuart HOTCHKISS @AEO" , "patrick longuet"@mfo.mts
Subject: Screend capabilities...
Msg-Class: ALL-IN-1 IOS Server for VMS V3.0 PBL123A (US) ENGLISH 21-MAR-1992 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk [This message is converted from WPS-PLUS to ASCII] Hello, Read with interest your questions about the "screend" utility. I do not want to clog the list with platform-specific details (I promise, only ONE mail on this subject), but here goes... > 1) Is there a reason to use the screend package from gatekeeper.dec.com > instead of the screend stuff delivered as part of ULTRIX? --> I would say "not sufficient reason to justify the additional trouble". screend ships standard with ULTRIX and OSF. It is also the tested and supported version. If you want to completely replace the supported version with the "public" version, you may need kernel source, which may be more hassle than necessary in this case. > 2) what about kernel options? --> One more reason to use the version shipped standard. The manual is accurate in this case. > 3) IP options? --> screend considers IP options to mean that some basic IP fields have unknown values (this is not optional). With a correct filtering configuration, this provides adequate protection. > 4) filtering on the source port --> Yes, screend does this. > 5) Does screend distinguish between interfaces? Does screend protect against > spoofing? --> Screend does not currently distinguish between interfaces. Many kinds of spoofing can still be prevented with proper configuration. Even if screend DID distinguish between interfaces, it could not prevent ALONE certain kinds of spoofing. All depends on the network topology around the "screend" machine. > 6) What about routed? --> We normally don't use routed on Digital installed firewalls. If absolutely forced to (static routing is our preferred choice), we use "gated" with carefully-controlled configurations. > 7) Subnets versus class C on one side? --> There are topological arguments here, related to spoofing and routing tables among other things. 
> 8) How come screend does not seem to work? --> Screend does what it is told. If not configured properly, you may have problems (this is true for ANY packet-filtering system, as far as I know). > 9) Commercial router solutions? --> Solutions exist that provide most of these capabilities. To my knowledge, no commercial router currently has the option of providing detailed logging of every rejected packet AND sending that to an external system in syslog format. I would dare to say this is the key argument why we stick to screend (along with its IP fragment behavior, and the fact that the source is easily accessible for verification, which of course contradicts my previous statement that it is easier to use the "factory-shipped" version of screend). If somebody from a commercial router manufacturer knows they support real-time syslog output of denied packets NOW, we would be interested to know, as we could make use of commercial routers in certain setups. Reading this list should convince you that correct packet-filtering configuration is non-trivial in all cases (apart from the DENY EVERYTHING case which is cheaply implemented with wire cutters that you can get at your local BHV or Castorama). You may wish to contact us for more info. We are probably the closest readers of this list. We speak French as well, which you may consider a plus. It keeps snowing beyond belief (once every two days on average right now, the slopes are great), so you may want to consider a "customer visit" :-) or you may want us to come configure it for you. Brent, unless all of the Atlantic falls over us in the next three weeks, there will be skiing here until May 1st, I guess. What about setting up some sort of monster FFF gathering (Firewalls/French Alps/French food) here? I am sure there would be takers... 
Regards, Marc Chatel Digital Equipment Annecy, France E-mail: try Marc.Chatel@aeo.mts.dec.com or chatel_m@annecy.enet.dec.com or mchatel@pax.eunet.ch FAX: (33) 50.64.01.39 From firewalls-owner Thu Mar 9 22:50:24 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id WAA18562 for firewalls-outgoing; Thu, 9 Mar 1995 22:41:58 -0800 Received: from tuna.wang.com (tuna.wang.com [150.124.136.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id WAA18552 for ; Thu, 9 Mar 1995 22:41:55 -0800 Received: from elf.wang.com by tuna.wang.com with SMTP id AA26125 (5.67b/IDA-1.5 for ); Fri, 10 Mar 1995 01:39:36 -0500 Received: from fnord.wang.com by elf.wang.com with SMTP id AA10529 (5.67a/IDA-1.5 for ); Fri, 10 Mar 1995 01:38:17 -0500 Received: by fnord.wang.com (5.67a/TF8) id AA01346; Fri, 10 Mar 1995 01:36:22 -0500 Date: Fri, 10 Mar 1995 01:36:22 -0500 From: Tom Fitzgerald Message-Id: <199503100636.AA01346@fnord.wang.com> To: firewalls@greatcircle.com Subject: Re: chroot httpd Sender: firewalls-owner@GreatCircle.COM Precedence: bulk paul@rio.myra.com writes: > The CERN httpd doesn't seem to do a chroot when it starts up. Is there a > publicly available daemon that does, or a list of instructions on how > to easily change the source on some httpd to force a chroot? CERN httpd doesn't do this on its own, but it's trivial to force: chroot /www /www/bin/httpd Works fine here. Now cgi scripts are a little tricky.... I'm still playing with that. 
-- Tom Fitzgerald 1-508-967-5278 Wang Labs, Lowell MA, USA fitz@wang.com From firewalls-owner Fri Mar 10 09:25:37 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA22772 for firewalls-outgoing; Fri, 10 Mar 1995 09:03:44 -0800 Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA22767 for ; Fri, 10 Mar 1995 09:03:41 -0800 Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.28.1 #5) id m0rn83q-0000meC; Fri, 10 Mar 95 09:01 PST Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA08223; Fri, 10 Mar 1995 09:01:20 +0800 Date: Fri, 10 Mar 1995 09:01:20 +0800 From: patrick@oes.amdahl.com (Patrick Horgan) Message-Id: <9503101701.AA08223@brittany.oes.amdahl.com> To: tws@wh.bayer.com, bwa@shadow.dbapic.com.au Subject: Re: Why UDP cannot be handled security ? Cc: firewalls@greatcircle.com X-Sun-Charset: US-ASCII content-length: 972 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From: bwa@shadow.dbapic.com.au (Barry Anderson) > No, you obviously don't understand. Allowing a temporary hole after seeing > an outbound UDP packet is a hack aka kludge (and potential vulnerability?) Why would you say that? Obviously if you're going to be making the comment, you have a reason for it. Please share your reasoning with us:) Patrick _______________________________________________________________________ / These opinions are mine, and not Amdahl's (except by coincidence;). \ | (\ | | Patrick J. Horgan Amdahl Corporation \\ Have | | patrick@amdahl.com 1250 East Arques Avenue \\ _ Sword | | Phone : (408)992-2779 P.O. 
Box 3470 M/S 316 \\/ Will | | FAX : (408)773-0833 Sunnyvale, CA 94088-3470 _/\\ Travel | \___________________________O16-2294________________________\)__________/

From firewalls-owner Fri Mar 10 09:26:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA22801 for firewalls-outgoing; Fri, 10 Mar 1995 09:09:22 -0800
Received: from zzyzx.com (zzyzx.zzyzx.com [192.215.182.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA22796 for ; Fri, 10 Mar 1995 09:09:15 -0800
Received: by zzyzx.com (4.1/CERF0.9:SMI-4.1) id AA03030; Fri, 10 Mar 95 09:09:38 PST
From: rodney@zzyzx.com (Rodney P. Rutherford)
Message-Id: <9503101709.AA03030@zzyzx.com>
Subject: Re: just wondering....
To: firewalls@greatcircle.com
Date: Fri, 10 Mar 1995 09:09:37 -0800 (PST)
In-Reply-To: from "Rich" at Mar 8, 95 07:39:45 pm
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 4646
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Ok, on to a new topic (we have not had one for so long...)
>
> Has anyone done any sort of survey to get info on those who have "no
> sense how dangerous it can be on the net"? In other words, we have
> all been around for some time, discussing the ins/outs of firewalls and
> the like, but I sometimes wonder if this group (lurkers included) is
> so far beyond what the average company/community is seeing.

I believe that you have hit the nail on the head. Even with all the recent publicity, most companies I see still have no idea what to do. I am starting to see a shift at least to where they are AWARE that they need to consider the security aspects.

From what I have seen, I would say there is a handful who KNOW what they are doing, a lot who are at least aware they DON'T KNOW, and all the rest who have no idea and are at the mercy of what the vendors/providers/et al give them.
Then there are the typical company problems: time, money, and personnel. Many are only willing to try and get by with only the minimal amount of resources. Again, a lot of this has to do with knowledge and awareness of what it really takes.

> I guess if you think about it, there must be a lot of companies unprotected
> (even though it is easy to protect yourself) given the fact that Mitnick
> (ugh) got as far as he did.

Define "easy". If anything I think it has gotten harder. I have been working for UNIX VARs for 7+ years now. What I have been seeing over the past few years is that the design/life cycle is being drastically reduced, which means products are obsoleted now before anyone is fully competent on them. It is a nightmare keeping up with all the changes. Now to make matters worse the number of vendors providing "security" products has exploded, making it even more difficult to come up with a stable solution. That is even more difficult when you consider every customer seems to have their own particular quirks.

I am also seeing (here as well as elsewhere) that the security vendors are like all other computer products. Lots of less than quality products, with very few solid, stable ones. This is especially true during the initial 12 months of the release of products.

> I offer a question -- How do we educate the "real" community (other than
> 60 minutes) about how to build and utilize an Internet link without
> opening themselves up for a "heap 'o trouble".
>
> Ok, I realize this is a very generic question, but I have seen so many
> "de-lurkers" asking questions and sometimes they get so MANY answers, some
> right, some wrong(!), some ?, that you have to wonder where this is all
> leading.
>
> Case in point -- How many Internet Providers give free Firewall Basics
> Training when you buy their service? Ok, none. Next question, Why Not?
> Would it not keep you coming back? I know of one provider (national) that
> continues to lose customers, at least in California due to lack of support
> AND they have no clue about firewalling and protecting one's network.

Actually, I think you answered your own question. I think it is going to take the next few years, during which time the vendors are going to weed themselves and their products out. It will be natural evolution as driven by the consumer. As more companies get bit, we will see the vendors, products, and consultants who provide a valuable, dependable service come to the forefront. As the market becomes mature, the consumers will also become knowledgeable. At least I certainly hope so.

> Oh well, perhaps I have been stuck inside in the rain too long today, and
> have had too much time to think....

No, I don't think so, though the rain isn't getting to us until today. :-)

All the above is the main reason why I have been lurking here, attending seminars, and snatching up any info I can on the subject for the past six months. And I still haven't come up with what solution we, as a vendor, or myself as a consultant, should offer to our customers. So all you vendors, consultants, etc. lurking here; feel free to email me your suggestions, solutions, etc.

> Rich - not into sig files, cause don't you have enough to read - Fitzgerald
>
> ~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^
> "....I hope life is not a big joke, cause I don't get it..."
>
> raf@ezunx.com
> Senior Systems Analyst
> (408) 456-0430

Looks like I have rambled on enough myself.

Rodney
--
| Rodney P. Rutherford Zzyzx Workstation Peripherals 619-558-7800 |
| Technical Director 5893 Oberlin Drive 800-876-7818 |
| rodney@zzyzx.com San Diego, CA.
92121 FAX: 619-558-8283 | From firewalls-owner Fri Mar 10 09:55:36 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA22897 for firewalls-outgoing; Fri, 10 Mar 1995 09:44:19 -0800 Received: from gateway.sequent.com (gateway.sequent.com [138.95.18.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA22892 for ; Fri, 10 Mar 1995 09:44:17 -0800 Received: from [138.95.14.34] by gateway.sequent.com (5.61/1.34) id AA01190; Fri, 10 Mar 95 09:41:59 -0800 Received: from ushqgw0a.sequent.com by relay1.sequent.com (5.65/crg/11) id AA15692; Fri, 10 Mar 95 09:29:42 -0800 Received: by ushqgw.sequent.com with Microsoft Mail id <2F60906F@ushqgw.sequent.com>; Fri, 10 Mar 95 09:46:23 PST From: "Ned Smith (nedbob)" To: "'Firewalls Alias(firewalls@greatcircle.com)'" Subject: RE: just wondering.... Date: Fri, 10 Mar 95 09:38:00 PST Message-Id: <2F60906F@ushqgw.sequent.com> Encoding: 28 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Create a web page describing what you know about firewalls. Put on your salesman hat and convince providers to make it available on the net - or just do it yourself. (who *really* is the "real" community, I ask you?) :-) Regards, Ned Smith nedbob@sequent.com ---------- [snip] |I offer a question -- How do we educate the "real" community (other than 60 |minutes) about |how to build and utilize an Internet link without opening themselves up for a |"heap 'o |trouble". | [snip] |Case in point -- How many Internet Providers give free Firewall Basics |Training when you |buy their service? 
[snip] |raf@ezunx.com |Senior Systems Analyst |(408) 456-0430 | | | From firewalls-owner Fri Mar 10 09:56:20 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA22822 for firewalls-outgoing; Fri, 10 Mar 1995 09:21:08 -0800 Received: from gateway.sequent.com (gateway.sequent.com [138.95.18.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA22817 for ; Fri, 10 Mar 1995 09:21:05 -0800 Received: from [138.95.14.34] by gateway.sequent.com (5.61/1.34) id AA29829; Fri, 10 Mar 95 09:18:42 -0800 Received: from ushqgw0a.sequent.com by relay1.sequent.com (5.65/crg/11) id AA14490; Fri, 10 Mar 95 09:06:04 -0800 Received: by ushqgw.sequent.com with Microsoft Mail id <2F608AE5@ushqgw.sequent.com>; Fri, 10 Mar 95 09:22:45 PST From: "Ned Smith (nedbob)" To: "'Firewalls Alias(firewalls@greatcircle.com)'" Subject: Re: Why UDP cannot be handled security ? Date: Fri, 10 Mar 95 09:17:00 PST Message-Id: <2F608AE5@ushqgw.sequent.com> Encoding: 69 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ---------- |>> UDP does not permit a router to differentiate between inbound packets |>> requesting new services and inbound packets returning data to outbound |>> requests. This means that, using static filters, you cannot offer inside |>> users access to services based on UDP without giving outside users access |>> to the same service inside your network. |>> |>> The use of different types of "dynamic" filtering that some vendors |>> offer permits a temporary hole to be created for the return packet(s) |>> in response to an outbound request, thus limiting the vulnerability. |>> |>> In my opinion, this is still not perfect but it is much better. |>> My opinions are not necessarily my company's and vice-versa. |> |>Now I am starting to understand... |>This is really based on how vendor (at least cisco) software |>works rather than how it should be. Would anybody from cisco |>and others care to comment? 
Is this likely to change or not |>change in the future release of software? |>Regards, |>Tenna Sakai |>Miles Research Center |> |No, you obviously don't understand. Allowing a temporary hole after seeing |an outbound UDP packet is a hack aka kludge (and potential vulnerability?) I'm afraid I'm not following your logic. Are you suggesting protocols using UDP are all kludges? My understanding is some protocols dictate a return connect be made to a random port (in the 'high' range). Static filtering techniques either break the protocol by not allowing any return connections or leave the high numbered ports open - statically. Dynamic filtering permits the 'always closed' policy to be overridden when a return connection is needed - as dictated by the protocol. Dynamic filtering seems to me to be a rather elegant solution? It seems to me the closest thing to a hack in all of this is static filtering rules that say "allow udp on all ports > 1023". Best Regards, Ned Smith nedbob@sequent.com |Anyone |with more knowledge feel free to jump in here...(like you really need to say |that on the Net...) |cheers, |__________ |\______ \_____ _______ _______ ___.__. 
| | | _/\__ \ \_ __ \\_ __ < | | | | | \ / __ \ | | \/ | | \/\___ | | |______ /(____ /|__| |__| / ____| | \/ \/ \/ | |Systems Programmer |Technical Support Group |Asia-Pacific Information Centre |Dun & Bradstreet Information Services | From firewalls-owner Fri Mar 10 11:25:37 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA23369 for firewalls-outgoing; Fri, 10 Mar 1995 11:04:52 -0800 Received: from quack.kfu.com (quack.kfu.com [204.147.226.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA23364 for ; Fri, 10 Mar 1995 11:04:48 -0800 Received: from phoenix (phoenix.kfu.com) by quack.kfu.com with SMTP id AA16259 (5.65c8/IDA-1.4.4 for ); Fri, 10 Mar 1995 11:02:30 -0800 Received: by phoenix (5.x//ident-1.0) id AA18216; Fri, 10 Mar 1995 11:02:29 -0800 Newsgroups: quack.firewalls Path: quack.kfu.com!nsayer From: nsayer@quack.kfu.com (Nick Sayer) Subject: Re: Deslogin-1.3 Now Available Message-Id: Organization: The Duck Pond public unix: +1 408 249 9630, log in as 'guest'. References: <199503100900.BAA20523@miles.greatcircle.com> Date: 10 Mar 1995 19:02:22 UTC Lines: 23 Content-Type: text Apparently-To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Another alternative is the tucif telnet suite. It uses regular old telnet protocol with extensions to allow SRA login authentication (based on secure RPC source. No kerberos or other 'server' required, just replace the telnet and in.telnetd and go), and then uses the exchanged keys to DES the session. Best of all, you ftp it from Germany, not the US! ftp://ftp.tu-chemnitz.de/pub/Local/informatik/sec_tel_ftp (Internet address: 134.109.2.13) Grab the tucif tar, and if you don't already have it, you'll need the libdes and gmp sources in the same directory. I don't know how secure this stuff REALLY is, so I may be getting a false sense of security, but encryption is my security blanket. 
-- Nick Sayer | TRUE GIANTS OF HISTORY #104 N6QQQ @ N0ARY.#NORCAL.CA.USA.NOAM | +1 408 249 9630, log in as 'guest' | Ezekiel Merrit URL: http://www.kfu.com/~nsayer/ | Raised the first California flag From firewalls-owner Fri Mar 10 15:03:28 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA23701 for firewalls-outgoing; Fri, 10 Mar 1995 12:21:05 -0800 Received: from erenj.com ([159.70.31.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA23696 for ; Fri, 10 Mar 1995 12:21:01 -0800 Posted-Date: Fri, 10 Mar 1995 09:45:18 -0500 From: "Bryan D. Boyle" Message-Id: <9503100945.ZM16689@maverick.erenj.com> Date: Fri, 10 Mar 1995 09:45:18 -0500 X-Phone: (908) 730-3338 X-Saying: Strange problems call for strange solutions. X-Life: Get One X-Face: "Pd&4kXWsi"3Hc_Y~I-ts24DN$w~Hh)&L-P9DZvE"~_~m),~Y&N_]TUIM*4.r@z$SxVL]}v=+IP>Fuq{zx%{KKj"Kys1Q5{|m*l}:[T;N:/=@5[xOIpR$%skp$f0#6^j\1+ -?l%Yk/+S8Y!3J@{~!Ao4-COV:Ft}{]oZ&1=!@<>UIh2s X-Mailer: Z-Mail (3.2.0 06sep94) To: firewalls@greatcircle.com Subject: vendor list Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk service provider is still having problems :( url may still be unavailable. durn. -- Bryan D. 
Boyle |Physical: ER&E, Clinton, NJ (908) 730-3338 #include |Virtual: bdboyle@erenj.com World-Wide-Web: http://www.access.digex.net/~bdboyle/index.html

From firewalls-owner Fri Mar 10 15:04:15 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA23721 for firewalls-outgoing; Fri, 10 Mar 1995 12:21:29 -0800
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA23716 for ; Fri, 10 Mar 1995 12:21:27 -0800
Received: from uvs1.orl.mmc.com by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950108) id MAA03807; Fri, 10 Mar 1995 12:14:10 -0800
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA01685; Fri, 10 Mar 95 10:12:32 -0500
Date: Fri, 10 Mar 95 10:12:32 -0500
Message-Id: <9503101512.AA01685@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: MS-DOS Packet Monitors
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Kristian writes:
>I am planning to equip a portable PC with DOS and Windows with
>an Ethernet adapter and use it as a portable packet monitor for
>network analysis.

Do it all the time myself with an AT&T/NCR notebook and Megahertz PCMCIA card (plug). Recommended tools are:

Beholder/Gobbler for packet capture
Ethload for statistical monitoring
FTP PCTCP utilities for general use (PING -Q is nice for finding paths and the telnet allows port setting)
Waterloo libraries/Borland Turbo C for "rolling your own".

Other handy stuff:

U. Minn Gopher
Mosaic
Trumpet NNTP reader
PKTMUX for multiple simultaneous actions
ODIPKT (Daniel Lanciani) - this is particularly important since many notebook LAN adapters - especially PCMCIA cards - do not include packet drivers but just about all come with Novell ODI.
With this I can be logged into a Novell LAN, open an SMTP server, and do a backping with intermediate node reporting at the same time. Not all free, some may even be obsolete, but it is what works for me.

Warmly,
Padgett

From firewalls-owner Fri Mar 10 15:04:59 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA23683 for firewalls-outgoing; Fri, 10 Mar 1995 12:20:38 -0800
Received: from mn.interact.net (mn.interact.net [204.147.80.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA23674 for ; Fri, 10 Mar 1995 12:20:32 -0800
Received: from MAIL.DCC.COM ([204.147.93.69]) by mn.interact.net (8.6.9/8.6.9) with SMTP id IAA12295 for < firewalls@greatcircle.com>; Fri, 10 Mar 1995 08:20:19 -0600
Received: by MAIL.DCC.COM with Microsoft Mail id <2F607C64@MAIL.DCC.COM>; Fri, 10 Mar 95 08:20:52 PST
From: "Moubray, Steve"
To: "'SMTP: firewalls@greatcircle.com'"
Subject: Firewall recommendations
Date: Fri, 10 Mar 95 08:20:00 PST
Message-ID: <2F607C64@MAIL.DCC.COM>
Encoding: 30 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We're looking at a firewall solution and have spent some time gathering information about Secure Computing's Sidewinder, the Janus firewall, and someone recently recommended Goliath (no other information) to one of my staff. Anyone familiar with these products? Can anyone offer any good advice on particular products? I'm not comfortable with just packet filtering. We won't write our own; we need something that requires little maintenance (unless attacked), will create normal logs and provide silent warnings. I've read quite a bit about firewalls but as you can tell I'm not an expert yet and I need some practical feedback.

We only have a few hosts running SCO and maybe some mid range running IP in the future in possibly AIX hosts. We need NetScape, Telnet, FTP, E-Mail and News for applications.
Any feedback offered directly to my address will be consolidated on the list (if it seems worthy). Thanks.

--------------------------------------------------
Steve Moubray
DCC, Inc.
10 Second Street NE
Minneapolis, MN 55413
(612) 378-4469
(612) 378-4401 Fax
smoubray@dcc.com

From firewalls-owner Fri Mar 10 15:05:45 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA23809 for firewalls-outgoing; Fri, 10 Mar 1995 12:23:35 -0800
Received: from oxygen.house.gov (oxygen.house.gov [137.18.128.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA23803 for ; Fri, 10 Mar 1995 12:23:31 -0800
Received: by oxygen.house.gov (AIX 3.2/UCB 5.64/3.2.083191-) id AA22766; Fri, 10 Mar 1995 09:15:02 -0500
From: dorian@oxygen.house.gov (Dorian Deane)
Message-Id: <9503101415.AA22766@oxygen.house.gov>
Subject: Re: chroot httpd
To: ken@bridge.com (Ken Hardy)
Date: Fri, 10 Mar 1995 09:15:01 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Ken Hardy" at Mar 9, 95 10:52:28 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 729
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > The CERN httpd doesn't seem to do a chroot when it starts up. Is there a
> > publicly available daemon that does, or a list of instructions on how
> > to easily change the source on some httpd to force a chroot?
>
> /usr/sbin/chroot /jails/httpd /bin/httpd -r /configs/httpd.conf
>

Wietse Venema wrote chrootuid (available, I think, at ftp.win.tue.nl:/pub/security) which is simple, straightforward code to do a chroot and setuid to nobody (or whatever uid you choose). Its advantage is in its careful error checking. I looked at some gopher server code a while ago and found that it would try to do a setuid to nobody and continue on with nary a complaint if it failed. And it did fail, in our case.
dorian

From firewalls-owner Fri Mar 10 15:06:33 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA23897 for firewalls-outgoing; Fri, 10 Mar 1995 12:25:37 -0800
Received: from uustar.starnet.net (uustar.starnet.net [128.252.135.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA23878 for ; Fri, 10 Mar 1995 12:24:46 -0800
Received: from boatmens.UUCP by uustar.starnet.net with UUCP id AA02333 (5.67b/IDA-1.5 for Firewalls@GreatCircle.COM); Fri, 10 Mar 1995 09:05:29 -0600
Received: from bkc05000 by boatmens.uucp (4.1/SMI-4.1) id AA08524; Fri, 10 Mar 95 09:05:51 CST
Received: by bkc05000 (1.37.109.15/16.2) id AA137847574; Fri, 10 Mar 1995 08:59:34 -0600
Date: Fri, 10 Mar 1995 08:59:33 -0600 (CST)
From: "Barry J. Archer"
To: Firewalls@greatcircle.com
Subject: VMS TCP/IP & bastion host
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

"Steve" Stephen L. Arnold writes:

> version of OpenVMS with any applicable security patches applied. I
> recommend MultiNet from TGV for TCP/IP, but then [*disclaimer*] I sell
> it. So ask some other folks. It seems Digital's TCP/IP Services for
> OpenVMS VAX (or AXP) (a.k.a. "UCX") is always playing catch-up.

Not that there probably aren't other good implementations of TCP/IP for OpenVMS, but from my VMS experience I'd want TGV's MultiNet on any VMS bastion host (or any others, for that matter) I was building. Their integrity and dedication to support is, IMHO, an example for others. I'd also feel as secure with their code as one can with a VMS implementation. I have no vested interest in TGV, just a lot of respect.
- Barry

===============================================================================
Barry Archer
Boatmen's Investment Banking Division / Technology Support - Kansas City
816/691-7826

From firewalls-owner Fri Mar 10 15:07:19 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA23963 for firewalls-outgoing; Fri, 10 Mar 1995 12:27:52 -0800
Received: from gatekeeper.prl.philips.co.uk (gatekeeper.prl.philips.co.uk [193.129.162.20]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA23948 for ; Fri, 10 Mar 1995 12:27:30 -0800
Received: by gatekeeper.prl.philips.co.uk (4.1/UNIPALM-Vevision: 1.3 gatekeeper.prl.philips.co.uk) id AA10385; Fri, 10 Mar 95 10:19:53 GMT
Received: from unknown(130.141.10.82) by gatekeeper via smap (V1.3mjr) id sma010358; Fri Mar 10 10:18:29 1995
Received: from prlhp0 by prlhp1.prl.philips.co.uk; Fri, 10 Mar 95 10:14:41 GMT
From: Chris King
Message-Id: <9742.9503101014@prlhp0.prl.philips.co.uk>
Subject: intelligent interfaces to ftp/telnet/etc
To: Firewalls@greatcircle.com
Date: Fri, 10 Mar 95 10:14:03 GMT
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We have recently installed a dual homed gateway using the TIS firewall toolkit with proxy protection for FTP, Telnet and other services. This works ok for most. An ftp user ftps the firewall and then is prompted for a full login name (eg anonymous@xxxxx.yyyyyy.zz). Now this is ok for most users, but we have some problems with people who are using 3rd party software which provides a nice "friendly" gui front-end to ftp, etc. In one case, there is a ridiculously low limit on the buffer for the address, such that an address such as that above is truncated. In other cases, the front-end software presumably is looking for certain ftp messages (or their numeric equivalent), and not getting them, gives up. Anyone have any comments or experience on this?
--
------------------------------------------------------------------------------
Chris King (ITG Computer Systems Section), Philips Research Laboratories,
Cross Oak Lane, Redhill, Surrey, RH1 5HA, U.K.
Phone: (DDI) +44 (0)1293 815368 (Switchboard 815000)
Fax: +44 (0)1293 815500
E/Mail: Internet - kingcb@prl.philips.co.uk, SERI - kingcb@prlhp0
------------------------------------------------------------------------------

From firewalls-owner Fri Mar 10 15:08:04 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA23939 for firewalls-outgoing; Fri, 10 Mar 1995 12:26:48 -0800
Received: from netnet1.netnet.net (netnet1.netnet.net [198.70.64.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA23929 for ; Fri, 10 Mar 1995 12:26:40 -0800
Received: (from mouring@localhost) by netnet1.netnet.net (8.6.9/8.6.9) id LAA17912; Fri, 10 Mar 1995 11:38:18 -0600
Date: Fri, 10 Mar 1995 11:38:17 -0600 (CST)
From: Ben A Lindstrom
Subject: Re: just wondering....
To: Rich
cc: firewalls@GreatCircle.COM
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 8 Mar 1995, Rich wrote:

> Ok, on to a new topic (we have not had one for so long...)
>
> I guess if you think about it, there must be a lot of companies unprotected
> (even though it is easy to protect yourself) given the fact that
> Mitnick (ugh) got as far as he did.
> I offer a question -- How do we educate the "real" community (other than 60
> minutes) about how to build and utilize an Internet link without
> opening themselves up for a "heap 'o trouble".

Could it be that most colleges/Universities have stopped (have not started?) to teach about networking to the CS majors? This is my 3rd year in college and basically I have nothing besides information from the networks and ONE little Linux box to try out ideas and learn.
I know it's not all the schools' fault, but with networks getting more in demand you would think that they would start offering it. Even looking through the Novell Certification stuff (Personal thought: This is a joke now) it talks nothing about firewalls. Just basic setup and maintenance of a Novell cluster. It looks like people have put "firewalls" up there with running a network in the Schools. It's all "hush..hush"... Can't tell the students how it works. They might destroy our network. BLAH!

> Case in point -- How many Internet Providers give free Firewall Basics
> Training when you buy their service? Ok, none. Next question, Why
> Not?

The few providers I know personally have two functions:

a) as a network provider
b) as a jumping point for users with modems

And since they personally don't need firewalls they normally don't learn them in depth enough to teach it. I never thought about firewalls until I started learning about it for a domain I'm doing work at. Is there a nice FAQ that talks about firewalls in depth (theories and practice?). That might be a good place to start for educating the masses of Admins (or wanna-be/going-to-be Admins).

------
All misspellings are due to my almost full 56kb connect to Netnet.net and I take full credit for my "Creative Speeling class" =-)

Also, my thoughts and comments are my own, and can not be blamed on netnet.net or U of Wisconsin, River Falls school.
From firewalls-owner Fri Mar 10 15:08:49 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA24030 for firewalls-outgoing; Fri, 10 Mar 1995 12:30:01 -0800
Received: from dax.sai.com (dax.sai.com [198.137.245.66]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA24022 for ; Fri, 10 Mar 1995 12:29:57 -0800
Received: from dax.sai.com by dax.sai.com with smtp (Smail3.1.29.1 #3) id m0rn7XR-003pMwC; Fri, 10 Mar 95 11:27 EST
Date: Fri, 10 Mar 1995 11:27:41 -0500 (EST)
From: Darryl Wagoner
To: firewalls-digest@GreatCircle.COM
Subject: WinSock Security
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings,

We have a need to secure data that comes via the Internet. The system I think will work is to have it emailed to a DOS Winsock pc via POP. The PC has no daemons running on it such as bootp, lpd, etc. I know there are other things to watch on the Unix side. Those I can handle. I am just worried about data stored on the PC.

--
Darryl Wagoner  darryl@sai.com  http://www.sai.com/
Office: 603.672.0736  Fax: 603-672-4846
Web Pages for hire.
Check out NH & MA Movies http://www.sai.com/movies

From firewalls-owner Fri Mar 10 15:09:37 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA23971 for firewalls-outgoing; Fri, 10 Mar 1995 12:28:09 -0800
Received: from relay.puug.pt (relay.puug.pt [193.126.4.65]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA23955 for ; Fri, 10 Mar 1995 12:27:37 -0800
Received: from q950.bvl.pt by relay.puug.pt with UUCP id AA03141 (5.67a/IDA-1.5 for firewalls@greatcircle.com); Fri, 10 Mar 1995 15:30:46 +0100
Received: from q950 (q950.bvl.pt) by jessica.bvl.pt with SMTP id AA02050 (5.65c/IDA-1.4.4); Fri, 10 Mar 1995 15:04:20 GMT
Message-Id: <199503101504.AA02050@jessica.bvl.pt>
Date: 10 Mar 1995 15:13:23 +0000
From: "Antonio Vasconcelos"
Subject: RE: CD-ROM based bastion (Solaris 2)
To: firewalls@greatcircle.com, "Steve Dearth"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I know some of you have already thought of the obvious, however, how about
> an OS built on a RO hard drive (using hardware jumpers to render it RO).

I haven't seen such beast announced anywhere. But it sure would be a good thing to have. Well, I know about some removable hard drives with that feature, but not about normal production hard disks...

> You would get the speed that you need and you could re-configure it by
> resetting the jumper for a short time. As with the CD-ROM solution, you
> would have to physically secure the machine.

There's a small glitch: you can't forget to "protect" a cd-rom, but you WILL forget about it with this system (Murphy Says).

> Another point to raise for both scenarios: How can you guarantee that the
> code could not be patched after it had been read from the RO drive into
> RAM? Perhaps this is already taken care of in a "Trusted" system?

You can't guarantee that, except indirectly: for that to be possible, you'll have to execute some kind of program. Programs must be read from or generated by something that is on the disk.
If you are sure that such a thing is not there you'll be safe because no-one (including you) can place it there.

From firewalls-owner Fri Mar 10 15:48:12 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA25480 for firewalls-outgoing; Fri, 10 Mar 1995 13:03:42 -0800
Received: from paranor.ca.cch.com (paranor.ca.cch.com [192.139.248.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA25456 for ; Fri, 10 Mar 1995 13:03:16 -0800
Received: by paranor.ca.cch.com id AA29793; Fri, 10 Mar 95 16:05:11 EST
Received: from cchtor.ca.cch.com(192.139.241.2) by paranor.ca.cch.com via smap (V1.3) id sma029787; Fri Mar 10 16:05:03 1995
Received: from cchtor (cchtor.ca.cch.com [192.139.241.2]) by cchtor.ca.cch.com (8.6.9/8.6.9) with SMTP id PAA03803; Fri, 10 Mar 1995 15:37:57 -0500
Date: Fri, 10 Mar 1995 15:37:53 -0500 (EST)
From: Larry Chin
Subject: Re: chroot httpd
To: Paul Dodd
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9503100201.AA03029@rio.myra.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> The CERN httpd doesn't seem to do a chroot when it starts up. Is there a
> publicly available daemon that does, or a list of instructions on how
> to easily change the source on some httpd to force a chroot?

You could just start the daemon from rc.local (or whatever) and issue a chroot CERN_HTTPD, if that's what you are after. Hope this helps, I'm not sure I am entirely clear what you are attempting.

===========================================================================
Larry Chin {Larry_Chin@ca.cch.com}
System/Network Administrator
CCH Canadian Ltd.
(416) 441-4001 ext.
349
===========================================================================

From firewalls-owner Fri Mar 10 16:34:43 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA27145 for firewalls-outgoing; Fri, 10 Mar 1995 14:00:58 -0800
Received: from trefle.saclay.cea.fr (trefle.saclay.cea.fr [132.166.128.101]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA27140 for ; Fri, 10 Mar 1995 14:00:45 -0800
Received: from oeillet.saclay.cea.fr by trefle.saclay.cea.fr (8.6.10/CEANET-ROUTER-3.0) with ESMTP id LAA08406 for ; Fri, 10 Mar 1995 11:04:54 +0100
Received: from alpha.cad.cea.fr by oeillet.saclay.cea.fr (8.6.10/CEANET-ROUTER-3.0) with SMTP id LAA26732 for ; Fri, 10 Mar 1995 11:06:17 +0100
Received: from localhost by alpha.cad.cea.fr (5.65/CEANET-2.0.1) id AA19043; Fri, 10 Mar 1995 11:05:20 +0100
Message-Id: <9503101005.AA19043@alpha.cad.cea.fr>
To: firewalls@greatcircle.com
Subject: Screend packet filtering capabilities
Date: Fri, 10 Mar 95 11:05:19 +0100
From: Herve DEMARTHE (CEA France)
X-Mts: smtp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dear firewalls managers,

I am considering using Jeff Mogul's screend software as a building block for our firewall system. We are in the process of moving from DecStations MIPS/Ultrix to Alpha/OSF1 and we have got back some 5000/200 boxes with additional Turbo Channel Ethernet adapters as well, so it can be an economically effective choice. Anyway, I have some questions unresolved on this matter and I request your help; here they are (newbie questions as you will see!):

1) On a 5000/200 under Ultrix 4.4, is there a reason to use the screend package from gatekeeper.dec.com /pub/misc/vixie/screend/screend.tar.Z instead of the screend stuff delivered as part of the Ultrix distribution? The README says: << It is functionally a bit more evolved ... >> What about this evolution? Does it imply Ultrix kernel modification?
2) The README file of the package suggests adding the following options to the kernel:

    options GWSCREEN
    pseudo-device gwscreen
    options GATEWAY
    options IPFORWARDING=1

but the Ultrix screend(8) man page only suggests adding

    pseudo-device gwscreen

Am I missing something??? Who is right? I have checked with kvar that IPFORWARDING was set by default in my Ultrix kernel... should I add the other lines?

3) Does screend protect from source-routed packets? And how? Does it block IP options as a whole or selectively? Is it optional?

4) Does screend allow filtering based on the source port?

5) Does screend distinguish between the "red" Internet interface and the "blue" internal LAN interface on a DecStation with 2 Ethernet attachments? The purpose of this question is to know if anti-spoofing (i.e. rejecting "local" packets in disguise which could appear at the inbound "red" interface) can be done on the machine running screend or must be done at our internet provider's router level (as suggested in the Cheswick/Bellovin book for the "choke" machine).

6) The README file suggests running routed. Is it mandatory (and why?) and even wise?

7) Can I give the 2 interfaces IP addresses from the same net (class B in our case) but different subnets, or should I use yet another network (class C, hopefully!)? I once read a reply from Brent Chapman about problems at network boundaries...

8) I have "played" a little with screend on a 5000/200 in this configuration:

                                ---------------------------
    ---------------------------|         5000/200          |---------------------------
                                ---------------------------
          ^                      ^                    ^                      ^
          |                      |                    |                      |
    DMZ or "red"          "red" interface      "blue" interface       local or "blue"
      network              IP name : red        IP name : blue             network

I have configured /etc/screend.conf to allow packets from blue to red and to block traffic from red to blue. Despite this setting, a machine belonging to the "red" network can still reach (eg telnet) IP address blue. How does this come about? How can we block access to blue?
Perhaps it is due to the fact that screend intercepts packets between ip_intr, which determines if the packet is meant for "this host" (regardless of the interface), and ip_forward (which routes the packet)?

9) Finally, are there commercial routers around (Cisco, BayNetworks, ...) which meet all of these criteria (interface distinction, no source-route, destination AND source filtering, logging capabilities, ...)?

This leads in fact to a fairly long list of questions! If some of them are FAQ, please forgive me and give me the pointers. I post this mail to the firewalls, alpha-osf-managers and decstation-managers lists.

Thanks in advance for your help,

Regards,

+--------------------------------------------------------------+
| Herve DEMARTHE  %^)      E-Mail: demarthe@alpha.cad.cea.fr   |
| CEA/DSM/DRFC/STEP        Tel: +33 42257527 Fax: +33 42252661 |
| CEN Cadarache Bt 506 13108 St Paul Lez Durance FRANCE        |
| <<< Apprentiz de todo, Maestro de nada ... >>>               |
| All opinions expressed herein are mine and not those of CEA.
|
+--------------------------------------------------------------+

From firewalls-owner Fri Mar 10 16:36:06 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA26927 for firewalls-outgoing; Fri, 10 Mar 1995 13:47:48 -0800
Received: from ns.draper.com (ns.draper.com [140.102.2.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA26917 for ; Fri, 10 Mar 1995 13:47:43 -0800
Message-Id: <199503102147.NAA26917@miles.greatcircle.com>
Received: from surname.draper.com by ns.draper.com id aa23852; 10 Mar 95 16:45 EST
Received: from kss1376.draper.com by surname.draper.com id aa25243; 10 Mar 95 16:45 EST
X-Sender: kss1376@pop.draper.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 10 Mar 1995 16:45:20 -0500
To: Paul Dodd , firewalls@greatcircle.com
From: Ken Shores
Subject: Re: chroot httpd
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 06:01 PM 3/9/95 PST, Paul Dodd wrote:
> The CERN httpd doesn't seem to do a chroot when it starts up. Is there a
> publicly available daemon that does, or a list of instructions on how
> to easily change the source on some httpd to force a chroot?

I prefer to do the chroot in the program, rather than external in the initiation of the program, as this allows you to keep the config file outside the chroot environment. The actual command to chroot can be as simple as:

    if (chroot("place.path.here") < 0 || chdir("/") < 0)
        HTLog_error2("Can't set root");

but I prefer to define a "parentroot" directive in the config to go along with the existing parentpid and parentgid ones. The attached code is for CERN 3.0. Note that this breaks "kill -HUP" reloading (since it can't read the config after chrooting).

Ken

# # diff -e of HTDaemon.c and HTConfig.c for adding ParentRoot.
# # HTDaemon.c: # 3122a /* * Set changeroot */ if (sc.parent_root != NULL) { if (chroot(sc.parent_root) < 0 || chdir("/") < 0) { HTLog_error2("Can't set root to",sc.parent_root); } else { CTRACE(stderr, "Doing....... chroot(%s)\n", sc.parent_root); } }

From firewalls-owner Fri Mar 10 18:05:30 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA29924 for firewalls-outgoing; Fri, 10 Mar 1995 17:08:55 -0800
Received: from bos1h.delphi.com (bos1h.delphi.com [192.80.63.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id RAA29914 for ; Fri, 10 Mar 1995 17:08:52 -0800
From: ZTA@delphi.com
Received: from delphi.com by delphi.com (PMDF V4.3-9 #7804) id <01HNZEKMFFWG95RAWO@delphi.com>; Fri, 10 Mar 1995 20:06:29 -0500 (EST)
Date: Fri, 10 Mar 1995 20:06:29 -0500 (EST)
Subject: [Q]file on 3.2.5 which allows filtering
To: firewalls@greatcircle.com
Message-id: <01HNZEKMFFWI95RAWO@delphi.com>
X-VMS-To: INTERNET"firewalls@greatcircle.com"
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I saw a posting a while back that covered packet filtering on Aix 3.2.5. Would someone send me the name of the file that needs to be altered...
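Review bot: in the HTDaemon.c hunk of Ken Shores's ParentRoot patch above, the failure branch only calls HTLog_error2("Can't set root to", sc.parent_root) and then falls through, so when chroot() or chdir("/") fails the daemon keeps serving from the real root; that is the same silent-failure pattern Dorian Deane describes for the gopher server's setuid, and the branch should exit (or refuse to start) rather than log and continue. Two smaller points: the inserted block has to run before the existing parent uid/gid drop, since chroot() requires root, and only the HTDaemon.c half of the diff -e is shown, so the HTConfig.c change that fills sc.parent_root from the ParentRoot directive is missing from the post.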
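Dorian Deane's point about chrootuid's careful error checking and Ken Shores's in-program chroot describe the same discipline: chdir into the jail, chroot while still root, chdir("/") so the working directory is inside the new root, clear the supplementary groups, drop the gid and then the uid, and treat any failure as fatal instead of logging and carrying on the way the gopher server did. The program below is an added illustration of that sequence written for this page; it is not chrootuid, not CERN httpd code, and not from anyone on the list. The default jail path /jails/httpd and uid/gid 65534 are constructed sample values, and the chroot() call only succeeds when the program is started as root; when it is not, the EPERM is reported and the process refuses to go on rather than pretending it is confined.

```c
/* Added example (not from the list, chrootuid or CERN httpd): confine a
 * process to a jail and drop privileges, failing loudly at every step. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum confine_status {
    CONFINE_OK = 0,
    CONFINE_ECHDIR,   /* jail directory not reachable */
    CONFINE_ECHROOT,  /* chroot() refused, usually EPERM: not running as root */
    CONFINE_EGROUPS,  /* supplementary groups could not be cleared */
    CONFINE_ESETGID,  /* setgid() failed */
    CONFINE_ESETUID,  /* setuid() failed */
    CONFINE_EREGAIN   /* ids look wrong, or root could be regained afterwards */
};

/* Returns 1 only if the process really runs as uid/gid and cannot get uid 0
 * back. A server that never makes this check is the "nary a complaint"
 * failure mode Dorian saw in the gopher server. */
int privs_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    if (uid == 0) return 0;            /* still root: nothing was dropped */
    if (setuid(0) == 0) return 0;      /* must be refused after a real drop */
    return errno == EPERM;
}

/* chroot into `jail` and become uid/gid. Order matters: chdir first so the
 * path is resolved outside the jail, chroot while still root, then chdir("/")
 * so the cwd lies inside the new root, then groups, gid and uid (uid last,
 * because setgid() needs root). Every step is checked and reported. */
int confine(const char *jail, uid_t uid, gid_t gid)
{
    if (chdir(jail) < 0) return CONFINE_ECHDIR;
    if (chroot(jail) < 0) return CONFINE_ECHROOT;
    if (chdir("/") < 0) return CONFINE_ECHDIR;
    if (setgroups(0, NULL) < 0) return CONFINE_EGROUPS;
    if (setgid(gid) < 0) return CONFINE_ESETGID;
    if (setuid(uid) < 0) return CONFINE_ESETUID;
    if (!privs_dropped(uid, gid)) return CONFINE_EREGAIN;
    return CONFINE_OK;
}

/* Human-readable name for a confine_status value. */
const char *confine_strerror(int st)
{
    static const char *msg[] = {
        "ok", "cannot chdir to jail", "chroot failed",
        "cannot clear supplementary groups", "setgid failed",
        "setuid failed", "privileges not fully dropped"
    };
    return (st >= 0 && st < 7) ? msg[st] : "unknown";
}

/* Stand-alone use: confine [jail] [uid] [gid]. Constructed defaults are
 * /jails/httpd and uid/gid 65534 ("nobody" on many systems); must be
 * started as root for chroot() to succeed. */
int main(int argc, char **argv)
{
    const char *jail = argc > 1 ? argv[1] : "/jails/httpd";
    uid_t uid = argc > 2 ? (uid_t)strtoul(argv[2], NULL, 10) : 65534;
    gid_t gid = argc > 3 ? (gid_t)strtoul(argv[3], NULL, 10) : 65534;
    int st = confine(jail, uid, gid);
    if (st != CONFINE_OK) {
        /* Unlike the gopher server, refuse to run unconfined. */
        fprintf(stderr, "confine: %s: %s (%s)\n", jail,
                confine_strerror(st), strerror(errno));
        return 1;
    }
    printf("confined to %s as uid %lu gid %lu\n", jail,
           (unsigned long)uid, (unsigned long)gid);
    return 0;
}
```

The same ordering applies to Ken's ParentRoot directive: the config must be read and the chroot done before the parent uid/gid drop, and the error branch should end the process rather than log and fall through.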
From firewalls-owner Fri Mar 10 18:42:19 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA28701 for firewalls-outgoing; Fri, 10 Mar 1995 15:41:50 -0800
Received: from freedom.msfc.nasa.gov (FREEDOM.MSFC.NASA.GOV [128.158.1.222]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA28639 for ; Fri, 10 Mar 1995 15:33:54 -0800
Received: by freedom.msfc.nasa.gov (5.61/Silicon-Graphics/90-04-25) id AA27733; Fri, 10 Mar 95 16:50:15 -0600
Date: Fri, 10 Mar 95 16:50:15 -0600
From: roosekj@freedom.msfc.nasa.gov (kathryn Roose)
Message-Id: <9503102250.AA27733@freedom.msfc.nasa.gov>
To: firewalls@greatcircle.com
Subject: DEC's Firewall Service
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We are currently researching various firewall product offerings. If anyone has had experience with the DEC Firewall Service, we would appreciate your opinion of the product - pros and cons. Also of interest would be information relating to performance. Many thanks in advance for your support.

K. Roose
kroose@hobbes.msfc.nasa.gov or kroose@freedom.msfc.nasa.gov
From firewalls-owner Fri Mar 10 18:45:24 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA00832 for firewalls-outgoing; Fri, 10 Mar 1995 18:14:38 -0800
Received: from alcor.twinsun.com (alcor.twinsun.com [198.147.65.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA00822 for ; Fri, 10 Mar 1995 18:14:34 -0800
Received: from twinsun.com (twinsun.twinsun.com [192.54.239.2]) by alcor.twinsun.com (8.6.5/8.6.5) with SMTP id RAA10853 for ; Fri, 10 Mar 1995 17:43:02 -0800
Received: from knee.twinsun.com by twinsun.com (4.1/SMI-4.1) id AA02858; Fri, 10 Mar 95 18:11:18 PST
Received: by knee.twinsun.com (5.0/SMI-SVR4) id AA05957; Fri, 10 Mar 1995 18:11:15 -0800
Date: Fri, 10 Mar 1995 18:11:15 -0800
From: dorab@twinsun.com (Dorab Patel)
Message-Id: <9503110211.AA05957@knee.twinsun.com>
To: firewalls@greatcircle.com
Subject: firewall architectures to support an untrusted net
Content-Length: 2730
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Assume that, for the most part, you want to allow internal users to telnet and ftp out, but to basically allow only email in. Now, however, suppose you need to support an anon FTP server, a WWW server and other reasonably security-less services for outside users. Internal users, perhaps only a selected few, also need access to these servers for maintenance reasons. My thoughts were to isolate these "untrusted" servers on an untrusted subnet. There are several architectures for this and I'd like to generate discussion on the pros and cons of each. If this has already been done, please point me to relevant information.
Thanks

Architecture 1 (diagram): internet - untrusted net [www/ftp] - screen filter and bastion - dmz - choke - internal net

Architecture 2 (diagram): internet - dmz [bastion] - screen filter - untrusted net [www/ftp] - choke - internal net

Architecture 3 (diagram): internet - screen filter and bastion - dmz - choke - internal net, with the untrusted net [www/ftp] drawn below the internal net

From firewalls-owner Fri Mar 10 20:54:45 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA03481 for firewalls-outgoing; Fri, 10 Mar 1995 20:33:37 -0800
Received: from uxadbsrv.asiandevbank.org (uxadbsrv.asiandevbank.org [202.0.28.68]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id UAA03471 for ; Fri, 10 Mar 1995 20:33:07 -0800
Received: from mail.asiandevbank.org ([202.0.28.77]) by uxadbsrv.asiandevbank.org (4.1/060295.01-eef) id AA23774; Sat, 11 Mar 95 12:30:50 HKT
Received: from cc:Mail by mail.asiandevbank.org id AA794953863; Sat, 11 Mar 95 12:21:56 MNL
Date: Sat, 11 Mar 95 12:21:56 MNL
From: "George D. Custodio"
Encoding: 4 Text
Message-Id: <9502117949.AA794953863@mail.asiandevbank.org>
To: firewalls@greatcircle.com
Subject: IBM's Firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is there any user of IBM's firewall (NetSp Security Gateway)?
In one network security presentation, the speaker said that IBM's firewall implementation includes packet filtering, application proxy, DNS, and socks. Is this true? Is it available now? Does it work?

From firewalls-owner Sat Mar 11 03:20:19 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id DAA14266 for firewalls-outgoing; Sat, 11 Mar 1995 03:02:41 -0800
Received: from sun4nl.NL.net (sun4nl.NL.net [193.78.240.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id DAA14261 for ; Sat, 11 Mar 1995 03:02:38 -0800
Received: from solair1.inter.NL.net by sun4nl.NL.net with SMTP id AA11481 (5.65b/CWI-3.3); Sat, 11 Mar 1995 12:00:21 +0100
Received: by solair1.inter.NL.net (5.65b/NLnet1.2) id AA04592; Sat, 11 Mar 1995 12:00:20 +0100
Date: Sat, 11 Mar 1995 12:00:19 +0100 (MET)
From: Peter Kornelisse
Subject: auditing firewalls
To: firewalls@greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all,

Does anybody know about the existence of EDP Auditor's literature concerning auditing firewalls? I have to audit a network protected by several internal and external firewalls. The network, incl. the firewalls, is a mixture of Unix systems (OSF/1 version 3.0B on DEC 2000 AXP 300; some of these machines are bootable with OpenVMS, so the firewalls have to protect two operating systems, so to speak) and AS/400 systems. As I'm not particularly familiar with firewalls, I'm open to any suggestions and tips. Can anybody also inform me about setting up firewalls for the above mentioned systems?
My thanks in advance

Arjan Vos

From firewalls-owner Sat Mar 11 04:50:19 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA15300 for firewalls-outgoing; Sat, 11 Mar 1995 04:28:07 -0800
Received: from papago.dtcc.edu (papago.dtcc.edu [138.123.64.251]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id EAA15293 for ; Sat, 11 Mar 1995 04:28:03 -0800
Received: by papago.dtcc.edu (5.4R3.10/200.1.1.4) id AA10591; Sat, 11 Mar 1995 07:25:44 -0500
Date: Sat, 11 Mar 1995 07:25:44 -0500 (EST)
From: Ken Weaverling
To: Ben A Lindstrom
Cc: firewalls@GreatCircle.COM
Subject: Re: just wondering....
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 10 Mar 1995, Ben A Lindstrom wrote:

> Could it be that most colleges/Universities have stopped (have not started?)
> to teach about networking to the CS majors? This is my 3rd year in college
> and basically I have nothing besides information from the networks and ONE
> little Linux box to try out ideas and learn.

I taught an experimental course like this once on networking and systems administration. Each student was assigned a 486 in a public lab. We partitioned the hard drive and installed Linux onto each one, and set up LILO so it would boot into DOS by default (for the sake of "normal" students!). They learned a little about tcp/ip, installing applications, managing file systems, and security. I let them boot their machines before the school closed each night and had a cron entry reboot in the morning (a cold boot which forced LILO to boot DOS back) for normal students.

This was about the time the Linux/AIX froot bug came out, so a lot of them started breaking root on each other one weekend! Taught them all a valuable lesson I guess, and I tried to take the attitude that it's better for them to get it out of their system on these lab machines, but it was like a fever.
When everyone patched login, they went nuts trying to break each other's machines until someone located tcpdump. Then *I* freaked because they were sniffing the college's LAN all of a sudden. That was it. I decided not to teach it again until we at least get all secure hubs (these labs were wired ages ago with transceiver cables to MAUs to 10base5. We have one campus in good shape with secure hubs AND TP cards that don't have a promiscuous mode, so it's a start.)

It was a great class for students, a royal headache for me. Since I was the administrator of all the systems and LANs, it wasn't bad. I would not want a normal instructor having that kind of access.

I get asked by the Computer Science department to allow networking classes, like setting up Novells (ZZZZzzzzz....). I won't allow general purpose lab machines on the main net for this. I tell them to buy a set of computers and file servers separated from the campus LAN for this. However this gets way too expensive. You can't dedicate a classroom for a single use like this, nor computers. Also, no one wants to learn to manage a LAN that is an island. So, it's a great idea, but often impractical.
--
Ken Weaverling  weave@dtcc.edu              |*| *** I speak MIME and PGP ***
Manager of Computer Services                |*|
Stanton/Wilmington Campuses of              |*| PGP key: finger weave@hopi.dtcc.edu
Delaware Technical & Community College      |*| fingerprint: finger weave@ssnet.com

From firewalls-owner Sat Mar 11 07:20:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA16892 for firewalls-outgoing; Sat, 11 Mar 1995 07:17:56 -0800
Received: from dmso.dmso.dtic.dla.mil (dmso.dmso.dtic.dla.mil [131.84.1.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA16887 for ; Sat, 11 Mar 1995 07:17:54 -0800
Received: (from markjs@localhost) by dmso.dmso.dtic.dla.mil (8.6.9/8.6.9) id KAA02366 for firewalls@greatcircle.com; Sat, 11 Mar 1995 10:07:36 -0500
From: Markku Saarelainen
Message-Id: <199503111507.KAA02366@dmso.dmso.dtic.dla.mil>
Subject: PC Firewalls - SLIP / PPP
To: firewalls@greatcircle.com
Date: Sat, 11 Mar 1995 10:07:35 -0500 (EST)
X-Mailer: ELM [version 2.4 PL21]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 361
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I would like to find the application(s) that can be used to build a firewall for the PC (winSock), while the PC is used via a SLIP/PPP account on the internet. Please email me any good and useful information in this area. Also, if such an application does not exist, what can be done in this case otherwise ... or are my concerns real?

My best regards,

Mark

From firewalls-owner Sat Mar 11 07:41:01 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA16833 for firewalls-outgoing; Sat, 11 Mar 1995 07:08:03 -0800
Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA16828 for ; Sat, 11 Mar 1995 07:07:59 -0800
From: fc@all.net (Dr. Frederick B. Cohen)
Received: by all.net (4.1/3.2.012693-Management Analytics); id AA28038 for firewalls@greatcircle.com; Sat, 11 Mar 95 10:02:10 EST
Message-Id: <9503111502.AA28038@all.net>
Subject: Short Course on Protection and Security on the Information Superhighway
To: bugtraq@fc.net, firewalls@greatcircle.com, virusl@lehigh.edu, privacy@vortex.com, risks@csl.sri.com
Date: Sat, 11 Mar 1995 10:02:10 -0500 (EST)
Cc: jerry_fireman@fireman.com
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 518
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There will be a short course held on March 29 and 30, in New York (with other cities to follow in the May-June time frame) on protection in the emerging NII (info superhighway) computing environment. For full details, see:

URL: http://all.net:8080
email: jerry_fireman@fireman.com
call: 810-540-5610
fax: 810-540-3506

The course runs for 2 days and includes a copy of the newly released book: Protection and Security on the Information Superhighway (by Fred Cohen - published by John Wiley and Sons NY)

FC

From firewalls-owner Sat Mar 11 09:20:26 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA18745 for firewalls-outgoing; Sat, 11 Mar 1995 09:15:24 -0800
Received: from gater3.sematech.org ([192.73.53.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA18740 for ; Sat, 11 Mar 1995 09:15:21 -0800
Received: from gatev3.sematech.org by gater3.sematech.org (8.6.10/F-1.8) with ESMTP id LAA11834; Sat, 11 Mar 1995 11:13:05 -0600
Received: from thecount.eng.sematech.org by SEMATECH.Org (PMDF V4.3-10 #5463) id <01HO0ADJ3G9S9I6YR2@SEMATECH.Org>; Sat, 11 Mar 1995 11:12:56 -0600 (CST)
Received: from localhost by thecount.eng.sematech.org (8.6.10/I-1.8) with SMTP id LAA20800; Sat, 11 Mar 1995 11:12:53 -0600
Date: Sat, 11 Mar 1995 11:12:51 -0600
From: Quentin Fennessy
Subject: Re: intelligent interfaces to ftp/telnet/etc
To: Chris King
Cc: Firewalls@greatcircle.com
Message-id: <199503111712.LAA20800@thecount.eng.sematech.org>

Chris asked about non-traditional UNIX ftp clients that cannot deal well with 'anonymous@ftp.uu.net' type ftp proxies. Me too!

In particular our internal PCs use Reflections for Windows as a terminal emulator. This includes a GUI ftp client and I cannot get it to deal with either of our ftp proxies.

one proxy syntax:
    ftp anonymous@ftp.uu.net
    ...

the other:
    ftp -n gateway
    ftp> quote xcon ftp.uu.net
    ...

I would appreciate stories of how others managed to get similar unmodified ftp clients through proxies.

Thanks,
Quentin

From firewalls-owner Sat Mar 11 09:41:56 1995
From: greulich@math-stat.unibe.ch (Andreas Greulich)
Subject: Re: x-gw proxy
To: hyland@utrc.utc.com (Robert M. Hyland)
Date: Sat, 11 Mar 1995 18:12:21 +0100 (MET)
Cc: firewalls@greatcircle.com
In-Reply-To: <9503102206.AA01126@tigger.res.utc.com> from "Robert M. Hyland" at Mar 10, 95 05:06:42 pm
Message-Id: <9503111712.AA02554@grimsel>

> I am running a test for the x-gw proxy on all sun workstations running
> SunOS 4.1.3 using openwindows.
> I will telnet to the tn-gw port and start the x-gw server.
> On my
> workstation (where I have already set xhost + sun2x) screen I get a
> window telling Display prot=sun2x.res.utc.com:10.
> I telnet to any old machine and set my Display to sun2x.res.utc.com:10
> and start up xclock.
> My workstation window manager completely locks up. I have not yet
> tried to run on a workstation that is not running openwindows.

I experienced the same - it seems to be a known problem (tis people know about it at least) with OpenWindows. It doesn't work either with OpenWindows 3_414 (the one for SunOS 4.1.4), but it DOES work for OpenWindows running under Solaris 2.3. If anyone knows about a suitable OpenWindows patch, information would be very welcome.

Andy
-- 
Andreas Greulich, University of Berne, Switzerland
Email: greulich@math-stat.unibe.ch, greulich@iam.unibe.ch
http://iamwww.unibe.ch/~greulich
CIS: 100014,1033
Phone home: (+41 31) 961 7031
Phone office: (+41 31) 631 8809, (+41 31) 631 4497

From firewalls-owner Sat Mar 11 09:50:22 1995
To: Larry Chin
Cc: Paul Dodd, firewalls@GreatCircle.COM
Subject: Re: chroot httpd
In-reply-to: Your message of "Fri, 10 Mar 1995 15:37:53 EST."
Date: Sat, 11 Mar 1995 09:26:04 -0800
From: Earl Stutes

> > > The CERN httpd doesn't seem to do a chroot when it starts up.
> > Is there a
> > publicly available daemon that does, or a list of instructions on how
> > to easily change the source on some httpd to force a chroot?
> 
> You could just start the daemon from rc.local ( or whatever ) and issue a
> chroot CERN_HTTPD, if that's what you are after.

I don't see anything in the source code that indicates that httpd knows how to chroot itself. I sent Paul Dodd a partial cookbook on how to set it up, I was not aware that it might be of general interest to the list. If folks will send me email, I will forward my response to them. I have web servers running on 3 different machines that all do it as a matter of course.

=eas=

From firewalls-owner Sat Mar 11 10:09:42 1995
Date: Sat, 11 Mar 1995 11:55:09 -0500 (EST)
From: Carl Jolley
To: "Moubray, Steve"
Cc: "'SMTP: firewalls@greatcircle.com'"
Subject: Re: Firewall recommendations
In-Reply-To: <2F607C64@MAIL.DCC.COM>

I haven't heard of Goliath, however there is a firewall product called Gauntlet. It's a product of TIS and info is available via: sales@tis.com.

**** cjolley@iac.net **** All opinions are my own and not necessarily those of my employer ****

On Fri, 10 Mar 1995, Moubray, Steve wrote:

> 
> We're looking at a firewall solution and have spent some time gathering
> information about Secure Computing's Sidewinder, the Janus firewall and
> someone recently recommended Goliath (no other information) to one of my
> staff.
> 
> Anyone familiar with these products?
> 
> Can anyone offer any good advice on particular products. I'm not
> comfortable with just packet filtering. We won't write our own, we need
> something that requires little maintenance (unless attacked), will create
> normal logs and provide silent warnings. I've read quite a bit about
> firewalls but as you can tell I'm not an expert yet and I need some
> practical feedback. We only have a few hosts running SCO and maybe some mid
> range running IP in the future in possibly AIX hosts. We need NetScape,
> Telnet, FTP, E-Mail and News for applications.
> 
> Any feedback offered directly to my address will be consolidated on the list
> (if it seems worthy).
> 
> Thanks.
> 
> --------------------------------------------------
> Steve Moubray
> DCC, Inc.
> 10 Second Street NE
> Minneapolis, MN 55413
> (612) 378-4469
> (612) 378-4401 Fax
> smoubray@dcc.com
> 

From firewalls-owner Sat Mar 11 13:23:12 1995
To: firewalls@greatcircle.com
Subject: split-DNS ... would this work?
Date: Sat, 11 Mar 1995 21:51:44 +0100
From: Leo Willems
Message-Id: <199503112051.VAA19501@gammix.tunix.kun.nl>

> 
> But, we still want the bastion host to be able to resolve both internal &
> external names. So, would the following work? ...
> 
> (For simplicity, I'm assuming a single dual-homed bastion host.)
> 
> - An external DNS runs on the `bastion' host, claiming to be a primary
>   for the domain (as before).
> 
> - The internal DNS (running on `dnsmaster') also claims to be primary for
>   the domain. However, it does NOT set `forwarders' to the bastion host.
> 
> - A second internal DNS server (running on `dnsfwd') is a secondary for
>   the domain. This is where you set `forwarders' to the bastion.
> 
> - Internal hosts resolve using `dnsmaster'. Hence they can't resolve
>   external names.
> 
> - The bastion host (only) resolves using `dnsfwd', which can resolve both
>   internal & external names.
> 
> Disclaimer: I haven't tried this (yet). I have a funny feeling it might
> not work, but can't see where my logic is wrong.

I encountered the same problems. The problem with the ``forwarder'' stuff is that a named that uses this cannot delegate.

I came up with the following solution:

requirements:
- proxies on the firewall must be able to do internal *and* external lookups (TIS double reverse lookup needs this).
- internal clients using the proxies are only allowed to do local lookups
- internal clients using socks must be able to do local and external lookups
- the outside world may only do a limited lookup

first (bad, but educational) implementation:
- bastion host offers limited dns to the external world
- bastion proxy software uses another dns server, called missinglink (via resolv.conf on the bastion host)
- for internal lookup a nameserver ns1 acts as a root server
- the nameserver ``missinglink'' is set up as follows:
  - forwarder/slave to bastion host to get external lookup
  - acting as secondary for most maps from ns1

socks clients and the bastion host itself are pointing to missinglink and normal clients are using ns1.

problems with this (tested) implementation:
- We need three hosts to make this work. That's a hard selling argument.....
- The forwarder/slave on the missinglink named prohibits delegation.
  This could be solved by making missinglink secondary for *every* internal domain, but this solution was rejected. Another solution was to give missinglink (dns) world access itself, but then only a router would/could block incoming dns requests from the external world.

next (tested and satisfactory) implementation:
- We had to patch bind. I mailed the idea behind the patch to Paul Vixie and he told me that this patch will be in the next release of bind, since it seems to be useful. The patch is:
  - extra keyword "interface" in named.boot (with as argument an ip address of one of the host's interfaces).
  - when named starts, it binds itself not to INADDR_ANY, but only to the interface specified.
- A ``normal'' root server (ns) inside the domain.
- On the bastion host we run *2* named's (using the patch):
  - a limited one for the external world on the outer interface
  - a secondary for the internal rootserver maps (but not as a rootserver itself) on the internal interface.

Since this secondary runs on the bastion host and is not a rootserver, it can resolve internal *and* external lookups *AND* doesn't need forwarder/slave: so internal delegation can be done without affecting the bastion host for every change that occurs.

Normal clients are pointing to ns1 (the internal rootserver).
Socks clients are pointing to the bastion host's internal interface.
Bastion host proxies are pointing to the host's internal interface (or to localhost if you bother to set up a third server :-)
The external world is using the external bastion host interface.

This approach requires one nameserver less than the first solution, and needs no extra router entries.

Problems, problems, problems on single homed hosts however. Single homed hosts seem to have one interface (...). Ok, so buy another ethercard and you are ready to go. Yes, but not on a Sun...... under SunOS 4.1.3 all ethercards are using the same ethernet address.
Effectively this means that you can not address one of the two interfaces if they are on the same cable. Buying an extra router/hub port could solve this. But hey, mind over matter (it's cheaper too):
- we put the VIF loopback driver in the Sun's kernel. Now this single homed bastion host can give us as many loopback interfaces as we want.
- With this, if we want to, we can run all named's on *one* machine. (we do have a ns2 secondary rootserver (to get rid of these nasty named warnings :-)

[ A while ago, I posted a request for discussion on the bind/firewall/socks mailing list on the topic of DNS on firewalls. I got a few reactions (thanks, thanks, thanks) but besides some useful and nice thoughts nobody seemed to have a final theory. (actually, two solutions were mailed to me that both included patches to bind. As far as I can see, these patches are doing a good job for their creators, but are rather complex. (they need modified datastructures). At that time however, I already invented my patch.)

Thanks to:
  Paul A Vixie
  "Wayne E. Van Pelt" (patch based on targeting data in the cache as being in the local domain or from outer space and forwarding only if from outer space).
  whna@nexos.com (Heinz Naef)
  lazear@dockside.mitre.org
  Morten Hermanrud (patch based on forwarding to some other server if NXDOMAIN is returned, also changes the cache algorithm)
  sansom@fshops.sfsu.edu
  jon@nytimes.com (Jon E.
Price) ]

From firewalls-owner Sat Mar 11 13:52:07 1995
From: brian@ilinx (Brian J. Murrell)
To: bwa@shadow.dbapic.com.au
Subject: Re[2]: Why UDP cannot be handled security ?
Cc: tws@wh.bayer.com, firewalls@greatcircle.com
Date: Sat, 11 Mar 1995 13:28:57 -0800 (PST)

from the quill of bwa@shadow.dbapic.com.au (Barry Anderson) on scroll <9503082213.AA23792@shadow.dbapic.com.au>

> No, you obviously don't understand. Allowing a temporary hole after
> seeing
> an outbound UDP packet is a hack aka kludge (and potential
> vulnerability?)

Please do elaborate on your hypothesis here. Without re-design of UDP/IP, it is the best (and pretty good) you can do. I don't know how tight this hole is with FW-1 (I will be covering that one when I audit FW-1 in the coming weeks) but there is no reason it can't be closed so tight as to only allow the remote machine (responding to a request) and service to talk directly with the instance of the requestor. That is to say that the access hole in the filter can be so tight as to allow only packets from the single instance of the remote server back into your net while still blocking the (and any) remote machine from trying to initiate anything. You can't get any tighter without closing it!!

b.
-- 
Brian J.
Murrell                             brian@ilinx.com
InterLinx Support Services, Inc.    brian@wimsey.com
North Vancouver, B.C.               604 983 UNIX
Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD

From firewalls-owner Sat Mar 11 14:23:27 1995
Date: Sat, 11 Mar 1995 16:54:12 -0500 (EST)
From: "Bryan D. Boyle"
Subject: vendor list (fwd) BACK UP...:)
To: firewalls@greatcircle.com

well, digex is back online. Durn sys admins. can't do anything right...;)

Bryan D. Boyle  |Physical: ER&E, Clinton, NJ (908) 730-3338
#include        |Virtual: bdboyle@erenj.com
World-Wide-Web: http://www.access.digex.net/~bdboyle/index.html

---------- Forwarded message ----------
Date: Fri, 10 Mar 1995 09:45:18 -0500
From: Bryan D. Boyle
To: firewalls@greatcircle.com
Subject: vendor list

service provider is still having problems :( url may still be unavailable. durn.

-- 
Bryan D.
Boyle           |Physical: ER&E, Clinton, NJ (908) 730-3338
#include        |Virtual: bdboyle@erenj.com
World-Wide-Web: http://www.access.digex.net/~bdboyle/index.html

From firewalls-owner Sat Mar 11 14:36:06 1995
From: Adam Shostack
X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School
Subject: Re: IBM's Firewall
To: George_D._Custodio@mail.asiandevbank.org (George D. Custodio)
Date: Sat, 11 Mar 1995 16:51:57 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9502117949.AA794953863@mail.asiandevbank.org> from "George D. Custodio" at Mar 11, 95 12:21:56 pm
X-PGP: 876BD629 Fingerprint: 70 93 32 D6 36 D4 04 10 40 EC AB 28 A4 1D 0F E2
Message-Id: <199503112151.QAA21903@bwh.harvard.edu>

There are several areas that NetSP is lacking in. See the archives.

Adam

| Is there any user of the IBM's firewall (NetSp Security Gateway)? In one
| network security presentation, the speaker said that IBM's firewall
| implementation includes packet filtering, application proxy, DNS, and socks. Is
| this true? Is it available now? Does it work?
| 

-- 
"It is seldom that liberty of any kind is lost all at once."
                                                          -Hume

From firewalls-owner Sat Mar 11 16:20:24 1995
Date: Sat, 11 Mar 1995 16:10:46 -0800
From: njacknis@ix.netcom.com (Norman Jacknis)
Subject: Harris CyberGuard Firewall
To: firewalls@greatcircle.com
Message-Id: <199503120010.QAA07399@ix2.ix.netcom.com>

Does anyone have any experience with Harris Computer System's CyberGuard Firewall (and their Secure/Power UNIX)? It seems to cost about $25K. The question is what it might provide that makes it worth it? And have there been any obvious holes in the firewall it provides?

Thanks very much,

Norm Jacknis
For The Westchester Library System

From firewalls-owner Sat Mar 11 17:50:27 1995
From: Jonathon Tidswell
To: firewalls@greatcircle.com, raf@ezunx.com
Date: Sun, 12 Mar 95 11:32:50 TZ
Subject: RE: just wondering....
Message-Id: <9503120138.AA03136@netmail2.microsoft.com>

Rich wrote:
[ ...
]
| but I sometimes wonder if
| this group (lurkers included) is
| so far beyond what the average company/community is seeing.

Of course it is. The 'average' community perception is Mitnick breaking into anywhere he chose.

| I guess if you think about it, there must be a lot of companies
| unprotected (even though it is
| easy to protect yourself) given the fact that Mitnick (ugh) got as far as he did.

How many (percentage) companies have proper backup procedures ? 2nd rate procedures ? 3rd rate procedures ?

| I offer a question -- How do we educate the "real" community
| (other than 60 minutes) about
| how to build and utilize an Internet link without opening themselves up for a "heap 'o
| trouble".

Educate the managers to the cost differential of prevention compared to recovery. May I suggest someone has a word to one of the staff writers at the major financial journals to do an article on the costs of a breakin versus the costs of protection.

| Case in point -- How many Internet Providers give free
| Firewall Basics Training when you
| buy their service? Ok, none. Next question, Why Not? Would it not keep you coming

"There is no such thing as a free lunch." The provider who doesn't include such free service will have cheaper prices, and until management is willing to pay is likely to take business away.

- JonT

Disclaimer: I am a postgraduate student on a scholarship not an employee of Microsoft ...
From firewalls-owner Sat Mar 11 18:07:39 1995
From: "Marcus J. Ranum"
Subject: Re: split-DNS ... would this work?
To: leo@tunix.kun.nl (Leo Willems)
Date: Sat, 11 Mar 1995 20:47:04 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <199503112051.VAA19501@gammix.tunix.kun.nl> from "Leo Willems" at Mar 11, 95 09:51:44 pm
Organization: Trusted Information Systems, Inc. Glenwood, MD
Phone: 301-854-6889
Coredump: Infocalypse Now!!!
Message-Id: <18747.9503120147@illuminati>

> (actually, two solutions were mailed to me that both included patches
> to bind. As far as I can see, these patches are doing a good job for their
> creators, but are rather complex. (they need modified datastructures).

The current version of the bind code has a set of #defines for SECURE_ZONES which is also documented below. Has anyone played with the secure_zone stuff? It seems like it should work OK. As someone who has spent his share of time snarling at the named code, the idea of a common working solution for split brained DNS is very appealing.

[Never mind the fact that split brained DNS is only arguably a security feature. So many people seem to think it's a Big Deal and Ches and Steve have published it as a feature, it's now an accepted part of the lore.]

mjr.
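Added example, not part of mjr's post and not bind's own code: a small Python model of the secure_zone matching rules from the bind manual excerpt he appended below, covering the "network:netmask", "network" (classful default netmask) and "host:H" forms and the rule that a zone without any secure_zone record is unrestricted. The zone tuples and querier addresses are constructed test data.

```python
"""Model of bind's SECURE_ZONES query filter (added example, not bind code)."""
import ipaddress
from typing import List, Optional, Tuple

# Zone records as (owner, class, type, rdata) tuples.
ZoneRR = Tuple[str, str, str, str]

# Constructed sample zone: the two TXT RRs from the bind manual excerpt.
SAMPLE_ZONE: List[ZoneRR] = [
    ("secure_zone", "HS", "TXT", "130.215.0.0:255.255.0.0"),
    ("secure_zone", "HS", "TXT", "128.23.10.56:H"),
]


def default_classful_prefix(addr: ipaddress.IPv4Address) -> int:
    """Prefix length named assumes when the netmask is omitted (classful rules)."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return 8       # class A
    if first_octet < 192:
        return 16      # class B
    if first_octet < 224:
        return 24      # class C
    raise ValueError(f"{addr}: class D/E address has no default netmask")


def parse_secure_zone(rdata: str) -> ipaddress.IPv4Network:
    """Map one secure_zone TXT string to the set of permitted source addresses.

    Forms from the manual: "network:netmask", "network" (netmask omitted,
    classful default applied) and "host:H" (a single host).
    """
    addr_part, _sep, mask_part = rdata.partition(":")
    addr = ipaddress.IPv4Address(addr_part)
    if mask_part == "":
        return ipaddress.IPv4Network((addr, default_classful_prefix(addr)), strict=False)
    if mask_part == "H":
        return ipaddress.IPv4Network((addr, 32))
    # Explicit dotted netmask; strict=False tolerates host bits in the address.
    return ipaddress.IPv4Network((addr, mask_part), strict=False)


def permitted_networks(zone: List[ZoneRR]) -> Optional[List[ipaddress.IPv4Network]]:
    """Collect every secure_zone TXT RR in the zone.

    Returns None when there is no secure_zone record at all, which the
    manual says means the zone's data is unrestricted.
    """
    nets = [parse_secure_zone(rdata)
            for owner, rrclass, rrtype, rdata in zone
            if owner == "secure_zone" and rrclass in ("HS", "IN") and rrtype == "TXT"]
    return nets or None


def query_allowed(zone: List[ZoneRR], source_ip: str) -> bool:
    """Decide whether a query arriving from source_ip may see this zone's data."""
    nets = permitted_networks(zone)
    if nets is None:
        return True
    src = ipaddress.IPv4Address(source_ip)
    return any(src in net for net in nets)


if __name__ == "__main__":
    # Constructed querier addresses: one inside the class B, the listed host,
    # its neighbour, and an outsider.
    for src in ("130.215.7.9", "128.23.10.56", "128.23.10.57", "192.0.2.10"):
        verdict = "answer" if query_allowed(SAMPLE_ZONE, src) else "refuse"
        print(f"{src:>14} -> {verdict}")
```

For the firewall use mjr mentions, an internal zone carrying a single `secure_zone IN TXT "10.0.0.0"` record answers only the class A it names, so outside queriers get nothing without a second named.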
----
In order to use zone security, named must be compiled with SECURE_ZONES defined and you must have at least one secure_zone TXT RR. Unless a secure_zone record exists for a given zone, no restrictions will be applied to the data in that zone. The format of the secure_zone TXT RR is:

    secure_zone addr-class TXT string

The addr-class may be either HS or IN. The syntax for the TXT string is either "network address:netmask" or "host IP address:H". "network address:netmask" allows queries from an entire network. If the netmask is omitted, named will use the default netmask for the network address specified. "host IP address:H" allows queries from a host. The "H" after the ":" is required to differentiate the host address from a network address. Multiple secure_zone TXT RRs are allowed in the same zone file.

For example, you can set up a zone to only answer hesiod requests from the masked class B network 130.215.0.0 and from host 128.23.10.56 by adding the following two TXT RR's:

    secure_zone HS TXT "130.215.0.0:255.255.0.0"
    secure_zone HS TXT "128.23.10.56:H"

This feature can be used to restrict access to a Hesiod password map or to separate internal and external internet address resolution on a firewall machine without needing to run a separate named for internal and external address resolution.

From firewalls-owner Sat Mar 11 18:50:20 1995
From: "Marcus J.
Ranum"
Subject: Re: just wondering....
To: t-jont@microsoft.com (Jonathon Tidswell)
Date: Sat, 11 Mar 1995 21:31:44 -0500 (EST)
Cc: firewalls@greatcircle.com, raf@ezunx.com
In-Reply-To: <9503120138.AA03136@netmail2.microsoft.com> from "Jonathon Tidswell" at Mar 12, 95 11:32:50 am
Organization: Trusted Information Systems, Inc. Glenwood, MD
Phone: 301-854-6889
Coredump: Infocalypse Now!!!
Message-Id: <18843.9503120231@illuminati>

>May I suggest someone has a word to one of the staff writers at the
>major financial
>journals to do an article on the costs of a breakin versus the costs of
>protection.

Most upper management or MIS management of organizations that have significant holdings at stake are quite cognizant of security and its implications, in my experience. Staff writers at financial journals, auditors, and even NYT reporters seem to be quite clued-in to the tradeoffs with respect to security VS putting one's faith in the kindness of strangers.

To be frank, most of the problem seems to be willful blindness in the trenches rather than lack of clues higher up the chain of command. Hardly a day goes by when I fail to see a message or a posting from someone asking about how to get around a firewall "'cuz it's a pain!" or how to talk management out of putting oh-so-burdensome security on their nice, clean, open Internet link. Anyone who has not joined this mailing list in the last 15 minutes should know what I'm talking about. :) Indeed, just today, there was a perfect example in comp.security.unix - see

As I've postulated in the past in this venue, I suspect that the majority of sites that are running with little to no security fall into one of two primary categories:

1) Organizations that have distributed paying business partners with political clout, and no centralized authority over computing resources or funding.
2) Organizations that have engineering/research/whatever groups that have decided to install computing systems in the absence of a clear policy from management, in a mode of "it's easier to ask forgiveness than permission."

The first category typically includes organizations like universities - where no one department "owns" the network, and even if one did, the others could build their own and connect them without anyone being able to prevent it, because they have their own budgets or grants or whatever. Also in this category are LGOs (Large Government Organizations) which justify their existence by providing data to other LGOs or researchers, and who thereby are subject to political leverage from their user community if they try to secure things. I've heard stories of LGOs that have little or no security because they had to take it out when users complained. And they always do. In other cases, I think LGOs would have lame security because it was always an SEP* (Someone Else's Problem) and everyone knows that it's almost impossible to get fired from an LGO unless you fail a drug test.

The second category is a simpler case of human nature. From what I've seen, it happens more often than you'd like to imagine. Essentially, some bunch of spoiled bozos puts the whole company at risk because they want to play WWW Right Now and don't want to have to explain or justify or worry about the details like protecting the tree under whose branches they lead their comfortable lives. I've seen research labs with patentable molecules possibly worth billions of dollars, with open pipe connections that their bosses' bosses don't know about, because there wasn't anything in the policy that said *NOT* to do it, so of course they chose to assume it was OK...

I've also seen cases where management directives on security have been watered down to nearly nothing by the time they reach the field. "Oh, we've got to have a firewall if we're going to have an Internet connection? Fine.
I'll rig the router to block incoming NFS packets."

mjr.

[* Re: SEP - that's what someone needs to do! Build an SEP-field based network security system. Or perhaps someone could get Joo-Janta, Inc. to make a peril-sensitive router that would stop forwarding packets whenever trouble loomed.]

From firewalls-owner Sat Mar 11 22:20:20 1995
Date: Sun, 12 Mar 1995 00:32:45 -0500 (EST)
From: PMDF Mail Server
Subject: Undeliverable mail: temporarily unable to deliver
To: Firewalls@GreatCircle.COM
Message-id: <01HO12B5SB0Q8WWMN8@camb.com>

Your message could not be delivered to: del@giant.IntraNet.com

Your message has been enqueued and undeliverable for 3 days. The mail system will continue to try to deliver your message for an additional 9 days.
Content-type: MESSAGE/SAMPLE

Date: Wed, 08 Mar 1995 01:00:09 -0800
From: firewalls-digest-owner@GreatCircle.COM
Subject: Firewalls-Digest V4 #160
To: firewalls-digest@GreatCircle.COM
Reply-to: Firewalls@GreatCircle.COM
Message-id: <199503080900.BAA28964@miles.greatcircle.com>

Firewalls-Digest        Wednesday, 8 March 1995        Volume 04 : Number 160

In this issue:

    Snoop purpose ?
    Re: FW-1, etc.
    Why UDP cannot be handled security ?
    Re: Anti-spoofing
    Re: Snoop purpose ?

From firewalls-owner Sun Mar 12 04:20:20 1995
From: igal@elementrix.co.il
Date: Sun, 12 Mar 95 13:36:01 PST
Subject: RE: Firewalls-Digest V4 #164
To: Firewalls@GreatCircle.COM
Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From: Darryl Wagoner >Date: Fri, 10 Mar 1995 11:27:41 -0500 (EST) >Subject: WinSock Security >Greetings, >We have a need to secure data that comes via the Internet. The system >I think will work is to have it emailed to a DOS Winsock pc via POP. >The PC has no daemons running on it such as bootp, lpd, etc. I know >there are other things to watch on the Unix side. Those I can handle. >I am just worried about data stored on the PC. >- -- >Darryl Wagoner darryl@sai.com http://www.sai.com/ >Office: 603.672.0736 Fax: 603-672-4846 >Web Pages for hire. Check out NH & MA Movies http://www.sai.com/movies I think there is only one dangerous thing on a PC: an FTP server. If you know the user/password pair.... Our company is developing Secure FTP with traffic encryption. If you are interested, you are welcome. Thank You. Regards, Igal *******Elementrix Technologies Ltd********** Igal Israel E-mail:igal@elementrix.co.il Phone: (972) 4 550 042 Fax: (972) 4 550 356 Advanced Technologies Center bld.20 Haifa 31000 Israel Date: @date@ Time:@time@ ****************************************************** From firewalls-owner Sun Mar 12 05:20:23 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA07074 for firewalls-outgoing; Sun, 12 Mar 1995 05:08:05 -0800 Received: from relay2.pipex.net (relay2.pipex.net [158.43.128.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA07069 for ; Sun, 12 Mar 1995 05:08:01 -0800 Received: from smtpgty.saicuk.co.uk by bath.pipex.net with SMTP (PP); Sun, 12 Mar 1995 13:05:37 +0000 Received: by smtpgty.saicuk.co.uk with Microsoft Mail id <2F62EE31@smtpgty.saicuk.co.uk>; Sun, 12 Mar 95 12:50:57 GMT From: "Johnson-Bryden, Ian" To: "'Firewalls@GreatCircle.COM'" Subject: RE: just wondering....
Date: Sun, 12 Mar 95 12:45:00 GMT Message-ID: <2F62EE31@smtpgty.saicuk.co.uk> Encoding: 161 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ---------- From: firewalls-owner To: firewalls Subject: just wondering.... Date: 08 March 1995 19:39 Ok, on to a new topic (we have not had one for so long...) ------------------------ Change is as good as a rest. ------------------------ Has anyone done any sort of survey to get info on those who have "no sense how dangerous it can be on the net"? In other words, we have all been around for some time, discussing the in/outs of firewalls and the like, but I sometimes wonder if this group (lurkers included) is so far beyond what the average company/community is seeing. ------------------------ Yes. Answers vary (like any survey) on who you ask and if they understood the question. Also depends on how you asked in the first place. Ask a bank if they have security problems and they will say NO. They will also tell you that their IT systems never go wrong, but tell that to the folk who had funds debited through bank employee fraud and system failure at Auto Teller Machines, etc. Ask a senior executive in a major corporation and he may give you a copy of the Corporate Mission Statement which is often a beautiful marketing statement which may mean nothing. Ask a government agency and you may be told that this is all handled by 'security' and they always demand much more at greater cost than is needed. The other danger can be that people talk about 'security' or 'hackers' rather than about risk and this means some very heavy prejudgement. Checking through postings by this group, I see a number of people who have a genuine desire to solve problems and many who are struggling to improve their understanding and the effectiveness of their protective systems. Unfortunately, quite a few are killing 'Gators because they can't get round to draining the Swamp.
----------------------- I guess if you think about it, there must be a lot of companies unprotected (even though it is easy to protect yourself) given the fact that Mitnick (ugh) got as far as he did. ---------------------- That's probably a classic understatement. There are also companies who have some sort of system which is seriously inadequate and they don't realise that. There are also companies who have over protected in one area and created new problems because they have restricted operational use. ---------------------- I offer a question -- How do we educate the "real" community (other than 60 minutes) about how to build and utilize an Internet link without opening themselves up for a "heap 'o trouble". ----------------------- Good question. It assumes that they want to learn and many people would prefer not to know about the risks which face them. The other side of the issue is the matter of what you are trying to educate in. If you concentrate on 'firewalls', or any other risk control technology, you are prejudging a requirement. A firewall is not necessarily the best concept for every occasion and it is an attempted solution, not an identification of requirement. Some people in this group may have already been through a corporate analysis process, defined the risks, judged the percentage reduction necessary/possible, concluded that a firewall is one element and assigned the task of implementing and maintaining a firewall to someone who then wants to exchange information here in an attempt to improve the solution. However, there will be many who have heard about firewalls and accepted that they are a solution, without finding out what the real security risks are in their corporation. Then again, there are a great many other discussion groups on the Inet who deal with different issues and some which deal with broad issues. The only difficulty is that most of us have to pick a small number of groups in which to lurk or participate.
------------------------ Ok, I realize this is a very generic question, but I have seen so many "de-lurkers" asking questions and sometimes they get so MANY answers, some right, some wrong(!), some ?, that you have to wonder where this is all leading. ------------------------ That's a problem which may be impossible to address. If the question strikes a chord, many will respond. Over a period, we can all decide who gives mostly 'right' answers and who just wants to express an opinion, but that requires us to know something about the subject in the first place. Even a hard copy publication may contain many basic and dangerous errors, although the author and publisher are under some legal pressure to research adequately and check before release. ------------------------ Case in point -- How many Internet Providers give free Firewall Basics Training when you buy their service? Ok, none. Next question, Why Not? Would it not keep you coming back? I know of one provider (national) that continues to lose customers, at least in California due to lack of support AND they have no clue about firewalling and protecting one's network. ------------------------ That's a bit like expecting banks and IT vendors to tell the potential customer what's wrong with their service. Then again, some providers have realised that they can make a great deal of money by SELLING consultancy and product after you connect. It's hard not to become a cynic over the years, but generally the IT industry has always depended on rapid growth and the customer finding the faults. It's also a lot easier to sell a product/service at $10 and then go back and charge $1000 to make it work. The network providers are there to grab market share quickly and depend on new customers who don't understand the risks. Once the customer is on board, the hope is probably that the benefits will blind them to the risks.
After all there are corporations which have grown very big by selling a 'sexy' or 'cheap' product which is full of holes. -------------------------- Oh well, perhaps I have been stuck inside in the rain too long today, and have had too much time to think.... Rich - not into sig files, cause don't you have enough to read - Fitzgerald ~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^ "....I hope life is not a big joke, cause I don't get it..." raf@ezunx.com Senior Systems Analyst (408) 456-0430 --------------------------- Just shows that rain can make the ideas grow as well as the trees. We would probably all benefit from spending some time in reflection before rushing off somewhere. Ian J-B From firewalls-owner Sun Mar 12 06:20:24 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA08074 for firewalls-outgoing; Sun, 12 Mar 1995 06:16:53 -0800 Received: from NUki (nuki.netuse.de [193.98.110.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA08069 for ; Sun, 12 Mar 1995 06:16:40 -0800 Received: by Mail.NetUSE.de (SMail3.1.28.1 #2) ID m0rnoQy-00099rC: Sun, 12 Mar 95 15:15 MET Received: by black.schulung.netuse.de (CrossPoint v3.02 R/C886); 12 Mar 1995 15:13:47 +0100 Date: 12 Mar 1995 15:13:00 +0100 From: kris@black.schulung.netuse.de (=?ISO-8859-1?Q?Kristian_K=F6hntopp?=) To: firewalls@greatcircle.com cc: kris@pz-oekosys.uni-kiel.d400.de Message-ID: <5hkCSs5ZnrB@black.schulung.netuse.de> Subject: SUMMARY: Packet monitors for MS-DOS X-Mailer: XP v3.02 R/C886 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Organization: Orga-what? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I sent the following original inquiry to the firewalls mailing list: > I am planning to equip a portable PC with DOS and Windows with > an Ethernet adapter and use it as a portable packet monitor for > network analysis.
Thus, I am looking for a rough equivalent of > tcpdump, etherman and internet for MS-DOS and Windows. Are > there any free or commercial programs you can recommend? Of course I meant interman, not internet. Seems that certain words are already hardcoded into my fingertips. Also, I should have emphasized that I am looking for a packet content monitor as well as for a network load monitor. I received a bunch of answers from the list, most of them within twelve hours after I sent the question. I received mail from the following people (in no particular order): estutes@eas.westend.frus.com (Earl Stutes) paul@toploguk.co.uk (Paul Crossley) JOHNSON@neu.edu pnh1rgr@pnh10.med.navy.mil (Bob Resino) Quentin.Fennessy@SEMATECH.Org (Quentin Fennessy) ericm@microunity.com (Eric Murray) zaphod@cybernetix.com (Kris Allan Kahn) padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) anders@cc.uit.no (Anders Baardsgaard) 100436.3361@compuserve.com (Hartmut Pohl) Three people suggested that I don't bother with the troubles of DOS and that I install Linux on the PC. On such a system I would be able to use standard UNIX tools such as tcpdump and others. Linux can be made "portable" with a little script that asks for network parameters on startup and sets the system up in a way suitable for the target network. As for commercial DOS programs, nearly all people recommended FTP Software's 'Lanwatch' and 'Lancatch'. FTP Software has a WWW server at www.ftp.com (*grin* I wonder what they call their FTP server :-), but I have not yet checked there myself. Lanwatch "is about $500.00 or so" and there should be older PD versions of it around on the net. Two persons recommended Network General's 'Sniffer' and pointed out that this program has a lot more functionality than the UNIX programs I cited. Both people said the program is "a bit pricey, but well worth the money".
Network General is at Network General Corporation 4200 Bohannon Drive Menlo Park, CA 94025 Phone # : (415) 473-2000 as I have been told. Anders Baardsgaard kindly sent me his summary from when he was asking a very similar question to the list. It mentions Novell's LANalyzer as an additional commercial option. As for free DOS programs, most people recommended ethld (or "ethload" and "etherload" - are these different programs or just names for the same program? According to the descriptions I got, they are pretty much similar). I have been told that ethld is a traffic analyzer program and does not show packet content. The program should be able to work with many types of drivers (ODI and packet should be sufficient for practically any type of card). There should be another program called ethdump that shows packet contents, too. I did not get a complete URL for the program, but one person pointed out he got it from src.doc.ic.ac.uk and from oak.oakland.edu. Another place to look for should be ftp://ftp.huji.ac.il/pub/network/snoop. Anyway, archie should have no problem locating it. Anders Baardsgaard was the only person mentioning a version number (1.04) for ethload. He also complained that ethload is not able to save or print its info. Quentin Fennessy cited Michael Squires about etherload and possible problems with the program under heavy load: > A cheap solution which breaks down with heavy traffic is to use > the freely distributable monitor ETHERLOAD, available from > oak.oakland.edu in msdos/lan. ETHERLOAD will give you a list > of pairs of sites on the subnet by traffic, as well as sources > and sinks. The problem for me has been that ETHERLOAD will > drop packets when traffic gets heavy; with some Ethernet cards > it crashes. With a 386SX/16 and a SMC 8013EWC using fairly > recent ODI drivers it runs reliably but misses packets during > peaks. > ETHERLOAD will also report MAC addresses associated with CRC errors.
These limitations seem to be fairly true for nearly all network monitoring tools under heavy load (minus the crashing on UNIX systems...). You already got Padgett Peterson's article with the list digest. His toolbox seems pretty well stuffed with > Beholder/Gobbler for packet capture > Ethload for statistical monitoring > FTP PCTCP utilities for general use (PING -Q is nice for finding paths and > the telnet allows port setting) > Waterloo libraries/Borland Turbo C for "rolling your own". > other handy stuff: > U. Minn Gopher > Mosaic > Trumpet NNTP reader > PKTMUX for multiple simultaneous actions > ODIPKT (Daniel Lanciani) - this is particularly important since many notebook > LAN adapters - especially PCMCIA cards - do not include packet drivers but > just about all come with Novell ODI. Don't let him go near a network connector at your site. :-) Anders Baardsgaard also pointed me to the alt.2600 FAQ for a more complete list of network sniffing tools: > There are some other references to sniffers in the hackers FAQ > posted to usenet news alt.2600. I recommend this reading to > all firewall people--especially to any firewall maintainers > working for schools because this is what the kids are reading!!! Kristian -- "Peanuts fuer alle!" (Peanuts for everyone!)
Marit und Kristian Koehntopp, Harmsstrasse 98, 24114 Kiel, +49 431 676689 From firewalls-owner Sun Mar 12 17:20:27 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA14858 for firewalls-outgoing; Sun, 12 Mar 1995 16:57:14 -0800 Received: from blackhole.milkyway.com (milkyway.com [198.53.167.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA14853 for ; Sun, 12 Mar 1995 16:57:11 -0800 Received: from localhost (uucp@localhost) by blackhole.milkyway.com (8.6.5/8.6.6) id UAA04822 for ; Sun, 12 Mar 1995 20:01:09 -0500 Received: from jupiter.milkyway.com(192.168.77.9) by internet.milkyway.com via smap (V1.3) id sma004820; Sun Mar 12 20:00:59 1995 Received: by calisto.milkyway.com (8.6.7/Sun-Client) id TAA00483; Sun, 12 Mar 1995 19:57:25 -0500 To: firewalls@greatcircle.com Path: not-for-mail From: mcr@milkyway.com (Michael Richardson) Newsgroups: milkyway.mail.firewalls Subject: Re: chroot httpd Date: 12 Mar 1995 19:57:24 -0500 Organization: Milkyway Networks Corporation Lines: 37 Distribution: milkyway Message-ID: <3k059k$f0@calisto.milkyway.com> References: <199503102147.NAA26917@miles.greatcircle.com> Received: from calisto.milkyway.com by jupiter with ESMTP (DumbMail/2.0) id TAA16761 sender calisto.milkyway.com [192.168.77.2]; Sun, 12 Mar 1995 19:58:06 -0500 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In article <199503102147.NAA26917@miles.greatcircle.com>, Ken Shores wrote: >I prefer to do the chroot in the program, rather than external in the >initiation of the program, as this allows you to keep the config file >outside the chroot environment. The actual command to chroot can be >as simple as: My preference is that the program never run as root, and to not have either program or config file in the arena. 
This means: stub.c does open(config); open(log); bind(socket=80); chdir("/path/to/prog"); chroot("/www"); setuid(nobody); dup2(socket,0); dup2(log,SOME_KNOWN_FD); dup2(config,SOME_OTHER_KNOWN_FD); exec("httpd"); /* relative to /path/to/prog */ > > if (chroot("place.path.here") < 0 || chdir("/") < 0) > HTLog_error2("Can't set root"); Note: if you don't chdir(), you can access the original file system with relative path names. I'd prefer to do open("httpd"); execfd(); ... -- :!mcr!: | Milkyway Networks Corporation Michael Richardson | Makers of the Black Hole firewall NCF: aa714 || xx714 | +1 613 566-4574 ... mcr@milkyway.com Home: mcr@sandelman.ocunix.on.ca. PGP key available. From firewalls-owner Sun Mar 12 18:50:20 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA15953 for firewalls-outgoing; Sun, 12 Mar 1995 18:22:18 -0800 Received: from eas (eas.frus.com [199.173.156.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA15946 for ; Sun, 12 Mar 1995 18:22:13 -0800 Message-Id: X-Mailer: exmh version 1.6alpha 2/16/95 To: mcr@milkyway.com (Michael Richardson), kshores@draper.com cc: firewalls@greatcircle.com Subject: Re: chroot httpd In-reply-to: Your message of "12 Mar 1995 19:57:24 EST." <3k059k$f0@calisto.milkyway.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Sun, 12 Mar 1995 18:19:27 -0800 From: Earl Stutes Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > In article <199503102147.NAA26917@miles.greatcircle.com>, > Ken Shores wrote: > >I prefer to do the chroot in the program, rather than external in the > >initiation of the program, as this allows you to keep the config file > >outside the chroot environment. The actual command to chroot can be > >as simple as: > Note: if you don't chdir(), you can access the original file system > with relative path names. > I'd prefer to do open("httpd"); execfd(); ... 
What all of this also means, is that you get to support your own version of the Cern httpd, and every time they rev the code, you get to hack on it before you install it. I much prefer "make all install" to "edit, make, test, edit, make, test, make install". Where the edit-test loop could be several iterations. Even in the last couple of days, where I was forced to become very familiar with the -restart code, because we were not rolling our logs properly, I made sure I did not need to hack on the code, and we eventually found our problem elsewhere. And when Cern goes to 3.x or 4.0 in order to support html 3.0, I will just "make all install". Hacking is the last thing I do. If it ain't broke, don't fix it. And I can tell you as far as chroot goes Cern httpd ain't broke. ;*) =eas= From firewalls-owner Sun Mar 12 19:37:03 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA16905 for firewalls-outgoing; Sun, 12 Mar 1995 19:16:59 -0800 Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id VAA14077 for ; Thu, 9 Mar 1995 21:26:59 -0800 Received: from uucp2.UU.NET by relay3.UU.NET with SMTP id QQygkj23543; Fri, 10 Mar 1995 00:24:25 -0500 Received: from harker.UUCP by uucp2.UU.NET with UUCP/RMAIL ; Fri, 10 Mar 1995 00:24:33 -0500 Received: from science.harker.com (science.harker.com) by harker.com (4.1/simpleuucp1.0a) id AA02167; Thu, 9 Mar 95 17:40:41 PST Date: Thu, 9 Mar 95 17:40:41 PST From: harker@harker.com (Robert Harker) Message-Id: <9503100140.AA02167@harker.com> To: hobbit@avian.org Subject: Re: bug-testing identd NOT available here Cc: bugtraq@fc.net, firewalls@@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > It would set a REALLY BAD precedent if the legal system decided that people > attempting to help fix bugs were to be tarred with the same brush as those > trying to exploit them. Think carefully about this. 
I hate to say it, but there is a legal precedent in regards to this. Caution: I am not a lawyer and may have some of the terms wrong. If you have questions, please consult a lawyer for clarification. It is based on common law and is a tort liability. This is described in the document: csrc.ncsl.nist.gov:/secpubs/stewart.ps >From the index: stewart.ps 11-08-92 Potential Liabilities of Computer Security Response Centers - PostScript only To quote from the document about tort liability: "There is no general common-law duty to rescue a stranger in distress even if the rescue can be accomplished at no cost to the rescuer... But if you do begin to rescue someone, you must complete the rescue in a nonnegligent fashion even though you had no duty of rescue in the first place" The document goes on to state: "Section 323 of the "Restatement of Torts" provides that: One who undertakes, gratuitously or for consideration, to render services to another which he should recognize as necessary for the protection of the other's person or things, is subject to liability to the other for physical harm resulting from his failure to exercise reasonable care to perform his undertaking, if (a) his failure to exercise care increases the risk of such harm, or (b) the harm is suffered because of the other's reliance upon the undertaking" An example of how this might be applied is that if I see a person bleeding to death and walk on by, I cannot be held liable or negligent if the person dies. But if I stop and provide aid, but do not apply everything I learned about first aid 20 years ago, and the person dies, then the victim's family can sue me for negligence in the victim's death. They may not win in court, but the court would find that the suit has merit and would proceed with it.
This is the basis for the very unpopular policies that CERT uses when it releases a security alert (please do not discuss problems with CERT, after reading this document, I am amazed that CERT publishes anything at all) Apologies in advance if people do not find this directly related to firewalls or security bug tracking, but I found the document to be a very eye-opening document. Again, I am not a lawyer. If you have questions, please consult a lawyer. RLH > For info about our Sendmail Made Simple and Advanced Sendmail classes and < > a schedule of dates and locations, please send email to info@harker.com < Robert Harker Harker Systems Sendmail and TCP/IP Network Training 1180 Hester Ave Network and Sysadmin Consulting San Jose, CA 95126 harker@harker.com 408-295-9432 From firewalls-owner Sun Mar 12 20:19:03 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA17419 for firewalls-outgoing; Sun, 12 Mar 1995 19:29:54 -0800 Received: from ios.com (styx.ios.com [198.4.75.44]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA20662 for ; Sat, 11 Mar 1995 10:44:21 -0800 Received: from @ios.com (blumg@ios.com [198.4.75.44]) by ios.com (8.6.9/8.6.9) with SMTP id NAA04537; Sat, 11 Mar 1995 13:42:01 -0500 Date: Sat, 11 Mar 1995 13:42:01 -0500 Message-Id: <199503111842.NAA04537@ios.com> X-Sender: blumg@ios.com X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: blumg@ios.com (Gary A. Blum) Subject: Firewall Testing Cc: csiegel@interserv.com, siegelc@cbc.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Can anyone provide me with names of firms that specialize in the testing of firewalls to help verify design integrity and their resistance to intrusion? We're in the planning stages of our first Internet implementation, and recognize that we would not be the best ones to test our own design.
We also feel that the firewall vendor would not be the optimum choice, since their knowledge of the product could inadvertently bias the test. Thanks. Gary From firewalls-owner Sun Mar 12 21:20:33 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA20550 for firewalls-outgoing; Sun, 12 Mar 1995 20:51:35 -0800 Received: from tadpole.tadpole.com (tadpole.Tadpole.COM [160.104.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id UAA20543 for ; Sun, 12 Mar 1995 20:51:32 -0800 Received: from chiba (chiba.Tadpole.COM [160.104.1.6]) by tadpole.tadpole.com (8.6.10/8.6.10) with SMTP id WAA13302; Sun, 12 Mar 1995 22:49:16 -0600 From: Jim Thompson Received: by chiba (5.x/SPARCbook_POP1.3) id AA01154; Sun, 12 Mar 1995 22:49:16 -0600 Date: Sun, 12 Mar 1995 22:49:16 -0600 Message-Id: <9503130449.AA01154@chiba> To: harker@harker.com Subject: Re: bug-testing identd NOT available here Cc: bugtraq@fc.net, firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > An example of how this might be applied is that if I see a person bleeding > to death and walk on by, I cannot be held liable or negligent if the person > dies. But if I stop and provide aid, but do not apply everything I learned > about first aid 20 years ago, and the person dies, then the victim's family > can sue me for negligence in the victim's death. They may not win in court, > but the court would find that the suit has merit and would proceed with it. Many states, (all 50, I think), have what is termed a 'Good Samaritan' law, whereby one can't be sued for negligence for this type of scenario. If you're a doctor, EMT, etc, you don't fall under the law. Because of your training, you will be held to a higher standard. A "Good Samaritan" who elects to perform on-site brain-surgery without the training needed can still be sued though. I'm not a lawyer either.
(Though I live with two 3rd-year law students, which is a legal education unto itself), but I used to be an EMT. Given the state of the legal system when applied to 'cyberspace' (for lack of a better word), there is good reason to be afraid anyway. Jim From firewalls-owner Sun Mar 12 21:50:32 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA21225 for firewalls-outgoing; Sun, 12 Mar 1995 21:21:16 -0800 Received: from services.more.net (services.MORE.Net [128.206.1.214]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id VAA21220 for ; Sun, 12 Mar 1995 21:21:12 -0800 Received: by services.more.net (4.1/SMI-4.1) id AA11296; Sun, 12 Mar 95 23:17:39 CST Date: Sun, 12 Mar 1995 23:17:39 -0600 (CST) From: David Johnson Subject: Specifications for Firewall RFP To: firewalls@greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I don't want to get swamped by vendors on this, or harassed either, but we are currently putting together bid specifications for a Firewall Invitation for Bids to allow multiple agencies to purchase. We are interested in firewalls which have the following features: 1. Packet filtering 2. Application Proxies 3. User authentication 4. Allow multiple organizations (networks) to use the same firewall 5. Allow use of "non-assigned" (i.e. private) IP numbering schemes. If anyone has recently put out a request for proposals or invitation for bids, we would very much like to take a look at your bid specifications. We would be particularly interested in any which have been used by government organizations.
Dave Johnson Missouri Highway and Transportation Department PO Box 270 Jefferson City, MO 65102 (314)751-9201 From firewalls-owner Sun Mar 12 23:24:05 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA23162 for firewalls-outgoing; Sun, 12 Mar 1995 23:01:03 -0800 Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id XAA23157; Sun, 12 Mar 1995 23:00:59 -0800 X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sun, 12 Mar 1995 22:59:12 -0800 To: "Marcus J. Ranum" , leo@tunix.kun.nl (Leo Willems) From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: split-DNS ... would this work? Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 8:47 PM 3/11/95, Marcus J. Ranum wrote: > [Never mind the fact that split brained DNS is only arguably a >security feature. So many people seem to think it's a Big Deal and Ches >and Steve have published it as a feature, it's now an accepted part of >the lore.] Yeah, I'm actually kind of annoyed that _this_ is the idea that people (including Ches & Steve) seem to associate with me... Of all the ideas I've put forth, why _that_ one?!? :-) I never said it was worth doing (if you check, you'll see that I don't do it with GreatCircle.COM); I just figured out (and published to the Firewalls list) a way to do it because somebody asked... 
-Brent -- == For info about the Internet Security Firewalls Tutorial and a schedule == == of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM == ============================================================================== == Brent Chapman Great Circle Associates == == Brent@GreatCircle.COM 1057 West Dana Street == == +1 415 962 0841 Mountain View, CA 94041 == From firewalls-owner Sun Mar 12 23:40:47 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA23223 for firewalls-outgoing; Sun, 12 Mar 1995 23:09:29 -0800 Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id XAA23218; Sun, 12 Mar 1995 23:09:26 -0800 X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sun, 12 Mar 1995 23:07:39 -0800 To: Jim Thompson , harker@harker.com From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: bug-testing identd NOT available here Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 10:49 PM 3/12/95, Jim Thompson wrote: >> An example of how this might be applied is that if I see a person bleeding >> to death and walk on by, I cannot be held liable or negligent if the person >> dies. But if I stop and provide aid, but do not apply everything I learned >> about first aid 20 years ago, and the person dies, then the victim's family >> can sue me for negligence in the victim's death. They may not win in court, >> but the court would find that the suit has merit and would proceed with it. > >Many states, (all 50, I think), have what is termed a 'Good Samaritan' >law, whereby one can't be sued for negligence for this type of scenario. > >If you're a doctor, EMT, etc, you don't fall under the law. Because of >your training, you will be held to a higher standard.
> >A "Good Samaritan" who elects to perform on-site brain-surgery without >the training needed can still be sued though. > >I'm not a lawyer either. (Though I live with two 3rd-year law students, >which is a legal education unto itself), but I used to be an EMT. > >Given the state of the legal system when applied to 'cyberspace' (for >lack of a better word), there is good reason to be afraid anyway. > >Jim This has little or nothing to do with firewalls. PLEASE don't cross-post messages to multiple mailing lists (this one was originally cross-posted to both Firewalls & BugTraq; I'm replying only to Firewalls). -Brent -- == For info about the Internet Security Firewalls Tutorial and a schedule == == of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM == ============================================================================== == Brent Chapman Great Circle Associates == == Brent@GreatCircle.COM 1057 West Dana Street == == +1 415 962 0841 Mountain View, CA 94041 == From firewalls-owner Mon Mar 13 01:20:28 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA24612 for firewalls-outgoing; Mon, 13 Mar 1995 00:53:23 -0800 Received: from benoni.Uit.No (benoni.Uit.No [129.242.5.254]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id AAA24607 for ; Mon, 13 Mar 1995 00:53:12 -0800 Received: from benoni by ppenoni.uit.no with SMTP (PP) id <04224-0@ppenoni.uit.no>; Mon, 13 Mar 1995 09:50:10 +0000 Received: from spip.cc.uit.no by benoni.uit.no (8.6.10/MLH-1.1/V8/Ultrix) id JAA04220 ; Mon, 13 Mar 1995 09:49:55 +0100 Received: by spip.cc.uit.no (1.37.109.15/ABaa-2.0mini) id AA040704594; Mon, 13 Mar 1995 09:49:54 +0100 Date: Mon, 13 Mar 1995 09:49:54 +0100 (MET) From: Anders Baardsgaard To: =?ISO-8859-1?Q?Kristian_K=F6hntopp?= Cc: firewalls@greatcircle.com Subject: Re: SUMMARY: Packet monitors for MS-DOS In-Reply-To: <5hkCSs5ZnrB@black.schulung.netuse.de> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN;
charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

For the record: what I sent you was the summary Wayne Buttles kindly posted to the list on Thu, 3 Nov 1994. I will not take the credit (or blame) for any of his observations. And now back to lurking mode ;-)

Anders Baardsgaard
-- anders@cc.uit.no (Univ.of Tromso, Norway)

From firewalls-owner Mon Mar 13 01:50:39 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA25999 for firewalls-outgoing; Mon, 13 Mar 1995 01:43:53 -0800 Received: from relay.iunet.it (relay.iunet.it [192.106.1.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id BAA25985 for ; Mon, 13 Mar 1995 01:43:40 -0800 Received: from cpg-sp1.UUCP by relay.iunet.it with UUCP id AA25447 (5.65c8/IDA-1.4.4 for firewalls@greatcircle.com); Mon, 13 Mar 1995 10:51:08 +0100 Received: from sparc10.cpg.it by cpg.it (4.1/SMI-4.1) id AA01039; Mon, 13 Mar 95 10:26:47 GMT Received: by sparc10.cpg.it (5.0/SMI-SVR4) id AA05584; Mon, 13 Mar 1995 10:26:02 +0100 Date: Mon, 13 Mar 1995 10:26:02 +0100 From: postak@cpg.it (Luca Postacchini) Message-Id: <9503130926.AA05584@sparc10.cpg.it> To: firewalls@greatcircle.com Subject: SMTP proxy X-Sun-Charset: US-ASCII Content-Length: 777 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Ciao

Is there anyone on this list that knows where to find a SMTP proxy, either public domain software or commercial product?

Thanks

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Luca Postacchini               _/ _/ _/ _/_/_/ _/_/_/
Consultancy & Projects Group   _/ _/ _/ _/ _/ _/
Via P.S. Mancini               _/ _/ _/ _/ _/_/_/
00196 Rome Italy               _/_/_/ _/_/_/ _/_/_/ _/ _/
Tel : +39 6 3242301 Fax : +39 6 3210235 postak@cpg.it
(Anche io ho la mia firma!) (I, too, have a signature file!)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

From firewalls-owner Mon Mar 13 02:50:25 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id CAA26989 for firewalls-outgoing; Mon, 13 Mar 1995 02:26:42 -0800 Received: from pekko.ccc.fi (pekko.ccc.fi [192.107.212.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id CAA26978 for ; Mon, 13 Mar 1995 02:26:30 -0800 Message-Id: <199503131026.CAA26978@miles.greatcircle.com> Received: by pekko.ccc.fi (1.37.109.4/16.2) id AA02293; Mon, 13 Mar 95 12:17:11 +0200 From: Esa Hanninen Subject: Identifying computers behind a Firewall ? To: Firewalls@GreatCircle.COM Date: Mon, 13 Mar 95 12:17:10 FIN Mailer: Elm [revision: 70.85] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

One basic question I can't find an answer to alone.

How to give access to a network from just a few computers in another network, when there are firewalls in between?

 ------     ---                  ---      ---
|server| --|fw1| ---internet ---|fw2|--|--|pc1|
 ------     ---                  ---   |  ---
                                       |
                                       |  ---
                                       |--|pc2|
                                          ---

In this picture, only pc1 should have access to server. pc2 should not have access to server.

But, if I have understood it right, fw1 does not have the information on whether the packet came from pc1 or pc2. The packet is seen as coming from fw2?

Is there anything that could be done with fw1?
--
Esa Hanninen e-mail: esa.hanninen@ccc.fi

From firewalls-owner Mon Mar 13 05:50:36 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA29280 for firewalls-outgoing; Mon, 13 Mar 1995 05:36:02 -0800 Received: from oldspice.pg.com (oldspice.pg.com [192.229.17.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id FAA29275 for ; Mon, 13 Mar 1995 05:35:58 -0800 Received: by oldspice.pg.com (8.6.11/8.6.9) id IAA13519; Mon, 13 Mar 1995 08:28:39 -0500 id IAA13519; Mon, 13 Mar 1995 08:28:39 -0500 Received: from genesis.pg.com(137.182.108.13) by oldspice.pg.com via smap (V1.3) id sma013514; Mon Mar 13 13:28:34 1995 Received: by genesis.pg.com (8.6.11/8.6.9) id IAA24312; Mon, 13 Mar 1995 08:35:26 -0500 id IAA24312; Mon, 13 Mar 1995 08:35:26 -0500 From: The Supreme Commander Message-Id: <199503131335.IAA24312@genesis.pg.com> Subject: Re: intelligent interfaces to ftp/telnet/etc To: Quentin.Fennessy@SEMATECH.Org (Quentin Fennessy) Date: Mon, 13 Mar 1995 08:35:25 -0500 (EST) Cc: kingcb@prl.philips.co.uk, Firewalls@GreatCircle.COM In-Reply-To: <199503111712.LAA20800@thecount.eng.sematech.org> from "Quentin Fennessy" at Mar 11, 95 11:12:51 am X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 2463 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Chris asked about non-traditional UNIX ftp clients that cannot deal
> well with 'anonymous@ftp.uu.net' type ftp proxies. Me too! In particular
> our internal PCs use Reflections for Windows as a terminal emulator.
> This includes a GUI ftp client and I cannot get it to deal with either
> of our ftp proxies.
>
> one proxy syntax:
>
> ftp anonymous@ftp.uu.net
> ...
>
> the other:
>
> ftp -n gateway
> ftp> quote xcon ftp.uu.net
> ...
>
> I would appreciate stories how others managed to get similar unmodified
> ftp clients through proxies.
By modifying the ftp-gw code, you can use the "extra" fields in FTP GUI's to allow GUI users to use the proxy. I have modified the code to accept a "CD" command with an embedded "@" to act as if the user typed "user username@remote_host". The GUI user then simply enters the remote host in the "initial directory" field which most FTP GUI's support. Fields are filled in as follows:

Remote host:        Proxy Host Name
Remote username:    Username on Proxy Host
Remote password:    Password_on_Proxy@Password_on_Remote_Host
Initial Directory:  Username@Remote_Host

Note that the password for the remote host is sent along in the standard password field. This allows for echoing back of the password as asterisks etc. so anyone looking over the person's shoulder won't see the password. Note also that the use of the "@" character as the separator for the two passwords implies that the password on the proxy can not contain this character. However, this isn't a big deal since there are so many other characters to choose from.

One of the other minor modifications made was to check for the username "anonymous". In this case the ftp-gw does not require a remote password and instead constructs a password from the proxy username. This way our users can't enter bogus email addresses in the password for anonymous FTP servers and should there be any "problems" we can actually track down the person!

There are other ways to solve this problem, but most FTP GUI's have a limit on the length of their fields so trying to use tricks like using just the username and password fields to perform this is problematic.

...Manjit

---------------------------------------------------------------------
The Supreme Commander wishes you a Supreme day.
I'm a Magic Man, oooh, I got the magic hands, yeah...
Don't mind me, I'm just attempting to dock.
---------------------------------------------------------------------

From firewalls-owner Mon Mar 13 06:20:33 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA29622 for firewalls-outgoing; Mon, 13 Mar 1995 06:04:24 -0800 Received: from elan.cc.bellcore.com (elan.cc.bellcore.com [128.96.109.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA29612 for ; Mon, 13 Mar 1995 06:04:18 -0800 Received: by elan.cc.bellcore.com id AA16318 (5.65c/IDA-1.4.4 for firewalls@greatcircle.com); Mon, 13 Mar 1995 09:00:52 -0500 Date: Mon, 13 Mar 1995 09:00:52 -0500 From: 25913-cullen Message-Id: <199503131400.AA16318@elan.cc.bellcore.com> To: firewalls@greatcircle.com Subject: http archive Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello,

Does anyone have an archive of this mailing list that is available via http?

Thanks
Cindy

From firewalls-owner Mon Mar 13 06:43:22 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA29996 for firewalls-outgoing; Mon, 13 Mar 1995 06:18:09 -0800 Received: from rambone.psi.net (rambone.psi.net [38.145.250.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA29991 for ; Mon, 13 Mar 1995 06:18:06 -0800 Received: from wgtech.UUCP by rambone.psi.net (4.1/SMI-4.1.3-PSI) id AA24821; Mon, 13 Mar 95 07:44:30 EST Received: from wsi1.wsi.com by wsi.com (4.1/SMI-4.1) id AA04955; Mon, 13 Mar 95 08:47:26 EST Received: from rivendell.wsi.com by wsi1.wsi.com (5.0/SMI-SVR4) id AA03094; Mon, 13 Mar 1995 08:46:52 +0500 Received: by rivendell.wsi.com (5.x/SMI-SVR4) id AA02248; Mon, 13 Mar 1995 08:44:18 -0500 Date: Mon, 13 Mar 1995 08:44:18 -0500 From: david@wsi1.wsi.com (David Flinn) Message-Id: <9503131344.AA02248@rivendell.wsi.com> To: firewalls@GreatCircle.COM Subject: ??
subnetting, firewall-1, routing Cc: david@rivendell.wsi.com X-Sun-Charset: US-ASCII Content-Length: 3050 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

My question concerns the use of a registered IP class C segment (for instance, 192.207.93.0) and making this work with a router (firewall-1). If you can, please reply directly. Thanks.

My confusion stems from the fact that the firewall-1 machine does do routing, and thus, requires each physical interface to have a different Class C address. Given this as fact, the problem arises that my internal network must use a "private" IP address which cannot be routed out to the Internet, because the source addresses will be wrong. Thus, I have to put a machine out on the 192.207.93.0 net and have the local folks login to it to use telnet, www, etc. Yuk.

                           56k WAN link
                                |
      netcom router connection       netra gateway machine w/ firewall-1
           (192.207.93.1)            (192.207.93.2)       (192.207.95.2)
                |                         |                    |
                |                         |                    |
                ---- 192.207.93.0 -------                      |
                                                               |
              -------------- 192.207.95.0 ------------------------
                |                      |                      |
                |                      |                      |
              client                 client                 client
          (192.207.95.10)        (192.207.95.11)        (192.207.95.12)

Right now, I can see four solutions:

1) Get two Class C addresses from the NIC.

2) use a proxy program on the firewall-1 machine to handle all telnet, www, and ftp programs. This seems like a lot of work, but may be the only solution. But also defeats the value of firewall-1.

3) Network Address Translation. There is a product called Private Internet Exchange which will solve my problem perfectly. Unfortunately, they sell their own hardware and software to do this. I am only interested in the software. If there is any public or private software that does this, PLEASE let me know. This would be way cool.

4) I would prefer to use subnetting with my valid Class C address.
What I would like to do is to use subnet masks to make the firewall-1 machine think that the internal network is private, but when an internal client fires up mosaic, when the packet leaves the netra, it will be able to route the return packet back to the internal client.

                           56k WAN link
                                |
      netcom router connection       netra gateway machine w/ firewall-1
           (192.207.93.1)            (192.207.93.2)       (192.207.93.3)
                |                         |                    |
                |                         |                    |
                ---- 192.207.93.0 -------                      |
                netmask (255.255.255.0)                        |
                                                               |
                                         netmask (255.255.255.192)
                                                               |
              -------------- 192.207.95.0 ------------------------
                |                      |                      |
                |                      |                      |
              client                 client                 client
          (192.207.93.10)        (192.207.93.11)        (192.207.93.12)

Is this possible and will it work? Is there another solution to my dilemma? I don't want to have each client log into a bastion host out on the outside local net.

Whaddaya think?

Thanks,
david

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
| david flinn                      workgroup solutions         |
| enterprise technology manager    76 blanchard road           |
| 617-238-8562                     burlington, ma 01803        |
| 617-229-9991 (fax)               david@wsi.com               |
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

From firewalls-owner Mon Mar 13 07:50:55 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA01919 for firewalls-outgoing; Mon, 13 Mar 1995 07:42:05 -0800 Received: from mail.swip.net (mail.swip.net [192.71.180.65]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA01914 for ; Mon, 13 Mar 1995 07:42:00 -0800 From: axel.skough@scb.se Received: by mail.swip.net with UUCP (8.6.8/3.01) id QAA07770; Mon, 13 Mar 1995 16:41:59 +0100 Message-ID: <199503131541.QAA07770@mail.swip.net> Date: Mon, 13 Mar 1995 16:36 +0200 To: Adam Shostack , George_D._Custodio@mail.asiandevbank.org (George D.
Custodio) Cc: firewalls@GreatCircle.COM Subject: SV: Re: IBM's Firewall MIME-version: 1.0 (Created by TFS) Content-Type: text/plain ; charset=ISO-8859-1 Content-transfer-encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>There are several areas that NetSP is lacking in. See the archives.
>
>Adam
>
>
>| Is there any user of the IBM's firewall (NetSp Security Gateway)? In one of
>| network security presentation, the speaker said that IBM's firewall
>| implementation includes packet filtering, application proxy, DNS, and socks.
>| Is this true? Is it available now? Does it work?
>|

We are currently considering the IBM NetSP SNG for the RS6000 and it would be very valuable to know exactly in what areas this product is lacking in. What archives are referenced here? I would be grateful for details, either specifically or a reference list. It would help us in making proper decisions.

TIA!!!!

Best regards,
Axel Skough
Statistics Sweden

From firewalls-owner Mon Mar 13 08:13:54 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA01660 for firewalls-outgoing; Mon, 13 Mar 1995 07:24:42 -0800 Received: from clavin.uprc.com (clavin.uprc.com [144.94.68.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA01655 for ; Mon, 13 Mar 1995 07:24:36 -0800 Received: from cygnus.uprc.com by clavin.uprc.com (4.1/3.2.012693-Union Pacific Resources Company); id AA12648 for firewalls@GreatCircle.COM; Mon, 13 Mar 95 09:21:03 CST Received: by cygnus.uprc.com (5.0/SMI-SVR4) id AA08109; Mon, 13 Mar 1995 09:20:58 +0600 Date: Mon, 13 Mar 1995 09:20:58 +0600 From: z056716@uprc.com (LaCoursiere J. D. (Jeff)) Message-Id: <9503131520.AA08109@cygnus.uprc.com> To: raf@ezunx.com, mouring@netnet.net Subject: Re: just wondering....
Cc: firewalls@GreatCircle.COM X-Sun-Charset: US-ASCII Content-Length: 1340 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> > > Case in point -- How many Internet Providers give free Firewall Basics
> > > Training when you buy their service? Ok, none. Next question, Why
> > > Not?
>
> The few providers I know personally have two functions:
> a) as a network provider
> b) as a jumping point for users with modems
>

FastLane Communications, Inc. is a provider in the Dallas/Ft. Worth area. Not only do we offer firewall courses and security talks for our dedicated customers, the router provided by us for their link (built by FastLane based on FreeBSD and some custom filter software we wrote) is configured as a packet filtering firewall and optionally a full proxy driven bastion host (dual homed, or screened subnet - your choice :) .

I realize that this is not the norm, and is truly the reason we are in business. We feel we are the first in the area to fill this niche. I get genuinely upset with the big-money-backed ISP's with very little tech experience starting up all over the place.... the point: not *all* ISP's are firewall unconscious.

Sorry for the rant,

  ______/  Jeff LaCoursiere            FastLane Communications
 /         Network security/services   mail info@fastlane.net
 ___/      lacoursj@fastlane.net
 /
 __/ ASTLANE Communications!  Connecting America to the Internet...
From firewalls-owner Mon Mar 13 08:34:43 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA02185 for firewalls-outgoing; Mon, 13 Mar 1995 07:58:57 -0800 Received: from post.demon.co.uk (post.demon.co.uk [158.152.1.72]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA02170 for ; Mon, 13 Mar 1995 07:58:53 -0800 Received: from roverpte.demon.co.uk by post.demon.co.uk id aa11770; 13 Mar 95 15:22 GMT Received: from boiled.rover.com by roverpte.demon.co.uk (5.65c) id AA16207; Mon, 13 Mar 1995 11:05:18 GMT Received: by boiled.rover.com (5.65c) id AA11213; Mon, 13 Mar 1995 11:07:41 GMT Message-Id: <199503131107.AA11213@boiled.rover.com> To: firewalls@greatcircle.com Subject: x-gw proxy Date: Mon, 13 Mar 95 11:07:41 +0000 From: Lyndon David Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> I am running a test for the x-gw proxy on all sun workstations running
> SunOS 4.1.3 using openwindows.
> I will telnet to the tn-gw port and start the x-gw server. On my
> workstation (where I have already set xhost + sun2x) screen I get a
> window telling Display prot=sun2x.res.utc.com:10.
> I telnet to a any old machine and set my Display to sun2x.res.utc.com:10
> and start up xclock.
> My workstation window manager completely locks up. I have not yet
> tried to run on a workstation that is not running openwindows.

I experienced the same - it seems to be a known problem (tis people know about it at least) with OpenWindows. It doesn't work either with OpenWindows 3_414 (the one for SunOS 4.1.4), but it DOES work for OpenWindows running under Solaris 2.3. If anyone knows about a suitable OpenWindows patch, information would be very welcome.

I have had the same experience, not with openwindows but with just X server on pcs and apollo workstations. After a bit of a poke it came down to this.

X11r4 locks up.
X11r5 works.

Hope this helps.
I don't know what in the TIS code is doing the locking up :(

Lyndon

From firewalls-owner Mon Mar 13 08:51:20 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA02747 for firewalls-outgoing; Mon, 13 Mar 1995 08:23:36 -0800 Received: from fshops.sfsu.edu (fshops.sfsu.edu [130.212.45.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA02742 for ; Mon, 13 Mar 1995 08:23:33 -0800 Received: from sansom@fshops.sfsu.edu by fshops.sfsu.edu (5.64/Tenon-1.35.01) id AA05794; Mon, 13 Mar 95 08:22:50 -0800 (PST) Received: by servo.fshops.sfsu.edu (AIX 3.2/UCB 5.64/4.03) id AA25158; Mon, 13 Mar 1995 08:21:11 -0800 Date: Mon, 13 Mar 1995 08:21:08 -0800 (PST) From: Rob Sansom Subject: POP thru packet filter? To: firewalls@greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I am installing a POP server on our mail machine so people can read their mail via Eudora, etc... As of now, I will only allow POP on our inside net. Any advice, warnings, or whatever concerning POP access thru packet filters?

Thanks,
Rob S.
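The replies to this question below turn on one point: plain POP3 sends USER/PASS in the clear, so a packet filter that lets port 110 through also lets the password through, whereas APOP (RFC 1939, section 7) sends only an MD5 digest bound to a per-connection server banner. The following is an added example written for this archive, not code from the list or from any POP server or client; the in-memory account store and the "sniffer" helpers are constructed for the demonstration, and the banner/secret/digest values in the self-check are the ones RFC 1939 itself uses.

```python
"""APOP challenge-response (RFC 1939, section 7) beside plain USER/PASS.

Added example, not code from the firewalls list or from any POP server or
client. PopAccounts stands in for a server's secret file; the sniffed_*
helpers return exactly the client lines a passive listener on the wire
would see, so the two login styles can be compared.
"""
import hashlib
import hmac
import os
import time


def apop_banner(hostname: str) -> str:
    """Timestamp banner a POP3 server puts in its greeting.

    RFC 1939 requires the form <process-id.clock@hostname>; it must be unique
    per connection, which is what keeps a captured digest from being replayed.
    """
    return f"<{os.getpid()}.{int(time.time())}@{hostname}>"


def apop_digest(banner: str, secret: str) -> str:
    """Client side: MD5 over the banner followed by the shared secret."""
    return hashlib.md5((banner + secret).encode("ascii")).hexdigest()


class PopAccounts:
    """In-memory stand-in for the server's secret store (constructed)."""

    def __init__(self, secrets):
        self._secrets = dict(secrets)

    def verify_apop(self, banner: str, user: str, digest: str) -> bool:
        """Server side: recompute the digest from the server's own copy of
        the secret and compare in constant time, so a wrong guess does not
        leak how many hex digits matched."""
        secret = self._secrets.get(user)
        if secret is None:
            return False
        return hmac.compare_digest(apop_digest(banner, secret), digest.lower())


def sniffed_plain_login(user: str, password: str):
    """Client lines a passive listener sees for a USER/PASS login."""
    return [f"USER {user}", f"PASS {password}"]


def sniffed_apop_login(banner: str, user: str, secret: str):
    """Client line a passive listener sees for an APOP login: the secret
    itself never appears, only a digest tied to this connection's banner."""
    return [f"APOP {user} {apop_digest(banner, secret)}"]


if __name__ == "__main__":
    # Values from the RFC 1939 example, so the digest can be checked by hand.
    banner = "<1896.697170952@dbc.mtview.ca.us>"
    accounts = PopAccounts({"mrose": "tanstaaf"})
    line = sniffed_apop_login(banner, "mrose", "tanstaaf")[0]
    print(line)
    print("accepted:", accounts.verify_apop(banner, "mrose", line.split()[2]))
    print("replayed against a new banner:",
          accounts.verify_apop(apop_banner("mail.example"), "mrose",
                               line.split()[2]))
```

Two caveats the code makes visible: the server must hold the secret in a recoverable form (not a one-way hash) to verify APOP, so the secret file needs the same protection as a password file, and a listener who captures banner plus digest can still try guesses offline, so APOP protects against passive capture and replay but not against weak secrets.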
From firewalls-owner Mon Mar 13 09:31:11 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA02313 for firewalls-outgoing; Mon, 13 Mar 1995 08:05:40 -0800 Received: from research.att.com (research.att.com [192.20.225.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA02307 for ; Mon, 13 Mar 1995 08:05:29 -0800 From: smb@research.att.com Message-Id: <199503131605.IAA02307@miles.greatcircle.com> Received: by gryphon; Mon Mar 13 10:54:43 EST 1995 To: mcr@milkyway.com (Michael Richardson) cc: firewalls@greatcircle.com Subject: Re: chroot httpd Date: Mon, 13 Mar 95 10:54:42 EST Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In article <199503102147.NAA26917@miles.greatcircle.com>, Ken Shores wrote:
>I prefer to do the chroot in the program, rather than external in the
>initiation of the program, as this allows you to keep the config file
>outside the chroot environment. The actual command to chroot can be
>as simple as:

My preference is that the program never run as root, and to not have either program or config file in the arena. This means:

stub.c does
    open(config);
    open(log);
    bind(socket=80);
    chdir("/path/to/prog");
    chroot("/www");
    setuid(nobody);
    dup2(socket,0);
    dup2(log,SOME_KNOWN_FD);
    dup2(config,SOME_OTHER_KNOWN_FD);
    exec("httpd");    /* relative to /path/to/prog */

>
> if (chroot("place.path.here") < 0 || chdir("/") < 0)
>     HTLog_error2("Can't set root");

Note: if you don't chdir(), you can access the original file system with relative path names.

I'd prefer to do open("httpd"); execfd(); ...

Assuming a well-behaved application, and if your system supports /dev/fdN, there's an easy out: write a wrapper that opens the necessary config files, then passes the open file descriptors as file names. But I haven't tried this for exec() yet...
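The stub.c sketch above is an ordering argument: everything that needs root or lives outside the jail (config, log, the privileged port) is opened first, then the process is confined with chdir plus chroot, then root is dropped, and only then are the open descriptors handed to the daemon at agreed fd numbers so it never needs to open anything itself. The following is an added example written for this archive, not code from the list or from any httpd; the descriptor numbers (config on fd 3, log on fd 4, listening socket on fd 0) are a convention of this example, and the self-check runs without root and without a chroot, exercising only the fd-passing part.

```python
"""Wrapper that prepares a daemon the way smb's stub.c sketch describes.

Added example, not code from the list or from any httpd. CONFIG_FD and
LOG_FD are this example's convention; the child must be written to read
its configuration from fd 3 and log to fd 4. The privileged steps
(bind to a low port, chroot, setuid) run only when asked for.
"""
import os
import socket
import sys
import tempfile

CONFIG_FD = 3  # child reads its configuration here
LOG_FD = 4     # child appends its log here


def launch(argv, config_path, log_path, listen_port=None,
           chroot_dir=None, run_as=None):
    """Fork, prepare the child in the stub.c order, exec argv.

    Returns the child's exit status. run_as is an optional (uid, gid)
    pair. argv[0] is resolved after the chroot, so with chroot_dir it
    must be a path inside the jail.
    """
    pid = os.fork()
    if pid:
        _, status = os.waitpid(pid, 0)
        return os.waitstatus_to_exitcode(status)
    try:
        # 1. Open everything that lives outside the jail, and bind any
        #    privileged port, while still root and unconfined.
        config = os.open(config_path, os.O_RDONLY)
        log = os.open(log_path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o640)
        if listen_port is not None:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            sock.bind(("", listen_port))
            sock.listen(16)
            os.dup2(sock.fileno(), 0)  # the daemon accept()s on its stdin
        # 2. chdir into the jail before chroot: a chroot whose working
        #    directory is outside it can still be walked with relative paths.
        if chroot_dir is not None:
            os.chdir(chroot_dir)
            os.chroot(".")
        # 3. Drop root for good; supplementary groups and gid first, uid
        #    last, because after setuid the gid change is no longer allowed.
        if run_as is not None:
            uid, gid = run_as
            os.setgroups([])
            os.setgid(gid)
            os.setuid(uid)
        # 4. Hand the files over at the agreed numbers. os.dup2 makes the
        #    target descriptor inheritable, so it survives the exec; every
        #    descriptor above the agreed ones is closed so nothing else leaks.
        os.dup2(config, CONFIG_FD)
        os.dup2(log, LOG_FD)
        os.closerange(LOG_FD + 1, 1024)
        os.execv(argv[0], argv)
    except Exception as exc:
        os.write(2, f"launch failed: {exc}\n".encode())
    os._exit(127)


# Constructed stand-in for the daemon: reads its "config" from fd 3, writes
# one log line to fd 4, and exits 0 only if the config arrived intact.
CHILD_PROGRAM = (
    "import os\n"
    "data = os.read(3, 64)\n"
    "os.write(4, b'child saw: ' + data)\n"
    "raise SystemExit(0 if data == b'hello\\n' else 1)\n"
)


def demo_fd_passing():
    """Self-check without root: a constructed config reaches the child only
    through fd 3 and its log comes back through fd 4. Returns (status, log)."""
    with tempfile.TemporaryDirectory() as tmp:
        config_path = os.path.join(tmp, "httpd.conf")
        log_path = os.path.join(tmp, "httpd.log")
        with open(config_path, "w") as f:
            f.write("hello\n")
        status = launch([sys.executable, "-c", CHILD_PROGRAM],
                        config_path, log_path)
        with open(log_path) as f:
            return status, f.read()


if __name__ == "__main__":
    print(demo_fd_passing())
```

With chroot_dir and run_as set, the same call gives the property the message asks for: the daemon starts unprivileged inside the jail with its config and log already open, so neither file needs to exist under the chroot, and the daemon has no open() of its own that a path bug could turn against the rest of the filesystem.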
From firewalls-owner Mon Mar 13 09:31:35 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA03592 for firewalls-outgoing; Mon, 13 Mar 1995 09:04:58 -0800 Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA03586; Mon, 13 Mar 1995 09:04:54 -0800 X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 13 Mar 1995 09:03:09 -0800 To: Rob Sansom , firewalls@greatcircle.com From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: POP thru packet filter? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 8:21 AM 3/13/95, Rob Sansom wrote:
>I am installing a POP server on our mail machine so people can read their
>mail via Eudora, etc... As of now, I will only allow POP on our inside
>net. Any advice, warnings, or whatever concerning POP access thru packet
>filters?

Standard POP sends their password across the net in plain view, just like most other protocols; anyone snooping on the connection will see not only the user's mail being transferred in that session (which may be sensitive in and of itself), but also the password they would need to access the mail again in the future. Worse, most sites use the same password for each user for both POP and shell access. Even if your POP users are given POP-only accounts, you need to make sure they can't access other password-protected services (like non-anonymous FTP) with that password.

There are variants of POP that do challenge-response passwords (called "APOP") and Kerberos authentication (KPOP), but finding clients and servers that support them might be a problem. Eudora supports both from the client side; unfortunately, I don't know of a good APOP server (QualComm, the developers of Eudora, are unwilling to recommend one), and Kerberos is a royal pain in the butt to set up and manage.
Again, don't forget about the sensitivity (confidentiality, privacy, whatever you want to call it) of the mail itself, which will probably include internal messages that the sender expected to _stay_ internal to the organization. I don't know if the Kerberos support for Eudora includes Kerberos session encryption in addition to Kerberos authentication, but it would probably be worth looking into.

I use POP quite heavily. I gave up on getting POP to work safely across the Internet, and just dial in via PPP to a terminal server on my office LAN when I'm out of the office and want to access POP. It's been several months (maybe a year) since I looked at the problem in detail, though.

-Brent
--
== For info about the Internet Security Firewalls Tutorial and a schedule ==
== of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM ==
==============================================================================
== Brent Chapman          Great Circle Associates ==
== Brent@GreatCircle.COM  1057 West Dana Street ==
== +1 415 962 0841        Mountain View, CA 94041 ==

From firewalls-owner Mon Mar 13 09:50:42 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA04165 for firewalls-outgoing; Mon, 13 Mar 1995 09:36:34 -0800 Received: from eclipse.esr.com (eclipse.esr.com [204.77.128.18]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA04160 for ; Mon, 13 Mar 1995 09:36:29 -0800 Received: from esig.esr.com by eclipse.esr.com with SMTP (5.65/1.2-eef) id AA19854; Mon, 13 Mar 95 12:38:35 -0500 Received: by esig.esr.com; Mon, 13 Mar 95 12:38:25 EST Date: Mon, 13 Mar 95 12:36:45 EST Message-Id: X-Priority: 3 (Normal) From: "David M. Weaver" To: firewalls@greatcircle.com Subject: Re: just wondering.... X-Incognito-Sn: 484 X-Incognito-Format: VERSION=2.00 EA-2 ENCRYPTED=NO Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Electronic Systems (I2020Net) is the same.
It's the whole reason we added ISP offerings to our existing network integration business.

------------- Original Text
>From z056716@uprc.com (LaCoursiere J. D. (Jeff)), on 3/13/95 9:20 AM:

> > > Case in point -- How many Internet Providers give free Firewall Basics
> > > Training when you buy their service? Ok, none. Next question, Why
> > > Not?
>
> The few providers I know personally have two functions:
> a) as a network provider
> b) as a jumping point for users with modems
>

FastLane Communications, Inc. is a provider in the Dallas/Ft. Worth area. Not only do we offer firewall courses and security talks for our dedicated customers, the router provided by us for their link (built by FastLane based on FreeBSD and some custom filter software we wrote) is configured as a packet filtering firewall and optionally a full proxy driven bastion host (dual homed, or screened subnet - your choice :) .

I realize that this is not the norm, and is truly the reason we are in business. We feel we are the first in the area to fill this niche. I get genuinely upset with the big-money-backed ISP's with very little tech experience starting up all over the place.... the point: not *all* ISP's are firewall unconscious.

Sorry for the rant,

  ______/  Jeff LaCoursiere            FastLane Communications
 /         Network security/services   mail info@fastlane.net
 ___/      lacoursj@fastlane.net
 /
 __/ ASTLANE Communications!  Connecting America to the Internet...
#######################################################
# Mike Weaver                 Electronic Systems, Inc #
# Senior Systems Consultant   Richmond, Virginia      #
# mike@esr.com                (804) 330-5555          #
#######################################################
# Network Integration Services, Consulting, Internet  #
# A Commercial Internet Exchange Member               #
#######################################################

From firewalls-owner Mon Mar 13 10:20:51 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA04657 for firewalls-outgoing; Mon, 13 Mar 1995 09:57:11 -0800 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA04647 for ; Mon, 13 Mar 1995 09:57:07 -0800 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA13475; Mon, 13 Mar 95 12:43:43 -0500 Date: Mon, 13 Mar 95 12:43:42 -0500 Message-Id: <9503131743.AA13475@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: ISPs & Bravo Fastlane Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Jeff writes:
>FastLane Communications, Inc. is a provider in the Dallas/Ft. Worth area.
>Not only do we offer firewall courses and security talks for our dedicated
>customers, the router provided by us for their link (built by FastLane
>based on FreeBSD and some custom filter software we wrote) is configured
>as a packet filtering firewall and optionally a full proxy driven bastion
>host (dual homed, or screened subnet - your choice :)

This is the way it should be but needs different marketing: basic service plus "optional" extras. When the ISPs realize that they can sell a SMTP only connection for one price and have CLASS type options such as Gopher, Telnet, FTP, NNTP, and WWW then we will see all providers coming on board the bandwagon because it will be a revenue producer and not a disincentive.
Cable TV companies use notch filters for some channels because for a subscriber to have them removed results in a fee to the provider. When ISPs realize that they can do this for little or no cost, what we think of today as a "firewall" will become standard equipment for the ISP. Look for flat rates with "premium" options in the near future. One will try, make a bundle (and a *steady, forecastable* bundle that investors prefer) and you will see what is meant by "avalanche effect".

Warmly,
Padgett

From firewalls-owner Mon Mar 13 10:43:41 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA04880 for firewalls-outgoing; Mon, 13 Mar 1995 10:04:46 -0800 Received: from maily1.prodigy.com (maily1.prodigy.com [192.207.105.55]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA04875 for ; Mon, 13 Mar 1995 10:04:43 -0800 Received: (from frank@localhost) by maily1.prodigy.com (8.6.10/8.6.9) id MAA34224; Mon, 13 Mar 1995 12:41:29 -0500 Date: Mon, 13 Mar 1995 12:41:29 -0500 (EST) From: Frank Wortner To: Firewalls@GreatCircle.COM Subject: Re: Identifying computers behind a Firewall ? In-Reply-To: <199503131026.CAA26978@miles.greatcircle.com> Message-ID: X-Mail-1: Prodigy Services Co. X-Mail-2: 1565 Front Street X-Mail-3: Yorktown Heights NY 10598 X-Phone: 1-914-448-1740 X-FAX: 1-914-448-1946 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Mon, 13 Mar 1995, Esa Hanninen wrote:
>
>  ------     ---                  ---      ---
> |server| --|fw1| ---internet ---|fw2|--|--|pc1|
>  ------     ---                  ---   |  ---
>                                        |
>                                        |  ---
>                                        |--|pc2|
>                                           ---
> In this picture, only pc1 should have access to server.
> pc2 should not have access to server.
>
> But, if I have understood it right, fw1 does not have
> the information on whether the packet came from pc1 or
> pc2. packet is seen as coming from fw2?

That depends on the type of firewall.
A packet filter would allow that information through, while an application relay wouldn't.

> Is there anything that could be done with fw1?

The best solution might be some sort of application relay that incorporates authentication based on something other than IP address. As has been mentioned here and in various publications, and shown in real life, you can't entirely trust that information anyway. How hard this would be to do and how much user visibility this has depends on what kind of "access" you are trying to grant. It also depends on the type of firewall in both locations.

Frank
--
"Outside of a dog, a book is a man's best friend; inside of a dog, it's too dark to read." -- Groucho Marx

From firewalls-owner Mon Mar 13 11:24:59 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA06434 for firewalls-outgoing; Mon, 13 Mar 1995 10:59:11 -0800 Received: from eas (eas.frus.com [199.173.156.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA06427 for ; Mon, 13 Mar 1995 10:59:07 -0800 Message-Id: X-Mailer: exmh version 1.6alpha 2/16/95 To: Lyndon David cc: firewalls@greatcircle.com Subject: Re: x-gw proxy In-reply-to: Your message of "Mon, 13 Mar 1995 11:07:41 GMT." <199503131107.AA11213@boiled.rover.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 13 Mar 1995 10:56:27 -0800 From: Earl Stutes Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>
> I have had the same experience, not with openwindows but with
> just X server on pcs and apollo workstations. After a bit of
> a poke it came down to this.
>
> X11r4 locks up.
> X11r5 works.

X11R4 based OpenWindows was broken. Let me count the ways.
;*)
=eas=

From firewalls-owner Mon Mar 13 11:55:16 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA06615 for firewalls-outgoing; Mon, 13 Mar 1995 11:03:32 -0800 Received: from nasirc.hq.nasa.gov (nasirc.hq.nasa.gov [198.116.23.199]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA06610 for ; Mon, 13 Mar 1995 11:03:29 -0800 Received: from localhost.hq.nasa.gov by nasirc.hq.nasa.gov (8.6.10/1.35) id OAA07671; Mon, 13 Mar 1995 14:00:51 -0500 Message-Id: <199503131900.OAA07671@nasirc.hq.nasa.gov> To: mcr@milkyway.com (Michael Richardson) cc: firewalls@greatcircle.com Date: Mon, 13 Mar 1995 14:00:50 -0500 From: Fred Blonder Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

    From: mcr@milkyway.com (Michael Richardson)

    . . . if you don't chdir(), you can access the original file system
    with relative path names.

Yes, but, if you don't chdir(), you lose most of the protection you get by chrooting in the first place. As soon as someone figures out that that's what you're doing, (and they will) they'll find some way to exploit it.

    I'd prefer to do open("httpd"); execfd(); ...

So would I.

------
Fred Blonder               fred@nasirc.hq.nasa.gov
Hughes STX Corp.           (301) 441-4079
7701 Greenbelt Rd.         Greenbelt, Md.
20770 From firewalls-owner Mon Mar 13 12:02:31 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA06919 for firewalls-outgoing; Mon, 13 Mar 1995 11:11:02 -0800 Received: from ns.incog.com (ns.incog.com [199.190.177.251]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA06908 for ; Mon, 13 Mar 1995 11:10:59 -0800 From: mulligan@incog.com Received: from osmosys.incog.com by ns.incog.com (8.6.10/94082501) id LAA05007; Mon, 13 Mar 1995 11:09:17 -0800 Received: from coslabs.incog.com by osmosys.incog.com (5.x/SMI-SVR4) id AA27714; Mon, 13 Mar 1995 11:09:05 -0800 Received: from future.incog.com by coslabs.incog.com (5.x/SMI-SVR4) id AA25754; Mon, 13 Mar 1995 11:50:57 -0700 Received: from localhost by future.incog.com (5.x/SMI-SVR4) id AA02078; Mon, 13 Mar 1995 11:47:14 -0700 Message-Id: <9503131847.AA02078@future.incog.com> To: Esa Hanninen Cc: Firewalls@GreatCircle.COM Subject: Re: Identifying computers behind a Firewall ? Reply-To: mulligan@incog.com In-Reply-To: Your message of "Mon, 13 Mar 95 12:17:10 +0100." <199503131026.CAA26978@miles.greatcircle.com> Date: Mon, 13 Mar 95 11:47:14 MST Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > One basic question I can't find answer alone. > > How to give access to network from just a few computers > in other network, when there are firewalls in between ? > > > ------ --- --- --- > |server| --|fw1| ---internet ---|fw2|--|--|pc1| > ------ --- --- | --- > | > | --- > |--|pc2| > --- > In this picture, only pc1 shold have access to server. > pc2 should not have access to server. > > But, if I have understood it right, fw1 does not have > the information on whether the packet came from pc1 or > pc2. packet is seen as coming from fw2? This is dependent on the type of firewalls you are using. If FW2 is a packet screen then the packet sent to FW1 will have a source IP address of PC1 or PC2 and FW1 can screen packets based on source IP address. 
It is possible to spoof this and I would recommend encryption in addition If FW2 is an application relay then you will have to implement some type of per user authentication on FW1. geoff From firewalls-owner Mon Mar 13 12:18:46 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA06867 for firewalls-outgoing; Mon, 13 Mar 1995 11:09:58 -0800 Received: from wolfe.wimsey.com (wolfe.wimsey.com [204.191.160.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA06862 for ; Mon, 13 Mar 1995 11:09:55 -0800 Received: by wolfe.wimsey.com (Smail3.1.28.1 #9) id m0roFSq-000EdZC; Mon, 13 Mar 95 19:07 GMT Received: by ilinx.com (/\oo/\ Smail3.1.29.1 #29.6) id ; Mon, 13 Mar 95 11:03 PST Received: by ilinx.ilinx.com (/\==/\ Smail3.1.28.1 #28.1) id ; Mon, 13 Mar 95 11:02 PST Message-Id: From: brian@ilinx.ilinx.com (Brian J. Murrell) To: eha@ccc.fi Subject: Re: Identifying computers behind a Firewall ? Cc: Firewalls@GreatCircle.COM Date: Mon, 13 Mar 1995 11:02:57 -0800 (PST) MIME-Version: 1.0 X-Mailer: Ishmail 1.0.5-386-950210 Available via anonymous ftp from ftp.halsoft.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk from the quill of Esa Hanninen on scroll <199503131026.CAA26978@miles.greatcircle.com> > > ------ --- --- --- > |server| --|fw1| ---internet ---|fw2|--|--|pc1| > ------ --- --- | --- > | > | --- > |--|pc2| > --- > In this picture, only pc1 shold have access to server. > pc2 should not have access to server. > > But, if I have understood it right, fw1 does not have > the information on whether the packet came from pc1 or > pc2. packet is seen as coming from fw2? Sure, put a screening router (minimum cost of alternatives) in front of fw2 and stop pc2 before it even gets to fw2. Perhaps you want pc2 to use the internet though. In that case, this all depends on what fw2 is. If it's a filter, you can put a screening router in front of fw1 to screen out pc2. 
If it's a proxy or address mapping machine, you can't differenciate pc2 from pc1. You really should ask yourself another question though. Do you really want to allow access to "server" based on the fact that "pc1" is allowed. Host based access is weak. You should implent some kind of user based security instead, and do away with the "what machine" false sense of security. b. -- Brian J. Murrell brian@ilinx.com InterLinx Support Services, Inc. brian@wimsey.com North Vancouver, B.C. 604 983 UNIX Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD From firewalls-owner Mon Mar 13 12:27:58 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA08339 for firewalls-outgoing; Mon, 13 Mar 1995 12:08:16 -0800 Received: from valiant.te.CdnAir.CA (valiant.te.CdnAir.CA [142.147.1.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA08334 for ; Mon, 13 Mar 1995 12:08:13 -0800 Received: by valiant.te.CdnAir.CA id AA14325 (5.67b/IDA-1.5 for firewalls@greatcircle.com); Mon, 13 Mar 1995 12:05:27 -0800 Date: Mon, 13 Mar 1995 12:05:27 -0800 (PST) From: "Grant M. Fengstad" To: firewalls@greatcircle.com Subject: TIS 1.3 on SVR4 In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have installed the TIS toolkit on a SVR4.2 platform (UnixWare 2.0) and have all the wrapper programs and daemons running. I used the solaris-patch file in order to port the toolkit from it's BSD variant to a SYSV acceptable mode. One program that isn't ported is the syslogd program in the tools/server directory. As this is a specialized syslogd, I would appreciate any assistance or suggestions from anyone who may have already faced this situation. 
From firewalls-owner Mon Mar 13 12:50:53 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA09168 for firewalls-outgoing; Mon, 13 Mar 1995 12:29:18 -0800
Received: from paranor.ca.cch.com (paranor.ca.cch.com [192.139.248.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA09162 for ; Mon, 13 Mar 1995 12:29:15 -0800
Received: by paranor.ca.cch.com id AA18480; Mon, 13 Mar 95 15:31:31 EST
Received: from cchtor.ca.cch.com(192.139.241.2) by paranor.ca.cch.com via smap (V1.3) id sma018478; Mon Mar 13 15:31:30 1995
Received: from cchtor (cchtor.ca.cch.com [192.139.241.2]) by cchtor.ca.cch.com (8.6.9/8.6.9) with SMTP id PAA27772; Mon, 13 Mar 1995 15:30:23 -0500
Date: Mon, 13 Mar 1995 15:30:19 -0500 (EST)
From: Larry Chin
Subject: Re: SMTP proxy
To: Luca Postacchini
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9503130926.AA05584@sparc10.cpg.it>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Is there anyone on this list that knows where to find a
> SMTP proxy either public domain software or commercial product ?
> Thanks

You could try the smap/smapd pair that comes with the TIS firewall toolkit. You can get it from ftp.tis.com.

===========================================================================
Larry Chin {Larry_Chin@ca.cch.com}
System/Network Administrator
CCH Canadian Ltd. (416) 441-4001 ext. 349
===========================================================================

From firewalls-owner Mon Mar 13 14:07:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA10317 for firewalls-outgoing; Mon, 13 Mar 1995 12:59:45 -0800
Received: from cs.columbia.edu (cs.columbia.edu [128.59.16.20]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA10312 for ; Mon, 13 Mar 1995 12:59:42 -0800
From: carson@cs.columbia.edu
Received: from pizza.cs.columbia.edu (pizza.cs.columbia.edu [128.59.26.43]) by cs.columbia.edu (8.6.10/8.6.6) with ESMTP id PAA20985; Mon, 13 Mar 1995 15:57:29 -0500
Received: (from carson@localhost) by pizza.cs.columbia.edu (8.6.10/8.6.6) id PAA14964; Mon, 13 Mar 1995 15:57:28 -0500
Date: Mon, 13 Mar 1995 15:57:28 -0500
Message-Id: <199503132057.PAA14964@pizza.cs.columbia.edu>
To: "Grant M. Fengstad"
Cc: firewalls@GreatCircle.COM
Subject: Re: TIS 1.3 on SVR4
In-Reply-To:
References:
Reply-To: carson@cs.columbia.edu
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>>>> On Mon, 13 Mar 1995 12:05:27 -0800 (PST), "Grant M. Fengstad" said:

Grant> syslogd program in the tools/server directory. As this is a specialized
Grant> syslogd, I would appreciate any assistance or suggestions from anyone
Grant> who may have already faced this situation.

The short answer is: "don't use the TIS syslogd, it won't work"

The long answer is:

SVR4 uses a completely different syslog mechanism - read the man pages for more details. It is possible to replace it using the TIS syslogd, but you'd have to replace the client routines in libc, and then worry about statically linked binaries. It might be possible to use the TIS syslogd for udp traffic, and the OS syslogd for local stuff (perhaps setting LOGHOST to localhost to feed through both...) but I wouldn't recommend it.

If you _really_ want the features of the TIS syslogd, you'll have to extensively modify the code to deal with the streams interface in SVR4. I didn't think it was worthwhile - I just use perl to parse my log files.

--
-- A Queen Trapped in a Butch Body is: Carson Gaspar
-- carson@cs.columbia.edu, carson@lehman.com

From firewalls-owner Mon Mar 13 14:15:35 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA09633 for firewalls-outgoing; Mon, 13 Mar 1995 12:42:33 -0800
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA09623 for ; Mon, 13 Mar 1995 12:42:26 -0800
Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA14445; Mon, 13 Mar 95 15:40:05 -0500
Date: Mon, 13 Mar 95 15:40:04 -0500
Message-Id: <9503132040.AA14445@uvs1.orl.mmc.com>
From: Brent@greatcircle.com
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security), ("firewalls@greatcircle.com"@uvs1.dnet.mmc.com)
Subject: Re: ISPs & Bravo Fastlane
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 12:43 PM 3/13/95, padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Informat wrote:
>This is the way it should be but needs different marketing: basic service
>plus "optional" extras. When the ISPs realize that they can sell a SMTP only
>connection for one price and have CLASS type options such as Gopher, Telnet,
>FTP, NNTP, and WWW then we will see all providers coming on board the
>bandwagon because it will be a revenue producer and not a disincentive.
>
>Cable TV companies use notch filters for some channels because for a
>subscriber to have them removed results in a fee to the provider. When
>ISPs realize that they can do this for little or no cost, what we think of
>today as a "firewall" will become standard equipment for the ISP. Look
>for flat rates with "premium" options in the near future. One will try,
>make a bundle (and a *steady, forecastable* bundle that investors prefer)
>and you will see what is meant by "avalanche effect".

It's cheaper and easier for an ISP to do no filtering than to do any filtering at all. There _is_ going to be a shakeout of ISPs over the next couple of years, but I personally don't think this is the way it's going to go.

-Brent
--
== For info about the Internet Security Firewalls Tutorial and a schedule ==
== of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM  ==
==============================================================================
== Brent Chapman                                Great Circle Associates ==
== Brent@GreatCircle.COM                        1057 West Dana Street   ==
== +1 415 962 0841                              Mountain View, CA 94041 ==

From firewalls-owner Mon Mar 13 14:21:28 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA11136 for firewalls-outgoing; Mon, 13 Mar 1995 13:53:50 -0800
Received: from stargate.concorde.com (stargate.concorde.com [204.97.254.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA11131 for ; Mon, 13 Mar 1995 13:53:47 -0800
Received: (from smap@localhost) by stargate.concorde.com (8.6.8.1/8.6.6) id QAA07310; Mon, 13 Mar 1995 16:50:31 -0500
Received: from galaxy.concorde.com(198.242.54.51) by stargate.concorde.com via smap (V1.3) id sma007308; Mon Mar 13 16:50:21 1995
Received: (from jna@localhost) by galaxy.concorde.com (8.6.8.1/8.6.6) id QAA08467; Mon, 13 Mar 1995 16:50:25 -0500
Date: Mon, 13 Mar 1995 16:50:25 -0500
From: John Adams
Message-Id: <199503132150.QAA08467@galaxy.concorde.com>
To: firewalls@GreatCircle.COM, njacknis@ix.netcom.com
Subject: Re: Harris CyberGuard Firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Personally, I wouldn't trust anything with the word "Cyber" in it...

-jna

From firewalls-owner Mon Mar 13 14:43:31 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA10888 for firewalls-outgoing; Mon, 13 Mar 1995 13:39:10 -0800
Received: from valiant.te.CdnAir.CA (valiant.te.CdnAir.CA [142.147.1.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA10883 for ; Mon, 13 Mar 1995 13:39:07 -0800
Received: by valiant.te.CdnAir.CA id AA19028 (5.67b/IDA-1.5 for firewalls@greatcircle.com); Mon, 13 Mar 1995 13:35:49 -0800
Date: Mon, 13 Mar 1995 13:35:49 -0800 (PST)
From: "Grant M. Fengstad"
To: carson@cs.columbia.edu
Cc: "Grant M. Fengstad" , firewalls@greatcircle.com
Subject: Re: TIS 1.3 on SVR4
In-Reply-To: <199503132057.PAA14964@pizza.cs.columbia.edu>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 13 Mar 1995 carson@cs.columbia.edu wrote:

> >>>>> On Mon, 13 Mar 1995 12:05:27 -0800 (PST), "Grant M. Fengstad" said:
> Grant> syslogd program in the tools/server directory. As this is a specialized
> Grant> syslogd, I would appreciate any assistance or suggestions from anyone
> Grant> who may have already faced this situation.
>
> The short answer is: "don't use the TIS syslogd, it won't work"
>
> The long answer is:
>
> SVR4 uses a completely different syslog mechanism - read the man pages for
> more details. It is possible to replace it using the TIS syslogd, but you'd
> have to replace the client routines in libc, and then worry about statically
> linked binaries. It might be possible to use the TIS syslogd for udp
> traffic, and the OS syslogd for local stuff (perhaps setting LOGHOST to
> localhost to feed through both...) but I wouldn't recommend it.
>
> If you _really_ want the features of the TIS syslogd, you'll have to
> extensively modify the code to deal with the streams interface in SVR4. I
> didn't think it was worthwhile - I just use perl to parse my log files.
>

Thanks very much for your response. I appreciate the help. Any chance you'd be willing to send me your perl script(s)? That'd save me from having to re-invent what you obviously have already accomplished.

Many thanks.

From firewalls-owner Mon Mar 13 15:50:29 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA14340 for firewalls-outgoing; Mon, 13 Mar 1995 15:29:22 -0800
Received: from scruz.net (nic.scruz.net [165.227.1.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA14329 for ; Mon, 13 Mar 1995 15:29:19 -0800
Received: from raf.sj.scruznet.com by scruz.net (8.6.9/1.34) id PAA20859; Mon, 13 Mar 1995 15:27:03 -0800
Date: Mon, 13 Mar 95 14:20:14 PDT
From: Rich
Subject: RE: just wondering....
To: firewalls@greatcircle.com
X-Mailer: Chameleon - TCP/IP for Windows by NetManage, Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

my apologies to all for the mis-formatted mail of "just wondering..." That is the last time I use my system for a demo/class and change settings and then forget to reset things. (message width) I should know better (thanks to those pointing it out, or as Homer might say -- "Dohhh!")

But for the real vegetables (I am a vegetarian) of this message, I am glad to see it got people talking again about a general "topic" that needs some thought.

Rich
~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^
"....I hope life is not a big joke, cause I don't get it..."
raf@ezunx.com

From firewalls-owner Mon Mar 13 17:20:47 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA16830 for firewalls-outgoing; Mon, 13 Mar 1995 16:50:43 -0800
Received: from valiant.te.CdnAir.CA (valiant.te.CdnAir.CA [142.147.1.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA16824 for ; Mon, 13 Mar 1995 16:50:40 -0800
Received: by valiant.te.CdnAir.CA id AA23668 (5.67b/IDA-1.5 for Firewalls List ); Mon, 13 Mar 1995 16:47:55 -0800
Date: Mon, 13 Mar 1995 16:47:55 -0800 (PST)
From: "Grant M. Fengstad"
To: Firewalls List
Subject: TIS Log processing
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sorry if this is a FAQ.....

What exists out there for processing the system logs and generating meaningful reports. I am unable to implement (easily) the syslogd that comes with TIS 1.3 due to the SysV features on my system. I am showing entries being logged to my "normal" syslog file.

Seems to me that Perl should be able to nicely parse these files and do a good job of reporting. I would appreciate any pointers to existing Perl scripts, etc. that would be able to handle this.

Thanks..
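Grant asks above for scripts to process the toolkit's entries out of an ordinary syslog file, and Carson mentions doing the same with perl. The following is an added example (Python rather than Perl, and not the toolkit's own code or anything from the thread): a parser over constructed log lines that follow the general shape of fwtk proxy logging, a syslog prefix, program[pid], then a permit/deny/exit keyword and key=value fields such as host=name/ip. The sample lines, hostnames and addresses are made up for this example; the field names are assumptions rather than a statement of the toolkit's exact format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from any real system). They follow the general
# shape of fwtk proxy logging: syslog prefix, program[pid], then either
# "<permit|deny|exit> host=<name>/<ip> ..." or smap's "host=... bytes=..." fields.
SAMPLE_LOG = """\
Mar 13 15:30:19 gw tn-gw[2719]: permit host=pc1.example.com/192.0.2.10 use of gateway
Mar 13 15:30:40 gw tn-gw[2719]: deny host=unknown/203.0.113.7 use of gateway
Mar 13 15:30:41 gw tn-gw[2719]: deny host=unknown/203.0.113.7 use of gateway
Mar 13 15:30:43 gw ftp-gw[2731]: deny host=unknown/203.0.113.7 use of gateway
Mar 13 15:31:02 gw ftp-gw[2731]: permit host=pc1.example.com/192.0.2.10 use of gateway
Mar 13 15:31:45 gw tn-gw[2719]: exit host=pc1.example.com/192.0.2.10 dest=server.example.com in=540 out=1210 duration=43
Mar 13 15:32:00 gw smap[2744]: host=mail.example.net/198.51.100.3 bytes=1822 from=<alice@example.net> to=<bob@example.com>
Mar 13 15:32:09 gw sendmail[2750]: NOQUEUE: not a proxy record, the parser skips it
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")
ACTIONS = ("permit", "deny", "exit")


def parse_line(line):
    """Turn one syslog line into a dict, or None if it is not a gateway record."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    msg = rec.pop("msg")
    fields = dict(KV_RE.findall(msg))
    if "host" not in fields:          # every proxy record we handle names a peer host
        return None
    first = msg.split(" ", 1)[0]
    rec["action"] = first if first in ACTIONS else None
    name, sep, ip = fields["host"].partition("/")   # "name/ip" or just "name"
    rec["src_name"] = name
    rec["src_ip"] = ip if sep else None
    rec["fields"] = fields
    return rec


def summarise(lines, deny_threshold=3):
    """Count permit/deny/exit per gateway program, denies per source IP, bytes
    moved per source IP, and list IPs denied at least deny_threshold times."""
    by_gateway = Counter()
    denies_by_ip = Counter()
    bytes_by_ip = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"]:
            by_gateway[(rec["prog"], rec["action"])] += 1
        if rec["action"] == "deny" and rec["src_ip"]:
            denies_by_ip[rec["src_ip"]] += 1
        if rec["action"] == "exit":
            f = rec["fields"]
            bytes_by_ip[rec["src_ip"]] += int(f.get("in", 0)) + int(f.get("out", 0))
    repeat_denied = sorted(ip for ip, n in denies_by_ip.items() if n >= deny_threshold)
    return {
        "by_gateway": dict(by_gateway),
        "denies_by_ip": dict(denies_by_ip),
        "bytes_by_ip": dict(bytes_by_ip),
        "repeat_denied": repeat_denied,
    }


def report(text=SAMPLE_LOG, deny_threshold=3):
    """Summarise a whole log; defaults to the constructed sample above."""
    return summarise(text.splitlines(), deny_threshold)


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    s = report(src)
    for (prog, action), n in sorted(s["by_gateway"].items()):
        print(f"{prog:8s} {action:7s} {n}")
    for ip in s["repeat_denied"]:
        print(f"repeatedly denied: {ip} ({s['denies_by_ip'][ip]} times)")
```

Run it with a syslog file as the only argument, or with no argument to see it work on the sample. The deny-per-source count is the part worth keeping an eye on day to day: a source that is refused by several gateways in quick succession is exactly the kind of entry the plain syslog file buries among the permits.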
From firewalls-owner Mon Mar 13 18:20:35 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA18062 for firewalls-outgoing; Mon, 13 Mar 1995 18:04:46 -0800
Received: from athena.aegean.ariadne-t.gr (athena.aegean.ariadne-t.gr [143.233.91.9]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA18055 for ; Mon, 13 Mar 1995 18:04:34 -0800
Received: from sprawl.fc.net (sprawl.fc.net [198.6.198.6]) by athena.aegean.ariadne-t.gr (8.6.9/8.6.9) with ESMTP id EAA08396 for ; Tue, 14 Mar 1995 04:02:30 +0200
Received: from freeside.fc.net (freeside.fc.net [198.6.198.2]) by sprawl.fc.net (8.6.10/8.6.10) with ESMTP id WAA02787 for ; Sun, 12 Mar 1995 22:48:07 -0600
Received: (from majordom@localhost) by freeside.fc.net (8.6.8.1/8.6.6) id WAA23635 for bugtraq-outgoing; Sun, 12 Mar 1995 22:50:47 -0600
Received: from tadpole.tadpole.com (tadpole.Tadpole.COM [160.104.1.1]) by freeside.fc.net (8.6.10/8.6.6) with ESMTP id WAA23621 for ; Sun, 12 Mar 1995 22:50:40 -0600
Received: from chiba (chiba.Tadpole.COM [160.104.1.6]) by tadpole.tadpole.com (8.6.10/8.6.10) with SMTP id WAA13302; Sun, 12 Mar 1995 22:49:16 -0600
From: Jim Thompson
Received: by chiba (5.x/SPARCbook_POP1.3) id AA01154; Sun, 12 Mar 1995 22:49:16 -0600
Date: Sun, 12 Mar 1995 22:49:16 -0600
Message-Id: <9503130449.AA01154@chiba>
To: harker@harker.com
Subject: Re: bug-testing identd NOT available here
Cc: bugtraq@fc.net, firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> An example of how this might be applied is that if I see a person bleeding
> to death and walk on by, I can not be held liable or negligent if the person
> dies. But if I stop and provide aid, but do not apply everything I learned
> about first aid 20 years ago, and the person dies, then the victim's family
> can sue me for negligence in the victim's death. They may not win in court,
> but the court would find that the suit has merit and would proceed with it.

Many states, (all 50, I think), have what is termed a 'Good Samaritan' law, whereby one can't be sued for negligence for this type of scenario. If you're a doctor, EMT, etc, you don't fall under the law. Because of your training, you will be held to a higher standard. A "Good Samaritan" who elects to perform on-site brain-surgery without the training needed can still be sued though.

I'm not a lawyer either. (Though I live with two 3rd-year law students, which is a legal education unto itself), but I used to be an EMT.

Given the state of the legal system when applied to 'cyberspace' (for lack of a better word), there is good reason to be afraid anyway.

Jim

From firewalls-owner Mon Mar 13 18:50:23 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA18368 for firewalls-outgoing; Mon, 13 Mar 1995 18:35:15 -0800
Received: from random6.randomc.com (random6.randomc.com [166.78.32.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA18363 for ; Mon, 13 Mar 1995 18:35:11 -0800
From: markkus@randomc.com
Received: from ([166.78.32.253]) by random6.randomc.com (8.6.9/8.6.9) with ESMTP id VAA01711 for ; Mon, 13 Mar 1995 21:32:54 -0500
Message-Id: <199503140232.VAA01711@random6.randomc.com>
Date: Mon, 13 Mar 1995 21:32:15 EST
Reply-To: markkus@randomc.com
Subject: PC - SLIP Firewall
To: firewalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7Bit
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have had some technical difficulties. If you have responded to my original message about the firewalls in PCs (SLIP/PPP) and you have received the message that told "Returned Mail ; Loca....", please, respond again. I appreciate it very much.

Thank you.

Mark

From firewalls-owner Mon Mar 13 20:56:50 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA19856 for firewalls-outgoing; Mon, 13 Mar 1995 20:23:06 -0800
Received: from ios.com (styx.ios.com [198.4.75.44]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id UAA19851 for ; Mon, 13 Mar 1995 20:23:03 -0800
Received: from @ios.com (blumg@ios.com [198.4.75.44]) by ios.com (8.6.9/8.6.9) with SMTP id XAA08574; Mon, 13 Mar 1995 23:20:40 -0500
Date: Mon, 13 Mar 1995 23:20:40 -0500
Message-Id: <199503140420.XAA08574@ios.com>
X-Sender: blumg@ios.com (Unverified)
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: blumg@ios.com (Gary A. Blum)
Subject: Router Settings
Cc: csiegel@interserv.com, siegelc@cbc.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We're considering a firewall design that combines a screening router with a dual-homed bastion host running application-level gateways. We recognize the need to configure the router to reject spurious messages e.g., spoofing attempts (ala Cert).

My question is as follows... Is it still necessary (or advisable) to also configure the router to reject messages that are directed to potentially dangerous ports, even though no proxies corresponding to those ports exist on the bastion? For example, if tftp is not running on the host, is it still necessary to block UDP Port 69 on the Screening Router?

Thanks.

Regards,
Gary

From firewalls-owner Mon Mar 13 23:20:24 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA22684 for firewalls-outgoing; Mon, 13 Mar 1995 23:15:44 -0800
Received: from shadow.dbapic.com.au (shadow.dbapic.com.au [203.2.220.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id XAA22679 for ; Mon, 13 Mar 1995 23:15:37 -0800
Received: from eyrie.dbapic.com.au by shadow.dbapic.com.au (AIX 3.2/UCB 5.64/4.03) id AA13922; Tue, 14 Mar 1995 18:13:25 +1000
Date: Tue, 14 Mar 1995 18:13:25 +1000
Message-Id: <9503140813.AA13922@shadow.dbapic.com.au>
X-Sender: bwa@mailhost
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: bwa@shadow.dbapic.com.au (Barry Anderson)
Subject: UDP, security and asbestos
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

OK, my comments about UDP were obviously way off base, however I would like to point out that I learnt far more from this one (and I suspect a lot of other lurkers did too) by having an admittedly suspect hypothesis pounded than by not even thinking about the situation.

cheers,

[ASCII-art signature: "Barry"]
Systems Programmer
Technical Support Group
Asia-Pacific Information Centre
Dun & Bradstreet Information Services

From firewalls-owner Tue Mar 14 04:20:24 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA26704 for firewalls-outgoing; Tue, 14 Mar 1995 04:17:13 -0800
Received: from btcgate.btc.uwe.ac.uk (btcgate.btc.uwe.ac.uk [164.11.100.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id EAA26699 for ; Tue, 14 Mar 1995 04:16:36 -0800
Received: by btcgate.btc.uwe.ac.uk (4.1/SMI-4.1) id AA25407; Tue, 14 Mar 95 12:22:25 GMT
Received: from unknown(164.11.0.3) by sparky via smap (V1.3mjr) id sma025405; Tue Mar 14 12:22:09 1995
Received: from quicken.uwe.ac.uk (max) by btc.uwe.ac.uk (4.1/SMI-4.1-BTC-06) for andy@hal/firewalls@greatcircle.com id AA25424; Tue, 14 Mar 95 12:12:55 GMT
Date: Tue, 14 Mar 95 12:12:55 GMT
From: andy@btc.uwe.ac.uk
Message-Id: <9503141212.AA25424@btc.uwe.ac.uk>
To: patrick@oes.amdahl.com
Subject: Re: Why UDP cannot be handled security ?
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > From: bwa@shadow.dbapic.com.au (Barry Anderson)
> >
> > No, you obviously don't understand. Allowing a temporary hole after seeing
> > an outbound UDP packet is a hack aka kludge (and potential vulnerability?)

patrick@amdahl.com replied
>
> Why would you say that? Obviously if you're going to be making the comment,
> you have a reason for it. Please share your reasoning with us:)
>

As I understand it the protocol demands that UDP packets directed to arbitrary ports be received by the host originating the UDP using service request. Now the filter can dynamically allow these packets in from IP addresses to which UDP requests have been recently sent. And there is the hole. If the secure host pings some.addr.some.net, for instance, then it is open to all UDP packets from that address for some period of time. There is no way to determine whether the packets received are replies to requests or are generated by a hacker.

The kludge is to leave the door open for a while, and hope that nothing bad can find the hole in the time slot. security by hopefulness don't work.

Andy Cowley

From firewalls-owner Tue Mar 14 07:50:48 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA29046 for firewalls-outgoing; Tue, 14 Mar 1995 07:39:13 -0800
Received: from digex.com (plc.com [204.91.186.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA29039 for ; Tue, 14 Mar 1995 07:39:09 -0800
From: sar@plc.com
Message-ID: <9503141032.AA23270@plc.com>
Date: Tue, 14 Mar 95 10:32 EST
Received: from plc by plc.com; Tue, 14 Mar 95 10:32 EST
To: "Grant M. Fengstad"
Cc: carson@cs.columbia.edu, firewalls@GreatCircle.COM
Subject: Re: TIS 1.3 on SVR4
Content-Type: text
Content-Length: 910
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>The short answer is: "don't use the TIS syslogd, it won't work"
>
>The long answer is:
>
>SVR4 uses a completely different syslog mechanism - read the man pages for
>more details. It is possible to replace it using the TIS syslogd, but you'd
>have to replace the client routines in libc, and then worry about statically
>linked binaries. It might be possible to use the TIS syslogd for udp
>traffic, and the OS syslogd for local stuff (perhaps setting LOGHOST to
>localhost to feed through both...) but I wouldn't recommend it.
>
>If you _really_ want the features of the TIS syslogd, you'll have to
>extensively modify the code to deal with the streams interface in SVR4. I
>didn't think it was worthwhile - I just use perl to parse my log files.

If you want details about converting syslogd to work in an SVR4 environment, I'd be happy to discuss what is necessary.

Steve Rago
sar@plc.com

From firewalls-owner Tue Mar 14 08:20:38 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA29184 for firewalls-outgoing; Tue, 14 Mar 1995 07:52:46 -0800
Received: from inet-gw-2.pa.dec.com (inet-gw-2.pa.dec.com [16.1.0.23]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA29179 for ; Tue, 14 Mar 1995 07:52:44 -0800
From: "venger::saunier"@venger.enet.dec.com
Received: from vbormc.vbo.dec.com by inet-gw-2.pa.dec.com (5.65/24Feb95) id AA02000; Tue, 14 Mar 95 07:46:32 -0800
Received: by vbormc.vbo.dec.com; id AA14737; Tue, 14 Mar 95 16:43:24 +0100
Message-Id: <9503141543.AA14737@vbormc.vbo.dec.com>
Received: from venger.enet; by vbormc.enet; Tue, 14 Mar 95 16:43:28 MET
Date: Tue, 14 Mar 95 16:43:28 MET
To: vbormc::"firewalls@greatcircle.com"@venger.enet.dec.com
Apparently-To: firewalls@greatcircle.com
Subject: Auto Reply from Watch_Mail for 14-MAR-1995 15:55 to 15-MAR-1995 00:00
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Replying File

From firewalls-owner Tue Mar 14 08:51:03 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA29839 for firewalls-outgoing; Tue, 14 Mar 1995 08:39:33 -0800
Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA29834 for ; Tue, 14 Mar 1995 08:39:30 -0800
Received: from smtpgate.gannett.com by relay1.UU.NET with SMTP id QQyhaw03815; Tue, 14 Mar 1995 11:36:46 -0500
Received: by smtpgate.gannett.com with Microsoft Mail id <2F65F041@smtpgate.gannett.com>; Tue, 14 Mar 95 11:36:33 PST
From: "Robertson, Paul"
To: adam@bwh.harvard.edu, George_D._Custodio@mail.asiandevbank.org, axel.skough@scb.se
Cc: firewalls@GreatCircle.COM
Subject: SV: Re: IBM's Firewall
Date: Tue, 14 Mar 95 11:34:00 PST
Message-ID: <2F65F041@smtpgate.gannett.com>
Encoding: 33 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>There are several areas that NetSP is lacking in. See the archives.
>>
>>Adam
>>
>>
>>| Is their any user of the IBM's firewall (NetSp Security Gateway)? In one
>>| of network security presentation, the speaker said that IBM's firewall
>>| implementation includes packet filtering, application proxy, DNS, and
>>| socks. Is this true? Is it available now? Does it works?

>We are currently considering the IBM NetSP SNG for the RS6000 and it would
>be very valuable to know exactly in what areas this product is lacking in.
>What archives is referenced here? I would be grateful for details either
>specifically or a reference list. It would help us in making out proper
>decisions.
>TIA!!!!
>Best regards,
>Axel Skough
>Statistics Sweden

I only saw two problems during my evaluation (other than making sure AIX was configured properly, and that you filtered out the default TCP/UDP services).

1. It relies on the AIX Sendmail daemon, I would run my mail elsewhere on a different box.

2. You can't filter out 127.0.0.1, so you must do this at the screening router.

Paul.

From firewalls-owner Tue Mar 14 09:20:45 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA00275 for firewalls-outgoing; Tue, 14 Mar 1995 09:03:48 -0800
Received: from research.att.com (research.att.com [192.20.225.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA00264 for ; Tue, 14 Mar 1995 09:03:44 -0800
From: smb@research.att.com
Message-Id: <199503141703.JAA00264@miles.greatcircle.com>
Received: by gryphon; Tue Mar 14 11:50:51 EST 1995
To: firewalls@greatcircle.com
Subject: Re: chroot httpd
Date: Tue, 14 Mar 95 11:50:51 EST
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Yesterday, I posted something about using /dev/fd/N to pass stuff to chroot'ed daemons. Upon further thought, that's probably a bad idea, since it probably means that you're passing the open file descriptors to the exposed environment.
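Two messages in this section touch the same hardening problem: the Fred Blonder / Michael Richardson exchange further up on chroot() without chdir(), and smb's note just above that handing /dev/fd/N to a chroot'ed daemon passes open descriptors into the exposed environment. As an added example (my code, not from the thread or from any httpd), here is the jail-entry sequence a defender would want, in Python: chdir() before and after chroot() so the working directory really is the new root, drop root for good, and close every descriptor that was not deliberately kept. The jail path and user name on the command line are placeholders; enter_jail() needs root and is only called from the main guard, while open_descriptors() and leaked_descriptors() run unprivileged.

```python
import os
import pwd
import sys

STD_FDS = frozenset((0, 1, 2))


def open_descriptors(limit=1024):
    """Descriptors 0..limit-1 that are currently open in this process.
    Probes each one with fstat() and closes nothing."""
    fds = set()
    for fd in range(limit):
        try:
            os.fstat(fd)
        except OSError:
            continue
        fds.add(fd)
    return fds


def leaked_descriptors(keep=STD_FDS, limit=1024):
    """Open descriptors beyond the ones we intend the jailed program to inherit.
    Anything listed here would be reachable as /dev/fd/N from inside the jail."""
    return open_descriptors(limit) - set(keep)


def demo_leak_detection():
    """Open a pipe, confirm both ends show up as leaks, close them, confirm they
    are gone. Returns (leaks_before, leaks_after) counted over those two fds."""
    r, w = os.pipe()
    before = leaked_descriptors() & {r, w}
    os.close(r)
    os.close(w)
    after = leaked_descriptors() & {r, w}
    return len(before), len(after)


def enter_jail(root, user, keep=STD_FDS):
    """Confine the current process: chdir into the jail, chroot, chdir again so
    the cwd is the new root (no relative-path escape), drop root, close every
    descriptor not in `keep`, then verify each step. Must be called as root."""
    pw = pwd.getpwnam(user)
    os.chdir(root)                  # cwd inside the jail *before* chroot ...
    os.chroot(root)
    os.chdir("/")                   # ... and again after, relative to the new root
    os.initgroups(user, pw.pw_gid)  # supplementary groups of the unprivileged user
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    for fd in leaked_descriptors(keep):
        os.close(fd)
    # Verification: cwd is the new root, root cannot be regained, nothing leaked.
    if os.getcwd() != "/":
        raise RuntimeError("cwd is not the jail root")
    try:
        os.setuid(0)
    except PermissionError:
        pass
    else:
        raise RuntimeError("process could regain root")
    if leaked_descriptors(keep):
        raise RuntimeError("descriptors leaked into the jail")


if __name__ == "__main__":
    # Placeholder jail root and user, e.g. (as root): jail.py /var/jail/httpd nobody
    if os.geteuid() != 0 or len(sys.argv) != 3:
        print("usage (as root): jail.py <jail-root> <unprivileged-user>")
        print("descriptors that would leak right now:", sorted(leaked_descriptors()))
    else:
        enter_jail(sys.argv[1], sys.argv[2])
        print("jailed; cwd =", os.getcwd(), "uid =", os.getuid())
```

The order matters: privileges are dropped after chroot() (chroot itself needs them), the descriptor sweep runs last so nothing opened during setup survives, and each step is checked rather than assumed, since a jail that silently failed to chdir() is exactly the case Fred describes.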
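Andy Cowley's message further up (Re: Why UDP cannot be handled security ?) describes the hole in a dynamic UDP filter: once an inside host has sent a UDP datagram, inbound UDP from that address is admitted for a while, and the filter cannot tell a reply from anything else. The following added example (mine, not from the thread) simulates that filter on constructed traffic and contrasts the address-only keying Andy describes with keying on the full address/port tuple plus a short idle timeout. The tuple keying and the 30 second window are assumptions about how a stricter filter would be built, not something the thread specifies; the addresses are documentation ranges.

```python
from collections import namedtuple

# A constructed UDP datagram: t = seconds since start, direction "out" (inside
# host to the Internet) or "in" (Internet to inside host).
Pkt = namedtuple("Pkt", "t direction src sport dst dport")


def key_addr_only(p):
    """Hole keyed on the remote address alone (the scheme Andy describes)."""
    return (p.dst,) if p.direction == "out" else (p.src,)


def key_full_tuple(p):
    """Hole keyed on both endpoints, address and port, so a reply must come
    from the queried port back to the querying port. (Assumed stricter design.)"""
    if p.direction == "out":
        return (p.src, p.sport, p.dst, p.dport)
    return (p.dst, p.dport, p.src, p.sport)


class UdpStateFilter:
    """Dynamic filter: an outbound datagram opens a hole under key_fn(p) that
    lives `timeout` seconds; inbound datagrams are admitted only through an
    unexpired hole. Outbound traffic is always permitted in this model."""

    def __init__(self, key_fn, timeout):
        self.key_fn = key_fn
        self.timeout = timeout
        self.holes = {}  # key -> expiry time

    def handle(self, p):
        # Expire stale holes first, so a late datagram cannot use one.
        self.holes = {k: exp for k, exp in self.holes.items() if exp > p.t}
        key = self.key_fn(p)
        if p.direction == "out":
            self.holes[key] = p.t + self.timeout
            return "permit"
        return "permit" if key in self.holes else "deny"


INSIDE, RESOLVER, STRANGER = "192.0.2.10", "198.51.100.53", "203.0.113.5"

# Constructed traffic: a DNS query and its reply; an unrelated datagram from the
# resolver host on other ports; a datagram from an unrelated host; and a
# "reply" arriving after the hole should have closed.
TRAFFIC = [
    Pkt(0.0, "out", INSIDE, 40000, RESOLVER, 53),
    Pkt(0.2, "in", RESOLVER, 53, INSIDE, 40000),
    Pkt(1.0, "in", RESOLVER, 5000, INSIDE, 6000),
    Pkt(1.5, "in", STRANGER, 53, INSIDE, 40000),
    Pkt(40.0, "in", RESOLVER, 53, INSIDE, 40000),
]


def run(key_fn, packets=TRAFFIC, timeout=30.0):
    """Verdict for each packet, in order, under the given keying."""
    f = UdpStateFilter(key_fn, timeout)
    return [f.handle(p) for p in packets]


def compare(packets=TRAFFIC, timeout=30.0):
    """Both keyings side by side on the same traffic."""
    return {"addr_only": run(key_addr_only, packets, timeout),
            "full_tuple": run(key_full_tuple, packets, timeout)}


if __name__ == "__main__":
    verdicts = compare()
    for i, p in enumerate(TRAFFIC):
        print(f"t={p.t:5.1f} {p.direction:3s} {p.src}:{p.sport} -> {p.dst}:{p.dport}"
              f"  addr_only={verdicts['addr_only'][i]:6s} full_tuple={verdicts['full_tuple'][i]}")
```

The third packet is the one Andy is talking about: under address-only keying the resolver host can reach any port on the inside host until the hole expires, while tuple keying rejects it. Tuple keying narrows the hole rather than closing it: within the window it still admits any datagram that carries the expected source address and port, which is his point that the filter has no way to verify a reply. The timeout only bounds how long that exposure lasts.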
From firewalls-owner Tue Mar 14 09:53:12 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA00763 for firewalls-outgoing; Tue, 14 Mar 1995 09:47:51 -0800 Received: from netnet1.netnet.net (netnet1.netnet.net [198.70.64.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA00758 for ; Tue, 14 Mar 1995 09:47:48 -0800 Received: (from mouring@localhost) by netnet1.netnet.net (8.6.9/8.6.9) id LAA26320; Tue, 14 Mar 1995 11:45:32 -0600 Date: Tue, 14 Mar 1995 11:45:32 -0600 (CST) From: Ben A Lindstrom Subject: Re: just wondering.... To: Ken Weaverling cc: firewalls@GreatCircle.COM In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sat, 11 Mar 1995, Ken Weaverling wrote: > On Fri, 10 Mar 1995, Ben A Lindstrom wrote: > > > Could it be that most colleges/Universities have stoped (have not started?) > > to teach about networking to the CS majors? This is my 3rd year in college > > and basicly I have nothing besides information from the networks and ONE > > little Linux box to try out ideas and learn. > [Delete Experience that I would LOVE to have had, but I've learn from Trial and error from my home Linux box/Slip and a public workstation] > So, it's a great idea, but often impractical. It's impractical if your setting up the network to be on Internet. What I was thinking. It would be nice to take 6 machines (386dx+) and have the students network them together with Linux OS. And then setup the configuration in such away that you can have two "workstations" in each domain and use the remaining two like routers. That way you can teach about firewalls, but be protected from the real world to try theories on. Yes, it's impractical still, but it would be a better step. Maybe it's take to split the CS field again. 
Have Information Systems and Computer Science, then take a hybrid of the two to make a Management Computer Systems that would deal with networking, security risks, etc.

From firewalls-owner Tue Mar 14 09:53:44 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA00395 for firewalls-outgoing; Tue, 14 Mar 1995 09:16:38 -0800 Received: from bwh.harvard.edu (bwh.harvard.edu [134.174.81.34]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA00389 for ; Tue, 14 Mar 1995 09:16:35 -0800 Received: from spl.bwh.harvard.edu (spl.bwh.harvard.edu [134.174.81.53]) by bwh.harvard.edu (8.6.9/8.6.9) with ESMTP id MAA11289; Tue, 14 Mar 1995 12:14:09 -0500 From: Adam Shostack X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School Received: (adam@localhost) by spl.bwh.harvard.edu (8.6.9/8.6.4) id MAA06965; Tue, 14 Mar 1995 12:12:02 -0500 Message-Id: <199503141712.MAA06965@spl.bwh.harvard.edu> Subject: Re: SV: Re: IBM's Firewall To: proberts@moc1.gannett.com (Robertson, Paul) Date: Tue, 14 Mar 1995 12:12:02 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: <2F65F041@smtpgate.gannett.com> from "Robertson, Paul" at Mar 14, 95 11:34:00 am X-PGP: 876BD629 Fingerprint: 70 93 32 D6 36 D4 04 10 40 EC AB 28 A4 1D 0F E2 X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1073 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

| I only saw two problems during my evaluation (other than making sure AIX was | configured properly, and that you filtered out the default TCP/UDP services. | | 1. It relies on the AIX Sendmail daemon, I would run my mail elsewhere on a | different box. | | 2. You can't filter out 127.0.0.1, so you must do this at the screening | router.

(This is based on a review of the manual, not the actual code.) It's a SMIT-installable image.
There's very little said about cutting down AIX bloat & suid's. The manual does mention cutting what's in inetd.conf. However, I think AIX is way too big to be trusted. Nothing like tripwire seems to be included. AIX does have an audit facility, but making it use a real hash algorithm is quite tricky. The manual didn't cover testing enough. It seemed to say, install this and you're all set. That might be fine for some people on this list, but not for most people who think they're paying IBM for everything they need.

Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Tue Mar 14 10:34:24 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA00473 for firewalls-outgoing; Tue, 14 Mar 1995 09:27:17 -0800 Received: from ns.incog.com (ns.incog.com [199.190.177.251]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA00468 for ; Tue, 14 Mar 1995 09:27:14 -0800 From: mulligan@incog.com Received: from osmosys.incog.com by ns.incog.com (8.6.10/94082501) id JAA25855; Tue, 14 Mar 1995 09:25:32 -0800 Received: from coslabs.incog.com by osmosys.incog.com (5.x/SMI-SVR4) id AA04678; Tue, 14 Mar 1995 09:25:19 -0800 Received: from future.incog.com by coslabs.incog.com (5.x/SMI-SVR4) id AA01952; Tue, 14 Mar 1995 10:23:21 -0700 Received: from localhost by future.incog.com (5.x/SMI-SVR4) id AA02458; Tue, 14 Mar 1995 10:19:36 -0700 Message-Id: <9503141719.AA02458@future.incog.com> To: andy@btc.uwe.ac.uk Cc: patrick@oes.amdahl.com, firewalls@greatcircle.com Subject: Re: Why UDP cannot be handled security ? Reply-To: mulligan@incog.com In-Reply-To: Your message of "Tue, 14 Mar 95 12:12:55 GMT." <9503141212.AA25424@btc.uwe.ac.uk> Date: Tue, 14 Mar 95 10:19:36 MST Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Andy wrote: > As I understand it the protocol demands that UDP packets directed to > arbitrary ports be received by the host originating the UDP using > service request.
This is not how UDP works. When a host sends a UDP packet it has a source and destination port, just like TCP. The response packet is sent to the original source port, not to any arbitrary port. > Now the filter can dynamically allow these packets in from IP > addresses to which UDP requests have been recently sent. And only to the originating host and original source port. > And there is the hole. There is a hole, but not the one you are describing. > If the secure host pings some.addr.some.net, for instance, > then it is open to all UDP packets from that address for some period > of time. First of all pings are not UDP! They are ICMP messages. Second, only UDP packets FROM some.addr.some.net and the original destination port TO the requesting host and the original source port. > There is no way to determine whether the packets received are > replies to requests or are generated by a hacker. And this is the hole, but those packets must be destined for the original requesting host and the original source port. Not just any spoofed UDP packet to any arbitrary internal host and port will be allowed. There are means to make even this more secure. 
geoff

From firewalls-owner Tue Mar 14 11:03:20 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA01311 for firewalls-outgoing; Tue, 14 Mar 1995 10:18:37 -0800 Received: from YMV5.YMP.GOV (ymv5.ymp.gov [192.12.95.55]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA01306 for ; Tue, 14 Mar 1995 10:18:34 -0800 From: AK_Shyu@NOTES.YMP.GOV Received: from ccmail.ymppo.ymp.gov by YMV5.YMP.GOV (PMDF V4.3-13 #6398) id <01HO4F8IGEV496W9DZ@YMV5.YMP.GOV>; Tue, 14 Mar 1995 10:15:42 -0800 (PST) Date: Tue, 14 Mar 1995 09:59 -0800 (PST) Subject: subscribe To: firewalls@greatcircle.com Message-id: <01HO4F8MP4JY96W9DZ@YMV5.YMP.GOV> MIME-version: 1.0 Content-type: TEXT/PLAIN Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

ak_shyu@notes.ymp.gov

From firewalls-owner Tue Mar 14 13:13:56 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA00421 for firewalls-outgoing; Tue, 14 Mar 1995 11:49:14 -0800 Received: from wc11.wl.aecl.ca (wc11.wl.aecl.ca [132.225.64.31]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA00416 for ; Tue, 14 Mar 1995 11:49:08 -0800 Received: from wu1.wl.aecl.ca by wl.aecl.ca (PMDF V4.2-14 #3601) id <01HO4MMK04LC9OD0CL@wl.aecl.ca>; Tue, 14 Mar 1995 13:46:58 CDT Received: by wu1.wl.aecl.ca (5.65/1.1.3.6 (2-Jun-93)) id AA16434; Tue, 14 Mar 1995 13:46:22 -0600 Date: Tue, 14 Mar 1995 13:46:21 -0600 (CST) From: system PRIVILEGED account Subject: Lotus Notes Encryption Methods In-reply-to: To: fw Reply-to: system PRIVILEGED account Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; CHARSET=US-ASCII Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I have been looking at the methods used by Lotus Notes to do encryption on its mail transfers. It seems to use RC4 (Rivest Cipher) for domestic communications and RC2 for international communications.
In the tech notes that I have, it would seem that RC2 uses a 128bit key and RC4 uses a 256bit key. Both these keys seem rather small in comparison to something like PGP's 1028bit key. Is this a valid concern/criticism?

Erik

Erik Lindquist, Systems Administrator, AECL Whiteshell Laboratories. VOICE: (204) 753-2311x3145 FAX: (204) 753-2455 E-mail: lindquie@wu1.wl.aecl.ca

From firewalls-owner Tue Mar 14 15:05:25 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA01579 for firewalls-outgoing; Tue, 14 Mar 1995 10:30:39 -0800 Received: from worldcom.com (worldcom.com [198.64.193.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA01573 for ; Tue, 14 Mar 1995 10:30:37 -0800 Received: from worldcom-18.worldcom.com (worldcom-18.worldcom.com [198.64.193.9]) by worldcom.com (8.6.9/8.6.9) with SMTP id MAA01385 for ; Tue, 14 Mar 1995 12:07:06 -0600 Received: by worldcom-18.worldcom.com (IBM OS/2 SENDMAIL VERSION 1.3.13/3.3) id AA0587; Tue, 14 Mar 95 12:03:33 -0800 Message-Id: <9503142003.AA0587@worldcom-18.worldcom.com> Received: from worldcom with "Lotus Notes Mail Gateway for SMTP" id 38A7BDAA18E01C138625617F00632909; Tue, 14 Mar 95 12:03:32 To: firewalls From: Kenneth Smith Date: 14 Mar 95 9:14:36 EDT Subject: Re: Why can't UDP be handled securely ? Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Andy Cowley wrote: >As I understand it the protocol demands that UDP packets directed to arbitrary >ports be received by the host originating the UDP using service request. >Now the filter can dynamically allow these packets in from IP addresses >to which UDP requests have been recently sent. And there is the hole.
>If the secure host pings some.addr.some.net, for instance, then it is >open to all UDP packets from that address for some period of time. There is >no way to determine whether the packets received are replies to requests or are >generated by a hacker. >The kludge is to leave the door open for a while, and hope that nothing >bad can find the hole in the time slot. >security by hopefulness don't work. >Andy Cowley

So what's the alternative? Cut out all UDP packets altogether? It seems to me that while the solution recommended above is not without theoretical holes, if you have to allow UDP packets through it's certainly better than letting *any* UDP packet back. Sure, it's not 100% secure -- but what is? It's a starting assumption of mine that you can never make any site absolutely secure: you can only make it more difficult to break into than it's worth. And it seems that "virtualized UDP connections" is a significant step towards making it that much more difficult to break in.

From firewalls-owner Tue Mar 14 15:36:00 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA01122 for firewalls-outgoing; Tue, 14 Mar 1995 12:28:55 -0800 Received: from cybernetics.net (server0.cybernetics.net [198.80.48.52]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA01116 for ; Tue, 14 Mar 1995 12:28:53 -0800 Received: by cybernetics.net (4.1/SMI-4.1) id AA00812; Tue, 14 Mar 95 15:26:29 EST Date: Tue, 14 Mar 95 15:26:29 EST From: ftoth@cybernetics.net (Fred Toth) Message-Id: <9503142026.AA00812@cybernetics.net> To: firewalls@greatcircle.com Subject: firewall vendors Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I have a question that is on the FAQ, but without an answer! Namely: 7: What are some commercial products or consultants who sell/service firewalls? Since the FAQ side-stepped this one, I'm asking the group.
Other than capabilities that come along with a good router, what kind of products are available as turn-key gateways? How quickly can one be acquired and setup, and for what kind of money? If there are firewall sales types reading this, feel free to call. Many thanks, Fred Toth, 704-573-2133 ftoth@cybernetics.net From firewalls-owner Tue Mar 14 16:50:58 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA02136 for firewalls-outgoing; Tue, 14 Mar 1995 10:53:31 -0800 Received: from gateway.sequent.com (gateway.sequent.com [138.95.18.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA02131 for ; Tue, 14 Mar 1995 10:53:27 -0800 Received: from [138.95.14.34] by gateway.sequent.com (5.61/1.34) id AA10372; Tue, 14 Mar 95 10:51:10 -0800 Received: from ushqgw0a.sequent.com by relay1.sequent.com (5.65/crg/11) id AA17462; Tue, 14 Mar 95 10:37:00 -0800 Received: by ushqgw.sequent.com with Microsoft Mail id <2F65E5C4@ushqgw.sequent.com>; Tue, 14 Mar 95 10:51:48 PST From: "Ned Smith (nedbob)" To: "'Firewalls Alias(firewalls@greatcircle.com)'" Subject: RE: Router Settings Date: Tue, 14 Mar 95 10:50:00 PST Message-Id: <2F65E5C4@ushqgw.sequent.com> Encoding: 53 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I don't think there is a right answer to this. Sorta depends on what is important to you. If you trust your app-gw to do the interface integrity checks on packet source addresses then you don't need to do it in two places. If the router is dropping the would-be spoof packets then you shouldn't get any such packets at the bastion. One benefit of filtering at the bastion is the logging mechanisms are probably better there. If you are paranoid then you could reason that if the router was filtering spoof packets and the bastion recognized spoofed packets then this would be cause for alarm (pun intended). 
The paranoid case patterns the fundamental principle of firewalling; that being if a fire burns through one barrier there is yet another barrier it must burn through. More barriers translates into more time to put the fire out before any serious damage is done. But you have to know there is a fire burning before you can put it out! You have to weigh the cost of maintenance of multiple barriers (routers, bastions etc...) against the perceived improvement in protection. I say *perceived* because there is no formal model (to my knowledge) mathematical or otherwise that can quantify protection in this environment. This is where a security policy is helpful. It gives you a clue as to what data is important and tries to quantify how important it is. Hope this is helpful.

Regards, Ned Smith nedbob@sequent.com

-------------------------------------------------------------------- |We're considering a firewall design that combines a screening router with a |dual-homed bastion host running application-level gateways. We recognize the |need to configure the router to reject spurious messages e.g., spoofing |attempts (ala Cert). | |My question is as follows... Is it still necessary (or advisable) to also |configure the router to reject messages that are directed to potentially |dangerous ports, even though no proxies corresponding to those ports exist |on the bastion? For example, if tftp is not running on the host, is it still |necessary to block UDP Port 69 on the Screening Router? Thanks.
| |Regards, | | Gary | | | From firewalls-owner Tue Mar 14 16:54:38 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA01849 for firewalls-outgoing; Tue, 14 Mar 1995 12:54:38 -0800 Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA01844 for ; Tue, 14 Mar 1995 12:54:27 -0800 Received: from smtpgate.gannett.com by relay1.UU.NET with SMTP id QQyhbn25309; Tue, 14 Mar 1995 15:48:28 -0500 Received: by smtpgate.gannett.com with Microsoft Mail id <2F662A87@smtpgate.gannett.com>; Tue, 14 Mar 95 15:45:11 PST From: "Robertson, Paul" To: adam@bwh.harvard.edu Cc: firewalls@greatcircle.com Subject: Re: SV: Re: IBM's Firewall Date: Tue, 14 Mar 95 15:32:00 PST Message-ID: <2F662A87@smtpgate.gannett.com> Encoding: 53 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >| I only saw two problems during my evaluation (other than making sure AIX was >| configured properly, and that you filtered out the default TCP/UDP services. | >| 1. It relys on the AIX Sendmail daemon, I would run my mail elsewhere on a >| different box. >| >| 2. You can't filter out 127.0.0.1, so you must do this at the screening >| router. > (This is based on a review of the manual, not the actual code.) > Its a SMIT installable image. Theres very little said >about cutting down AIX bloat & suid's. The manual does mention >cutting whats in inetd.conf. However, I think AIX is way too big to >be trusted. They haven't cut AIX's bloat at all, though a lot of that depends on how you install AIX. I don't see a problem with it being SMIT installable. I think they did a good job of cutting off the access points, while I do agree that in a perfect world the OS would have been trimmed as well. I also think the manual should have been much larger, and discussed what inetd.conf and rc.tcpip should NOT contain, and how the default AIX installation differs. 
> Nothing like tripwire seems to be included. AIX does have an >audit facility, but making it use a real hash algorithm is quite >tricky.

All I looked at was dropping the syslog stuff to disk, and awking and greping through it.

> The manual didn't cover testing enough. It seemed to say, >install this and you're all set. That might be fine for some people >on this list, but not for most people who think they're paying IBM for >everything they need.

The test scripts in the appendix aren't bad. I agree that it isn't a turnkey system however. We also had one of the developers in to discuss it, which was very helpful in setting it up. I'm not sure that this isn't true of the other major vendors' stuff that I've looked at as well though.

>Adam

Paul.

>-- >"It is seldom that liberty of any kind is lost all at once." > -Hume

From firewalls-owner Tue Mar 14 16:56:01 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA03210 for firewalls-outgoing; Tue, 14 Mar 1995 13:59:44 -0800 Received: from uu7.psi.com (uu7.psi.com [38.145.204.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA03205 for ; Tue, 14 Mar 1995 13:59:41 -0800 Received: from cspc13.unos.org by uu7.psi.com (8.6.9/SMI-4.1.3-PSI) id QAA22138; Tue, 14 Mar 1995 16:49:47 -0500 Date: Tue, 14 Mar 95 16:48:45 EST From: "Kurt S. Plowman" Subject: Ethermon PC Software To: firewalls@GreatCircle.Com X-Mailer: Chameleon - TCP/IP for Windows by NetManage, Inc. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I've misplaced the ftp sites for the Ethermon PC software. Could someone please drop me a note where to find this. Thanks in advance.
From firewalls-owner Tue Mar 14 17:04:05 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA03957 for firewalls-outgoing; Tue, 14 Mar 1995 15:00:50 -0800 Received: from access.mbnet.mb.ca (access.mbnet.mb.ca [130.179.16.143]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA03952 for ; Tue, 14 Mar 1995 15:00:46 -0800 Received: from gwl.ca by access.mbnet.mb.ca with UUCP id AA21292 (5.67b/IDA-1.4.4 for greatcircle.com!firewalls); Tue, 14 Mar 1995 16:57:12 -0600 Message-Id: <199503142257.AA21292@access.mbnet.mb.ca> Received: by bmw.gwl.ca (1.37.109.15/16.2) id AA028411734; Tue, 14 Mar 1995 16:55:34 -0600 From: Nick VanderZweep Subject: Financial Institutions connecting to the Internet To: firewalls@greatcircle.com Date: Tue, 14 Mar 95 16:55:34 CST Mailer: Elm [revision: 70.85] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I am looking for other financial institutions who have connected to the Internet. The reason being we (Great-West Life) are considering connecting to the Internet and we would like to get a feel for how many other institutions have connected and what experiences they have had. Any info appreciated.
-- Nick van der Zweep, Assistant Technical Support Manager, The Great-West Life Assurance Company, 60 Osborne Street North, Winnipeg, Manitoba, Canada R3C 3A5. Phone: (204) 946-7934 Fax: (204) 946-4567 Internet: nicv@gwl.ca X.400: C=CA;A=MARK400;P=GWL;OU=SSW;S=VANDERZWEEP;G=NICK

From firewalls-owner Tue Mar 14 17:33:41 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA04940 for firewalls-outgoing; Tue, 14 Mar 1995 16:14:13 -0800 Received: from grape.epix.net (grape.epix.net [199.224.64.22]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA04935 for ; Tue, 14 Mar 1995 16:14:10 -0800 Received: (msangrey@localhost) by grape.epix.net (8.6.10/950112.08ccg) id TAA07877 for firewalls@GreatCircle.COM; Tue, 14 Mar 1995 19:12:18 -0500 From: Mike Sangrey Message-Id: <199503150012.TAA07877@grape.epix.net> Subject: Re: Router Settings To: firewalls@GreatCircle.COM (Mike Sangrey) Date: Tue, 14 Mar 1995 19:12:17 -0500 (EST) In-Reply-To: <199503140420.XAA08574@ios.com> from "Gary A. Blum" at Mar 13, 95 11:20:40 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1222 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Gary A. Blum relates in a previous message: > ... > My question is as follows... Is it still necessary (or advisable) to also > configure the router to reject messages that are directed to potentially > dangerous ports, even though no proxies corresponding to those ports exist > on the bastion? For example, if tftp is not running on the host, is it still > necessary to block UDP Port 69 on the Screening Router? Thanks. >

In a paper from research.att.com (I think??), the authors suggest that one should consider logging such attempts and then handle it just as if the service is not provided.
That way the log may give more clues regarding breakin attempts. If I remember rightly, they tacitly encourage this method during the set up of a firewall, so that you can train yourself as to how crackers attempt a breakin. After a while, this method becomes less important. But by then, you can make a more intelligent decision. I apologize for not being able to remember the name of the paper(s). They (it) had something to do with ``buferd''. I also hope I have the information correct. Others, please step in if necessary.

-- "Gigabyte here, gigabyte there, pretty soon you're talking real memory."

From firewalls-owner Tue Mar 14 19:42:26 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA08003 for firewalls-outgoing; Tue, 14 Mar 1995 19:23:43 -0800 Received: from psyche.the-wire.com (psyche.the-wire.com [198.53.192.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id TAA07993 for ; Tue, 14 Mar 1995 19:23:39 -0800 Received: from anton.the-wire.com (anton.the-wire.com [198.53.192.186]) by psyche.the-wire.com (8.6.10/8.6.9) with SMTP id WAA22646 for ; Tue, 14 Mar 1995 22:20:08 -0500 Date: Tue, 14 Mar 1995 22:20:08 -0500 Message-Id: <199503150320.WAA22646@psyche.the-wire.com> X-Sender: anton@psyche.the-wire.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: anton@the-wire.com (Anton J Aylward) Subject: Re: Why UDP cannot be handled security ? X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Why doesn't someone just say "Finite State Machine"? There are other magic phrases as well, but that's a starting point.
Anton J Aylward Advanced Systems and Consulting Voice: (416) 494-8661 Fax: (416) 494-8803 From firewalls-owner Tue Mar 14 20:32:04 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA09079 for firewalls-outgoing; Tue, 14 Mar 1995 20:11:24 -0800 Received: from eas (eas.frus.com [199.173.156.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id UAA09074 for ; Tue, 14 Mar 1995 20:11:20 -0800 Message-Id: To: msangrey@epix.net Cc: firewalls@greatcircle.com Subject: Re: Router Settings Reply-To: estutes@frus.com In-Reply-To: Your message of "Tue, 14 Mar 1995 19:12:17 -0500 (EST)" References: <199503150012.TAA07877@grape.epix.net> X-Mailer: Mew beta version 0.89 on Emacs 19.28.1 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Tue, 14 Mar 1995 20:08:36 -0800 From: Earl Stutes Sender: firewalls-owner@GreatCircle.COM Precedence: bulk msangrey said in [Re: Router Settings] on Tue, 14 Mar 1995 19:12:17 -0500 (EST) msangrey> Gary A. Blum relates in a previous message: msangrey> msangrey> I apologize for not being able to remember the name of the paper(s). msangrey> They (it) had something to do with ``buferd''. I also hope I have msangrey> the information correct. Others, please step in if neccessary. It's in the book man. C & B Firewalls and Internet Security. ;*) =eas= From firewalls-owner Wed Mar 15 00:02:07 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA14138 for firewalls-outgoing; Tue, 14 Mar 1995 23:43:00 -0800 Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id XAA14132; Tue, 14 Mar 1995 23:42:56 -0800 X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 14 Mar 1995 23:41:02 -0800 To: blumg@ios.com (Gary A. 
Blum), firewalls@greatcircle.com From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: Router Settings Cc: csiegel@interserv.com, siegelc@cbc.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 11:20 PM 3/13/95, Gary A. Blum wrote: >We're considering a firewall design that combines a screening router with a >dual-homed bastion host running application-level gateways. We recognize the >need to configure the router to reject spurious messages e.g., spoofing >attempts (ala Cert). > >My question is as follows... Is it still necessary (or advisable) to also >configure the router to reject messages that are directed to potentially >dangerous ports, even though no proxies corresponding to those ports exist >on the bastion? For example, if tftp is not running on the host, is it still >necessary to block UDP Port 69 on the Screening Router? Thanks.

You should be thinking in terms of what you're going to _allow_, not what you're going to _block_. You want to start with everything blocked (i.e., "default deny"), and then allow only those things that you understand and intend to support. This is a belt-and-suspenders approach; an error of omission (leaving something out of the filtering rules) will result in a service being unintentionally unavailable; this is fail-safe. With the opposite approach (that is, permit everything by default, and then deny the things that are problems), an error of omission will result in a service being unintentionally available, which is fail-unsafe. In other words, don't ask what you should block; block everything, then ask what you should allow (answer: only those things that you understand and intend to support).
-Brent

-- == For info about the Internet Security Firewalls Tutorial and a schedule == == of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM == ============================================================================== == Brent Chapman Great Circle Associates == == Brent@GreatCircle.COM 1057 West Dana Street == == +1 415 962 0841 Mountain View, CA 94041 ==

From firewalls-owner Wed Mar 15 00:32:05 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA15115 for firewalls-outgoing; Wed, 15 Mar 1995 00:27:20 -0800 Received: from gatekeeper.icl.co.uk (gatekeeper.icl.co.uk [192.188.132.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id AAA15106 for ; Wed, 15 Mar 1995 00:27:11 -0800 From: x.gosselin.rea0803@oasis.icl.co.uk Received: by gatekeeper.icl.co.uk (4.1/UNIPALM-VRevision: 1.3@gatekeeper.icl.co.uk) id AA02334; Wed, 15 Mar 95 08:27:09 GMT Received: from unknown(145.227.14.59) by gatekeeper via smap (V1.3mjr) id sma002304; Wed Mar 15 08:26:09 1995 Received: from trojan.oasis.icl.co.uk by ming.oasis.icl.co.uk over SMTP id IAA08345; Wed, 15 Mar 1995 08:25:10 GMT Message-Id: <9503150827.AA12836@getafix.oasis.icl.co.uk> Date: Wed, 15 Mar 95 08:27:08 GMT Reply-To: x.gosselin.rea0803@oasis.icl.co.uk Subject: Firewalls books and souces To: firewalls@greatcircle.com Priority: URGENT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Excuse me if the following is a FAQ, but I'm very new in this list. Does anyone know some good books explaining how to build one's own firewall? Where can I find firewall sources?
Xavier (research student) From firewalls-owner Wed Mar 15 05:02:10 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA19445 for firewalls-outgoing; Wed, 15 Mar 1995 04:34:46 -0800 Received: from hawk.csd.harris.com (hawk.hcsc.com [204.5.22.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id EAA19440 for ; Wed, 15 Mar 1995 04:34:43 -0800 Received: from london.hcsc.com by hawk.csd.harris.com (5.61/harris-5.1) id AA28781; Wed, 15 Mar 95 07:32:17 -0500 Received: by london.csd.harris.com (5.61/HARRIS-4.0) id AA12976; Wed, 15 Mar 95 12:32:08 GMT From: keithg@london.csd.harris.com (Keith Grayson) Message-Id: <9503151232.AA12976@london.csd.harris.com> Subject: Brief delurk... To: firewalls@greatcircle.com Date: Wed, 15 Mar 95 12:32:07 GMT Cc: keithg@london.csd.harris.com (Keith Grayson) X-Mailer: ELM [version 2.2 PL10] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I heard a rumour that someone mentioned a UK firewalls/security mailing list sometime in the recent past. Please would someone repost an address/joining instructions. 
Thanks Keith Grayson, Harris Computer Systems Corporation email ---> kgrayson@mail.hcsc.com Tel -----> +44 (0) 1276 686886 ext 248 Fax -----> +44 (0) 1276 678733 From firewalls-owner Wed Mar 15 07:02:56 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA21232 for firewalls-outgoing; Wed, 15 Mar 1995 06:45:28 -0800 Received: from gatekeeper.icl.co.uk (gatekeeper.icl.co.uk [192.188.132.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA21227 for ; Wed, 15 Mar 1995 06:45:10 -0800 From: x.gosselin.rea0803@oasis.icl.co.uk Received: by gatekeeper.icl.co.uk (4.1/UNIPALM-VRevision: 1.3@gatekeeper.icl.co.uk) id AA18922; Wed, 15 Mar 95 14:45:01 GMT Received: from unknown(145.227.14.59) by gatekeeper via smap (V1.3mjr) id sma018874; Wed Mar 15 14:44:16 1995 Received: from trojan.oasis.icl.co.uk by ming.oasis.icl.co.uk over SMTP id OAA13148; Wed, 15 Mar 1995 14:43:18 GMT Message-Id: <9503151445.AA09057@getafix.oasis.icl.co.uk> Date: Wed, 15 Mar 95 14:45:13 GMT Reply-To: x.gosselin.rea0803@oasis.icl.co.uk Subject: Re: Re :firewalls books and sources To: firewalls@greatcircle.com Priority: URGENT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Thanks a lot to everyone who has answered my FAQ. 
Xavier From firewalls-owner Wed Mar 15 07:26:43 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA21096 for firewalls-outgoing; Wed, 15 Mar 1995 06:33:08 -0800 Received: from ttis.thomtech.com (ttis.thomtech.com [204.183.36.124]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA21091 for ; Wed, 15 Mar 1995 06:33:05 -0800 Received: from astra.thomtech.com.thomtech.com (astra.thomtech.com [204.183.36.127]) by ttis.thomtech.com (8.6.9/8.6.9) with SMTP id JAA03441 for ; Wed, 15 Mar 1995 09:30:39 -0500 Received: by astra.thomtech.com.thomtech.com (4.1/SMI-4.1) id AA00220; Wed, 15 Mar 95 09:29:27 EST Date: Wed, 15 Mar 95 09:29:27 EST From: suresh@astra.thomtech.com (Suresh Srinivasan) Message-Id: <9503151429.AA00220@astra.thomtech.com.thomtech.com> To: firewalls@greatcircle.com Subject: Difference between "proxies" and "application gateways" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Gentlepersons: I'm reading the Firewall book (Cheswick & Bellovin) and the documentation that comes with the TIS toolkit but I'm confused about the correct usage of the terms "proxy" and "application gateway". Am I correct in understanding that an application gateway is a more specific instance of a proxy in that it operates only at the application layer whereas a proxy is a generic term for a program that operates at any layer (above IP)? For example, is "socks" a proxy since it operates at the TCP layer? Clearly an appl. gateway has to understand the protocols it was designed for gateway'ing whereas a generic proxy only(!) acts as a relay. I would appreciate a gentle education. 
Thanks, --Suresh From firewalls-owner Wed Mar 15 07:41:05 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA22032 for firewalls-outgoing; Wed, 15 Mar 1995 07:26:12 -0800 Received: from wintermute.imsi.com (wintermute.imsi.com [192.103.3.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA22027 for ; Wed, 15 Mar 1995 07:26:09 -0800 Received: from relay.imsi.com by wintermute.imsi.com id KAA18351; Wed, 15 Mar 1995 10:23:35 -0500 Received: from lorax.imsi.com by relay.imsi.com id KAA01682; Wed, 15 Mar 1995 10:23:35 -0500 Received: from localhost by lorax.imsi.com (4.1/SMI-4.1) id AA09542; Wed, 15 Mar 95 10:23:34 EST Message-Id: <9503151523.AA09542@lorax.imsi.com> To: Nick VanderZweep Cc: firewalls@greatcircle.com Subject: Re: Financial Institutions connecting to the Internet In-Reply-To: Your message of "Tue, 14 Mar 1995 16:55:34 CST." <199503142257.AA21292@access.mbnet.mb.ca> Reply-To: rens@imsi.com Date: Wed, 15 Mar 1995 10:23:33 -0500 From: Rens Troost Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>>>> "Nick" == Nick VanderZweep writes: Nick> I am looking for other financial institutions who have have Nick> connected to the Internet. The reason being we (Great-West Nick> Life) are considering connecting to the Internet and we would Nick> like to get a feel for how many other institutions have Nick> connected and what experiences they have had. I've run firewalls and net connections at a bunch of large and small Wall Street places. Aside from what seems to be a fairly large amount of doorknob-twisting, I have had relatively little trouble. Be very sure that your candidate firewall is not connected to the internet before it is clamped down, 'cause the doorknob twisters will usually find it within a half-hour or so of plugging it in, especially at bigger places. 
Since the Internet security business is essentially an arms race, it's important to keep up to date on developments in cracking and firewalls. Thus, plan on treating the firewall as an ongoing project and job description, rather than as a software product. Read the firewalls and bugtraq lists and so forth.

That said, the firewall is the least of your worries in keeping your shop secure. Various past sendmail holes, for example, can allow attacks on machines behind the firewall. It's very hard to keep all the machines on a large internal network secure; what bugs lurk in the WANG SMTP product? There's a tendency among the savvy UNIX staff to write off such issues, until you pause and think that the only really confidential information (accounts, positions, customer tracking, etc.) often resides on such legacy systems.

Watch out for back doors that may spring into being as a result of internet connectivity. Often the Mainframes have external connections via PDNs like Tymnet - the predecessor to the dialback PPP connections lots of shops use today. While inbound access on such links is often tightly monitored and controlled, someone who has circumvented your firewall might take advantage of such channels to ship data out (lots of 'frames run TCP/IP now), and don't count on the Mainframe Datacenter people being trained enough to recognize when this is happening. There are lots of parallels to this situation. While these kinds of problems have always existed, they get exacerbated once you have an internet connection. Then there will be still more attacks and more opportunities for damage.

Make sure that any tape backups of your firewall and other important configuration information are kept secure. If you are unfortunate enough to be attacked by a determined and skilled cracker, this might make the difference between knowing you are being attacked and never finding out at all.
If you store your logs on a very secure machine, make sure that that machine is not so secure that the day-to-day operations people stop backing it up when you go on vacation! This sounds laughable, but it happens.

Make sure you do not have only a single person knowledgeable about security at your site. This can happen even in organizations where a bunch of people are supposedly on the project, as you no doubt realize.

Another important gotcha is that once you get a connection, people start doing all kinds of things with it that it may not be intended for. Internet email (encrypted, of course!) is a great way to get things like research and numbers from your counterparties. The people who write the jobs that load these numbers into their databases are inevitably NOT writing with security in mind; make sure that the business and development managers all understand the importance of security; they should also sign on to ensure they assume a share of responsibility.

A related problem: the quality of Internet Service Providers, even the better ones, is just not up to the level of service expected in a Trading Room! Your connection is going to go down, so either plan to have several different providers and your own BGP4 AS number, or make sure that no mission-critical processes depend on it. The Internet, for example, might not be the best place to be getting your 8:30 FRB numbers from! But your developers may not see it that way...

Well, this was longer than I thought... I hope it's the sort of info you were looking for.
-Rens

From firewalls-owner Wed Mar 15 09:33:46 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA24562 for firewalls-outgoing; Wed, 15 Mar 1995 09:28:01 -0800 Received: from unix.sri.com (UNIX.sri.com [128.18.30.66]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA24557 for ; Wed, 15 Mar 1995 09:27:58 -0800 Received: from qm.sri.com by unix.sri.com (4.1/SMI-4.0) id AA08748; Wed, 15 Mar 95 09:24:21 PST Message-Id: Date: 15 Mar 1995 09:19:13 U From: "Terry Bernstein" Subject: Re: firewall vendors To: "Fred Toth" Cc: firewalls@greatcircle.com X-Mailer: Mail*Link SMTP-QM 3.0.2 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Have you checked out the list of firewalls at "http://www.digimark.net/bdboyle/fulmer/firewall.vendor.html"? This appears to be a pretty good list of commercial firewalls and partial firewall products.

- - Terry Bernstein -- SRI International terry_bernstein@sri..com

-----------
I have a question that is on the FAQ, but without an answer! Namely: 7: What are some commercial products or consultants who sell/service firewalls? Since the FAQ side-stepped this one, I'm asking the group. Other than capabilities that come along with a good router, what kind of products are available as turn-key gateways? How quickly can one be acquired and set up, and for what kind of money? If there are firewall sales types reading this, feel free to call.
Many thanks, Fred Toth, 704-573-2133 ftoth@cybernetics.net

From firewalls-owner Wed Mar 15 10:14:23 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA24944 for firewalls-outgoing; Wed, 15 Mar 1995 09:50:38 -0800 Received: from tamiya.llnl.gov (tamiya.llnl.gov [128.115.28.37]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA24925 for ; Wed, 15 Mar 1995 09:50:06 -0800 Received: from [128.115.9.46] (sourdough-chocolate-cake.llnl.gov) by tamiya.llnl.gov (4.1/LLNL-1.18) id AA20387; Wed, 15 Mar 95 09:16:03 PST X-Sender: swift@tamiya.llnl.gov Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Date: Wed, 15 Mar 1995 09:14:45 -0800 To: Nick VanderZweep From: uncl@llnl.gov (Frank Swift (510-422-1463)) Subject: Internet Connections and "Good Business Practices" Cc: Firewalls@greatcircle.com, academic-firewalls@net.tamu.edu Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Nick, I saw your posting to Firewalls Digest and would be interested in not so much the experiences of other institutions, since we have had at least one each of all, but in whether any of the various companies have had established connection and use policies before they let their employees jump out on the net with Mosaic, Gopher, IRC, Email, etc., etc., etc....

At Lawrence Livermore we are exploring the issues relative to what "Good Business Practices" dictate versus what compliance directives demand. This is very difficult in an academic environment since the former assumes some sort of risk assessment management exercise utilizing cost benefit analysis, the results of which may restrict one's "academic freedom". We have been a compliance driven program for many years and are now faced with a real dichotomy: acting like a business while maintaining academic freedom in a world-class R&D laboratory.
As an example, the mere mention of Firewalls will spark exchanges that run the gauntlet of invading one's privacy, decrementing data throughput, and stifling research and development discussions among the scientific community.

frank

THE WORLD IS NOT INTERESTED IN THE STORMS YOU ENCOUNTERED, BUT WHETHER YOU BROUGHT IN THE SHIP.
\ | / | 0 0 | Frank Swift L-321 (510)-422-1463 ~^~ LLNL 7000 East Avenue (fax) 423-0913 \O/ Livermore CA 94550-9516_____________uncl@llnl.gov________+ Unclassified Computer Security Lawrence Livermore National Lab Observing and Reacting to "the Net of a Million Lies"

From firewalls-owner Wed Mar 15 10:34:04 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA25382 for firewalls-outgoing; Wed, 15 Mar 1995 10:03:18 -0800 Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA25377 for ; Wed, 15 Mar 1995 10:03:11 -0800 From: fc@all.net (Dr. Frederick B. Cohen) Received: by all.net (4.1/3.2.012693-Management Analytics); id AA03393 for firewalls@greatcircle.com; Wed, 15 Mar 95 12:57:28 EST Message-Id: <9503151757.AA03393@all.net> Subject: vendor listings To: firewalls@greatcircle.com Date: Wed, 15 Mar 1995 12:57:27 -0500 (EST) X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 203 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Firewall vendors are listed (for free) under our vendor listing service, which can be searched via WWW. If there are vendors missing from this listing, they are welcome to contact me to get listed.
FC

From firewalls-owner Wed Mar 15 10:55:59 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA25902 for firewalls-outgoing; Wed, 15 Mar 1995 10:26:20 -0800 Received: from relay.tis.com (relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA25897 for ; Wed, 15 Mar 1995 10:26:18 -0800 Received: from mailhub.tis.com(192.33.112.100) by relay.tis.com via smap (a1.4) id sma016369; Wed Mar 15 13:23:02 1995 Received: from sol.tis.com by tis.com (4.1/SUN-5.64) id AA04021; Wed, 15 Mar 95 13:23:22 EST Message-Id: <9503151823.AA04021@tis.com> From: Frederick M Avolio X-Organization: Trusted Information Systems, Inc. X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363 To: uncl@llnl.gov (Frank Swift (510-422-1463)) Cc: Nick VanderZweep , Firewalls@greatcircle.com, academic-firewalls@net.tamu.edu Subject: Re: Internet Connections and "Good Business Practices" In-Reply-To: Your message of Wed, 15 Mar 95 09:14:45 -0800. Date: Wed, 15 Mar 95 13:23:20 -0500 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> world-class R&D laboratory. As an example, the mere mention of Firewalls
> will spark exchanges that run the gauntlet of invading one's privacy,

Hey! Gauntlet is a trademark of Trusted Information Systems, Inc.!
:-) Fred From firewalls-owner Wed Mar 15 12:45:52 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA27589 for firewalls-outgoing; Wed, 15 Mar 1995 11:03:27 -0800 Received: from Sun.COM (koriel.Sun.COM [192.9.9.64]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA27584 for ; Wed, 15 Mar 1995 11:03:21 -0800 Received: from Eng.Sun.COM (engmail2.Eng.Sun.COM) by Sun.COM (sun-barr.Sun.COM) id AA08184; Wed, 15 Mar 95 11:00:35 PST Received: from belfast2.eng.sun.com by Eng.Sun.COM (5.x/SMI-5.3) id AA14729; Wed, 15 Mar 1995 11:00:01 -0800 Received: by belfast2.eng.sun.com (5.0/SMI-SVR4) id AA15003; Wed, 15 Mar 1995 10:59:28 +0800 Date: Wed, 15 Mar 1995 10:59:28 +0800 From: Thomas.Clark@Eng.Sun.COM (Tom Clark) Message-Id: <9503151859.AA15003@belfast2.eng.sun.com> To: ftoth@cybernetics.net, Terry_Bernstein@qm.sri.com Subject: Re: firewall vendors Cc: firewalls@greatcircle.com X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi Terry, I just tried to access: http://www.digimark.net/bdboyle/fulmer/firewall.vendor.html without success. It might be our system. Can you double-check the pointer? Thanks!! -Tom From firewalls-owner Wed Mar 15 12:51:20 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA26084 for firewalls-outgoing; Wed, 15 Mar 1995 10:28:35 -0800 Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA26049 for ; Wed, 15 Mar 1995 10:28:26 -0800 From: fc@all.net (Dr. Frederick B. 
Cohen) Received: by all.net (4.1/3.2.012693-Management Analytics); id AA04533 for firewalls@greatcircle.com; Wed, 15 Mar 95 13:22:30 EST Message-Id: <9503151822.AA04533@all.net> Subject: Re: Internet Connections and "Good Business Practices" To: uncl@llnl.gov (Frank Swift (510-422-1463)) Date: Wed, 15 Mar 1995 13:22:30 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: from "Frank Swift (510-422-1463)" at Mar 15, 95 09:14:45 am X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 1113 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

...
> At Lawrence Livermore we are exploring the issues relative to what "Good
> Business Practices" dictate versus what compliance directives demand. This
> is very difficult in an academic environment since the former assumes some
> sort of risk assessment management exercise utilizing cost benefit analysis
> the results of which may restrict ones "academic freedom". We have been a
> compliance driven program for many years and are now faced with a real
> dichotomy: acting like a business while maintaining academic freedom in a
> world-class R&D laboratory. As an example, the mere mention of Firewalls
> will spark exchanges that run the gauntlet of invading one's privacy,
> decrementing data throughput, and stifling research and development
> discussions among the scientific community.

Frank: One technique that has been successfully used in environments like yours is a strong educational and awareness program that will help your people want effective protection in order to assure their academic freedom. If you would like to discuss this further, give me a call.
FC

From firewalls-owner Wed Mar 15 13:12:21 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA29426 for firewalls-outgoing; Wed, 15 Mar 1995 12:54:36 -0800 Received: from vdoehp.vak12ed.edu (vdoehp.vak12ed.edu [141.104.22.101]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA29421 for ; Wed, 15 Mar 1995 12:54:32 -0800 Message-Id: <199503152054.MAA29421@miles.greatcircle.com> Received: by vdoehp.vak12ed.edu (1.37.109.11/16.2) id AA027700667; Wed, 15 Mar 1995 15:51:07 -0500 From: "W.C. Epperson" Subject: Re: Internet Connections and "Good Business Practices" To: avolio@tis.com (Frederick M Avolio) Date: Wed, 15 Mar 95 15:51:06 EST Cc: firewalls@greatcircle.com In-Reply-To: <9503151823.AA04021@tis.com>; from "Frederick M Avolio" at Mar 15, 95 1:23 pm Mailer: Elm [revision: 70.85] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Been written:
> > world-class R&D laboratory. As an example, the mere mention of Firewalls
> > will spark exchanges that run the gauntlet of invading one's privacy,
>
> Hey! Gauntlet is a trademark of Trusted Information Systems, Inc.! :-)
>

So it is, but contextually it appears that "run the gamut" was intended.... And I always use "run the gantlet" and "throw down the gauntlet" to differentiate a double row of men armed with clubs from an armored glove sometimes used to issue a challenge to combat (although "gauntlet" is an accepted spelling of the former). I wonder which one TIS intended; could be a double entendre. I guess systems programmers with minors in English should stick to lurking....

-- W.C. Epperson "I have great faith in fools. Senior SE Self-confidence, my friends call it." Virginia Dept. of Education --E.A.
Poe-- epperson@vdoehp.vak12ed.edu From firewalls-owner Wed Mar 15 13:32:06 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA00447 for firewalls-outgoing; Wed, 15 Mar 1995 13:21:43 -0800 Received: from erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA00441 for ; Wed, 15 Mar 1995 13:21:39 -0800 Posted-Date: Wed, 15 Mar 1995 16:19:04 -0500 (EST) Date: Wed, 15 Mar 1995 16:19:04 -0500 (EST) From: "Bryan D. Boyle" Subject: Re: firewall vendors To: Tom Clark Cc: ftoth@cybernetics.net, Terry_Bernstein@qm.sri.com, firewalls@greatcircle.com In-Reply-To: <9503151859.AA15003@belfast2.eng.sun.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk that is because the url has changed. many announcements later, and so forth. http://www.access.digex.net/~bdboyle/firewall.vendor.html Bryan D. Boyle |Physical: ER&E, Clinton, NJ (908) 730-3338 #include |Virtual: bdboyle@erenj.com World-Wide-Web: http://www.access.digex.net/~bdboyle/index.html On Wed, 15 Mar 1995, Tom Clark wrote: > Hi Terry, > > I just tried to access: > > http://www.digimark.net/bdboyle/fulmer/firewall.vendor.html > > without success. It might be our system. Can you double-check the > pointer? > > Thanks!! 
> > -Tom > From firewalls-owner Wed Mar 15 15:08:11 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA01838 for firewalls-outgoing; Wed, 15 Mar 1995 14:30:57 -0800 Received: from sun2.nsfnet-relay.ac.uk (sun2.nsfnet-relay.ac.uk [128.86.8.45]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA01833 for ; Wed, 15 Mar 1995 14:30:54 -0800 Via: uk.ac.teesside; Wed, 15 Mar 1995 22:27:44 +0000 Received: from scorch (scorch.tees.ac.uk) by teesside.ac.uk; Wed, 15 Mar 1995 22:27:33 GMT From: Smalley Michael A -BSc Mod Comp 91 Received: from slc1 (slc1.tees) by scorch; Wed, 15 Mar 95 22:28:45 GMT Date: Wed, 15 Mar 95 22:28:43 GMT Message-Id: <233.9503152228@slc1> To: Thomas.Clark@Eng.Sun.COM, bdboyle@maverick.erenj.com Subject: Re: firewall vendors Cc: Terry_Bernstein@qm.sri.com, firewalls@greatcircle.com, ftoth@cybernetics.net Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sorry about this I am trying to get off this mailing list and can't due to a blind put on by my system administrator. Can someone get me off this firewall mailing list PLEASE !!!! tHANX ... From firewalls-owner Wed Mar 15 17:11:30 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA04926 for firewalls-outgoing; Wed, 15 Mar 1995 16:53:11 -0800 Received: from nixon.lsas.org (nixon.lsac.org [192.204.124.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA04921 for ; Wed, 15 Mar 1995 16:53:08 -0800 Message-Id: <9503160057.AA18268@nixon.lsas.org> Received: from smtpgw id: 2F678EAC.8C0 (WordPerfect SMTP Gateway V3.1a 04/27/92) Received: from lsas (WP Connection) Received: from NIXON_3COM (WP Connection) Received: from SERVER3 (WP Connection) From: (Janice Jaffee ) To: Subject: Security Policy Guide Date: Wed Mar 15 20:04:44 1995 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Not long ago I saw a posting for a security policy guide. I believe it was a skeleton for creating your own. 
Can someone tell me where to find it? Thanks. Janice

From firewalls-owner Wed Mar 15 18:02:07 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA06091 for firewalls-outgoing; Wed, 15 Mar 1995 17:50:17 -0800 Received: from morakot.nectec.or.th (morakot.nectec.or.th [192.150.251.21]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id RAA06086 for ; Wed, 15 Mar 1995 17:50:09 -0800 Received: from kmitnb03.kmitnb.ac.th.kmitnb.ac.th by morakot.nectec.or.th (8.6.8/1.34) id IAA23778; Thu, 16 Mar 1995 08:48:15 +0700 Received: from localhost.nectec.or.th by morakot.nectec.or.th (8.6.8/1.34) id IAA23778; Thu, 16 Mar 1995 08:48:15 +0700 Received: by kmitnb03.kmitnb.ac.th.kmitnb.ac.th (5.x/SMI-SVR4) id AA07771; Thu, 16 Mar 1995 08:42:23 -0700 Date: Thu, 16 Mar 1995 08:42:22 -0700 (GMT) From: Pradit Pitaksathienkul Subject: Routing Table lost To: firewalls@greatcircle.com In-Reply-To: <233.9503152228@slc1> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Excuse me that I ask my question here; I'm not sure where I should start. My routing table is lost from my Sun workstations, only Sun workstations; they use Solaris 2.2, 2.3 and 2.4. This segment has many machines, Silicon among them, and the Silicon still has its routing table. I asked my vendor, Sun, and they said it should be an error from the router device. I asked my vendor, Cisco, and they said it should be an error from the Sun workstation. Before the problem came, nothing was done to either the Sun workstations or the router. Some Sun workstations have no user access, only root. When the routing table is lost, rebooting can help, or the 'snoop' command (that is why I ask about 'snoop').

My question: 1. Where should I start, at the router or the Sun workstations?

pradit.
PS: I attach the messages from when the problem came:
Mar 15 09:21:45 hostname in.routed[82]: SIOCDELRT: No such process
Mar 15 09:21:45 hostname in.routed[82]: dst 0.0.0.0 gw routerIP metric 2

From firewalls-owner Wed Mar 15 20:08:08 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA07162 for firewalls-outgoing; Wed, 15 Mar 1995 19:08:29 -0800 Received: from bwh.harvard.edu (bwh.harvard.edu [134.174.81.34]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA04087 for ; Mon, 13 Mar 1995 09:30:38 -0800 Received: from spl.bwh.harvard.edu (spl.bwh.harvard.edu [134.174.81.53]) by bwh.harvard.edu (8.6.9/8.6.9) with ESMTP id MAA02581; Mon, 13 Mar 1995 12:28:07 -0500 From: Adam Shostack X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School Received: (adam@localhost) by spl.bwh.harvard.edu (8.6.9/8.6.4) id MAA04400; Mon, 13 Mar 1995 12:26:01 -0500 Message-Id: <199503131726.MAA04400@spl.bwh.harvard.edu> Subject: Re: SV: Re: IBM's Firewall To: axel.skough@scb.se Date: Mon, 13 Mar 1995 12:26:00 -0500 (EST) Cc: adam@bwh.harvard.edu, George_D._Custodio@mail.asiandevbank.org, firewalls@GreatCircle.COM In-Reply-To: <199503131541.QAA07770@mail.swip.net> from "axel.skough@scb.se" at Mar 13, 95 04:36:00 pm X-PGP: 876BD629 Fingerprint: 70 93 32 D6 36 D4 04 10 40 EC AB 28 A4 1D 0F E2 X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 2138 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

| We are currently considering the IBM NetSP SNG for the RS6000 and it would
| be very valuable to know exactly in what areas this product is lacking.
| What archives are referenced here? I would be grateful for details either
| specifically or a reference list. It would help us in making proper
| decisions.

The list is digested in ftp.greatcircle.com:/pub/firewalls/digest/ The discussion took place around Jan 9th.
I'll include my posting; I don't have all the responses.

>>From adam Mon Jan 9 00:31:24 1995
>>Subject: Re: IBM's NetSP Secured Network Gateway
>>To: xuthus@dss.gov.au (Chris Brittain)
>>Date: Mon, 9 Jan 95 0:31:24 EST
>>Cc: Firewalls@GreatCircle.COM
>>In-Reply-To: ; from "Chris Brittain" at Jan 9, 95 3:47 pm
>>X-PGP:876BD629 Fingerprint: 70 93 32 D6 36 D4 04 10 40 EC AB 28 A4 1D 0F E2
>>Status: RO
>>
>>You wrote:
>>
>>| Has anyone had any experience with IBM's NetSP Secured Network Gateway?
>>| Anybody want to make any comments about it? positive? negative?
>>
>> The product manager was kind enough to send me a copy of the manual. (Scott Baumann (sbaumann@vnet.ibm.com)) It's a SOCKS-based bastion system, with support for several smartcard systems. It runs on an RS/6000, with AIX 3.2.5.
>>
>> Overall, it seemed to be a decent system. It used code from outside IBM, and seemed to be a decent first pass at building a firewall. I had a number of criticisms, which I'll mention, but it did seem to be a decent basis on which to build.
>>
>> 1. It's a SMIT installable image. There's very little said about cutting down AIX bloat & suid's. The manual does mention cutting what's in inetd.conf. However, I think AIX is way too big to be trusted.
>>
>> 2. It uses IBM's sendmail. Not ucb 8.6.9, not smap, smail or anything else, but sendmail.
>>
>> 3. Nothing like tripwire seems to be included.
>>
>> 4. No high speed network adapters (I noted a lack of FDDI and ATM)
>>
>> 5. The manual didn't cover testing enough.
>>

-- "It is seldom that liberty of any kind is lost all at once."
-Hume From firewalls-owner Wed Mar 15 23:36:09 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA10784 for firewalls-outgoing; Wed, 15 Mar 1995 23:05:55 -0800 Received: from brolga.cc.uq.oz.au (brolga.cc.uq.oz.au [130.102.128.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id XAA10779 for ; Wed, 15 Mar 1995 23:05:50 -0800 Received: from brolga.cc.uq.oz.au (actually localhost) by brolga.cc.uq.oz.au with SMTP (PP); Thu, 16 Mar 1995 17:02:58 +1000 Date: Thu, 16 Mar 1995 17:02:54 +1000 (EST) From: Catherine Allen Subject: Re: Security Policy Guide To: JJAFFEE cc: firewalls In-Reply-To: <9503160057.AA18268@nixon.lsas.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 15 Mar 1995, JJAFFEE wrote: > Not long ago I saw a posting for a security policy guide. I believe A document called Site Security Policy Development is available from AUSCERT (the Australian CERT) which can be viewed via the web (http://www.auscert.org.au) or ftp'd from ftp://ftp.auscert.org.au/security/papers/Site.Security.Policy.Development.txt A section of their UNIX Security Checklist (in same directory/page), which covers password and account security, could also be incorporated into a usage policy. 
cAt From firewalls-owner Thu Mar 16 01:32:16 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA12548 for firewalls-outgoing; Thu, 16 Mar 1995 01:14:57 -0800 Received: from mailhost.micromuse.co.uk (musegate.micromuse.co.uk [193.131.96.253]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id BAA12543 for ; Thu, 16 Mar 1995 01:14:53 -0800 Received: from picard.micromuse.co.uk by mailhost.micromuse.co.uk (8.6.10/MM-030195-mpc-2) id JAA29531; Thu, 16 Mar 1995 09:10:48 GMT X-Organisation: Micromuse PLC Tel: 081 875 9500 X-Beware: This is a new implementation of sendmail X-Mailer: TCP/Connect II for Windows Version 4.00 (Mailer Version 1.02) Message-ID: <2F40C6A9-00000001@picard.micromuse.co.uk> From: mikec@micromuse.co.uk Date: Wed, 15 Mar 95 09:14:45 cst Subject: Internet Connections and "Good Business Practices" To: academic-firewalls@net.tamu.edu Cc: Firewalls@greatcircle.com, academic-firewalls@net.tamu.edu Reply-To: academic-firewalls@net.tamu.edu MIME-Version: 1.0 Content-Type: Text/Plain; Charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Nick, I saw your posting to Firewalls Digest and would be interested in not so much the experiences of other institutions since we have had at least one each of all, but in whether any of the various companies have had established connection and use policies before they let their employees jump out on the net with Mosaic, Gopher, IRC, Email, etc., etc., etc.... At Lawrence Livermore we are exploring the issues relative to what "Good Business Practices" dictate versus what compliance directives demand. This is very difficult in an academic environment since the former assumes some sort of risk assessment management exercise utilizing cost benefit analysis the results of which may restrict ones "academic freedom". 
We have been a compliance driven program for many years and are now faced with a real dichotomy: acting like a business while maintaining academic freedom in a world-class R&D laboratory. As an example, the mere mention of Firewalls will spark exchanges that run the gauntlet of invading one's privacy, decrementing data throughput, and stifling research and development discussions among the scientific community. frank THE WORLD IS NOT INTERESTED IN THE STORMS YOU ENCOUNTERED, BUT WHETHER YOU BROUGHT IN THE SHIP . \ | / | 0 0 | Frank Swift L-321 (510)-422-1463 ~^~ LLNL 7000 East Avenue ( fax) 423-0913 \O/ Livermore CA 94550-9516_____________uncl@llnl.gov________+ Unclassified Computer Security Lawrence Livermore National Lab Observing and Reacting to "the Net of a Million Lies" From firewalls-owner Thu Mar 16 02:34:21 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id CAA14498 for firewalls-outgoing; Thu, 16 Mar 1995 02:26:18 -0800 Received: from lobster.wellfleet.com (lobster.wellfleet.com [192.32.253.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id CAA14493 for ; Thu, 16 Mar 1995 02:26:13 -0800 Received: from paperboy.wellfleet.com by lobster.wellfleet.com (4.1/SMI-4.1) id AA16989; Thu, 16 Mar 95 05:22:13 EST Received: from wellfleet.com by paperboy.wellfleet.com (4.1/SMI-4.1) id AA24479; Thu, 16 Mar 95 05:17:17 EST From: Post_Office@wellfleet.com (Post Office) Reply-To: Post_Office@wellfleet.com To: Firewalls@GreatCircle.COM Subject: NDN: Firewalls-Digest V4 #172 Date: 16 Mar 1995 20:21:24 GMT Message-Id: <471719869.216967185@wellfleet.com> Organization: Bay Networks Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sorry. Your message could not be delivered to: David Hakaraia (Mailbox or Conference is full.) 
From firewalls-owner Thu Mar 16 05:37:09 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA17011 for firewalls-outgoing; Thu, 16 Mar 1995 05:31:21 -0800 Received: from gateway.toploguk.co.uk (gateway.toploguk.co.uk [193.119.169.250]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA16998 for ; Thu, 16 Mar 1995 05:31:10 -0800 From: Paul Crossley To: firewalls@greatcircle.com Subject: IP address re-mapping X-Mailer: ScoMail 1.0 Date: Thu, 16 Mar 1995 13:13:17 +0000 (GMT) Message-ID: <9503161313.aa13243@gateway.toploguk.co.uk> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Does anyone out there know whether FW-1 is capable of remapping IP addresses as packets come through and, if not, whether there are any products out there that will allow this? My apologies in advance if this is felt to be an inappropriate question for this forum, but if it is then maybe someone can re-direct me.

Thanks for your help
P Crossley

(' ') ---------------------------oOO--(_)--OOo--------------------------------- Paul Crossley (paul@toploguk.co.uk) `-_-' Senior Consultant SCO ACE 'U` TopLog Limited TopLog House, Knaves Beech Business Centre, Loudwater, Bucks.
HP10 9QY Phone (01628) 819444 Fax (01628) 819356 ------------------------------------------------------------------------- From firewalls-owner Thu Mar 16 07:04:14 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA18471 for firewalls-outgoing; Thu, 16 Mar 1995 07:01:11 -0800 Received: from lambda.msfc.nasa.gov (LAMBDA.MSFC.NASA.GOV [128.158.1.223]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA18464 for ; Thu, 16 Mar 1995 07:01:07 -0800 Received: from kiwi (kiwi.msfc.nasa.gov) by lambda.msfc.nasa.gov (4.1/SMI-4.0) id AA10225; Thu, 16 Mar 95 08:46:22 CST Date: Thu, 16 Mar 95 08:46:22 CST From: roosekj@lambda.msfc.nasa.gov (Kathryn Roose) Message-Id: <9503161446.AA10225@lambda.msfc.nasa.gov> To: firewalls@greatcircle.com Subject: ANS Interlock Product Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We are currently researching various firewall product offerings. If anyone has had experience with the ANS Interlock firewall product, we would appreciate your opinion of the product - pros and cons. Also, of interest would be information relating to performance. Many thanks in advance for your support. 
Kathryn Roose kroose@hobbes.msfc.nasa.gov

From firewalls-owner Thu Mar 16 12:05:57 1995
From: system PRIVILEGED account
Date: Thu, 16 Mar 1995 13:40:36 -0600 (CST)
To: Dave Barrett
Cc: Firewalls@greatcircle.com
Subject: Re: End-to-end Encryption and CERT
In-reply-to: <199501260036.QAA01793@miles.greatcircle.com>

On Wed, 25 Jan 1995, Dave Barrett wrote:

> I've been using a program I wrote called deslogin which I last released
> on ftp.uu.net about six months ago. The recent CERT advisory has caused a
> flood of inquiries to me about my program and I'm preparing a new release
> as a result.

How difficult would it be to graft the rsh daemon/client into the encryption routines of deslogin? I have a copy of deslogin, but I have not had time to attempt to compile it on an Alpha OSF/1 v3.0 box. Does deslogin use a public and private key(s)?
From firewalls-owner Thu Mar 16 13:02:00 1995
From: adamsb@un.org
Date: Thu, 16 Mar 95 15:32:08 EST
To: firewalls@GreatCircle.COM
Subject: Re: Financial Institutions connecting to the Internet
Message-Id: <9502167953.AA795396907@mail-in.un.org>

The experience of the UN with firewalls, the Internet, unwanted visitors and grade of service runs parallel to that described by Rens Troost. I think he covered all the major issues, especially that the main cause for concern may not be the Internet but back-door connections to older systems.

People seldom think of the UN as a financial institution, but the foreign investments of its Pension Fund exceed the assets of many financial institutions. We are experimenting with "firewall friendly" TCP/IP packages in that regard.
From firewalls-owner Thu Mar 16 13:32:50 1995
From: Chris Kalaboukis
Date: Thu, 16 Mar 1995 15:10:27 -0500
To: firewalls@greatcircle.com
Subject: Firewall/Software Router Product II
X-Mailer: Novell GroupWise 4.1

We are looking for software which runs on a PC, routing IP between an RS232 serial PPP Internet connection (dialup connection to an Internet service provider) and a network interface card running TCP/IP (connected to the rest of our IP network). This product would route and do traffic filtering. Can Windows NT Server do this out of the box, or do I need other software?

Thanks...Chris
--------------------------------------------------------------
Chris Kalaboukis, PC/LAN Manager
CUC Broadcasting, 1300-300 Consilium Place
Scarborough ON Canada M1H 3E4
416-296-9966 Fax: 416-296-7374
chrisk@cuc.ca
--------------------------------------------------------------

From firewalls-owner Thu Mar 16 14:02:16 1995
From: Perry Flinn
Date: Thu, 16 Mar 1995 16:44:21 -0500 (EST)
To: firewalls@greatcircle.com
Subject: Re: split-DNS ... would this work?
Message-Id: <199503162144.QAA00488@leith.tlogic.com>

mjr writes:

> The current version of the bind code has a set of #defines for
> SECURE_ZONES which is also documented below. Has anyone played with the
> secure_zone stuff? It seems like it should work OK. As someone who has
> spent his share of time snarling at the named code, the idea of a common
> working solution for split brained DNS is very appealing.

The SECURE_ZONES feature is fine for restricting which clients can see your DNS zone data, but it doesn't really contribute to "splitting the brain".

> [Never mind the fact that split brained DNS is only arguably a
> security feature. So many people seem to think it's a Big Deal and Ches
> and Steve have published it as a feature, it's now an accepted part of
> the lore.]

As I see it, splitting DNS into separate external and internal views is not as much a matter of security as it is a matter of making things work right. For example, I want the MX record associated with tlogic.com to point to my bastion host when viewed from the outside, but when viewed from the inside, I want it to point to my internal mail relay. In a similar vein, I have various common domain names (e.g., www, nntp) whose externally visible A records should refer to the bastion host but which should point to inside addresses when seen internally. As far as I know, the only way to achieve this without hacking bind is to use something like the configuration suggested by Brent, now canonized in C&B. I'd be thrilled for someone to tell me how to run a single DNS server on my bastion host that could serve up different data for a given query depending upon its origin.

----------------------------------------------------------------------------
Perry Flinn    Voice: 404/843-9111/22    Fax: 404/843-9700
Technologic, Inc. / 4170 Ashford Dunwoody Rd.
#465 / Atlanta, GA 30319-1457
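Perry asks for one server on the bastion host that answers a given query differently depending on where the query comes from. As an added example that is not part of the original post or of any product discussed in this thread, the BIND 9 `view` mechanism (which did not exist when this was written) does exactly that: the acl name, file names and all addresses below are constructed placeholders, and the outside addresses are drawn from the TEST-NET-1 documentation range.

```conf
// named.conf (added example): two views of the same zone, selected by query source.
acl "internal-nets" { 10.0.0.0/8; 127.0.0.1; };   // constructed: the inside address space

options {
    directory "/var/named";
    recursion no;                 // default for every view; only the inside view overrides it
};

// Queries arriving from inside addresses match this view first.
view "internal" {
    match-clients   { "internal-nets"; };
    recursion       yes;          // inside hosts may use the bastion as their resolver
    allow-transfer  { "internal-nets"; };
    zone "tlogic.com" {
        type master;
        file "tlogic.com.internal";   // inside view: real inside addresses, internal mail relay
    };
};

// Everything else (the Internet) falls through to this view.
view "external" {
    match-clients   { any; };
    recursion       no;           // never recurse on behalf of outside clients
    allow-transfer  { none; };    // outsiders cannot pull the zone (what SECURE_ZONES restricted)
    zone "tlogic.com" {
        type master;
        file "tlogic.com.external";   // outside view: only the bastion host is visible
    };
};

; ---- tlogic.com.external (constructed) -------------------------------------
$TTL 3600
@           IN  SOA   bastion.tlogic.com. hostmaster.tlogic.com. (
                      1995031601 ; serial
                      3600       ; refresh
                      900        ; retry
                      604800     ; expire
                      3600 )     ; negative-cache TTL
            IN  NS    bastion.tlogic.com.
            IN  MX    10 bastion.tlogic.com.   ; outside mail is delivered to the bastion
bastion     IN  A     192.0.2.10               ; bastion's outside interface (placeholder)
www         IN  A     192.0.2.10               ; www and nntp resolve to the bastion outside
nntp        IN  A     192.0.2.10

; ---- tlogic.com.internal (constructed) -------------------------------------
$TTL 3600
@           IN  SOA   bastion.tlogic.com. hostmaster.tlogic.com. (
                      1995031601 ; serial
                      3600       ; refresh
                      900        ; retry
                      604800     ; expire
                      3600 )     ; negative-cache TTL
            IN  NS    bastion.tlogic.com.
            IN  MX    10 mailrelay.tlogic.com. ; inside mail goes to the internal relay
bastion     IN  A     10.1.1.1                 ; bastion's inside interface (placeholder)
mailrelay   IN  A     10.1.1.25                ; inside hosts, never visible from outside
www         IN  A     10.1.1.80
nntp        IN  A     10.1.1.119
```

View selection is by source address only, so inside hosts must query the bastion on its inside interface to get the internal answers; a query that reaches the outside interface gets the external view. The `allow-transfer { none; }` in the external view covers what mjr's SECURE_ZONES did (who may read the zone), while the two zone files are what actually split the brain.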

From firewalls-owner Thu Mar 16 16:01:56 1995
From: Satan@nsa.com (by way of vin@shore.net (Vin McLellan))
Date: 15 Mar 1995 05:34:57 GMT
To: firewalls@greatcircle.com
Subject: Satan Newstory <------- enjoy
Newsgroups: alt.2600
Organization: Festering boils of America

Pardon to Knight Ridder. This copyrighted material is already in widespread circulation, posted internationally by an unknown person. I'm just rerouting the dataflow slightly, not initiating it. _vbm>

__ alt.2600 posting follows __

Here's a newstory ripped from *some* online newsservice.. enjoy. (Nameless)

*****************************************************************************

6:13 Computer program that probes networks' security risks causes uproar

SAN JOSE, Calif. _ Satan is coming to the Internet _ and may create havoc on computer networks around the world. The devilish software, due to be released on April 5, probes for hidden flaws in computer networks that make them vulnerable to intruders.
The tool could be used by mischievous pranksters or serious espionage agents to attack and penetrate the computer networks of large corporations, small businesses _ or even military and government installations. That is not its intended use. Satan was designed to help computer network administrators plug security holes before the crackers find them. But intruders and hackers will find Satan an easy-to-use, automated and extremely powerful tool for identifying and exploiting a network's weaknesses. For the first time, cracking computer security will require no special technical skills and will be as easy as surfing the Internet. The exclusive fraternity of computer crackers will be democratized and expanded to include thousands of new members. That prospect has alarmed members of the computer establishment, who have used everything from gentle persuasion to strident denunciation to try to prevent the software's release. They predict the release of Satan will lead to a rash of computer break-ins and discourage new users and information providers from connecting to the Internet because of security fears. None of the arguments have swayed the authors of the program, Dan Farmer, now the ''network security czar'' of Silicon Graphics Inc. in Mountain View, Calif., and Wietse Venema, his Dutch collaborator. The pair intend to release the software, free and without copying restrictions, on April 5. ''Unfortunately, this is going to cause some serious damage to some people,'' said Farmer, who demonstrated the software last week in his San Francisco apartment while Death, one of his four cats, looked on. ''I'm certainly advocating responsible use, but I'm not so naive to think it won't be abused. ''But once you bite into the apple, it's hard to go back.'' Farmer, 32, is a staunch advocate for the free flow of information. In his view, Satan will help harried network administrators identify and correct security flaws that intruders would have discovered over time anyway. 
''Satan is a classic double-edged sword,'' said Steve Bellovin, a senior researcher at AT&T Corp.'s Bell Laboratories. ''You can use it to defend yourself or you can use it to attack. The tool doesn't know the difference.'' Critics say Farmer's approach is dangerously idealistic. They say flaws always will be a part of computer networks and with Satan, hackers can find the holes before fixes can be made. ''It's an extremely dangerous tool,'' said Donn Parker, a veteran computer security consultant with SRI International in Menlo Park, Calif. ''I think we're on the verge of seeing the Internet completely wrecked in a sea of information anarchy. ''It's like distributing high-powered rocket launchers throughout the world, free of charge, available at your local library or school, and inviting people to try them out by shooting at somebody,'' Parker said. Parker advocates destroying every copy of Satan. ''It shouldn't even be around on researchers' disks,'' he said. It may already be too late for that. Farmer said the notorious hacker Kevin Mitnick broke into his computer and grabbed an early copy of Satan during a widely publicized Internet crime spree last month. Mitnick's copy itself then was copied at least several times. Farmer said he didn't try to protect the security of Satan because he intended to give it away anyway. Farmer, whose wavy red hair falls well below his shoulders, said he has no interest in making money from his product. ''I already make lots of money,'' he said. ''I wrote this because I was curious.'' That kind of thinking makes Farmer difficult for old-guard computer experts to fathom. 
When he was criticized for the provocative name for the software _ Satan is an acronym for Security Administrator Tool for Analyzing Networks _ he quickly wrote a companion program (called Repent) that finds all references to ''Satan'' and changes them to ''Santa.'' The program works just the same when it is known as Security Analysis Network Tool for Administrators. Supporters say Satan will enable administrators to improve the security of their systems without high-priced consultants and that over time, the Internet will become a safer communications system. ''Having good tools out there will in the long term make it more secure, '' said Glenn Tenney, a San Mateo, Calif., software consultant. ''Living with the illusion of security is much worse.'' Satan uses the Mosaic-type graphical interface developed for the World Wide Web to guide users through a series of menus for analyzing networks. Users simply type in the name of the network to be analyzed. The networks can be scanned by type, or degree, of vulnerability, or by the number of separate flaws. Users can select a light scan, a moderate scan or what Farmer calls ''an all-out call to arms.'' In describing the program, Farmer repeatedly caught himself using the word ''attack,'' and would then correct himself with the more acceptable term, ''probe.'' ''It goes out and discovers, for example, a Sun (Microsystems) computer, running a send-mail program and using a certain operating system release and then it says, 'Oh, I can break into that machine,''' he said. ''This takes almost all of the manual labor out of it.'' Farmer, who once worked for the Computer Emergency Response Team at Carnegie-Mellon University in Pittsburgh, developed Satan in his off-hours in his three years as network security chief at Sun Microsystems Inc. During that time, he worked extensively with his good friend Tsutomu Shimomura, the San Diego computer security expert who played a key role in Mitnick's capture. 
''They were like two people who had day jobs and at night were a jazz duo,'' said John Gage, chief of Sun's science office. ''That's what they are, artists together, creating new things.'' Last year, Farmer said he and Shimomura both were approached by the National Security Agency, to work on Satan and other projects. Farmer said the project's funding ran into bureaucratic obstacles and he accepted an offer at Silicon Graphics instead. He said he's prepared for the controversy that is likely to intensify as Satan's release date nears. He cites the ancient Chinese strategist Sun Tzu, author of the ''The Art of War.'' ''The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him,'' Sun Tzu wrote. X X X (Photo available from KRT Photo Service; call 202-383-6099. Photos move on KRT Photo Service and are posted to the ''KRT Daily Photos'' icon in category folder on PressLink the day the story moves. One week after transmission, archive photos are available via keyword search in the KRT Photo Archive on PressLink; call (800) 435-7578 or (202) 383-6099.) 
KNIGHT-RIDDER-WASHINGTON--03-08-95 0834EST -0-
By David Bank, Knight-Ridder Newspapers

End of story, for list:

From firewalls-owner Thu Mar 16 16:31:57 1995
From: wallynet@panix.com (Walter F. InterNetman)
Date: Thu, 16 Mar 1995 19:10:29 -0500
To: westokes@dcss.com
Cc: davey@alpha.fdu.edu
Subject: DECUS UUCP VS. TGV TCP/IP (SMTP only) & Cisco 9.21 as a FW VS. SEAL
Message-Id: <199503170010.TAA01797@panix3.panix.com>

Hi:

I would like to find a white paper that discusses these three solutions with respect to the potential penetration issues when connecting to the Internet. If you have one, know of one or where to get one, shout... If you have a suggestion of where to find base documents to write one, please let me know as soon as you have a chance.

The implementation is to be on a VAX 8820 and must include access to email from All-in-1. No other web services will be executed across this link. You may repost this message if you think it might help.
Thanx,
--- Walt 212.435.4196

From firewalls-owner Thu Mar 16 18:32:15 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA28260 for firewalls-outgoing; Thu, 16 Mar 1995 18:05:28 -0800 Received: (mcb@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA28249 for firewalls; Thu, 16 Mar 1995 18:05:25 -0800 Message-Id: <199503170205.SAA28249@miles.greatcircle.com> From: mcb@greatcircle.com (Michael C. Berch) Date: Thu, 16 Mar 1995 18:05:25 +0000 X-Mailer: Mail User's Shell (7.2.5 10/14/92) To: firewalls Subject: ADMIN: Duplicate messages Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Several people have noticed duplicate messages on Firewalls; the problem was due to someone's "filter" program regurgitating messages back to the list. The address has been removed.

-- Michael C.
Berch Postmaster and List Manager, Great Circle Associates mcb@greatcircle.com From firewalls-owner Thu Mar 16 19:02:07 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA28298 for firewalls-outgoing; Thu, 16 Mar 1995 18:07:35 -0800 Received: from sgi.sgi.com (SGI.COM [192.48.153.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA28293 for ; Thu, 16 Mar 1995 18:07:31 -0800 Received: from sgihub.corp.sgi.com by sgi.sgi.com via ESMTP (950221.405.SGI.8.6.10/910110.SGI) for <@sgi.sgi.com:Firewalls@GreatCircle.COM> id SAA03298; Thu, 16 Mar 1995 18:04:17 -0800 Received: from mti.mti.sgi.com by sgihub.corp.sgi.com via SMTP (940519.SGI.8.6.9/911001.SGI) for <@sgi.com:Firewalls@GreatCircle.COM> id SAA18389; Thu, 16 Mar 1995 18:04:12 -0800 Received: from isdn-jumper.mti.sgi.com by mti.mti.sgi.com via SMTP (931110.SGI/911001.SGI) for @sgi.com:Firewalls@GreatCircle.COM id AA07836; Thu, 16 Mar 95 18:04:07 -0800 Received: by jumper.mti.sgi.com (931110.SGI/911001.SGI) for @mti.mti.sgi.com:Firewalls@GreatCircle.COM id AA01520; Thu, 16 Mar 95 18:04:12 -0800 Date: Thu, 16 Mar 95 18:04:12 -0800 Message-Id: <9503170204.AA01520@jumper.mti.sgi.com> Subject: "Re: End-to-end Encryption and CERT" From: "The Filter of jcw@jumper" To: Firewalls@GreatCircle.COM X-Filtered-By: filter, version 2.4 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -- Begin filtered message -- From firewalls-owner@GreatCircle.COM Thu Mar 16 18:03:53 1995 Received: from skyking.skyking.com by jumper.mti.sgi.com via SMTP (931110.SGI/911001.SGI) for /usr/local/bin/filter -o /user/jcw/.elm/filter-errors id AA01514; Thu, 16 Mar 95 18:03:53 -0800 Received: from GreatCircle.COM by skyking.skyking.com via UUCP (931110.SGI/911001.SGI) for jcw@jumper.mti.sgi.com id AA13660; Thu, 16 Mar 95 17:59:07 -0800 Received: from GreatCircle.COM by sgiblab.sgi.com via UUCP (950215.SGI.8.6.10/911001.SGI) id RAA12188; Thu, 16 Mar 1995 17:47:10 -0800 Received: from 
relay1.UU.NET by uucp-gw-2.pa.dec.com (5.65/vix-uugw2-4apr92) id AA06279; Thu, 16 Mar 95 17:36:09 -0800 Received: from miles.greatcircle.com by relay1.UU.NET with ESMTP id QQyhjp15155; Thu, 16 Mar 1995 20:23:07 -0500 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA22349 for firewalls-outgoing; Thu, 16 Mar 1995 11:44:37 -0800 Received: from wc11.wl.aecl.ca (wc11.wl.aecl.ca [132.225.64.31]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA22344 for ; Thu, 16 Mar 1995 11:44:34 -0800 Received: from wu1.wl.aecl.ca by wl.aecl.ca (PMDF V4.2-14 #3601) id <01HO7F02N9E89OD7BW@wl.aecl.ca>; Thu, 16 Mar 1995 13:41:11 CDT Received: by wu1.wl.aecl.ca (5.65/1.1.3.6 (2-Jun-93)) id AA15337; Thu, 16 Mar 1995 13:40:37 -0600 Date: Thu, 16 Mar 1995 13:40:36 -0600 (CST) From: system PRIVILEGED account Subject: Re: End-to-end Encryption and CERT In-Reply-To: <199501260036.QAA01793@miles.greatcircle.com> To: Dave Barrett Cc: Firewalls@GreatCircle.COM Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Transfer-Encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Wed, 25 Jan 1995, Dave Barrett wrote:
> I've been using a program I wrote called deslogin which I last released
> on ftp.uu.net about six months ago. The recent CERT advisory has caused a
> flood of inquiries to me about my program and I'm preparing a new release
> as a result.

How difficult would it be to graft the rsh daemon/client into the encryption routines of deslogin? I have a copy of deslogin, but I have not had time to attempt to compile it on an Alpha OSF/1 v3.0 box. Does deslogin use a public and private key(s)?
-- End of filtered message --

From firewalls-owner Thu Mar 16 20:32:03 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA00309 for firewalls-outgoing; Thu, 16 Mar 1995 20:10:21 -0800 Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id UAA00304 for ; Thu, 16 Mar 1995 20:09:51 -0800 Message-Id: <199503170409.UAA00304@miles.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.15/16.2) id AA134633203; Fri, 17 Mar 1995 14:06:43 +1000 From: Darren Reed Subject: Internet Packet Filter for SunOS 4.1.x/xBSD To: firewalls@greatcircle.com Date: Fri, 17 Mar 1995 14:06:42 +1000 (EST) X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 1990 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Internet Packet Filter for SunOS 4.1.x/NetBSD/FreeBSD
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'd like to announce the most recent results of my efforts in writing an IP packet filter for Unix servers/workstations.

Why would you need it ?

* Allows you to protect your subnets against IP spoofing (the most recent `attack' against as used by Kevin Mitnick) where you have Unix doing IP routing;
* Allows you to build a firewall using your existing SunOS/*BSD setup without needing to purchase expensive software/hardware.
Recent featurisms added include:

* optional returning ICMP error packets for "blocked" packets (a per-rule option, allowing some rules to block packets silently and others with a returned ICMP packet);
* "short" TCP packets (which can be deficient in various TCP header details) can be filtered out - short UDP/ICMP packets are just dropped and logged as a matter of course - by default "short" packets are NOT checked against port values/TCP flags;
* fragmented IP packets can be selectively filtered;
* TCP/UDP packets can be grouped together for filtering on ports;
* ipftest (largely as yet undocumented :/) will read in either tcpdump/etherfind output (text) or snoop binary output (see recent RFC) and apply a ruleset against each IP packet found therein; (good for testing your rules before you "commit" yourself)
* The "log reader", which reads the log "output device", has been updated to show which rule and the result (block/pass/log) of the filtering at the stage it was logged. Also, ICMP headers are now expanded out properly.

How do I get it to work ?

* Follow the instructions on installing the kernel patches, rebuild your kernel and use "modload" to load the packet filter. From there on, it is up to you and what you want to do with it.

Where can I get it to check out ?
coombs.anu.edu.au:/pub/net/kernel/ip_fil2.5.tar.Z
coombs.anu.edu.au:/pub/net/kernel/ip_fil2.5.tar.gz

Cheers, Darren

From firewalls-owner Thu Mar 16 21:32:03 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA01183 for firewalls-outgoing; Thu, 16 Mar 1995 21:26:32 -0800 Received: from sealex.kaman.com (sealex.kaman.com [199.29.132.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id VAA01178 for ; Thu, 16 Mar 1995 21:26:29 -0800 Received: by sealex.kaman.com (5.65/fma-120691); id AA04185; Fri, 17 Mar 1995 00:22:15 -0500 Received: by utica1.kaman.com (4.1/1.34/Kaman-1.2) id AA04500; Fri, 17 Mar 95 00:24:59 EST Date: Fri, 17 Mar 95 00:24:59 EST Message-Id: <9503170524.AA04500@utica1.kaman.com> Reply-To: Mark Costello From: Mark Costello To: firewalls@greatcircle.com Subject: Re: chroot httpd Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Date: Thu, 9 Mar 1995 22:52:28 -0600 (CST)
> From: Ken Hardy
>
> On Thu, 9 Mar 1995, Paul Dodd wrote:
>
> > The CERN httpd doesn't seem to do a chroot when it starts up. Is there a
> > publicly available daemon that does, or a list of instructions on how
> > to easily change the source on some httpd to force a chroot?
>
> /usr/sbin/chroot /jails/httpd /bin/httpd -r /configs/httpd.conf
>
> where /bin/httpd and /configs/httpd.conf are really /jails/httpd/bin/httpd
> and /jails/httpd/configs/httpd.conf. Location of chroot(1) may vary.

I've done that with NCSA httpd and I get the following error:

httpd: could not get socket
socket: Bad file number

and then it quits, any ideas?
Regards, Mark

From firewalls-owner Thu Mar 16 21:52:04 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA01167 for firewalls-outgoing; Thu, 16 Mar 1995 21:21:59 -0800 Received: from jma.com (jma.com [192.159.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id VAA01162 for ; Thu, 16 Mar 1995 21:21:56 -0800 Received: by jma.com id <23840>; Thu, 16 Mar 1995 21:20:58 -0800 Subject: Re: IP address re-mapping From: John Mayes To: paul@toploguk.co.uk (Paul Crossley) Date: Thu, 16 Mar 1995 21:20:48 -0800 Cc: firewalls@GreatCircle.COM In-Reply-To: <9503161313.aa13243@gateway.toploguk.co.uk> from "Paul Crossley" at Mar 16, 95 05:13:17 am MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 808 Message-Id: <95Mar16.212058pst.23840@jma.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Our Private Internet Exchange provides full dynamic and static Network Address Translation along with super easy to configure firewalling of your private IP network. It runs a real-time operating system based on the concepts of Plan-9 and is implemented with simplicity and performance in mind. So as not to burn bandwidth, I'll keep it short. Check www.translation.com for more info.

John Mayes
Network Translation, Inc.
jcm@translation.com

> Does anyone out there know whether FW-1 is capable of remapping IP addresses
> as packets come through and if not whether there are any products out there
> that will allow this.
> My apologies in advance if this is felt to be an inappropriate question
> for this forum but if it is then maybe someone can re-direct me.
> Thanks for your help
> P Crossley

From firewalls-owner Fri Mar 17 00:06:48 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA04295 for firewalls-outgoing; Thu, 16 Mar 1995 23:44:59 -0800 Received: from sealex.kaman.com (sealex.kaman.com [199.29.132.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id XAA04290 for ; Thu, 16 Mar 1995 23:44:56 -0800 Received: by sealex.kaman.com (5.65/fma-120691); id AA04775; Fri, 17 Mar 1995 02:40:42 -0500 Received: by utica1.kaman.com (4.1/1.34/Kaman-1.2) id AA05244; Fri, 17 Mar 95 02:43:25 EST Date: Fri, 17 Mar 95 02:43:25 EST Message-Id: <9503170743.AA05244@utica1.kaman.com> Reply-To: Mark Costello From: Mark Costello To: firewalls@greatcircle.com Subject: SUMMARY: chroot httpd for Solaris 2.4 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Date: Fri, 17 Mar 95 00:24:59 EST
From: Mark Costello

>> /usr/sbin/chroot /jails/httpd /bin/httpd -r /configs/httpd.conf
>>
>> where /bin/httpd and /configs/httpd.conf are really /jails/httpd/bin/httpd
>> and /jails/httpd/configs/httpd.conf. Location of chroot(1) may vary.
>
> I've done that with NCSA httpd and I get the following error:
>
> httpd: could not get socket
> socket: Bad file number
>
> and then it quits, any ideas?
I needed to provide a set of files under /jails/httpd to make it work:

dev/tcp
dev/ticots
dev/udp
dev/ticlts
dev/ticotsord
dev/zero
etc/group
etc/nsswitch.conf
etc/shadow
etc/netconfig
etc/passwd
usr/lib/ld.so.1
usr/lib/libintl.so.1
usr/lib/libw.so.1
usr/lib/nss_files.so.1
usr/lib/libc.so.1
usr/lib/libnsl.so.1
usr/lib/libdl.so.1
usr/lib/libsocket.so.1

Thanks to G.Steer@as02.bull.oz.au (Geoff Steer) for his suggestions.

Regards, Mark

From firewalls-owner Fri Mar 17 03:02:07 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id CAA07969 for firewalls-outgoing; Fri, 17 Mar 1995 02:54:07 -0800 Received: from gatekeeper.icl.co.uk (gatekeeper.icl.co.uk [192.188.132.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id CAA07964 for ; Fri, 17 Mar 1995 02:53:50 -0800 From: x.gosselin.rea0803@oasis.icl.co.uk Received: by gatekeeper.icl.co.uk (4.1/UNIPALM-VRevision: 1.3@gatekeeper.icl.co.uk) id AA24260; Fri, 17 Mar 95 10:53:33 GMT Received: from unknown(145.227.14.59) by gatekeeper via smap (V1.3mjr) id sma024245; Fri Mar 17 10:53:23 1995 Received: from trojan.oasis.icl.co.uk by ming.oasis.icl.co.uk over SMTP id KAA05871; Fri, 17 Mar 1995 10:52:36 GMT Message-Id: <9503171054.AA08354@getafix.oasis.icl.co.uk> Date: Fri, 17 Mar 95 10:54:24 GMT Reply-To: x.gosselin.rea0803@oasis.icl.co.uk Subject: FAQ To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Can someone send me the FAQ in text format? I've tried to get them via ftp but I only received them in encoded format and I have nothing to read this format.
Thanks a lot
Xavier

From firewalls-owner Fri Mar 17 07:40:58 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA10849 for firewalls-outgoing; Fri, 17 Mar 1995 07:12:20 -0800 Received: from gategn.telecom.ptt.nl (gategn.telecom.ptt.nl [193.79.184.15]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA10844 for ; Fri, 17 Mar 1995 07:12:01 -0800 Received: by gategn.telecom.ptt.nl (4.1/SMI-4.1) id AA10067; Thu, 16 Mar 95 18:25:50 GMT Message-Id: <9503161612.AA18641@hdxu03.telecom.ptt.nl> X-Sender: mosse001@mailgate X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 16 Mar 1995 16:23:44 +0100 To: firewalls@GreatCircle.COM From: P.vanMossel@telecom.ptt.nl Subject: RE: Lotus Notes Encryption Methods Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

| I have been looking at the methods used by Lotus Notes to do encryption on
| its mail transfers. It seems to use RC4 (Rivest Cipher) for domestic
| communications and RC2 for international communications.
|
| In the tech notes that I have, it would seem that RC2 uses a 128bit key and
| RC4 uses a 256bit key.
|
| Both these keys seem rather small in comparison to something like PGP's 1028bit key.
|
| Is this a valid concern/criticism?

Not compared to the keylength of 40 bits that AFAIK is being used for exported products...

---------------------------------------------------------------------
drs. Paul van Mossel | Telephone : +31 50 852238
PTT Telecom BV | Telefax : +31 50 852240
I&AT | E-mail : P.vanMossel@telecom.ptt.nl
P.O. Box 188 | DISCLAIMER: This statement is not an official
NL-9700 AD Groningen | statement from, nor does it represent an,
The Netherlands | official position of, PTT Telecom B.V.
---------------------------------------------------------------------
X400 address: /c=NL/admd=400NET/prmd=PTT Telecom/s=van Mossel/I=P
---------------------------------------------------------------------

From firewalls-owner Fri Mar 17 10:33:35 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA13665 for firewalls-outgoing; Fri, 17 Mar 1995 10:02:08 -0800 Received: from wc11.wl.aecl.ca (wc11.wl.aecl.ca [132.225.64.31]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA13655 for ; Fri, 17 Mar 1995 10:01:51 -0800 Received: from wu1.wl.aecl.ca by wl.aecl.ca (PMDF V4.2-14 #3601) id <01HO8PN3BZJ49ODAAP@wl.aecl.ca>; Fri, 17 Mar 1995 11:56:52 CDT Received: by wu1.wl.aecl.ca (5.65/1.1.3.6 (2-Jun-93)) id AA28766; Fri, 17 Mar 1995 11:56:14 -0600 Date: Fri, 17 Mar 1995 11:56:13 -0600 (CST) From: Erik Lindquist Subject: What to do about the impending release of SATAN? To: firewalls@greatcircle.com Cc: smb@research.att.com, padgett@tccslr.dnet.mmc.com, ciac@llnl.gov, 8lgm@bagpuss.demon.co.uk, dan@fish.com, cert@cert.org Reply-to: Erik Lindquist Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; CHARSET=US-ASCII Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Over the last four months I have attempted to assess and document the ease of availability to network analysis (diagnostic/security/hacking) tools and information on the Internet. Much to my chagrin, I found that there are sufficient tools to both greatly improve general network security as well as severely handicap even some of the most secure establishments -- without the release of SATAN.

I appreciate those organizations that are committed to full disclosure so that administrators can not only patch problems -- they can understand them and be more proactive in their administration. But I also understand the grave consequences that can have on unprepared facilities by less scrupulous administrators/hackers.
I look forward to an automated network analysis tool, but I also want to make sure our network is prepared for it. Having said that, what are some realistic actions to be taken in lieu of the release of SATAN.

Also I would like to get some sort of feel for the learning curve required to effectively implement and use SATAN in a proper administrative role, how it might be integrated into the day to day tasks, and the capital/time investment required in terms of internal maintenance.

Any comments or recommendations are greatly appreciated.

Erik

Erik Lindquist
Systems Administrator
AECL Whiteshell Laboratories
VOICE: (204) 753-2311x3145
FAX: (204) 753-2455
E-mail: lindquie@wu1.wl.aecl.ca

From firewalls-owner Fri Mar 17 11:31:57 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA14684 for firewalls-outgoing; Fri, 17 Mar 1995 11:02:51 -0800 Received: from mickey.jsc.nasa.gov (mickey.jsc.nasa.gov [139.169.132.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA14679 for ; Fri, 17 Mar 1995 11:02:48 -0800 From: horn@mickey.jsc.nasa.gov Received: from janus.jsc.nasa.gov by mickey.jsc.nasa.gov (5.65c/ISL-ser-1.1) id AA17352; Fri, 17 Mar 1995 13:00:24 -0600 Received: by janus.jsc.nasa.gov (5.65c/ISL-cli-1.1) id AA09979; Fri, 17 Mar 1995 13:00:24 -0600 Received: from arsd.jsc.nasa.gov(139.169.132.8) by janus.jsc.nasa.gov via smap (V1.3) id sma009977; Fri Mar 17 13:00:21 1995 Received: by arsd.jsc.nasa.gov (5.65c/ISL-cli-1.1) id AA13738; Fri, 17 Mar 1995 13:00:20 -0600 Message-Id: <199503171900.AA13738@arsd.jsc.nasa.gov> Subject: passive mode FTP clients To: firewalls@greatcircle.com Date: Fri, 17 Mar 1995 13:00:20 -0600 (CST) X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length:
435 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello, I'm looking for FTP clients that will do passive mode initiation of the FTP data channel. I've got one for Unix already. But I'd like one for our PC's and Macs that are sitting behind a packet filtering firewall. Could anyone give me a pointer to such clients?

Thanks,
-- Mark Horn (sparkie)
horn@mickey.jsc.nasa.gov
http://tommy.jsc.nasa.gov/~horn
mark.horn1@jsc.nasa.gov

From firewalls-owner Fri Mar 17 11:59:54 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA15105 for firewalls-outgoing; Fri, 17 Mar 1995 11:25:17 -0800 Received: from relay.tis.com (relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA15100 for ; Fri, 17 Mar 1995 11:25:14 -0800 Received: from mailhub.tis.com(192.33.112.100) by relay.tis.com via smap (a1.4) id sma009076; Fri Mar 17 14:16:00 1995 Received: from (illuminati.tis.com) by tis.com (4.1/SUN-5.64) id AA08511; Fri, 17 Mar 95 14:16:27 EST Received: by (4.1/illuminati) id AA11763; Fri, 17 Mar 95 14:22:05 EST From: "Marcus J. Ranum" Message-Id: <11763.9503171922@illuminati> Subject: Re: What to do about the impending release of SATAN? To: lindquie@wu1.wl.aecl.ca Date: Fri, 17 Mar 1995 14:22:05 -0500 (EST) Cc: firewalls@greatcircle.com, smb@research.att.com, padgett@tccslr.dnet.mmc.com, ciac@llnl.gov, 8lgm@bagpuss.demon.co.uk, dan@fish.com, cert@cert.org In-Reply-To: from "Erik Lindquist" at Mar 17, 95 11:56:13 am Organization: Trusted Information Systems, Inc. Glenwood, MD Phone: 301-854-6889 Coredump: Infocalypse Now!!! Content-Type: text Content-Length: 965 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>Also I would like to get some sort of feel for the learning curve required
>to effectively implement and use SATAN in a proper administrative role,
>how it might be integrated into the day to day tasks, and the capital/time
>investment required in terms of internal maintenance.
Well, setting SATAN up from the prerelease kit took me about one minute. I did have to have perl5 built on my machine first, which took about an hour, but it's safe to assume that setting SATAN up is a low maintenance type activity. It's got some nice functionality for keeping track of where it's been and what it's seen, so I believe it will in fact make a very valuable administrator's tool. SATAN is going to get people's noses out of joint in a pretty major way, I'm sure. Not because it's anything that a good cracker's toolkit doesn't already have, but because it's going to pull people's heads out of the sand where they've been sticking them. People hate that. mjr. From firewalls-owner Fri Mar 17 12:03:05 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA15098 for firewalls-outgoing; Fri, 17 Mar 1995 11:24:29 -0800 Received: from gateway.sequent.com (gateway.sequent.com [138.95.18.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA15093 for ; Fri, 17 Mar 1995 11:24:25 -0800 Received: from [138.95.14.34] by gateway.sequent.com (5.61/1.34) id AA28815; Fri, 17 Mar 95 11:21:50 -0800 Received: from ushqgw0a.sequent.com by relay1.sequent.com (5.65/crg/11) id AA03379; Fri, 17 Mar 95 11:22:01 -0800 Received: by ushqgw.sequent.com with Microsoft Mail id <2F69E1AB@ushqgw.sequent.com>; Fri, 17 Mar 95 11:23:23 PST From: "Ned Smith (nedbob)" To: "'Firewalls Alias(firewalls@greatcircle.com)'" Subject: RE: What to do about the impending release of SATAN? Date: Fri, 17 Mar 95 11:21:00 PST Message-Id: <2F69E1AB@ushqgw.sequent.com> Encoding: 56 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Indeed! I think it is safe to assume the miscreants already have SATAN and are engaged in using it to find sites that are exposed. I suspect they're interested in surgically implanting backdoors that can be exploited later - even after increased security measures have been put in place? 
Regards, Ned Smith nedbob@sequent.com ---------- |From: firewalls-owner |To: firewalls |Cc: smb; padgett; ciac; 8lgm; dan; cert |Subject: What to do about the impending release of SATAN? |Date: Friday, March 17, 1995 11:56AM | |------------------------------------------------------------------- |Over the last four months I have attempted to assess and document the |ease of availability to network analysis (diagnostic/security/hacking) |tools and information on the Internet. Much to my shgrin, I found that |there are sufficient tools to both greatly improve general network security |as |well as severely handicap even some of the most secure establishments -- |without the release of SATAN. | |I appreciate those organizations that are committed to full disclosure so |that administrators can not only patch problems -- they can understand |them and be more proactive in their administration. But I also |understand that grave consequences that can have on unprepared facilities |by less scrupulous adaministrators/hackers. | |I look forward to an automated network analysis tool, but I also want to |make sure our network is prepared for it. Having said that, what are some |realistic actions to be taken in lieu of the release of SATAN. | |Also I would like to get some sort of feel for the learning cure required |to effectively implement and use SATAN in a proper administrative role, |how it might be integrated in to the day to day tasks, and the capital/time |investment required in terms of internal maintenance. | |Any comments or recommendations are greatly appreciated. 
| | |Erik | ____ _____ _______ __ Erik Lindquist | / _ | / ___/ / _____/ / / Systems Administrator | / /_| | / /__ / / / / AECL Whiteshell Laboratories | / __ | / ___/ / / / / VOICE: (204) 753-2311x3145 | / / | | / /____ / /_____ / /_____ FAX: (204) 753-2455 |/_/ |_| /______/ /_______/ /________/ E-mail: lindquie@wu1.wl.aecl.ca | | | | From firewalls-owner Fri Mar 17 12:52:57 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA15752 for firewalls-outgoing; Fri, 17 Mar 1995 11:57:09 -0800 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA15747 for ; Fri, 17 Mar 1995 11:57:04 -0800 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA09221; Fri, 17 Mar 95 14:33:05 -0500 Date: Fri, 17 Mar 95 14:33:05 -0500 Message-Id: <9503171933.AA09221@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "lindquie@wu1.w1.aecl.ca"@UVS1.dnet.mmc.com Cc: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: Haquer Tools Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Much to my shgrin, I found that >there are sufficient tools to both greatly improve general network security as >well as severely handicap even some of the most secure establishments -- >without the release of SATAN. Very true, and all of the tools to build more. >But I also >understand that grave consequences that can have on unprepared facilities >by less scrupulous adaministrators/hackers. Is inevitable. >I look forward to an automated network analysis tool, but I also want to >make sure our network is prepared for it. Having said that, what are some >realistic actions to be taken in lieu of the release of SATAN. Put a machine on the outside of the net and pick a machine known to have extensive services available. See if you can make connection on any. 
Set up a batch file to Ping every address on your subnet and see what responds (first one I wrote used a desktop PC, Waterloo PING in debug mode, and a short QuickBasic routine to increment addresses). Since net responses are typically much longer than machine cycles (microseconds vs milliseconds) a batch or script file encapsulating known processes does not hurt. Dunno what Fred was doing but was really not a bad idea if you really really trust outsiders to find everything & tell all they find. (What a good security program really comes down to: TRUST - of the system and of the people running it.) >Also I would like to get some sort of feel for the learning cure required >to effectively implement and use SATAN in a proper administrative role, >how it might be integrated in to the day to day tasks, and the capital/time >investment required in terms of internal maintenance. Well what I saw some time ago, it was a collection of scripts that generated a report, just point and shoot. Understand that the latest one is much better (easier) to use but have not asked for it. The real key is to have a good security policy and enforcement in the first place, things like this are just good to test it and then will only test what you tell it to. No software is going to be able to find/fix as many potential holes as a person who really understands YOUR system. I can give a general guideline: if an outsider can run a "daemon pinger" or random FINGERs against your system *without them being noticed/reported*, you have a real problem. An easy answer is a "mine field" - a collection of dumb PCs assigned random IP addresses that do nothing but capture/alarm *any* packets addressed to them. - could just do it with one in the right place having a creative mask. Would make it difficult for an outsider to reconoiter your site undetected and anonymity is something they rely on. (Yes, I know about spoofing. Most intruders do not bother & detection of "most" is a Good Thing. 
Warmly, Padgett From firewalls-owner Fri Mar 17 13:21:16 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA16308 for firewalls-outgoing; Fri, 17 Mar 1995 12:23:46 -0800 Received: from crash.cts.com (crash.cts.com [192.188.72.17]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA16303 for ; Fri, 17 Mar 1995 12:23:43 -0800 Received: from kelcom by crash.cts.com with uucp (Smail3.1.28.1 #18) id m0rpiWT-0001UCC; Fri, 17 Mar 95 12:21 PST Date: Fri, 17 Mar 1995 11:49:55 -0800 (PST) From: Ron Kelley To: firewalls@greatcircle.com Subject: Policy Statement Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk RE: Internet Access Policy If any organization has what they consider a good Policy Statement in this area, I'd like to see it. I've reviewed a good number of policies from neighboring organizations, but a significant number of them lack substance. Even local service providers are somewhat weak in this area. ----------------------- Ron Kelley 3119 Old Bridgeport Way San Diego, CA 92111 (619) 278-1291 kelro@cts.com ----------------------- From firewalls-owner Fri Mar 17 13:32:44 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA17588 for firewalls-outgoing; Fri, 17 Mar 1995 13:18:52 -0800 Received: from oxygen.house.gov (oxygen.house.gov [137.18.128.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA17583 for ; Fri, 17 Mar 1995 13:18:48 -0800 Received: by oxygen.house.gov (AIX 3.2/UCB 5.64/3.2.083191-) id AA26896; Fri, 17 Mar 1995 16:15:59 -0500 From: dorian@oxygen.house.gov (Dorian Deane) Message-Id: <9503172115.AA26896@oxygen.house.gov> Subject: Re: What to do about the impending release of SATAN? To: mjr@tis.com (Marcus J. Ranum) Date: Fri, 17 Mar 1995 16:15:59 -0500 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: <11763.9503171922@illuminati> from "Marcus J. 
Ranum" at Mar 17, 95 02:22:05 pm X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 320 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Well, setting SATAN up from the prerelease kit took me about one > minute. I did have to have perl5 built on my machine first, which took Is it safe to say, then, that you trusted the code and the machine it came from to run it without first reading through it? ;-/ (that's supposed to be a semi-smiley). dorian From firewalls-owner Fri Mar 17 13:47:19 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA16712 for firewalls-outgoing; Fri, 17 Mar 1995 12:39:39 -0800 Received: from covina.lightside.com (covina.lightside.com [198.81.209.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA16707 for ; Fri, 17 Mar 1995 12:39:34 -0800 Received: from laguna by covina.lightside.com with smtp (Smail3.1.28.1 #6) id m0rpiln-0009WvC; Fri, 17 Mar 95 12:37 PST Message-Id: X-Sender: pkelly@covina.lightside.com X-Mailer: Windows Eudora Version 1.4.3b4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 17 Mar 1995 12:37:15 -0800 To: firewalls@greatcircle.com From: pkelly@nekton.com (Pete Kelly) Subject: Re: What to do about the impending release of SATAN? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Probably the best source for details on SATAN is Dan Farmer himself. He has shared some insight to these questions that Eric asks on his home page at http://www.fish.com/dan.html All of the discussion in the world isn't going to change the fact that SATAN _will_ be released and what happens after that is anyone's guess. Dan does point out that SATAN uses tools that are available today and that most of his probes originate in areas previously described in CERT advisories. Batten down the hatches! 
Later, Pete -- /\ Pete Kelly pkelly@nekton.com / \__/ Nekton Technologies \ / 512 South Vermont Avenue, Glendora, CA 91741-6205 \/ (818) 335-4173 voice (818) 335-2933 fax *** SCSI tape drive sales, repairs, and diagnostic tools *** From firewalls-owner Fri Mar 17 14:53:08 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA00283 for firewalls-outgoing; Fri, 17 Mar 1995 14:09:41 -0800 Received: from gateway.toploguk.co.uk (gateway.toploguk.co.uk [193.119.169.250]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA10120 for ; Fri, 17 Mar 1995 06:16:55 -0800 From: Paul Crossley To: firewalls@greatcircle.com Subject: SCO based fire-walls X-Mailer: ScoMail 1.0 Date: Fri, 17 Mar 1995 13:59:54 +0000 (GMT) Message-ID: <9503171359.aa20605@gateway.toploguk.co.uk> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anyone know of any commercialy available fire-walling products that install under SCO UNIX. ? Thanks for your help (' ') ---------------------------oOO--(_)--OOo--------------------------------- Paul Crossley (paul@toploguk.co.uk) `-_-' Senior Consultant SCO ACE 'U` TopLog Limited TopLog House, Knaves Beech Business Centre, Loudwater, Bucks. 
HP10 9QY Phone (01628) 819444 Fax (01628) 819356 ------------------------------------------------------------------------- From firewalls-owner Fri Mar 17 15:08:28 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA00428 for firewalls-outgoing; Fri, 17 Mar 1995 14:15:31 -0800 Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA00423 for ; Fri, 17 Mar 1995 14:15:28 -0800 Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.10/8.6.9) id QAA11298; Fri, 17 Mar 1995 16:05:58 -0600 Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma011294; Fri Mar 17 16:05:51 1995 Received: from ernie.bridge.com by ignatz.bridge.com with SMTP id AA01608 (5.67b/IDA-1.5); Fri, 17 Mar 1995 16:14:27 -0600 Date: Fri, 17 Mar 1995 16:14:27 -0600 From: Ken Hardy Message-Id: <199503172214.AA01608@ignatz.bridge.com> To: pkelly@nekton.com Subject: Re: What to do about the impending release of SATAN? Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk pkelly@nekton.com (Pete Kelly) sez: > >Probably the best source for details on SATAN is Dan Farmer himself. He has >shared some insight to these questions that Eric asks on his home page at > http://www.fish.com/dan.html > That URL has been refusing my connections all day. What's the [sc|p]oop? Any other source of info that can be recommended? 
-- KH From firewalls-owner Fri Mar 17 15:20:20 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA00284 for firewalls-outgoing; Fri, 17 Mar 1995 14:09:42 -0800 Received: from ocean.bunyip.com (ocean.Bunyip.Com [192.197.208.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA00275 for ; Fri, 17 Mar 1995 14:09:36 -0800 Received: (from delphys@localhost) by ocean.bunyip.com (8.6.9/8.6.9) id RAA01868; Fri, 17 Mar 1995 17:04:43 -0500 Date: Fri, 17 Mar 1995 17:04:42 -30000 From: David Holmes Subject: working pointers to Satan info? To: firewalls@greatcircle.com In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Probably the best source for details on SATAN is Dan Farmer himself. He has > shared some insight to these questions that Eric asks on his home page at > http://www.fish.com/dan.html don't seem to able to get this. does anyone have a list of working sites with info/pointers? 
thanks, --david ________________________________________________________________________ David Holmes Bunyip Information Systems Inc Manager, Operations Montreal, Canada e-mail: delphys@bunyip.com voice: +1 514 875 8611 fax: +1 514 875 8134 From firewalls-owner Fri Mar 17 15:29:35 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA00322 for firewalls-outgoing; Fri, 17 Mar 1995 14:11:58 -0800 Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA18007 for ; Thu, 16 Mar 1995 06:23:55 -0800 Received: from anubis.network.com by nsco.network.com (4.1/1.34) id AA10234; Thu, 16 Mar 95 08:38:13 CST Received: from beldar.network.com by anubis.network.com (4.1/SMI-4.1) id AA02046; Thu, 16 Mar 95 08:21:07 CST From: robp@anubis.network.com (Rob Peglar) Message-Id: <9503161421.AA02046@anubis.network.com> Subject: Re: IP address re-mapping To: paul@toploguk.co.uk (Paul Crossley) Date: Thu, 16 Mar 1995 08:24:21 -0600 (CST) Cc: firewalls@greatcircle.com In-Reply-To: <9503161313.aa13243@gateway.toploguk.co.uk> from "Paul Crossley" at Mar 16, 95 01:13:17 pm X-Mailer: ELM [version 2.4 PL21] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1532 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk NSC routers, with the Packet Control Facility (PCF), can do this: a) by using the action "clone_to". This allows the router to change the IP destination address to , and the IP checksum updated (of course) in a cloned packet. b) by using the actions "ip_stamp_da" and/or "ip_stamp_sa". These two actions change the IP DA and/or SA, and also update the IP, TCP, and/or UDP checksums. the original packet is changed, as opposed to cloned as in a) above. 
Rob > > Does anyone out there know whether FW-1 is capable of remapping IP addresses > as packets come through and if not whether there are any products out there > that will allow this. > > My appologies in advance if this is felt to be an inappropriate quiestion for this > forum but if it is then maybe someone can re-direct me. > > Thanks for your help > P Crossley > > (' ') > ---------------------------oOO--(_)--OOo--------------------------------- > > Paul Crossley (paul@toploguk.co.uk) `-_-' > Senior Consultant SCO ACE 'U` > TopLog Limited > TopLog House, Knaves Beech Business Centre, Loudwater, Bucks. HP10 9QY > Phone (01628) 819444 Fax (01628) 819356 > ------------------------------------------------------------------------- > -- Rob Peglar Network Systems Division, Storage Tech Eagle Inc. Channel Strategic Group 7600 Boone Avenue North robp@network.com Minneapolis MN 55428 (612)424-4888 x1028 From firewalls-owner Fri Mar 17 15:37:26 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA00826 for firewalls-outgoing; Fri, 17 Mar 1995 14:24:28 -0800 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA00746 for ; Fri, 17 Mar 1995 14:24:11 -0800 Received: from all.net by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950108) id NAA27891; Fri, 17 Mar 1995 13:53:55 -0800 From: fc@all.net (Dr. Frederick B. Cohen) Received: by all.net (4.1/3.2.012693-Management Analytics); id AA04035 for firewalls@greatcircle.com; Fri, 17 Mar 95 16:53:44 EST Message-Id: <9503172153.AA04035@all.net> Subject: SATAN To: firewalls@greatcircle.com Date: Fri, 17 Mar 1995 16:53:43 -0500 (EST) X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 394 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The real question is whether the good guys will get the release before the bad guys and how you tell them apart. 
If I had SATAN, you could do tests with it today without having the source available to attackers. Would Dan or someone else provide this servicxe to those of us who would liket to test ourselves so that before the world is able to launch, we can verify our own protection? FC From firewalls-owner Fri Mar 17 15:54:11 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA02942 for firewalls-outgoing; Fri, 17 Mar 1995 15:24:26 -0800 Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA02937 for ; Fri, 17 Mar 1995 15:24:20 -0800 Message-Id: <199503172324.PAA02937@miles.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.15/16.2) id AA256092457; Sat, 18 Mar 1995 09:20:57 +1000 From: Darren Reed Subject: Re: What to do about the impending release of SATAN? To: nedbob@sequent.com (Ned Smith) Date: Sat, 18 Mar 1995 09:20:57 +1000 (EST) Cc: firewalls@greatcircle.com In-Reply-To: <2F69E1AB@ushqgw.sequent.com> from "Ned Smith" at Mar 17, 95 11:21:00 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 704 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In some email I received from Ned Smith, they wrote: > > > Indeed! I think it is safe to assume the miscreants already have SATAN and > are engaged in using it to find sites that are exposed. I suspect they're > interested in surgically implanting backdoors that can be exploited later - > even after increased security measures have been put in place? > > Regards, > Ned Smith > nedbob@sequent.com Or even, maybe they'll close up the security holes that let them in (if they're not easily noticeable) to prevent others from getting in and/or the system admin. from discovering, to his chagrin, that his host has been vulnerable and so doesn't take any steps to look closer for backdoors. 
darren From firewalls-owner Fri Mar 17 16:07:24 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA04298 for firewalls-outgoing; Fri, 17 Mar 1995 15:58:10 -0800 Received: from subzero.winternet.com (subzero.winternet.com [198.174.169.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA04293 for ; Fri, 17 Mar 1995 15:58:05 -0800 Received: by subzero.winternet.com (SunOS Smail3.1.28.1 #5) id m0rplrj-000QlGC; Fri, 17 Mar 95 17:55 CST Date: Fri, 17 Mar 1995 17:55:35 -0600 (CST) From: Ron DuFresne To: Paul Crossley cc: firewalls@greatcircle.com Subject: Re: SCO based fire-walls In-Reply-To: <9503171359.aa20605@gateway.toploguk.co.uk> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 17 Mar 1995, Paul Crossley wrote: > Does anyone know of any commercialy available fire-walling products that > install under SCO UNIX. ? > > Thanks for your help > > (' ') > ---------------------------oOO--(_)--OOo--------------------------------- > > Paul Crossley (paul@toploguk.co.uk) `-_-' > Senior Consultant SCO ACE 'U` > TopLog Limited > TopLog House, Knaves Beech Business Centre, Loudwater, Bucks. HP10 9QY > Phone (01628) 819444 Fax (01628) 819356 > ------------------------------------------------------------------------- > > Paul, I believe that the TIS firewall toolkit can be run under SCO , comes with all the souces so one can do a *make* for just about any enviroment... My best to all, Ron DuFresne ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart testing, only testing, and damn good at it too! 
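Returning to Padgett's "mine field" suggestion earlier in this thread (dumb hosts on unused addresses that alarm on any packet) and his rule of thumb that a daemon pinger or random FINGERs should never go unnoticed: the following is an added illustration, not code from the thread or from SATAN. The address block, the log format, the window and the threshold are all constructed for the example.

```python
from collections import Counter, defaultdict, namedtuple
from ipaddress import ip_address, ip_network

Record = namedtuple("Record", "ts src dst port")

# The "mine field": a constructed block of addresses that is assigned to no
# real machine, so any packet sent into it is unsolicited by definition.
# RFC 5737 TEST-NET-1 space is used here purely as a placeholder.
MINE_FIELD = ip_network("192.0.2.128/25")

# Constructed sample capture in a made-up "seconds src dst dport" format.
# 203.0.113.9 walks the subnet with finger (port 79) and strays into the
# mine field; 198.51.100.4 is an ordinary web client; 203.0.113.77 sends a
# single telnet packet to a decoy address and nothing else.
SAMPLE_LOG = """
# ts    source         destination   dport
0       203.0.113.9    192.0.2.10    25
1       203.0.113.9    192.0.2.11    79
2       203.0.113.9    192.0.2.12    79
3       203.0.113.9    192.0.2.129   79
4       203.0.113.9    192.0.2.130   79
5       203.0.113.9    192.0.2.131   79
900     198.51.100.4   192.0.2.10    80
905     198.51.100.4   192.0.2.10    80
2000    203.0.113.77   192.0.2.200   23
"""


def parse_log(text):
    """Turn the constructed capture format into Record tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        records.append(Record(int(ts), src, dst, int(port)))
    return records


def mine_hits(records, field=MINE_FIELD):
    """Every packet addressed into the mine field is an alarm on its own:
    nothing lives there, so there is no legitimate reason to send to it."""
    return [r for r in records if ip_address(r.dst) in field]


def sweeps(records, window=60, threshold=4):
    """Flag sources that touch `threshold` or more distinct destinations
    within any `window` seconds: the shape of a pinger or finger sweep,
    whether or not it happens to stray into the mine field."""
    by_src = defaultdict(list)
    for r in sorted(records, key=lambda r: r.ts):
        by_src[r.src].append(r)
    flagged = {}
    for src, recs in by_src.items():
        in_window = Counter()   # destination -> packets inside the window
        left = 0
        for r in recs:
            in_window[r.dst] += 1
            while recs[left].ts < r.ts - window:   # slide the window forward
                old = recs[left].dst
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                flagged.setdefault(src, set()).update(in_window)
    return flagged


def report(text):
    """Run both detectors over a capture and summarise what should alarm."""
    recs = parse_log(text)
    return {
        "mine_hits": [(r.ts, r.src, r.dst, r.port) for r in mine_hits(recs)],
        "sweepers": {src: sorted(dsts) for src, dsts in sweeps(recs).items()},
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(key, value)
```

The single stray packet from 203.0.113.77 is reported by the mine field but never by the sweep detector, which is the point of the decoy: one packet to an address that should receive none is enough.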
From firewalls-owner Fri Mar 17 16:12:35 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA03154 for firewalls-outgoing; Fri, 17 Mar 1995 15:29:21 -0800 From: firewalls-owner Received: from chinacat.unicom.com (chinacat.unicom.com [192.108.105.34]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA03149 for ; Fri, 17 Mar 1995 15:29:18 -0800 Date: Fri, 17 Mar 1995 15:29:18 -0800 Message-Id: <199503172329.PAA03149@miles.greatcircle.com> Apparently-To: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk <<< No Message Collected >>> From firewalls-owner Fri Mar 17 16:26:44 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA04557 for firewalls-outgoing; Fri, 17 Mar 1995 16:06:25 -0800 Received: from zang.kcc.hawaii.edu (zang.kcc.hawaii.edu [128.171.105.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA04552 for ; Fri, 17 Mar 1995 16:06:21 -0800 Received: (from mark@localhost) by zang.kcc.hawaii.edu (8.6.9/zang) id OAA04540; Fri, 17 Mar 1995 14:03:25 -1000 From: Mark (Mookie) Message-Id: <199503180003.OAA04540@zang.kcc.hawaii.edu> Subject: Re: SATAN To: fc@all.net (Dr. Frederick B. Cohen) Date: Fri, 17 Mar 1995 14:03:24 -1000 (HST) Cc: firewalls@GreatCircle.COM In-Reply-To: <9503172153.AA04035@all.net> from "Dr. Frederick B. Cohen" at Mar 17, 95 04:53:43 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 641 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >The real question is whether the good guys will get the release before >the bad guys and how you tell them apart. Satan has been "available" and used for over a year. Ive seen releases of it dating back to Jan 94 and have been supplied quarterly updates since then. I havent used it since I dont regard it as being that useful, looks pretty standard stuff actually. The html interface is a nice addition but a tcl/tk one would have been even better. 
In short dont get too excited about it, its just another tool. Anyone could have written the things in it, and the things it does it a duplication of other programs floating around. Mark From firewalls-owner Fri Mar 17 16:37:25 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA04586 for firewalls-outgoing; Fri, 17 Mar 1995 16:07:48 -0800 Received: from eas (eas.frus.com [199.173.156.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA04578 for ; Fri, 17 Mar 1995 16:07:43 -0800 Message-Id: To: fc@all.net Cc: firewalls@greatcircle.com Subject: Re: SATAN Reply-To: estutes@frus.com In-Reply-To: Your message of "Fri, 17 Mar 1995 16:53:43 -0500 (EST)" References: <9503172153.AA04035@all.net> X-Mailer: Mew beta version 0.89 on Emacs 19.28.1 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Fri, 17 Mar 1995 16:04:44 -0800 From: Earl Stutes Sender: firewalls-owner@GreatCircle.COM Precedence: bulk fc said in [SATAN] on Fri, 17 Mar 1995 16:53:43 -0500 (EST) fc> The real question is whether the good guys will get the release before fc> the bad guys and how you tell them apart. fc> fc> If I had SATAN, you could do tests with it today without having the fc> source available to attackers. How can we trust you. You have not even pgp signed your article. Are you really THE Dr. Frederick B. Cohen. fc> Would Dan or someone else provide this fc> servicxe to those of us who would liket to test ourselves so that before fc> the world is able to launch, we can verify our own protection? I think it is more fun to give everybody and even start. If you are a good guy, you get to rush out there and close them holes. If you are a bad guy, how many sites can you trash before the good guys get all the holes plugged up. ;*) I'm sorry, I'll bet you folks don't see the humor in all of this. 
8*( =eas= From firewalls-owner Fri Mar 17 16:55:30 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA04943 for firewalls-outgoing; Fri, 17 Mar 1995 16:15:07 -0800 Received: from sgi.sgi.com (SGI.COM [192.48.153.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA04938 for ; Fri, 17 Mar 1995 16:15:04 -0800 Received: from sgihub.corp.sgi.com by sgi.sgi.com via ESMTP (950221.405.SGI.8.6.10/910110.SGI) id QAA04704; Fri, 17 Mar 1995 16:12:31 -0800 Received: from akira.corp.sgi.com by sgihub.corp.sgi.com via ESMTP (940519.SGI.8.6.9/911001.SGI) id QAA15916; Fri, 17 Mar 1995 16:12:30 -0800 Received: by akira.corp.sgi.com (950215.SGI.8.6.10/930416.SGI) id QAA16548; Fri, 17 Mar 1995 16:12:29 -0800 From: tju@akira.corp.sgi.com (T. Jason Ucker) Message-Id: <9503171612.ZM16546@akira.corp.sgi.com> Date: Fri, 17 Mar 1995 16:12:28 -0800 In-Reply-To: fc@all.net (Dr. Frederick B. Cohen) "SATAN" (Mar 17, 4:53pm) References: <9503172153.AA04035@all.net> X-Mailer: Z-Mail-SGI (3.0S.1026 26oct93 MediaMail) To: fc@all.net (Dr. Frederick B. Cohen), firewalls@greatcircle.com Subject: Re: SATAN Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk And how is "good" and "bad" going to be determined? Just a thought... -- T. Jason Ucker 415.390.3720 Sys Admin/jr Sys Engineer tju@sgi.com SGI Direct On Mar 17, 4:53pm, Dr. Frederick B. Cohen wrote: > Subject: SATAN > The real question is whether the good guys will get the release before > the bad guys and how you tell them apart. > > If I had SATAN, you could do tests with it today without having the > source available to attackers. Would Dan or someone else provide this > servicxe to those of us who would liket to test ourselves so that before > the world is able to launch, we can verify our own protection? >-- End of excerpt from Dr. Frederick B. 
Cohen From firewalls-owner Fri Mar 17 17:07:10 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA05020 for firewalls-outgoing; Fri, 17 Mar 1995 16:17:19 -0800 Received: from zang.kcc.hawaii.edu (zang.kcc.hawaii.edu [128.171.105.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA05013 for ; Fri, 17 Mar 1995 16:17:15 -0800 Received: (from mark@localhost) by zang.kcc.hawaii.edu (8.6.9/zang) id OAA04568; Fri, 17 Mar 1995 14:14:10 -1000 From: Mark (Mookie) Message-Id: <199503180014.OAA04568@zang.kcc.hawaii.edu> Subject: Re: What to do about the impending release of SATAN? To: mjr@tis.com (Marcus J. Ranum) Date: Fri, 17 Mar 1995 14:14:08 -1000 (HST) Cc: lindquie@wu1.wl.aecl.ca, firewalls@GreatCircle.COM, smb@research.att.com, padgett@tccslr.dnet.mmc.com, ciac@llnl.gov, 8lgm@bagpuss.demon.co.uk, dan@fish.com, cert@cert.org In-Reply-To: <11763.9503171922@illuminati> from "Marcus J. Ranum" at Mar 17, 95 02:22:05 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 925 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > SATAN is going to get people's noses out of joint in a pretty >major way, I'm sure. Not because it's anything that a good cracker's >toolkit doesn't already have, but because it's going to pull people's >heads out of the sand where they've been sticking them. People hate that. Yup, its main use will be to bring the general level of security up. This can only be a good thing since its the minions of wannabe's out there that are basically the biggest problem. They get outdated tools and run the scripts and then start doing anti social acts from their newly aquired hosts. I have little respect or time for people who see the net as a place to be irresponsible. If admins do their job, run the satan scripts, fix the holes then the opportunities for the average schmuck will disappear. 
Nothing in the kit is leading edge, but rather its complete enough and vocal enough to help in tightening up domains. Cheers, Mark From firewalls-owner Fri Mar 17 17:20:15 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA05139 for firewalls-outgoing; Fri, 17 Mar 1995 16:20:22 -0800 Received: from diablo.cisco.com (diablo.cisco.com [171.68.235.78]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA05134 for ; Fri, 17 Mar 1995 16:20:19 -0800 Received: (karyn@localhost) by diablo.cisco.com (8.6.10/CISCO.SERVER.1.1) id QAA11523 for firewalls@GreatCircle.COM; Fri, 17 Mar 1995 16:18:41 -0800 From: Karen Pichnarczyk Message-Id: <199503180018.QAA11523@diablo.cisco.com> Subject: Dan Farmer's vacation msg re: SATAN To: firewalls@GreatCircle.COM Date: Fri, 17 Mar 95 16:18:40 PST X-Mailer: ELM [version 2.3 PL11] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dan just updated his vacation message to his account on fish. I'm posting it here so that he doesn't have 10 zillion messages in his inbox when he decides to read mail again. You'd get the same msg if you sent him mail. I edited out his account name because if you don't already know it, then you don't need to. karyn -------------------- Forwarded message: > From [Dan's account] Fri Mar 17 16:11 PST 1995 > Date: Fri, 17 Mar 1995 16:15:14 -0800 > Message-Id: <199503180015.QAA06845@fish.com> > To: karyn@cisco.com > From: [Dan's account] (via software automation) > Subject: away from my mail > > I will probably not be reading your mail for a while; I've got to > release SATAN (don't ask if you don't know) in a few weeks (release date > is april 5th.) Your mail will be read when I get back to my real life. > > T'care - > > -- d > > (no, we don't need any further alpha or beta testers, either. However, > bribes of software or hardware from cool manufacturers or very good > desserts will be carefully consumed and considered in this decision.) 
>
> -----
>
> On April 5th the real thing will go out. I'll
> post copiously where it'll be. If you want to volunteer
> your MASSIVE ftp site, let me know.
>
> Here are some of the current volunteers/locations:
>
> gatekeeper.dec.com:/pub/net/SATAN/
> ftp.cs.ruu.nl:/pub/SECURITY
> ftp.informatik.uni-kiel.de:/pub/sources/security/MIRROR.ftp.win.tue.nl
> ftp.wi.leidenuniv.nl:/pub/security
> ftp.kfki.hu:/pub/util/security/ftp.win.tue.nl
> ftp.demon.co.uk:/pub/mirrors/satan
> ftp.lerc.nasa.gov:/security/satan.tar.Z
>
> -----
> (My coauthor put this out)
> -----
>
> Subject: SATAN release schedule
>
> Here's the release schedule for the SATAN (Security Administrator Tool
> for Analyzing Networks) tool. Below is a summary of what it is about.
>
> February 24
> alpha release to selected expert sites
>
> March 15, 16:00 MET
> beta release to selected major sites
> documentation release to the public
> ftp.win.tue.nl:/pub/security/satan_doc.tar.Z
>
> April 5, 16:00 MET
> first release to the public.
> ftp.win.tue.nl:/pub/security/satan.tar.Z
>
> Mirror site offers are welcome.
>
> Wietse Venema / Dan Farmer
>
> SATAN was written because we realized that computer systems are
> becoming more and more dependent on the network, and at the same time
> becoming more and more vulnerable to attack via that same network.
>
> The rationale for SATAN is given in a paper posted in December 1993
> (ftp.win.tue.nl:/pub/security/admin-guide-to-cracking.101.Z, flat text
> compressed with the UNIX compress command).
>
> SATAN is a tool to help systems administrators. It recognizes several
> common networking-related security problems, and reports the problems
> without actually exploiting them.
>
> For each type of problem found, SATAN offers a tutorial that explains
> the problem and what its impact could be. The tutorial also explains
> what can be done about the problem: correct an error in a configuration
> file, install a bugfix from the vendor, use other means to restrict
> access, or simply disable the service.
>
> SATAN collects information that is available to everyone with access
> to the network. With a properly-configured firewall in place, that
> should be near-zero information for outsiders.
>
> We have done some limited research with SATAN. Our finding is that on
> networks with more than a few dozen systems, SATAN will inevitably find
> problems. Here's the current problem list:
>
> NFS file systems exported to arbitrary hosts
> NFS file systems exported to unprivileged programs
> NFS file systems exported via the portmapper
> NIS password file access from arbitrary hosts
> Old (i.e. before 8.6.10) sendmail versions
> REXD access from arbitrary hosts
> X server access control disabled
> arbitrary files accessible via TFTP
> remote shell access from arbitrary hosts
> writable anonymous FTP home directory
>
> These are well-known problems. They have been the subject of CERT, CIAC, or
> other advisories, or are described extensively in practical security
> handbooks. The problems have been exploited by the intruder community
> for a long time.
>
> We realize that SATAN is a two-edged sword - like many tools, it can be
> used for good and for evil purposes. We also realize that intruders
> (including wannabees) have much more capable (read intrusive) tools
> than offered with SATAN. We have those tools, too, but giving them
> away to the world at large is not the goal of the SATAN project.
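The problem list in the forwarded announcement above is the kind of checklist an administrator can run against their own hosts before anyone else does. The Python below is an added example, not code from these messages or from SATAN itself: it audits a constructed /etc/exports for the first two NFS items (exports to arbitrary hosts, and exports reachable from unprivileged client programs) and compares a constructed SMTP greeting against the 8.6.10 sendmail cutoff the list names. The exports syntax assumed is the Linux form "/path client(opt,opt) ...", in which a missing client or a bare "*" means every host and the "insecure" option admits clients on non-reserved ports; the sample data and function names are all assumptions.

```python
"""Self-check for three items on the SATAN problem list: NFS file systems
exported to arbitrary hosts, NFS exports reachable from unprivileged
(non-reserved-port) client programs, and sendmail older than 8.6.10.

Added example, not part of the mailing-list messages or of SATAN itself.
Assumptions: the Linux /etc/exports syntax "/path client(opt,opt) ...",
where a missing client or a bare "*" means every host and the "insecure"
option admits clients on non-reserved ports; all sample data is constructed."""

import re

# Constructed /etc/exports sample (not taken from any real host).
SAMPLE_EXPORTS = """\
# constructed sample exports file
/home            *(rw)
/export/tools    192.0.2.0/24(ro) trusted.example.org(rw,insecure)
/export/public
/srv/build       build01.example.org(rw,sync)
"""

# "client(options)" or bare "client"; an empty client with options means everyone.
CLAUSE_RE = re.compile(r"([^(]*)(?:\((.*)\))?")


def parse_exports(text):
    """Return [(path, [(client, [options]), ...]), ...] for an exports file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, clauses = fields[0], []
        for token in fields[1:]:
            m = CLAUSE_RE.fullmatch(token)
            if m is None:                        # malformed token: keep it visible
                clauses.append((token, []))
                continue
            client = m.group(1) or "*"           # "(rw)" with no client = every host
            options = [o for o in (m.group(2) or "").split(",") if o]
            clauses.append((client, options))
        entries.append((path, clauses))
    return entries


def audit_exports(text):
    """Flag exports open to arbitrary hosts or to unprivileged client ports."""
    findings = []
    for path, clauses in parse_exports(text):
        if not clauses:
            findings.append((path, "exported to arbitrary hosts (no client list)"))
        for client, options in clauses:
            if client == "*":
                findings.append((path, "exported to arbitrary hosts"))
            if "insecure" in options:
                findings.append((path, "accepts unprivileged ports from " + client))
    return findings


# Sendmail announces its version in the SMTP greeting, for example
# "220 host ESMTP Sendmail 8.6.9/8.6.9; Fri, 17 Mar 1995 ..." (constructed).
SENDMAIL_RE = re.compile(r"Sendmail\s+v?(\d+(?:\.\d+)*)")
MIN_SENDMAIL = (8, 6, 10)   # cutoff named in the SATAN problem list


def sendmail_version(banner):
    """Extract the sendmail version from an SMTP greeting as a tuple, or None."""
    m = SENDMAIL_RE.search(banner)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None


def sendmail_is_old(banner):
    """True if the greeting shows sendmail before 8.6.10, False if not older,
    None if the greeting does not identify sendmail at all."""
    version = sendmail_version(banner)
    return None if version is None else version < MIN_SENDMAIL


if __name__ == "__main__":
    for path, problem in audit_exports(SAMPLE_EXPORTS):
        print(f"{path}: {problem}")
    greeting = "220 mail.example.org ESMTP Sendmail 8.6.9/8.6.9; Fri, 17 Mar 1995 16:00:00 -0800"
    print("old sendmail:", sendmail_is_old(greeting))
```

Run as a script it reports the three weak exports in the sample and flags the constructed 8.6.9 greeting as old; pointed at a real exports file and a real greeting (read the file, or capture the 220 line from a local SMTP connection) it gives the same yes/no answer for those three list items without touching any other host.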

From firewalls-owner Fri Mar 17 17:28:12 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA06034 for firewalls-outgoing; Fri, 17 Mar 1995 16:46:09 -0800
Received: from muse.microunity.com (muse1.microunity.com [192.216.206.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA06029 for ; Fri, 17 Mar 1995 16:46:06 -0800
Received: from gaea.microunity.com by muse.microunity.com (4.1/ericm1.1) id AA17547; Fri, 17 Mar 95 16:43:29 PST
Received: from dockmaster.microunity.com by gaea.microunity.com (4.1/muse1.3) id AA18094; Fri, 17 Mar 95 16:43:27 PST
Received: by dockmaster.microunity.com (8.6.10/muse-sw.3) id QAA11903; Fri, 17 Mar 1995 16:43:27 -0800
From: ericm@microunity.com (Eric Murray)
Message-Id: <199503180043.QAA11903@dockmaster.microunity.com>
Subject: Re: SATAN
To: fc@all.net (Dr. Frederick B. Cohen)
Date: Fri, 17 Mar 95 16:43:26 GMT
Cc: firewalls@greatcircle.com
In-Reply-To: <9503172153.AA04035@all.net>; from "Dr. Frederick B. Cohen" at Mar 17, 95 4:53 pm
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dr. Frederick B. Cohen wrote:
>
> The real question is whether the good guys will get the release before
> the bad guys and how you tell them apart.
>
> If I had SATAN, you could do tests with it today without having the
> source available to attackers. Would Dan or someone else provide this
> service to those of us who would like to test ourselves so that before
> the world is able to launch, we can verify our own protection?

how would you be able to tell 'good sysadmin' from 'bad hacker'? why should anyone trust you? why should anyone trust any results from a tool they don't have the source to?

please don't take this as a personal attack, it's not. i'm sure you mean well. you just haven't thought it through. it has to be (relatively) freely available as source, or not at all.

BTW, SATAN's authors have stated repeatedly that SATAN will not contain any new cracks, nor will it contain exploit code. (see the 'what SATAN is' post by Wietse Venema, available at many fine security newsfroups). The print media hype would have it be, well, the coming of Satan. It's not. it won't be anything that any competent security administrator hasn't already been aware of. don't believe the hype.

--
ericm ericm@microunity.com

From firewalls-owner Fri Mar 17 17:47:07 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA06027 for firewalls-outgoing; Fri, 17 Mar 1995 16:46:04 -0800
Received: from gate.nb.rockwell.com (gate.nb.rockwell.com [129.172.200.127]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA06021 for ; Fri, 17 Mar 1995 16:46:00 -0800
Received: by gate.nb.rockwell.com (5.57/Ultrix3.0-C) id AA13653; Fri, 17 Mar 95 16:39:45 -0800
Received: from monkey.nb.rockwell.com.dcdnis by atlas.nb.rockwell.com (4.1/SMI-4.1) id AA09618; Fri, 17 Mar 95 16:43:31 PST
From: yaube@nb.rockwell.com (Ben E.Yau)
Message-Id: <9503180043.AA09618@atlas.nb.rockwell.com>
Subject: SATAN release schedule (fwd)
To: firewalls@greatcircle.com
Date: Fri, 17 Mar 1995 16:43:32 -0800 (PST)
X-Mailer: ELM [version 2.4 PL21]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2980
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Believe me..if you have a secure firewall, that will probably cut more than half of Satan's functionality:

This is from the co-author of SATAN
-----------------------------------

>From the desktop of Wietse Venema

Here's the release schedule for the SATAN (Security Administrator Tool for Analyzing Networks) tool. Below is a summary of what it is about.
February 24
alpha release to selected expert sites

March 15, 16:00 MET
beta release to selected major sites
documentation release to the public
ftp.win.tue.nl:/pub/security/satan_doc.tar.Z

April 5, 16:00 MET
first release to the public.
ftp.win.tue.nl:/pub/security/satan.tar.Z

Mirror site offers are welcome.

Wietse Venema / Dan Farmer

SATAN was written because we realized that computer systems are becoming more and more dependent on the network, and at the same time becoming more and more vulnerable to attack via that same network.

The rationale for SATAN is given in a paper posted in December 1993 (ftp.win.tue.nl:/pub/security/admin-guide-to-cracking.101.Z, flat text compressed with the UNIX compress command).

SATAN is a tool to help systems administrators. It recognizes several common networking-related security problems, and reports the problems without actually exploiting them.

For each type of problem found, SATAN offers a tutorial that explains the problem and what its impact could be. The tutorial also explains what can be done about the problem: correct an error in a configuration file, install a bugfix from the vendor, use other means to restrict access, or simply disable the service.

SATAN collects information that is available to everyone with access to the network. With a properly-configured firewall in place, that should be near-zero information for outsiders.

We have done some limited research with SATAN. Our finding is that on networks with more than a few dozen systems, SATAN will inevitably find problems. Here's the current problem list:

NFS file systems exported to arbitrary hosts
NFS file systems exported to unprivileged programs
NFS file systems exported via the portmapper
NIS password file access from arbitrary hosts
Old (i.e. before 8.6.10) sendmail versions
REXD access from arbitrary hosts
X server access control disabled
arbitrary files accessible via TFTP
remote shell access from arbitrary hosts
writable anonymous FTP home directory

These are well-known problems. They have been the subject of CERT, CIAC, or other advisories, or are described extensively in practical security handbooks. The problems have been exploited by the intruder community for a long time.

We realize that SATAN is a two-edged sword - like many tools, it can be used for good and for evil purposes. We also realize that intruders (including wannabees) have much more capable (read intrusive) tools than offered with SATAN. We have those tools, too, but giving them away to the world at large is not the goal of the SATAN project.

From firewalls-owner Fri Mar 17 17:47:12 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA06108 for firewalls-outgoing; Fri, 17 Mar 1995 16:48:48 -0800
Received: from gate.nb.rockwell.com (gate.nb.rockwell.com [129.172.200.127]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA06103 for ; Fri, 17 Mar 1995 16:48:44 -0800
Received: by gate.nb.rockwell.com (5.57/Ultrix3.0-C) id AA13851; Fri, 17 Mar 95 16:42:28 -0800
Received: from monkey.nb.rockwell.com.dcdnis by atlas.nb.rockwell.com (4.1/SMI-4.1) id AA09931; Fri, 17 Mar 95 16:46:14 PST
From: yaube@nb.rockwell.com (Ben E.Yau)
Message-Id: <9503180046.AA09931@atlas.nb.rockwell.com>
Subject: what SATAN is (fwd)
To: firewalls@greatcircle.com
Date: Fri, 17 Mar 1995 16:46:15 -0800 (PST)
X-Mailer: ELM [version 2.4 PL21]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 3520
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

More from the co-author. I also recommend reading the admin-guide-to-cracking paper which is referenced in this text.
----------------------------

There seems to be considerable confusion about what SATAN is and what the impact of its release will be.

SATAN was written because we realized that computer systems are becoming more and more dependent on the network, and at the same time becoming more and more vulnerable to attack via that same network.

The rationale for creating SATAN can be found in a paper that we posted as long ago as December 1993. This paper can be found on ftp.win.tue.nl as /pub/security/admin-guide-to-cracking.101.Z (flat text, compressed with the UNIX compress command).

SATAN is a tool to help systems administrators to keep a large class of intruders out. Keeping out the real Mitnicks is hard enough even for real security experts.

SATAN collects information that is available to everyone with access to the network. With a properly-configured firewall in place, that should be zero information for external users.

SATAN performs scans at various levels.

- At the light level, SATAN queries the host and establishes the general character of a system: is it a file server, a diskless workstation?

- At the intermediate level, SATAN recognizes the system type (ex: SUN SGI DEC IBM HP), and well-known network services that the system offers to the network (ex: remote login, anonymous FTP, WWW, Gopher, email).

- At the advanced level, SATAN interrogates the host to find out if critical access controls are missing or defective. This is probably the most controversial part. We take a conservative approach. SATAN collects information without actually exploiting p