From firewalls-owner Sat Apr 1 01:20:24 1995
Date: Sat, 1 Apr 95 00:29:16 -0800
From: fasttech!zeke@uu4.psi.com (Bohdan Tashchuk)
To: greatcircle.com!firewalls@uu4.psi.com, isi.edu!bmanning@uu4.psi.com
Subject: Re: Encryption packages

I note that many of the replies have suggested Morningstar routers. In this topology, there are -NO- routers, just a bunch of point2point links.

Following is a message I sent to firewalls about a week ago. It never showed up. But I think it highlights an alternative to using a router.

------ previous message:

> The next cheapest option looks like buying MorningStar routers,
> but this seems a bit excessive just for the encryption facility.

NSC and uunet also have encryption products that may help. Unless your programmer/administration time is free a commercial encryption product is a cheap way to go IMHO.

Also, keep in mind that Morning Star sells their PPP software separately from their routers. It's VERY expensive, $795, and it's node locked. This makes it unaffordable for a single user like me. But if you were even considering buying a whole router just for encryption then this is an alternative.

Their PPP software supports the same encryption as their routers. This is single DES with a 56-bit key. They also supply an "IP network tunnel driver" which would presumably let you communicate that way using your existing ip connection.

I say presumably because it's way out of my price range and so I don't have first hand experience. At www.morningstar.com I found a whole bunch of interesting info, including a PostScript manual for their PPP. This manual explains all this and more in 138 pages of detail.

From firewalls-owner Sat Apr 1 01:50:39 1995
From: wietse@wzv.win.tue.nl (Wietse Venema)
Subject: Re: compiling portmap_3
To: egger@N-E-T.de (Jochen Egger)
Date: Sat, 1 Apr 95 11:26:27 MET DST
Cc: firewalls@greatcircle.com, egger@N-E-T.de
Organization: Eindhoven University of Technology, P.O. Box 513, 5600 MB Eindhoven, The Netherlands

> I'm now trying to install Wietse's portmap_3 on the same system, but it
> refuses to compile, because pmap_check.c and pmap_dump.c refer
> to a structure of type struct rpcent, which isn't defined anywhere
> in the included header files.

rpcent is used only when you try to build with -DSYSV40. That is not necessary with SunOS 4.x.
Wietse

From firewalls-owner Sat Apr 1 18:20:22 1995
From: jdwilson@gold.chem.hawaii.edu
Date: Sat, 1 Apr 95 20:53:06 -0500
To: padgett@tccslr.dnet.mmc.com
Cc: "firewalls@greatcircle.com"@uvs1.dnet.mmc.com
Subject: Re: And therin is the true danger to the net...

On Tue, 28 Mar 1995 padgett@tccslr.dnet.mmc.com wrote:

> Every haquer and A-6 in the world on April 5th attempting to download
> the big "S". Will bet a lot of collisions are detected and even more
> when thousands of wannabees suddenly try to use it on whitehorse.guv 8*/

Assuming they have root access on a Sun with 32MB RAM, that is.

-NetSurfer

James D. Wilson, Serendipitous Solutions, P.O. Box 15432, Honolulu, HI 96830
V.PGP 2.7: 512/E12FCD 1994/03/17 (finger for full PGP key)
Also NetSurfer@sersol.com

From firewalls-owner Sat Apr 1 19:50:24 1995
Date: Sat, 1 Apr 1995 22:38:12 -0800
From: exceed@wwcd.com (exceed)
To: firewalls@greatcircle.com
Subject: 2nd dns .. setting up for email to that dns??

Hi

We have a second dns which is being routed here. When coming through mosaic it arrives here fine. ie: www.xxx.com and www.yyy.com both arrive at the same server and it arrives at the same level (directory) as the first dns...
No problem for now....but how do I get it to be recognized by e-mail? ie: my email is tech@wwcd.com; when I send a letter to tech@(new dns).com it gets kicked out.

Any help?

gary

From firewalls-owner Sat Apr 1 20:10:21 1995
Date: Sat, 1 Apr 1995 19:22:36 -0800 (PST)
From: Everett F Batey WA6CRE
Subject: Pagers (esp display)
To: Firewalls@GreatCircle.Com
Cc: Don.Harper@houston.chron.com

With all the folks in the firewalls business and in communications .. seems like a natural fit to have the community offer the business opportunity to the pager and cellular companies to develop an email link to paging and voice mail .. only a few companies would have to see the market opportunity and a small spoon-feed on how-to and it could be off and running. Or .. have I missed something.

+ efb@suned1.nswses.Navy.MIL efb@gcpacix.cotdazr.org efb@uvsi.jpl.nasa.gov +
+ efb@nosc.mil efb@oxnardsd.org [EFB15] WA6CRE Gold Coast Sun Users +
+ The Genie is Out of the Bottle! :-) CANT Put it Back, Nor even Nuke It +
+ Opinions, MINE, NOT Uncle_s | WWW b-news innd postmaster XNTP3 DNS GNU +

From firewalls-owner Sat Apr 1 21:50:21 1995
From: efb@suned1.Nswses.Navy.Mil (Everett F Batey SysAdm)
Subject: NIST FIPS PUB 190 .. Comments
To: firewalls@GreatCircle.Com
Date: Sat, 1 Apr 95 21:23:06 PST
Reply-To: efb@suned1.Nswses.Navy.Mil ( Everett F Batey II )
X-Orgztn: PHD NSWC (NSWSES) 4A05 Port Hueneme, CA 93043 - Opinions: Only Mine

I was just provided a copy (will be glad to forward to those with a fat lot of disk) of US NIST FIPS PUB 190 on enhanced authentication, DES, SmartCard and BioMetrics. I found it rich with in-bred references to the work of NIST and scarce of community wisdom in its references.

I would greatly welcome your advice and assessment as to whether this major work will bear a lot of weight in the Federal System or if it is likely to be received and followed by few ..

--
+ efb@suned1.nswses.Navy.MIL efb@gcpacix.cotdazr.org efb@uvsi.jpl.nasa.gov +

From firewalls-owner Sun Apr 2 05:50:20 1995
From: smb@research.att.com
To: efb@suned1.Nswses.Navy.Mil ( Everett F Batey II )
cc: firewalls@GreatCircle.Com
Subject: Re: NIST FIPS PUB 190 .. Comments
Date: Sun, 02 Apr 95 08:19:55 EDT

> I was just provided a copy (will be glad to forward to those with a fat lot of disk) of US NIST FIPS PUB 190 on enhanced authentication, DES, SmartCard and BioMetrics. I found it rich with in-bred references to the work of NIST and scarce of community wisdom in its references.

For those who are interested, security-related FIPS can be found on the Web at http://csrc.ncsl.nist.gov/fips/index.html

From firewalls-owner Sun Apr 2 07:21:36 1995
From: fc@all.net (Dr. Frederick B. Cohen)
Subject: All.Net now testing for X holes
To: firewalls@greatcircle.com
Date: Sun, 2 Apr 1995 09:46:49 -0400 (EDT)

We have recently upgraded our automated testing service to include the (old) SATAN version of tests for X-related holes (with Dan Farmer's permission). We believe that the current test suite now covers all of the attacks detected by SATAN and several other attacks that SATAN may not currently cover. When the new SATAN release comes out (in a few days) we will upgrade our tests to reflect the new SATAN testing capabilities. See below for details on how to reach our server.

FC

--
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
Check out info-security heaven and test your system for known vulnerabilities at URL: http://all.net:8080
Read "Protection and Security on the Information Superhighway" -just released by Wiley and Sons-

From firewalls-owner Sun Apr 2 10:20:22 1995
Date: Sun, 02 Apr 1995 11:50:46 -0600
From: "Steve P. Devore"
To: firewalls@greatcircle.com
Subject: Is the SANS conference any good?
Is the Unix Security and Sysadmin Conference put on by the Open Systems Conference Board worth attending?

From firewalls-owner Sun Apr 2 10:41:01 1995
From: mccurley@cs.sandia.gov (Kevin S. McCurley)
Subject: Re: NIST FIPS PUB 190 .. Comments
To: smb@research.att.com
Date: Sun, 2 Apr 1995 11:04:28 -0600 (MDT)
Cc: efb@suned1.Nswses.Navy.Mil, firewalls@GreatCircle.Com

> I was just provided a copy (will be glad to forward to those with a
> fat lot of disk) of US NIST FIPS PUB 190 on enhanced authentication,
> DES, SmartCard and BioMetrics. I found it rich with in-bred
> references to the work of NIST and scarce of community wisdom in its
> references.
>
> For those who are interested, security-related FIPS can be found on
> the Web at http://csrc.ncsl.nist.gov/fips/index.html

NIST does not seem to have a single site with all of the security related FIPS. In particular, the URL given above does not contain FIPS 112 on password usage. That only seems to be available at:

http://www.ncsl.nist.gov/fips

I didn't see FIPS 190 at either one, so perhaps there is a THIRD site?

Kevin McCurley
Sandia National Laboratories

From firewalls-owner Sun Apr 2 12:50:23 1995
Date: Sun, 02 Apr 95 11:25:28
From: "jeff wong"
To: firewalls@greatcircle.com
Subject: Firewall-1 on HP

Hi there,

So far I have heard Firewall-1 running on a Sun box, rumours say they also have it available on HP!? Is that true, please comment!

-Jeff

From firewalls-owner Sun Apr 2 17:20:35 1995
Date: Mon, 3 Apr 1995 11:09:42 +1100 (AEST)
From: Gordon Rowell
To: "Bai, Mario"
Cc: firewalls
Subject: Re: Microsoft SMTP Gateway

> Has anyone ever implemented Microsoft's SMTP gateway for MS-Mail?

Yep.

> Both Microsoft and our mail people here swear that it is unbreakable,
> (nothing is unbreakable)
> but I was wondering if anyone has ever implemented it or discovered any
> "holes". The machine sits on both our unprotected side to receive mail from
> the internet, translates the internet addresses to MS-Mail addresses, and
> shoots them off to our mail MTA. Since it is dual -homed, I do not feel
> comfortable, but do not have any real data to support my paranoid feeling.

Being a DOS box which just gets and puts mail between SMTP and MSMAIL, I would be surprised if you could use it to hop (depending on what other services your PC TCP/IP stack provides - though they've been removed from the PC haven't they?). However, I would definitely move your MSMAIL/SMTP box off the external net for reliability reasons if nothing else.

The box does no intelligent routing of SMTP - it just passes it to a mail router. It is also single-threaded, and turns around between MSMAIL->SMTP and SMTP->MSMAIL between each piece of mail. If another connection attempt happens while mail is being transferred, the current connection will drop. Similarly, if someone tries to send you commands the box doesn't want (like EHLO, VRFY, EXPN), it closes the connection. Sites which try to send mail with these commands may never be able to get through to you.

Having experienced all of the above, I'd suggest you put the MSMAIL/SMTP box purely on your internal networks, talking to a recent sendmail (8.6.11 or whatever it is this week) behind something like the TIS FWTK's SMAP daemon. Sendmail8 has connection caching, which means that all mail queued for the box will go through as one chunk, rather than individual connections.
This improves performance of the box as the box doesn't try to turn around after each mail. It also means all of your mail can go through one logging/monitoring point.

In the spirit of hard/known outer shell you then have a tested/fixed sendmail/smap running facing the Internet and the untested/unfixable (from your point of view - you have no source) behind that.

For performance and paranoia reasons, put two Ethernet cards in the PC - one talking TCP/IP and the other IPX (assuming your mailboxes are on Novell). If you ever see IP from the card bound with IPX - complain.

> If anyone has seen any problems, or know of anything, I would appreciate
> hearing about it.

Gordon
--
Gordon Rowell
Phone: +61 2 287 4973   Fax: +61 2 287 5754   Pager: 016 289 267
Email: Gordon.Rowell@nms.otc.com.au

From firewalls-owner Sun Apr 2 17:49:16 1995
From: Luke Mewburn
Reply-To: Luke Mewburn
Subject: Re: ADDENDUM: Brief report on Firewalls BoF from Networld+Interop, Las Vegas
To: avalon@coombs.anu.edu.au (Darren Reed)
Date: Mon, 3 Apr 1995 10:19:43 +1000 (EST)
Cc: avolio@tis.com, firewalls@GreatCircle.COM

darren reed writes:

> Whilst one-time keycards are nice, ones such as S/Key are also "dangerous".
> If you're attending a conference (and have a name tag), or travelling,
> you're going to take your s/key list or other with you...whilst the
> security seems well and good, it does, however, reduce the skill required
> to get `in' to someone who is good at picking pockets...and what do you do
> if you `lose' your `card' ? Can you call back to work, 24 hours a day and
> report it missing ?

We don't use S/Key for our dialin, just for backup (q.v.).

> Some of the pricey cards require PIN numbers which is better, but again,
> what sort of backup/procedure do you have for cards that go missing ?

We use fwtk with a module for the authentication server written locally for our cards(*). The cards have a pin. If a card goes missing, we have a backup "wizard" account that uses s/key. Of course, that s/key list is locked away physically in a safe at work, in a room safer than the authentication machine.

> Maybe S/key could be enhanced to require a "secret" password, in addition
> to the one-time password to affirm authenticity ? (NOT the one used to
> generate the keys). The role of it is to make up for not having a PIN
> number...

Defeats the purpose of avoiding passwords. I recommend buying something like our cards, installing fwtk or the like, and applying the mods to get card support. Keep s/key as a backup locked away somewhere.

For the truly security conscious, do as we eventually plan to; buy a laptop, run encrypting telnet between it and the destination machine along with other authentication techniques. We have to think this thru a bit more.

> darren
> p.s. I'm assuming they get your wallet and/or know who you are anyway...

(*) Our cards are the Enigma MultiSyncs. Cost is about AU$130 (which is relevant to darren since he's in Australia.) The code to support the cards was written by David Burren, who is "cleaning it up for release later this month" (hohoho ;). Unfortunately, due to Australian Export restrictions, he may not be able to send this code outside of Australia; we're checking this up.

---
Luke Mewburn
``Don't steal. The Government (and the Banks) hate competition.'' -- (anon)

From firewalls-owner Sun Apr 2 18:20:21 1995
Date: Sun, 02 Apr 1995 20:04:24 -0500
To: Firewalls@greatcircle.com
From: wallynet@panix.com (Walter F. Inetman)
Subject: Bullet Proof Servers and UnderDog Pills

Hi there:

I am searching for commercial FTP and MAIL servers for Unixware, Solaris 1&2, Dec OSF & N3.12 4.x which can be considered bullet proof and not cryptic or overly complex to administer. Do you have any ideas or recommendations?

A Windows winsock email application with PGP or other encryption which I could implement globally in a gov agcy would be nice too. FW proxy server compliant is a must....

Thanks,
---
Walt

PS: How would you stop surfers from injecting your LAN with infected FTP downloads?
From firewalls-owner Sun Apr 2 18:50:25 1995
Date: Sun, 2 Apr 1995 19:15:43 -0600
From: Danny Boulet
To: Firewalls@GreatCircle.COM
Subject: ipfirewall v2.0 now available

Most of you have probably never heard of ipfirewall. This is a packet filtering IP firewall facility that I've written. It has been around for about 18 months. All of the development work on ipfirewall has been done on BSD/OS (and BSD/386) although various versions have been ported to NetBSD, FreeBSD and Linux.

Here are the features that are in the current version:

- ability to match packets based on essentially any combination of:
  = their source and/or destination IP address or port number.
  = the protocol used by the enclosed packet (TCP, UDP, ICMP).
  = which interface the packet arrived via (useful for preventing IP spoofing and other things).
  = whether or not the packet represents an in-bound TCP/IP connection attempt (i.e. is the first packet sent by a TCP/IP client trying to establish a connection with a TCP/IP server). This is quite useful for ensuring that outsiders can only connect to a selected set of TCP/IP servers while allowing insiders access to external TCP/IP servers.
  = whether or not the packet is a fragment of a larger original IP packet.
  = whether or not the packet uses various flavours of IP options.
- ability to request that an accepted packet be logged (normally, only rejected packets get logged).
- all rejected or logged packet messages indicate which filter matched the packet (helps when debugging filters).

The package is distributed in source form with patches for a few kernel files. This version includes patches for BSD/OS v2.0 and NetBSD-current. I suspect that the version will drop into BSDOS v1.1 (or earlier) with little or no extra effort. Porting to FreeBSD is also probably very easy. Porting to Linux might require more work (since it isn't based on the same 4.4BSD networking code) but is probably not very hard.

Starting with ipfirewall v2.0, I'm distributing ipfirewall on a shareware basis. Users who register themselves by making a minimum contribution of $60 Canadian (about $42 US) will receive a bound 29 page user's guide. Users who are protecting larger sites are asked to make a larger contribution (see the distribution for details). I'll also try to keep registered users informed of bug fixes and future versions.

I intend to try to make the version quite widely available. It will probably appear on a number of ftp sites quite soon. For now, please send me a request via e-mail to: danny@BouletFermat.ab.ca

I'd like to express my thanks to all of my beta testers (from all over the world).

Here's a list of the sections in the "ipfirewall v2.0 User's Guide":

section  page  title
   1.0      1  Overview of ipfirewall v2.0
   2.0      3  Obtaining ipfirewall
   3.0      4  ipfirewall copyright (description of copyright terms)
   4.0      5  Installation
   5.0      7  The ipfirewall command
   6.0     10  Filter syntax
   7.0     13  Filter examples
   8.0     19  A complete example
   9.0     22  Packet filtering rules (how ipfirewall filters packets)
  10.0     24  Other security considerations
  11.0     27  Recommended reading
  12.0     29  About the author (my fifteen minutes of fame!)

-Danny

From firewalls-owner Sun Apr 2 19:20:35 1995
Date: Sun, 02 Apr 95 17:46:38
From: "jeff wong"
To: firewalls@greatcircle.com
Subject: ccMail SMTP Gateway

Hi there,

Has anyone ever successfully implemented the ccMail SMTP gateway for ccMail running on a Novell box? Is that the only product for ccMail to transport Internet mail? What about problems and bugs? The last time I heard, it was said the SMTP Gateway was somewhat buggy? Should the ccMail SMTP gateway be implemented on a UNIX box running DNS and other stuff like FTP server, WWW? Or is the ccMail SMTP gateway only for PC? Please help.

-Jeff

From firewalls-owner Sun Apr 2 19:50:16 1995
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Subject: Re: Bullet Proof Servers and UnderDog Pills
To: wallynet@panix.com (Walter F. Inetman)
Date: Sun, 2 Apr 1995 21:53:42 -0500 (EST)
Cc: Firewalls@greatcircle.com

>
> PS: How would you stop surfers from injecting your LAN with infected
> FTP downloads?
>

Antibiotics.

- paul
_______________________________________________________________________________
Paul Ferguson, US Sprint, Managed Network Engineering, Reston, Virginia USA
tel: 703.689.6828   internet: paul@hawk.sprintmrn.com   http://www.sprintmrn.com

From firewalls-owner Sun Apr 2 21:20:27 1995
Date: Mon, 3 Apr 1995 00:05:41 -0400
From: Tom Fitzgerald
To: firewalls@greatcircle.com
Subject: Re: Feeping Creaturism in routers (was Re: Response to Satan)

> One of the advantages
> that routers have over UNIX hosts is that they don't come with so many
> capabilities, each of which have to be considered for security implications
> and protected or turned off as necessary.
Synchronizing a firewalled net with the Internet requires running NTP *somewhere*, whether it's on the routers themselves (assuming a screened-network configuration) or on a Unix bastion. So the question isn't whether adding NTP to the router makes it less secure, the question is whether a router with NTP is less secure than a Unix box with NTP. And it's a question that I'm not going to try to answer, no way.

There are some other issues.... A router isn't such a simple thing that NTP is a big increase in complexity. It's already likely to be running multiple routing processes redistributing routes between themselves and into the routing table, it may have an SNMP server, telnet server, finger server, telnet client, tftp client, and probably lots more stuff that I can't think of. Due to this, it's already got a scheduler, memory manager and maybe even a protected memory system, which will certainly help a lot in keeping NTP bugs from opening holes in code unrelated to NTP. If the router software is architected right, then something like NTP should be no big deal.

On the other hand, it's easier to trust a Unix box built from sources, running NTP built from source. Do we *know* that some router's software is architected to keep processes out of each other's data?

Now I'm going to kill off my previous points... while Ciscos can run NTP, there's no reason for them to. I don't agree with the point that routers should do NTP because they're on every subnet anyway; you're much better off having a single Unix server using directed broadcasts to flood the time onto all the subnets where it's useful. Then, all you need are routers that can forward directed broadcasts, and one central host. There's no need to have to modify all your router configurations just because you want to change the NTP topology.
-- Tom Fitzgerald 1-508-967-5278 Wang Labs, Lowell MA, USA fitz@wang.com

From firewalls-owner Sun Apr 2 21:50:20 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA12945 for firewalls-outgoing; Sun, 2 Apr 1995 21:27:05 -0700 Received: from ibmmail.COM (ibmmail.com [199.171.26.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id VAA12940 for ; Sun, 2 Apr 1995 21:27:02 -0700 Message-Id: <199504030427.VAA12940@miles.greatcircle.com> Received: from IBMMAIL.COM by ibmmail.COM (IBM VM SMTP V2R3) with BSMTP id 1272; Mon, 03 Apr 95 00:27:13 EDT Date: Mon, 03 Apr 1995 00:27:13 EDT From: " George Janczuk JZKGEQ - AMPLN1" To: firewalls@greatcircle.com MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: Tunnelling Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

===========================================================================

There has been lots of discussion on this list about firewalls - but not a lot about the security of IP networks that are glued together via tunnelling over a third-party internet connected IP network. We are in a situation where we might be doing this - and are not very aware of the technologies out there. The vendor we are potentially using recommends using the IP over IP tunnelling functionality available in CISCO routers.

Now - obviously a lot of firewall issues do not apply - primarily due to the fact no IP traffic actually leaves or enters the internal network, and no services are provided outside. Some issues do obviously still apply, and may even be more acute. The tunnel routers will obviously have some sort of access lists so that only other tunnel routers can gain access - though the usual problems still apply. IP spoofing needs to be guarded against. Encryption may be useful. Obviously if someone penetrated the tunnelled virtual network then they are on the inside.
Basically, I'm interested in hearing from people who have had experience in doing something like this, and what sort of issues are significant. Also products that are of use in this scenario would be of interest. Regards, George Janczuk AMP Society.

From firewalls-owner Sun Apr 2 22:20:21 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id WAA13657 for firewalls-outgoing; Sun, 2 Apr 1995 22:18:01 -0700 Received: from eas (eas.frus.com [199.173.156.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id WAA13652 for ; Sun, 2 Apr 1995 22:17:57 -0700 Message-Id: To: fitz@wang.com Cc: firewalls@greatcircle.com Subject: Re: Feeping Creaturism in routers (was Re: Response to Satan) Reply-To: estutes@frus.com In-Reply-To: Your message of "Mon, 3 Apr 1995 00:05:41 -0400" References: <199504030405.AA04387@fnord.wang.com> X-Mailer: Mew beta version 0.89 on Emacs 19.28.1 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Sun, 02 Apr 1995 22:17:59 -0700 From: Earl Stutes Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

fitz said in [Re: Feeping Creaturism in routers (was Re: Response to Satan)] on Mon, 3 Apr 1995 00:05:41 -0400
fitz> A router isn't such a simple thing that NTP is a big increase in
fitz> complexity. It's already likely to be running multiple routing processes
fitz> redistributing routes between themselves and into the routing table, it may

In our case, we need NTP running on the net because we need to synchronize our router and the authentication server, and in one case they are 1500 miles apart and the only way to keep them in sync is NTP.
=eas= From firewalls-owner Sun Apr 2 22:30:08 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA12938 for firewalls-outgoing; Sun, 2 Apr 1995 21:27:00 -0700 Received: from hac2arpa.hac.com (hac2arpa.hac.com [192.27.0.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id VAA12933 for ; Sun, 2 Apr 1995 21:26:57 -0700 Received: from mls1.HAC.COM ([147.19.21.53]) by hac2arpa.hac.com (4.1/SMI-4.1) id AA18686; Sun, 2 Apr 95 21:26:35 PDT Received: from [147.19.21.193] (mls-remote1) by mls1.HAC.COM (4.1/SMI-4.0) id AA01707; Sun, 2 Apr 95 21:24:26 PDT X-Sender: ward@mls1.hac.com (Unverified) Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sun, 2 Apr 1995 21:28:28 -0700 To: bmanning@ISI.EDU, jnb@ptech.com, fasttech!zeke@uu4.psi.com From: ward@mls.HAC.COM (Ward Bathrick) Subject: Re: Encryption packages Cc: ids@uow.edu.au, Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Though product advertising is self indulgent and discouraged, it seems warranted in this case Hughes Aircraft builds a commercial network security product called NetLOCK. It currently is available on Sun and HP UNIX platforms. Other platforms including DOS/Windows (due October 95), Macintosh (due December 95) and a router product (due October 95) will be available this year. The product is an enterprise product that provides end-system to end-system authentication and then constructs a secure cryptographic pipe between the two end-systems. The cryptographic pipe protects all TCP, UDP, and raw IP traffic transparently to the user. NetLOCK is compatible with your network topology whether it's over ethernet, fiber, SLIP, etc. NetLOCK provides several levels of data protection including a DES, and a Hughes hi-speed exportable algorithm for integrity and encryption protection modes. The key management process is automatic. 
Upon receipt of a datagram, the key management process is invoked automatically. It authenticates the destination machine, negotiates the security services, and produces a shared traffic key. The cryptographic pipe is un-spoofable, because the key management generates an authentication key only the two hosts know. Authentication is provided by X.509 certificates generated by a certifying authority application called CAMS. CAMS also provides remote configuration and administration of all NetLOCK hosts that belong to your domain. If you'd like more information, call (714) 732-4577 or send email to netlock@mls.hac.com (please include your US mail address) ________________________________________________________________________ Ward Bathrick wbathrick@msmail3.hac.com Product Manager - NetLOCK ward@mls.hac.com Information Security Products Voice: (714) 732-0169 Hughes Aircraft Co. FAX: (714) 732-2427 Bld. 601/N130 P.O. Box 3310 1901 W. Malvern Ave. Fullerton CA. 92634-3310 From firewalls-owner Sun Apr 2 22:50:27 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id WAA13891 for firewalls-outgoing; Sun, 2 Apr 1995 22:25:30 -0700 Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id WAA13874 for ; Sun, 2 Apr 1995 22:24:51 -0700 Message-Id: <199504030524.WAA13874@miles.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.15/16.2) id AA204356683; Mon, 3 Apr 1995 15:24:43 +1000 From: Darren Reed Subject: Re: Tunnelling To: auampdrv@ibmmail.com (George Janczuk JZKGEQ - AMPLN1) Date: Mon, 3 Apr 1995 15:24:42 +1000 (EST) Cc: firewalls@greatcircle.com In-Reply-To: <199504030427.VAA12940@miles.greatcircle.com> from "George Janczuk JZKGEQ - AMPLN1" at Apr 3, 95 00:27:13 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 548 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk [...] 
> Basically, I'm interested in hearing from people who have had experience
> in doing something like this, and what sort of issues are significant.
> Also products that are of use in this scenario would be of interest.

I'm yet to try it out, but swIPe will provide IP over IP encapsulation with both encryption (DES) and authentication (MD-5 based). You can use either or both or neither. swIPe is not a "final" product, but the result of the current efforts by the IETF WG responsible for this. Look for swipe.tar.Z with archie. darren

From firewalls-owner Mon Apr 3 01:50:24 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA17934 for firewalls-outgoing; Mon, 3 Apr 1995 01:21:31 -0700 Received: from relay.xlink.net (relay.xlink.net [193.141.40.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id BAA17929 for ; Mon, 3 Apr 1995 01:21:28 -0700 Received: from nixe.ISAR.net by relay.xlink.net id <48028-0@relay.xlink.net>; Mon, 3 Apr 1995 10:21:28 +0000 Received: from GeNUA.DE (Ugenua@localhost) by nixe.isar.net (8.6.12/ni-1.2) with UUCP id KAA29893; Mon, 3 Apr 1995 10:21:00 +0200 Received: from localhost.GeNUA.DE by Woozle.GeNUA.DE with SMTP id AA06596 (5.65c/IDA-1.4.4); Mon, 3 Apr 1995 09:58:09 +0200 Message-Id: <199504030758.AA06596@Woozle.GeNUA.DE> To: Darren Reed Cc: firewalls@greatcircle.com Subject: Re: Tunnelling In-Reply-To: Your message of "Mon, 03 Apr 95 15:24:42 +1000." <199504030524.WAA13874@miles.greatcircle.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 03 Apr 1995 09:58:08 +0200 From: Bernhard Schneck Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Darren, In message <199504030524.WAA13874@miles.greatcircle.com> you write:
> I'm yet to try it out, but swIPe will provide IP over IP encapsulation
> with both encryption (DES) and authentication (MD-5 based). You can
> use either or both or neither.
> swIPe is not a "final" product, but
> the result of the current efforts by the IETF WG responsible for this.
>
> Look for swipe.tar.Z with archie.

How do you intend to export swIPe from the US? Or is there an exportable version? (I know it appeared on some non-US FTP servers recently, but AFAIK the ITAR are transitive: if you get it from someone who exported it illegally, your copy is also illegal.) \Bernhard.

From firewalls-owner Mon Apr 3 06:23:21 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA21983 for firewalls-outgoing; Mon, 3 Apr 1995 05:54:39 -0700 Received: from clark.net (clark.net [168.143.0.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id FAA21978 for ; Mon, 3 Apr 1995 05:54:36 -0700 Received: (hcb@localhost) by clark.net (8.6.11/8.6.5) id IAA07534; Mon, 3 Apr 1995 08:54:43 -0400 From: Howard Berkowitz Message-Id: <199504031254.IAA07534@clark.net> Subject: Re: ccMail SMTP Gateway To: jeff_wong@bctransit.com (jeff wong) Date: Mon, 3 Apr 1995 08:54:42 -0400 (EDT) Cc: firewalls@GreatCircle.COM, web@psci.com, hcb@clark.net (Howard Berkowitz) In-Reply-To: <9503027968.AA796869998@bctinet.bctransit.com> from "jeff wong" at Apr 2, 95 05:46:38 pm X-Mailer: ELM [version 2.4 PL24alpha3] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Content-Length: 983 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Hi there,
>
> Has anyone ever successfully implemented the ccMail SMTP gateway for
> ccMail running on a Novell box? Is that the only product for ccMail
> to transport Internet mail? What about problems and bugs? The last
> time I heard, it was said the SMTP Gateway was somewhat buggy? Should the
> ccMail SMTP gateway be implemented on a UNIX box running DNS and other
> stuff like an FTP server, WWW? Or is the ccMail SMTP gateway only for PCs?
>
> Please help.
> > -Jeff > We have it running between a 486 Novell server and our BSDI UNIX box; the gateway, as far as I know, has to be on a PC platform. It was quite difficult to get running, partially due to LONG waits on the ccMail support line. Since this is somewhat outside the scope of firewalls, we can continue in email. I was not the primary person implementing the gateway; that was Wendy Brown (web@psci.com). She's on vacation for a few days. From firewalls-owner Mon Apr 3 07:22:46 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA22982 for firewalls-outgoing; Mon, 3 Apr 1995 06:56:33 -0700 Received: from s.ecc.engr.uky.edu (s.ecc.engr.uky.edu [128.163.144.19]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA22977 for ; Mon, 3 Apr 1995 06:56:31 -0700 Received: (from morgan@localhost) by s.ecc.engr.uky.edu (8.6.10/8.6.10) id JAA27533 for firewalls@greatcircle.com; Mon, 3 Apr 1995 09:57:06 -0400 Date: Mon, 3 Apr 1995 09:57:06 -0400 From: Wes Morgan Message-Id: <199504031357.JAA27533@s.ecc.engr.uky.edu> To: firewalls@greatcircle.com Subject: Re: Anti-Satan tool Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From: rmck@sandfiddler.paragon-systems.com (Bob McKisson) > >I'm still puzzled. Why are folks still so spun up about SATAN? If >their operations are properly protected...what is the problem? >Apparently there are some CEO/CIO's out there who are not doing their >jobs, and that's why the sysadmin community is all atwitter. Bingo! <*hammer hitting nail on head*> The most recent issue of _Information Week_ led with SATAN as a cover story. They surveyed a group of 100 IS managers; More than 70% claimed that network security was of primary importance, but over 60% of that group had *no* automated security procedures in place. SATAN is nothing more than a library of known problems...all right, let's call it an *active* library. 
In any case, there are no secrets in SATAN; if anything, the program is merely calling the bluff of those who have sloughed off their responsibilities. --Wes From firewalls-owner Mon Apr 3 08:20:28 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA23781 for firewalls-outgoing; Mon, 3 Apr 1995 07:41:51 -0700 Received: from dsinc.myxa.com (dsinc.myxa.com [192.65.202.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA23773 for ; Mon, 3 Apr 1995 07:41:45 -0700 Received: from provdev by dsinc.myxa.com with uucp (Smail3.1.28.1 #36) id m0rvmol-0000AwC; Mon, 3 Apr 95 10:09 EDT Received: by pnc-pimc.com (4.1/SMI-4.1) id AA04858; Mon, 3 Apr 95 09:54:20 EDT From: cfulmer@pnc-pimc.com (Catherine Fulmer) Message-Id: <9504031354.AA04858@pnc-pimc.com> Subject: Re: Firewalls and Novell To: firewalls@greatcircle.com Date: Mon, 3 Apr 1995 09:54:19 -0400 (EDT) In-Reply-To: <199503311406.JAA11410@interport.net> from "David S. Goodman" at Mar 31, 95 09:06:55 am X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1315 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk David S. Goodman writes: > > I'm trying to get some information on firewalls in a Netware environment. > Most (if not all) of the things that I've read on the net (FAQs, white > papers, etc.) do not discuss PCs or Novell. Can anyone shed any light on > this? For instance, if I'm using a TCP/IP stack such as SuperTCP or > LANWorkplace for DOS, what kinds of risks am I facing? If you use a lot of LANWorkplace on pcs, it contains a bug that generates duplicate ip address messages. These created a bit of havoc on one of my internal (unix) firewalls that was setup to be extremely (overly?) sensitive to this. LWPD, versions 4.x, just a heads up. (SuperTCP does not have this "feature". But we have also been able to break this stack too often for comfort.) 
cathy -- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Catherine Fulmer : ,-^, clf@pnc-pimc.com : _ ___/ /\| http://www.waterw.com/~manowar : ,;`( )__ ) ~ PNC Bank (Phila, PA, US) : // // `--; Voice: 610-521-7828 : ' \ \ Fax: 610-521-7980 : ^ ^ My words are mine, and don't reflect the views of my employer. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= From firewalls-owner Mon Apr 3 10:52:18 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA25137 for firewalls-outgoing; Mon, 3 Apr 1995 09:03:47 -0700 Received: from cambridge.cadcentre.co.uk (cambridge.cadcentre.co.uk [193.130.24.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA25129 for ; Mon, 3 Apr 1995 09:03:41 -0700 Received: from internet.cadcentre.co.uk by cambridge.cadcentre.co.uk with ESMTP id RAA02462; Mon, 3 Apr 1995 17:03:41 +0100 Received: from sp23 by internet.cadcentre.co.uk with SMTP id RAA08972; Mon, 3 Apr 1995 17:02:58 +0100 From: "D.Ashton-Reader" Received: by sp23 (5.0) id AA18676; Mon, 3 Apr 1995 17:02:54 +0000 Date: Mon, 3 Apr 1995 17:02:54 +0000 Message-Id: <9504031602.AA18676@sp23> To: firewalls@greatcircle.com Subject: 2 IP addresses on 1 Ethernet card? (SG IRIX 5.3) Content-Length: 271 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I want to configure a single Ethernet card on an SG IRIX 5.3 machine to act as 2 different IP addresses (i.e. and different network nos.) 
I get rumour that this is possible via PPP, but can anyone advise the details of how it's done pretty-please Thanx - David A-R

From firewalls-owner Mon Apr 3 11:33:25 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA25407 for firewalls-outgoing; Mon, 3 Apr 1995 09:15:39 -0700 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA25402 for ; Mon, 3 Apr 1995 09:15:35 -0700 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA04212; Mon, 3 Apr 95 12:07:20 -0400 Date: Mon, 3 Apr 95 12:07:19 -0400 Message-Id: <9504031607.AA04212@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: But the wrong nail usually gets wacked... Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>From: rmck@sandfiddler.paragon-systems.com (Bob McKisson)
>
>I'm still puzzled. Why are folks still so spun up about SATAN? If
>their operations are properly protected...what is the problem?
>Apparently there are some CEO/CIO's out there who are not doing their
>jobs, and that's why the sysadmin community is all atwitter.

Problem is that particularly after three years of "downsizing" and "rightsizing", the CEOs/CIOs that are left are expert at CYA. The sysadmins know that "we were not allowed to do our jobs" is not going to be a defence when *they* get fired. My suggestion would be either of the time-honored military responses:

1) "Unless I receive explicit written orders to the contrary, I shall..."
2) "You mean our net connection was down all day on the 5th ? Too bad I was ill."
Warmly, Padgett

From firewalls-owner Mon Apr 3 11:51:16 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA25837 for firewalls-outgoing; Mon, 3 Apr 1995 09:47:02 -0700 Received: from wolfe.wimsey.com (wolfe.wimsey.com [204.191.160.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA25832 for ; Mon, 3 Apr 1995 09:46:59 -0700 Received: by wolfe.wimsey.com (Smail-3.1.29.1 #10) id m0rvpHR-000EgXC; Mon, 3 Apr 95 16:47 GMT Received: by ilinx.com (/\oo/\ Smail3.1.29.1 #29.6) id ; Mon, 3 Apr 95 09:45 PDT Received: by ilinx.ilinx.com (/\==/\ Smail3.1.28.1 #28.1) id ; Mon, 3 Apr 95 09:45 PDT Message-Id: From: brian@ilinx.ilinx.com (Brian J. Murrell) To: firewalls@greatcircle.com Subject: Re: ccMail SMTP Gateway Date: Mon, 3 Apr 1995 09:45:11 -0700 (PDT) MIME-Version: 1.0 X-Mailer: Ishmail 1.0.5-386-950210 Available via anonymous ftp from ftp.halsoft.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

from the quill of "jeff wong" on scroll <9503027968.AA796869998@bctinet.bctransit.com>
> Has anyone ever successfully implemented the ccMail SMTP gateway for
> ccMail running on a Novell box? Is that the only product for ccMail
> to transport Internet mail? What about problems and bugs? The last
> time I heard, it was said the SMTP Gateway was somewhat buggy? Should the
> ccMail SMTP gateway be implemented on a UNIX box running DNS and other
> stuff like an FTP server, WWW? Or is the ccMail SMTP gateway only for PCs?

Is it just annoying me or are others reading here annoyed with these non-firewalls related questions flooding this mailing list lately?? It's not like there is no traffic on it (can you say 2 hours to read 2 days backlog??) so we need these off-topic messages to keep us awake. Perhaps we need Brent's heavy hand (no offence Brent, I like the way you keep the noise down here) to help keep this stuff out. I realize how busy Brent is, but I don't think anybody else has the right to police this list.
Given the authority to police and the time, I would volunteer, but I'm out of the office 3-4 days a week and only read this list 1-2 times a week, so I don't think I'd be very effective. I'm not really talking about a moderated list either, just a warning sent to the offender when an off-topic message is posted. Perhaps upon subscription, the subscriber should be warned that posting of non-firewalls related information will subject them to removal from the list, with all future posts filtered from distribution?? Maybe I'm just being anal today, but I'm just getting tired of people taking advantage of the knowledge of this group for non-topical questions. *Sigh* Back to your regularly scheduled programming... b.

-- Brian J. Murrell brian@ilinx.com InterLinx Support Services, Inc. brian@wimsey.com North Vancouver, B.C. 604 983 UNIX Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD

From firewalls-owner Mon Apr 3 12:20:01 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA27223 for firewalls-outgoing; Mon, 3 Apr 1995 11:27:48 -0700 Received: from noc1.mid.net (noc1.mid.net [198.247.250.15]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA27212 for ; Mon, 3 Apr 1995 11:27:43 -0700 Received: from jayhawk.mid.net (jayhawk.mid.net [198.247.250.21]) by noc1.mid.net (8.6.10/8.6.9) with ESMTP id NAA01964; Mon, 3 Apr 1995 13:27:55 -0500 Received: (from alan@localhost) by jayhawk.mid.net (8.6.10/8.6.9) id NAA14172; Mon, 3 Apr 1995 13:27:53 -0500 From: Alan Hannan Message-Id: <199504031827.NAA14172@jayhawk.mid.net> Subject: Re: 2 IP addresses on 1 Ethernet card?
(SG IRIX 5.3) To: dar@cadcentre.co.uk (D.Ashton-Reader) Date: Mon, 3 Apr 1995 13:27:52 -0500 (CDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <9504031602.AA18676@sp23> from "D.Ashton-Reader" at Apr 3, 95 05:02:54 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1183 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> I want to configure a single Ethernet card on an SG IRIX 5.3 machine
> to act as 2 different IP addresses (i.e. and different network nos.)

In solaris, this is done in the following manner: Assume the interface has a "normal" ip of 10.0.0.50. Assume you want your interface to have another ip of 10.0.0.60.

    ifconfig le0:1 10.0.0.60 up

The :1 sets up an "alias" for the interface. I am not certain how this applies to IRIX.

> I get rumour that this is possible via PPP, but can anyone advise
> the details of how it's done pretty-please

It may be possible to set up some sort of routing to (secondary) loopbacks in order to emulate a second ip address. Perhaps someone that's done this will tell.... I know how to do it on ciscos, but cisco's IOS is a bit different from Unix Router Daemons. Good luck. It is often nice to have secondary ip addresses to pick up probes.

-- Alan Hannan (402) 472-0241 MIDnet Inc.
------------------------------\ fax (402) 472-0240 A Global Internet Company " All perception of truth is \_________________________ the detection of an analogy " -- Henry David Thoreau \____________________

From firewalls-owner Mon Apr 3 12:26:55 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA26901 for firewalls-outgoing; Mon, 3 Apr 1995 11:14:18 -0700 Received: from luey.cadvision.com (huey.cadvision.com [204.50.1.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA26896 for ; Mon, 3 Apr 1995 11:14:15 -0700 Received: from cad75.cadvision.com by luey.cadvision.com (AIX 3.2/UCB 5.64/4.04.tri.dcx) id AA22078; Mon, 3 Apr 1995 12:15:39 -0600 Date: Mon, 3 Apr 1995 12:15:39 -0600 Message-Id: <9504031815.AA22078@luey.cadvision.com> X-Sender: myattj@huey.cadvision.com X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@GreatCircle.COM From: myattj@cadvision.com (Justin "Kipper" Myatt) Subject: Re:ccMail SMTP Gateway Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

We use the SMTP gateway version 2.1 with the 2.1.0.1 patch. This runs on a mid size dos box and works pretty well - however only uuencoded formats are supported. Check the Lotus-Communications forum in CrudUserve (Compuserve) for more details on SMTP. cheers Justin

----------------------------------------------------------- Justin Myatt - Email Personage | Call me at 403 290 3262 GE Capital Technology Services | Fax me at 403 290 2566 435, 4th Ave SW | Email to: Calgary, Alberta, Canada, T2P 3A8 | myattj@cadvision.com Brrr it's cold here today....
| CrudUServe(CIS)72234.23 -----------------------------------------------------------

From firewalls-owner Mon Apr 3 12:43:09 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA26849 for firewalls-outgoing; Mon, 3 Apr 1995 11:09:21 -0700 Received: from octrf.on.ca (ocaa.octrf.on.ca [198.96.64.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA26844 for ; Mon, 3 Apr 1995 11:09:17 -0700 From: crooke@octrf.on.ca Received: from ocaa.octrf.on.ca (smtpgate.octrf.on.ca) by OCAA.octrf.on.ca with SMTP (1.37.109.15/16.2) id AA266792811; Mon, 3 Apr 1995 14:13:31 -0400 Received: from cc:Mail by ocaa.octrf.on.ca id AA796942865 Mon, 03 Apr 95 14:01:05 EST Date: Mon, 03 Apr 95 14:01:05 EST Message-Id: <9503037969.AA796942865@ocaa.octrf.on.ca> To: firewalls@greatcircle.com Subject: Re: NFS behind the firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi. I have a question regarding NFS. I know the general rule is to choose either security _or_ NFS. But if your site has a firewall (say based on TIS fwtk) installed and properly configured, does having NFS filesystems floating around on the internal network still pose a security risk? We want to use a source code control system that uses NFS to do its work between platforms (i.e. PC's on a Novell network and one or more unix boxes for developing client-server applications) but from lurking on this list, I have come to the belief that NFS and security mix like oil and water. Could someone clue me in? Please Email me direct because I am only on the digest list and it seems to be a little unreliable. Thanks in advance.
Cameron Rooke Unix Systems Administrator The Ontario Cancer Treatment and Research Foundation crooke@octrf.on.ca

From firewalls-owner Mon Apr 3 13:08:34 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA26810 for firewalls-outgoing; Mon, 3 Apr 1995 11:04:04 -0700 Received: from mickey.jsc.nasa.gov (mickey.jsc.nasa.gov [139.169.132.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA26803 for ; Mon, 3 Apr 1995 11:03:59 -0700 From: horn@mickey.jsc.nasa.gov Received: from janus.jsc.nasa.gov by mickey.jsc.nasa.gov (5.65c/ISL-ser-1.1) id AA15056; Mon, 3 Apr 1995 13:03:35 -0500 Received: by janus.jsc.nasa.gov (5.65c/ISL-cli-1.1) id AA04698; Mon, 3 Apr 1995 13:03:30 -0500 Received: from freefall.jsc.nasa.gov(139.169.132.24) by janus.jsc.nasa.gov via smap (V1.3) id sma004696; Mon Apr 3 13:03:23 1995 Received: by freefall.jsc.nasa.gov (8.6.9/ISL-cli-1.1) id NAA07160; Mon, 3 Apr 1995 13:03:17 -0500 Message-Id: <199504031803.NAA07160@freefall.jsc.nasa.gov> Subject: Re: Pagers (esp display) To: efb@suned1.Nswses.Navy.Mil (Everett F Batey WA6CRE) Date: Mon, 3 Apr 1995 13:03:16 -0500 (CDT) Cc: firewalls@greatcircle.com In-Reply-To: from "Everett F Batey WA6CRE" at Apr 1, 95 07:22:36 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 804 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>develop an email link
>to paging and voice mail .. only a few companies would have to see the
>market opportunity and a small spoon-feed on how-to and it could be off
>and running. Or .. have I missed something.

When I called my paging service and asked them about it, they said that their first concern would be allowing anyone on the Internet to send a page to any of their customers. Their fear was that opening up this hole would allow a large number of pranksters in to harass their customers.
It strikes me as ironic that we can't increase the security of our network through logging, because it makes someone else's network insecure.

-- Mark Horn (sparkie) horn@mickey.jsc.nasa.gov http://tommy.jsc.nasa.gov/~horn mark.horn1@jsc.nasa.gov

From firewalls-owner Mon Apr 3 13:22:24 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA28884 for firewalls-outgoing; Mon, 3 Apr 1995 12:33:30 -0700 Received: from moose.usmcs.maine.edu (moose.usmcs.maine.edu [130.111.131.39]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA28879 for ; Mon, 3 Apr 1995 12:33:27 -0700 Received: by moose.usmcs.maine.edu (5.57/Ultrix3.0-C) id AA17708; Mon, 3 Apr 95 15:33:52 -0400 Received: by sleepy.usmcs.maine.edu; (5.65/1.1.8.2/29Mar95-0232PM) id AA09936; Mon, 3 Apr 1995 15:33:32 -0400 From: Edward Maillet Message-Id: <9504031933.AA09936@sleepy.usmcs.maine.edu> Subject: Looking for papers on NFS, HTTP, and X security. To: firewalls@greatcircle.com Date: Mon, 3 Apr 1995 15:33:31 -0400 (EDT) X-Mailer: ELM [version 2.4 PL24] Content-Type: text Content-Length: 335 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hey All, I'm looking for some papers that describe security risks of NFS, HTTP, and X-11. I'm hoping there are papers along the same lines as the common TCP/IP general security problems paper. (I forget the exact title.) Any references would be appreciated. I'll summarize replies to the list.
-----
Ed Maillet
maillet@usmcs.maine.edu

From firewalls-owner Mon Apr 3 13:49:49 1995
Date: Mon, 3 Apr 1995 16:06:29 -0400
From: Steve Romig
Message-Id: <199504032006.QAA29850@bedbugs.net.ohio-state.edu>
To: vds7789@aw101.iasl.ca.boeing.com
CC: firewalls@GreatCircle.COM
In-reply-to: <199503302134.AA18604@aw102.firewalls@GreatCircle.COM> (vds7789@aw101.iasl.ca.boeing.com)
Subject: Re: How to detect SATAN surfing attempts ?

Here's a rough outline about what Satan does, for those who may be trying to detect this sort of stuff.

subnet scan

    when it probes a subnet, it runs fping to see what hosts are there. fping sends ICMP echo request packets to a bunch o'hosts and waits for the replies. It's faster than ping since it doesn't wait for the reply for one before sending the request to the next. satan calls this as 'fping NET.1 NET.2 NET.3 ...NET.255', so when satan probes a subnet you should see icmp echo requests for increasing IP addresses, starting at 1 (regardless of the real subnet mask, btw, satan assumes class c subnet masks).

host scan

    when it probes a host, I have no idea what order it goes in. I don't think that it's set - it might change from host to host, and it is fluid in that some tests don't get done on every host (eg, if it isn't running nfs, it won't test certain nfs things).

minimal scan

    at the very least, when a host is being probed it will do the dns, rpc and showmount probes.

    the dns probe looks up the name/ip address and reads the output of "nslookup / set qt=any / $target". It squirrels away info like the mail exchange host, name servers for the domain, and HINFO records.

    the rpc probe does "rpcinfo -p $target" to see what rpc services are listed. As far as I know, it just saves the data, doesn't immediately do anything on the net.

    the showmount probe does "showmount -e $target" to see what other hosts can mount from the target, and then runs "showmount -a $target" to see who has mounted what from the target.

heavy scan

    at the highest level, it will optionally use an rusers scan (if rpcinfo showed that the rusers service was registered), a bootparam scan (if registered), finger, and normal and heavy tcp and udp port scans.

    the tcp and udp scans do the following in order:

        normal tcp: 70, 80, ftp, telnet, smtp, nntp and uucp
        normal udp: 53, 177
        heavy tcp:  1-9999
        heavy udp:  1-2050,32767-33500

    the tcp scanner tries to connect to each port in turn; when it connects, it sends 'QUIT\r\n' and closes the connection. the udp scanner sends a 0 byte.

So, when satan scans a subnet you will see ICMP echo requests to hosts NET.1, NET.2 through NET.255. When satan scans a host, at a bare minimum, you will see the "rpcinfo -p" call to the portmapper on the target, and the "showmount -e" and "-a" calls to the mountd on the target.

You can't depend on seeing more than that, since some tests (like tcp and udp port scans) will only be done at high scanning levels, and others (like rusers and boot) will only be done if those services were listed with the portmapper on the target.
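A detection pass over the three observable signatures in the outline above, added here as an example (it is neither SATAN's code nor from the original post). The log line format, the 10.1.2.0/24 internal prefix, the sweep and heavy-scan thresholds, and the port numbers assigned to the named services (ftp 21, telnet 23, smtp 25, nntp 119, uucp 540) are assumptions.

```python
"""Spot the SATAN probe signatures described above in packet-filter logs.

Added example, not code from the original post or from SATAN. It reads
constructed log lines in an assumed format,

    <date> <time> <proto> <src>[:<sport>] > <dst>[:<dport>] [<info>]

and reports, per outside source, the three things the outline says you can
observe: the fping sweep over NET.1 .. NET.255, the rpcinfo contact with the
portmapper that every host probe makes, and the normal or heavy port scans.
The internal prefix, thresholds and service-to-port mapping are assumptions.
"""
import re
from collections import defaultdict

# "normal tcp: 70, 80, ftp, telnet, smtp, nntp and uucp" mapped to port numbers
NORMAL_TCP = {70, 80, 21, 23, 25, 119, 540}
NORMAL_UDP = {53, 177}          # "normal udp: 53, 177"
PORTMAPPER = 111                # rpcinfo -p and showmount both start here
SWEEP_MIN_HOSTS = 32            # assumption: consecutive echo requests from .1 that count as a sweep
HEAVY_MIN_PORTS = 200           # assumption: distinct ports on one host that count as a heavy scan

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<proto>icmp|tcp|udp) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? > (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
    r"(?: (?P<info>\S+))?$"
)


def parse(line):
    """Return the fields of one log line as a dict, or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def analyze(lines, internal_net="10.1.2."):
    """Return {outside source: [finding, ...]} for traffic into internal_net (a /24)."""
    echo = defaultdict(set)                        # src -> last octets it pinged
    pmap = defaultdict(set)                        # src -> hosts whose portmapper it touched
    tcp = defaultdict(lambda: defaultdict(set))    # src -> dst -> tcp ports tried
    udp = defaultdict(lambda: defaultdict(set))    # src -> dst -> udp ports tried
    for line in lines:
        rec = parse(line)
        if rec is None or not rec["dst"].startswith(internal_net):
            continue
        src, dst = rec["src"], rec["dst"]
        if src.startswith(internal_net):
            continue                               # only outside-in traffic matters here
        if rec["proto"] == "icmp" and rec["info"] == "echo-request":
            echo[src].add(int(dst.rsplit(".", 1)[1]))
        elif rec["proto"] == "tcp":
            tcp[src][dst].add(rec["dport"])
        elif rec["proto"] == "udp":
            udp[src][dst].add(rec["dport"])
        if rec["dport"] == PORTMAPPER:
            pmap[src].add(dst)

    findings = defaultdict(list)
    for src, octets in echo.items():
        # fping is run as "fping NET.1 NET.2 ... NET.255": measure the run that starts at .1
        run = 0
        while run + 1 in octets:
            run += 1
        if run >= SWEEP_MIN_HOSTS:
            findings[src].append(f"subnet sweep: echo requests to .1 through .{run}")
    for src, hosts in pmap.items():
        for dst in sorted(hosts):
            findings[src].append(f"portmapper queried on {dst} (minimal host scan)")
    for src in sorted(set(tcp) | set(udp)):
        for dst in sorted(set(tcp[src]) | set(udp[src])):
            t, u = tcp[src][dst], udp[src][dst]
            if len(t) >= HEAVY_MIN_PORTS:
                findings[src].append(f"heavy tcp port scan of {dst} ({len(t)} ports)")
            elif NORMAL_TCP <= t and NORMAL_UDP <= u:
                findings[src].append(f"normal tcp/udp port scan of {dst}")
    return dict(findings)


def sample_log():
    """Constructed traffic: 192.0.2.7 sweeps 10.1.2.0/24, then probes 10.1.2.5."""
    lines = [f"1995-04-03 16:06:{i % 60:02d} icmp 192.0.2.7 > 10.1.2.{i} echo-request"
             for i in range(1, 256)]
    lines.append("1995-04-03 16:07:01 udp 192.0.2.7:1023 > 10.1.2.5:111")
    lines += [f"1995-04-03 16:07:02 tcp 192.0.2.7:1024 > 10.1.2.5:{p} syn" for p in sorted(NORMAL_TCP)]
    lines += [f"1995-04-03 16:07:03 udp 192.0.2.7:1025 > 10.1.2.5:{p}" for p in sorted(NORMAL_UDP)]
    lines.append("1995-04-03 16:08:00 tcp 10.1.2.9:2000 > 10.1.2.5:23 syn")       # internal, ignored
    lines.append("1995-04-03 16:08:01 tcp 198.51.100.4:3000 > 10.1.2.5:80 syn")   # one ordinary web hit
    lines.append("garbage line the filter could not parse")
    return lines


if __name__ == "__main__":
    for src, notes in analyze(sample_log()).items():
        for note in notes:
            print(f"{src}: {note}")
```

Because mountd registers on a dynamic port, the showmount calls are only visible here through the preceding portmapper query; a wrapper on the portmapper itself is the place to log them by name.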
From firewalls-owner Mon Apr 3 14:16:11 1995
Date: Mon, 3 Apr 1995 15:42:35 -0500 (CDT)
From: Ron DuFresne
To: "Brian J. Murrell"
cc: firewalls@greatcircle.com
Subject: Re: ccMail SMTP Gateway

Brian,

Perhaps rather than a _warning_, a pointer down the proper path of this quest... honey vs. vinegar.

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

testing, only testing, and damn good at it too!
OK, so you're a Ph.D. Just don't touch anything.
From firewalls-owner Mon Apr 3 14:20:59 1995
From: joshua geller
Date: Mon, 3 Apr 1995 14:04:08 -0700
Message-Id: <199504032104.OAA18104@sleepy.retix.com>
To: crooke@octrf.on.ca
CC: firewalls@GreatCircle.COM
In-reply-to: <9503037969.AA796942865@ocaa.octrf.on.ca> (crooke@octrf.on.ca)
Subject: Re: NFS behind the firewall

> I have a question regarding NFS. I know the general rule is to choose
> either security _or_ NFS. But if your site has a firewall (say based on TIS
> fwtk) installed and properly configured, does having NFS filesystems
> floating around on the internal network still pose a security risk?

depends if you trust your users.
josh

From firewalls-owner Mon Apr 3 14:52:06 1995
Date: Mon, 3 Apr 1995 14:01:51 -0700 (PDT)
From: Kenneth Martig
To: firewalls@GreatCircle.COM
Subject: X.25 Security and Firewalls

Hello,

We are being pushed to put in a link to our parent company in Denmark via an X.25 link. Mostly it will be for cc:mail, but there will also be some TCP/IP traffic. I was wondering what security issues I should be aware of. Any references to breakins would be greatly appreciated.

A couple of ideas that I was kicking around were encrypting routers, but I'm not sure about the export restrictions. The other would be to build a firewall, but I'm not sure how cc:mail would or should be handled.

Since this is only marginally firewall related please reply directly to me.

Thanks,
Ken Martig
ZymoGenetics, Inc.
martig@zgi.com

From firewalls-owner Mon Apr 3 15:27:56 1995
From: Richard Threadgill
Subject: Re: Feeping Creaturism in routers (was Re: Response to Satan)
In-reply-to: Your message of "Mon, 3 Apr 1995 00:05:41 -0400"
To: estutes@frus.com
Cc: fitz@wang.com, firewalls@greatcircle.com
Date: Mon, 03 Apr 1995 13:51:04 -0700
Message-ID: <9790.796942264@remarque.berkeley.edu>

> In our case, we need NTP running on the net because we need to
> synchronize our router and the authentication server, and in one case
> they are 1500 miles apart and the only way to keep them in sync is
> NTP.

This is the strongest reason to not run ntp on your firewall router. Why do you consider the incoming ntp stream trustworthy? (Not to cast doubt upon the NTP project, but there are *lots* of interesting attacks on authentication systems which depend on perverting their clock). I would strongly recommend that if you are planning on using clock-based authentication schemes (eg, kerberos), you make sure that the clock is fundamentally internal. An atomic or radio clock on your premises is fairly unlikely to be compromised; an external ntp clock is not so blessed.
RichardT

From firewalls-owner Mon Apr 3 15:33:31 1995
From: Alan Hannan
Message-Id: <199504032129.QAA12981@jayhawk.mid.net>
Subject: Re: 2 IP addresses on 1 Ethernet card? (SG IRIX 5.3)
To: alan@mid.net (Alan Hannan)
Date: Mon, 3 Apr 1995 16:29:56 -0500 (CDT)
Cc: dar@cadcentre.co.uk, firewalls@GreatCircle.COM, wzhu@yoda.unl.edu
In-Reply-To: <199504031827.NAA14172@jayhawk.mid.net> from "Alan Hannan" at Apr 3, 95 01:27:52 pm

> The :1 sets up an "alias" for the interface. I am not certain how this
> applies to IRIX.

David Zhu from Paranet writes:

:: If I am not mistaken, on IRIX 5.3 it is done by:
::
:: ifconfig le0 10.0.0.50
:: ifconfig le0 10.0.0.60 alias

> It may be possible to setup some sort of routing to (secondary) loopbacks
> in order to emulate a second ip address. Perhaps someone that's done this
> will tell.... I know how to do it on ciscos, but cisco's IOS is a bit different
> from Unix Router Daemons.

He further writes:

:: Or you can setup your serial interface with PPP, but not really connected with
:: your network, so the routing daemon will listen to the two IP address on two
:: interfaces.
::
:: restart your in.routed after you make the change.

He sure is smart....
Now, I have to ask myself, what are some uses of multiple ip numbers on one address? I see the usefulness for servers, like FTP, Web, etc...; but how about for Security and Breach detection?

--
Alan Hannan                   (402) 472-0241
MIDnet Inc.               fax (402) 472-0240
A Global Internet Company
"All perception of truth is the detection of an analogy" -- Henry David Thoreau

From firewalls-owner Mon Apr 3 15:56:42 1995
To: horn@mickey.jsc.nasa.gov
Cc: efb@suned1.nswses.navy.mil, firewalls@greatcircle.com
Subject: Re: Pagers (esp display)
Reply-To: estutes@frus.com
In-Reply-To: Your message of "Mon, 3 Apr 1995 13:03:16 -0500 (CDT)"
References: <199504031803.NAA07160@freefall.jsc.nasa.gov>
Date: Mon, 03 Apr 1995 15:28:43 -0700
From: Earl Stutes

horn said in [Re: Pagers (esp display)] on Mon, 3 Apr 1995 13:03:16 -0500 (CDT)

> >develop an email link
> >to paging and voice mail .. only a few companies would have to see the
> >market opportunity and a small spoon-feed on how-to and it could be off
> >and running. Or .. have I missed something.
>
> When I called my paging service and asked them about it, they said that their
> first concern would be allowing anyone on the Internet to send a page to any
> of their customers. Their fear was that opening up this hole would allow a
> large number of pranksters in to harass their customers.

If you were in the commercial pager business, isn't that the answer you would give?
I get funny calls every now and then anyway.

There are really two separate issues here. The protocol used to send traffic to pagers, and who should be allowed access. To get to my pager direct, there is a phone number where the only thing that is expected is touch tones. To leave me an alpha message, there is another number where you get a human that answers properly, and says I am out of the office and takes a message which is then sent to my pager.

Now since my pager receives both kinds of messages, it is only logical that if you knew the protocol, there should be no problem in sending internet email to my pager. In fact there are at least three companies here in the SF Bay area that advertise such services. If you got the money, honey, they got the time. ;*)

=eas=

From firewalls-owner Mon Apr 3 15:57:40 1995
Date: Mon, 03 Apr 1995 17:34:11 -0600
From: "Steve P. Devore"
To: firewalls@greatcircle.com
Subject: Re: ccMail SMTP Gateway -Reply

Actually, there seem to be more messages flaming off topic messages than there are the off topic messages themselves. How about if everyone sends an email to the offending person, rather than stating the obvious to everyone on the mailing list. And besides, talk about off topic mail is off topic too! (Which I guess this email is also off topic...)

>>> Brian J. Murrell 4/3/95, 10:45am >>>
Is it just annoying me or are others reading here annoyed with these non-firewalls related questions flooding this mailing list lately?? It's not like there is no traffic on it (can you say 2 hours to read 2 days backlog??) so we need these off-topic messages to keep us awake.

From firewalls-owner Mon Apr 3 16:22:48 1995
To: richardt@remarque.berkeley.edu
Cc: fitz@wang.com, firewalls@greatcircle.com
Subject: Re: Feeping Creaturism in routers (was Re: Response to Satan)
Reply-To: estutes@frus.com
In-Reply-To: Your message of "Mon, 03 Apr 1995 13:51:04 -0700"
References: <9790.796942264@remarque.berkeley.edu>
Date: Mon, 03 Apr 1995 16:16:01 -0700
From: Earl Stutes

richardt said in [Re: Feeping Creaturism in routers (was Re: Response to Satan) ] on Mon, 03 Apr 1995 13:51:04 -0700

> > In our case, we need NTP running on the net because we need to
> > synchronize our router and the authentication server, and in one case
> > they are 1500 miles apart and the only way to keep them in sync is
> > NTP.
>
> This is the strongest reason to not run ntp on your firewall router.
> Why do you consider the incoming ntp stream trustworthy? (Not to cast
> doubt upon the NTP project, but there are *lots* of interesting attacks
> on authentication systems which depend on perverting their clock). I would
> strongly recommend that if you are planning on using clock-based authentication
> schemes (eg, kerberos), you make sure that the clock is fundamentally internal.
> An atomic or radio clock on your premises is fairly unlikely to be compromised;
> an external ntp clock is not so blessed.

The failure mode is, if the router and the internal network machines are not in sync, then they can not validate each other's credentials. So the failure mode is they do not authenticate, and all attempts from the outside to get in fail. This is duly noted in the authentication server's logs, which are closely monitored.

If I were really concerned, I would sync using NTP over our encrypted ppp link from an internal feed we have from WWV, but we have not deemed that necessary.

Oh yeah, we are not kerberos based.

=eas=

From firewalls-owner Mon Apr 3 17:51:38 1995
Date: Mon, 03 Apr 95 14:38:05
From: "Jon"
Message-Id: <9503037969.AA796945085@sr01024.dynasys.com>
To: Edward Maillet
Cc: firewalls@greatcircle.com
Subject: Re: Looking for papers on NFS, HTTP, and X security.

========================================
From: Edward Maillet at Internet
To: firewalls@greatcircle.com at Internet
cc:
Subject: Looking for papers on NFS, HTTP, and X security.
Date: 4/3/95 2:08PM

>>Hey All,
>> I'm looking for some papers that describe security risks of NFS, HTTP, and X-11.
>>I'm hoping there are papers along the same lines as the common TCP/IP general
>>security problems paper.
>>----- Ed Maillet
>>maillet@usmcs.maine.edu

Hello Ed,

You might take a look at a book from Addison Wesley publishing called FIREWALLS AND INTERNET SECURITY -- Repelling the Wily Hacker by William R. Cheswick and Steven M. Bellovin. I found it very up to date (as up to date as a book can be) on Internet socket issues.

Check it out,

Jon Hawkins
Sr. Systems Engineer
Dynamic Systems -- Authorized Sun Reseller

From firewalls-owner Mon Apr 3 18:50:40 1995
Date: Mon, 3 Apr 95 21:11:06 -0400
Message-Id: <9504040111.AA07034@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Exports and ITAR

Ken rites:

>A couple of ideas that I was kicking around were encrypting routers, but
>I'm not sure about the export restrictions. The other would be to build
>a firewall, but I'm not sure how cc:mail would or should be handled.

And I disagree about it being related since if all traffic were encrypted, then the function of the firewall would be to block anything in the clear.

The export restrictions are something else however I suspect (would welcome an informed opinion) that if I strongly encrypt a message and send it to someone overseas *right now* there is no law against this so long as I do not send them the encryption program. Further, I can send them a decryption program so long as I do not provide them with any means for encryption.
Next, I can receive encrypted messages from overseas and decrypt them with my domestically purchased & licensed software (I use Viacrypt PGP - plug) without any violation occurring.

Next, I can exchange keys/messages with anyone so long as I do not send them the program necessary for them to encrypt anything. If the person beyond our borders happens to have the necessary software or pad, that is not my concern.

Finally, so long as the program is in the "public domain" (and ITAR seems to have a very special meaning that can even include patented algorithms), it seems that I can legally send a text description ("information") of the encryption module in hardcopy (E-mail seems to be a no-no, not certain about a FAX but probably verboten also) overseas (notice I specified "description". This could be as small as a couple of subroutines).

So much for ITAR. To me the biggest problem is agreeing on who is to do what and with which and to whom (most likely the calling party will be required to use the current mechanism in use by the DE).

Possible scenario: I request a telnet access to 1L6.toob.com including my public key in the body. 1L6 encrypts the current algorithm & a key fer me (a function of my address + some other mechanism to make each session unique yet generatable easily at the packet level) and returns it. My end then uses this to encrypt the next packet and off we go.

*Though what I have described can be handled at the host level right now, ultimately I expect it will be a Firewall function.

Warmly,
Padgett

ps and once it is in effect, "remote probes" will cease to have meaning.
From firewalls-owner Mon Apr 3 19:17:33 1995
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9504040247.AA07868@hawksbill.sprintmrn.com>
Subject: Re: How to detect SATAN surfing attempts ?
To: romig@net.ohio-state.edu (Steve Romig)
Date: Mon, 3 Apr 1995 21:47:35 -0500 (EST)
Cc: vds7789@aw101.iasl.ca.boeing.com, firewalls@GreatCircle.COM
In-Reply-To: <199504032006.QAA29850@bedbugs.net.ohio-state.edu> from "Steve Romig" at Apr 3, 95 04:06:29 pm

This is pretty simple stuff. In fact, most of it is really old, simple stuff. In any event, it looks like satan is nothing more than ISS with a motif, but I'm sure we'll all get a better feel for 'it' after the 5th. I've already had an opportunity to tinker with the pre-release, and I can assure you it's not as devastating as the popular press would depict it. Can you say 'hype'?

[sorry for the lengthy quote]

- paul

> Here's a rough outline about what Satan does, for those who may be
> trying to detect this sort of stuff.
>
> [remainder of Steve Romig's message, quoted in full in the original and reproduced above, omitted]
>
_______________________________________________________________________________
Paul Ferguson                        US Sprint
tel: 703.689.6828                    Managed Network Engineering
internet: paul@hawk.sprintmrn.com    Reston, Virginia USA
http://www.sprintmrn.com

From firewalls-owner Mon Apr 3 19:20:43 1995
Date: Mon, 3 Apr 95 21:56:50 -0400
Message-Id: <9504040156.AA07210@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Multiple addresses

Alan rites:

> Now, I have to ask myself, what are some uses of multiple ip numbers on
>one address? I see the usefulness for servers, like FTP, Web, etc...; but how
>about for Security and Breach detection?

You recall I mentioned a "minefield", well suppose that a PC was set on the firewall feed and *all* unused subnet addresses in your domain that came from the great beyond were recognized/alarmed/logged by that one machine (or maybe two identical ones if you like redundancy). Need I say more ?
Warmly,
Padgett

From firewalls-owner Mon Apr 3 19:50:26 1995
From: johnb@jbxs1.jbx.com (John Boudreaux)
Message-Id: <9504040231.AA03994@jbxs1>
Subject: swipe
To: firewalls@greatcircle.com
Date: Mon, 3 Apr 1995 22:31:50 -0400 (EDT)

silly question, I've seen lots of references etc to swipe but I can't seem to find the source etc. to build it here... anyone out there know where I might find it?

John

From firewalls-owner Mon Apr 3 23:38:18 1995
From: x.gosselin.rea0803@oasis.icl.co.uk
Message-Id: <9503310827.AA09825@getafix.oasis.icl.co.uk>
Date: Fri, 31 Mar 95 09:27:54 BST
Reply-To: x.gosselin.rea0803@oasis.icl.co.uk
Subject: help: .Z format docs
To: firewalls@greatcircle.com

I know it isn't the list subject.
I try to find information on firewalls and security but mainly all docs are in .Z format. The trouble is: I'm collecting them via a PC (DOS/Windows). Can anyone tell me where I may find a .Z uncompress tool for PC (and gunzip.exe also)?

Thanks for your help.

Xavier

From firewalls-owner Tue Apr 4 02:23:11 1995
Date: Tue, 4 Apr 1995 10:58:02 +0200 (GMT+0200)
From: Alan Barrett
To: Richard Threadgill
cc: firewalls@greatcircle.com
Subject: Re: Feeping Creaturism in routers (was Re: Response to Satan)
In-Reply-To: <9790.796942264@remarque.berkeley.edu>

On Mon, 3 Apr 1995, Richard Threadgill wrote:

> This is the strongest reason to not run ntp on your firewall router.
> Why do you consider the incoming ntp stream trustworthy?

The widely used xntpd implementation supports DES and MD5 authentication of timestamps, even over unencrypted links. Cisco's ntp implementation supports MD5 authentication.

> An atomic or radio clock on your premises is fairly unlikely to be
> compromised; an external ntp clock is not so blessed.

Quite so. But you don't need an atomic clock in every branch office; you can have a trusted clock at headquarters and distribute authenticated chime from there. Use several trusted clocks in different locations for higher reliability.
--apb (Alan Barrett) From firewalls-owner Tue Apr 4 02:54:46 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id CAA22665 for firewalls-outgoing; Tue, 4 Apr 1995 02:44:48 -0700 Received: from pegase.total.fr (pegase.total.fr [146.249.41.223]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id CAA22658 for ; Tue, 4 Apr 1995 02:44:32 -0700 Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA04248; Tue, 4 Apr 95 11:37:50 +0200 Received: by tidtest.total.fr (4.1/SMI-4.1) id AA07935; Tue, 4 Apr 95 11:36:56 +0100 From: lavondes@tidtest.total.fr (Michel Lavondes) Message-Id: <9504041036.AA07935@tidtest.total.fr> Subject: Re: Feeping Creaturism in routers (was Re: Response to Satan) To: richardt@remarque.berkeley.edu (Richard Threadgill) Date: Tue, 4 Apr 95 11:36:55 BST Cc: firewalls@greatcircle.com (fw) Reply-To: lavondes@tidtest.total.fr In-Reply-To: <9790.796942264@remarque.berkeley.edu>; from "Richard Threadgill" at Apr 3, 95 1:51 pm X-Mailer: ELM [version 2.3 PL11] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Richard Threadgill wrote : > > [snip] > > This is the strongest reason to not run ntp on your firewall router. > Why do you consider the incoming ntp stream trustworthy? (Not to cast > doubt upon the NTP project, but there are *lots* of interesting attacks > on authentication systems which depend on perverting their clock). I would > strongly recommend that if you are planning on using clock-based > authentication schemes (eg, kerberos), you make sure that the clock is > fundamentally internal. An atomic or radio clock on your premises is fairly > unlikely to be compromised; an external ntp clock is not so blessed. > What bothers me most is that (according to the docs - I didn't try it) NTP is *enabled* by default. -- Michel Lavondes |It's is not, it isn't ain't, and it's it's, not its, lavondes@tidtest.total.fr|if you mean it is. If you don't, it's its. 
                          | Then too,
Phone : +33-1-4135-4198   | it's hers. It isn't her's. It isn't our's, either.
#include                  | It's ours, and likewise yours and theirs.

From firewalls-owner Tue Apr 4 03:10:47 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id CAA22175 for firewalls-outgoing; Tue, 4 Apr 1995 02:21:12 -0700
Received: from sunbim.sunbim.be (sunbim.sunbim.be [141.253.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id CAA22170 for ; Tue, 4 Apr 1995 02:20:59 -0700
Received: from prince.sunbim.be by sunbim.sunbim.be (4.1/SMI-4.1) id AA08424; Tue, 4 Apr 95 11:17:42 +0200
Received: from dvorak.mumath by prince.sunbim.be (4.1/SMI-4.1) id AA03644; Tue, 4 Apr 95 11:14:18 +0200
Date: Tue, 4 Apr 95 11:14:18 +0200
From: pc@sunbim.be (Philippe Cayphas)
Message-Id: <9504040914.AA03644@prince.sunbim.be>
To: firewalls@greatcircle.com
Subject: Firewall on Sun/Solaris
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi All,

Does anyone know of a document describing how to configure a Sun/Solaris workstation into a bastion host? I'm looking for something like the Livingston paper for SunOS.

Thanks for your answers.

Philippe

--
Ph. Cayphas
Senior Engineer
E-Mail: pc@sunbim.be (or uunet!mcsun!ub4b!sunbim!pc)
Telephone: +32(10)47.08.32
Fax : +32(10)47.08.11
Postal Mail : Ph. Cayphas, BIM sa, 4, Av.
Albert Einstein, 1348 Louvain-La-Neuve, Belgium

From firewalls-owner Tue Apr 4 03:55:28 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id DAA23978 for firewalls-outgoing; Tue, 4 Apr 1995 03:39:08 -0700
Received: from NYXGATE1.btco.com ([198.81.205.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id DAA23973 for ; Tue, 4 Apr 1995 03:39:03 -0700
Received: (from mailer@localhost) by NYXGATE1.btco.com (8.6.9/8.6.9) id GAA11935; Tue, 4 Apr 1995 06:38:35 -0400
Received: from lncsex0003.eu.btco.com(160.82.152.218) by NYXGATE1.btco.com via smap (V1.3) id sma012305; Tue Apr 4 06:38:17 1995
Received: from lncsea0001.eu.btco.com (lncsea0001.eu.btco.com [160.82.136.15]) by LNCSEX0003.eu.btco.com (8.6.9/BTmail) with SMTP id LAA31275; Tue, 4 Apr 1995 11:38:12 +0100
Date: Tue, 4 Apr 1995 11:38:09 -0900 (PDT)
From: "Todd S. Aven"
To: bind@uunet.uu.net, bind-workers@vix.com, firewalls@greatcircle.com
cc: azeez@btco.com, leviner@btco.com
Subject: BIND conflict between delegation and forwarding
X-Sender: avento@lncsex0003.eu.btco.com
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please pardon me if (a) I'm rehashing a stale topic or (b) this memo is much too long or (c) my use of terminology is poor. Following is a fairly detailed description of the background of my problem, at the end of which is a statement of exactly what I want from you readers. If you get bored with the discussion, skip to the end and work backward ;-).
I participated in a discussion in January on the Firewalls list related to the above topic, during which Goetz von Escher pointed out that (using current versions of BIND) name lookups in a subdomain fail when the subdomain is properly delegated from a parent domain but the servers authoritative for the parent domain are not authoritative for the subdomain *AND* the servers for the parent domain are configured with a 'forwarder' directive in named.boot *AND* the server to which queries are forwarded is authoritative for the parent zone but holds different data which does not include the delegation (what a mouthful!).

This somewhat bizarre combination of circumstances exists for many sites that have an Internet firewall which runs a nameserver which is primary for a zone of the same name as used internally, but which contains completely different (sanitized) information suitable for the Internet. To preempt any stray bullets, let me say up front that I'm not the least bit interested in debating the rationality of this configuration.

At the time, I (like several others) pooh-poohed the problem report because my servers were either primary or secondary for all my domains and subdomains. Now I have a requirement to delegate a subdomain to a separate server, and it doesn't work because of the 'forwarder' directive.

To paraphrase Goetz, the reason it doesn't work is because BIND resolves names in the following order:

  1. Look in cache
  2. Look in database             ==> Bingo! if server is a primary/secondary
  3. Query forwarder nameservers  ==> firewall returns NXDOMAIN
  4. Do a regular query

Since the nameserver on the firewall returns NXDOMAIN in stage 3 of the resolution process, the regular query in stage 4 is never performed.

To make things concrete, let's take the following scenario: The Foo Corporation uses domain foo.com on its private internet. There is one bind492 server (call it 'A.foo.com') which is primary for foo.com.
There is a firewall (call it 'B.foo.com') connected to the private internet and the public Internet, and it is running bind492 serving as primary for foo.com, but the only entry in this domain is an MX record. The internal foo.com domain delegates the test.foo.com domain to another nameserver (call it 'C.foo.com'). Server A has a forwarder directive with the address of B.

Here's the internal foo.com zone (served by A):

    foo.com.        IN  SOA  A.foo.com. ...
    foo.com.        IN  NS   A.foo.com.
    A.foo.com.      IN  A    1.1.1.1
    B.foo.com.      IN  A    1.1.1.2
    C.foo.com.      IN  A    1.1.1.3
    test.foo.com.   IN  NS   C.foo.com.

Here's the external foo.com zone (served by B):

    foo.com.        IN  SOA  B.foo.com. ...
    foo.com.        IN  NS   B.foo.com.
    foo.com.        IN  MX   0 B.foo.com.

Now, if I send an A query for 'x.test.foo.com' to A.foo.com, it looks in the cache (misses), looks in the zone (no data), forwards the query to B.foo.com, who answers NXDOMAIN. Bah, humbug!

If I put an NS record for test.foo.com in the external foo.com zone, then things work correctly (albeit slowly), but I don't want to put this information in the external zone at all. That's duct tape, not a solution.

***WHAT I WANT*** is for bind on A.foo.com to find the NS record for test.foo.com and either recurse the query for x.test.foo.com to C.foo.com (if recursion requested and available) or return the NS record (if recursion not requested or not available).

My understanding and use of the 'forwarder' directive is for situations where the resolution can not be achieved directly due to connectivity issues. I would solve this problem by skipping the forwarder stage if the query was for a name ending in foo.com or the NS record for the subdomain specified a 'reachable' network.

I'm willing (and capable) to put this functionality into bind, but I don't want to tread on a claim already staked or reinvent the wheel. Has someone already done this for bind 4.9.2 or 4.9.3? Has someone declared their intent to do something like this for 4.9.4?
If no one has done this, I'm willing to accept (constructive) suggestions on refinements to my half-baked solution in the previous paragraph. I'll summarize all offline discussions to the net, for those interested in minimizing multiple-mailing-list chatter.

Regards,
Todd Aven
avents@btco.com

From firewalls-owner Tue Apr 4 04:21:47 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA24815 for firewalls-outgoing; Tue, 4 Apr 1995 04:19:45 -0700
Received: from mail.Germany.EU.net (mail.Germany.EU.net [192.76.144.65]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id EAA24808 for ; Tue, 4 Apr 1995 04:19:41 -0700
Received: by mail.Germany.EU.net with ESMTP (8.6.5:29/EUnetD-2.5.1.d) via EUnet id NAA27150; Tue, 4 Apr 1995 13:20:58 +0200
Message-Id: <199504041120.NAA03452@taps.Germany.EU.net>
Received: from localhost.Germany.EU.net by taps.Germany.EU.net with SMTP (8.6.4/EUnetDlan-1.14-1.2.0) via EUnet for [mail.germany.eu.net] id NAA03452; Tue, 4 Apr 1995 13:20:14 +0200
To: firewalls@greatcircle.com
From: John Murray
Subject: Transparent proxies
Date: Tue, 04 Apr 1995 13:20:13 +0200
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all,

will future versions of the fwtk include transparent proxies or is this feature restricted to Gauntlet?

Cheers
John

[EUnet ASCII-art logo]
John Murray, System Management
John.Murray@Germany.EU.net
EUnet Deutschland GmbH
Emil-Figge-Str.
80, 44227 Dortmund, Germany
Connecting Europe since 1982
Tel.(Fax) +49 231 972 2222 (1111)

From firewalls-owner Tue Apr 4 04:51:56 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA24858 for firewalls-outgoing; Tue, 4 Apr 1995 04:21:30 -0700
Received: from hostserver.merit.edu (hostserver.merit.edu [35.1.1.98]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id EAA24853 for ; Tue, 4 Apr 1995 04:21:27 -0700
Received: from [198.111.2.15] by hostserver.merit.edu (8.6.10/hostsrvr-1.1) id HAA11142; Tue, 4 Apr 1995 07:21:37 -0400
Message-Id: <199504041121.HAA11142@hostserver.merit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 4 Apr 1995 06:26:00 -0500
To: firewalls@GreatCircle.COM
From: cwerner@hsdemo.merit.edu (Christopher L. Werner)
Subject: C & B 'Relay' program
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The Cheswick & Bellovin 'Firewalls and Internet Security' book mentions a 'Relay' program used to pass mail from the 'Outside' host through 'Inside' and to 'Research' where the mail is retrieved by the users.

Is this relay program freely available? Where? Is this tcp_wrapper? Are they using UUCP to distribute their files between bastions or another program (part of upas)? When will upas be available? Internally, does upas have Windows and Mac clients? Will it support MIME (assuming the files are filtered before being allowed in)?

FWIW: (proposed)

    Internet ----- Router ------ Dual-Homed Host ----- Choke Router ----->
    >------- Internal Dual-Homed Host ------ Mail and other hosts.

IP forwarding off, static routing (no routed), newest BIND, newest Sendmail, Solaris 2.4, NFS and NIS+ only on internal hosts.

Thanks,

(I haven't seen this posted on firewalls, went direct first but got no response)

-----------------------------------------------------------------
Opinions expressed are my own and not those of Robert Bosch Corp.
-----------------------------------------------------------------
Christopher L. Werner | Robert Bosch Corporation
System Engineer       | 38000 Hills Tech Dr.
(810)553-1389         | Farmington Hills, MI 48331-3417

From firewalls-owner Tue Apr 4 05:21:45 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA25829 for firewalls-outgoing; Tue, 4 Apr 1995 05:11:12 -0700
Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA25822 for ; Tue, 4 Apr 1995 05:11:07 -0700
From: fc@all.net (Dr. Frederick B. Cohen)
Received: by all.net (4.1/3.2.012693-Management Analytics); id AA07900 for firewalls@greatcircle.com; Tue, 4 Apr 95 08:07:41 EDT
Message-Id: <9504041207.AA07900@all.net>
Subject: gopher getcommand: readline error
To: firewalls@greatcircle.com
Date: Tue, 4 Apr 1995 08:07:41 -0400 (EDT)
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 878
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I noticed that when I do certain port scans, my gopher server produces an error message (in the log file):

    getcommand: readline error

I assume this relates to the probe exercising the channel but not sending a request or waiting around for a result. Is this right? If so, I am going to up my estimate of port prober attempts at my site.

p.s. Satan and some other port probers seem to trigger this behavior. It may be a good indicator of being scanned.
FC

--
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
Check out info-security heaven and test your system for known vulnerabilities (1st time for free) at URL: http://all.net:8080 (scans deeper than SATAN)
Read "Protection and Security on the Information Superhighway" - just released by Wiley and Sons -

From firewalls-owner Tue Apr 4 05:40:16 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA25898 for firewalls-outgoing; Tue, 4 Apr 1995 05:16:37 -0700
Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA25886 for ; Tue, 4 Apr 1995 05:16:32 -0700
From: fc@all.net (Dr. Frederick B. Cohen)
Received: by all.net (4.1/3.2.012693-Management Analytics); id AA08391 for firewalls@greatcircle.com; Tue, 4 Apr 95 08:13:07 EDT
Message-Id: <9504041213.AA08391@all.net>
Subject: firewall weaknesses
To: firewalls@greatcircle.com
Date: Tue, 4 Apr 1995 08:13:06 -0400 (EDT)
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 1293
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A few weeks ago (or was it only a few days - time flies when you're constantly under network attack) I asked the members of this forum about known weaknesses and limitations in existing firewalls. To date, I haven't gotten any responses from the vendors. Is this because all firewalls are perfect, because nobody will admit to weaknesses, or because of inadequate testing programs?

Maybe I'll get the ball rolling. Does anyone have a firewall that will protect users from poorly configured http daemons without preventing authorized use? For example, if the users use methods other than POST or try to execute commands sent in from the remote site or have old versions of httpd with known bugs, does anyone claim to have a firewall that allows use of the httpd without introducing the holes? Is anyone working on one?
How about a similar capability for the client side?

FC

From firewalls-owner Tue Apr 4 05:52:30 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA26122 for firewalls-outgoing; Tue, 4 Apr 1995 05:26:29 -0700
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id FAA26117 for ; Tue, 4 Apr 1995 05:26:26 -0700
Received: from daisy.ee.und.ac.za by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950108) id FAA18852; Tue, 4 Apr 1995 05:25:59 -0700
Received: by daisy.ee.und.ac.za (Smail3.1.28.1 #31) id m0rw7cj-0007UmC; Tue, 4 Apr 95 14:22 GMT+0200
Date: Tue, 4 Apr 1995 14:22:20 +0200 (GMT+0200)
From: Alan Barrett
To: "Todd S. Aven"
cc: bind@uunet.uu.net, bind-workers@vix.com, firewalls@greatcircle.com, azeez@btco.com, leviner@btco.com
Subject: Re: BIND conflict between delegation and forwarding
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Relevance to firewalls: not much. But the presence of a firewall with split DNS caused the problem addressed here.
Relevance to bind-workers: not much. Just a suggestion about a new "fallback-forwarder" directive.
Relevance to bind: more than the relevance to the other mailing lists.

"Todd S.
Aven" wrote:
> (using current versions of BIND) name lookups in a subdomain fail
> when the subdomain is properly delegated from a parent domain but the
> servers authoritative for the parent domain are not authoritative for
> the subdomain *AND* the servers for the parent domain are configured
> with a 'forwarder' directive in named.boot *AND* the server to which
> queries are forwarded is authoritative for the parent zone but
> holds different data which does not include the delegation (what a
> mouthful!).

Correct. The whole point of the "forwarders" directive in BIND's named.boot file is to tell it to forward queries elsewhere if it does not have the answer immediately available, even if it does have NS records pointing to servers other than the forwarder. Sending to the forwarders is not a last resort, it's a second resort (just after looking for the info locally).

It might be useful to add some kind of "fallback forwarder" to be used as a last resort if normal queries don't work, but it's not immediately obvious to me how you would tell when to use the fallback and when not to. (I am not saying it's infeasible or even difficult, just that I haven't thought about it enough to tell.)

> ***WHAT I WANT*** is for bind on A.foo.com to find the NS record
> for test.foo.com and either recurse the query for x.test.foo.com to
> C.foo.com (if recursion requested and available) or return the NS
> record (if recursion not requested or not available).

Remove the "forwarders" directive, and it will do that. Then you will probably want an internal root server to handle the stuff that your forwarder handled previously.

Another option is to make your server a secondary for all the delegated *.foo.com zones.

A third option is to insert another layer of forwarders: Have internal machines that do not carry all internal zones forward to an internal machine that does carry all internal zones, and have that in turn forward to a machine that can talk to the outside world.
--apb (Alan Barrett)

From firewalls-owner Tue Apr 4 06:22:50 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA26319 for firewalls-outgoing; Tue, 4 Apr 1995 05:35:13 -0700
Received: from relay.tis.com (relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id FAA26314 for ; Tue, 4 Apr 1995 05:35:11 -0700
Received: from mailhub.tis.com(192.33.112.100) by relay.tis.com via smap (a1.4) id sma003393; Tue Apr 4 08:34:29 1995
Received: from sol.tis.com by tis.com (4.1/SUN-5.64) id AA22722; Tue, 4 Apr 95 08:34:38 EDT
Message-Id: <9504041234.AA22722@tis.com>
From: Frederick M Avolio
X-Organization: Trusted Information Systems, Inc.
X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363
To: John Murray
Cc: firewalls@greatcircle.com
Subject: Re: Transparent proxies
In-Reply-To: Your message of Tue, 04 Apr 95 13:20:13 +0200. <199504041120.NAA03452@taps.Germany.EU.net>
Date: Tue, 04 Apr 95 08:34:37 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> will future versions of the fwtk include transparent proxies
> or is this feature restricted to Gauntlet?

Gauntlet Internet Firewall only. The FWTK will have few, if any, new features.

Fred

From firewalls-owner Tue Apr 4 06:49:35 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA27126 for firewalls-outgoing; Tue, 4 Apr 1995 06:03:16 -0700
Received: from gw.home.vix.com (gw.home.vix.com [192.5.5.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA27119 for ; Tue, 4 Apr 1995 06:03:14 -0700
Received: by gw.home.vix.com id AA27695; Tue, 4 Apr 95 05:54:41 -0700
Message-Id: <9504041254.AA27695@gw.home.vix.com>
X-Btw: vix.com is also gw.home.vix.com and vixie.sf.ca.us
To: "Todd S.
Aven"
Cc: bind@uunet.uu.net, bind-workers@vix.com, firewalls@greatcircle.com, azeez@btco.com, leviner@btco.com
Subject: Re: BIND conflict between delegation and forwarding
In-Reply-To: Your message of "Tue, 04 Apr 1995 11:38:09 -0900."
Date: Tue, 04 Apr 1995 05:54:41 -0700
From: Paul A Vixie
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

No message is ever appropriate for bind-workers and some other list, other than messages like this one telling people not to do it. Please do not cross post to bind-workers.

From firewalls-owner Tue Apr 4 07:09:02 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA27907 for firewalls-outgoing; Tue, 4 Apr 1995 06:34:38 -0700
Received: from tovlan.ubique.co.il (tovlan.ubique.co.il [192.114.166.68]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA27902 for ; Tue, 4 Apr 1995 06:34:22 -0700
Received: from dror.ubique.co.il (dror.ubique.co.il [192.114.166.70]) by tovlan.ubique.co.il (8.6.9/8.6.9) with ESMTP id QAA11501; Tue, 4 Apr 1995 16:33:48 +0300
From: Avshalom Houri
Received: from shaldag.ubique.co.il (shaldag.ubique.co.il [192.114.166.76]) by dror.ubique.co.il (8.6.9/8.6.9) with ESMTP id PAA28065; Tue, 4 Apr 1995 15:33:36 +0200
Received: (avshalom@localhost) by shaldag.ubique.co.il (8.6.9/8.6.9) id QAA04018; Tue, 4 Apr 1995 16:33:45 +0300
Date: Tue, 4 Apr 1995 16:33:45 +0300
Message-Id: <199504041333.QAA04018@shaldag.ubique.co.il>
To: firewalls@GreatCircle.COM
Subject: Alternative Routes
Cc: avshalom@tovlan.ubique.co.il
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We have two network providers. Is there a way to advertise our subnet (Class C) so that when one of the network providers fails the traffic will go through the other one?

P.S. If the question is not appropriate for the firewall list, can you please point to such a list.
Thanks
Limor Schweitzer & Avshalom Houri

From firewalls-owner Tue Apr 4 07:26:24 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA26968 for firewalls-outgoing; Tue, 4 Apr 1995 05:58:18 -0700
Received: from relay.tis.com (relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id FAA26962 for ; Tue, 4 Apr 1995 05:58:15 -0700
Received: from mailhub.tis.com(192.33.112.100) by relay.tis.com via smap (a1.4) id sma003678; Tue Apr 4 08:57:25 1995
Received: from (illuminati.tis.com) by tis.com (4.1/SUN-5.64) id AA26064; Tue, 4 Apr 95 08:57:34 EDT
Received: by (4.1/illuminati) id AA24204; Tue, 4 Apr 95 09:03:47 EDT
From: "Marcus J. Ranum"
Message-Id: <24204.9504041303@illuminati>
Subject: Re: Transparent proxies
To: John.Murray@Germany.EU.net (John Murray)
Date: Tue, 4 Apr 1995 09:03:46 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199504041120.NAA03452@taps.Germany.EU.net> from "John Murray" at Apr 4, 95 01:20:13 pm
Organization: Trusted Information Systems, Inc. Glenwood, MD
Phone: 301-854-6889
Coredump: Infocalypse Now!!!
Content-Type: text
Content-Length: 790
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> will future versions of the fwtk include transparent proxies
> or is this feature restricted to Gauntlet?

It will be restricted to Gauntlet, for 2 reasons.

Firstly, it relies on kernel modifications more than on support in the proxies. The actual support required in the proxy code is minimal; the kernel changes are fairly significant. We can't release our modified kernel sources for licensing reasons.

Secondly, it's our "value added." TIS did the engineering work and paid for it. We can't give away *ALL* our good stuff; after all, we're in the firewalls business. Right now, the toolkit is our closest competitor. :) Our preferred way of competing with the toolkit is to offer things in Gauntlet that are better, such as transparency, encryption, management interface, etc.

mjr.
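Returning to the BIND delegation-versus-forwarding thread above (Todd Aven's report and Alan Barrett's reply): the following Python model is added here and is not part of any list message. It simulates the lookup order the report paraphrases (cache, local database, forwarders, regular query) with the foo.com zones from the report; the contents of the test.foo.com zone and the address of x.test.foo.com are constructed, and the three resolver modes are a simplified model of stock behaviour, Todd's proposed refinement and Alan's fallback-forwarder idea, not BIND source.

```python
"""Model of the BIND 4.9.x lookup order described in the thread.

Zone data follows Todd Aven's scenario: A.foo.com is primary for the internal
foo.com zone (which delegates test.foo.com to C.foo.com), the firewall
B.foo.com is primary for a sanitized external foo.com zone, and A's named.boot
names B as forwarder.  The resolver is a simplified model of the four steps
paraphrased in the report, not BIND source.
"""

# Internal foo.com zone, served by A (records as given in the report).
INTERNAL_ZONE = {
    "foo.com.": {"SOA": ["A.foo.com."], "NS": ["A.foo.com."]},
    "A.foo.com.": {"A": ["1.1.1.1"]},
    "B.foo.com.": {"A": ["1.1.1.2"]},
    "C.foo.com.": {"A": ["1.1.1.3"]},
    "test.foo.com.": {"NS": ["C.foo.com."]},
}
# External (sanitized) foo.com zone, served by the firewall B.
EXTERNAL_ZONE = {
    "foo.com.": {"SOA": ["B.foo.com."], "NS": ["B.foo.com."], "MX": ["0 B.foo.com."]},
}
# Delegated test.foo.com zone, served by C.  Constructed: the report only says
# that x.test.foo.com lives here, so its address is made up.
TEST_ZONE = {
    "test.foo.com.": {"SOA": ["C.foo.com."], "NS": ["C.foo.com."]},
    "x.test.foo.com.": {"A": ["1.1.1.10"]},
}
SERVERS = {"A.foo.com.": INTERNAL_ZONE, "B.foo.com.": EXTERNAL_ZONE, "C.foo.com.": TEST_ZONE}


def in_zone(name, apex):
    return name == apex or name.endswith("." + apex)


def zone_lookup(zone, name, rtype):
    """One authoritative server's reply: ANSWER, NODATA, DELEGATION, NXDOMAIN or NOTAUTH."""
    apexes = [n for n, rrs in zone.items() if "SOA" in rrs and in_zone(name, n)]
    if not apexes:
        return ("NOTAUTH", [])
    apex = max(apexes, key=len)
    rrs = zone.get(name)
    if rrs is not None and (name == apex or "NS" not in rrs):    # ordinary node inside the zone
        return ("ANSWER", list(rrs[rtype])) if rtype in rrs else ("NODATA", [])
    labels = name.split(".")
    for i in range(len(labels)):        # walk from the name up toward the apex looking for an NS cut
        node = ".".join(labels[i:])
        if node == apex:
            break
        if node in zone and "NS" in zone[node]:
            return ("DELEGATION", list(zone[node]["NS"]))
    return ("NXDOMAIN", [])             # authoritative: no such name in this copy of the zone


def resolve(name, rtype="A", forwarders=(), mode="second-resort", cache=None):
    """Lookup as done by A: 1 cache, 2 local database, 3 forwarders, 4 regular query.

    mode "second-resort": stock behaviour as described; the forwarder is asked right
         after the local database and its NXDOMAIN is final (step 4 never runs).
    mode "skip-delegated": Todd's proposed refinement; bypass the forwarder when the
         local database already holds an NS delegation covering the name.
    mode "last-resort": Alan's "fallback forwarder" idea; regular query first, the
         forwarder only if that yields nothing.
    """
    cache = {} if cache is None else cache
    if (name, rtype) in cache:                                   # 1. cache
        return cache[(name, rtype)]
    kind, data = zone_lookup(INTERNAL_ZONE, name, rtype)          # 2. local database
    if kind in ("ANSWER", "NODATA", "NXDOMAIN"):
        return (kind, data)                                      # authoritative locally: done

    def ask_forwarders():
        for fwd in forwarders:
            fkind, fdata = zone_lookup(SERVERS[fwd], name, rtype)
            if fkind in ("ANSWER", "NXDOMAIN"):
                return (fkind, fdata)
        return None

    def regular_query():                # follow the NS cut; full recursion is not modelled
        for ns in (data if kind == "DELEGATION" else []):
            nkind, ndata = zone_lookup(SERVERS[ns], name, rtype)
            if nkind == "ANSWER":
                return (nkind, ndata)
        return None

    forward_first = bool(forwarders) and (
        mode == "second-resort" or (mode == "skip-delegated" and kind != "DELEGATION"))
    result = ask_forwarders() if forward_first else None         # 3. forwarders
    if result is None:
        result = regular_query()                                 # 4. regular query
    if result is None and mode == "last-resort" and forwarders:
        result = ask_forwarders()                                # fallback forwarder
    result = result or ("SERVFAIL", [])
    if result[0] == "ANSWER":
        cache[(name, rtype)] = result
    return result


if __name__ == "__main__":
    for mode in ("second-resort", "skip-delegated", "last-resort"):
        print(mode, resolve("x.test.foo.com.", forwarders=("B.foo.com.",), mode=mode))
    print("no forwarders", resolve("x.test.foo.com."))
```

With the forwarder in place and stock ordering, the firewall's NXDOMAIN for x.test.foo.com is returned to the client; removing the forwarder, or bypassing it for names the local data delegates, lets the query reach C.foo.com.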
From firewalls-owner Tue Apr 4 07:46:17 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA27633 for firewalls-outgoing; Tue, 4 Apr 1995 06:22:49 -0700
Received: from Polka.Med.Yale.Edu (polka.med.yale.edu [130.132.19.123]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA27625 for ; Tue, 4 Apr 1995 06:22:46 -0700
Received: from beaker.med.yale.edu by Polka.Med.Yale.Edu (PMDF #12135) id <01HOXPHUW5LS0001PL@Polka.Med.Yale.Edu>; Tue, 4 Apr 1995 09:22 EDT
Received: from rrr.ynhhlab.yale.edu by beaker.med.yale.edu via SMTP; Tue, 4 Apr 95 09:14:57 -0400
Date: Tue, 04 Apr 1995 09:18:34 -0400
From: rodion@beaker.med.yale.edu (R. Rodion Rathbone)
Subject: Re: Alarms and paging
To: firewalls@greatcircle.com
Message-id: <9504041314.AA11085@beaker.med.yale.edu>
X-Envelope-to: firewalls@greatcircle.com
Content-type: text/plain; charset="us-ascii"
X-Sender: rodion@beaker.med.yale.edu
Mime-Version: 1.0
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-- Padgett Peterson writes --
>Would suspect the problem may be one of timing vs the modem. When I dial
>my pager, you have the connection time plus a message time then three beeps
>signalling that it is ready for input. The window that is open for
>input of the desired number is pretty small before it auto hangs up. I do not
>know of a modem that can recognize the beeps (if someone does know of
>one that would be interesting) so you have to "guess" at the delay. Too long
>or too short and it will not go through.

A friend worked on a project for a national technical support service a couple of years ago. He said that for the touch-tone interface to non-alpha pagers, the sequence of beeps and timing varied widely, not only between pager companies, but sometimes on successive pages to the same service and even the same beeper.
He eventually found a commercial voice-mail hardware system that had enough analog hooks to support reliable software, but it was pricey ($5-10K I think.)

There is a kludge for those of us who just want a reliable notice to a numeric beeper. It's useful if you just need to know that you should check in, with little other info. Dial the beeper, pause for the minimum time for the message prompt, and repeat a short signature at short intervals, as in "91,,91,,91,,91,,91". Whatever the timing or prompts, some of it will get through, and you'll get a recognizable code. It's not elegant, just quick and cheap appropriate technology for those with a simple need and other obligations.

From firewalls-owner Tue Apr 4 07:51:28 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA28282 for firewalls-outgoing; Tue, 4 Apr 1995 06:43:51 -0700
Received: from oak.zilker.net (oak.zilker.net [198.252.182.129]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA28277 for ; Tue, 4 Apr 1995 06:43:48 -0700
Received: from by oak.zilker.net (8.6.10/zilker.1.77) id IAA24963; Tue, 4 Apr 1995 08:38:46 -0500
Date: Tue, 4 Apr 1995 08:38:46 -0500
Message-Id: <199504041338.IAA24963@oak.zilker.net>
X-Sender: matt@zilker.net
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: ches@plan9.att.com, firewalls@GreatCircle.COM
From: matt@zilker.net (Matt Lawrence)
Subject: Re: 95% undetected?
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 12:26 PM 3/31/95 EST, ches@plan9.att.com wrote:
>There are several interesting rates that are not
>easily figured out:
> 1 what percentage of attacks are detected?

This may be a good point. I'm in the process of setting up Internet access for a small company, so I've been looking into the issues a lot. The current plan is to use an Ascend Pipeline-50 to implement a 128K connection to our IAP.
Since this router has some filtering capabilities, I won't even be able to see any attacks that don't make it through the router. Do I care? Not really, I just want to know what does make it through. Since I'm still working my way through the Cheswick and Bellovin book, any suggestions for the next layer of security will be greatly appreciated.

-- Matt

From firewalls-owner Tue Apr 4 08:09:32 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA28727 for firewalls-outgoing; Tue, 4 Apr 1995 07:05:13 -0700
Received: from schoolnet.carleton.ca (schoolnet.carleton.ca [134.117.55.17]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA28722 for ; Tue, 4 Apr 1995 07:05:03 -0700
Received: by schoolnet.carleton.ca (8.6.9/SMI-4.0) id KAA25546; Tue, 4 Apr 1995 10:04:13 -0400
From: mshaver@schoolnet.carleton.ca (Mike Shaver)
Message-Id: <199504041404.KAA25546@schoolnet.carleton.ca>
Subject: Re: Multiple addresses
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson,  P.E. Information Security)
Date: Mon, 3 Apr 1995 23:25:21 -0400 (EDT)
In-Reply-To: <9504040156.AA07210@uvs1.orl.mmc.com> from "A. Padgett Peterson, P.E. Information Security" at Apr 3, 95 09:56:50 pm
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
Content-Length: 1083
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A. Padgett Peterson, P.E. Information Security mumbled something vague about:
>
> Alan writes:
>
> > Now, I have to ask myself, what are some uses of multiples ip numbers on
> >one address? I see the usefulness for servers, like FTP, Web, etc...; but how
> >about for Security and Breach detection?
>
> You recall I mentioned a "minefield", well suppose that a PC was set
> on the firewall feed and *all* unused subnet addresses in your domain
> that came from the great beyond were recognized/alarmed/logged by that one
> machine (or maybe two identical ones if you like redundancy). Need I say
> more ?
A better way than explicit binding of all those IPs would be a network monitor that just watched everything, discarded those packets related to known-legal (and known-that-traffic-should-come-through-these-here-parts, if there's a difference) hosts, and logged the rest. Or three PCs, if triplicate turns you on. =)

It's probably actually easier than convincing the machine to watch all of n addresses, for very large values of n, or very small values of machine.

Mike

From firewalls-owner Tue Apr 4 08:29:00 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA00119 for firewalls-outgoing; Tue, 4 Apr 1995 07:51:33 -0700
Received: from stargate.concorde.com (stargate.concorde.com [204.97.254.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA00114 for ; Tue, 4 Apr 1995 07:51:29 -0700
Received: (from smap@localhost) by stargate.concorde.com (8.6.8.1/8.6.6) id KAA07278; Tue, 4 Apr 1995 10:50:29 -0400
Received: from galaxy.concorde.com(198.242.54.51) by stargate.concorde.com via smap (V1.3) id sma007274; Tue Apr 4 10:50:05 1995
Received: from prophet.concorde.com (jna@prophet.concorde.com [198.242.54.15]) by galaxy.concorde.com (8.6.8.1/8.6.6) with ESMTP id KAA19637; Tue, 4 Apr 1995 10:50:17 -0400
From: John Adams
Received: (jna@localhost) by prophet.concorde.com (8.6.8.1/8.6.6) id KAA02732; Tue, 4 Apr 1995 10:47:43 -0500
Date: Tue, 4 Apr 1995 10:47:43 -0500
Message-Id: <199504041547.KAA02732@prophet.concorde.com>
To: crooke@octrf.on.ca, firewalls@GreatCircle.COM
Subject: Re: NFS behind the firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

As TIS passes _nothing_ except what travels through its application-level proxies, NFS on the inside is completely isolated. Novell and anything else is trapped on the inside too.
-john

From firewalls-owner Tue Apr 4 08:55:28 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA00182 for firewalls-outgoing; Tue, 4 Apr 1995 07:53:38 -0700
Received: from stargate.concorde.com (stargate.concorde.com [204.97.254.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA00172 for ; Tue, 4 Apr 1995 07:53:34 -0700
Received: (from smap@localhost) by stargate.concorde.com (8.6.8.1/8.6.6) id KAA07292; Tue, 4 Apr 1995 10:52:28 -0400
Received: from galaxy.concorde.com(198.242.54.51) by stargate.concorde.com via smap (V1.3) id sma007290; Tue Apr 4 10:52:26 1995
Received: from prophet.concorde.com (jna@prophet.concorde.com [198.242.54.15]) by galaxy.concorde.com (8.6.8.1/8.6.6) with ESMTP id KAA19671; Tue, 4 Apr 1995 10:52:38 -0400
From: John Adams
Received: (jna@localhost) by prophet.concorde.com (8.6.8.1/8.6.6) id KAA02748; Tue, 4 Apr 1995 10:50:04 -0500
Date: Tue, 4 Apr 1995 10:50:04 -0500
Message-Id: <199504041550.KAA02748@prophet.concorde.com>
To: efb@suned1.Nswses.Navy.Mil, horn@mickey.jsc.nasa.gov
Subject: Re: Pagers (esp display)
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Geesh, it's a very simple solution. Write a script to dial a modem you have connected to a machine someplace (and don't be a weenie and run a getty process for the modem, because then you'll open yourself up to dialup access). Have it call your pager number, and dial a list of codes, like "400400-911" if something's wrong, or "404404-911" if something's not found, etc., etc.

So much for the complaints from the pager company. Or, get another pager company.
-john

From firewalls-owner Tue Apr 4 09:27:54 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA00454 for firewalls-outgoing; Tue, 4 Apr 1995 08:00:03 -0700 Received: from stargate.concorde.com (stargate.concorde.com [204.97.254.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA00431 for ; Tue, 4 Apr 1995 07:59:58 -0700 Received: (from smap@localhost) by stargate.concorde.com (8.6.8.1/8.6.6) id KAA07303; Tue, 4 Apr 1995 10:58:58 -0400 Received: from galaxy.concorde.com(198.242.54.51) by stargate.concorde.com via smap (V1.3) id sma007301; Tue Apr 4 10:58:57 1995 Received: from prophet.concorde.com (jna@prophet.concorde.com [198.242.54.15]) by galaxy.concorde.com (8.6.8.1/8.6.6) with ESMTP id KAA19707; Tue, 4 Apr 1995 10:59:10 -0400 From: John Adams Received: (jna@localhost) by prophet.concorde.com (8.6.8.1/8.6.6) id KAA02872; Tue, 4 Apr 1995 10:56:36 -0500 Date: Tue, 4 Apr 1995 10:56:36 -0500 Message-Id: <199504041556.KAA02872@prophet.concorde.com> To: brian@ilinx.ilinx.com, dufresne@winternet.com Subject: Re: ccMail SMTP Gateway Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

From firewalls-owner Tue Apr 4 09:32:57 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA00911 for firewalls-outgoing; Tue, 4 Apr 1995 08:14:04 -0700 Received: from info-server.bbn.com (INFO-SERVER.BBN.COM [128.89.7.131]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA00904 for ; Tue, 4 Apr 1995 08:14:01 -0700 Received: (daemon@localhost) by info-server.bbn.com (8.6.9/8.6.5) id LAA00583; Tue, 4 Apr 1995 11:09:00 -0400 Received: from USENET by info-server.bbn.com with netnews for usenet@greatcircle.com (firewalls@greatcircle.com); contact usenet@info-server.bbn.com if you have questions. To: firewalls@greatcircle.com Date: 4 Apr 1995 15:08:59 GMT Message-ID: <3lrneb$fs@info-server.bbn.com> Organization: BBN Systems & Technologies, Inc.
From: hootowl.bbn.com!ltaylor@bbn.com Reply-To: ltaylor@hootowl.bbn.com Subject: IP Forwarding -- On or Off Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Can someone explain to me what happens when you turn off IP forwarding in the kernel of, say, a Unix system and why this makes the system/network more secure? Won't some of the networking functionality be turned off? Like, will this make packets get lost? I am thinking of turning IP forwarding off on a few systems here because I have read that this enhances security. However, I don't want to break anything else... Apologies for this rather basic question... TCP/IP is not my forte.

/laura

From firewalls-owner Tue Apr 4 09:52:08 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA03088 for firewalls-outgoing; Tue, 4 Apr 1995 09:31:38 -0700 Received: from mail.lancs.ac.uk (mail.lancs.ac.uk [148.88.8.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA03083 for ; Tue, 4 Apr 1995 09:31:30 -0700 Received: from cent1.lancs.ac.uk by mail.lancs.ac.uk with SMTP (PP); Tue, 4 Apr 1995 17:30:46 +0100 Received: by cent1.lancs.ac.uk; Tue, 4 Apr 95 17:30:44 +0100 Date: Tue, 4 Apr 1995 17:30:43 +0100 (BST) From: T S Johnston Subject: lists To: firewalls@GreatCircle.COM Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

lists

----------------------------------------
_____ _ _ _ |_ _|__ _ __ ___ | | ___ | |__ _ __ ___| |_ ___ _ __ | |/ _ \| '_ ` _ \ _ | |/ _ \| '_ \| '_ \/ __| __/ _ \| '_ \ | | (_) | | | | | | | |_| | (_) | | | | | | \__ \ || (_) | | | | |_|\___/|_| |_| |_| \___/ \___/|_| |_|_| |_|___/\__\___/|_| |_|
csc151@cent1.lancs.ac.uk gec066@cent1.lancs.ac.uk Wolffy on LuBBs
------------------------------
Just because you're paranoid, doesn't mean they're not after you.
From firewalls-owner Tue Apr 4 10:25:46 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA03857 for firewalls-outgoing; Tue, 4 Apr 1995 09:55:22 -0700 Received: from luey.cadvision.com (huey.cadvision.com [204.50.1.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA03851 for ; Tue, 4 Apr 1995 09:55:18 -0700 Received: from cad72.cadvision.com by luey.cadvision.com (AIX 3.2/UCB 5.64/4.04.tri.dcx) id AA27330; Tue, 4 Apr 1995 10:56:43 -0600 Date: Tue, 4 Apr 1995 10:56:43 -0600 Message-Id: <9504041656.AA27330@luey.cadvision.com> X-Sender: myattj@huey.cadvision.com X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@GreatCircle.COM From: myattj@cadvision.com (Justin "Kipper" Myatt) Subject: First Time Fire Walls Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I'm hoping to get the chance to set up my own firewall, mail, ftp and news server for our company's local SE's. This would be a pilot to give me the practice and our SE's the chance to use the Internet in more depth. If it's a success I'd like to implement a better system with commercial s/w.

Can someone point me in the direction of an FTP site where I can pick up some PD fire wall software?

Assuming I start with nowt (nothing), what would my minimum hardware and s/w requirements be?

Should I go PC/UNIX box or PC/NT3.5 or something else?

cheers & my apologies for replying to the cc:Mail SMTP g/w question, did not mean to clog things up.

Justin

-----------------------------------------------------------
Justin Myatt - Email Personage     | Call me at 403 290 3262
GE Capital Technology Services     | Fax me at 403 290 2566
435, 4th Ave SW                    | Email to:
Calgary, Alberta, Canada, T2P 3A8  | myattj@cadvision.com
Brrr it's cold here today....
| CrudUServe(CIS)72234.23
-----------------------------------------------------------

From firewalls-owner Tue Apr 4 11:56:42 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA05911 for firewalls-outgoing; Tue, 4 Apr 1995 10:50:05 -0700 Received: from rubik ([146.155.224.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA05903 for ; Tue, 4 Apr 1995 10:49:51 -0700 Message-Id: From: quito@constructa.cl (Francisco Javier...el quitolin) Subject: I need others opinions To: firewalls@greatcircle.com (Security List) Date: Tue, 4 Apr 1995 13:49:43 -0400 (CST) X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 579 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi:

My name is Francisco Cabezas, for the people that don't know me :-)

I have a problem. My boss thinks that the net I look after (Enterprise Net) has to be closed; in other words, I can't connect from outside the net. I think that is very bad; making a closed zone is very dangerous, but I need others' opinions on this.

I know, my English is very bad :-( Sorry, but it's been a long time since I wrote in English, let alone spoke it!!!

Thanks for all

Quito.
quito@constructa.cl

PS: if somebody knows Spanish, I can write this letter in Spanish...
From firewalls-owner Tue Apr 4 12:26:42 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA08314 for firewalls-outgoing; Tue, 4 Apr 1995 12:02:10 -0700 Received: from mail.lancs.ac.uk (mail.lancs.ac.uk [148.88.8.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA08309 for ; Tue, 4 Apr 1995 12:02:07 -0700 Received: from cent1.lancs.ac.uk by mail.lancs.ac.uk with SMTP (PP); Tue, 4 Apr 1995 20:01:58 +0100 Received: by cent1.lancs.ac.uk; Tue, 4 Apr 95 20:01:56 +0100 Date: Tue, 4 Apr 1995 20:01:56 +0100 (BST) From: T S Johnston Subject: lists To: firewalls@greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

lists

----------------------------------------
_____ _ _ _ |_ _|__ _ __ ___ | | ___ | |__ _ __ ___| |_ ___ _ __ | |/ _ \| '_ ` _ \ _ | |/ _ \| '_ \| '_ \/ __| __/ _ \| '_ \ | | (_) | | | | | | | |_| | (_) | | | | | | \__ \ || (_) | | | | |_|\___/|_| |_| |_| \___/ \___/|_| |_|_| |_|___/\__\___/|_| |_|
csc151@cent1.lancs.ac.uk gec066@cent1.lancs.ac.uk Wolffy on LuBBs
------------------------------
Just because you're paranoid, doesn't mean they're not after you.

From firewalls-owner Tue Apr 4 12:52:32 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA08817 for firewalls-outgoing; Tue, 4 Apr 1995 12:20:37 -0700 Received: from lokkur.dexter.mi.us (dexter-gw.dexter.msen.com [148.59.2.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA08803 for ; Tue, 4 Apr 1995 12:20:29 -0700 Received: (scs@localhost) by lokkur.dexter.mi.us (8.6.9/8.6.5) id NAA28377; Tue, 4 Apr 1995 13:35:45 -0400 Date: Tue, 4 Apr 1995 13:35:45 -0400 From: Steve Simmons Message-Id: <199504041735.NAA28377@lokkur.dexter.mi.us> To: firewalls@greatcircle.com Cc: Alan Hannan Subject: Re: 2 IP addresses on 1 Ethernet card?
(SG IRIX 5.3) References: <199504032129.QAA12981@jayhawk.mid.net> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In local.firewalls Alan Hannan wrote:
>David Zhu from Paranet writes:
>> The :1 sets up an "alias" for the interface. I am not certain how this
>> applies to IRIX.
> Now, I have to ask myself, what are some uses of multiple ip numbers on
>one address? I see the usefulness for servers, like FTP, Web, etc...; but how
>about for Security and Breach detection?

The implication for firewalls is that it is possible for different host numbers on the same net to represent the same machine, so filters or rules like `any machine on net N except N.X' become somewhat more difficult.

From firewalls-owner Tue Apr 4 13:01:37 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA08426 for firewalls-outgoing; Tue, 4 Apr 1995 12:05:35 -0700 Received: from luey.cadvision.com (huey.cadvision.com [204.50.1.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA08417 for ; Tue, 4 Apr 1995 12:05:30 -0700 Received: from cad32.cadvision.com by luey.cadvision.com (AIX 3.2/UCB 5.64/4.04.tri.dcx) id AA38867; Tue, 4 Apr 1995 13:06:42 -0600 Date: Tue, 4 Apr 1995 13:06:42 -0600 Message-Id: <9504041906.AA38867@luey.cadvision.com> X-Sender: myattj@huey.cadvision.com X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: "Grant M. Fengstad" , firewalls@greatcircle.com From: myattj@cadvision.com (Justin "Kipper" Myatt) Subject: Re: First Time Fire Walls Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

G,

I have some small UNIX experience - however I have not had the chance to look at Linux at all. How much tweaking is required? Assume that I can handle kernel rebuilds OK providing I have some hints, i.e. this puts me at the same level as a typical Sun Admin type.
Once I was a UNIX/C sort but that was 6 years ago - hell, I only use Windows, VB, DOS/OS/2 scripts & PERL now (poor boy) - therefore way out of touch.

Will check out the FTP site - this appears to be the only one. I assume I would need an app level fwall since I just want to provide the basics...

Hmmm, someone from the parent company just called me with an offer of some help with this. There are advantages to working for a largeish company after all, i.e. GE. However, I want to do the work myself!

cheers

Justin

>On Tue, 4 Apr 1995, Justin Kipper Myatt wrote:
>
>> I'm hoping to get the chance to set up my own firewall, mail, ftp and news
>> server for our company's local SE's.
>>
>> This would be a pilot to give me the practice and our SE's the chance to use
>> the Internet in more depth. If it's a success I'd like to implement a better
>> system with commercial s/w.
>>
>> Can someone point me in the direction of an FTP site where I can pick up
>> some PD fire wall software.
>
>You really don't indicate whether you are looking for a Network filtering
>firewall or an Application proxy firewall. Assuming that you are looking
>for the latter, I would recommend TIS's Firewall toolkit.
>
>It can be FTP'd at: ftp://ftp.tis.com/firewalls/toolkit
>
>>
>> Assuming I start with nowt (nothing) what would my minimum hardware and s/w
>> requirements be.
>>
>> Should I go PC/UNIX box or PC/NT3.5 or something else
>
>Definitely stick with Unix. If you are looking at using a PC (ie: Intel
>x86), the most logical, supported choice for the TIS system is to get a
>license of BSDI Unix. If you have a hankering to tinker a bit, I can
>tell you that I am successfully using Novell's UnixWare on one
>implementation and Linux on another.
>

-----------------------------------------------------------
Justin Myatt - Email Personage     | Call me at 403 290 3262
GE Capital Technology Services     | Fax me at 403 290 2566
435, 4th Ave SW                    | Email to:
Calgary, Alberta, Canada, T2P 3A8  | myattj@cadvision.com
Brrr it's cold here today....      | CrudUServe(CIS)72234.23
-----------------------------------------------------------

From firewalls-owner Tue Apr 4 13:27:50 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA10174 for firewalls-outgoing; Tue, 4 Apr 1995 13:02:39 -0700 Received: from rubik ([146.155.224.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA10123 for ; Tue, 4 Apr 1995 13:00:48 -0700 Message-Id: From: quito@constructa.cl (Francisco Javier...el quitolin) Subject: Re: I need others opinions To: kender@esu.edu (Daniel Garcia) Date: Tue, 4 Apr 1995 15:58:21 -0400 (CST) Cc: firewalls@greatcircle.com (Security List) In-Reply-To: <9504041937.AA19171@babbage.esu.edu> from "Daniel Garcia" at Apr 4, 95 03:37:42 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 2061 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi: [hello:]

>
> Actually - having a closed net is less dangerous than an open net. (I
> think I understand what you were trying to say - my spanish is probably as
> rusty as your english :). If you have your network open to the internet,
> so that people can connect to it from the outside, then people from the
> outside can potentially break into it.

I have the net with tcpwrapper and I have permission only for myself, from a PC on another net, and from a Unix machine on the University's net. But he believes that it is very dangerous; he doesn't know about Linux, about Posix, about TCPD, but believes that it is necessary to close the net to the whole world... So, what do I do?

[I have the net with tcpwrapper and only I have permission, from a PC on another net, and from a Unix machine on the University's net. But he (the boss) believes it is very dangerous; he doesn't know about Linux, about Posix, about TCPD, but he believes it is necessary to close the net to the whole world... So, what do I do?]

>
> What exactly is your boss considering doing? (if you want to try this in
> spanish, i might be able to carry it one, it would be a good chance for me
> to brush back up on it :)
>
> BTW - where is .cl, columbia?
>

.cl -----> Chile domain. :-) South America.

> D. Garcia

Daniel Garcia..... why? Mexican? Spanish? Puerto Rican?

>
> --
> ___________________________________________________________________________
> /Daniel Garcia/Soon to be PhD Student/Virtual Environments /kender@esu.edu /
> /Linux Hacker/C Programmer for Hire /#include /The Answer's 42/|
> ,-------------+----------------------+---------------------+-------------- + |
> | He does not show himself, and so is conspicuous; <<==-- Lao Tzu | |
> | He does not consider himself right, and so is illustrious; | /
> | He does not brag, and so has merit; He does not boast, and so endures. |/
> `------------------------http://www.esu.edu/~kender------------------------'
>
>

Quito.
Unix Adm.
From firewalls-owner Tue Apr 4 13:34:25 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA09121 for firewalls-outgoing; Tue, 4 Apr 1995 12:27:43 -0700 Received: from luey.cadvision.com (huey.cadvision.com [204.50.1.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA09115 for ; Tue, 4 Apr 1995 12:27:39 -0700 Received: from cad36.cadvision.com by luey.cadvision.com (AIX 3.2/UCB 5.64/4.04.tri.dcx) id AA33033; Tue, 4 Apr 1995 13:29:03 -0600 Date: Tue, 4 Apr 1995 13:29:03 -0600 Message-Id: <9504041929.AA33033@luey.cadvision.com> X-Sender: myattj@huey.cadvision.com X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: myattj@cadvision.com (Justin "Kipper" Myatt) Subject: Re: First Time Fire Walls Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Posted at the request of Francisco. I keep posting back to the sender instead of the list too..... I am a veg.

>> Can someone point me in the direction of an FTP site where I can pick up
>> some PD fire wall software.
>>
>
> Get TCPWrapper 6.3 or better, it's a very good filter!!!
> Ah... it's freeware :-)
> Only needs a Unix machine as server.
>
> The FTP address... hmm, I only remember 146.155.4.4,
>but you have something nearer, I'm sure :-)
>
>> Assuming I start with nowt (nothing) what would my minimum hardware and s/w
>> requirements be.
>>
>> Should I go PC/UNIX box or PC/NT3.5 or something else
>
> Oh, I forgot, I only know TCPwrapper as a local filter; maybe
>there are some for a gateway, that is, you filter all packets on one machine,
>and not only the packets for local machines.
>(Just one installation is better.)
>
>>
>> cheers & my apologies for replying to the cc:Mail SMTP g/w question, did not
>> mean to clog things up.
>>
>> Justin

-----------------------------------------------------------
Justin Myatt - Email Personage     | Call me at 403 290 3262
GE Capital Technology Services     | Fax me at 403 290 2566
435, 4th Ave SW                    | Email to:
Calgary, Alberta, Canada, T2P 3A8  | myattj@cadvision.com
Brrr it's cold here today....      | CrudUServe(CIS)72234.23
-----------------------------------------------------------

From firewalls-owner Tue Apr 4 15:22:25 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA13571 for firewalls-outgoing; Tue, 4 Apr 1995 15:12:24 -0700 Received: from suned1.Nswses.Navy.Mil (suned1.nswses.navy.mil [137.24.30.40]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA13566 for ; Tue, 4 Apr 1995 15:12:18 -0700 Received: from sp10t0 (sp10t0.nswses.navy.mil) by suned1.Nswses.Navy.Mil (4.1/Nswses4.1.2_920723eb) id AA07476; Tue, 4 Apr 95 15:12:25 PDT Date: Tue, 4 Apr 1995 15:12:24 -0700 (PDT) From: Everett F Batey WA6CRE Subject: tcpd for pmd (Livingston) To: firewalls@greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

If you have a Livingston daemon in your inetd.conf .. could you tell me
(a) Do you have a wrapping line .. hosts.allow entry for pmd
(b) What can you expect to wrap (allow or deny) ..

thanks /ev/

+ efb@suned1.nswses.Navy.MIL efb@gcpacix.cotdazr.org efb@uvsi.jpl.nasa.gov +
+ efb@nosc.mil efb@oxnardsd.org [EFB15] WA6CRE Gold Coast Sun Users +
+ The Genie is Out of the Bottle!
:-) CANT Put it Back, Nor even Nuke It +
+ Opinions, MINE, NOT Uncle_s | WWW b-news innd postmaster XNTP3 DNS GNU +

From firewalls-owner Tue Apr 4 16:21:54 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA14067 for firewalls-outgoing; Tue, 4 Apr 1995 15:31:07 -0700 Received: from heechee.trinet.com (heechee.trinet.com [204.145.146.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA14062 for ; Tue, 4 Apr 1995 15:31:03 -0700 Received: (from crumley@localhost) by heechee.trinet.com (8.6.10/8.6.10) id SAA13354; Tue, 4 Apr 1995 18:30:45 -0400 From: Steve Crumley Message-Id: <199504042230.SAA13354@heechee.trinet.com> Subject: firewalls and routing To: firewalls@GreatCircle.com Date: Tue, 4 Apr 1995 18:30:44 -0400 (EDT) X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 1580 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi, I have a pretty basic question. I'll be setting up a Class-C network with a firewall and I'm unsure about sub-netting and routing. It would look something like this:

                 Internet
                     |
              _______|______
             |   router    |
             |  192.x.y.1  |
             |____________|
                     |
                     |  public net - webservers, etc
      _______________|________________
      |                               |
 ______|______                   ____|_______
|  192.x.y.2  |                 |    WWW     |
|  firewall   |                 | 192.x.y.3  |
|  192.x.y.4  |                 |___________|
|___________|
      |  private net
 ____|_________________________
 |                            |
______|_____            _____|_____
| 192.x.y.5 |          | 192.x.y.6 |
|___________|          |___________|

My question is how do I number the network for this setup and how is routing set up? I assume the router knows nothing about subnets and dumps all traffic for 192.x.y.0 onto the LAN. Don't I have to subnet in order to split the network into 2 sections like this? If I subnet, isn't 192.x.y.1 no longer a good address? (it is in the all zero subnet) If I don't subnet, will I have to set up a static route for each machine on the public net?

Thanks for the help.
-Steve

From firewalls-owner Tue Apr 4 16:52:19 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA15542 for firewalls-outgoing; Tue, 4 Apr 1995 16:38:19 -0700 Received: from volitans.MorningStar.Com (volitans.MorningStar.Com [137.175.2.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA15537 for ; Tue, 4 Apr 1995 16:38:14 -0700 Received: from cowfish.MorningStar.Com by volitans.MorningStar.Com (5.65a/94040804) id AA27283; Tue, 4 Apr 95 19:38:19 -0400 From: Bob Sutterfield Received: by cowfish.MorningStar.Com (5.65a/94063001) id AA00795; Tue, 4 Apr 95 19:38:17 -0400 Date: Tue, 4 Apr 95 19:38:17 -0400 Message-Id: <9504042338.AA00795@cowfish.MorningStar.Com> To: firewalls@greatcircle.com Subject: Morning Star packet-filtering routers vs SATAN Cc: gtebben@cd.columbus.oh.us Organization: Morning Star Technologies, Inc. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Users of the Express router line from Morning Star Technologies should visit http://www.MorningStar.Com/mst-satan.html for our suggestions about responding to SATAN's probes by application of dynamic packet filters. The basic strategy: watch for any of several characteristic probe sequences, then block off all exchanges with the suspect host for 5 minutes. This is long enough for SATAN to grow bored banging on the door, and surf away to bother someone else...

--
Bob Sutterfield, Network Environmentalist
Morning Star Technologies, Inc.
+1 614 451 1883  3518 Riverside Dr, Suite 101, Columbus Ohio USA, 43221-1754
+1 800 558 7827  bob@MorningStar.Com  http://www.MorningStar.Com/bob.html
Fax: +1 614 459 5054

From firewalls-owner Wed Apr 5 02:22:52 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA23653 for firewalls-outgoing; Wed, 5 Apr 1995 01:52:05 -0700 Received: from gateway.toploguk.co.uk (gateway.toploguk.co.uk [193.119.169.250]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id BAA23648 for ; Wed, 5 Apr 1995 01:51:59 -0700 From: Paul Crossley To: firewalls@greatcircle.com Subject: ISDN X-Mailer: ScoMail 1.0 Date: Wed, 5 Apr 1995 9:43:58 +0100 (BST) Message-ID: <9504050944.aa22471@gateway.toploguk.co.uk> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

My apologies for mailing to this list, but being people with networking interests, someone will hopefully be able to re-direct me.

Does anyone know of any lists discussing ISDN issues (particularly as regards spoofing the protocols carried for networks)?

-------------------------------------------------------------------------
Paul Crossley (paul@toploguk.co.uk)
Senior Consultant SCO ACE
TopLog Limited
TopLog House, Knaves Beech Business Centre, Loudwater, Bucks.
HP10 9QY
Phone (01628) 819444 Fax (01628) 819356
-------------------------------------------------------------------------

From firewalls-owner Wed Apr 5 02:52:01 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id CAA24418 for firewalls-outgoing; Wed, 5 Apr 1995 02:37:55 -0700 Received: from AMCCCA.AMC.UVA.NL (amccca.amc.uva.nl [145.18.202.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id CAA24405 for ; Wed, 5 Apr 1995 02:37:38 -0700 Received: from amchelix.amc.uva.nl by amc.uva.nl (PMDF V4.3-7 #2498) id <01HOZ6XMM5MO0004J3@amc.uva.nl>; Wed, 5 Apr 1995 10:52:19 MET Received: by amchelix.amc.uva.nl (5.0/SMI-5.0) id AA26358; Wed, 5 Apr 1995 10:52:17 +0200 Date: Wed, 05 Apr 1995 10:52:17 +0200 From: F.Wetzels@amc.uva.nl (Frank Wetzels) Subject: Re: firewalls and routing To: firewalls@GreatCircle.com Message-id: <9504050852.AA26358@amchelix.amc.uva.nl> X-Envelope-to: firewalls@GreatCircle.com Content-transfer-encoding: 7BIT Content-length: 2836 X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

fpmw> Hi, I have a pretty basic question. I'll be setting up a Class-C network
fpmw> with a firewall and I'm unsure about sub-netting and routing. It would
fpmw> look something like this:
fpmw>
fpmw>                  Internet
fpmw>                      |
fpmw>               _______|______
fpmw>              |   router    |
fpmw>              |  192.x.y.1  |
fpmw>              |____________|
fpmw>                      |
fpmw>                      |  public net - webservers, etc
fpmw>       _______________|________________
fpmw>       |                               |
fpmw>  ______|______                   ____|_______
fpmw> |  192.x.y.2  |                 |    WWW     |
fpmw> |  firewall   |                 | 192.x.y.3  |
fpmw> |  192.x.y.4  |                 |___________|
fpmw> |___________|
fpmw>       |  private net
fpmw>  ____|_________________________
fpmw>  |                            |
fpmw> ______|_____            _____|_____
fpmw> | 192.x.y.5 |          | 192.x.y.6 |
fpmw> |___________|          |___________|
fpmw>
fpmw>
fpmw> My question is how do I number the network for this setup and how
fpmw> is routing setup?
I assume the router knows nothing about subnets
fpmw> and dumps all traffic for 192.x.y.0 onto the lan. Don't I have to
fpmw> subnet in order to split the network into 2 sections like this?
fpmw> If I subnet, isn't 192.x.y.1 no longer a good address? (it is in the
fpmw> all zero subnet)
fpmw> If I don't subnet, will I have to set up a static route for each
fpmw> machine on the public net?

If your firewall has two interfaces then you should give them IP addresses from two different subnets. So either you subnet your class C net or use another class C net as the private net. Your router should know about all your subnets. The result is that the public net and the private net are two different subnets with a firewall between them.

I have a general question on this configuration: the public machines, are these only to be reached from the internet (and/and not) from the private net? Then what about putting *these* machines in a screened subnet? It's against the philosophy of having a firewall. On the other hand, these public machines can be regarded as internet machines and should be treated that way. So there are pros and cons. Any opinions?

Frank

-------------------------------------------------
F.P.M.
Wetzels  ADIV/CNS D01-329  wetzels@amc.uva.nl
meibergdreef 15  Voice +31 20 5662917
1105 AZ Amsterdam-ZO  Fax +31 20 6973181
-------------------------------------------------

From firewalls-owner Wed Apr 5 03:51:56 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id DAA25755 for firewalls-outgoing; Wed, 5 Apr 1995 03:43:31 -0700 Received: from gateway.toploguk.co.uk (gateway.toploguk.co.uk [193.119.169.250]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id DAA25750 for ; Wed, 5 Apr 1995 03:43:26 -0700 From: Paul Crossley To: crumley@trinet.com, firewalls@GreatCircle.com Subject: firewalls and routing X-Mailer: ScoMail 1.0 Date: Wed, 5 Apr 1995 11:35:05 +0100 (BST) Message-ID: <9504051135.aa22997@gateway.toploguk.co.uk> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>                  Internet
>                      |
>               _______|______
>              |   router    |
>              |  192.x.y.1  |
>              |____________|
>                      |
>                      |  public net - webservers, etc
>       _______________|________________
>       |                               |
>  ______|______                   ____|_______
> |  192.x.y.2  |                 |    WWW     |
> |  firewall   |                 | 192.x.y.3  |
> |  192.x.y.4  |                 |___________|
> |___________|
>       |  private net
>  ____|_________________________
>  |                            |
> ______|_____            _____|_____
> | 192.x.y.5 |          | 192.x.y.6 |
> |___________|          |___________|

You said that you "assume" that the router knows nothing about the subnets. By placing the public net on one subnet and the private hosts on the other you would be able to use the router to apply different sets of filters to the different subnets. Since most routers these days handle this sort of thing quite well and you are certain to want some communication between your public and private hosts, the router, to my paranoid frame of mind, is the place to filter out as many unwanted services as possible.

-------------------------------------------------------------------------
Paul Crossley (paul@toploguk.co.uk)
Senior Consultant SCO ACE
TopLog Limited
TopLog House, Knaves Beech Business Centre, Loudwater, Bucks.
HP10 9QY
Phone (01628) 819444 Fax (01628) 819356
-------------------------------------------------------------------------

From firewalls-owner Wed Apr 5 04:21:49 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA26225 for firewalls-outgoing; Wed, 5 Apr 1995 04:10:10 -0700 Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id EAA26220 for ; Wed, 5 Apr 1995 04:10:06 -0700 Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA13981; Wed, 5 Apr 95 07:09:08 -0500 From: paul@hawksbill.sprintmrn.com (Paul Ferguson) Message-Id: <9504051209.AA13981@hawksbill.sprintmrn.com> Subject: Re: ISDN To: paul@toploguk.co.uk (Paul Crossley) Date: Wed, 5 Apr 1995 07:09:08 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: <9504050944.aa22471@gateway.toploguk.co.uk> from "Paul Crossley" at Apr 5, 95 09:43:58 am X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 652 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> My apologies for mailing to this list but being people with networking
> interests someone will hopefully be able to re-direct me.
>
> Does anyone know of any lists discussing ISDN issues (particularly
> as regards spoofing the protocols carried for networks)?
>

comp.dcom.isdn on USENET.
- paul
_______________________________________________________________________________
Paul Ferguson  US Sprint  tel: 703.689.6828
Managed Network Engineering  internet: paul@hawk.sprintmrn.com
Reston, Virginia USA  http://www.sprintmrn.com

From firewalls-owner Wed Apr 5 06:50:57 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA27858 for firewalls-outgoing; Wed, 5 Apr 1995 06:34:44 -0700 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA27853 for ; Wed, 5 Apr 1995 06:34:40 -0700 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA16082; Wed, 5 Apr 95 09:30:49 -0400 Date: Wed, 5 Apr 95 09:30:48 -0400 Message-Id: <9504051330.AA16082@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: Detecting failures Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Matt writes:

>Since this router has some filtering capabilities, I won't even
>be able to see any attacks that don't make it through the router. Do I
>care? Not really, I just want to know what does make it through.

I disagree, since I want to know about failed probes; they are usually the first sign of a more concerted attack. My procedure is to set up a special flag/watch for all access from a site following rejected probes and to follow up on it with the sysadmins involved. Usually nothing happens but once in a while...
Warmly,
Padgett

From firewalls-owner Wed Apr 5 07:09:45 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA27670 for firewalls-outgoing; Wed, 5 Apr 1995 06:22:51 -0700 Received: from wh.bayer.com (wh.bayer.com [192.80.67.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA27665 for ; Wed, 5 Apr 1995 06:22:48 -0700 From: tws@wh.bayer.com Received: by wh.bayer.com (4.1/SMI-4.1) id AA29913; Wed, 5 Apr 95 09:20:53 EDT Received: by mrcs1 (5.64/X1.00) id AA00917; Wed, 5 Apr 95 09:19:13 -0400 Date: Wed, 5 Apr 95 09:19:13 -0400 Message-Id: <9504051319.AA00917@mrcs1> To: crumley@trinet.com, firewalls@GreatCircle.com Subject: Re: firewalls and routing Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Here's a way to think about this. A paradigm, if you would.

You want to have two logical networks. You call one public and the other private (and the two are connected via the firewall in your picture). If there is such logical separation there must be two network addresses. Your picture does not reflect that. What I see is one network id, 192.x.y. Given two network ids, the box labelled as firewall will handle passing or not passing of packets from one net to the other. Subnetting is a way to make two (or more) networks out of one (legitimate) network id.

Regards,
Tenna Sakai
Bayer Research Center

> From firewalls-owner@GreatCircle.COM Tue Apr 4 19:43:14 1995
> Subject: firewalls and routing
> To: firewalls@GreatCircle.com
> Hi, I have a pretty basic question. I'll be setting up a Class-C network
> with a firewall and I'm unsure about sub-netting and routing.
> It would look something like this:
>
>                 Internet
>                    |
>             _______|______
>             |   router   |
>             | 192.x.y.1  |
>             |____________|
>                    |
>                    |  public net - webservers, etc
>     _______________|________________
>     |                              |
>  ______|______               ____|_______
>  | 192.x.y.2  |              |   WWW      |
>  | firewall   |              | 192.x.y.3  |
>  | 192.x.y.4  |              |___________|
>  |___________|
>     |  private net
>  ____|_________________________
>     |                         |
>  ______|_____           _____|_____
>  | 192.x.y.5 |          | 192.x.y.6 |
>  |___________|          |___________|
>
> My question is how do I number the network for this setup and how
> is routing setup? I assume the router knows nothing about subnets
> and dumps all traffic for 192.x.y.0 onto the lan. Don't I have to
> subnet in order to split the network into 2 sections like this?
> If I subnet, isn't 192.x.y.1 no longer a good address? (it is in the
> all zero subnet)
> If I don't subnet, will I have to set up a static route for each
> machine on the public net?
>
> Thanks for the help.
>
> -Steve

From firewalls-owner Wed Apr 5 07:20:45 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA27848 for firewalls-outgoing; Wed, 5 Apr 1995 06:33:31 -0700
Received: from anima.nums.nwu.edu (anima.nums.nwu.edu [165.124.50.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA27843 for ; Wed, 5 Apr 1995 06:33:27 -0700
Received: from pfield.childmmc.edu by anima.nums.nwu.edu with SMTP (1.37.109.16/20.3) id AA160148822; Wed, 5 Apr 1995 08:33:42 -0500
Message-Id:
In-Reply-To: <9504041213.AA08391@all.net>
References: Conversation <9504041213.AA08391@all.net> with last message <9504041213.AA08391@all.net>
Priority: Normal
To: firewalls@GreatCircle.COM
Mime-Version: 1.0
From: Phil Field
Subject: TIS and Firewall one #'s
Date: Tue, 04 Apr 95 16:30:50 CDT
Content-Type: text/plain; charset=US-ASCII; X-MAPIextension=".TXT"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

To All,

Does anybody have the address or phone numbers of two firewall vendors TIS
and Firewall ?

Thank you for your support,

______________________________________________________________
Phillip Field           | Children's Memorial Medical Center
Network Administrator   | 2300 Children's Plaza, Mailstop 56
Email: pfield@nwu.edu   | Chicago, Illinois 60614
FAX: 312-880-3280       |
Voice: 312-880-6335     |
_______________________________________________________________

From firewalls-owner Wed Apr 5 07:50:54 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA28570 for firewalls-outgoing; Wed, 5 Apr 1995 07:21:50 -0700
Received: from lc.lindenwood.edu (lc.lindenwood.edu [128.252.65.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA28565 for ; Wed, 5 Apr 1995 07:21:45 -0700
Received: by lc.lindenwood.edu (5.65/DEC-Ultrix/4.3) id AA01951; Wed, 5 Apr 1995 09:22:58 -0500
Date: Wed, 5 Apr 1995 09:22:58 -0500 (CDT)
From: Jeff Prince
To: Firewalls Group
Subject: Need sources to set up network security
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello everyone,

I'm trying to setup my network in a secure manner, and am looking for
sources to consult, books, papers, etc. I'm looking at both software
(tcp-wrappers, etc) as well as hardware (routers, firewalls, etc), but need
to know what questions to ask, as well as the vocabulary to use, to make a
good decision. This is an educational environment, so I cannot trust my
users -- this network cannot have a soft, chewy center. :-)

I recently picked up Siyan's _Internet Firewalls and Network Security_
through a book club. Just started reading it. I hear this list refer to
Cheswick & Bellovin's _Firewalls & Internet Security_, anyone have the
complete name, publisher and ISBN number?

Reply to me directly or to the list, I'm lurking in the background. It
would help if you'd also include a short blurb on the strengths and
weaknesses of each source.

As always, thanks in advance for your time and help.
--
Jeff Prince, Assistant System Administrator
Lindenwood College, 209 S. Kingshighway, St. Charles, MO 63301 (USA)
Internet: prince@lc.lindenwood.edu                  *LOCAL* entropy control

From firewalls-owner Wed Apr 5 08:29:37 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA29423 for firewalls-outgoing; Wed, 5 Apr 1995 07:56:11 -0700
Received: from relay.tis.com (relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA29418 for ; Wed, 5 Apr 1995 07:56:08 -0700
Received: from mailhub.tis.com(192.33.112.100) by relay.tis.com via smap (a1.4) id sma004919; Wed Apr 5 10:55:56 1995
Received: from sol.tis.com by tis.com (4.1/SUN-5.64) id AA29952; Wed, 5 Apr 95 10:55:38 EDT
Message-Id: <9504051455.AA29952@tis.com>
From: Frederick M Avolio
X-Organization: Trusted Information Systems, Inc.
X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363
To: Phil Field
Cc: firewalls@greatcircle.com
Subject: Re: TIS and Firewall one #'s
In-Reply-To: Your message of Tue, 04 Apr 95 16:30:50 -0500.
Date: Wed, 05 Apr 95 10:55:37 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Firewall-1 is from Checkpoint or SunSoft. TIS is: gauntlet-info@tis.com or
+1 301-854-5550

Fred

> To All,
>
>
> Does anybody have the address or phone numbers of two
> firewall vendors TIS and Firewall ?
>
>
>
> Thank you for your support,
>
>
>
> ______________________________________________________________
> Phillip Field           | Children's Memorial Medical Center
> Network Administrator   | 2300 Children's Plaza, Mailstop 56
> Email: pfield@nwu.edu   | Chicago, Illinois 60614
> FAX: 312-880-3280       |
> Voice: 312-880-6335     |
> _______________________________________________________________
>
>

From firewalls-owner Wed Apr 5 08:53:53 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA29726 for firewalls-outgoing; Wed, 5 Apr 1995 08:06:23 -0700
Received: from luey.cadvision.com (huey.cadvision.com [204.50.1.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA29715 for ; Wed, 5 Apr 1995 08:06:17 -0700
Received: from cad68.cadvision.com by luey.cadvision.com (AIX 3.2/UCB 5.64/4.04.tri.dcx) id AA29044; Wed, 5 Apr 1995 09:07:35 -0600
Date: Wed, 5 Apr 1995 09:07:35 -0600
Message-Id: <9504051507.AA29044@luey.cadvision.com>
X-Sender: myattj@huey.cadvision.com
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: "Chambers, M.A." , firewalls@greatcircle.com
From: myattj@cadvision.com (Justin "Kipper" Myatt)
Subject: Re: Let me know that you find out.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Matt, will do - however the consensus appears to be that UNIX (LINUX, SunOS)
is best. Have not seen much on an NT version yet. Ask Microsoft their FTP
g/w runs on an NT PC I'm told. As to their firewall ????

cheers

Justin

>
>We are going to do the same thing at our installation.
>We are still at ground zero, just like you. Essex is mostly an NT
>environment with WFW clients. We would like to have our firewall
>implementation on NT as well.
>If you find anything out, please let me know. Also, if I find any
>information out, I'll drop you a line as well.
>Thanks,
>Matt Chambers
>CHAMBMA@SMTP.ESSEXGROUP.COM
>
>
>

-----------------------------------------------------------
Justin Myatt - Email Personage      | Call me at 403 290 3262
GE Capital Technology Services      | Fax me at 403 290 2566
435, 4th Ave SW                     | Email to:
Calgary, Alberta, Canada, T2P 3A8   |   myattj@cadvision.com
Brrr it's cold here today....       | CrudUServe(CIS)72234.23
-----------------------------------------------------------

From firewalls-owner Wed Apr 5 09:23:30 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA01489 for firewalls-outgoing; Wed, 5 Apr 1995 09:10:38 -0700
Received: from wolfe.wimsey.com (wolfe.wimsey.com [204.191.160.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA01484 for ; Wed, 5 Apr 1995 09:10:35 -0700
Received: by wolfe.wimsey.com (Smail-3.1.29.1 #10) id m0rwXfD-000EgyC; Wed, 5 Apr 95 16:10 GMT
Received: from cc:Mail by bctinet.bctransit.com id AA797098060 Wed, 05 Apr 95 09:07:40
Date: Wed, 05 Apr 95 09:07:40
From: "jeff wong"
Message-Id: <9503057970.AA797098060@bctinet.bctransit.com>
To: firewalls@greatcircle.com
Subject: Firewall-1 on HP
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi there,

Does anybody know whether Firewall-1 is on HP. I know it's currently
available on Sun?
Thanks

Jeff

From firewalls-owner Wed Apr 5 09:51:09 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA02157 for firewalls-outgoing; Wed, 5 Apr 1995 09:30:44 -0700
Received: from hp.com (hp.com [15.255.152.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA02151 for ; Wed, 5 Apr 1995 09:30:41 -0700
Received: from hpindda.cup.hp.com by hp.com with ESMTP (1.37.109.15/15.5+ECS 3.3) id AA023049456; Wed, 5 Apr 1995 09:30:57 -0700
Received: from localhost by hpindda.cup.hp.com with SMTP (1.37.109.15/15.5+IOS 3.20+cup+OMrelay) id AA140539453; Wed, 5 Apr 1995 09:30:53 -0700
Message-Id: <199504051630.AA140539453@hpindda.cup.hp.com>
To: firewalls@GreatCircle.COM
Subject: Source Routing
Date: Wed, 05 Apr 1995 09:30:52 -0700
From: Abraham Lui
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Can anyone out there give me a couple of scenarios on how a source routing
attack is being launched? The description in the C&B book does not show how
it is different from IP address spoofing.

Thanks in advance.
Abraham

+-------------------------------------------+---------------------------------+
|Abraham Lui (Member, Technical Staff)      |Bldg: 43L; MS 43LM; Pillar P7    |
|Information Networks Division              |Phone: 408-447-2403              |
|Hewlett-Packard Company                    |Telnet: 1-447-2403               |
|19420 Homestead Road, MS 43LM              |Fax: 408-447-3660                |
|Cupertino, CA 95014-9807                   |Email: abraham@cup.hp.com        |
+-------------------------------------------+---------------------------------+

From firewalls-owner Wed Apr 5 10:28:31 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA02807 for firewalls-outgoing; Wed, 5 Apr 1995 09:54:27 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA02802 for ; Wed, 5 Apr 1995 09:54:22 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA17114; Wed, 5 Apr 95 12:51:30 -0400
Date: Wed, 5 Apr 95 12:51:30 -0400
Message-Id: <9504051651.AA17114@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Detection of the big "S"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

FC rites

>Subj: gopher getcommand: readline error

>I noticed that when I do certain port scans, my gopher server produces an
>error message (in the log file):
> getcommand: readline error

Yes this is an indicator of the current version but is related to a
"generic" handler that is fixable. I would not rely on it as a "once and
future" mechanism.
Warmly,
		Padgett

From firewalls-owner Wed Apr 5 10:32:59 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA02140 for firewalls-outgoing; Wed, 5 Apr 1995 09:30:01 -0700
Received: from noc.netins.net (noc.netins.net [167.142.225.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA02132 for ; Wed, 5 Apr 1995 09:29:57 -0700
Received: (from jeffo@localhost) by noc.netins.net id LAA32126; Wed, 5 Apr 1995 11:30:04 -0500
Date: Wed, 5 Apr 1995 11:30:04 -0500 (CDT)
From: "Jeffrey C. Ollie"
To: Jeff Prince
cc: Firewalls Group
Subject: Re: Need sources to set up network security
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 5 Apr 1995, Jeff Prince wrote:

> Hello everyone,
> I'm trying to setup my network in a secure manner, and am looking
> for sources to consult, books, papers, etc. I'm looking at both software
> (tcp-wrappers, etc) as well as hardware (routers, firewalls, etc), but
> need to know what questions to ask, as well as the vocabulary to use, to
> make a good decision. This is an educational environment, so I cannot
> trust my users -- this network cannot have a soft, chewy center. :-)
> I recently picked up Siyan's _Internet Firewalls and Network
> Security_ through a book club. Just started reading it. I hear this list
> refer to Cheswick & Bellovin's _Firewalls & Internet Security_, anyone
> have the complete name, publisher and ISBN number?
> Reply to me directly or to the list, I'm lurking in the background.
> It would help if you'd also include a short blurb on the strengths and
> weaknesses of each source.
> As always, thanks in advance for your time and help.

Firewalls and Internet Security: Repelling the Wily Hacker
William R. Cheswick and Steven M. Bellovin
Addison-Wesley 1994
ISBN 0-201-63357-4

Can you provide the same information for Siyan's book?

Jeffrey C. Ollie
Iowa Network Services
Support Daemon

From firewalls-owner Wed Apr 5 10:51:07 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA03541 for firewalls-outgoing; Wed, 5 Apr 1995 10:22:20 -0700
Received: from bach.ccinet.ab.ca (bach.ccinet.ab.ca [198.161.96.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA03536 for ; Wed, 5 Apr 1995 10:22:10 -0700
Received: by bach.ccinet.ab.ca; id AA26439; Wed, 5 Apr 1995 11:19:27 -0600
Date: Wed, 5 Apr 1995 11:19:27 -0600
Message-Id: <9504051719.AA26439@bach.ccinet.ab.ca>
X-Sender: fmrcss@bach.ccinet.ab.ca
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: FMRCSS@ccinet.ab.ca (Fort McMurray Catholic Schools)
Subject: Creating a firewall on a Mac Network
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have a Mac WAN with approximately 600 Macintoshes and about 40 zones of
Ethernet and LocalTalk scattered across the city. I am looking at putting
in a dedicated 56K pipe into the internet from the central hub. However, I
want to put a firewall up to prevent problems on the internet from invading
my network. I have been told that there are products out there which will
allow people on my network to then access internet directly without the use
of dial up modems at each site. What I need is security.

Can anyone out there help me?
Thanks

Richard

______________________________________________
Richard Critchley
Educational Technology Applications Developer
Ed Tech Department
Fort McMurray Catholic Schools,
9809 Main Street,
Fort McMurray, Alberta, T9H-1T7
CANADA

From firewalls-owner Wed Apr 5 10:51:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA02716 for firewalls-outgoing; Wed, 5 Apr 1995 09:51:48 -0700
Received: from erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA02710 for ; Wed, 5 Apr 1995 09:51:44 -0700
Posted-Date: Wed, 5 Apr 1995 12:51:57 -0400
From: "Bryan D. Boyle"
Message-Id: <9504051251.ZM2533@maverick.erenj.com>
Date: Wed, 5 Apr 1995 12:51:57 -0400
In-Reply-To: "jeff wong" "Firewall-1 on HP" (Apr 5, 9:07am)
References: <9503057970.AA797098060@bctinet.bctransit.com>
X-Phone: (908) 730-3338
X-Saying: Strange problems call for strange solutions.
X-Face: "Pd&4kXWsi"3Hc_Y~I-ts24DN$w~Hh)&L-P9DZvE"~_~m),~Y&N_]TUIM*4.r@z$SxVL]}v=+IP>Fuq{zx%{KKj"Kys1Q5{|m*l}:[T;N:/=@5[xOIpR$%skp$f0#6^j\1+ -?l%Yk/+S8Y!3J@{~!Ao4-COV:Ft}{]oZ&1=!@<>UIh2s
X-Mailer: Z-Mail (3.2.0 06sep94)
To: firewalls@greatcircle.com
Subject: Re: Firewall-1 on HP
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Apr 5, 9:07am, jeff wong wrote:
> Subject: Firewall-1 on HP
>
> Hi there,
>
> Does anybody know whether Firewall-1 is on HP. I know it's currently
> available on Sun?

only on sun.

--
Bryan D. Boyle            |The Moving Finger writes,and having writ, moves on.
#include                  |Nor all your Piety nor Wit can call it back to cancel
EMAIL: bdboyle@erenj.com  |Half a line, or all your tears wash out a Word of it.
--------------http://www.access.digex.net/~bdboyle/index.html---------------

From firewalls-owner Wed Apr 5 11:17:42 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA03071 for firewalls-outgoing; Wed, 5 Apr 1995 10:05:02 -0700
Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA03066 for ; Wed, 5 Apr 1995 10:04:59 -0700
Received: from uucp3.UU.NET by relay3.UU.NET with SMTP id QQykee00874; Wed, 5 Apr 1995 13:05:15 -0400
Received: from brite.UUCP by uucp3.UU.NET with UUCP/RMAIL ; Wed, 5 Apr 1995 13:05:14 -0400
Received: from usrpc10.wichita.brite.com by brite.wichita.brite.com (5.65/1.35) id AA09859; Wed, 5 Apr 95 17:04:17 GMT
Date: Wed, 5 Apr 95 11:59:58 CDT
From: Shane Kinsch
Subject: Re: Pagers (esp display)
To: uunet!GreatCircle.COM!firewalls@uunet.uu.net
X-Mailer: Chameleon - TCP/IP for Windows by NetManage, Inc.
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I really don't know why people are making a big deal about this either. I
wrote a script that echoes the appropriate information to the modem, that's
it. It's not too elaborate but it works. I have it call my numeric after
people leave a message for me. It's quite simple, just echo the Hayes
commands to the modem device.

>Geesh, It's a very simple solution. Write a script to dial a modem
>you have connected to a machine someplace (And don't be a weenie and
>run a getty process for the modem, because then you'll open yourself up to
>dialup access). Have it call your pager number, and dial a list of codes, like
>"400400-911" if something's wrong , or "404404-911" if something's not
>found..etcetc...
>
>So much for the complaints from the pager company. Or, get another
>pager company.
>
>-john
>

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
_/  Shane T Kinsch             BRITE VOICE SYSTEMS, INC.      _/
_/  shane.kinsch@brite.com     VP UNIX Technical Engineer     _/
_/  Wichita, KS USA            "MIME is ok here"              _/
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

From firewalls-owner Wed Apr 5 11:42:52 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA05460 for firewalls-outgoing; Wed, 5 Apr 1995 11:17:29 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA05455 for ; Wed, 5 Apr 1995 11:17:23 -0700
From: matt@zilker.net
Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA17496; Wed, 5 Apr 95 14:17:35 -0400
Date: Wed, 5 Apr 95 14:17:35 -0400
Message-Id: <9504051817.AA17496@uvs1.orl.mmc.com>
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security), ("firewalls@greatcircle.com"@uvs1.dnet.mmc.com)
Subject: Re: Detecting failures
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:30 AM 4/5/95 -0400, A. Padgett Peterson, P.E. Information Security wrote:
>Matt rites:
>>Since this router has some filtering capabilities, I won't even
>>be able to see any attacks that don't make it through the router. Do I
>>care? Not really, I just want to know what does make it through.
>
>I disagree since I want to know about failed probes since they are usually
>the first sign of a more concerted attack. My procedure is to set up a
>special flag/watch for all access from a site following rejected probes
>and to follow up on it with the sysadmins involved.

Those are good points. However, this is a very small company and there is a
limit on how much hardware I can throw at the problem. Having to pass all
traffic and then put a filter machine just inside may not be practical (I'm
a lousy salesman). Also, I'm hoping that I can lock things down tightly
enough that I won't need to talk to the other sysadmins.
--
Matt

From firewalls-owner Wed Apr 5 11:56:38 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA05092 for firewalls-outgoing; Wed, 5 Apr 1995 11:08:32 -0700
Received: from ACM.ORG (ACM.ORG [192.135.174.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA05087 for ; Wed, 5 Apr 1995 11:08:30 -0700
From: VROOM@ACM.ORG
Received: from ACM.ORG by ACM.ORG (PMDF V4.3-10 #4177) id <01HOZBIGFEBK009E6T@ACM.ORG>; Wed, 05 Apr 1995 13:08:44 -0500 (CDT)
Date: Wed, 05 Apr 1995 13:08:44 -0500 (CDT)
Subject: Proxy WWW through firewall
To: FIREWALLS@GREATCIRCLE.COM
Message-id: <01HOZBIGFG7M009E6T@ACM.ORG>
X-VMS-To: FIREWALLS@GREATCIRCLE.COM
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Some details:

We've just installed a Raptor firewall system (on a sun).
We have a web site outside the firewall running BSD/OS with the CERN server
in proxy mode.
We've previously used SLIP to allow staff to surf the web.

My question is, how do I get PC clients running netscape or mosaic to use
the proxy instead of expecting a SLIP or PPP connection?
Thanks,
Andrew

From firewalls-owner Wed Apr 5 12:51:43 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA08004 for firewalls-outgoing; Wed, 5 Apr 1995 12:24:35 -0700
Received: from mx3.smtp.psi.net (mx3.smtp.psi.net [38.145.204.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA07999 for ; Wed, 5 Apr 1995 12:24:32 -0700
Received: from viacom.COM by mx3.smtp.psi.net (8.6.9/SMI-4.1.3-PSI) id PAA10820; Wed, 5 Apr 1995 15:13:19 -0400
Received: from smtpgate.viacom.com by viacom.viacom.COM id aa04676; 5 Apr 95 14:57 EDT
Received: by SMTPGATE.VIACOM.COM with Microsoft Mail id <2F8315BE@SMTPGATE.VIACOM.COM>; Wed, 05 Apr 95 15:12:14 PDT
From: "Bai, Mario"
To: firewalls
Subject: FW: Proxy WWW through firewall
Date: Wed, 05 Apr 95 15:11:00 PDT
Message-ID: <2F8315BE@SMTPGATE.VIACOM.COM>
Encoding: 23 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Put the proxy *behind* the firewall, point the clients to it and proxy over
the firewall (using something like socks) .... or *not recommended* run the
proxy on the firewall, and point the clients to it. Why did you decide to
put the proxy outside the firewall?

----------
From: firewalls-owner
To: FIREWALLS
Subject: Proxy WWW through firewall
Date: Wednesday, April 05, 1995 1:08PM

Some details:

We've just installed a Raptor firewall system (on a sun).
We have a web site outside the firewall running BSD/OS with the CERN server
in proxy mode.
We've previously used SLIP to allow staff to surf the web.

My question is, how do I get PC clients running netscape or mosaic to use
the proxy instead of expecting a SLIP or PPP connection?
Thanks,
Andrew

From firewalls-owner Wed Apr 5 13:26:47 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA08081 for firewalls-outgoing; Wed, 5 Apr 1995 12:26:11 -0700
Received: from netcom6.netcom.com (netcom6.netcom.com [192.100.81.114]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA08072 for ; Wed, 5 Apr 1995 12:26:07 -0700
Received: by netcom6.netcom.com (8.6.11/Netcom) id MAA00731; Wed, 5 Apr 1995 12:23:42 -0700
Date: Wed, 5 Apr 1995 12:23:41 -0700 (PDT)
From: Brad McCarty
Subject: Registered IP vs unregistered
To: firewalls@greatcircle.com
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My company is setting up a TCP/IP network and we've come to the point of
deciding on whether we should try to use registered class C addresses or
unregistered class A addresses.

Background:

We will probably have very few hosts which need Internet access, the switch
to TCP/IP is mostly for internal use. Those hosts would probably need
access only for Web browsing and maybe FTP.

When we connect to the Internet it will definitely be through a proxy
server or firewall machine not directly from any host.

We applied for registered IP network numbers and got 16 class C numbers.
The problem is that due to the physical layout of our company we run
into several problems with the max of 254 hosts per subnet.

If we use unregistered class A addresses then almost all the problems go
away and we can even assign some meaning to the addresses. I'm assuming
that we would gain our Internet access through a proxy server or perhaps
a network address translation server so the class A addresses wouldn't be
a problem on the Internet.

The questions I have (finally) are:

1) If we use unregistered class A addresses internally what Internet
   services will we have a problem using? i.e. what can't we do through
   a proxy server or network address translation server?
2) In your opinion, do you think we will be painting ourselves into a
   corner if we go with unregistered class A addresses? Do you think
   this may become a liability for us in the future in that, there may
   be a new service available on the Internet which will not work
   through a proxy server or firewall and will require registered IP
   addresses on our side?

TIA, Brad McCarty

From firewalls-owner Wed Apr 5 13:53:14 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA09082 for firewalls-outgoing; Wed, 5 Apr 1995 13:16:45 -0700
Received: from blackhole.milkyway.com (milkyway.com [198.53.167.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA09062 for ; Wed, 5 Apr 1995 13:16:38 -0700
Received: from localhost (uucp@localhost) by blackhole.milkyway.com (8.6.5/8.6.6) id QAA00452 for ; Wed, 5 Apr 1995 16:24:16 -0400
Received: from jupiter.milkyway.com(192.168.77.9) by internet.milkyway.com via smap (V1.3) id sma000450; Wed Apr 5 16:23:52 1995
Received: by calisto.milkyway.com (8.6.7/Sun-Client) id QAA13551; Wed, 5 Apr 1995 16:19:32 -0400
To: firewalls@greatcircle.com
Path: not-for-mail
From: mcr@milkyway.com (Michael Richardson)
Newsgroups: milkyway.mail.firewalls
Subject: Re: firewall weaknesses
Date: 5 Apr 1995 16:19:31 -0400
Organization: Milkyway Networks Corporation
Lines: 23
Distribution: milkyway
Message-ID: <3luu0j$d7c@calisto.milkyway.com>
References: <9504041213.AA08391@all.net>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In article <9504041213.AA08391@all.net>, Dr. Frederick B. Cohen wrote:
>Does anyone have a firewall that will protect users from poorly
>configured http daemons without preventing authorized use? For example,

  You mean, a poorly configured http daemon on the private network?
Put it on the DMZ, or on a service network. (A third network that is
behind the firewall, but still can't access the private network.
It might be behind a filtering router, but in front of the firewall, or it
might be on a third interface of a firewall)

  Why not just secure the httpd daemon itself? Wouldn't that be the best
solution? The firewall administrator had better know about any services
being provided on internal machines.

--
   :!mcr!:            |  Milkyway Networks Corporation
   Michael Richardson |  Makers of the Black Hole firewall
 NCF: aa714 || xx714  |  +1 613 566-4574 ... mcr@milkyway.com
 Home: mcr@sandelman.ocunix.on.ca. PGP key available.

From firewalls-owner Wed Apr 5 14:21:00 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA09143 for firewalls-outgoing; Wed, 5 Apr 1995 13:20:44 -0700
Received: from blackhole.milkyway.com (milkyway.com [198.53.167.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA09137 for ; Wed, 5 Apr 1995 13:20:40 -0700
Received: from localhost (uucp@localhost) by blackhole.milkyway.com (8.6.5/8.6.6) id QAA00499 for ; Wed, 5 Apr 1995 16:28:16 -0400
Received: from jupiter.milkyway.com(192.168.77.9) by internet.milkyway.com via smap (V1.3) id sma000495; Wed Apr 5 16:27:51 1995
Received: by calisto.milkyway.com (8.6.7/Sun-Client) id QAA13593; Wed, 5 Apr 1995 16:22:34 -0400
To: firewalls@greatcircle.com
Path: not-for-mail
From: mcr@milkyway.com (Michael Richardson)
Newsgroups: milkyway.mail.firewalls
Subject: Re: Alarms and paging
Date: 5 Apr 1995 16:22:33 -0400
Organization: Milkyway Networks Corporation
Lines: 26
Distribution: milkyway
Message-ID: <3luu69$d8m@calisto.milkyway.com>
References: <9504041314.AA11085@beaker.med.yale.edu>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In article <9504041314.AA11085@beaker.med.yale.edu>, R. Rodion Rathbone wrote:
>sequence of beeps and timing varied widely, not only between pager companies,
>but sometimes on successive pages to the same service and even the same beeper.
>He eventually found commercial voice-mail hardware system that had enough analog
>hooks to support reliable software, but it was pricey ($5-10K I

  Many of the newer fax/v32bis modems have voice capability. My rather old
ZyXel does this, although the sun3 it is hooked up to can not do the 57.6k
required to get voice data. Shouldn't that do the trick?

>for the message prompt, and repeat a short signature at short intervals,
>as in "91,,91,,91,,91,,91". Whatever the timing or prompts, some of it
>will get through, and you'll get a recognizable code.

  Good idea... a 1200 baud modem can do that.

--
   :!mcr!:            |  Milkyway Networks Corporation
   Michael Richardson |  Makers of the Black Hole firewall
 NCF: aa714 || xx714  |  +1 613 566-4574 ... mcr@milkyway.com
 Home: mcr@sandelman.ocunix.on.ca. PGP key available.

From firewalls-owner Wed Apr 5 14:56:22 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA10011 for firewalls-outgoing; Wed, 5 Apr 1995 13:51:07 -0700
Received: from lc.lindenwood.edu (lc.lindenwood.edu [128.252.65.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA09958 for ; Wed, 5 Apr 1995 13:50:07 -0700
Received: by lc.lindenwood.edu (5.65/DEC-Ultrix/4.3) id AA12810; Wed, 5 Apr 1995 15:50:33 -0500
Date: Wed, 5 Apr 1995 15:50:29 -0500 (CDT)
From: Jeff Prince
To: Firewalls Group
Subject: Re: Need sources to set up network security
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Here's the info on the book I mentioned previously. I haven't had a chance
to read it, so I can't comment on it.

Internet Firewalls and Network Security
Karanjit Siyan, Ph.D. and Chris Hare
New Riders Publishing
ISBN 1-56205-437-6

The back cover states $35.00 (US) price, category: Networking, User Level:
Accomplished-Expert. Siyan is president of Kinetics Corporation.
Hare has written technical articles for Sys Admin and is currently
operations manager of i*internet, Inc. (Canadian Internet service provider).

I've received several good tips from people, some of which I've been using.
I've no problem with someone plugging their own books/papers/company/seminars.
Would there be any objections to posting the condensed version here in a few
days, or is this old news to everyone?

--
Jeff Prince, Assistant System Administrator
Lindenwood College, 209 S. Kingshighway, St. Charles, MO 63301 (USA)
Internet: prince@lc.lindenwood.edu                  *LOCAL* entropy control

From firewalls-owner Wed Apr 5 15:11:38 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA10874 for firewalls-outgoing; Wed, 5 Apr 1995 14:18:42 -0700
Received: from clark.net (clark.net [168.143.0.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA10868 for ; Wed, 5 Apr 1995 14:18:38 -0700
Received: (hcb@localhost) by clark.net (8.6.12/8.6.5) id RAA18397; Wed, 5 Apr 1995 17:18:06 -0400
From: Howard Berkowitz
Message-Id: <199504052118.RAA18397@clark.net>
Subject: Re: Registered IP vs unregistered
To: mccarbc@netcom.com (Brad McCarty)
Date: Wed, 5 Apr 1995 17:18:04 -0400 (EDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Brad McCarty" at Apr 5, 95 12:23:41 pm
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Content-Length: 3073
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> My company is setting up a TCP/IP network and we've come to the point of
> deciding on whether we should try to use registered class C addresses or
> unregistered class A addresses.
>
> Background:
>
> We will probably have very few hosts which need Internet access, the switch
> to TCP/IP is mostly for internal use. Those hosts would probably need
> access only for Web browsing and maybe FTP.
> > When we connect to the Internet it will definitely be through a proxy > server or firewall machine, not directly from any host. > > We applied for registered IP network numbers and got 16 class C numbers. > The problem is that due to the physical layout of our company we run > into several problems with the max of 254 hosts per subnet. Without seeing your specific layout, I would be concerned over trying to put that many hosts on a subnet, if for no other reason than routing and troubleshooting. With most routers, you can put multiple subnets on the same wire -- by extension, multiple network numbers on the same wire. > > If we use unregistered class A addresses then almost all the problems go > away and we can even assign some meaning to the addresses. I'm assuming > that we would gain our Internet access through a proxy server or perhaps > a network address translation server so the class A addresses wouldn't be > a problem on the Internet. For that matter, RFC1597 also defines unregistered Class B and Class C addresses. Don't go too far into assigning "meaning" to IP addresses, if by meaning you refer to organizational structure. IP address structure should reflect routing design and, to a lesser extent, physical topology. It's your DNS naming structure that should reflect organizational meaning. If I guess correctly, you are running a bridged environment at present. IP address structure is not always the optimal bridged structure and vice versa. > > The questions I have (finally) are: > > 1) If we use unregistered class A addresses internally what Internet > services will we have a problem using? i.e. what can't we do through > a proxy server or network address translation server? Might you ever have to use an Internet service provider for connectivity to remote locations? This can be done with unregistered addresses using IP over IP tunneling, but that adds overhead.
> > 2) In your opinion, do you think we will be painting ourselves into a > corner if we go with unregistered class A addresses? Do you think > this may become a liability for us in the future in that there may > be a new service available on the Internet which will not work > through a proxy server or firewall and will require registered IP > addresses on our side? I still like RFC1597 addresses in many circumstances, but they can be a management problem if you merge, etc. There are workarounds, such as IP over IP tunneling. I would very strongly recommend you use address assignment software such as DHCP in your end systems, if you go to unregistered addresses. > > TIA, Brad McCarty > > From firewalls-owner Wed Apr 5 15:24:06 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA12880 for firewalls-outgoing; Wed, 5 Apr 1995 15:11:20 -0700 Received: from sdwsys (sdwsys.lig.net [199.18.175.129]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA12873 for ; Wed, 5 Apr 1995 15:11:15 -0700 Received: by sdwsys (Linux Smail3.1.28.1 #20) id m0rwYZC-0009tGC; Wed, 5 Apr 95 17:08 GMT Message-Id: From: sdw@lig.net (Stephen D. Williams) Subject: Re: FW: Proxy WWW through firewall To: BAIM@itg.viacom.com (Bai, Mario) Date: Wed, 5 Apr 1995 17:08:29 +0000 (GMT) Cc: firewalls@greatcircle.com In-Reply-To: <2F8315BE@SMTPGATE.VIACOM.COM> from "Bai, Mario" at Apr 5, 95 03:11:00 pm X-Mailer: ELM [version 2.4 PL24alpha3] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 933 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > > Put the proxy *behind* the firewall, point the clients to it and proxy over > the firewall (using something like socks) .... or *not recommended* run the > proxy on the firewall, and point the clients to it. Why did you decide to > put the proxy outside the firewall? I disagree.
The proxy should go outside the firewall: Cern reached with a simple app gateway or via a bastion allowed IP address works just fine. I don't want to use socks or a whole bunch of other proxies for wais, gopher, http, ftp, etc. sdw -- Stephen D. Williams 25Feb1965 VW,OH (FBI ID) sdw@lig.net http://www.lig.net/sdw Senior Consultant, Manhattan Feb95- | 513-865-9599 FAX/LIG 513.496.5223 OH Page OO R&D AI:NN/ES crypto DBMS RPC/CS |2464 Rosina Dr., Miamisburg, OH 45342-6430 Firewall/WWW srvrs|ICBM/GPS: 39 38 34N 84 17 12W home, 40 47 00N 73 58 00W wrk Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.;1Mar95 From firewalls-owner Wed Apr 5 15:51:00 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA12469 for firewalls-outgoing; Wed, 5 Apr 1995 15:01:59 -0700 Received: from mbadev.mba.com ([198.60.144.14]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA12461 for ; Wed, 5 Apr 1995 15:01:56 -0700 Message-Id: <199504052201.PAA12461@miles.greatcircle.com> Received: from he.mba.com by mbadev.mba.com with SMTP (1.37.109.8/16.2) id AA19957; Wed, 5 Apr 1995 14:59:54 -0700 Date: Wed, 5 Apr 1995 14:59:54 -0700 X-Sender: cxh@mbadev.mba.com X-Mailer: Windows Eudora Version 1.4.3 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: cxh@mba.com (Cynthia He) Subject: pc running SCO Open Server Network as firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, We are trying to set up a firewall pc running SCO Open Server Network. While we are waiting for our manuals to come in, does somebody know how to disable ip-forwarding in SCO? Thanks! C. 
He From firewalls-owner Wed Apr 5 15:59:35 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA12148 for firewalls-outgoing; Wed, 5 Apr 1995 14:55:53 -0700 Received: from Altitude.CAM.ORG (Altitude.CAM.ORG [198.168.100.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA12143 for ; Wed, 5 Apr 1995 14:55:50 -0700 Received: from Grafnetix.Qc.CA by Altitude.CAM.ORG with UUCP id RAA05968 (8.6.9/8.6.9 for firewalls@greatcircle.com); Wed, 5 Apr 1995 17:17:11 -0400 Received: from renoir.Qc.CA (renoir) by monet.Grafnetix.Qc.CA with SMTP id AA00749 (5.65c/IDA-1.4.4/MB for ); Wed, 5 Apr 1995 17:15:17 -0400 Received: by renoir.Qc.CA (5.x/SMI-SVR4) id AA01301; Wed, 5 Apr 1995 17:15:10 -0400 Message-Id: <9504052115.AA01301@renoir.Qc.CA> From: laurent@Grafnetix.Qc.CA (Laurent Duperval) Date: Wed, 5 Apr 1995 17:15:10 -0400 X-Mailer: Mail User's Shell (7.2.5 10/14/92) To: firewalls@greatcircle.com Subject: SATAN on Solaris Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Does this thing work on Solaris or not? I'm running Solaris 2.4 with NIS+ and I get the following message when I try to do a normal probe: rpcinfo: can't contact portmapper: RPC: Rpcbind failure - RPC: Failed (unspecified error) I get a lot of timeout errors. So far, it seems pretty useless to me. Anyone have an idea why it's not working? I also get a showmount: RPC: Procedure unavailable -- Laurent Duperval Grafnetix Systems Inc.
Tel: (514) 861-3389 777, de la Commune Ouest Fax: (514) 866-6206 Suite 101, Montreal, Qc duperval@grafnetix.qc.ca Canada, H3C 1Y1 From firewalls-owner Wed Apr 5 16:28:27 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA15653 for firewalls-outgoing; Wed, 5 Apr 1995 16:17:07 -0700 Received: from ns.inter.edu (NS.INTER.EDU [164.42.100.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA15646 for ; Wed, 5 Apr 1995 16:16:42 -0700 From: CUETARA@zorzal.metro.inter.edu Received: from zorzal.metro.inter.edu by ns.inter.edu (AIX 3.2/UCB 5.64/4.03) id AA09116; Wed, 5 Apr 1995 19:20:28 -0400 Received: from NSTTC1/SMTPQueue by zorzal.metro.inter.edu (Mercury 1.11); Wed, 5 Apr 95 19:21:32 +500 Received: from Mailqueue by NSTTC1 (Mercury 1.11); Wed, 5 Apr 95 19:20:54 +500 Organization: Locally Produced Equipment Project To: firewalls@greatcircle.com Date: Wed, 5 Apr 1995 19:20:45 AST Subject: Re: Alarms and paging Priority: normal X-Mailer: Pegasus Mail v3.22 Message-Id: <11FF8190140@zorzal.metro.inter.edu> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >sequence of beeps and timing varied widely, not only between pager companies, >but sometimes on successive pages to the same service and even the same beeper. The frequency is probably fixed. Anybody know of a tone decoder circuit that can be hooked to the phone line and used to trigger a modem control line? 
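Returning to Laurent Duperval's SATAN-on-Solaris message above: both errors he quotes are ONC RPC status strings rather than anything SATAN-specific. `rpcinfo -p` is a PMAPPROC_DUMP call to the portmapper (program 100000), and "RPC: Procedure unavailable" is how the RPC client library renders a PROC_UNAVAIL accept status. The block below is an added example, not code from SATAN, from Solaris or from anyone in this thread. It builds the DUMP call by hand (RFC 1057 call header, AUTH_NULL credential and verifier, UDP framing so no TCP record mark) and decodes the reply down to the accept or reject status and the program/version/protocol/port list, so you see what the remote portmapper actually answered instead of a one-line client error. The xid constant, the `query_portmapper` helper name and the sample mappings used in the test are my own assumptions, constructed for the example.

```python
import socket
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4
PMAP_PORT = 111
RPC_VERSION = 2
CALL, REPLY = 0, 1
MSG_ACCEPTED, MSG_DENIED = 0, 1
# accept_stat and reject_stat values from RFC 1057
ACCEPT_STAT = {0: "SUCCESS", 1: "PROG_UNAVAIL", 2: "PROG_MISMATCH",
               3: "PROC_UNAVAIL", 4: "GARBAGE_ARGS", 5: "SYSTEM_ERR"}
REJECT_STAT = {0: "RPC_MISMATCH", 1: "AUTH_ERROR"}
PROTO = {6: "tcp", 17: "udp"}


def build_dump_call(xid):
    """RFC 1057 call header: xid, CALL, rpcvers, prog, vers, proc,
    then AUTH_NULL credential (flavor 0, length 0) and AUTH_NULL verifier.
    PMAPPROC_DUMP takes no arguments, so the header is the whole datagram."""
    return struct.pack("!10I", xid, CALL, RPC_VERSION, PMAP_PROG, PMAP_VERS,
                       PMAPPROC_DUMP, 0, 0, 0, 0)


def parse_dump_reply(data, expected_xid):
    """Return (status_name, [(prog, vers, proto, port), ...]) from a reply.
    The mapping list is only filled in when the accept status is SUCCESS."""
    xid, mtype, stat = struct.unpack("!3I", data[:12])
    if xid != expected_xid:
        raise ValueError("xid mismatch: sent %d, got %d" % (expected_xid, xid))
    if mtype != REPLY:
        raise ValueError("not an RPC reply")
    off = 12
    if stat == MSG_DENIED:
        rstat, = struct.unpack("!I", data[off:off + 4])
        return REJECT_STAT.get(rstat, "reject_stat %d" % rstat), []
    # MSG_ACCEPTED: opaque verifier (flavor, length, body padded to 4 bytes)
    _flavor, vlen = struct.unpack("!2I", data[off:off + 8])
    off += 8 + ((vlen + 3) & ~3)
    astat, = struct.unpack("!I", data[off:off + 4])
    off += 4
    status = ACCEPT_STAT.get(astat, "accept_stat %d" % astat)
    if astat != 0:
        return status, []
    # pmaplist is an XDR linked list: a "value follows" bool before each mapping
    mappings = []
    while True:
        follows, = struct.unpack("!I", data[off:off + 4])
        off += 4
        if not follows:
            break
        prog, vers, prot, port = struct.unpack("!4I", data[off:off + 16])
        off += 16
        mappings.append((prog, vers, PROTO.get(prot, str(prot)), port))
    return status, mappings


def build_dump_reply(xid, mappings, accept_stat=0):
    """Server-side encoder (constructed for offline testing of the parser):
    accepted reply, AUTH_NULL verifier, then the XDR list of mappings."""
    body = struct.pack("!6I", xid, REPLY, MSG_ACCEPTED, 0, 0, accept_stat)
    if accept_stat == 0:
        for prog, vers, prot, port in mappings:
            body += struct.pack("!5I", 1, prog, vers, prot, port)
        body += struct.pack("!I", 0)  # end of list
    return body


def query_portmapper(host, timeout=3.0):
    """Live UDP probe of port 111; needs network access, so the tests
    exercise the encoder/decoder pair above instead."""
    xid = 0x5A7A0001  # arbitrary transaction id, assumption for the example
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_dump_call(xid), (host, PMAP_PORT))
        data, _ = sock.recvfrom(65535)
    finally:
        sock.close()
    return parse_dump_reply(data, xid)
```

A timeout here means the datagram or the reply was dropped (filtering between you and the target, or nothing listening on 111); a decoded PROG_UNAVAIL or AUTH_ERROR means the portmapper is reachable and is saying no, which is a different diagnosis from what the terse `rpcinfo` message allows.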
-Ramon de la Cuetara From firewalls-owner Wed Apr 5 16:50:31 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA14772 for firewalls-outgoing; Wed, 5 Apr 1995 15:53:42 -0700 Received: from lccma.bos.locus.com (lccma.bos.locus.com [192.80.81.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA14767 for ; Wed, 5 Apr 1995 15:53:39 -0700 Received: from orchard.la.locus.com by lccma.bos.locus.com with SMTP (PP) id <05583-0@lccma.bos.locus.com>; Wed, 5 Apr 1995 18:53:50 +0000 Received: by orchard.la.locus.com (5.61-AIX-1.2/1.0) from traveller.la.locus.com with SMTP id AA156728 (for bdboyle@maverick.erenj.com, from kamran/kamran@orchard.la.locus.com); Wed, 5 Apr 95 15:53:47 -0700 Received: from sheytoon.la.locus.com by troy.la.locus.com (AIX 3.2/UCB 5.64/4.03) id AA37862; Wed, 5 Apr 1995 15:56:15 -0700 Date: Wed, 5 Apr 1995 15:56:15 -0700 Message-Id: <9504052256.AA37862@troy.la.locus.com> X-Sender: kamran@troy.la.locus.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: "Bryan D. Boyle" From: kamran@locus.com (Kamran Pechrak) Subject: Re: Firewall-1 on HP Cc: firewalls@greatcircle.com X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 12:51 PM 4/5/95 -0400, Bryan D. Boyle wrote: >On Apr 5, 9:07am, jeff wong wrote: >> Subject: Firewall-1 on HP >> Hi there, >> Does anybody know whether Firewall-1 is on HP. I know it's currently >> available on Sun? > >only on sun. >-- >Bryan D. Boyle |The Moving Finger writes,and having writ, moves on. >#include |Nor all your Piety nor Wit can call it back to cancel >EMAIL: bdboyle@erenj.com |Half a line, or all your tears wash out a Word of it. >--------------http://www.access.digex.net/~bdboyle/index.html--------------- I believe it is also available on RS-6000. ***************** signature, the following 4 lines ****************** Kamran Pechrak Locus Computing Corporation PMTS/Network Manager 9800 S. La Cienega Blvd. 
Email: kamran@locus.com Inglewood, CA 90301 Phone: (310)337-5044 Fax: (310)670-2980 From firewalls-owner Wed Apr 5 16:53:32 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA15161 for firewalls-outgoing; Wed, 5 Apr 1995 16:02:47 -0700 Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA15156 for ; Wed, 5 Apr 1995 16:02:43 -0700 Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA18568; Wed, 5 Apr 95 19:01:25 -0500 From: paul@hawksbill.sprintmrn.com (Paul Ferguson) Message-Id: <9504060001.AA18568@hawksbill.sprintmrn.com> Subject: Re: I had a look at SATAN... To: droelke@spirit.aud.alcatel.com (Daniel R. Oelke) Date: Wed, 5 Apr 1995 19:01:24 -0500 (EST) Cc: danisch@ira.uka.de, cypherpunks@toad.com, firewalls@greatcircle.com (Firewalls List) In-Reply-To: <9504052059.AA04313@spirit.aud.alcatel.com> from "Daniel R. Oelke" at Apr 5, 95 03:59:19 pm X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 3163 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I like the name, but I like the PostScript 'Satan Inside' and the Full Length Artwork sketch provided in the .tar file even better. I dinked with it for a while earlier this afternoon. No big hairy deal. I would tend to agree with you; the underlying mechanisms in Satan are old news. ISS (at least the freely available version) performs equally in scope, with a less 'user-friendly' motif. The implications are obvious; anyone with a modicum of experience could easily insert their [your choice of phraseology here] and act upon vulnerabilities found with Satan. Call it 'Son of Satan'. All in all, no news here. - paul > > > The big hoopla is mostly because it is a nice tool and framework > with a good front end. WWW was around long before Mosaic. Yet, > it didn't take off until Mosaic came out. 
Security testing > scripts have been around (mostly in hacker hands) for a long > time. I hope that such testing now takes off and > flourishes under Satan. > > Other than being a good tool - it is also one of the first times > that anyone has released a freely available comprehensive > security testing tool. Testing security is something people > tend to get scared of. Information about security is "bad" > according to many who would rather have security lie in FUD. > > Of course the name of the tool doesn't hurt it. Such a name > makes for a *great* sound bite in the media. (Good for > raising the ire of the Christian right too! :-) > > > It is a nice tool, and the graphical interface (a perl5 program that uses > > html and Mosaic as an interactive user interface) is very clever. > > > > But at the moment there is nothing really new about Security in > > Satan. It's just a nice way to handle and apply methods to check already > > known vulnerabilities. (where some methods still need to be improved, > > e.g. rsh.satan) > > > > Of course, it is a wonderful idea to make such a tool. I am sure it > > will become (became?) a standard. Security holes will no longer be > > reported as a report only, but as a Satan method also. This would be very > > helpful. > > > > The only thing I don't understand is why there was so much noise and > > rumour about it. It was praised so much (as far as I know it was on > > TV in America, wasn't it?), that some people expected all networks and > > hosts to be cracked at release time of SATAN. > > > > I like SATAN very much, and it makes life more comfortable (and > > networks more secure because people do check it more with SATAN than > > without SATAN), but from the view of security there is nothing new > > yet. > > > > I am sure that it will get bigger and stronger in future, when the > > test methods get more and better. Hope that people will put their > > knowledge about security holes in scripts to be used by satan.
> > > _______________________________________________________________________________ Paul Ferguson US Sprint tel: 703.689.6828 Managed Network Engineering internet: paul@hawk.sprintmrn.com Reston, Virginia USA http://www.sprintmrn.com From firewalls-owner Wed Apr 5 18:20:43 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA18045 for firewalls-outgoing; Wed, 5 Apr 1995 18:13:59 -0700 Received: from gatekeeper.nytimes.com (gatekeeper.nytimes.com [199.181.175.201]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA18038 for ; Wed, 5 Apr 1995 18:13:56 -0700 Received: from mailgate.nytimes.com by gatekeeper.nytimes.com; (5.65/1.1.8.2/30Mar95-0352PM) id AA29556; Wed, 5 Apr 1995 21:13:14 -0400 Received: from [191.254.22.8] by mailgate.nytimes.com; (5.65/1.1.8.2/25Jul94-1134AM) id AA14179; Wed, 5 Apr 1995 21:13:02 -0400 Date: Wed, 5 Apr 1995 21:13:02 -0400 Message-Id: <9504060113.AA14179@mailgate.nytimes.com> X-Sender: jon@mailgate.nytimes.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls-digest@greatcircle.com From: jon@nytimes.com (Jon E. Price) Subject: http proxy on firewall Cc: baim@itg.viacom.com, stan@nytimes.com, gordy@nytimes.com, dgbrown@nytimes.com, theresa@nytimes.com X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Why is running the http proxy "on" the firewall "not recommended"? Jon >From: "Bai, Mario" >Date: Wed, 05 Apr 95 15:11:00 PDT >Subject: FW: Proxy WWW through firewall >Put the proxy *behind* the firewall, point the clients to it and >proxy over >the firewall (using something like socks) .... or *not recommended* >run the >proxy on the firewall, and point the clients to it. Why did you >decide to >put the proxy outside the firewall? --------------------------------------------------------------- "Beware of bargains in bypass surgery, bungee jumping, and quality printing" Jon E.
Price Systems Analyst Publishing Systems The New York Times --------------------------------------------------------------- From firewalls-owner Wed Apr 5 19:20:42 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA18841 for firewalls-outgoing; Wed, 5 Apr 1995 19:09:30 -0700 Received: from dg02sg.mcimail.com (dg02sg.mcimail.com [192.147.45.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id TAA18836 for ; Wed, 5 Apr 1995 19:09:24 -0700 Received: from mailgate.mcimail.com (mailgate.mcimail.com [166.38.40.3]) by dg02sg.mcimail.com (8.6.10/8.6.10) with SMTP id CAA27620 for ; Thu, 6 Apr 1995 02:08:45 GMT Received: from mcimail.com by mailgate.mcimail.com id ag13603; 6 Apr 95 2:03 WET Date: Wed, 5 Apr 95 21:04 EST From: Emily Cohen To: Firewalls Subject: How to reach CheckPoint Software Message-Id: <31950406020413/0005853726NA3EM@MCIMAIL.COM> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk CheckPoint's phone number is 800-429-4391 or you can email info@checkpoint.com. From firewalls-owner Wed Apr 5 19:36:25 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA18929 for firewalls-outgoing; Wed, 5 Apr 1995 19:17:17 -0700 Received: from erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id TAA18923 for ; Wed, 5 Apr 1995 19:17:14 -0700 Posted-Date: Wed, 5 Apr 1995 22:16:00 -0400 (EDT) Date: Wed, 5 Apr 1995 22:16:00 -0400 (EDT) From: "Bryan D. Boyle" Subject: Re: http proxy on firewall To: "Jon E. Price" Cc: firewalls-digest@greatcircle.com, baim@itg.viacom.com, stan@nytimes.com, gordy@nytimes.com, dgbrown@nytimes.com, theresa@nytimes.com In-Reply-To: <9504060113.AA14179@mailgate.nytimes.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Why not run the proxy on the wall? 
1) most proxies have holes large enough for your delivery trucks to drive through in terms of access privs, etc. etc. Do you want large, monolithic programs running on the firewall? No.
2) processor gets eaten up by the proxy server. big, complex program = big, complex CPU usage.
3) firewall is a choke point, not a common access point. One is providing a service, the other security. Compartmentalization means that weaknesses in one will have a minimal impact on the other.
4) You don't have to run the server on the wall. It supports socks. Socks was designed to run on a firewall and provide the requisite service (security, address masking, validation, etc.). Proxy servers were designed to serve documents.
5) Configuration, based on changes in your network, of the proxy means that the system should be easily accessible to make those changes. A firewall should not be changed at the same rate or for the same trivial reasons.
6) It is easier.
(want more?) Bryan D. Boyle |The Moving Finger writes, and having writ, moves on. #include |Nor all your Piety nor Wit can call it back to cancel EMAIL: bdboyle@erenj.com |Half a line, or all your tears wash out a Word of it. --------------http://www.access.digex.net/~bdboyle/index.html--------------- On Wed, 5 Apr 1995, Jon E. Price wrote: > > Why is running the http proxy "on" the firewall "not recommended"? > > Jon > > > >From: "Bai, Mario" > >Date: Wed, 05 Apr 95 15:11:00 PDT > >Subject: FW: Proxy WWW through firewall > > >Put the proxy *behind* the firewall, point the clients to it and >proxy over > >the firewall (using something like socks) .... or *not recommended* >run the > >proxy on the firewall, and point the clients to it. Why did you >decide to > >put the proxy outside the firewall? > > --------------------------------------------------------------- > "Beware of bargains in bypass surgery, bungee jumping, and quality printing" > > Jon E.
Price > Systems Analyst > Publishing Systems > The New York Times > --------------------------------------------------------------- > >
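Howard Berkowitz's RFC1597 remarks and Bryan Boyle's fourth point meet in practice at the SOCKS relay on the wall: that relay is where a connection from unregistered inside addresses gets validated before it is re-originated from the firewall's registered address. The block below is an added example, not code from either poster, from the SOCKS distribution or from any product named in the thread. It reads an address the classful way (A/B/C from the first octet) and checks it against the three RFC1597 blocks (10/8, 172.16/12, 192.168/16), then encodes and parses a SOCKS4 CONNECT request and decides whether to grant it. The policy is my assumption: the client must come from RFC1597 space, the destination must not (no relaying back inside), and the destination port must be one of the services Stephen Williams lists (ftp, gopher, http, wais). The addresses in the test are documentation/test-net addresses, constructed for the example.

```python
import ipaddress
import struct

# RFC 1597 private blocks: one class A, sixteen class Bs, 256 class Cs.
RFC1597_BLOCKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def classful_class(addr):
    """Classful network class from the first octet."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    return "D" if first < 240 else "E"


def is_rfc1597(addr):
    """True if addr falls in any RFC 1597 unregistered block."""
    a = ipaddress.IPv4Address(addr)
    return any(a in block for block in RFC1597_BLOCKS)


# SOCKS4 CONNECT request: VN=4, CD=1, DSTPORT (2), DSTIP (4), USERID, NUL.
# SOCKS4 reply: VN=0, CD=90 granted or 91 rejected, DSTPORT, DSTIP.
SOCKS4_VN, SOCKS4_CONNECT = 4, 1
REPLY_GRANTED, REPLY_REJECTED = 90, 91


def build_connect_request(dst_ip, dst_port, userid):
    head = struct.pack("!BBH4s", SOCKS4_VN, SOCKS4_CONNECT, dst_port,
                       ipaddress.IPv4Address(dst_ip).packed)
    return head + userid.encode("ascii") + b"\x00"


def parse_connect_request(data):
    """Return (dst_ip, dst_port, userid) or raise ValueError on a bad request."""
    if len(data) < 9 or data[0] != SOCKS4_VN or data[1] != SOCKS4_CONNECT:
        raise ValueError("not a SOCKS4 CONNECT request")
    dst_port, = struct.unpack("!H", data[2:4])
    dst_ip = str(ipaddress.IPv4Address(data[4:8]))
    nul = data.find(b"\x00", 8)
    if nul < 0:
        raise ValueError("USERID not NUL-terminated")
    return dst_ip, dst_port, data[8:nul].decode("ascii", "replace")


# Assumed relay policy: outbound only, from inside addresses, to a few services.
ALLOWED_PORTS = {21, 70, 80, 210}  # ftp, gopher, http, wais


def decide(client_ip, request):
    """Apply the policy to one CONNECT request from client_ip.
    Returns (granted, reply_bytes). The USERID field is parsed but not
    checked here; a real relay might compare it against identd."""
    dst_ip, dst_port, _userid = parse_connect_request(request)
    granted = (is_rfc1597(client_ip)          # from our unregistered inside
               and not is_rfc1597(dst_ip)     # not hairpinning back inside
               and dst_port in ALLOWED_PORTS)
    code = REPLY_GRANTED if granted else REPLY_REJECTED
    reply = struct.pack("!BBH4s", 0, code, dst_port,
                        ipaddress.IPv4Address(dst_ip).packed)
    return granted, reply
```

The point of keeping the decision in one small function on the wall, separate from the document-serving proxy, is the compartmentalization Boyle describes: the relay knows addresses and ports and nothing about HTML.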
From firewalls-owner Wed Apr 5 20:21:52 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA20414 for firewalls-outgoing; Wed, 5 Apr 1995 20:04:57 -0700 Received: from efn.efn.org (efn.org [198.68.17.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id UAA20409 for ; Wed, 5 Apr 1995 20:04:53 -0700 Received: from haus.efn.org.efn.org by efn.efn.org (4.1/smail2.5/05-07-92) id AA27911; Wed, 5 Apr 95 20:00:12 PDT Received: by haus.efn.org.efn.org (4.1/SMI-4.1) id AA07986; Wed, 5 Apr 95 20:02:40 PDT Date: Wed, 5 Apr 1995 11:42:06 -0700 (PDT) From: "R.S." To: support@efn.org Subject: downloading Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Resent-Date: Wed, 5 Apr 1995 20:02:37 -0700 (PDT) Resent-From: Gary Frazier Resent-To: SLIP dialup account Resent-Message-Id: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi. I have a few questions. 1. I got netscape16-90 (or 96) out on internet. It downloaded fine. Now I found netscape16-100 on efn. I thought that must be better, so I got that. In downloading, 2 errors were found. I used ymodem both times. (the xmodem doesn't work. can you tell me why?) So, what do those 2 errors mean? Are they automatically corrected? Should I toss out the file and try again? How do I know if they matter? 2. What's the difference between the 2 files? How much better is the 100? 3. Do you have something called pkzipfix? How can I get it? 4. I am going to get a slip account. I can't tell what software to download. 5. I just signed up yesterday for the first time for priority access. Then I saw online that first-timers get what is left of their first month for free and the fee goes to the coming month. I hope this applies to me. 6. What happens to my slip when I can't pay my $7?
I know you disable it, but does it go back on when I do pay? Thanks, Raina
From firewalls-owner Wed Apr 5 21:24:34 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA22208 for firewalls-outgoing; Wed, 5 Apr 1995 20:56:13 -0700 Received: from janus.dot.state.az.us (janus.dot.state.az.us [192.133.42.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id UAA22203 for ; Wed, 5 Apr 1995 20:56:09 -0700 Received: by janus.dot.state.az.us (4.1/SMI-4.1) id AA22572; Wed, 5 Apr 95 20:56:25 MST Received: from pserv1.dot.state.az.us(162.59.10.28) by janus.dot.state.az.us via smap (V1.3) id sma022570; Wed Apr 5 20:56:18 1995 Received: by pserv1.dot.state.az.us (5.65c/1.921207) id AA19511; Wed, 5 Apr 1995 20:56:17 -0700 From: tom@pserv1.dot.state.az.us (Tom Brink) Message-Id: <199504060356.AA19511@pserv1.dot.state.az.us> Subject: Re: http proxy on firewall (fwd) To: firewalls%greatcircle.com@janus.dot.state.az.us (Firewalls) Date: Wed, 5 Apr 95 20:56:16 MST Reply-To: tom@pserv1.dot.state.az.us X-Mailer: ELM [version 07.05.00.00 (2.3 PL11)] X-Organization: Arizona Department of Transportation Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Bryan D. Boyle writes: > Date: Wed, 5 Apr 1995 22:16:00 -0400 (EDT) > From: "Bryan D. Boyle" > Subject: Re: http proxy on firewall > To: "Jon E. Price" > > Why not run the proxy on the wall? > > 1) most proxies have holes large enough for your delivery trucks to drive > through in terms of access privs, etc. etc. Do you want large, monolithic > programs running on the firewall? No.
I agree if you are talking about an http proxy such as NCSA's. However, I do believe you can run a http proxy 'safely' if it is of the TIS fwtk variety (small, compact, easy to configure, and best of all, source code). > 2) processor gets eaten up by the proxy server. big, complex program= > big, complex cpu usage. See above. -- Tom Brink tom@dot.state.az.us Technical Support Specialist Technical Research Center Information Services Group Arizona Department of Transportation From firewalls-owner Wed Apr 5 21:35:05 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA21977 for firewalls-outgoing; Wed, 5 Apr 1995 20:49:06 -0700 Received: from efn.efn.org (efn.org [198.68.17.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id UAA21967 for ; Wed, 5 Apr 1995 20:49:03 -0700 Received: from relay4.UU.NET by efn.efn.org (4.1/smail2.5/05-07-92) id AA00655; Wed, 5 Apr 95 20:44:30 PDT Received: from miles.greatcircle.com by relay4.UU.NET with ESMTP id QQykfu21270; Wed, 5 Apr 1995 23:43:26 -0400 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA20128 for firewalls-outgoing; Wed, 5 Apr 1995 19:56:56 -0700 Received: from efn.efn.org (efn.org [198.68.17.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id TAA20117 for ; Wed, 5 Apr 1995 19:56:52 -0700 Received: from relay3.UU.NET by efn.efn.org (4.1/smail2.5/05-07-92) id AA27404; Wed, 5 Apr 95 19:52:27 PDT Received: from miles.greatcircle.com by relay3.UU.NET with ESMTP id QQykfr01786; Wed, 5 Apr 1995 22:53:19 -0400 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA19169 for firewalls-outgoing; Wed, 5 Apr 1995 19:26:52 -0700 Received: from efn.efn.org (efn.org [198.68.17.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id TAA19162 for ; Wed, 5 Apr 1995 19:26:49 -0700 Received: from relay3.UU.NET by efn.efn.org (4.1/smail2.5/05-07-92) id AA25339; Wed, 5 Apr 95 19:22:35 PDT Received: from 
    miles.greatcircle.com by relay3.UU.NET with ESMTP id QQykfp26878; Wed, 5 Apr 1995 22:23:02 -0400
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA18841 for firewalls-outgoing; Wed, 5 Apr 1995 19:09:30 -0700
Received: from dg02sg.mcimail.com (dg02sg.mcimail.com [192.147.45.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id TAA18836 for ; Wed, 5 Apr 1995 19:09:24 -0700
Received: from mailgate.mcimail.com (mailgate.mcimail.com [166.38.40.3]) by dg02sg.mcimail.com (8.6.10/8.6.10) with SMTP id CAA27620 for ; Thu, 6 Apr 1995 02:08:45 GMT
Received: from mcimail.com by mailgate.mcimail.com id ag13603; 6 Apr 95 2:03 WET
Date: Wed, 5 Apr 95 21:04 EST
From: Emily Cohen
To: Firewalls
Subject: How to reach CheckPoint Software
Message-Id: <31950406020413/0005853726NA3EM@MCIMAIL.COM>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

CheckPoint's phone number is 800-429-4391 or you can email info@checkpoint.com.

From firewalls-owner Wed Apr 5 23:29:44 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id WAA02947 for firewalls-outgoing; Wed, 5 Apr 1995 22:20:32 -0700
Received: from efn.efn.org (efn.org [198.68.17.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id WAA02939 for ; Wed, 5 Apr 1995 22:20:28 -0700
Received: from relay1.UU.NET by efn.efn.org (4.1/smail2.5/05-07-92) id AA06604; Wed, 5 Apr 95 22:17:54 PDT
Received: from miles.greatcircle.com by relay1.UU.NET with ESMTP id QQykgb12556; Thu, 6 Apr 1995 01:20:15 -0400
Received: (mcb@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id WAA02862; Wed, 5 Apr 1995 22:19:55 -0700
Message-Id: <199504060519.WAA02862@miles.greatcircle.com>
From: mcb@GreatCircle.COM (Michael C. Berch)
Date: Wed, 5 Apr 1995 22:19:55 +0000
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
To: postmaster@efn.org
Subject: Looping mail from Bill Fletcher
Cc: brent@GreatCircle.COM, billf@efn.org
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dear user and/or postmaster:

The address Bill Fletcher is looping mail from the firewalls mailing list back to the list and/or list owner mailbox and has been removed from the list. Please check any automatic redistribution or forwarding for problems before attempting to resubscribe.

Thank you,

--
Michael C.
Berch
Postmaster and List Manager, Great Circle Associates
mcb@greatcircle.com

Example looped message:

> From firewalls-owner Wed Apr 5 20:09:34 1995
> Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA19765 for firewalls-outgoing; Wed, 5 Apr 1995 19:44:36 -0700
> Received: from efn.efn.org (efn.org [198.68.17.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id TAA19760 for ; Wed, 5 Apr 1995 19:44:32 -0700
> Received: from relay3.UU.NET
>         by efn.efn.org (4.1/smail2.5/05-07-92)
>         id AA26523; Wed, 5 Apr 95 19:38:34 PDT
> Received: from miles.greatcircle.com by relay3.UU.NET with ESMTP
>         id QQykfq29418; Wed, 5 Apr 1995 22:38:52 -0400
> Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA18929 for firewalls-outgoing; Wed, 5 Apr 1995 19:17:17 -0700
> Received: from erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id TAA18923 for ; Wed, 5 Apr 1995 19:17:14 -0700
> Posted-Date: Wed, 5 Apr 1995 22:16:00 -0400 (EDT)
> Date: Wed, 5 Apr 1995 22:16:00 -0400 (EDT)
> From: "Bryan D. Boyle"
> Subject: Re: http proxy on firewall
> To: "Jon E. Price"
> Cc: firewalls-digest@greatcircle.com, baim@itg.viacom.com, stan@nytimes.com,
>         gordy@nytimes.com, dgbrown@nytimes.com, theresa@nytimes.com
> In-Reply-To: <9504060113.AA14179@mailgate.nytimes.com>
> Message-Id:
> Mime-Version: 1.0
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> Sender: firewalls-owner@GreatCircle.COM
> Precedence: bulk
>
> [message body omitted]

From firewalls-owner Wed Apr 5 23:46:41 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id WAA04903 for firewalls-outgoing; Wed, 5 Apr 1995 22:46:47 -0700
Received: from www (wwcd.com [204.91.89.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id WAA04893 for ; Wed, 5 Apr 1995 22:46:40 -0700
Received: by www (5.x/SMI-SVR4) id AA12506; Thu, 6 Apr 1995 01:42:38 -0700
Date: Thu, 6 Apr 1995 01:42:38 -0700
From: exceed@wwcd.com (exceed)
Message-Id: <9504060842.AA12506@www>
To: firewalls@greatcircle.com
Subject: tcp_wrappers_7.2 -error
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello

After downloading and tar'ing the tcp_wrappers_7.2, when trying to "make sunos5"
we are receiving error code 1

    Fatal error failed for config-check
    also error code 1 failed for target sunos5

same thing goes for any make ???? we have tried....

running x windows into a sun NETRA w/ solaris 5.4

any help appreciated............

gary

From firewalls-owner Thu Apr 6 00:40:04 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA15610 for firewalls-outgoing; Thu, 6 Apr 1995 00:30:10 -0700
Received: from databus.databus.com (databus.databus.com [198.186.154.34]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id AAA14046 for ; Thu, 6 Apr 1995 00:19:10 -0700
Date: Thu, 6 Apr 95 03:19 EDT
Message-ID: <9504060319.AA24257@databus.databus.com>
From: Barney Wolff
To: exceed@wwcd.com (exceed), firewalls@greatcircle.com
Subject: Re: tcp_wrappers_7.2 -error
Content-Length: 248
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: Thu, 6 Apr 1995 01:42:38 -0700
> From: exceed@wwcd.com (exceed)
> failed for target sunos5
>
> running x windows into a sun NETRA w/ solaris 5.4

Stupid question:  Are you sure you have a C compiler?

Barney Wolff

From firewalls-owner Thu Apr 6 00:58:10 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA15753 for firewalls-outgoing; Thu, 6 Apr 1995 00:48:35 -0700
Received: from netcomsv.netcom.com (uucp6.netcom.com [163.179.3.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id AAA15687 for ; Thu, 6 Apr 1995 00:39:44 -0700
Received: by netcomsv.netcom.com with UUCP (8.6.9/SMI-4.1) id AAA16951; Thu, 6 Apr 1995 00:29:55 -0700
Received: from enigma.lat.com by lat.com (4.1/SMI-4.1/LAT.COM-950317-1) id AA00588; Thu, 6 Apr 95 00:12:49 PDT
Received: by enigma.lat.com (4.1/SMI-4.1) id AA15600; Thu, 6 Apr 95 00:12:47 PDT
Date: Thu, 6 Apr 95 00:12:47 PDT
From: baldwin@lat.com (Bob Baldwin)
Organization: Los Altos Technologies, Inc.
Message-Id: <9504060712.AA15600@enigma.lat.com>
To: Firewalls@GreatCircle.COM
Subject: Announcing GABRIEL - Free SATAN Detector
Cc: baldwin@lat.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Los Altos Technologies, Inc. has released Gabriel, a free SATAN detector. Gabriel gives the system administrator an early warning of a possible network intrusion by detecting and identifying unauthorized network probing. Gabriel is complete and ready to run software that does not require Perl or any other public domain programs.

Gabriel's highlights:

    Ready to run for Sun Solaris1 and Solaris2 operating systems.
    Full source included. Perl IS NOT required.
    Test script included to simplify evaluation of Gabriel.
    Built-in mechanism to send real-time alerts via pager, phone call, email, or online displays.

Gabriel comes with:

    gabriel_client          - Reports to gabriel_server excessive probing of any host on its network segment.
    gabriel_server          - Gathers data from clients and notifies administrator via email, pager, etc.
    install_gabriel_clients - Single script to install and start client monitor programs network-wide.
    install_gabriel_server  - Installs the server program.

    -----------------------------------------
    | Via the World Wide Web:               |
    |   http://www.lat.com                  |
    |   ftp://ftp.best.com/pub/lat          |
    |                                       |
    | Via FTP:                              |
    |   ftp.lat.com                         |
    -----------------------------------------

To join the Gabriel mailing list: Send mail to "Majordomo@lat.com" with the command "subscribe gabriel" in the body of the email message.

WHAT IS GABRIEL?

As a public service, Los Altos Technologies, Inc., a provider of Unix security software, has developed and released a free SATAN detector called Gabriel(tm). Gabriel gives the system administrator an early warning of possible network intrusions by detecting and identifying SATAN's network probing. Gabriel is a complete and ready to run package that DOES NOT require Perl or any other software or libraries.

HOW MUCH DOES IT COST?

We are providing Gabriel at no charge to our customers or anyone else who wishes to use it, subject to the terms explained in the COPYRIGHT file.

WHY DID LOS ALTOS TECHNOLOGIES CREATE GABRIEL?

We are deeply concerned with network security and the possible negative effects of SATAN and other network probing software. By combining SATAN with Gabriel, a system administrator can get all the benefits of running authorized SATAN scans without the risks of unauthorized and undetected network probing.

HOW IS IT SUPPORTED? HOW DO I JOIN THE MAILING LIST?

It is expected that future updates, enhancements and revisions will come from the users' group. To subscribe to the users' group mailing list, send a message to "majordomo@lat.com" with any subject line, and inside the body of the message include the line "subscribe gabriel".

WHERE IS THE LATEST VERSION?

You can get the latest version via World Wide Web or ftp.

    http://www.lat.com
    ftp://ftp.best.com/pub/lat

HOW DO I MAKE GABRIEL FROM SOURCE CODE?

Gabriel includes pre-compiled binaries for Solaris 1.x and Solaris 2.x, so you do not need to build it from source. If you wish to compile it execute "make all" and follow the directions.

HOW DO I INSTALL AND EVALUATE GABRIEL?

Follow the directions in the manual page, gabriel.8. You can print this file using "troff -man -t gabriel.8 | lpr -t", or just look at gabriel.txt. Basically, you just run the server install script, and then the client install script.

======================================================================
Los Altos Technologies, Inc.        2111 Grant Rd, Los Altos, CA 94024
Phone: 415/988-4848    Fax: 415/988-4860    Email: info@lat.com

From firewalls-owner Thu Apr 6 01:29:41 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA17204 for firewalls-outgoing; Thu, 6 Apr 1995 01:22:00 -0700
Received: from opine.cs.umass.edu (opine.cs.umass.edu [128.119.41.246]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id BAA17199 for ; Thu, 6 Apr 1995 01:21:57 -0700
Received: (from lmccarth@localhost) by opine.cs.umass.edu (8.6.11/8.6.9) id EAA27860 for Firewalls@GreatCircle.COM; Thu, 6 Apr 1995 04:22:13 -0400
From: "L. McCarthy"
McCarthy" Message-Id: <199504060822.EAA27860@opine.cs.umass.edu> Subject: S*T*N Questions -> Elsewhere To: Firewalls@GreatCircle.COM Date: Thu, 6 Apr 1995 04:22:13 -0500 (EDT) In-Reply-To: <199504060358.UAA22283@miles.greatcircle.com> from "firewalls-digest-owner@GreatCircle.COM" at Apr 5, 95 08:58:07 pm X-Mailer: ELM [version 2.4 PL22] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 945 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk [attribution deliberately misplaced] writes: > Date: Wed, 5 Apr 1995 17:15:10 -0400 > Subject: SATAN on Solaris [...] > I get a lot of timeout errors. So far, it seems pretty useless to me. > Anyone have an idea why it's not working? I read the digest format, so this may be a bit redundant. Since it's about 4:13am EDT right now, there probably hasn't been much traffic since the last digest. Anyway, I just want to suggest that technical support questions about S*T*N not be discussed on the firewalls list. Someone should set up a separate mailing list for this, and probably already has. (I can't get through to www.fish.com at all right now to look for info -- surprise surprise.) Of course there are also various other lists, newsgroups, etc. where this *would* be appropriate. -L. Futplex McCarthy Let's start balancing the budget by saving the $500M [PGP key available] allocated to make the U.S. phone network wiretap-ready ! 
From firewalls-owner Thu Apr 6 01:56:18 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA16431 for firewalls-outgoing; Thu, 6 Apr 1995 01:11:13 -0700
Received: from relay.hp.com (relay.hp.com [15.255.152.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id BAA16426 for ; Thu, 6 Apr 1995 01:11:11 -0700
Received: from hpbbi30.bbn.hp.com by relay.hp.com with ESMTP (1.37.109.15/15.5+ECS 3.3) id AA110035885; Thu, 6 Apr 1995 01:11:27 -0700
Received: from isoit095.bbn.hp.com by hpbbi30.bbn.hp.com with SMTP (1.37.109.15/15.5+ISO 3.3.3) id AA241045882; Thu, 6 Apr 1995 10:11:22 +0200
Message-Id: <199504060811.AA241045882@hpbbi30.bbn.hp.com>
To: Firewalls@GreatCircle.COM
Subject: Re: FW: Proxy WWW through firewall
Date: Thu, 06 Apr 95 10:11:22 +0200
From: "Yan Fa LI"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: sdw@lig.net (Stephen D. Williams)
> Date: Wed, 5 Apr 1995 17:08:29 +0000 (GMT)
> Subject: Re: FW: Proxy WWW through firewall
>
> > Put the proxy *behind* the firewall, point the clients to it and proxy over
> > the firewall (using something like socks) .... or *not recommended* run the
> > proxy on the firewall, and point the clients to it. Why did you decide to
> > put the proxy outside the firewall?
>
> I disagree. The proxy should go outside the firewall: Cern reached
> with a simple app gateway or via a bastion allowed IP address works
> just fine. I don't want to use socks or a whole bunch of other
> proxies for wais, gopher, http, ftp, etc.
>
> sdw
> - --

Well, I'll have to disagree with you here as WWW proxies can provide all these services through one interface with locally manageable access control lists, cascaded proxy setups and control over which services are allowed and which are not. For the users a big win I think, one interface and all that blah blah.

With the proxy behind the firewall you also present only 1 IP address to the world, that of your socks proxy host. The WWW proxy is also not directly accessible from the outside world, hopefully circumventing some potential problems with the server. What's to stop somebody cracking your external proxy host and then putting a less than benign proxy host on it?

Means you also have to configure your choke IP filter with all the hosts who want access to the proxy, if I've correctly understood your argument. Forgive me if I haven't. But with a site in the 5 figure range, I'm not sure I'd willingly do that.

Of course you are still vulnerable to cgi-script attacks :) and the ubiquitous Trojan or Virus attack, but then it's never been that easy ;)

Sincerely,

Yan
___________________________________________________________________
Yan-Fa LI (CNS-BBN CSS)
Hewlett-Packard GmbH
Herrenberger Strasse 130
D-71034 Boeblingen
Germany
Phone: +49 - 7031 14 1412
Fax: +49 - 7031-14 1554
Telnet: 778 - 1412
Email: yanfali@hpbbi30.bbn.hp.com
       Yan-Fa_Li@HP-Germany-om1.om.hp.com

My views do not necessarily represent those of the Hewlett Packard Company and should be taken with a large dose of salt or whatever passes for sodium in your neck of the woods/universe/continuum/etc...
From firewalls-owner Thu Apr 6 02:00:57 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA18125 for firewalls-outgoing; Thu, 6 Apr 1995 01:47:44 -0700
Received: from gateway.toploguk.co.uk (gateway.toploguk.co.uk [193.119.169.250]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id BAA18119 for ; Thu, 6 Apr 1995 01:47:37 -0700
From: Paul Crossley
To: cxh@mba.com
Subject: pc running SCO Open Server Network as firewall
Cc: firewalls@greatcircle.com
X-Mailer: ScoMail 1.0
Date: Thu, 6 Apr 1995 9:36:02 +0100 (BST)
Message-ID: <9504060936.aa29351@gateway.toploguk.co.uk>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From relay3.uu.net!greatcircle.com!firewalls-owner Wed Apr 5 23:54:56 1995
>
> We are trying to set up a firewall pc running SCO Open Server Network.
> While we are waiting for our manuals to come in, does somebody know
> how to disable ip-forwarding in SCO?

When you add your second ip interface through "netconfig" you will be asked whether you wish to set the system up as a gateway - If you say yes then IPFORWARDING will be turned on.

To turn it off again change to the directory /etc/conf/cf.d and edit the file "stune" - set the value of IPFORWARDING to 0 and then re-build the kernel with ./link_unix

-------------------------------------------------------------------------
Paul Crossley (paul@toploguk.co.uk)
Senior Consultant                           SCO ACE
TopLog Limited
TopLog House, Knaves Beech Business Centre, Loudwater, Bucks. HP10 9QY
Phone (01628) 819444   Fax (01628) 819356
-------------------------------------------------------------------------

From firewalls-owner Thu Apr 6 02:26:11 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA18161 for firewalls-outgoing; Thu, 6 Apr 1995 01:48:55 -0700
Received: from eros.britain.eu.net (eros.Britain.EU.net [192.91.199.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id BAA18142 for ; Thu, 6 Apr 1995 01:48:43 -0700
Message-Id: <199504060848.BAA18142@miles.greatcircle.com>
Received: from hyperion.co.uk by eros.britain.eu.net with UUCP id ; Thu, 6 Apr 1995 09:48:35 +0100
Date: 6 Apr 1995 09:13:15 +0100
From: Richard Harris
Subject: Re: Creating a firewall on a
To: Firewalls Mailing list
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Reply to: RE>Creating a firewall on a Ma

"From: Fort McMurray Catholic Schools

I have a Mac WAN with approximately 600 Macintoshes and about 40 zones of ethernet and LocalTalk scattered across the city. I am looking at putting in a dedicated 56K pipe into the internet from the central hub. However, I want to put a firewall up to prevent problems on the internet from invading my network. I have been told that there are products out there which will allow people on my network to then access internet directly without the use of dial up modems at each site. What I need is security. Can anyone out there help me??

Thanks
Richard
______________________________________________
Richard Critchley
Educational Technology Applications Developer
Ed Tech Department
Fort McMurray Catholic Schools, 9809 Main Street, Fort McMurray, Alberta, T9H-1T7 CANADA"

Richard,

I'm not aware of any firewall products that actually run on a Mac. Macs do however make good and inherently secure internet hosts (using MacOS, that is - if you run MachTen or similar, then you get into the same problems as for any unix host). The main things that have been missing for the Mac are a DNS package (now in late alpha) and the ability to handle an arbitrarily large number of simultaneous connections (which should be rectified by Open Transport this summer).

That doesn't actually help you at the moment, so I'd suggest you look at either the use of a unix-based firewall at your central hub (for further info, there are people on this list far better qualified than I to advise you on products and setup) or to do what we've done with our Mac networks and multiple sites, which is to use paired Cisco routers at our central hub to create a DMZ containing our "public" hosts whilst providing secure remote site and central LAN access to the Internet. Setup of the access control lists is non-trivial but, IMHO, provides a secure and flexible means of providing access. We configure our routers via telnet from a Mac.

As for providing access to your remote sites without needing a modem, all I can suggest is that you'll need a separate Switched 56/ISDN line from each site into your hub (in which case it may be easier to provide separate access for each site!). We'll eventually be looking at using a combination of basic and primary rate ISDN to provide multiple channels for remote sites (e.g. basic rate at each site, coming into a primary rate circuit at our hub). By doing it this way, we don't have to go to the expense of a full-time leased line from every remote site.

Hope this helps at least somewhat

Regards,

Richard
_________________________________________________________________________
Richard Harris
Senior Consultant, Hyperion
richard@hyperion.co.uk
Tel: +44 1483 301793   Fax: +44 1483 61657
BRIDGING TECHNOLOGY AND BUSINESS
_________________________________________________________________________

From firewalls-owner Thu Apr 6 04:28:03 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA21576 for firewalls-outgoing; Thu, 6 Apr 1995 04:15:33 -0700
Received: from eros.britain.eu.net (eros.Britain.EU.net [192.91.199.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id EAA21571 for ; Thu, 6 Apr 1995 04:15:09 -0700
From: paul@jtsuk.co.uk
Received: from jtsuk.co.uk by eros.britain.eu.net with UUCP id ; Thu, 6 Apr 1995 12:14:32 +0100
Received: from paul_pc.jtsuk.co.uk by lande.jtsuk.co.uk (4.1) id AA00286; Thu, 6 Apr 95 12:00:33 BST
To: firewalls@greatcircle.com
Subject: PLEASE . . . . . . .
Date: Thu, 6 Apr 95 11:01: 4 GMT
Message-Id: <9504061101.044B4C@paul_pc.jtsuk.co.uk>
Read-Receipt-To: paul@lande.jtsuk.co.uk
X-Mailer: E-Mail 1.6
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Take me off your mailing list. I got 57 mails this a.m.
Thanks

- - - - - - - - - - - - - o O o - - - - - - - - - - - - - -
Paul M Dessoy
JTS Systems London
1 Northumberland Avenue, Trafalgar Square
London WC2N 5BW
paul@jtsuk.co.uk
Voice : 44-(0)171-872-5533
Voice : 44-(0)171-872-5585
Fax   : 44-(0)171-753-2753
- - - - - - - - - - - - - o O o - - - - - - - - - - - - - -

From firewalls-owner Thu Apr 6 05:57:35 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA22835 for firewalls-outgoing; Thu, 6 Apr 1995 05:33:41 -0700
Received: from mozart.eurocontrol.fr (mozart.eurocontrol.fr [147.196.1.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id FAA22822 for ; Thu, 6 Apr 1995 05:33:15 -0700
Message-Id: <199504061233.FAA22822@miles.greatcircle.com>
Received: by mozart.eurocontrol.fr (1.37.109.16/16.2) id AA107671604; Thu, 6 Apr 1995 14:33:24 +0200
From: "HAJJ-CHEHADE.Jamal"
Subject: NFS PROXY
To: firewalls@greatcircle.com
Date: Thu, 6 Apr 95 14:33:24 METDST
Mailer: Elm [revision: 70.85]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is there a product acting as proxy for NFS (or UDP in general)?

Thanks.

From firewalls-owner Thu Apr 6 06:20:14 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA22802 for firewalls-outgoing; Thu, 6 Apr 1995 05:31:00 -0700
Received: from real.com (eagle.real.com [199.97.122.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id FAA22795 for ; Thu, 6 Apr 1995 05:30:56 -0700
Date: Thu, 6 Apr 1995 08:30:02 -0400
From: bret@real.com (Bret McDanel)
Received: by real.com (8.6.8.1/3.2.012693-Realistic Technologies Inc); id IAA04363 for ; Thu, 6 Apr 1995 08:30:02 -0400
Message-Id: <199504061230.IAA04363@real.com>
To: firewalls@greatcircle.com
Subject: Re: SATAN on Solaris
Cc: laurent@Grafnetix.Qc.CA
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Hi,
>
> Does this thing work on Solaris or not? I'm running Solaris 2.4 with
> NIS+ and I get the following message when I try to do a normal probe:
>
> rpcinfo: can't contact portmapper: RPC: Rpcbind failure - RPC: Failed
> (unspecified error)
>
> I get a lot of timeout errors. So far, it seems pretty useless to me.
> Anyone have an idea why it's not working?
>
> I also get a
>
> showmount: RPC: Procedure unavailable
>

As I understand NIS+, it uses secure RPC calls, as well as some encryption.. If SATAN isn't trying to do the same, it won't be able to interface with the portmapper and get a valid result.. Of course I am new to NIS+ (only went over it 1 day in a Slowaris SA class, and haven't used it since), so I could be mistaken..

From firewalls-owner Thu Apr 6 06:31:17 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA22893 for firewalls-outgoing; Thu, 6 Apr 1995 05:39:32 -0700
Received: from earth.eng.vantageware.com (earth.eng.vantageware.com [198.160.145.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA22888 for ; Thu, 6 Apr 1995 05:39:26 -0700
Received: from io_dialin0.eng.vantageware.com by earth.eng.vantageware.com (AIX 3.2/UCB 5.64/4.03) id AA29155; Thu, 6 Apr 1995 05:42:39 -0700
Date: Thu, 6 Apr 95 05:39:56 PDT
From: Ron A Lindsay
Subject: RE: Telebit NetBlazer ST Set As Internet Firewall
To: firewalls@greatcircle.com, Ruiyuan_Jiang/Advantage_KBS_at_LotusXchg@njcorp.akbs.com
X-Mailer: Chameleon - TCP/IP for Windows by NetManage, Inc.
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Use the filter permit commands e.g.

    ip filter permit {IP addr of your mail host/32} {interface} dest in tcp 20 21 70 80 >1023
    ip filter permit {your IP range/subnet bits} {interface} dest in tcp >1023

Be sure to leave the '>1023' port range so SMTP can get a backchannel for outgoing mail.

To block IP spoofing:

    ip filter add {your IP range/subnet bits} {interface} source in deny

You can subscribe to the NetBlazer forum at NETBLAZER-USERS-REQUEST@TELEBIT.COM. V3.0 is planned to be released this month.

---------------Original Message---------------
Hello, All

We have a Telebit NetBlazer ST router. I don't know whether it can be setup as an internet firewall or not. I talked to Telebit tech support and they told me that it can be setup as an internet firewall. Does anybody know how to set it up? I know a lot of discussion and some article are talking about Livingston firewall 211 but we already have Telebit. To save the money, we try to use Telebit.

Thanks in advance.

Ruiyuan Jiang
ADVANTAGE kbs
rjiang@akbs.com
----------End of Original Message----------

----------------------------------------------------------------------
E-mail: ronl@vantageware.com (Ron A Lindsay)
Date: 04/06/95
Time: 05:39:56
----------------------------------------------------------------------

From firewalls-owner Thu Apr 6 06:49:29 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA23637 for firewalls-outgoing; Thu, 6 Apr 1995 06:15:05 -0700
Received: from netcom23.netcom.com (netcom23.netcom.com [192.100.81.137]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA23632 for ; Thu, 6 Apr 1995 06:15:02 -0700
Received: from omix by netcom23.netcom.com (8.6.11/Netcom) id GAA22543; Thu, 6 Apr 1995 06:12:36 -0700
Received: from ppp8.omix.com by omix (5.0/SMI-SVR4) id AB28921; Thu, 6 Apr 1995 06:18:10 +0800
Message-Id: <9504061318.AB28921@omix>
Date: Thu, 6 Apr 1995 06:21:47 -0700
To: Firewalls@GreatCircle.COM
From: mkriss@gi.net (Mark Kriss)
X-Sender: mkriss@omix.omix.com (Unverified)
Subject: Re: TIS source
content-length: 1264
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>From: Phil Field
>Date: Tue, 04 Apr 95 16:30:50 CDT
>Subject: TIS and Firewall one #'s
>
>To All,
>
> Does anybody have the address or phone numbers of two
>firewall vendors TIS and Firewall ?
>
>Thank you for your support,
>
>______________________________________________________________
>Phillip Field         | Children's Memorial Medical Center
>Network Administrator | 2300 Children's Plaza, Mailstop 56
>Email: pfield@nwu.edu | Chicago, Illinois 60614
>FAX: 312-880-3280     |
>Voice: 312-880-6335   |
>_______________________________________________________________
>

Mr. Field,

MIDnet, the leading Internet service provider in the midwest, is the midwestern distributor of TIS's Gauntlet firewall. MIDnet provides full installation, consulting and post-install support of the firewall (in addition to Internet connectivity services). For further information, please contact Mary McLaughlin, MIDnet's Chicago-based manager, at 708-386-7758.

--mark kriss

Mark R. Kriss
Global Internet * 3145 Porter Dr. * Palo Alto, CA 94304
Phone: 415-855-1700 * Fax: 415-855-1715 * mkriss@gi.net

From firewalls-owner Thu Apr 6 07:03:37 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA25049 for firewalls-outgoing; Thu, 6 Apr 1995 06:52:34 -0700
Received: from EMXCABQ (emxcabq.cabq.gov [143.120.99.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA25038 for ; Thu, 6 Apr 1995 06:52:29 -0700
X400-Received: by mta EMXCABQ in /PRMD=CABQ/ADMD=TELEMAIL/C=US/; Relayed; Thu, 6 Apr 1995 07:45:05 -0600
X400-Received: by mta isdaix.cabq.gov in /PRMD=CABQ/ADMD=TELEMAIL/C=US/; Relayed; Thu, 6 Apr 1995 07:52:25 -0600
X400-Received: by /PRMD=CABQ/ADMD=TELEMAIL/C=US/; Relayed; Thu, 6 Apr 1995 07:52:25 -0600
Date: Thu, 6 Apr 1995 07:52:25 -0600
X400-Originator: stark@cabq.gov
X400-Recipients: firewalls@GreatCircle.com
X400-MTS-Identifier: [/PRMD=CABQ/ADMD=TELEMAIL/C=US/;0000700001042915000002]
X400-Content-Type: P2-1988 (22)
Content-Identifier: Re: GABRIEL
From: " (K. Lee Stark)"
Message-ID: <9504061352.AA18509@isdaix.cabq.gov>
To: fw-list
Cc: stark
Subject: Re: GABRIEL
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I can't seem to hit any of the sites listed in this announcement; is this an April Fool's joke, or is somebody just not ready?!

L

=============================================================================
Lee Stark, Systems Admin     | +1 505 768 2978     | "If you're not in
City of Albuquerque ISD      | +1 505 768 4615 fax | the loop, it can't
One Civic Plaza, NW Rm 2061  | stark@cabq.gov      | be tightened around
Albuquerque, NM 87102-2166   | NIC: [KLS25]        | your neck..."
=============================================================================

From firewalls-owner Thu Apr 6 07:09:08 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA23334 for firewalls-outgoing; Thu, 6 Apr 1995 06:02:24 -0700
Received: from earth.eng.vantageware.com (earth.eng.vantageware.com [198.160.145.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA23329 for ; Thu, 6 Apr 1995 06:02:20 -0700
Received: from io_dialin0.eng.vantageware.com by earth.eng.vantageware.com (AIX 3.2/UCB 5.64/4.03) id AA28397; Thu, 6 Apr 1995 06:05:38 -0700
Date: Thu, 6 Apr 95 06:00:30 PDT
From: Ron A Lindsay
Subject: RE: Outgoing ftp and filters
To: firewalls@greatcircle.com, cisco@spot.colorado.edu, dfci.harvard.edu!ellozy@sam.wal-mart.com
X-Mailer: Chameleon - TCP/IP for Windows by NetManage, Inc.
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I attempted to close TCP ports >1023. I was then unable to receive mail via SMTP. SMTP was unable to get a backchannel to send incoming mail. I was led to believe that the backchannel was dynamically determined and was ALWAYS >1023. Outgoing mail was unaffected.
---------------Original Message---------------
This is an extract from a program on ftp.cisco.com to generate access lists, summarizing the problem with outgoing ftp:

    #
    # Permit TCP connections with port numbers greater than 1024
    # into a very limited set of hosts.  Make sure NO terminal servers
    # are in this list because this allows dangerous access to terminal
    # servers and protocol translators.
    #
    # This is so that people can FTP out of cisco without using pftp
    # (available from ftp.cisco.com).  We now use passive-ftp everywhere
    # and no longer need to permit this.  This is the *ONLY* reason to allow
    # inbound TCP >1023 so don't let anyone give you shit for closing this
    # hole.
    #
    # This is a serious major gaping security hole and should be denied
    # except known secure machines.  The 'established' keyword earlier on
    # handles everything outbound but outbound FTP, so that is the ONLY
    # reason we should allow this.
    #

Passive ftp is available for UNIX computers in source form, but what about its availability on other platforms (Macs and PCs running ftp software tcp/ip)? Also, how widely do the "main" public ftp servers support it?

Thanks.

Mohamed

{original message deleted}

----------------------------------------------------------------------
E-mail: ronl@vantageware.com (Ron A Lindsay)
Date: 04/06/95
----------------------------------------------------------------------

From firewalls-owner Thu Apr 6 07:31:09 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA23406 for firewalls-outgoing; Thu, 6 Apr 1995 06:06:34 -0700
Received: from zcias1.ziff.com (zcias1.ziff.com [140.244.1.69]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA23401 for ; Thu, 6 Apr 1995 06:06:31 -0700
Received: from DN-ARNOR by zcias1.ziff.com (PMDF V4.3-10 #6906) id <01HP0HICT2W000IYOH@zcias1.ziff.com>; Thu, 06 Apr 1995 09:06:10 -0500 (EST)
Received: from arnor.zis.ziff.com by arnor.zis.ziff.com (PMDF V4.3-10 #6906) id <01HP0GKT0SKWEGOYQ4@arnor.zis.ziff.com>; Thu, 06 Apr 1995 09:06:00 -0400 (EDT)
Date: Thu, 06 Apr 1995 08:40:16 -0400 (EDT)
From: "May we be forgiving of our systems' faults..."
Subject: Job position offering - SORRY for the abuse of the list...
To: list-bugtraq:;, list-firewalls:;
Cc: SEAN@zis.ziff.com
Reply-to: marybeth_mcneil@iacnet.com
Message-id: <01HP0HI5CA04EGOYQ4@arnor.zis.ziff.com>
X-Envelope-to: firewalls@greatcircle.com
MIME-version: 1.0
Content-type: MULTIPART/MIXED; BOUNDARY="Boundary (ID PRiQyE3RqYytKSPJOzNi+A)"
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

...however, I recognize the readership to include a lot of the type of people we are looking for to fill a position in our data centre. [No, the newsgroups have yielded no candidates; I would not bother the list if that had worked.]
With that "I know I should not do this, but I had to" out of the way (and bracing for all the justified flames)...we are looking for a UNIX expert, knowledgeable in several incarnations of UNIX (we currently use SunOS 4.1.3, Solaris 2.4, HPUX, Ultrix, OSF/1, Linux and Unixware, just about in that order of importance). We need someone who is used to reading lists like these to keep current on security and OS functionality problems/issues, someone who likes reading source code to figure out problems when all else fails...definitely someone who can give a good answer to the "what happened?" questions when "something" happens.

From setting systems up to ensuring those "somethings" do not happen (again), you will be a primary, focal point for our UNIX support and development efforts. Our shop also offers a great opportunity to be involved in VMS; if you are already familiar with it, all the more fantastic. And we need someone to work closely (50/50) with our systems support group and our Internet and networking technologies group (yes, we are the home of the Ziff-Davis Publishing Web server, and have many other equally exciting projects ready to go online).

If interested, send your resume to:

    Information Access Center
    Ten Presidents Landing
    Medford, MA 02158
    attn' Marybeth McNeil

or electronically to: Marybeth_McNeil@IACNET.COM

Thanks! And, again, sorry for abusing the list!!!

*** STANDARD PR BLURB ***

We are looking for a system administrator with strong knowledge of Unix (HP, SunOS, Solaris), some knowledge of VMS, and a knowledge of TCP/IP and the Internet. This person will be setting up new Unix machines and supporting existing machines, along with all of the associated hardware and layered product software. This person will also help us expand our Internet environment by setting up and configuring WWW servers, implementing security, managing news groups and supporting our mail environment, et cetera. In addition, this position offers the chance to learn about VMS in one of the most exciting DEC shops in the area. Familiarity with Sybase, Oracle, Novell, PCs a plus.

Sean.

+--------------------------------------+---------------------------------------+
| Sean_Gonzalez@iacnet.com             | IAC {Post,Web,FTP,News}master         |
+--------------------------------------+---------------------------------------+
| Information Access Centre            |                                       |
| Ten Presidents Landing               | Ziff-Davis Publishing WWW server      |
| Medford, MA 02155                    | http://www.ziff.com                   |
| 617.393.3252                         |                                       |
+--------------------------------------+---------------------------------------+
L.A.T.R.:  HI Rh+W B 04 Y L W- C++ I+++ T+ A+ E H+ S++ V++ F Q++ P B++ PA++ PL--
ISAAC:     AS W C 07 Y L+++ W+ C-- I+++ T+ A++ E H+ S+++ V++ F- Q++ P++ B- PA++ PL+
SPECKLES:  AS r C 04 X L++ W++ C-- I+++ T+ A- E++ H S+++ V- F- Q++ P+ B PA+ PL+

From firewalls-owner Thu Apr 6 07:35:17 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA25567 for firewalls-outgoing; Thu, 6 Apr 1995 07:05:42 -0700
Received: from chico.rediris.es (chico.rediris.es [130.206.1.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA25557 for ; Thu, 6 Apr 1995 07:05:38 -0700
From: JESUS.PITARQUE@iberdrola.es
X400-Received: by mta relay.rediris.es in /PRMD=iris/ADMD=mensatex/C=es/; Relayed; Thu, 6 Apr 1995 15:39:05 +0200
X400-Received: by /PRMD=IBERDROLA/ADMD=MENSATEX/C=ES/; Relayed; Thu, 6 Apr 1995 22:46:47 +0200
Date: Thu, 6 Apr 1995 22:46:47 +0200
X400-Originator: JESUS.PITARQUE@iberdrola.es
X400-Recipients: Firewalls@GreatCircle.COM
X400-MTS-Identifier: [/PRMD=IBERDROLA/ADMD=MENSATEX/C=ES/;0000yeyggick]
X400-Content-Type: P2-1984 (2)
Content-Identifier: 0000yeyggick
Conversion: Prohibited
Alternate-Recipient: Allowed
Message-ID: <0000yeyggick*/G=JESUS/S=PITARQUE/PRMD=IBERDROLA/ADMD=MENSATEX/C=ES/@MHS>
To: Firewalls@GreatCircle.COM (Receipt Notification Requested) (Non Receipt Notification Requested)
Subject: Eagle Firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We are an Electric Utility from Spain starting the connection of our internal network to Internet. We have seen a lot of information about firewalls and we are evaluating FireWall-1, Gauntlet from TIS and EAGLE from Raptor Systems. The last one seems a good firewall with some enhancements over the others, but we haven't any experience with firewalls and don't know anybody with that experience in Spain.

We need your opinions about Eagle Firewall: is it a true firewall? Does it allow application proxies? How easy is it to set up?...

Jesus Pitarque
Iberdrola S.A.
Bilbao (Spain)

From firewalls-owner Thu Apr 6 07:47:29 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA24984 for firewalls-outgoing; Thu, 6 Apr 1995 06:50:55 -0700
Received: from mx3.smtp.psi.net (mx3.smtp.psi.net [38.145.204.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA24978 for ; Thu, 6 Apr 1995 06:50:52 -0700
Received: from viacom.COM by mx3.smtp.psi.net (8.6.9/SMI-4.1.3-PSI) id JAA11169; Thu, 6 Apr 1995 09:35:37 -0400
Received: from smtpgate.viacom.com by viacom.viacom.COM id aa06794; 6 Apr 95 9:19 EDT
Received: by SMTPGATE.VIACOM.COM with Microsoft Mail id <2F841822@SMTPGATE.VIACOM.COM>; Thu, 06 Apr 95 09:34:42 PDT
From: "Bai, Mario"
To: firewalls
Subject: FW: FW: Proxy WWW through firewall
Date: Thu, 06 Apr 95 09:34:00 PDT
Message-ID: <2F841822@SMTPGATE.VIACOM.COM>
Encoding: 40 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Seems like I'm missing something here. Why have a proxy outside the firewall? What does that gain you? Are you utilizing it as just a cache?
CERN's proxy will proxy all info (ftp, gopher, wais, and http) if you have sockd running on the bastion host.

----------
From: firewalls-owner
To: BAIM; Mario)
Cc: firewalls
Subject: Re: FW: Proxy WWW through firewall
Date: Wednesday, April 05, 1995 5:08PM

> > Put the proxy *behind* the firewall, point the clients to it and proxy over
> > the firewall (using something like socks) .... or *not recommended* run the
> > proxy on the firewall, and point the clients to it. Why did you decide to
> > put the proxy outside the firewall?

I disagree. The proxy should go outside the firewall: Cern reached with a simple app gateway or via a bastion allowed IP address works just fine. I don't want to use socks or a whole bunch of other proxies for wais, gopher, http, ftp, etc.

sdw
--
Stephen D. Williams 25Feb1965 VW,OH (FBI ID) sdw@lig.net http://www.lig.net/sdw
Senior Consultant, Manhattan Feb95- | 513-865-9599 FAX/LIG 513.496.5223 OH Page
OO R&D AI:NN/ES crypto DBMS RPC/CS  | 2464 Rosina Dr., Miamisburg, OH 45342-6430
Firewall/WWW srvrs | ICBM/GPS: 39 38 34N 84 17 12W home, 40 47 00N 73 58 00W wrk
Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.;1Mar95

From firewalls-owner Thu Apr 6 08:02:51 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA25706 for firewalls-outgoing; Thu, 6 Apr 1995 07:09:06 -0700
Received: from clavin.uprc.com (clavin.uprc.com [144.94.68.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA25692 for ; Thu, 6 Apr 1995 07:08:59 -0700
Received: from moon.uprc.com by clavin.uprc.com (4.1/3.2.012693-Union Pacific Resources Company); id AA02429 for firewalls@greatcircle.com; Thu, 6 Apr 95 09:06:45 CDT
Received: by moon.uprc.com (4.1/SMI-4.1) id AA13907; Thu, 6 Apr 95 09:06:43 CDT
Date: Thu, 6 Apr 95 09:06:43 CDT
From: z056716@uprc.com (LaCoursiere J. D. (Jeff))
Message-Id: <9504061406.AA13907@moon.uprc.com>
To: firewalls@greatcircle.com
Subject: Re: FW: Proxy WWW through firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[discussing socks and its inability to recognize the interface a packet arrives on]

> I'd be happy to be convinced that SOCKS is secure or can be made
> secure easily, but I'm not so sure. Maybe adding application
> awareness (for basic protocols, like telnet, ftp, http, etc.)
> might be a good combination.

It is true that it would probably not be a good idea on a simple dual-homed gateway, as it is not interface aware, thus you would be prone to spoofing attacks. I protect my bastion with a filtering router that filters out spoofing attacks before reaching the bastion, so I don't feel this is a threat. We are putting the finishing touches on an interface aware filtering package that will help...

Accepting this, I have yet to hear a valid argument against using SOCKS. I have followed several flame wars about it on the socks and the firewalls lists, but all seemed to die out as misconceptions were solved...

Jeff LaCoursiere
FastLane Communications / Network security/services
mail info@fastlane.net
lacoursj@fastlane.net
FASTLANE Communications! Connecting America to the Internet...
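The anti-spoofing deny in Ron Lindsay's NetBlazer post, the ">1023" permit it leaves open, the Cisco access-list extract's point that `established` covers outbound-initiated traffic and that active-mode FTP is the only reason to admit inbound TCP above 1023, and Jeff's remark above about interface-aware filtering all describe the same stateless filter model. The following is an added example, not code from any poster, from Telebit or from Cisco: a small Python evaluator for inbound rules bound to an interface, with first-match semantics, an implicit deny, port lists such as "25 >1023", and an `established` flag that matches only segments with ACK set. The addresses, interface names and both rule sets are constructed (RFC 5737 documentation ranges), and the function and field names are this example's own.

```python
"""Stateless, interface-aware packet filter evaluator (constructed example,
modelled on the rules discussed in the thread; not vendor code).  First
matching rule wins; anything unmatched is denied."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on, e.g. "ext"
    src: str            # source IPv4 address
    dst: str            # destination IPv4 address
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    iface: str                  # interface the (inbound) rule is bound to
    src: str = "0.0.0.0/0"      # source prefix
    dst: str = "0.0.0.0/0"      # destination prefix
    proto: str = "any"          # "tcp", "udp" or "any"
    dports: str = "any"         # port list such as "20 21 70 80 >1023"
    established: bool = False   # Cisco-style: only TCP segments with ACK set


def port_matches(spec, port):
    """Match a port against a space-separated list such as '25 >1023'."""
    if spec == "any":
        return True
    for tok in spec.split():
        if tok.startswith(">") and port > int(tok[1:]):
            return True
        if tok.isdigit() and port == int(tok):
            return True
    return False


def rule_matches(rule, pkt):
    if rule.iface != pkt.iface:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if not port_matches(rule.dports, pkt.dport):
        return False
    # "established" admits only segments of an existing TCP connection (ACK
    # set); a bare SYN, i.e. a new connection from outside, does not match.
    if rule.established and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True


def filter_packet(rules, pkt):
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"       # implicit deny when nothing matched


# Constructed site (RFC 5737 documentation ranges), not a real network.
INTERNAL = "192.0.2.0/24"
MAILHOST = "192.0.2.25/32"

# Rule set A, in the style of the NetBlazer post: anti-spoofing deny first,
# then SMTP to the mail host, then everything above port 1023.
RULES_HIGH_PORTS = [
    Rule("deny", "ext", src=INTERNAL),
    Rule("permit", "ext", dst=MAILHOST, proto="tcp", dports="25"),
    Rule("permit", "ext", dst=INTERNAL, proto="tcp", dports=">1023"),
]

# Rule set B: return traffic admitted with "established" instead of an open
# door to every high port, as the Cisco extract recommends.
RULES_ESTABLISHED = [
    Rule("deny", "ext", src=INTERNAL),
    Rule("permit", "ext", dst=MAILHOST, proto="tcp", dports="25"),
    Rule("permit", "ext", dst=INTERNAL, proto="tcp", established=True),
]

# Constructed packets, all arriving inbound on the external interface.
SCENARIOS = {
    # an internal address showing up from outside: spoofed
    "spoofed_source": Packet("ext", "192.0.2.77", "192.0.2.25", "tcp", 40000, 25, syn=True),
    # a remote MTA opening a connection to our mail host
    "smtp_inbound": Packet("ext", "203.0.113.9", "192.0.2.25", "tcp", 40000, 25, syn=True),
    # reply segment of a connection our mail host opened to a remote port 25
    "smtp_reply": Packet("ext", "203.0.113.9", "192.0.2.25", "tcp", 25, 35000, ack=True),
    # active-mode FTP: the remote server connects *in* from port 20
    "active_ftp_data": Packet("ext", "203.0.113.21", "192.0.2.50", "tcp", 20, 35001, syn=True),
    # passive-mode FTP: we opened the data connection; this is its reply
    "passive_ftp_data": Packet("ext", "203.0.113.21", "192.0.2.50", "tcp", 50123, 35002, ack=True),
    # an unsolicited inbound connection to a service on a high port (X11)
    "x11_connect": Packet("ext", "203.0.113.66", "192.0.2.50", "tcp", 4444, 6000, syn=True),
}


def evaluate(rules):
    """Verdict of the given rule set for every constructed scenario."""
    return {name: filter_packet(rules, pkt) for name, pkt in SCENARIOS.items()}


if __name__ == "__main__":
    for label, rules in (("high ports", RULES_HIGH_PORTS), ("established", RULES_ESTABLISHED)):
        print(label)
        for name, verdict in evaluate(rules).items():
            print(f"  {name:17s} {verdict}")
```

Running it prints both verdict tables. With rule set A the active-mode FTP data connection and the unsolicited X11 connection are both let in, which is the hole the Cisco extract calls "serious major gaping"; with rule set B only the SMTP and passive-FTP reply segments pass, so active-mode FTP from inside stops working, which is exactly why that site moved to passive FTP. The spoofed packet is dropped under both sets because the source check is tied to the arrival interface and runs before any permit, the property Jeff says a plain dual-homed SOCKS host lacks.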
From firewalls-owner Thu Apr 6 08:14:59 1995
From: "Newcomb, Kelly"
To: "'smtp:firewalls@greatcircle.com'"
Subject: Re: Firewall-1 on HP
Date: Thu, 06 Apr 95 08:02:00 CDT
Message-ID: <2F83E6E7@msmail_gate.tgslc.org>
Encoding: 19 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

----------
>>>> Hi there,
>>>> Does anybody know whether Firewall-1 is on HP. I know it's currently
>>>> available on Sun?

If you have access to a Web browser, check out "http://www.checkpoint.com/". Everything I've seen says Sun only.

Kelly
=====================================================================
Kelly Newcomb                        | P.O. Box 201725
Security/E-mail Administrator        | Austin, TX 78720-1725
Texas Guaranteed Student Loan Corp.  | Voice: (512) 219-4697
* * * * *                            | Fax: (512) 219-4525
Internet: kelly.newcomb@tgslc.org    | Opinions: Mine, not theirs
=====================================================================

From firewalls-owner Thu Apr 6 08:26:48 1995
From: sedayao@argus.intel.com (Jeffrey C. Sedayao)
Message-Id: <9504061411.AA01026@argus.intel.com>
Subject: Re: I had a look at SATAN...
To: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Date: Thu, 6 Apr 95 7:11:10 PDT
Cc: droelke@spirit.aud.alcatel.com, danisch@ira.uka.de, cypherpunks@toad.com, firewalls@greatcircle.com
In-Reply-To: <9504060001.AA18568@hawksbill.sprintmrn.com> from "Paul Ferguson" at Apr 5, 95 07:01:24 pm
X-Mailer: ELM [version 2.4dev PL66]
Mime-Version: 1.0
Content-Type: text
Content-Length: 2149
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I like the name, but I like the PostScript 'Satan Inside' and the
> Full Length Artwork sketch provided in the .tar file even better.
> I dinked with it for a while earlier this afternoon. No big
> hairy deal.
>
> I would tend to agree with you; the underlying mechanisms in Satan
> are old news. ISS (at least the freely available version) performs
> equally in scope, with a less 'user-friendly' motif. The implications
> are obvious; anyone with a modicum of experience could easily insert
> their [your choice of phraseology here] and act upon vulnerabilities
> found with Satan. Call it 'Son of Satan'.
>
> All in all, no news here.

I wouldn't say "no news". Sure, it doesn't check for anything really new. But Dan Farmer did lose his job over it (which is news, at least to Dan!). Actually, that raises a whole set of issues about how much one's outside activities matter to an employer (not germane to firewalls though).

Satan also pointed out problems in certain operating systems and programs. I have seen reports that certain OSF configurations are negatively impacted by Satan and that Satan will crash Netview 3.1.

Also, I like Satan's architecture and potential for slotting in new probes and tests. In the future, I'd like to add in tests for misconfigured proxy agents that let people do the wrong thing (a misconfigured SOCKS or CERN HTTPD proxy could have devastating effects). Also, when run inside of a company, Satan (with proxy testing) could point out where users have created their own Internet gateways and proxies (important as this gets easier and easier to do).

So I agree that there is a lot of hype, but the real news is that Satan is a useful tool.

> - paul

Jeff

[stuff deleted]
> _______________________________________________________________________________
> Paul Ferguson
> US Sprint                      tel: 703.689.6828
> Managed Network Engineering    internet: paul@hawk.sprintmrn.com
> Reston, Virginia USA           http://www.sprintmrn.com
>
--
Jeff Sedayao
Intel Corporation
sedayao@argus.intel.com

From firewalls-owner Thu Apr 6 08:39:15 1995
Message-Id: <9504061438.AA23173@vbv03.vbv.dec.com>
To: firewalls@greatcircle.com
Subject: Re: GABRIEL
In-Reply-To: Your message of "Thu, 06 Apr 95 10:32:40 EDT."
Date: Thu, 06 Apr 95 10:38:24 -0400
From: "Frank Byrum"
X-Mts: smtp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Yes... I pulled it earlier...

Frank

From firewalls-owner Thu Apr 6 09:04:48 1995
Posted-Date: Thu, 6 Apr 1995 11:44:51 -0400
From: "Bryan D. Boyle"
Message-Id: <9504061144.ZM5483@maverick.erenj.com>
Date: Thu, 6 Apr 1995 11:44:51 -0400
In-Reply-To: jgt10@amdahl.com (John G. Thompson) "Re: http proxy on firewall" (Apr 6, 8:22am)
References:
X-Phone: (908) 730-3338
X-Saying: Strange problems call for strange solutions.
X-Mailer: Z-Mail (3.2.0 06sep94)
To: firewalls@greatcircle.com
Subject: Re: http proxy on firewall
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Apr 6, 8:22am, John G. Thompson wrote:
>
> Oh, by the way, who says that proxies are big monolithic programs???

Take a look at the cern server. Compile it. Then tell me if you want that running on the firewall. do the same with the fwtk http proxy. you decide.

> Hmm. I do believe that a firewall is a choke point BECAUSE it is the
> common access point to the internet. The philosophy of a firewall
> (not to start THAT discussion up again) [to steal from the LA Police
> department] is to protect and serve, in that order.

It is hard to protect when all those that you are serving (but not necessarily configuring) are accessing your choke point. I prefer to move the access point inside the wall on a machine that does not provide any other service. Makes it easier to maintain, and certainly LIMITS the range of who inside can bang on the firewall.

>
> > 4) You don't have to run the server on the wall. It supports socks.
> > Socks was designed to run on a firewall and provide the requisite service
> > (security, address masking, validation, etc.). Proxy servers were
> > designed to serve documents.
>
> Okay, I'll nit pick. What is the difference between a proxy and socks?
> Is not the purpose of both to provide a tunnel through the firewall for
> a well defined protocol such that the firewall does not appear in the
> data path?

We view socks as a tunnel, not a proxy. Perhaps definition of the terms is in order (from this tired admin...)

Tunnel: well-known secure application that accepts requests from an inside resource on a controlled and monitored port, and makes the request for you at the proper service on the outside.

Proxy: a service that acts as the target, but communicates your request to the location(s) that can satisfy the request on your behalf. For all intents and purposes, looks like, to the application, like the origination point for all the information, and is the central access point for the service.

In the current argot, view how we have implemented the http/gopher/wais/ftp proxy as how you would configure the inn/nntp service using the fwtk, in concept.

>
> > 5) Configuration, based on changes in your network, of the proxy mean
> > that the system should be easily accessible to make those changes. A
> > firewall should not be changed at the same rate or for the same trivial
> > reasons.
>
> I don't understand this, but that may be because I missed the leading
> article on this.

Tunnel (socks) is configured to only talk to ONE (1) machine, the inside proxy. That doesn't change. As a matter of fact, we run socks under the wrapper program under inetd control. Been that way for more than a year. configuration hasn't changed at all. As they say, been there, done that. It hasn't changed. It is stable.

Proxy is configured to allow or deny based on the range of subnets as we roll out new machines and grow the population. It changes from time to time. But, a mistake in configuration will not open up a hole on the firewall, nor will an application fault cause problems on the wall. Compartmentalization, and putting applications where they make the most sense from a business, security, traffic, and control standpoint are what drive this decision.

Allowable subnets change from time to time. There is an active cache, and real activity. But, there is a manageable load, a queuing algorithm that processes requests relatively efficiently, and so forth. Good, in our opinion, on a common access machine serving many users. Not the optimal solution on a security perimeter. There we want to keep the open user interaction to a minimum.

--
Bryan D. Boyle           | The Moving Finger writes, and having writ, moves on.
#include                 | Nor all your Piety nor Wit can call it back to cancel
EMAIL: bdboyle@erenj.com | Half a line, or all your tears wash out a Word of it.
--------------http://www.access.digex.net/~bdboyle/index.html---------------

From firewalls-owner Thu Apr 6 09:11:11 1995
Date: Thu, 6 Apr 1995 07:51:27 -0700 (PDT)
From: Brad McCarty
Subject: Re: Registered IP vs unregistered
To: Gregg Siegfried
cc: firewalls@GreatCircle.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 5 Apr 1995, Gregg Siegfried wrote:

> With a proper proxy setup, no internal addresses ever make it out
> past the gateway. So in that sense, no services are "unavailable".
> There are those that are very difficult to proxy, like UDP stuff, which
> probably don't belong in a secure gateway environment anyway.

This is part of what I'm trying to find out. Can you be more specific on which applications are difficult to proxy? What are some typical applications that my users may want to do which might rely on "UDP stuff"? Are you referring to things like MBONE etc.?

> By unregistered class A addresses, I assume you mean the network 10 that
> IANA has reserved for this purpose.

Yes.

Brad.
From firewalls-owner Thu Apr 6 09:22:27 1995
Date: Thu, 6 Apr 1995 11:23:57 -0300
From: bdamicro!scott@Sun.COM (Scott Abrutyn)
Message-Id: <9504061423.AA17239@constellation.tolkein>
To: firewalls@greatcircle.com, bret@real.com
Subject: Re: SATAN on Solaris
Cc: laurent@Grafnetix.Qc.CA
X-Sun-Charset: US-ASCII
Content-Type: text
Content-Length: 781
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> >
> > Does this thing work on Solaris or not? I'm running Solaris 2.4 with
> > NIS+ and I get the following message when i try to do a normal probe:
> >
> > rpcinfo: can't contact portmapper: RPC: Rpcbind failure - RPC: Failed ...
> > showmount: RPC: Procedure unavailable
> >
>
> As I understand NIS+, it uses secure RPC calls, as well as some encryption..
> If SATAN isn't trying to do the same, it won't be able to interface
> with the portmapper and get a valid result..
>
> Of course I am new to NIS+ (only went over it 1 day in a Slowaris SA class,
> and haven't used it since), so I could be mistaken..

misinformation fyi to the group, NIS+ only uses secure RPC mode if you configure it that way. The default is not secure RPC.

Scott Abrutyn
Bermuda Microsystems

From firewalls-owner Thu Apr 6 09:37:29 1995
From: bnowlin@nyjets.lerc.nasa.gov (Ben Nowlin)
Message-Id: <199504061439.KAA16513@nyjets.lerc.nasa.gov>
Subject: Re: GABRIEL
To: stark@cabq.gov
Date: Thu, 6 Apr 95 10:39:00 EDT
Cc: firewalls@GreatCircle.com, syskls@isdaix.cabq.gov
In-Reply-To: <9504061352.AA18509@isdaix.cabq.gov>; from "firewalls-owner@GreatCircle.COM" at Apr 6, 95 7:52 am
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> I can't seem to hit any of the sites listed in this announcement;
> Is this an April Fool's joke, or is somebody just not ready?!
>
> L
> =============================================================================
> Lee Stark, Systems Admin    | +1 505 768 2978     | "If you're not in
> City of Albuquerque ISD     | +1 505 768 4615 fax | the loop, it can't
> One Civic Plaza, NW Rm 2061 | stark@cabq.gov      | be tightened around
> Albuquerque, NM 87102-2166  | NIC: [KLS25]        | your neck..."
> =============================================================================
>

It's there. On the ftp server it is in the directory pub/lat, along with copies of SATAN, Courtney, and a few docs and notes sets.

Ben
--
______________________________________________________________________________
Ben Nowlin                 | If you don't get what you want in life, it's either
NASA Lewis Research Center | a sign that you seriously didn't want it, or that
ben@lerc.nasa.gov          | you tried to BARGAIN over the PRICE.
______________________________________________________________________________

From firewalls-owner Thu Apr 6 09:38:16 1995
Date: Thu, 6 Apr 95 11:03:58 -0500
From: Larry Kealey
Message-Id: <9504061603.AA02571@admn0162>
To: firewalls@greatcircle.com
Subject: Satan Detectors
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have found the SATAN Detector, Gabriel - But I read about another "SATAN Detector" called Courtney, developed by Lawrence Livermore Laboratories. Does anyone know what the latest version is and where it can be found?

Thanks.

Larry Kealey
Phibro Energy USA, Inc.
From firewalls-owner Thu Apr 6 09:42:34 1995
From: liperta@obelix.htl-tex.ac.at
Message-Id: <199504061527.IAA29797@miles.greatcircle.com>
Subject: Re: TIS and Firewall one #'s
To: pfield@nwu.edu (Phil Field)
Date: Thu, 6 Apr 95 17:30:50 METDST
Cc: firewalls@greatcircle.com
In-Reply-To: ; from "Phil Field" at Apr 04, 95 4:30 pm
Mailer: Elm [revision: 72.14]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> To All,
>
>
> Does anybody have the address or phone numbers of two
> firewall vendors TIS and Firewall ?
>

TIS stands for TRUSTED INFORMATION SYSTEMS
They offer a Toolkit for firewalls
Available over the internet in source code form
- FTP from ftp.tis.com/pub/firewalls/toolkit/fwtk.tar.Z
No phone number known

Happy data transfer from a.liperta@obelix.htltex.ac.at

>
> Thank you for your support,
> ______________________________________________________________
> Phillip Field          | Children's Memorial Medical Center
> Network Administrator  | 2300 Children's Plaza, Mailstop 56
> Email: pfield@nwu.edu  | Chicago, Illinois 60614
> FAX: 312-880-3280      |
> Voice: 312-880-6335    |
> _______________________________________________________________

From firewalls-owner Thu Apr 6 10:01:20 1995
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9504061552.AA21768@hawksbill.sprintmrn.com>
Subject: Re: GABRIEL
To: stark@cabq.gov
Date: Thu, 6 Apr 1995 10:52:25 -0500 (EST)
Cc: firewalls@GreatCircle.com, syskls@isdaix.cabq.gov
In-Reply-To: <9504061352.AA18509@isdaix.cabq.gov> from "firewalls-owner@GreatCircle.COM" at Apr 6, 95 07:52:25 am
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 546
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> I can't seem to hit any of the sites listed in this announcement;
> Is this an April Fool's joke, or is somebody just not ready?!
>
>

Works for me.

ftp.lat.com:/gabriel-1.0.tar.Z

- paul
_______________________________________________________________________________
Paul Ferguson
US Sprint                      tel: 703.689.6828
Managed Network Engineering    internet: paul@hawk.sprintmrn.com
Reston, Virginia USA           http://www.sprintmrn.com

From firewalls-owner Thu Apr 6 10:07:10 1995
Date: Thu, 6 Apr 1995 10:12:34 -0600
X400-Originator: stark@cabq.gov
X400-Recipients: firewalls@GreatCircle.com
X400-MTS-Identifier: [/PRMD=CABQ/ADMD=TELEMAIL/C=US/;0000700001042946000002]
X400-Content-Type: P2-1988 (22)
Content-Identifier: Re: GABRIEL (...
From: " (K. Lee Stark)"
Message-ID: <9504061612.AA16564@isdaix.cabq.gov>
To: fw-list
Cc: stark
Subject: Re: GABRIEL (never mind)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thanks to all who responded personally; it appears I have a problem with my service provider (you don't REALLY need to reach anybody on the left coast, do you?)...

Lee
=============================================================================
Lee Stark, Systems Admin    | +1 505 768 2978     | "If you're not in
City of Albuquerque ISD     | +1 505 768 4615 fax | the loop, it can't
One Civic Plaza, NW Rm 2061 | stark@cabq.gov      | be tightened around
Albuquerque, NM 87102-2166  | NIC: [KLS25]        | your neck..."
=============================================================================

From firewalls-owner Thu Apr 6 10:13:34 1995
From: jgt10@amdahl.com (John G. Thompson)
Subject: Re: http proxy on firewall
To: bdboyle@maverick.erenj.com (Bryan D. Boyle)
Date: Thu, 6 Apr 1995 08:22:54 -0700 (PDT)
Cc: firewalls-digest@greatcircle.com
In-Reply-To: from "Bryan D. Boyle" at Apr 5, 95 10:16:00 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Content-Length: 2741
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Why not run the proxy on the wall?
>
> 1) most proxies have holes large enough for your delivery trucks to drive
> through in terms of access privs, etc. etc. Do you want large, monolithic
> programs running on the firewall?

No.
But they are less a security risk than the services they proxy for. I'd much rather have a proxy service I can code review, recompile, instrument, debug, log and KILL, than a bunch of well meaning users who import ALL sorts of things (IRC?!?!?!), fill up filesystems, break things, demand root privileges, etc. Proxies may not be entirely safe, but they are MUCH more manageable than the users they replace.

> 2) processor gets eaten up by the proxy server. big, complex program=
> big, complex cpu usage.

Processors get eaten up by users, to a larger degree than the corresponding user load. Think about it, a proxy is only going to handle the control and data for the service, it isn't going to handle the shell processing, the terminal interrupt processing, the disk io processing, and on and on and on...

Oh, by the way, who says that proxies are big monolithic programs???

> 3) firewall is a choke point, not a common access point. One is
> providing a service, the other security. Compartmentalization means that
> weaknesses in one will have a minimal impact on the other.

Hmm. I do believe that a firewall is a choke point BECAUSE it is the common access point to the internet. The philosophy of a firewall (not to start THAT discussion up again) [to steal from the LA Police department] is to protect and serve, in that order.

> 4) You don't have to run the server on the wall. It supports socks.
> Socks was designed to run on a firewall and provide the requisite service
> (security, address masking, validation, etc.). Proxy servers were
> designed to serve documents.

Okay, I'll nit pick. What is the difference between a proxy and socks? Is not the purpose of both to provide a tunnel through the firewall for a well defined protocol such that the firewall does not appear in the data path?

> 5) Configuration, based on changes in your network, of the proxy mean
> that the system should be easily accessible to make those changes. A
> firewall should not be changed at the same rate or for the same trivial
> reasons.

I don't understand this, but that may be because I missed the leading article on this.

> 6) It is easier.

Easier than what? See above.

JGT
--
John G. Thompson    jgt10@amdahl.com    1-408-992-2088
Amdahl Corporation, P.O. Box 3470 MS 383, Sunnyvale, CA 94088-3470
[The opinions expressed are MINE. They do not necessarily reflect the policies, procedures, press releases or opinions of the Amdahl Corporation.]

From firewalls-owner Thu Apr 6 10:18:59 1995
From: Paul Crossley
To: ronl@earth.eng.vantageware.com, firewalls@greatcircle.com, cisco@spot.colorado.edu, ellozy@dfci.harvard.edu
Subject: RE: Outgoing ftp and filters
X-Mailer: ScoMail 1.0
Date: Thu, 6 Apr 1995 15:44:09 +0100 (BST)
Message-ID: <9504061544.aa01820@gateway.toploguk.co.uk>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> I attempted to close TCP ports >1023. I was then unable to receive mail via SMTP. SMTP was
> unable to get a backchannel to send incoming mail. I was led to believe that the backchannel
> was dynamically determined and was ALWAYS >1023.
>

Outgoing mail will be sent with a source port >1023 and a (remote) destination port of 25. The replies will come in with a (remote) source port of 25 and a destination port >1023. If you are allowing ESTABLISHED tcp sessions through, the replies will get back without specifically opening ports >1023.

Incoming mail should arrive with a source port >1023 and a destination port of 25. Again your system will reply from port 25 to the remote host port >1023.
You will therefore need to open ports >1023 on the OUTGOING interface OR again allow established connections through.

Thus for incoming mail the incoming filters must accept tcp connections to port 25 and the outgoing filters must allow connections to ports >1023 OR they must allow ESTABLISHED TCP connections.

For outgoing mail the reverse is true: the outgoing filters must allow connections to port 25 and the incoming filters must accept connections to ports >1023 OR they must allow ESTABLISHED TCP connections.

-------------------------------------------------------------------------
Paul Crossley (paul@toploguk.co.uk)
Senior Consultant SCO ACE
TopLog Limited
TopLog House, Knaves Beech Business Centre, Loudwater, Bucks. HP10 9QY
Phone (01628) 819444   Fax (01628) 819356
-------------------------------------------------------------------------

From firewalls-owner Thu Apr 6 10:28:15 1995
Date: Thu, 6 Apr 1995 07:43:50 -0700 (PDT)
From: Brad McCarty
Subject: Re: Registered IP vs unregistered
To: Howard Berkowitz
cc: firewalls@GreatCircle.COM
In-Reply-To: <199504052118.RAA18397@clark.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 5 Apr 1995, Howard Berkowitz wrote:

> > The problem is that due to the physical layout of our company we run
> > into several problems with the max of 254 hosts per subnet.
>
> Without seeing your specific layout, I would be concerned over trying
> to put that many hosts on a subnet, if for no other reason than routing
> and troubleshooting. With most routers, you can put multiple subnets
> on the same wire -- by extension, multiple network numbers on the
> same wire.

In all likelihood we would not have over 254 hosts per subnet, but it may grow close to that and I don't want to be limited later by the class of IP number that I pick today. The machines on the local wire will actually not be using TCP/IP but NetBEUI, only TCP/IP across the WAN.

> For that matter, RFC1597 also defines unregistered Class B and Class C
> addresses.

We're planning on using the network 10.0.0.0 number described in RFC1597.

> Don't go too far into assigning "meaning" to IP addresses, if by
> meaning you refer to organizational structure. IP address structure
> should reflect routing design and, to a lesser extent, physical
> topology. It's your DNS naming structure that should reflect
> organizational meaning.

The only meaning we're going to assign is geographic location and "sublocation" if you will.

> Might you ever have to use an Internet service provider for connectivity
> to remote locations? This can be done with unregistered addresses using
> IP over IP tunneling, but that adds overhead.

No, I'm sure the company is too scared of passing internal traffic over the Internet.

> I would very strongly recommend you use address assignment software
> such as DHCP in your end systems, if you go to unregistered addresses.

We are planning on using DHCP for the address assignments, at least for those hosts which will use DHCP.

I understand the concerns you mentioned but I'm still left wondering if the proxy server may limit our Internet access capabilities and if it does, how does it specifically?

Thanks for the response.

Brad

From firewalls-owner Thu Apr 6 10:43:52 1995
From: "Kochar, Neil: GTIS"
To: "'Firwalls'"
Subject: Courses/Training on Firewalls/Bastion Host
Date: Thu, 06 Apr 95 12:26:00 EDT
Message-ID: <2F84240B@smtpgate.gtis.gc.ca>
Encoding: 2 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Just wondering if there is any information available on the subject item.

From firewalls-owner Thu Apr 6 10:54:14 1995
Message-Id: <9504061439.AA20306@sonic.nmti.com.nmti.com>
To: jon@nytimes.com (Jon E. Price)
Cc: firewalls-digest@GreatCircle.COM, baim@itg.viacom.com, stan@nytimes.com, gordy@nytimes.com, dgbrown@nytimes.com, theresa@nytimes.com, peter@nmti.com
Subject: Re: http proxy on firewall
In-Reply-To: Your message of "Wed, 05 Apr 95 21:13:02 EDT."
<9504060113.AA14179@mailgate.nytimes.com> X-Mailer: exmh version 1.4.1 7/21/94 Date: Thu, 06 Apr 95 09:39:32 -0500 From: peter@nmti.com X-Mts: smtp Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Why is running the http proxy "on" the firewall "not recommended". The more stuff you run on the firewall the more likely you're going to run something with an undiscovered security hole. For example, the NCSA server had a fingerd-style overrun problem that might have been exploitable (and I've seen evidence of people trying to exploit it in logs). -- Peter da Silva `-_-' Network Management Technology Incorporated 'U` 1601 Industrial Blvd. Sugar Land, TX 77478 USA +1 713 274 5180 "Har du kramat din varg idag?" From firewalls-owner Thu Apr 6 11:16:16 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA07334 for firewalls-outgoing; Thu, 6 Apr 1995 10:48:44 -0700 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA07324 for ; Thu, 6 Apr 1995 10:48:41 -0700 Received: from gatekeeper.Bridge.COM by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950108) id KAA27452; Thu, 6 Apr 1995 10:48:37 -0700 Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id MAA03029 for ; Thu, 6 Apr 1995 12:37:55 -0500 Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma003027; Thu Apr 6 12:37:45 1995 Received: from ernie.bridge.com by ignatz.bridge.com with SMTP id AA08087 (5.67b/IDA-1.5 for ); Thu, 6 Apr 1995 12:49:16 -0500 Date: Thu, 6 Apr 1995 12:49:16 -0500 From: Ken Hardy Message-Id: <199504061749.AA08087@ignatz.bridge.com> To: firewalls@greatcircle.com Subject: "secure" HTTP service through firewall? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I think I heard here that one or the other of the secure WWW protocols cannot be proxied through a firewall. 
Can anyone provide more or better information? Where should I start looking for implementation details of these services?

-KH

From firewalls-owner Thu Apr 6 11:27:56 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA06361 for firewalls-outgoing; Thu, 6 Apr 1995 10:32:47 -0700
Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA06354 for ; Thu, 6 Apr 1995 10:32:41 -0700
Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA22574; Thu, 6 Apr 95 13:30:19 -0500
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9504061830.AA22574@hawksbill.sprintmrn.com>
Subject: Re: Satan Detectors
To: kealeyl@phibro.com (Larry Kealey)
Date: Thu, 6 Apr 1995 13:30:19 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <9504061603.AA02571@admn0162> from "Larry Kealey" at Apr 6, 95 11:03:58 am
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 672
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>
> I have found the SATAN Detector, Gabriel - But I read about another
> "SATAN Detector" called Courtney, developed by Lawrence Livermore
> Laboratories. Does anyone know what the latest version is and where
> it can be found?
>
>

available at http://ciac.llnl.gov/ciac/ToolsUnixNetMon.html#Courtney

- paul

_______________________________________________________________________________
Paul Ferguson                                  US Sprint
Managed Network Engineering                    tel: 703.689.6828
Reston, Virginia USA                           internet: paul@hawk.sprintmrn.com
                                               http://www.sprintmrn.com

From firewalls-owner Thu Apr 6 11:40:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA05034 for firewalls-outgoing; Thu, 6 Apr 1995 10:10:17 -0700
Received: from real.com (eagle.real.com [199.97.122.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA05013 for ; Thu, 6 Apr 1995 10:10:02 -0700
Date: Thu, 6 Apr 1995 13:09:01 -0400
From: bret@real.com (Bret McDanel)
Received: by real.com (8.6.8.1/3.2.012693-Realistic Technologies Inc); id NAA08212 for ; Thu, 6 Apr 1995 13:09:01 -0400
Message-Id: <199504061709.NAA08212@real.com>
To: firewalls@greatcircle.com
Subject: Re: Satan Detectors
Cc: ealeyl@phibro.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I have found the SATAN Detector, Gabriel - But I read about another
> "SATAN Detector" called Courtney, developed by Lawrence Livermore
> Laboratories. Does anyone know what the latest version is and where
> it can be found?
>
> Thanks.

courtney can be gotten at ciac.llnl.gov..
gabriel can be gotten from ftp.lat.com...
From firewalls-owner Thu Apr 6 11:46:29 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA03328 for firewalls-outgoing; Thu, 6 Apr 1995 09:47:27 -0700
Received: from psi.com (psi.com [192.67.6.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA03318 for ; Thu, 6 Apr 1995 09:47:15 -0700
Received: from Phibro.COM by psi.com (4.1/2.1-PSI/PSINet) id AA25673; Thu, 6 Apr 95 12:46:14 EDT
Received: from [149.58.1.20] by Phibro.COM (NX5.67d/NeXT-2.0 (gate $Revision: 1.4 $ $State: Rel $ amm/lbl)) id AA14968; Thu, 6 Apr 95 12:02:50 -0400
Received: from admn0162 by mail0120 (NX5.67d/NeXT-2.0) id AA05679; Thu, 6 Apr 95 11:44:39 -0500
Received: by admn0162 (NX5.67d/NX3.0S) id AA02682; Thu, 6 Apr 95 11:44:39 -0500
Date: Thu, 6 Apr 95 11:44:39 -0500
From: Larry Kealey
Message-Id: <9504061644.AA02682@admn0162>
Received: by NeXT.Mailer (1.100.RR)
Received: by NeXT Mailer (1.100.RR)
To: firewalls@greatcircle.com
Subject: Re: I had a look at SATAN...
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jeffery C. Sedayao Wrote [today]:
>I wouldn't say "no news". Sure, it doesn't check for anything
>really new. But Dan Farmer did lose his job over it (which is news,
>at least to Dan!).

As I heard it, Dan Farmer lost his job because his employers did not feel that he could devote all his time to SATAN [pardon the pun] and still take care of his job...which I think is a really valid point....so I don't believe creating SATAN cost Dan Farmer his job, I think he made a decision with his employer to part ways - because the work [at SG] was not what he [Dan] wanted to do. ...at least that's how Dan and SG tell it...

With regard to your look at SATAN, there is one thing I do like about SATAN, and that is the major flaw in its design - SATAN SYSTEMATICALLY scans a network, making it more easily detectable. It will make it easier for administrators to detect wannabes who try to use this tool for hacking.
As for the real crackers out there, well they have better stuff than satan to use...and they would probably not want to use this type of tool because of the detection factor.

Larry Kealey
Phibro Energy USA, Inc.

From firewalls-owner Thu Apr 6 11:52:51 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA08476 for firewalls-outgoing; Thu, 6 Apr 1995 11:13:22 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA08471 for ; Thu, 6 Apr 1995 11:13:09 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA22275; Thu, 6 Apr 95 13:55:33 -0400
Date: Thu, 6 Apr 95 13:55:33 -0400
Message-Id: <9504061755.AA22275@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Definitions (was http proxy on firewall)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>It is hard to protect when all those that you are serving (but not necessarily
>configuring) are accessing your choke point. I prefer to move the access
>point inside the wall on a machine that does not provide any other service.
>Makes it easier to maintain, and certainly LIMITS the range of who inside
>can bang on the firewall.

Point of order. Referring to "The Book" page 9: "We define a *firewall* as a collection of components placed between two networks...". This does not mean that a single unit such as a router must be a firewall all by itself, nor must all firewall related tasks be performed on a single machine. Further, there does not need to be only a single path between the networks. Instead, a firewall could be several machines each handling a portion of the task in a distributed manner and having parallel inputs and outputs. "Choke Point" in this sense means a single point of entry and not a limit to the volume of data it can pass.
In the current rage for "one size fits all" and single unit firewalls, this is true but it is not inherent in the word "firewall". Further, proxy servers, bastion hosts, & tunnelling devices are a part of the overall firewall design (true, they can also be used to subvert a firewall but that is something different).

Think I mentioned this some time ago in relation to viruses - analysis should be done on a host that is able to reassemble the entire package and examine it as a whole before sending to the addressee - that would be a proxy host, right? Obviously from the above, such a host could also be one of the components of the firewall.

We are now used to a centralized system being marketed as a firewall. We are moving toward a period where decentralization may be necessary to accommodate all of the services/throughput required by a large organization. Decentralization will not make such a system any less a firewall nor more than a firewall, it will still *be* a firewall.

Warmly,
Padgett

From firewalls-owner Thu Apr 6 11:58:13 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA09458 for firewalls-outgoing; Thu, 6 Apr 1995 11:34:28 -0700
Received: from justice.usdoj.gov (justice.usdoj.gov [149.101.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA09447 for ; Thu, 6 Apr 1995 11:34:24 -0700
From:
To: firewalls@GreatCircle.com
Subject: V1 contact information
X-Mailer: SCO Portfolio 2.0
Date: Thu, 6 Apr 1995 14:31:20 -0400 (EDT)
Message-ID: <9504061431.aa12556@justice.usdoj.gov>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone have a contact name and number for V1 in the Wash. D.C. area? Much appreciated.

--------------------------------------------------------------------------------
Mary L. Casey
Computer and Telecommunications Security Staff
Justice Management Division, US Dept of Justice
voice (202) 514-4312   fax (202) 616-5455

From firewalls-owner Thu Apr 6 12:03:48 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA05842 for firewalls-outgoing; Thu, 6 Apr 1995 10:24:38 -0700
Received: from mmdfhost.gtis.gc.ca (mmdfhost.gtis.gc.ca [198.103.0.71]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA05800 for ; Thu, 6 Apr 1995 10:24:22 -0700
Received: from smtpgate.gtis.gc.ca by mmdfhost.gtis.gc.ca id aa17955; 6 Apr 95 13:22 EDT
Received: by smtpgate.gtis.gc.ca with Microsoft Mail id <2F8423F9@smtpgate.gtis.gc.ca>; Thu, 06 Apr 95 13:25:13 EDT
From: "Kochar, Neil: GTIS"
To: "'Firwalls'"
Subject: FW: Transparent Firewall
Date: Thu, 06 Apr 95 12:26:00 EDT
Message-ID: <2F8423F9@smtpgate.gtis.gc.ca>
Encoding: 15 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We have a network which is shared between two departments (A and B). The network has two points of Internet access. One access point (assigned to Dept. A) is protected with a Bastion Host (TIS Toolkit 1.3) while the other point (assigned to Dept. B) is protected by access-lists only. The default route on the network is assigned to department B, i.e. the non-Bastion Host point of access.

Very recently, department A has asked for transparent access to the Internet (presently they have to log on to the Bastion Host on their way to the Internet). It is my understanding that a transparent firewall can only be installed on the default route. Just wondering what options we have. Can we replace the TIS Toolkit with Gauntlet? Does it require the default route as well? How about Janus, BlackHole etc.? Any suggestions?
From firewalls-owner Thu Apr 6 12:18:08 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA05039 for firewalls-outgoing; Thu, 6 Apr 1995 10:10:20 -0700
Received: from uu11.psi.com (uu11.psi.com [38.8.24.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA05033 for ; Thu, 6 Apr 1995 10:10:16 -0700
Received: from smtp.essexgroup.com by uu11.psi.com (5.65b/4.0.940727-PSI/PSINet) via SMTP; id AA00845 for firewalls@greatcircle.com; Thu, 6 Apr 95 13:10:23 -0400
Received: by SMTP.ESSEXGROUP.COM with Microsoft Mail id <2F843E73@SMTP.ESSEXGROUP.COM>; Thu, 06 Apr 95 12:18:11 PDT
From: "Chambers, M.A."
To: "'firewalls@greatcircle.com'"
Subject: Need Help Getting Started
Date: Thu, 06 Apr 95 12:16:00 PDT
Message-Id: <2F843E73@SMTP.ESSEXGROUP.COM>
Encoding: 30 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I was looking for some direction on setting up a firewall for our company. We currently have router filtering from our service provider; I feel this is a good start. In my initial discussions with the service provider I got the impression that they didn't feel we needed a firewall. They told me in most cases, filtering is enough. I'm sure that this is not the case.

We are mostly an NT environment and would like to find something that would run on NT. Unfortunately, I haven't had much success in finding any firewall products that run on NT. I did find a few that will have products for NT later this year, like Raptor at 800-9-EAGLE-6, but nothing for now. In the mean time I would like to find a firewall that would run on an I86 platform. We have E-Mail up and going. We would also like to set up a home page and an FTP server.

What would anyone suggest? What flavor of UNIX should I use on an I86? Any comments would be appreciated. Thanks in advance.
CHAMBMA@SMTP.ESSEXGROUP.COM

From firewalls-owner Thu Apr 6 12:28:37 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA09208 for firewalls-outgoing; Thu, 6 Apr 1995 11:28:33 -0700
Received: from pure.pure.com (pure.pure.com [192.232.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA09203 for ; Thu, 6 Apr 1995 11:28:29 -0700
Received: from stargate.pure.com by pure.pure.com (5.65c/PURE-SERVER-2.0) id AA12749; Thu, 6 Apr 1995 11:30:38 -0700
Date: Thu, 6 Apr 1995 11:30:38 -0700
From: msabouri@pure.com (Mo Sabourian)
Message-Id: <199504061830.AA12749@pure.pure.com>
Received: by stargate.pure.com (5.x/CLIENT-1.0) id AA01103; Thu, 6 Apr 1995 11:30:32 -0700
To: firewalls@greatcircle.com, kealeyl@phibro.com
Subject: Re: Satan Detectors
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> I have found the SATAN Detector, Gabriel - But I read about another

Where is this detector?

>> "SATAN Detector" called Courtney, developed by Lawrence Livermore
>> Laboratories. Does anyone know what the latest version is and where
>> it can be found?

You may be looking for this:

http://ciac.llnl.gov/ciac/ToolsUnixNetMon.html#Courtney

-Mo

Mo Sabourian, "Acting IS Manager" / "System Administrator"
Pure Software Inc.
1309 South Mary Avenue
Sunnyvale, California 94087
(408) 720-1600   Direct: (408) 524-3637   Fax: (408) 720-9200
E-Mail: msabouri@pure.com

From firewalls-owner Thu Apr 6 12:31:52 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA09071 for firewalls-outgoing; Thu, 6 Apr 1995 11:25:18 -0700
Received: from netcom16.netcom.com (netcom16.netcom.com [192.100.81.129]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA09064 for ; Thu, 6 Apr 1995 11:25:15 -0700
From: Ruiyuan_Jiang/Advantage_KBS_at_LotusXchg@njcorp.akbs.com
Received: from njcorp.akbs.com by netcom16.netcom.com (8.6.11/Netcom) id LAA26107; Thu, 6 Apr 1995 11:22:45 -0700
Received: from cc:Mail by njcorp.akbs.com id AA797203410; Thu, 06 Apr 95 14:24:00 EST
Date: Thu, 06 Apr 95 14:24:00 EST
Encoding: 12 Text
Message-Id: <9503067972.AA797203410@njcorp.akbs.com>
To: firewalls@greatcircle.com
Subject: SATAN
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I downloaded SATAN and extracted it under a UNIX box. The readme file mentions that I need PERL 5.00 or better. Can anybody tell me what it is and where I can find it on the internet, please? I have NCSA Mosaic 2.0.0 Beta 3 (latest up to now). Does SATAN run on a UNIX box or can it run under MS-Windows on a PC? If it is just for UNIX, do I need NCSA Mosaic for X-Window, because normally I just use NCSA for MS-Windows. Thanks in advance.
Ruiyuan Jiang
rjiang@akbs.com

From firewalls-owner Thu Apr 6 12:53:33 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA10106 for firewalls-outgoing; Thu, 6 Apr 1995 11:48:11 -0700
Received: from aruba.lerc.nasa.gov (aruba.lerc.nasa.gov [139.88.35.16]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA10095 for ; Thu, 6 Apr 1995 11:48:07 -0700
Received: from nyjets.lerc.nasa.gov by aruba.lerc.nasa.gov with ESMTP (950215.SGI.8.6.10/LeRC/DLW/TAF(1.24-main)) id OAA20434; Thu, 6 Apr 1995 14:48:23 -0400
Received: by nyjets.lerc.nasa.gov (950215.SGI.8.6.10/LeRC/DLW/TAF(1.22p-local)) id OAA16967; Thu, 6 Apr 1995 14:48:22 -0400
From: bnowlin@nyjets.lerc.nasa.gov (Ben Nowlin)
Message-Id: <199504061848.OAA16967@nyjets.lerc.nasa.gov>
Subject: Re: Satan Detectors
To: kealeyl@phibro.com (Larry Kealey)
Date: Thu, 6 Apr 95 14:48:11 EDT
Cc: firewalls@greatcircle.com
In-Reply-To: <9504061603.AA02571@admn0162>; from "Larry Kealey" at Apr 6, 95 11:03 am
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>
> I have found the SATAN Detector, Gabriel - But I read about another
> "SATAN Detector" called Courtney, developed by Lawrence Livermore
> Laboratories. Does anyone know what the latest version is and where
> it can be found?
>
> Thanks.
>
> Larry Kealey
> Phibro Energy USA, Inc.
>

Larry,

Courtney's available in a few places actually, including the place you retrieved Gabriel (if you retrieved it from ftp://ftp.best.com/pub/lat, the file is courtney-1.2.tar.Z). You can also retrieve it from CIAC at http://ciac.llnl.gov/ciac/ToolsUnixNetMon.html#Courtney, and also at ftp://coast.cs.purdue.edu/pub/tools/unix/satan/defenses, under Courtney. It's probably elsewhere, but that's all that comes to the ole brain at the moment.

Good luck.
Ben

-- 
______________________________________________________________________________
| Ben Nowlin                 | If you don't get what you want in life, it's either
| NASA Lewis Research Center | a sign that you seriously didn't want it, or that
| ben@lerc.nasa.gov          | you tried to BARGAIN over the PRICE.
______________________________________________________________________________

From firewalls-owner Thu Apr 6 12:57:44 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA10831 for firewalls-outgoing; Thu, 6 Apr 1995 12:00:23 -0700
Received: from iss.net (iss.iss.NET [204.241.60.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA10826 for ; Thu, 6 Apr 1995 12:00:19 -0700
Received: (from cklaus@localhost) by iss.net (8.6.4/8.6.4) id PAA13587; Thu, 6 Apr 1995 15:16:10 -0700
From: Christopher Klaus
Message-Id: <199504062216.PAA13587@iss.net>
Subject: Mirrors for security program
To: firewalls@greatcircle.com, bugtraq@fc.net
Date: Thu, 6 Apr 1995 15:16:10 +1494730 (PDT)
X-Mailer: ELM [version 2.4 PL20]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 807
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hey, I am going to release an update to Internet Security Scanner from version 1.21 to 1.3. This includes source in C. Changes from 1.21 are that I fixed a pretty serious bug in ISS 1.21 for little endian machines, which reversed the byte order of addresses so that if you tried to scan 1.2.3.4, it would actually scan 4.3.2.1. Also, I have added many more vulnerability checks to the package. I would like to find other sites that wouldn't mind putting it up for ftp so that my link isn't bogged down. Please e-mail me.

Thanks,
Christopher

-- 
Christopher William Klaus       Voice: (404)441-2531. Fax: (404)441-2431
Internet Security Systems, Inc.
Computer Security Consulting
2000 Miller Court West, Norcross, GA 30071
========================< http://iss.net/~iss >=========================

From firewalls-owner Thu Apr 6 13:15:18 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA11517 for firewalls-outgoing; Thu, 6 Apr 1995 12:11:28 -0700
Received: from serendip.sdsc.edu (serendip.sdsc.edu [132.249.22.101]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA11511 for ; Thu, 6 Apr 1995 12:11:24 -0700
Received: by serendip.sdsc.edu (931110.SGI/920502.SGI.AUTO) for firewalls@greatcircle.com id AA18827; Thu, 6 Apr 95 12:12:04 -0700
From: bac@serendip.sdsc.edu (Bilal A. Chinoy)
Message-Id: <9504061912.AA18827@serendip.sdsc.edu>
Subject: Re: Satan Detectors
To: firewalls@greatcircle.com
Date: Thu, 6 Apr 1995 12:12:04 -0700 (PDT)
In-Reply-To: <199504061709.NAA08212@real.com> from "Bret McDanel" at Apr 6, 95 01:09:01 pm
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 673
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

While I favor developing tools that can monitor promiscuously for certain traffic patterns that may be "out of the ordinary", there is an easier solution in this particular (SATAN) case. Just look at your syslogs. If you have even moderate logging enabled, you should see the attempts quite plainly.

-- 
Bilal

> >
> > I have found the SATAN Detector, Gabriel - But I read about another
> > "SATAN Detector" called Courtney, developed by Lawrence Livermore
> > Laboratories. Does anyone know what the latest version is and where
> > it can be found?
> >
> > Thanks.
>
> courtney can be gotten at ciac.llnl.gov..
> gabriel can be gotten from ftp.lat.com...
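[Editor's example, not part of the archive.] Bilal's point, that a systematic sweep shows up plainly in ordinary syslog, and Larry Kealey's earlier remark that SATAN's systematic scanning makes it easy to detect, can both be turned into a small log check. The script below is an added example written for this page; it is not code from any poster, from SATAN, Courtney or Gabriel. It parses a handful of constructed tcp_wrappers-style "connect from" syslog lines (hostnames, PIDs and times are made up) and flags any source host that touches several distinct services within a short window. The thresholds (four services within sixty seconds) are assumptions and would be tuned per site; the year is supplied by the caller because BSD syslog timestamps do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines in the tcp_wrappers "connect from" style.
# Hostnames, PIDs and times are invented for this example.
SAMPLE_SYSLOG = """\
Apr  6 13:12:01 gw in.fingerd[2011]: connect from probe.example.net
Apr  6 13:12:01 gw in.ftpd[2012]: connect from probe.example.net
Apr  6 13:12:02 gw in.telnetd[2013]: connect from probe.example.net
Apr  6 13:12:02 gw in.rshd[2014]: connect from probe.example.net
Apr  6 13:12:03 gw in.tftpd[2015]: connect from probe.example.net
Apr  6 13:12:03 gw sendmail[2016]: connect from probe.example.net
Apr  6 13:15:40 gw in.ftpd[2030]: connect from desk12.corp.example
Apr  6 13:47:09 gw in.telnetd[2101]: connect from desk12.corp.example
Apr  6 14:02:55 gw in.fingerd[2200]: connect from desk7.corp.example
Apr  6 14:03:10 gw in.ftpd[2201]: refused connect from probe.example.net
"""

# "connect from" and "refused connect from" both count: a refused probe is still a probe.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<service>[\w.\-]+)\[\d+\]: "
    r"(?:refused )?connect from (?P<src>\S+)$"
)


def parse_syslog(text, year=1995):
    """Return (timestamp, source_host, service) tuples for matching lines.

    BSD syslog timestamps carry no year, so the caller supplies one.
    Lines from other daemons that do not match are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["service"]))
    return events


def find_systematic_scans(events, min_services=4, window_seconds=60):
    """Flag sources that hit at least min_services distinct services within window_seconds.

    Returns {source_host: sorted services seen in the first window that trips the threshold}.
    A single workstation using ftp and telnet half an hour apart is not flagged;
    one host walking finger, ftp, telnet, rsh, tftp and smtp in three seconds is.
    """
    by_src = defaultdict(list)
    for ts, src, service in events:
        by_src[src].append((ts, service))

    flagged = {}
    for src, hits in by_src.items():
        hits.sort()  # chronological order per source
        for i, (start, _) in enumerate(hits):
            seen = set()
            for ts, service in hits[i:]:  # sliding window anchored at each hit
                if (ts - start).total_seconds() > window_seconds:
                    break
                seen.add(service)
            if len(seen) >= min_services:
                flagged[src] = sorted(seen)
                break
    return flagged


def report(text, year=1995, min_services=4, window_seconds=60):
    """One summary line per flagged source, suitable for a nightly mail to the admin."""
    flagged = find_systematic_scans(parse_syslog(text, year), min_services, window_seconds)
    return [f"{src}: {len(services)} services probed ({', '.join(services)})"
            for src, services in sorted(flagged.items())]


if __name__ == "__main__":
    for line in report(SAMPLE_SYSLOG):
        print(line)
```

Run against the sample, only probe.example.net is reported; the two connections from desk12 are ordinary use and stay below the threshold. On a real gateway the same check would read the tcp_wrappers records out of /var/log/syslog (or wherever the site's syslog.conf sends them), and the window and service count would be chosen from what normal traffic looks like there.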
From firewalls-owner Thu Apr 6 13:28:43 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA14307 for firewalls-outgoing; Thu, 6 Apr 1995 12:55:43 -0700
Received: from ns1.hri.com (ns1.hri.com [137.203.5.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA14302; Thu, 6 Apr 1995 12:55:38 -0700
Received: from sextant.hri.com by ns1.hri.com (5.65+/1.0s) id AA29977; Thu, 6 Apr 95 15:51:07 -0400
Received: (from rali@localhost) by sextant.hri.com (8.6.10/8.6.9) id PAA26132; Thu, 6 Apr 1995 15:51:07 -0400
From: Reto Lichtensteiger
Message-Id: <199504061951.PAA26132@sextant.hri.com>
Subject: $%^* Can we PLEASE get off the SATAN stuff?!
To: firewalls@greatcircle.com, owner-firewalls@greatcircle.com
Date: Thu, 6 Apr 1995 15:51:06 -0400 (EDT)
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 523
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please? It's there, it works, I couldn't care less, and building/running SATAN and perl have jack all to do with building firewalls or maintaining them.

Thank you very much -- I'll now take my reddened face and sedative and return to lurking ...

-Reto L.-

-- 
R A Lichtensteiger        rali@hri.com
System Administrator      Horizon Research Inc        (617) 466-8304
Waltham MA 02154          http://www.hri.com/HRI/People/rali.html
I use Solaris because someone told me it was admirable to work with the handicapped ...
From firewalls-owner Thu Apr 6 14:00:54 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA13608 for firewalls-outgoing; Thu, 6 Apr 1995 12:45:02 -0700
Received: from sbei.com (ftp.sbei.com [198.93.144.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA13596; Thu, 6 Apr 1995 12:44:58 -0700
Reply-To: garyh@sbei.com
Received: from sbe1.sbei.com by sbei.com (Internet Gateway) (4.1/SMI-5.2.3) id AA21458; Thu, 6 Apr 95 12:46:53 PDT
Received: from sbe1036.sbe by sbe1.sbei.com (4.1/SMI-4.2) id AA22492; Thu, 6 Apr 95 12:45:42 PDT
Date: Thu, 6 Apr 95 12:45:42 PDT
From: garyh@sbei.com (Gary Hasenfus)
Message-Id: <9504061945.AA22492@sbe1.sbei.com>
To: firewalls@greatcircle.com, firewalls-owner@GreatCircle.COM
Subject: Re: "secure" HTTP service through firewall?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At one of the Interop conference sessions on "Security and the Web" Dave Dalva from TIS said that their HTTP proxy works with S-HTTP but not SSL. Application level proxies are likely to fail with SSL but IP proxies (Socks) just don't care for the most part.

-garyh@sbei.com

> From firewalls-owner@GreatCircle.COM Thu Apr 6 11:49:09 1995
> Reply-To: firewalls-owner@GreatCircle.COM
> Date: Thu, 6 Apr 1995 12:49:16 -0500
> From: Ken Hardy
> To: firewalls@greatcircle.com
> Subject: "secure" HTTP service through firewall?
> Sender: firewalls-owner@GreatCircle.COM
>
> I think I heard here that one or the other of the secure WWW protocols
> cannot be proxied through a firewall. Can anyone provide more or
> better information? Where should I start looking for implementation
> details of these services?
>
> -KH
>
>

From firewalls-owner Thu Apr 6 14:14:18 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA14289 for firewalls-outgoing; Thu, 6 Apr 1995 12:55:06 -0700
Received: from mx3.smtp.psi.net (mx3.smtp.psi.net [38.145.204.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA14280 for ; Thu, 6 Apr 1995 12:55:03 -0700
Received: from viacom.COM by mx3.smtp.psi.net (8.6.9/SMI-4.1.3-PSI) id PAA21705; Thu, 6 Apr 1995 15:33:17 -0400
Received: from smtpgate.viacom.com by viacom.viacom.COM id aa07897; 6 Apr 95 15:17 EDT
Received: by SMTPGATE.VIACOM.COM with Microsoft Mail id <2F846BF6@SMTPGATE.VIACOM.COM>; Thu, 06 Apr 95 15:32:22 PDT
From: "Bai, Mario"
To: firewalls
Subject: FW: Undeliverable mail: Processing failure
Date: Thu, 06 Apr 95 15:30:00 PDT
Message-ID: <2F846BF6@SMTPGATE.VIACOM.COM>
MMDF-Warning: Parse error in original version of preceding line at viacom.viacom.COM
Encoding: 42 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Seems like I'm missing something here. Why have a proxy outside the firewall? What does that gain you? Are you utilizing it as just a cache? CERN's proxy will proxy all info (ftp, gopher, wais, and http) if you have sockd running on the bastion host.

----------
From: firewalls-owner
To: BAIM; Mario)
Cc: firewalls
Subject: Re: FW: Proxy WWW through firewall
Date: Wednesday, April 05, 1995 5:08PM

>
>
> Put the proxy *behind* the firewall, point the clients to it and proxy over
> the firewall (using something like socks) .... or *not recommended* run the
> proxy on the firewall, and point the clients to it. Why did you decide to
> put the proxy outside the firewall?

I disagree. The proxy should go outside the firewall: Cern reached with a simple app gateway or via a bastion allowed IP address works just fine. I don't want to use socks or a whole bunch of other proxies for wais, gopher, http, ftp, etc.

sdw

-- 
Stephen D. Williams 25Feb1965 VW,OH (FBI ID) sdw@lig.net http://www.lig.net/sdw
Senior Consultant, Manhattan Feb95- | 513-865-9599 FAX/LIG 513.496.5223 OH Page
OO R&D AI:NN/ES crypto DBMS RPC/CS  |2464 Rosina Dr., Miamisburg, OH 45342-6430
Firewall/WWW srvrs|ICBM/GPS: 39 38 34N 84 17 12W home, 40 47 00N 73 58 00W wrk
Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.;1Mar95

--Boundary (ID cp5o3h71k22AKHQtAZlWMw)--

From firewalls-owner Thu Apr 6 14:17:25 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA11710 for firewalls-outgoing; Thu, 6 Apr 1995 12:14:53 -0700
Received: from hubcap.clemson.edu (hubcap.clemson.edu [130.127.8.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA11700 for ; Thu, 6 Apr 1995 12:14:49 -0700
Received: (hubcap@localhost) by hubcap.clemson.edu (8.6.7/8.6.4) id PAA19692 for firewalls@GreatCircle.COM; Thu, 6 Apr 1995 15:14:55 -0400
Date: Thu, 6 Apr 1995 15:14:55 -0400
From: System Janitor
Message-Id: <199504061914.PAA19692@hubcap.clemson.edu>
To: firewalls@GreatCircle.COM
Subject: satan discussion...
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Where is an appropriate place to discuss analysis of Satan's output? Maybe I'm a dope, but I'm confused by the trusted host reports with respect to ``user login''.
-Mike

From firewalls-owner Thu Apr 6 14:26:53 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA15288 for firewalls-outgoing; Thu, 6 Apr 1995 13:14:27 -0700
Received: from oxygen.house.gov (oxygen.house.gov [137.18.128.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA15283 for ; Thu, 6 Apr 1995 13:14:24 -0700
Received: by oxygen.house.gov (AIX 3.2/UCB 5.64/3.2.083191-) id AA26295; Thu, 6 Apr 1995 16:14:00 -0400
From: dorian@oxygen.house.gov (Dorian Deane)
Message-Id: <9504062014.AA26295@oxygen.house.gov>
Subject: SATAN opens http server
To: firewalls@greatcircle.com
Date: Thu, 6 Apr 1995 16:13:59 -0400 (EDT)
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1124
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is probably obvious to many of you, but starting up SATAN opens up an http server in the dynamic range (port > 1023). It appears to be password protected by a string generated on the fly from your system. I had sort of expected the whole thing to use the local "file:" type URL.

If you want to change the port to something less random, this worked for me: Add these lines between the socket() and listen() calls in html.pl.

    # &AF_INET is the same sub used in the socket() call below;
    # "\0\0\0\0" is INADDR_ANY, i.e. every local interface.
    $bindstuff = pack($sockaddr, &AF_INET, NN, "\0\0\0\0");
    bind(SOCK, $bindstuff) || die "bind: $!";

Where NN is the port number you'd like. And these lines start around line 120 of html.pl:

    sub start_html_server {
        local($sockaddr, $proto, $junk);
        $sockaddr = 'S n a4 x8';
        ($junk, $junk, $proto) = getprotobyname('tcp');
        socket(SOCK, &AF_INET, &SOCK_STREAM, $proto) || die "socket: $!";
        # add bind() stuff here -- dorian
        listen(SOCK, 1) || die "listen: $!";
        ($junk, $html_port) = unpack($sockaddr, getsockname(SOCK));
    }

The comment is mine, of course. This may not be the best way to do it--I'm a Perl rookie--but it seems to work.
dorian

From firewalls-owner Thu Apr 6 14:50:50 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA15433 for firewalls-outgoing; Thu, 6 Apr 1995 13:16:36 -0700
Received: from clavin.uprc.com (clavin.uprc.com [144.94.68.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA15421 for ; Thu, 6 Apr 1995 13:16:31 -0700
Received: from moon.uprc.com by clavin.uprc.com (4.1/3.2.012693-Union Pacific Resources Company); id AA18708 for firewalls@greatcircle.com; Thu, 6 Apr 95 15:13:07 CDT
Received: by moon.uprc.com (4.1/SMI-4.1) id AA14388; Thu, 6 Apr 95 15:13:06 CDT
Date: Thu, 6 Apr 95 15:13:06 CDT
From: z056716@uprc.com (LaCoursiere J. D. (Jeff))
Message-Id: <9504062013.AA14388@moon.uprc.com>
To: firewalls@greatcircle.com, kealeyl@phibro.com
Subject: Re: I had a look at SATAN...
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> ...at least that's how Dan and SG tell it...
>
> With regard to your look at SATAN, there is one thing I do like about
> SATAN, and that is the major flaw in its design - SATAN
> SYSTEMATICALLY scans a network, making it more easily detectable. It
> will make it easier for administrators to detect wannabes who try to
> use this tool for hacking. As for the real crackers out there, well
> they have better stuff than satan to use...and they would probably
> not want to use this type of tool because of the detection factor.
>

Ya know, something just struck me about this tool. Wouldn't it be better to have notification built into it? Obviously adept people would be able to strip it out of the source, but then the adept people already have these types of tools. If SATAN was _really_ built for the administrators, it would be a great feature for it to notify, say, root@target that they are about to be scanned.

Jeff LaCoursiere
FastLane Communications / Network security/services    mail info@fastlane.net
lacoursj@fastlane.net
FASTLANE Communications!
Connecting America to the Internet...

From firewalls-owner Thu Apr 6 14:57:58 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA16138 for firewalls-outgoing; Thu, 6 Apr 1995 13:34:59 -0700 Received: from psi.com (psi.com [192.67.6.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA16120 for ; Thu, 6 Apr 1995 13:34:52 -0700 Received: from Phibro.COM by psi.com (4.1/2.1-PSI/PSINet) id AA08053; Thu, 6 Apr 95 16:34:53 EDT Received: from [149.58.1.20] by Phibro.COM (NX5.67d/NeXT-2.0 (gate $Revision: 1.4 $ $State: Rel $ amm/lbl)) id AA15953; Thu, 6 Apr 95 15:52:52 -0400 Received: from admn0162 by mail0120 (NX5.67d/NeXT-2.0) id AA07752; Thu, 6 Apr 95 15:34:52 -0500 Received: by admn0162 (NX5.67d/NX3.0S) id AA03111; Thu, 6 Apr 95 15:34:52 -0500 Date: Thu, 6 Apr 95 15:34:52 -0500 From: Larry Kealey Message-Id: <9504062034.AA03111@admn0162> Received: by NeXT.Mailer (1.100.RR) Received: by NeXT Mailer (1.100.RR) To: "L. McCarthy" , firewalls@greatcircle.com Subject: Re: Systematic Nature of SATAN Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

**I stand corrected**

I have been viewing this thing as a "hacker" tool rather than a sysadmin tool, because it is not going to tell me anything I don't already know. Those people who have been looking at security, and keeping up on things, will not gain anything from using this tool (sysadmins). On the other hand, wannabe hackers will now have a tool with which they can get into real trouble...

LK

Begin forwarded message:

>From: "L.
McCarthy" Subject: Re: Systematic Nature of SATAN To: kealeyl@Phibro.COM Date: Thu, 6 Apr 1995 15:53:18 -0500 (EDT) In-Reply-To: <199504061853.LAA10492@miles.greatcircle.com> from "firewalls-digest-owner@GreatCircle.COM" at Apr 6, 95 11:53:51 am X-Mailer: ELM [version 2.4 PL22] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 791

> With regard to your look at SATAN, there is one thing I do like about
> SATAN, and that is the major flaw in its design - SATAN
> SYSTEMATICALLY scans a network, making it more easily detectable. It
> will make it easier for administrators to detect wannabe's who try to
> use this tool for hacking. As for the real crackers out there, well
> they have better stuff than satan to use...and they would probably
> not want to use this type of tool because of the detection factor.

I agree with everything you said, except for "that is the major flaw in its design". Since SATAN *is* designed for admins to check their systems, its tendency towards easier detectability surely counts as a (deliberate) feature, n'est-ce pas ?

-L.
Futplex McCarthy PGP key by finger or server From firewalls-owner Thu Apr 6 15:00:17 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA12534 for firewalls-outgoing; Thu, 6 Apr 1995 12:26:18 -0700 Received: from druid.reston.mci.net (druid.Reston.mci.net [204.70.128.42]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA12528 for ; Thu, 6 Apr 1995 12:26:15 -0700 Received: (from ddrew@localhost) by druid.reston.mci.net (8.6.9/8.6.6) id PAA04319; Thu, 6 Apr 1995 15:25:30 -0400 Date: Thu, 6 Apr 1995 15:25:30 -0400 Message-Id: <199504061925.PAA04319@druid.reston.mci.net> To: firewalls@GreatCircle.COM, casey@justice.usdoj.gov Subject: Re: V1 contact information From: ddrew@mci.net Sender: firewalls-owner@GreatCircle.COM Precedence: bulk V-One 12300 Twinbrook Parkway, Suite 235 Rockville, MD 20852 301/881-2297 -- FAX 301/881-5377 HTTP: www.v-one.com From firewalls-owner Thu Apr 6 15:26:45 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA19529 for firewalls-outgoing; Thu, 6 Apr 1995 15:11:59 -0700 Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA19519 for ; Thu, 6 Apr 1995 15:11:56 -0700 Received: from maestro.Maestro.COM by relay4.UU.NET with SMTP id QQykiq02012; Thu, 6 Apr 1995 18:12:12 -0400 Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA05418; Thu, 6 Apr 95 18:08:12 EDT Date: Thu, 6 Apr 1995 18:08:11 -0400 (EDT) From: Sick Puppy Subject: Where can I get Watcher? To: firewalls@GreatCircle.com Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk To go further with my research on the effectiveness of various firewalls, I need to get a copy of Watcher. Can someone lurking on the list, tell me where I can pick up a copy of Watcher? 
When I asked about Novell on the ids list I really got flamed, because their subscribers have the childish perspective that people are either sysadmins or hackers, whereas my experience indicates that many competent people are both. Please don't flame me here, I don't like being a hot dawg, just help out with Watcher.

Sick Puppy
the Cat_Eating_Dawg in the basement of Bellcore

From firewalls-owner Thu Apr 6 15:32:08 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA16357 for firewalls-outgoing; Thu, 6 Apr 1995 13:42:03 -0700 Received: from netcomsv.netcom.com (uumail3.netcom.com [163.179.3.53]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA16351 for ; Thu, 6 Apr 1995 13:41:59 -0700 Received: from gatenode.chipsi.com by netcomsv.netcom.com with SMTP (8.6.12/SMI-4.1) id NAA18907; Thu, 6 Apr 1995 13:39:29 -0700 Received: from fd02.chipsi.com by gatenode.chipsi.com; (5.65/1.1.8.2/09Dec94-1241PM) id AA30533; Thu, 6 Apr 1995 15:44:42 -0500 Received: by fd02.chipsi.com; (5.65/1.1.8.2/28Oct94-0841AM) id AA00751; Thu, 6 Apr 1995 15:44:39 -0500 Date: Thu, 6 Apr 1995 15:44:39 -0500 From: Donald L Ritchey Message-Id: <9504062044.AA00751@fd02.chipsi.com> To: firewalls@greatcircle.com In-Reply-To: <9504061755.AA22275@uvs1.orl.mmc.com> (padgett@tccslr.dnet.mmc.com) Subject: Re: Definitions (was http proxy on firewall) Reply-To: Don.Ritchey@chipsi.com Cc: padgett@tccslr.dnet.mmc.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Re: all the rage over the terminology of what is a "firewall".

It appears that we have become too specialized. (We have become victims of our own terminology.)
Everyone is used to speaking of a "firewall" as a "thing" which is all of a piece, when what we really need to do is to look at a firewall as an "object", which may be composed of multiple components (services), each of which may be housed on one or more machines of varying flavors and capacities (hosts or specialized thingies, like routers). The "bastion host", the "proxy server", the "filter/screening process/router", etc. are all objects that can make up a firewall, and depending on design, may or may not be present in separately identifiable packages (or even be present at all). Those are design issues, not requirements.

Let's not let this degenerate into a "vi vs. emacs"-style holy war of "my firewall's better than your screening router". For Pete's sake, they are all just tools, and like any tool, some jobs require a screwdriver and some are better suited for a hammer. Have we all forgotten the old saw: "When all you have is a hammer, all of your problems begin to look like nails."

Whew, now I feel much better. Now, let's get back to the real issue:

    How do we serve the customer (the real boss here) without
    letting them burn their fingers enough to get really hurt.

The user may not like the process of setting up for a proxy, but if we do it right, then the impact is minimal and can be done once at setup time. The rest of the time a tool should initialize itself from setup data that includes how to access the desired services transparently through a proxy or other protective device. If it is not that easy, then we haven't done our job right.

The use of a proxied service should be easy enough that the user doesn't see the need to circumvent it, and attempts to do so become security alert events and evidence of attempted misdeeds. If the security climate is so unwieldy and unusable that the user attempts to bypass it routinely, that in and of itself should be an indicator that the process needs more work.
Thank you for the use of the soapbox (I originally misspelled it as "sapbox", which is probably a Freudian slip of the fingers).

Live long and prosper,
Don

--
Don Ritchey CDR Computer Services Inc. (Contracted to PRC Public Sector Inc.) Tel # (312) 368-3634) (Chicago, IL 60606)
"You knew the job was dangerous when you took it..." - SuperChicken.

From firewalls-owner Thu Apr 6 15:33:51 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA17684 for firewalls-outgoing; Thu, 6 Apr 1995 14:24:48 -0700 Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA17679 for ; Thu, 6 Apr 1995 14:24:44 -0700 Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU via SMTP; Thu, 6 Apr 1995 17:24:49 -0400 Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-5.67b/res.client.cf-3.7) id AA28680; Thu, 6 Apr 1995 17:24:47 -0400 Date: Thu, 6 Apr 1995 17:24:47 -0400 From: long-morrow@CS.YALE.EDU (H Morrow Long) Message-Id: <199504062124.AA28680@SPARKY.CF.CS.YALE.EDU> To: firewalls@greatcircle.com, rjiang@akbs.com Subject: Re: SATAN Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Ruiyuan Jiang wrote:

> I downloaded SATAN and extracted it on a UNIX box. The readme file
> mentions that I need PERL 5.00 or better. Can anybody tell me what it is
> and where I can find it on the internet, please?

The best US site for PERL I've tried and used is:

    Host hpcsos.col.hp.com (15.255.240.16)   Last updated 07:45 28 Mar 1995
    Location: /mirrors/.sds0/gnu
      FILE  -r--r--r--  1130765 bytes  00:38 15 Mar 1995  perl5.001.tar.gz

> ............................................ I have NCSA Mosaic
> 2.0.0Beta 3 (latest up to now). Does SATAN run on a UNIX box, or can it run
> under MS-Windows on a PC? If it is just for UNIX, do I need NCSA Mosaic
> for X-Window, because normally I just use NCSA for MS-Windows. Thanks in
> advance.
The satan script starts up both the Web browser and a custom dedicated http server on the same Unix machine. I suspect that it also seeds the browser (or feeds the browser a URL with) an authentication code. I found that you can use the URL with the authentication code from another Web browser on a remote machine. The auth code appears to be the jumble of bytes between the server port number and the real file/pathname portion of the http URL (i.e. http://foo.bar.com:2679/dacb193ccac3708cfa4df35bc//usr/local/SATAN//html/running/satan_run_action.pl).

I've done the above using a remote X workstation, but there should be no reason that the remote machine couldn't be a Mac or PC, but you would have to get the magic cookie.

The comments in the perl/html.pl file indicate that the magic cookie auth is probably good enough for a local Web client running on the same machine as the server, since the client/server dialogue never goes out over the network, but this would not be true if you were to run the Web browser remotely.... and someone could potentially sniff the magic cookie and grab control of your Satan server.

Let's be careful out there.

- Morrow

From firewalls-owner Thu Apr 6 17:56:40 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA24049 for firewalls-outgoing; Thu, 6 Apr 1995 17:35:40 -0700 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA24044 for ; Thu, 6 Apr 1995 17:35:35 -0700 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA23787; Thu, 6 Apr 95 20:27:00 -0400 Date: Thu, 6 Apr 95 20:27:00 -0400 Message-Id: <9504070027.AA23787@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E.
Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: Daffynitions (was Definitions) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Don rote: >Have we all forgotten the old saw: "When all you have is a hammer, all of >your problems begin to look like nails." And the user's/sysadmin's/journalist's corollary: "When you are a nail, everything coming at you starts to look like a hammer." Warmly, Padgett ps "The Book" by B&C - "Zenith TransOceanic - the Royalty of Radios" by John Bryant & Harold Cones - plug From firewalls-owner Thu Apr 6 18:16:32 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA24208 for firewalls-outgoing; Thu, 6 Apr 1995 17:48:17 -0700 Received: from relay.tis.com (relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id RAA24203 for ; Thu, 6 Apr 1995 17:48:13 -0700 Received: from mailhub.tis.com(192.33.112.100) by relay.tis.com via smap (a1.4) id sma022390; Thu Apr 6 20:47:35 1995 Received: from (illuminati.tis.com) by tis.com (4.1/SUN-5.64) id AA20103; Thu, 6 Apr 95 20:47:22 EDT Received: by (4.1/illuminati) id AA09608; Thu, 6 Apr 95 20:53:40 EDT From: "Marcus J. Ranum" Message-Id: <9608.9504070053@illuminati> Subject: Re: Definitions (was http proxy on firewall) To: Don.Ritchey@chipsi.com Date: Thu, 6 Apr 1995 20:53:39 -0400 (EDT) Cc: firewalls@greatcircle.com, padgett@tccslr.dnet.mmc.com In-Reply-To: <9504062044.AA00751@fd02.chipsi.com> from "Donald L Ritchey" at Apr 6, 95 03:44:39 pm Organization: Trusted Information Systems, Inc. Glenwood, MD Phone: 301-854-6889 Coredump: Infocalypse Now!!! Content-Type: text Content-Length: 517 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Whew, now I feel much better. Now, let's get back to the real issue: > > How do we serve the customer (the real boss here) without > letting them burn their fingers enough to get really hurt. What is "the customer" in the sentence above? 
The real issue is that a firewall admin has several "customers" namely: 1) Organization policy (if one) 2) Upper management 3) System users Sometimes all 3 of these are in conflict. Knowing who "the customer" is can be difficult but is very important. :) mjr. From firewalls-owner Thu Apr 6 18:26:55 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA24434 for firewalls-outgoing; Thu, 6 Apr 1995 18:04:08 -0700 Received: from sequoia.itd.uts.EDU.AU (sequoia.itd.uts.EDU.AU [138.25.16.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA24250 for ; Thu, 6 Apr 1995 17:55:19 -0700 Received: from lordmuck.itd.uts.edu.au by sequoia.itd.uts.EDU.AU with SMTP id AA02510 (5.65c/IDA-1.4.4 for ); Fri, 7 Apr 1995 10:46:36 +1000 Received: by lordmuck.itd.uts.edu.au (5.x/SMI-SVR4) id AA26166; Fri, 7 Apr 1995 10:44:43 +1000 From: matt@uts.EDU.AU (Jas (Matthew K)) Message-Id: <9504070044.AA26166@lordmuck.itd.uts.edu.au> Subject: Re: SATAN on Solaris To: bret@real.com (Bret McDanel) Date: Fri, 7 Apr 1995 10:44:42 +1000 (EST) Cc: firewalls@greatcircle.com, laurent@grafnetix.qc.ca In-Reply-To: <199504061230.IAA04363@real.com> from "Bret McDanel" at Apr 6, 95 08:30:02 am X-Gc: GCV 2.1 GAT/M/CS d--(-+) H-- s++:-- g+ p? !au a-(?) w+++ v+ C+++$ X-Gc: UVS++++$ P+>+++ L- 3+++ E-(++) N++ K W--- M+ V-- -po+(+) Y+ t+ X-Gc: !5++ jx R+ G? !tv b+++ D++ B e+ u--(**) h- f+(*) r n- !y X-Ph: ph: +61 2 330 1390 fax: +61 2 330 1999 home: +61 2 416 5722 X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Bret McDanel wrote this... > > > Hi, > > > > Does this thing work on Solaris or not? I'm running Solaris 2.4 with > > NIS+ and I get the following message when i try to do a normal probe: > > > > rpcinfo: can't contact portmapper: RPC: Rpcbind failure - RPC: Failed > > (unspecified error) > > > > I get a lot of timeout errors. 
So far, it seems pretty useless to me.
> > Anyone have an idea why it's not working?
> >
> > I also get a
> >
> > showmount: RPC: Procedure unavailable
> >
>
> As I understand NIS+, it uses secure RPC calls, as well as some encryption..
> If SATAN isn't trying to do the same, it won't be able to interface
> with the portmapper and get a valid result..
>
> Of course I am new to NIS+ (only went over it 1 day in a Slowaris SA class,
> and haven't used it since), so I could be mistaken..
>

access to rpcbind is never encrypted... all that NIS+ ever uses rpcbind for is

  a) finding what port rpc.nisd is on.
  b) synchronising the clocks between the two machines for short lived credentials.

apart from those two things NIS+ rarely uses rpcbind at all (rpc.nisd handles all the nisdb calls into the database).

Matt
--
#!/bin/sh
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc;exit
Matthew Keenan   Systems Programmer   Information Technology Division   University of Technology Sydney   Australia
It's nice to be in a position where people apologize because they assume there's humor in your work, based on past experience, but they're not sure where it is.
-- Rob Pike

From firewalls-owner Thu Apr 6 18:57:56 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA26106 for firewalls-outgoing; Thu, 6 Apr 1995 18:47:21 -0700 Received: from sequoia.itd.uts.EDU.AU (sequoia.itd.uts.EDU.AU [138.25.16.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA25743 for ; Thu, 6 Apr 1995 18:38:29 -0700 Received: from lordmuck.itd.uts.edu.au by sequoia.itd.uts.EDU.AU with SMTP id AA03798 (5.65c/IDA-1.4.4 for ); Fri, 7 Apr 1995 11:12:40 +1000 Received: by lordmuck.itd.uts.edu.au (5.x/SMI-SVR4) id AA26249; Fri, 7 Apr 1995 11:04:20 +1000 From: matt@uts.EDU.AU (Jas (Matthew K)) Message-Id: <9504070104.AA26249@lordmuck.itd.uts.edu.au> Subject: Re: SATAN on Solaris To: bdamicro!scott@Sun.COM (Scott Abrutyn) Date: Fri, 7 Apr 1995 11:04:19 +1000 (EST) Cc: firewalls@greatcircle.com, bret@real.com, laurent@grafnetix.qc.ca In-Reply-To: <9504061423.AA17239@constellation.tolkein> from "Scott Abrutyn" at Apr 6, 95 11:23:57 am X-Gc: GCV 2.1 GAT/M/CS d--(-+) H-- s++:-- g+ p? !au a-(?) w+++ v+ C+++$ X-Gc: UVS++++$ P+>+++ L- 3+++ E-(++) N++ K W--- M+ V-- -po+(+) Y+ t+ X-Gc: !5++ jx R+ G? !tv b+++ D++ B e+ u--(**) h- f+(*) r n- !y X-Ph: ph: +61 2 330 1390 fax: +61 2 330 1999 home: +61 2 416 5722 X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Scott Abrutyn wrote this...
>
> > Of course I am new to NIS+ (only went over it 1 day in a Slowaris SA class,
> > and haven't used it since), so I could be mistaken..
>
> misinformation fyi to the group,
> NIS+ only uses secure RPC mode if you configure it that way. The default
> is not secure RPC.

this is direct from Name Services Administration Guide p94 (Solaris 2.4 documentation).

    2   Security level 2, the default, is the highest level of security
        currently provided by NIS+. It only authenticates requests that
        use DES credentials.
        Requests that use LOCAL credentials or none at all are assigned
        the access rights granted to the Nobody class. Requests that use
        invalid DES credentials are denied.

DES credentials use SecureRPC. The net effect of this minus all the tech speak is that NIS+ uses SecureRPC by default; why else would you give every user SecureRPC credentials?

Matt
--
#!/bin/sh
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc;exit
Matthew Keenan   Systems Programmer   Information Technology Division   University of Technology Sydney   Australia
It's nice to be in a position where people apologize because they assume there's humor in your work, based on past experience, but they're not sure where it is.
-- Rob Pike

From firewalls-owner Thu Apr 6 19:27:54 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA26743 for firewalls-outgoing; Thu, 6 Apr 1995 19:03:04 -0700 Received: from afterlife.ncsc.mil (afterlife.ncsc.mil [144.51.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id TAA26733 for ; Thu, 6 Apr 1995 19:03:00 -0700 Received: (from dpkemp@localhost) by afterlife.ncsc.mil (8.6.12/8.6.6) id WAA13564; Thu, 6 Apr 1995 22:03:18 -0400 Date: Thu, 6 Apr 1995 22:03:18 -0400 From: "David P. Kemp" Message-Id: <199504070203.WAA13564@afterlife.ncsc.mil> To: firewalls@greatcircle.com Subject: Re: Detecting failures In-Reply-To: <9504051817.AA17496@uvs1.orl.mmc.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>>Matt rites:
>>>Since this router has some filtering capabilities, I won't even
>>>be able to see any attacks that don't make it through the router. Do I
>>>care? Not really, I just want to know what does make it through.

If the router has some filtering capabilities, perhaps it also has the ability to log packets that are rejected? If so, you could have some warning of an attack without letting any of the nasties inside.
Padgett's favorite architecture may be a "minefield" of PCs, each one looking for a single bad address, but a more effective solution is to simply have the router alarm every invalid destination address in your net (as well as things like source addresses that belong to you coming from the outside, etc). If your current router doesn't have a filter language that supports alarms, packet logs, and per-interface address checking, maybe your next one will :-).

From firewalls-owner Thu Apr 6 20:57:52 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA29920 for firewalls-outgoing; Thu, 6 Apr 1995 20:56:26 -0700 Received: from darwin.technet.sg (darwin.technet.sg [192.169.33.111]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id UAA29913 for ; Thu, 6 Apr 1995 20:56:21 -0700 Received: (jseng@localhost) by darwin.technet.sg (8.6.11/8.6.5) id LAA06844; Fri, 7 Apr 1995 11:58:19 +0800 Date: Fri, 7 Apr 1995 11:58:19 +0800 (SST) From: James Seng To: Larry Kealey cc: "L. McCarthy" , firewalls@GreatCircle.COM Subject: Re: Systematic Nature of SATAN In-Reply-To: <9504062034.AA03111@admn0162> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thu, 6 Apr 1995, Larry Kealey wrote:

> I have been viewing this thing as a "hacker" tool rather than a
> sysadmin tool, because it is not going to tell me anything I don't
> already know. Those people who have been looking at security, and
> keeping up on things will not gain anything from using this tool
> (sysadmins). On the other hand, wannabe hackers will now have a tool
> with which they can get into real trouble...

On the other hand, it is a sysadmin tool, because it is not going to tell any true hacker anything which they didn't know. Those people who have been looking at security, and keeping up with things, will not gain anything from using this tool (hackers).
On the other hand, hundreds of clueless sysadmins (who by trick of fate got themselves in it) will have a tool with which they can solve their problem.

OK.. so let's stop this nonsense on SATAN good... SATAN bad. It is a double-edged tool, which the authors say so themselves.

-James Seng (jseng@technet.sg)

From firewalls-owner Thu Apr 6 22:26:37 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id WAA01566 for firewalls-outgoing; Thu, 6 Apr 1995 22:16:11 -0700 Received: from ibminet.awdpa.ibm.com (ibminet.awdpa.ibm.com [192.35.233.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id WAA01542 for ; Thu, 6 Apr 1995 22:16:05 -0700 Received: by ibminet.awdpa.ibm.com (5.61/1.15) id AA07152; Thu, 6 Apr 95 21:25:24 -0800 Received: from zork.aix.ch.ibm.com by ibmpa.awdpa.ibm.com (5.65b(em1)/2.06) id AA07253; Thu, 6 Apr 95 21:15:48 -0800 Received: by zork.aix.ch.ibm.com (AIX 3.2/UCB 5.64/4.03) id AA26664; Fri, 7 Apr 1995 07:15:20 +0200 Message-Id: <9504070515.AA26664@zork.aix.ch.ibm.com> X-Mailer: exmh version 1.5.3 12/28/94 From: Peter Bruderer To: firewalls@greatcircle.com Subject: SATAN Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 07 Apr 95 07:15:19 +0100 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I can't hear this word anymore!!!

Yes it is a nice tool, yes it works fine, yes ....

But please move this discussion to another forum. This has absolutely nothing to do with firewalls!!!!!

If you find a hole in your firewall using SATAN, then you can report it. But only then.

have fun ...
Peter Bruderer ====================================================================== Peter Bruderer | E-Mail: brudy@ch.ibm.com | voice: +41 +1 436 63 40 IBM Switzerland | OV/VM: PBRU at CHVM1 | fax : +41 +1 436 85 25 Hohlstrasse 560 | | CH-8048 Zurich | | ====================================================================== From firewalls-owner Fri Apr 7 02:57:06 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id CAA05434 for firewalls-outgoing; Fri, 7 Apr 1995 02:28:07 -0700 Received: from bi.fish.com (bi.fish.com [140.174.97.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id CAA05429 for ; Fri, 7 Apr 1995 02:27:59 -0700 Received: (from zen@localhost) by bi.fish.com (8.9.1 (Alpha)/1.0.23) id CAA28402; Fri, 7 Apr 1995 02:27:55 -0700 Date: Fri, 7 Apr 1995 02:27:55 -0700 From: d Message-Id: <199504070927.CAA28402@bi.fish.com> To: firewalls@greatcircle.com In-reply-to: kealeyl@phibro.com's message of 6 Apr 1995 12:18:55 -0700 Subject: Re: I had a look at SATAN... Organization: Vicious Fishes Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > As I heard it, Dan Farmer lost his job because his employers did not > feel that he could devote all his time to SATAN [pardon the pun] and > still take care of his job...which I think is a really valid > point....so I don't believe creating SATAN cost Dan Farmer his job, I > think he made a decision with his employer to part ways - because the > work [at SG] was not what he [Dan] wanted to do. > ...at least thats how Dan and SG tell it... That's not true, and I never said that. Let's put it plainly - I'm not working at sgi essentially because I wanted to give it away and they didn't want me to. It had *nothing* to do with me spending too much time on satan or anything else non sgi related. 
Sgi said something to the effect that they were concerned that I might do so in one press story, but I wouldn't sign our final agreement until they called up the paper and said that that was incorrect (someone who was ill-informed had talked to the press.) For what it's worth, sgi told me in no uncertain terms that they were happy with my work. I should probably just stay out of this, but for what it's worth, that's how I see/saw it. Yeah, not much about firewalls... oh well. -- d From firewalls-owner Fri Apr 7 04:56:44 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA07006 for firewalls-outgoing; Fri, 7 Apr 1995 04:41:11 -0700 Received: from erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id EAA07001 for ; Fri, 7 Apr 1995 04:41:08 -0700 Posted-Date: Fri, 7 Apr 1995 07:41:24 -0400 From: "Bryan D. Boyle" Message-Id: <9504070741.ZM7028@maverick.erenj.com> Date: Fri, 7 Apr 1995 07:41:24 -0400 In-Reply-To: "Marcus J. Ranum" "Re: Definitions (was http proxy on firewall)" (Apr 6, 8:53pm) References: <9608.9504070053@illuminati> X-Phone: (908) 730-3338 X-Saying: Strange problems call for strange solutions. X-Face: "Pd&4kXWsi"3Hc_Y~I-ts24DN$w~Hh)&L-P9DZvE"~_~m),~Y&N_]TUIM*4.r@z$SxVL]}v=+IP>Fuq{zx%{KKj"Kys1Q5{|m*l}:[T;N:/=@5[xOIpR$%skp$f0#6^j\1+ -?l%Yk/+S8Y!3J@{~!Ao4-COV:Ft}{]oZ&1=!@<>UIh2s X-Mailer: Z-Mail (3.2.0 06sep94) To: firewalls@greatcircle.com Subject: Re: Definitions (was http proxy on firewall) Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Apr 6, 8:53pm, Marcus J. Ranum wrote: > Subject: Re: Definitions (was http proxy on firewall) > >Whew, now I feel much better. Now, let's get back to the real issue: > > > > How do we serve the customer (the real boss here) without > > letting them burn their fingers enough to get really hurt. > > What is "the customer" in the sentence above? 
The real
> issue is that a firewall admin has several "customers" namely:
>
> 1) Organization policy (if one)
> 2) Upper management
> 3) System users
>
> Sometimes all 3 of these are in conflict. Knowing who
> "the customer" is can be difficult but is very important. :)

Oh, I would think that if #2 says that #1 is the key issue here, then the #3s will just have to deal with it or find another place to access the net from. Either way, someone is not going to be totally happy. Kind of draconian, but one does have to look at whose signature is at the bottom of the paycheck...:)

--
Bryan D. Boyle         |The Moving Finger writes,and having writ, moves on.
#include               |Nor all your Piety nor Wit can call it back to cancel
EMAIL: bdboyle@erenj.com |Half a line, or all your tears wash out a Word of it.
--------------http://www.access.digex.net/~bdboyle/index.html---------------

From firewalls-owner Fri Apr 7 05:59:29 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA07997 for firewalls-outgoing; Fri, 7 Apr 1995 05:33:29 -0700 Received: from real.com (eagle.real.com [199.97.122.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id FAA07992 for ; Fri, 7 Apr 1995 05:33:23 -0700 Date: Fri, 7 Apr 1995 08:32:36 -0400 From: bret@real.com (Bret McDanel) Received: by real.com (8.6.8.1/3.2.012693-Realistic Technologies Inc); id IAA22160 for firewalls@greatcircle.com; Fri, 7 Apr 1995 08:32:36 -0400 Message-Id: <199504071232.IAA22160@real.com> To: firewalls@greatcircle.com Subject: Xhost type security Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I was playing around yesterday with a program or two that captures the display and or key strokes off an Xserver.. I noticed that on the PC's that we have there is no way to prevent Xclients from connecting.. The software that they are running is NCD's PC-Xware..
Now, this machine sits behind a firewall so it is not totally open, but I was wondering if anyone knew of any other software for MS Windows that will allow an Xconnection, based on some type of authentication? Or a way to prevent connections to it?

Thank you

From firewalls-owner Fri Apr 7 06:19:21 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA08039 for firewalls-outgoing; Fri, 7 Apr 1995 05:35:22 -0700 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA08021 for ; Fri, 7 Apr 1995 05:35:16 -0700 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA25251; Fri, 7 Apr 95 08:18:44 -0400 Date: Fri, 7 Apr 95 08:18:44 -0400 Message-Id: <9504071218.AA25251@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: re: Detecting Failures Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>Padgett's favorite architecture may be a "minefield" of PCs, each
>one looking for a single bad address, but a more effective solution
>is to simply have the router alarm every invalid destination address
>in your net (as well as things like source addresses that belong to
>you coming from the outside, etc).

a) didn't say was my favourite, just cheap and easy, can also assign multiple addresses for each to watch for/record (essentially a smart sniffer). Router is best place to detect outside incursions, but an access point on each subnet is needed to detect things happening on the inside. Of course we all trust all of our employees/students/visitors/subcontractors/ temps right ?

b) agree entirely, such things should be built into the collection of components that make up a firewall, just not everyone has that option. For many, an old mono 8088 with a 3C503 (street value around $30) is all you need.

Maybe I live in a unique situation.
Dunno. Am badged to Security by choice and do not control a single firewall/router/etc other than the two PCs in my office (and have use of SUN, VAX, 3090, Cisco etc if necessary - usually don't need except to show we don't need them). Do make recommendations/demo/audit and some people seem to listen. Major turning point in my career was when people stopped demanding to know "why" and just required "what do we do".

Warmly,
Padgett

From firewalls-owner Fri Apr 7 06:57:29 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA09082 for firewalls-outgoing; Fri, 7 Apr 1995 06:30:15 -0700
Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA09077 for ; Fri, 7 Apr 1995 06:30:12 -0700
Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU via SMTP; Fri, 7 Apr 1995 09:30:22 -0400
Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-5.67b/res.client.cf-3.7) id AA01222; Fri, 7 Apr 1995 09:30:21 -0400
Date: Fri, 7 Apr 1995 09:30:21 -0400
From: long-morrow@CS.YALE.EDU (H Morrow Long)
Message-Id: <199504071330.AA01222@SPARKY.CF.CS.YALE.EDU>
To: firewalls@greatcircle.com, ibmpa!ch.ibm.com!brudy@ibminet.awdpa.ibm.com
Subject: SATAN: Feel free to move the Satan discussion to Sneakers@CS.Yale.EDU
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Feel free to move the continuing discussion of the SATAN package to the "Sneakers@CS.Yale.EDU" mailing list, a list for discussing "tiger teams" as well as TCP/IP and Internet network security auditing tools. Brent hadn't complained about the Satan traffic in Firewalls; the discussion was timely and relevant and deserved a large distribution just after Satan was released, so I didn't bring this up earlier. But now some readers appear annoyed with the continuing Satan discussion in Firewalls, so I thought I'd offer.
For more information about the "Sneakers" mailing list send email to Sneakers-Request@CS.Yale.EDU with "info" in the body of the message or load your Web browser with the URL: http://www.cs.yale.edu/HTML/YALE/CS/HyPlans/long-morrow/sneakers.html

H. Morrow Long, Mgr of Dev., Yale Univ., Comp Sci Dept, 011 AKW, New Haven, CT 06520-8285
VOICE: (203)-432-{1248,1254} FAX: (203)-432-0593
INET: Long-Morrow@CS.Yale.EDU UUCP: yale!Long-Morrow BITNET: Long-Morrow@YaleCS
WWW: http://www.cs.yale.edu/HTML/YALE/CS/HyPlans/long-morrow.html

>From: Peter Bruderer
>To: firewalls@greatcircle.com
>Subject: SATAN
>
>I can't hear this word anymore!!!
>
>Yes it is a nice tool, yes it works fine, yes ....
>
>But please move this discussion to another forum. This has absolutely nothing
>to do with firewalls!!!!!
>
>If you find a hole in your firewall using SATAN, then you can report it.
>But only then.
>
>
>have fun ...
> Peter Bruderer
>

From firewalls-owner Fri Apr 7 07:17:45 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA09654 for firewalls-outgoing; Fri, 7 Apr 1995 06:54:05 -0700
Received: from aztec.co.za (aztec.co.za [196.7.70.131]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA09649 for ; Fri, 7 Apr 1995 06:53:59 -0700
Received: from jbarnes.aztec.co.za by aztec.co.za with smtp (Smail3.1.28.1 #17) id m0rxESA-000KdeC; Fri, 7 Apr 95 15:52 EET
Message-Id:
Date: Fri, 7 Apr 95 15:52 EET
X-Sender: jbarnes@aztec.co.za
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: jbarnes@aztec.co.za (Jay Barnes)
Subject: New gloabal company problem
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We (Old Mutual) are a South African (Cape Town based) financial organisation who are "going global". We are a traditional mainframe/mini/PC/LAN environment, with Netbeui and IPX being the predominant LAN protocols.
We are slowly (oh *SO* slowly) converting to TCP/IP, but our skills in this are limited, and our Unix skills are less.

Basic problem. We have been allocated a single Class B address. We anticipate having several hundred subnets and several thousand nodes (in fact, we do already), and there is no way to accommodate our routing and addressing problems in one Class B address. (OK, there may be with some *REALLY* clever subnet masking, but that will take a lot of management in areas where, quite frankly, managing the on/off switch is going to be a problem.)

RFC 1597 (global addresses) seems a potential cure, except that we most definitely DO want to connect to the Internet. We can put our Web pages on a friendly Service Provider, who will also (I think) carry any DNS service we need, but our users want, in particular, email, FTP, Archie, etc. We have routers available (Cray - what d'ya mean you never heard of 'em), and a Sun with Firewall-1 (still to be evaluated, but purchasable if suitable).

Basic question. If we use RFC 1597 addresses, how do we connect to the Net? Do proxies, application gateways, whatever, do address translation, so that only our official address gets published? If so, how easy is it to relate that internal address to external address, on a per session basis, so that we can audit the use (and abuse!) of the service? (A man's gotta make a livin', no?)

I realise that this is pretty basic to you *fiends & fundies* out there, but we are at the bottom end of Africa, and sometimes it shows!

Looking forward to any replies, and remember, I'd rather be sailing, and by the time you get this, I probably will be!
Jay Barnes
jbarnes@aztec.co.za
Jay Barnes

From firewalls-owner Fri Apr 7 08:26:46 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA11079 for firewalls-outgoing; Fri, 7 Apr 1995 07:48:03 -0700
Received: from iss.net (iss.iss.NET [204.241.60.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA11049 for ; Fri, 7 Apr 1995 07:47:56 -0700
Received: (from cklaus@localhost) by iss.net (8.6.4/8.6.4) id LAA18625; Fri, 7 Apr 1995 11:04:13 -0700
From: Christopher Klaus
Message-Id: <199504071804.LAA18625@iss.net>
Subject: SATAN ATTACKS EVERYWHERE
To: firewalls@greatcircle.com, bugtraq@fc.net
Date: Fri, 7 Apr 1995 11:04:12 +1494730 (PDT)
X-Mailer: ELM [version 2.4 PL20]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2481
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hey, are we still here?? Looks like we survived the numerous attacks from hordes of hackers armed with SATAN with the only desire to pillage and pilfer everyone's networks. The Internet has survived another mega hype negative story!

For some reason, I really can't see tons of hackers using SATAN for several reasons:

1. It is HUGE. It eats up tons of disk and ram space. When I tried to load up SATAN's demo information on a 16 meg machine here, it crashed from not having enough RAM. It requires 32 megs. (And I thought Windows was a memory hog). Like the administrator won't notice he only has 1 meg of ram left.

2. It requires installing other packages like perl. Most hackers aren't able to run anything unless it's a no brainer script. "Gee the bad thing is we've been hacked and someone used SATAN, the good thing is that we got perl5 and a web browser installed."

3. Since you have to use a web browser, you have to either run SATAN from the console (umm, really stupid hacker scanning from his own machine) or redirect the X Display to his own machine (still really stupid).
Who knows, I wouldn't be surprised if some hacker wanna-be does use SATAN. Maybe CERT can tell us if they have seen a dramatic increase in breakins now that SATAN is released?

Hey, I am glad that SATAN really isn't the ideal hacker tool, but I wanted to point out (contrary to News Media) that SATAN is not the tool that will shut down the Internet.

On a side note, I have released ISS 1.3 which is available on ftp.iss.net /pub/iss/iss13.tar.gz which includes many more checks than what SATAN has specified. Also, it doesn't require installing any other outside packages, is in C, and doesn't require large amounts of ram nor disk space.

Here are other sites that have volunteered to mirror ISS 1.3:

ftp.denet.dk /pub/security/tools/iss/
ftp.barrnet.net /security/tools/iss
ftp://ftp.csc.ncsu.edu/pub/security/iss/iss13.tar.gz
ftp://cch-lis.com/pub/firewall/iss
ftp.ci.uminho.pt /pub/security/iss
owens.ridgecrest.ca.us/users1/ftp/pub/unix/iss13.tar.gz
ftp://ftp.net.ohio-state.edu/pub/security/iss (Has ISS Security FAQs as well)
ftp.interaccess.com
ftp.msri.org
ftp.gbnet.net /pub/security/iss

Cheers,
Christopher
--
Christopher William Klaus Voice: (404)441-2531. Fax: (404)441-2431
Internet Security Systems, Inc.
Computer Security Consulting
2000 Miller Court West, Norcross, GA 30071
========================< http://iss.net/~iss >=========================

From firewalls-owner Fri Apr 7 08:27:04 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA11455 for firewalls-outgoing; Fri, 7 Apr 1995 08:06:07 -0700
Received: from ismael.gmv.es (ismael.gmv.es [193.127.51.205]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA11449 for ; Fri, 7 Apr 1995 08:05:53 -0700
Received: (from smap@localhost) by ismael.gmv.es (8.6.9/1.1) id RAA28401; Fri, 7 Apr 1995 17:08:05 +0200
Received: from eonwe.gmv.es(193.127.48.8) by ismael.gmv.es via smap (V1.3) id sma028392; Fri Apr 7 17:08:05 1995
Received: from flores.gmv.es by gmv.es (4.1/GMV-1.8) id AA29764; Fri, 7 Apr 95 17:05:55 +0200
Date: Fri, 7 Apr 95 17:05:55 +0200
From: jsanchez@gmv.es (Julio Sanchez)
Message-Id: <9504071505.AA29764@gmv.es>
Received: by flores.gmv.es (4.1/SMI-4.1) id AA10879; Fri, 7 Apr 95 17:05:54 +0200
To: jbarnes@aztec.co.za
Cc: firewalls@GreatCircle.COM
In-Reply-To: (jbarnes@aztec.co.za)
Subject: Re: New gloabal company problem
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: Fri, 7 Apr 95 15:52 EET
> From: jbarnes@aztec.co.za (Jay Barnes)
>
> RFC 1597 (global addresses) seems a potential cure, except that we most
> definitely DO want to connect to the Internet. We can put our Web pages on
> a friendly Service Provider, who will also (I think) carry any DNS service
> we need, but our users want, in particular, email, FTP, Archie, etc. We
> have routers available (Cray - what d'ya mean you never heard of 'em), and a
> Sun with Firewall-1 (still to be evaluated, but purchaseable if suitable).
>
> Basic question. If we use RFC 1597 addresses, how do we connect to the Net?
> Do proxies, application gateways, whatever, do address translation, so that
> only our official address gets published?
> If so, how easy is it to relate
> that internal address to external address, on a per session basis, so that
> we can audit the use (and abuse!) of the service? (A man's gotta make a
> livin', no?)

As far as I know, you can do what you want with the TIS software and you cannot do it with FireWall-1. For other packages, I have no direct experience and cannot comment, but I am pretty sure that someone will fill the gap...

As an aside, it is funny to see how organizations that actually manage to get a class B find it small...

Julio
--
Julio Sanchez, GMV SA, Isaac Newton 11, PTM Tres Cantos, E-28760 Madrid, Spain
Ph. +34 1 807 21 85  | jsanchez@gmv.es              | Traveller, there is no
Fax +34 1 807 21 99  | jsanchez%gmv.es@Spain.EU.net | path; paths are made by
Telex 48487 GMEV E   | Julio_Sanchez_GMV@EuroKom.ie | walking (A. Machado)

From firewalls-owner Fri Apr 7 10:12:33 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA13619 for firewalls-outgoing; Fri, 7 Apr 1995 09:55:01 -0700
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA13614 for ; Fri, 7 Apr 1995 09:54:59 -0700
Received: from SERV04.SLAC.STANFORD.EDU by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950108) id JAA00287; Fri, 7 Apr 1995 09:54:50 -0700
Received: from mailbox.SLAC.Stanford.EDU by SERV04.SLAC.STANFORD.EDU (PMDF V5.0-1 #6987) id <01HP1XG37RHS00019K@SERV04.SLAC.STANFORD.EDU>; Fri, 07 Apr 1995 09:53:15 -0700 (PDT)
Received: from charon.SLAC.Stanford.EDU (CHARON.SLAC.Stanford.EDU [134.79.240.51]) by mailbox.SLAC.Stanford.EDU (8.6.11/8.6.11) with ESMTP id JAA19709; Fri, 07 Apr 1995 09:53:08 -0700
Received: (jxh@localhost) by charon.SLAC.Stanford.EDU (8.6.11/8.6.11) id JAA23947; Fri, 07 Apr 1995 09:53:07 -0700
Date: Fri, 07 Apr 1995 09:53:07 -0700
From: John Halperin
Subject: Re: New gloabal company problem
In-reply-to: (jbarnes@aztec.co.za)
To: jbarnes@aztec.co.za
Cc:
firewalls@GreatCircle.COM
Message-id: <199504071653.JAA23947@MAILBOX.SLAC.Stanford.EDU>
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Basic problem. We have been allocated a single Class B address. We
> anticipate having several hundred subnets and several thousand nodes (in
> fact, we do already), and there is no way to accomodate our routing and
> addressing problems in one Class B address. (OK, there may be with some
> *REALLY* clever subnet masking, but that will take a lot of management in
> areas where, quite frankly, managing the on/off switch is going to be a
> problem.)

If your internal routers can use a newer route-distribution protocol such as OSPF, you can set up subnets with different size subnet masks. That could be a big help in partitioning your 64K IP addresses. (That's my understanding, but I haven't tried this myself.)
--
John Halperin
SLAC (Stanford Linear Accelerator Center) Network Group

From firewalls-owner Fri Apr 7 10:37:19 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA13486 for firewalls-outgoing; Fri, 7 Apr 1995 09:44:35 -0700
Received: from ussenterprise.async.vt.edu (ussenterprise.async.vt.edu [128.173.20.101]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA13475 for ; Fri, 7 Apr 1995 09:44:26 -0700
Received: (bicknell@localhost) by ussenterprise.async.vt.edu (8.6.12/8.6.4) id MAA15817; Fri, 7 Apr 1995 12:41:14 -0400
From: Leo Bicknell
Message-Id: <199504071641.MAA15817@ussenterprise.async.vt.edu>
Subject: Re: SATAN ATTACKS EVERYWHERE
To: cklaus@iss.net (Christopher Klaus)
Date: Fri, 7 Apr 1995 12:41:13 -0400 (EDT)
Cc: firewalls@GreatCircle.COM, bugtraq@fc.net
In-Reply-To: <199504071804.LAA18625@iss.net> from "Christopher Klaus" at Apr 7, 95 11:04:12 am
X-Mailer: ELM [version 2.4 PL22]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2700
Sender:
firewalls-owner@GreatCircle.COM
Precedence: bulk

> Hey, are we still here?? Looks like we survived the numerous attacks
> from hordes of hackers armed with SATAN with the only desire
> to pillage and pilfer everyone's networks. The Internet has survived
> another mega hype negative story!

While I'll agree it's hype, I'll disagree with your logic for several reasons:

> 1. It is HUGE. It eats up tons of disk and ram space. When I tried to
> load up SATAN's demo information on a 16 meg machine here, it crashed
> from not having enough RAM. It requires 32 megs . (And I thought
> Windows was a memory hog). Like the administrator won't notice he only
> has 1 meg of ram left.

All the CS undergrads here have an account on a machine with more than enough resources (over 600 megs total RAM + Swap), and almost all of our lab machines can run it no problem. If they only scanned a few machines and then removed it we probably would not notice, save the fact we are using courtney to log such things.

> 2. It requires installing other packages like perl. Most hackers aren't
> able to run anything unless it's a no brainer script. "Gee the bad thing
> is we've been hacked and someone used SATAN, the good thing is that we
> got perl5 and a web browser installed."

Again, all of our machines have Perl 5 and Web browsers (5 I think) installed for Administrative purposes/class use. With the tools there it is a no-brainer script.

> 3. Since you have to use a web browser, you have to either run SATAN from
> the console (umm, really stupid hacker scanning from his own machine) or
> redirect the X Display to his own machine (still really stupid).

Who knows, Lynx, a text browser, works great. Plus, SATAN can be used from the command line to scan, and then the resulting data files can be downloaded to a local machine to view; if you're really crazy you can look at the database yourself, it's all in ASCII, and not too hard to read.
> Hey, I am glad that SATAN really isn't the ideal hacker tool, but I wanted
> to point out (contrary to News Media) that SATAN is not the tool that
> will shut down the Internet.

I agree, within a week all the holes it checks for will be fixed on almost every machine in existence. My largest fear is since it's so extendable that some people will add new modules that scan for other things and make them so easy to add in all the lusers will pick them up.

> On a side note, I have released ISS 1.3 which is available on ftp.iss.net
> /pub/iss/iss13.tar.gz which includes many more checks than what SATAN
> has specified. Also, it doesn't require installing any other outside packages,
> is in C, and doesn't require large amounts of ram nor disk space.

*wanders off to ftp*

From firewalls-owner Fri Apr 7 11:48:42 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA14449 for firewalls-outgoing; Fri, 7 Apr 1995 10:40:08 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA14433 for ; Fri, 7 Apr 1995 10:40:02 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA26551; Fri, 7 Apr 95 13:24:02 -0400
Date: Fri, 7 Apr 95 13:24:01 -0400
Message-Id: <9504071724.AA26551@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: The Software that ate Sunnyvale (was S attacks everywhere)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Christopher writes in part:

>1. It is HUGE. It eats up tons of disk and ram space...
>2. It requires installing other packages like perl...
>3. Since you have to use a web browser, you have to either run SATAN from
> the console ...

You noticed that.
However just because that is true of the current version, does not mean that it will not be ported elsewhere. v1.0 of *anything* rarely resembles a real product (the miracle is not that it works so well, the miracle is that it works at all). Perhaps we should thank Dan for making it so feature-rich.

Truth is that I do not see anything in there that cannot be accomplished with a notebook PC (not offering to do it, isn't what I get paid for and have better things to do with spare time). Nor is the Mosaic stuff anything but a pretty. However it is a template for the wannabees who can read the code that says Do this then do this...

Figure someone will port it to a PC (is there a BSD or Linux version of Perl ? If not, there soon will be.) RSN and then what ? My guess would be two weeks after the Easter break, all it takes is -=>one<=- talented and motivated individual with a lot of free time.

Fact is that it takes a lot less brilliance to take a sequence that is known to work and report it than it does to create the sequence in the first place.

So while the released version is humongous and usable only by a sysadmin with cycles to burn, the next version won't be. Not a question of "If" just "When".
Warmly,
Padgett

From firewalls-owner Fri Apr 7 12:57:29 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA17494 for firewalls-outgoing; Fri, 7 Apr 1995 12:29:30 -0700
Received: from isd.csc.com (isd.csc.com [149.126.1.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA17483 for ; Fri, 7 Apr 1995 12:29:24 -0700
Date: Fri, 7 Apr 95 15:44:53 EDT
From: jabraham@isd.csc.com (Joy Abraham)
Received: by isd.csc.com (4.1/3.1.012693-Computer Sciences Corp.); id AA12363 for firewalls@greatcircle.com; Fri, 7 Apr 95 15:44:53 EDT
Message-Id: <9504071944.AA12363@isd.csc.com>
To: firewalls@greatcircle.com
Subject: subscription to firewalls
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please include me in the firewalls subscription. My e-mail is: jabraham@isd.csc.com

Joy Abraham
Computer Sciences Corporation
Moorestown, NJ 08057
(609) 983-4400
E-mail: jabraham@isd.csc.com

From firewalls-owner Fri Apr 7 14:27:11 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA20066 for firewalls-outgoing; Fri, 7 Apr 1995 14:07:56 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA20061 for ; Fri, 7 Apr 1995 14:07:50 -0700
From: z056716@uprc.com
Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA27578; Fri, 7 Apr 95 17:08:02 -0400
Date: Fri, 7 Apr 95 17:08:02 -0400
Message-Id: <9504072108.AA27578@uvs1.orl.mmc.com>
To: firewalls@greatcircle.com@uvs1.dnet.mmc.com, padgett@tccslr.dnet.mmc.com
Subject: Re: The Software that ate Sunnyvale (was S attacks everywhere)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Fact is that it takes a lot less brilliance to take a sequence that is known
> to work and report it than it does to create the sequence in the first place.
>
> So while the released version is humongous and usable only by a sysadmin with
> cycles to burn, the next version won't be. Not a question of "If" just "When".
>
> Warmly,
> Padgett
>

I am wondering when the next *automated* attack, of a worm form, will take place. I have often wondered why a Morris type worm has not been seen since. With full packages like SATAN and ISS out there, what is to stop it? What have we learned from the Morris incident to contain such a beast?

  ______/   Jeff LaCoursiere            FastLane Communications
       /    Network security/services   mail info@fastlane.net
   ___/     lacoursj@fastlane.net
     /
   __/ASTLANE Communications!  Connecting America to the Internet...

From firewalls-owner Fri Apr 7 15:33:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA20675 for firewalls-outgoing; Fri, 7 Apr 1995 15:01:25 -0700
Received: from edison.eng.auburn.edu (edison.eng.auburn.edu [131.204.10.13]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA20669 for ; Fri, 7 Apr 1995 15:01:22 -0700
Received: from netman.eng.auburn.edu (netman.eng.auburn.edu [131.204.12.24]) by edison.eng.auburn.edu (8.6.12/8.6.4) with ESMTP id RAA16099 for ; Fri, 7 Apr 1995 17:01:41 -0500
From: Doug Hughes
Received: from localhost (doug@localhost) by netman.eng.auburn.edu (8.6.4/8.6.4) id RAA01129; Fri, 7 Apr 1995 17:01:39 -0500
Date: Fri, 7 Apr 1995 17:01:39 -0500
Subject: Simple Satan detector (was Re: GABRIEL )
To: firewalls@greatcircle.com
Message-Id:
In-Reply-To: <9504061352.AA18509@isdaix.cabq.gov>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

An adequate SATAN detector is just to alarm a few never used, but often scanned ports. We've done this by putting a tcp process in inetd.conf listening for a connection on tcpmux, rje, link, and supdup ports. Satan and other scanners trip these ports. The process' only function is to send out a syslog alarm to a secure station about the possible scan attempt.
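[Editor's added example, not Doug Hughes's code and not the source at ftp.eng.auburn.edu/pub/doug/satan: a minimal inetd-launched trap of the kind described above. It reads the peer address from the socket inetd hands it on fd 0 and raises one syslog alarm; the install path, program name and the `nobody` user in the commented inetd.conf lines are assumed placeholders.]

```c
/*
 * scanalarm.c -- inetd-launched "trap port" that logs the connecting
 * peer via syslog and says nothing back.  Illustration only; not the
 * program from ftp.eng.auburn.edu/pub/doug/satan.
 *
 * Assumed inetd.conf lines (service names from the post above; path,
 * program name and the unprivileged user are placeholders):
 *
 *   tcpmux stream tcp nowait nobody /usr/local/sbin/scanalarm scanalarm tcpmux
 *   rje    stream tcp nowait nobody /usr/local/sbin/scanalarm scanalarm rje
 *   link   stream tcp nowait nobody /usr/local/sbin/scanalarm scanalarm link
 *   supdup stream tcp nowait nobody /usr/local/sbin/scanalarm scanalarm supdup
 *
 * inetd passes the accepted connection as fd 0, so getpeername(0)
 * yields the scanner's address.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/*
 * Build the one-line alarm text from a peer address and the service name
 * inetd passed as argv[1].  Kept free of I/O so it can be exercised
 * without a socket.  Returns the length written, or -1 if the address
 * is not IPv4 or the buffer is too small.
 */
int format_alarm(char *buf, size_t len, const struct sockaddr_in *peer,
                 const char *service)
{
    char addr[INET_ADDRSTRLEN];
    int n;

    if (peer->sin_family != AF_INET)
        return -1;
    if (inet_ntop(AF_INET, &peer->sin_addr, addr, sizeof addr) == NULL)
        return -1;
    n = snprintf(buf, len, "possible port scan: connection to %s from %s port %u",
                 service, addr, (unsigned)ntohs(peer->sin_port));
    if (n < 0 || (size_t)n >= len)
        return -1;
    return n;
}

/*
 * Convenience wrapper: format the alarm for a dotted-quad address and
 * port without a live socket.  Returns a pointer to a static buffer, or
 * NULL if the address does not parse.
 */
const char *alarm_for(const char *ip, unsigned port, const char *service)
{
    static char buf[256];
    struct sockaddr_in peer;

    memset(&peer, 0, sizeof peer);
    peer.sin_family = AF_INET;
    peer.sin_port = htons((unsigned short)port);
    if (inet_pton(AF_INET, ip, &peer.sin_addr) != 1)
        return NULL;
    if (format_alarm(buf, sizeof buf, &peer, service) < 0)
        return NULL;
    return buf;
}

/* Fetch the peer of fd 0; 0 on success, -1 if fd 0 is not an IPv4 socket. */
int peer_of_stdin(struct sockaddr_in *peer)
{
    socklen_t plen = sizeof *peer;

    memset(peer, 0, sizeof *peer);
    if (getpeername(0, (struct sockaddr *)peer, &plen) < 0)
        return -1;
    return peer->sin_family == AF_INET ? 0 : -1;
}

int main(int argc, char **argv)
{
    const char *service = argc > 1 ? argv[1] : "unknown";
    struct sockaddr_in peer;
    char msg[256];

    /* LOG_AUTH so syslog.conf can forward the line to the secure log host. */
    openlog("scanalarm", LOG_PID, LOG_AUTH);
    if (peer_of_stdin(&peer) == 0 && format_alarm(msg, sizeof msg, &peer, service) > 0)
        syslog(LOG_WARNING, "%s", msg);
    else
        syslog(LOG_WARNING, "possible port scan: connection to %s from unknown peer", service);
    closelog();
    /* No banner, no reply: the connection simply closes. */
    return EXIT_SUCCESS;
}
```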
It includes the source address of the machine sending the packet(s). If anybody's interested I've put the lines and the source in ftp://ftp.eng.auburn.edu/pub/doug/satan

You can really stick it at any tcp port you want.

--
____________________________________________________________________________
Doug Hughes                        Engineering Network Services
System/Net Admin                   Auburn University
doug@eng.auburn.edu                "Real programmers use cat > file.as"

From firewalls-owner Fri Apr 7 16:07:55 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA21662 for firewalls-outgoing; Fri, 7 Apr 1995 15:46:23 -0700
Received: from airdata.com (nwestwall.nwest.airdata.com [199.33.218.36]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA21650 for ; Fri, 7 Apr 1995 15:46:19 -0700
Received: from nwestmail.airdata.com by airdata.com (5.0/McCaw WDD SUN nwestwall 070594/PHG) id AA06702; Fri, 7 Apr 1995 15:46:34 -0700
Received: from dividivi (dividivi.nwest.airdata.com) by nwestmail.airdata.com (5.0/McCaw WDD SUN nwestmail 070594/PHG) id AA28006; Fri, 7 Apr 1995 15:46:33 -0700
Received: by dividivi (5.0/McCaw WDD SUN client 042894PHG) id AA16083; Fri, 7 Apr 1995 15:46:30 -0700
Date: Fri, 7 Apr 1995 15:46:30 -0700
From: peterg@airdata.com (Peter Gregory)
Message-Id: <9504072246.AA16083@dividivi>
X-Ray: a common medical diagnosis tool.
X-Homepage: Visit our home page at http://www.airdata.com/
To: firewalls@greatcircle.com, padgett@tccslr.dnet.mmc.com
Subject: Re: The Software that ate Sunnyvale (was S attacks everywhere)
X-Sun-Charset: US-ASCII
Content-Length: 1196
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I am wondering when the next *automated* attack, of a worm form, will take
> place. I have often wondered why a Morris type worm has not been seen since.
> With full packages like SATAN and ISS out there, what is to stop it? What
> have we learned from the Morris incident to contain such a beast?

I'll take a shot at this...
:-)

We've learned:

* that large-scale internetwork attacks can and do take place;
* that sites with good security are less vulnerable than sites with poor/non-existent security;
* a lot about clandestine methods of access (ie. grappling hooks, etc.);

----------------------------------------------------------------------------

Imagine that, in five years, the Internet with a large number of NT systems acting as gateways, firewalls, etc. (yes, God forbid, but stay with me here), and let's say a Morris-type launches a worm that successfully attacks many of the NT systems on the Internet, because of one or more obscure bugs in the operating system or its various utilities. Who ya' gonna call?

--
Peter Gregory [NICname PG11]  peter.gregory@asix.com
Senior Consultant
ASIX Consulting, 777 108th Ave. NE, Suite 1830, Bellevue WA 98004-5118

From firewalls-owner Fri Apr 7 18:30:18 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA23664 for firewalls-outgoing; Fri, 7 Apr 1995 18:07:48 -0700
Received: from research.att.com (research.att.com [192.20.225.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA23659 for ; Fri, 7 Apr 1995 18:07:46 -0700
Received: by research.att.com; Fri Apr 7 21:07 EDT 1995
Received: from roc (localhost.research.att.com [127.0.0.1]) by smb.research.att.com (8.6.9/8.6.5) with ESMTP id VAA00549; Fri, 7 Apr 1995 21:07:04 -0400
Message-Id: <199504080107.VAA00549@smb.research.att.com>
To: Alan Barrett
cc: Richard Threadgill , firewalls@greatcircle.com
Subject: Re: Feeping Creaturism in routers (was Re: Response to Satan)
Date: Fri, 07 Apr 1995 21:06:57 -0400
From: "Steven M. Bellovin"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 3 Apr 1995, Richard Threadgill wrote:

> This is the strongest reason to not run ntp on your firewall router.
> Why do you consider the incoming ntp stream trustworthy?
The widely used xntpd implementation supports DES and MD5 authentication of timestamps, even over unencrypted links. Cisco's ntp implementation supports MD5 authentication.

It's not quite that simple. The authentication just protects your association with that time source; it doesn't say anything about their source of time. See

@inproceedings{Bishop-ntp,
  author = {Bishop, Matt},
  title = "A Security Analysis of the {NTP} Protocol",
  booktitle = {Sixth Annual Computer Security Conference Proceedings},
  address = {Tuscon, AZ},
  pages = {20--29},
  year = 1990,
  month = {December},
  annote = {Available for ftp from louie.udel.edu
            as /pub/ntp/doc/bishop.ps.Z. }

> An atomic or radio clock on your premises is fairly unlikely to be
> compromised; an external ntp clock is not so blessed.

Quite so. But you don't need an atomic clock in every branch office; you can have a trusted clock at headquarters and distribute authenticated chime from there. Use several trusted clocks in different locations for higher reliability.

Good idea, in light of the risks.

From firewalls-owner Fri Apr 7 19:26:50 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA24353 for firewalls-outgoing; Fri, 7 Apr 1995 19:07:18 -0700
Received: from databus.databus.com (databus.databus.com [198.186.154.34]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id TAA24348 for ; Fri, 7 Apr 1995 19:07:15 -0700
Date: Fri, 7 Apr 95 22:06 EDT
Message-ID: <9504072207.AA06358@databus.databus.com>
From: Barney Wolff
To: "Steven M. Bellovin"
Cc: firewalls@greatcircle.com
Subject: Re: Feeping Creaturism in routers (was Re: Response to Satan)
Content-Length: 685
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: Fri, 07 Apr 1995 21:06:57 -0400
> From: "Steven M. Bellovin"
>
> @inproceedings{Bishop-ntp,
>   author = {Bishop, Matt},
>   title = "A Security Analysis of the {NTP} Protocol",
>   booktitle = {Sixth Annual Computer Security Conference Proceedings},
>   address = {Tuscon, AZ},
>   pages = {20--29},
>   year = 1990,
>   month = {December},
>   annote = {Available for ftp from louie.udel.edu
>             as /pub/ntp/doc/bishop.ps.Z.
>   }

The file name is security.ps.Z - contents appear to be as advertised, at least from looking at it on a text terminal :-).

Barney Wolff

From firewalls-owner Fri Apr 7 21:57:51 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA26696 for firewalls-outgoing; Fri, 7 Apr 1995 21:36:31 -0700
Received: from equipe.rain.com (equipe.rain.com [204.188.34.120]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id VAA26691 for ; Fri, 7 Apr 1995 21:36:28 -0700
Received: by equipe.rain.com (Smail3.1.27.1 #3) id m0rxSDe-000HC2C; Fri, 7 Apr 95 21:33 PDT
Message-Id:
Date: Fri, 7 Apr 95 21:33 PDT
From: ray@equipe.rain.com (Ray Shirley)
To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From firewalls-owner Fri Apr 7 22:27:58 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id WAA27234 for firewalls-outgoing; Fri, 7 Apr 1995 22:15:08 -0700
Received: from panix3.panix.com (panix3.panix.com [198.7.0.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id WAA27227 for ; Fri, 7 Apr 1995 22:15:04 -0700
Received: from wallyman (wallynet.dialup.access.net [166.84.216.58]) by panix3.panix.com (8.6.12/8.6.10+PanixU1.0) with SMTP id BAA29257; Sat, 8 Apr 1995 01:13:24 -0400
Message-Id: <199504080513.BAA29257@panix3.panix.com>
From: "Walter F.
InterNetman wallynet@panix.com"
Date: Sat, 08 Apr 95 01:05:51 -400
To: firewalls@greatcircle.com, wallynet@panix.com
Mime-Version: 1.0
X-Mailer: Mozilla/1.0N (Windows)
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Subject: Watcher
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

ftp://coast.cs.purdue.edu/pub/tools/unix/

> Current directory is /pub/tools/unix
cops-perl.tar.gz 45 Kb Tue Jul 12 00:00:00 1994 compressed file > [Image] cpm Fri Feb 03 03:36:00 1995 Symbolic link > [Image] crack Fri Feb 03 03:36:00 1995 Symbolic link > [Image] cracklib Fri Feb 03 03:36:00 1995 Symbolic link > [Image] crashme/ Fri Feb 03 03:36:00 1995 Directory > [Image] des.tar.gz 18 Kb Tue Jul 12 00:00:00 1994 compressed file > [Image] descore.shar 61 Kb Sun Aug 07 00:00:00 1994 > [Image] deslogin/ Fri Feb 03 03:36:00 1995 Directory > [Image] dig Fri Feb 03 03:36:00 1995 Symbolic link > [Image] disable_mod_cmds 5 Kb Fri Jan 27 03:22:00 1995 > [Image] disable_mod_cmds.pgp.asc 385 bytes Mon Jan 30 16:54:00 1995 > [Image] dnswalk Fri Feb 03 03:36:00 1995 Symbolic link > [Image] doc.2.0.tar.Z 34 Kb Sat Aug 20 00:00:00 1994 compressed file > [Image] dummy_su 3 Kb Wed Aug 31 00:00:00 1994 > [Image] dump_lastlog.Z 2 Kb Thu Aug 11 00:00:00 1994 compressed file > [Image] fingerd Fri Feb 03 03:36:00 1995 Symbolic link > [Image] firewall/ Fri Mar 10 02:40:00 1995 Directory > [Image] fixkits Wed Mar 08 22:25:00 1995 Symbolic link > [Image] fwtk Wed Mar 08 22:20:00 1995 Symbolic link > [Image] hobgoblin Fri Feb 03 03:36:00 1995 Symbolic link > [Image] ident Fri Feb 03 03:36:00 1995 Symbolic link > [Image] ifstatus Fri Feb 03 03:36:00 1995 Symbolic link > [Image] ip_fil Sat Feb 25 04:09:00 1995 Symbolic link > [Image] ipacl Fri Feb 03 03:36:00 1995 Symbolic link > [Image] iss.shar.Z Fri Feb 03 03:36:00 1995 Symbolic link > [Image] kerberos Fri Feb 03 03:36:00 1995 Symbolic link > [Image] libdes Fri Feb 03 03:36:00 1995 Symbolic link > [Image] logdaemon Fri Feb 03 03:36:00 1995 Symbolic link > [Image] loginlog.c.Z 967 bytes Sun Jun 26 00:00:00 1994 compressed file > [Image] lsof Fri Feb 03 03:36:00 1995 Symbolic link > [Image] mail.local/ Fri Feb 03 03:36:00 1995 Directory > [Image] md5 Fri Feb 03 03:36:00 1995 Symbolic link > [Image] md5check Fri Feb 03 03:36:00 1995 Symbolic link > [Image] mkshadow.gz 2 Kb Sat Oct 15 23:57:00 1994 compressed file > 
[Image] mountd 29 Kb Tue Aug 30 00:00:00 1994 > [Image] msystem.tar.Z 21 Kb Thu May 26 00:00:00 1994 compressed file > [Image] netlog Fri Feb 03 03:36:00 1995 Symbolic link > [Image] netmon/ Thu Mar 30 04:14:00 1995 Directory > [Image] nfsbug Fri Feb 03 03:36:00 1995 Symbolic link > [Image] nfstrace Fri Feb 03 03:36:00 1995 Symbolic link > [Image] nfswatch Fri Feb 03 03:36:00 1995 Symbolic link > [Image] noshell/ Fri Feb 03 03:36:00 1995 Directory > [Image] op.shar 73 Kb Sun Aug 07 00:00:00 1994 > [Image] osh Fri Feb 03 03:36:00 1995 Symbolic link > [Image] passive-ftp Fri Feb 03 03:36:00 1995 Symbolic link > [Image] passwdd Fri Feb 03 03:36:00 1995 Symbolic link > [Image] password/ Fri Mar 10 03:52:00 1995 Directory > [Image] patchsym.tar.gz 3 Kb Sun Jan 29 20:06:00 1995 compressed file > [Image] permissions.tar.gz 33 Kb Thu Sep 15 00:00:00 1994 compressed file > [Image] portmap.shar 58 Kb Thu Aug 04 00:00:00 1994 > [Image] portmap_3.shar.Z Fri Feb 03 03:36:00 1995 Symbolic link > [Image] probe_tcp_ports Fri Feb 03 03:36:00 1995 Symbolic link > [Image] pwdiff.tar.gz 2 Kb Fri Jul 08 00:00:00 1994 compressed file > [Image] raudit.shar 11 Kb Thu Sep 15 00:00:00 1994 > [Image] rfingerd.tgz Fri Feb 03 03:36:00 1995 Symbolic link > [Image] rpc.pcnfsd.c.Z 11 Kb Fri Feb 10 23:52:00 1995 compressed file > [Image] rpcbind Sat Mar 25 21:04:00 1995 Symbolic link > [Image] rpem.tar.gz 103 Kb Fri Jul 08 00:00:00 1994 compressed file > [Image] rshd-echo.shar.Z 2 Kb Thu Dec 08 15:51:00 1994 compressed file > [Image] rsucker 6 Kb Sun Aug 07 00:00:00 1994 > [Image] satan/ Wed Apr 05 14:44:00 1995 Directory > [Image] screend Fri Feb 03 03:36:00 1995 Symbolic link > [Image] secure-sun-check 11 Kb Tue Jul 12 00:00:00 1994 > [Image] securelib/ Fri Feb 03 04:32:00 1995 Directory > [Image] securescan Fri Feb 03 03:36:00 1995 Symbolic link > [Image] sfingerd Fri Feb 03 03:36:00 1995 Symbolic link > [Image] skey Fri Feb 03 03:36:00 1995 Symbolic link > [Image] smrsh Fri Feb 03 03:36:00 
1995 Symbolic link > [Image] snefru Fri Feb 03 03:36:00 1995 Symbolic link > [Image] snmp-upgrade.tar.Z Fri Feb 03 03:36:00 1995 Symbolic link > [Image] snuffle.shar 9 Kb Sun Aug 07 00:00:00 1994 > [Image] socks Fri Feb 03 03:36:00 1995 Symbolic link > [Image] sra Fri Feb 03 03:36:00 1995 Symbolic link > [Image] strobe Wed Mar 08 23:02:00 1995 Symbolic link > [Image] sudo Fri Feb 03 03:36:00 1995 Symbolic link > [Image] surrogate-syslog Fri Feb 03 03:36:00 1995 Symbolic link > [Image] swIPe Fri Feb 03 03:36:00 1995 Symbolic link > [Image] swatch Fri Feb 03 03:36:00 1995 Symbolic link > [Image] tap Fri Feb 03 03:36:00 1995 Symbolic link > [Image] tcp_wrappers Sun Mar 26 20:10:00 1995 Symbolic link > [Image] tcpr Fri Feb 03 03:36:00 1995 Symbolic link > [Image] tftpd/ Wed Mar 01 17:14:00 1995 Directory > [Image] tiger Fri Feb 03 03:36:00 1995 Symbolic link > [Image] tpage Wed Mar 29 17:34:00 1995 Symbolic link > [Image] traceroute.tar.Z Fri Feb 03 03:36:00 1995 Symbolic link > [Image] traffic Fri Feb 03 03:36:00 1995 Symbolic link > [Image] trimlog Fri Feb 03 03:36:00 1995 Symbolic link > [Image] trojan/ Fri Feb 03 03:36:00 1995 Directory > [Image] udprelay-0.2.tar.gz 14 Kb Sun Aug 07 00:00:00 1994 compressed file > [Image] ufc.tar.gz 19 Kb Fri Jul 08 00:00:00 1994 compressed file > [Image] worm-src.tar.gz 23 Kb Tue Nov 29 19:07:00 1994 compressed file > [Image] xc Fri Feb 03 03:36:00 1995 Symbolic link > [Image] yppapasswd-1.0.tar.gz 21 Kb Thu Aug 04 00:00:00 1994 compressed file > [Image] ypx.shar 26 Kb Thu Jul 07 00:00:00 1994 > [Image] zap.tar.gz 1 Kb Sat Aug 20 00:00:00 1994 compressed file > > From firewalls-owner Sat Apr 8 01:27:52 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA29039 for firewalls-outgoing; Sat, 8 Apr 1995 00:58:58 -0700 Received: from peking.barwonwater.vic.gov.au (peking.barwonwater.vic.gov.au [138.19.2.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id AAA29034 for ; Sat, 8 Apr 1995 
00:58:53 -0700
Received: from maui.isd.barwonwater.vic.gov.au by peking.barwonwater.vic.gov.au with SMTP id AA02963 (5.67b/IDA-1.5 for ); Sat, 8 Apr 1995 17:54:33 +1000
From: Craig.Bishop@BarwonWater.Vic.Gov.Au
Received: (csb@localhost) by maui.isd.barwonwater.vic.gov.au (8.6.9/8.6.9) id RAA00920; Sat, 8 Apr 1995 17:54:30 +1000
Date: Sat, 8 Apr 1995 17:54:30 +1000
Message-Id: <199504080754.RAA00920@maui.isd.barwonwater.vic.gov.au>
To: firewalls@greatcircle.com, padgett@tccslr.dnet.mmc.com
Subject: Re: The Software that ate Sunnyvale (was S attacks everywhere)
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Date: Fri, 7 Apr 95 13:24:01 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Subject: The Software that ate Sunnyvale (was S attacks everywhere)

Flame On

Dear, "Warmly, Padgett"

I know you think you are VIP on this list but that does not give you the right to change the subject of a thread. Sure the topic may wander a bit but it is still the same thread! This was number 2 in 2 days. I am sure the majority of the list would join with me in asking you to stop this habit.

Flame Off

Cheers,
Craig (who is currently writing some threaded mail reading software and thought he had flushed this thread)

Craig Bishop
Information Systems, Barwon Water    +61 52 262506
61-67 Ryrie St.
Geelong 3220 Australia
csb@BarwonWater.Vic.Gov.Au
http://www.barwonwater.vic.gov.au/people/csb/

From firewalls-owner Sat Apr 8 15:26:57 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA06050 for firewalls-outgoing; Sat, 8 Apr 1995 15:11:09 -0700
Received: from ns.ge.com (ns.ge.com [192.35.39.24]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA06044 for ; Sat, 8 Apr 1995 15:11:07 -0700
Received: from mobster.cit.ge.com ([3.47.4.100]) by ns.ge.com (8.6.11/8.6.11) with SMTP id SAA23511 for ; Sat, 8 Apr 1995 18:11:27 -0400
Received: by mobster.cit.ge.com (4.1/GEA Sun server 2.5A) id AA22348; Sat, 8 Apr 95 18:09:43 EDT
Date: Sat, 8 Apr 95 18:09:43 EDT
From: tborst@mobster.cit.ge.com (Tom Borst)
Message-Id: <9504082209.AA22348@mobster.cit.ge.com>
To: firewalls@greatcircle.com
Subject: lists
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

lists

From firewalls-owner Sat Apr 8 15:47:27 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA05950 for firewalls-outgoing; Sat, 8 Apr 1995 14:57:51 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA05945 for ; Sat, 8 Apr 1995 14:57:47 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA00878; Sat, 8 Apr 95 17:51:55 -0400
Date: Sat, 8 Apr 95 17:51:55 -0400
Message-Id: <9504082151.AA00878@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Morris Woim (was Re: The Software that ate etc.)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jeff rites:

>I am wondering when the next *automated* attack, of a worm form, will take
>place.

Don't forget, the damage done by the worm was caused by a mistake in the code that caused it to propagate without control.
Also, "S" is essentially an Internet war-dialer. Like the first of those, it is sequential and predictable. Current war-dialers such as TONELOC (is the best one I know on the net) are not sequential any more.

Warmly,
Padgett

ps I was off by a couple of weeks - someone I know has already ported it to a notebook using FreeBSD & dropping the WWW requirement.

From firewalls-owner Sat Apr 8 16:27:06 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA06968 for firewalls-outgoing; Sat, 8 Apr 1995 16:08:15 -0700
Received: from mail.msm.com (mail.msm.com [198.49.1.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA06963 for ; Sat, 8 Apr 1995 16:08:11 -0700
Date: Sat, 8 Apr 1995 16:08:30 -0700 (PDT)
From: Greg Merrell
To: firewalls@greatcircle.com
CC: jbarnes@aztec.co.za, GREG@mail.msm.com
Message-Id: <950408160830.551d@mail.msm.com>
Subject: Re: New global company problem
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

John Halperin said in response to jbarnes@aztec.co.za:

>> Basic problem. We have been allocated a single Class B address. We
>> anticipate having several hundred subnets and several thousand nodes (in
>> fact, we do already), and there is no way to accommodate our routing and
>> addressing problems in one Class B address. (OK, there may be with some
>> *REALLY* clever subnet masking, but that will take a lot of management in
>> areas where, quite frankly, managing the on/off switch is going to be a
>> problem.)
>
> If your internal routers can use a newer route-distribution protocol such
> as OSPF, you can set up subnets with different size subnet masks. That
> could be a big help in partitioning your 64K IP addresses. (That's my
> understanding, but I haven't tried this myself.)

In fact, I am in the middle of a project to roll out routers to 160 sites and have been allocated a CIDR block of only 64 contiguous class-C networks. (Want to give up your Class-B??)
After doing some quick arithmetic, I discovered that I'd need to do some serious subnetting to make it all work. Here is how I chose to do it.

For each site, I chose a contiguous chunk out of a Class-C net. Each Class C net is broken up into one of these to make life a little easier:

    1 site  of 254 addresses (Mask 255.255.255.0), or
    2 sites of  62 addresses (Mask 255.255.255.192), or
    4 sites of  30 addresses (Mask 255.255.255.224), or
    8 sites of  14 addresses (Mask 255.255.255.240)

Now with this sort of grouping, there are holes left in the Class-C address allocations. I chose to use them for things like SNMP SLIP ports (2 nodes with mask 255.255.255.252), multipoint Frame Relay links (6 nodes with mask 255.255.255.248), loopback ports (1 node with mask 255.255.255.252 - these are useful on Cisco routers in OSPF environments), special cases, etc.

So here's what the 4 site scenario might look like:

    Addresses   Hosts        Addresses   Hosts
    0-3         unused       128-131     2
    4-7         2            132-135     2
    8-15        6            136-143     6
    16-31       14           144-159     14
    32-63       30           160-191     30
    64-95       30           192-223     30
    96-111      14           224-239     14
    112-119     6            240-247     6
    120-123     2            248-251     2
    124-127     2            252-255     unused

To go with the subnetting, I chose to use OSPF due to its support of variable length subnet masks. As a side effect, it also supports route aggregation so that the routing tables in the core of the network don't get too cluttered with a bunch of little nets. By making the nets for a given site contiguous, you can aggregate them in the OSPF routing tables to keep things a little cleaner. So for example, site A would use the 0-63 addresses but only advertise the whole range outside the local OSPF area.

It took a while to get things set up, but now that I've done it, things seem to be running pretty smoothly. And once you assign the addresses, DNS doesn't care and that's all most users ever see anyway.

One thing to be aware of is that the Cray routers I've seen don't yet support OSPF (soon I'm told), so that could present a problem here.
Also, with a Class-B network, you have some additional flexibility that I didn't have with the chunk of Class-C's, especially at the low and high ends of the nets.

Hope this helps,

Greg

==============================================================
Greg Merrell                     Internet: merrell@ins.com
Systems Engineer                 Voice:    +1 415-254-4223
International Network Services   FAX:      +1 415-254-4288
650 Castro Street, Suite 260     Pager:    +1 800-616-4029
Mt View, CA 94041

From firewalls-owner Sat Apr 8 22:26:41 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id WAA15222 for firewalls-outgoing; Sat, 8 Apr 1995 22:18:40 -0700
Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id WAA15217 for ; Sat, 8 Apr 1995 22:18:37 -0700
Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.29.1 #1) id m0rxpLU-0000KBC; Sat, 8 Apr 95 22:15 PDT
Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA14294; Sat, 8 Apr 1995 22:19:08 +0800
Date: Sat, 8 Apr 1995 22:19:08 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
Message-Id: <9504090519.AA14294@brittany.oes.amdahl.com>
To: Craig.Bishop@BarwonWater.Vic.Gov.Au, firewalls@greatcircle.com, padgett@tccslr.dnet.mmc.com
Subject: Re: The Software that ate Sunnyvale (was S attacks everywhere)
Content-Length: 389
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I appreciate anyone anytime changing the Subject: line when they're diverging from the discussion. I've never imagined I'd see someone flamed for this normal and polite behavior. I would rather imagine that if someone were a boor they might flame someone for not changing the Subject: if they were diverging.

Perhaps, Craig, you need to cut down on your caffeine consumption.

Patrick

 _______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;).   \
|                                                          (\           |
| Patrick J. Horgan     Amdahl Corporation           \\  Have           |
| patrick@amdahl.com    1250 East Arques Avenue       \\ _  Sword       |
| Phone : (408)992-2779 P.O. Box 3470 M/S 316          \\/  Will        |
| FAX   : (408)773-0833 Sunnyvale, CA 94088-3470      _/\\  Travel      |
\___________________________O16-2294________________________\)__________/

From firewalls-owner Sun Apr 9 01:58:05 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA17385 for firewalls-outgoing; Sun, 9 Apr 1995 01:46:11 -0700
Received: from stargate.concorde.com (stargate.concorde.com [204.97.254.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id BAA17372 for ; Sun, 9 Apr 1995 01:46:01 -0700
Received: (from smap@localhost) by stargate.concorde.com (8.6.8.1/8.6.6) id EAA00212; Sun, 9 Apr 1995 04:44:53 -0400
Received: from galaxy.concorde.com(198.242.54.51) by stargate.concorde.com via smap (V1.3) id sma000208; Sun Apr 9 04:44:33 1995
Received: (from jna@localhost) by galaxy.concorde.com (8.6.8.1/8.6.6) id EAA25746; Sun, 9 Apr 1995 04:44:47 -0400
Date: Sun, 9 Apr 1995 04:44:47 -0400
From: John Adams
Message-Id: <199504090844.EAA25746@galaxy.concorde.com>
To: bdboyle@maverick.erenj.com, firewalls@GreatCircle.COM
Subject: Re: http proxy on firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anyone had a problem with TIS's http proxy causing their firewall to dump core, go into a trap and reboot? This is what happens frequently on our Sun Sparc I... Is there a newer version we should be using?
-john

From firewalls-owner Sun Apr 9 02:13:11 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA17370 for firewalls-outgoing; Sun, 9 Apr 1995 01:45:24 -0700
Received: from stargate.concorde.com (stargate.concorde.com [204.97.254.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id BAA17365 for ; Sun, 9 Apr 1995 01:45:16 -0700
Received: (from smap@localhost) by stargate.concorde.com (8.6.8.1/8.6.6) id EAA00191; Sun, 9 Apr 1995 04:42:53 -0400
Received: from galaxy.concorde.com(198.242.54.51) by stargate.concorde.com via smap (V1.3) id sma000189; Sun Apr 9 04:42:50 1995
Received: (from jna@localhost) by galaxy.concorde.com (8.6.8.1/8.6.6) id EAA25729; Sun, 9 Apr 1995 04:43:04 -0400
Date: Sun, 9 Apr 1995 04:43:04 -0400
From: John Adams
Message-Id: <199504090843.EAA25729@galaxy.concorde.com>
To: grs@claircom.com, mccarbc@netcom.com
Subject: Re: Registered IP vs unregistered
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

To further this, what are the reserved unregistered IANA addresses?

I keep a local private net at my home that goes back to the company firewall (which I set up :) ) and I have 5 machines on the net here, and I'm just using some random ip # as my site's class C.. It never makes it out past the gateway anyhoo, so does it matter?
-john

From firewalls-owner Sun Apr 9 04:58:21 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA19578 for firewalls-outgoing; Sun, 9 Apr 1995 04:47:39 -0700
Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id EAA19573 for ; Sun, 9 Apr 1995 04:47:37 -0700
Received: from maestro.Maestro.COM by relay1.UU.NET with SMTP id QQyksd17607; Sun, 9 Apr 1995 07:47:56 -0400
Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA25889; Sun, 9 Apr 95 07:43:53 EDT
Date: Sun, 9 Apr 1995 07:43:52 -0400 (EDT)
From: Sick Puppy
Subject: Re: The Software that ate Sunnyvale (was S attacks everywhere)
To: firewalls@GreatCircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

So here I am, reading one corporation's firewall logs more closely than they are reading the logs themselves and one thing stands out clearly. The number of attempted hacks had dropped off from a constant and high level the day before Satan was released to almost none now. Saturday night NOBODY tried to break in. What the hell happened to the Satan attacks?

Some :) "security experts" :) have voiced the opinion that SATAN will cause sites to improve their security the same way Crack did as many sites now use passwords that resist dictionary cracking. Really? I still get 20 percent of all user passwords and the occasional sys admin password using just Crack and the Worm's password dictionary. This 20 percent is consistent from week to week, as users replace one weak password with another weak password.

TONELOC is a delightful tool. Users in their personnel department call the security d00ds to ask why their telephones are ringing and there is never anyone there. The security d00ds are clueless and say they are not doing any testing of the PBX.
The corporation doesn't have a security policy anyway, so no-one really knows who is responsible for what. Call the personnel department saying you are Telco and offer them outside help with their telephone problems. Oooh, they are so cooperative. Now what was that password for the system administrator again?

Neither Satan nor TONELOC greatly changed the Internet and are not likely to. Dumb users are still dumb users making the same dumb choices and social engineering together with cracking tools still works the same way it always has.

Request for info: which modem to use with TONELOC? Its documentation refers to out of date US Robotics modems. Can anyone tell me which modern modem gives the best results? The US Robotics sales-droids don't know.

Warmly,

Sick Puppy
the Cat_Eating_Dawg
in the basement amongst Padgett's endless supply of old PC's

From firewalls-owner Sun Apr 9 05:28:47 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA19989 for firewalls-outgoing; Sun, 9 Apr 1995 05:26:15 -0700
Received: from cafe.net (espresso.cafe.net [199.3.239.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA19984 for ; Sun, 9 Apr 1995 05:26:11 -0700
Received: by cafe.net id AA10080 (5.67b/IDA-1.5 for firewalls@GreatCircle.com); Sun, 9 Apr 1995 05:28:54 -0700
Date: Sun, 9 Apr 1995 05:28:54 -0700 (PDT)
From: The Sinner
To: Sick Puppy
Cc: firewalls@GreatCircle.com
Subject: Re: The Software that ate Sunnyvale (was S attacks everywhere)
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

For the sake of not having other people reading this dribble, I will not include it..

Yes, there are some people on the list that just lurk and are genuinely interested in security issues. Yes, sometimes we don't like our names being stuck up on the accounts..
I would just like to inform everyone that those types in the so called underground and whatnot are not all intelligence challenged type folks... But anyways that was my two cents worth on that..

Whoever this guy is, he just won the award for the absolutely most moronic piece of mail that ever ended up in my spool..

Sinner
Lurker mode reengaged

From firewalls-owner Sun Apr 9 07:28:06 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA21351 for firewalls-outgoing; Sun, 9 Apr 1995 07:07:31 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA21346 for ; Sun, 9 Apr 1995 07:07:27 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA02413; Sun, 9 Apr 95 09:51:32 -0400
Date: Sun, 9 Apr 95 09:51:32 -0400
Message-Id: <9504091351.AA02413@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Re: The Software that ate...
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Note: I receive my mail on a VAX. The "reply to" is always "firewalls-owner" so I must use "forward". This means I also must type in the "subject" line each time. Sorry if sometimes it is rong/shortened.

Sick Puppy rites:

>Saturday night NOBODY tried to break in. What the h*ll (mc) happened to the
>Satan attacks?

All playing with it and trying to get it to work on PCs (know of some successes already)

>I still get 20 percent of all user passwords and the occasional sys admin
>password using just Crack and the Worm's password dictionary. This 20
>percent is consistent from week to week, as users replace one weak password
>with another weak password.

Not that high for me but there - why I concentrate on perimeter defenses.

>The security d00ds are clueless and say they are not doing
>any testing of the PBX.

Am a security d00d.
When I get calls, my first question is "does it sound like a waterfall or a series of beeps at one second intervals" (usually). If so I recommend forwarding their phone to the local FAX for an hour or so. If a waterfall, I check the caller-id logs. Always thank the caller for their awareness.

>Request for info: which modem to use with TONELOC?

About any 2400 with X4 reporting used to be good since they connect faster than something that negotiates. Some cheap ones are failing to connect with new v.34s, Microcom may be onto a security enhancement. Of course ATS0=7 still is an effective/free defense.

> in the basement amongst Padgett's endless supply of old PC's

Doubtful, in Florida we call basements "indoor swimming pools".

Warmly,
Padgett

From firewalls-owner Sun Apr 9 08:26:46 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA22072 for firewalls-outgoing; Sun, 9 Apr 1995 08:06:17 -0700
Received: from nic.near.net (nic.near.net [192.52.71.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA22067 for ; Sun, 9 Apr 1995 08:06:14 -0700
Received: from [192.52.71.147] by nic.near.net id aa02424; 9 Apr 95 11:06 EDT
X-Sender: jcurran@198.114.157.116
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 9 Apr 1995 11:06:32 -0400
To: John Adams
From: John Curran
Subject: Re: Registered IP vs unregistered
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 4:43 AM 4/9/95, John Adams wrote:
>To further this, what are the reserved unregistered IANA addresses?

Extract from RFC1597:
---
3. Private Address Space

   The Internet Assigned Numbers Authority (IANA) has reserved the
   following three blocks of the IP address space for private networks:

        10.0.0.0        -   10.255.255.255
        172.16.0.0      -   172.31.255.255
        192.168.0.0     -   192.168.255.255

   We will refer to the first block as "24-bit block", the second as
   "20-bit block", and to the third as "16-bit" block.
   Note that the first block is nothing but a single class A network
   number, while the second block is a set of 16 contiguous class B
   network numbers, and third block is a set of 255 contiguous class C
   network numbers.
   ...
---

>I keep a local private net at my home that goes back to the company
>firewall (which I set up :) ) and I have 5 machines on the net here,
>and I'm just using some random ip # as my site's class C.. It never
>makes it out past the gateway anyhoo, so does it matter?

Any given IP network can exist on either side of the firewall, but not both. The use of some "random ip #" for the interior prevents the firewall from accessing systems/services on that network number once it's assigned officially to some organization and routed in the public Internet. You might want to use "whois" on the random network number that you're currently using so that you at least know the organization which cannot be accessed as a result of your selection.

RFC1597 provides for a set of addresses which will _not_ be officially assigned to organizations; hence, there should not be any need to reach systems or services on these addresses in the public Internet. An organization is safe to use RFC1597 addresses on the interior of their firewall without the fear that someone will subsequently use the same network for public resources.
/John

From firewalls-owner Sun Apr 9 08:56:42 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA22506 for firewalls-outgoing; Sun, 9 Apr 1995 08:40:44 -0700
Received: from zephyr.isi.edu (zephyr.isi.edu [128.9.160.160]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA22501 for ; Sun, 9 Apr 1995 08:40:42 -0700
Received: by zephyr.isi.edu (5.65c/5.61+local-17) id ; Sun, 9 Apr 1995 08:39:43 -0700
From: bmanning@ISI.EDU (Bill Manning)
Message-Id: <199504091539.AA07937@zephyr.isi.edu>
Subject: Re: Registered IP vs unregistered
To: jna@concorde.com (John Adams)
Date: Sun, 9 Apr 1995 08:39:43 -0700 (PDT)
Cc: grs@claircom.com, mccarbc@netcom.com, firewalls@greatcircle.com
In-Reply-To: <199504090843.EAA25729@galaxy.concorde.com> from "John Adams" at Apr 9, 95 04:43:04 am
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 734
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> To further this, what are the reserved unregistered IANA addresses?

There are reserved addresses. All addresses are registered.

> I keep a local private net at my home that goes back to the company
> firewall (which I set up :) ) and I have 5 machines on the net here,
> and I'm just using some random ip # as my site's class C.. It never
> makes it out past the gateway anyhoo, so does it matter?
>
> -john

Following this logic, you can select any address range you like. Taking something that is registered to someone else and using it for your own may be workable, but you will get into trouble with it in future. Perhaps you should stick with RFC 1597 networks, which were allocated for just such situations.
--
--bill

From firewalls-owner Sun Apr 9 09:56:47 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA23591 for firewalls-outgoing; Sun, 9 Apr 1995 09:53:16 -0700
Received: from viking.dvc.edu (viking.dvc.edu [192.235.0.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA23586 for ; Sun, 9 Apr 1995 09:53:10 -0700
Received: by viking.dvc.edu (Smail3.1.29.1 #1) id m0ry0M2-000RX8C; Sun, 9 Apr 95 10:00 PDT
Date: Sun, 9 Apr 1995 10:00:53 -0700 (PDT)
From: Nancye Harder
Subject: Where can I find PERL 5.000?
To: John Curran
cc: John Adams , firewalls@greatcircle.com
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone know where I may find PERL 5.000?

Thanks,

Nancye

From firewalls-owner Sun Apr 9 10:56:42 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA24052 for firewalls-outgoing; Sun, 9 Apr 1995 10:25:51 -0700
Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA24047 for ; Sun, 9 Apr 1995 10:25:42 -0700
Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA02362; Sun, 9 Apr 95 13:25:15 -0500
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9504091825.AA02362@hawksbill.sprintmrn.com>
Subject: Re: Where can I find PERL 5.000?
To: nharder@viking.dvc.edu (Nancye Harder)
Date: Sun, 9 Apr 1995 13:25:15 -0500 (EST)
Cc: jcurran@nic.near.net, jna@concorde.com, firewalls@greatcircle.com
In-Reply-To: from "Nancye Harder" at Apr 9, 95 10:00:53 am
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 786
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Does anyone know where I may find PERL 5.000?
>
> Thanks,
>
> Nancye
>

From the README in the courtney.tar:

Requirements:

Courtney requires that Perl v.5, libpcap, and tcpdump be installed.
They are available via anonymous FTP at the following sites:

    libpcap-0.0    ftp.ee.lbl.gov:/libpcap-0.0.tar.Z
    tcpdump-3.0    ftp.ee.lbl.gov:/tcpdump-3.0.tar.Z
    perl5          ftp.uu.net:/systems/gnu/perl5.001.tar.gz

- paul

_______________________________________________________________________________
Paul Ferguson                              US Sprint
tel: 703.689.6828                          Managed Network Engineering
internet: paul@hawk.sprintmrn.com          Reston, Virginia USA
http://www.sprintmrn.com

From firewalls-owner Sun Apr 9 11:10:57 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA24358 for firewalls-outgoing; Sun, 9 Apr 1995 10:50:05 -0700
Received: from Mordor.Stanford.EDU (Mordor.Stanford.EDU [36.53.0.155]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA24353 for ; Sun, 9 Apr 1995 10:50:03 -0700
Received: from [198.120.32.27] (arc-tac1-slip7.nsi.nasa.gov [198.120.32.27]) by Mordor.Stanford.EDU (8.6.11/8.6.6) with SMTP id KAA02595; Sun, 9 Apr 1995 10:49:55 -0700
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 9 Apr 1995 10:50:17 -0700
To: Howard Berkowitz
From: Dave Crocker
Subject: Re: Registered IP vs unregistered
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 2:18 PM 4/5/95, Howard Berkowitz wrote:
>I still like RFC1597 addresses in many circumstances, but they can
>be a management problem if you merge, etc. There are workarounds,
>such as IP over IP tunneling.

RFC 1597 says why you may want to use private IP addresses.

RFC 1627 says why you should try real hard to resist the temptation.

Merging the two points of view suggests that private addresses should be used only when there is no alternative. The long-term impact of private addresses can be very unpleasant.

d/

--------------------
Dave Crocker
Brandenburg Consulting                       +1 408 246 8253
675 Spruce Dr.                               fax: +1 408 249 6205
Sunnyvale, CA 94086                          dcrocker@networking.stanford.edu

From firewalls-owner Sun Apr 9 11:26:37 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA25033 for firewalls-outgoing; Sun, 9 Apr 1995 11:16:17 -0700
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA25028 for ; Sun, 9 Apr 1995 11:16:14 -0700
Received: from maestro.Maestro.COM by relay2.UU.NET with SMTP id QQyktd21848; Sun, 9 Apr 1995 14:16:37 -0400
Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA04291; Sun, 9 Apr 95 14:12:33 EDT
Date: Sun, 9 Apr 1995 14:12:32 -0400 (EDT)
From: Sick Puppy
Subject: Re: The Software that ate Sunnyvale (was S attacks everywhere)
To: firewalls@GreatCircle.com
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> For the sake of not having other people reading this dribble, i will not
> include it..

Oops, forgot a couple of drops:

1) Firewalls running X;
2) The many virtues of the delicate application of X-crowbar;
3) Never met a firewall installed by TIS that was running X. (my own unkind words deleted);
4) The next generation of packet sniffers (dare not be explicit).
Sick Puppy, Secret Agent and Fringe Lunatic has Network Access, is Dangerous From firewalls-owner Sun Apr 9 11:56:39 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA25782 for firewalls-outgoing; Sun, 9 Apr 1995 11:35:29 -0700 Received: from amisk.cs.ualberta.ca (amisk.cs.ualberta.ca [129.128.13.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA25777 for ; Sun, 9 Apr 1995 11:35:25 -0700 Received: by amisk.cs.ualberta.ca id <138486-4>; Sun, 9 Apr 1995 12:35:46 -0600 Subject: Re: Registered IP vs unregistered From: Bob Beck To: dcrocker@networking.stanford.edu (Dave Crocker) Date: Sun, 9 Apr 1995 12:35:44 -0600 (MDT) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Dave Crocker" at Apr 9, 95 10:50:17 am X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 913 Message-Id: <95Apr9.123546-0600_(mdt).138486-4@amisk.cs.ualberta.ca> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dave Crocker Says: > > RFC 1597 says why you may want to use private IP addresses. > > RFC 1627 says why you should try real hard to resist the temptation. > > Merging the two points of views suggests that private addresses should be > used only when there is no alternative. The long-term impact of private > addresses can be very unpleasant. > > d/ > "unpleasant"? well, I have to ask, what do you mean by that? As I see it, with a properly configured firewall that will stop source routing attacks, and provide secure access off the private net in a convenient manner, private addresses look like a very nice thing to consider when constructing a secured net behind a firewall. In the context of a net behind a firewall (I mean hey, this list was about them critters once I think :), where we want no direct access to our private net, what's the possible "unpleasantness"? 
-Bob From firewalls-owner Sun Apr 9 12:14:36 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA26143 for firewalls-outgoing; Sun, 9 Apr 1995 11:52:17 -0700 Received: from ozarks.sgcl.lib.mo.us (ozarks.sgcl.lib.mo.us [128.206.1.212]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA26138 for ; Sun, 9 Apr 1995 11:52:14 -0700 Received: by ozarks.sgcl.lib.mo.us (4.1/SMI-4.1) id AA26972; Sun, 9 Apr 95 13:49:09 CDT Date: Sun, 9 Apr 1995 13:49:08 -0500 (CDT) From: "B. Joe Smith" Subject: Re: Registered IP vs unregistered To: Dave Crocker Cc: Howard Berkowitz , firewalls@GreatCircle.COM In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk How about the use of the reserved ips for setup on PPP links between routers of different brands that would disallow unnumbered links? Joe Smith (Really!) On Sun, 9 Apr 1995, Dave Crocker wrote: > At 2:18 PM 4/5/95, Howard Berkowitz wrote: > >I still like RFC1597 addresses in many circumstances, but they can > >be a management problem if you merge, etc. There are workarounds, > >such as IP over IP tunneling. > > > RFC 1597 says why you may want to use private IP addresses. > > RFC 1627 says why you should try real hard to resist the temptation. > > Merging the two points of views suggests that private addresses should be > used only when there is no alternative. The long-term impact of private > addresses can be very unpleasant. > > d/ > > -------------------- > Dave Crocker > Brandenburg Consulting +1 408 246 8253 > 675 Spruce Dr. 
fax: +1 408 249 6205 > Sunnyvale, CA 94086 dcrocker@networking.stanford.edu > > > From firewalls-owner Sun Apr 9 12:26:38 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA25378 for firewalls-outgoing; Sun, 9 Apr 1995 11:26:49 -0700 Received: from clark.net (clark.net [168.143.0.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA25368 for ; Sun, 9 Apr 1995 11:26:45 -0700 Received: (hcb@localhost) by clark.net (8.6.12/8.6.5) id OAA19995; Sun, 9 Apr 1995 14:27:02 -0400 From: Howard Berkowitz Message-Id: <199504091827.OAA19995@clark.net> Subject: Re: Registered IP vs unregistered To: dcrocker@networking.stanford.edu (Dave Crocker) Date: Sun, 9 Apr 1995 14:27:00 -0400 (EDT) Cc: hcb@clark.net, firewalls@GreatCircle.COM In-Reply-To: from "Dave Crocker" at Apr 9, 95 10:50:17 am X-Mailer: ELM [version 2.4 PL24alpha3] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Content-Length: 1206 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > At 2:18 PM 4/5/95, Howard Berkowitz wrote: > >I still like RFC1597 addresses in many circumstances, but they can > >be a management problem if you merge, etc. There are workarounds, > >such as IP over IP tunneling. > > > RFC 1597 says why you may want to use private IP addresses. > > RFC 1627 says why you should try real hard to resist the temptation. > > Merging the two points of views suggests that private addresses should be > used only when there is no alternative. The long-term impact of private > addresses can be very unpleasant. > I agree, Dave. I use registered addresses in my own isolated networks. I don't always have that option. I also feel we are in turmoil in internet addressing for a while. It can be useful to use private address space as part of an interim transition from a really messed up (e.g., not subnetted at all) address space to a proper CIDR one. There are practical understandability issues as well. 
With the router configuration tools available, VLSM is beyond the short-term abilities of many system administrators. Using private address space for internal networks can buy time -- and simplicity -- until IPv6 is deployed.

Howard

From firewalls-owner Sun Apr 9 12:46:41 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA26774 for firewalls-outgoing; Sun, 9 Apr 1995 12:24:16 -0700 Received: from little-miami.iac.net (little-miami.iac.net [198.180.60.135]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA26758 for ; Sun, 9 Apr 1995 12:24:12 -0700 Received: by little-miami.iac.net id PAA15820; Sun, 9 Apr 1995 15:24:06 -0400 Date: Sun, 9 Apr 1995 15:24:05 -0400 (EDT) From: Carl Jolley To: John Curran cc: John Adams , firewalls@GreatCircle.COM Subject: Re: Registered IP vs unregistered In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

A few months ago when we contacted the InterNIC about "private" IP addresses, they said that if internal, private IP addresses were going to be used, they MUST be from the RFC1597 addresses. I got the definite impression that they did not agree with the overall conclusions expressed in RFC1627.

**** cjolley@iac.net **** All opinions are my own and not necessarily those of my employer ****

On Sun, 9 Apr 1995, John Curran wrote:
> At 4:43 AM 4/9/95, John Adams wrote:
> >To further this, what are the reserved unregistered IANA addresses?
>
> Extract from RFC1597:
> ---
>
> 3. Private Address Space
>
> The Internet Assigned Numbers Authority (IANA) has reserved the
> following three blocks of the IP address space for private networks:
>
> 10.0.0.0 - 10.255.255.255
> 172.16.0.0 - 172.31.255.255
> 192.168.0.0 - 192.168.255.255
>
> We will refer to the first block as "24-bit block", the second as
> "20-bit" block, and to the third as "16-bit" block. Note that the
> first block is nothing but a single class A network number, while the
> second block is a set of 16 contiguous class B network numbers, and
> third block is a set of 255 contiguous class C network numbers.
> ...
> ---
>
> >I keep a local private net at my home that goes back to the company
> >firewall (which I set up :) ) and I have 5 machines on the net here,
> >and I'm just using some random ip # as my site's class C.. It never
> >makes it out past the gateway anyhoo, so does it matter?
>
> Any given IP network can exist on either side of the firewall,
> but not both. The use of some "random ip #" for the interior
> prevents the firewall from accessing systems/services on that
> network number once it's assigned officially to some organization
> and routed in the public Internet. You might want to use "whois"
> on the random network number that you're currently using so that
> you at least know the organization which cannot be accessed as a
> result of your selection.
>
> RFC1597 provides for a set of addresses which will _not_ be
> officially assigned to organizations; hence, there should not
> be any need to reach systems or services on these addresses in
> the public Internet. An organization is safe to use RFC1597
> addresses on the interior of their firewall without the fear
> that someone will subsequently use the same network for public
> resources.
> > /John > > > From firewalls-owner Sun Apr 9 12:56:37 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA27131 for firewalls-outgoing; Sun, 9 Apr 1995 12:32:42 -0700 Received: from little-miami.iac.net (little-miami.iac.net [198.180.60.135]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA27120 for ; Sun, 9 Apr 1995 12:32:36 -0700 Received: by little-miami.iac.net id PAA15846; Sun, 9 Apr 1995 15:32:31 -0400 Date: Sun, 9 Apr 1995 15:32:30 -0400 (EDT) From: Carl Jolley To: Dave Crocker cc: Howard Berkowitz , firewalls@GreatCircle.COM Subject: Re: Registered IP vs unregistered In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sun, 9 Apr 1995, Dave Crocker wrote: > At 2:18 PM 4/5/95, Howard Berkowitz wrote: > >I still like RFC1597 addresses in many circumstances, but they can > >be a management problem if you merge, etc. There are workarounds, > >such as IP over IP tunneling. > > > RFC 1597 says why you may want to use private IP addresses. > > RFC 1627 says why you should try real hard to resist the temptation. > > Merging the two points of views suggests that private addresses should be > used only when there is no alternative. The long-term impact of private > addresses can be very unpleasant. And trying to get the InterNIC to assign registered IP addresses that are not provided by/for an ISP can be very frustrating. They seem to resist assigning addresses when the number of hosts is not some power of two times 254. > > d/ > > -------------------- > Dave Crocker > Brandenburg Consulting +1 408 246 8253 > 675 Spruce Dr. 
fax: +1 408 249 6205 > Sunnyvale, CA 94086 dcrocker@networking.stanford.edu > > >

**** cjolley@iac.net **** All opinions are my own and not necessarily those of my employer ****

From firewalls-owner Sun Apr 9 14:56:39 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA29793 for firewalls-outgoing; Sun, 9 Apr 1995 14:44:53 -0700 Received: from sun6.barr.com (gate.barr.com [199.199.125.133]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA29788 for ; Sun, 9 Apr 1995 14:44:48 -0700 Received: from wpo.barr.com by sun6.barr.com (4.1/SMI-4.1) id AA11154; Sun, 9 Apr 95 16:46:20 CDT Received: from Barr_Domain_1-Message_Server by wpo.barr.com with Novell_GroupWise; Sun, 09 Apr 1995 16:46:09 -0600 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Sun, 09 Apr 1995 16:46:04 -0600 From: "Steve P. Devore" To: firewalls@GreatCircle.COM Subject: Re: http proxy on firewall -Reply Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Yep, it happened to me when I tried out the http proxy (I am running SunOS 4.1.3_U1 on a SPARC 1+.) Let me know if you figure anything out. I gave up and am now using the cern proxy daemon.

>>> John Adams 4/9/95, 02:44am >>>
Has anyone had a problem with TIS's http proxy causing their firewall to dump core, go into a trap and reboot? This is what happens frequently on our Sun Sparc I... Is there a newer version we should be using?
-john From firewalls-owner Sun Apr 9 15:15:36 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA29823 for firewalls-outgoing; Sun, 9 Apr 1995 14:46:08 -0700 Received: from Mordor.Stanford.EDU (Mordor.Stanford.EDU [36.53.0.155]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA29818 for ; Sun, 9 Apr 1995 14:46:06 -0700 Received: from [198.120.32.21] (arc-tac2-slip2.nsi.nasa.gov [198.120.32.46]) by Mordor.Stanford.EDU (8.6.11/8.6.6) with SMTP id OAA03084; Sun, 9 Apr 1995 14:46:20 -0700 Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sun, 9 Apr 1995 14:46:23 -0700 To: Bob Beck From: Dave Crocker Subject: Re: Registered IP vs unregistered Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 11:35 AM 4/9/95, Bob Beck wrote: >Dave Crocker Says: >> used only when there is no alternative. The long-term impact of private >> addresses can be very unpleasant. > > "unpleasant"? well, I have to ask, what do you mean by that? The best response is to suggest you read RFC 1627. That's where we tried to do a thorough job of detailing the problems. The simplistic (or, ummmmmm, concise) summary is that private addresses often end up needing to be public and this, then, requires re-numbering. With current technology, renumbering varies between somewhat painful to very painful. Let me repeat the bottom line: just because you think the numbers are going to stay private, they often don't. d/ -------------------- Dave Crocker Brandenburg Consulting +1 408 246 8253 675 Spruce Dr. 
fax: +1 408 249 6205 Sunnyvale, CA 94086 dcrocker@networking.stanford.edu From firewalls-owner Sun Apr 9 15:26:37 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA29830 for firewalls-outgoing; Sun, 9 Apr 1995 14:46:26 -0700 Received: from Mordor.Stanford.EDU (Mordor.Stanford.EDU [36.53.0.155]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA29825 for ; Sun, 9 Apr 1995 14:46:23 -0700 Received: from [198.120.32.21] (arc-tac2-slip2.nsi.nasa.gov [198.120.32.46]) by Mordor.Stanford.EDU (8.6.11/8.6.6) with SMTP id OAA03090; Sun, 9 Apr 1995 14:46:36 -0700 Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sun, 9 Apr 1995 14:46:40 -0700 To: Carl Jolley From: Dave Crocker Subject: Re: Registered IP vs unregistered Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 12:24 PM 4/9/95, Carl Jolley wrote: >A few months ago when we contacted the InterNIC about "private" IP addresses, >they said that if internal, private IP addresses were going to be used, >they MUST be from the RFC1597 addresses. I got the definite impression that The Internic cannot tell you how to run the inside of your network, unless and until it reaches out to the rest of the world. Any outside person or agency claiming that they can dictate what computers and links do in the privacy of their corporate networks needs to learn a little more about real-vs-theoretical power. On the other hand, perhaps they are claiming moral, rather than legal, imperative. That is, perhaps they are saying that you really WANT/OUGHT to use the private addresses. To them I say, perhaps. That is, if you MUST do SOME private address, then perhaps the "official" private ones are the better choice. RFC1627 has some counter-arguments, but I'd class them as mild. >they did not agree with the overall conclusions expressed in RFC1627. Lots of folks don't agree. 
While nothing is ever this simple, the pro-private/anti-private camps seem to divide between public providers vs. organization inhouse operators. The former, of course, suffer the least if renumbering is required. d/ -------------------- Dave Crocker Brandenburg Consulting +1 408 246 8253 675 Spruce Dr. fax: +1 408 249 6205 Sunnyvale, CA 94086 dcrocker@networking.stanford.edu From firewalls-owner Sun Apr 9 15:56:44 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA00785 for firewalls-outgoing; Sun, 9 Apr 1995 15:26:42 -0700 Received: from research.att.com (research.att.com [192.20.225.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA00774 for ; Sun, 9 Apr 1995 15:26:38 -0700 From: smb@research.att.com Message-Id: <199504092226.PAA00774@miles.greatcircle.com> Received: by gryphon; Sun Apr 9 18:26:27 EDT 1995 To: John Adams , "Steve P. Devore" Subject: Re: http proxy on firewall cc: firewalls@GreatCircle.COM Date: Sun, 09 Apr 95 18:26:26 EDT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk When user programs cause kernel panics, and they're not doing weird things with /dev/kmem or equivalent, it means exactly one thing: there's a kernel bug. This particular one was discussed on the fwtk mailing list in the last few weeks; get the appropriate patches from Sun. As I recall, they were related to getsockopt(). 
From firewalls-owner Sun Apr 9 16:14:20 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA01427 for firewalls-outgoing; Sun, 9 Apr 1995 15:47:24 -0700 Received: from clark.net (clark.net [168.143.0.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA01416 for ; Sun, 9 Apr 1995 15:47:21 -0700 Received: (hcb@localhost) by clark.net (8.6.12/8.6.5) id SAA09631; Sun, 9 Apr 1995 18:47:33 -0400 From: Howard Berkowitz Message-Id: <199504092247.SAA09631@clark.net> Subject: Re: Registered IP vs unregistered To: dcrocker@networking.stanford.edu (Dave Crocker) Date: Sun, 9 Apr 1995 18:47:32 -0400 (EDT) Cc: beck@cs.ualberta.ca, firewalls@GreatCircle.COM In-Reply-To: from "Dave Crocker" at Apr 9, 95 02:46:23 pm X-Mailer: ELM [version 2.4 PL24alpha3] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Content-Length: 197 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Perhaps it's appropriate to say that before implementing RFC1597 addresses, it is appropriate to plan how you will convert from them if necessary. DHCP is one good alternative, if supported. 
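The private-address thread above turns on two checks a firewall administrator can actually run: whether an internal network really sits inside one of the three RFC 1597 blocks John Curran quotes (a "random ip #" does not, and will collide with whichever organization the InterNIC later assigns that number to), and whether two organizations' internal allocations overlap when they merge, the renumbering case Howard Berkowitz raises. The Python below is an added example, not code from any poster on this list or from the RFC. The two company allocation lists are constructed sample data: 192.168.77.0/24 is taken from the Milkyway Received: header later in this thread, and 198.51.100.0/24 is a documentation range standing in for a randomly picked public network number. It also counts how many class C (/24) network numbers each block holds.

```python
import ipaddress

# The three RFC 1597 private blocks quoted in the thread, written as CIDR prefixes.
RFC1597_BLOCKS = (
    ipaddress.IPv4Network("10.0.0.0/8"),      # 10.0.0.0    - 10.255.255.255
    ipaddress.IPv4Network("172.16.0.0/12"),   # 172.16.0.0  - 172.31.255.255
    ipaddress.IPv4Network("192.168.0.0/16"),  # 192.168.0.0 - 192.168.255.255
)


def class_c_count(block):
    """Number of class C (/24) network numbers contained in a block."""
    return 2 ** (24 - block.prefixlen)


def is_rfc1597(net):
    """True if the whole network lies inside one RFC 1597 block.

    A network that straddles a block boundary, or sits outside all three,
    is not private space even if part of it happens to be.
    """
    net = ipaddress.IPv4Network(net, strict=False)
    return any(net.subnet_of(block) for block in RFC1597_BLOCKS)


def non_private(internal_nets):
    """Internal networks that are NOT RFC 1597 space.

    These are the "random ip #" case from the thread: once the InterNIC
    assigns that number to someone and it is routed in the public Internet,
    hosts behind the firewall can no longer reach that organization.
    """
    return [n for n in internal_nets if not is_rfc1597(n)]


def merge_conflicts(nets_a, nets_b):
    """Pairs (a, b) of networks that overlap when two sites are joined.

    Every pair returned has to be renumbered (or tunnelled / translated)
    before the two nets can route to each other directly.
    """
    conflicts = []
    for a in nets_a:
        na = ipaddress.IPv4Network(a, strict=False)
        for b in nets_b:
            nb = ipaddress.IPv4Network(b, strict=False)
            if na.overlaps(nb):
                conflicts.append((str(na), str(nb)))
    return conflicts


# Constructed sample allocations for two companies about to merge (not real data).
COMPANY_A = ["192.168.1.0/24", "192.168.2.0/24", "10.1.0.0/16"]
COMPANY_B = ["192.168.1.0/24", "10.1.5.0/24", "172.16.5.0/24", "198.51.100.0/24"]


if __name__ == "__main__":
    for block in RFC1597_BLOCKS:
        print(f"{block}: {class_c_count(block)} class C network numbers")
    print("not RFC 1597 (will collide with public space):", non_private(COMPANY_B))
    print("overlaps to renumber on merge:", merge_conflicts(COMPANY_A, COMPANY_B))
```

The overlap check deliberately compares whole prefixes rather than individual addresses: a /16 on one side and a /24 inside it on the other is still a conflict, because the firewall cannot hold a route for both once the nets are joined.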
From firewalls-owner Sun Apr 9 16:26:44 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA02107 for firewalls-outgoing; Sun, 9 Apr 1995 16:11:06 -0700 Received: from blackhole.milkyway.com (milkyway.com [198.53.167.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA02098 for ; Sun, 9 Apr 1995 16:11:02 -0700 Received: from localhost (uucp@localhost) by blackhole.milkyway.com (8.6.5/8.6.6) id TAA10726 for ; Sun, 9 Apr 1995 19:18:47 -0400 Received: from jupiter.milkyway.com(192.168.77.9) by internet.milkyway.com via smap (V1.3) id sma010724; Sun Apr 9 19:18:35 1995 Received: by calisto.milkyway.com (8.6.7/Sun-Client) id TAA09937; Sun, 9 Apr 1995 19:14:07 -0400 To: firewalls@greatcircle.com Path: not-for-mail From: mcr@milkyway.com (Michael Richardson) Newsgroups: milkyway.mail.firewalls Subject: Re: Registered IP vs unregistered Date: 9 Apr 1995 19:14:07 -0400 Organization: Milkyway Networks Corporation Lines: 47 Distribution: milkyway Message-ID: <3m9pnv$9me@calisto.milkyway.com> References: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In article , Carl Jolley wrote:
>And trying to get the InterNIC to assign registered IP addresses that
>are not provided by/for an ISP can be very frustrating. They seem to
>resist assigning addresses when the number of hosts is not some power of
>two times 254.

Ask your ISP to provide the networks, but just get them not to route them in anyway.

I'm not terribly enthusiastic about using the official class A: too risky as 1627 points out, but the class Cs are perfect. For a great many small companies, using a bunch in 192.168.* is just fine. If there is any kind of merger going to occur, then odds are that a small (<200 employees) company is going to have their networks rebuilt pretty soon anyway. Joining the companies on the DMZ is just fine.

When we get to that single class A (10.*.*.*) then I think there is some risk.
But if you really need that many addresses, then you had better have >64k hosts, and the NIC should cooperate.

All application layer firewalls deal with FTP's use of ip addresses in protocol. Kerberos also puts IP addresses in the protocol. Dealing with this is my current project. The initial assumption is that you will have to use registered and routed IP addresses ( that is, have routes to the internal network via the firewall, what we call a "White Hole" configuration, or SourceReal configuration) since it will be a "circuit layer" gateway: the firewall won't know the encryption keys.

-- :!mcr!: | Milkyway Networks Corporation Michael Richardson | Makers of the Black Hole firewall NCF: aa714 || xx714 | +1 613 566-4574 ... mcr@milkyway.com Home: mcr@sandelman.ocunix.on.ca. PGP key available.

From firewalls-owner Sun Apr 9 16:38:38 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA01280 for firewalls-outgoing; Sun, 9 Apr 1995 15:42:54 -0700 Received: from procert.cert.dfn.de (procert.cert.dfn.de [134.100.14.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA01272 for ; Sun, 9 Apr 1995 15:42:46 -0700 Received: from concert.cert.dfn.de (ley@concert.cert.dfn.de [134.100.14.129]) by procert.cert.dfn.de (8.6.10/8.6.10) with ESMTP id AAA29017; Mon, 10 Apr 1995 00:43:29 +0200 Received: (ley@localhost) by concert.cert.dfn.de (8.6.10/8.6.10) id AAA28303; Mon, 10 Apr 1995 00:42:01 +0200 Date: Mon, 10 Apr 1995 00:42:01 +0200 Message-Id: <199504092242.AAA28303@concert.cert.dfn.de> From: Wolfgang Ley To: cklaus@iss.net, firewalls@GreatCircle.COM, bugtraq@fc.net Subject: Re: SATAN ATTACKS EVERYWHERE In-Reply-To: <199504071804.LAA18625@iss.net> from "Christopher Klaus" at Apr 7,94 11:04:12 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Hey, are we still here?? Looks like we survived the numerous attacks
> from hordes of hackers armed with SATAN with the only desire
> to pillage and pilfer everyone's networks.
> The Internet has survived
> another mega hype negative story!
>
> For some reason, I really can't see tons of hackers using SATAN for several
> reasons:

0. SATAN was never designed to be a tool to exploit security problems on other sites.

> 1. It is HUGE. It eats up tons of disk and ram space. When I tried to
> load up SATAN's demo information on a 16 meg machine here, it crashed
> from not having enough RAM. It requires 32 megs . (And I thought
> Windows was a memory hog). Like the administrator won't notice he only
> has 1 meg of ram left.

I have never seen a "real" Unix system with 16 meg total memory (phys. memory and swap space). I'm not talking about your poor PC running linux or something like that... SATAN itself is not "HUGE". Maybe you are talking about an interactive session using an X11-html-viewer and you are including perl5 in your count? The memory SATAN needs depends on the size of your network. If you have a network with several thousand computers you will have at least one with more than 16 meg total memory (including swap) and free disk space of a few (let's say 50) megs - don't you?

> 2. It requires installing other packages like perl. Most hackers aren't
> able to run anything unless it's a no brainer script. "Gee the bad thing
> is we've been hacked and someone used SATAN, the good thing is that we
> got perl5 and a web browser installed."

Perhaps you are talking about wannabe-hackers that are trying to break into other systems (crackers). Hackers (in the original sense, people with deep knowledge about computers) won't have problems installing perl... Every normal sys-admin is able to install perl - it's one of the easiest-to-install packages that are available.

> 3. Since you have to use a web browser, you have to either run SATAN from
> the console (umm, really stupid hacker scanning from his own machine) or
> redirect the X Display to his own machine (still really stupid).
> Who knows,
> I wouldn't be surprised if some hacker wanna-be does use SATAN. Maybe
> CERT can tell us if they have seen a dramatic increase in breakins now
> that SATAN is released?

Have you ever tried to read the documentation? Ever used SATAN? Of course you can use satan as a shell-command to collect the data. There are also HTML-viewers that do not need X (like lynx) and work very well together with satan.

> Hey, I am glad that SATAN really isn't the ideal hacker tool, but I wanted
> to point out (contrary to News Media) that SATAN is not the tool that
> will shut down the Internet.

Hmm. My very personal opinion is that you have not tried to be objective, nor did you read the full documentation and understand the principles of SATAN.

But now we are coming to the real reason for your posting:

> On a side note, I have released ISS 1.3 which is available on ftp.iss.net
> /pub/iss/iss13.tar.gz which includes many more checks than what SATAN
> has specified. Also, it doesn't require installing any other
> outside packages, is in C, and doesn't require large amounts of ram
> nor disk space.
>

Ok. Let's check.

1. Includes more checks?
This is not a problem. The main goal of the current release of SATAN was to bring out the package right now so it can't be stopped, to get feedback for bug-fixes and (later) add more tests.

It would be interesting to see new versions of ISS as soon as new checks are being shipped with SATAN. So why haven't you released this iss version with more tests before?

2. Doesn't require installing other packages?
Oh - nice. How will it work on my Solaris 2.x machine (out of the box) that has no C-compiler?

SATAN also includes another very important part (missing in ISS): the "web of trust". By using this you can "get the whole picture" instead of highlighting only single problems. This part isn't yet powerful enough but the authors are still working especially on this topic.
Another point: You first said that satan is huge, requires additional packages, etc. and then said that your product is better in these categories. Also you said that because of the disadvantages of SATAN on these points crackers won't use it. Later on you are advertising your tool... Who should use it? The crackers or the sysadmins?

You completely ignored the very good documentation of SATAN! Also compare the data presentation of ISS and SATAN and the user interface...

Also I don't think that Dan and Wietse are those guys who are thinking: first we release a small package for public use and then (after getting feedback and improving the product) don't give the results of the feedback back to the community but instead sell the product as binary only for a very high price...

Bye,
Wolfgang Ley.
--
----------------------------------------------------------------------
Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg, Germany Email: ley@cert.dfn.de Phone: +49 40 54715-262 Fax: +49 40 54715-241 PGP-Key available via finger ley@concert.cert.dfn.de or any key-server

From firewalls-owner Sun Apr 9 16:57:00 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA03961 for firewalls-outgoing; Sun, 9 Apr 1995 16:47:24 -0700 Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA03943; Sun, 9 Apr 1995 16:47:19 -0700 X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sun, 9 Apr 1995 16:47:45 -0800 To: Wolfgang Ley , cklaus@iss.net, firewalls@GreatCircle.COM From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: SATAN ATTACKS EVERYWHERE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Please do NOT cross-post stuff to both Firewalls & Bugtraq.
They are different lists with different purposes and different audiences; stuff that gets cross-posted between them (like this thread) usually leads to a flame war on one list or the other. -Brent ---------------------------------------------------------------------- For info about the Internet Security Firewalls Tutorial and a schedule of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM ---------------------------------------------------------------------- Brent Chapman Great Circle Associates Brent@GreatCircle.COM 1057 West Dana Street +1 415 962 0841 Mountain View, CA 94041 From firewalls-owner Sun Apr 9 17:26:52 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA04582 for firewalls-outgoing; Sun, 9 Apr 1995 16:59:31 -0700 Received: from iss.net (iss.iss.NET [204.241.60.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA04575 for ; Sun, 9 Apr 1995 16:59:27 -0700 Received: (from cklaus@localhost) by iss.net (8.6.4/8.6.4) id UAA09411; Sun, 9 Apr 1995 20:13:49 -0700 From: Christopher Klaus Message-Id: <199504100313.UAA09411@iss.net> Subject: Re: SATAN ATTACKS EVERYWHERE To: ley@cert.dfn.de (Wolfgang Ley) Date: Sun, 9 Apr 1995 20:13:48 +1494730 (PDT) Cc: cklaus@iss.net, firewalls@GreatCircle.COM, bugtraq@fc.net In-Reply-To: <199504092242.AAA28303@concert.cert.dfn.de> from "Wolfgang Ley" at Apr 10, 95 00:42:01 am X-Mailer: ELM [version 2.4 PL20] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 7672 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > > > Hey, are we still here?? Looks like we survived the numerous attacks > > from hordes of hackers armed with SATAN with the only desire > > to pillage and pilfer everyone's networks. The Internet has survived > > another mega hype negative story! > > > > For some reason, I really can't see tons of hackers using SATAN for several > > reasons: > > 0. 
> SATAN was never designed to be a tool to exploit security problems
> on other sites.

You missed my point and obviously missed all the news coverage that this tool would be the new tool for hackers to abuse the Internet.

> I have never seen a "real" Unix system with 16 meg total memory (phys.
> memory and swap space). I'm not talking about your poor PC running
> linux or something like that...

Well, in the US, the fastest growing number of machines getting on the Internet would probably be the typical PC machines, especially with all the slip/ppp account ISPs. If SATAN was going to be the tool that every hacker would use, then I would think it would at least run on most of those machines. Again, my point was that the mass media was wrong.

> > 2. It requires installing other packages like perl. Most hackers aren't
> > able to run anything unless it's a no brainer script. "Gee the bad thing
> > is we've been hacked and someone used SATAN, the good thing is that we
> > got perl5 and a web browser installed."
>
> Perhaps you are talking about wannabe-hackers that are trying to break
> into other systems (crackers). Hackers (in the original sense, people
> with deep knowledge about computers) won't have problems installing
> perl... Every normal sys-admin is able to install perl - it's one
> of the easiest-to-install packages that are available.

The basis for my statements was why I didn't think hackers (the mass media term for crackers or wanna-be crackers) would use it. I would think most admins could install perl. I would hope so.

> > Hey, I am glad that SATAN really isn't the ideal hacker tool, but I wanted
> > to point out (contrary to News Media) that SATAN is not the tool that
> > will shut down the Internet.
>
> Hmm. My very personal opinion is that you have not tried to be objective,
> nor did you read the full documentation and understand the principles of
> SATAN.

You obviously missed my whole point. I'm not slamming SATAN as a product. I recommend everyone use it.
I just don't think SATAN is as great a danger to the Internet as the media portrays. Obviously, a few sites are going to get hit by SATAN, but I doubt it is anywhere as big as the media has portrayed it. > > On a side note, I have released ISS 1.3 which is available on ftp.iss.net > > /pub/iss/iss13.tar.gz which includes many more checks than what SATAN > > has specified. Also, it doesn't require installing any other > > outside packages, is in C, and doesn't require large amounts of ram > > nor disk space. > > > > Ok. Let's check. > > 1. Includes more checks? > This is not a problem. The main goal of the current release of > SATAN was to bring out the package right now so it can't be stopped, > to get feedback for bug-fixes and (later) add more tests. > > It would be interesting to see new versions of ISS as soon as new > checks are being shipped with SATAN. So why haven't you released > this iss version with more tests before? Because posting exploit code for new bugs is in my opinion not the best situation for the Internet. I think it helps to make the code available but under more controlled circumstances. I think that is the biggest complaint with SATAN, is that it was control-free. > > 2. Doesn't require installing other packages? > Oh - nice. How will it work on my Solaris 2.x machine (out of the box) > that has no C-compiler? Well, then you can't run very many publicly available packages, including ISS or SATAN. Have a friend compile it for you, I guess. > > SATAN also includes another very important part (missing in ISS): > the "web of trust". By using this you can "get the whole picture" instead > of highliting only single problems. This part isn't yet powerful enough > but the authors are still working especially on this topic. The commercial version of ISS does all the trust hosts/users analysis. I do not plan on releasing another free ISS version, unless another serious bug appears in the code which I am almost certian I have removed all such bugs. 
If someone else wants to add their own code/checks to ISS, I'll happily put it on ftp.iss.net along with the other ports. ISS 1.21 had a big bug that could cause it to scan unspecified networks, and I felt it was worthwhile to make sure that I released a fixed version for such a volatile and possibly liable-causing bug. > > Another point: You first said that satan is huge, requires additional > packages, etc. and than said that your product is better in this > categories. Also you said because of the disadvantages of SATAN in > this points crackers won't use it. Later on you are advertising your > tool... Who should use it? The crackers or the sysadmins? Administrators obviously should use it. Crackers have their own tools anyways. Just wanted to point out that programs have been available on the Internet that could be abused like SATAN, long before SATAN was released. I did not quite get the mass hysteria over SATAN (other than the neato name). > > You completly ignored the very good documentation of SATAN! Also Great. Check out my Security FAQes I make available on http://iss.net/iss They provide a very clear checklist of things for an admin to follow to make sure their network is safe. If you did follow that checklist, ISS, SATAN, and any other scanner would be useless for your network. > > Also I don't think that Dan and Wietse are those guys who are > thinking: first we release a small package for public use and than > (after getting feedback and imporving the product) don't give the > results of the feedback back to the community All vulnerability checks and feedback I was given was placed in the freeware version. ISS 2.1 is a completely re-written product with very little of the original code. Well, I was developing ISS in my spare time 4 years ago. And I was using it for my own personal use. I talked with others, such as Alec Muffett and convinced me to release it for Usenet. No problem. 
After getting flooded with a lot of mail saying what a useful tool, etc, there would be only one way to really turn it into a very powerful and useful tool and make sure that it wasn't being abused each time I added a new check, and that was to go go commercial. That way, I do not have to worry about a lawsuit (Im sure you haven't missed the talks about SATAN and the great possibility that Mr. Farmer will get sued.) and also, allow me to work on the product full time. So, going commercial for me was the right decision, just wanted to point out, my releasing initial versions of ISS was not some sneaky marketing strategy. I look at it as the same way as TIS did their firewall toolkit. I will be announcing ISS 3.0 soon and it has many dangerous checks in it. And by having it commercial, I do not have to worry about it being abused or being sued. Nor have I heard of a single case where ISS 2.1 has been found to be used by crackers, because I took special precautions to limit ISS scans to particular networks and hosts. Cheers, Christopher -- Christopher William Klaus Voice: (404)441-2531. Fax: (404)441-2431 Internet Security Systems, Inc. 
Computer Security Consulting     2000 Miller Court West, Norcross, GA 30071
========================< http://iss.net/~iss >=========================

From firewalls-owner Sun Apr 9 18:56:38 1995
Message-Id: <199504100131.SAA07707@miles.greatcircle.com>
Date: Sun, 9 Apr 95 18:38:35 PDT
From: greep@datatools.com (Steven Tepper)
To: firewalls@GreatCircle.COM
In-Reply-To: <199504092226.PAA00774@miles.greatcircle.com> (smb@research.att.com)
Subject: Re: http proxy on firewall

> From: smb@research.att.com
> Cc: firewalls@GreatCircle.COM
> Date: Sun, 09 Apr 95 18:26:26 EDT
>
> When user programs cause kernel panics, and they're not doing
> weird things with /dev/kmem or equivalent, it means exactly one
> thing: there's a kernel bug.

Or there's a hardware problem. But kernel bugs are a much more common reason.

-greep
cyber-haruspex

From firewalls-owner Sun Apr 9 21:26:47 1995
Date: Sun, 9 Apr 1995 21:15:08 -0700 (PDT)
From: Tim Keanini
To: firewalls@GreatCircle.COM
Subject: Router mailing list?

Hello,

In efforts to keep the Firewalls Mailing list free and clear of topics that don't really have anything to do with firewall discussion, I have a question.

I was wondering if there was a mailing list that anyone knows about that would be the discussion of routing and network stuff. The subject matters would be:

-routing problems
-routing protocols
-subnetting hell
-supernetting hell
-basic network layer problems and resolutions.
-PC IP stacks and their problems

As I get into this more and more I can see clearly that there seem to be a few people who actually know what they are talking about and a lot of people standing around nodding their heads.

I don't want to take up bandwidth here, I just need a pointer to more information.

--blast

Tim Keanini, aka blast
"The limits of my language, are the limits of my world." --Ludwig Wittgenstein
for more info on BayMOO...
email baymoo@worldbit.com

From firewalls-owner Sun Apr 9 22:07:05 1995
Message-Id: <199504052306.TAA02479@locust.net.ohio-state.edu>
Date: Wed, 5 Apr 1995 18:10:04 -0500
To: firewalls@greatcircle.com
From: dkarl@net.ohio-state.edu (Doug Karl)
Subject: KarlBridge/Router vs Satan and an overview of the new version 3.0
Cc: sales@karlnet.com

To all from Doug Karl.....

Well, everyone seems to be talking about the latest network security scanners and firewalls to protect against them. The current version of KarlBridge and KarlBrouter V2.09 will already help protect against both the Satan scans and also the deliberate attacks that may follow. (Consult the "Security (Firewall) Setup" chapter in the documentation for a discussion of the configuration.)

For those who need additional immediate security, the KarlBridge/Router static firewall filters can be set to block ALL incoming Internet traffic unless a particular incoming IP address has been "Authenticated". This authentication can be accomplished by using the special KarlBridge/Router Dynamic Filters in conjunction with your favorite authentication server running Kerberos, S/Key, etc. We have a special authentication daemon that runs on the Unix box which will then inform the KarlBridge/Router to open a connection from a particular remote IP address to/from another particular internal IP address. (Version 3.0 will expand this to include both UDP and TCP ports.)

Break-in attempt logs can be sent from the KarlBridge/Router to any Unix box set up to accept SYSLOG packets. Scanning can be detected by setting up the KarlBridge/Router to send SYSLOG packets for each TCP establish packet.

In addition to the above features, the new Version 3.0 of the KarlBridge/Router, due out for beta test at the end of the month, also includes:

1) Tighter and more extensive firewall filters.

2) Lure hosts and lure subnet support. This is the ability of the KarlBridge/Router firewall to make an intruder think there are real hosts in the internal network that are not actually there. These lure hosts can be set up to trip counter measures when accessed (described in 6 below).

2) New ICMP filters. Some examples are the ability to "ping" out of the internal network but not in. One can argue that if you stop incoming "pings" at the border then some scanners can be slowed down. Also incoming ICMP Redirects can be blocked from entering the network. This will protect against ICMP bombs.

3) Greatly enhanced logging capability using both SYSLOG and SNMP Traps. We log source and destination IP/UDP/TCP Port, source and destination IP addresses, source and destination Ethernet addresses, protocol used, and which filter rule was violated.

4) Integrated Network Statistics monitor. The KarlBridge/Router will keep packet and byte counts on every socket from 0 through 1023 plus 20 user defined sockets above 1024. Packet and byte counts will be kept on each Ethernet address and other things such as IP ARP requests and replies. Duplicate IP addresses will be detected along with all hosts that have incorrectly configured IP address masks and default gateway address (i.e. they are attempting a Proxy ARP request). All of these statistics will be reported via SNMP and can be displayed with the standard KarlBridge SNMP monitoring program.

5) Application Level Packet Filters. The advantage of an Application Level Gateway is its logging ability and its ability to better protect against UDP port spoofing. They can accomplish this because they work on all 7 layers of the OSI model. The new KarlBridge/Router will include this type of application level filtering. We are calling it an Application Level Packet Filter since it works on all 7 layers of the OSI model.

6) Network scanner and intruder counter measures. This is the ability of the KarlBridge/Router to detect scanners and intruders, optionally log their activity, and immediately and automatically deny them further access to the internal network. This access denial applies to any particular intruding IP address. Once an intruding IP address has been dynamically denied, the internal network will be viewed by that intruder as either a black hole (i.e. all further attempts to communicate with the network will be ignored) or as a whole set of Lure Hosts (i.e. every address the intruder tries to contact will return either the appropriate ICMP message or TCP/RST).

New versions of the PD Demo KarlBridge and complete manual can be obtained from ftp.net.ohio-state.edu /pub/kbridge. Please direct inquiries for brochures on the commercial version to sales@karlnet.com. Existing customers of the commercial version will receive V3.0 at no extra charge. Please send e-mail to sales@karlnet.com to request V3.0 when it is ready.

Wish us luck in our final stages of implementation and testing.

Thanks,
Doug Karl
Associate Director of Data Communications and Networking, Ohio State University
and President, KarlNet, Inc.
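The scan detection and automatic denial that the announcement above describes (one SYSLOG record per TCP establish packet, then a per-address deny that behaves as a black hole or as lure hosts), as an added example that is not KarlNet's code: the record format, host names and thresholds below are constructed for illustration, not the product's real syslog output.

```python
"""Added example: scan detection over per-connection syslog records with a
dynamic deny list, in the spirit of the KarlBridge/Router features above.
The record format and addresses are constructed for illustration and are
not the product's actual syslog output."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: one record per TCP establish (SYN) packet seen by
# the filter, plus one unrelated record that the parser must ignore.
SAMPLE_LOG = """\
Apr  9 21:15:01 kbridge tcp-establish src=203.0.113.5:51022 dst=192.0.2.10:25
Apr  9 21:15:02 kbridge tcp-establish src=198.51.100.7:40001 dst=192.0.2.10:21
Apr  9 21:15:02 kbridge tcp-establish src=198.51.100.7:40002 dst=192.0.2.10:23
Apr  9 21:15:03 kbridge tcp-establish src=198.51.100.7:40003 dst=192.0.2.10:25
Apr  9 21:15:03 kbridge tcp-establish src=203.0.113.5:51023 dst=192.0.2.10:80
Apr  9 21:15:04 kbridge tcp-establish src=198.51.100.7:40004 dst=192.0.2.10:79
Apr  9 21:15:04 kbridge icmp-redirect src=198.51.100.9 dst=192.0.2.1 rule=7
Apr  9 21:15:04 kbridge tcp-establish src=198.51.100.7:40005 dst=192.0.2.11:111
Apr  9 21:15:05 kbridge tcp-establish src=198.51.100.7:40006 dst=192.0.2.11:513
Apr  9 21:15:06 kbridge tcp-establish src=198.51.100.7:40007 dst=192.0.2.11:514
Apr  9 21:16:10 kbridge tcp-establish src=203.0.113.5:51024 dst=192.0.2.10:25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ tcp-establish "
    r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, dst_port) for a tcp-establish
    record, or None for any other record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Syslog timestamps carry no year; the default (1900) is fine for deltas.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("src"), m.group("dst"), int(m.group("dport"))


class ScanDetector:
    """Flag a source that contacts >= max_targets distinct (host, port)
    pairs within window_seconds, then deny it.  mode='blackhole' ignores
    the denied source; mode='lure' answers every later probe with a
    synthetic reset, so the whole network looks like a set of lure hosts."""

    def __init__(self, window_seconds=60, max_targets=5, mode="blackhole"):
        self.window = window_seconds
        self.max_targets = max_targets
        self.mode = mode
        self.recent = defaultdict(deque)   # src -> deque of (ts, (dst, port))
        self.denied = {}                   # src -> timestamp of denial
        self.dropped = 0                   # probes seen after denial

    def observe(self, ts, src, dst, dport):
        """Feed one establish record and return its verdict: 'allow',
        'deny' (this record tripped the threshold), or the post-denial
        treatment 'drop' (black hole) / 'tcp-rst' (lure)."""
        if src in self.denied:
            self.dropped += 1
            return "drop" if self.mode == "blackhole" else "tcp-rst"
        q = self.recent[src]
        q.append((ts, (dst, dport)))
        # Expire targets that fell out of the sliding window.
        while q and (ts - q[0][0]).total_seconds() > self.window:
            q.popleft()
        if len({target for _, target in q}) >= self.max_targets:
            self.denied[src] = ts
            return "deny"
        return "allow"


def process_log(text, window_seconds=60, max_targets=5, mode="blackhole"):
    """Run the detector over syslog text; return (detector, verdicts) where
    verdicts is a list of (src_ip, verdict) in log order."""
    det = ScanDetector(window_seconds, max_targets, mode)
    verdicts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdicts.append((rec[1], det.observe(*rec)))
    return det, verdicts


if __name__ == "__main__":
    det, verdicts = process_log(SAMPLE_LOG)
    for src, verdict in verdicts:
        print(f"{src:15} {verdict}")
    print("denied:", sorted(det.denied), "probes after denial:", det.dropped)
```

The legitimate client (two ports, spread over more than the window) is never flagged, while the sweep of seven services across two hosts trips the threshold on its fifth distinct target and every later probe from it is black-holed or answered with a reset.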
From firewalls-owner Sun Apr 9 22:26:27 1995
Date: Sun, 9 Apr 1995 21:41:11 -0700
To: Howard Berkowitz
From: Dave Crocker
Subject: Re: Registered IP vs unregistered
Cc: beck@cs.ualberta.ca, firewalls@GreatCircle.COM

At 3:47 PM 4/9/95, Howard Berkowitz wrote:
>Perhaps it's appropriate to say that before implementing
>RFC1597 addresses, it is appropriate to plan how you will

excellent suggestion.

>convert from them if necessary. DHCP is one good alternative,
>if supported.

DHCP does somewhat less than many people may realize. It relieves you from having to change tables in each user host; this is wonderful. However, you still must have a server -- on each net or available via relaying routers -- with the necessary tables configured to hand out the values for the user hosts.

d/

--------------------
Dave Crocker
Brandenburg Consulting          +1 408 246 8253
675 Spruce Dr.                  fax: +1 408 249 6205
Sunnyvale, CA 94086             dcrocker@networking.stanford.edu

From firewalls-owner Mon Apr 10 01:56:36 1995
Message-Id: <9504100829.AA02264@vampire.science.gmu.edu>
From: Tim Scanlon
Date: Mon, 10 Apr 95 04:29:05 -0400
To: Wolfgang Ley, cklaus@iss.net
Subject: Re: SATAN ATTACKS EVERYWHERE
Cc: cklaus@iss.net, firewalls@GreatCircle.COM, bugtraq@fc.net
Reply-To: tfs@vampire.science.gmu.edu

Bugtraq is a list whose mission is to discuss and provide specific information and full disclosure about security weaknesses. Not necessarily solutions, but they're damned nice to have and most people want the good with the bad.

- You both know this.

It is not a favored forum to randomly flame critical comparisons of different products. alt.flame, or alt.flame.satan.spaz.spaz.spaz, is for doing that.

It is not a place to advertise commercial services or products. comp.security.announce is for that.

It is not firewalls either. I got off firewalls because there was so much more noise than substance that it became a waste of time to sort through. I really don't want to see cross-pollination, especially when it's the sort of flaming that got me off firewalls in the first place. On there, people flamed for getting full disclosure information in crossposts. This is a flame from the other side of the fence for NOT getting full disclosure information.

- Don't crosspost. I am SURE that both Chris and you know not to do this. Poor form.

I'm like a lot of other people, I have more than enough sitting in my mailbox to deal with as it is. I do NOT need, nor really want, off-purpose or otherwise witless mail. It makes it all that much harder to sort through, and increases the risk I may miss something that I would rather not. Considering the topic is systems security related, and that I have a professional interest in reducing risks related to security, I would like to see that risk minimized as much as possible.

Tim Scanlon
________________________________________________________________
tfs@vampire.science.gmu.edu (NeXTmail, MIME)      Tim Scanlon
George Mason University (PGP key avail.)          Public Affairs
I speak for myself, but often claim demonic possession

From firewalls-owner Mon Apr 10 04:26:46 1995
Date: Mon, 10 Apr 1995 10:47:05 +0100
From: graemes@morse.co.uk (Graeme Sandieson)
Message-Id: <9504100947.AA06745@lush.morse.computers>
To: firewalls@GreatCircle.COM
Subject: IP Tunneling / Allocation

I am sure that most parties involved in this list are familiar with the problem of dynamic allocation (spoofing?) of IP addresses to machines wishing to communicate on the net, where all LAN based machines cannot be allocated a static unique address. That is, all LAN based machines have a local address, but still wish to communicate across the Internet with a legal, but scarce, IP address.

I understand the use of DHCP etc., but is it possible to allocate a valid address on the way out of a firewall and the reverse on the way in, and so reduce any complexity of the LAN?

The offshoot of this would obviously be the ability to use a single Class C with a public and private LAN.

Is there a "black box" product which will allocate valid IP addresses to any IP pipe? I am primarily interested in Sun, but any UNIX variant should do.

If anyone has any ideas then please mail me, otherwise I apologise for adding more insignificant postings to an already disillusioned group. Why so much junk?

Thanking you in advance

Graeme Sandieson "It's MY opinion"

-----------------------------------------------------------------
From  : Graeme Sandieson        Morse Computers Limited, London
Tel.  : +44 (0)181 392 4030     Fax.  : +44 (0)181 878 8588
Email : Graeme.Sandieson@morse.co.uk
-----------------------------------------------------------------

From firewalls-owner Mon Apr 10 05:59:43 1995
From: Howard Berkowitz
Message-Id: <199504101249.IAA11905@clark.net>
Subject: Re: Registered IP vs unregistered
To: dcrocker@networking.stanford.edu (Dave Crocker)
Date: Mon, 10 Apr 1995 08:49:24 -0400 (EDT)
Cc: hcb@clark.net, beck@cs.ualberta.ca, firewalls@GreatCircle.COM
In-Reply-To: from "Dave Crocker" at Apr 9, 95 09:41:11 pm

DC:
HB: At 3:47 PM 4/9/95, Howard Berkowitz wrote:
HB: Perhaps it's appropriate to say that before implementing
HB: RFC1597 addresses, it is appropriate to plan how you will
:
DC: excellent suggestion.
:
HB: convert from them if necessary. DHCP is one good alternative,
HB: if supported.
:
DC: DHCP does somewhat less than many people may realize. It relieves
DC: you from having to changes tables in each user host; this is wonderful.
DC: However, you still must have a server -- on each net or available via
DC: relaying routers -- with the necessary tables configured to hand out the
DC: values for the user hosts.
DC:

HB: Dave, I'm not sure why you feel a server is a negative thing to have, other than the obvious cost factors.

IMHO, it is far better to use a more centralized address assignment mechanism than to rely on schemes where address assignment has to be delegated down to the workstation level.

The Internet -- and I mean by this "the set of systems that use rational, if not legal, IP addresses" -- is in a period of extreme growth, and the growth of network administrator skills and availability has not necessarily kept pace. There have been too many Class C networks used because the admin "could get away without subnetting;" there have been too many Class B networks used so "there could be a nice clean subnet byte," etc.

Most legacy networks, especially those that have involved organizational mergers, need some level of address redesign if they want to avoid serious scaling problems. Too many current networks also confuse the roles of addressing and naming, trying to put non-topological/routing information into addresses.

Thankfully, a reasonable number of networks do have DNS servers, which gives them a starting set of tools to evolve to a rational address plan. Some type of host configuration server, be it DHCP, a proprietary remote configuration tool, etc., is a logical next step.

Howard Berkowitz
PSC International, a Cisco Training Partner
(703)998-5819 voice   (703)998-5017 home   (703)998-5058 fax

PS: I do like the idea of a routing and addressing list separate from firewalls.
From firewalls-owner Mon Apr 10 06:29:56 1995
Date: Mon, 10 Apr 1995 09:22:20 -0400
From: long-morrow@CS.YALE.EDU (H Morrow Long)
Message-Id: <199504101322.AA11261@SPARKY.CF.CS.YALE.EDU>
To: blast@worldbit.com, firewalls@GreatCircle.COM
Subject: Re: Router mailing list?

>In efforts to keep the Firewalls Mailing list free and clear of topics
>that don't really have anything to do with firewall discussion I have a question.
>
>I was wondering if there was a mailing list that anyone knows about
>that would be the discussion of routing and network stuff.

Mailing lists:

gated-people@gated.cornell.edu          (Gated routing software)
gated-alpha@comet.cit.cornell.edu       ( "" alpha versions)
IBMTCP-L@PUCC.PRINCETON.EDU             (IBM TCP/IP software)

Newsgroups:

bit.listserv.ibmtcp-l                   (IBM TCP/IP software)
comp.dcom.sys.cisco                     (about Cisco routers)
comp.dcom.sys.wellfleet                 (about Bay Networks routers)
comp.os.ms-windows.networking.tcp-ip    (about MS Windows TCP/IP)
comp.os.os2.networking.tcp-ip           (about OS/2 TCP/IP)
comp.protocols.tcp-ip                   (about TCP/IP in general)
comp.protocols.tcp-ip.domains           (about TCP/IP DNS)
comp.protocols.tcp-ip.ibmpc             (about TCP/IP on IBM/PCs)
info.big-internet                       (about corp/campus Internets)
info.gated                              (Gated routing software)
info.ietf                               (Internet Eng. Task Force)
info.snmp                               (Simple Network Mgmt. Protocol)
vmsnet.networks.tcp-ip.cmu-tek          (VMS CMU-TEK TCP/IP software)
vmsnet.networks.tcp-ip.misc             (VMS Misc. TCP/IP software)
vmsnet.networks.tcp-ip.multinet         (VMS Multinet TCP/IP software)
vmsnet.networks.tcp-ip.ucx              (VMS UCX TCP/IP software)
vmsnet.networks.tcp-ip.wintcp           (VMS WIN TCP TCP/IP software)
vmsnet.tcp.multinet                     (VMS Multinet TCP/IP software)

Anyone have any more mailing lists? I know that there are mailing lists for specific router vendors (CISCO, etc.).

- Morrow

>The subject matters would be:
>-routing problems
>-routing protocols
>-subnetting hell
>-supernetting hell
>-basic network layer problems and resolutions.
>-PC IP stacks and their problems
>
>As I get into this more and more I can see clearly that there
>seem to be a few people who actually know what they are talking about
>and a lot of people standing around nodding their heads.
>
>I don't want to take up bandwidth here,
>I just need a pointer to more information.
>
>--blast

From firewalls-owner Mon Apr 10 06:59:24 1995
From: "Marcus J. Ranum"
Message-Id: <15379.9504101302@illuminati>
Subject: Re: http proxy on firewall -Reply
To: sdevore@barr.com (Steve P. Devore)
Date: Mon, 10 Apr 1995 09:02:32 -0400 (EDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Steve P. Devore" at Apr 9, 95 04:46:04 pm
Organization: Trusted Information Systems, Inc. Glenwood, MD
Phone: 301-854-6889
Coredump: Infocalypse Now!!!

>Has anyone had a problem with TIS's http proxy causing their firewall
>to dump core, go into a trap and reboot?

It is a SunOS bug. In lib/pname.c we use getsockopt() to try to find out if the TCP connecting to us was source routed. This tickles a known Sun kernel bug. Simply remove the code around the getsockopt() call or get the kernel patch from Sun.

mjr.

From firewalls-owner Mon Apr 10 07:05:15 1995
Date: Mon, 10 Apr 95 09:09:48 EDT
From: jmorgan@eng.tridom.com (John Morgan)
Message-Id: <9504101309.AA15491@eng.tridom.com>
To: firewalls@GreatCircle.COM
Subject: Firewall FAQ?

My site recently put in a firewall which has hosed up all our net access capabilities. Is there a Firewall FAQ out there that someone could send me? I really don't know enough about them yet to present any good arguments or suggestions to our IS dept. I have a lot of questions, but don't want to pose them till I determine a FAQ's existence..
-john jmorgan@eng.tridom.com From firewalls-owner Mon Apr 10 07:17:27 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA20327 for firewalls-outgoing; Mon, 10 Apr 1995 06:47:45 -0700 Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA20322 for ; Mon, 10 Apr 1995 06:47:42 -0700 Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id IAA25371; Mon, 10 Apr 1995 08:38:27 -0500 Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma025368; Mon Apr 10 08:38:18 1995 Received: from ernie.bridge.com by ignatz.bridge.com with SMTP id AA11293 (5.67b/IDA-1.5); Mon, 10 Apr 1995 08:50:16 -0500 Date: Mon, 10 Apr 1995 08:50:16 -0500 From: Ken Hardy Message-Id: <199504101350.AA11293@ignatz.bridge.com> To: graemes@morse.co.uk Subject: Re: IP Tunneling / Allocation Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk graemes@morse.co.uk (Graeme Sandieson) wrote: >I understand the use of DHCP etc. , but is it possible to allocate a valid >address on the way out of a firewall and the reverse on the way in, and so >reduce any complexity of the LAN ? > >The offshoot of this would obviously be the ability to use a single Class C >with a public and private LAN. > >Is there a "black box" product which will allocate valid IP addresses to >any IP pipe. I don't know of an implemented "black box" to do this. Something like this was proposed by Tsuchiya & Eng in "Extending the IP Internet Through Address Reuse", Computer Communications Review (ACM), vol. 23 no. 1 (Jan., 1993). There have doubtless been other similar proposals. It would be interesting to hear of any implementations. Ob. firewalls: a TIS-like or socks proxied firewall hides your internal addresses, as has been pointed out here countless times. 
Question: does the new "transparent" Gauntlet implementation hide internal addresses also? -KH From firewalls-owner Mon Apr 10 07:27:12 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA21283 for firewalls-outgoing; Mon, 10 Apr 1995 07:08:21 -0700 Received: from sierra.corsof.com (corsof.com [198.22.44.240]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA21278 for ; Mon, 10 Apr 1995 07:08:16 -0700 Message-Id: <199504101408.HAA21278@miles.greatcircle.com> Received: from granite.corsof.com by sierra.corsof.com with ESMTP (8.6.10/16.2) id KAA06052; Mon, 10 Apr 1995 10:08:30 -0400 Received: from dana.corsof.com by granite.corsof.com with SMTP (1.37.109.16/16.2) id AA200222066; Mon, 10 Apr 1995 09:54:26 -0400 X-Sender: dana@pop.corsof.com X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 10 Apr 1995 10:08:08 -0400 To: firewalls@greatcircle.com From: DanaNowell@corsof.com (Dana Nowell) Subject: The Software that ate Sunnyvale (was S attacks everywhere) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk It just so happens I had a Linux box around that I used to test my net with. Satan runs fine (but SLOWLY) on a Linux based 386/25 with 8 meg ram and 20 meg swap if you handle the differences between Sun header files and Linux header files. The conversion took less than two hours using telnet and vi (now with a REAL editor/interface ...). Linux comes with Lynx, Perl5 and gcc. Every home/business should have something to make use of the old 386s ... > >From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) >Date: Fri, 7 Apr 95 13:24:01 -0400 >Subject: The Software that ate Sunnyvale (was S attacks everywhere) > >Christopher rites in part: >>1. It is HUGE. It eats up tons of disk and ram space... >>2. It requires installing other packages like perl... >>3. 
Since you have to use a web browser, you have to either run SATAN from >> the console ... > >You noticed that. However just because that is true of the current version, >does not mean that it will not be ported elsewhere v1.0 of *anything* >rarely resembles a real product (the miracle is not that it works so well, >the miracle is that it works at all). Perhaps we should thank Dan for making >it so feature-rich. > >Truth is that I do not see anything in there that cannot be accomplished >with a notebook PC (not offering to do it, isn't what I get paid for and >have better things to do with spare time). Nor is the Mosaic stuff anything >but a pretty. > >However it is a template for the wannabees who can read the code that says >Do this then do this... Figure someone will port it to a PC (is there a >BSD or Linux version of Perl ? If not, there soon will be.) RSN and then >what ? My guess would be two weeks after the Easter break, all it takes is >- -=>one<=- talented and motivated individual with a lot of free time. > >Fact is that it takes a lot less brilliance to take a sequence that is known >to work and report it than it does to create the sequence in the first place. > >So while the released version is humongous and usable only by a sysadmin with >cycles to burn, the next version won't be. Not a question of "If" just "When". > > Warmly, > Padgett > Dana Nowell Work: DanaNowell@corsof.com Cornerstone Software Inc. Home: dnowell@mv.mv.com I don't even believe myself, why should you! (Standard disclaimer in force). 
From firewalls-owner Mon Apr 10 07:58:01 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA22386 for firewalls-outgoing; Mon, 10 Apr 1995 07:34:21 -0700 Received: from clark.net (clark.net [168.143.0.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA22381 for ; Mon, 10 Apr 1995 07:34:18 -0700 Received: (hcb@localhost) by clark.net (8.6.12/8.6.5) id KAA05502; Mon, 10 Apr 1995 10:34:29 -0400 From: Howard Berkowitz Message-Id: <199504101434.KAA05502@clark.net> Subject: Re: Router mailing list? To: long-morrow@CS.YALE.EDU (H Morrow Long) Date: Mon, 10 Apr 1995 10:34:29 -0400 (EDT) Cc: blast@worldbit.com, firewalls@GreatCircle.COM In-Reply-To: <199504101322.AA11261@SPARKY.CF.CS.YALE.EDU> from "H Morrow Long" at Apr 10, 95 09:22:20 am X-Mailer: ELM [version 2.4 PL24alpha3] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Content-Length: 304 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

There are a great many lists and newsgroups that deal with specific products, a smaller number that deal with next-generation issues, and some that are fairly unstructured. What seems to be missing is a group on IP network design, including addressing, naming, and choices in routing strategies. 
Howard

From firewalls-owner Mon Apr 10 08:31:43 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA23272 for firewalls-outgoing; Mon, 10 Apr 1995 07:54:04 -0700 Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA23267 for ; Mon, 10 Apr 1995 07:54:01 -0700 Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU via SMTP; Mon, 10 Apr 1995 10:54:17 -0400 Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-5.67b/res.client.cf-3.7) id AA11609; Mon, 10 Apr 1995 10:54:16 -0400 Date: Mon, 10 Apr 1995 10:54:16 -0400 From: long-morrow@CS.YALE.EDU (H Morrow Long) Message-Id: <199504101454.AA11609@SPARKY.CF.CS.YALE.EDU> To: hcb@clark.net Subject: Re: Router mailing list? Cc: blast@worldbit.com, firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>There are a great many lists and newsgroups that deal with >specific products, a smaller number that deal with next-generation >issues, and some that are fairly unstructured. > >What seems to be missing is a group on IP network design, >including addressing, naming, and choices in routing strategies. > >Howard

Mmmmm.... Big-Internet (the mailing list and the info.big-internet newsgroup that is fed) covers most of this for the large enterprise network. 
- Morrow

From firewalls-owner Mon Apr 10 09:30:15 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA23613 for firewalls-outgoing; Mon, 10 Apr 1995 08:02:06 -0700 Received: from gatekeeper.tasb.org (gatekeeper.tasb.org [198.214.77.67]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA23608 for ; Mon, 10 Apr 1995 08:02:03 -0700 Received: from towanda.tasb.org (towanda.tasb.org [198.214.78.66]) by gatekeeper.tasb.org (8.6.10/8.6.9) with ESMTP id KAA20145 for ; Mon, 10 Apr 1995 10:04:43 -0500 Received: from tripolis.tasb.org (tripolis.tasb.org [198.214.77.77]) by towanda.tasb.org (8.6.9/8.6.9) with SMTP id KAA27477 for ; Mon, 10 Apr 1995 10:01:52 -0500 Date: Mon, 10 Apr 95 10:01:42 PDT From: Matthew Huff Subject: Re: Registered IP vs unregistered To: firewalls@GreatCircle.COM X-Mailer: Chameleon ARM_55, TCP/IP for Windows, NetManage Inc. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I think one of the main reasons the InterNIC is advising people to check with their ISP before registering their public IP is the rapid growth of CIDR routing. The ISP's are given blocks of IPs to hand out in order to maintain their routing tables at the absolute minimums.

From firewalls-owner Mon Apr 10 09:45:52 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA24108 for firewalls-outgoing; Mon, 10 Apr 1995 08:24:01 -0700 Received: from clark.net (clark.net [168.143.0.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA24098 for ; Mon, 10 Apr 1995 08:23:58 -0700 Received: (hcb@localhost) by clark.net (8.6.12/8.6.5) id LAA17480; Mon, 10 Apr 1995 11:24:03 -0400 From: Howard Berkowitz Message-Id: <199504101524.LAA17480@clark.net> Subject: Re: Router mailing list? 
To: long-morrow@CS.YALE.EDU (H Morrow Long) Date: Mon, 10 Apr 1995 11:24:03 -0400 (EDT) Cc: hcb@clark.net, blast@worldbit.com, firewalls@GreatCircle.COM In-Reply-To: <199504101454.AA11609@SPARKY.CF.CS.YALE.EDU> from "H Morrow Long" at Apr 10, 95 10:54:16 am X-Mailer: ELM [version 2.4 PL24alpha3] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Content-Length: 646 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> > > >There are a great many lists and newsgroups that deal with > >specific products, a smaller number that deal with next-generation > >issues, and some that are fairly unstructured. > > > >What seems to be missing is a group on IP network design, > >including addressing, naming, and choices in routing strategies. > > > >Howard > > Mmmmm.... Big-Internet (the mailing list and the info.big-internet > newsgroup that is fed) covers most of this for the large enterprise network. > > - Morrow > >

I'm a participant in that group. I've always thought of it as intended more for IPv6 protocol developers than for current IPv4 practice.

From firewalls-owner Mon Apr 10 10:01:57 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA25279 for firewalls-outgoing; Mon, 10 Apr 1995 09:18:34 -0700 Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA25274 for ; Mon, 10 Apr 1995 09:18:31 -0700 Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.29.1 #1) id m0ryM7e-0000QxC; Mon, 10 Apr 95 09:15 PDT Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA15516; Mon, 10 Apr 1995 09:19:04 +0800 Date: Mon, 10 Apr 1995 09:19:04 +0800 From: patrick@oes.amdahl.com (Patrick Horgan) Message-Id: <9504101619.AA15516@brittany.oes.amdahl.com> To: blast@worldbit.com, firewalls@GreatCircle.COM, long-morrow@CS.YALE.EDU Subject: Re: Router mailing list? 
X-Sun-Charset: US-ASCII content-length: 1270 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> > >In efforts to keep the Firewalls Mailing list free and clear of topics > >that don't really have anything to do with firewall discussion I have a question. > > > >I was wondering if there was a mailing list that anyone knows about > >that would be the discussion of routing and network stuff. >

While it's not really a mailing list, anyone with www access and interest in these areas should check out the "Data Communications and Networking Links" page. It's http://www.racal.com/networking.html It's amazing in its content, it has links to everything in this area I've ever heard of and more that I found only through this site.

Patrick _______________________________________________________________________ / These opinions are mine, and not Amdahl's (except by coincidence;). \ | (\ | | Patrick J. Horgan Amdahl Corporation \\ Have | | patrick@amdahl.com 1250 East Arques Avenue \\ _ Sword | | Phone : (408)992-2779 P.O. 
Box 3470 M/S 316 \\/ Will | | FAX : (408)773-0833 Sunnyvale, CA 94088-3470 _/\\ Travel | \___________________________O16-2294________________________\)__________/

From firewalls-owner Mon Apr 10 10:03:02 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA24931 for firewalls-outgoing; Mon, 10 Apr 1995 08:57:51 -0700 Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA24926 for ; Mon, 10 Apr 1995 08:57:47 -0700 Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.29.1 #1) id m0ryLna-0000P5C; Mon, 10 Apr 95 08:54 PDT Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA15485; Mon, 10 Apr 1995 08:58:21 +0800 Date: Mon, 10 Apr 1995 08:58:21 +0800 From: patrick@oes.amdahl.com (Patrick Horgan) Message-Id: <9504101558.AA15485@brittany.oes.amdahl.com> To: firewalls@GreatCircle.COM, blast@worldbit.com Subject: Re: Router mailing list? X-Sun-Charset: US-ASCII content-length: 1075 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> > Hello, > > In efforts to keep the Firewalls Mailing list free and clear of topics > that don't really have anything to do with firewall discussion I have a question. > > I was wondering if there was a mailing list that anyone knows about > that would be the discussion of routing and network stuff. >

comp.protocols.tcp-ip is pretty good for that. It's a usenet group. There are mailing lists for most of the particular router manufacturers.

Patrick _______________________________________________________________________ / These opinions are mine, and not Amdahl's (except by coincidence;). \ | (\ | | Patrick J. Horgan Amdahl Corporation \\ Have | | patrick@amdahl.com 1250 East Arques Avenue \\ _ Sword | | Phone : (408)992-2779 P.O. 
Box 3470 M/S 316 \\/ Will | | FAX : (408)773-0833 Sunnyvale, CA 94088-3470 _/\\ Travel | \___________________________O16-2294________________________\)__________/

From firewalls-owner Mon Apr 10 12:55:22 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA01006 for firewalls-outgoing; Mon, 10 Apr 1995 11:16:35 -0700 Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA01001 for ; Mon, 10 Apr 1995 11:16:32 -0700 Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU via SMTP; Mon, 10 Apr 1995 14:16:50 -0400 Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-5.67b/res.client.cf-3.7) id AA12318; Mon, 10 Apr 1995 14:16:49 -0400 Date: Mon, 10 Apr 1995 14:16:49 -0400 From: long-morrow@CS.YALE.EDU (H Morrow Long) Message-Id: <199504101816.AA12318@SPARKY.CF.CS.YALE.EDU> To: hcb@clark.net Subject: Re: Router mailing list? Cc: blast@worldbit.com, firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>> Mmmmm.... Big-Internet (the mailing list and the info.big-internet >> newsgroup that is fed) covers most of this for the large enterprise network. >> - Morrow >> >I'm a participant in that group. I've always thought of it as >intended more for IPv6 protocol developers than for current >IPv4 practice.

You're right. I think the mailing list I'm thinking of may be called the BIG-LAN mailing list. Anyone have any pointers on how to subscribe to it, etc? 
- Morrow

From firewalls-owner Mon Apr 10 13:10:39 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA01761 for firewalls-outgoing; Mon, 10 Apr 1995 11:41:16 -0700 Received: from tgserve1.tgslc.org ([198.213.16.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA01755 for ; Mon, 10 Apr 1995 11:41:12 -0700 Received: from msmail_gate.tgslc.org (msmail_gate.tgslc.org [198.214.1.252]) by tgserve1.tgslc.org (8.6.9/8.6.9.002) with SMTP id NAA20751 for ; Mon, 10 Apr 1995 13:38:07 -0500 Received: by msmail_gate.tgslc.org with Microsoft Mail id <2F897C94@msmail_gate.tgslc.org>; Mon, 10 Apr 95 13:44:36 CDT From: "Newcomb, Kelly" To: Firewalls-List Subject: Firewall Products Date: Mon, 10 Apr 95 13:41:00 CDT Message-ID: <2F897C94@msmail_gate.tgslc.org> Encoding: 32 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

We're looking at firewall products (preferably for the AIX platform) and I wondered if anyone could offer advice as to limitations (or "gotchas") with our "narrowed down" list. So far, IBM's NetSP and ANS's InterLock seem to be good candidates, although Sidewinder, from Secure Computing appears to be the most secure (even though it doesn't run on the AIX platform). Given our somewhat limited experience with the Unix environment (we're learning, but the services that management wants to offer won't wait), we'll most likely need our hands held through the initial implementation. Most of the product information I've gathered has come from the vendors' Web pages and white papers I've ftp'd down. (We're also looking at Firewall-1 from CheckPoint, Centri, from Cohesive Systems, and Gauntlet from TIS). Since all I've had to go on is what the vendors say their products will do, I wondered if anyone who is using them can lend a hand. How is the support? Did you require/get assistance with the installation of the firewall? 
Does your firewall solution require someone who is pretty Unix-literate? I've got the [Cheswick & Bellovin] firewall book and have begun the race to understand all of the issues involved, but any help offered would be very much appreciated. Feel free to email me directly at the address below, so as not to clutter the list, or post if you feel it appropriate. TIA, Kelly *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* Kelly Newcomb Texas Guaranteed Student Loan Corp. Internet: kelly.newcomb@tgslc.org Opinions: Mine, not TGSLC's. Caution: Objects in calendar are closer than they appear. *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* From firewalls-owner Mon Apr 10 13:41:53 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA04819 for firewalls-outgoing; Mon, 10 Apr 1995 12:44:41 -0700 Received: from Spectrum.RNS.COM (SPECTRUM.RNS.COM [131.143.16.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA04814 for ; Mon, 10 Apr 1995 12:44:37 -0700 Received: by Spectrum.RNS.COM (4.1/SMI-4.1(Spectrum)) id AA00135; Mon, 10 Apr 95 10:41:10 PDT Date: Mon, 10 Apr 95 10:41:10 PDT From: lars@RNS.COM (Lars Poulsen) Message-Id: <9504101741.AA00135@Spectrum.RNS.COM> To: firewalls@greatcircle.com Subject: Network Address Translation Sender: firewalls-owner@GreatCircle.COM Precedence: bulk graemes@morse.co.uk (Graeme Sandieson) writes: > ... ... ... ... is it possible to allocate a valid >address on the way out of a firewall and the reverse on the way in, and so >reduce any complexity of the LAN ? > >Is there a "black box" product which will allocate valid IP addresses to >any IP pipe. This feature is known as Network Address Translation (NAT). A few vendors have produced such boxes. (Rockwell has not (yet ?).) 
Due to the FTP PORT command, the address translation box needs to scan all the data going through, and track connections (in the same way as VJ header compression needs to) so that it can adjust TCP sequence numbers. There is also a real possibility that IP addresses embedded in protocols that the address translator can't parse can slip through. (Can you say Enterprise MIB ? I knew you could.) So, NAT boxes are not a panacea, but they are one more tool that can sometimes be useful.

/ Lars Poulsen Internet E-mail: lars@RNS.COM Rockwell Network Systems Phone: +1-805-562-3158 7402 Hollister Avenue Telefax: +1-805-968-8256 Santa Barbara, CA 93105 Internets: designed and built while you wait

From firewalls-owner Mon Apr 10 14:09:38 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA07213 for firewalls-outgoing; Mon, 10 Apr 1995 13:46:16 -0700 Received: from slam.internic.net (slam.internic.net [198.41.0.20]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA07208 for ; Mon, 10 Apr 1995 13:46:13 -0700 Received: (markk@localhost) by slam.internic.net (8.6.10/SLAM-1) id QAA12330; Mon, 10 Apr 1995 16:48:14 -0400 From: Mark Kosters Message-Id: <199504102048.QAA12330@slam.internic.net> Subject: Re: Registered IP vs unregistered To: Matthew.Huff@tasb.org (Matthew Huff) Date: Mon, 10 Apr 1995 16:48:13 -0400 (EDT) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Matthew Huff" at Apr 10, 95 10:01:42 am X-Mailer: ELM [version 2.4 PL24alpha4] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 571 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

That is correct. Plus we are running out of class C space. With our current growth rates, we will be out of class C's within the next two years.

Mark

> > I think one of the main reasons the InterNIC is advising people > to check with their ISP before registering their public IP is > the rapid growth of CIDR routing. 
The ISP's are given blocks > of IPs to hand out in order to maintain their routing tables > at the absolute minimums > > -- Mark Kosters markk@internic.net +1 703 742 4795 Software Engineer InterNIC Registration Services From firewalls-owner Mon Apr 10 14:36:07 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA07623 for firewalls-outgoing; Mon, 10 Apr 1995 13:58:06 -0700 Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA07613 for ; Mon, 10 Apr 1995 13:57:48 -0700 Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.29.1 #1) id m0ryQTh-0000IQC; Mon, 10 Apr 95 13:54 PDT Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA15903; Mon, 10 Apr 1995 13:58:03 +0800 Date: Mon, 10 Apr 1995 13:58:03 +0800 From: patrick@oes.amdahl.com (Patrick Horgan) Message-Id: <9504102058.AA15903@brittany.oes.amdahl.com> To: firewalls@greatcircle.com Subject: Newest CERT advisory X-Sun-Charset: US-ASCII content-length: 690 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I laughed out loud when I saw the newest CERT advisory RE: Satan Patrick _______________________________________________________________________ / These opinions are mine, and not Amdahl's (except by coincidence;). \ | (\ | | Patrick J. Horgan Amdahl Corporation \\ Have | | patrick@amdahl.com 1250 East Arques Avenue \\ _ Sword | | Phone : (408)992-2779 P.O. 
Box 3470 M/S 316 \\/ Will | | FAX : (408)773-0833 Sunnyvale, CA 94088-3470 _/\\ Travel | \___________________________O16-2294________________________\)__________/

From firewalls-owner Mon Apr 10 15:01:05 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA07833 for firewalls-outgoing; Mon, 10 Apr 1995 14:04:12 -0700 Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA07826 for ; Mon, 10 Apr 1995 14:04:07 -0700 From: fc@all.net (Dr. Frederick B. Cohen) Received: by all.net (4.1/3.2.012693-Management Analytics); id AA23454 for firewalls@greatcircle.com; Mon, 10 Apr 95 16:59:42 EDT Message-Id: <9504102059.AA23454@all.net> Subject: SATAN ATTACKS EVERYWHERE (NOT!!!) To: ley@cert.dfn.de (Wolfgang Ley) Date: Mon, 10 Apr 1995 16:59:42 -0400 (EDT) Cc: firewalls@greatcircle.com In-Reply-To: <199504092242.AAA28303@concert.cert.dfn.de> from "Wolfgang Ley" at Apr 10, 95 00:42:01 am X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 1295 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I have resisted commenting up till now, however: This subject heading is inaccurate and therefore misleading. Let's stop using it as a headliner and get back on topic. (talk about the pot calling the kettle black). What does the memory size of SATAN have to do with this forum? Nothing that I can figure out. Do the ergonomics somehow relate to our subject matter? I think not. Are there firewalls being broken by it? Not that I've heard of.

So, what is the real advantage of the two routers with a firewall machine in between them as opposed to the one router with the firewall inside? That it avoids someone who breaks the firewall from forging internal addresses? If so, it's not much of an advantage, because - if the firewall is eaten, internal security has to be as good as the firewall (better!), or the person who got the wall will get the rest of the systems. 
-- ----------------- \Management /\/| 216-686-0090 - PO Box 1480, Hudson, OH 44236 \ /\/ | Check out info-security heaven and test your system \/\ /\/ | for known vulnerabilities (1st time for free) at URL: \/Analytics| (scans deeper than SATAN) http://all.net:8080 ----------------- Read "Protection and Security on the Information Superhighway" -just released by Wiley and Sons-

From firewalls-owner Mon Apr 10 15:24:51 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA07602 for firewalls-outgoing; Mon, 10 Apr 1995 13:57:27 -0700 Received: from uu5.psi.com (uu5.psi.com [38.145.226.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA07597 for ; Mon, 10 Apr 1995 13:57:07 -0700 Received: by uu5.psi.com (5.65b/4.0.071791-PSI/PSINet) via UUCP; id AA29625 for ; Mon, 10 Apr 95 15:56:07 -0400 Received: from ecuador (ecuador.ARPA) by baosc.com (4.1/3.2.083191-Bell Atlantic BAOSC Project) id AA09744; Mon, 10 Apr 95 14:41:58 EDT Received: by ecuador (4.1/SMI-4.1) id AA11118; Mon, 10 Apr 95 14:44:04 EDT Date: Mon, 10 Apr 95 14:44:04 EDT From: kmac@baosc.com (Keith McCloskey x8110) Message-Id: <9504101844.AA11118@ecuador> To: firewalls@greatcircle.com Subject: X proxy service Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Does anyone know if there is an X proxy service available? We are trying to build a firewall utilizing public domain products. Most of our needs can be met via FWTK with minimal changes to the code & IP forwarding turned off. Our dilemma is the fact that we must monitor remote systems via a vendor specific non client/server application. We basically have to export the display back to our internal net to monitor the remote systems. This is an interim solution till we can build SNMP agents to accomplish the same tasks that the vendors' software can. Bottom line, we need to allow X through the firewall, and I don't want to try to duplicate work if it has already been done by someone else. 
We realize the security risks involved, but it is a business requirement, and we do not have the $$$ to utilize 3rd party software/hardware. I know all of the rhetoric about costs vs. security, because I have been trying to sell my management on the need for security, and the risks involved if we ignore it. But again this is an interim solution till 4th quarter of this year.

************************************************************************* * * * Keith McCloskey Internet: kmac@baosc.com * * Network Systems Engineer * * * * Bell Atlantic * * 11710 Beltsville Dr. Suite 170 fax: (301)595-6697 * * Beltsville MD. 20705 v-mail: (301)595-1424, x8110 * * * *************************************************************************

From firewalls-owner Mon Apr 10 16:34:57 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA09039 for firewalls-outgoing; Mon, 10 Apr 1995 14:39:11 -0700 Received: from mailstorm.dot.gov (mailstorm.dot.gov [152.120.130.150]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA09034 for ; Mon, 10 Apr 1995 14:39:08 -0700 Received: by mailstorm.dot.gov id AA16868 (5.67b/IDA-1.5 for firewalls@greatcircle.com); Mon, 10 Apr 1995 17:41:34 -0400 Date: Mon, 10 Apr 1995 17:18:07 -0400 (EDT) From: Mark Barnes Subject: Looking for examples of Security Architectures To: firewalls@greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi All, I am looking for a few good examples of security architectures. The scope would include Internet and corporate network as well as Internet, Corporate and other (Multiple internal and/or external networks). I feel that the security architecture is dependent upon the network/communications architecture; however, the basic theories should apply. 
Any feedback is much appreciated; if people wish to send the mail to me directly, thus saving our fellow readers, please do so; otherwise I will look for responses here. Regards, Mark

From firewalls-owner Mon Apr 10 16:59:45 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA08866 for firewalls-outgoing; Mon, 10 Apr 1995 14:33:47 -0700 Received: from netcomsv.netcom.com ([163.179.3.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA08860 for ; Mon, 10 Apr 1995 14:33:40 -0700 Received: from wabash.UUCP by netcomsv.netcom.com with UUCP (8.6.9/SMI-4.1) id OAA22078; Mon, 10 Apr 1995 14:06:41 -0700 Received: from speedy.acuson.com by wabash.acuson.com (4.1/Acuson/SMI-4.0) id AA06549; Mon, 10 Apr 95 12:13:01 PDT Received: from october.acuson.com by speedy.acuson.com (4.1/SMI-4.1) id AA22511; Mon, 10 Apr 95 12:09:40 PDT Received: by october.acuson.com (4.1/SMI-4.1) id AA16144; Mon, 10 Apr 95 12:08:45 PDT From: lojewski@acuson.com (Tom Lojewski) Message-Id: <9504101908.AA16144@october.acuson.com> Subject: Re: Where can I find PERL 5.000? (fwd) To: firewalls@GreatCircle.COM (Firewalls Mailing List) Date: Mon, 10 Apr 1995 12:08:45 -0700 (PDT) X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 658 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Paul Ferguson writes: > > > > > Does anyone know where I may find PERL 5.000? > > Thanks, > > Nancye > > From the README in the courtney.tar: > > perl5 ftp.uu.net:/systems/gnu/perl5.001.tar.gz

We're in the process of getting our DNS registered. Until we do root servers won't look back to our DNS server for reverse lookups. Consequently we can't get into ftp.uu.net as they force the reverse lookup to be successful. Is there another site for perl5 that I can try? Thanks much. 
-------------------------------------------------------------------------- Tom Lojewski - ACUSON Corp - Mountain View, CA - (lojewski@Acuson.COM)

From firewalls-owner Mon Apr 10 17:01:27 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA09606 for firewalls-outgoing; Mon, 10 Apr 1995 14:50:26 -0700 Received: from locust.net.ohio-state.edu (locust.net.ohio-state.edu [128.146.222.110]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA01633 for ; Thu, 6 Apr 1995 09:09:52 -0700 Received: from [128.146.144.246] (karl-hmac.net.ohio-state.edu [128.146.144.246]) by locust.net.ohio-state.edu (8.6.10/8.6.9) with SMTP id MAA05125; Thu, 6 Apr 1995 12:10:04 -0400 Message-Id: <199504061610.MAA05125@locust.net.ohio-state.edu> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 6 Apr 1995 11:13:29 -0500 To: firewalls@greatcircle.com From: dkarl@net.ohio-state.edu (Doug Karl) Subject: KarlBridge/Router vs Satan and an overview of the new version 3.0 Cc: sales@karlnet.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

To all from Doug Karl.....

Well everyone seems to be talking about the latest network security scanners and firewalls to protect against them. The current version of KarlBridge and KarlBrouter V2.09 will already help protect against both the Satan scans and also the deliberate attacks that may follow. (Consult the "Security (Firewall) Setup" chapter in the documentation for a discussion of the configuration.) For those who need additional immediate security, the KarlBridge/Router static firewall filters can be set to block ALL incoming Internet traffic unless a particular incoming IP address has been "Authenticated". This authentication can be accomplished by using the special KarlBridge/Router Dynamic Filters in conjunction with your favorite authentication server running Kerberos, S/Key, etc. 
We have a special authentication daemon that runs on the Unix box which will then inform the KarlBridge/Router to open a connection from a particular remote IP address to/from another particular internal IP address. (Version 3.0 will expand this to include both UDP or TCP ports.) Break-in attempt logs can be sent from the KarlBridge/Router to any Unix box set up to accept SYSLOG packets. Scanning can be detected by setting up the KarlBridge/Router to send SYSLOG packets for each TCP establish packet.

In addition to the above features the new Version 3.0 of the KarlBridge/Router due out for beta test at the end of the month also includes:

1) Tighter and more extensive firewall filters.

2) Lure hosts and lure subnet support. This is the ability of the KarlBridge/Router firewall to make an intruder think there are real hosts in the internal network that are not actually there. These lure hosts can be set up to trip counter measures when accessed (described in 7 below).

3) New ICMP filters. Some examples are the ability to "ping" out of the internal network but not in. One can argue that if you stop incoming "pings" at the border then some scanners can be slowed down. Also incoming ICMP Redirects can be blocked from entering the network. This will protect against ICMP bombs.

4) Greatly enhanced logging capability using both SYSLOG and SNMP Traps. We log source and destination IP/UDP/TCP Port, and source and destination IP addresses, source and destination Ethernet addresses, protocol used, and which filter rule was violated.

5) Integrated Network Statistics monitor. The KarlBridge/Router will keep packet and byte counts on every socket from 0 through 1023 plus 20 user defined sockets above 1024. Packet and byte counts will be kept on each Ethernet address and other things such as IP ARP requests and replies. Duplicate IP addresses will be detected along with all hosts that have incorrectly configured IP address masks and default gateway addresses (i.e. they are attempting a Proxy ARP request). All of these statistics will be reported via SNMP and can be displayed with the standard KarlBridge SNMP monitoring program.

6) Application Level Packet Filters. The advantages of an Application Level Gateway are its logging ability and its ability to better protect against UDP port spoofing. They can accomplish this because they work on all 7 layers of the OSI model. The new KarlBridge/Router will include this type of application level filtering. We are calling it an Application Level Packet Filter since it works on all 7 layers of the OSI model.

7) Network scanner and intruder counter measures. This is the ability of the KarlBridge/Router to detect scanners and intruders, optionally log their activity, and immediately and automatically deny them further access to the internal network. This access denial applies to any particular intruding IP address. Once an intruding IP address has been dynamically denied the internal network will be viewed by that intruder as either a black hole (i.e. all further attempts to communicate with the network will be ignored) or as a whole set of Lure Hosts (i.e. every address the intruder tries to contact will return either the appropriate ICMP message or TCP/RST).

New versions of the PD Demo KarlBridge and complete manual can be obtained from ftp.net.ohio-state.edu /pub/kbridge. Please direct inquiries for brochures on the commercial version to sales@karlnet.com. Existing customers of the commercial version will receive V3.0 at no extra charge. Please send e-mail to sales@karlnet.com to request V3.0 when it is ready. Wish us luck in our final stages of implementation and testing.

Thanks, Doug Karl Associate Director of Data Communications and Networking, Ohio State University and President, KarlNet, Inc. 
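The scan detection and automatic denial that the KarlBridge/Router announcement above describes (one SYSLOG record per TCP establish packet, lure hosts that trip counter measures, a denied source seeing a black hole), as an added example in Python that is not KarlNet's code: the syslog line layout, the sample records and the thresholds are all constructed assumptions, and the detector generalizes slightly by counting distinct (host, port) targets, so a sweep of one port across many hosts trips it as well as a port scan of one host.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed record layout (constructed for this example, not the router's real format):
#   <ISO timestamp> <router> tcp-establish src=<ip>:<port> dst=<ip>:<port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<router>\S+) tcp-establish "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: 192.0.2.10 sweeps well-known ports on one host, 198.51.100.7
# is an ordinary mail/web client, 192.0.2.20 touches a lure address (203.0.113.250)
# that no real service lives on, then tries a real host.
SAMPLE_LOG = """\
1995-04-10T14:00:00 kbrouter tcp-establish src=192.0.2.10:1025 dst=203.0.113.5:21
1995-04-10T14:00:00 kbrouter tcp-establish src=192.0.2.10:1026 dst=203.0.113.5:22
1995-04-10T14:00:00 kbrouter tcp-establish src=192.0.2.10:1027 dst=203.0.113.5:23
1995-04-10T14:00:01 kbrouter tcp-establish src=192.0.2.10:1028 dst=203.0.113.5:25
1995-04-10T14:00:01 kbrouter tcp-establish src=192.0.2.10:1029 dst=203.0.113.5:53
1995-04-10T14:00:01 kbrouter tcp-establish src=192.0.2.10:1030 dst=203.0.113.5:79
1995-04-10T14:00:01 kbrouter tcp-establish src=192.0.2.10:1031 dst=203.0.113.5:80
1995-04-10T14:00:02 kbrouter tcp-establish src=192.0.2.10:1032 dst=203.0.113.5:110
1995-04-10T14:00:02 kbrouter tcp-establish src=192.0.2.10:1033 dst=203.0.113.5:111
1995-04-10T14:00:02 kbrouter tcp-establish src=192.0.2.10:1034 dst=203.0.113.5:113
1995-04-10T14:00:02 kbrouter tcp-establish src=192.0.2.10:1035 dst=203.0.113.5:119
1995-04-10T14:00:03 kbrouter tcp-establish src=192.0.2.10:1036 dst=203.0.113.5:139
1995-04-10T14:00:03 kbrouter tcp-establish src=198.51.100.7:2001 dst=203.0.113.5:25
1995-04-10T14:00:04 kbrouter tcp-establish src=198.51.100.7:2002 dst=203.0.113.5:80
1995-04-10T14:00:05 kbrouter tcp-establish src=198.51.100.7:2003 dst=203.0.113.5:25
1995-04-10T14:00:06 kbrouter tcp-establish src=192.0.2.20:3001 dst=203.0.113.250:23
1995-04-10T14:00:07 kbrouter tcp-establish src=192.0.2.20:3002 dst=203.0.113.5:80
"""


def parse_line(line):
    """Parse one syslog record into a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
    }


class ScanDetector:
    """Per-source sliding window over TCP establish events with dynamic deny."""

    def __init__(self, port_threshold=10, window=timedelta(seconds=60), lure_hosts=()):
        self.port_threshold = port_threshold   # distinct targets that mark a scan
        self.window = window                   # how far back targets are counted
        self.lure_hosts = frozenset(lure_hosts)
        self._recent = defaultdict(deque)      # src -> deque of (ts, (dst, dport))
        self.denied = {}                       # src -> human-readable reason
        self.dropped = defaultdict(int)        # src -> packets ignored after denial

    def feed(self, event):
        """Return 'drop' (already denied), 'deny' (newly denied) or 'allow'."""
        src = event["src"]
        if src in self.denied:                 # black hole: ignore silently
            self.dropped[src] += 1
            return "drop"
        if event["dst"] in self.lure_hosts:    # nobody legitimate talks to a lure
            self.denied[src] = "contacted lure host %s" % event["dst"]
            return "deny"
        q = self._recent[src]
        q.append((event["ts"], (event["dst"], event["dport"])))
        cutoff = event["ts"] - self.window
        while q and q[0][0] < cutoff:          # expire events outside the window
            q.popleft()
        distinct = {target for _, target in q}
        if len(distinct) >= self.port_threshold:
            self.denied[src] = "%d distinct targets within %ds" % (
                len(distinct), self.window.seconds)
            return "deny"
        return "allow"


def analyse(lines, detector):
    """Feed syslog lines through the detector; return (src, dport, verdict) tuples."""
    verdicts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        verdicts.append((ev["src"], ev["dport"], detector.feed(ev)))
    return verdicts


if __name__ == "__main__":
    det = ScanDetector(lure_hosts={"203.0.113.250"})
    for src, dport, verdict in analyse(SAMPLE_LOG.splitlines(), det):
        print("%-14s port %-4d %s" % (src, dport, verdict))
    for src, reason in det.denied.items():
        print("denied %s: %s (%d later packets dropped)" % (src, reason, det.dropped[src]))
```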
From firewalls-owner Mon Apr 10 17:18:44 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA13032 for firewalls-outgoing; Mon, 10 Apr 1995 16:44:06 -0700
Received: from venera.isi.edu (venera.isi.edu [128.9.0.32]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA13020 for ; Mon, 10 Apr 1995 16:44:02 -0700
From: bmanning@ISI.EDU
Received: from zed.isi.edu by venera.isi.edu (5.65c/5.61+local-21) id ; Mon, 10 Apr 1995 16:44:21 -0700
Posted-Date: Mon, 10 Apr 1995 16:42:58 -0700 (PDT)
Message-Id: <199504102342.AA02609@zed.isi.edu>
Received: by zed.isi.edu (5.65c/4.0.3-4) id ; Mon, 10 Apr 1995 16:42:58 -0700
Subject: Re: Router mailing list?
To: patrick@oes.amdahl.com (Patrick Horgan)
Date: Mon, 10 Apr 1995 16:42:58 -0700 (PDT)
Cc: firewalls@greatcircle.com, blast@worldbit.com
In-Reply-To: <9504101558.AA15485@brittany.oes.amdahl.com> from "Patrick Horgan" at Apr 10, 95 08:58:21 am
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 373
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> >
> > I was wondering if there was a mailing list that anyone knows about
> > that would be the discussion of routing and network stuff.
>

well, the router requirements WG mailing list is at rreq@isi.edu; subscriptions are via the standard -request format. The document we have generated is in the internet-drafts directory and is to replace RFC 1716.

--bill

From firewalls-owner Mon Apr 10 17:58:01 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA14731 for firewalls-outgoing; Mon, 10 Apr 1995 17:34:23 -0700
Received: from relay.tis.com (relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id RAA14719 for ; Mon, 10 Apr 1995 17:34:18 -0700
Received: from mailhub.tis.com(192.33.112.100) by relay.tis.com via smap (a1.4) id sma006759; Mon Apr 10 20:33:43 1995
Received: from sol.tis.com by tis.com (4.1/SUN-5.64) id AA15505; Mon, 10 Apr 95 20:33:23 EDT
Message-Id: <9504110033.AA15505@tis.com>
From: Frederick M Avolio
X-Organization: Trusted Information Systems, Inc.
X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363
To: kmac@baosc.com (Keith McCloskey x8110)
Cc: firewalls@greatcircle.com
Subject: Re: X proxy service
In-Reply-To: Your message of Mon, 10 Apr 95 14:44:04 -0400. <9504101844.AA11118@ecuador>
Date: Mon, 10 Apr 95 20:33:22 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Does anyone know if there is an X proxy service available. We are trying to
> build a firewall utilizing public domain products. Most of our needs can be
> met via FWTK with minimal changes to the code & IP forwarding turned off.

1. The FWTK is not public domain. It is publicly available and licensed.

2. The FWTK has an X gateway.

Fred

From firewalls-owner Mon Apr 10 19:01:32 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA17521 for firewalls-outgoing; Mon, 10 Apr 1995 18:47:58 -0700
Received: from merlion.singnet.com.sg (merlion.singnet.com.sg [165.21.1.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA17506 for ; Mon, 10 Apr 1995 18:47:54 -0700
Received: (from lorna@localhost) by merlion.singnet.com.sg (8.6.11/8.6.9) id JAA31076; Tue, 11 Apr 1995 09:48:09 +0800
Date: Tue, 11 Apr 1995 09:48:08 +0800 (SST)
From: Lorna Leong
Subject: Re: Firewall FAQ?
To: John Morgan
cc: firewalls@GreatCircle.COM
In-Reply-To: <9504101309.AA15491@eng.tridom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi John,

>
> My site recently put in a firewall which has hosed up all our net
> access capabilities, is there a Firewall FAQ out there that someone
> could send me? I really don't know enough about them yet to present
> any good arguments or suggestions to our IS dept. I have a lot of
> questions, but don't want to pose them till I determine a FAQ
> existence..

You can find the current firewalls FAQ at ftp.tis.com in the /pub/firewalls directory.

Hope that helps.

Lorna

From firewalls-owner Tue Apr 11 04:59:06 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA26903 for firewalls-outgoing; Tue, 11 Apr 1995 04:35:58 -0700
Received: from bstgw1.bst.bls.com (bstgw1.bst.bls.com [198.79.1.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id EAA26898 for ; Tue, 11 Apr 1995 04:35:56 -0700
Received: from bstgw.bst.bls.com by bstgw1.bst.bls.com with smtp (Smail3.1.28.1 #11) id m0ryeIy-0000ezC; Tue, 11 Apr 95 07:40 EDT
Received: by bstgw.bst.bls.com (4.1/SMI-4.1) id AA17478; Tue, 11 Apr 95 07:36:30 EDT
Date: Tue, 11 Apr 95 07:36:30 EDT
From: blmqzjc@bst.bls.com (Jerry Upchurch)
Message-Id: <9504111136.AA17478@bstgw.bst.bls.com>
To: firewalls@greatcircle.com, jerry.upchurch@bst.bls.com, kmac@baosc.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk
Subject: Re: X proxy service

>> Does anyone know if there is an X proxy service available. We are trying to
>> build a firewall utilizing public domain products. Most of our needs can be
>> met via FWTK with minimal changes to the code & IP forwarding turned off.
>
>1. The FWTK is not public domain. It is publicly available and
>licensed.
>
>2. The FWTK has an X gateway.
>
>Fred
>

The X proxy released with fwtk v1.3 has a known problem where it almost entirely consumes the CPU. TIS has acknowledged this to me on more than one occasion, and said that a fix would be available "someday". They are concentrating on their commercial product "Gauntlet" (who can blame them), so it's probably just a matter of priorities.

Point is, if you are planning on running more than one or two users through your firewall concurrently, your response time will degrade significantly. I've tried it on a SPARC 20 with 48mb RAM, with 3 or 4 concurrent X sessions, and found the response unacceptable.

I wonder if Gauntlet contains an X proxy, and if so, if it is any better than the one with the toolkit?

Jerry

From firewalls-owner Tue Apr 11 05:28:30 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA27450 for firewalls-outgoing; Tue, 11 Apr 1995 05:16:27 -0700
Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA27445 for ; Tue, 11 Apr 1995 05:16:24 -0700
Received: from trevor ([13.252.80.2]) by alpha.xerox.com with SMTP id <14401(6)>; Tue, 11 Apr 1995 05:16:35 PDT
Received: from Galaxy ([13.1.194.120]) by trevor (4.1/SMI-4.1) id AA02478; Tue, 11 Apr 95 08:16:31 EDT
Date: Tue, 11 Apr 1995 05:16:31 PDT
From: joep@ia.mc.xerox.com (Joe Pennell)
Message-Id: <9504111216.AA02478@trevor>
To: Firewalls@greatcircle.com
Subject: Re: Xhost type security
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bret McDanel wrote:

>I was playing around yesterday with a program or two that captures
>the display and or key strokes off an Xserver..
>I noticed that on the PC's that we have there is no way to prevent
>Xclients from connecting.. The software that they are running
>is NCD's PC-Xware..
>Now, this machine sits behind a firewall
>so it is not totally open, but I was wondering if anyone knew
>of any other software for MS Windows that will allow an Xconnection,
>based on some type of authentication? Or a way to prevent connections
>to it?

The package eXceed/W from Hummingbird has this feature. There is the capability to maintain a database of authorized hosts in the configuration. The default, as you can imagine, is no security. The other trick is to find it in the setup. Overall, it's not a bad package, except that I've seen it suffer if you're running on a Banyan Vines pc network.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ joep@ia.mc.xerox.com = "if you choose not to decide, you still have made a choice" +
+                      = RUSH-Freewill                                               +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

From firewalls-owner Tue Apr 11 06:32:38 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA28418 for firewalls-outgoing; Tue, 11 Apr 1995 06:00:05 -0700
Received: from real.com (eagle.real.com [199.97.122.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id FAA28381 for ; Tue, 11 Apr 1995 05:59:59 -0700
Date: Tue, 11 Apr 1995 08:59:09 -0400
From: bret@real.com (Bret McDanel)
Received: by real.com (8.6.8.1/3.2.012693-Realistic Technologies Inc); id IAA07472 for firewalls@greatcircle.com; Tue, 11 Apr 1995 08:59:09 -0400
Message-Id: <199504111259.IAA07472@real.com>
To: firewalls@greatcircle.com
Subject: Re: Newest CERT advisory
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I laughed out loud when I saw the newest CERT advisory RE: Satan
>
> Patrick

Looks like SATAN is a cracker's dream after all.. Everyone is getting it, and that means that there are a lot of systems open (granted they are only open for as long as they are actually running SATAN, but still) :)

From firewalls-owner Tue Apr 11 06:58:15 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA28484 for firewalls-outgoing; Tue, 11 Apr 1995 06:04:17 -0700
Received: from gater3.sematech.org (GATER3.SEMATECH.ORG [192.73.53.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA28479 for ; Tue, 11 Apr 1995 06:04:14 -0700
Received: from gatev3.sematech.org by gater3.sematech.org (8.6.11/F-1.8) with ESMTP id IAA21578; Tue, 11 Apr 1995 08:04:33 -0500
Received: from thecount.eng.sematech.org by SEMATECH.Org (PMDF V4.3-10 #5463) id <01HP7ETF8NIO9JERCZ@SEMATECH.Org>; Tue, 11 Apr 1995 08:04:21 -0500 (CDT)
Received: from localhost by thecount.eng.sematech.org (8.6.11/I-1.8) with SMTP id IAA19788; Tue, 11 Apr 1995 08:04:14 -0500
Date: Tue, 11 Apr 1995 08:04:12 -0500
From: Quentin Fennessy
Subject: Re: X proxy service
To: blmqzjc@bst.bls.com (Jerry Upchurch)
Cc: firewalls@greatcircle.com, jerry.upchurch@bst.bls.com, kmac@baosc.com
Message-id: <199504111304.IAA19788@thecount.eng.sematech.org>
X-Mailer: exmh version 1.5.3 12/28/94
Content-transfer-encoding: 7BIT
X-Authentication-Warning: thecount.eng.sematech.org: Host localhost didn't use HELO protocol
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have read of something called Xforward, from someone at DEC. This is an X proxy you can run on your firewall. If you are interested email me and I will find a reference to the paper. (I am not near my library right now) (It may have been presented at the Security USENIX in Baltimore) You may find it via Archie as well.
Quentin

From firewalls-owner Tue Apr 11 07:14:34 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA28578 for firewalls-outgoing; Tue, 11 Apr 1995 06:18:58 -0700
Received: from dsinc.myxa.com (dsinc.myxa.com [192.65.202.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA28573 for ; Tue, 11 Apr 1995 06:18:55 -0700
Received: from provdev by dsinc.myxa.com with uucp (Smail3.1.28.1 #36) id m0ryfhA-0000ljC; Tue, 11 Apr 95 09:09 EDT
Received: by pnc-pimc.com (4.1/SMI-4.1) id AA15639; Tue, 11 Apr 95 08:46:20 EDT
From: cfulmer@pnc-pimc.com (Catherine Fulmer)
Message-Id: <9504111246.AA15639@pnc-pimc.com>
Subject: Re: Firewall FAQ?
To: firewalls@GreatCircle.COM
Date: Tue, 11 Apr 1995 08:46:19 -0400 (EDT)
In-Reply-To: from "Lorna Leong" at Apr 11, 95 09:48:08 am
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1016
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Lorna Leong writes:
>
> You can find the current firewalls FAQ at ftp.tis.com in the
> /pub/firewalls directory.
>
> Hope that helps.

And there is a (long) list of commercial firewalls and products at url: http://www.access.digex.net/~bdboyle/firewall.vendor.html

And there is a backup copy at: http://www.waterw.com/~manowar/vendor.html

If you aren't web-enabled, there are web pages via email services, but if you must, drop me a note and I'll mail you a copy...

cathy
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Catherine Fulmer               :      ,-^,
clf@pnc-pimc.com               :  _ ___/ /\|
http://www.waterw.com/~manowar : ,;`( )__ ) ~
PNC Bank (Phila, PA, US)       : // //   `--;
Voice: 610-521-7828            : '  \ \
Fax: 610-521-7980              :     ^ ^
My words are mine, and don't reflect the views of my employer.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

From firewalls-owner Tue Apr 11 07:20:56 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA28525 for firewalls-outgoing; Tue, 11 Apr 1995 06:07:24 -0700
Received: from gatekeeper.qms.com (gatekeeper.imagen.com [161.33.3.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA28520 for ; Tue, 11 Apr 1995 06:07:22 -0700
From: john_smith@iscclink.is.qms.com
Received: from imagen.sclara.qms.com (imagen.imagen.com) by gatekeeper.qms.com (4.1/SMI-4.1) id AA27259; Tue, 11 Apr 95 06:07:48 PDT
Received: from sun470.rd.qms.com by imagen.sclara.qms.com (4.1/SMI-4.1) id AA28971; Tue, 11 Apr 95 06:07:46 PDT
Received: from iscclink.is.qms.com by sun470.rd.qms.com (4.1/SMI-4.1) id AA28616; Tue, 11 Apr 95 08:03:00 CDT
Received: from ccMail by iscclink.is.qms.com id AA797613090 Tue, 11 Apr 95 08:11:30 CST
Date: Tue, 11 Apr 95 08:11:30 CST
Message-Id: <9503117976.AA797613090@iscclink.is.qms.com>
To: Firewalls@greatcircle.com
Subject: Re[2]: Xhost type security
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>Bret McDanel wrote:
>>I was playing around yesterday with a program or two that captures
>>the display and or key strokes off an Xserver..
>>I noticed that on the PC's that we have there is no way to prevent
>>Xclients from connecting.. The software that they are running
>>is NCD's PC-Xware.. Now, this machine sits behind a firewall
>>so it is not totally open, but I was wondering if anyone knew
>>of any other software for MS Windows that will allow an Xconnection,
>>based on some type of authentication? Or a way to prevent connections
>>to it?

>The package eXceed/W from Hummingbird has this feature. There is the
>capability to maintain a database of authorized hosts in the configuration.
>The default, as you can imagine, is no security. The other trick is to find it
>in the setup.
>Overall, it's not a bad package, except that I've seen it suffer
>if you're running on a Banyan Vines pc network.

WRQ's Reflection/X has this capability also.

jcs
john_smith@iscclink.is.qms.com

And yes, if anyone wants to know, Pocahantas (sp?) is doing just fine.

jcs

From firewalls-owner Tue Apr 11 07:26:57 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA00272 for firewalls-outgoing; Tue, 11 Apr 1995 07:23:17 -0700
Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA00245 for ; Tue, 11 Apr 1995 07:23:09 -0700
From: fc@all.net (Dr. Frederick B. Cohen)
Received: by all.net (4.1/3.2.012693-Management Analytics); id AA05954 for firewalls@greatcircle.com; Tue, 11 Apr 95 10:19:08 EDT
Message-Id: <9504111419.AA05954@all.net>
Subject: Improvements to Scanning and Free Scan Set Reset
To: firewalls@greatcircle.com
Date: Tue, 11 Apr 1995 10:19:07 -0400 (EDT)
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 1518
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At the request of the manufacturer of ISS, we have removed all of their code from our scanning service. Even though ISS was clearly marked as being used, the author didn't feel we gave adequate credit or pointers and because we made our software available with a copy of their free version for a modest fee ($100) which doesn't even cover costs, that we were unfairly making a profit from their efforts.

Naturally, we have rewritten and replaced all of the functions of ISS as well as augmenting those functions with improved reporting to assure that those who use our free scanning service aren't at increased risk. I just wanted to publicly make certain that everyone knew that the scans performed before today used ISS, so that there is no misunderstanding.

I have also decided to reset the list of people who have performed scans to allow those of you who wish to use the scanner again to do so. This is because we have had no cases of complaints for several weeks and users have been polite and not scanned when the scanning queue is too full.

Please enjoy a second one-time free test.

FC
--
-----------------
\Management /\/| 216-686-0090 - PO Box 1480, Hudson, OH 44236
 \ /\/     | Check out info-security heaven and test your system
  \/\ /\/  | for known vulnerabilities (1st time for free) at URL:
   \/Analytics| (scans deeper than SATAN or ISS) http://all.net:8080
-----------------
Read "Protection and Security on the Information Superhighway" -just released by Wiley and Sons-

From firewalls-owner Tue Apr 11 07:59:57 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA00541 for firewalls-outgoing; Tue, 11 Apr 1995 07:29:46 -0700
Received: from translation.com (pao.jma.com [204.30.204.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA00535 for ; Tue, 11 Apr 1995 07:29:42 -0700
Received: (from bwc@localhost) by translation.com (8.6.9/8.6.9) id HAA17399 for firewalls@greatcircle.com; Tue, 11 Apr 1995 07:30:09 -0700
Date: Tue, 11 Apr 1995 07:30:09 -0700
From: Brantley Coile
Message-Id: <199504111430.HAA17399@translation.com>
Subject: Network Address Translation
Apparently-To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We at Network Translation build a NAT box called Private Internet Exchange (or PIX). Works great. We've got about 30 in the field.

One unexpected benefit is the by-product of keeping information on TCP connections thru the box. We can do higher-level packet filtering. Since we have all the knowledge of connections that a proxy server has we can do better filtering. But, since we wrote all the code from boot rom to command parser, we are as fast as a packet filter; we designed everything around the packet path. We don't use UNIX or any other general purpose OS (not even a real-time one.)
because the resources we needed to manage had to do with the traffic thru the box.

We've been shipping since December.

Brantley Coile
CTO
Network Translation, Inc.
bwc@translation.com

From firewalls-owner Tue Apr 11 08:24:02 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA01689 for firewalls-outgoing; Tue, 11 Apr 1995 07:54:19 -0700
Received: from gateway.toploguk.co.uk (gateway.toploguk.co.uk [193.119.169.250]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA01682 for ; Tue, 11 Apr 1995 07:54:13 -0700
From: Paul Crossley
To: firewalls@greatcircle.com
Subject: High Port No's
X-Mailer: ScoMail 1.0
Date: Tue, 11 Apr 1995 15:41:22 +0100 (BST)
Message-ID: <9504111541.aa03710@gateway.toploguk.co.uk>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I still seem to have a bit of a hole in my understanding of how TCP/UDP port No's are used. I have been selectively filtering certain protocols such that I am allowing replies to ports 1024-5999 whenever the source port is OK. I have now discovered that netscape on SUN's will generate a random port such as 33675 - rather above my accepted range.

Can some kind subscriber give me the official line on how these ports are generated (I assume there must be guidelines that developers should adhere to) so that I can modify my filtering strategy. I guess there must be an RFC for this somewhere.

Regards

P Crossley
-------------------------------------------------------------------------
Paul Crossley (paul@toploguk.co.uk)
Senior Consultant SCO ACE
TopLog Limited
TopLog House, Knaves Beech Business Centre, Loudwater, Bucks. HP10 9QY
Phone (01628) 819444 Fax (01628) 819356
-------------------------------------------------------------------------

From firewalls-owner Tue Apr 11 08:36:36 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA00768 for firewalls-outgoing; Tue, 11 Apr 1995 07:35:21 -0700
Received: from bwh.harvard.edu (bwh.harvard.edu [134.174.81.34]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA00759 for ; Tue, 11 Apr 1995 07:35:17 -0700
Received: (adam@localhost) by bwh.harvard.edu (8.6.9/8.6.9) id KAA13013; Tue, 11 Apr 1995 10:35:37 -0400
From: Adam Shostack
Message-Id: <199504111435.KAA13013@bwh.harvard.edu>
X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School
Subject: Re: Firewall Products
To: tgrkn@tg3.tgslc.org (Newcomb, Kelly)
Date: Tue, 11 Apr 1995 10:35:37 -0400 (EDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <2F897C94@msmail_gate.tgslc.org> from "Newcomb, Kelly" at Apr 10, 95 01:41:00 pm
X-PGP: 876BD629 Fingerprint: 70 93 32 D6 36 D4 04 10 40 EC AB 28 A4 1D 0F E2
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 637
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

| We're looking at firewall products (preferably for the AIX platform) and I
| wondered if anyone could offer advice as to limitations (or "gotchas") with
| our "narrowed down" list. So far, IBM's NetSP and ANS's InterLock seem to
| be good candidates, although Sidewinder, from Secure Computing appears to be

NetSP requires a firewall expert to set up. There are several things that the manual doesn't cover, it runs sendmail, and has no easy to configure tripwire-like functionality. These will probably be fixed in the future...

Adam
--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From firewalls-owner Tue Apr 11 10:05:58 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA03250 for firewalls-outgoing; Tue, 11 Apr 1995 08:33:15 -0700
Received: from research.att.com (research.att.com [192.20.225.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA03245 for ; Tue, 11 Apr 1995 08:33:12 -0700
From: smb@research.att.com
Message-Id: <199504111533.IAA03245@miles.greatcircle.com>
Received: by gryphon; Tue Apr 11 10:28:15 EDT 1995
To: bret@real.com (Bret McDanel)
cc: firewalls@greatcircle.com
Subject: Re: Newest CERT advisory
Date: Tue, 11 Apr 95 10:28:14 EDT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I laughed out loud when I saw the newest CERT advisory RE: Satan
>
> Patrick

Looks like SATAN is a cracker's dream after all.. Everyone is getting it, and that means that there are a lot of systems open (granted they are only open for as long as they are actually running SATAN, but still)

Even when they're running SATAN, the threat is rather low-grade, in that if you're in a position to exploit the hole, you have other, easier ways in. It's not a big deal.

From firewalls-owner Tue Apr 11 10:08:34 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA03981 for firewalls-outgoing; Tue, 11 Apr 1995 08:55:47 -0700
Received: from eros.britain.eu.net (eros.Britain.EU.net [192.91.199.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA03975 for ; Tue, 11 Apr 1995 08:55:42 -0700
Received: from airtechsms.co.uk by eros.britain.eu.net with UUCP id ; Tue, 11 Apr 1995 16:54:52 +0100
Received: by airtechsms.co.uk (Smail3.1.28.1 #1) id m0ryhM6-000012C; Tue, 11 Apr 95 15:55 BST
Date: Tue, 11 Apr 1995 15:55:50 +0100 (BST)
From: Martin Hepworth
X-Sender: max@airtechs
To: firewalls@greatcircle.com
Subject: Defender
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone know of a firewall product called Defender and have a contact address for the makers.

MGH
----------------------------------------------------------------------
Martin Hepworth, Racal-Airtech   email: max@airtechsms.co.uk
Meadowview House                 Voice: +44(0)1844 201800
Long Crendon, Aylesbury          FAX:   +44(0)1844 201832
Bucks, HP18 9EQ, UK

From firewalls-owner Tue Apr 11 10:28:44 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA04512 for firewalls-outgoing; Tue, 11 Apr 1995 09:15:25 -0700
Received: from fs.CS.Princeton.EDU (fs.CS.Princeton.EDU [128.112.152.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA04507 for ; Tue, 11 Apr 1995 09:15:22 -0700
Received: from cs (ems@elan.CS.Princeton.EDU [128.112.152.8]) by fs.CS.Princeton.EDU (8.6.10/8.6.9) with SMTP id MAA27797 for ; Tue, 11 Apr 1995 12:15:47 -0400
From: Ed Strong
Received: by cs (5.65/CS-Client) id AA27942; Tue, 11 Apr 1995 12:15:46 -0400
Date: Tue, 11 Apr 1995 12:15:46 -0400
Message-Id: <9504111615.AA27942@cs>
To: firewalls@greatcircle.com
Subject: nfs tunnels, how bad?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A question for the list. We have a request to provide nfs from an "inside" filesystem to a few hosts outside the firewall. I've told them this is not a good idea, unfortunately I wasn't able to quantify exactly how bad this is.

So exactly what can happen? I take the corruption of that exported filesystem as a given. And using the filehandle trick, other exported filesystems from that server are accessible. Special files can be written, and trojans can be planted. (That's enough to discourage ME from trying it.) However, assuming the firewall prevents outsiders from telnetting to the server, are any other, non-exported filesystems directly at risk?

Thank You
Ed

From firewalls-owner Tue Apr 11 10:49:10 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA05321 for firewalls-outgoing; Tue, 11 Apr 1995 09:40:42 -0700
Received: from shadow.net (anshar.shadow.net [198.79.48.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA05312 for ; Tue, 11 Apr 1995 09:40:37 -0700
Received: (cklaus@localhost) by shadow.net (8.6.10/jc-1.0) id MAA12488; Tue, 11 Apr 1995 12:44:41 -0400
From: Christopher Klaus
Message-Id: <199504111644.MAA12488@shadow.net>
Subject: Re: Improvements to Scamming and Free Scam Set Reset
To: fc@all.net (Dr. Frederick B. Cohen)
Date: Tue, 11 Apr 1995 12:44:41 -0400 (EDT)
Cc: firewalls@greatcircle.com, cklaus@iss.net
In-Reply-To: <9504111419.AA05954@all.net> from "Dr. Frederick B. Cohen" at Apr 11, 95 10:19:07 am
X-Mailer: ELM [version 2.4 PL20]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2268
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> At the request of the manufacturer of ISS, we have removed all of their
> code from our scanning service. Even though ISS was clearly marked as
> being used, the author didn't feel we gave adequate credit or pointers
> and because we made our software available with a copy of their free
> version for a modest fee ($100) which doesn't even cover costs, that we
> were unfairly making a profit from their efforts.

The problem isn't that you are charging $100 for my program with some additional scripts for web and checks, it is the fact that you broke the only two constraints I had in my copyright.

1. Do not pretend you wrote it. In several announcements, you say your company developed Vulnerability Testing code, to only fail to mention you were using ISS as the basis of your engine.

2. Do not make any money off of my code. Not only were you charging for repeated scans using my software, you are selling my demonstrational code.

It is bad enough to totally abuse the copyright, but then to never even notify the author of the code what you were doing shows a lot of integrity.

> Naturally, we have rewritten and replaced all of the functions of ISS
> as well as augmenting those functions with improved reporting to assure
> that those who use our free scanning service aren't at increased risk.
> I just wanted to publicly make certain that everyone knew that the scans
> performed before today used ISS, so that there is no misunderstanding.

I just performed the new improved scan that you offer and not only did it do the exact same checks in the exact same order that it did when you were using ISS, it is the exact same format of output. The only difference I noticed was you removed any mention of ISS. That is hardly considered an improvement.

You must have read the Greencard lawyers' Guide to Doing Business on the Internet. What a coincidence you charge a $100 for something that is already free.

To save $100, you can get ISS v1.3 from http://iss.net/iss which does a deeper scan than all.net's testing service.

Cheers,
Christopher
--
Christopher William Klaus   Voice: (404)441-2531.
Fax: (404)441-2431
Internet Security Systems, Inc.   Computer Security Consulting
2000 Miller Court West, Norcross, GA 30071

From firewalls-owner Tue Apr 11 11:02:34 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA05882 for firewalls-outgoing; Tue, 11 Apr 1995 10:04:04 -0700
Received: from translation.com (pao.jma.com [204.30.204.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA05877 for ; Tue, 11 Apr 1995 10:04:01 -0700
Received: (from bwc@localhost) by translation.com (8.6.9/8.6.9) id KAA17652 for firewalls@greatcircle.com; Tue, 11 Apr 1995 10:03:55 -0700
Date: Tue, 11 Apr 1995 10:03:55 -0700
From: Brantley Coile
Message-Id: <199504111703.KAA17652@translation.com>
Subject: NAT box makers phone number
Apparently-To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've had quite a few email messages asking for our phone number. It's 415.494.6387.

Brantley Coile
bwc@translation.com

From firewalls-owner Tue Apr 11 11:30:28 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA08651 for firewalls-outgoing; Tue, 11 Apr 1995 11:19:23 -0700
Received: from gabriel.resudox.net (gabriel.resudox.net [198.96.220.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA08645 for ; Tue, 11 Apr 1995 11:19:18 -0700
Received: from localhost (rommel@localhost) by gabriel.resudox.net (8.6.4/8.6.4) id OAA02377; Tue, 11 Apr 1995 14:22:31 -0400
Date: Tue, 11 Apr 1995 14:22:30 -0400 (EDT)
From: "Rommel \"The Desert Fox\""
X-Sender: rommel@gabriel
To: Martin Hepworth
cc: firewalls@GreatCircle.COM
Subject: Re: Defender
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 11 Apr 1995, Martin Hepworth wrote:

>
>
> Does anyone know of a firewall product called Defender and have a contact
> address for the makers.

i know of a dial-in authentication unit that is called the Defender. It is a hefty piece of hardware that offers chronologically variable passwords.

doug

From firewalls-owner Tue Apr 11 11:53:00 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA08742 for firewalls-outgoing; Tue, 11 Apr 1995 11:21:26 -0700
Received: from erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA08732 for ; Tue, 11 Apr 1995 11:21:22 -0700
Posted-Date: Tue, 11 Apr 1995 14:21:45 -0400
From: "Bryan D. Boyle"
Message-Id: <9504111421.ZM11768@maverick.erenj.com>
Date: Tue, 11 Apr 1995 14:21:45 -0400
In-Reply-To: Christopher Klaus "Re: Improvements to Scamming and Free Scam Set Reset" (Apr 11, 12:44pm)
References: <199504111644.MAA12488@shadow.net>
X-Phone: (908) 730-3338
X-Saying: Strange problems call for strange solutions.
X-Face: "Pd&4kXWsi"3Hc_Y~I-ts24DN$w~Hh)&L-P9DZvE"~_~m),~Y&N_]TUIM*4.r@z$SxVL]}v=+IP>Fuq{zx%{KKj"Kys1Q5{|m*l}:[T;N:/=@5[xOIpR$%skp$f0#6^j\1+ -?l%Yk/+S8Y!3J@{~!Ao4-COV:Ft}{]oZ&1=!@<>UIh2s
X-Mailer: Z-Mail (3.2.0 06sep94)
To: firewalls@greatcircle.com
Subject: Re: Improvements to Scamming and Free Scam Set Reset
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Apr 11, 12:44pm, Christopher Klaus wrote:
> Subject: Re: Improvements to Scamming and Free Scam Set Reset
>
> >
> > At the request of the manufacturer of ISS, we have removed all of their
> > code from our scanning service. Even though ISS was clearly marked as
> > being used, the author didn't feel we gave adequate credit or pointers
> > and because we made our software available with a copy of their free
> > version for a modest fee ($100) which doesn't even cover costs, that we
> > were unfairly making a profit from their efforts.
> > The problem isn't that you are charging $100 for my program with some > additional scripts for web and checks, it is the fact that you broke the > only two constraints I had in my copyright. > > 1. Do not pretend you wrote it. In several announcements, you say your > company developed Vulnerability Testing code, to only fail to mention you > were using ISS as the basis of your engine. > > 2. Do not make any money off of my code. Not only were you charging for > repeated scans using my software, you are selling my demonstrational code. You know, in academic circles and most professional societies, this would be cause for the revocation of any degrees or certificates held by the perpetrator, if it was proven true. Just my $.02. -- Bryan D. Boyle |The Moving Finger writes,and having writ, moves on. #include |Nor all your Piety nor Wit can call it back to cancel EMAIL: bdboyle@erenj.com |Half a line, or all your tears wash out a Word of it. --------------http://www.access.digex.net/~bdboyle/index.html--------------- From firewalls-owner Tue Apr 11 12:02:23 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA06586 for firewalls-outgoing; Tue, 11 Apr 1995 10:24:30 -0700 Received: from world1.worldbit.com (gw.worldbit.com [199.4.64.236]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA06580 for ; Tue, 11 Apr 1995 10:24:26 -0700 Received: from [192.0.2.1] (crl7.crl.com [165.113.1.18]) by world1.worldbit.com (8.6.10/A/UX 3.1) with SMTP id KAA04390; Tue, 11 Apr 1995 10:32:49 -0700 X-Sender: blast@199.4.115.1 Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 11 Apr 1995 10:28:22 +0100 To: Paul Crossley From: Tim Keanini (Tim Keanini) Subject: Re: High Port No's Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >I have now discovered that netscape on SUN's will generate a random port >such as 33675 - rather above my accepted range. 
When you say SUN's I think that you are referring to Solaris 2.x. On page 529 of the Stevens' book "TCP/IP Illustrated" Vol.1 you will find all the information you need. udp_smallest_anon_port of /dev/udp is one you want to look at since it clearly states that the default for the 'ephemeral' ports starts at 32768. tcp_smallest_anon_port of /dev/tcp is what you want to set also for the tcp end of things. Default there is 32768. Again, these are for the starting port number to allocate for TCP or UDP ephemeral ports. Good luck, blast +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ | "The limits of my language, are the limits of my world" | | --Wittgenstein | | | | | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ From firewalls-owner Tue Apr 11 12:05:20 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA07726 for firewalls-outgoing; Tue, 11 Apr 1995 10:57:57 -0700 Received: from suntan.Tandem.com (suntan.tandem.com [192.216.221.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA07716 for ; Tue, 11 Apr 1995 10:57:53 -0700 Received: from adm.loc3.tandem.com by suntan.Tandem.com (4.1/suntan5.950313) for firewalls@greatcircle.com id AA08069; Tue, 11 Apr 95 10:58:18 PDT Received: from zorch.loc3.tandem.com by adm.loc3.tandem.com (4.1/6main.940209) id AA03068; Tue, 11 Apr 95 10:56:43 PDT Received: by zorch.loc3.tandem.com (4.1/6leaf.940209) id AA29975; Tue, 11 Apr 95 10:58:17 PDT Date: Tue, 11 Apr 95 10:58:17 PDT From: scott@loc3.tandem.com (mueller_scott) Message-Id: <9504111758.AA29975@zorch.loc3.tandem.com> To: firewalls@greatcircle.com Subject: "Source Route Failed" errors? Cc: dhollis@hq.jcic.org Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I had a really bizarre problem occur between my site and another. They've been getting "Source Route Failed" errors in their logs and on their console, and the IP addresses logged are systems at my site.
After some correspondence we found a correlation - every time they exchanged a mail message with my site, a new error was logged. They're running Linux, so I snarfed a copy of the kernel source and traced the message back to the module 'icmp.c', in a case statement handling ICMP message reception. The ICMP message appears to be 'ICMP_SR_FAILED', and the way the code reads implies that it's being generated in response to packets sent by their site. This is even weirder than the original supposition, which was that someone was source routing packets from my site at theirs. Part of the reason it is so weird is that both of us are dropping source routed packets in our routers, so the apparent situation of my site generating them and their site receiving them was exceedingly unlikely. What we cannot determine is what might be generating these packets. They run identd, which we drop at our firewall. They're also running smail 3.1.29, which I've never heard of as being particularly weird, network-wise. My site is running a non-split DNS with lowest-preference MX records that point to inside (unreachable) mail hubs; it's not the friendliest configuration in the world, but the cost of changing it is too high right now. All I can think of is that something (identd, smail?) is trying to reach those inside mail hubs with source-routed packets. The complicating factor in the equation (as if it weren't already messy enough) is that they are not seeing this situation with any other site. Besides the implied question (what the heck is going on here?!), I'm also curious as to whether many other sites have their lowest-preference MX records pointing to unreachable hosts. And, as long as I'm here, is it hard or difficult to configure a Cisco to generate some sort of ICMP unreachable message when dropping packets, instead of just silently dropping them? 
-- Scott Hazen Mueller, Tandem Computers +1 408 285 5762 scott@tandem.com Unix System/Network Administrator, Host-, Post-, News- and Web-Master From firewalls-owner Tue Apr 11 12:27:27 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA06532 for firewalls-outgoing; Tue, 11 Apr 1995 10:22:10 -0700 Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA06520 for ; Tue, 11 Apr 1995 10:22:02 -0700 From: fc@all.net (Dr. Frederick B. Cohen) Received: by all.net (4.1/3.2.012693-Management Analytics); id AA26441 for firewalls@greatcircle.com; Tue, 11 Apr 95 13:18:32 EDT Message-Id: <9504111718.AA26441@all.net> Subject: Re: Improvements to Scamming and Free Scam Set Reset To: cklaus@shadow.net (Christopher Klaus) Date: Tue, 11 Apr 1995 13:18:31 -0400 (EDT) Cc: firewalls@greatcircle.com In-Reply-To: <199504111644.MAA12488@shadow.net> from "Christopher Klaus" at Apr 11, 95 12:44:41 pm X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 3897 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > The problem isn't that you are charging $100 for my program with some > additional scripts for web and checks, it is the fact that you broke the > only two constraints I had in my copyright. > 1. Do not pretend you wrote it. In several announcements, you say your > company developed Vulnerability Testing code, to only fail to mention you > were using ISS as the basis of your engine. This is incorrect. Your program was only about 10% of the total program for vulnerability testing, not including the web scripts. I have not charged anyone anything for your program, and have repeatedly stated in both public and private forums that your software is free and available on the net and that users need not pay anything for it. ISS has never been the basis for my engine, it is only one of many programs used to perform testing services.
I am sorry you have a misunderstanding about this, and I tried to explain it to you in private, but apparently you still don't understand. > 2. Do not make any money off of my code. Not only were you charging for > repeated scans using my software, you are selling my demonstrational code. Patently false. I have never charged anyone for your program, and have never made any money from the testing service. In fact, I pay fees to an Internet provider to get access to allow the tests to run, and donate a great deal of my time to maintaining the service at no charge. I have never - repeat NEVER sold any of your code. > It is bad enough to totally abuse the copyright, but then to never even > notify the author of the code what you were doing shows a lot of integrity. I in fact notified you and asked your permission to use your program, which you granted on the basis that I tell people it is your code and provide a pointer to your home page. I did so. If this is what you call a lack of integrity, then perhaps you should reevaluate your definition. > I just performed the new improved scan that you offer and not only did > it do the exact same checks in the exact same order that it did when > you were using ISS, it is the exact same format of output. The > only difference I noticed was you removed any mention of ISS. That > is hardly considered an improvement. This is not correct, and furthermore, you should know it if you did this scan. It does slightly different checks and several more checks, it does them in a similar, but not identical order, and it adds information on what each scan tests for and what to look for in your results. It is a very big improvement for most users who don't understand the output without additional information. > You must have read the Greencard lawyers' Guide to Doing Business > on the Internet. What a coincidence you charge $100 for something > that is already free.
> To save $100, you can get ISS v1.3 from > http://iss.net/iss which does a deeper scan than all.net's testing > service. Please feel free to use ISS. It is a fine product and has, I am certain, taken a lot of effort to develop. Again, let me repeat, that the scans performed by our service prior to today were ISS scans performed under what we thought were the terms and conditions set forth by the author. As of the author's notice, we immediately removed those tests and replaced them, and as of today, they are no longer ISS scans. I am truly sorry for any misunderstanding, and hope we have not unduly burdened the readers of this forum through this effort to clarify this matter. -- ----------------- \Management /\/| 216-686-0090 - PO Box 1480, Hudson, OH 44236 \ /\/ | Check out info-security heaven and test your system \/\ /\/ | for known vulnerabilities (1st time for free) at URL: \/Analytics| (scans deeper than SATAN or ISS) http://all.net:8080 ----------------- Read "Protection and Security on the Information Superhighway" -just released by Wiley and Sons- From firewalls-owner Tue Apr 11 12:43:49 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA09669 for firewalls-outgoing; Tue, 11 Apr 1995 11:45:37 -0700 Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA09664; Tue, 11 Apr 1995 11:45:33 -0700 X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 11 Apr 1995 11:46:03 -0800 To: Christopher Klaus , fc@all.net (Dr. Frederick B. Cohen) From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: Improvements to Scamming and Free Scam Set Reset Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Take it somewhere else, folks. The Firewalls mailing list is not the place to argue this.
-Brent ---------------------------------------------------------------------- For info about the Internet Security Firewalls Tutorial and a schedule of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM ---------------------------------------------------------------------- Brent Chapman Great Circle Associates Brent@GreatCircle.COM 1057 West Dana Street +1 415 962 0841 Mountain View, CA 94041 From firewalls-owner Tue Apr 11 13:31:21 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA11510 for firewalls-outgoing; Tue, 11 Apr 1995 12:21:34 -0700 Received: from merlin.etsu.edu (merlin.etsu.edu [192.43.199.20]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA08695 for ; Fri, 7 Apr 1995 06:18:44 -0700 Received: by merlin.etsu.edu (16.6/16.2) id AA05911; Fri, 7 Apr 95 08:20:05 -0500 Date: Fri, 7 Apr 1995 08:20:04 -0500 (CDT) From: Slemo Warigon To: Firewalls@GreatCircle.COM Subject: Info Security List In-Reply-To: <199504070127.SAA25423@miles.greatcircle.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Would like to inform you all that we created an information security discussion list (INFSEC-L) open for all info security professionals, and for discussion on issues/trends related to info security. To subscribe, send subscription message to LISTSERV@ETSUADMN.ETSU.EDU. Thanks! 
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- Slemo Warigon -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- From firewalls-owner Tue Apr 11 13:33:09 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA12930 for firewalls-outgoing; Tue, 11 Apr 1995 12:53:38 -0700 Received: from Disclosure.COM (di.disclosure.com [199.97.230.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA12925 for ; Tue, 11 Apr 1995 12:53:32 -0700 Received: by Disclosure.COM (4.1/SMI-4.1) id AA23622; Tue, 11 Apr 95 15:55:59 EDT Date: Tue, 11 Apr 95 15:55:59 EDT From: scott@Disclosure.COM (Scott Barman) Message-Id: <9504111955.AA23622@ Disclosure.COM> To: adam@bwh.harvard.edu Subject: Re: Firewall Products Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Adam Shostack writes: > >| We're looking at firewall products (preferably for the AIX platform) and I >| wondered if anyone could offer advice as to limitations (or "gotchas") with >| our "narrowed down" list. So far, IBM's NetSP and ANS's InterLock seem to >| be good candidates, although Sidewinder, from Secure Computing appears to be > > NetSP requires a firewall expert to set up. There are several >things that the manual doesn't cover, it runs sendmail, and has no >easy to configure tripwire-like functionality. There are a few others I am looking at (along with some comments based on my preliminary look): Internet Site Patrol from BBN Planet It is a turnkey system that has a Mac front-ending a UNIX box to do all the firewall work. It looks interesting and a review of it called it easy to use. Even though I have nothing against the Mac (I want a PowerBook!), I am having a hard time with the Mac being a front-end to the UNIX box. Also, I understand that you can't use the UNIX box for any general purpose applications with Site Patrol. 
FireWall-1 from CheckPoint Software (sold in the DC area by I-Net) I saw this at a time I was not that interested in firewall products and was impressed with the demo. The thing I liked about it is that it handled just about everything from the interface (X11R5/OpenLook): sub-networking, packet filtering and customization options, (I think) DNS, and even managing access lists for a Cisco router (if you've ever tried to program a Cisco router, you know how nice a good interface can be!). However, it only runs on Sun SPARC boxes and its interface is OpenLook (sorry, I am not an OpenLook fan). Also, it only supports Cisco routers (ok, so most people use them, but not everyone!). Netra from Sun I know the least about this except that it is a standalone SPARC box with no monitor and software that uses voice to configure. Sun's literature on this isn't the greatest and I haven't had time to contact a local distributor. We are in the evaluation phase for a firewall system. If anyone has comments on these and others (such as Gauntlet from Trusted Information Systems--which is on my list to look at), it would be appreciated. scott barman scott@disclosure.com barman@ix.netcom.com From firewalls-owner Tue Apr 11 14:03:37 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA13230 for firewalls-outgoing; Tue, 11 Apr 1995 13:00:52 -0700 Received: from Smrtstr.smartstar.com (smrtstr.smartstar.com [192.135.139.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA13223 for ; Tue, 11 Apr 1995 13:00:47 -0700 From: dennis@smartstar.com Received: from smartstar.com (marlin.smartstar.com) by Smrtstr.smartstar.com (4.1/SMI-4.1(Smrtstr)) id AA23379; Tue, 11 Apr 95 12:59:05 PDT Received: by smartstar.com (5.57/Ultrix3.0-C) id AA01639; Tue, 11 Apr 95 12:59:43 -0700 Message-Id: <9504111959.AA01639@smartstar.com> To: firewalls@greatcircle.com Subject: Which router was that ?
Date: Tue, 11 Apr 95 12:59:42 -0700 X-Mts: smtp Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sorry about repeating this question for the billionth time to the list. Unfortunately, I find myself in the situation where a remote site is defining what router we are going to receive. They mentioned Wellfleet as a top candidate. I can't remember whether or not Wellfleet reorders access lists thus making it less suitable for use as a firewall component than others. A rapid (and personal) reply would be greatly appreciated. TIA Dennis From firewalls-owner Tue Apr 11 14:39:41 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA15123 for firewalls-outgoing; Tue, 11 Apr 1995 13:36:43 -0700 Received: from redstone.interpath.net (redstone.interpath.net [199.72.1.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA15109 for ; Tue, 11 Apr 1995 13:36:37 -0700 Received: from archp.pdial.interpath.net (archp.pdial.interpath.net [199.72.103.1]) by redstone.interpath.net (8.6.9/8.6.9) with SMTP id QAA04396; Tue, 11 Apr 1995 16:35:00 -0400 Date: Tue, 11 Apr 1995 16:41:28 -0400 (EDT) From: Arley Carter Subject: Re: Newest CERT advisory To: smb@research.att.com cc: Bret McDanel , firewalls@GreatCircle.COM In-Reply-To: <199504111533.IAA03245@miles.greatcircle.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk OH NO! An evil force has taken control of me when I'm running Satan. CERT was right!!! Don't make me crash my whole ..................... Arrrggghhh :-) -arc On Tue, 11 Apr 1995 smb@research.att.com wrote: > > I laughed out loud when I saw the newest CERT advisory RE: Satan > > > > Patrick > > Looks like SATAN is a cracker's dream after all..
Everyone is getting > it, > and that means that there are a lot of systems open (granted they > are only open for as long as they are actually running SATAN, but > still) > > Even when they're running SATAN, the threat is rather low-grade, in that > if you're in a position to exploit the hole, you have other, easier ways > in. It's not a big deal. > From firewalls-owner Tue Apr 11 14:56:44 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA15952 for firewalls-outgoing; Tue, 11 Apr 1995 14:00:43 -0700 Received: from Toro.Com (LYNUX35.TORO.COM [170.92.1.180]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA15947 for ; Tue, 11 Apr 1995 14:00:39 -0700 From: Maurice.Yergeau@Toro.Com Received: by lynux36.toro.com (Smail3.1.28.1 #3) id m0rymxW-0001lsC; Tue, 11 Apr 95 15:54 CDT Message-Id: Date: Tuesday, 11 April 1995 4:00pm CT To: Firewalls@GreatCircle.COM Subject: Socks Sender: firewalls-owner@GreatCircle.COM Precedence: bulk what is socks? where can I find more information about it. is it a software product, or a type of software product. If it is software, where can I get it. 
you can e-mail me direct if this is inappropriate for this forum maurice.yergeau@toro.com From firewalls-owner Tue Apr 11 15:01:34 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA11453 for firewalls-outgoing; Tue, 11 Apr 1995 12:20:38 -0700 Received: from lykos.netpart.com (lykos.netpart.com [199.35.49.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA18642 for ; Thu, 6 Apr 1995 14:51:07 -0700 Received: from localhost (phil@localhost) by lykos.netpart.com (8.6.5/8.6.5) id OAA16496; Thu, 6 Apr 1995 14:51:17 -0700 Date: Thu, 6 Apr 1995 14:51:16 -0700 (PDT) From: Phil Trubey To: firewalls@greatcircle.com Subject: BorderWare mailing list announcement Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk There is a new mailing list now available for users of the BorderWare Firewall Server. You can subscribe to it by sending an email message to firewall-request@netpart.com with a subject line composed of the word: subscribe BorderWare is the new name of the JANUS firewall server - name change went into effect April 1, 1995 (no joke). --- Phil Trubey | NetPartners | Providing Internet products and services. 
E-mail: phil@netpart.com | Home Page: http://www.netpart.com/ Phone: 714-759-1641 | From firewalls-owner Tue Apr 11 15:22:27 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA13362 for firewalls-outgoing; Tue, 11 Apr 1995 13:03:49 -0700 Received: from relay.tis.com (relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA13356 for ; Tue, 11 Apr 1995 13:03:39 -0700 Received: from mailhub.tis.com(192.33.112.100) by relay.tis.com via smap (a1.4) id sma014518; Tue Apr 11 16:02:58 1995 Received: from (illuminati.tis.com) by tis.com (4.1/SUN-5.64) id AA09518; Tue, 11 Apr 95 16:02:36 EDT Received: by (4.1/illuminati) id AA22654; Tue, 11 Apr 95 16:09:04 EDT From: "Marcus J. Ranum" Message-Id: <22654.9504112009@illuminati> Subject: Re: Improvements to Scamming and Free Scam Set Reset To: fc@all.net (Dr. Frederick B. Cohen) Date: Tue, 11 Apr 1995 16:09:03 -0400 (EDT) Cc: cklaus@shadow.net, firewalls@greatcircle.com In-Reply-To: <9504111718.AA26441@all.net> from "Dr. Frederick B. Cohen" at Apr 11, 95 01:18:31 pm Organization: Trusted Information Systems, Inc. Glenwood, MD Phone: 301-854-6889 Coredump: Infocalypse Now!!! Content-Type: text Content-Length: 484 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dr. Frederick B. Cohen [...] Cklaus [...] Once again, the firewalls mailing list becomes a forum for personal debate. Would you please take it elsewhere? I know it's natural to want to defend oneself when commented upon in a public forum like this, but the inevitable end result is that the thousands of subscribers of the list are forced to watch two people struggle to see who can get in the last word. That's a situation that doesn't make anyone look good in the long run. mjr. 
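Returning to the "Source Route Failed" report in Scott Mueller's message above: the ICMP error itself carries the evidence needed to settle who generated what. A Destination Unreachable message (ICMP type 3) with code 5, the ICMP_SR_FAILED case in the Linux icmp.c he traced, quotes the IP header and the first eight bytes of the packet that could not be source routed, so the sender of that packet, its protocol, its port pair and any LSRR/SSRR option it carried can be read off directly instead of guessed at. The dissector below is an added example written for this page, not code from the thread or from the Linux kernel; the addresses, the hop list and the sample datagram are constructed, and IP/ICMP checksums are not verified.

```python
"""Dissect an ICMP Destination Unreachable / Source Route Failed report.

Added example for this page; not code from the thread or from Linux icmp.c.
Addresses and the datagram built by sample_datagram() are constructed, and
IP/ICMP checksums are not verified.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

ICMP_DEST_UNREACH, ICMP_SR_FAILED = 3, 5   # type 3 code 5: the ICMP_SR_FAILED case in icmp.c
IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137          # loose / strict source and record route
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


@dataclass
class IPHeader:
    src: str
    dst: str
    proto: int
    options: bytes
    payload: bytes


def parse_ipv4(data: bytes) -> IPHeader:
    """Split an IPv4 datagram into addresses, protocol, raw option bytes and payload."""
    if len(data) < 20:
        raise ValueError("short IP header")
    fields = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ver_ihl, proto, src, dst = fields[0], fields[6], fields[8], fields[9]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(data) < ihl:
        raise ValueError("bad IHL")
    return IPHeader(socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, data[20:ihl], data[ihl:])


def source_route_option(options: bytes) -> Optional[dict]:
    """Walk the IP option list; return the LSRR/SSRR hop list if one is present."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        length = options[i + 1] if i + 1 < len(options) else 0
        if length < 2 or i + length > len(options):
            raise ValueError("truncated or malformed option")
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            if length < 3:
                raise ValueError("source route option too short")
            addrs = options[i + 3:i + length]                 # pointer byte, then the route
            hops = [socket.inet_ntoa(addrs[j:j + 4]) for j in range(0, len(addrs) // 4 * 4, 4)]
            return {"kind": "LSRR" if kind == IPOPT_LSRR else "SSRR",
                    "pointer": options[i + 2], "hops": hops}
        i += length
    return None


@dataclass
class SRFailedReport:
    reporter: str                     # outer source: the host or router that refused the route
    complained_to: str                # outer destination: the host whose packet was refused
    inner_src: str
    inner_dst: str
    inner_proto: int
    ports: Optional[Tuple[int, int]]  # (sport, dport) when the quoted data is TCP or UDP
    route: Optional[dict]             # LSRR/SSRR option from the quoted header, if any


def dissect_sr_failed(datagram: bytes) -> Optional[SRFailedReport]:
    """Return a report for an ICMP type 3 / code 5 datagram, None for anything else."""
    outer = parse_ipv4(datagram)
    if outer.proto != PROTO_ICMP or len(outer.payload) < 8:
        return None
    if (outer.payload[0], outer.payload[1]) != (ICMP_DEST_UNREACH, ICMP_SR_FAILED):
        return None
    # RFC 792: after the 8-byte ICMP header comes the offending packet's IP header plus
    # the first 64 bits of its data, which is enough for a TCP or UDP port pair.
    inner = parse_ipv4(outer.payload[8:])
    ports = None
    if inner.proto in (PROTO_TCP, PROTO_UDP) and len(inner.payload) >= 4:
        ports = struct.unpack("!HH", inner.payload[:4])
    return SRFailedReport(outer.src, outer.dst, inner.src, inner.dst, inner.proto,
                          ports, source_route_option(inner.options))


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, options: bytes = b"") -> bytes:
    """Assemble an IPv4 datagram for test data (checksum left at zero, not for the wire)."""
    options += b"\0" * (-len(options) % 4)                  # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0, 0,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + options + payload


def sample_datagram() -> bytes:
    """Constructed: 192.0.2.10 sent TCP/25 to 198.51.100.7 with an LSRR hop list, and
    198.51.100.7 refused the route and reported Source Route Failed back to 192.0.2.10."""
    hops = socket.inet_aton("198.51.100.1") + socket.inet_aton("198.51.100.7")
    lsrr = bytes([IPOPT_LSRR, 3 + len(hops), 4]) + hops      # type, length, pointer, addresses
    quoted_tcp = struct.pack("!HHI", 1234, 25, 0x01020304)   # sport, dport, seq: the 8 quoted bytes
    offending = build_ipv4("192.0.2.10", "198.51.100.7", PROTO_TCP, quoted_tcp, options=lsrr)
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_SR_FAILED, 0, 0) + offending
    return build_ipv4("198.51.100.7", "192.0.2.10", PROTO_ICMP, icmp)
```

Fed a datagram captured with a packet sniffer on the host that logs the errors, the report's `reporter` is the router or host that refused the route and the inner header is the packet it objected to, which is the one to go looking for (here a mail connection, hence the correlation with message exchanges). If `route` comes back None, the quoted packet carried no source-route option at all and the error has some other cause.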
From firewalls-owner Tue Apr 11 15:42:57 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA10941 for firewalls-outgoing; Tue, 11 Apr 1995 12:13:59 -0700 Received: from erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA10926 for ; Tue, 11 Apr 1995 12:13:54 -0700 Posted-Date: Tue, 11 Apr 1995 15:14:18 -0400 From: "Bryan D. Boyle" Message-Id: <9504111514.ZM11911@maverick.erenj.com> Date: Tue, 11 Apr 1995 15:14:18 -0400 In-Reply-To: fc@all.net (Dr. Frederick B. Cohen) "Re: Improvements to Scamming and Free Scam Set Reset" (Apr 11, 3:06pm) References: <9504111906.AA07364@all.net> X-Phone: (908) 730-3338 X-Saying: Strange problems call for strange solutions. X-Face: "Pd&4kXWsi"3Hc_Y~I-ts24DN$w~Hh)&L-P9DZvE"~_~m),~Y&N_]TUIM*4.r@z$SxVL]}v=+IP>Fuq{zx%{KKj"Kys1Q5{|m*l}:[T;N:/=@5[xOIpR$%skp$f0#6^j\1+ -?l%Yk/+S8Y!3J@{~!Ao4-COV:Ft}{]oZ&1=!@<>UIh2s X-Mailer: Z-Mail (3.2.0 06sep94) To: firewalls@greatcircle.com Subject: Re: Improvements to Scamming and Free Scam Set Reset Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Then I suggest you air your dirty laundry elsewhere, since I am sure the rest of the world is weary of this stuff infesting the firewalls list. This is for the discussion of security perimeter technology, not who is stealing whose software, or marketing, or anything else. Your replies, of course, can be sent to /dev/null. On Apr 11, 3:06pm, Dr. Frederick B. Cohen wrote: > Subject: Re: Improvements to Scamming and Free Scam Set Reset > > You know, in academic circles and most professional societies, this would > > be cause for the revocation of any degrees or certificates held by the > > perpetrator, if it was proven true. > > The problem is, it is completely false, and he is well aware of it, because > I told it to him before he posted a public statement. -- Bryan D.
Boyle |The Moving Finger writes,and having writ, moves on. #include |Nor all your Piety nor Wit can call it back to cancel EMAIL: bdboyle@erenj.com |Half a line, or all your tears wash out a Word of it. --------------http://www.access.digex.net/~bdboyle/index.html--------------- From firewalls-owner Tue Apr 11 16:26:52 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA20881 for firewalls-outgoing; Tue, 11 Apr 1995 16:18:41 -0700 Received: from miriworld.its.unimelb.EDU.AU (miriworld.its.unimelb.EDU.AU [128.250.20.27]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA20840 for ; Tue, 11 Apr 1995 16:17:59 -0700 Received: (from danny@localhost) by miriworld.its.unimelb.EDU.AU (8.6.11/8.6.11) id JAA21375; Wed, 12 Apr 1995 09:15:45 +1000 Date: Wed, 12 Apr 1995 09:15:44 +1000 (EST) From: "Daniel O'callaghan" To: mueller_scott cc: firewalls@GreatCircle.COM, dhollis@hq.jcic.org Subject: Re: "Source Route Failed" errors? In-Reply-To: <9504111758.AA29975@zorch.loc3.tandem.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 11 Apr 1995, mueller_scott wrote: > > Besides the implied question (what the heck is going on here?!), I'm also > curious as to whether many other sites have their lowest-preference MX records > pointing to unreachable hosts. One solution to this is to use the Sendmail 8.6.x feature which is commented as "If we are best MX host for a site, send directly instead of generating local config error". Turn that on, and make your bastion the best MX. Mail goes through to the bastion immediately, instead of timing out the best MX. The catch here is that all internal mail will go through the bastion, too. Easier than running split DNS, though.
Danny From firewalls-owner Tue Apr 11 17:26:45 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA22791 for firewalls-outgoing; Tue, 11 Apr 1995 17:21:46 -0700 Received: from feta.cisco.com (feta.cisco.com [171.69.1.158]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id RAA22784 for ; Tue, 11 Apr 1995 17:21:44 -0700 Received: (dkatz@localhost) by feta.cisco.com (8.6.8+c/CISCO.SERVER.1.1) id RAA25319; Tue, 11 Apr 1995 17:21:07 -0700 Date: Tue, 11 Apr 1995 17:21:07 -0700 From: Dave Katz Message-Id: <199504120021.RAA25319@feta.cisco.com> To: cisco@spot.colorado.edu Cc: firewalls@greatcircle.com, dkatz@cisco.com Subject: NTP and SATAN Sender: firewalls-owner@GreatCircle.COM Precedence: bulk There have been some rumors making the rounds on the net recently that the Network Time Protocol, NTP, has a vulnerability to one of the tests that SATAN performs. The rumor states that one of SATAN's tests will cause the time to suddenly shift by several years. Real NTP daemons, including cisco's implementation and the freely available Unix implementation "xntpd" do *not* have this vulnerability, due to extensive format checking of incoming packets, and due to the statistical selection mechanisms used (a packet with wildly incorrect time would be discarded as an outlier). If anyone has further questions on this subject, let me know. 
--Dave From firewalls-owner Tue Apr 11 19:26:46 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA24366 for firewalls-outgoing; Tue, 11 Apr 1995 19:22:54 -0700 Received: from amalfi.trl.OZ.AU (amalfi.trl.OZ.AU [137.147.99.99]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id TAA24361 for ; Tue, 11 Apr 1995 19:22:39 -0700 Received: from cedar.melb.cpr.itg.telecom.com.au ([144.136.63.5]) by amalfi.trl.OZ.AU (8.6.10/8.6.9) with ESMTP id MAA27256 for ; Wed, 12 Apr 1995 12:21:52 +1000 Received: from huon.melb.cpr.itg.telecom.com.au (huon.melb.cpr.itg.telecom.com.au [144.136.63.213]) by cedar.melb.cpr.itg.telecom.com.au (8.6.10/8.6.11) with SMTP id MAA27923; Wed, 12 Apr 1995 12:22:49 +1000 From: David Burren Message-Id: <199504120222.MAA27923@cedar.melb.cpr.itg.telecom.com.au> X-Authentication-Warning: cedar.melb.cpr.itg.telecom.com.au: Host huon.melb.cpr.itg.telecom.com.au didn't use HELO protocol To: blmqzjc@bst.bls.com (Jerry Upchurch) cc: firewalls@GreatCircle.COM, jerry.upchurch@bst.bls.com, kmac@baosc.com, davidb@cedar.melb.cpr.itg.telecom.com.au Subject: Re: X proxy service In-reply-to: Your message of "Tue, 11 Apr 95 07:36:30 EDT." <9504111136.AA17478@bstgw.bst.bls.com> Date: Wed, 12 Apr 95 12:22:49 +1000 X-Mts: smtp Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > The X proxy released with fwtk v1.3 has a known problem where it almost > entirely consumes the CPU. TIS has acknowledged this to me on more than > one occasion, and said that a fix would be available "someday". They are > concentrating on their commercial product "Gauntlet" (who can blame them), > so it's probably just a matter of priorities. > Point is, if you are planning on running more than one or two users through > your firewall concurrently, your response time will degrade significantly. > I've tried it on a SPARC 20 with 48mb RAM, with 3 or 4 concurrent X sessions, > and found the response unacceptable. 
I'm using it on a DEC 5000/133 and had the same problem. Looking at the proxy code, it was buffering the data for reads and writes with malloc() and free()! On a write, if not all of the buffer got written, they realloc'ed the buffer to save the remainder and try it again later. Safe, but UGLY. I changed the code to use a similar loop to that in plug-gw, with fixed buffers. A quick fix, and it's certainly been running under heavy load for some months now. We have developers running CAD sessions on remote machines for problem-resolution, and the proxy's been reliable with this change. The CPU still has very little idle time left, but this seems to be caused by the number of read()s and write()s, with very small amounts of data per operation. It's certainly much better performance than the original. - David Burren davidb@cpr.itg.telecom.com.au The change is small, thus I've included it here. Please note that I place no guarantee or warranty on this code. Use at your own risk, etc. =================================================================== RCS file: /support/src/net/fwtk/x-gw/fwd.c,v retrieving revision 1.1.1.1 diff -c -r1.1.1.1 fwd.c *** 1.1.1.1 1994/11/16 03:09:28 --- fwd.c 1995/02/28 01:55:50 *************** *** 79,84 **** --- 79,87 ---- int timemax, idlemax; pid_t ppid; { + #define BUFF_SIZ 4096 + + char dbuff[BUFF_SIZ], fbuff[BUFF_SIZ]; fd_set readable, writable; char *pbuffrom=NULL; /* buf from dest to forward to from */ char *pbufdest=NULL; /* buf from from to forward to dest */ *************** *** 89,94 **** --- 92,98 ---- for(;;) { readable= *rset; writable= *wset; + #if 0 ret=serv_select( maxfd,&readable,&writable,timemax,idlemax ); if( ret<0 ) { if( -ret==EINTR ) continue; *************** *** 111,116 **** --- 115,144 ---- if(pbuffrom && FD_ISSET(dest,&writable) && (szfrom=writefd(&dest,rset,wset,&pbuffrom,szfrom))<0) break; + #else + ret=serv_select( maxfd,&readable,NULL,timemax,idlemax ); + if( ret<0 ) { + if( -ret==EINTR ) continue; + break; + } 
+ else if( !ret ) continue; + + if (FD_ISSET(from, &readable)) + { + if ((szfrom = read(from, fbuff, BUFF_SIZ)) < 0) + break; + if (write(dest, fbuff, szfrom) != szfrom) + break; + } + + if (FD_ISSET(dest, &readable)) + { + if ((szdest = read(dest, dbuff, BUFF_SIZ)) < 0) + break; + if (write(from, dbuff, szdest) != szdest) + break; + } + #endif if( ppid>=0 && ppid!=getppid() ) break; }

From firewalls-owner Tue Apr 11 21:27:01 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA25740 for firewalls-outgoing; Tue, 11 Apr 1995 21:18:56 -0700
Received: from relay.tis.com (relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id VAA25735 for ; Tue, 11 Apr 1995 21:18:54 -0700
Received: from mailhub.tis.com(192.33.112.100) by relay.tis.com via smap (a1.4) id sma017440; Tue Apr 11 22:54:55 1995
Received: from (illuminati.tis.com) by tis.com (4.1/SUN-5.64) id AA22060; Tue, 11 Apr 95 22:53:41 EDT
Received: by (4.1/illuminati) id AA23446; Tue, 11 Apr 95 23:00:10 EDT
From: "Marcus J. Ranum"
Message-Id: <23446.9504120300@illuminati>
Subject: Re: X proxy service
To: davidb@melb.cpr.itg.telecom.com.au (David Burren)
Date: Tue, 11 Apr 1995 23:00:09 -0400 (EDT)
Cc: blmqzjc@bst.bls.com, firewalls@GreatCircle.COM, jerry.upchurch@bst.bls.com, kmac@baosc.com, davidb@cedar.melb.cpr.itg.telecom.com.au
In-Reply-To: <199504120222.MAA27923@cedar.melb.cpr.itg.telecom.com.au> from "David Burren" at Apr 12, 95 12:22:49 pm
Organization: Trusted Information Systems, Inc. Glenwood, MD
Phone: 301-854-6889
Coredump: Infocalypse Now!!!
Content-Type: text
Content-Length: 462
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> The X proxy released with fwtk v1.3 has a known problem where it almost
>> entirely consumes the CPU.

The problem is that the select() in the main loop is accidentally implementing a poll, since the timeout is zero.
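Review bot: in the second fwd.c hunk above, wrapping the original select/readfd/writefd path in `#if 0` leaves dead code in the function rather than removing it, and `writable= *wset;` is still executed at the top of the loop even though the `#else` path never uses it (it passes NULL as the writable set); either delete the disabled block or note in a comment why it is kept for reference.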
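Review bot: in the `#else` branch of the third fwd.c hunk above, a read() that returns 0 (the peer closed its side) is not treated as end of stream: `if ((szfrom = read(from, fbuff, BUFF_SIZ)) < 0) break;` only breaks on error, so after EOF the descriptor stays readable, serv_select() returns immediately on every pass, the zero-byte write() succeeds, and the loop spins until the ppid check fires; the test should be `<= 0`. The same branch also turns a short write into a fatal error (`if (write(dest, fbuff, szfrom) != szfrom) break;`), discarding the partial-write retry the original realloc logic provided, and because the writable set is no longer consulted a write() to a peer that is not ready blocks the whole forwarder in both directions; looping over the remainder of the buffer (or keeping the writable set and writing only when the peer is ready) would preserve the old guarantee.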
It's fixed in our inhouse copy but we haven't published a new version of the toolkit because we're really busy trying to get products out and that takes priority over all else. We also want to avoid "toolkit-of-the-month" syndrome. :)

mjr.

From firewalls-owner Wed Apr 12 01:26:23 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA29655 for firewalls-outgoing; Wed, 12 Apr 1995 00:53:18 -0700
Received: from AMCCCA.AMC.UVA.NL (amccca.amc.uva.nl [145.18.202.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id AAA29649 for ; Wed, 12 Apr 1995 00:53:10 -0700
Received: from amchelix.amc.uva.nl by amc.uva.nl (PMDF V4.3-7 #2498) id <01HP8WWEJ5LS000258@amc.uva.nl>; Wed, 12 Apr 1995 09:52:56 MET
Received: by amchelix.amc.uva.nl (5.0/SMI-5.0) id AA06879; Wed, 12 Apr 1995 09:52:53 +0200
Date: Wed, 12 Apr 1995 09:52:53 +0200
From: F.Wetzels@amc.uva.nl (Frank Wetzels)
Subject: Re: NTP and SATAN
To: firewalls@greatcircle.com
Message-id: <9504120752.AA06879@amchelix.amc.uva.nl>
X-Envelope-to: firewalls@greatcircle.com
Content-transfer-encoding: 7BIT
Content-length: 782
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

fpmw> There have been some rumors making the rounds on the net recently that
fpmw> the Network Time Protocol, NTP, has a vulnerability to one of the
fpmw> tests that SATAN performs. The rumor states that one of SATAN's tests
fpmw> will cause the time to suddenly shift by several years.
fpmw>
fpmw> Real NTP daemons, including cisco's implementation and the freely available
fpmw> Unix implementation "xntpd" do *not* have this vulnerability, due to extensive
fpmw> format checking of incoming packets, and due to the statistical selection
fpmw> mechanisms used (a packet with wildly incorrect time would be discarded
fpmw> as an outlier).

But, how about sending packets that shift time a little bit? After a number of packets, the time could be changed considerably?
- Frank

From firewalls-owner Wed Apr 12 01:26:54 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA00330 for firewalls-outgoing; Wed, 12 Apr 1995 01:09:15 -0700
Received: from chx400.switch.ch (chx400.switch.ch [130.59.1.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id BAA00318 for ; Wed, 12 Apr 1995 01:09:09 -0700
Received: from arwen.unibe.ch by chx400.switch.ch with SMTP (PP); Wed, 12 Apr 1995 10:09:24 +0200
From: zumbrunn@iam.unibe.ch (Patrick Zumbrunn)
Message-Id: <9504120809.AA02814@baghira.unibe.ch>
Subject: Pictures
To: firewalls@greatcircle.com
Date: Wed, 12 Apr 1995 10:09:05 +0200 (MET DST)
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

Can somebody tell me where I can get nice FW pictures (like the ones used by Marcus J. Ranum in 'Thinking About Firewalls'), if possible in xfig format?

Thanks !
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Patrick Zumbrunn                                          __o
University of Berne, Switzerland                        __!__ _`\<,_
zumbrunn@iam.unibe.ch                                -----o----- ( )/ ( )
http://iamwww.unibe.ch:80/~zumbrunn/                              " "
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Wed Apr 12 01:43:36 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA29567 for firewalls-outgoing; Wed, 12 Apr 1995 00:49:53 -0700
Received: from swan.lanl.gov (swan.lanl.gov [128.165.96.130]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA29553 for ; Tue, 11 Apr 1995 07:02:11 -0700
Received: from goshawk.lanl.gov (goshawk.lanl.gov [128.165.96.145]) by swan.lanl.gov (8.6.10/8.6.4) with ESMTP id IAA15102; Tue, 11 Apr 1995 08:00:59 -0600
Received: from [192.67.239.214] (franklin-tty13.jvnc.net [192.67.239.213]) by goshawk.lanl.gov (8.6.10/8.6.4) with SMTP id IAA25788; Tue, 11 Apr 1995 08:02:24 -0600
Date: Tue, 11 Apr 1995 08:02:24 -0600
X-Sender: corecom@tigger.jvnc.net
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Mark Kosters , Matthew.Huff@tasb.org (Matthew Huff)
From: dave@corecom.com (David M. Piscitello)
Subject: Re: Registered IP vs unregistered
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There is also the issue of whether an IP address you acquire from a source other than the ISP you subscribe to interferes with address aggregation. If large numbers of holes are punched in ISP CIDR blocks, aggregation fails, routing tables grow beyond what can be stored in current router resources, and we are hosed.

There are 3 principles emerging from these discussions:

1) If you are going to use public, registered C addresses, you really ought to get them from the ISP you subscribe to.
2) If you are not initially going to connect to a public IP infrastructure, and are acquiring IP addresses for your company, AND you expect to connect EVENTUALLY, you ought to use registered addresses. Note that how and from whom you obtain these addresses may make your transition simple or hard; if, for example, you get a block of C's from a source other than an ISP you eventually connect to, you may find in the future that the ISP will ask you to renumber so you don't punch holes in the ISP's CIDR block (this is not widely practiced today, but in the future, an ISP faced with a serious routing load problem may impose such constraints for the good of its existing customer base).

3) If you have NO intention of ever connecting to a public infrastructure, OR you ABSOLUTELY want to have inside/outside addresses, RFC 1597 isn't such a bad idea. I use 172.16.x.x and 172.17.x.x because they are convenient.

Having said this, perhaps we could move this off to a new list?

At 8:48 PM 4/10/95, Mark Kosters wrote:
>That is correct. Plus we are running out of class C space. With our
>current growth rates, we will be out of class C's within the next
>two years.
>
>Mark
>
>>
>> I think one of the main reason the InterNIC is advising people
>> to check with their ISP before registering their public IP is
>> the rapid growth of CIDR routing. The ISP's are given blocks
>> of IPs to hand out in order to maintain their routing tables
>> at the absolute minimums
>>
>>
>
>
>--
>
>Mark Kosters markk@internic.net +1 703 742 4795
>Software Engineer InterNIC Registration Services

David M. Piscitello
Core Competence, Inc.
1620 Tuckerstown Road
Dresher, PA USA 19025
dave@corecom.com
1.215.830.0692

From firewalls-owner Wed Apr 12 01:48:57 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA29465 for firewalls-outgoing; Wed, 12 Apr 1995 00:47:15 -0700
Received: from lykos.netpart.com (lykos.netpart.com [199.35.49.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA25848 for ; Mon, 10 Apr 1995 09:45:23 -0700
Received: from localhost (phil@localhost) by lykos.netpart.com (8.6.5/8.6.5) id JAA28068; Mon, 10 Apr 1995 09:45:36 -0700
Date: Mon, 10 Apr 1995 09:45:36 -0700 (PDT)
From: Phil Trubey
To: firewalls@greatcircle.com
Subject: BorderWare mailing list announcement
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am re-sending this announcement since it did not seem to make it the first time when I sent it to the firewalls list.

There is a new mailing list now available for users of the BorderWare Firewall Server. You can subscribe to it by sending an email message to firewall-request@netpart.com with a subject line composed of the word: subscribe

BorderWare is the new name of the JANUS firewall server - name change went into effect April 1, 1995 (no joke).

---
Phil Trubey | NetPartners | Providing Internet products and services.
E-mail: phil@netpart.com | Home Page: http://www.netpart.com/
Phone: 714-759-1641 |

From firewalls-owner Wed Apr 12 01:56:58 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA01177 for firewalls-outgoing; Wed, 12 Apr 1995 01:28:56 -0700
Received: from chx400.switch.ch (chx400.switch.ch [130.59.1.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id BAA01172 for ; Wed, 12 Apr 1995 01:28:52 -0700
Received: from arwen.unibe.ch by chx400.switch.ch with SMTP (PP); Wed, 12 Apr 1995 10:28:39 +0200
From: zumbrunn@iam.unibe.ch (Patrick Zumbrunn)
Message-Id: <9504120828.AA02894@baghira.unibe.ch>
Subject: Pictures
To: firewalls@greatcircle.com
Date: Wed, 12 Apr 1995 10:28:13 +0200 (MET DST)
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

Can somebody tell me where to get nice FW pictures (like the ones in 'Thinking About Firewalls'), if possible in xfig format?

Thanks,

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Patrick Zumbrunn                                          __o
University of Berne, Switzerland                        __!__ _`\<,_
zumbrunn@iam.unibe.ch                                -----o----- ( )/ ( )
http://iamwww.unibe.ch:80/~zumbrunn/                              " "
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Wed Apr 12 02:01:35 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA29521 for firewalls-outgoing; Wed, 12 Apr 1995 00:48:39 -0700
Received: from databus.databus.com (databus.databus.com [198.186.154.34]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA07873 for ; Mon, 10 Apr 1995 14:06:40 -0700
Date: Mon, 10 Apr 95 17:06 EDT
Message-ID: <9504101707.AA15310@databus.databus.com>
From: Barney Wolff
To: long-morrow@CS.YALE.EDU (H Morrow Long), hcb@clark.net
Cc: blast@worldbit.com, firewalls@GreatCircle.COM
Subject: Re: Router mailing list?
Content-Length: 1335
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: Mon, 10 Apr 1995 14:16:49 -0400
> From: long-morrow@CS.YALE.EDU (H Morrow Long)
>
> You're right. I think the mailing list I'm thinking of may be called the
> BIG-LAN mailing list. Anyone have any pointers on how to subscribe to it, etc?

For the moment,

Moderated by John Wobus, Syracuse University

Relevant addresses:        Internet                          BITNET
Submissions:               big-lan@suvm.acs.syr.edu          BIG-LAN@SUVM
Subscriptions:             big-lan-request@suvm.acs.syr.edu  BIG-REQ@SUVM
LISTSERV/Archives:         listserv@suvm.acs.syr.edu         LISTSERV@SUVM
Moderator:                 jmwobus@syr.edu                   JMWOBUS@SYREDU
Anonymous ftp archives:    syr.edu

Note: BIG-LAN is redistributed through many mailing lists at other sites run by other individuals. If you subscribe(d) through such a "redistribution" list, you will need to remember its owner.

syr.edu also has a copy of the BIG-LAN "FAQ" memo (answers to frequently asked questions) under the path information/big-lan/big-lan.faq

BIG-LAN is also available via netnews, through newsgroup bit.listserv.big-lan.

The list administrator has just advised that the subscription address will soon change, so get in fast. I've found the FAQs posted periodically to be quite valuable.
Barney Wolff

From firewalls-owner Wed Apr 12 05:26:46 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA04649 for firewalls-outgoing; Wed, 12 Apr 1995 05:16:30 -0700
Received: from javelin.hks.com (javelin.hks.com [192.101.199.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA04644 for ; Wed, 12 Apr 1995 05:16:27 -0700
Received: from ragnarok.hks.com by javelin.hks.com with smtp (Smail3.1.29.0 #2) id m0rz1Lq-0008f4C; Wed, 12 Apr 95 08:16 EDT
Received: by ragnarok.hks.com (940816.SGI.8.6.9/940406.SGI) for firewalls@greatcircle.com id IAA12799; Wed, 12 Apr 1995 08:16:53 -0400
From: "Jim Littlefield"
Message-Id: <9504120816.ZM12797@ragnarok.hks.com>
Date: Wed, 12 Apr 1995 08:16:52 -0400
In-Reply-To: F.Wetzels@amc.uva.nl (Frank Wetzels) "Re: NTP and SATAN" (Apr 12, 9:52am)
References: <9504120752.AA06879@amchelix.amc.uva.nl>
X-Mailer: Z-Mail (3.2.1 15feb95)
To: firewalls@greatcircle.com
Subject: Re: NTP and SATAN
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Apr 12, 9:52am, Frank Wetzels wrote:
:
: But, how about sending packets that shifts time a little bit. After a number
: of packets, the time could be changed considerably?

This will not work if you are using multiple systems to provide your time. Eventually, the system which is spoofing the current time will be dropped as the source to sync to because it varies greatly from the other systems.

--
Jim Littlefield
"Listen to them: Children of the night. What beautiful music they make..."
-- Dracula (1931)

From firewalls-owner Wed Apr 12 09:42:12 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA07084 for firewalls-outgoing; Wed, 12 Apr 1995 08:18:09 -0700
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA07079 for ; Wed, 12 Apr 1995 08:18:07 -0700
Received: from suned1.Nswses.Navy.Mil by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950108) id IAA13641; Wed, 12 Apr 1995 08:17:57 -0700
Received: from slced1 (slced1.nswses.navy.mil) by suned1.Nswses.Navy.Mil (4.1/Nswses4.1.2_920723eb) id AA17326; Wed, 12 Apr 95 08:15:30 PDT
Date: Wed, 12 Apr 1995 08:15:25 -0700 (PDT)
From: Everett F Batey WA6CRE
X-Sender: efb@slced1
To: firewalls@greatcircle.com
Subject: Sanity check comm servers
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Have noted a lot of cooperation and openness in supporting firewall needs from Portmaster vendor and the Annex vendor. Understand they both lend to using externally generated one time passwords and are multi-os friendly.

We have been advised we need Shiva. Can those as well support easily, without adding a DOS box, etc., Unix side generated once-used pw-s? How do you who have built firewalls feel about the several comm servers in this context, ... or other commservers?

Thanks .. it is urgent for me .. folks are about to spend large dollars and want to put off security till a later year.

+ efb@suned1.nswses.Navy.MIL efb@gcpacix.cotdazr.org efb@uvsi.jpl.nasa.gov +
+ efb@nosc.mil efb@oxnardsd.org [EFB15] WA6CRE Gold Coast Sun Users +
+ The Genie is Out of the Bottle!
:-) CANT Put it Back, Nor even Nuke It +
+ Opinions, MINE, NOT Uncle_s | WWW b-news innd postmaster XNTP3 DNS GNU +

From firewalls-owner Wed Apr 12 09:45:39 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA07433 for firewalls-outgoing; Wed, 12 Apr 1995 08:45:56 -0700
Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA07428 for ; Wed, 12 Apr 1995 08:45:52 -0700
Received: from uucp6.UU.NET by relay3.UU.NET with SMTP id QQyldv15567; Wed, 12 Apr 1995 11:46:14 -0400
Received: from cii.UUCP by uucp6.UU.NET with UUCP/RMAIL ; Wed, 12 Apr 1995 11:46:15 -0400
Received: by StarPower.Com (5.x/SMI-SVR4) id AA02408; Wed, 12 Apr 1995 11:36:55 -0400
Date: Wed, 12 Apr 1995 11:36:55 -0400
From: george@cii.StarPower.Com
Message-Id: <9504121536.AA02408@StarPower.Com>
To: firewalls@greatcircle.com
Subject: ftp via mosaic
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am trying to do ftp through my firewall using URLs of the form:

ftp://ftp.xxx.com

The result is an ftp (21) connect followed by a tcp SYN with high (>1023) source and destination values, which my firewall is currently rejecting.

Can anyone give me any suggestions? I really want to make this work, but I cannot see any secure way of permitting this service.

My firewall is a Livingston IRX-211.
Thanks,

----
George Eberhardt                George@StarPower.Com
Computer Innovations, Inc       PH (908) 542-5920
1129 Broad Street,              FAX (908) 542-6121
Shrewsbury, NJ 07702

From firewalls-owner Wed Apr 12 11:34:31 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA10118 for firewalls-outgoing; Wed, 12 Apr 1995 11:21:02 -0700
Received: from tera.bctel.net (tera.bctel.net [204.174.66.253]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA10107 for ; Wed, 12 Apr 1995 11:20:58 -0700
Received: (from nobody@localhost) by tera.bctel.net (8.6.10/8.6.10) id LAA04949; Wed, 12 Apr 1995 11:19:06 -0700
Received: from espresso(192.197.176.129) by tera via smap (V1.3) id sma004947; Wed Apr 12 11:18:50 1995
Received: (from murrell@localhost) by espresso.bctel.net (8.6.10/8.6.10) id LAA14959; Wed, 12 Apr 1995 11:19:48 -0700
From: Brian Murrell
Message-Id: <199504121819.LAA14959@espresso.bctel.net>
To: george@cii.StarPower.Com
Subject: Re: ftp via mosaic
Cc: firewalls@GreatCircle.COM
Date: Wed, 12 Apr 1995 11:19:48 -0700 (PDT)
MIME-Version: 1.0
X-Mailer: Ishmail 1.0.5-sol-950210 Available via anonymous ftp from ftp.halsoft.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

george@cii.StarPower.Com wrote:
> I am trying to do ftp throught my firewall using URL's of the form:-
>
> ftp://ftp.xxx.com
>
> THe result is an ftp (21) connect followed by a tcp SYN with
> high (>1023) source and destination values, which my firewall
> is currently rejecting.

This is how passive ftp works. Normally the ftp server will open a connection back to your system which means you have to open unspecified ports for INBOUND access. Yuck.

> Can anyone give me any suggestions. I really want to make
> this work, but I cannot see any secure way of permitting
> this service.

Open up TCP ports >1023 and 1023 from inside but refuse connections with port numbers >1023 from outside.

b.
--
Brian J.
Murrell                          murrell@bctel.net
BCTel Advanced Communications    brian@ilinx.com
Vancouver, B.C.                  brian@wimsey.com
604 454 5243

From firewalls-owner Wed Apr 12 11:57:47 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA10298 for firewalls-outgoing; Wed, 12 Apr 1995 11:33:52 -0700
Received: from hp.com (hp.com [15.255.152.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA10293 for ; Wed, 12 Apr 1995 11:33:50 -0700
From: robert@rlemire.canada.hp.com
Received: from rlemire.canada.hp.com by hp.com with SMTP (1.37.109.15/15.5+ECS 3.3) id AA203571647; Wed, 12 Apr 1995 11:34:08 -0700
Message-Id: <199504121834.AA203571647@hp.com>
Received: by rlemire.canada.hp.com (1.38.193.4/16.2) id AA01169; Wed, 12 Apr 1995 14:34:26 -0400
Subject: HP software
To: firewalls@GreatCircle.com
Date: Wed, 12 Apr 95 14:34:26 EDT
Mailer: Elm [revision: 70.85]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone know if there is any firewall software running on HP-UX in the market?

From firewalls-owner Wed Apr 12 13:30:54 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA11816 for firewalls-outgoing; Wed, 12 Apr 1995 12:35:03 -0700
Received: from Aptech.com (rama.aptech.com [199.29.185.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA11811 for ; Wed, 12 Apr 1995 12:34:59 -0700
Received: from amos.Aptech.com by Aptech.com (5.x/SMI-SVR4) id AA13231; Wed, 12 Apr 1995 12:34:51 -0700
Received: by amos.Aptech.com (5.x/SMI-SVR4) id AA02090; Wed, 12 Apr 1995 12:34:50 -0700
Date: Wed, 12 Apr 1995 12:34:50 -0700
From: sjones@Aptech.com (Samuel D. Jones)
Message-Id: <9504121934.AA02090@amos.Aptech.com>
To: firewalls@GreatCircle.COM
Subject: NetBlazer filters
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am trying to set up filters for a Telebit NetBlazer to allow mail and outgoing ftp and telnet. I want everything else shut down.
I would like to be able to ping also. I have filters already in place, but I don't know if I am missing something important. Can anyone help me?

Samuel D. Jones
sam@Aptech.com

From firewalls-owner Wed Apr 12 13:56:27 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA12468 for firewalls-outgoing; Wed, 12 Apr 1995 13:03:57 -0700
Received: from gw2.att.com (gw1.att.com [192.20.239.133]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA12463 for ; Wed, 12 Apr 1995 13:03:53 -0700
Received: from cmprime.UUCP by ig1.att.com id AA05969; Wed, 12 Apr 95 15:31:32 EDT
From: Ken Lee
Received: by cmprime.cis.att.com (1.37.109.15/16.2) id AA267534344; Wed, 12 Apr 1995 15:19:04 -0400
Original-From: Ken Lee
Posted-Date: Wed, 12 Apr 1995 15:19:04 -0400
Received-Date: Wed, 12 Apr 1995 15:19:04 -0400
Message-Id: <199504121919.AA267534344@cmprime.cis.att.com>
Subject: Re: HP software
To: robert@rlemire.canada.hp.com
Date: Wed, 12 Apr 1995 15:19:04 EDT
Cc: firewalls@GreatCircle.com
In-Reply-To: <199504121834.AA203571647@hp.com>; from "robert@rlemire.canada.hp.com" at Apr 12, 95 2:34 pm
X-Mailer: Elm [revision: 109.14]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Robert,

>
> Does anyone know if there is any firewall software running on HP-UX
> in the market
>

I don't know of any commercial products (I've only looked at a few), but the TIS Toolkit and SOCKS will both run on HP-UX.
Ken Lee

From firewalls-owner Wed Apr 12 19:56:53 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA17369 for firewalls-outgoing; Wed, 12 Apr 1995 19:00:14 -0700
Received: from relay.hp.com (relay.hp.com [15.255.152.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id TAA17360; Wed, 12 Apr 1995 19:00:05 -0700
From: ESMOND_TONG@HP-HongKong-om1.om.hp.com
Received: from hpsgm1.sgp.hp.com by relay.hp.com with ESMTP (1.37.109.15/15.5+ECS 3.3) id AA255378413; Wed, 12 Apr 1995 19:00:16 -0700
Received: from by hpsgm1.sgp.hp.com with SMTP (1.37.109.11/15.5+ECS 3.4 Openmail) id AA045108411; Thu, 13 Apr 1995 10:00:12 +0800
X-Openmail-Hops: 2
Date: Thu, 13 Apr 95 09:59:35 +0800
Message-Id:
In-Reply-To: <199504121919.AA267534344@cmprime.cis.att.com>
Subject: Re: HP software
To: firewalls-owner@GreatCircle.com
Cc: firewalls@GreatCircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Item Subject: Message text

Hello,

As far as I know, Eagle from Raptor can run on the HP-UX platform.

Best Regards,
Esmond TONG

> Robert,
>
> >
> > Does anyone know if there is any firewall software running on HP-UX
> > in the market
> >
>
> I don't know of any commercial products (I've only looked at a few),
> but the TIS Toolkit and SOCKS will both run on HP-UX.
>
> Ken Lee
>

From firewalls-owner Wed Apr 12 20:26:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA17668 for firewalls-outgoing; Wed, 12 Apr 1995 19:51:41 -0700
Received: from world1.worldbit.com (gw.worldbit.com [199.4.64.236]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id TAA17663 for ; Wed, 12 Apr 1995 19:51:37 -0700
Received: (blast@localhost) by world1.worldbit.com (8.6.10/A/UX 3.1) id UAA07290; Wed, 12 Apr 1995 20:00:24 -0700
Date: Wed, 12 Apr 1995 20:00:23 -0700 (PDT)
From: Tim Keanini
To: firewalls@GreatCircle.com
Subject: port of fwtk to BSD/OS 2.0
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am wondering if someone has ported the Firewall Toolkit to BSD/OS 2.0 yet?

If you have, please let me know.

Thanks in advance.

--blast

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\ Tim Keanini        | "The limits of my language,                   /
/ aka blast          |  are the limits of my world."                 \
\                    |           --Ludwig Wittgenstein               /
/                    |                                               \
\                    +================================================/
/                                          for more info on BayMOO...
\                                          email baymoo@worldbit.com /
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

From firewalls-owner Wed Apr 12 20:56:43 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA18126 for firewalls-outgoing; Wed, 12 Apr 1995 20:29:44 -0700
Received: from mailhub.nol.com.sg (mailhub.nol.com.sg [202.42.165.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id UAA18121 for ; Wed, 12 Apr 1995 20:29:34 -0700
From: tists9@notes-gw.nol.com.sg
Received: by mailhub.nol.com.sg; Thu, 13 Apr 95 11:28:26 +0800
X400-Received: by /c=sg/admd=tas/prmd=nol/; Relayed; 13 Apr 95 11:27:50 +0800
X400-Received: by mta nolmta in /c=sg/admd=tas/prmd=nol/; Relayed; 13 Apr 95 11:27:50 +0800
X400-MTS-Identifier: [/c=sg/admd=tas/prmd=nol/; 0071C2F8C9A36001-nolmta]
Content-Identifier: 0071C2F8C9A36001
Content-Return: Allowed
X400-Content-Type: P2-1984 ( 2 )
Conversion: Allowed
Priority: non-urgent
Disclose-Recipients: Prohibited
Alternate-Recipient: Allowed
X400-Originator: tists9@notes-gw.nol.com.sg
X400-Recipients: non-disclosure;
Message-Id: <0071C2F8C9A36001*/c=sg/admd=tas/prmd=nol/o=nol/ou=nolsgp/s=tists9/@MHS>
Date: 13 Apr 95 11:27:50 +0800
To: firewalls@GreatCircle.COM (Return requested)
Subject: NetBlazer filters
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am trying to set up filters for a Telebit NetBlazer ST to allow all outgoing services and disable all incoming services. Could someone tell me how?

Thanks
Calvin Yap
tists9@mailhub.nol.com.sg

Send To : firewalls%GreatCircle.COM @ internet
cc :
>From : sjones%Aptech.com @ internet
Date : 13/04/95 11:13:00 AM
Subject : NetBlazer filters

____________________________ Start of Memo _____________________________

I am trying to set up filters for a Telebit NetBlazer to allow mail and outgoing ftp and telnet. I want everything else shut down. I would like to be able to ping also.
I have filters already in place, but I don't know if I am missing something important. Can anyone help me?

Samuel D. Jones
sam@Aptech.com

____________________________ End of Memo _____________________________

From firewalls-owner Wed Apr 12 21:26:48 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA19226 for firewalls-outgoing; Wed, 12 Apr 1995 21:22:23 -0700
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id VAA19221 for ; Wed, 12 Apr 1995 21:22:22 -0700
Received: from gatekeeper.qantel.com.au by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950108) id VAA15799; Wed, 12 Apr 1995 21:21:45 -0700
Received: (from nobody@localhost) by gatekeeper.qantel.com.au (8.6.12/8.6.9) id OAA01372; Thu, 13 Apr 1995 14:33:46 +1000
Received: from gatekeeper.qantel.com.au(203.5.27.252) by gatekeeper.qantel.com.au via smap (V1.3) id sma001370; Thu Apr 13 14:33:19 1995
Date: Thu, 13 Apr 1995 14:33:19 +1000 (EST)
From: phyber
To: Tim Keanini
cc: firewalls@GreatCircle.COM
Subject: Re: port of fwtk to BSD/OS 2.0
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I fwtk on bsd/os 2.0. It compiled without any problems.

-------------------------------------------------------

On Wed, 12 Apr 1995, Tim Keanini wrote:

> I am wondering if someone has ported the Firewall Toolkit to BSD/OS
> 2.0 yet?
>
> If you have, please let me know.
>
> Thanks in advance.
>
> --blast
>
> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> \ Tim Keanini        | "The limits of my language,                   /
> / aka blast          |  are the limits of my world."                 \
> \                    |           --Ludwig Wittgenstein               /
> /                    |                                               \
> \                    +================================================/
> /                                          for more info on BayMOO...
> \                                          email baymoo@worldbit.com /
> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
>
>

From firewalls-owner Wed Apr 12 21:57:00 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA19420 for firewalls-outgoing; Wed, 12 Apr 1995 21:32:45 -0700
Received: from rex.buf.Cubic.COM (buf.Cubic.COM [149.63.9.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id VAA19415 for ; Wed, 12 Apr 1995 21:32:41 -0700
Received: (from mischler@localhost) by rex.buf.Cubic.COM (8.6.9/8.6.9) id AAA00191 for firewalls@greatcircle.com; Thu, 13 Apr 1995 00:32:42 -0400
Date: Thu, 13 Apr 1995 00:32:42 -0400
From: Dave Mischler
Message-Id: <199504130432.AAA00191@rex.buf.Cubic.COM>
To: firewalls@greatcircle.com
Subject: Shareware packet filtering and address translation
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I hope nobody thinks this is too self-serving. If you think you might be interested in a shareware package for the PC that provides IP routing, demand-dial scripting, packet filtering and logging, and address/port translation then check out:

ftp://ftp.demon.co.uk/pub/ibmpc/iprv/iprv063.zip
or
ftp://ftp.cdrom.com/incoming/iprv063.zip

From firewalls-owner Wed Apr 12 23:56:45 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA21473 for firewalls-outgoing; Wed, 12 Apr 1995 23:34:39 -0700
Received: from xmission.xmission.com (xmission.xmission.com [198.60.22.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id XAA21468 for ; Wed, 12 Apr 1995 23:34:36 -0700
Received: (from charly@localhost) by xmission.xmission.com (8.6.12/8.6.12) id AAA28519 for firewalls@GreatCircle.Com; Thu, 13 Apr 1995 00:35:00 -0600
From: charly
Message-Id: <199504130635.AAA28519@xmission.xmission.com>
To: firewalls@GreatCircle.Com
Date: Thu, 13 Apr 1995 00:34:57 -0600 (MDT)
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 44
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

unsucscirbe firewalls@GreatCircle.Com

From firewalls-owner Thu Apr 13 00:26:44 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA21790 for firewalls-outgoing; Thu, 13 Apr 1995 00:09:34 -0700
Received: from infoac.rmi.de (infoac.RMI.DE [192.33.254.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id AAA21782 for ; Thu, 13 Apr 1995 00:09:28 -0700
Received: from detewe.de by infoac.rmi.de with SMTP (8.6.5/GEN-1.1.5-RMI-940426.01) via EUnet EUregio POP Aachen for greatcircle.com id JAA29646; Thu, 13 Apr 1995 09:00:02 +0200
Received: from oen.detewe.de by detewe.de with SMTP id <950411.161211.06239>; Tue, 11 Apr 95 16:12:11 +0100
X-Smtp-From: aszameit@oen.detewe.de
X-Smtp-To: Firewalls@GreatCircle.COM (full domain: GREATCIRCLE.COM)
Received: from singapur.detewe.de by oen.detewe.de (4.1/OeEN-conf-0.1-(Sza)) id AA20680; Thu, 13 Apr 95 07:07:43 +0200
From: aszameit@oen.detewe.de (Andreas Szameit, DeTeWe OeEN)
To: Firewalls@GreatCircle.COM
Subject: Re: Firewall Products
Reply-To: aszameit@oen.detewe.de
Date: Thu, 13 Apr 95 05:07:42 GMT
Message-Id: <9504130507.2A3054@singapur.detewe.de>
X-Mailer: SelectMAIL 1.2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: scott@Disclosure.COM (Scott Barman)
> Date: Tue, 11 Apr 95 15:55:59 EDT
> Subject: Re: Firewall Products
>
> Adam Shostack writes:
> >
> >| We're looking at firewall products (preferably for the AIX platform) and I
> >| wondered if anyone could offer advice as to limitations (or "gotchas") with
> >| our "narrowed down" list. So far, IBM's NetSP and ANS's InterLock seem to
> >| be good candidates, although Sidewinder, from Secure Computing appears to be
> >
> > NetSP requires a firewall expert to set up. There are several
> >things that the manual doesn't cover, it runs sendmail, and has no
> >easy to configure tripwire-like functionality.
Scott wrotes: > > There are a few others I am looking at (along with some comments based > on my preliminary look): > > Internet Site Patrol from BBN Planet > It is a turnkey system that has a Mac front-ending a UNIX box to > do all the firewall work. It looks interesting and a review of > it called it easy to use. > > Even though I have nothing against the Mac (I want a PowerBook!), > I am having a hard time with the Mac being a front-end to the > UNIX box. Also, I understand that you can't use the UNIX box for > any general purpose applications with Site Patrol. > > FireWall-1 from CheckPoint Software (sold in the DC area by I-Net) > I saw this at a time I was not that interested in firewall > product and was impressed with the demo. The thing I liked > about it is that it handled just about everything from the > interface (X11R5/OpenLook): sub-networking, packet filtering and > customization options, (I think) DNS, and even managing access > list for a Cisco router (if you've ever tried to program a Cisco > router, you know how nice a good interface can be!). > > However, it only runs on Sun SPARC boxes and its interface is > OpenLook (sorry, I am not an OpenLook fan). Also, it only > supports Cisco routers (ok, so most people use them, but not > everyone!). > > Netra from Sun > I know the least about this except that it is a standalone SPARC > box with no monitor and software that uses voice to configure. > Sun's literature on this isn't the greatest and I haven't had > time to contact a local distributor. > > We are in the evaluation phase for a firewall system. If anyone has > comments on these and others (such as Gauntlet from Trusted Information > Systems--which is on my list to look at), it would be appreciated. > > scott barman > scott@disclosure.com > barman@ix.netcom.com > Netra isn't a firewall system, but it is a ready installed Internet machine. It was build for people who haven't enough experience with connecting those type of machines to the net. 
If you wan't to run Netra-I as a firewall system you have to load FireWall-1 or an other firewall kit. FireWall-1 will also distributed by Sun. My opinion is that Netra is a sales trick! At CeBit'95 exhibition I talked with the Sun guys about FW-1 and they told me that next releases will support other routers than Cisco, OK that could be a rumour, but they told me definitly that FW-1 will have IP address mapping soon. This is a very important item if you have to connect your LAN to the net and if you don't like or can rearrange the existence address space. There is a large pool of free software which you can use to build up your own firewall system. One of these is the TIS firewall kit, it was often mentioned in that mailing list. But just as important as a firewall system is a security strategy in your company. You have to fix security rules for machines and users inside the company, and all have to live the rules like her own religion. regards ------------------------------------------------------------------ | Andreas Szameit | Department OeEN | Voice: +49 30 6104 5460 | | DeTeWe AG&CoKG | Network Management | FAX: +49 30 6104 5266 | | Zeughofstr.1 | Systems | | | 10997 Berlin | UNIX System | INTERNET: | | Germany | Administration | aszameit@oen.detewe.de | | | | COMPUSERVE: 100434,1610 | ------------------------\|||/------------------------------------- > > O From firewalls-owner Thu Apr 13 03:30:00 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id DAA24838 for firewalls-outgoing; Thu, 13 Apr 1995 03:15:34 -0700 Received: from psycfrnd.interaccess.com (psycfrnd.interaccess.com [198.80.0.26]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id DAA24833 for ; Thu, 13 Apr 1995 03:15:32 -0700 Received: (sej@localhost) by psycfrnd.interaccess.com (8.6.12/8.6.10) id FAA15944; Thu, 13 Apr 1995 05:12:55 -0500 Date: Thu, 13 Apr 1995 05:12:55 -0500 (CDT) From: Stephen Johnson To: firewalls@greatcircle.com Subject: TIS fwtk 
mail list Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Could someone steer me to the mail list for TIS's fwtk? TIA From firewalls-owner Thu Apr 13 06:02:36 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA26105 for firewalls-outgoing; Thu, 13 Apr 1995 05:28:57 -0700 Received: from polaris.noc.hfh.edu (polaris.noc.hfh.edu [150.198.134.128]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA26099 for ; Thu, 13 Apr 1995 05:28:52 -0700 Received: from [150.198.132.-128] (ispc128.is.hfh.edu) by polaris.noc.hfh.edu (4.1/SMI-4.0) id AA18903; Thu, 13 Apr 95 08:29:53 EDT Message-Id: <9504131229.AA18903@polaris.noc.hfh.edu> From: "Peter A. Starceski" To: firewalls@GreatCircle.Com Date: Thu, 13 Apr 95 8:27:29 PDT Encoding: 1 TEXT , 4 TEXT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk unsucscirbe firewalls@GreatCircle.Com Peter A. Starceski Sr. Systems Analyst, Henry Ford Health System 2571 Product Dr., Rochester Hills, MI 48309 (810) 853-4876 From firewalls-owner Thu Apr 13 07:27:30 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA27621 for firewalls-outgoing; Thu, 13 Apr 1995 07:09:46 -0700 Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA27616 for ; Thu, 13 Apr 1995 07:09:43 -0700 Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA20709; Thu, 13 Apr 95 10:09:54 -0500 From: paul@hawksbill.sprintmrn.com (Paul Ferguson) Message-Id: <9504131509.AA20709@hawksbill.sprintmrn.com> Subject: ARCHIE port service(s) To: firewalls@greatcircle.com (Firewalls List) Date: Thu, 13 Apr 1995 10:09:54 -0500 (EST) X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 490 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Out of curiousity, what port services does ARCHIE use? 
I'm assuming that it uses a UDP port, but would appreciate a concrete answer. - paul _______________________________________________________________________________ Paul Ferguson US Sprint tel: 703.689.6828 Managed Network Engineering internet: paul@hawk.sprintmrn.com Reston, Virginia USA http://www.sprintmrn.com From firewalls-owner Thu Apr 13 08:27:48 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA28693 for firewalls-outgoing; Thu, 13 Apr 1995 08:04:33 -0700 Received: from gatekeeper.ddp.state.me.us (gatekeeper.ddp.state.me.us [141.114.130.70]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA28686 for ; Thu, 13 Apr 1995 08:04:30 -0700 Received: from localhost by gatekeeper.ddp.state.me.us (8.6.5/1.37) id LAA07319; Thu, 13 Apr 1995 11:00:41 -0400 Date: Thu, 13 Apr 1995 11:00:40 -0400 (EDT) From: David Miller Subject: Re: port of fwtk to BSD/OS 2.0 To: Tim Keanini cc: firewalls@GreatCircle.com In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 12 Apr 1995, Tim Keanini wrote: > I am wondering if someone has ported the Firewall Toolkit to BSD/OS > 2.0 yet? > > If you have, please let me know. > > Thanks in advance. I have. It required only minor changes due to 4.4 lite changes. Mostly I had to comment out an include because the type of sys_errlist changed. --- David ---------------------------------------------------------------------------- It's *amazing* what one can accomplish when one doesn't know what one can't do! 

From firewalls-owner Thu Apr 13 09:10:04 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA28986 for firewalls-outgoing; Thu, 13 Apr 1995 08:18:38 -0700 Received: from Disclosure.COM (di.disclosure.com [199.97.230.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA28981 for ; Thu, 13 Apr 1995 08:18:34 -0700 Received: by Disclosure.COM (4.1/SMI-4.1) id AA04873; Thu, 13 Apr 95 11:21:03 EDT
Date: Thu, 13 Apr 95 11:21:03 EDT
From: scott@Disclosure.COM (Scott Barman)
Message-Id: <9504131521.AA04873@ Disclosure.COM>
To: firewalls@greatcircle.com, paul@hawksbill.sprintmrn.com
Subject: Re: ARCHIE port service(s)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Out of curiosity, what port services does ARCHIE use?
>
>I'm assuming that it uses a UDP port, but would appreciate a concrete
>answer.
>
>- paul

UDP Port 1525.

scott barman
scott@disclosure.com / barman@ix.netcom.com

From firewalls-owner Thu Apr 13 09:58:18 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA00326 for firewalls-outgoing; Thu, 13 Apr 1995 09:34:51 -0700 Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA00318 for ; Thu, 13 Apr 1995 09:34:48 -0700 Received: from maestro.Maestro.COM by relay3.UU.NET with SMTP id QQylhq22679; Thu, 13 Apr 1995 12:35:12 -0400 Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA02227; Thu, 13 Apr 95 12:31:02 EDT
Date: Thu, 13 Apr 1995 12:31:00 -0400 (EDT)
From: Sick Puppy
Subject: Any logs of SATAN attacks against firewalls?
To: firewalls@GreatCircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

So far I haven't seen anything that resembles a SATAN attack against a firewall, only a few things that could have been customised S.. or equally well could have been an attack script, coming out of US sites rather than European sites.

Has anyone seen an S.. attack against a firewall?

If so, could you post part of the logs please?

Sick Puppy
Network Security Consultant
Eastern Dynamics Corp.

From firewalls-owner Thu Apr 13 10:27:30 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA01136 for firewalls-outgoing; Thu, 13 Apr 1995 10:10:09 -0700 Received: from ns1.win.net (ns1.win.net [204.215.209.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA01131 for ; Thu, 13 Apr 1995 10:10:04 -0700 Received: (from bugs@localhost) by ns1.win.net (8.6.11/8.6.9) id NAA00113 for firewalls@greatcircle.com; Thu, 13 Apr 1995 13:12:05 -0400
From: Mark Hittinger
Message-Id: <199504131712.NAA00113@ns1.win.net>
Subject: Re: ARCHIE port service(s) (fwd)
To: firewalls@greatcircle.com
Date: Thu, 13 Apr 1995 13:12:04 -0400 (EDT)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 325
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > >Out of curiosity, what port services does ARCHIE use?
> > >
> > >I'm assuming that it uses a UDP port, but would appreciate a concrete
> > >answer.
> > >
> > UDP Port 1525.
>

There is also a bunch of activity on port 191 (prospero protocol). Look in your archie sources at pport.h.

Regards,

Mark Hittinger
bugs@win.net

From firewalls-owner Thu Apr 13 10:41:05 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA00382 for firewalls-outgoing; Thu, 13 Apr 1995 09:37:30 -0700 Received: from locust.net.ohio-state.edu (mail.net.ohio-state.edu [128.146.222.110]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA00377 for ; Thu, 13 Apr 1995 09:37:26 -0700 Received: from bedbugs.net.ohio-state.edu (bedbugs [128.146.222.2]) by locust.net.ohio-state.edu (8.6.10/8.6.9) with ESMTP id MAA26798; Thu, 13 Apr 1995 12:37:19 -0400 Received: (from romig@localhost) by bedbugs.net.ohio-state.edu (8.6.10/8.6.9) id MAA12266; Thu, 13 Apr 1995 12:36:44 -0400
Date: Thu, 13 Apr 1995 12:36:44 -0400
From: Steve Romig
Message-Id: <199504131636.MAA12266@bedbugs.net.ohio-state.edu>
To: dkatz@cisco.com
CC: cisco@spot.colorado.edu, firewalls@GreatCircle.COM, dkatz@cisco.com
In-reply-to: <199504120021.RAA25319@feta.cisco.com> (message from Dave Katz on Tue, 11 Apr 1995 17:21:07 -0700)
Subject: Re: NTP and SATAN
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>There have been some rumors making the rounds on the net recently that
>the Network Time Protocol, NTP, has a vulnerability to one of the
>tests that SATAN performs. The rumor states that one of SATAN's tests
>will cause the time to suddenly shift by several years.

That rumor probably stems from HP's Satan announcement (see below), which mentioned that DCE time services that get their time through an NTP could be affected by Satan scans (in the cases I saw, the date was always set to Feb 7, 2036, yeeha).

>Real NTP daemons, including cisco's implementation and the freely available
>Unix implementation "xntpd" do *not* have this vulnerability, due to extensive
>format checking of incoming packets, and due to the statistical selection
>mechanisms used (a packet with wildly incorrect time would be discarded
>as an outlier).

We only encountered problems with DCE cells that got their time through some DCE/NTP client. We couldn't reproduce this sort of problem on servers running ntpd and xntpd.

Here are excerpts from the HP announcement:

Document Id: [HPSBUX9504-026]
Date Loaded: [04-04-95]
Description: Preparing Your HP-UX System for SATAN

[...]

ISSUE #3: NTP should not be used as the time source for HP-DCE/9000 until further notice.

[...]

K. NTP vulnerabilities and HP-DCE/9000

1. The Problem

When Satan is run to analyze the vulnerabilities of an HP-UX system whose time is synchronized by NTP, the time of the system can be set forward by several years. This vulnerability can affect DCE cells that use NTP as a time source, either with the dts_ntp_provider or with the dts_null_provider running on an NTP client. In this event, the Cell Directory Service (CDS) can become locked at this future date, rendering the DCE cell inoperable.

2. Fixing the Problem

Hewlett-Packard recommends you configure your HP-DCE/9000 systems to use either the dts_spectracom_provider or to use the dts_null_provider without NTP. Further information on how to use NTP in conjunction with DTS is available from your HP support contact.

From firewalls-owner Thu Apr 13 10:53:24 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA01094 for firewalls-outgoing; Thu, 13 Apr 1995 10:07:57 -0700 Received: from dot.ca.gov (nic.dot.ca.gov [149.136.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA01089 for ; Thu, 13 Apr 1995 10:07:54 -0700 Received: from trew002 (trew.dot.ca.gov) by dot.ca.gov (4.1/01.14.95) id AA15476; Thu, 13 Apr 95 10:08:21 PDT
Message-Id: <9504131708.AA15476@dot.ca.gov>
Date: Thu, 13 Apr 1995 09:59:39 -0700
From: stan@dot.ca.gov ( )
To: firewalls@greatcircle.com
Subject: NTP
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We get a time check twice a day and will adjust our clocks at most 5 secs per time or a total of 10 seconds per day. Additionally each time adjustment is syslogged and emailed to our admins. That kind of takes care of the problems that can crop up.

Stan

From firewalls-owner@GreatCircle.COM Wed Apr 12 01:38:36 1995
Date: Wed, 12 Apr 1995 09:52:53 +0200
From: F.Wetzels@amc.uva.nl (Frank Wetzels)
Subject: Re: NTP and SATAN
To: firewalls@greatcircle.com
X-Envelope-To: firewalls@greatcircle.com
Content-Transfer-Encoding: 7BIT
Content-Length: 782
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

fpmw> There have been some rumors making the rounds on the net recently that
fpmw> the Network Time Protocol, NTP, has a vulnerability to one of the
fpmw> tests that SATAN performs. The rumor states that one of SATAN's tests
fpmw> will cause the time to suddenly shift by several years.
fpmw>
fpmw> Real NTP daemons, including cisco's implementation and the freely available
fpmw> Unix implementation "xntpd" do *not* have this vulnerability, due to extensive
fpmw> format checking of incoming packets, and due to the statistical selection
fpmw> mechanisms used (a packet with wildly incorrect time would be discarded
fpmw> as an outlier).

But, how about sending packets that shift time a little bit? After a number of packets, the time could be changed considerably?

- Frank

From firewalls-owner Thu Apr 13 10:58:11 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA02166 for firewalls-outgoing; Thu, 13 Apr 1995 10:54:17 -0700 Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA02154 for ; Thu, 13 Apr 1995 10:54:13 -0700 Received: from maestro.Maestro.COM by relay3.UU.NET with SMTP id QQylhv12548; Thu, 13 Apr 1995 13:54:40 -0400 Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA04202; Thu, 13 Apr 95 13:50:30 EDT
Date: Thu, 13 Apr 1995 13:50:29 -0400 (EDT)
From: Sick Puppy
Subject: Re: NetBlazer filters
To: firewalls@GreatCircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

sjones wrote

> I am trying to set up filters for a Telebit NetBlazer to
> allow mail and outgoing ftp and telnet. I want everything
> else shut down. I would like to be able to ping also.
> I have filters already in place, but I don't know if I
>am missing something important.

You may have missed something. The order in which packet filtering rules are entered determines how they work. The Netblazer versions that I have researched attempt to optimize the order of the filtering rules. As a result of their attempts to optimize the rules, they sometimes apply the rules in a different order than what was entered. This can permit access you don't want, deny access you do want, or even let everything in.

If you are relatively new to using packet filters, I would suggest that you attend Brent Chapman's one day seminar on packet filtering. It is an excellent seminar and provides a really good understanding of the topic.

Probably some of the older experts on this list can tell you exactly which Netblazer versions have the problem. My opinion is that the Netblazer is a very good network interface device but in no sense is it a firewall. If your company will spring the cash, buy a turn-key TIS Gauntlet firewall and have TIS install it for you. Use the Netblazer as a router between the TIS machine and the Internet. Set up the Netblazer with a single filter to block IP spoofing. Nobody I know can hack through this combination.

Sick Puppy
Network Security Consultant
Eastern Network Dynamics Corp.

From firewalls-owner Thu Apr 13 11:22:57 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA00954 for firewalls-outgoing; Thu, 13 Apr 1995 10:05:19 -0700 Received: from feta.cisco.com (feta.cisco.com [171.69.1.158]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA00949 for ; Thu, 13 Apr 1995 10:05:15 -0700 Received: (dkatz@localhost) by feta.cisco.com (8.6.8+c/CISCO.SERVER.1.1) id KAA18785; Thu, 13 Apr 1995 10:05:11 -0700
Date: Thu, 13 Apr 1995 10:05:11 -0700
From: Dave Katz
Message-Id: <199504131705.KAA18785@feta.cisco.com>
To: romig@net.ohio-state.edu
Cc: cisco@spot.colorado.edu, firewalls@GreatCircle.COM
In-Reply-To: Steve Romig's message of Thu, 13 Apr 1995 12:36:44 -0400 <199504131636.MAA12266@bedbugs.net.ohio-state.edu>
Subject: NTP and SATAN
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Yes, the problem stems from the NTP shim to DTS (which really has no business calling itself NTP, as it doesn't implement the protocol in RFC1305--if it did, this wouldn't happen). Feb 7, 2036 is an alias for Jan 1, 1900 (the point at which the NTP timestamp rolls over).

   Date: Thu, 13 Apr 1995 12:36:44 -0400
   From: Steve Romig

   >There have been some rumors making the rounds on the net recently that
   >the Network Time Protocol, NTP, has a vulnerability to one of the
   >tests that SATAN performs. The rumor states that one of SATAN's tests
   >will cause the time to suddenly shift by several years.

   That rumor probably stems from HP's Satan announcement (see below), which mentioned that DCE time services that get their time through an NTP could be affected by Satan scans (in the cases I saw, the date was always set to Feb 7, 2036, yeeha).

   >Real NTP daemons, including cisco's implementation and the freely available
   >Unix implementation "xntpd" do *not* have this vulnerability, due to extensive
   >format checking of incoming packets, and due to the statistical selection
   >mechanisms used (a packet with wildly incorrect time would be discarded
   >as an outlier).

   We only encountered problems with DCE cells that got their time through some DCE/NTP client. We couldn't reproduce this sort of problem on servers running ntpd and xntpd.

   Here are excerpts from the HP announcement:

   Document Id: [HPSBUX9504-026]
   Date Loaded: [04-04-95]
   Description: Preparing Your HP-UX System for SATAN

   [...]

   ISSUE #3: NTP should not be used as the time source for HP-DCE/9000 until further notice.

   [...]

   K. NTP vulnerabilities and HP-DCE/9000

   1. The Problem

   When Satan is run to analyze the vulnerabilities of an HP-UX system whose time is synchronized by NTP, the time of the system can be set forward by several years. This vulnerability can affect DCE cells that use NTP as a time source, either with the dts_ntp_provider or with the dts_null_provider running on an NTP client. In this event, the Cell Directory Service (CDS) can become locked at this future date, rendering the DCE cell inoperable.

   2. Fixing the Problem

   Hewlett-Packard recommends you configure your HP-DCE/9000 systems to use either the dts_spectracom_provider or to use the dts_null_provider without NTP. Further information on how to use NTP in conjunction with DTS is available from your HP support contact.
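An added illustration of the two points this thread turns on (it is not code from any poster, from xntpd or from HP): the 32-bit seconds field of an NTP timestamp counts from 1900-01-01 and wraps at 2**32, so a zero field names both Jan 1, 1900 and Feb 7, 2036 as Dave Katz says; and a conservative clock discipline of the kind Stan describes (at most 5 s per check, 10 s per day) also answers Frank's question about many small nudges adding up, because the daily budget caps the total. The packet offsets follow the RFC 1305 header layout; the 48-byte packet builder, the thresholds and the ConservativeClock class are constructed for this example, and era 0 (pre-2036 dates) is assumed throughout.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Seconds between the NTP epoch (1900-01-01 UTC) and the Unix epoch (1970-01-01 UTC).
NTP_UNIX_OFFSET = 2_208_988_800
NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)


def ntp_seconds_to_datetime(ntp_seconds: int) -> datetime:
    """Interpret the 32-bit seconds field of an NTP timestamp (era 0 assumed).

    The field wraps modulo 2**32, so bit pattern 0 stands for both
    1900-01-01 00:00:00 and the instant the counter rolls over in 2036.
    """
    return NTP_EPOCH + timedelta(seconds=ntp_seconds % 2**32)


def rollover_instant() -> datetime:
    """The instant at which the seconds field wraps back to zero."""
    return NTP_EPOCH + timedelta(seconds=2**32)


def transmit_seconds(packet: bytes) -> Optional[int]:
    """Format check, then extract the seconds part of the Transmit Timestamp.

    An RFC 1305 packet is at least 48 bytes; the transmit timestamp is
    bytes 40..47 (32-bit seconds, then 32-bit fraction).  Shorter input is
    malformed and yields None instead of garbage.
    """
    if len(packet) < 48:
        return None
    (seconds,) = struct.unpack("!I", packet[40:44])
    return seconds


def make_packet(ntp_seconds: int) -> bytes:
    """Constructed 48-byte NTP v3 server reply with only the transmit timestamp set."""
    header = bytes([0x1C]) + bytes(39)          # LI=0, VN=3, Mode=4 (server); rest zero
    return header + struct.pack("!II", ntp_seconds & 0xFFFFFFFF, 0)


class ConservativeClock:
    """Toy clock discipline (constructed for this example): never step to an
    unset or wildly wrong time, and cap both the per-check and the per-day
    adjustment, 5 s and 10 s by default as at Stan's site."""

    def __init__(self, local_unix: float, max_step: float = 5.0,
                 max_per_day: float = 10.0, sanity: float = 3600.0) -> None:
        self.local_unix = local_unix
        self.max_step = max_step
        self.max_per_day = max_per_day
        self.sanity = sanity
        self.adjusted_today = 0.0
        self.log: List[Tuple[str, float]] = []   # what an admin would see in syslog

    def consider(self, packet: bytes) -> Tuple[str, float]:
        secs = transmit_seconds(packet)
        if secs is None:
            return self._record("reject-malformed", 0.0)
        if secs == 0:
            # RFC 1305: a zero timestamp means "unspecified"; the Feb 7, 2036
            # rollover has the same bit pattern, so it is refused here too.
            return self._record("reject-unset", 0.0)
        offset = (secs - NTP_UNIX_OFFSET) - self.local_unix
        if abs(offset) > self.sanity:
            return self._record("reject-outlier", offset)
        # Slew toward the remote clock, but never beyond the two caps; the daily
        # budget is what keeps many small nudges from adding up to a large shift.
        step = max(-self.max_step, min(self.max_step, offset))
        budget = self.max_per_day - self.adjusted_today
        step = max(-budget, min(budget, step))
        self.local_unix += step
        self.adjusted_today += abs(step)
        return self._record("adjusted", step)

    def _record(self, verdict: str, amount: float) -> Tuple[str, float]:
        self.log.append((verdict, amount))
        return verdict, amount
```

Feeding `make_packet(2**32)` to `consider()` is the interesting case: the value that would print as Feb 7, 2036 arrives on the wire as all-zero bits and is refused as unset, which is the check the DTS shim evidently lacked. The `log` list is the model's stand-in for the syslog-and-mail trail Stan describes.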

From firewalls-owner Thu Apr 13 11:58:24 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA03195 for firewalls-outgoing; Thu, 13 Apr 1995 11:28:47 -0700 Received: from databus.databus.com (databus.databus.com [198.186.154.34]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA03188 for ; Thu, 13 Apr 1995 11:28:43 -0700
Date: Thu, 13 Apr 95 14:29 EDT
Message-ID: <9504131429.AA27015@databus.databus.com>
From: Barney Wolff
To: Steve Romig , dkatz@cisco.com
Cc: cisco@spot.colorado.edu, firewalls@GreatCircle.COM
Subject: Re: NTP and SATAN
Content-Length: 1125
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: Thu, 13 Apr 1995 12:36:44 -0400
> From: Steve Romig
>
> That rumor probably stems from HP's Satan announcement (see below),
> which mentioned that DCE time services that get their time through an
> NTP could be affected by Satan scans (in the cases I saw, the date was
> always set to Feb 7, 2036, yeeha).

That's when NTP's 64-bit time representation rolls over to 0.

> >Real NTP daemons, including cisco's implementation and the freely available
> >Unix implementation "xntpd" do *not* have this vulnerability, due to extensive
> >format checking of incoming packets, and due to the statistical selection
> >mechanisms used (a packet with wildly incorrect time would be discarded
> >as an outlier).

According to RFC1305, 0 is not a valid time, and no NTP packet purporting to say that's the time should be accepted.

> We only encountered problems with DCE cells that got their time
> through some DCE/NTP client. We couldn't reproduce this sort of
> problem on servers running ntpd and xntpd.

My xntpd was unaffected by a (friendly) SATAN attack.

Barney Wolff

From firewalls-owner Thu Apr 13 12:44:25 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA04391 for firewalls-outgoing; Thu, 13 Apr 1995 12:11:38 -0700 Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA04386 for ; Thu, 13 Apr 1995 12:11:34 -0700 Received: from uucp4.UU.NET by relay3.UU.NET with SMTP id QQylia03036; Thu, 13 Apr 1995 15:12:03 -0400 Received: from brite.UUCP by uucp4.UU.NET with UUCP/RMAIL ; Thu, 13 Apr 1995 15:12:03 -0400 Received: from usrpc10.wichita.brite.com by brite.wichita.brite.com (5.65/1.35) id AA24955; Thu, 13 Apr 95 14:10:55 -0500
Date: Thu, 13 Apr 95 14:09:20 CDT
From: Shane Kinsch
Subject: RE: Any logs of SATAN attacks against firewalls?
To: uunet!GreatCircle.com!firewalls@uunet.uu.net
X-Mailer: Chameleon ARM_55, TCP/IP for Windows, NetManage Inc.
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Why don't you run it against your own firewall... then you will know.

On Thu, 13 Apr 1995 12:31:00 -0400 (EDT) Sick Puppy wrote:
>
>Has anyone seen an S.. attack against a firewall?
>
>If so, could you post part of the logs please?
>
> Sick Puppy
> Network Security Consultant
> Eastern Dynamics Corp.
>

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
_/ Shane T Kinsch          BRITE VOICE SYSTEMS, INC.          _/
_/ shane.kinsch@brite.com  VP UNIX Technical Engineer         _/
_/ Wichita, KS USA         "MIME is ok here"                  _/
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

From firewalls-owner Thu Apr 13 12:57:42 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA05402 for firewalls-outgoing; Thu, 13 Apr 1995 12:46:27 -0700 Received: from snm.com (snm.snm.com [199.35.155.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA05397 for ; Thu, 13 Apr 1995 12:46:24 -0700 Received: from gypsy.snm.com (gypsy.snm.com [199.35.155.2]) by snm.com (8.6.9/8.6.9) with SMTP id OAA14673; Thu, 13 Apr 1995 14:58:27 -0400
Date: Thu, 13 Apr 1995 14:55:33 -0400 (EDT)
From: David Blankenhorn
To: robert@rlemire.canada.hp.com
cc: firewalls@GreatCircle.COM
Subject: Re: HP software
In-Reply-To: <199504121834.AA203571647@hp.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 12 Apr 1995 robert@rlemire.canada.hp.com wrote:

> Does anyone know if there is any firewall software running on HP-UX

Check out the Eagle firewall from Raptor Systems. It runs on HP, AIX, and Solaris 1 (Solaris 2.4 should be done RSN).

David C. Blankenhorn
-=-=-=-=-=-=-=- Smoke N' Mirrors * Buccaneer Systems * DBCCI -=-=-=-=-=-=-=-
(703) 318-1440          1165 Herndon Parkway #200          david@snm.com
- Services For Systems Integration -                    Herndon, VA 22070

From firewalls-owner Thu Apr 13 14:57:01 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA07514 for firewalls-outgoing; Thu, 13 Apr 1995 14:37:17 -0700 Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA07509 for ; Thu, 13 Apr 1995 14:37:15 -0700 Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id QAA03398 for ; Thu, 13 Apr 1995 16:27:42 -0500 Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma003396; Thu Apr 13 16:27:42 1995 Received: from ernie.bridge.com by ignatz.bridge.com with SMTP id AA14160 (5.67b/IDA-1.5 for ); Thu, 13 Apr 1995 16:40:09 -0500
Date: Thu, 13 Apr 1995 16:40:09 -0500
From: Ken Hardy
Message-Id: <199504132140.AA14160@ignatz.bridge.com>
To: firewalls@greatcircle.com
Subject: SNMP or other mgmt/monitor of bastion &c.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

FWTK is, as advertised, minimalist. (But it's still a great deal more than what you pay for it.) Now we're interested in more automated monitoring of the f/w bastion host & its connectivity. Though I like my simple, minimalist f/w, I've now got some questions.

A.) Is there any useful SNMP agent that can be added to the bastion host running BSDI?

B.) What commercial packages offer this? Gauntlet? Most?

C.) What are the security implications of SNMP running on the f/w? I'd certainly only see it being used for monitoring, not controlling.

D.) How might I monitor the connectivity to the ISP & beyond? Would I (or shouldn't I?) regularly ping various sites?

-KH

From firewalls-owner Thu Apr 13 16:27:09 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA09038 for firewalls-outgoing; Thu, 13 Apr 1995 16:01:05 -0700 Received: from jpmorgan.jpmorgan.com (jpmorgan.jpmorgan.com [146.149.99.127]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA09033 for ; Thu, 13 Apr 1995 16:01:02 -0700 Received: from tcpg01a.ny.jpmorgan.com by jpmorgan.jpmorgan.com (8.6.10/fma-120691.2); id TAA05848; Thu, 13 Apr 1995 19:01:29 -0400 Received: from TCPSNA-VM1.NY.JPMORGAN.COM (tcpsna-vm1.ny.jpmorgan.com [146.149.65.202]) by tcpg01a.ny.jpmorgan.com (8.6.10/cjy.sub.1.0) with SMTP id TAA05925 at Thu, 13 Apr 1995 19:01:28 -0400 Received: by TCPSNA-VM1.NY.JPMORGAN.COM (Soft*Switch Central V4L380P5) id 822800190095103FNOTE; 13 Apr 1995 19:00:19 GMT
Message-Id:
Date: 13 Apr 1995 19:00:19 GMT
From: "Out of Office Agent"
Subject: Out of Office Notification
To: Firewalls@GREATCIRCLE.COM
Comment: Memo 04-14-95 00:00:20
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Your email message RE: "Firewalls-Digest V4 #234" addressed to John Cronin has been successfully delivered. John Cronin is currently out of the office.

Message: I shall be on vacation until the 19th April. Please note that Friday 14th April and Monday 17th April are Public Holidays in the UK.
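Returning to Sick Puppy's NetBlazer point above, that a device which silently re-orders filter rules can "permit access you don't want", here is an added Python model (not NetBlazer code and not from any poster) of a first-match packet filter for sjones's stated policy, a hypothetical optimizer that sorts rules by prefix specificity, and an audit that runs both orderings over probe packets whose intended verdicts are known. The addresses are RFC 5737 documentation ranges, the probes are constructed, and the `by_specificity` reordering is invented to show the failure mode, not a description of what any NetBlazer release actually does.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses (RFC 5737 documentation space), not anyone's real network.
INSIDE = ipaddress.ip_network("192.0.2.0/24")
MAILHOST = ipaddress.ip_network("192.0.2.25/32")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    ack: bool = False           # TCP ACK set: belongs to an established connection


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str = "any"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    dport: Optional[int] = None
    established: bool = False   # match only TCP segments with ACK set

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport)
                and (not self.established or (p.proto == "tcp" and p.ack)))


def decide(rules: List[Rule], p: Packet) -> Tuple[str, int]:
    """First matching rule wins; a packet matching nothing is denied (index -1)."""
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, i
    return "deny", -1


# Rules for packets arriving on the Internet-facing interface, in the order an
# administrator would enter them for sjones's policy: mail in, replies to
# outgoing ftp/telnet, ping, nothing else, with anti-spoofing checked first.
INBOUND = [
    Rule("deny", src=INSIDE),                              # nothing from outside may claim an inside address
    Rule("permit", "tcp", dst=MAILHOST, dport=25),         # inbound mail
    Rule("permit", "tcp", dst=INSIDE, established=True),   # replies to sessions opened from inside
    Rule("permit", "icmp", dst=INSIDE),                    # ping replies and ICMP errors
    Rule("deny"),                                          # everything else
]


def by_specificity(rules: List[Rule]) -> List[Rule]:
    """Hypothetical 'optimizer': most specific prefixes first, stable otherwise."""
    return sorted(rules, key=lambda r: r.src.prefixlen + r.dst.prefixlen, reverse=True)


# Constructed probes: what the policy is supposed to say about each packet.
PROBES = [
    (Packet("tcp", "198.51.100.9", "192.0.2.25", 25), "permit"),              # inbound mail
    (Packet("tcp", "198.51.100.9", "192.0.2.10", 23), "deny"),                # inbound telnet attempt
    (Packet("tcp", "198.51.100.9", "192.0.2.10", 1025, ack=True), "permit"),  # reply to an outgoing session
    (Packet("icmp", "198.51.100.9", "192.0.2.10"), "permit"),                 # ping reply
    (Packet("tcp", "192.0.2.7", "192.0.2.25", 25), "deny"),                   # spoofed inside source
]


def audit(rules: List[Rule], probes) -> List[Tuple[Packet, str, str]]:
    """Return (packet, intended, actual) for every probe the rule set gets wrong."""
    failures = []
    for p, intended in probes:
        actual, _ = decide(rules, p)
        if actual != intended:
            failures.append((p, intended, actual))
    return failures
```

`audit(INBOUND, PROBES)` comes back empty, but `audit(by_specificity(INBOUND), PROBES)` reports the spoofed packet as permitted: the /32 mail rule was hoisted above the /24 anti-spoofing deny, which is exactly the "permit access you don't want" case. The practical habit this models is keeping a list of probe packets with their intended verdicts and re-running it whenever the rule set, or the box it runs on, changes.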
From firewalls-owner Thu Apr 13 16:56:53 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA09510 for firewalls-outgoing; Thu, 13 Apr 1995 16:47:35 -0700 Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA09505 for ; Thu, 13 Apr 1995 16:47:30 -0700 Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id SAA04454 for ; Thu, 13 Apr 1995 18:37:57 -0500 Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma004450; Thu Apr 13 18:37:44 1995 Received: from ernie.bridge.com by ignatz.bridge.com with SMTP id AA16166 (5.67b/IDA-1.5 for ); Thu, 13 Apr 1995 18:50:13 -0500 Date: Thu, 13 Apr 1995 18:50:13 -0500 From: Ken Hardy Message-Id: <199504132350.AA16166@ignatz.bridge.com> To: firewalls@greatcircle.com Subject: Re: Out of Office Notification Sender: firewalls-owner@GreatCircle.COM Precedence: bulk His mail system wrote: >Your email message RE: "Firewalls-Digest V4 #234" addressed to John Cronin has >been successfully delivered. John Cronin is currently out of the office. > >Message: I shall be on vacation until the 19th April. Please note that Friday >14th April and Monday 17th April are Public Holidays in the UK. Hey, mice, I know a site where the cat's away! 
;-> From firewalls-owner Thu Apr 13 22:00:12 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA12454 for firewalls-outgoing; Thu, 13 Apr 1995 21:28:15 -0700 Received: from janus.dot.state.az.us (janus.dot.state.az.us [192.133.42.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id VAA12449 for ; Thu, 13 Apr 1995 21:28:12 -0700 Received: by janus.dot.state.az.us (4.1/SMI-4.1) id AA07085; Thu, 13 Apr 95 21:28:38 MST Received: from pserv1.dot.state.az.us(162.59.10.28) by janus.dot.state.az.us via smap (V1.3) id sma007082; Thu Apr 13 21:28:10 1995 Received: by pserv1.dot.state.az.us (5.65c/1.921207) id AA28828; Thu, 13 Apr 1995 21:28:09 -0700 From: tom@pserv1.dot.state.az.us (Tom Brink) Message-Id: <199504140428.AA28828@pserv1.dot.state.az.us> Subject: Any logs of SATAN attacks against firewalls? (fwd) To: firewalls%greatcircle.com@janus.dot.state.az.us (Firewalls) Date: Thu, 13 Apr 95 21:28:08 MST Reply-To: tom@pserv1.dot.state.az.us X-Mailer: ELM [version 07.05.00.00 (2.3 PL11)] X-Organization: Arizona Department of Transportation Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sick Puppy writes: > Date: Thu, 13 Apr 1995 12:31:00 -0400 (EDT) > From: Sick Puppy > Subject: Any logs of SATAN attacks against firewalls? > > So far I haven't seen anything that resembles a SATAN attack against a > firewall, only a few things that could have been customised S.. or > equally well could have been an attack script, coming out of US sites > rather then European sites. > > Has anyone seen an S.. attack against a firewall? > > If so, could you post part of the logs please? > > Sick Puppy > Network Security Consultant > Eastern Dynamics Corp. I had requested that SATAN be run against our WAN (actually firewall). The logs show every active port was probed. The real give away was when it accessed my anon ftp, it used the password SATAN. 
--
Tom Brink                        tom@dot.state.az.us
Technical Support Specialist     Technical Research Center
Information Services Group       Arizona Department of Transportation

From firewalls-owner Fri Apr 14 02:56:46 1995
Message-Id: <199504140950.CAA16473@miles.greatcircle.com>
From: Darren Reed
Subject: Re: KarlBridge/Router vs Satan and an overview of the new version 3.0
To: dkarl@net.ohio-state.edu (Doug Karl)
Date: Fri, 14 Apr 1995 19:50:42 +1000 (EST)
Cc: firewalls@greatcircle.com, sales@karlnet.com
In-Reply-To: <199504061610.MAA05125@locust.net.ohio-state.edu> from "Doug Karl" at Apr 6, 95 11:13:29 am
X-Mailer: ELM [version 2.4 PL23]

> To all from Doug Karl.....
[...]
> 2) New ICMP filters. Some examples are the ability to "ping" out of the
> internal network but not in. One can argue that if you stop incoming
> "pings" at the border then some scanners can be slowed down. Also
> incoming ICMP Redirects can be blocked from entering the network. This
> will protect against ICMP bombs.

Blocking redirects doesn't stop ICMP `bombs'. This term is used to describe
the behaviour of ICMP unreachables. But I assume it is general enough to
allow this too.
darren

From firewalls-owner Fri Apr 14 05:01:21 1995
Posted-Date: Fri, 14 Apr 1995 07:47:17 -0400
From: "Bryan D. Boyle"
Message-Id: <9504140747.ZM15629@maverick.erenj.com>
Date: Fri, 14 Apr 1995 07:47:17 -0400
In-Reply-To: Ken Hardy "SNMP or other mgmt/monitor of bastion &c." (Apr 13, 4:40pm)
References: <199504132140.AA14160@ignatz.bridge.com>
X-Phone: (908) 730-3338
X-Saying: Strange problems call for strange solutions.
X-Mailer: Z-Mail (3.2.0 06sep94)
To: firewalls@greatcircle.com
Subject: Re: SNMP or other mgmt/monitor of bastion &c.

On Apr 13, 4:40pm, Ken Hardy wrote:
> Subject: SNMP or other mgmt/monitor of bastion &c.
> FWTK is, as advertised, minimalist. (But it's still a great deal more
> than what you pay for it.) Now we're interested in more automated
> monitoring of the f/w bastion host & its connectivity. Though I like
> my simple, minimalist f/w, I've now got some questions.
>
> A.) Is there any useful SNMP agent that can be added to the bastion
> host running BSDI?

Probably a generic workstation MIB is supplied with bsdi; I think (we have
looked into this peripherally...) there would probably have to be developed
a mib for the firewall components that dealt with the individual proxies or
some such.

> B.) What commercial packages offer this? Gauntlet? Most?

We are just running the standard DEC w/s snmp on the components here.
I don't rightfully know whether or not there is a standard MIB for firewalls
other than that which would be supplied as part of an O/S...

> C.) What are the security implications of SNMP running on the f/w? I'd
> certainly only see it being used for monitoring, not controlling.

Well, for one, snmp is udp. And that gives us the shakes. What I would pose
as a strawman would be to put an snmp 'monitor probe' up on the DMZ that
would monitor the exposed network and repackage the info for transmission
thru the screen via tcp (which can be reasonably secured beyond trying to
hack some extension into UDP and call it controllable...)

> D.) How might I monitor the connectivity to the ISP & beyond? Would I
> (or shouldn't I?) regularly ping various sites?

Usually, if you have a good ISP, they will ping your cisco or whatever router
you have (I know, using cisco as a generic name, please forgive me...) to
check that you are still there. I know in talking to our ISP (alternet) that
they have no problem if we want to ping (as long as it is a reasonable rate,
not spray them constantly) say, their news machine that feeds us to show that
the link itself is up. Beyond that, you would probably be in the range of
getting into their router web (which is a whole 'nother story...).

Pinging various sites? As long as they are yours, why not (end-to-end
connectivity???)? Other sites? The network is too amorphous to use that, imo,
as an objective gauge of overall network health...too many variables between
ye and thee.

--
Bryan D. Boyle           |The Moving Finger writes, and having writ, moves on.
#include                 |Nor all your Piety nor Wit can call it back to cancel
EMAIL: bdboyle@erenj.com |Half a line, or all your tears wash out a Word of it.
--------------http://www.access.digex.net/~bdboyle/index.html---------------

From firewalls-owner Fri Apr 14 09:09:09 1995
Date: Fri, 14 Apr 1995 11:29:20 -0400 (EDT)
From: Sick Puppy
Subject: DEF CON ]I[, no speakers on firewalls
To: firewalls@GreatCircle.com

Looking through the list of speakers and feds at the DEF CON ]I[
"underground" convention at the Tropicana Hotel in Las Vegas during August,
don't see anyone scheduled to speak on firewalls, which is surely a topic of
growing importance for the "underground." Any of you SeCuRiTy D00dz planning
to speak on firewalls there? Once tried to talk to "Warmly," at a convention.
Was like trying to talk to a clam.
Sick Puppy

From firewalls-owner Fri Apr 14 12:35:38 1995
Date: Fri, 14 Apr 1995 14:37:21 -0400
From: david@wsi1.wsi.com (David Flinn)
Message-Id: <9504141837.AA01885@rivendell.wsi.com>
To: firewalls@greatcircle.com
Subject: Firewall-1, unix routing, and IPX/SPX bridging
Cc: david@rivendell.wsi.com

Hi,

I've got a tricky question concerning using a Sun Netra with firewall-1
running on it and Novell's IPX/SPX. More generically, it addresses the issue
of whether any Unix box routing between two ethernet interfaces can "bridge"
IPX/SPX. Note the following picture:

                      192.207.93.0   Class C network
                      255.255.192.0  subnet mask

netcom.com ----- hardware ----(le0) netra (le1)--- internal network
                  router            firewall-1           |
                    |                                    |
                 xylogics                             clients
                    |
                  modems
                    |
               remote client

The scenario is that if an employee uses a dial up modem into the xylogics
terminal server and is using NovellRemote, the xylogics will handle it and
pump out IPX/SPX packets to the router. The router can handle it, and bridges
the packets out to the netra. Since the netra is a TCP/IP router, I am 98%
darn sure that the IPX/SPX packets will not make it over to the internal
network. So ...
is it possible to make this happen?

question (1) : Can a Sun (or any Unix box) with two ethernet interfaces be
made to bridge IPX/SPX packets? If no, I guess we have to put the xylogics on
the inside of the firewall. Bummer. If yes, what software products are
required to make this happen?

question (2) : Now that we can "bridge" IPX/SPX across two ethernets, will
this still work if Firewall-1 is running on the netra ? If Firewall-1 can't
do it, how about TIS or Gauntlet?

Thanks for your time, consideration, and thoughts,

david
-------------
david flinn
david@wsi.com

From firewalls-owner Fri Apr 14 14:00:13 1995
Date: Fri, 14 Apr 95 12:34:11 PDT
From: srichard@abbotthpd.com (Samuel Richardson)
Message-Id: <9504141934.AA24400@tinman>
To: firewalls@greatcircle.com
Subject: Transparent proxies

Can anyone suggest a free or low cost means of implementing transparent
proxies (i.e. WWW, FTP, Telnet) on a bastion host or other. All responses
welcomed!

From firewalls-owner Fri Apr 14 14:56:44 1995
From: twalker@acc.org
Date: Fri, 14 Apr 1995 17:33:22 -0400
Subject: Re: Firewall-1, unix routing, and IPX/SPX bridging
To: david@wsi1.wsi.com (David Flinn), firewalls@greatcircle.com

If your hardware router is bridging only SPX/IPX & you want the SUN to do
the same, why not put the xylogics on the internal net? I do not see any
advantage to it on the 'perimeter net', since you want it to bridge the
packets? Bridging is not going to do any packet screening or authentication.
It will just forward the packets.

On the other hand, if the xylogics is doing IP & SPX/IPX, I can see your
problem in not wanting to put it on your internal net. You could add another
router between the internal & perimeter net. Just configure it to route or
bridge IPX/SPX. This keeps your IP going through your firewall & properly
authenticated.
The SPX/IPX is not authenticated and routed or bridged right on through.

Just a thought.

/Tom
-----------------------------------------------------------------
Tom Walker, Network Manager        American College of Cardiology
MHS:twalker@acc                    Phone:1-301-493-2318
Internet:twalker@acc.org

______________________________ Reply Separator _________________________________
Subject: Firewall-1, unix routing, and IPX/SPX bridging
Author:  david@wsi1.wsi.com (David Flinn) at Internet-Mail
Date:    4/14/ 0 2:37 PM

From firewalls-owner Fri Apr 14 15:29:18 1995
Date: Fri, 14 Apr 1995 16:17:57 -0500 (CDT)
From: Brian Rogers
To: Samuel Richardson
Cc: Roger Davenport, firewalls@greatcircle.com
Subject: Re: Transparent proxies
In-Reply-To: <9504141934.AA24400@tinman>
Organization: The Integrity Center (214)484-6140 (800)456-1811

On Fri, 14 Apr 1995, Samuel Richardson wrote:

> Can anyone suggest a free or low cost means of implementing transparent
> proxies (i.e. WWW, FTP, Telnet) on a bastion host or other. All responses
> welcomed!

Do you mean something that looks like a router but acts like a proxy? I've
been wondering that myself. Have you heard of TIA (The Internet Adapter)?
It's basically a proxy-router hybrid for SLIP users. I've never used it, but
it sounds like it could be adapted to or merely used as inspiration and
guidance for such a project. Whad'ya think?
/* Brian Rogers -- tech admin, coffee achiever -- brogers@integctr.com  */
/* The Integrity Center -- "objective risk management information"      */
/* http://www.integctr.com/ -- info@integctr.com                        */
/* (214)484-6140 (800)456-1811 FAX (214)484-6381 FOD (214)484-2147      */

From firewalls-owner Fri Apr 14 16:48:09 1995
From: "Schwarz, Dick (UCI)"
To: Firewalls Discussion
Subject: S-HTTP
Date: Thu, 13 Apr 95 08:27:00 PDT
Message-ID: <2F8D436F@p01.uci.com>
X-Mailer: Microsoft Mail V3.0

I am looking for a copy of the specifications and any other pertinent
information about S-HTTP. Can anyone help?

hrs

From firewalls-owner Fri Apr 14 17:01:59 1995
From: bmanning@ISI.EDU
Posted-Date: Wed, 12 Apr 1995 05:16:18 -0700 (PDT)
Message-Id: <199504121216.AA04484@zed.isi.edu>
Subject: Re: Registered IP vs unregistered
To: dave@corecom.com (David M. Piscitello)
Date: Wed, 12 Apr 1995 05:16:18 -0700 (PDT)
Cc: markk@internic.net, Matthew.Huff@tasb.org, firewalls@greatcircle.com
In-Reply-To: from "David M. Piscitello" at Apr 11, 95 08:02:24 am
X-Mailer: ELM [version 2.4 PL24]

Dave P. writes:

> There is also the issue of whether an IP address you
> acquire from a source other than the ISP you subscribe
> to interferes with address aggregation. If large numbers
> of holes are punched in ISP CIDR blocks, aggregation
> fails, routing tables grow beyond what can be stored in
> current router resources, and we are hosed.

This happens today. The basic premise is that once delegated, it's gone.

> At 8:48 PM 4/10/95, Mark Kosters wrote:
> >That is correct. Plus we are running out of class C space. With our
> >current growth rates, we will be out of class C's within the next
> >two years.

The basic problem here is that people are -STILL- thinking in terms of
classful addressing. These things aren't "C" addresses, they are /24
prefixes.

Now when we start carving up /8 space into /24 allocations, that will be
interesting.
--
--bill

From firewalls-owner Fri Apr 14 17:56:42 1995
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9504150149.AA28974@hawksbill.sprintmrn.com>
Subject: Route summarization & announcements
To: bmanning@ISI.EDU
Date: Fri, 14 Apr 1995 20:49:41 -0500 (EST)
Cc: dave@corecom.com, markk@internic.net, Matthew.Huff@tasb.org, firewalls@greatcircle.com
In-Reply-To: <199504121216.AA04484@zed.isi.edu> from "bmanning@ISI.EDU" at Apr 12, 95 05:16:18 am
X-Mailer: ELM [version 2.4 PL22]

Bill Manning writes -

> The basic problem here is that people are -STILL- thinking in terms
> of classful addressing. These things aren't "C" addresses, they
> are /24 prefixes.
>
> Now when we start carving up /8 space into /24 allocations, that will
> be interesting.

True, but somewhat of a pink elephant.

Classless aggregation is mostly an 'external' routing feature, insofar as
private networks are concerned. The idea of classless aggregation is more of
an 'internet end-to-end' routing mechanism, at least for the moment. While
there are certainly valid (and valuable) methods for summarizing routes
internally, we will begin to see more and more folks opting for RFC-1597
addressing internally, while announcing one or two valid networks (or CIDR
blocks) to the Internet community. This is where many folks are currently
looking to, perhaps foolishly, combine the functionality of a firewall,
proxy services, DNS and mail tosser.
I totally agree with Bill in that people really need to stop thinking of IP
address space as classful, and begin to think of it as classless. The
down-side to this is that there are thousands of networks using classful
routing internally and unable (for whatever reason) to use BGP(4) to
summarize and announce aggregate networks to the remainder of The World.
Most of this summarization is now being done by the ISP.

Philosophies abound. ,-)

- paul
_______________________________________________________________________________
Paul Ferguson                                US Sprint
tel: 703.689.6828                            Managed Network Engineering
internet: paul@hawk.sprintmrn.com            Reston, Virginia USA
http://www.sprintmrn.com

From firewalls-owner Fri Apr 14 18:58:26 1995
Message-Id: <199504150126.SAA01974@miles.greatcircle.com>
From: Darren Reed
Subject: Re: Route summarization & announcements
To: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Date: Sat, 15 Apr 1995 11:26:07 +1000 (EST)
Cc: bmanning@ISI.EDU, dave@corecom.com, markk@internic.net, Matthew.Huff@tasb.org, firewalls@greatcircle.com
In-Reply-To: <9504150149.AA28974@hawksbill.sprintmrn.com> from "Paul Ferguson" at Apr 14, 95 08:49:41 pm
X-Mailer: ELM [version 2.4 PL23]

> Classless aggregation is mostly an 'external' routing feature, insofar
> as private networks are concerned.
> The idea of classless aggregation
> is more of an 'internet end-to-end' routing mechanism, at least for the
> moment. While there are certainly valid (and valuable) methods for
> summarizing routes internally, we will begin to see more and more
> folks opting for RFC-1597 addressing internally, while announcing
> one or two valid networks (or CIDR blocks) to the Internet community.

[...]

> I totally agree with Bill in that people really need to stop thinking
> of IP address space as classful, and begin to think of it as classless.
> The down-side to this is that there are thousands of networks using
> classful routing internally and unable (for whatever reason) to use
> BGP(4) to summarize and announce aggregate networks to the remainder
> of The World. Most of this summarization is now being done by the
> ISP.

To give you some idea of hacks possible with routing, I've set up 6 subnets
using 26/6 (I have to use Unix boxes to route between these), using static
routes, and advertise these to the cisco as three 24/8 routes (a single CIDR
block/mask wouldn't work either because of the numbers involved :-(). Oh, I
announce the three routes using RIP :-)

The biggest problem, currently, with using anything other than class based
routing inside a Unix box is that *VERY FEW* support classless routes. The
only versions of Unix where I know it is possible are those based upon NET-2
(ie BSDI/NetBSD/FreeBSD).

darren

p.s. why was this on firewalls ? I assumed it was on an ID*R list.
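As an added example (not code from any of the posters) of the aggregation point Dave P., Bill and Darren are arguing over, here is the same arithmetic done with Python's standard ipaddress module: what a single hole punched in a block does to the number of routes an ISP must announce, and how the pieces collapse back into one supernet once they are contiguous again. The 10/8 prefixes are constructed RFC 1597 private-space placeholders, not anyone's real allocation; the address and mask are the pair from David Flinn's picture earlier in this digest.

```python
# Added example, not code from any of the posts: the aggregation argument of
# this thread worked with the standard library's ipaddress module. The 10/8
# blocks are constructed RFC 1597 private-space placeholders; the
# 192.207.93.0 / 255.255.192.0 pair is the address and mask from David
# Flinn's picture earlier in the digest.
import ipaddress
from typing import Iterable, List

Net = ipaddress.IPv4Network


def classful_prefixlen(addr: str) -> int:
    """Prefix length the old class A/B/C rules derive from the first octet alone."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first < 128:
        return 8       # class A: leading bit 0
    if first < 192:
        return 16      # class B: leading bits 10
    if first < 224:
        return 24      # class C: leading bits 110
    raise ValueError(f"{addr} is not in unicast class A/B/C space")


def classless_network(addr: str, mask: str) -> str:
    """The route a classless router installs: the address masked by the configured mask."""
    return str(Net(f"{addr}/{mask}", strict=False))


def prefixes_in(block: str, prefixlen: int) -> int:
    """How many /prefixlen allocations a block carves into (a /8 into /24s, say)."""
    block_net = Net(block)
    if not block_net.prefixlen <= prefixlen <= 32:
        raise ValueError(f"cannot carve {block} into /{prefixlen}")
    return 1 << (prefixlen - block_net.prefixlen)


def announce(prefixes: Iterable[str]) -> List[str]:
    """Minimal set of aggregates covering the prefixes: what gets announced upstream."""
    nets = [Net(p) for p in prefixes]
    return [str(n) for n in sorted(ipaddress.collapse_addresses(nets))]


def punch_hole(block: str, hole: str) -> List[str]:
    """Routes an ISP is left announcing once `hole` is delegated out of its block."""
    return [str(n) for n in sorted(Net(block).address_exclude(Net(hole)))]


if __name__ == "__main__":
    # Classful thinking says 192.207.93.0 is a "C" (/24); with the /18 mask
    # from the picture a classless router actually installs 192.207.64.0/18.
    print(classful_prefixlen("192.207.93.0"), classless_network("192.207.93.0", "255.255.192.0"))
    print(prefixes_in("10.0.0.0/8", 24), "possible /24 allocations in a /8")
    print(announce(["10.0.1.0/24", "10.0.0.0/24", "10.0.3.0/24", "10.0.2.0/24"]))
    # One /24 delegated out of a /16 turns a single route into eight.
    print(len(punch_hole("10.0.0.0/16", "10.0.77.0/24")), "routes instead of one")
```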
From firewalls-owner Fri Apr 14 19:14:17 1995
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9504150240.AA29134@hawksbill.sprintmrn.com>
Subject: Re: Route summarization & announcements
To: avalon@coombs.anu.edu.au (Darren Reed)
Date: Fri, 14 Apr 1995 21:40:14 -0500 (EST)
Cc: bmanning@ISI.EDU, dave@corecom.com, markk@internic.net, Matthew.Huff@tasb.org, firewalls@greatcircle.com
In-Reply-To: <9504150225.AA29114@hawksbill.sprintmrn.com> from "Darren Reed" at Apr 15, 95 11:26:07 am
X-Mailer: ELM [version 2.4 PL22]

> The biggest problem, currently, with using anything other than class
> based routing inside a Unix box is that *VERY FEW* support classless
> routes. The only versions of Unix where I know it is possible are
> those based upon NET-2 (ie BSDI/NetBSD/FreeBSD).
>
> darren
>
> p.s. why was this on firewalls ? I assumed it was on an ID*R list.

To briefly outline the issues with thinking in classful terms. It does have
an impact on firewalls, since it involves the routes 'available' to any
particular access point.

'Nuf said.
:-)

- paul
_______________________________________________________________________________
Paul Ferguson                                US Sprint
tel: 703.689.6828                            Managed Network Engineering
internet: paul@hawk.sprintmrn.com            Reston, Virginia USA
http://www.sprintmrn.com

From firewalls-owner Fri Apr 14 20:56:44 1995
Message-Id: <199504150344.WAA00100@home.interaccess.com>
X-Mailer: Windows Eudora Version 1.4.4
Date: Fri, 14 Apr 1995 22:45:21 -0500
To: david@wsi1.wsi.com (David Flinn), firewalls@GreatCircle.COM, twalker@acc.org
From: gregg@interaccess.com (Gregg Rosenberg)
Subject: DMZ ?s

I have not seen a discussion like this so far, hopefully it will be
acceptable.

I understand that a DMZ is a routers only segment. That is, no machines on
the segment that can snoop. Where is the best place to place the DMZ? Can a
T1 span serve the purpose of a DMZ in certain circumstances?

                  External                Internal                Perimeter
                  Perimeter               Firewall                Boundary
                  Boundary                Screening
T3 <----------- router <-------T1-------> router <--- Ethernet ---> router <--- Ethernet ---> Production Net
Backbone          |          (DMZ?)         |                         |
                  |                         |                         |
               Exposed                   Bastion                  Protected
              Internet                    Host                    Internet
               Servers                                             Server

Is it a bad idea to use an exposed Internet server? Essentially my protected
Internet server will be a mirror image of my Exposed Internet Server.
Except that the Protected server will also have development tools and source
on it. I assume I could restrict the external Internet server to serve WWW,
Gopher, WAIS, FTP, listserve. Only allowing the maintainers access using one
time passwords. My bastion host would act as a mail hub to the inside
protected Internet server.

Does this approach make sense? How should it be different?

Thanks for everyone's help in advance.

Gregg Rosenberg
President
Internet Educational Resources, Corp.
gregg@k12.com or gregg@justnet.com
http://www.k12.com coming soon in May
http://www.k12.org coming soon in May

From firewalls-owner Fri Apr 14 21:26:38 1995
Date: Sat, 15 Apr 95 00:17:14 -0400
Message-Id: <9504150417.AA26536@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Registered IP vs unregistered

Bill rites:

>Now when we start carving up /8 space into /24 allocations, that will
>be interesting.

Not going to be a problem, will just take dynamic virtual addressing and we
have been doing that for years. Few users address by IP anyway, that's mostly
for the net.

Gee, Dad we could handle that class A with just two outside addresses - the
router and the DNS - and if pushed could name that tune with just one note.
Warmly,
Padgett

From firewalls-owner Fri Apr 14 21:49:06 1995
Message-Id: <199504150358.WAA00945@home.interaccess.com>
X-Mailer: Windows Eudora Version 1.4.4
Date: Fri, 14 Apr 1995 22:59:34 -0500
To: david@wsi1.wsi.com (David Flinn), firewalls@GreatCircle.COM, twalker@acc.org
From: gregg@interaccess.com (Gregg Rosenberg)
Subject: NTP + NO Atomic Clock

All this talk of NTP and time zone changes stimulated some thoughts. I am
definitely interested in a reliable and authenticated time source. Yet I do
not want to impact the net. I E-mailed our friends at the Naval Observatory
regarding access to the atomic clock time standards. Here is a summary of all
the information I got back. I hope no one objects to posting this here.
Although it is not directly firewall related it does seem to be
conversationally related.

See our Web Page http://tycho.usno.navy.mil under http://www.usno.navy.mil

Here is additional info. We are gearing up for NTP support nationwide...

                 U.S. NAVAL OBSERVATORY MASTER CLOCK
                       NETWORK TIME SERVICES
                         (Revised 11/94)

The U.S.
Naval Observatory has established two new network time servers for reliable,
accurate time over the Internet and Milnet WANs:

    tick.usno.navy.mil    192.5.41.40
    tock.usno.navy.mil    192.5.41.41

These HP9000/747i systems host Datum VME synchronized generators using IRIG-b
timecode from USNO Master Clock #2. The system clocks of these servers are
synchronized to within a few tens of microseconds of USNO Master Clock 2.
UTC(USNO) is provided over the network via a number of protocols. At present,
access is unrestricted.

1. RFC-1305 NETWORK TIME PROTOCOL

The USNO time servers are stratum 1 servers for the Network Time Protocol
(NTP) [DARPA Network Working Group Report RFC-1305]. NTP software which can
maintain synchronization of remote systems clocks to within a few hundred
milliseconds of the time servers is available from David Mills, University of
Delaware, via anonymous ftp to louie.udel.edu (128.175.1.3). At the present
time, NTP has been ported to the following systems:

    HP9000/300/400/700    HPUX
    MIPS                  Ultrix
    DEC/ALPHA             OSF
    Convex                Convex OS
    SGI                   IRIX
    RS6000                AIX
    VAX-11/785            VAX/VMS
    Sun3/4                SunOS
    MX500                 Sinix-m
    S2000                 Sequent PTX
    PC                    FreeBSD
    PC                    BSD/386
    PC                    Linux
    PC                    Dell SVR4
    PC                    Unixware1/SVR4
    NCR3445               NCR SVR4

2. TELNET ASCII TIME

The U.S. Naval Observatory Master Clock is accessible in low-precision mode
via telnet to one of the time servers on port 13. No login nor password is
necessary. The time server will ping your system and estimate the network
path delay. It will then send Modified Julian Date, Day of Year, and UTC time
as ASCII strings followed by an on-time mark (*) which will be advanced by
the estimated network delay. The uncertainty in the network delay estimate
can reach hundreds of milliseconds, but is typically good to a few tens of
milliseconds. Format of the message is shown below:

    telnet tick.usno.navy.mil 13
    Connected to tock.usno.navy.mil.
    Escape character is '^]'.
US Naval Observatory Master Clock, Washington, DC Estimating network time delay for 4 seconds...delay = 0.5 ms MJD DOY UTC(USNO) (* = on-time mark, follows ASCII) 49573 221 231851 UTC * 49573 221 231852 UTC * 49573 221 231853 UTC * . . . 3. TIME SETTING VIA BERKELEY INTERNET STREAM SOCKETS: USNO provides a set of tiny C program for systems which support Berkeley INTERNET stream sockets. These programs allow you to automate the synchronizing of your UNIX or RTE system clock to UTC(USNO) to 1-second accuracy. For information see the time directory under anonymous ftp on tycho.usno.navy.mil (192.5.41.239). 4. RFC 868 TIME PROTOCOL The "time" protocol [RFC-868] is supported on TCP and UDP port 37. This service returns a 32-bit binary number, in network byte order, representing the number of seconds of time since 1 Jan. 1900 UT. The "rdate" program operates over TCP port 37. 5. RFC 867 DAYTIME PROTOCOL The ASCII "daytime" protocol is supported only on UDP port 13. The TCP implementation has been replaced by the telnet ASCII time protocol above. > Is their an NTP client available for MAC or WIndows to your knowledge? > > There is winsntp for Windows available via anon ftp to louie.udel.edu in pub/ntp Also I have this note on Mac's From: dundas@netcom.com (John A. Dundas III) Date: Sun, 14 Nov 1993 13:25:13 -0800 Subject: Macintosh NTP Client Could you please add the following to the NTP FAQ? Thanks...John Dundas Another NTP client for the Macintosh is 'NTP Client' by John Dundas. This shareware is available at a number of archives; use archie to search for 'macntp'. This software features the ability to use NTP over either UDP/IP or AppleTalk. (Special servers are required for AppleTalk. The author currently has servers implemented for Macintosh, VAX/VMS (AppleTalk for VMS), and A/UX. Contact the author for more details at dundas@netcom.com.) > Thanks for the info. One concern strikes my mind. 
If I point at your time > servers will I generate any undesireable loads on the net? Should I wait > until regional servers are up? > The net loading is pretty trivial, especially once ntp ratchets down to infrequent polling for time. You are invited to send questions or comments to: Richard Schmidt, Time Service res@tuttle.usno.navy.mil U.S. Naval Observatory, Wash., DC 20392 (202)-653-0487; Fax 653-0909 Gregg Rosenberg President Internet Educational Resources, Corp. gregg@k12.com or gregg@justnet.com http://www.k12.com comming soon in May http://www.k12.org comming soon in May From firewalls-owner Fri Apr 14 22:26:43 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id WAA05746 for firewalls-outgoing; Fri, 14 Apr 1995 22:00:22 -0700 Received: from norman.li.Cubic.COM (norman.li.Cubic.COM [149.63.2.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id WAA05741 for ; Fri, 14 Apr 1995 22:00:18 -0700 Received: from localhost (mischler@localhost) by norman.li.Cubic.COM (8.3/8.3) id BAA02742; Sat, 15 Apr 1995 01:00:48 -0400 Date: Sat, 15 Apr 1995 01:00:48 -0400 From: Dave Mischler Message-Id: <199504150500.BAA02742@norman.li.Cubic.COM> To: firewalls@GreatCircle.COM, srichard@abbotthpd.com Subject: Re: Transparent proxies Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Try ftp://ftp.demon.co.uk/pub/ibmpc/iprv063.zip. It is described as address/port translation, but controls connection establishment by service. It just might do what you want. 
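The two USNO formats described in Gregg Rosenberg's NTP message above, the port-13 ASCII line (MJD, day of year, hhmmss) and the RFC 868 32-bit value served on port 37, decoded in Python. This is an added example, not code from USNO or from any message in this archive; the port-13 sample line is the one shown in the message, and the 4-byte port-37 value is constructed here for the same instant.

```python
"""Decode the two USNO time formats described above: the port-13 ASCII
line ('<MJD> <DOY> <hhmmss> UTC *') and the RFC 868 port-37 reply
(32-bit seconds since 1 Jan 1900, network byte order).

Added example, not code from USNO or from any message in this archive.
The port-13 sample line is copied from the message; the port-37 bytes are
constructed here for the same instant.
"""
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=UTC)
MJD_EPOCH = datetime(1858, 11, 17, tzinfo=UTC)      # Modified Julian Date 0
# Seconds between the RFC 868 epoch (1900) and the Unix epoch (1970):
# 70 years, 17 of them leap years, = 25567 days.
RFC868_TO_UNIX = 25567 * 86400                        # 2208988800


def decode_rfc868(payload: bytes) -> datetime:
    """Decode the 4-byte reply read from TCP or UDP port 37."""
    if len(payload) != 4:
        raise ValueError("RFC 868 reply must be exactly 4 bytes")
    (secs,) = struct.unpack("!I", payload)           # unsigned, big-endian
    # The counter is unsigned 32-bit and wraps in 2036; this decoder makes
    # no attempt to disambiguate values after that.
    return UNIX_EPOCH + timedelta(seconds=secs - RFC868_TO_UNIX)


def encode_rfc868(when: datetime) -> bytes:
    """Inverse of decode_rfc868: what a port-37 server would send for `when`."""
    secs = int((when - UNIX_EPOCH).total_seconds()) + RFC868_TO_UNIX
    if not 0 <= secs < 2 ** 32:
        raise ValueError("instant not representable as 32-bit RFC 868 time")
    return struct.pack("!I", secs)


def parse_usno_line(line: str) -> datetime:
    """Parse one port-13 line such as '49573 221 231851 UTC *'.

    MJD and day-of-year are redundant, so the parser cross-checks them and
    rejects a line whose two date fields disagree. That catches a garbled
    or truncated reply only; neither service authenticates anything.
    """
    fields = line.split()
    if len(fields) < 4 or fields[3] != "UTC":
        raise ValueError(f"unexpected USNO line: {line!r}")
    mjd, doy, hhmmss = int(fields[0]), int(fields[1]), fields[2]
    if len(hhmmss) != 6 or not hhmmss.isdigit():
        raise ValueError(f"bad hhmmss field: {hhmmss!r}")
    day = MJD_EPOCH + timedelta(days=mjd)
    if day.timetuple().tm_yday != doy:
        raise ValueError(f"MJD {mjd} is day {day.timetuple().tm_yday}, line says {doy}")
    return day.replace(hour=int(hhmmss[:2]), minute=int(hhmmss[2:4]),
                       second=int(hhmmss[4:]))


def clock_offset_seconds(server: datetime, local: datetime) -> float:
    """Signed correction (server minus local) a client would apply."""
    return (server - local).total_seconds()


if __name__ == "__main__":
    usno = parse_usno_line("49573 221 231851 UTC *")        # line from the page
    wire = encode_rfc868(usno)                               # constructed bytes
    print(usno.isoformat(), wire.hex(), decode_rfc868(wire) == usno)
```

The sample line decodes to 1994-08-09 23:18:51 UTC, and the same instant on port 37 is the big-endian value 0xB1F28D5B; the MJD/DOY cross-check is an integrity test on the text, not a substitute for the authentication the original poster was asking for, which none of the port-13, port-37 or daytime services provide.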
Dave.Mischler@Cubic.COM

From firewalls-owner Sat Apr 15 02:27:11 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id CAA08809 for firewalls-outgoing; Sat, 15 Apr 1995 02:08:43 -0700
Received: from stewpot.mazama.com (stewpot.mazama.com [192.245.234.220]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id CAA08803 for ; Sat, 15 Apr 1995 02:08:37 -0700
Received: (from allan@localhost) by stewpot.mazama.com (8.6.12/8.6.9) id CAA06181; Sat, 15 Apr 1995 02:09:08 -0700
Date: Sat, 15 Apr 1995 02:09:08 -0700
From: "Christopher A. Stewart"
Message-Id: <199504150909.CAA06181@stewpot.mazama.com>
To: firewalls@GreatCircle.Com
Subject: Compromised system
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Not sure this is exactly the place to post it, but I have apparently run in
to a blind alley in my attempts to contact the system in question. For the
past several days, 204.57.196.12 has been directing a steady stream of
packets at my portmapper.. I had it blocked at my firewall, so the most
annoying thing about this is the large log files this creates. Since this
is apparently a fairly new system on the net, I'm assuming that it's been
broken in to, and being used by unauthorized parties.. If anyone on the
list knows the people that own this system could you please contact them
and relay this information.. Thanx..

--
----------------------------------------------------------------------
Gopher Stew      | allan@eskimo.com
The Rodent King  | allan@mazama.com
                 | stewart@networx.com
      \|/        |
      oOo  <--- {his paw mark and Royal Seal}
                 |

From firewalls-owner Sat Apr 15 04:56:41 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA10136 for firewalls-outgoing; Sat, 15 Apr 1995 04:49:23 -0700
Received: from stewpot.mazama.com (stewpot.mazama.com [192.245.234.220]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id EAA10131 for ; Sat, 15 Apr 1995 04:49:19 -0700
Received: (from allan@localhost) by stewpot.mazama.com (8.6.12/8.6.9) id EAA06755; Sat, 15 Apr 1995 04:49:47 -0700
Date: Sat, 15 Apr 1995 04:49:47 -0700
From: "Christopher A. Stewart"
Message-Id: <199504151149.EAA06755@stewpot.mazama.com>
To: firewalls@GreatCircle.Com
Subject: Compromised system followup
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've been getting some great advice from the readers of this list.. Problem
is I've already done it.. Like I said I've come up against a blank wall..
I'd already used dig, traceroute etc to track this system down.. I've
contacted the contact person for wa.com. He was helpful in providing
further contact info.. That person has been unresponsive.. So like I said,
if anyone knows these people, contact them and wake them up..

--
----------------------------------------------------------------------
Gopher Stew      | allan@eskimo.com
The Rodent King  | allan@mazama.com
                 | stewart@networx.com
      \|/        |
      oOo  <--- {his paw mark and Royal Seal}
                 |

From firewalls-owner Sat Apr 15 05:26:44 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA10552 for firewalls-outgoing; Sat, 15 Apr 1995 05:18:49 -0700
Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA10546 for ; Sat, 15 Apr 1995 05:18:46 -0700
Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA29831; Sat, 15 Apr 95 08:17:55 -0500
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9504151317.AA29831@hawksbill.sprintmrn.com>
Subject: Perimeter networks (Was: DMZ ?s)
To: gregg@interaccess.com (Gregg Rosenberg)
Date: Sat, 15 Apr 1995 08:17:54 -0500 (EST)
Cc: david@wsi1.wsi.com, firewalls@GreatCircle.COM, twalker@acc.org
In-Reply-To: <199504150344.WAA00100@home.interaccess.com> from "Gregg Rosenberg" at Apr 14, 95 10:45:21 pm
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 1974
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> 
> I have not seen a discussion like this so far, hopefully it will be acceptable.
> 
> I understand that a DMZ is a routers only segment.
> That is no machines on the segment that can snoop.
> 
> Where is the best place to place the DMZ?
> 
> Can a T1 span serve the purpose of a DMZ in certain circumstances?
> 

What you call a 'DMZ' is called a Perimeter Network, and no, a circuit
cannot fulfill the requirements for a perimeter net. The purpose of the
perimeter net is twofold; to physically & logically separate an
internal/trusted network from an external/untrusted network, and to not
advertise the internal network to the external/untrusted network.
                                +--+
                                |  |  host a
                                +-++
                                  |
                +-+               |                +--+
internet------->+ +-----+---------+----------------+  +-------------  internal network
                +-+                                +--+
              external          perimeter         internal
               router            network           router

In the example above, 'host a' resides on the perimeter ethernet network.
(With the advent of routers with integrated ethernet hubs, this is now much
easier than it used to be.) 'Host a' can perform any number of functions,
from proxy services, mail tossing, DNS, or simply as a pit-stop bastion.
Also, routing to/from the internet is _only_ established for the perimeter
network, and _not_ for the internal network. The external & internal
routers can also perform additional packet-filtering if desired.

- paul

_______________________________________________________________________________
Paul Ferguson                    US Sprint          tel: 703.689.6828
Managed Network Engineering      internet: paul@hawk.sprintmrn.com
Reston, Virginia USA             http://www.sprintmrn.com

From firewalls-owner Sat Apr 15 07:56:56 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA12106 for firewalls-outgoing; Sat, 15 Apr 1995 07:48:44 -0700
Received: from little-miami.iac.net (little-miami.iac.net [198.180.60.135]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA12101 for ; Sat, 15 Apr 1995 07:48:41 -0700
Received: by little-miami.iac.net id KAA14853; Sat, 15 Apr 1995 10:48:24 -0400
Date: Sat, 15 Apr 1995 10:48:23 -0400 (EDT)
From: Carl Jolley
To: Samuel Richardson
cc: firewalls@GreatCircle.COM
Subject: Re: Transparent Proxies
In-Reply-To: <9504141931.AA24393@tinman>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sure, write them yourself and pay yourself nothing or very little. What
value do you place on having implemented transparent proxies?

**** cjolley@iac.net
**** All opinions are my own and not necessarily those of my employer ****

On Fri, 14 Apr 1995, Samuel Richardson wrote:

> Can any suggest a free or low cost means of implementing transparent
> proxies (I
> 
> 

From firewalls-owner Sat Apr 15 08:26:50 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA12464 for firewalls-outgoing; Sat, 15 Apr 1995 08:12:58 -0700
Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA12459 for ; Sat, 15 Apr 1995 08:12:54 -0700
From: fc@all.net (Dr. Frederick B. Cohen)
Received: by all.net (4.1/3.2.012693-Management Analytics); id AA07452 for firewalls@GreatCircle.COM; Sat, 15 Apr 95 11:09:34 EDT
Message-Id: <9504151509.AA07452@all.net>
Subject: Sysco Routers Son't Do Security
To: firewalls@GreatCircle.COM
Date: Sat, 15 Apr 1995 11:09:33 -0400 (EDT)
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 682
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I just talked to a Sysco Router yesterday, and she said that they don't
do any security functions. They just tell the drivers where to go. And
in terms of acting as a firewall, she said that she would almost
certainly get burned.

Have a happy Easter/Passover.

--
 -----------------
 \Management /\/|   216-686-0090 - PO Box 1480, Hudson, OH 44236
  \ /\/      |  Check out info-security heaven and test your system
   \/\  /\/  |  for known vulnerabilities (1st time for free) at URL:
    \/Analytics|   (scans deeper than SATAN or ISS)   http://all.net:8080
 -----------------
 Read "Protection and Security on the Information Superhighway"
 -just released by Wiley and Sons-

From firewalls-owner Sat Apr 15 10:26:46 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA13683 for firewalls-outgoing; Sat, 15 Apr 1995 10:15:54 -0700
Received: from home.interaccess.com (home.interaccess.com [198.80.0.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA13678 for ; Sat, 15 Apr 1995 10:15:51 -0700
Received: from smtp.interaccess.com (fd101.net.interaccess.com [204.148.144.101]) by home.interaccess.com (8.6.11/8.6.10) with SMTP id MAA27229; Sat, 15 Apr 1995 12:15:50 -0500
Message-Id: <199504151715.MAA27229@home.interaccess.com>
X-Sender: gregg@pop.interaccess.com
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sat, 15 Apr 1995 12:17:07 -0500
To: paul@hawksbill.sprintmrn.com (Paul Ferguson), david@wsi1.wsi.com (David Flinn), firewalls@GreatCircle.COM, twalker@acc.org
From: gregg@interaccess.com (Gregg Rosenberg)
Subject: Re: Perimeter networks (Was: DMZ ?s)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In my case I actually have the ability to put servers right on a T3, then I
am bringing a T1 to my interior net. I have chosen to build both an external
and internal perimeter net.

I am still trying to understand the notion of a DMZ apparently. Do I really
gain any value in creating a separate DMZ segment. Clearly having a
firewall router on a segment that has no hosts has an advantage of
preventing snooping with the host.

Gregg Rosenberg
President
Internet Educational Resources, Corp.
gregg@k12.com or gregg@justnet.com
http://www.k12.com coming soon in May
http://www.k12.org coming soon in May

From firewalls-owner Sat Apr 15 10:46:30 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA13692 for firewalls-outgoing; Sat, 15 Apr 1995 10:16:20 -0700
Received: from virtual.office.com (welcome.vo.com [204.192.49.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA13685 for ; Sat, 15 Apr 1995 10:16:16 -0700
Received: (from alex@localhost) by virtual.office.com (8.6.9/8.6.9) id NAA30191; Sat, 15 Apr 1995 13:18:47 -0400
Date: Sat, 15 Apr 1995 13:18:46 -29900
From: "S. Alexander Jacobson"
Reply-To: "S. Alexander Jacobson"
Subject: Re: Compromised system
To: "Christopher A. Stewart"
cc: firewalls@GreatCircle.COM
In-Reply-To: <199504150909.CAA06181@stewpot.mazama.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Have you tried asking the admins for NorthWest Nexus, the ISP for the
problem site? If you can't reach them, have you tried asking sprint?

-Alex-

---
20  sl-pen-1-H2/0-T3.sprintlink.net (144.228.10.34)  161.149 ms  123.014 ms  133.867 ms
21  sl-pen-2-F0/0.sprintlink.net (144.228.60.2)  127.366 ms  122.045 ms  126.198 ms
22  sl-chi-3-H2/0-T3.sprintlink.net (144.228.10.38)  190.122 ms  159.853 ms  150.675 ms
23  sl-chi-4-F0/0.sprintlink.net (144.228.50.4)  167.285 ms  139.398 ms  137.384 ms
24  sl-nexus-1-S0-T1.sprintlink.net (144.228.54.50)  192.213 ms  183.053 ms *
25  eds.wa.com (192.207.47.102)  429.25 ms  224.662 ms  267.618 ms
26  204.57.196.12 (204.57.196.12)  201.407 ms  349.98 ms *

Northwest Nexus, Inc. (WA-DOM)
   P.O. Box 94
   Bothell, WA 98041-0094

   Domain Name: WA.COM

   Administrative Contact, Technical Contact, Zone Contact:
      Morin, Edward A.  (EM45)  edm@NWNEXUS.WA.COM
      206/455-3505

   Record last updated on 18-Jan-95.

_____________________________________________________________________________
S. Alexander Jacobson    Internet Virtual Office Inc.    alex@virtual.office.com
Consulting               info@virtual.office.com         http://vo.com/people/alex/
**                       http://virtual.office.com       1-212-799-2645 voice
Technology               gopher.virtual.office.com       1-212-799-1075 fax
Strategy                 telephone: 1-800-TODAY-VO

From firewalls-owner Sat Apr 15 10:58:46 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA14271 for firewalls-outgoing; Sat, 15 Apr 1995 10:49:49 -0700
Received: from afterlife.ncsc.mil (afterlife.ncsc.mil [144.51.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA14266 for ; Sat, 15 Apr 1995 10:49:45 -0700
Received: (from dpkemp@localhost) by afterlife.ncsc.mil (8.6.12/8.6.6) id NAA22453; Sat, 15 Apr 1995 13:50:17 -0400
Date: Sat, 15 Apr 1995 13:50:17 -0400
From: "David P. Kemp"
Message-Id: <199504151750.NAA22453@afterlife.ncsc.mil>
To: firewalls@greatcircle.com
Subject: Re: SNMP or other mgmt/monitor of bastion &c.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Apr 14, Bryan D. Boyle wrote:
>
>Well, for one, snmp is udp. And that gives us the shakes. What I would
>pose as a strawman would be to put an snmp 'monitor probe' up on
>the DMZ that would monitor the exposed network and repackage the info
>for transmission thru the screen via tcp (which can be reasonably secured
>beyond
>trying to hack some extension into UDP and call it controllable...)

Why would using TCP be any more secure than using UDP?

In general, TCP is preferred because many firewall users have adopted a
policy that says people on the inside are good and should be allowed to
initiate communication through the firewall, whereas people on the
outside should not. TCP, being a connection-oriented protocol, makes it
possible for a filter to distinguish which packets belong to a
particular connection, and from which side the connection is being
established. It therefore makes it easier to write a filter that
enforces the policy.

But if your policy says that:

 1) users on the inside can be trusted not to actively attack the
    internal net, and
 2) the Network Management Center on the internal net will monitor the
    firewall using SNMP

then a filter that allows UDP traffic on the SNMP port between the
firewall host and the NMC can be used to implement the policy.

I don't see why TCP "can be reasonably secured" for this application to
any extent greater than could UDP. Is there a specific threat you are
trying to protect against, or is this just a superstitious belief that
"UDP is insecure" and shouldn't be used for anything.

From firewalls-owner Sat Apr 15 12:26:46 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA15744 for firewalls-outgoing; Sat, 15 Apr 1995 12:13:26 -0700
Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA15739 for ; Sat, 15 Apr 1995 12:13:16 -0700
Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA00326; Sat, 15 Apr 95 15:10:14 -0500
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9504152010.AA00326@hawksbill.sprintmrn.com>
Subject: Re: Sysco Routers Son't Do Security
To: fc@all.net (Dr. Frederick B. Cohen)
Date: Sat, 15 Apr 1995 15:10:14 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9504151509.AA07452@all.net> from "Dr. Frederick B. Cohen" at Apr 15, 95 11:09:33 am
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 714
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> 
> I just talked to a Sysco Router yesterday, and she said that they don't
> do any security functions. They just tell the drivers where to go. And
> in terms of acting as a firewall, she said that she would almost
> certainly get burned.
> 

Um, Fred, that's 'cisco,' not 'sysco.'

I can't imagine anyone from cisco Systems saying _anything_ like that.
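A small stateless-filter model of the policy David Kemp describes in his SNMP message above ("inside may initiate, outside may not"), set beside the port-only NetBlazer rules from Ron Lindsay's message later in this archive. This is an added example, not code from either message; the hosts, ports and packets are constructed, and the NetBlazer rule semantics (each Source/Dest line an independent permit on one port field, any match permits, deny by default) are my reading of that message, not verified against Telebit documentation.

```python
"""Two ways a stateless filter can express "inside may initiate, outside
may not": David Kemp's TCP-versus-UDP argument, and the port-only
NetBlazer rules posted by Ron Lindsay.

Added example, not code from any message in this archive. Hosts, ports
and packets are constructed. NetBlazer semantics assumed here (each
Source/Dest line is an independent permit on one port field, any match
permits, deny by default) are my reading of that message, unverified.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

FIREWALL_HOST = "192.0.2.1"   # constructed: the bastion being monitored
NMC = "10.1.1.10"             # constructed: network management centre, inside
SNMP_PORT = 161


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = arriving from the untrusted side, "out" = leaving
    proto: str          # "tcp", "udp" or anything else
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False   # TCP ACK flag; has no meaning for UDP


def connection_aware_filter(p: Packet) -> Tuple[str, str]:
    """Kemp's point: TCP carries enough state for a filter to see which side
    opened the connection; UDP carries none, so UDP needs an explicit host
    pair. The ACK test is the usual stateless approximation of "established":
    it trusts the flag rather than a connection table."""
    if p.proto == "tcp":
        if p.direction == "out":
            return "permit", "inside may open or continue any TCP connection"
        # Only the first segment of a connection lacks ACK, so an inbound
        # segment without it is the outside trying to open a connection.
        if p.ack:
            return "permit", "inbound TCP with ACK: part of an inside-initiated connection"
        return "deny", "inbound TCP without ACK: connection attempt from outside"
    if p.proto == "udp":
        # No flags to inspect, so the rule names both endpoints explicitly.
        if {p.src, p.dst} == {FIREWALL_HOST, NMC} and SNMP_PORT in (p.sport, p.dport):
            return "permit", "SNMP between firewall host and NMC"
        return "deny", "UDP outside the firewall-host/NMC SNMP pair"
    return "deny", "protocol not covered by policy"


PortTest = Callable[[int], bool]


def one_of(ports: set) -> PortTest:
    return lambda port: port in ports


def one_of_or_high(ports: set) -> PortTest:
    return lambda port: port in ports or port >= 1024   # the ">=1024" entries


# (proto, direction, port field, test) transcribed from the NetBlazer message.
NETBLAZER_RULES: List[Tuple[str, str, str, PortTest]] = [
    ("tcp", "in",  "sport", one_of({25, 42, 53})),
    ("udp", "in",  "sport", one_of({53})),
    ("tcp", "in",  "dport", one_of({25, 42, 53, 123})),
    ("udp", "in",  "dport", one_of({53})),
    ("tcp", "out", "sport", one_of_or_high({20, 21, 25, 42, 53, 119, 123})),
    ("udp", "out", "sport", one_of({53})),
    ("tcp", "out", "dport", one_of_or_high({25, 42, 53})),
    ("udp", "out", "dport", one_of({53})),
]


def netblazer_filter(p: Packet) -> Tuple[str, str]:
    """Port-only filtering: each permit line looks at a single port field, so
    it cannot tell a reply from a new connection (compare the inbound TCP
    samples below against connection_aware_filter)."""
    for proto, direction, field, allowed in NETBLAZER_RULES:
        if p.proto == proto and p.direction == direction and allowed(getattr(p, field)):
            return "permit", f"{proto} {direction} {field} rule"
    return "deny", "default"


# Constructed traffic: inside host 10.1.1.5, outside hosts 198.51.100.7/.9.
SAMPLE_TRAFFIC: Dict[str, Packet] = {
    "inside opens SMTP":       Packet("out", "tcp", "10.1.1.5", "198.51.100.7", 1234, 25),
    "SMTP reply, ACK set":     Packet("in", "tcp", "198.51.100.7", "10.1.1.5", 25, 1234, ack=True),
    "outside opens telnet":    Packet("in", "tcp", "198.51.100.9", "10.1.1.5", 4321, 23),
    "outside opens, sport 25": Packet("in", "tcp", "198.51.100.9", "10.1.1.5", 25, 6000),
    "NMC polls firewall":      Packet("out", "udp", NMC, FIREWALL_HOST, 1025, SNMP_PORT),
    "firewall answers NMC":    Packet("in", "udp", FIREWALL_HOST, NMC, SNMP_PORT, 1025),
    "outsider polls NMC":      Packet("in", "udp", "198.51.100.9", NMC, 1025, SNMP_PORT),
}


def decisions(filter_fn: Callable[[Packet], Tuple[str, str]]) -> Dict[str, str]:
    """Map each sample packet's label to the filter's permit/deny decision."""
    return {label: filter_fn(pkt)[0] for label, pkt in SAMPLE_TRAFFIC.items()}
```

Calling decisions(connection_aware_filter) and decisions(netblazer_filter) side by side shows the difference Kemp is pointing at: both admit the SMTP reply, but only the port-only rules also admit a fresh inbound connection that happens to carry source port 25, and only the host-pair rule admits the SNMP exchange, which the NetBlazer list (written for mail, ftp and telnet) does not cover at all.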
- paul

_______________________________________________________________________________
Paul Ferguson                    US Sprint          tel: 703.689.6828
Managed Network Engineering      internet: paul@hawk.sprintmrn.com
Reston, Virginia USA             http://www.sprintmrn.com

From firewalls-owner Sat Apr 15 12:41:34 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA15769 for firewalls-outgoing; Sat, 15 Apr 1995 12:16:12 -0700
Received: from noc1.mid.net (noc1.mid.net [198.247.250.15]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA15764 for ; Sat, 15 Apr 1995 12:16:08 -0700
Received: from jayhawk.mid.net (jayhawk.mid.net [198.247.250.21]) by noc1.mid.net (8.6.10/8.6.9) with ESMTP id OAA28614; Sat, 15 Apr 1995 14:16:34 -0500
Received: (from alan@localhost) by jayhawk.mid.net (8.6.10/8.6.9) id OAA12919; Sat, 15 Apr 1995 14:16:42 -0500
From: Alan Hannan
Message-Id: <199504151916.OAA12919@jayhawk.mid.net>
Subject: Re: Sysco Routers Son't Do Security
To: fc@all.net (Dr. Frederick B. Cohen)
Date: Sat, 15 Apr 1995 14:16:41 -0500 (CDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9504151509.AA07452@all.net> from "Dr. Frederick B. Cohen" at Apr 15, 95 11:09:33 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1079
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I just talked to a Sysco Router yesterday, and she said that they don't
> do any security functions. They just tell the drivers where to go. And
> in terms of acting as a firewall, she said that she would almost
> certainly get burned.

I am assuming that you mean "Cisco" when you say "Sysco".

I am constantly amazed by this cutting edge company. Not only do they
provide amazing Internetworking Software, but they are so advanced in
artificial intelligence. I mean, how you were able to actually communicate
with a router, and have a conversation, Frederick, is amazing to me.

However, typical to most Cisco Products, their first generation code has a
few bugs. This android/AI thing to which you spoke did not speak
correctly, Cisco Access Lists are a significant security function, and
while they do not address authentication, they address originating
addresses, which are a useful part of any firewalling system.

--
Alan Hannan                          (402) 472-0241
MIDnet Inc. ------------------------------\   fax (402) 472-0240
A Global Internet Company

From firewalls-owner Sat Apr 15 12:56:46 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA16455 for firewalls-outgoing; Sat, 15 Apr 1995 12:52:16 -0700
Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id MAA16448 for ; Sat, 15 Apr 1995 12:52:12 -0700
Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA00409; Sat, 15 Apr 95 15:52:26 -0500
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9504152052.AA00409@hawksbill.sprintmrn.com>
Subject: Re: Sysco Routers Son't Do Security
To: fc@all.net (Dr. Frederick B. Cohen)
Date: Sat, 15 Apr 1995 15:52:26 -0500 (EST)
Cc: firewalls@greatcircle.com (Firewalls List)
In-Reply-To: <9504151920.AA02758@all.net> from "Dr. Frederick B. Cohen" at Apr 15, 95 03:20:35 pm
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 754
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > 
> > > I just talked to a Sysco Router yesterday, and she said that they don't
> > > do any security functions. They just tell the drivers where to go. And
> > > in terms of acting as a firewall, she said that she would almost
> > > certainly get burned.
> > > 
> > 
> > Um, Fred, that's 'cisco,' not 'sysco.'
> 
> No, I meant Sysco - the national food distribution company.
> 

Ah, humor.
;-)

- paul

_______________________________________________________________________________
Paul Ferguson                    US Sprint          tel: 703.689.6828
Managed Network Engineering      internet: paul@hawk.sprintmrn.com
Reston, Virginia USA             http://www.sprintmrn.com

From firewalls-owner Sat Apr 15 13:28:34 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA17209 for firewalls-outgoing; Sat, 15 Apr 1995 13:05:33 -0700
Received: from zephyr.isi.edu (zephyr.isi.edu [128.9.160.160]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA17201 for ; Sat, 15 Apr 1995 13:05:29 -0700
Received: by zephyr.isi.edu (5.65c/5.61+local-17) id ; Sat, 15 Apr 1995 13:05:54 -0700
From: bmanning@ISI.EDU (Bill Manning)
Message-Id: <199504152005.AA08985@zephyr.isi.edu>
Subject: Re: Sysco Routers Son't Do Security
To: alan@mid.net (Alan Hannan)
Date: Sat, 15 Apr 1995 13:05:54 -0700 (PDT)
Cc: fc@all.net, firewalls@greatcircle.com
In-Reply-To: <199504151916.OAA12919@jayhawk.mid.net> from "Alan Hannan" at Apr 15, 95 02:16:41 pm
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 319
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Now Alan, you should know that cisco does not talk about un-announced
products. What the good dr. was talking about is cis/sys(co)'s entry
into an entirely different market, bulk food distribution. The
term router now refers to not only the switching and forwarding engine
but also to the truck driver!
--
--bill

From firewalls-owner Sat Apr 15 14:03:46 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA18342 for firewalls-outgoing; Sat, 15 Apr 1995 13:34:29 -0700
Received: from casbah.acns.nwu.edu (casbah.acns.nwu.edu [129.105.16.52]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id RAA01308 for ; Fri, 14 Apr 1995 17:50:57 -0700
Received: by casbah.acns.nwu.edu (1.37.109.16/20.3) id AA246757081; Fri, 14 Apr 1995 19:51:21 -0500
Message-Id: <199504150051.AA246757081@casbah.acns.nwu.edu>
Subject: Re: S-HTTP
To: DICKSC@p01.uci.com (Schwarz Dick)
Date: Fri, 14 Apr 1995 19:51:21 -0500 (CDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <2F8D436F@p01.uci.com> from "Schwarz, Dick" at Apr 13, 95 08:27:00 am
Reply-To: Albert-Lunde@nwu.edu (Albert Lunde)
From: Albert-Lunde@nwu.edu (Albert Lunde)
X-Mailer: ELM [version 2.4 PL24alpha3]
Content-Type: text
Content-Length: 380
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> 
> 
> I am looking for a copy of the specifications and any other pertinent
> information about S-HTTP. Can anyone help?

See:

gopher://ds2.internic.net/00/internet-drafts/draft-rescorla-shttp-00.txt
http://www.eit.com/projects/s-http/
http://www.terisa.com/
http://www-ns.rutgers.edu/www-security/

--
    Albert Lunde                      Albert-Lunde@nwu.edu

From firewalls-owner Sat Apr 15 14:26:39 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA18833 for firewalls-outgoing; Sat, 15 Apr 1995 13:57:59 -0700
Received: from panix2.panix.com (panix2.panix.com [198.7.0.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA18822 for ; Sat, 15 Apr 1995 13:57:53 -0700
Received: (from jhawk@localhost) by panix2.panix.com (8.6.12/8.6.10+PanixU1.0) id QAA03962; Sat, 15 Apr 1995 16:58:04 -0400
From: John Hawkinson
Message-Id: <199504152058.QAA03962@panix2.panix.com>
Subject: Re: Sysco Routers Son't Do Security
To: bmanning@ISI.EDU (Bill Manning)
Date: Sat, 15 Apr 1995 16:58:03 -0400 (EDT)
Cc: alan@mid.net, fc@all.net, firewalls@GreatCircle.COM
In-Reply-To: <199504152005.AA08985@zephyr.isi.edu> from "Bill Manning" at Apr 15, 95 01:05:54 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 804
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: bmanning@ISI.EDU (Bill Manning)
> To: alan@mid.net (Alan Hannan)
> Cc: fc@all.net, firewalls@GreatCircle.COM

> Now Alan, you should know that cisco does not talk about un-announced
> products. What the good dr. was talking about is cis/sys(co)'s entry
> into an entirely different market, bulk food distribution. The
> term router now refers to not only the switching and forwarding engine
> but also to the truck driver!

No, no, Bill. You are the last person I would expect to misunderstand
this. Sysco is clearly implemented using a route *server* architecture,
where the truck drivers need to talk to a route server (via out-of-band
mechanisms like radio...). The route servers have this layer of
management above them, called the routing arbiter...

--
John Hawkinson
jhawk@panix.com

From firewalls-owner Sat Apr 15 14:46:49 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA19270 for firewalls-outgoing; Sat, 15 Apr 1995 14:21:58 -0700
Received: from uni.ins.com (uni.ins.com [199.0.193.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA19265 for ; Sat, 15 Apr 1995 14:21:55 -0700
Received: from uni.ins.com (mark.ins.dialup.net [158.253.1.246]) by uni.ins.com (8.6.10/8.6.10) with SMTP id OAA08390 for ; Sat, 15 Apr 1995 14:22:21 -0700
Date: Sat, 15 Apr 1995 14:22:21 -0700
Message-Id: <199504152122.OAA08390@uni.ins.com>
X-Sender: kadrich@uni.ins.com (Unverified)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.COM
From: (Mark S. Kadrich)
Subject: Re: Sysco Routers Son't Do Security
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>>
>> I just talked to a Sysco Router yesterday, and she said that they don't
>> do any security functions. They just tell the drivers where to go. And
>> in terms of acting as a firewall, she said that she would almost
>> certainly get burned.
>>
>
>Um, Fred, that's 'cisco,' not 'sysco.'
>
>I can't imagine anyone from cisco Systems saying _anything_ like that.
>
>- paul
>
>

A call to your friendly cisco rep will confirm what the good Doctor has
stated (however incorrectly). However, Cisco will say that the
capabilities of their routers (rooters? ;-) are an important aspect of any
well designed security parameter. Cisco does not like to consider their
products as stand-alone security devices. I suspect their lawyers have had
a hand in this stance.

******************************************************************
Mark S.
Kadrich, Systems Engineer, International Network Services
"The Power of Operable Networks"
Voice @ 415-254-4225, Page @ 1-800-514-0355
e-mail @ kadrich@uni.ins.com
Information security is a process, not a solution.
******************************************************************

From firewalls-owner Sat Apr 15 18:26:39 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA21874 for firewalls-outgoing; Sat, 15 Apr 1995 17:57:06 -0700
Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA21869 for ; Sat, 15 Apr 1995 17:56:58 -0700
Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA00737; Sat, 15 Apr 95 20:56:43 -0500
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9504160156.AA00737@hawksbill.sprintmrn.com>
Subject: Re: Perimeter networks (Was: DMZ ?s)
To: gregg@interaccess.com (Gregg Rosenberg)
Date: Sat, 15 Apr 1995 20:56:43 -0500 (EST)
Cc: david@wsi1.wsi.com, firewalls@GreatCircle.COM, twalker@acc.org
In-Reply-To: <199504151715.MAA27229@home.interaccess.com> from "Gregg Rosenberg" at Apr 15, 95 12:17:07 pm
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 627
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> 
> I am still trying to understand the notion of a DMZ apparently. Do I really
> gain any value in creating a separate DMZ segment. Clearly having a
> firewall router on a segment that has no hosts has an advantage of
> preventing snooping with the host.
> 

Exactly.

- paul

_______________________________________________________________________________
Paul Ferguson                    US Sprint          tel: 703.689.6828
Managed Network Engineering      internet: paul@hawk.sprintmrn.com
Reston, Virginia USA             http://www.sprintmrn.com

From firewalls-owner Sat Apr 15 20:57:04 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA23120 for firewalls-outgoing; Sat, 15 Apr 1995 20:29:29 -0700
Received: from earth.eng.vantageware.com (earth.eng.vantageware.com [198.160.145.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id UAA23115 for ; Sat, 15 Apr 1995 20:29:24 -0700
Received: from io_dialin0.eng.vantageware.com by earth.eng.vantageware.com (AIX 3.2/UCB 5.64/4.03) id AA17996; Fri, 14 Apr 1995 22:27:50 -0700
Date: Fri, 14 Apr 95 22:13:27 PDT
From: Ron A Lindsay
Subject: RE: NetBlazer filters
To: firewalls@GreatCircle.COM, "Samuel D. Jones"
X-Mailer: Chameleon - TCP/IP for Windows by NetManage, Inc.
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I had the same issue. Try these filters:

    configure ip filter permit inet_p TCP =25 =42 =53 Source In
    configure ip filter permit inet_p UDP =53 Source In
    configure ip filter permit inet_p TCP =25 =42 =53 =123 Dest In
    configure ip filter permit inet_p UDP =53 Dest In
    configure ip filter permit inet_p TCP =20 =21 =25 =42 =53 =119 =123 >=1024 Source Out
    configure ip filter permit inet_p UDP =53 Source Out
    configure ip filter permit inet_p TCP =25 =42 =53 >=1024 Dest Out
    configure ip filter permit inet_p UDP =53 Dest Out
    configure ip filter deny default inet_p

    =your IP address/subnet mask
    inet_p=your internet interface name

Notice that ports > 1024 are allowed ONLY on outgoing connections (for
sendmail, ftp, etc). Ping does NOT work with this setup.

Good luck.

---------------Original Message---------------
I am trying to set up filters for a Telebit NetBlazer to allow mail and
outgoing ftp and telnet. I want everything else shut down. I would like to
be able to ping also. I have filters already in place, but I don't know if
I am missing something important. Can anyone help me?

Samuel D. Jones
sam@Aptech.com
----------End of Original Message----------

----------------------------------------------------------------------
E-mail: ronl@vantageware.com (Ron A Lindsay)
----------------------------------------------------------------------

From firewalls-owner Sat Apr 15 21:56:46 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA23940 for firewalls-outgoing; Sat, 15 Apr 1995 21:37:08 -0700
Received: from dewey.net99.net (dewey.net99.net [204.137.146.23]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id VAA23935 for ; Sat, 15 Apr 1995 21:37:05 -0700
Received: (from joe@localhost) by dewey.net99.net (8.6.9/8.6.9.1) id VAA16253; Sat, 15 Apr 1995 21:39:28 -0700
Date: Sat, 15 Apr 1995 21:39:28 -0700 (MST)
From: ATM_Feel_the_Power
To: Bill Manning
cc: Alan Hannan , fc@all.net, firewalls@greatcircle.com
Subject: Re: Sysco Routers Son't Do Security
In-Reply-To: <199504152005.AA08985@zephyr.isi.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Darn it all Bill... Tony has been trying to keep this secret.

Joseph Stroup

On Sat, 15 Apr 1995, Bill Manning wrote:

> 
> Now Alan, you should know that cisco does not talk about un-announced
> products. What the good dr. was talking about is cis/sys(co)'s entry
> into an entirely different market, bulk food distribution. The
> term router now refers to not only the switching and forwarding engine
> but also to the truck driver!
> --
> --bill
> 

From firewalls-owner Sat Apr 15 22:15:18 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA23923 for firewalls-outgoing; Sat, 15 Apr 1995 21:31:23 -0700
Received: from dewey.net99.net (dewey.net99.net [204.137.146.23]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id VAA23918 for ; Sat, 15 Apr 1995 21:31:20 -0700
Received: (from joe@localhost) by dewey.net99.net (8.6.9/8.6.9.1) id VAA16178; Sat, 15 Apr 1995 21:33:42 -0700
Date: Sat, 15 Apr 1995 21:33:41 -0700 (MST)
From: ATM_Feel_the_Power
To: Paul Ferguson
cc: "Dr. Frederick B. Cohen" , firewalls@greatcircle.com
Subject: Re: Sysco Routers Son't Do Security
In-Reply-To: <9504152010.AA00326@hawksbill.sprintmrn.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Guys, if I talked to my Cisco routers, well, eh - they get worried enough
about my not sleeping....People - not the routers -;-)

Wow.

Joseph Stroup

On Sat, 15 Apr 1995, Paul Ferguson wrote:

> 
> > 
> > I just talked to a Sysco Router yesterday, and she said that they don't
> > do any security functions. They just tell the drivers where to go. And
> > in terms of acting as a firewall, she said that she would almost
> > certainly get burned.
> > 
> 
> Um, Fred, that's 'cisco,' not 'sysco.'
> 
> I can't imagine anyone from cisco Systems saying _anything_ like that.
> > - paul > > > _______________________________________________________________________________ > Paul Ferguson > US Sprint tel: 703.689.6828 > Managed Network Engineering internet: paul@hawk.sprintmrn.com > Reston, Virginia USA http://www.sprintmrn.com > From firewalls-owner Sat Apr 15 22:56:39 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id WAA25034 for firewalls-outgoing; Sat, 15 Apr 1995 22:40:59 -0700 Received: from wsrcc.com (wsrcc.com [140.174.88.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id WAA25029 for ; Sat, 15 Apr 1995 22:40:55 -0700 Received: by wsrcc.com id AA15971 (5.67a/IDA-1.5-WSR-02/23/94 for firewalls@greatcircle.com); Sat, 15 Apr 1995 22:41:27 -0700 Message-Id: <199504160541.AA15971@wsrcc.com> Received: from GATEWAY by wsrcc.com with netnews for firewalls@greatcircle.com (firewalls@greatcircle.com) To: firewalls@greatcircle.com Date: 15 Apr 1995 22:41:25 -0700 From: wolfgang@wsrcc.com (Wolfgang Rupprecht) Organization: W S Rupprecht Computer Consulting, Fremont CA References: Subject: Re: Any logs of SATAN attacks against firewalls? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk sikpuppy@maestro.com (Sick Puppy) writes: >Has anyone seen an S.. attack against a firewall? Yes. >If so, could you post part of the logs please? They're boring. The firewall used a simple three strikes and you're out program. A full solution would use a smarter watcher program that charaterized an attack and then informed the firewall to update its filters. One thing I *really* like about the current Morningstar Express software is that one can update filters whenever some user-defined trigger packets are received. In the full blown firewall design one could run tcpdump on a Unix host and have some high level pattern matcher watch the tcpdump output. Any suspicious activity would cause the program to tell the firewall to raise the drawbridge with respect to that subnet (or domain etc.). 
One could also set tripwires in sendmail/ftp/finger/http etc. looking for someone trying to exploit old bugs (e.g. if someone typed "debug" at sendmail). The daemons themselves could then tell the firewall to slam the door. This of course assumes that one is willing to live with an occasional denial of service attack.

-wolfgang
--
Wolfgang Rupprecht

From firewalls-owner Sun Apr 16 02:56:39 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id CAA28056 for firewalls-outgoing; Sun, 16 Apr 1995 02:27:25 -0700
Received: from hisar.cc.boun.edu.tr (hisar.cc.boun.edu.tr [193.140.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id CAA28049 for ; Sun, 16 Apr 1995 02:27:13 -0700
Received: by hisar.cc.boun.edu.tr (5.65/DEC-Ultrix/4.3) id AA19965; Sun, 16 Apr 1995 12:25:19 -0400
Date: Sun, 16 Apr 1995 12:25:18 -0400 (EDT)
From: Can Baysal
X-Sender: baysalc@hisar.cc.boun.edu.tr
To: Alan Hannan
Cc: "Dr. Frederick B. Cohen" , firewalls@GreatCircle.COM
Subject: Re: Sysco Routers Son't Do Security
In-Reply-To: <199504151916.OAA12919@jayhawk.mid.net>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 15 Apr 1995, Alan Hannan wrote:

> > I just talked to a Sysco Router yesterday, and she said that they don't
> > do any security functions. They just tell the drivers where to go. And
> > in terms of acting as a firewall, she said that she would almost
> > certainly get burned.
>
> I am assuming that you mean "Cisco" when you say "Sysco". I am constantly
> amazed by this cutting edge company. Not only do they provide amazing
> Internetworking Software, but they are so advanced in artificial intelligence.
> I mean, how you were able to actually communicate with a router, and have a
> conversation, Frederick, is amazing to me. However, typical to most Cisco
> Products, their first generation code has a few bugs. This android/AI thing
> to which you spoke did not speak correctly, Cisco Access Lists are a

Hi;

Well access-lists are really very good especially in case of emergency while it is impossible to get the links down (you know ordinary users). However Dr. if you really can speak with a router could you please ask our 2500 why does it send correct console output only to our 4000 :)))) It sends some garbage inserted to console output to our DecSystems.

Cheers;
Can BAYSAL;

> significant security function, and while they do not address authentication,
> they address originating addresses, which are a useful part of any firewalling
> system.
> --
> Alan Hannan  (402) 472-0241                MIDnet Inc.
> ------------------------------\ fax (402) 472-0240   A Global Internet Company
>

From firewalls-owner Sun Apr 16 05:26:44 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA29171 for firewalls-outgoing; Sun, 16 Apr 1995 04:57:13 -0700
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id EAA29166 for ; Sun, 16 Apr 1995 04:57:11 -0700
Received: from maestro.Maestro.COM by relay2.UU.NET with SMTP id QQylrz12275; Sun, 16 Apr 1995 07:57:43 -0400
Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA22876; Sun, 16 Apr 95 07:53:29 EDT
Date: Sun, 16 Apr 1995 07:53:28 -0400 (EDT)
From: Sick Puppy
Subject: Re: anyone seen an S.. attack against a firewall?
To: firewalls@GreatCircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thank you, those of you who mailed copies of logs.

Wolfgang made some interesting points on using pattern matching software to detect any suspicious activity and having it trigger some action by the firewall.

While this approach would guard against known types of attack, it would not be able to detect attacks where the pattern is unknown.

Following the release of The Big S.. I saw a sharp drop off in attacks. This was followed by increases in attacks from half a dozen sites, where the pattern does not match any of the scripts I have seen before and does not match Big S.. either. I suspect that some young genius, who deserves the respect of the "security professionals", has developed a stealthed version of Big S.. and passed it around.

Puppy the Prophet
interpreting scripture According to Bob
Eindhoven, Netherlands

From firewalls-owner Sun Apr 16 08:56:45 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA00544 for firewalls-outgoing; Sun, 16 Apr 1995 08:55:29 -0700
Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA00539 for ; Sun, 16 Apr 1995 08:55:25 -0700
From: fc@all.net (Dr. Frederick B. Cohen)
Received: by all.net (4.1/3.2.012693-Management Analytics); id AA03983 for firewalls@greatcircle.com; Sun, 16 Apr 95 11:52:05 EDT
Message-Id: <9504161552.AA03983@all.net>
Subject: Exploiting UDP Ports
To: firewalls@greatcircle.com
Date: Sun, 16 Apr 1995 11:52:04 -0400 (EDT)
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 1471
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I just added UDP port scanning to the SATAN portion of our testing service, and now find that a hole (not whole) new world is showing up on the scans.

Does anyone know if there is a version of syslog that does not run over UDP? Does anyone have a utility (similar to telnet?) that will let me create UDP packets from shell scripts so I can test UDP attacks from shell scripts? Is there a UDP wrapper of some sort that could be judiciously applied (realizing of course that source information in UDP packets is truly trivial to forge) by people wanting to close down UDP attacks?
I'm not completely certain, but I believe that anyone running UDP on a real computer (not just a router) exposed to the Internet is certain to be vulnerable to denial of service attacks of a wide variety. Is there anyone who believes otherwise, and if so why?

P.S. I was talking about a router at Sysco, the major food distributor, not Cisco the computer hardware company. Next time, I talk to someone who's in charge of fire safety at Crisco and see what they say.

--
-----------------
Management Analytics   216-686-0090 - PO Box 1480, Hudson, OH 44236
Check out info-security heaven and test your system for known vulnerabilities (1st time for free) at URL: http://all.net:8080 (scans deeper than SATAN or ISS)
-----------------
Read "Protection and Security on the Information Superhighway" -just released by Wiley and Sons-

From firewalls-owner Sun Apr 16 10:56:52 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA01629 for firewalls-outgoing; Sun, 16 Apr 1995 10:49:24 -0700
Received: from [158.152.139.213] (g-circle.demon.co.uk [158.152.139.213]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id KAA01624; Sun, 16 Apr 1995 10:49:11 -0700
X-Sender: (Unverified)
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 16 Apr 1995 18:48:23 -0800
To: fc@all.net (Dr. Frederick B. Cohen), firewalls@greatcircle.com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: Exploiting UDP Ports
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:52 4/16/95, Dr. Frederick B. Cohen wrote:
> I just added UDP port scanning to the SATAN portion of our
>testing service, and now find that a hole (not whole) new world is
>showing up on the scans.
>
> Does anyone know if there is a version of syslog that does not
>run over UDP?

What good would that do without recompiling everything that uses syslog? Source code isn't even available for some of the most interesting things that use syslog, like all the various routers and other network hardware out there.

>Does anyone have a utility (similar to telnet?) that will
>let me create UDP packets from shell scripts so I can test UDP attacks
>from shell scripts?

Not that I know of. It would be a very small C program or perl script... Get a basic text on UNIX network programming.

>Is there a UDP wrapper of some sort that could be
>judiciously applied (realizing of course that source information in UDP
>packets is truly trivial to forge) by people wanting to close down UDP
>attacks?

What attacks? That is, attacks against what services?

Basically, with UDP, you need to use some sort of packet filtering mechanism. You can't use something like TCP Wrappers, because that only works for servers started by inetd, and most UDP-based servers are not started by inetd.

The big problem with UDP is not the protocol itself, but the services that use it, like NFS and NIS. Blocking access to those services is further complicated by the fact that they're RPC-based, which means that they don't run on a fixed port number on every machine; in fact, it's not unusual to find them on a different port number every time the machine reboots. NFS seems to always use port 2049, but I don't see any reason why it would _have_ to, and I sure wouldn't want to base any security on the assumption it _would_.

> I'm not completely certain, but I believe that anyone running
>UDP on a real computer (not just a router) exposed to the Internet is
>certain to be vulnerable to denial of service attacks of a wide variety.
>Is there anyone who believes otherwise, and if so why?

What makes you think you're any more vulnerable to denial of service attacks via UDP than via TCP?

-Brent

----------------------------------------------------------------------
For info about the Internet Security Firewalls Tutorial and a schedule of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM
----------------------------------------------------------------------
Brent Chapman                              Great Circle Associates
Brent@GreatCircle.COM                      1057 West Dana Street
+1 415 962 0841                            Mountain View, CA 94041

From firewalls-owner Sun Apr 16 11:56:42 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA02389 for firewalls-outgoing; Sun, 16 Apr 1995 11:38:33 -0700
Received: from amisk.cs.ualberta.ca (amisk.cs.ualberta.ca [129.128.13.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA02384 for ; Sun, 16 Apr 1995 11:38:30 -0700
Received: by amisk.cs.ualberta.ca id <138867-2>; Sun, 16 Apr 1995 12:39:00 -0600
Subject: Crisco rooters?.. Let's change the subject..
From: Bob Beck
To: fc@all.net (Dr. Frederick B. Cohen)
Date: Sun, 16 Apr 1995 12:38:51 -0600 (MDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9504161552.AA03983@all.net> from "Dr. Frederick B. Cohen" at Apr 16, 95 11:52:04 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1818
Message-Id: <95Apr16.123900-0600_(mdt).138867-2@amisk.cs.ualberta.ca>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> P.S. I was talking about a router at Sysco, the major food distributor,
> not Cisco the computer hardware company. Next time, I talk to someone
> who's in charge of fire safety at Crisco and see what they say.

Oh Yoy! I await with bated breath the descriptions of the intricacies of tunnelling and rooting with Crisco products!

Perhaps this is getting a tad silly, maybe we should change the subject back to Bearcats vs. Mustangs at the Phoenix air races? (Anything but more SATAN.. heaven forbid something on topic :)

How about this one for all of you.
Here's a not quite normal situation: Let's say you have a relatively insecure network which for all intents and purposes you allow access to anyone off the street; it's a publicly accessible lab of PeeCees running the usual MicroSloth gamut, so the software on them is too stunned to really do any sort of user authentication itself. The problem is you want to allow http access out to the world from this lab to people who have come and gotten permission to do so, i.e. from this net where you can't tell who anyone is, you want to have any outside access authenticated in some manner.

"Conventional" proxies running on a bastion type host do a dandy job for most stuff; you can rig a proxy to ask for a username and password before initiating any connection to the outside world and log everything appropriately. I haven't yet found a really good one for http, particularly since most proxies try to be more and more transparent. For this, you'd like an http proxy that can be rigged to get a conventional forms-capable browser to ask for a username and password for access through the firewall in a reasonable manner. Anyone hacked up CERN or the like to try anything like this? Commercial stuff? Better ways? Discussion?

-Bob

From firewalls-owner Sun Apr 16 12:11:37 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA02410 for firewalls-outgoing; Sun, 16 Apr 1995 11:40:18 -0700
Received: from databus.databus.com (databus.databus.com [198.186.154.34]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA02405 for ; Sun, 16 Apr 1995 11:40:14 -0700
Date: Sun, 16 Apr 95 14:40 EDT
Message-ID: <9504161440.AA04396@databus.databus.com>
From: Barney Wolff
To: fc@all.net (Dr. Frederick B. Cohen), firewalls@greatcircle.com
Subject: Re: Exploiting UDP Ports
Content-Length: 5039
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: fc@all.net (Dr. Frederick B. Cohen)
> Date: Sun, 16 Apr 1995 11:52:04 -0400 (EDT)
>
> ... Does anyone have a utility (similar to telnet?) that will
> let me create UDP packets from shell scripts so I can test UDP attacks
> from shell scripts?

Here's a primitive UDP client.

/* tstudp.c  udp test client  10/8/94  Barney Wolff
   (c) 1994 Databus Inc.  Permission granted to use and/or modify for any
   lawful purpose, provided credit is given and this notice retained.
   Offered "as is" with no claim of fitness for any purpose.
   Principal limitations:  To put binary in the packet, modify uread to
   read hex rather than straight data.  Packet size is limited.  No
   provision for controlling source address or port.  Compiled/tested
   only with SVR4.

   Note on this archive copy: the list extraction dropped the header
   names and everything from the loop in dumppkt() up to the body of the
   send/receive loop (the rest of dumppkt, uread() and the start of
   main()).  Those parts are reconstructed below from the usage line and
   the surviving code, and are marked where they begin.  Two defects in
   the surviving code are also fixed: the reply was printed as a printf
   format string, and recvfrom() could fill rbuf completely, leaving no
   room for the terminating NUL. */
#define Usage "Usage: %s [-v] [-w] [-t timeout] ip_addr port\n"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <signal.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int verbose=0;              /* message verbosity */
int timeout=15;             /* default to 15 sec timeout */
struct sockaddr_in serv;    /* address structure for sendto */
int sockfd;                 /* file descriptor for socket ops */
char *argv0;                /* copy of argv[0] */
int sl;                     /* length of the line to send */
unsigned char rbuf[2048];   /* send/response buffer */

void Perror(char *msg) {    /* complain & die */
    char buf[BUFSIZ];
    snprintf(buf,sizeof(buf),"%s got errno %d on %s",argv0,errno,msg);
    perror(buf);
    exit(2);
}

void siga(int sig,void (*handler)(int)) {   /* our own signal setup routine */
    struct sigaction act;                   /* struct for signal setup */
    act.sa_handler = handler;               /* what to do */
    (void) sigemptyset(&act.sa_mask);       /* block nothing else during handler */
    act.sa_flags = 0;                       /* system calls will be interrupted */
    (void) sigaction(sig,&act,NULL);
}

void noresp(int sig) {      /* SIGALRM: the server never answered */
    fprintf(stderr,"No response after %d sec\n",timeout);
    exit(2);
}

void dumppkt(unsigned char *buf, int lth) {  /* dump out a packet */
    int i;
    /* reconstructed from here: hex dump, 16 bytes per line */
    for (i=0; i<lth; i++)
        fprintf(stderr,"%02x%c",buf[i],(i%16==15 || i==lth-1) ? '\n' : ' ');
}

/* Read one line of text from stdin into rbuf; returns its length, 0 at EOF.
   (reconstructed; replace this to send hex/binary instead of text) */
int uread(void) {
    if (fgets((char *)rbuf,sizeof(rbuf),stdin) == NULL) return 0;
    return (int)strlen((char *)rbuf);
}

int main(int argc,char **argv) {   /* reconstructed up to the send loop */
    int c, writeonly=0, bret=0;
    struct sockaddr_in from;
    socklen_t fromlen;

    argv0 = argv[0];
    while ((c = getopt(argc,argv,"vwt:")) != -1) {
        switch (c) {
        case 'v': verbose = 1; break;
        case 'w': writeonly = 1; break;        /* send only, don't wait for a reply */
        case 't': timeout = atoi(optarg); break;
        default: fprintf(stderr,Usage,argv0); exit(1);
        }
    }
    if (argc - optind != 2) { fprintf(stderr,Usage,argv0); exit(1); }

    memset(&serv,0,sizeof(serv));
    serv.sin_family = AF_INET;
    serv.sin_port = htons((unsigned short)atoi(argv[optind+1]));
    serv.sin_addr.s_addr = inet_addr(argv[optind]);
    if (serv.sin_addr.s_addr == INADDR_NONE) {
        fprintf(stderr,"%s: bad ip_addr %s\n",argv0,argv[optind]); exit(1);
    }
    if ((sockfd = socket(AF_INET,SOCK_DGRAM,0)) < 0) Perror("socket");

    /* original code resumes here: one datagram per input line */
    while ((sl = uread()) > 0) {
        if (verbose) fprintf(stderr,"Sending >>%s<<\n",(char *)rbuf);
        siga(SIGALRM,noresp);
        if (sendto(sockfd,rbuf,sl,0,(struct sockaddr *)&serv,sizeof(serv)) < 0)
            Perror("sendto");
        alarm(timeout);
        fromlen = sizeof(from);
        if (!writeonly)   /* leave one byte for the terminating NUL */
            bret=recvfrom(sockfd,rbuf,sizeof(rbuf)-1,0,(struct sockaddr *)&from,&fromlen);
        alarm(0);
        if (writeonly) continue;
        if (bret<0) Perror("recv");   /* shouldn't get other errors */
        if (verbose) dumppkt(rbuf,bret);
        if (!verbose && bret > 0 && rbuf[bret-1] == '\r') bret--;
        rbuf[bret] = '\0';
        /* the reply is untrusted data: print it as a string, never as a format */
        if (!verbose && bret > 0 && rbuf[bret-1] == '\n') fputs((char *)rbuf,stderr);
        else fprintf(stderr,"Got >>%s<<\n",(char *)rbuf);
    }
    return 0;
}

From firewalls-owner Sun Apr 16 13:56:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA03934 for firewalls-outgoing; Sun, 16 Apr 1995 13:27:54 -0700
Received: from gsbux1.uchicago.edu (gsbux1.uchicago.edu [128.135.130.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id NAA03929 for ; Sun, 16 Apr 1995 13:27:52 -0700
Received: (mmwidner@localhost) by gsbux1.uchicago.edu (8.6.10/8.6.4) id PAA06366; Sun, 16 Apr 1995 15:28:20 -0500
From: "Michael R. Widner"
Message-Id: <199504162028.PAA06366@gsbux1.uchicago.edu>
Subject: Re: Exploiting UDP Ports
To: fc@all.net (Dr. Frederick B. Cohen)
Date: Sun, 16 Apr 1995 15:28:19 -0500 (CDT)
Cc: firewalls@greatcircle.com
Reply-To: widner@uchicago.edu
In-Reply-To: <9504161552.AA03983@all.net> from "Dr. Frederick B. Cohen" at Apr 16, 95 11:52:04 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 940
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Previously, Dr. Frederick B. Cohen wrote:
> Does anyone know if there is a version of syslog that does not
> run over UDP? Does anyone have a utility (similar to telnet?) that will
> let me create UDP packets from shell scripts so I can test UDP attacks
> from shell scripts?

One of the great things about syslogd on UDP is that anybody can put forged entries into your log files. This is a great way to frame somebody you don't like, or just generally contribute to the paranoia of an admin you want to play games with. Perhaps insert 100 failed telnet and rlogins as root from cert.org to all your friends' machines.

This just goes back to the same old points. IP addresses are not good for authentication, and they're really not even good for identification. UDP is easy to fake, so don't trust much of what you see on it unless you've got a good authentication scheme on top of it.

-Mike
--
Michael R. Widner   widner@uchicago.edu

From firewalls-owner Sun Apr 16 15:26:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA05201 for firewalls-outgoing; Sun, 16 Apr 1995 15:24:45 -0700
Received: from voyager.datatools.com (datatools.com [192.216.89.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA05196 for ; Sun, 16 Apr 1995 15:24:43 -0700
Message-Id: <199504162224.PAA05196@miles.greatcircle.com>
Received: by voyager.datatools.com (4.1/4.7); Sun, 16 Apr 95 15:25:26 PDT
Date: Sun, 16 Apr 95 15:25:26 PDT
From: greep@datatools.com (Steven Tepper)
To: firewalls@greatcircle.com
In-Reply-To: <9504161552.AA03983@all.net> (fc@all.net)
Subject: Re: Exploiting UDP Ports
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: fc@all.net (Dr. Frederick B. Cohen)
> Subject: Exploiting UDP Ports
...
> P.S. I was talking about a router at Sysco, the major food distributor,
> not Cisco the computer hardware company. Next time, I talk to someone
> who's in charge of fire safety at Crisco and see what they say.

Since the firewalls list often discusses crackers, don't forget Nabisco.
From firewalls-owner Sun Apr 16 16:56:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA05953 for firewalls-outgoing; Sun, 16 Apr 1995 16:27:13 -0700
Received: from archimedes.vislab.navy.mil (archimedes.chinalake.navy.mil [129.131.31.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA05948 for ; Sun, 16 Apr 1995 16:27:10 -0700
Received: from archimedes.vislab.navy.mil (parcival.vislab.navy.mil [129.131.31.12]) by archimedes.vislab.navy.mil (current-1701B/current-CL-CL) with ESMTP id QAA10699 for ; Sun, 16 Apr 1995 16:29:51 -0700
Posted-Date: Sun, 16 Apr 1995 16:29:51 -0700
Message-Id: <199504162329.QAA10699@archimedes.vislab.navy.mil>
To: firewalls@greatcircle.com
Subject: Re: anyone seen an S.. attack against a firewall?
In-reply-to: Your message of "Sun, 16 Apr 1995 07:53:28 EDT."
Date: Sun, 16 Apr 1995 16:29:45 -0700
From: Benjamin Allan Smith
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

(I know this overlaps with the Intrusion detection list, but I think that reacting to people knocking on your front door is also a firewalls issue)

Sick Puppy wrote:
> Wolfgang made some interesting points on using pattern matching software
> to detect any suspicious activity and having it trigger some action by
> the firewall.
>
> While this approach would guard against known types of attack, it would
> not be able to detect attacks where the pattern is unknown.

This all depends upon how you code your detector. If your program only matches the footprints of Satan, ISS, and other known programs, you are only protected for those attacks. But if your code is more general, looking at generic patterns of connections that your site has determined as "bad", Satan and ISS will probably be a subset of these generic patterns. When coding automatic detectors/countermeasures you need to look for trees, not just oaks and maples.

The other thing that you have to decide for your detector is the time frame to look at. Courtney (or at least 1.0--I haven't looked at 1.1 yet) looks at connections over the last 7 minutes. All you need to do to break this is slow Satan down with the equivalent of a bunch of sleep()s and Courtney wouldn't see anything. Maybe the last 30 minutes is the timeframe that you want to look at. Personally, I'd like to have a program that was generic enough to look at the last n minutes (where you define n to suit your needs) and a version that looks at all connections over the last day, week, whatever, that tries to catch the sneaky, patient cracker. Of course if he was really sneaky, he'd run his version of Satan (or his equivalent) issuing one detectable event from a different site over a long span of time...

-Benjamin Smith
----------------
Science Applications International Corporation
Naval Air Warfare Center, Weapons Division, China Lake
bens@archimedes.vislab.navy.mil
1972 Land Rover Series III 88

From firewalls-owner Sun Apr 16 17:28:48 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA06571 for firewalls-outgoing; Sun, 16 Apr 1995 17:24:04 -0700
Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA06566 for ; Sun, 16 Apr 1995 17:23:56 -0700
From: fc@all.net (Dr. Frederick B. Cohen)
Received: by all.net (4.1/3.2.012693-Management Analytics); id AA24246 for firewalls@greatcircle.com; Sun, 16 Apr 95 20:20:32 EDT
Message-Id: <9504170020.AA24246@all.net>
Subject: Improved detection of attack patterns and the time issue
To: firewalls@greatcircle.com
Date: Sun, 16 Apr 1995 20:20:32 -0400 (EDT)
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 1825
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I think that a lot of detectors are missing the deeper issues and that time-based methods are doomed to failure. Regardless of the time window and activity level within that window, it is possible to design the attack to sneak below the detection threshold. Furthermore, there is the issue of false positives and the signal to noise ratio. The noise level is getting higher (in case you haven't noticed) at a rate apparently designed (or not) so that we don't notice it. As we get more false positives, we decrease the time window or increase the detection threshold, thus increasing the severity of detected attack. If you study this phenomenon a bit (as others have), you find that there is no time window or activity level that can avoid this problem and that the detection threshold and noise levels are parameters in the strategy and tactics of information warfare, which we are all essentially engaged in.

An alternative approach that I have taken is to forget time, set absolute thresholds (e.g., 2 attempts for warning and 3 attempts for action), and keep history on all potentially malicious acts forever. In some cases it has taken several years to get the job done, but over time, I seem to catch people pretty successfully.

There are a lot of other strategies and tactics that may be applied in various situations, but of course simplistic defenses lend themselves to simplistic attacks.
-- ----------------- \Management /\/| 216-686-0090 - PO Box 1480, Hudson, OH 44236 \ /\/ | Check out info-security heaven and test your system \/\ /\/ | for known vulnerabilities (1st time for free) at URL: \/Analytics| (scans deeper than SATAN or ISS) http://all.net:8080 ----------------- Read "Protection and Security on the Information Superhighway" -just released by Wiley and Sons- From firewalls-owner Sun Apr 16 18:26:49 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA07302 for firewalls-outgoing; Sun, 16 Apr 1995 18:03:26 -0700 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA07297 for ; Sun, 16 Apr 1995 18:03:22 -0700 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA01605; Sun, 16 Apr 95 20:48:42 -0400 Date: Sun, 16 Apr 95 20:48:41 -0400 Message-Id: <9504170048.AA01605@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: UDP Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In their great wisdom, the framers of IP allowed that one size might not fit all and so allow User Defined Protocols. The have their place but IMNSHO, not across a firewall - if you need a 'wall, *by definition* you must be able to control it. I have yet to find anything that I need to do across a firewall that cannot be found within TCP except ICMP (and am working on a proxy for that). If am responsible for a gate, then am only going to allow things that are understand across it and I am still learning. Does anyone out there feel they know it all ? 
The more learned, the more I find that is not understood & UDPs are about as close to chaos as you can get To me, I want some justification before more than PING, SMTP, Telnet, FTP, NNTP, and HTTP cross the 'wall and have usually been able to give people a way to do what they want within this. Would rather provide an authenticated dial-up to the user if more is needed. Personally cannot think of any legitemate requirement for FINGER that cannot be satisfied by a telephone call. Am sorry if this is not a PC viewpoint and do not want to imply that I am always happy with what is implimented. Just my opinion. Warmly, Padgett From firewalls-owner Sun Apr 16 18:56:51 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA07778 for firewalls-outgoing; Sun, 16 Apr 1995 18:47:31 -0700 Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id SAA07773 for ; Sun, 16 Apr 1995 18:47:27 -0700 Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA02867; Sun, 16 Apr 95 21:46:31 -0500 From: paul@hawksbill.sprintmrn.com (Paul Ferguson) Message-Id: <9504170246.AA02867@hawksbill.sprintmrn.com> Subject: Re: UDP To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson P.E. Information Security) Date: Sun, 16 Apr 1995 21:46:31 -0500 (EST) Cc: firewalls@greatcircle.com (Firewalls List) In-Reply-To: <9504170048.AA01605@uvs1.orl.mmc.com> from "A. Padgett Peterson, P.E. Information Security" at Apr 16, 95 08:48:41 pm X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 861 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Padgett writes - > > To me, I want some justification before more than PING, SMTP, Telnet, > FTP, NNTP, and HTTP cross the 'wall and have usually been able to > give people a way to do what they want within this. Would rather > provide an authenticated dial-up to the user if more is needed. 
> Personally
> cannot think of any legitimate requirement for FINGER that cannot be
> satisfied by a telephone call.
>

I can see obvious needs for various UDP services across/through a firewall, such as 53/UDP.

- paul

_______________________________________________________________________________ Paul Ferguson US Sprint tel: 703.689.6828 Managed Network Engineering internet: paul@hawk.sprintmrn.com Reston, Virginia USA http://www.sprintmrn.com

From firewalls-owner Sun Apr 16 19:18:26 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA07758 for firewalls-outgoing; Sun, 16 Apr 1995 18:46:58 -0700 Received: from archimedes.vislab.navy.mil (archimedes.chinalake.navy.mil [129.131.31.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA07752 for ; Sun, 16 Apr 1995 18:46:55 -0700 Received: from archimedes.vislab.navy.mil (parcival.vislab.navy.mil [129.131.31.12]) by archimedes.vislab.navy.mil (current-1701B/current-CL-CL) with ESMTP id SAA11563 for ; Sun, 16 Apr 1995 18:49:38 -0700 Posted-Date: Sun, 16 Apr 1995 18:49:38 -0700 Message-Id: <199504170149.SAA11563@archimedes.vislab.navy.mil> To: firewalls@greatcircle.com Subject: Re: Improved detection of attack patterns and the time issue In-reply-to: Your message of "Sun, 16 Apr 1995 20:20:32 EDT." <9504170020.AA24246@all.net> Date: Sun, 16 Apr 1995 18:49:31 -0700 From: Benjamin Allan Smith Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Dr. Frederick B. Cohen wrote:
> I think that a lot of detectors are missing the deeper issues and that
> time-based methods are doomed to failure. Regardless of the time window
> and activity level within that window, it is possible to design the
> attack to sneak below the detection threshold.

I agree that for any time window detection application window, an attacker can hit below the detection threshold. But time-based detection methods have their uses. They can tell you that you are being hit right now by a noisy source.
I like looking at a lot of different time windows. When used together, short (like last 30 minutes), medium (1 day and 1 week) and long (over all time) time frame windows will give you a fairly good picture of what is happening.

> Furthermore, there is
> the issue of false positives and the signal to noise ratio. The noise
> level is getting higher (in case you haven't noticed) at a rate
> apparently designed (or not) so that we don't notice it. As we get more
> false positives, we decrease the time window or increase the detection
> threshold, thus increasing the severity of detected attack.

This all depends upon what your current signal to noise ratio is. I would expect to find that a higher threshold is necessary for say a large class B net, than a smaller class C one. The trick is to minimize the false positives so that you avoid the positive feedback loop that you mentioned. Defining exactly what is a hostile pattern of connections is the hard part. For an internet provider the threshold may be fairly high. For a military site that only talks to other military sites and a few specific non-military sites, the threshold will be much lower.

As for the noise level getting higher, I haven't noticed. But then since I don't have any advertised services, and since I'm in a quiet part of the net, my threshold is fairly low.
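[Editor's added example, not part of Benjamin Smith's message or of Courtney/SATAN.] The multi-window idea above (short, medium and long windows evaluated together, each with its own threshold) in working form. The log format, the window lengths, the thresholds and the three constructed sources are assumptions made for this illustration; it also covers the point in the reply from Dr. Cohen that any single window can be undercut by a slow enough attacker.

```python
"""Multi-window connection-pattern detector (added example; assumptions noted).

Evaluates one connection log over several time windows at once.  A noisy
source trips the short window; a slow, patient source stays under every
short-window threshold but still accumulates past the long-window one.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Window name -> (length, threshold of distinct services in that window).
# None means "all time".  Lengths and thresholds are illustrative choices.
WINDOWS = {
    "30min": (timedelta(minutes=30), 8),
    "1day": (timedelta(days=1), 12),
    "1week": (timedelta(days=7), 20),
    "all": (None, 40),
}


def build_sample_log():
    """Construct a small log (format: ISO-time src dst:port); not real data."""
    t0 = datetime(1995, 4, 16, 9, 0, 0)
    lines = []
    # Noisy source: ten services on one host within five minutes.
    for i in range(10):
        ts = t0 + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.9 192.0.2.10:{21 + i}")
    # Slow source: one new service every three hours for a week (56 probes).
    for i in range(56):
        ts = t0 + timedelta(hours=3 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.7 192.0.2.10:{1000 + i}")
    # Ordinary client: a few mail and web connections.
    for i, port in enumerate((25, 80, 80)):
        ts = t0 + timedelta(hours=i)
        lines.append(f"{ts.isoformat()} 192.0.2.55 192.0.2.10:{port}")
    return lines


def parse(lines):
    """Return {src: [(timestamp, target), ...]} with each list sorted by time."""
    by_src = defaultdict(list)
    for line in lines:
        stamp, src, target = line.split()
        by_src[src].append((datetime.fromisoformat(stamp), target))
    for events in by_src.values():
        events.sort()
    return by_src


def max_distinct_in_window(events, length):
    """Largest number of distinct targets seen in any interval of `length`."""
    if length is None:
        return len({target for _, target in events})
    best, left, seen = 0, 0, Counter()
    for ts, target in events:
        seen[target] += 1
        while ts - events[left][0] > length:   # evict events older than the window
            old = events[left][1]
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
            left += 1
        best = max(best, len(seen))
    return best


def detect(lines, windows=WINDOWS):
    """Return {src: [window names whose threshold was met]}; quiet sources are omitted."""
    alerts = {}
    for src, events in parse(lines).items():
        tripped = [name for name, (length, threshold) in windows.items()
                   if max_distinct_in_window(events, length) >= threshold]
        if tripped:
            alerts[src] = tripped
    return alerts


if __name__ == "__main__":
    for src, names in detect(build_sample_log()).items():
        print(f"{src}: exceeded threshold in {', '.join(names)}")
```

On the constructed log the burst source is reported by the 30-minute window only, the three-hourly source by the one-week and all-time windows only, and the ordinary client by none; raising or lowering the thresholds is where the class B versus class C tuning discussed above would go.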
-Benjamin Smith
----------------
Science Applications International Corporation Naval Air Warfare Center, Weapons Division, China Lake bens@archimedes.vislab.navy.mil 1972 Land Rover Series III 88

From firewalls-owner Sun Apr 16 20:26:44 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA09176 for firewalls-outgoing; Sun, 16 Apr 1995 20:11:34 -0700 Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id UAA09171 for ; Sun, 16 Apr 1995 20:11:29 -0700 Message-Id: <199504170311.UAA09171@miles.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA128408374; Mon, 17 Apr 1995 13:12:54 +1000 From: Darren Reed Subject: Re: Exploiting UDP Ports To: fc@all.net (Dr. Frederick B. Cohen) Date: Mon, 17 Apr 1995 13:12:54 +1000 (EST) Cc: firewalls@greatcircle.com In-Reply-To: <9504161552.AA03983@all.net> from "Dr. Frederick B. Cohen" at Apr 16, 95 11:52:04 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 1497 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In some mail from Dr. Frederick B. Cohen, they said:
>
> I just added UDP port scanning to the SATAN portion of our
> testing service, and now find that a hole (not whole) new world is
> showing up on the scans.
>
> Does anyone know if there is a version of syslog that does not
> run over UDP? Does anyone have a utility (similar to telnet?) that will
> let me create UDP packets from shell scripts so I can test UDP attacks
> from shell scripts? Is there a UDP wrapper of some sort that could be
> judiciously applied (realizing of course that source information in UDP
> packets is truly trivial to forge) by people wanting to close down UDP
> attacks?

Try running syslogd() as a non-root user so it can't bind to the port it wants. Check the firewalls digests for more info on syslogd and options available (this has been discussed in more detail in the past).
Someone was worried about port 53? You don't need to set up a special relay for this. BIND 4.9.3-beta17 will bind to all port 53s it can so that on a dual-homed host, if you have IP forwarding turned off, you can send a query to the internal interface and it should be able to answer with the query it gets in the other side. Someone might like to try this out and let us know how it goes, but I believe it should work.

darren

p.s. if you're wondering what "all port 53s" means, it means it will bind to 127.0.0.1.53, 0.0.0.0.53, le.0.ip.#.53 and le.1.ip.#.53 (for example on a Sparc with two ethernet cards).

From firewalls-owner Sun Apr 16 21:26:44 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA10055 for firewalls-outgoing; Sun, 16 Apr 1995 21:20:36 -0700 Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id VAA10050 for ; Sun, 16 Apr 1995 21:20:34 -0700 Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id XAA14037; Sun, 16 Apr 1995 23:10:43 -0500 Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma014035; Sun Apr 16 23:10:37 1995 Received: from ignatz (ignatz.bridge.com) by ignatz.bridge.com with SMTP id AA17178 (5.67b/IDA-1.5); Sun, 16 Apr 1995 23:23:31 -0500 Date: Sun, 16 Apr 1995 23:23:30 -0500 (CDT) From: Ken Hardy X-Sender: ken@ignatz To: "Dr. Frederick B. Cohen" Cc: firewalls@greatcircle.com Subject: Re: Exploiting UDP Ports In-Reply-To: <9504161552.AA03983@all.net> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Sun, 16 Apr 1995, Dr. Frederick B. Cohen wrote:
> Does anyone have a utility (similar to telnet?) that will
> let me create UDP packets from shell scripts so I can test UDP attacks
> from shell scripts?
Basically snarfed from courtney.pl:

#!/usr/bin/perl
require "syslog.pl";    # Perl 4 syslog library: sends the message as a UDP datagram to the local syslog port
&syslog ('alert', "This is a syslog message!");

-KH

From firewalls-owner Mon Apr 17 00:58:37 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA12708 for firewalls-outgoing; Mon, 17 Apr 1995 00:32:16 -0700 Received: from funet.fi (funet.fi [130.230.1.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id AAA12703 for ; Mon, 17 Apr 1995 00:32:13 -0700 Received: from relevantum.fi by funet.fi with SMTP (PP); Mon, 17 Apr 1995 10:32:41 +0300 Received: by relevantum.fi (4.1/SMI-4.1-MHS-7.0) id AA07896; Mon, 17 Apr 95 10:32:02 +0300 Date: Mon, 17 Apr 1995 10:31:58 +0300 (EET DST) From: Keinanen Vesa To: Brian Rogers Cc: Samuel Richardson , Roger Davenport , firewalls@greatcircle.com Subject: Re: Transparent proxies In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Talking about transparent proxies and TIA

> Do you mean something that looks like a router but acts like a proxy?

I think it's more like this: Looks like a router, acts like a proxy and doesn't need any changes on host systems.

> I've been wondering that myself. Have you heard of TIA (The Internet
> Adapter)? It's basically a proxy-router hybrid for SLIP users. I've

It requires changes on host systems, so it doesn't count. I guess your "adapted TIA" belongs in the category of circuit gateways (like SOCKS).
VK
--
Vesa Keinanen Nasilinnankatu 24 D, 33210 Tampere, Finland Relevantum Oy Phone +358 31 2147200, Fax +358 31 2147402

From firewalls-owner Mon Apr 17 02:59:09 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id CAA15984 for firewalls-outgoing; Mon, 17 Apr 1995 02:56:16 -0700 Received: from saul4.u.washington.edu (saul4.u.washington.edu [140.142.83.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id CAA15979 for ; Mon, 17 Apr 1995 02:56:13 -0700 Received: from blobbo.ee.washington.edu by saul4.u.washington.edu (5.65+UW95.02/UW-NDC Revision: 2.32 ) id AA17859; Mon, 17 Apr 95 02:56:47 -0700 Date: Mon, 17 Apr 1995 03:08:05 -0900 (PDT) From: Jim Cabral To: Firewalls@GreatCircle.COM Cc: truth@chmc.org Subject: Re: Firewalls-Digest V4 #236 X-Sender: cabralje@saul.u.washington.edu In-Reply-To: <199504150527.WAA06130@miles.greatcircle.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> I've got a tricky question concerning using a Sun Netra with firewall-1
> running on it and Novell's IPX/SPX. More generically, it addresses
> the issue if any Unix box routing between two ethernet interfaces can
> "bridge" IPX/SPX. Note the following picture:
>
>       192.207.93.0 Class C network
>       255.255.192.0 subnet mask
>
>
>   netcom.com ----- hardware ----(le0) netra (le1)---
>                    router             firewall-1   |
>                       |                            |
>                    xylogics                 internal network
>                       |                            |
>                    modems                          |
>                       |                         clients
>                  remote client
>
> The scenario is that if an employee uses a dial up modem into
> the xylogics terminal server and is using NovellRemote, the xylogics
> will handle it and pump out IPX/SPX packets to the router. The router
> can handle it, and bridges the packets out to the netra. Since
> the netra is a TCP/IP router, I am 98% darn sure that the IPX/SPX
> packets will not make it over to the internal network.
>
> So ... is it possible to make this happen?
>
> question (1) : Can a Sun (or any Unix box) with two ethernet interfaces
>                be made to bridge IPX/SPX packets?
>
>                If no, I guess we have to put the xylogics on the
>                inside of the firewall. Bummer.
>
>                If yes, what software products are required to make
>                this happen?
>
> question (2) : Now that we can "bridge" IPX/SPX across two ethernets,
>                will this still work if Firewall-1 is running on the
>                netra ?
>
>                If Firewall-1 can't do it, how about TIS or Gauntlet?
>
> Thanks for your time, consideration, and thoughts,
>
> david
> - -------------
> david flinn
> david@wsi.com
>

I'm running into a similar problem, although using Windows NT 3.5 RAS as a dialin server (on the Internet DMZ side of a fwtk firewall) so I need to bridge both IPX and NetBIOS. A partner of mine thinks we should just put a second NIC in the NT server, configure only IP on the NIC connected to the Internet DMZ, and configure only NetBIOS and IPX on the NIC connected to the internal network. I think this is a good solution but I was wondering the following:

*********************** Question *************************************

Does anyone know of a version of screend or similar packet screen that supports bridging IPX and/or NetBIOS on an Ultrix system? I don't think such an animal exists but it would be helpful to allow us to log IPX and NetBIOS traffic.

jim

Jim Cabral 7712 Corliss Ave N, Seattle, WA 98103 Puget Technology Group, Inc. Systems Engineer, Voice/Pager/Fax: 206/525-1242 Univ.
of Washington, Electrical Engineering, Research Assistant 206/543-1017

From firewalls-owner Mon Apr 17 05:27:04 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA17682 for firewalls-outgoing; Mon, 17 Apr 1995 05:11:32 -0700 Received: from [158.152.139.213] (g-circle.demon.co.uk [158.152.139.213]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA17674 for ; Mon, 17 Apr 1995 05:11:08 -0700 X-Sender: (Unverified) Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 17 Apr 1995 13:10:13 +0000 To: firewalls@greatcircle.com (Firewalls List) From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: UDP Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 21:46 4/16/95, Paul Ferguson wrote:
>Padgett writes -
>
>>
>> To me, I want some justification before more than PING, SMTP, Telnet,
>> FTP, NNTP, and HTTP cross the 'wall and have usually been able to
>> give people a way to do what they want within this. Would rather
>> provide an authenticated dial-up to the user if more is needed. Personally
>> cannot think of any legitimate requirement for FINGER that cannot be
>> satisfied by a telephone call.
>>
>
>I can see obvious needs for various UDP services across/through a
>firewall, such as 53/UDP.

Having just spent the weekend working on the "services" chapter for the book (it goes out for tech review today; no, thank you, it's too late to add any more reviewers for the list, but you should be able to buy it in late August, from O'Reilly & Associates)...

Yes, you need to allow 53/UDP across the firewall, for DNS. Other UDP-based services that you might want to allow are NTP (not much worse a problem than DNS, and dealt with in much the same way; see below) and maybe Archie (big problem, see below).
The main reason most well-constructed firewalls block UDP is because that's the only effective way to block access to RPC-based services like NFS and NIS/YP (which are RPC-over-UDP-based, but live on unpredictable UDP port numbers). You probably do need to handle at least DNS, though, unless you're going with a 100% proxy solution and name resolution is done by the proxy servers, not the proxy clients.

The trick is to limit your exposure. What I recommend is setting up a DNS server on a bastion host (outside your filtering system) and another server on an internal machine (inside your filtering system). Then, arrange things so that the only UDP that can pass through your filtering system is DNS between these two servers. Then, set up the internal server so that it forwards to the bastion server all queries it can't answer from its own knowledge or cache (via a "forwarders" line in the /etc/resolv.conf file), instead of trying to contact DNS servers around the world to work its way through the DNS tree to find the answers itself. Let the bastion host DNS server (which is outside your filtering) be the one to query all the random servers on the Internet.

You can use a similar approach with NTP: an NTP server on the bastion host, another internally, and the only NTP traffic allowed through the filters being the two servers talking to each other.

Archie is trickier.
The best suggestion I can make for Archie is to use a WWW client and one of the HTTP-Archie gateway pages, such as

http://www.nexor.co.uk/archie.html
http://www.lerc.nasa.gov/Doc/archieplex-httpd.html
http://hoohoo.ncsa.uiuc.edu/archie.html

-Brent

---------------------------------------------------------------------- For info about the Internet Security Firewalls Tutorial and a schedule of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM ---------------------------------------------------------------------- Brent Chapman Great Circle Associates Brent@GreatCircle.COM 1057 West Dana Street +1 415 962 0841 Mountain View, CA 94041

From firewalls-owner Mon Apr 17 05:56:47 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA18340 for firewalls-outgoing; Mon, 17 Apr 1995 05:50:29 -0700 Received: from dylan.mindspring.com (dylan.mindspring.com [204.180.128.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id FAA18335 for ; Mon, 17 Apr 1995 05:50:27 -0700 Received: from darrell.mindspring.com [168.121.20.195] by dylan.mindspring.com with SMTP id IAA13453 for ; Mon, 17 Apr 1995 08:50:51 -0400 Message-Id: <199504171250.IAA13453@dylan.mindspring.com> X-Sender: darrell@expertg.com X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 17 Apr 1995 08:50:00 -0500 To: Firewalls@GreatCircle.COM From: darrell@expertg.com (DARRELL KNIGHT) Subject: Re: Firewalls-Digest V4 #237 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Dear Firewalls - please STOP sending me this Digest Info.
I have no interest in it at all. Thank you

Darrell Knight

From firewalls-owner Mon Apr 17 06:12:23 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA18379 for firewalls-outgoing; Mon, 17 Apr 1995 05:52:25 -0700 Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA18372; Mon, 17 Apr 1995 05:52:21 -0700 Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA03918; Mon, 17 Apr 95 08:52:45 -0500 From: paul@hawksbill.sprintmrn.com (Paul Ferguson) Message-Id: <9504171352.AA03918@hawksbill.sprintmrn.com> Subject: Re: UDP To: Brent@GreatCircle.COM (Brent Chapman) Date: Mon, 17 Apr 1995 08:52:44 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: from "Brent Chapman" at Apr 17, 95 01:10:13 pm X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 1263 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Brent writes -
>
> >
> >I can see obvious needs for various UDP services across/through a
> >firewall, such as 53/UDP.
>
>
> Yes, you need to allow 53/UDP across the firewall, for DNS. Other
> UDP-based services that you might want to allow are NTP (not much worse a
> problem than DNS, and dealt with in much the same way; see below) and maybe
> Archie (big problem, see below).
>
> The main reason most well-constructed firewalls block UDP is because that's
> the only effective way to block access to RPC-based services like NFS and
> NIS/YP (which are RPC-over-UDP-based, but live on unpredictable UDP port
> numbers).
>

My point is that a statement, such as what Padgett mentioned, that there needs to be 'justification' for permitting UDP services through a firewall needs further clarification. Each organization should scrutinize their unique needs for _all_ services, including TCP.
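[Editor's added example, not part of any message in this thread and not configuration from any firewall product.] The UDP policy Brent Chapman describes earlier in the thread (a name server on the bastion host outside the filter, another inside, and only DNS and NTP between those two hosts allowed through) as a small rule evaluator. The addresses, the interface names and the assumption that both servers send from port 53 are choices made for this illustration; the interface check addresses the forgeable-source-address caveat raised in Dr. Cohen's message.

```python
"""Filter policy for a split DNS/NTP arrangement (added example; assumptions noted).

The only UDP allowed through the filtering system is name service (and
NTP) between the bastion-host server and the internal server.  Every
other UDP datagram, including RPC-based services such as NFS and NIS
that live on unpredictable ports, falls through to the final deny rule.
"""
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.1.0.0/16")   # assumed protected network
INTERNAL_DNS = ip_address("10.1.1.53")     # assumed internal DNS/NTP server
BASTION_DNS = ip_address("192.0.2.2")      # assumed bastion host, outside the filter

DNS, NTP = 53, 123

# Rule tuple: (src, sport, dst, dport, action); None matches anything.
# First match wins.  Both name servers are assumed to query from port 53
# (BIND 4 named's default for server-to-server queries); NTP peers use 123.
UDP_RULES = [
    (INTERNAL_DNS, DNS, BASTION_DNS, DNS, "allow"),
    (BASTION_DNS, DNS, INTERNAL_DNS, DNS, "allow"),
    (INTERNAL_DNS, NTP, BASTION_DNS, NTP, "allow"),
    (BASTION_DNS, NTP, INTERNAL_DNS, NTP, "allow"),
    (None, None, None, None, "deny"),          # everything else: NFS, NIS, ...
]


def udp_verdict(src, sport, dst, dport, arrived_on, rules=UDP_RULES):
    """Decide 'allow' or 'deny' for one UDP datagram.

    arrived_on is 'outside' or 'inside': the filter interface the datagram
    came in on.  UDP source addresses are trivial to forge, so an
    address-based rule is only meaningful after an interface check: nothing
    arriving on the outside interface may carry an inside source address,
    and nothing arriving on the inside interface may carry an outside one.
    """
    src, dst = ip_address(src), ip_address(dst)
    if arrived_on == "outside" and src in INTERNAL_NET:
        return "deny"                              # forged inside address
    if arrived_on == "inside" and src not in INTERNAL_NET:
        return "deny"                              # forged outside address
    for r_src, r_sport, r_dst, r_dport, action in rules:
        if ((r_src is None or src == r_src) and (r_sport is None or sport == r_sport)
                and (r_dst is None or dst == r_dst) and (r_dport is None or dport == r_dport)):
            return action
    return "deny"


# Constructed sample datagrams: (label, src, sport, dst, dport, interface).
SAMPLE_DATAGRAMS = [
    ("internal server -> bastion, DNS", "10.1.1.53", 53, "192.0.2.2", 53, "inside"),
    ("bastion -> internal server, DNS", "192.0.2.2", 53, "10.1.1.53", 53, "outside"),
    ("NTP between the two servers", "10.1.1.53", 123, "192.0.2.2", 123, "inside"),
    ("random Internet host -> internal DNS", "198.51.100.1", 53, "10.1.1.53", 53, "outside"),
    ("NFS request from outside", "198.51.100.1", 1023, "10.1.1.20", 2049, "outside"),
    ("internal client asking bastion directly", "10.1.1.20", 53, "192.0.2.2", 53, "inside"),
    ("forged inside address on the outside wire", "10.1.1.53", 53, "192.0.2.2", 53, "outside"),
]


def audit(datagrams=SAMPLE_DATAGRAMS):
    """Return [(label, verdict), ...] for a list of datagrams."""
    return [(label, udp_verdict(src, sp, dst, dp, iface))
            for label, src, sp, dst, dp, iface in datagrams]


if __name__ == "__main__":
    for label, verdict in audit():
        print(f"{verdict:5}  {label}")
```

Only the first three constructed datagrams pass. An outside host can still forge the bastion's own address toward the internal server, so this narrows the exposure to one host pair on two fixed ports rather than removing it, which is the "limit your exposure" point made above.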
Cheers, - paul _______________________________________________________________________________ Paul Ferguson US Sprint tel: 703.689.6828 Managed Network Engineering internet: paul@hawk.sprintmrn.com Reston, Virginia USA http://www.sprintmrn.com From firewalls-owner Mon Apr 17 06:27:11 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA19080 for firewalls-outgoing; Mon, 17 Apr 1995 06:19:15 -0700 Received: from service.netmaine.com (service.netmaine.com [199.191.1.12]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA19075 for ; Mon, 17 Apr 1995 06:19:12 -0700 Received: from localhost (atr@localhost) by service.netmaine.com (8.6.5/8.6.5) id JAA13795; Mon, 17 Apr 1995 09:21:19 -0400 Message-Id: <199504171321.JAA13795@service.netmaine.com> Date: Mon, 17 Apr 95 09:18:40 EST From: "Andrew T. Robinson" To: Firewalls mailing list Subject: ADVISORY 951072: Compromised system attacking network sites Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Please be on the lookout for any packets or connections originating from IP address 204.57.196.12. According to postings to the FIREWALLS list, this host has been attacking at least one FIREWALLS subscriber and may be compromised. From firewalls-owner Mon Apr 17 06:56:56 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA19571 for firewalls-outgoing; Mon, 17 Apr 1995 06:42:49 -0700 Received: from service.netmaine.com (service.netmaine.com [199.191.1.12]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA19564 for ; Mon, 17 Apr 1995 06:42:46 -0700 Received: from localhost (atr@localhost) by service.netmaine.com (8.6.5/8.6.5) id JAA13842; Mon, 17 Apr 1995 09:44:56 -0400 Message-Id: <199504171344.JAA13842@service.netmaine.com> Date: Mon, 17 Apr 95 09:42:14 EST From: "Andrew T. 
Robinson" To: Firewalls mailing list Subject: ADVISORY 951072: Compromised system attacking network sites Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Apologies to the firewalls list... This was meant to go to an internal list called "nw" and not an external list "fw" :-) ----------------------------- Note follows ----------------------------- Date: Mon, 17 Apr 95 09:18:40 EST From: "Andrew T. Robinson" To: Firewalls mailing list Subject: ADVISORY 951072: Compromised system attacking network sites Please be on the lookout for any packets or connections originating from IP address 204.57.196.12. According to postings to the FIREWALLS list, this host has been attacking at least one FIREWALLS subscriber and may be compromised. From firewalls-owner Mon Apr 17 07:28:54 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA20030 for firewalls-outgoing; Mon, 17 Apr 1995 06:57:35 -0700 Received: from clark.net (clark.net [168.143.0.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA20025 for ; Mon, 17 Apr 1995 06:57:32 -0700 Received: from clark.net (lordharv@localhost [127.0.0.1]) by clark.net (8.6.12/8.6.5) with ESMTP id JAA11833; Mon, 17 Apr 1995 09:58:07 -0400 Message-Id: <199504171358.JAA11833@clark.net> To: firewalls@GreatCircle.COM cc: lordharv@clark.net Subject: Re: FWIW - ADV 951072 Date: Mon, 17 Apr 1995 09:58:06 -0400 From: Lord Harvey Randomfactor Sender: firewalls-owner@GreatCircle.COM Precedence: bulk FWIW 204.57.196.12 is: Connected to 204.57.196.12. Escape character is '^]'. 
220 sand.edswest.com HP Sendmail (1.38.193.4/16.2) ready at Mon, 17 Apr 1995 06:55:14 -0700
expn root
250

From firewalls-owner Mon Apr 17 07:57:04 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA20800 for firewalls-outgoing; Mon, 17 Apr 1995 07:22:42 -0700 Received: from nexus.astro.psu.edu (nexus.astro.psu.edu [128.118.147.20]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA20795 for ; Mon, 17 Apr 1995 07:22:39 -0700 Received: by nexus.astro.psu.edu (4.1/Nexus-1.3) id AA09146; Mon, 17 Apr 95 10:23:12 EDT Date: Mon, 17 Apr 95 10:23:12 EDT From: "George M. Weaver" Message-Id: <9504171423.AA09146@nexus.astro.psu.edu> To: Firewalls@GreatCircle.COM Subject: Re: Exploiting UDP Ports Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Does anyone have a utility (similar to telnet?) that will
> let me create UDP packets from shell scripts so I can test UDP attacks
> from shell scripts?

W. Richard Stevens wrote a program called "sock" to make arbitrary TCP and UDP connections which he used to generate data for the examples in his wonderful book "TCP/IP Illustrated, Volume 1". It is fully documented in Appendix C, and instructions for obtaining the (free) source code are in Appendix F. Highly recommended. (The code *and* the book.)
-George

From firewalls-owner Mon Apr 17 12:17:29 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA01589 for firewalls-outgoing; Mon, 17 Apr 1995 11:51:13 -0700 Received: from inesc.inesc.pt (inesc.inesc.pt [146.193.0.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA01584 for ; Mon, 17 Apr 1995 11:51:07 -0700 Received: from ccae-sv.inesc.pt by inesc.inesc.pt with SMTP; id AA24811 (/); Mon, 17 Apr 1995 20:48:24 +0200 Received: by ccae-sv.inesc.pt (4.1/SunOS4.1.3) id AA15415; Mon, 17 Apr 95 20:51:00 +0200 From: Ricardo.Pereira@inesc.pt (Ricardo Jorge Pereira) Message-Id: <9504171851.AA15415@ccae-sv.inesc.pt> Subject: TIS FWTK syslogd on HP-UX To: firewalls@greatcircle.com Date: Mon, 17 Apr 1995 20:50:59 +0200 (MET DST) X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Content-Length: 944 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

While trying to compile this configuration I have reached the conclusion that I'll have to do some work, since on SYS V, they use named pipes instead of /dev/kmem. I understand that this isn't probably too complex, but nonetheless is the decaf I had this morning hiding some details? Put it this way: has someone done this already?

Thanks, for any pointers ( no need for NULLs ... ;-) )

--
__________________________________________________________________ Ricardo Jorge Pereira Network Consultant Centro de Comunicacoes em Ambientes Empresariais Av. Duque d'Avila 23, Apartado 10105, 1017 Lisboa Codex, Portugal Telef : +351 1 3100069 Fax : +351 1 3100068 email : ricardo.pereira@inesc.pt ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Microsoft is not the answer, Microsoft is the question. No is the answer.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Mon Apr 17 12:40:54 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA01110 for firewalls-outgoing; Mon, 17 Apr 1995 11:29:33 -0700 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA00988 for ; Mon, 17 Apr 1995 11:29:09 -0700 Received: from hp.com by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950108) id KAA00203; Mon, 17 Apr 1995 10:32:32 -0700 From: robert@rlemire.canada.hp.com Received: from rlemire.canada.hp.com by hp.com with SMTP (1.37.109.15/15.5+ECS 3.3) id AA282829876; Mon, 17 Apr 1995 10:31:16 -0700 Message-Id: <199504171731.AA282829876@hp.com> Received: by rlemire.canada.hp.com (1.38.193.4/16.2) id AA02446; Mon, 17 Apr 1995 13:31:32 -0400 Subject: HP environment with RoadRunner 284(encryption box) To: firewalls@GreatCircle.COM Date: Mon, 17 Apr 95 13:31:32 EDT Mailer: Elm [revision: 70.85] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Would anyone give feedback on how well the product RoadRunner 284 from "Semaphore Communication" behaves?

Thank you

From firewalls-owner Mon Apr 17 12:44:09 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA01115 for firewalls-outgoing; Mon, 17 Apr 1995 11:29:36 -0700 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA01007 for ; Mon, 17 Apr 1995 11:29:12 -0700 Received: from stortek.com by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950108) id KAA00253; Mon, 17 Apr 1995 10:35:32 -0700 Received: from coltano.stortek.com by stortek.com with SMTP id AA16161 (5.65c/IDA-1.4.4 for ); Mon, 17 Apr 1995 11:18:17 -0600 Received: by coltano.stortek.com (5.x/SMI-SVR4) id AA04729; Mon, 17 Apr 1995 11:18:13 -0600 Date: Mon, 17 Apr 1995 11:18:13 -0600 From:
jim@coltano.stortek.com (Jim Wamsley (303) 673-8163) Message-Id: <9504171718.AA04729@coltano.stortek.com> To: firewalls@greatcircle.com Subject: Re: FWIW - ADV 951072 X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

whois -h whois.ra.net 204.57.196.12

route:        204.57.196.0/24
descr:        Northwest NEXUS, Inc.
descr:        P.O. Box 40597
descr:        Bellevue
descr:        WA 98015-4597, USA
origin:       AS1982
comm-list:    COMM_NSFNET
advisory:     AS690 1:1239(144) 2:1800 3:1239(218) 4:1982
mnt-by:       MAINT-AS1982
changed:      nsfnet-admin@merit.edu 941117
source:       PRDB

From firewalls-owner Mon Apr 17 12:52:24 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA01292 for firewalls-outgoing; Mon, 17 Apr 1995 11:37:18 -0700 Received: from hhs-custos.dhhs.gov (hhs-custos.dhhs.gov [158.70.252.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA01286 for ; Mon, 17 Apr 1995 11:37:15 -0700 Received: from inms-db.os.dhhs.gov. by hhs-custos.dhhs.gov (4.1/SMI-4.1) id AA17073; Mon, 17 Apr 95 14:49:20 EDT Received: by inms-db.os.dhhs.gov. (4.1/SMI-4.1) id AA01999; Mon, 17 Apr 95 14:33:05 EDT Date: Mon, 17 Apr 95 14:33:05 EDT From: cjs@inms-db.os.dhhs.gov (Carolyn Sienkiewicz) Message-Id: <9504171833.AA01999@inms-db.os.dhhs.gov.> To: firewalls@greatcircle.com Subject: really hetero networks and firewalls Cc: cjs@inms-db.os.dhhs.gov Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I've been reading the firewalls list for a while now, and the information has been really interesting. One thing I've been wondering is how would a firewall fit into the environment in which I'm currently working. I work on machines that sit on network segments that host other UNIX machines, Banyan Vines, Novell, and tons of PCs, so the protocols here are mixed on just about every segment of the network.
So, if I were to contemplate putting a firewall up SOMEWHERE on our network as part of an attempt to improve UNIX host security, and if the firewall was perhaps doing some IP filtering and providing application proxies...what about the "other" protocols flying around? Do "other protocol" boxes have to be outside the firewall? Can non-IP be tunnelled through the firewall? Please e-mail me rather than expend list bandwidth. I'll be glad to summarize for any others who may be likewise uninformed. Thanks in advance, Carolyn S. =================================== cjs@inms-db.os.dhhs.gov From firewalls-owner Mon Apr 17 13:04:38 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA01848 for firewalls-outgoing; Mon, 17 Apr 1995 12:06:11 -0700 Received: from suburbia.apana.org.au (suburbia.apana.org.au [192.188.107.90]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA01843 for ; Mon, 17 Apr 1995 12:05:54 -0700 Received: (proff@localhost) by suburbia.apana.org.au (8.6.10/8.6.8++) id FAA08187; Tue, 18 Apr 1995 05:03:18 +1000 From: Julian Assange Message-Id: <199504171903.FAA08187@suburbia.apana.org.au> Subject: The Dan Farmer rap To: bugtraq@fc.net Date: Tue, 18 Apr 1995 05:03:14 +1000 (EST) Cc: firewalls@greatcircle.com X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 1739 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -- The Dan Farmer rap -- I'm Dan Farmer, you can't fool me - the only security consultant to be on MTV. I've got long red hair - hey hands off man! don't touch the locks of the mighty Dan. AC/DC - from the front or from behind, you can fuck my arse but you can't touch my mind. philosophy's the trip - evil 'n' stuff, god, we know a lot, Mike me and Muff. A real ardent feminist - just like she tells me to be, see me out there rooting for sexual e-qual-ity. I'm a computer spy - gosh thats soo cool! here let me show you mah security tool. Perhaps you've heard of it? 
Its called SAY-TAN And it can turn any hacker into a real man! It's so clever it can penetrate any inter-net-site, you see against my SAY-TAN they just can't fight. Its slick its clean. what? no! it ain't no bomb! I've been told it does quite well for fish dot com. Yes, more than just attack, its has pretty icons too! So your average 14 year old - he knows what to do! Written in in perl5 - a language so fast and so clean. Hhat? Well see here, at least it is is on MY machine. No back door! really only one little mistake - but those CERT bastards won't give bi-sex-uals a break. SGI? Their discrimination it makes me want to explode. No, its a lie! Who told you it was because I couldn't cut code? Weitse Venema? Umm, No, never heard of him. hang on, yes I have some recollection but its extremely dim... He's a guy from the Netherlands - but he wasn't right, from behind those Norwegians are way too tight. I coded it all - yes the mighty Dan did it alone, if you don't believe it, you and your note pad can fuck off home. I'm Dan Farmer - now take that down - its not every day you get to interview the worlds biggest security clown. -Proff From firewalls-owner Mon Apr 17 13:14:02 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA02903 for firewalls-outgoing; Mon, 17 Apr 1995 12:37:49 -0700 Received: from muffin.wis.com (muffin.wis.com [199.3.240.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA02898 for ; Mon, 17 Apr 1995 12:37:45 -0700 Received: from localhost by muffin.wis.com (8.6.5/PERFORMIX-0.9/08-16-92) id PAA29512; Mon, 17 Apr 1995 15:00:03 -0500 Date: Mon, 17 Apr 1995 15:00:00 -0500 (CDT) From: "Michael F. 
Nittmann" To: ATM_Feel_the_Power cc: Bill Manning , Alan Hannan , fc@all.net, firewalls@greatcircle.com Subject: Re: Sysco Routers Don't Do Security In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

well, I still remember the new routers from last year about this time, when cisco announced the new defragmenting routers. really, with them acquisitions they go places ..... mike

On Sat, 15 Apr 1995, ATM_Feel_the_Power wrote: > Darn it all Bill... Tony has been trying to keep this secret. > > Joseph Stroup > > On Sat, 15 Apr 1995, Bill Manning wrote: > > > > > Now Alan, you should know that cisco does not talk about un-announced > > products. What the good dr. was talking about is cis/sys(co)'s entry > > into an entirely different market, bulk food distribution. The > > term router now refers to not only the switching and forwarding engine > > but also to the truck driver! > > -- > > --bill > > > -------------------------------------------------------------------------------- Michael F. Nittmann nittmann@wis.com Network Architect nittmann@b3.com B3 Corporation, Marshfield, WI (CIX Member) (715) 387 1700 xt.
158 US Cyber (SM), Washington DC (715) 573 2448 (715) 831 7922 --------------------------------------------------------------------------------

From firewalls-owner Mon Apr 17 13:26:00 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA03003 for firewalls-outgoing; Mon, 17 Apr 1995 12:40:24 -0700 Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA02991 for ; Mon, 17 Apr 1995 12:40:20 -0700 Received: from maestro.Maestro.COM by relay1.UU.NET with SMTP id QQylww23283; Mon, 17 Apr 1995 15:38:19 -0400 Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA26263; Mon, 17 Apr 95 15:33:53 EDT Date: Mon, 17 Apr 1995 15:33:52 -0400 (EDT) From: Sick Puppy Subject: Re: anyone seen an S.. attack against a firewall? To: firewalls@GreatCircle.com Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Benjamin Smith wrote: > (I know this overlaps with the Intrusion detection list, but I think > that reacting to people knocking on your front door is also a > firewalls issue) Got kicked off that list, so can't discuss it there anyway. They are a snotty lot, who would never be seen with rolled up shirt sleeves. > The other thing that you have to decide for your detector is the > time frame to look at. Courtney (or at least 1.0--I haven't looked > at 1.1 yet) looks at connections over the last 7 minutes. All you > need to do to break this is slow Satan down with the equivalent of a > bunch of sleep()s and Courtney wouldn't see ... ... > and a version that looks at all connections over the last day, week, > whatever, that tries to catch the sneaky, patient cracker. Yes, thought of that. Wrote some code to look at a week's worth of logs for a slow attack. No sign of S.., but it showed up some sneaky dood making 3 attempts to hack mail, once an hour, then disappearing for 21 hours.
> Of course if he was really sneaky, he'd run his version of Satan > (or his equivalent) issuing one detectable event from a different > site over a long span of time... At least one person reading this list has a security research tool that changes its own IP address for every probe that it makes, and they got it from someone that doesn't read the list. Can't let a tool like that fall into the hands of the military, CERT, CIAC, DISA, Ferengi or Borg, because they would undoubtedly use it to attack the home worlds. Sick Puppy !USAF Electronic Warfare Center Eindhoven, Netherlands

From firewalls-owner Mon Apr 17 14:01:51 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA04824 for firewalls-outgoing; Mon, 17 Apr 1995 13:34:23 -0700 Received: from Disclosure.COM (di.disclosure.com [199.97.230.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA04817 for ; Mon, 17 Apr 1995 13:34:19 -0700 Received: by Disclosure.COM (4.1/SMI-4.1) id AA17089; Mon, 17 Apr 95 16:36:27 EDT Date: Mon, 17 Apr 95 16:36:27 EDT From: scott@Disclosure.COM (Scott Barman) Message-Id: <9504172036.AA17089@ Disclosure.COM> To: firewalls@greatcircle.com Subject: Internet Security/Firewalls and Windoze/NT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Unfortunately, one of the systems I have to support is a Windoze/NT (allegedly) Advanced Server system (no, I am not an NT or M$ fan and you can flame me in private email, if you dare). This box has to be accessible to the net along side a Sun box. 1) Has anyone done this? 2) What are the internet security concerns when it comes to NT? 3) They (I take no responsibility for this decision) want this thing set up on the "friendly" side of the firewall (friendly in that I haven't kicked it in its side, yet! :-). What are the issues in setting up a firewall in front of an NT box? THANKS!!
scott barman scott@disclosure.com

From firewalls-owner Mon Apr 17 15:07:59 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA05284 for firewalls-outgoing; Mon, 17 Apr 1995 13:49:17 -0700 Received: from pnh10.med.navy.mil ([164.167.53.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA05276 for ; Mon, 17 Apr 1995 13:49:10 -0700 Received: from resino_r (mclo11.med.navy.mil) by pnh10.med.navy.mil with SMTP id AA03502 (5.65c/IDA-1.4.4 for ); Mon, 17 Apr 1995 16:44:46 -0400 Message-Id: <199504172044.AA03502@pnh10.med.navy.mil> X-Sender: pnh1rgr@mclo10.med.navy.mil Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 17 Apr 1995 04:54:14 -0400 To: Julian Assange From: pnh1rgr@mclo10.med.navy.mil (Bob Resino) Subject: Re: The Dan Farmer rap Cc: firewalls@miles.greatcircle.com X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I don't think there was a need for this to go to Firewalls. Won't be surprised if you get "scorched" by a few folks here stateside. Wrong forum and done in such poor taste. > > -- The Dan Farmer rap -- ...Trash Deleted...
(why waste bandwidth) ---------------------------------------------------------------------------- Bob Resino (804) 398-7400

From firewalls-owner Mon Apr 17 15:11:30 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA06588 for firewalls-outgoing; Mon, 17 Apr 1995 14:40:55 -0700 Received: from moose.usmcs.maine.edu (moose.usmcs.maine.edu [130.111.131.39]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA06579 for ; Mon, 17 Apr 1995 14:40:49 -0700 Received: by moose.usmcs.maine.edu (5.57/Ultrix3.0-C) id AA08093; Mon, 17 Apr 95 17:41:03 -0400 Received: by bashful.usmcs.maine.edu; (5.65/1.1.8.2/29Mar95-1219PM) id AA13356; Mon, 17 Apr 1995 17:40:45 -0400 Date: Mon, 17 Apr 1995 17:40:45 -0400 From: Edward Maillet Message-Id: <9504172140.AA13356@bashful.usmcs.maine.edu> To: firewalls-digest@greatcircle.com Subject: Need 3Com NetBuilder II experiences Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hey All, I find myself having to build a firewall with only a 3Com Netbuilder II router. Anyone have any experience and known gotchas that go with setting up the packet filtering? The filter grammar is cryptic as hell, so any known-to-be-working filter sets would also be nice. ----- Ed Maillet maillet@usmcs.maine.edu

From firewalls-owner Mon Apr 17 15:13:28 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA06865 for firewalls-outgoing; Mon, 17 Apr 1995 14:57:35 -0700 Received: from hosaka.smallworks.com (hosaka.SmallWorks.COM [192.207.126.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA06855 for ; Mon, 17 Apr 1995 14:57:32 -0700 Received: by hosaka.smallworks.com (5.x/SMI-SVR4) id AA08449; Mon, 17 Apr 1995 16:57:22 -0500 Date: Mon, 17 Apr 1995 16:57:22 -0500 From: charisse@SmallWorks.COM (Charisse Castagnoli) Message-Id: <9504172157.AA08449@hosaka.smallworks.com> To: firewalls@GreatCircle.com, sikpuppy@maestro.com Subject: Re: anyone seen an S..
attack against a firewall? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>Wolfgang made some interesting points on using pattern matching software >>to detect any suspicious activity and having it trigger some action by >>the firewall. >>While this approach would guard against known types of attack, it would >>not be able to detect attacks where the pattern is unknown. I have to disagree. We use a sophisticated version of "pattern matching" in our host based intrusion detection analysis. The attack is caught regardless of the method used to commence the attack. This is because many attacks can be characterized by their outcomes, which are method independent. The trick is being able to trap the outcome early enough in the attack sequence to prevent harm. This is key in networks where the attacks themselves contribute to the harm. If you want more information on intrusion detection in general, pick up the extensive bibliography available through info@haystack.com charisse Charisse Castagnoli Haystack Labs charisse@smallworks.com 1+512 918 3555(voice) 10713 RR 620 N. #521 Austin Tx. 78726 From firewalls-owner Mon Apr 17 16:19:23 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA09279 for firewalls-outgoing; Mon, 17 Apr 1995 16:10:19 -0700 Received: from mailhost.lanl.gov (mailhost.lanl.gov [128.165.3.12]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA09270 for ; Mon, 17 Apr 1995 16:10:15 -0700 Received: from beta.lanl.gov by mailhost.lanl.gov (8.6.11/1.2) id RAA18010; Mon, 17 Apr 1995 17:10:13 -0600 Received: by beta.lanl.gov (5.57/Ultrix2.4-C) id AA26323; Mon, 17 Apr 95 17:09:56 -0600 Date: Mon, 17 Apr 95 17:09:56 -0600 From: ddk@beta.lanl.gov (David D Kaas) Message-Id: <9504172309.AA26323@beta.lanl.gov> To: firewalls@greatcircle.com Subject: firewalls book?? Cc: ddk@lanl.gov Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Has anyone seen the book "Internet Firewalls and Network Security"? 
I would like to hear some type of review before I order one.. thanks dave kaas | Dave Kaas | Internet: ddk@lanl.gov | | Box 300 M/S A1-05 | | | Boeing Computer Services Richland | dave_kaas@.rl.giv | | (Department of Energy contractor) | | | Richland, Wa 99352 | Phone: (509) 376-6386 |

From firewalls-owner Mon Apr 17 16:43:44 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA09773 for firewalls-outgoing; Mon, 17 Apr 1995 16:29:26 -0700 Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA09760 for ; Mon, 17 Apr 1995 16:29:18 -0700 Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA06795; Mon, 17 Apr 95 19:28:52 -0500 From: paul@hawksbill.sprintmrn.com (Paul Ferguson) Message-Id: <9504180028.AA06795@hawksbill.sprintmrn.com> Subject: Re: Need 3Com NetBuilder II experiences To: maillet@bashful.usmcs.maine.edu (Edward Maillet) Date: Mon, 17 Apr 1995 19:28:52 -0500 (EST) Cc: firewalls-digest@greatcircle.com In-Reply-To: <9504172140.AA13356@bashful.usmcs.maine.edu> from "Edward Maillet" at Apr 17, 95 05:40:45 pm X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 783 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> > Hey All, > I find myself having to build a firewall with only a 3Com Netbuilder II > router. Anyone have any experience and known gotchas that go with setting > up the packet filtering? The filter grammar is cryptic as hell, so any > known-to-be-working filter sets would also be nice. > ----- Ed Maillet > maillet@usmcs.maine.edu > ObAdvise: Don't use a 3Com router as a firewall. Thus is the voice of experience.
- paul _______________________________________________________________________________ Paul Ferguson US Sprint tel: 703.689.6828 Managed Network Engineering internet: paul@hawk.sprintmrn.com Reston, Virginia USA http://www.sprintmrn.com From firewalls-owner Mon Apr 17 16:44:46 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA08387 for firewalls-outgoing; Mon, 17 Apr 1995 15:48:43 -0700 Received: from [158.152.139.213] (g-circle.demon.co.uk [158.152.139.213]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA08373; Mon, 17 Apr 1995 15:48:30 -0700 X-Sender: (Unverified) Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 17 Apr 1995 23:46:57 +0000 To: Julian Assange From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: The Dan Farmer rap Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 05:03 4/18/95, Julian Assange wrote: > -- The Dan Farmer rap -- > This kind of personal attack is COMPLETELY inappropriate for the Firewalls mailing list. 
-Brent ---------------------------------------------------------------------- For info about the Internet Security Firewalls Tutorial and a schedule of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM ---------------------------------------------------------------------- Brent Chapman Great Circle Associates Brent@GreatCircle.COM 1057 West Dana Street +1 415 962 0841 Mountain View, CA 94041

From firewalls-owner Mon Apr 17 17:13:43 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA10084 for firewalls-outgoing; Mon, 17 Apr 1995 16:45:11 -0700 Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA10079 for ; Mon, 17 Apr 1995 16:45:09 -0700 Received: from cixgate by relay2.UU.NET with SMTP id QQylxn25257; Mon, 17 Apr 1995 19:45:04 -0400 Received: from manzanita.DEV.3Com.COM.noname ([139.87.180.206]) by cixgate (4.1/SMI-4.1/3com-cixgate-GCA-931027-01) id AA18689; Mon, 17 Apr 95 23:50:40 GMT Received: by manzanita.DEV.3Com.COM.noname (4.1/SMI-4.1) id AA00813; Mon, 17 Apr 95 16:44:45 PDT Date: Mon, 17 Apr 95 16:44:45 PDT From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg) Message-Id: <9504172344.AA00813@manzanita.DEV.3Com.COM.noname> To: ddk@beta.lanl.gov Subject: Re: firewalls book?? Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I've got it and have read it cover to cover. Very good, somewhat technical. Its only limitation is that it tells how Cheswick and Bellovin did their firewall. Not everything they did applies to every situation. Still, I'd recommend it to anyone as a good primer if you're really serious.
BobK

From firewalls-owner Mon Apr 17 17:43:40 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA10007 for firewalls-outgoing; Mon, 17 Apr 1995 16:42:53 -0700 Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id QAA10002 for ; Mon, 17 Apr 1995 16:42:49 -0700 Received: from cixgate by relay2.UU.NET with SMTP id QQylxm24983; Mon, 17 Apr 1995 19:42:45 -0400 Received: from manzanita.DEV.3Com.COM.noname ([139.87.180.206]) by cixgate (4.1/SMI-4.1/3com-cixgate-GCA-931027-01) id AA18686; Mon, 17 Apr 95 23:48:19 GMT Received: by manzanita.DEV.3Com.COM.noname (4.1/SMI-4.1) id AA00810; Mon, 17 Apr 95 16:42:25 PDT Date: Mon, 17 Apr 95 16:42:25 PDT From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg) Message-Id: <9504172342.AA00810@manzanita.DEV.3Com.COM.noname> To: maillet@bashful.usmcs.maine.edu Subject: Re: Need 3Com NetBuilder II experiences Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Ed, At the risk of tooting our own horn, I administer most of the firewalls here at 3Com, and have built our firewalls with NetBuilder II's. If you want general advice, get a copy of the April 1995 issue of 3Tech mag (Our 3Com technical rag) in which I've written an article on how to build an Internet firewall with a NetBuilder II, including a guide to the filter syntax. If you don't have a copy, let me know and I'll mail you one courtesy of 3Com. (Offer good to anyone who actually needs it. I haven't got the time to send copies to everyone. I'm a network administrator, not a marketing person.) If you'd like to, I'll discuss the issue with you off-line as well. Since this is a response to a query, I hope this doesn't exceed the bounds of permissible commercialism on this list. I try to keep a low profile.
BobK From firewalls-owner Mon Apr 17 18:03:16 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA10864 for firewalls-outgoing; Mon, 17 Apr 1995 17:11:59 -0700 Received: from Mordor.Stanford.EDU (Mordor.Stanford.EDU [36.53.0.155]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id RAA10857; Mon, 17 Apr 1995 17:11:55 -0700 Received: from [198.120.32.26] (arc-tac1-slip9.nsi.nasa.gov [198.120.32.29]) by Mordor.Stanford.EDU (8.6.11/8.6.6) with SMTP id RAA21014; Mon, 17 Apr 1995 17:11:27 -0700 Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 17 Apr 1995 17:11:51 -0700 To: Brent@GreatCircle.COM (Brent Chapman) From: Dave Crocker Subject: Re: The Dan Farmer rap Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 4:46 PM 4/17/95, Brent Chapman wrote: >At 05:03 4/18/95, Julian Assange wrote: >> -- The Dan Farmer rap -- >> > >This kind of personal attack is COMPLETELY inappropriate for the Firewalls >mailing list. I agree. However, sending notes to the list about inappropriate notes to the list is, of course, a perpetuation of the problem. I'm sending THIS one because I want to encourage those who were upset by the bad rap submission to send their notes NOT to this list, but to the author of the message AND to postmaster@suburbia.apana.org.au and postmaster@apana.org.au so that those with administrative responsibility can be aware of the problem and make an assessment of it. No need to be nasty. Just clear and direct. (Feel free to include a copy of the offending message so they know which submission you are referring to...) d/ -------------------- Dave Crocker Brandenburg Consulting +1 408 246 8253 675 Spruce Dr. 
fax: +1 408 249 6205 Sunnyvale, CA 94086 dcrocker@networking.stanford.edu

From firewalls-owner Mon Apr 17 18:15:18 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA11822 for firewalls-outgoing; Mon, 17 Apr 1995 17:51:48 -0700 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA11816 for ; Mon, 17 Apr 1995 17:51:44 -0700 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA06385; Mon, 17 Apr 95 20:44:23 -0400 Date: Mon, 17 Apr 95 20:44:23 -0400 Message-Id: <9504180044.AA06385@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: Re: anyone seen a... Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>At least one person reading this list has a security research tool that >changes its own IP address for every probe that it makes, Well, given an empty subnet you could try 253 common ports that way except my filter is set to alarm on a net that is being inquisitive, not just a particular IP on it.
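[Editor's added example. The block below is not part of Padgett's note, Sick Puppy's earlier post, or any tool mentioned in this thread; it is new code written for this archive to show the two detection strategies the posts contrast: a short per-address window like the 7-minute one attributed to Courtney 1.0, beside a long per-network window of the kind Padgett describes ("alarm on a net that is being inquisitive, not just a particular IP") and Sick Puppy's week of logs. The connection-log line format, the 5-port threshold, and the addresses (documentation ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are assumptions; the log is constructed inline.]

```python
"""Added example: slow / distributed scan detection over a connection log.

Two detectors see the same events:
  * per-IP, 7-minute window   (the short window a Courtney-style tool uses)
  * per-/24, 7-day window     (alarm on an inquisitive network, not one host)
Each alarms once per key when that key has touched >= THRESHOLD distinct
destination ports inside its window.  Log format and addresses are assumed.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line format (not the output of any real tool):
#   1995-04-10T00:00:10 connect src=192.0.2.7 dport=25
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) connect "
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) dport=(?P<dport>\d{1,5})$"
)
THRESHOLD = 5  # distinct destination ports before we call it a scan (assumed)


def parse(line):
    """Return (timestamp, source_ip, dest_port), or None for a non-matching line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], int(m["dport"])


def net_of(ip, prefix=24):
    """Aggregation key for 'a net that is being inquisitive'."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


class SlidingPortDetector:
    """Sliding-window count of distinct destination ports per key."""

    def __init__(self, window, key_fn, threshold=THRESHOLD):
        self.window = window
        self.key_fn = key_fn
        self.threshold = threshold
        self.events = defaultdict(deque)   # key -> deque of (ts, dport), oldest first
        self.alarms = {}                   # key -> (first alarm ts, sorted ports seen)

    def feed(self, ts, src, dport):
        """Record one connection; events must be fed in time order."""
        key = self.key_fn(src)
        q = self.events[key]
        q.append((ts, dport))
        while q and ts - q[0][0] > self.window:   # drop events outside the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= self.threshold and key not in self.alarms:
            self.alarms[key] = (ts, sorted(ports))
        return key in self.alarms


def run(lines):
    """Feed a log (any order) through both detectors and return their alarms."""
    events = [e for e in map(parse, lines) if e is not None]
    events.sort(key=lambda e: e[0])
    fast = SlidingPortDetector(timedelta(minutes=7), lambda ip: ip)
    slow = SlidingPortDetector(timedelta(days=7), net_of)
    for ev in events:
        fast.feed(*ev)
        slow.feed(*ev)
    return {"per_ip_7min": fast.alarms, "per_net_7day": slow.alarms}


def constructed_log():
    """Constructed sample log (not real traffic): three sources, three behaviours."""
    t0 = datetime(1995, 4, 10, 0, 0, 0)
    probes = [21, 23, 25, 79, 111, 513, 514, 6000]
    lines = []
    # (a) a noisy scanner: one host, eight ports in eighty seconds
    for i, port in enumerate(probes):
        ts = t0 + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} connect src=192.0.2.7 dport={port}")
    # (b) a patient, distributed scanner: each address in 198.51.100.0/24 sends
    #     exactly one probe, six hours apart, so no single IP ever repeats
    for i, port in enumerate(probes):
        ts = t0 + timedelta(hours=6 * i)
        lines.append(f"{ts.isoformat()} connect src=198.51.100.{10 + i} dport={port}")
    # (c) a legitimate client: fifty connections, all to port 80
    for i in range(50):
        ts = t0 + timedelta(minutes=3 * i)
        lines.append(f"{ts.isoformat()} connect src=203.0.113.5 dport=80")
    lines.append("this line is not a connection record")   # exercises parse() rejection
    return lines


if __name__ == "__main__":
    for name, alarms in run(constructed_log()).items():
        print(name)
        for key, (ts, ports) in alarms.items():
            print(f"  {key}: alarm at {ts.isoformat()}, ports {ports}")
```

Run as a script it reports the noisy host 192.0.2.7 under both detectors, and 198.51.100.0/24 only under the per-network, seven-day detector: each of its addresses made a single connection, so a per-IP, seven-minute rule has nothing to count. The legitimate client never alarms because fifty connections to one port is one distinct port. Note the limit of a distinct-port rule: the pattern Sick Puppy reports (three attempts on the mail port once an hour, then silence) touches one service and needs a per-service attempt-count rule over a long window, which this block does not implement.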
P.fla

From firewalls-owner Mon Apr 17 18:23:13 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA09848 for firewalls-outgoing; Mon, 17 Apr 1995 16:32:00 -0700 Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA09841 for ; Mon, 17 Apr 1995 16:31:57 -0700 Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA06811; Mon, 17 Apr 95 19:31:31 -0500 From: paul@hawksbill.sprintmrn.com (Paul Ferguson) Message-Id: <9504180031.AA06811@hawksbill.sprintmrn.com> Subject: Re: Internet Security/Firewalls and Windoze/NT To: scott@Disclosure.COM (Scott Barman) Date: Mon, 17 Apr 1995 19:31:31 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: <9504172036.AA17089@ Disclosure.COM> from "Scott Barman" at Apr 17, 95 04:36:27 pm X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 1101 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I would _highly_ recommend obtaining a copy of RFC's 1002 & 1002 to completely understand the technical issues that confront you. - paul > > Unfortunately, one of the systems I have to support is a Windoze/NT > (allegedly) Advanced Server system (no, I am not an NT or M$ fan and you > can flame me in private email, if you dare). This box has to be > accessible to the net along side a Sun box. > > 1) Has anyone done this? > 2) What are the internet security concerns when it comes to NT? > 3) They (I take no responsibility for this decision) want this thing > set up on the "friendly" side of the firewall (friendly in that I > haven't kicked it in its side, yet! :-). What are the issues in > setting up a firewall in front of an NT box?
> > _______________________________________________________________________________ Paul Ferguson US Sprint tel: 703.689.6828 Managed Network Engineering internet: paul@hawk.sprintmrn.com Reston, Virginia USA http://www.sprintmrn.com

From firewalls-owner Mon Apr 17 18:27:56 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA09607 for firewalls-outgoing; Mon, 17 Apr 1995 16:22:53 -0700 Received: from sequoia.itd.uts.EDU.AU (sequoia.itd.uts.EDU.AU [138.25.16.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA09583 for ; Mon, 17 Apr 1995 16:22:04 -0700 Received: from lordmuck.itd.uts.edu.au. by sequoia.itd.uts.EDU.AU with SMTP id AA22053 (5.65c/IDA-1.4.4 for ); Tue, 18 Apr 1995 09:21:51 +1000 Received: (from matt@localhost) by lordmuck.itd.uts.edu.au. (8.6.12/8.6.12) id JAA04048; Tue, 18 Apr 1995 09:21:48 +1000 From: Jas (Matthew K) Message-Id: <199504172321.JAA04048@lordmuck.itd.uts.edu.au.> Subject: Re: really hetero networks and firewalls To: cjs@inms-db.os.dhhs.gov (Carolyn Sienkiewicz) Date: Tue, 18 Apr 1995 09:21:48 +1000 (EST) Cc: firewalls@greatcircle.com, cjs@inms-db.os.dhhs.gov In-Reply-To: <9504171833.AA01999@inms-db.os.dhhs.gov.> from "Carolyn Sienkiewicz" at Apr 17, 95 02:33:05 pm X-Gc: GCV 2.1 GAT/M/CS d--(-+) H-- s++:-- g+ p? !au a-(?) w+++ v+ C+++$ X-Gc: UVS++++$ P+>+++ L- 3+++ E-(++) N++ K W--- M+ V-- -po+(+) Y+ t+ X-Gc: !5++ jx R+ G? !tv b+++ D++ B e+ u--(**) h- f+(*) r n- !y X-Ph: ph: +61 2 330 1390 fax: +61 2 330 1999 home: +61 2 416 5722 X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 774 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Carolyn Sienkiewicz wrote this... > I won't comment on anything else... > Can non-IP be tunnelled through the firewall? technically yes, good idea no. definitely not... a clear open and shut case of lock the door and keep the window wide open.
a firewall should gap/control all traffic going through it. your unix boxen can quite happily talk other protocols with a bit of coding. Matt -- #!/bin/sh echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc;exit Matthew Keenan Systems Programmer Information Technology Division University of Technology Sydney Australia It's nice to be in a position where people apologize because they assume there's humor in your work, based on past experience, but they're not sure where it is. -- Rob Pike From firewalls-owner Mon Apr 17 18:34:03 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA08374 for firewalls-outgoing; Mon, 17 Apr 1995 15:48:30 -0700 Received: from [158.152.139.213] (g-circle.demon.co.uk [158.152.139.213]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA08367; Mon, 17 Apr 1995 15:48:17 -0700 X-Sender: (Unverified) Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 17 Apr 1995 23:46:45 +0000 To: Julian Assange , bugtraq@fc.net From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: The Dan Farmer rap Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk PLEASE, folks, don't cross-post stuff between Firewalls and BugTraq. What's appropriate in terms of postings and replies is different for each list. When somebody cross-posts a message, the replies also get cross-posted, and usually lead to a flame fest on one list or the other. If you really feel something is appropriate for both lists (which is rare, I think; they have fairly different charters), then post a separate message to each list. 
-Brent ---------------------------------------------------------------------- For info about the Internet Security Firewalls Tutorial and a schedule of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM ---------------------------------------------------------------------- Brent Chapman Great Circle Associates Brent@GreatCircle.COM 1057 West Dana Street +1 415 962 0841 Mountain View, CA 94041 From firewalls-owner Mon Apr 17 18:43:42 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA08358 for firewalls-outgoing; Mon, 17 Apr 1995 15:48:16 -0700 Received: from [158.152.139.213] (g-circle.demon.co.uk [158.152.139.213]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA08348; Mon, 17 Apr 1995 15:47:53 -0700 X-Sender: (Unverified) Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 17 Apr 1995 23:46:27 +0000 To: Ricardo.Pereira@inesc.pt (Ricardo Jorge Pereira), firewalls@greatcircle.com From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: TIS FWTK syslogd on HP-UX Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 20:50 4/17/95, Ricardo Jorge Pereira wrote: >While trying to compile this configuration I have reached the >conclusion that I'll have to do some work, since on SYS V, they >use named pipes instead of /dev/kmem. I understand that this isn't >probably too complex, but none the less is the decaf I had this >morning hiding some details ? Put it this way : have someone did >this already ? Support questions about the TIS Firewalls Toolkit (such as the one above) are not appropriate for the Firewalls mailing list; they should be directed to the "fwall-users@tis.com" mailing list. 
-Brent ---------------------------------------------------------------------- For info about the Internet Security Firewalls Tutorial and a schedule of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM ---------------------------------------------------------------------- Brent Chapman Great Circle Associates Brent@GreatCircle.COM 1057 West Dana Street +1 415 962 0841 Mountain View, CA 94041 From firewalls-owner Mon Apr 17 18:54:58 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA08347 for firewalls-outgoing; Mon, 17 Apr 1995 15:47:52 -0700 Received: from [158.152.139.213] (g-circle.demon.co.uk [158.152.139.213]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA08334 for ; Mon, 17 Apr 1995 15:47:41 -0700 X-Sender: (Unverified) Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 17 Apr 1995 23:46:08 +0000 To: firewalls@greatcircle.COM From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: ADVISORY 951072: Compromised system attacking network sites Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 09:42 4/17/95, Andrew T. Robinson wrote: >Apologies to the firewalls list... This was meant to go to an internal >list called "nw" and not an external list "fw" :-) > >----------------------------- Note follows ----------------------------- >Date: Mon, 17 Apr 95 09:18:40 EST >From: "Andrew T. Robinson" >To: Firewalls mailing list >Subject: ADVISORY 951072: Compromised system attacking network sites > >Please be on the lookout for any packets or connections originating from >IP address 204.57.196.12. According to postings to the FIREWALLS list, this >host has been attacking at least one FIREWALLS subscriber and may be >compromised. I'm glad to hear it was a mistaken posting. There are about 10,000 readers of Firewalls at several thousand different sites; I'd hate to start seeing a message to Firewalls every time one of them is probed. 
-Brent ---------------------------------------------------------------------- For info about the Internet Security Firewalls Tutorial and a schedule of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM ---------------------------------------------------------------------- Brent Chapman Great Circle Associates Brent@GreatCircle.COM 1057 West Dana Street +1 415 962 0841 Mountain View, CA 94041 From firewalls-owner Mon Apr 17 18:59:47 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA12336 for firewalls-outgoing; Mon, 17 Apr 1995 18:15:52 -0700 Received: from Badger.Arnold.Com (Badger.Arnold.Com [192.135.80.2]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA12331 for ; Mon, 17 Apr 1995 18:15:48 -0700 From: Stephen.L.Arnold@Arnold.Com Received: from Badger.Arnold.Com by Badger.Arnold.Com (PMDF V5.0-1 #9822) id <01HPGBWADVWW8WVZ9D@Badger.Arnold.Com>; Mon, 17 Apr 1995 20:15:28 -0500 (CDT) Date: Mon, 17 Apr 1995 20:04:14 -0500 (CDT) Subject: Re: firewalls book?? In-reply-to: "Your message dated Mon, 17 Apr 1995 17:09:56 -0600" <9504172309.AA26323@beta.lanl.gov> To: ddk@beta.lanl.gov Cc: firewalls@greatcircle.com, Stephen.L.Arnold@Arnold.Com Message-id: <01HPGI3Y26LI8WVZ9D@Badger.Arnold.Com> Organization: Arnold Consulting, Inc. MIME-version: 1.0 Content-type: TEXT/PLAIN; CHARSET=US-ASCII Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Has anyone seen the book "Internet Firewalls and Network Security"? I would > like to hear some type of review before I order one.. It's been on my night stand for 2 months, and I haven't been able to get through it. There's so much general TCP/IP and UNIX information I haven't been able to get through it to the firewall stuff yet. (Disclaimer: I know this stuff, and was looking for something to recommend to clients.) I hated the typography. 
Tiny side thoughts that should be surrounded by parentheses (if they're to be included at all) are instead set in a decorated box with an engraved "Note" and hand-holding-pencil icon in the margin. (An example of a thought that gets this "Note" treatment, under the finger command: "Idle time is minutes if it is a single integer, hours and minutes if a colon (:) is present, or days and hours if a "d" is present.") Very distracting, impeding rather than enhancing understanding. I'm not usually negative on books. I loved the volume on mail privacy that came packaged with it as a main selection from the (Newbridge) Library of Computer and Information Science Book Club. I'll sell you my copy for $10. Regards, "Steve" Stephen L. Arnold, Ph.D., President, Arnold Consulting, Inc. Address 2530 Targhee Street, Madison, Wisconsin 53711-5491 U.S.A. Telephone +1 608 278 7700 Facsimile +1 608 278 7701 Internet Stephen.L.Arnold@Arnold.Com Pager (800) 351 8927

From firewalls-owner Mon Apr 17 19:43:46 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA14853 for firewalls-outgoing; Mon, 17 Apr 1995 19:17:42 -0700 Received: from delta.eecs.nwu.edu (delta.eecs.nwu.edu [129.105.5.103]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id TAA14848 for ; Mon, 17 Apr 1995 19:17:39 -0700 Received: by delta.eecs.nwu.edu (8.6.12/8.6.12) id VAA12465; Mon, 17 Apr 1995 21:17:33 -0500 Date: Mon, 17 Apr 1995 21:17:33 -0500 From: Robert Bonomi Message-Id: <199504180217.VAA12465@delta.eecs.nwu.edu> To: Stephen.L.Arnold@Arnold.Com, ddk@beta.lanl.gov Subject: Re: firewalls book?? Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

+ From firewalls-owner@GreatCircle.COM Mon Apr 17 21:13:16 1995 + From: Stephen.L.Arnold@Arnold.Com + Date: Mon, 17 Apr 1995 20:04:14 -0500 (CDT) + Subject: Re: firewalls book??
+ To: ddk@beta.lanl.gov
+ Cc: firewalls@GreatCircle.COM, Stephen.L.Arnold@Arnold.Com
+ Sender: firewalls-owner@GreatCircle.COM
+
+ > Has anyone seen the book "Internet Firewalls and Network Security"? I would
+ > like to hear some type of review before I order one..
+
+ It's been on my night stand for 2 months, and I haven't been able to get
+ through it. There's so much general TCP/IP and UNIX information I
+ haven't been able to get through it to the firewall stuff yet.
+ (Disclaimer: I know this stuff, and was looking for something to
+ recommend to clients.)
+
+ I hated the typography. Tiny side thoughts that should be surrounded by
+ parentheses (if they're to be included at all) are instead set in a
+ decorated box with an engraved "Note" and hand-holding-pencil icon in
+ the margin. (An example of a thought that gets this "Note" treatment,
+ under the finger command: "Idle time is minutes if it is a single
+ integer, hours and minutes if a colon (:) is present, or days and hours
+ if a "d" is present.") Very distracting, impeding rather than enhancing
+ understanding.
+
+ I'm not usually negative on books. I loved the volume on mail privacy
+ that came packaged with it as a main selection from the (Newbridge)
+ Library of Computer and Information Science Book Club.
+
+ I'll sell you my copy for $10.

I haven't been willing to spend 'good money' for it, but, at -that-
price... if the original poster doesn't want it, I'll take it off your
hands!
Robert Bonomi

From firewalls-owner Mon Apr 17 20:22:13 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id TAA15778 for firewalls-outgoing; Mon, 17 Apr 1995 19:33:00 -0700
Received: from bushwire.mira.net.au (bushwire.mira.net.au [203.9.190.49]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id TAA15768; Mon, 17 Apr 1995 19:32:50 -0700
Received: (from markd@localhost) by bushwire.mira.net.au (8.6.10/bw1) id MAA23672; Tue, 18 Apr 1995 12:32:24 +1000
From: Mark Delany
Message-Id: <199504180232.MAA23672@bushwire.mira.net.au>
Subject: Re: The Dan Farmer rap (from postmaster@apana.org.au)
To: dcrocker@networking.stanford.edu (Dave Crocker)
Date: Tue, 18 Apr 1995 12:32:23 +1000 (EST)
Cc: Brent@GreatCircle.COM, firewalls@GreatCircle.COM, melb-rc@apana.org.au, mc@apana.org.au
In-Reply-To: from "Dave Crocker" at Apr 17, 95 05:11:51 pm
Reply-To: markd@mira.net.au (Mark Delany)
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1191
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> >This kind of personal attack is COMPLETELY inappropriate for the Firewalls
> >mailing list.
>
> I agree. However, sending notes to the list about inappropriate
> notes to the list is, of course, a perpetuation of the problem.
>
> I'm sending THIS one because I want to encourage those who were
> upset by the bad rap submission to send their notes NOT to this list, but
> to the author of the message AND to postmaster@suburbia.apana.org.au and
> postmaster@apana.org.au so that those with administrative responsibility

Hi. Sorry if this is likewise inappropriate, but I'd like to make a
clarification if I may.

We (mira.net.au) are on the end of postmaster@apana.org.au as we have
historically administered the DNS for that domain. However we have no real
control over the sites or users in that organisation.
The regional and national committees that do have responsibility can be
contacted at melb-rc@apana.org.au and mc@apana.org.au respectively. While
we will forward relevant mails sent to postmaster@apana.org.au, we'd
appreciate it if you could send them directly to the committee(s) instead.

Our apologies again for cluttering your list.

Mark Delany.

From firewalls-owner Mon Apr 17 20:43:33 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id UAA16959 for firewalls-outgoing; Mon, 17 Apr 1995 20:26:14 -0700
Received: from midas.co.marin.ca.us (midas.co.marin.ca.us [199.88.85.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id UAA16954 for ; Mon, 17 Apr 1995 20:26:12 -0700
From: blackmer@nbn.com
Received: from (billb.co.marin.ca.us [199.88.67.4]) by midas.co.marin.ca.us (8.6.5/8.6.6) with SMTP id VAA22272; Mon, 17 Apr 1995 21:25:32 -0700
Date: Mon, 17 Apr 1995 21:25:32 -0700
Message-Id: <199504180425.VAA22272@midas.co.marin.ca.us>
To: paul@hawksbill.sprintmrn.com (Paul Ferguson), maillet@bashful.usmcs.maine.edu (Edward Maillet)
Subject: 3COM Routers are good Firewall solutions
Cc: firewalls-digest@GreatCircle.COM
X-Mailer: AIR Mail 3.X (SPRY, Inc.)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Paul, etc:

I feel you are incorrect in stating that 3COM Netbuilder II routers cannot
be used as firewalls or as part of a blocking router for a total Firewall
solution.

We use 3COM routers as a firewall to protect certain parts of the Midas
project, and they are also used by many school districts in California.
3COM routers, in my opinion, are easier to set up and maintain than Cisco
routers. They are also much cheaper. Any Netbuilder router software
release after 7.0 has filter lists similar to Cisco access lists. Any
release after 8.0 has increased filter performance to very good. As a
firewall router I feel I can do anything with 3COM that I need to do.
(I have used both CISCO and 3COM.)

There is no doubt that Cisco sets the standard for TCP/IP routing. They are
usually the first out with new ideas (first major vendor with compression
on frame relay); Bay Networks and 3COM added it in the next release. Cisco
7000's have logging, which 3COM Netbuilders lack at this time. There are
many pros and cons to both vendors.

Bob Konigsberg at 3COM has written an excellent article on using 3COM
routers as part of a total firewall solution. Really worth reading. I
would be happy to provide an eMail address to receive this article if you
are interested.

Lastly, I would be happy to provide some information on filters, etc.
about 3COM routers if anybody is interested.

WARMLY from the Hot tub in Marin county, California.

Bill Blackmer
415-499-6309

P.S. I was in China for several months recently on family business. No
firewall problems there !! I could never get my laptop to work with the
local telephone company

<---- Begin Included Message ---->

From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Subject: Re: Need 3Com NetBuilder II experiences
To: maillet@bashful.usmcs.maine.edu (Edward Maillet)
Date: Mon, 17 Apr 1995 19:28:52 -0500 (EST)
Cc: firewalls-digest@GreatCircle.COM

>
> Hey All,
> I find myself having to build a firewall with only a 3Com Netbuilder II
> router. Anyone have any experience and known gotchas that go with setting
> up the packet filtering. The filter grammar is cryptic as hell so any
> known to be working filter sets would also be nice.
> ----- Ed Maillet
> maillet@usmcs.maine.edu
>

ObAdvise: Don't use a 3Com router as a firewall.

Thus is the voice of experience.
- paul

_______________________________________________________________________________
Paul Ferguson
US Sprint                              tel: 703.689.6828
Managed Network Engineering            internet: paul@hawk.sprintmrn.com
Reston, Virginia USA                   http://www.sprintmrn.com

<---- End Included Message ---->

From firewalls-owner Mon Apr 17 22:13:33 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id WAA18623 for firewalls-outgoing; Mon, 17 Apr 1995 22:09:38 -0700
Received: from crash.cts.com (crash.cts.com [192.188.72.17]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id WAA18618 for ; Mon, 17 Apr 1995 22:09:34 -0700
Received: from kelcom by crash.cts.com with uucp (Smail3.1.28.1 #23) id m0s15XY-0001oNC; Mon, 17 Apr 95 22:09 PDT
Date: Mon, 17 Apr 1995 22:17:50 -0700 (PDT)
From: Ron Kelley
To: firewalls@greatcircle.com
Subject: Network Address Translator
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Looking for a network translator package. I want to translate an
un-registered class B (internal) to registered class C (which is on the
DMZ).

A DEC engineer once spoke about a commercial package which would do this,
but I've been unable to locate it.

Ron Kelley
Sharp HealthCare, Inc.
San Diego, CA 92123

From firewalls-owner Tue Apr 18 02:14:26 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id CAA22040 for firewalls-outgoing; Tue, 18 Apr 1995 02:09:00 -0700
Received: from northshore.ecosoft.com (northshore.ecosoft.com [192.233.85.129]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id CAA22035 for ; Tue, 18 Apr 1995 02:08:55 -0700
Received: from [198.115.177.207] (slip-0-7.shore.net) by northshore.ecosoft.com with SMTP id AA02940 (5.67a/IDA-1.5 for ); Tue, 18 Apr 1995 05:08:41 -0400
Message-Id: <199504180908.AA02940@northshore.ecosoft.com>
X-Sender: vin@shore.net (Unverified)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 17 Apr 1995 04:12:52 -0500
To: Firewalls@greatcircle.com
From: vin@shore.net (Vin McLellan)
Subject: The Dan Farmer Rap
Cc: proff@suburbia.apana.org.au
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Just reading this made me feel dirty. In 20+ years associated with this
business, I don't think I've ever seen debate among professionals degraded
to quite this slime-ball level. Mr. Assange is an unprincipled ass who has
managed to create the single most irresponsible, ugly, unprofessional and
irrelevant reaction to SATAN to see print in English. The proff's rap is
disgusting.

_Vin McLellan

>
>From: Julian Assange
>Date: Tue, 18 Apr 1995 05:03:14 +1000 (EST)
>Subject: The Dan Farmer rap

--
Vin McLellan  +The Privacy Guild+  USA Tel. (617) 884-5546
Mail: 53 Nichols St., Chelsea, Ma.
02150
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

From firewalls-owner Tue Apr 18 02:35:07 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id CAA21986 for firewalls-outgoing; Tue, 18 Apr 1995 02:03:42 -0700
Received: from piraya.electrum.kth.se (piraya.electrum.kth.se [130.237.212.130]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id CAA21973 for ; Tue, 18 Apr 1995 02:03:27 -0700
Received: from anxiety.electrum.kth.se (anxiety.electrum.kth.se [130.237.215.110]) by piraya.electrum.kth.se (8.6.10/8.6.9) with ESMTP id LAA11768; Tue, 18 Apr 1995 11:03:13 +0200
Received: from localhost.electrum.kth.se (localhost.electrum.kth.se [127.0.0.1]) by anxiety.electrum.kth.se (8.6.9/8.6.9) with SMTP id LAA15726; Tue, 18 Apr 1995 11:03:12 +0200
Message-Id: <199504180903.LAA15726@anxiety.electrum.kth.se>
X-Authentication-Warning: anxiety.electrum.kth.se: Host localhost.electrum.kth.se didn't use HELO protocol
To: fc@all.net (Dr. Frederick B. Cohen)
cc: firewalls@greatcircle.com
Subject: Re: Exploiting UDP Ports
In-reply-to: Your message of Sun, 16 Apr 95 11:52:04 EDT. <9504161552.AA03983@all.net>
Date: Tue, 18 Apr 95 11:03:11 +0200
From: Christian Wettergren
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

| I'm not completely certain, but I believe that anyone running
| UDP on a real computer (not just a router) exposed to the Internet is
| certain to be vulnerable to denial of service attacks of a wide variety.
| Is there anyone who believes otherwise, and if so why?

There are some vulnerabilities in SUN syslogd (in the old version I have,
4.1.3). There is a fixed size buffer in logerror() that might get
overwritten in some cases. This might cause the process to coredump.

I believe there was a similar bug manifesting itself when sendmail 8.6.4
was new. Sendmail output too long syslog messages and caused the syslogd
on some systems to core dump. There was a patch for that.
On the other hand, I don't think we're any worse off with UDP than TCP. As
has been mentioned before (I believe on firewalls), a rapid succession of
TCP connections might very well put a machine into zombie mode.

Is it at all possible to protect against denial-of-service? I guess so,
but I have the feeling that the cost is high.

/Christian Wettergren

----------------------------------------------------------------------------
Christian Wettergren, Dist Edu, MICE-NSC   | cwe@it.kth.se
KTH/Teleinformatics, Sweden                | +46 (0)8 752 1491

From firewalls-owner Tue Apr 18 05:13:57 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA23972 for firewalls-outgoing; Tue, 18 Apr 1995 04:57:08 -0700
Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id EAA23967 for ; Tue, 18 Apr 1995 04:57:05 -0700
Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA08462; Tue, 18 Apr 95 07:56:01 -0500
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9504181256.AA08462@hawksbill.sprintmrn.com>
Subject: Re: 3COM Routers are good Firewall solutions
To: blackmer@nbn.com
Date: Tue, 18 Apr 1995 07:56:01 -0500 (EST)
Cc: maillet@bashful.usmcs.maine.edu, firewalls@greatcircle.com (Firewalls List)
In-Reply-To: <199504180425.VAA22272@midas.co.marin.ca.us> from "blackmer@nbn.com" at Apr 17, 95 09:25:32 pm
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 756
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>
> I feel you are incorrect in stating that 3COM Netbuilder II routers
> can not be used as firewalls or as part of blocking router for a total
> Firewall solution.
>
> We use a 3COM routers as a firewall to protect certain parts of the
> Midas project and it also used by many school districts in California.
>

Perhaps a clarification is in order; I simply expressed my _opinion_.
:-)

- paul

_______________________________________________________________________________
Paul Ferguson
US Sprint                              tel: 703.689.6828
Managed Network Engineering            internet: paul@hawk.sprintmrn.com
Reston, Virginia USA                   http://www.sprintmrn.com

From firewalls-owner Tue Apr 18 05:46:39 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA24089 for firewalls-outgoing; Tue, 18 Apr 1995 05:09:22 -0700
Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA24084 for ; Tue, 18 Apr 1995 05:09:13 -0700
Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA08518; Tue, 18 Apr 95 08:09:02 -0500
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9504181309.AA08518@hawksbill.sprintmrn.com>
Subject: Re: Internet Security/Firewalls and Windoze/NT (fwd)
To: firewalls@greatcircle.com (Firewalls List)
Date: Tue, 18 Apr 1995 08:09:01 -0500 (EST)
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 1892
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Oops. I _meant_ 'RFC's 1001 & 1002,' 'PROTOCOL STANDARD FOR A NetBIOS
SERVICE ON A TCP/UDP TRANSPORT.'

- paul

Forwarded message:
> From firewalls-owner@GreatCircle.COM Mon Apr 17 21:41:32 1995
> From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
> Message-Id: <9504180031.AA06811@hawksbill.sprintmrn.com>
> Subject: Re: Internet Security/Firewalls and Windoze/NT
> To: scott@Disclosure.COM (Scott Barman)
> Date: Mon, 17 Apr 1995 19:31:31 -0500 (EST)
> Cc: firewalls@greatcircle.com
> In-Reply-To: <9504172036.AA17089@ Disclosure.COM> from "Scott Barman" at Apr 17, 95 04:36:27 pm
> X-Mailer: ELM [version 2.4 PL22]
> Content-Type: text
> Content-Length: 1101
> Sender: firewalls-owner@GreatCircle.COM
> Precedence: bulk
>
>
> I would _highly_ recommend obtaining a copy of RFC's 1002 & 1002
> to completely understand the technical issues that confront you.
>
> - paul
>
>
> >
> > Unfortunately, one of the systems I have to support is a Windoze/NT
> > (allegedly) Advanced Server system (no, I am not an NT or M$ fan and you
> > can flame me in private email, if you dare). This box has to be
> > accessible to the net along side a Sun box.
> >
> > 1) Has anyone done this?
> > 2) What are the internet security concerns when it comes to NT?
> > 3) They (I take no responsibility for this decision) want this thing
> > set up on the "friendly" side of the firewall (friendly in that I
> > haven't kicked it in its side, yet! :-). What are the issues in
> > setting up a firewall in front of an NT box?
> >
> >
>
>_______________________________________________________________________________
> Paul Ferguson
> US Sprint                              tel: 703.689.6828
> Managed Network Engineering            internet: paul@hawk.sprintmrn.com
> Reston, Virginia USA                   http://www.sprintmrn.com
>

From firewalls-owner Tue Apr 18 06:13:41 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA25307 for firewalls-outgoing; Tue, 18 Apr 1995 05:51:21 -0700
Received: from relay.tis.com (relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id FAA25245 for ; Tue, 18 Apr 1995 05:51:10 -0700
Received: from mailhub.tis.com(192.33.112.100) by relay.tis.com via smap (g3.0) id sma008228; Tue, 18 Apr 95 08:50:30 -0400
Received: from sol.tis.com by tis.com (4.1/SUN-5.64) id AA24540; Tue, 18 Apr 95 08:50:09 EDT
Message-Id: <9504181250.AA24540@tis.com>
From: Frederick M Avolio
X-Organization: Trusted Information Systems, Inc.
X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363
To: ddk@beta.lanl.gov (David D Kaas)
Cc: firewalls@greatcircle.com, ddk@lanl.gov
Subject: Re: firewalls book??
In-Reply-To: Your message of Mon, 17 Apr 95 17:09:56 -0600. <9504172309.AA26323@beta.lanl.gov>
Date: Tue, 18 Apr 95 08:50:08 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

ZZZZzzzzzzzzzzzzzzzzz. Oops...
sorry, I dozed off. What was the question? Oh yeah, the book titled
"Internet ... .ZZZZZZzzzzzzzzz.....

From firewalls-owner Tue Apr 18 06:31:10 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA26715 for firewalls-outgoing; Tue, 18 Apr 1995 05:57:09 -0700
Received: from relay.tis.com (relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id FAA26667 for ; Tue, 18 Apr 1995 05:57:00 -0700
Received: from mailhub.tis.com(192.33.112.100) by relay.tis.com via smap (g3.0) id sma008280; Tue, 18 Apr 95 08:56:09 -0400
Received: from sol.tis.com by tis.com (4.1/SUN-5.64) id AA25163; Tue, 18 Apr 95 08:55:48 EDT
Message-Id: <9504181255.AA25163@tis.com>
From: Frederick M Avolio
X-Organization: Trusted Information Systems, Inc.
X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363
To: Stephen.L.Arnold@arnold.com
Cc: ddk@beta.lanl.gov, firewalls@greatcircle.com
Subject: Re: firewalls book??
In-Reply-To: Your message of Mon, 17 Apr 95 20:04:14 -0500. <01HPGI3Y26LI8WVZ9D@Badger.Arnold.Com>
Date: Tue, 18 Apr 95 08:55:47 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Again, who is this book by? If it is Cheswick and Bellovin, I disagree
with Steve. You can *easily* skip over the tcp/ip details and still get
tons out of the book.
Fred

From firewalls-owner Tue Apr 18 06:43:41 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA26348 for firewalls-outgoing; Tue, 18 Apr 1995 05:55:36 -0700
Received: from relay.tis.com (relay.tis.com [192.94.214.100]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id FAA26142 for ; Tue, 18 Apr 1995 05:55:03 -0700
Received: from mailhub.tis.com(192.33.112.100) by relay.tis.com via smap (g3.0) id sma008258; Tue, 18 Apr 95 08:54:06 -0400
Received: from sol.tis.com by tis.com (4.1/SUN-5.64) id AA25052; Tue, 18 Apr 95 08:53:44 EDT
Message-Id: <9504181253.AA25052@tis.com>
From: Frederick M Avolio
X-Organization: Trusted Information Systems, Inc.
X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363
To: ddk@beta.lanl.gov (David D Kaas)
Cc: firewalls@greatcircle.com, ddk@lanl.gov
Subject: Re: firewalls book??
In-Reply-To: Your message of Mon, 17 Apr 95 17:09:56 -0600. <9504172309.AA26323@beta.lanl.gov>
Date: Tue, 18 Apr 95 08:53:44 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Oh... If this is Cheswick and Bellovin's book, I take back my last
posting. It is *wonderful* actually (I can send you a review I did for
the Data Security Letter). I actually *AM* sleepy and have been on
vacation and so made an idiot of myself in front of thousands of people
with this (although I have done worse! This is not a record!!).

I thought this was the newer book that came out this year. It is a
snoozer, mostly copies of the FWTK documentation and Interlock's examples.

Fred

>
> Has anyone seen the book "Internet Firewalls and Network Security"? I would
> like to hear some type of review before I order one..
>
> thanks
> dave kaas
> | Dave Kaas                          | Internet: ddk@lanl.gov   |
> | Box 300 M/S A1-05                  |                          |
> | Boeing Computer Services Richland  | dave_kaas@.rl.giv        |
> | (Department of Energy contractor)  |                          |
> | Richland, Wa 99352                 | Phone: (509) 376-6386    |

From firewalls-owner Tue Apr 18 06:49:21 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA25009 for firewalls-outgoing; Tue, 18 Apr 1995 05:46:41 -0700
Received: from GOOD.CCCCD.EDU (good.ccccd.edu [192.231.40.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id FAA25004 for ; Tue, 18 Apr 1995 05:46:36 -0700
Received: from FS7HOST.CCCCD.EDU by EXPRESS.CCCCD.EDU (PMDF V4.2-12 #3064) id <01HPH6FQ8B008ZDVBG@EXPRESS.CCCCD.EDU>; Tue, 18 Apr 1995 07:52:09 CST
Received: from FS7/MAILQUEUE by FS7HOST.CCCCD.EDU (Mercury 1.1); Tue, 18 Apr 95 7:52:22 CST
Date: Tue, 18 Apr 1995 07:51:58 -0600 (CST)
From: Susan Farrar
Subject: Re: Need 3Com NetBuilder II experiences
To: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg), firewalls@greatcircle.com
Message-id: <01HPH6FQ8UAQ8ZDVBG@EXPRESS.CCCCD.EDU>
Organization: Collin County Community College
X-Mailer: Pegasus Mail/Windows (v1.22)
Content-transfer-encoding: 7BIT
Priority: normal
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi Ed,

I would like a copy of the article sent to me . . . we just purchased a
bunch of 3COM hardware from Raymund Charfouris here in Dallas.

thanx,

>
> At the risk of tooting our own horn, I administer the most of the firewalls
> here at 3Com, and have built our firewalls with NetBuilder II's.
>
> If you want general advice, get a copy of the April 1995 issue of 3Tech mag
> (Our 3Com technical rag) in which I've written an article on how to build an
> Internet firewall with a NetBuilder II, including a guide to the filter syntax.
>
> If you don't have a copy, let me know and I'll mail you one courtesy of 3Com.
> (Offer good to anyone who actually needs it. I haven't got the time to send
> copies to everyone.
> I'm a network administrator, not a marketing person.)
>
> If you'd like to, I'll discuss the issue with you off-line as well.
>
> Since this is a response to a query, I hope this doesn't exceed the bounds of
> permissible commercialism on this list. I try to keep a low profile.
>
> BobK
>

-Susan
________________________________________________
Susan Farrar, Director
Academic Computing Services
Collin County Community College
(214) 881-5844
SFARRAR@FS7HOST.CCCCD.EDU

From firewalls-owner Tue Apr 18 07:10:22 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA27480 for firewalls-outgoing; Tue, 18 Apr 1995 06:26:05 -0700
Received: from worldcom.com (worldcom.com [198.64.193.5]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA27475 for ; Tue, 18 Apr 1995 06:26:03 -0700
Received: from worldcom-18.worldcom.com (worldcom-18.worldcom.com [198.64.193.9]) by worldcom.com (8.6.11/8.6.9) with SMTP id IAA19511 for ; Tue, 18 Apr 1995 08:07:37 -0500
Received: by worldcom-18.worldcom.com (IBM OS/2 SENDMAIL VERSION 1.3.13/3.3) id AA2065; Tue, 18 Apr 95 08:01:50 -0700
Message-Id: <9504181501.AA2065@worldcom-18.worldcom.com>
Received: from worldcom with "Lotus Notes Mail Gateway for SMTP" id 3504FB40FFBD2CBE862561A20047886A; Tue, 18 Apr 95 08:01:50
To: firewalls
From: Kenneth Smith
Date: 17 Apr 95 20:15:21 EDT
Subject: Re: firewalls book??
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I also picked up _Internet Firewalls and Network Security_ recently. It's
an adequate book, but certainly nothing to write home about. An example:
the two authors list a variety of resources available on the Internet for
those interested in firewalls -- and fail to mention this list. One would
think they hadn't done their homework very well.
From firewalls-owner Tue Apr 18 07:50:07 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA29784 for firewalls-outgoing; Tue, 18 Apr 1995 07:37:02 -0700
Received: from [158.152.139.213] (g-circle.demon.co.uk [158.152.139.213]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA29778; Tue, 18 Apr 1995 07:36:48 -0700
X-Sender: (Unverified)
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 18 Apr 1995 15:35:17 +0000
To: Frederick M Avolio , ddk@beta.lanl.gov (David D Kaas)
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: firewalls book??
Cc: firewalls@greatcircle.com, ddk@lanl.gov
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 08:53 4/18/95, Frederick M Avolio wrote:
>Oh... If this is Cheswick and Bellovin's book, I take back my last
>posting. It is *wonderful* actually (I can send you a review I did for
>the Data Security Letter). I actually *AM* sleepy and have been on
>vacation and so made an idiot of myself in front of thousands of
>people with this (although I have done worse! This is not a record!!).

That's "Firewalls and Internet Security", written by Bellovin & Cheswick,
published by Addison-Wesley, 1994. Yes, it's the only good firewalls book
currently available (but see below).

>I thought this was the newer book that came out this year. It is a
>snoozer, mostly copies of the FWTK documentation and Interlock's
>examples.

I think that's "Internet Firewalls and Network Security", don't remember
the authors, published by New Riders Publishers, 1995. Yes, it's nowhere
near as good as B&C (but I'm not unbiased; see below).

My own book is called "Internet Security Firewalls"... There are only so
many ways you can work the words "Firewalls", "Internet", and "Security"
into a title, and "Internet Security Firewalls" is the exact title I've
been using for my tutorial for the last couple of years.
The book, co-authored by Elizabeth Zwicky and published by O'Reilly &
Associates, went out to technical review yesterday (no, we can't handle
any more reviewers, thank you), and should be on shelves in late August or
early September (we're trying to get it out in time for the Interop and
LISA conferences).

-Brent

----------------------------------------------------------------------
For info about the Internet Security Firewalls Tutorial and a schedule of
upcoming dates, please send email to Tutorial-Info@GreatCircle.COM
----------------------------------------------------------------------
Brent Chapman                                   Great Circle Associates
Brent@GreatCircle.COM                           1057 West Dana Street
+1 415 962 0841                                 Mountain View, CA 94041

From firewalls-owner Tue Apr 18 08:46:17 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA28123 for firewalls-outgoing; Tue, 18 Apr 1995 06:52:08 -0700
Received: from vampire.xinit.se (vampire.xinit.se [194.14.168.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id GAA28114 for ; Tue, 18 Apr 1995 06:52:03 -0700
Received: from ghoul.xinit.se (job@ghoul.xinit.se [194.14.168.13]) by vampire.xinit.se (8.6.10/8.1) with SMTP id PAA27111; Tue, 18 Apr 1995 15:49:45 +0200
Date: Tue, 18 Apr 1995 15:49:41 +0200 (MET DST)
From: "Joakim B. Berglund"
To: Ron Kelley
cc: firewalls@GreatCircle.COM
Subject: Re: Network Address Translator
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 17 Apr 1995, Ron Kelley wrote:

> Looking for a network translator package. I want to translate an
> un-registered class B (internal) to registered class C (which is on the DMZ).
>
> A DEC engineer once spoke about a commercial package which would do this,
> but I've been unable to locate it.
>

There is something called PIX (Private Internet eXchange) that is sold by
Network Translation (415-494-6387) info@translation.com

It will do exactly what you describe.

--------------------------------------------------------------------------------
Joakim Berglund          job@xinit.se          Tel: +46 60 120690  +46 70 5915314
Xinit AB                 finger job@ns.xinit.se for PGP 2.6
Sjögatan 2               S-852 34 Sundsvall

From firewalls-owner Tue Apr 18 08:55:56 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA00310 for firewalls-outgoing; Tue, 18 Apr 1995 08:02:10 -0700
Received: from cseic.saic.com (CSEIC.SAIC.COM [139.121.32.135]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA00305 for ; Tue, 18 Apr 1995 08:02:07 -0700
Received: by cseic.saic.com (4.1/1.34) id AA03195; Tue, 18 Apr 95 10:50:59 EDT
Date: Tue, 18 Apr 95 10:50:59 EDT
From: steveg@cseic.saic.com (Stephen Harold Goldstein)
Message-Id: <9504181450.AA03195@cseic.saic.com>
To: bobk@manzanita.DEV.3Com.COM
Cc: ddk@beta.lanl.gov, firewalls@greatcircle.com
In-Reply-To: Bob Konigsberg's message of Mon, 17 Apr 95 16:44:45 PDT <9504172344.AA00813@manzanita.DEV.3Com.COM.noname>
Subject: firewalls book??
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

bobk@manzanita.DEV.3Com.COM (Bob Konigsberg) writes:

>> I've got it and have read it cover to cover. Very good, somewhat technical.
>> Its only limitation is that it tells how Cheswick and Bellovin did their
>> firewall. Not everything they did applies to every situation.
>>
>> Still, I'd recommend it to anyone as a good primer if you're really serious.

Let's keep things straight, the book in question was:

  "Internet Firewalls and Network Security"

Which should not be confused with (though hard not to by the name)
Cheswick & Bellovin's:

  "Firewalls and Internet Security"

Kind of makes me wonder what Brent will title his book.... "Internet
Security and Network Firewalls"? "Network Firewalls and Security"?.... The
mind boggles.
Stephen Goldstein
steveg@cseic.saic.com
My first computer: A 24K Atari 800, Rev. A ROMS, November 1980
Disclaimer: That's not what I said.

From firewalls-owner Tue Apr 18 08:57:52 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA00546 for firewalls-outgoing; Tue, 18 Apr 1995 08:17:17 -0700
Received: from uuneo.neosoft.com (uuneo.NeoSoft.COM [198.64.6.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA00539 for ; Tue, 18 Apr 1995 08:17:12 -0700
Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.6.10/8.6.10) with UUCP id KAA14897 for greatcircle.com!firewalls; Tue, 18 Apr 1995 10:11:26 -0500
Received: by ris1.nmti.com (smail2.5) id AA23814; 18 Apr 95 08:55:48 CDT (Tue)
Received: by sonic.nmti.com; id AA30286; Tue, 18 Apr 1995 09:12:59 -0500
From: peter@nmti.com (Peter da Silva)
Message-Id: <9504181412.AA30286@sonic.nmti.com.nmti.com>
Subject: Re: The Dan Farmer rap
To: dcrocker@networking.stanford.edu (Dave Crocker)
Date: Tue, 18 Apr 1995 09:12:58 -0500 (CDT)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Dave Crocker" at Apr 17, 95 05:11:51 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 735
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I'm sending THIS one because I want to encourage those who were
> upset by the bad rap submission to send their notes NOT to this list, but
> to the author of the message AND to postmaster@suburbia.apana.org.au and
> postmaster@apana.org.au so that those with administrative responsibility
> can be aware of the problem and make an assessment of it.

I would suggest not bothering the postmaster about it unless he makes a
habit of this sort of thing. There's no point in bringing in
administration over a stupid joke... some sites have policies that
*require* official notice with things like this and people have lost net
access over what's really trivia.

I don't think anyone here thinks less of Dan Farmer because of it.
From firewalls-owner Tue Apr 18 09:27:07 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA00227 for firewalls-outgoing; Tue, 18 Apr 1995 07:58:21 -0700
Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA00221 for ; Tue, 18 Apr 1995 07:58:19 -0700
Received: from klaatu.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.29.1 #1) id m0s1Eft-0000L4C; Tue, 18 Apr 95 07:54 PDT
Received: by klaatu.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA25361; Tue, 18 Apr 1995 07:56:34 +0800
Date: Tue, 18 Apr 1995 07:56:34 +0800
From: peters@oes.amdahl.com (Peter Sivo)
Message-Id: <9504181456.AA25361@klaatu.oes.amdahl.com>
To: ddk@beta.lanl.gov, avolio@tis.com
Subject: Re: firewalls book??
Cc: firewalls@greatcircle.com, ddk@lanl.gov
X-Sun-Charset: US-ASCII
content-length: 1086
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > Oh... If this is Cheswick and Bellovin's book,
> > (stuff deleted)
> > Fred
> >
> > > Has anyone seen the book "Internet Firewalls and Network Security"? I would
> > > like to hear some type of review before I order one..
> > >
> > > thanks
> > > dave kaas

There are two books in question, and Dave is asking about the newer book,
that came out this year.

The Cheswick/Bellovin book is "Firewalls and Internet Security". Very good
book in my opinion. Worth its weight in gold.

The new book that came out is by Karanjit Siyan & Chris Hare and is called
"Internet Firewalls and Network Security". I bought this one, but didn't get
out half as much as the Cheswick/Bellovin book. This book didn't go into the
detail (in my opinion) as Cheswick did but it *is* a decent book.

For more detail though, definitely the Cheswick/Bellovin book is the one to
get (if you had a choice between the two).

Peter Sivo
Systems/Network Administrator
Amdahl/Open Enterprise Systems
peters@oes.amdahl.com
**** All opinions are my own and not necessarily those of my employer ****

From firewalls-owner Tue Apr 18 09:50:17 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA01330 for firewalls-outgoing; Tue, 18 Apr 1995 08:57:31 -0700
Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA01325 for ; Tue, 18 Apr 1995 08:57:29 -0700
Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.29.1 #1) id m0s1FbE-0000QWC; Tue, 18 Apr 95 08:54 PDT
Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA09384; Tue, 18 Apr 1995 08:57:16 +0800
Date: Tue, 18 Apr 1995 08:57:16 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
Message-Id: <9504181557.AA09384@brittany.oes.amdahl.com>
To: Firewalls@greatcircle.com, vin@shore.net
Subject: Re: The Dan Farmer Rap
Cc: proff@suburbia.apana.org.au
X-Sun-Charset: US-ASCII
content-length: 711
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please stop talking about the Dan Farmer Rap...it's got nothing to do with
firewalls.

Patrick

 _______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;).   \
|                                                            (\         |
| Patrick J. Horgan        Amdahl Corporation                 \\  Have  |
| patrick@amdahl.com       1250 East Arques Avenue             \\ _ Sword|
| Phone : (408)992-2779    P.O. Box 3470 M/S 316                \\/ Will |
| FAX   : (408)773-0833    Sunnyvale, CA 94088-3470            _/\\Travel|
\___________________________O16-2294________________________\)__________/

From firewalls-owner Tue Apr 18 09:55:27 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA29431 for firewalls-outgoing; Tue, 18 Apr 1995 07:24:00 -0700
Received: from provider.ins.com (provider.ins.com [199.0.194.125]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id HAA29413 for ; Tue, 18 Apr 1995 07:23:55 -0700
Received: from paganpb.ins.com (paganpb [199.0.194.152]) by provider.ins.com (8.6.10/8.6.10) with SMTP id KAA15525; Tue, 18 Apr 1995 10:23:44 -0400
Date: Tue, 18 Apr 1995 10:23:44 -0400
Message-Id: <199504181423.KAA15525@provider.ins.com>
X-Sender: pagan@provider.ins.com
X-Mailer: Windows Eudora Version 2.0.3
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Ron Kelley
From: Thomas_Pagan@ins.com (Tom Pagan)
Subject: Re: Network Address Translator
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Looking for a network translator package. I want to translate an
>un-registered class B (internal) to registered class C (which is on the DMZ).
>
>A DEC engineer once spoke about a commercial package which would do this,
>but I've been unable to locate it.
>
>Ron Kelley
>Sharp HealthCare, Inc.
>San Diego, CA 92123
>
>

I _know_ of a hw/sw product that supposedly deals with unregistered and
RFC1597 addresses, called Private Internet Exchange from Network Translation.

http://www.jma.com/pix.html
info@translation.com
415.494.NETS

I've no opinions or experience regarding this product.
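The request above, mapping an unregistered class B onto a registered class C, cannot be a one-to-one address swap: the inside network has far more addresses than the class C can supply, so a translator of that shape has to hand out bindings dynamically and multiplex on transport ports. The Python sketch below is an added illustration of that mechanism (dynamic NAT with port translation, the general form of the one case Ron asks about); it is not code from PIX, from Network Translation, or from anyone on this list. The 172.16.0.0/16 inside network, the 192.0.2.0/24 pool, the round-robin pool choice and the rule that an inbound packet must come from the peer its binding was created for are all constructed assumptions of this example.

```python
import ipaddress
from itertools import count

# RFC 1597 private blocks: the "unregistered" space an inside network would use.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1597(addr):
    """True if addr falls inside one of the RFC 1597 private blocks."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in PRIVATE_NETS)


class Translator:
    """Dynamic NAT with port translation (NAPT), constructed for illustration.

    Many inside hosts share a small pool of registered addresses.  A binding
    (inside ip, inside port, remote ip, remote port) -> (pool ip, pool port)
    is created the first time an inside host talks to a remote endpoint and
    reused afterwards.  Inbound packets are translated only if they hit an
    existing binding AND come from the peer that binding was created for.
    Everything else is dropped: that implicit inbound deny is a side effect
    of translation, not a packet filter, and does not replace one.
    """

    def __init__(self, inside_net, pool_net, first_port=1024):
        self.inside = ipaddress.ip_network(inside_net)
        self.pool = [str(a) for a in ipaddress.ip_network(pool_net).hosts()]
        # One port counter per pool address, starting above the well-known
        # range so translated ports never look like service ports.
        self.next_port = {a: count(first_port) for a in self.pool}
        self.next_pool_idx = 0
        self.out_table = {}   # flow key -> (pool ip, pool port)
        self.in_table = {}    # (pool ip, pool port) -> flow key

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an inside->outside packet.  Returns the rewritten
        (src ip, src port, dst ip, dst port), or None if untranslatable."""
        if ipaddress.ip_address(src_ip) not in self.inside:
            return None                      # not an inside address at all
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_table:
            pool_ip = self.pool[self.next_pool_idx % len(self.pool)]  # round-robin
            self.next_pool_idx += 1
            pool_port = next(self.next_port[pool_ip])
            if pool_port > 65535:
                return None                  # that pool address is exhausted
            self.out_table[key] = (pool_ip, pool_port)
            self.in_table[(pool_ip, pool_port)] = key
        pool_ip, pool_port = self.out_table[key]
        return (pool_ip, pool_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an outside->inside packet.  Returns the rewritten tuple,
        or None when the packet is dropped (no binding, or wrong peer)."""
        binding = self.in_table.get((dst_ip, dst_port))
        if binding is None:
            return None                      # unsolicited: nothing to map it to
        in_ip, in_port, remote_ip, remote_port = binding
        if (src_ip, src_port) != (remote_ip, remote_port):
            return None                      # a peer the inside host never contacted
        return (src_ip, src_port, in_ip, in_port)

    def bindings(self):
        """Number of live translations, the figure that sizes the pool."""
        return len(self.out_table)


def demo():
    """Constructed walk-through: an inside host opens an HTTP connection, the
    reply is let back in, and two packets with no matching binding are refused."""
    nat = Translator("172.16.0.0/16", "192.0.2.0/24")   # constructed networks
    out = nat.outbound("172.16.5.7", 40000, "198.51.100.10", 80)
    reply = nat.inbound("198.51.100.10", 80, out[0], out[1])
    stranger = nat.inbound("203.0.113.9", 80, out[0], out[1])       # wrong peer
    unsolicited = nat.inbound("198.51.100.10", 80, out[0], out[1] + 1)  # no binding
    return out, reply, stranger, unsolicited


if __name__ == "__main__":
    for label, result in zip(("outbound", "reply", "stranger", "unsolicited"), demo()):
        print(f"{label:12s} {result}")
```

The binding table is the whole story: it only grows from the inside, so a host outside sees nothing it can address until an inside host speaks first, and the per-peer check in `inbound` stops a third party from reusing a pool port it happened to observe. A real product also ages bindings out and translates addresses embedded in payloads (FTP being the usual case), both of which this sketch leaves out.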
From firewalls-owner Tue Apr 18 10:14:29 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA01983 for firewalls-outgoing; Tue, 18 Apr 1995 09:23:49 -0700
Received: from info.unep.ch (info.unep.ch [193.5.4.131]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA01976 for ; Tue, 18 Apr 1995 09:23:44 -0700
Received: from pc41.unep.ch (pc41.unep.ch [193.5.4.141]) by info.unep.ch (8.6.8.1/8.6.6) with SMTP id SAA29532 for ; Tue, 18 Apr 1995 18:22:13 +0200
Message-Id: <199504181622.SAA29532@info.unep.ch>
From: "Alex Linch"
Organization: UNEP
To: firewalls@GreatCircle.com
Date: Tue, 18 Apr 1995 17:33:59 METZ
Subject: TIS and Solaris x86 2.4
Reply-to: alex@unep.ch
Priority: normal
X-mailer: Pegasus Mail/Windows (v1.22)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From:          "Alex Linch"
Organization:  UNEP
To:            firewalls@GreateCircle.com
Date sent:     Tue, 18 Apr 1995 17:30:18 METZ

Wonder if someone out there has information on TIS toolkit working on
Solaris x86 2.4.

Thanks in advance

From firewalls-owner Tue Apr 18 10:14:42 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA02088 for firewalls-outgoing; Tue, 18 Apr 1995 09:28:48 -0700
Received: from dee.retix.com (dee.retix.com [163.182.4.22]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA02083 for ; Tue, 18 Apr 1995 09:28:45 -0700
Received: from sleepy.retix.com (sleepy.retix.com [163.182.52.17]) by dee.retix.com (8.6.12/8.6.4) with ESMTP id JAA00332; Tue, 18 Apr 1995 09:28:43 -0700
From: joshua geller
Received: (joshua@localhost) by sleepy.retix.com (8.6.7/8.6.4) id JAA06533; Tue, 18 Apr 1995 09:29:12 -0700
Date: Tue, 18 Apr 1995 09:29:12 -0700
Message-Id: <199504181629.JAA06533@sleepy.retix.com>
To: peter@nmti.com
CC: dcrocker@networking.stanford.edu, firewalls@GreatCircle.COM
In-reply-to: <9504181412.AA30286@sonic.nmti.com.nmti.com> (peter@nmti.com)
Subject: Re: The Dan Farmer rap
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > I'm sending THIS one because I want to encourage those who were
> > upset by the bad rap submission to send their notes NOT to this list, but
> > to the author of the message AND to postmaster@suburbia.apana.org.au and
> > postmaster@apana.org.au so that those with administrative responsibility
> > can be aware of the problem and make an assessment of it.

> I would suggest not bothering the postmaster about it unless he makes a
> habit of this sort of thing. There's no point in bringing in administration
> over a stupid joke... some sites have policies that *require* official
> notice with things like this and people have lost net access over what's
> really trivia. I don't think anyone here thinks less of Dan Farmer because
> of it.

some of us think less of proff because of it. but I agree.

josh

From firewalls-owner Tue Apr 18 10:22:11 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA29299 for firewalls-outgoing; Tue, 18 Apr 1995 07:19:18 -0700
Received: from Disclosure.COM (di.disclosure.com [199.97.230.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA29288 for ; Tue, 18 Apr 1995 07:19:13 -0700
Received: by Disclosure.COM (4.1/SMI-4.1) id AA20191; Tue, 18 Apr 95 10:21:23 EDT
Date: Tue, 18 Apr 95 10:21:23 EDT
From: scott@Disclosure.COM (Scott Barman)
Message-Id: <9504181421.AA20191@ Disclosure.COM>
To: firewalls@greatcircle.com
Subject: Re: Internet Security/Firewalls and Windoze/NT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 17 Apr 95 16:36:27 EDT, I wrote:
>Unfortunately, one of the systems I have to support is a Windoze/NT
>(allegedly) Advanced Server system (no, I am not an NT or M$ fan and you
>can flame me in private email, if you dare). This box has to be
>accessible to the net along side a Sun box.

... snip ...

I have gotten many responses to this. Far too many to address individually
and still get work done. To all of you who passed along information, I
really appreciate it! To the dozen-or-so who are interested in a follow-up,
I will either post it here or post a pointer to a place where you can pick
it up.

THANKS!!

scott barman
scott@disclosure.com / barman@ix.netcom.com

From firewalls-owner Tue Apr 18 10:41:11 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA29343 for firewalls-outgoing; Tue, 18 Apr 1995 07:20:59 -0700
Received: from research.att.com (research.att.com [192.20.225.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA29338 for ; Tue, 18 Apr 1995 07:20:56 -0700
From: smb@research.att.com
Message-Id: <199504181420.HAA29338@miles.greatcircle.com>
Received: by gryphon; Tue Apr 18 10:19:42 EDT 1995
To: ddk@beta.lanl.gov (David D Kaas), firewalls@greatcircle.com
Subject: Re: firewalls book??
Date: Tue, 18 Apr 95 10:19:41 EDT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Oh... If this is Cheswick and Bellovin's book, I take back my last posting.
It is *wonderful* actually (I can send you a review I did for the Data
Security Letter). I actually *AM* sleepy and have been on vacation and so
made an idiot of myself in front of thousands of people with this (although
I have done worse! This is not a record!!). I thought this was the newer
book that came out this year. It is a snoozer, mostly copies of the FWTK
documentation and Interlock's examples.

There are indeed two firewalls books available: Firewalls and Internet
Security: Repelling the Wily Hacker by myself and Bill Cheswick, published
by Addison-Wesley, and available for about a year. The newer book is
``Internet Firewalls and Network Security'', and yes, the similarity of
titles can be confusing. When asking about or commenting on them, please
make sure you get them straight...

		--Steve Bellovin

P.S. I do, of course, have an opinion on the relative merits of the two
books, but I'm biased...

From firewalls-owner Tue Apr 18 10:51:21 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA04481 for firewalls-outgoing; Tue, 18 Apr 1995 10:41:05 -0700
Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA04475 for ; Tue, 18 Apr 1995 10:41:02 -0700
Received: from uucp3.UU.NET by relay3.UU.NET with SMTP id QQymag03805; Tue, 18 Apr 1995 13:41:02 -0400
Received: from ontek.UUCP by uucp3.UU.NET with UUCP/RMAIL ; Tue, 18 Apr 1995 13:41:02 -0400
Received: from [199.164.243.218] (scotts_mac) by ontek.com (4.1/SMI-4.1) id AA06765; Tue, 18 Apr 95 10:20:01 PDT
Message-Id: <9504181720.AA06765@ontek.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 18 Apr 1995 09:31:27 -0800
To: firewalls@greatcircle.com
From: scott@ontek.com (Scott M. Dickson)
Subject: Re: firewalls book??
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Kenneth Smith Wrote:

>I also picked up _Internet Firewalls and Network Security_ recently. It's an
>adequate book, but certainly nothing to write home about. An example: the two
>authors list a variety of resources available on the Internet for those
>interested in firewalls -- and fail to mention this list. One would think
>they
>hadn't done their homework very well.

Appendix A (_Useful Free Stuff_), Section A.5 (_Information Sources_) (p. 247)

   A.5.2 The _Firewalls_ Mailing List

   [Information on how to subscribe]

---------------------------------------

Then again, I looked closely at the title of the book I have in front of me
and it's called _Firewalls and Internet Security -- Repelling the Wily
Hacker_. Are we dealing with two different books with confusingly similar
titles?

Scott Dickson                    Tel:   (714) 768-0301
ONTEK Corporation                Fax:   (714) 768-0851
22941 Mill Creek Dr.             Email: scott@ontek.com
Laguna Hills, CA 92653 USA

From firewalls-owner Tue Apr 18 11:13:27 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA01235 for firewalls-outgoing; Tue, 18 Apr 1995 08:52:37 -0700
Received: from ncrcan.canada.ncr.com (h153-71-50-8.ATTGIS.COM [153.71.50.8]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id IAA01221 for ; Tue, 18 Apr 1995 08:52:32 -0700
Message-Id: <199504181552.IAA01221@miles.greatcircle.com>
Subject: Re: firewalls book??
To: firewalls@greatcircle.com
Date: Tue, 18 Apr 95 11:53:25 EDT
From: Greg Nenych
In-Reply-To: ; from "Stephen.L.Arnold@Arnold.Com" at Apr 17, 95 8:04 pm
Reply-To: greg.nenych@canada.ncr.com
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Stephen.L.Arnold@Arnold.Com writes:
>
> > Has anyone seen the book "Internet Firewalls and Network Security"? I would
> > like to hear some type of review before I order one..

There are a couple of books out there with similar names.
Who is the author of the one you are referring to?

>
> It's been on my night stand for 2 months, and I haven't been able to get
> through it.

I hope that you were not referring to "Firewalls and Internet Security:
Repelling the Wily Hacker" by Cheswick & Bellovin. This is an excellent
book, was the first book about firewalls to hit the market, and, is still
the best I have seen on the topic.

> There's so much general TCP/IP and UNIX information I
> haven't been able to get through it to the firewall stuff yet.
> (Disclaimer: I know this stuff, and was looking for something to
> recommend to clients.)

If you must, you can skip the intro chapters and still get a lot out of the
book. I thought that the authors did a good job of describing many of the
risks, pros and cons of various firewall architectures, the free tools
available to you, and also tried to pass on some of their years of
EXPERIENCE with firewalls and internetwork security. If you need more
information, there is a long bibliography of books and papers.

From a technical perspective, I don't think that there is much in the book
that has not already been covered in detail in the literature. However, if
you want to learn about firewalls or build your own, this book tries to put
as much of the information that is out there as possible into a single book
and at a bargain price.

- Greg

--
Greg Nenych - AT&T Global Information Solutions Canada Ltd.
greg.nenych@canada.attgis.com

From firewalls-owner Tue Apr 18 11:44:02 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA05613 for firewalls-outgoing; Tue, 18 Apr 1995 11:17:37 -0700
Received: from outside.mediavis.com (mediavis.com [204.30.229.9]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id LAA05608 for ; Tue, 18 Apr 1995 11:17:33 -0700
Received: from MediaVis.com by outside.mediavis.com with smtp (Smail3.1.28.1 #64) id m0s1HtF-000U1mC; Tue, 18 Apr 95 11:20 PDT
Received: from mvimail.mediavis.com by MediaVis.com (Media Vision, Inc.) with SMTP (1.37.109.4/16.2) id AA16918; Tue, 18 Apr 95 11:13:58 -0700 (Send to firstname_lastname@MediaVis.com)
Received: by MVIMAIL.MEDIAVIS.COM with Microsoft Mail id <2F94022C@MVIMAIL.MEDIAVIS.COM>; Tue, 18 Apr 95 11:17:16 PDT
From: Alan Millar
To: "'firewalls '"
Subject: IP source routing with HP Router ER?
Date: Tue, 18 Apr 95 11:05:00 PDT
Message-Id: <2F94022C@MVIMAIL.MEDIAVIS.COM>
Encoding: 23 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm using an HP Router ER (27285A) in our firewall. It seems to do
everything I need in the way of filtering, etc. except for one nagging
question. I cannot find any information about IP source routing. There
isn't any documented configuration option to allow or disallow source
routed IP packets, nor is there any documentation about how they are
handled by the router.

My vendor doesn't know, and hasn't found the right people at HP to answer
it yet. Everyone points back to the token ring source routing info :-(

I am told that this router's software was OEM'd from Wellfleet, for what
it is worth. Anyone know how they handle IP source routing in their own
boxes? This box is about two years old.

I'd appreciate any advice. Thanks.

- Alan Millar
Computer Network/Operations Manager
Media Vision, Inc.
AMillar@MediaVis.com

From firewalls-owner Tue Apr 18 12:39:27 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id LAA05889 for firewalls-outgoing; Tue, 18 Apr 1995 11:30:23 -0700
Received: from hostserver.merit.edu (hostserver.merit.edu [35.1.1.98]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id LAA05879 for ; Tue, 18 Apr 1995 11:30:19 -0700
Received: from uodss_jr.fh.bosch.com by hostserver.merit.edu (8.6.10/hostsrvr-1.1) id OAA09596; Tue, 18 Apr 1995 14:30:12 -0400
Date: Tue, 18 Apr 1995 14:30:12 -0400
Message-Id: <199504181830.OAA09596@hostserver.merit.edu>
X-Sender: cwerner@hsdemo.merit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: cwerner@hsdemo.merit.edu (Chris Werner)
Subject: Re: firewalls book??
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Since two books seem to be reviewed at once here...

Cheswick & Bellovin do a wonderful service to the industry by citing 42
'bombs' to avoid in configuring a firewall. The resource list at the end
(which included SATAN) alone is worth the price. However, I found(find)
implementation of the proposed firewall not as easy/straightforward/simple
as the authors or hopeful customer may have thought. Specifically, the
authors reference the AT&T firewall which uses a number of internally(read
proprietary) developed programs to realize the security level for a large
Corp. While I realize that no one wants to 'give away the store' by
publishing all their secrets, I wish someone would just provide a
step-by-step installation guide to create a firewall of one form or
another(maybe I will when I finish this thing ...).

Is the 'new' snoozy book Frank referred to 'Internet Firewalls and Network
Security' by Siyan and Hare? I picked it up because it was the only thing
in book form which attempts to explain how to install tcp-wrapper. It has
several sections which seem to be redundant with commercial product docs
(Interlock, FW-1, Gauntlet, fwtk) and a lot of time spent discussing policy
(ala DoD 5200.28-STD). C&B definitely read better.

My $0.02 worth

Opinions expressed are my own and do not reflect those of Robert Bosch Corp.
----------------------------------------------------------------------------
Christopher L. Werner      | Robert Bosch Corp.
System Engineer            | 38000 Hills Tech. Drive
(810)553-1389              | Farmington Hills, MI 48331-3417

From firewalls-owner Tue Apr 18 12:47:15 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id MAA06701 for firewalls-outgoing; Tue, 18 Apr 1995 12:10:34 -0700
Received: from hostserver.merit.edu (hostserver.merit.edu [35.1.1.98]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id MAA06695 for ; Tue, 18 Apr 1995 12:10:30 -0700
Received: from uodss_jr.fh.bosch.com by hostserver.merit.edu (8.6.10/hostsrvr-1.1) id OAA09639; Tue, 18 Apr 1995 14:30:19 -0400
Date: Tue, 18 Apr 1995 14:30:19 -0400
Message-Id: <199504181830.OAA09639@hostserver.merit.edu>
X-Sender: cwerner@hsdemo.merit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: cwerner@hsdemo.merit.edu (Chris Werner)
Subject: C & B 'Choke' Router config
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Given the following topology:

Dual-homed Bastion -------- Choke Router ---------- Dual-homed Bastion
                  A        B              X        Y

Solaris 2.4
ip_forwarding on both hosts off
arp table on A contains B
arp table on Y contains X
static route from A to B and network X-Y with B as gateway
static route from Y to X and network A-B with X as gateway

Per page 91 of C & B:

on Choke:
    no service finger
    no ip redirects
    no ip route-cache
    no ip proxy-arp
    no mop enabled
    no ip unreachables
    arp entry for A and Y
    all traffic blocked except specific ports
    telnet access off

Q:  A can ping B and X but not Y
    Y can ping X and B but not A    :-(

*If* I enable ip proxy-arp A can ping Y and Y can ping A.  :-)

Why won't it work if ip proxy-arp is off?

I am assuming we want it off so someone with a sniffer would not be able to
intercept arp broadcasts on the sub-net. Testing has shown that the only MAC
address returned by the router is its own when a ping of A or Y is
initiated from within A-B or X-Y.

Do I care? Obviously (maybe not - dangerous word) first I must ping later I
can send mail, ftp-proxy, telnet-proxy, and all the other wonderful things a
firewall should do well.

For now - *I just want to ping*  :-(

Thanks

Opinions expressed are my own and do not reflect those of Robert Bosch Corp.
----------------------------------------------------------------------------
Christopher L. Werner      | Robert Bosch Corp.
System Engineer            | 38000 Hills Tech. Drive
(810)553-1389              | Farmington Hills, MI 48331-3417

From firewalls-owner Tue Apr 18 12:49:14 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id KAA03110 for firewalls-outgoing; Tue, 18 Apr 1995 10:02:14 -0700
Received: from netcom7.netcom.com (netcom7.netcom.com [192.100.81.115]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id KAA03104 for ; Tue, 18 Apr 1995 10:02:12 -0700
Received: by netcom7.netcom.com (8.6.12/Netcom) id KAA17960; Tue, 18 Apr 1995 10:01:57 -0700
Date: Tue, 18 Apr 1995 10:01:57 -0700 (PDT)
From: Michael Nelson
X-Sender: mikenel@netcom7
To: Scott Barman
cc: firewalls@greatcircle.com
Subject: Re: Internet Security/Firewalls and Windoze/NT
In-Reply-To: <9504172036.AA17089@ Disclosure.COM>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 17 Apr 1995, Scott Barman wrote:

> Unfortunately, one of the systems I have to support is a Windoze/NT
> (allegedly) Advanced Server system (no, I am not an NT or M$ fan and you
> can flame me in private email, if you dare). This box has to be
> accessible to the net along side a Sun box.
There are more NetBIOS ports than I specified in my last message (pressed
send too quickly). Check out the NetBIOS RFCs (1001 & 1002) for the
complete list...

-- Mike

--
Michael Nelson (mikenel@netcom.com)  | Real programmers don't comment their
Rockville, Maryland                  | code. It was hard to write, it should
BSD/OS and Windows NT Development    | be hard to understand.

From firewalls-owner Tue Apr 18 13:06:32 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA02941 for firewalls-outgoing; Tue, 18 Apr 1995 09:57:30 -0700
Received: from netcom7.netcom.com (netcom7.netcom.com [192.100.81.115]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id JAA02936 for ; Tue, 18 Apr 1995 09:57:28 -0700
Received: by netcom7.netcom.com (8.6.12/Netcom) id JAA17506; Tue, 18 Apr 1995 09:57:09 -0700
Date: Tue, 18 Apr 1995 09:57:09 -0700 (PDT)
From: Michael Nelson
X-Sender: mikenel@netcom7
To: Scott Barman
cc: firewalls@greatcircle.com
Subject: Re: Internet Security/Firewalls and Windoze/NT
In-Reply-To: <9504172036.AA17089@ Disclosure.COM>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 17 Apr 1995, Scott Barman wrote:

> Unfortunately, one of the systems I have to support is a Windoze/NT
> (allegedly) Advanced Server system (no, I am not an NT or M$ fan and you
> can flame me in private email, if you dare). This box has to be
> accessible to the net along side a Sun box.
>
> 1) Has anyone done this?
> 2) What are the internet security concerns when it comes to NT?
> 3) They (I take no responsibility for this decision) want this thing
>    set up on the "friendly" side of the firewall (friendly in that I
>    haven't kicked it in its side, yet! :-). What are the issues in
>    setting up a firewall in front of an NT box?

1. Don't use the FTP server unless you really have to. It is kind of
   tricky to make it completely secure.

2. Block 137/udp and 139/tcp -- these are the NetBIOS IP ports (file
   sharing, printer sharing, etc...).

These are two I can think of off the top of my head. . .

-- Mike

--
Michael Nelson (mikenel@netcom.com)  | Real programmers don't comment their
Rockville, Maryland                  | code. It was hard to write, it should
BSD/OS and Windows NT Development    | be hard to understand.

From firewalls-owner Tue Apr 18 13:14:12 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id JAA02697 for firewalls-outgoing; Tue, 18 Apr 1995 09:50:03 -0700
Received: from lccma.bos.locus.com (lccma.bos.locus.com [192.80.81.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id JAA02681 for ; Tue, 18 Apr 1995 09:49:58 -0700
Received: from orchard.la.locus.com by lccma.bos.locus.com with SMTP (PP) id <10528-0@lccma.bos.locus.com>; Tue, 18 Apr 1995 12:49:47 +0000
Received: by orchard.la.locus.com (5.61-AIX-1.2/1.0) from traveller.la.locus.com with SMTP id AA147339 (for bobk@manzanita.dev.3com.com, from kamran/kamran@orchard.la.locus.com); Tue, 18 Apr 95 09:49:11 -0700
Received: from sheytoon.la.locus.com by troy.la.locus.com (AIX 3.2/UCB 5.64/4.03) id AA61909; Tue, 18 Apr 1995 09:52:34 -0700
Date: Tue, 18 Apr 1995 09:52:34 -0700
Message-Id: <9504181652.AA61909@troy.la.locus.com>
X-Sender: kamran@troy.la.locus.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: bobk@manzanita.dev.3com.com (Bob Konigsberg), maillet@bashful.usmcs.maine.edu
From: kamran@locus.com (Kamran Pechrak)
Subject: Re: Need 3Com NetBuilder II experiences
Cc: firewalls@greatcircle.com
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If you have a copy online or can make one available, it would be very helpful.

-kamran

At 04:42 PM 4/17/95 PDT, Bob Konigsberg wrote:
>Ed,
>
>At the risk of tooting our own horn, I administer the most of the firewalls
>here at 3Com, and have built our firewalls with NetBuilder II's.
>
>If you want general advice, get a copy of the April 1995 issue of 3Tech mag
>(Our 3Com technical rag) in which I've written an article on how to build an
>Internet firewall with a NetBuilder II, including a guide to the filter syntax.
>
>If you don't have a copy, let me know and I'll mail you one courtesy of 3Com.
>(Offer good to anyone who actually needs it. I haven't got the time to send
>copies to everyone. I'm a network administrator, not a marketing person.)
>
>If you'd like to, I'll discuss the issue with you off-line as well.
>
>Since this is a response to a query, I hope this doesn't exceed the bounds of
>permissible commercialism on this list. I try to keep a low profile.
>
>BobK
>
>

***************** signature, the following 4 lines ******************
Kamran Pechrak                    Locus Computing Corporation
PMTS/Network Manager              9800 S. La Cienega Blvd.
Email: kamran@locus.com           Inglewood, CA 90301
Phone: (310)337-5044              Fax: (310)670-2980

From firewalls-owner Tue Apr 18 14:44:02 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA09619 for firewalls-outgoing; Tue, 18 Apr 1995 13:39:17 -0700
Received: from inet-gw-2.pa.dec.com (inet-gw-2.pa.dec.com [16.1.0.23]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA09613 for ; Tue, 18 Apr 1995 13:39:14 -0700
Received: from vbv03.vbv.dec.com by inet-gw-2.pa.dec.com (5.65/24Feb95) id AA05459; Tue, 18 Apr 95 13:30:54 -0700
Received: by vbv03.vbv.dec.com (5.65/MS-012594); id AA27268; Tue, 18 Apr 1995 16:30:49 -0400
Message-Id: <9504182030.AA27268@vbv03.vbv.dec.com>
To: firewalls@greatcircle.com
Cc: ddk@beta.lanl.gov (David D Kaas), byrum@vbv.dec.com
Subject: Re: firewalls book??
In-Reply-To: Your message of "Tue, 18 Apr 95 15:27:11 EDT."
Date: Tue, 18 Apr 95 16:30:49 -0400
From: "Frank Byrum"
X-Mts: smtp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Yes... I agree the Cheswick and Bellovin book is great...it is a must...
The other...well...I have read it in an evening...didn't get much out of it...

Frank

From firewalls-owner Tue Apr 18 15:13:48 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA10035 for firewalls-outgoing; Tue, 18 Apr 1995 13:53:16 -0700
Received: from lmux02.ssc.siemens.com (ssc.siemens.com [192.132.51.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA10025 for ; Tue, 18 Apr 1995 13:53:07 -0700
Received: by lmux02.ssc.siemens.com (5.65/Ultrix3.0-C) id AA06659; Tue, 18 Apr 1995 16:54:13 -0400
Date: Tue, 18 Apr 1995 16:54:12 -0400 (EDT)
From: Kent Wiggins
Subject: Re: firewalls book??
To: "Scott M. Dickson"
Cc: firewalls@greatcircle.com
In-Reply-To: <9504181720.AA06765@ontek.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The original post was referring to a different book that was just recently
published. "Internet Firewalls and Network Security" by Siyan and Hare.
Oddly, the authors' names do not appear on the front cover or the spine. It
has a black cover.

"Firewalls and Internet Security" by Cheswick and Bellovin was published
last year. It has a white cover. It has a truly wonderful cartoon on the
front.

To avoid further confusion, I'm going to refer to them by color.

I haven't completed reading either, but my opinion based on what I have
consumed so far, is that the black book is more introductory than the white
book. If you have the black book, you should still get the white book. If
you have the white book and it makes sense to you, you won't need the black
one.

Some specific observations about the black book: One thing it does have is
an extended section on preparing a Policy. And it DOES tell you how to
subscribe to this list (page 381). Appendix C, the Vendor List, is
strangely short and omits key references like TIS, which otherwise is
fairly prominent in Chapter 8, Firewall Implementations. Go figure.

/=======================================================================\
| Kent Wiggins                     | Voice:  (407)942-5148              |
| Principal Systems Programmer     | Fax:    (407)942-6874              |
| Siemens Stromberg-Carlson        | e-mail: okw@ssc.siemens.com        |
| Lake Mary, Florida               |                                    |
\=======================================================================/

On Tue, 18 Apr 1995, Scott M. Dickson wrote:

> Kenneth Smith Wrote:
>
> >I also picked up _Internet Firewalls and Network Security_ recently. It's an
> >adequate book, but certainly nothing to write home about. An example: the two
> >authors list a variety of resources available on the Internet for those
> >interested in firewalls -- and fail to mention this list. One would think
> >they
> >hadn't done their homework very well.
>
> Appendix A (_Useful Free Stuff_), Section A.5 (_Information Sources_) (p. 247)
>
>    A.5.2 The _Firewalls_ Mailing List
>
>    [Information on how to subscribe]
>
> ---------------------------------------
>
> Then again, I looked closely at the title of the book I have in front of me
> and it's called _Firewalls and Internet Security -- Repelling the Wily
> Hacker_. Are we dealing with two different books with confusingly similar
> titles?
>
>
>
>
> Scott Dickson                    Tel:   (714) 768-0301
> ONTEK Corporation                Fax:   (714) 768-0851
> 22941 Mill Creek Dr.             Email: scott@ontek.com
> Laguna Hills, CA 92653 USA
>
>

From firewalls-owner Tue Apr 18 15:39:13 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id NAA09032 for firewalls-outgoing; Tue, 18 Apr 1995 13:18:38 -0700
Received: from plan9.att.com (plan9.att.com [192.20.225.252]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id NAA09027 for ; Tue, 18 Apr 1995 13:18:35 -0700
From: ches@plan9.att.com
Message-Id: <199504182018.NAA09027@miles.greatcircle.com>
To: firewalls@greatcircle.com
Date: Tue, 18 Apr 1995 16:17:22 EDT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>The Cheswick/Bellovin book is "Firewalls and Internet Security".
Very good book >in my opinion. Worth its weight in gold. Thank you for the kind words. A lot has happened to our book. It was even airdropped to the south pole last June. But I admit I have never weighed it. ches From firewalls-owner Tue Apr 18 15:44:42 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA11058 for firewalls-outgoing; Tue, 18 Apr 1995 14:41:37 -0700 Received: from fs.CS.Princeton.EDU (fs.CS.Princeton.EDU [128.112.152.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id OAA11053 for ; Tue, 18 Apr 1995 14:41:34 -0700 Received: from cs (ems@elan.CS.Princeton.EDU [128.112.152.8]) by fs.CS.Princeton.EDU (8.6.10/8.6.9) with SMTP id RAA20622 for ; Tue, 18 Apr 1995 17:41:15 -0400 From: Ed Strong Received: by cs (5.65/CS-Client) id AA27992; Tue, 18 Apr 1995 17:41:14 -0400 Date: Tue, 18 Apr 1995 17:41:14 -0400 Message-Id: <9504182141.AA27992@cs> To: firewalls@greatcircle.com Subject: SLIP past the firewall? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk A group of influential people would like to run SLIP from their homes to machines behind the firewall. I've explained that this reduces network security to the level of the weakest password, however this does not convince. What are the worst forms of abuse that can happen via SLIP run "past" (or around) the firewall? Can I somehow remove from the home machines the capability of further extending the network in uncontrolled fashion? And will enforcing modem callback substantially reduce the risk? 
Thanks in advance Ed Strong

From firewalls-owner Tue Apr 18 15:48:29 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id OAA10596 for firewalls-outgoing; Tue, 18 Apr 1995 14:12:02 -0700 Received: from svcs1.digex.net (svcs1.digex.net [204.91.197.224]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id OAA10590 for ; Tue, 18 Apr 1995 14:11:55 -0700 Received: from paragon-systems.com (sundevil.paragon-systems.com) by svcs1.digex.net with SMTP id AA08126 (5.67b8/IDA-1.5 for ); Tue, 18 Apr 1995 17:11:12 -0400 Received: from sandfiddler.paragon-systems.com by paragon-systems.com (4.1/SMI-4.1) id AA02403; Tue, 18 Apr 95 17:12:57 EDT Received: by sandfiddler.paragon-systems.com (5.x/SMI-SVR4) id AA01192; Tue, 18 Apr 1995 17:11:51 -0400 Date: Tue, 18 Apr 1995 17:11:51 -0400 From: rmck@sandfiddler.paragon-systems.com (Bob McKisson) Message-Id: <9504182111.AA01192@sandfiddler.paragon-systems.com> To: scott@disclosure.com, mikenel@netcom.com Subject: Re: Internet Security/Firewalls and Windoze/NT Cc: firewalls@greatcircle.com X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Unfortunately, one of the systems I have to support is a Windoze/NT > > (allegedly) Advanced Server system (no, I am not an NT or M$ fan and you > > can flame me in private email, if you dare). This box has to be > > accessible to the net along side a Sun box. > > > > 1) Has anyone done this? > > 2) What are the internet security concerns when it comes to NT? > > 3) They (I take no responsibility for this decision) want this thing > > set up on the "friendly" side of the firewall (friendly in that I > > haven't kicked it in its side, yet! :-). What are the issues in > > setting up a firewall in front of an NT box? > > 1. Don't use the FTP server unless you really have to. It is kind of > tricky to make it completely secure. > > 2. 
Block 137/udp and 139/tcp -- these are the NetBIOS IP ports (file > sharing, printer sharing, etc...). > > These are two I can think of off the top of my head. . . You guys also might want to check out the action at Blue Ridge Software. Word has it that they are very close to a C2 ticket from NCSC for their version of TNT (Trusted NT). rmck From firewalls-owner Tue Apr 18 16:13:34 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA12421 for firewalls-outgoing; Tue, 18 Apr 1995 15:43:25 -0700 Received: from [158.152.139.213] (g-circle.demon.co.uk [158.152.139.213]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA12397; Tue, 18 Apr 1995 15:43:03 -0700 X-Sender: (Unverified) Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 18 Apr 1995 23:41:39 +0000 To: scott@ontek.com (Scott M. Dickson), firewalls@greatcircle.com From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: firewalls book?? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 09:31 4/18/95, Scott M. Dickson wrote: >Then again, I looked closely at the title of the book I have in front of me >and it's called _Firewalls and Internet Security -- Repelling the Wily >Hacker_. Are we dealing with two different books with confusingly similar >titles? Yes. 
-Brent ---------------------------------------------------------------------- For info about the Internet Security Firewalls Tutorial and a schedule of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM ---------------------------------------------------------------------- Brent Chapman Great Circle Associates Brent@GreatCircle.COM 1057 West Dana Street +1 415 962 0841 Mountain View, CA 94041

From firewalls-owner Tue Apr 18 16:38:04 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA11845 for firewalls-outgoing; Tue, 18 Apr 1995 15:20:32 -0700 Received: from info-server.bbn.com (INFO-SERVER.BBN.COM [128.89.7.131]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id PAA11839 for ; Tue, 18 Apr 1995 15:20:29 -0700 Received: (daemon@localhost) by info-server.bbn.com (8.6.9/8.6.5) id SAA00293; Tue, 18 Apr 1995 18:18:44 -0400 Received: from USENET by info-server.bbn.com with netnews for usenet@greatcircle.com (firewalls@greatcircle.com); contact usenet@info-server.bbn.com if you have questions. To: firewalls@greatcircle.com Date: 18 Apr 1995 22:18:42 GMT Message-ID: <3n1ds2$93@info-server.bbn.com> Organization: BBN Systems & Technologies From: hootowl.bbn.com!ltaylor@bbn.com References: , <199504071804.LAA18625@iss.net>.com Reply-To: ltaylor@hootowl.bbn.com Subject: Re: SATAN ATTACKS EVERYWHERE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Correct me if I am misperceiving things, but it seems to me that you keep using criticisms of SATAN to advertise ISS. I have noticed this in multiple postings that you have posted. I'm sure that SATAN is not without flaws, and I'm also sure that ISS is probably useful, however, I for one think your methods of advertising ISS are somewhat twisted. If you want to do a critique on SATAN, fine. If you want to advertise ISS, fine. However, using criticism of SATAN to advertise ISS is a bit lame. 
If you presented your marketing of ISS in a more benign way, I might be inclined to actually try running it here. However, the way you market ISS basically comes off as: SATAN sucks, ISS is better, and Christopher Klaus is jealous of all the attention that SATAN has gotten that ISS hasn't gotten. Such marketing basically rubs me the wrong way, and therefore, I am not inclined to try using ISS. /laura --------------------------------------------------------------- BBN Systems & Technologies | Laura Taylor 10 Moulton Street | Sr. Systems Administrator Cambridge, Ma. 02138 | ltaylor@bbn.com U.S.A | FAX (617) 873-5137 | (617) 873-4292 --------------------------------------------------------------- > For some reason, I really can't see tons of hackers using SATAN for several > reasons: [...reasons deleted...] > Hey, I am glad that SATAN really isn't the ideal hacker tool, but I wanted > to point out (contrary to News Media) that SATAN is not the tool that > will shut down the Internet. > > On a side note, I have released ISS 1.3 which is available on ftp.iss.net > /pub/iss/iss13.tar.gz which includes many more checks than what SATAN > has specified. Also, it doesn't require installing any other outside packages, > is in C, and doesn't require large amounts of ram nor disk space. 
From firewalls-owner Tue Apr 18 16:44:35 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id QAA13865 for firewalls-outgoing; Tue, 18 Apr 1995 16:32:48 -0700 Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id QAA13860 for ; Tue, 18 Apr 1995 16:32:45 -0700 Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.29.1 #1) id m0s1Mhq-0000L5C; Tue, 18 Apr 95 16:29 PDT Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA00787; Tue, 18 Apr 1995 16:32:12 +0800 Date: Tue, 18 Apr 1995 16:32:12 +0800 From: patrick@oes.amdahl.com (Patrick Horgan) Message-Id: <9504182332.AA00787@brittany.oes.amdahl.com> To: firewalls@greatcircle.com, ems@CS.Princeton.EDU Subject: Re: SLIP past the firewall? X-Sun-Charset: US-ASCII content-length: 1688 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > What are the worst forms of abuse that can happen via SLIP run "past" (or > around) the firewall? Can I somehow remove from the home machines the > capability of further extending the network in uncontrolled fashion? And > will enforcing modem callback substantially reduce the risk? The only thing that would make them any less safe than your other machines is if they could dial out to two places at once and their machine would act like a router. There is an additional problem in that if they're a unix-like machine that can run daemons, and they got broken into via another net they were slipped into, the bad guy (TM) could have left something running that will then try to connect out through your firewall once they get on your network. I know it sounds far-fetched, but if it can be done, and someone's motivated... In real terms I don't think this is a problem unless you're a site that won't let people download and run things unless it's source and it's all inspected. If that's the case this gives you a higher level of risk, otherwise not. 
Patrick _______________________________________________________________________ / These opinions are mine, and not Amdahl's (except by coincidence;). \ | (\ | | Patrick J. Horgan Amdahl Corporation \\ Have | | patrick@amdahl.com 1250 East Arques Avenue \\ _ Sword | | Phone : (408)992-2779 P.O. Box 3470 M/S 316 \\/ Will | | FAX : (408)773-0833 Sunnyvale, CA 94088-3470 _/\\ Travel | \___________________________O16-2294________________________\)__________/

From firewalls-owner Tue Apr 18 17:00:21 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id PAA11877 for firewalls-outgoing; Tue, 18 Apr 1995 15:22:34 -0700 Received: from MIZZOU1.missouri.edu (mizzou1.missouri.edu [128.206.5.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id PAA11872 for ; Tue, 18 Apr 1995 15:22:30 -0700 Message-Id: <199504182222.PAA11872@miles.greatcircle.com> Received: from MIZZOU1 by MIZZOU1.missouri.edu (IBM VM SMTP V2R3) with BSMTP id 7001; Tue, 18 Apr 95 17:21:46 CDT Received: from MIZZOU1 (UC625483) by MIZZOU1 (Mailer R2.10 ptf000) with BSMTP id 6390; Tue, 18 Apr 95 17:21:45 CDT Date: Tue, 18 Apr 95 17:00:37 CDT From: NAVEEN GUPTA Subject: Secure Telnet without firewalls? Help! To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello! I am a student at this univ. and was working on providing secure telnet without firewalls. I need some tips from all you experts in this discussion group. I have been reading all the postings and appreciate the subject matter. What are the options available to provide secure telnet without firewalls? I intend to secure the password and the login id only (not the whole session). Would you suggest something more economical than firewalls to achieve this goal? For now firewalls have been eliminated as a possibility because of administrative, economical and ip-spoof prone reasons. But if it's the best option, I will have to justify its use in a university scenario. 
Other options under consideration are:
One time passwords? (Difficult to manage. Students will have to carry hand held authenticators and they will lose it just like their student id.)
DES encryption (Replaying of the password can be done by the hacker. Keys have to be shared and key distribution is a problem.)
Public-Key encryption. How to implement it? Using Smartcards?
I have been reading about all these things, but still cannot catch the right string. Maybe the seniors can lead the rookie. Thanks. Naveen Gupta c625483@mizzou1.missouri.edu QUIT

From firewalls-owner Tue Apr 18 17:13:32 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA14577 for firewalls-outgoing; Tue, 18 Apr 1995 17:01:38 -0700 Received: from gatekeeper.nytimes.com (gatekeeper.nytimes.com [199.181.175.201]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA14572 for ; Tue, 18 Apr 1995 17:01:35 -0700 Received: from mailgate.nytimes.com by gatekeeper.nytimes.com; (5.65/1.1.8.2/30Mar95-0352PM) id AA10411; Tue, 18 Apr 1995 20:02:06 -0400 Received: from [191.254.22.8] by mailgate.nytimes.com; (5.65/1.1.8.2/25Jul94-1134AM) id AA20241; Tue, 18 Apr 1995 20:01:46 -0400 Date: Tue, 18 Apr 1995 20:01:46 -0400 Message-Id: <9504190001.AA20241@mailgate.nytimes.com> X-Sender: jon@mailgate.nytimes.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: jon@nytimes.com (Jon E. Price) Subject: holes in firewall Cc: dgbrown@nytimes.com, gordy@nytimes.com X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk If holes were made in a firewall by allowing data thru a few ports so that certain services could run thru the firewall, how would this compromise security? Jon --------------------------------------------------------------- "Beware of bargains in bypass surgery, bungee jumping, and quality printing" Jon E. 
Price Systems Analyst Publishing Systems The New York Times --------------------------------------------------------------- From firewalls-owner Tue Apr 18 17:43:40 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA14556 for firewalls-outgoing; Tue, 18 Apr 1995 17:00:48 -0700 Received: from gatekeeper.nytimes.com (gatekeeper.nytimes.com [199.181.175.201]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA14543 for ; Tue, 18 Apr 1995 17:00:44 -0700 Received: from mailgate.nytimes.com by gatekeeper.nytimes.com; (5.65/1.1.8.2/30Mar95-0352PM) id AA11332; Tue, 18 Apr 1995 20:01:15 -0400 Received: from [191.254.22.8] by mailgate.nytimes.com; (5.65/1.1.8.2/25Jul94-1134AM) id AA20174; Tue, 18 Apr 1995 20:00:55 -0400 Date: Tue, 18 Apr 1995 20:00:55 -0400 Message-Id: <9504190000.AA20174@mailgate.nytimes.com> X-Sender: jon@mailgate.nytimes.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: jon@nytimes.com (Jon E. Price) Subject: Xylogics dial-up Cc: dgbrown@nytimes.com, gordy@nytimes.com X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk What's the disadvantage in putting the xylogics inside the firewall? Jon --------------------------------------- David Flinn wrote: >From: david@wsi1.wsi.com (David Flinn) >Date: Fri, 14 Apr 1995 14:37:21 -0400 >..... >question (1) : Can a Sun (or any Unix box) with two ethernet interfaces > be made to bridge IPX/SPX packets? > > If no, I guess we have to put the xylogics on the > inside of the firewall. Bummer. >...... --------------------------------------------------------------- "Beware of bargains in bypass surgery, bungee jumping, and quality printing" Jon E. 
Price Systems Analyst Publishing Systems The New York Times ---------------------------------------------------------------

From firewalls-owner Tue Apr 18 18:13:53 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id RAA16138 for firewalls-outgoing; Tue, 18 Apr 1995 17:48:46 -0700 Received: from research.att.com (research.att.com [192.20.225.3]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id RAA16129 for ; Tue, 18 Apr 1995 17:48:43 -0700 From: smb@research.att.com Message-Id: <199504190048.RAA16129@miles.greatcircle.com> Received: by gryphon; Tue Apr 18 20:46:54 EDT 1995 To: jon@nytimes.com (Jon E. Price) cc: firewalls@greatcircle.com, dgbrown@nytimes.com, gordy@nytimes.com Subject: Re: holes in firewall Date: Tue, 18 Apr 95 20:46:53 EDT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk If holes were made in a firewall by allowing data thru a few ports so that certain services could run thru the firewall, how would this compromise security? Yes. Let me be a bit more precise, if less helpful. It depends. There's no one answer; it all depends on which ports, which services, whether or not you can trust them, and whether or not you have to open other holes as well to let those services run. 
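Bellovin's "it depends" is as far as the thread takes the question. As an added illustration (example code written for this page, not anything posted to the list), the toy first-match packet filter below models one way the first hole forces a second: letting inside clients use active-mode FTP means admitting new inbound TCP connections to high ports, because the FTP server opens the data connection itself from port 20, and the same rule then admits connections to anything else listening on a high port, such as an X11 server. The addresses, hosts and rule semantics (an ordered access list with default deny and an ACK-set check standing in for "established") are assumptions made for the example.

```python
"""Toy first-match packet filter: shows how a rule added to let one service
through (active-mode FTP data connections) also opens unrelated inside ports.
Added example, not from the mailing-list thread; all addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    new_conn: bool = True  # TCP: SYN set, ACK clear (opening a connection)


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: Tuple[int, int] = (0, 65535)
    established_only: bool = False  # require ACK set, i.e. not a new connection

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("any", p.proto):
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if not (self.dports[0] <= p.dport <= self.dports[1]):
            return False
        if self.established_only and p.new_conn:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> str:
    """Router-style access list: first matching rule wins, default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


INSIDE = "10.1.0.0/16"      # constructed inside network
MAILHOST = "10.1.0.25/32"   # constructed inside mail host

# Inbound rules on the outside interface. Hole #1: SMTP to the mail host.
# Replies to inside-originated connections are admitted only if ACK is set.
NARROW: List[Rule] = [
    Rule("permit", "tcp", dst=MAILHOST, dports=(25, 25)),
    Rule("permit", "tcp", dst=INSIDE, dports=(1024, 65535), established_only=True),
]

# Hole #2: active-mode FTP for inside clients. The server opens the data
# connection itself, from port 20 to a high port on the client, so it arrives
# as a NEW inbound connection and the established_only rule never matches it.
# The "fix" that makes FTP work drops that check for every high port.
WIDE: List[Rule] = NARROW + [
    Rule("permit", "tcp", dst=INSIDE, dports=(1024, 65535)),
]

SAMPLES: Dict[str, Packet] = {  # constructed inbound packets
    "smtp_to_mailhost": Packet("tcp", "192.0.2.9", 40001, "10.1.0.25", 25),
    "telnet_to_workstation": Packet("tcp", "192.0.2.9", 40002, "10.1.0.7", 23),
    "ftp_data_to_client": Packet("tcp", "192.0.2.9", 20, "10.1.0.7", 5001),
    "x11_to_workstation": Packet("tcp", "192.0.2.9", 31337, "10.1.0.7", 6000),
    "reply_to_inside_client": Packet("tcp", "192.0.2.9", 80, "10.1.0.7", 40000, new_conn=False),
}


def compare() -> Dict[str, Tuple[str, str]]:
    """Verdict of each sample packet under the NARROW and WIDE rule sets."""
    return {name: (evaluate(NARROW, p), evaluate(WIDE, p)) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (narrow, wide) in compare().items():
        print(f"{name:24s} narrow={narrow:6s} wide={wide}")
```

Run as a script it prints one line per sample packet; the two FTP-related samples are the point: the data connection the FTP rule was added for and the X11 connection nobody asked for get the same verdict under the wide rule set, which is exactly the "other holes" Bellovin refers to.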
From firewalls-owner Tue Apr 18 18:43:27 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id SAA17459 for firewalls-outgoing; Tue, 18 Apr 1995 18:23:34 -0700 Received: from warrane.connect.com.au (warrane.connect.com.au [192.189.54.33]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id SAA17448 for ; Tue, 18 Apr 1995 18:23:22 -0700 Received: (from uucp@localhost) by warrane.connect.com.au with UUCP id LAA01393 (8.6.11/IDA-1.6); Wed, 19 Apr 1995 11:22:43 +1000 Received: from hercules.iassf.easams.com.au (hercules) by dc3.easams.com.au with SMTP id AA07368 (5.67a/IDA-1.5); Wed, 19 Apr 1995 10:51:38 +1000 Received: by hercules.iassf.easams.com.au id AA18453 (5.67a/IDA-1.5); Wed, 19 Apr 1995 10:49:51 +1000 Received: from Messages.8.5.N.CUILIB.3.45.SNAP.NOT.LINKED.hercules.iassf.HP9000.755 via MS.5.6.hercules.iassf.hp700; Wed, 19 Apr 1995 10:49:50 +1000 (EST) Message-Id: <0jZ5sj3_3gX91ODX40@iassf.easams.com.au> Date: Wed, 19 Apr 1995 10:49:51 +1000 (EST) From: David MILLER To: firewalls@greatcircle.com Subject: Re: SLIP past the firewall? Cc: Ed Strong In-Reply-To: <9504182141.AA27992@cs> References: <9504182141.AA27992@cs> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I've been setting up a system just like what Ed has been asked to do. The only thing is, we don't have an IP link to the Internet, we just use UUCP at the moment. Thinking about it the biggest hassles (that I can see) are:
Crackers getting in via your modems.
Users with multiple connections from their home computers (home networks, bbs). If they allow IP forwarding and routing other non-friendlies may get in.
Other people using authorised people's PCs or whatever.
A number of my users actually use Linux PCs so it would be quite easy for them to have multiple links up. I have setup a firewallish machine to enable the slip links. At the moment it allows IP Forwarding for convenience :-(. It does have filters on what packets are allowed through. 
Direct access is only allowed to a couple of internal systems. Everything is logged. I use dial-back modems to ensure (?!) that only authorised users' systems can get at a login. The modem waits long enough for the telco to disconnect before dialling back. I then use skey to force one time passwords. I don't want people hardcoding passwords into dial-up scripts so that someone else can just hit a button and get on. This has drawbacks - the password lists are insecure. I managed to do this rather cheaply with a PC. It's not perfect, but I have a fair amount of control over what can be done. I also have agreements with the users that they will avoid having two connections active simultaneously etc. But just in case ... Mind you a number of users think I'm being overly security conscious :-). Excerpts from firewalls: 18-Apr-95 SLIP past the firewall? Ed Strong@CS.Princeton.E (534) A group of influential people would like to run SLIP from their homes to machines behind the firewall. I've explained that this reduces network security to the level of the weakest password, however this does not convince. What are the worst forms of abuse that can happen via SLIP run "past" (or around) the firewall? Can I somehow remove from the home machines the capability of further extending the network in uncontrolled fashion? And will enforcing modem callback substantially reduce the risk? 
David Miller, Unix System Administrator Easams Australia Direct +61-2-367 4572 Fax +61-2-367 4566 Unit 5, 2 Giffnock Ave, North Ryde, NSW 2113

From firewalls-owner Tue Apr 18 21:43:33 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id VAA21118 for firewalls-outgoing; Tue, 18 Apr 1995 21:16:05 -0700 Received: from gw2.att.com (gw1.att.com [192.20.239.133]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id VAA21113 for ; Tue, 18 Apr 1995 21:16:02 -0700 From: cmcurtin@clipper.cb.att.com Received: from clipper.cb.att.com by ig1.att.att.com id AA12475; Wed, 19 Apr 95 00:16:28 EDT Received: by clipper.cb.att.com (4.1/EMS-1.1 SunOS) id AA27287; Wed, 19 Apr 95 00:22:23 EDT Received: by clipper.cb.att.com (4.1/EMS-1.1 SunOS) id AA27283; Wed, 19 Apr 95 00:22:22 EDT Date: Wed, 19 Apr 95 00:22:22 EDT Message-Id: <9504190422.AA27283@clipper.cb.att.com> To: firewalls@greatcircle.com, ems@CS.Princeton.EDU Subject: Re: SLIP past the firewall? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > What are the worst forms of abuse that can happen via SLIP run "past" (or > around) the firewall? Can I somehow remove from the home machines the > capability of further extending the network in uncontrolled fashion? And > will enforcing modem callback substantially reduce the risk? The biggest problem with this, IMHO, is that you're opening up the possibility for someone to circumvent your firewall by doing something to one of your user's home machine - which would be possible if they have connectivity beyond your network. For example, my home machine is a Sun, so it'd be very easy for me to allow dialup access to my system. One of my modems is connected to work, and I'm therefore behind the firewall. 
If some ]; Tue, 18 Apr 1995 23:17:41 -0700 From: patrick@calon.com Message-Id: <199504190617.XAA21843@miles.greatcircle.com> Received: from calon.com by calon.calon.com; Tue, 18 Apr 95 23:19 PDT Date: Tue, 18 Apr 95 23:19 PDT Subject: Re: SLIP past the firewall? To: firewalls@greatcircle.com Cc: dpm@iassf.easams.com.au Content-Length: 1339 Content-Type: text X-Mailer: AIR Mail 3.X (SPRY, Inc.) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk David, you have company. As a newcomer to this forum I have really become aware of just how insecure networks can be for the unprepared (like myself). I thought I had the bases covered, but find my plan is most insecure. I just read your piece on SLIP past a firewall and must admit I thought of doing the same thing... i.e. I am running a Novell 4.1 network that I have Netware Connect hooked up to, to allow people from home to dial up the network. I just got a dedicated internet line into the building with a dedicated internet server, and have a UNIX firewall on the way (why I'm keenly interested in these discussions). I had planned to have my field folks call the Netware Connect modem pool to get to a Netware server (for mail and document passing), then route the connection to my internet server 'behind the wall' and out to the net if necessary. From what I have read so far, I think this may be a bad approach. It sounds like someone with a good idea could help the both of us out - we seem to be in a similar boat (mine may be a bit easier - my users don't even know what concurrent sessions (or UNIX) are for that matter). If you do run across any suggestions routed not through this forum, please let me know - I will be glad to do the same. 
Thanks for any and all suggestions, Patrick

From firewalls-owner Wed Apr 19 00:16:47 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id XAA22217 for firewalls-outgoing; Tue, 18 Apr 1995 23:54:45 -0700 Received: from Spectrum.RNS.COM (SPECTRUM.RNS.COM [131.143.16.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id XAA22210 for ; Tue, 18 Apr 1995 23:54:42 -0700 Received: by Spectrum.RNS.COM (4.1/SMI-4.1(Spectrum)) id AA00584; Tue, 18 Apr 95 23:48:08 PDT Date: Tue, 18 Apr 95 23:48:08 PDT From: lars@RNS.COM (Lars Poulsen) Message-Id: <9504190648.AA00584@Spectrum.RNS.COM> To: cmcurtin@clipper.cb.att.com Subject: Re: SLIP past the firewall? Newsgroups: list.firewalls In-Reply-To: <9504190422.AA27283@clipper.cb.att.com> Organization: Rockwell International - CMC Network Products Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In article <9504190422.AA27283@clipper.cb.att.com> you write: > If some ]my home machine, he's got a prompt on a machine behind my company's firewall. Or, if some cracker figures out which number my home machine is calling, he is now at a public dial-in point behind the firewall. In my security model, there are two firewalls, with a lobby area in between. Dial-in points - like public servers - go in the lobby area.

INTERNET ACCESS PROVIDER
  - access link -
LOCAL ACCESS ROUTER with packet filter
LOBBY AREA includes public access servers, pc DNS and mail router
ISOLATION ROUTER
Inside network

In my environment, we don't feel that the benefits of a proxy gateway on the inside firewall are worth the trouble; we can live with a packet filtering router. Thus, it is no trouble to punch a hole in the inner "firewall" for the work-at-home dial-ins. I would worry a lot about putting the access point for those dial-ins inside the inner firewall. 
-- / Lars Poulsen Internet E-mail: lars@RNS.COM Rockwell Network Systems Phone: +1-805-562-3158 7402 Hollister Avenue Telefax: +1-805-968-8256 Santa Barbara, CA 93105 Internets: designed and built while you wait From firewalls-owner Wed Apr 19 01:13:43 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id AAA23673 for firewalls-outgoing; Wed, 19 Apr 1995 00:55:33 -0700 Received: from bos1c.delphi.com (bos1c.delphi.com [192.80.63.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id AAA23668; Wed, 19 Apr 1995 00:55:30 -0700 Received: from delphi.com by delphi.com (PMDF V4.3-9 #7804) id <01HPICFUJ18G99G3O9@delphi.com>; Wed, 19 Apr 1995 03:55:24 -0500 (EST) Date: Wed, 19 Apr 1995 03:55:24 -0500 (EST) From: Network Security Observations Subject: New Book To: firewalls@GreatCircle.com, firewalls-digest@GreatCircle.com Message-id: <01HPICFUJAVM99G3O9@delphi.com> X-VMS-To: INTERNET"firewalls@GreatCircle.com" X-VMS-Cc: INTERNET"firewalls-digest@GreatCircle.com" ,NSO MIME-version: 1.0 Content-type: TEXT/PLAIN; CHARSET=US-ASCII Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From *Internet Security* International Research Journal on Security Safety and Protection of Datacommunications on the Internet ------ New book release ------ For all of you interested in new book releases of relevance and importance to the subscribers of this list. Title: Network Security, Private Communication in a Public World Authors: Charlie Kaufman, Radia Perlman, Mike Speciner Released: April 1995 Cover: Hardcover Available: now Publisher: Prentice Hall Series: Computer Networking and Distributed Systems ISBN: 0-13-061466-1 Pages: 504 (exact) Chapters: 17/biblio/glossary/index Parts: 3 Cryptography - Authentication - Electronic Mail Price: $ 46 The introduction chapter deals with issues as Primer on Networking, Tempest, Firewalls/Security Gateways, Key Escrow, Viruses, Worms. 
Trojans, the Military model of security, and some legal issues. The Firewalls/Security Gateways chapter deals with packet filters, encrypted tunnels, and goes into application level gateway. A sizeable chunk of the book is devoted to cryptography with sub-chapters on breaking, secret key crypto, public key crypto and hash algorithms. A good overview of DES with some new ways of approaching double encryption and triple encryption with the same and with different keys. Hashes and message digests are covered with subs on MD2/MD4 and MD5, and some notes on SHS Padding. The public key algorithms are described in chapter 5. RSA, DH, DSS fly by - (a bit too fast for such important topics, but that's a matter of taste). Surprisingly this book is one of the few that stores correctly Zero Knowledge Proof Systems under Public Key Algorithms. A chapter on Number Theory finalizes the first part. The authentication part starts with Systems, logically deals with Authentication of People, and describes Security Handshake Pitfalls. Kerberos V4 and V5 are discussed in depth. Good chapters are Evading Password Guessing Attacks and Double TGT Authentication, among the many. Electronic Mail Security is covered extensively. PEM (Privacy Enhanced Mail) and PGP are placed well on the map, though the latter deserves more technical description. A chapter on X400 and the security functions possible is a nice touch. A comparison of PEM, PGP and X400 is offered that is useful for those in doubt. A leftover chapter features NetWare, KryptoKnight, SNMP, DASS/SPX, Lotus Notes, DCE and Microsoft LAN manager. Some thoughts about the Clipper chip conclude the chapter. Critique: Words as canonicalization (in relation to PEM) are not in my version of Webster, and might appear somewhat off track for the serious reader. The Firewalls chapter should in a next edition be more up to date. Overall evaluation: A good book, modestly priced, a lot of information for the dollar. 
Not for the casual reader, really. But if one feels comfortable with the issues, one appreciates the authors' efforts to put it all to paper. If you're in network security, you'll likely want to have it in your room, instead of in the library. -------------- Bertil Fortrie *Internet Security* ---------------------------------------------------------------- [ if you would like to receive a free of charge trial copy of our monthly journal, and you haven't requested one, yet, please send your name and surface address information to nso@delphi.com or the address below. We'd be happy to accommodate you. ] | Internet Security | Monthly International Research Journal on | Datacommunications and Network Security | Suite 400, 1825 I Street NW, Washington DC 20006 | United States | Telephone +1 202 775 4947 - Fax +1 202 429 9574 | Internet: nso@delphi.com ----------------------X---------------------- From firewalls-owner Wed Apr 19 02:19:25 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id BAA25197 for firewalls-outgoing; Wed, 19 Apr 1995 01:50:50 -0700 Received: from gateway.toploguk.co.uk (gateway.toploguk.co.uk [193.119.169.250]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id BAA25178 for ; Wed, 19 Apr 1995 01:50:18 -0700 From: Paul Crossley To: UC625483@MIZZOU1.missouri.edu, firewalls@greatcircle.com Subject: Secure Telnet without firewalls? Help! X-Mailer: ScoMail 1.0 Date: Wed, 19 Apr 1995 9:32:46 +0100 (BST) Message-ID: <9504190932.aa21026@gateway.toploguk.co.uk> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > What are the options available to provide secure telnet without firewalls? > I intend to secure the password and the login id only(not the whole session). > Would you suggest something more economical than firewalls to achieve this > goal? For now firewalls have been eliminated as a possibility because of > administrative, economical and ip-spoof prone reasons. 
But if it's the best > option, I will have to justify it's use in a university scenario. At the very least install a tcp wrapper - it will allow at least basic filtering and logging. - Paul ------------------------------------------------------------------------- Paul Crossley (paul@toploguk.co.uk) Senior Consultant SCO ACE TopLog Limited TopLog House, Knaves Beech Business Centre, Loudwater, Bucks. HP10 9QY Phone (01628) 819444 Fax (01628) 819356 ------------------------------------------------------------------------- From firewalls-owner Wed Apr 19 04:17:22 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA26737 for firewalls-outgoing; Wed, 19 Apr 1995 04:04:11 -0700 Received: from pegase.total.fr (pegase.total.fr [146.249.41.223]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id EAA26725 for ; Wed, 19 Apr 1995 04:04:01 -0700 Received: from tidtest.total.fr by pegase.total.fr with SMTP (16.6/16.2) id AA16971; Wed, 19 Apr 95 12:20:50 +0200 Received: by tidtest.total.fr (4.1/SMI-4.1) id AA14068; Wed, 19 Apr 95 12:26:27 +0100 From: lavondes@tidtest.total.fr (Michel Lavondes) Message-Id: <9504191126.AA14068@tidtest.total.fr> Subject: Re: C & B 'Choke' Router config To: cwerner@hsdemo.merit.edu (Chris Werner) Date: Wed, 19 Apr 95 12:26:26 BST Cc: firewalls@greatcircle.com (fw) Reply-To: lavondes@tidtest.total.fr In-Reply-To: <199504181830.OAA09639@hostserver.merit.edu>; from "Chris Werner" at Apr 18, 95 2:30 pm X-Mailer: ELM [version 2.3 PL11] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Chris Werner wrote : > > Q: > A can ping B and X but not Y > Y can ping X and B but not A > > *If* I enable ip proxy-arp A can ping Y and Y can ping A. :-) > Check subnet masks on A and Y. The fact that proxy ARP is needed probably means that either or both doesn't recognize the other as being behind the router. You may also want to do a debug ip- on your cisco. 
HTH
--
Michel Lavondes           |It's is not, it isn't ain't, and it's it's, not its,
lavondes@tidtest.total.fr |if you mean it is. If you don't, it's its. Then too,
Phone : +33-1-4135-4198   |it's hers. It isn't her's. It isn't our's, either.
#include                  |It's ours, and likewise yours and theirs.

From firewalls-owner Wed Apr 19 04:43:33 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id EAA26821 for firewalls-outgoing; Wed, 19 Apr 1995 04:19:05 -0700
Received: from clark.net (clark.net [168.143.0.7]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id EAA26816 for ; Wed, 19 Apr 1995 04:19:01 -0700
Received: (hcb@localhost) by clark.net (8.6.12/8.6.5) id HAA12345; Wed, 19 Apr 1995 07:18:57 -0400
From: Howard Berkowitz
Message-Id: <199504191118.HAA12345@clark.net>
Subject: Re: SLIP past the firewall?
To: lars@RNS.COM (Lars Poulsen)
Date: Wed, 19 Apr 1995 07:18:57 -0400 (EDT)
Cc: cmcurtin@clipper.cb.att.com, firewalls@GreatCircle.COM
In-Reply-To: <9504190648.AA00584@Spectrum.RNS.COM> from "Lars Poulsen" at Apr 18, 95 11:48:08 pm
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Content-Length: 892
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Lars Poulsen wrote,

> In my security model, there are two firewalls, with a lobby area in between.
> Dial-in points - like public servers - go in the lobby area.
                                                   ^^^^^^^^^^

Perhaps the term "lobby" has been used elsewhere, but I usually see this function described as "DMZ." I like "lobby" very much, because we have, in international work, run into cultural sensitivities about the term DMZ. People that have dealt with DMZ's on real territories have complained about it as an unpleasantly warlike, or politically incorrect, term.

Non-US readers of firewalls, does "lobby" have any negative connotations that might not be obvious in the States?
If not, I at least am grateful to Lars for bringing my attention to a term that might help some users focus on security technologies/requirements rather than security politics.

Howard

From firewalls-owner Wed Apr 19 05:13:44 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA27616 for firewalls-outgoing; Wed, 19 Apr 1995 05:12:40 -0700
Received: from postman.osf.org (postman.osf.org [130.105.1.152]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id FAA27607 for ; Wed, 19 Apr 1995 05:12:37 -0700
Received: from coltsfoot.osf.org (coltsfoot.osf.org [130.105.3.72]) by postman.osf.org (8.6.9/8.6.x) with SMTP id IAA09333 for ; Wed, 19 Apr 1995 08:12:39 -0400
Message-Id: <199504191212.IAA09333@postman.osf.org>
To: Firewalls@GreatCircle.COM
Subject: Re: SLIP past the firewall?
In-reply-to: Message from firewalls-digest-owner@GreatCircle.COM <199504190800.BAA23784@miles.greatcircle.com> .
X-Face: a;}E)>U4sE9,,b@uM+#q\=,S)_go^*pb@M['
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The last time I was stuck with the SLIP endpoint "outside" the firewall, I just started to tunnel the SLIP traffic over a telnet connection.

John

From firewalls-owner Wed Apr 19 06:13:55 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA28292 for firewalls-outgoing; Wed, 19 Apr 1995 05:46:09 -0700
Received: from BILBO.CCLA.LIB.FL.US (BILBO.CCLA.LIB.FL.US [198.78.22.24]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA28287 for ; Wed, 19 Apr 1995 05:46:06 -0700
From: JOHN@lincc.ccla.lib.fl.us
Date: Wed, 19 Apr 1995 8:46:28 -0400 (EDT)
To: firewalls@greatcircle.com
Message-Id: <950419084628.60414035@lincc.ccla.lib.fl.us>
Subject: Self activating E-mail viruses? ie, please tell me where to go :)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Being new to the internet I am not sure where to send this and apologize in advance for the off-subject intrusion.
Our management received an FCC (yes FCC) advisory/warning that a terrible self activating "Good Times" E-mail virus is on the loose, ravaging unsuspecting E-mail readers' hard drives and damaging their CPUs by putting them in a loop. (sigh) They are in a panic. (big sigh)

I assured them that other than passing the virus as a Word macro, PostScript file or ASCII hex dump, self activating E-mail viruses do not exist and they are safe reading email in Procomm or ZMail. Now they want confirmation that my assurances are correct. Would somebody more important than me confirm this or point me to somebody else who will. Thank you in advance. (the laughs are my payment for the interruption)

john

From firewalls-owner Wed Apr 19 06:39:14 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA28384 for firewalls-outgoing; Wed, 19 Apr 1995 05:50:26 -0700
Received: from zippy.radian.com (news.radian.com [129.160.16.4]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id FAA28377 for ; Wed, 19 Apr 1995 05:50:23 -0700
Received: from [129.160.224.101] (nbst1001.radian.com [129.160.224.101]) by zippy.radian.com (8.6.5/8.6.5) with SMTP id HAA29653; Wed, 19 Apr 1995 07:50:17 -0500
X-Sender: dalewl@mailhost
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 19 Apr 1995 07:50:20 -0500
To: firewalls@greatcircle.com
From: dalewl@radian.com (Dale Whiteaker-Lewis)
Subject: SLIP, firewalls, Netware 4.1
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A proposed solution to the SLIP past the firewall problem. Does anyone see a problem with setting up a BSD/OS (or Free/NetBSD or Linux) PC-based firewall with TIS toolkit (or Gauntlet) and a multiport serial board to solve this problem? The all-in-one solution would mean that you could place the machine directly on the corporate net while maintaining security at the same level as with one's Internet connection (e.g. one-time passwords, plug-gw's etc.).
As an alternative to patrick@calon.com, couldn't you also use such a SLIP/PPP setup to talk to NETWARE 4.1's NETWARE/IP module? I'm just guessing, and this is something I can't wring out of any knowledgeable Novell type, but I would hope you could use a PPP dial-up to access NETWARE/IP while maintaining some firewallishness.

I would appreciate anyone else's musings on the subject.

From firewalls-owner Wed Apr 19 06:44:33 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id FAA28199 for firewalls-outgoing; Wed, 19 Apr 1995 05:43:01 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id FAA28189 for ; Wed, 19 Apr 1995 05:42:54 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA14046; Wed, 19 Apr 95 08:27:11 -0400
Date: Wed, 19 Apr 95 08:27:11 -0400
Message-Id: <9504191227.AA14046@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Re: SLIP past the firewall?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

David writes:

> Thinking about it the biggest hassles (that I can see) are:
>   Crackers getting in via your modems.
>   Users with multiple connection from their home computers (home
>   networks, bbs). If they allow IP forwarding and routing other
>   non-friendlies may get in.
>   Other people using authorised people's PCs or whatever.

Can be a problem but first you must decide what your level of risk/exposure is and what is the value of the information to an outsider (carjackings got started because automotive security systems made the driver the weakest link protecting a valuable asset).

Personally, I would rather have sensitive information on modem lines since party lines like the Internet are not very common in the telco community today.
With a dialup the level of effort required to tap is considerably higher than with remote telnet. As a result, a modem just needs good authentication while a telnet session requires full encryption to reach a similar level of assurance. Call-back is good. IMNSHO Caller-Id/CNID with one-time-passwords is better since the line is never answered unless from an approved number.

As for users routing sessions, sure it can be done but must be started at the user's site (see "carjacking" above). For the level of information most of our users have, this can be handled procedurally. If the information is that sensitive/valuable, users should not have it accessible remotely *for their own protection*.

Warmly,
Padgett

ps I believe that SLIP/PPP access should be through "that collection of devices that make up the firewall" just like TCP/IP is. Otherwise you do not have a firewall.

From firewalls-owner Wed Apr 19 07:37:16 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id HAA29709 for firewalls-outgoing; Wed, 19 Apr 1995 07:04:21 -0700
Received: from Disclosure.COM (di.disclosure.com [199.97.230.1]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id HAA29703 for ; Wed, 19 Apr 1995 07:04:17 -0700
Received: by Disclosure.COM (4.1/SMI-4.1) id AA26436; Wed, 19 Apr 95 10:06:33 EDT
Date: Wed, 19 Apr 95 10:06:33 EDT
From: scott@Disclosure.COM (Scott Barman)
Message-Id: <9504191406.AA26436@ Disclosure.COM>
To: firewalls@greatcircle.com
Subject: Re: Network Address Translator
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thomas_Pagan@ins.com (Tom Pagan) writes:
>
>>Looking for a network translator package. I want to translate an
>>un-registered class B (internal) to registered class C (which is on the DMZ).
>>
>>A DEC engineer once spoke about a commercial package which would do this,
>>but I've been unable to locate it.
>>
>>Ron Kelley
>>Sharp HealthCare, Inc.
>>San Diego, CA 92123
>>
>>
>I _know_ of a hw/sw product that supposedly deals with unregistered and
>RFC1597 addresses, called Private Internet Exchange from Network Translation.

I saw info on that product, but it is too expensive for some around here. I was wondering if there was a way to do this in software?

scott barman
scott@disclosure.com / barman@ix.netcom.com

From firewalls-owner Wed Apr 19 07:53:09 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA29290 for firewalls-outgoing; Wed, 19 Apr 1995 06:46:43 -0700
Received: from duvi.eskom.co.za (duvi.eskom.co.za [147.110.52.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA29284 for ; Wed, 19 Apr 1995 06:46:31 -0700
Received: from eng1.nptmc.eskom.co.za by duvi.eskom.co.za with smtp (Smail3.1.28.1 #7) id m0s1a5a-0001cPC; Wed, 19 Apr 95 15:46 RSA
Received: from 63PTMC_ENG1/MERCURY by eng1.nptmc.eskom.co.za (Mercury 1.21); 19 Apr 95 15:43:19 +200
Received: from MERCURY by 63PTMC_ENG1 (Mercury 1.21); 19 Apr 95 15:43:04 +200
From: "RG Ferris 871-2157" <0139427@nptmc.eskom.co.za>
Organization: ESKOM National PTM&C
To: firewalls@GreatCircle.com
Date: Wed, 19 Apr 1995 15:42:54 GMT+0200
Subject: ISBN of book
X-Confirm-Reading-To: "RG Ferris 871-2157" <0139427@nptmc.eskom.co.za>
X-pmrqc: 1
Priority: normal
X-mailer: Pegasus Mail/Windows (v1.21)
Message-ID: <8F048E5A2B@eng1.nptmc.eskom.co.za>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am looking for the publisher and ISBN of "Firewalls and Internet Security" by Cheswick and Bellovin so that I can buy it.

Many thanks in advance.

-----------------------------------------------------------
Rod Ferris.
I.T. Systems Specialist.
National PTM&C, ESKOM.
Email: 0139427@nptmc.eskom.co.za.
Education is not a substitute for Intelligence.
-----------------------------------------------------------

From firewalls-owner Wed Apr 19 08:26:19 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id IAA00748 for firewalls-outgoing; Wed, 19 Apr 1995 08:03:26 -0700
Received: from ncar.UCAR.EDU (ncar.ucar.edu [192.52.106.6]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with ESMTP id IAA00743 for ; Wed, 19 Apr 1995 08:03:22 -0700
Message-Id: <199504191503.JAA07494@ncar.ucar.EDU>
Received: by ncar.ucar.EDU (NCAR-local/ NCAR Central Post Office 03/11/93) id JAA07494; Wed, 19 Apr 1995 09:03:17 -0600
Subject: Re: Self activating E-mail viruses? ie, please tell me where to go :)
To: JOHN@lincc.ccla.lib.fl.us
Date: Wed, 19 Apr 95 9:03:14 MDT
Cc: firewalls@GreatCircle.COM
In-Reply-To: <950419084628.60414035@lincc.ccla.lib.fl.us>; from "JOHN@lincc.ccla.lib.fl.us" at Apr 19, 95 8:46 am
From: woods@ncar.ucar.edu (Greg Woods)
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Our management received an FCC (yes FCC) advisory/warning that a terrible self
> activating "Good Times" E-mail virus is on the loose

Oh no, not *AGAIN*. This is getting to be as bad as the Craig Shergold thing. The "Good Times" e-mail virus was shown to be a hoax, and an old one at that (this came out several months ago at least). While it is theoretically possible to send an e-mail message which, when read by users with certain types of terminals or certain mail reading programs, will do nasty things, there has not (to my knowledge) ever been a documented instance of this being done on a netwide basis.
--Greg

From firewalls-owner Wed Apr 19 08:28:54 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-941015-1) id GAA29016 for firewalls-outgoing; Wed, 19 Apr 1995 06:29:16 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-941015-1) with SMTP id GAA29004 for ; Wed, 19 Apr 1995 06:29:07 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA14263; Wed, 19 Apr 95 09:17:08 -0400
Date: Wed, 19 Apr 95 09:17:07 -0400
Message-Id: <9504191317.AA14263@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Re: Slip past the firewall?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Howard writes:

> People that have dealt wi
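Michel Lavondes' advice in the 'Choke' Router thread above (check the subnet masks on A and Y, because needing proxy ARP means one host does not see the other as being behind the router) can be checked mechanically. The following is an added example, not code from the list, from Michel's reply or from any Cisco tool. It models the one decision a host makes for every packet: if the destination falls inside the host's own configured address/netmask, the host ARPs for it directly; otherwise it hands the packet to its gateway. A host with too wide a mask therefore ARPs on its own segment for addresses that really live behind the router, gets no answer, and one leg of the ping dies; turning on proxy ARP makes the router answer those ARPs and hides the misconfiguration. The topology (two router interfaces, hosts A, B, X, Y, and Y's deliberately wrong mask) is constructed for the example; the host names follow the thread, the addresses are invented.

```python
"""Find out why two hosts across a router only reach each other with proxy ARP.

Added example (not from the firewalls list). Topology below is constructed:
host Y carries a wrong netmask on purpose.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    address: str
    netmask: str    # as configured on the host; may be wrong
    gateway: str
    segment: str    # physical segment the host is cabled to (ground truth)


# Router interfaces keyed by segment: (address, netmask) as configured on the router.
ROUTER: Dict[str, Tuple[str, str]] = {
    "seg1": ("10.1.1.1", "255.255.255.0"),
    "seg2": ("10.1.2.1", "255.255.255.0"),
}

A = Host("A", "10.1.1.10", "255.255.255.0", "10.1.1.1", "seg1")
B = Host("B", "10.1.1.20", "255.255.255.0", "10.1.1.1", "seg1")
X = Host("X", "10.1.2.30", "255.255.255.0", "10.1.2.1", "seg2")
Y = Host("Y", "10.1.2.40", "255.255.0.0",   "10.1.2.1", "seg2")   # wrong mask (/16)


def next_hop(src: Host, dst_addr: str) -> str:
    """'direct' if src believes dst is on-link and will ARP for it, else src's gateway."""
    local = ipaddress.IPv4Network((src.address, src.netmask), strict=False)
    return "direct" if ipaddress.IPv4Address(dst_addr) in local else src.gateway


def one_way(src: Host, dst: Host, router: Dict[str, Tuple[str, str]] = ROUTER) -> Tuple[bool, str]:
    """Can a packet from src reach dst without proxy ARP? Returns (ok, reason)."""
    hop = next_hop(src, dst.address)
    if hop == "direct":
        if src.segment == dst.segment:
            return True, f"{src.name}->{dst.name}: on-link, direct ARP"
        return False, (f"{src.name}->{dst.name}: {src.name} ARPs for {dst.address} on "
                       f"{src.segment} but {dst.name} is on {dst.segment}; nobody answers "
                       f"unless the router does proxy ARP")
    if router.get(src.segment, ("", ""))[0] != hop:
        return False, f"{src.name}->{dst.name}: gateway {hop} is not on {src.segment}"
    if dst.segment not in router:
        return False, f"{src.name}->{dst.name}: router has no interface on {dst.segment}"
    return True, f"{src.name}->{dst.name}: forwarded via {hop}"


def ping_works(a: Host, b: Host, router: Dict[str, Tuple[str, str]] = ROUTER) -> Tuple[bool, List[str]]:
    """A ping needs both legs: echo request a->b and echo reply b->a."""
    ok_req, why_req = one_way(a, b, router)
    ok_rep, why_rep = one_way(b, a, router)
    return ok_req and ok_rep, [why_req, why_rep]


def mask_mismatches(hosts: List[Host], router: Dict[str, Tuple[str, str]] = ROUTER) -> List[Tuple[str, str, str]]:
    """Hosts whose netmask differs from the router interface on their own segment."""
    return [(h.name, h.netmask, router[h.segment][1])
            for h in hosts if h.netmask != router[h.segment][1]]


if __name__ == "__main__":
    for src, dst in ((A, X), (A, Y), (Y, X), (Y, B)):
        ok, legs = ping_works(src, dst)
        print(f"{src.name} ping {dst.name}: {'ok' if ok else 'FAILS'}")
        for leg in legs:
            print("   ", leg)
    print("netmask mismatches (host, configured, router):", mask_mismatches([A, B, X, Y]))
```

In this constructed case the request leg A->Y is fine (A routes through 10.1.1.1), but the reply leg Y->A fails because Y's /16 mask makes it ARP for 10.1.1.10 on seg2. `mask_mismatches` is the check Michel is asking for: compare each host's mask with the router interface on the same segment before reaching for proxy ARP.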
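Paul Crossley's answer to the secure-telnet question above is to install a tcp wrapper for basic filtering and logging. The following is an added example of what that buys you; it is not code from the list, from Paul, or from the tcp_wrappers package itself. It reimplements the documented decision order tcpd applies to a (daemon, client) pair: grant if a hosts.allow rule matches, otherwise deny if a hosts.deny rule matches, otherwise grant. Both rule files are constructed samples, the hostnames and addresses are invented, and the supported client patterns are ALL, LOCAL (a hostname with no dot), an exact hostname or address, a leading-dot domain suffix, a trailing-dot address prefix and net/mask; the options field (spawn, twist and friends) is not implemented.

```python
"""tcpd-style host access control with logging (hosts.allow / hosts.deny).

Added example (not from the firewalls list or from tcp_wrappers).
Rule files below are constructed samples.
"""
import ipaddress
from typing import List, Optional, Tuple

Rule = Tuple[List[str], List[str]]   # (daemon patterns, client patterns)

HOSTS_ALLOW = """\
# constructed sample: two campus subnets and one admin host may telnet in
telnetd : 128.206.10. 128.206.20.0/255.255.255.0 admin.cs.example.edu
ALL : LOCAL .lib.example.edu
"""

HOSTS_DENY = """\
# constructed sample: refuse everything not explicitly allowed
ALL : ALL
"""


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list [: options]' lines; '#' starts a comment."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2 or not fields[0] or not fields[1]:
            raise ValueError(f"malformed access rule: {raw!r}")
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def client_matches(pattern: str, host: str, addr: str) -> bool:
    """Match one client pattern against the peer's hostname and address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in host
    if pattern.startswith("."):                      # domain suffix
        return host.endswith(pattern)
    if pattern.endswith("."):                        # dotted address prefix
        return addr.startswith(pattern)
    if "/" in pattern:                               # net/mask
        net, mask = pattern.split("/", 1)
        network = ipaddress.IPv4Network((net, mask), strict=False)
        return ipaddress.IPv4Address(addr) in network
    return pattern in (host, addr)                   # exact host or address


def rules_match(rules: List[Rule], daemon: str, host: str, addr: str) -> bool:
    """True if any rule names this daemon (or ALL) and one of its client patterns matches."""
    for daemons, clients in rules:
        if not any(d in ("ALL", daemon) for d in daemons):
            continue
        if any(client_matches(c, host, addr) for c in clients):
            return True
    return False


def check_access(daemon: str, host: str, addr: str,
                 allow: str = HOSTS_ALLOW, deny: str = HOSTS_DENY,
                 log: Optional[List[str]] = None) -> str:
    """Return 'allow' or 'deny' for one connection; append a syslog-style line if asked."""
    if rules_match(parse_rules(allow), daemon, host, addr):
        verdict = "allow"
    elif rules_match(parse_rules(deny), daemon, host, addr):
        verdict = "deny"
    else:
        verdict = "allow"      # tcpd default when neither file matches
    if log is not None:
        log.append(f"{daemon}: {verdict} connect from {host} [{addr}]")
    return verdict


if __name__ == "__main__":
    entries: List[str] = []
    for args in (("telnetd", "lab1.cs.example.edu", "128.206.10.7"),
                 ("telnetd", "admin.cs.example.edu", "128.206.1.2"),
                 ("telnetd", "attacker.example.com", "192.0.2.9"),
                 ("ftpd", "lab1.cs.example.edu", "128.206.10.7"),
                 ("ftpd", "pc14", "10.0.0.14")):
        check_access(*args, log=entries)
    print("\n".join(entries))
```

Two caveats a practitioner should keep in mind, both of which Paul's "at the very least" already concedes. The decision is made on the peer's source address and on a name looked up from it, so it does nothing for the questioner's ip-spoof worry (real tcpd does at least cross-check forward and reverse DNS and can refuse mismatches); and the password still crosses the wire in clear, since the wrapper only controls who gets to reach the login prompt. What it does give is a log line for every connection attempt, which is worth having on its own.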