From firewalls-owner Sat Jul 1 12:34:47 1995
Date: Fri, 30 Jun 95 19:12:31 -0400
Message-Id: <9506302312.AA26326@uvs1.orl.mmc.com>
From: firewalls-owner@greatcircle.com
To: "firewalls@greatcircle.com"@uvs1.dnet.mmc.com
Subject: TW safe on a write protected floppy

KH rites:

>Someone just told me that he thought it is possible, if access at a low
>enough level can be obtained, to write to a write-protected floppy; he
>claims that there are disk duplication programs for PCs that can do
>this for copying distributions onto diskettes w/o the write-enable
>tab.

Another mythconception. Short answer is no.

Long answer is that so long as it is enforced by a hardware mechanism on the drive itself (e.g. PC) & the physical/optical mechanism has not been "fixed"/failed, no. Macintoshes are a different matter (have been told that the write protect is a signal that is enforced by software. Have not verified.)

Easy enough to verify, just issue some Int 13 Fn B's with BX pointing to garbage and see what happens. If the carry flag sets and the disk is still 100% usable, the write protect works.

Would someone care to amplify re Suns & Vaxes (AFAIK the Mac is the only possibly strange one out).

Warmly,
Padgett

From firewalls-owner Sat Jul 1 12:55:34 1995
Date: Fri, 30 Jun 95 22:26:03 -0400
Message-Id: <9507010226.AA27093@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: More Mythconceptions (was TW)

Infosec Heaven rites:

>It's pretty easy to make a floppy (or other disk) truly read-only.
>You simply cut the wire that attaches to the write head.

Well some floppies (not some flopticals or Iomega's ZIP which incidentally does use software rite protect) and some hard disks (not ATA/IDEs) but is difficult if the head (most) is read/write.

Now for a ST-506 (MFM & RLL) AFAIR it is line six of the fat ribbon and something else for a SCSI (I do forget some things) and you had best terminate the wire since if left to float anything may occur. However for an IDE, it takes a logic circuit (have one here - somewhere...).

Warmly,
Padgett

ps am in need of a Tech Manual for an early SAIC V2LC "Lightweight Computer Unit" TM 11-7021-217-12 &P. Or just a circuit description/pinout for the TFT display (one with the DOLCH video card - assy 31-1001-0048). Have exhausted all normal channels without luck. Is just a PC inna transit case, but all them little white wires...
From firewalls-owner Sat Jul 1 13:04:25 1995
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9507010306.AA29534@hawksbill.sprintmrn.com>
Subject: Re: TW safe on a write-protected floppy?
To: bonomi@delta.eecs.nwu.edu (Robert Bonomi)
Date: Fri, 30 Jun 1995 22:06:55 -0500 (EST)
Cc: firewalls@GreatCircle.COM, ken@bridge.com
In-Reply-To: <199506302052.PAA19768@delta.eecs.nwu.edu> from "Robert Bonomi" at Jun 30, 95 03:52:01 pm

> Possible *only* with a _modified_ drive. I had such a drive once (unknown
> to me!). found out, the "hard way", when I erased all the files off an
> original distribution disk that did *not* have a 'write enable' on it.
> I said some *nasty* things to the company I was leasing the machine from!! :))

Deja vu, in a big way. This discussion has played out a thousand times over, on every discussion group from Prodigy to Fidonet. Can we please drop this silly thread and move on with valid discussions concerning firewalls?

- paul

_______________________________________________________________________________
Paul Ferguson                          US Sprint
tel: 703.689.6828                      Managed Network Engineering
internet: paul@hawk.sprintmrn.com      Reston, Virginia USA
                                       http://www.sprintmrn.com

From firewalls-owner Sat Jul 1 13:18:56 1995
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9507010304.AA29520@hawksbill.sprintmrn.com>
Subject: Re: NBT traffic filters (was: Comments Appreciated)
To: larry@merakusa.com (Larry Barras)
Date: Fri, 30 Jun 1995 22:04:58 -0500 (EST)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <199506302240.RAA29840@igate.merakusa.com> from "Larry Barras" at Jun 30, 95 05:40:53 pm

> Actually, you *can* run MS-Mail through the internet and connect to a WGPO.
> It sucks! I tried this and found that a single connection just to check for
> mail required a transfer of 87k *with no mail transferred*. You are right
> that it cannot be secured either. It's a big bandwidth hog. I figured 20-30
> people in an office could continuously tie up a 56k leased line just checking
> mail from a remote server all the time.

Oh, you can certainly secure it. ;-)

As the previous poster pointed out, NBT services are defined and 'standardized.' They can be selectively plugged.

FWIW, the consistent bandwidth utilization is due to the constant NB directory lookup services. A real pig.

- paul

From firewalls-owner Sat Jul 1 13:24:18 1995
From: Marcus J Ranum
Message-Id: <9507010223.AA19675@tis.com>
Subject: Re: controlling FTP transfers
To: firewalls@greatcircle.com
Date: Fri, 30 Jun 1995 22:23:00 -2800 (EDT)
Reply-To: mjr@iwi.com
Organization: Information Works! Inc, Baltimore, MD

Jim Shankland writes:

>Application gateways are an *implementation technique* for performing
>stateful filtering and/or interposition based on data extending
>above the TCP layer.

That's *GOT* to be the best description of them that I've ever seen! Can I steal it and use it? :)

The only caveat I'd make is that "statefulness" in filtering may be more than just TCP state. It may also depend on other factors like whether the user has authenticated, and application-level protocol specific information (such as FTP STOR commands being handled differently from FTP RETR commands).
It's *easier* to do that kind of processing in an application but it's really an implementation detail whether that state is held in the pcb of a socket connected to an application, or whether it's some extra state flags in some kernel-level subroutine.

Prediction: the router firewalls will evolve up towards the application layer and will "understand" more and more about what is going across them. The application level firewalls will move deeper into the kernel until eventually they're kernel subroutines. Then we can agree that we're *ALL* right about the best way to build a secure firewall. :)

mjr.

From firewalls-owner Sat Jul 1 13:34:28 1995
From: tlr1@esygvl.com
Date: Sat, 1 Jul 1995 05:44:34 -0500 (CDT)
To: mulligan@icgmail.Eng.Sun.COM
Cc: firewalls@GreatCircle.COM
Subject: Re: sendmail not delivering to you
In-Reply-To: <9506301815.AA04147@future.incog.com>

I fixed it!!! We were denying ALL connections to and from ports above 5000 from and to port 25. All I had to do was move the lines that denied connections to and from ports above 5000 to be after the line that allowed connections to port 25.

Thanks for your help in fixing this problem.

Terry L. Robison   | I struggled no more, but the agony of my soul
Engineer           | found vent in one loud, long, and final scream
E-Systems, Inc.    | of despair. I felt that I tottered upon the brink...
Greenville TX      | -= from "The Pit and the Pendulum" =-
tlr1@esygvl.com    | -= by E. A. Poe =-

On Fri, 30 Jun 1995 mulligan@icgmail.Eng.Sun.COM wrote:

> Terry,
> The problem is that you need to allow inbound connections from any
> port above 1024 to your mailserver's port 25 (smtp).
>
> Port numbers go from 1 to 65535. All Solaris boxes start opening ports
> in the range 32768 to 65535 so no one on a Solaris box will be able to
> send you mail (maybe you want that :-) ).
>
> Also you will randomly not be able to receive mail from sites as their
> port numbers may at times be assigned above 5000.
>
> There really isn't any danger in allowing a tcp connection from any port
> to your mailserver's smtp port (25) as the only thing that will be able to
> be passed is mail commands.
>
> Please feel free to give me a call if you would like to talk about this.
>
> geoff mulligan
> Sun Microsystems Labs

From firewalls-owner Sat Jul 1 13:43:07 1995
From: Peter Danzig
Date: Fri, 30 Jun 1995 16:16:40 -0700
Message-Id: <199506302316.QAA10706@warthog.usc.edu>
To: Firewalls@GreatCircle.COM
Subject: Harvest Cache

Hi,

Daniel O'Callaghan recently wrote about his negative experience with the Harvest cache.
I am posting this note to explain what Daniel experienced and to encourage others experiencing trouble to read our support policy http://harvest.cs.colorado.edu/support.html and then send us email.

>> Just wondering if anybody has tried setting up the Harvest
>> hierarchical object cache as an app proxy through a firewall. Let's
>> hear the good and the bad, and any possible comparisons to the Cern
>> server proxy.

>I have tested Harvest cached and found it to work well when it works, but
>it appears to have a memory leak and will ultimately crash or run away with
>"Unable to allocate 0 bytes" messages.
>It does not preserve the cache across a restart, and it does not check
>with the remote site using GET If-modified-since pragmas before returning
>documents from its cache.
>My project for this week is to try to get the CERN proxy server to pre-fork.
>
> Danny

For Harvest cache version 1.2.1 available from http://harvest.cs.colorado.edu (dated June 12, 1995), we are not aware of memory leaks. We run purify against the cache for all releases, but if you think it does leak, please let us know why. Our internal 1.3.alpha version fixes a core-dump that we introduced in code that kills connections to stalled clients.

Version 1.3 also recovers the cache from disk.

Version 1.3 does not implement the If-modified-since pragma, but this is on our list (we expect to release 1.3 sometime this summer). What we did in the current version, 1.2.1, is implement a rule where the life-time of a page depends on the explicit expiration time or 1/2 the difference between the last-modified time and the date reported by the httpd. I think that people will want different models. Some will want the cache's best guess and others may want the cache to implement If-modified-since. I think we'll need to add an option that says whether you want the cache to perform If-modified-since or to accept the cache's guess as to the page's lifetime.
> The memory problem I have experienced is that the RAM size of the program
> grows from a virgin 4MB to nearly 30MB, despite the ram/swap cache size
> being set at 8MB. The daemon then gets stuck in a loop between ...

Ah. This is not a memory leak but is because, up till 1.3-beta, we store the mime header with the object and keep the object metadata in memory. Since the mime header adds up to a kb/object, the meta data grows pretty quickly. In 1.3, the VM image grows by about ~150 bytes/object cached, but the cache doesn't include this meta data in its estimate of the ram/swap cache size set in the conf-file. This means that as you get 40K objects cached, you have a 6MB memory image plus your 8MB VM cache for a total of 14MB.

My plan is to move cold meta-data to disk or to move the meta-data itself to a disk-able structure. So far, we didn't do this because we were thinking of regional networks when we built the cache, rather than end-systems. We figured that a regional net would happily spend a few $1,000 on memory to make their caches sizzle. Now that the cache is out there, more end-systems are using it and dealing with gobs of meta-data on 8MB machines is something we need to deal with.

Harvest 1.2.* and 1.3 are 10 times faster for cache-able objects than are Netscape and NCSA 1.4 httpds, when the Harvest cache is used in httpd-accelerator mode. When using an httpd accelerator, sites can partition their cgi-bin and other non-cacheable URLs so requests for these URLs go directly to the real httpd, but requests for cacheable objects go to the harvest cache. Documentation for these claims is available from http://excalibur.usc.edu. Given that Harvest is so much faster than a pre-forking NCSA 1.4, I doubt that a pre-forking CERN server will be that much faster.

We want to make the Harvest cache error-free and fast; we appreciate your feedback. Our support policy http://harvest.cs.colorado.edu/support.html tells you how to send email for harvest technical support.

Peter B. Danzig
Asst. Professor
Computer Science Department
University of Southern California
941 W. 37th Place
Los Angeles, CA 90089-0781
Work 213-740-4780
Fax 213-740-7285

From firewalls-owner Sun Jul 2 10:04:18 1995
From: ajack@corp.micrognosis.com (Adam Jack)
Message-Id: <9507020253.AA18309@becks>
Subject: How does one provide http://X.com/~FRED w/o giving FRED an account on the firewall?
To: firewalls@greatcircle.com
Date: Sat, 1 Jul 1995 22:53:22 -0400 (EDT)

People,

I'm sorry if this isn't firewall-ish enough. I tried giving you all a let out at subject level.

OK - so the question is exactly as in the subject. If we wish to allow users who have accounts within the firewall to have their own personal home pages - then we should follow the convention of http://X.com/~FRED. However - we do not want to allow users accounts on the firewall.

The problem is that we don't wish to hack into the httpd unless required. Is there a configuration option like CERN's "UserDir" that might help - or a form of MAP that does the job?
What are people's mechanisms for allowing users to maintain home pages w/o giving them ftp access to the firewall or accounts.

Thanks :

Adam

From firewalls-owner Sun Jul 2 10:25:16 1995
Subject: Re: TW on a w-protected floppy
To: firewalls@greatcircle.com
Date: Sat, 1 Jul 1995 15:19:31 -0400 (EDT)
From: "Michael H. Warfield"
In-Reply-To: <9506302257.AA10302@all.net> from "Dr. Frederick B. Cohen" at Jun 30, 95 06:57:01 pm

Getting a little off topic but misinformation should not go unchallenged.

> > Ken Hardy writes:
> > >Someone just told me that he thought it is possible, if access at a low
> > >enough level can be obtained, to write to a write-protected floppy; he
> > >claims that there are disk duplication programs for PCs that can do
> > >this for copying distributions onto diskettes w/o the write-enable
> > >tab.

Assumption (potentially bad): we are dealing with PC style hardware and/or PC compatible floppy drives.
Your mileage may vary if you have proprietary floppy drives with non-conventional hardware.

In simple terms - NO!

Unless the floppy drive hardware has been modified or re-jumpered or in some other way bypassed, the write-enable circuit of the drive itself inhibits current to the erase head and write circuitry. This is hardware. I don't care how low level you get in the software, you're not about to override the hardware. (Unless the hardware is busted to begin with).

I copy disks without the 3-1/2 write enable tab simply by blocking the hole (tape works). 5-1/4 is a little tougher. To copy data to a 5-1/4 disk with no write enable notch, I use a special floppy drive which has the write enable sensor wired to a connector which comes out to the "turbo" switch on my tower (my system never operates in anything but turbo, so that switch was not connected anyways).

Bulk copiers simply use drives which have the write-enable bypassed. These drives don't know or care what the enable state of the disk is. BUT IT HAS TO BE DONE ON THE DRIVE HARDWARE!!!

> > It's possible, I suppose, but if you're dealing with that kind
> > of level of effort it'd be easier to just hack the kernel to not see or
> > remap certain files.
> ..

NO IT'S NOT. You can't do it with software alone. Period. Just get the service manual on your favorite floppy drive and check it out yourself. Can't be done without HARDWARE modifications.

> It's pretty easy to make a floppy (or other disk) truly read-only.
> You simply cut the wire that attaches to the write head.

Think again. Most floppy drives which I have worked with use a common read/write head with a separate erase head. The major reason for that is alignment (the read and write operations must be tightly colinear while erase must be wider and overlap). I'm not sure about the 2.88 Meg floppies, but 5-1/4 and 3-1/2 720K/1.2M/1.44M floppies all work this way.
The erase head track width is twice as wide as the r/w head to ensure that there is no chance of "left-over" inter-track data, but read and write heads are one and the same. Cut a line to those heads and the drive is more than just write-protected.

Most drives do have a common drive current point which supplies current to both the write circuits and erase head. It's that point which is typically inhibited by the write-protect circuit. Cut that trace and you no longer have erase current or record current. But some of the 3-1/2 drives have that buried in a VLSI chip. Then your best bet is to short the write protect sensor to always indicate a write protected disk. In any case you must have a schematic, PCB layout, and the skills to do minor surgery on hardware. (So put away that Weller 180W soldering gun! :-) :-) )

> --
> -> See: Info-Sec Heaven using our New Super Secure World-Wide-Web Server
> -> Free: Test your system's security (scans deeper than SATAN or ISS!)
> ---------------------- both at URL: http://all.net ----------------------
> -> Read: "Protection and Security on the Information Superhighway"
>          John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95
> -------------------------------------------------------------------------
> Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
>

My pardon to those who wonder what this has to do with firewalls. I just can't let this level of misinformation stand.

Regards,
Mike

--
Michael H. Warfield    | (404) 925-8248  | mhw@WittsEnd.com
(The Mad Wizard)       | NIC whois: MHW9 | mathcs.emory.edu!wittsend!mhw
An optimist believes we live in the best of all possible worlds.
A pessimist is sure of it!   | http://www.wittsend.com/mhw/

From firewalls-owner Sun Jul 2 11:34:48 1995
To: firewalls@greatcircle.com
From: mcr@milkyway.com (Michael Richardson)
Subject: Re: Controlling ftp file transfers
Date: 2 Jul 1995 14:24:02 -0400
Organization: Milkyway Networks Corporation, Ottawa, ON
Message-ID: <3t6o82$nl3@metis.milkyway.com>
References: <199506301902.MAA15128@saguaro.flyingfox.com>

In article <199506301902.MAA15128@saguaro.flyingfox.com>, Jim Shankland wrote:

>As packet filters become more stateful, and application gateways
>become more transparent, the distinction between the two
>implementation techniques blurs. In the past, you could use
>"application gateway" as shorthand for "stateful filtering and/or
>interposition based on data extending above the TCP layer" --

Well, when a packet filter acquires enough state to keep track of and translate TCP sequence numbers, then it is an application/circuit layer gateway.

I'm not one to hammer metaphors Disney style, but I'll explain my point about brains vs liver: they are indistinguishable at the atomic and subatomic level.
Of course everything is just 0s and 1s, but that does not mean that packet filters are application layer gateways any more than neurons are liver cells.

If you want to extend the metaphor: yes, application gateways do more processing of each data byte than a "router" does, and often with sub-optimal code. They are slower, and probably cannot protect very large pipes, or ones with definite requirements for latency (e.g. video applications).

--
:!mcr!:                 | Milkyway Networks Corporation
Michael Richardson      | Makers of the Black Hole firewall
NCF: aa714 || xx714     | +1 613 566-4574 ... mcr@milkyway.com
Home: mcr@sandelman.ocunix.on.ca. PGP key available.

From firewalls-owner Sun Jul 2 11:49:10 1995
From: "Brent E. Boyko"
Message-Id: <199507021816.LAA00285@brent.llu.edu>
Subject: Re: How does one provide http://X.com/~FRED w/o giving FRED an account on the firewall?
To: ajack@corp.micrognosis.com (Adam Jack)
Date: Sun, 2 Jul 1995 11:16:54 -0700 (PDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <9507020253.AA18309@becks> from "Adam Jack" at Jul 1, 95 10:53:22 pm

> OK - so the question is exactly as in the subject.
> If we wish to allow
> users who have accounts within the firewall to have their own personal
> home pages - then we should follow the convention of http://X.com/~FRED.
> However - we do not want to allow users accounts on the firewall.

Well, the little '~' symbol in '~FRED' means "the home directory for user FRED as listed in the passwd file" (assuming certain flavors of Unix). What you can do to prevent telnet logins is to specify /bin/false as the login shell in the passwd file. This would also prevent ftp, as long as /bin/false is not listed in /etc/shells. (Check your ftpd manual for details. If the /etc/shells mechanism isn't shown, use something like wu-ftpd as a replacement.) You would also put "nologin" or "***" in the password field.

> What are people's mechanisms for allowing users to maintain home pages w/o
> giving them ftp access to the firewall or accounts.

If you MUST put your web service on your firewall or bastion host, look at the guestgroups mechanism in the ftpaccess.5 man page for wu-ftpd. This mechanism allows you to assign a user to a specific guest group in /etc/groups. When a member of the guest group makes an ftp connection, the ftp daemon chroots() the session to a specified subdirectory, does a chdir() to the user's home directory, which must be within the new hierarchy, and then behaves as it does when an anonymous session is running. If you set up a file system specifically for home pages, this looks like it would be reasonably secure. As with any firewall or bastion host, I would probably disable the rlogin, rsh, rexec, etc commands, in case a user drops a .rhosts turd in his home directory.

WARNING! I have not tried this yet, but I am going to. Your mileage may vary.

> Thanks :

Hope this helps.

--
Brent E. Boyko
Telecom Engineer
Loma Linda University Medical Center
bboyko@brent.llu.edu
909-824-4321

From firewalls-owner Mon Jul 3 02:08:30 1995
Date: Mon, 3 Jul 1995 02:03:14 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
Message-Id: <9507030903.AA12865@brittany.oes.amdahl.com>
To: isdmill@gatekeeper.ddp.state.me.us, tingarg@yam.cccc.com
Subject: Re: [Q]: Cheap Terminal Server / Firewall product
Cc: firewalls@greatcircle.com

> > which can handle :
> >
> > 4-8 Modems, (at least) 1 T1 interface, and (at least) 2 ethernet
> > interfaces. It should be able to have its modem ports "appear" on a host
> > on the local network, and it should have good packet filtering and
> > proxying capabilities. And price *is* an issue -- the cheaper, the
> > better!
> >
> > I'd very much appreciate any suggestions that you might make. Thanks!
>
> Sounds pretty contradictory to me:) You can afford a T connection but
> not a real firewall?
>

Portmaster from Livingston.

Patrick

_______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;).  \
| (mail copyright Patrick J. Horgan)                            (\      |
| Patrick J. Horgan       Amdahl Corporation                    \\ Have  |
| patrick@amdahl.com      1250 East Arques Avenue               \\ _ Sword|
| Phone : (408)992-2779   P.O. Box 3470 M/S 316                 \\/ Will  |
| FAX : (408)773-0833     Sunnyvale, CA 94088-3470             _/\\ Travel|
\___________________________O16-2294________________________\)__________/

From firewalls-owner Mon Jul 3 02:35:24 1995
From: George Ross
Subject: Re: Has Skey been ported to Solaris (was: Linux).
Organization: Department of Computer Science, University of Edinburgh
Date: Mon, 3 Jul 1995 09:08:04 GMT
Apparently-To: firewalls@GreatCircle.com

John Adams writes:

> I've ported Skey to ... Solaris 2.2 ...

Is that a replacement unix_scheme.so or just the individual applications? Does anyone have a unix_scheme.so version? (Diffs against Sun's sources would be fine.)

--
Dr George D M Ross, Department of Computer Science, University of Edinburgh
Kings Buildings, Mayfield Road, Edinburgh, Scotland, EH9 3JZ
Mail: gdmr@dcs.ed.ac.uk   Voice: +44 131 650 5147   Fax: +44 131 667 7209

From firewalls-owner Mon Jul 3 07:45:37 1995
From: DEEVEE@HOUVMSCC.lsis.loral.com
Message-Id: <199507031418.HAA02746@miles.greatcircle.com>
Date: Mon, 3 Jul 95 09:14:28 CDT
To: firewalls@greatcircle.com
Subject: Proxies

I'm assisting with the implementation of a secure subnet architecture between a government customer and several contractor companies. Each contractor subnet will enter the secure subnet via a secure firewall. We would like to allow the following functions between the subnets (FTP, TELNET, client/server, NFS, and X-windows). I'm looking for firewall proxies for (NFS, client/server, and X-windows). Users have OS/2 workstations, and X-windows users have OS/2 and MAC workstations. Multi-user systems are AIX/UNIX platforms. If proxies are not available, could someone tell me what controls need to be implemented to provide a safe environment if these functions are allowed? Thanks.

DEEVEE@LORAL.LSIS.COM..
From firewalls-owner Mon Jul 3 08:39:31 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA03592 for firewalls-outgoing; Mon, 3 Jul 1995 08:05:11 -0700
Received: from gmap15.leeds.ac.uk (gmap15.leeds.ac.uk [129.11.84.200]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA03481 for ; Mon, 3 Jul 1995 07:59:13 -0700
Received: (from danny@localhost) by gmap15.leeds.ac.uk (8.6.12/8.6.9) id PAA00425; Mon, 3 Jul 1995 15:55:53 +0100
Date: Mon, 3 Jul 1995 15:55:53 +0100
From: Danny
Message-Id: <199507031455.PAA00425@gmap15.leeds.ac.uk>
To: firewalls@greatcircle.com
Subject: Where do I store my mail?
Cc: danny@gmap15.leeds.ac.uk
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm slowly putting together my kit. I've a router which has two ethernet interfaces. It's running Solaris 2.3 btw. Does anyone know how to switch off ip-forwarding? And is it the same procedure for Solaris 2.4?

In order to use this as my bastion host, I want to remove lots of stuff from it. I don't know quite what I'm needing to do with my email though. The easy and obvious way to do it is to store all mail actually on this host, and have the various clients on our local network mount /var/mail via NFS. If I do do this, has anyone any comments as to the security implications please? Also, if it's a bad idea .. anyone got any comments as to what I should do instead. I'm running Sendmail8 version 8.6.12 btw. If I should pass it through somehow (any recommendations) then has anyone any comments!

At some point, I want to build an anon-ftp/WWW server too; should I think about bunging the mail on this machine then? I'd plan to have this connected to the router via a third ethernet interface probably.

thanks for your thoughts,

Danny

From firewalls-owner Mon Jul 3 09:04:50 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA04610 for firewalls-outgoing; Mon, 3 Jul 1995 08:52:40 -0700
Received: from atc.boeing.com (atc.boeing.com [130.42.28.80]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA04605 for ; Mon, 3 Jul 1995 08:52:37 -0700
Received: by atc.boeing.com (5.57) id AA27838; Mon, 3 Jul 95 08:54:28 -0700
Received: from baker2.ds.boeing.com (baker.ds.boeing.com) by splinter.boeing.com with SMTP (1.37.109.14/16.2) id AA004056596; Mon, 3 Jul 1995 08:49:56 -0700
Received: from mlsspar51.ds.boeing.com by baker2.ds.boeing.com (5.x/SMI-SVR4) id AA16353; Mon, 3 Jul 1995 08:52:35 -0700
Received: by mlsspar51.ds.boeing.com (5.x/SMI-SVR4) id AA29210; Mon, 3 Jul 1995 08:50:52 -0700
Date: Mon, 3 Jul 1995 08:50:52 -0700
From: rsmith@baker.ds.boeing.com
Message-Id: <9507031550.AA29210@mlsspar51.ds.boeing.com>
To: firewalls@greatcircle.com
Subject: E-mail review station
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I need to configure a mail review station (not unlike a moderated news group) so that all mail sent from one network (the "user net") to another network (the "destination net") is reviewed before it is forwarded by an authorized person on the review host.

    user net -------> review host ------> destination net
                     (Sun Workstation)

All E-mail traffic addressed to the destination net is received by the review host and stored until it is reviewed. Then each message is either forwarded to the destination net or rejected. Are there any simple techniques for configuring the mail program on the review host to do this, or are there any "firewall" tools (e.g., fwtk) that can be used to build this functionality?
One solution would be to have the users address the mail to the review host and then have the review host re-address the mail to the destination net, but I want to allow the users to address it directly to the destination address.

Thanks,
Randy Smith

From firewalls-owner Mon Jul 3 09:23:33 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA04558 for firewalls-outgoing; Mon, 3 Jul 1995 08:51:16 -0700
Received: from relay1.oleane.net (Relay1.OLEANE.NET [194.2.1.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA04545 for ; Mon, 3 Jul 1995 08:51:10 -0700
Received: from silogic.fr (mailhost.silogic.fr [194.2.184.1]) by relay1.oleane.net (8.6.10/8.6.9) with SMTP id RAA25784 for ; Mon, 3 Jul 1995 17:49:33 +0200
Received: by silogic.fr (4.1/SMI-4.1) id AA08549; Mon, 3 Jul 95 17:35:34 +0100
From: pyb@silogic.fr (Pierre-Yves Bonnetain)
Message-Id: <9507031635.AA08549@silogic.fr>
Subject: SUMMARY : Available proxies sources
To: firewalls@greatcircle.com
Date: Mon, 3 Jul 1995 17:35:33 +0100 (BST)
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 1537
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In a previous message, I did ask for available Public Domain proxies sources. Thanks to those who did answer. For those interested, you will find below what I got. It seems the two best known 'products' are the TIS toolkit and Socks. Again, for those interested, I will set up (somewhere after my holidays :-) a fwall using either TIS or SOCKS or both. I may even tell you how I fared!

---------------------
From: pascal@i-kinetics.com (Pascal Petit)

A classic, simple and inexpensive solution would be to install the TIS toolkit -www.tis.com- on a PC running BSD. The TIS toolkit filters and keeps a record of every ftp, www and other connection.

---------------------
> From: Lyndon David
> Subject: Re: Available proxies sources
>
> The TIS firewall toolkit does this.
> ftp://ftp.tis.com/firewalls/toolkit
>
> Also a new one out from SOS corp. This has only been out a couple of
> days so I can't comment on it.
> ftp://ftp.soscorp.com/pub/sos/
>
---------------------
> From: Amos Shapira
>
> I think the FAQ (should be available from ftp.greatcircle.com or
> www.greatcircle.com, I think) mentions a few PD firewalls kits.
>
> In general - the most common is SOCKS, as far as I remember.

--
-+-+ Pierre-Yves BONNETAIN (aka Pyb)
Open Systems and Graphical Interfaces Consultant
SILOGIC Consultants              Tel : [33] 61.13.53.00
78, chemin des Sept Deniers      Fax : [33] 61.57.96.60
31200 TOULOUSE - FRANCE          Email : pyb@silogic.fr

From firewalls-owner Mon Jul 3 10:18:56 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA06731 for firewalls-outgoing; Mon, 3 Jul 1995 09:50:12 -0700
Received: from ns.gbnet.net (ns.gbnet.net [194.70.126.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA06725 for ; Mon, 3 Jul 1995 09:50:08 -0700
Received: (from jrg@localhost) by ns.gbnet.net (8.6.12/8.6.12) id RAA05276; Mon, 3 Jul 1995 17:49:07 +0100
Date: Mon, 3 Jul 1995 17:49:07 +0100
From: James R Grinter
Message-Id: <199507031649.RAA05276@ns.gbnet.net>
X-Subliminal: H is for Hypertext
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
To: Danny , firewalls@GreatCircle.COM
Subject: Re: Where do I store my mail?
Cc: danny@gmap15.leeds.ac.uk
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon 3 Jul, 1995, Danny wrote:
>I'm slowly putting together my kit. I've a router which has two ethernet
>interfaces. It's running Solaris 2.3 btw. Does anyone know how to switch
>off ip-forwarding ? And is it the same procedure for Solaris 2.4?

    ndd -set /dev/ip ip_forward_directed_broadcasts 0
    ndd -set /dev/ip ip_forward_src_routed 0
    ndd -set /dev/ip ip_forwarding 0

to be safe.

-- jrg.
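The three ndd settings in the reply above are lost at reboot unless something re-applies them, and a dual-homed box that is supposed to be a bastion host silently becomes a router again if they are not. The script below is an added example, not code from Danny or James, that applies the settings and then re-reads each parameter to confirm the driver reports the wanted value. It assumes ndd(1M) at /usr/sbin/ndd (the NDD variable lets you point it at a stub for testing) and that the three parameter names are exactly as given in the reply.

```shell
#!/bin/sh
# Audit or enforce the "do not forward" ndd settings on a Solaris 2.x bastion
# host. Constructed example for the list discussion above; assumes ndd(1M)
# at /usr/sbin/ndd. Set NDD=... to use a different binary (or a stub).

NDD="${NDD:-/usr/sbin/ndd}"

# /dev/ip parameters that must read 0 on a host that is not meant to route:
# ip_forwarding is what turns the box into a router; the other two stop it
# relaying source-routed packets and directed broadcasts.
WANTED_PARAMS="ip_forwarding ip_forward_src_routed ip_forward_directed_broadcasts"

# get_param NAME  -> prints the current value of NAME in /dev/ip
get_param() {
    "$NDD" -get /dev/ip "$1"
}

# set_param NAME VALUE
set_param() {
    "$NDD" -set /dev/ip "$1" "$2"
}

# check_params: returns 0 when every wanted parameter reads 0, else 1,
# printing one "NAME: got VALUE, want 0" line per deviation.
check_params() {
    rc=0
    for p in $WANTED_PARAMS; do
        v=$(get_param "$p" 2>/dev/null) || { echo "$p: cannot read"; rc=1; continue; }
        if [ "$v" != "0" ]; then
            echo "$p: got $v, want 0"
            rc=1
        fi
    done
    return $rc
}

# harden: set every wanted parameter to 0, then re-read them so the exit
# status reflects what the driver actually reports, not just what we asked.
harden() {
    for p in $WANTED_PARAMS; do
        set_param "$p" 0 || return 1
    done
    check_params
}

# Usage: "sh fwdcheck.sh check" to audit, "sh fwdcheck.sh apply" to enforce
# (put the apply form in an rc script so it runs at every boot).
case "${1:-}" in
    apply) harden ;;
    check) check_params ;;
esac
```

Run it as the `check` form from cron or a login script to catch a box that has drifted back to forwarding; the `apply` form belongs in the boot sequence after the IP driver is loaded.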
From firewalls-owner Mon Jul 3 10:37:30 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA06943 for firewalls-outgoing; Mon, 3 Jul 1995 09:54:08 -0700
Received: from sycgate.sycomore.fr (sycgate.sycomore.fr [192.134.92.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA06929 for ; Mon, 3 Jul 1995 09:53:49 -0700
Received: from [192.134.92.69] (pezziardi.sycomore.fr [192.134.92.69]) by sycgate.sycomore.fr (8.6.3/8.5) with SMTP id SAA06479; Mon, 3 Jul 1995 18:39:04 +0200
Message-Id: <199507031639.SAA06479@sycgate.sycomore.fr>
X-Sender: pezziardi@192.134.92.10
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Mailer: Eudora F1.4.2
Date: Mon, 3 Jul 1995 18:54:45 +0100
To: Firewalls@GreatCircle.COM
From: Pierre.Pezziardi@sycomore.fr (Pierre PEZZIARDI)
Subject: Info about PIX
Cc: brisse@sycomore.fr, jonville@sycomore.fr, pezziardi@sycomore.fr
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone have information about a product from Network Translations called PIX? Roughly it's an IP translator that allows internal hosts to have arbitrary IP addresses. When an internal client wants to use an external service, it is assigned a new address from a pool managed by the PIX black box. The ad said that it could also act as a firewall because nobody can reach an internal host. I'm afraid there is a hole in the system (for instance what if someone catches a connection or guesses an address from the pool???), am I right?

Thanks for all comments (perhaps send directly and I summarize)

Pierre Pezziardi
Sycomore  Tel (+33 1) 41 26 46 60 - Fax (+33 1) 41 26 46 47

From firewalls-owner Mon Jul 3 11:13:44 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA07421 for firewalls-outgoing; Mon, 3 Jul 1995 10:09:27 -0700
Received: from camelot.netmarket.com (camelot.netmarket.com [199.79.247.247]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA07416 for ; Mon, 3 Jul 1995 10:09:24 -0700
Received: from tannis.netmarket.com (tannis.netmarket.com [172.16.1.10]) by camelot.netmarket.com (8.6.10/8.6.9) with ESMTP id NAA25589; Mon, 3 Jul 1995 13:08:11 -0400
Received: from brigadoon.netmarket.com (brigadoon.netmarket.com [172.16.1.236]) by tannis.netmarket.com (8.6.10/8.6.10) with SMTP id NAA11271; Mon, 3 Jul 1995 13:08:10 -0400
Received: by brigadoon.netmarket.com (5.x/client-1.5) id AA03915; Mon, 3 Jul 1995 13:08:09 -0400
Message-Id: <9507031708.AA03915@brigadoon.netmarket.com>
From: hal@netmarket.com (Hal Pomeranz)
Date: Mon, 3 Jul 1995 13:08:07 -0400
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
To: rsmith@baker.ds.boeing.com, danny@gmap15.leeds.ac.uk, firewalls@GreatCircle.COM
Subject: email "proxies" and "review stations", et al
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've seen a lot of traffic on the list lately about how to get email through your firewall, or where to put email on your bastion host, or how to filter email through a particular machine, etc. Like it or hate it, sendmail is a simple answer for most of these problems.

The basic idea is to set up MX records in your DNS database so that all mail for "yourdomain.com" goes to your bastion host. Configure the bastion host to route all mail for hosts in "yourdomain.com" to a mail hub machine on your protected network (which can then forward the mail to other parts of your company as necessary).
Similarly, the internal mail hub should be configured to route all mail destined for hosts outside your company to the bastion host for forwarding. This is easy to do with v8 Sendmail (Sendmail v8.6.12 is available from ftp.cs.berkeley.edu). Here's an m4 file to produce the configuration for your bastion host:

    include(`../m4/cf.m4')
    include(`../ostype/.m4')
    define(`LOCAL_SHELL_PATH', `/bin/false')
    define(`confPRIVACY_FLAGS',`noexpn,novrfy,authwarnings')
    define(`confSMTP_LOGIN_MSG', `$j mailer ready at $b')
    define(`confMIME_FORMAT_ERRORS',`False')
    MAILER(smtp)
    define(`LOCAL_RELAY', `mailhub..com')
    define(`MAIL_HUB', `mailhub..com')
    MASQUERADE_AS(.com)

Make the appropriate substitutions for things in <...>. Here's the m4 file for your internal mail hub ("mailhub..com" in the file above):

    include(`../m4/cf.m4')
    include(`../ostype/.m4')
    define(`confMIME_FORMAT_ERRORS',`False')
    define(`SMART_HOST', `..com')
    MAILER(smtp)
    MASQUERADE_AS(.com)

Now you have to set up your email architecture for your internal networks. Do whatever you like, but just make sure that all outgoing mail eventually ends up at the mailhub so it can get sent out to the bastion machine.
Hal Pomeranz / Information Security Officer / The NetMarket Company

From firewalls-owner Mon Jul 3 11:50:06 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA08448 for firewalls-outgoing; Mon, 3 Jul 1995 10:49:14 -0700
Received: from brimstone.soscorp.com (soscorp.soscorp.com [204.52.248.130]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA08443 for ; Mon, 3 Jul 1995 10:49:10 -0700
Received: from fearless.soscorp.com (fearless.soscorp.com [204.52.249.130]) by brimstone.soscorp.com (2.28/8.6.12/8.6.4.287) with BSMTP id BS0005082/NAA05088; Mon, 3 Jul 1995 13:48:07 -0400
Received: from dauntless.soscorp.com (dauntless.soscorp.com [204.52.249.141]) by fearless.soscorp.com (8.6.10/8.6.4.287) with ESMTP id NAA09898; Mon, 3 Jul 1995 13:47:41 -0400
From: seth@soscorp.com (Seth Robertson)
Received: by dauntless.soscorp.com (8.6.10/SMI-4.1) id NAA03820; Mon, 3 Jul 1995 13:47:38 -0400
Date: Mon, 3 Jul 1995 13:47:38 -0400
Message-Id: <199507031747.NAA03820@dauntless.soscorp.com>
To: okuyama@netcom.com
cc: firewalls@greatcircle.com
Subject: Re: DNS problems
In-Reply-To: <199506300422.VAA23532@netcom15.netcom.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In article <199506300422.VAA23532@netcom15.netcom.com> you write:
>I have three Ethernet interfaces on my firewall. One interface
>goes out to the Internet, one is connected to a private WAN, and
>the third interface goes to my "inside" network. I use a split-
>DNS strategy. I have noticed that when a user is downloading a
>large file (using ftp-gw) from either the Internet or the private
>WAN, DNS requests for external names issued from the firewall fail
>(timeout). Has anyone seen this behavior? What is causing this?
>What can I do to improve this situation (I really don't want to
>un-split my DNS)?

Well, first it would help if you gave a little more information about what software versions you are running, but the following is one potential scenario.

It is unlikely that the problem has anything to do with split-DNS. My first guess would be that you have a slow link to the Internet (56 kbit or less). The large TCP data transfers are swamping your link, causing data to overrun queues on the routers on either end. TCP thus does a lot of retransmitting. This is fine for the TCP transfers, but DNS typically runs over UDP and the UDP packets could be getting discarded because of the overloaded lines.

I am not totally happy with this scenario because most routers have large queues and it would seem unlikely that all of the return DNS packets are getting discarded. However, in order to test this, try using dig (available in the bind distribution) both with and without the +vc (virtual circuit or TCP) option from the firewall querying a remote server during one of these transfers.

Of course, convincing named to use TCP for all queries may be more difficult (well, it looks like the easiest way would be to hack the resolver library's res_setoptions to be able to put VC in the RES_OPTIONS environmental variable--then you can simply set that variable when you run named. Of course you can also hack the named to set USEVC directly).
-Seth Robertson
seth@soscorp.com

From firewalls-owner Mon Jul 3 12:12:47 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA09239 for firewalls-outgoing; Mon, 3 Jul 1995 11:16:25 -0700
Received: from saguaro.flyingfox.com (saguaro.flyingfox.com [204.188.109.125]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA09234 for ; Mon, 3 Jul 1995 11:16:23 -0700
Received: (from jas@localhost) by saguaro.flyingfox.com (8.6.12/8.6.10) id LAA16209; Mon, 3 Jul 1995 11:14:29 -0700
Date: Mon, 3 Jul 1995 11:14:29 -0700
From: Jim Shankland
Message-Id: <199507031814.LAA16209@saguaro.flyingfox.com>
To: firewalls@GreatCircle.COM, mcr@milkyway.com
Subject: Re: Controlling ftp file transfers
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

mcr@milkyway.com (Michael Richardson) writes:
> In article <199506301902.MAA15128@saguaro.flyingfox.com>,
> Jim Shankland wrote:
> >As packet filters become more stateful, and application gateways
> >become more transparent, the distinction between the two
> >implementation techniques blurs. In the past, you could use
> >"application gateway" as shorthand for "stateful filtering and/or
> >interposition based on data extending above the TCP layer" --
>
> Well, when a packet filter acquires enough state to keep
> track of and translate TCP sequence numbers, then it is an
> application/circuit layer gateway.

My point was that we need to come to agreement on definitions. If a filtering module lives in the kernel of a router, maintains filtering state on a per-PCB basis, and can filter both on fields in the IP and TCP headers, and on higher-level protocol fields (e.g., the particular ftp command being issued), and can inject data into the conversation (e.g., "531 You are not authorized to use the STOR command"), is it an application gateway? You say yes. Fair enough. But let's try to avoid having "It's a dessert topping/it's a floor wax" arguments when somebody else calls it a dynamic, adaptive, multi-protocol packet filter.

> If you want to extend the metaphor: yes, application gateways do
> more processing of each data byte than a "router" does, and
> often with sub-optimal code. They are slower, and probably can
> not protect very large pipes, or ones with definite requirements
> for latency (e.g. video applications).

Look, I *really* don't intend to give offense or to flame, but I think this whole paragraph is silly. Application gateways don't necessarily do more processing of *each* data byte than a router does (and what's the difference between a router and a "router"?). The "sub-optimal code" line is either completely unsupported or trivially true. And the last sentence is an unquantified, unsupported wave of the hand.

Jim Shankland
Flying Fox Computer Systems, Inc.

From firewalls-owner Mon Jul 3 12:34:48 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA10139 for firewalls-outgoing; Mon, 3 Jul 1995 11:51:27 -0700
Received: from lanman.aetc.af.mil (lanman.aetc.af.mil [131.44.48.14]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA10134 for ; Mon, 3 Jul 1995 11:51:24 -0700
Received: from mhs3.aetc.af.mil by lanman.aetc.af.mil (4.1/SMI-4.1) id AA04078; Mon, 3 Jul 95 13:21:46 CDT
Message-Id: <9507031821.AA04078@lanman.aetc.af.mil>
From: SMITHR.AETCRS@MHS3.AETC.AF.MIL (Smithr SSgt Robb)
Date: Mon, 03 Jul 1995 13:25 CST
To: firewalls@greatcircle.com, firewalls-owner@GreatCircle.COM
Subject: re: E-mail review station
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone know of virus-scanning software for SCO-Unix 3.2.4.2 and/or HP-UX 9000???????????
------------- Original Text
>From rsmith @ SMTP (rsmith) {firewalls-owner@GreatCircle.COM}, on 7/3/95 8:50:

I need to configure a mail review station (not unlike a moderated news group) so that all mail sent from one network (the "user net") to another network (the "destination net") is reviewed before it is forwarded by an authorized person on the review host.

    user net -------> review host ------> destination net
                     (Sun Workstation)

All E-mail traffic addressed to the destination net is received by the review host and stored until it is reviewed. Then each message is either forwarded to the destination net or rejected. Are there any simple techniques for configuring the mail program on the review host to do this, or are there any "firewall" tools (e.g., fwtk) that can be used to build this functionality?

One solution would be to have the users address the mail to the review host and then have the review host re-address the mail to the destination net, but I want to allow the users to address it directly to the destination address.

Thanks,
Randy Smith

From firewalls-owner Mon Jul 3 13:04:24 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA11757 for firewalls-outgoing; Mon, 3 Jul 1995 12:48:27 -0700
Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA11749 for ; Mon, 3 Jul 1995 12:48:23 -0700
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 3 Jul 1995 12:48:00 -0800
To: Firewalls@GreatCircle.COM
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Proceedings Now Available - 5th USENIX UNIX Security Symposium
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

FYI. There were a number of good papers on encrypted TELNET and various other firewalls-related issues.
-Brent

--- begin forwarded text

From: toni@usenix.org (Toni Veglia)
Subject: Proceedings Now Available - 5th USENIX UNIX Security Symposium
Reply-To: toni@usenix.org (Toni Veglia)
Organization: USENIX Association, Berkeley, CA
Date: Fri, 30 Jun 1995 16:46:30 GMT

If you couldn't attend the 5th USENIX UNIX Security Symposium in Salt Lake City, you can now purchase the proceedings. The price is $27 for members and $35 for non-members, and includes domestic and Canadian postage. Please add $11 for overseas postage (air printed matter).

You can place your order by fax, phone, or email when using a VISA or Mastercard, or you can mail a check or company purchase order to:

    USENIX Association              Phone: 510/528-8649
    2560 Ninth Street, Ste. 215     Fax 510/548-5738
    Berkeley, CA 94710              office@usenix.org

Abstracts of the papers below appear in the USENIX Resource Center on the World Wide Web, URL: http://www.usenix.org. If you are a current USENIX member, you will also have access to the full papers.

=================================================================

5TH USENIX UNIX Security Symposium
June 5-7, 1995, Salt Lake City, Utah

TABLE OF CONTENTS

Information Security Technology? Don't Rely on It. A Case Study in Social Engineering
    Ira S. Winkler & Brian Dealy, Science Applications International Corp

A Simple Active Attack Against TCP
    Laurent Joncheray, Merit Network Inc.

WAN-hacking with AutoHack: Auditing Security Behind the Firewall
    Alec Muffet, Sun Microsystems, UK

Kerberos Security with Clocks Adrift
    Don Davis, Systems Experts, Inc.; Daniel E. Geer, OpenVision Technologies

Design and Implementation of Modular Key Management Protocol and IP Secure Tunnel on AIX
    Pau-Chen Cheng, Juan A. Garay, Amir Herzberg and Hugo Krawczyk, IBM, Thomas J. Watson Research Center

Network Randomization Protocol: A Proactive Pseudo-Random Generator
    Chee-Seng Chow and Amir Herzberg, IBM, Thomas J. Watson Research Center

Implementing a Secure rlogin Environment: A Case Study of Using a Secure Network Layer Protocol
    Gene H. Kim, Hilarie Orman and Sean O'Malley, University of Arizona

STEL: Secure TELnet
    David Vincenzetti, Stefano Taino and Fabio Bolognesi, Computer Emergency Response Team Italiano (CERT-IT), University of Milan

Session-Layer Encryption
    Matt Blaze and Steven M. Bellovin, AT&T Bell Laboratories

Wednesday, June 7

File-Based Network Collaboration System
    Toshinari Takahashi, Atsushi Shimbo and Masao Murota, Communications and Information Systems Research Labs, Toshiba R&D Center

Safe Use of X Window System Protocol Across a Firewall
    Brian L. Kahn, The MITRE Corporation

An Architecture for Advanced Packet Filtering and Access Policy
    Andrew Molitor, Network Systems Corporation

A Domain and Type Enforcement UNIX Prototype
    Lee Badger, Daniel F. Sterne, David L. Sherman and Kenneth M. Walker, and Sheila A. Haghighat, Trusted Information Systems, Inc.

Providing Policy Control Over Object Operations in a Mach-Based System
    Spencer E. Minear, Secure Computing Corporation

Joining Security Realms: A Single Login for NetWare and Kerberos
    William A. Adamson, Jim Rees and Peter Honeyman, University of Michigan

Independent One-Time Passwords
    Aviel D. Rubin, Bellcore

One-Time Passwords in Everything (OPIE): Experiences with Building and Using Strong Authentication
    Daniel L. McDonald and Randall J. Atkinson, U.S. Naval Research Laboratory; Craig Metz, Kaman Sciences Corporation

Improving the Trustworthiness of Evidence Derived from Security Trace Files
    Ennio Pozzetti, Politecnico di Milano; Vidar Vetland, Carleton University

Using the Domain Name System for System Break-ins
    Steven M. Bellovin, AT&T Bell Laboratories

DNS and BIND Security Issues
    Paul A. Vixie, Internet Software Consortium

MIME Object Security Services: Issues in a Multi-User Environment
    James M. Galvin and Mark S. Feldman, Trusted Information Systems, Inc

--- end forwarded text

----------------------------------------------------------------------
For info about the Internet Security Firewalls Tutorial and a schedule of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM
----------------------------------------------------------------------
Brent Chapman                         Great Circle Associates
Brent@GreatCircle.COM                 1057 West Dana Street
+1 415 962 0841                       Mountain View, CA 94041

From firewalls-owner Mon Jul 3 15:04:32 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA14780 for firewalls-outgoing; Mon, 3 Jul 1995 14:37:49 -0700
Received: from yoda.unl.edu (yoda.unl.edu [129.93.11.11]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA14774 for ; Mon, 3 Jul 1995 14:37:40 -0700
Received: by yoda.unl.edu (5.x/SMI-SVR4) id AA00357; Mon, 3 Jul 1995 16:38:00 -0500
Date: Mon, 3 Jul 1995 16:38:00 -0500
From: muhlin@yoda.unl.edu (Muhlin Chen)
Message-Id: <9507032138.AA00357@yoda.unl.edu>
To: firewalls@greatcircle.com
Subject: Netscape browser and TIS ftp proxy
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi, I have problems making Netscape Navigator use the TIS ftp proxy. They seem to speak different languages. Is this a well-known problem? Can it be fixed?
--muhlin@yoda.unl.edu

From firewalls-owner Mon Jul 3 15:24:14 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA15191 for firewalls-outgoing; Mon, 3 Jul 1995 15:03:47 -0700
Received: from ns1.unicomp.net (ns1.unicomp.net [199.1.42.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id PAA15186 for ; Mon, 3 Jul 1995 15:03:44 -0700
Received: from icc-fw.integctr.com by ns1.unicomp.net (4.1/SMI-4.1) id AA23648; Mon, 3 Jul 95 17:09:18 CDT
Date: Mon, 3 Jul 1995 17:21:44 -0500 (CDT)
From: Brian Rogers
To: firewalls@greatcircle.com
Subject: NNTP caching proxy
Message-Id:
Organization: The Integrity Center (214)484-6140 (800)456-1811
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is there such a thing as a caching proxy for NNTP? I don't want to dedicate the disk space and bandwidth to a real news feed.

/* Brian Rogers -- tech admin, coffee achiever -- brogers@integctr.com   */
/* The Integrity Center -- "objective risk management information"       */
/* http://www.integctr.com/ -- info@integctr.com                         */
/* (214)484-6140 (800)456-1811 FAX (214)484-6381 FOD (214)484-2147       */

From firewalls-owner Mon Jul 3 16:39:28 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA17004 for firewalls-outgoing; Mon, 3 Jul 1995 16:11:22 -0700
Received: from satsong.interserver.com (ckapilla.interserver.com [204.182.67.73]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA16998 for ; Mon, 3 Jul 1995 16:11:19 -0700
Message-Id: <199507032311.QAA16998@miles.greatcircle.com>
Received: from [0.0.0.0] by satsong.interserver.com id aa000119 at Mon, 3 Jul 95 16:10:04 Pacific Daylight Time--100
X-Sender: ckapilla@interserver.com
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 03 Jul 1995 16:10:04 -0700
To: Firewalls@GreatCircle.COM
From: ckapilla@interserver.com (Chris Kapilla)
Subject: BorderWare
X-Info: InterServe Web Systems, Inc.
X-Mailedby: NT SMTP/LISTSERVER v2.10 (ntmail@net-shopper.co.uk)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A couple of weeks ago someone raised some questions regarding BorderWare's firewall product. A strong rebuttal was given by someone at BorderWare, and I expected there might be some grousing in reply, but nary a word was said.

>From what I have seen of their product it looks really good -- they have taken a very intelligent approach and done an excellent implementation as far as I can tell (but I am a newbie w.r.t. all this).

So my question is does anyone have anything BAD to say about the BorderWare server?

----------------------------------------------------------------
Chris Kapilla                  http://www.interserver.com
ckapilla@interserver.com       phone: 206-836-3661  fax: 206-836-9468

From firewalls-owner Mon Jul 3 21:38:38 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA21545 for firewalls-outgoing; Mon, 3 Jul 1995 21:28:49 -0700
Received: from ccvcom.auckland.ac.nz (ccvcom.auckland.ac.nz [130.216.1.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id VAA21540 for ; Mon, 3 Jul 1995 21:28:43 -0700
Received: from ccu1.auckland.ac.nz by ccvcom.auckland.ac.nz (PMDF V4.3-7 #2864) id <01HSH8VHKKDC8X1XSN@ccvcom.auckland.ac.nz>; Tue, 4 Jul 1995 16:27:41 GMT+1300
Received: (from russells@localhost) by ccu1.auckland.ac.nz (8.6.12/8.6.12) id QAA23256 for Firewalls@GreatCircle.COM; Tue, 4 Jul 1995 16:27:33 +1200
Date: Tue, 04 Jul 1995 16:27:33 +1200 (NZT)
From: Russell Street
Subject: Re: TW on a w-protected floppy
In-reply-to: <199507030800.BAA25524@miles.greatcircle.com> from "firewalls-digest-owner@GreatCircle.COM" at Jul 3, 95 01:00:11 am
To: Firewalls@GreatCircle.COM
Message-id: <199507040427.QAA23256@ccu1.auckland.ac.nz>
MIME-version: 1.0
X-Mailer: ELM [version 2.4 PL23]
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7bit
Content-length: 482
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Getting a little off topic but misinformation should not go
> unchallenged.

Some great information!

> BUT IT HAS TO BE DONE ON THE DRIVE HARDWARE!!!

What worries me is what if someone got into the kernel and replaced the FD driver with something that behaves the same, but (say) fishes the data out of a file and not off the drive. Despite the drive making grinding noises and so on. With dynamically loadable kernel modules it could "easily" be arranged.

Russell (lurker)

From firewalls-owner Tue Jul 4 00:15:13 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA23993 for firewalls-outgoing; Mon, 3 Jul 1995 23:34:35 -0700
Received: from relay2.fggm.osis.gov ([144.51.21.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA01845 for ; Mon, 3 Jul 1995 06:14:51 -0700
From: AJpat@waterview.fggm.osis.gov
Received: by relay2.fggm.osis.gov (4.1/SMI-4.1) id AA07756; Mon, 3 Jul 95 09:08:05 EDT
Received: from waterview.fggm.osis.gov(144.51.23.1) by relay2.fggm.osis.gov via smap (V1.3) id sma007754; Mon Jul 3 09:07:42 1995
Received: from seafoam.fggm.osis.gov by waterview (5.0/SMI-SVR4) id AA23255; Mon, 3 Jul 1995 09:12:24 +0500
Received: by seafoam.fggm.osis.gov (5.0/SMI-SVR4) id AA00399; Mon, 3 Jul 1995 09:12:52 -0400
Date: Mon, 3 Jul 1995 09:12:52 -0400
Message-Id: <9507031312.AA00399@seafoam.fggm.osis.gov>
To: AJpat@waterview.fggm.osis.gov
Subject: Cisco Security Advisory (IP packet filtering)
Cc: firewalls@greatcircle.com
Content-Type: X-sun-attachment
Content-Length: 14346
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

----------
X-Sun-Data-Type: text
X-Sun-Data-Description: text
X-Sun-Data-Name: text
X-Sun-Charset: us-ascii
X-Sun-Content-Lines: 206

----- Begin Included Message -----

>From firewalls-owner@GreatCircle.COM Mon Jun 26 13:46 EDT 1995
Resent-Message-Id: <199506020040.RAA29244@feta.cisco.com>
X-Authentication-Warning:
Date: Thu, 1 Jun 1995 17:06:28 -0700
From: MAILER-DAEMON@cisco.com
Subject: Returned mail: Host unknown (Name server: greatcircle.org: host not found)
To: pst@cisco.com
Resent-To: firewalls@GreatCircle.COM
Resent-Date: Thu, 01 Jun 1995 17:40:04 -0700
Resent-From: Paul Traina
Resent-Date: Mon, 26 Jun 1995 10:23:02 -0600 (MDT)
Resent-From: Chris Cota

Subject: Cisco Security Advisory (IP packet filtering)
Date: Thu, 01 Jun 1995 17:05:54 -0700
From: Paul Traina

-----BEGIN PGP SIGNED MESSAGE-----

Cisco Security Advisory
-----------------------
Thu Jun 1 16:27:08 PDT 1995

The following describes a vulnerability in Cisco's IOS software when the 'established' keyword is used in extended IP access control lists. This bug can, under very specific circumstances and only with certain IP host implementations, allow unauthorized packets to circumvent a filtering router.

This vulnerability is present in the following IOS software versions:

    10.3(1) through 10.3(2)
    10.2(1) through 10.2(5)
    10.0(1) through 10.0(9)

and all previous versions of Cisco software.

If you are running any of these IOS versions on a product that uses IP extended access lists, and you are using the 'established' keyword in these lists, then Cisco strongly recommends that you take immediate action to remove the vulnerability.

You can determine what version of IOS you are running by issuing the following command:

    show version

The recommended action is to upgrade to a more recent version of IOS, or take one of the immediate workaround actions described below.

The vulnerability is fixed in the following official software releases:

    10.0(10) or later
    10.2(6) or later
    10.3(3) or later

(For reference, the Cisco update identifier for this fix is "CSCdi34061".)
Customers may obtain software upgrades without going through Cisco's Technical Assistance Center via Cisco's Customer Information On-Line service; instructions for downloading are available at the end of this message. You may also contact your Cisco distributor or contact Cisco's Technical Assistance Center (TAC) for more information. TAC can be reached by phone at 800-553-2447, by E-Mail to tac@cisco.com or via the World-Wide-Web at http://www.cisco.com. In Europe you can contact TAC by phone at 32-2-778-42-42 or via E-Mail to euro-tac@cisco.com.

- ----------------------------------------------------------------------------

A) Description

A bug in Cisco's extended IP access list implementation can, under very specific circumstances, allow a user to bypass IP packet filtering. This may permit unintended IP traffic to pass through your firewall setup.

To determine if you are vulnerable, look through your configuration. The configuration can be displayed by enabling and then entering the command "write term". If you see an access list line using a list number in the range of 100 through 199 that permits or denies TCP traffic and contains the word 'established' near the end of the line, you may be vulnerable. An example line might look like:

In IOS 10.3:

    access-list 100 permit tcp any any established

In IOS 10.2 or earlier:

    access-list 100 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 established

If you do not meet this test, then you are not vulnerable. You do not need to do anything.

B) Workaround

The following actions will remove the vulnerability:

- Rewrite the access list parameters so the 'established' keyword is not necessary. This does not simply mean that you may remove the 'established' keyword, but rather that you will need to re-design your access lists to provide similar functionality without using the established mechanism.
or

- Disable the interfaces to which the access list is applied using the 'shutdown' interface subcommand:

  example:
    router(config)#interface ethernet 0
    router(config-if)#shutdown

C) Solution

Obtain and install the appropriate release of IOS software as described above. For assistance contact Cisco's TAC.

D) Technical Comments

This problem is caused by an obscure but common design flaw that, we believe, exists in many router/firewall vendors' packet filtering implementations. Owners of non-Cisco hardware who use IP packet filtering features similar to Cisco's "extended access lists" as part of a firewall system may wish to contact their vendor to confirm that this vulnerability does not exist in their system. (Technical discussions about the problem have already occurred in the appropriate forum.)

This vulnerability can only be exploited with certain IP host implementations (we do not have information on which implementations are susceptible). Cisco suggests that all routers configured to filter IP packets based upon the 'established' mechanism be upgraded.

- ----------------------------------------------------------------------------

Software upgrades may be obtained via any of the following mechanisms:

A) World Wide Web (WWW):

For registered CIO users please open a URL to:

    http://cio.cisco.com/kobayashi/Library_root.shtml

and select the version of software to download.

For non-registered users open a URL to:

    http://cio.cisco.com/public/library/spc_req.shtml

When prompted for a code, please enter: certjun2 for a list of available files to download.

B) FTP:

    ftp cio.cisco.com

and at the initial (username) prompt, enter: certjun2
At the password prompt, enter your e-mail address. Then:

    get README.certjun2

This file contains a list of files available that close this vulnerability. Please examine this list to determine which files you need and then download them.
C) Character-based "CIO Classic":

For access, the following connection options are offered:

  o telnet cio.cisco.com
  o Dial-up modem
    + In Europe +33 1 64 46 40 82
    + In the US (408) 526 8070
    + vt100, N81, up to 14.4Kbps

Enter either as a guest or registered user and navigate to the topic:

    Software Updates
      Special Files

At the prompt for a code, please enter: certjun2

A list of files will be displayed for you to select and download.

- ----------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: 2.7
-----END PGP SIGNATURE-----

----- End Included Message -----
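As an added check (example code written for this archive, not from the advisory or from Cisco), the following Python runs the advisory's two tests over 'show version' output and a 'write term' configuration, and also lists the interfaces that apply each affected list, since those are what the 'shutdown' workaround would disable. The sample output and configuration are constructed, and IOS trains newer than 10.3 are assumed to be unaffected.

```python
"""Checks for the advisory's two tests: the running IOS version against the
fixed releases, and 'write term' output for extended TCP access lists
(100-199) that use the 'established' keyword."""
import re

# First fixed maintenance level per release train, from the advisory.
FIXED_RELEASES = {(10, 0): 10, (10, 2): 6, (10, 3): 3}

VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\((\d+)\)")
ACL_RE = re.compile(r"^\s*access-list\s+(\d+)\s+(permit|deny)\s+tcp\b(.*)$", re.I)
GROUP_RE = re.compile(r"^\s*ip access-group\s+(\d+)\s+(in|out)\b", re.I)


def parse_ios_version(show_version_output):
    """Return (major, minor, maintenance) from 'show version' text, or None."""
    m = VERSION_RE.search(show_version_output)
    return tuple(int(x) for x in m.groups()) if m else None


def version_is_vulnerable(version):
    """True when the version predates the fixed release of its train. Trains
    before 10.0 count as vulnerable ('all previous versions'); trains after
    10.3 are outside the advisory and treated as unaffected (an assumption)."""
    major, minor, maint = version
    if (major, minor) in FIXED_RELEASES:
        return maint < FIXED_RELEASES[(major, minor)]
    return (major, minor) < (10, 0)


def find_established_acls(config_text):
    """Return (list_number, line) for each extended access list entry (100-199)
    that permits or denies TCP and carries the 'established' keyword."""
    hits = []
    for line in config_text.splitlines():
        m = ACL_RE.match(line)
        if (m and 100 <= int(m.group(1)) <= 199
                and re.search(r"\bestablished\b", m.group(3), re.I)):
            hits.append((int(m.group(1)), line.strip()))
    return hits


def interfaces_using(config_text, acl_numbers):
    """Map each list number in acl_numbers to the interfaces applying it via
    'ip access-group <n> in|out' (what the 'shutdown' workaround would disable)."""
    uses, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif line.startswith("!"):
            current = None  # '!' ends an IOS configuration block
        else:
            m = GROUP_RE.match(line)
            if m and current and int(m.group(1)) in acl_numbers:
                uses.setdefault(int(m.group(1)), []).append((current, m.group(2)))
    return uses


def assess(show_version_output, config_text):
    """Combine both tests into one report."""
    version = parse_ios_version(show_version_output)
    numbers = sorted({n for n, _ in find_established_acls(config_text)})
    return {
        "version": version,
        "version_vulnerable": version is not None and version_is_vulnerable(version),
        "established_lists": numbers,
        "interfaces": interfaces_using(config_text, set(numbers)),
    }


# Constructed sample output and configuration; not taken from a real router.
SAMPLE_SHOW_VERSION = "IOS (tm) GS Software (GS7-K-M), Version 10.2(5), RELEASE SOFTWARE (fc1)\n"

SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 100 in
!
interface Serial0
 ip access-group 101 in
!
access-list 100 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 established
access-list 100 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
access-list 101 permit tcp any any eq 25
access-list 150 permit tcp any any established
!
"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE_SHOW_VERSION, SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

List 150 in the sample is flagged although no interface applies it, which matches the advisory's test: the presence of the line is enough to warrant the upgrade.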
From firewalls-owner Tue Jul 4 03:04:17 1995
From: axel.skough@scb.se
Date: Tue, 4 Jul 1995 11:57 +0200
To: firewalls@GreatCircle.COM
Cc: pezziardi@sycomore.fr, jonville@sycomore.fr
Subject: RE: Info about PIX

On July 3rd, 1995, Pierre Pezziardi, Sycomore, wrote:

> Does anyone have information about a product from Network
> Translations called PIX ?

I am myself interested in it! However, I do not think that the PIX router itself should be accepted as a regular firewall; one should consider it as a simple way to use local IP addresses within a possibly large internal LAN. To avoid heavy administration, the hosts associated internally should be configured internally by using DHCP automatically; one could very well use reserved IP addresses for that. When external access is required the PIX router supplies a temporary lease of a registered IP address. This is not sufficient to prevent intruders, however; one should use a firewall after the PIX router to prohibit sessions initiated from outside. Public services should be granted outside the firewall, not through the firewall.
There are minor details in this overwhelming scheme to consider in detail, such as e-mail (SMTP), but those can be solved in a secured way by, as far as I can see, proxy servers.

I should appreciate comments on this! TIA!!!

Axel Skough
Statistics Sweden

From firewalls-owner Tue Jul 4 04:34:29 1995
From: hauser.martin@ch.swissbank.com (Martin Hauser)
Date: Tue, 4 Jul 95 13:07:28 +0200
To: firewalls@greatcircle.com
Subject: Internet Security Policy

I am looking for sample Internet Security Policies as well as the experience of people who have designed one. Are there any companies who have made their policy public? I have found policies of many universities but I am interested in how large, multinational companies deal with this subject.
Next I would like to learn:

- what strategies policy writers have used to convince management of the necessity of such a policy ...
- how do persons concerned by this policy cooperate (users, sysadmins, network administrators, ... )
- managing the 'changing requirements' (new services, new security needs, ...). Do you rewrite the policy for every new service? Have you established a process for how to evolve the policy?
- whether a company with a worldwide corporate network should restrict internet access to one physical entry point (security vs. WAN costs)
- whether there are specific juristic aspects to be considered designing a policy for a company which is resident in many countries.

I am well aware that it may be too sensitive to discuss details of your specific policy in public. If you send me email please make a note if you don't like to see your response in a future summary of mine.

BTW: I have studied RFC 1244, NIST 800-10, Cheswick/Bellovin and many other papers on firewalls.

- Martin
---
Hauser.Martin@ch.swissbank.com

From firewalls-owner Tue Jul 4 05:10:20 1995
From: fc@all.net (Dr. Frederick B. Cohen)
Date: Tue, 4 Jul 1995 07:47:03 -0400 (EDT)
To: hauser.martin@ch.swissbank.com (Martin Hauser)
Cc: firewalls@greatcircle.com
Subject: Re: Internet Security Policy

> I am looking for sample Internet Security Policies as well as the experience
> of people who have designed one.

I have helped to design some.

> Are there any companies who have made their policy public? I have found
> policies of many universities but I am interested how large, multinational
> companies deal with this subject.

There is also a near-encyclopedic book of policies gathered (I believe) by Charles Cresson Wood. You might also look in the Computer Security Reference Book (Butterworth, I believe) where policy experts have some interesting things to say.

> Next I would like to learn:
> -what strategies policy writers have used to convince management of the
> necessity of such a policy ...

We normally start with an independent outside study called an "Information Protection Posture Assessment". This sort of study, among other things, determines if policies are adequate and reports the reasons the policies are inadequate in an understandable way to management. See my book (below) for examples of such studies - all of these examples have resulted in top-level management changes in info-sec policy.

> - how do persons concerned by this policy cooperate (users, sysadmins,
> network administrators, ... )

Management of information security is a field in its own right. It would take far too long to discuss it here.

> - managing the 'changing requirements' (new services, new security needs,
> ...).
> Do you rewrite the policy for every new service? Have you established
> a process how to evolve the policy?

Policy should change rarely. Standards and procedures can, however, be changed to meet rapidly changing needs.

> - whether a company with a worldwide corporate network should restrict
> internet access to one physical entry point (security vs. WAN costs)

Most global companies have several gateways. This is important for adequate availability and bandwidth. Typically, there is an EC, US, and Pacific Rim gateway with others as appropriate. There should also be uniform firewall and general info-sec policy, procedures, audit, .... in place to provide adequate protection with these connections in place.

> - whether there are specific juristic aspects to be considered designing a
> policy for a company which is resident in many countries.

Yes - many and specific to each jurisdiction.

> I am well aware that it may be too sensitive to discuss details of your
> specific policy in public. If you send me email please make a note if you
> don't like to see your response in a future summary of mine.

These generalities are not too sensitive, but the answers to your questions are too specific to the organization to be of real value to anyone else.

> BTW: I have studied RFC 1244, NIST 800-10, Cheswick/Bellovin and many other
> papers on firewalls.

--
-> See: Info-Sec Heaven using our New Super Secure World-Wide-Web Server
-> Free: Test your system's security (scans deeper than SATAN or ISS!)
---------------------- both at URL: http://all.net ----------------------
-> Read: "Protection and Security on the Information Superhighway"
   John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95
-------------------------------------------------------------------------
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236

From firewalls-owner Tue Jul 4 05:34:48 1995
From: benjamin@hanover.demon.co.uk
Date: Tue, 04 Jul 95 12:09:32
To: brogers@integctr.com
Cc: firewalls@greatcircle.com
Subject: Re: NNTP caching proxy

> Is there such a thing as a caching proxy for NNTP? I don't want to
> dedicate the disk space and bandwidth to a real news feed.
>

I believe there is a package called INN 8-)

No, seriously... Apart from running a news server, I have not found a solution... 8-(

-Benjamin
--
Benjamin Ellis - Hanover, Farnborough, UK. Home of BenMail and Hanover Consulting
PR person, when asked if customers with support contracts got better treatment:
"Oh no, definitely not, we ship the latest bugs to all of our customers..."
From firewalls-owner Tue Jul 4 06:07:51 1995
From: Didier Contis
Date: Tue, 4 Jul 1995 08:42:47 -0400 (EDT)
To: Muhlin Chen
Cc: firewalls@GreatCircle.COM
Subject: Re: Netscape browser and TIS ftp proxy

On Mon, 3 Jul 1995, Muhlin Chen wrote:

> Hi,
>
> I have problems making Netscape Navigator use the TIS ftp proxy. They
> seem to speak different languages. Is this a well-known problem? Can it be
> fixed?
> --muhlin@yoda.unl.edu

Yes, it can be fixed. The problem is that lots of people try to have Netscape talk with the ftp proxy, whereas Netscape must talk with the http proxy. In other words, in the Proxies section of the Netscape configuration you must specify port 80 for the FTP proxy.
Regards,
Didier CONTIS
-----------------------------------------------------------------------
Georgia Institute of Technology
School of Electrical Engineering, Atlanta, GA 30332-0250
E-MAIL: didier@ee.gatech.edu   PHONE: (404) 894-2679

From firewalls-owner Tue Jul 4 08:42:41 1995
From: russ_davis@il.us.swissbank.com (Russ Davis)
Date: Tue, 4 Jul 95 10:18:03 -0500
To: firewalls@greatcircle.com
Subject: Subscribe

subscribe

From firewalls-owner Tue Jul 4 09:40:40 1995
From: BBeukes@eworld.com
Date: Tue, 4 Jul 1995 09:21:10 -0700
To: firewalls@greatcircle.com
Subject: Internet Security Policy
I am looking for a copy of a final internet user security policy. Do you know where I can get a copy, or can you please send one to me?

Many thanks
Bernard

From firewalls-owner Tue Jul 4 10:04:37 1995
From: js@cctechnol.com (Johnie Stafford)
Date: Tue, 4 Jul 95 11:37 CDT
To: jrg@gbnet.net
Cc: firewalls@GreatCircle.COM
Subject: Re: Where do I store my mail?
Organization: C & C Technologies, Inc., Lafayette, LA

> ndd -set /dev/ip ip_forward_directed_broadcasts 0
> ndd -set /dev/ip ip_forward_src_routed 0

What do these do and where can I find a description of all the settable parameters?
Johnie

From firewalls-owner Tue Jul 4 10:13:15 1995
From: js@cctechnol.com (Johnie Stafford)
Date: Tue, 4 Jul 95 11:33 CDT
To: firewalls@greatcircle.com
Subject: FAQ
Organization: C & C Technologies, Inc., Lafayette, LA

I ftp'd to ftp.greatcircle.com and cd'd to /pub/irewalls to get the FAQ. This is what I got from ftp:

    ftp> get FAQ
    200 PORT command successful.
    150 Opening BINARY mode data connection for FAQ (30263 bytes).
    ==>> FAQ: Is a directory
    426 Transfer aborted. Data connection closed.
    226 Abort successful
    ftp> cd FAQ
    ==>> 550 FAQ: Not a directory.
    ftp>

What gives?

Johnie

From firewalls-owner Tue Jul 4 10:32:55 1995
From: js@cctechnol.com (Johnie Stafford)
Date: Tue, 4 Jul 95 11:36 CDT
To: uupsi2!gbnet.net!jrg
Cc: danny@gmap.leeds.ac.uk, firewalls@GreatCircle.COM, danny@gmap15.leeds.ac.uk
Subject: Re: Where do I store my mail?
Organization: C & C Technologies, Inc., Lafayette, LA

> ndd -set /dev/ip ip_forward_directed_broadcasts 0
> ndd -set /dev/ip ip_forward_src_routed 0

What do these do and where can I find a description of all the settable parameters?

Johnie

From firewalls-owner Tue Jul 4 11:34:32 1995
From: hhantman@eo.ray.com (Howard Hantman)
Date: Tue, 4 Jul 1995 14:14:31 -0400
To: js@cctechnol.com
Cc: firewalls@GreatCircle.COM
Subject: Re: FAQ

> I ftp'd to ftp.greatcircle.com and cd'd to /pub/irewalls to get the
> FAQ. This is what I got from ftp:
>
> ftp> get FAQ
> 200 PORT command successful.
> 150 Opening BINARY mode data connection for FAQ (30263 bytes).
> ==>> FAQ: Is a directory
> 426 Transfer aborted. Data connection closed.
> 226 Abort successful
> ftp> cd FAQ
> ==>> 550 FAQ: Not a directory.
> ftp>
>
> What gives?
>
> Johnie
>

I would venture to guess that FAQ is a directory on YOUR machine! FTP was therefore unable to create a file by that name.
Howard Hantman; Raytheon Company
hhantman@eo.ray.com

From firewalls-owner Tue Jul 4 11:58:13 1995
From: Howard Berkowitz
Date: Tue, 4 Jul 1995 14:28:47 -0400 (EDT)
To: firewalls@greatcircle.com
Cc: hcb@clark.net (Howard Berkowitz)
Subject: Whadayoucallit?

In writing a tutorial on the role of routers in firewalls (planned for publication in the August issue of CiscoWorld), I realized that I can't think of a term for something many installations have. The firewalls list seemed the logical place to see if I've forgotten the term, or to invent an appropriate one.

Consider a firewall system with an internal screening router, bastion host, and external screening router. Public hosts typically go onto a DMZ, which is between the external router and the bastion host.

What I don't have a name for is a network between the bastion host and the internal router, which might be the home of authenticated terminal servers and other protected resources. Initially, I called it an "internal security backbone," but that sounds too much like something run by the Gestapo. :-)

Thoughts?
Howard From firewalls-owner Tue Jul 4 13:42:53 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA12429 for firewalls-outgoing; Tue, 4 Jul 1995 13:18:32 -0700 Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA12422 for ; Tue, 4 Jul 1995 13:18:25 -0700 Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA12004; Tue, 4 Jul 95 16:17:26 -0500 From: paul@hawksbill.sprintmrn.com (Paul Ferguson) Message-Id: <9507042117.AA12004@hawksbill.sprintmrn.com> Subject: Re: Whadayoucallit? To: hcb@clark.net (Howard Berkowitz) Date: Tue, 4 Jul 1995 16:17:26 -0500 (EST) Cc: firewalls@greatcircle.com, hcb@clark.net In-Reply-To: <199507041828.OAA06741@clark.net> from "Howard Berkowitz" at Jul 4, 95 02:28:47 pm X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 1273 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > In writing a tutorial on the role of routers in firewalls (planned for > publication in the August issue of CiscoWorld), I realized that I can't > think of a term for something many installations have. The firewalls > list seemed the logical place to see if I've forgotten the term, or to > invent an appropriate one. > > Consider a firewall system with an internal screening router, bastion > host, and external screening router. Public hosts typically go onto > a DMZ, which is between the external router and the bastion host. > > What I don't have a name for is a network between the bastion host > and the internal router, which might be the home of authenticated > terminal servers and other protected resources. Initially, I called > it an "internal security backbone," but that sounds too much like > something run by the Gestapo. :-) > > Thoughts? > > Howard > I call it a 'perimeter' network. 
- paul _______________________________________________________________________________ Paul Ferguson US Sprint tel: 703.689.6828 Managed Network Engineering internet: paul@hawk.sprintmrn.com Reston, Virginia USA http://www.sprintmrn.com From firewalls-owner Tue Jul 4 23:04:33 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA23055 for firewalls-outgoing; Tue, 4 Jul 1995 22:48:59 -0700 Received: from jedi.perth.wgc.com.au (jedi.perth.wgc.com.au [203.8.204.250]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id WAA23050 for ; Tue, 4 Jul 1995 22:48:20 -0700 Received: (from root@localhost) by jedi.perth.wgc.com.au (8.6.9/) id NAA29046 Received: from quol.perth.wgc.com.au(203.8.204.17) by jedi via smap (V1.3) id sma029041; Wed Jul 5 13:50:07 1995 Received: from cael.perth.wgc.com.au (cael.perth.wgc.com.au [203.8.204.3]) by quol.perth.wgc.com.au (8.6.10/8.6.10) with ESMTP id NAA20337 for ; Wed, 5 Jul 1995 13:46:39 +0800 From: Peter Musca Received: (peter@localhost) by cael.perth.wgc.com.au (8.6.10/8.6.10) id NAA20692 for firewalls@GreatCircle.COM; Wed, 5 Jul 1995 13:46:41 +0800 Message-Id: <199507050546.NAA20692@cael.perth.wgc.com.au> Subject: CERN-httpd as a http proxy. To: firewalls@GreatCircle.COM Date: Wed, 5 Jul 1995 13:46:40 +0800 (WST) X-Mailer: ELM [version 2.4 PL11] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 683 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi all, I am about to replace the http- proxy from the fwtk with the cern-httpd proxy. I want to run it in a chrooted environment and would appreciate any tips, advice etc from anyone who has done this. I am not sure whether I will be building a full blown WWW server as yet, but that may come in the future.. thanking you.. 
...peter -- ---------------------------------------------------------------------- Peter Musca System/Network Administrator Email: peter@perth.wgc.com.au World Geoscience Corp Phone: +61-9-383-7833 Western Australia fax: +61-9-383-7166 ---------------------------------------------------------------------- From firewalls-owner Wed Jul 5 01:04:28 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA24513 for firewalls-outgoing; Wed, 5 Jul 1995 00:47:57 -0700 Received: from btmplq.god.bel.alcatel.be (gatekeeper.alcatel.be [138.203.244.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id AAA24505 for ; Wed, 5 Jul 1995 00:47:45 -0700 Received: from localhost (uucp@localhost) by btmplq.god.bel.alcatel.be (8.6.5/8.6.5) id JAA02093 for ; Wed, 5 Jul 1995 09:46:16 +0200 Received: from btmpjg.god.bel.alcatel.be(138.203.144.75) by btmplq via smap (V1.3) id sma001984; Wed Jul 5 09:46:01 1995 Received: from localhost (arntzo@localhost) by btmpjg (8.6.5/8.6.5) id JAA21990; Wed, 5 Jul 1995 09:43:44 +0200 From: ARNTZ Olivier Message-Id: <199507050743.JAA21990@btmpjg> Subject: Re: CERN-httpd as a http proxy. To: peter@perth.wgc.com.au (Peter Musca) Date: Wed, 5 Jul 1995 09:43:43 +0200 (MET DST) Cc: firewalls@GreatCircle.COM In-Reply-To: <199507050546.NAA20692@cael.perth.wgc.com.au> from "Peter Musca" at Jul 5, 95 01:46:40 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 8bit Content-Length: 1462 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk According to Peter Musca: > I am about to replace the http- proxy from the fwtk with the cern-httpd > proxy. I want to run it in a chrooted environment and would appreciate any > tips, advice etc from anyone who has done this. I am not sure whether I > will be building a full blown WWW server as yet, but that may come in the > future.. 
Although I think this is not a topic for this discussion group, following might be interesting to know ... We used cern-httpd-proxy for 4 months without any problem ... until now. Suddenly the proxy has problems in resolving adresses he doesn't have to forward to our firewall (i.e. no_proxy for internal WWW). I don't have any clue what suddenly went wrong. All TCP/IP related stuff on our server seems to be unchanged. All other services (telnet, ftp, ...) on this server still work properly and don't have any problems in resolving whatever adress. I spent already too much time on this one ... So, I am going to stop using cern-httpd and start migrating to a commercial product (not only because I didn't get any responses from w3.org regarding this problem :-( Olivier ========================================================================== Arntz Olivier Internet : arntzo@god.bel.alcatel.be UNIX and Internet Support Voice : +32 3 2409544 Alcatel Bell Belgium Fax : +32 3 2409952 ========================================================================== From firewalls-owner Wed Jul 5 01:35:22 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA25230 for firewalls-outgoing; Wed, 5 Jul 1995 01:15:16 -0700 Received: from rpdata.rpdata.com.au (rpdata.client.uq.edu.au [130.102.169.12]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id BAA25093; Wed, 5 Jul 1995 01:15:06 -0700 From: mma@rpdata.com.au Received: from rpdata.com.au by rpdata.rpdata.com.au; Wed, 5 Jul 95 18:14 EST Received: by sydney.rpdata.com.au (5.65/1.2-eef) id AA26683; Wed, 5 Jul 95 18:13:31 -1000 Date: Wed, 5 Jul 1995 18:13:31 -1000 (AEST) >From: rpdata.com.au!mma (Mark Moraza) To: firewalls-owner@GreatCircle.COM, GreatCircle.COM!firewalls-owner@rpdata.com.au, msn.com!Ed_Woodrick@rpdata.com.au (Ed Woodrick) Cc: Firewalls@GreatCircle.COM, dmartine@campus.mty.itesm.mx ("David A. Martinez G.") Subject: RE: Why? 
In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Length: 127 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk sorry guys i'll try to get my dad to look for the green light on the keyboard mma@rpdata.com.au mark speaking have a good day From firewalls-owner Wed Jul 5 04:04:22 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA28722 for firewalls-outgoing; Wed, 5 Jul 1995 03:57:16 -0700 Received: from iconz.co.nz (iconz.co.nz [202.14.100.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id DAA28717 for ; Wed, 5 Jul 1995 03:57:09 -0700 Received: from ME ([202.36.39.235]) by iconz.co.nz (8.6.12/8.6.10) with SMTP id WAA08646 for ; Wed, 5 Jul 1995 22:56:25 +1200 Date: Wed, 5 Jul 1995 22:56:25 +1200 Message-Id: <199507051056.WAA08646@iconz.co.nz> X-Sender: matt@iconz.co.nz X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: mthomps1@perform.co.nz (Matthew Thompson) Subject: Novell Groupwise SMTP gateway Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi All, Has anyone examined the Novell Groupwise DOS SMTP gateway for security problems? I'm looking to use a Groupwise SMTP gateway behind a dual homed bastion host running TIS's SMAPD. Picture looks something like this. Packet Fiter <-> Dual homed Bastion <-> dual homed Wpo smtpdn <-> Internal net Paranoia makes me wonder if this config is secure if the bastion is toppled. I see some possabilities: either: SMTP gateway has been built with security in mind and acts as a secure application proxy. or: SMTP gateway has lots of "helpful" extra features which allow access to local c: drive, remote netware file servers or any of the above, ie. allow one subvert the WPO gateway and run PcRoute on it, or otherwise attack internal hosts. Any information most appreciated... 
--------------------------------------------------------------------- Performance Systems Ltd. Onboard Computers for Yacht Racing The computers aboard Black Magic and Tag Heuer --------------------------------------------------------------------- From firewalls-owner Wed Jul 5 05:34:32 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA29857 for firewalls-outgoing; Wed, 5 Jul 1995 05:21:03 -0700 Received: from gatekeeper.ddp.state.me.us (gatekeeper.ddp.state.me.us [141.114.130.70]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA29852 for ; Wed, 5 Jul 1995 05:21:00 -0700 Received: from localhost by gatekeeper.ddp.state.me.us (8.6.5/1.37) id IAA13479; Wed, 5 Jul 1995 08:12:35 -0400 Date: Wed, 5 Jul 1995 08:12:34 -0400 (EDT) From: David Miller Subject: Re: NNTP caching proxy To: benjamin@hanover.demon.co.uk cc: brogers@integctr.com, firewalls@greatcircle.com In-Reply-To: <2.51.884481B2B.BenMail@hanover.demon.co.uk> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 4 Jul 1995 benjamin@hanover.demon.co.uk wrote: > > Is there such a thing as a caching proxy for NNTP? I don't want to > > dedicate the disk space and bandwidth to a real news feed. > > I believe there is a package called INN 8-) > > No, seriously... Appart from running a news server, I have not found a > solution... 8-( Something doesn't seem quite right here. If brogers doesn't want to have a dedicated news feed but still wants access to news, he must be looking for an NNRP proxy, not an NNTP proxy right? If that's the case, something like netscape will work just fine using the standard httpd proxy. If you want to use "tin" across a firewall though, you'll have to hack something in. I don't know of any NNRP proxies either. 
--- David ---------------------------------------------------------------------------- It's *amazing* what one can accomplish when one doesn't know what one can't do! From firewalls-owner Wed Jul 5 06:04:38 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA00684 for firewalls-outgoing; Wed, 5 Jul 1995 06:00:53 -0700 Received: from remus.ultranet.com (remus.ultranet.com [199.232.56.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA00678 for ; Wed, 5 Jul 1995 06:00:50 -0700 Received: from romulus.ultranet.com (romulus.ultranet.com [199.232.56.2]) by remus.ultranet.com (8.6.12/jzp1.9e) with ESMTP id IAA29065; Wed, 5 Jul 1995 08:59:50 -0400 From: Joe Provo Received: (jprovo@localhost) by romulus.ultranet.com (8.6.12/jzp0.1) id IAA11896; Wed, 5 Jul 1995 08:59:44 -0400 Date: Wed, 5 Jul 1995 08:59:44 -0400 Message-Id: <199507051259.IAA11896@romulus.ultranet.com> To: arntzo@god.bel.alcatel.be, peter@perth.wgc.com.au Subject: Re: CERN-httpd as a http proxy. Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk [Ranging away from firewalls and onto c.i.w.s.unix, but...] Arntz Olivier wrote: >According to Peter Musca: [random query about running CERN-httpd in proxy mode] > [clip] >We used cern-httpd-proxy for 4 months without any problem ... until now. >Suddenly the proxy has problems in resolving adresses he doesn't have to >forward to our firewall (i.e. no_proxy for internal WWW). [clip] >So, I am going to stop using cern-httpd and start migrating to a commercial >product (not only because I didn't get any responses from w3.org regarding >this problem :-( We have been using the CERN server as a caching-proxy since late-august last year, and have not seen any problems. Are the othe, non-problematic services testing fine in their role as proxies as well as in "native" operation? What OS are you running under? Joe Provo Network and Systems Administration Team, UltraNet Communications Inc. 
508.229.8400(voice) jprovo@ultra.net 508.229.8111(data) A Network Service Provider in Central Mass mailto:info@ultra.net From firewalls-owner Wed Jul 5 06:39:42 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA01653 for firewalls-outgoing; Wed, 5 Jul 1995 06:32:13 -0700 Received: from sun6.barr.com (gate.barr.com [199.199.125.133]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA01648 for ; Wed, 5 Jul 1995 06:32:08 -0700 Received: from wpo.barr.com by sun6.barr.com (4.1/SMI-4.1) id AA01701; Wed, 5 Jul 95 08:33:09 CDT Received: from Barr_Domain_1-Message_Server by wpo.barr.com with Novell_GroupWise; Wed, 05 Jul 1995 08:32:10 -0600 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Wed, 05 Jul 1995 08:31:52 -0600 From: "Steve P. Devore" To: firewalls@greatcircle.com, mthomps1@perform.co.nz Subject: Novell Groupwise SMTP gateway -Reply Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The Groupwise smtp gateway is pretty dumb. I tried banging on it and it didn't do anything stupid. All it does is capture the incoming mail, and save the message pretty much verbatim for another process to parse and deliver the mail. It is also a very small TSR. I wouldn't worry about it. No helpful processes (not even EXPN). >>> Matthew Thompson 7/5/95, 04:56am >>> Hi All, Has anyone examined the Novell Groupwise DOS SMTP gateway for security problems? I'm looking to use a Groupwise SMTP gateway behind a dual homed bastion host running TIS's SMAPD. Picture looks something like this. Packet Fiter <-> Dual homed Bastion <-> dual homed Wpo smtpdn <-> Internal net Paranoia makes me wonder if this config is secure if the bastion is toppled. I see some possabilities: either: SMTP gateway has been built with security in mind and acts as a secure application proxy. or: SMTP gateway has lots of "helpful" extra features which allow access to local c: drive, remote netware file servers or any of the above, ie. 
allow one subvert the WPO gateway and run PcRoute on it, or otherwise attack internal hosts. Any information most appreciated... --------------------------------------------------------------------- Performance Systems Ltd. Onboard Computers for Yacht Racing The computers aboard Black Magic and Tag Heuer --------------------------------------------------------------------- From firewalls-owner Wed Jul 5 07:30:15 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA01912 for firewalls-outgoing; Wed, 5 Jul 1995 06:41:56 -0700 Received: from booz.bah.com (booz.bah.com [156.80.3.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA01907 for ; Wed, 5 Jul 1995 06:41:53 -0700 Received: from smtpj.bah.com (smtpj.bah.com [156.80.9.161]) by booz.bah.com (8.6.10/8.6.9) with SMTP id JAA18097 for ; Wed, 5 Jul 1995 09:39:14 -0400 Received: by smtpj.bah.com with Microsoft Mail id <2FFABFB4@smtpj.bah.com>; Wed, 05 Jul 95 09:37:08 PDT From: Orr Dan To: firewall Subject: Listing of Firewall Manufacturers Date: Wed, 05 Jul 95 09:40:00 PDT Message-ID: <2FFABFB4@smtpj.bah.com> Encoding: 9 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anyone out there have a listing of firewall manufacturers? Can anyone give me an idea of the high and low end costs? Any ideas about how to use firewalls in funds transfers? Thanks for the help. D. 
Orr From firewalls-owner Wed Jul 5 08:34:27 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA04706 for firewalls-outgoing; Wed, 5 Jul 1995 08:10:58 -0700 Received: from vtserf.cc.vt.edu (vtserf.CC.VT.EDU [128.173.4.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA04701 for ; Wed, 5 Jul 1995 08:10:55 -0700 From: marchany@vtserf.cc.vt.edu Received: by vtserf.cc.vt.edu (5.65/DEC-Ultrix/4.3) id AA14575; Wed, 5 Jul 1995 11:10:12 -0400 Message-Id: <9507051510.AA14575@vtserf.cc.vt.edu> To: BBeukes@eworld.com Cc: firewalls@greatcircle.com, marchany@vtserf.cc.vt.edu Subject: Re: Internet Security Policy In-Reply-To: Your message of "Tue, 04 Jul 95 09:21:10 PDT." <950704092107_11790464@eWorld.com> Date: Wed, 05 Jul 95 11:10:06 -0400 X-Mts: smtp Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The VA Tech Acceptable Use Statement is available from the following URL: http://www.vt.edu/policies.html This statement is in our student, faculty and staff handbooks. It is also the Acceptable Use Statement for the Blacksburg Electronic Village. Hope this helps. -Randy Marchany VA Tech Computing Center Blacksburg, VA 24060 INTERNET: randy.marchany@vt.edu From firewalls-owner Wed Jul 5 09:00:54 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA04674 for firewalls-outgoing; Wed, 5 Jul 1995 08:07:23 -0700 Received: from mr900i.bso.com ([204.180.9.17]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA04669 for ; Wed, 5 Jul 1995 08:07:18 -0700 Received: (from marc@localhost) by mr900i.bso.com (8.6.11/8.6.9) id KAA00460; Wed, 5 Jul 1995 10:59:02 -0400 Date: Wed, 5 Jul 1995 10:59:02 -0400 (EDT) From: Marc Sherman To: Adam Jack cc: firewalls@GreatCircle.COM Subject: Re: How does one provide http://X.com/~FRED w/o giving FRED an account on the firewall? 
In-Reply-To: <9507020253.AA18309@becks> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sat, 1 Jul 1995, Adam Jack wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > People > > I'm sorry if this isn't firewall-ish enough. I tried giving you all > a let out at subject level. > > OK - so the question is exactly as in the subject. If we wish to allow > users who have account within the firewall to have their own personal > home pages - then we should follow the convention of http://X.com/~FRED. > However - ee do not want to allow users accounts on the firewall. > > The problem is that we don't wish to hack into the httpd unless required. > Is there a configuration option like CERN's "UserDir" that might help > - or a form of MAP that does the job? > > What are peoples mechanisms for allowing users to maintain home pages w/o > given the ftp access to the firewall or accounts. > > Thanks : > > Adam > > -----BEGIN PGP SIGNATURE----- > Version: 2.6.1 > > iQB1AwUBL/YKHX/n1RaxZTflAQE7+AL/fKu2JKGxt9eMX2VXgbJkf2JMc3Y3UcTQ > tg2zm40zONGFC2WUAHEtv6pVsY5bcNFgnqCbj8qnx5R7/b/Vah1VyB8fu7paaAUN > WgqBXni8Z9DXRChz1MIENpCTdUI6lz2E > =aaMY > -----END PGP SIGNATURE----- > Hi, Although I haven't tried it I think it might work. Try using Pass or Redirect in your httpd.conf file. (config file for cern_3.0). 
For example,

    Pass /~FRED /freds_home_page

would possibly redirect http://X.com/~FRED to http://X.com/freds_home_page

or maybe,

    Redirect /~FRED http://another_machine.X.com/~FRED

Good luck on this (even though I haven't actually tried it myself)

Oh yeah, look at http://www.W3.org/hypertext/WWW/Daemon/User/Config/Rules.html for more info on Pass and Redirect (again, this is for cern_3.0)

(I don't know if this will help with your ftp restrictions)

..Marc Sherman (BSO Associates)

From firewalls-owner Wed Jul 5 09:36:24 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA05044 for firewalls-outgoing; Wed, 5 Jul 1995 08:40:45 -0700
Received: from kgbvax.network.com (kgbvax.network.com [129.191.202.58]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA05039 for ; Wed, 5 Jul 1995 08:40:40 -0700
Received: (from ted@localhost) by kgbvax.network.com (8.6.9/8.6.9) id LAA10932; Wed, 5 Jul 1995 11:38:54 -0400
Date: Wed, 5 Jul 1995 11:38:54 -0400
From: Ted Doty
Message-Id: <199507051538.LAA10932@kgbvax.network.com>
To: mjr@iwi.com, firewalls@greatcircle.com
Subject: Re: controlling FTP transfers
In-Reply-To: Mail from 'Marcus J Ranum ' dated: Fri, 30 Jun 1995 22:23:00 -2800 (EDT)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 30 Jun 1995 22:23:00, Marcus J Ranum wrote:

    The only caveat I'd make is that "statefulness" in filtering may be
    more than just TCP state. It may also depend on other factors like
    whether the user has authenticated, [...]

One thing I've been thinking about lately is how a hacker might combine a sniffer attack with a hijacked terminal attack (CERT advisory 95-01). Instead of recording the username/password (not useful if one-time passwords are used), s/he would record the TCP Seq and Ack numbers, wait for the user to authenticate via token card or S/key, and THEN steal the session, using the recorded TCP numbers.
It looks like this might allow a hacker into your net as an authenticated user, unless I'm being paranoid (if I am being paranoid, I refuse to apologize; they PAY me to be paranoid).

Should we all be doing cryptographic authentication on a per-packet basis? This way, I have to break an MD5 key.

--
- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation   | phone: +1 301 596-2270
8965 Guilford Road, Suite 250           | fax: +1 410 381-3320
Columbia, MD, 21046 USA                 | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental.

From firewalls-owner Wed Jul 5 10:04:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA08031 for firewalls-outgoing; Wed, 5 Jul 1995 09:55:21 -0700
Received: from ns.gbnet.net (ns.gbnet.net [194.70.126.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA08020 for ; Wed, 5 Jul 1995 09:55:17 -0700
Received: (from jrg@localhost) by ns.gbnet.net (8.6.12/8.6.12) id RAA17678; Wed, 5 Jul 1995 17:54:13 +0100
Date: Wed, 5 Jul 1995 17:54:13 +0100
From: James R Grinter
Message-Id: <199507051654.RAA17678@ns.gbnet.net>
X-Subliminal: H is for Hypertext
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
To: js@cctechnol.com
Subject: Re: Where do I store my mail?
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue 4 Jul, 1995, js@cctechnol.com (Johnie Stafford) wrote:
> What do these do and where can I find a description of all the
> settable parameters?

well, unlike the official line from Sun, I happen to have a copy of 'TCP/IP Illustrated Volume 1' by W.Richard Stevens. They're listed in the appendix.

The ip_forward_directed_broadcasts value will stop it forwarding a directed broadcast, if it receives it from another interface.
That will stop the 'bad guys' tricking your machine with a broadcast packet.

ip_forward_src_routed will stop it forwarding a source routed packet, which is independent from normal forwarding (as indeed so it is in BSD derived kernels that haven't been 'fixed').

James.

From firewalls-owner Wed Jul 5 10:09:17 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA05192 for firewalls-outgoing; Wed, 5 Jul 1995 08:48:38 -0700
Received: from iattc.ucsd.edu (iattc.ucsd.edu [132.239.94.70]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA05187 for ; Wed, 5 Jul 1995 08:48:35 -0700
Received: by server1.iattc.ucsd.edu id <11521>; Wed, 5 Jul 1995 08:48:35 -0700
X-Sender: mlopez@server1.iattc.ucsd.edu
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.COM
From: mlopez@iattc.ucsd.edu (Milton F. Lopez)
Subject: BorderWare user feedback
Message-Id: <95Jul5.084835pdt.11521@server1.iattc.ucsd.edu>
Date: Wed, 5 Jul 1995 08:48:33 -0700
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I, too, have been puzzled at times at the lack of user response on this list about the BorderWare (was "Janus") product. I believe my response to a recent unsupported and unspecific mention of "bad" things about BorderWare was the sole "grousing in reply" (other than Border's own) that was posted.

Having prodded and lurked in this list for some time prior to our purchase of the product, it occurs to me now that, perhaps, the targeted BorderWare customer is not very likely to subscribe to this list at all. I must admit to being here partly to "play with the professionals" while remaining at arm's length (at least!) from Unix and its Berkeley '60's idiosyncrasies (there, I've said it!).

I was initially impressed by BorderWare "on paper", and to some degree by the lack of "bad" things said about it. So far it has met our expectations.
It lacks some basic system management tools, not directly related to security, but it seems solid. Cheers. Milton F. Lopez mlopez@ucsd.edu Voice: (619) 546-7041 Fax: (619) 546-7133 From firewalls-owner Wed Jul 5 10:43:10 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA08387 for firewalls-outgoing; Wed, 5 Jul 1995 10:12:20 -0700 Received: from ns1.unicomp.net (ns1.unicomp.net [199.1.42.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA08382 for ; Wed, 5 Jul 1995 10:12:16 -0700 Received: from icc-fw.integctr.com by ns1.unicomp.net (4.1/SMI-4.1) id AA09896; Wed, 5 Jul 95 12:18:05 CDT Date: Wed, 5 Jul 1995 12:32:38 -0500 (CDT) From: Brian Rogers To: David Miller Cc: firewalls@greatcircle.com Subject: Re: NNTP caching proxy In-Reply-To: Message-Id: Organization: The Integrity Center (214)484-6140 (800)456-1811 Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I originally wrote: > Is there such a thing as a caching proxy for NNTP? I don't want to > dedicate the disk space and bandwidth to a real news feed. On Wed, 5 Jul 1995, David Miller wrote: > Something doesn't seem quite right here. If brogers doesn't want to have > a dedicated news feed but still wants access to news, he must be looking > for an NNRP proxy, not an NNTP proxy right? If that's the case, > something like netscape will work just fine using the standard httpd > proxy. If you want to use "tin" across a firewall though, you'll have to > hack something in. I don't know of any NNRP proxies either. I have no idea what the difference is between NNTP and NNRP. I've never heard of NNRP. Okay.... What I have in mind is an idea I got from the WWW. There are http servers, http proxies, and caching http proxies. A caching http proxy will keep the most commonly or most recently requested documents on disk. 
Rather than run the (I think) circuit-level proxy called plug-gw (from TIS) to read news, I want to run an application-level proxy that will keep the more frequently or recently read articles on disk. /* Brian Rogers -- tech admin, coffee achiever -- brogers@integctr.com */ /* The Integrity Center -- "objective risk management information" */ /* http://www.integctr.com/ -- info@integctr.com */ /* (214)484-6140 (800)456-1811 FAX (214)484-6381 FOD (214)484-2147 */ From firewalls-owner Wed Jul 5 11:11:30 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA09939 for firewalls-outgoing; Wed, 5 Jul 1995 10:57:34 -0700 Received: from boxhill.com (boxhill.com [155.254.1.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA09924 for ; Wed, 5 Jul 1995 10:57:29 -0700 Received: from e.boxhill.com (e.boxhill.com [155.254.1.172]) by boxhill.com (8.6.9/8.6.9) with SMTP id NAA04828 for ; Wed, 5 Jul 1995 13:55:21 -0400 Received: by e.boxhill.com (4.1/SMI-4.1) id AA26105; Wed, 5 Jul 95 13:58:07 EDT Date: Wed, 5 Jul 95 13:58:07 EDT From: Chris Maio Reply-To: Chris Maio To: firewalls@greatcircle.com Subject: One Router or Two? Message-Id: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm setting up a firewall and I need to determine whether the cheaper of two possible configurations is adequate. A bastion host will provide ftp, www, mail and dns servers, and an ftp proxy. Selected TCP access will be permitted between local hosts and the Internet only when they originate inside the local net. Assuming that I'm using cisco routers, which support both incoming and outgoing packet filters on each interface, does the dual router configuration below buy me anything in terms of filtering flexibility over the cheaper single-router configuration? What other advantages of the dual-router configuration would justify its higher cost? 
Single-router, with three interfaces:

           +----------+    +----------+
internet---| router a |----| localnet |
           +----------+    +----------+
                 |
           +----------+
           | bastion  |
           +----------+

Dual router, with the routers and the bastion on a shared subnet:

           +----------+        +----------+    +----------+
internet---| router a |--+-----| router b |----| localnet |
           +----------+  |     +----------+    +----------+
                         |
                    +----------+
                    | bastion  |
                    +----------+

Any advice would be appreciated--please e-mail me directly and I'll summarize. Thanks.

Chris

From firewalls-owner Wed Jul 5 11:54:02 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA10242 for firewalls-outgoing; Wed, 5 Jul 1995 11:08:18 -0700
Received: from gatekeeper.ddp.state.me.us (gatekeeper.ddp.state.me.us [141.114.130.70]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA10225 for ; Wed, 5 Jul 1995 11:08:13 -0700
Received: from localhost by gatekeeper.ddp.state.me.us (8.6.5/1.37) id OAA06703; Wed, 5 Jul 1995 14:02:09 -0400
Date: Wed, 5 Jul 1995 14:02:08 -0400 (EDT)
From: David Miller
Subject: Re: NNTP caching proxy
To: Brian Rogers
cc: firewalls@greatcircle.com
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 5 Jul 1995, Brian Rogers wrote:

> I originally wrote:
>
> > Is there such a thing as a caching proxy for NNTP? I don't want to
> > dedicate the disk space and bandwidth to a real news feed.
>
> On Wed, 5 Jul 1995, David Miller wrote:
>
> > Something doesn't seem quite right here. If brogers doesn't want to have
> > a dedicated news feed but still wants access to news, he must be looking
> > for an NNRP proxy, not an NNTP proxy right? If that's the case,
> > something like netscape will work just fine using the standard httpd
> > proxy. If you want to use "tin" across a firewall though, you'll have to
> > hack something in. I don't know of any NNRP proxies either.
>
> I have no idea what the difference is between NNTP and NNRP. I've never

NNTP = Network News Transfer Protocol. It's how machines move news from system to system.
NNRP = Network News Reader Protocol. It's how clients ask news servers for articles and things.

> heard of NNRP. Okay.... What I have in mind is an idea I got from the
> WWW. There are http servers, http proxies, and caching http proxies. A
> caching http proxy will keep the most commonly or most recently requested
> documents on disk. Rather than run the (I think) circuit-level proxy
> called plug-gw (from TIS) to read news, I want to run an application-level
> proxy that will keep the more frequently or recently read articles on
> disk.

Best of luck. The full newsfeed is around 100,000 articles per day. At this site at least the entropy is nearly complete (Very few articles read by many people). You'll still have to find a news server to connect to.

It looks like you're trying to find a caching NNRP proxy, but I don't think it exists:)

---
David
----------------------------------------------------------------------------
It's *amazing* what one can accomplish when one doesn't know what one can't do!
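Ted Doty's question earlier in this digest (a session stolen after the one-time password has been accepted, using recorded TCP Seq/Ack numbers, and whether per-packet cryptographic authentication is the answer) is easier to reason about with a concrete sketch. The following is an added example, not code from the thread or from any product mentioned in it: each packet carries an HMAC over its header and payload under a per-session key, and the receiver also insists on a strictly increasing sequence number, so a packet with the right TCP numbers but no key is dropped, and so is a replay of a genuine packet. The key, header layout and packet contents are constructed for the demo; HMAC-SHA256 is used where Ted mentions MD5.

```python
import hashlib
import hmac
import struct

# Constructed demo key; in practice it would be derived per session from the
# token-card / S/Key exchange Ted describes, so the sniffer never sees it.
SESSION_KEY = b"constructed-demo-session-key"
HDR = struct.Struct("!II")   # hypothetical minimal header: seq, ack
TAG_LEN = 16                 # truncated HMAC tag appended to each packet


def tag_for(key, header, payload):
    """HMAC-SHA256 over header || payload, truncated to TAG_LEN bytes."""
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]


def make_packet(key, seq, ack, payload):
    """Sender side: header || payload || tag."""
    header = HDR.pack(seq, ack)
    return header + payload + tag_for(key, header, payload)


class Receiver:
    """Receiver side: drop packets with a bad tag, and drop any packet whose
    seq is not strictly greater than the last accepted one (a replay)."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1
        self.accepted = []   # payloads handed to the application
        self.rejected = []   # (reason, seq) pairs for the log

    def accept(self, packet):
        if len(packet) < HDR.size + TAG_LEN:
            self.rejected.append(("truncated", None))
            return False
        header = packet[:HDR.size]
        payload = packet[HDR.size:-TAG_LEN]
        tag = packet[-TAG_LEN:]
        seq, _ack = HDR.unpack(header)
        # Constant-time comparison so tag checking does not leak timing.
        if not hmac.compare_digest(tag, tag_for(self.key, header, payload)):
            self.rejected.append(("bad-tag", seq))
            return False
        if seq <= self.last_seq:
            self.rejected.append(("replay", seq))
            return False
        self.last_seq = seq
        self.accepted.append(payload)
        return True


def demo():
    """Walk through the scenario with constructed packets."""
    rx = Receiver(SESSION_KEY)
    # 1. The legitimate, already-authenticated user sends two packets.
    p1 = make_packet(SESSION_KEY, 1000, 500, b"ls -l")
    p2 = make_packet(SESSION_KEY, 1005, 500, b"cat notes")
    rx.accept(p1)
    rx.accept(p2)
    # 2. A packet built from the recorded seq/ack numbers but without the
    #    session key: the TCP numbers are right, the tag cannot be.
    spoofed = make_packet(b"not-the-session-key", 1014, 500, b"injected")
    rx.accept(spoofed)
    # 3. Replaying a genuine earlier packet fails too: seq went backwards.
    rx.accept(p1)
    return {"accepted": rx.accepted, "rejected": rx.rejected}


if __name__ == "__main__":
    print(demo())
```

The sequence check is what stops a captured-and-resent packet; the tag alone would not, since the tag is valid for that packet forever.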
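James Grinter's explanation of the two ndd settings Johnie asked about (ip_forward_directed_broadcasts and ip_forward_src_routed) can be checked against concrete packets. This is an added example, not code from the thread or from Solaris: it builds IPv4 headers for a constructed two-interface router with hypothetical addresses and applies the two forwarding rules as James describes them, so one can see exactly which packets each setting stops the machine forwarding. The interface names, addresses and the router_policy function are assumptions of this example.

```python
import ipaddress
import struct

# Constructed two-interface router (hypothetical addresses): le0 faces the
# Internet, le1 the internal net.  Not anyone's real configuration.
INTERFACES = {
    "le0": ipaddress.ip_interface("192.0.2.1/24"),
    "le1": ipaddress.ip_interface("198.51.100.1/24"),
}
LSRR, SSRR = 0x83, 0x89   # loose / strict source route option type codes


def build_ipv4(src, dst, options=b"", payload=b""):
    """Minimal IPv4 header (checksum left zero) with an optional options area."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)   # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total, 0, 0, 64, 17, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + options + payload


def option_types(pkt):
    """Return the option type codes present in an IPv4 header."""
    ihl = (pkt[0] & 0x0F) * 4
    opts = pkt[20:ihl]
    found, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == 0:              # end-of-options list
            break
        if t == 1:              # no-op: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            raise ValueError("malformed IP option")
        found.append(t)
        i += opts[i + 1]
    return found


def router_policy(pkt, ingress, forward_directed_broadcasts=False,
                  forward_src_routed=False):
    """Apply the two knobs to a packet that arrived on interface `ingress`.
    Returns 'accept' (not blocked by either knob) or 'drop:<reason>'.
    The defaults mirror the 'ndd -set ... 0' lines Johnie quoted."""
    dst = ipaddress.ip_address(pkt[16:20])
    try:
        opts = option_types(pkt)
    except ValueError:
        return "drop:malformed-options"
    # ip_forward_src_routed 0: do not forward packets carrying a source route.
    if (LSRR in opts or SSRR in opts) and not forward_src_routed:
        return "drop:source-routed"
    # ip_forward_directed_broadcasts 0: do not forward a packet whose
    # destination is the broadcast address of some *other* interface's net.
    for name, iface in INTERFACES.items():
        if name != ingress and dst == iface.network.broadcast_address:
            if not forward_directed_broadcasts:
                return "drop:directed-broadcast"
    return "accept"


if __name__ == "__main__":
    # LSRR option: type, length 7, pointer 4, one hop address (constructed).
    lsrr = bytes([LSRR, 7, 4]) + ipaddress.ip_address("203.0.113.9").packed
    for label, pkt, ifc in [
        ("unicast inside", build_ipv4("192.0.2.50", "198.51.100.20"), "le0"),
        ("directed bcast", build_ipv4("192.0.2.50", "198.51.100.255"), "le0"),
        ("source routed", build_ipv4("192.0.2.50", "198.51.100.20", lsrr), "le0"),
    ]:
        print(f"{label:15s} -> {router_policy(pkt, ifc)}")
```

On the Solaris box itself, `ndd /dev/ip \?` prints the full list of settable /dev/ip parameters that Johnie was looking for.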
From firewalls-owner Wed Jul 5 12:54:39 1995
Date: Wed, 5 Jul 1995 11:06:00 -0700
From: cxh@mba.com (Cynthia He)
To: firewalls@greatcircle.com
Subject: fwtk smap's problem with this list

Hello all,

I'm running fwtk with smap on my linux machine.  Last Friday (June 3) at
around 17:25, my machine started having problems with messages from this
mailing list.  The subject line of these messages all complains about
'too many hops'.  It got so bad that by 17:30 Saturday, the logs and
message queues started filling up my hard disks.  Can anyone help me with
the following two questions:

1. What is causing the 'too many hops' error?  Is it something on my
   machine?  I put my machine back to work by cleaning up the queues and
   rebooting it.

2. How do I prevent my hard disk filling up next time?  Is it something
   that I need to configure within smap, sendmail?

Please see the attached returned mail for more detail.  Thanks for any
insight.
[Attachment "CXH": the returned mail]

From MAILER-DAEMON@mbadev.mba.com Fri Jun 30 17:25 MST 1995
Received: from mbagate.mba.com by mbadev.mba.com with SMTP (1.37.109.8/16.2) id AA21102; Fri, 30 Jun 1995 17:25:25 -0700
Received: from localhost (localhost) by mbagate.mba.com (8.6.9/8.6.9) with internal id RAB21586; Fri, 30 Jun 1995 17:39:50 -0700
Date: Fri, 30 Jun 1995 17:39:50 -0700
From: Mail Delivery Subsystem
Subject: Returned mail: too many hops 18 (17 max): from via localhost, to
Message-Id: <199507010039.RAB21586@mbagate.mba.com>
To: postmaster@mbagate.mba.com

The original message was received at Fri, 30 Jun 1995 17:39:49 -0700
from mail@localhost

   ----- Transcript of session follows -----
554 too many hops 18 (17 max): from via localhost, to

   ----- Message header follows -----

Return-Path: firewalls-owner@GreatCircle.COM
Received: (from mail@localhost) by mbagate.mba.com (8.6.9/8.6.9) id RAA21586 for ; Fri, 30 Jun 1995 17:39:49 -0700
Received: from relay4.uu.net(192.48.96.14) by mbagate.mba.com via smap (V1.3) id sma021584; Fri Jun 30 17:39:26 1995
Received: from miles.greatcircle.com by relay4.UU.NET with ESMTP id QQywkv07547; Fri, 30 Jun 1995 20:23:44 -0400
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA28230 for firewalls-outgoing; Fri, 30 Jun 1995 12:03:56 -0700
Received: from mail.unigate1.unisys.com (mail.UniGate1.Unisys.COM [192.63.100.18]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA28225 for ; Fri, 30 Jun 1995 12:03:53 -0700
Received: from mvdns1.mv-oc.unisys.com ([192.59.253.100]) by mail.unigate1.unisys.com (4.1/SMI-4.1-1.1) id AA04552; Fri, 30 Jun 95 19:07:55 GMT
Received: from mail.unigate1.unisys.com (unigate1.mv.unisys.com) by mvdns1.mv-oc.unisys.com (4.1/SMI-4.1-1.8) id AA16138; Fri, 30 Jun 95 19:08:33 GMT
Received: from relay3.UU.NET by mail.unigate1.unisys.com (4.1/SMI-4.1-1.1) id AA04291; Fri, 30 Jun 95 19:05:40 GMT
Received: from miles.greatcircle.com by relay3.UU.NET with ESMTP id QQywjz09509; Fri, 30 Jun 1995 14:53:51 -0400
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA24062 for firewalls-outgoing; Fri, 30 Jun 1995 10:34:38 -0700
Received: from mail.unigate1.unisys.com (mail.UniGate1.Unisys.COM [192.63.100.18]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA24056 for ; Fri, 30 Jun 1995 10:34:35 -0700
Received: from mvdns1.mv-oc.unisys.com ([192.59.253.100]) by mail.unigate1.unisys.com (4.1/SMI-4.1-1.1) id AA27551; Fri, 30 Jun 95 17:38:41 GMT
Received: from mail.unigate1.unisys.com (unigate1.mv.unisys.com) by mvdns1.mv-oc.unisys.com (4.1/SMI-4.1-1.8) id AA13397; Fri, 30 Jun 95 17:39:19 GMT
Received: from relay4.UU.NET by mail.unigate1.unisys.com (4.1/SMI-4.1-1.1) id AA27177; Fri, 30 Jun 95 17:33:11 GMT
Received: from miles.greatcircle.com by relay4.UU.NET with ESMTP id QQywjs08062; Fri, 30 Jun 1995 13:13:44 -0400
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA21078 for firewalls-outgoing; Fri, 30 Jun 1995 09:20:10 -0700
Received: from csc.com (explorer.csc.com [20.1.10.27]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA21071 for ; Fri, 30 Jun 1995 09:20:07 -0700
Received: by csc.com (Smail3.1.29.1 #1) id m0sRimB-000iF8C; Fri, 30 Jun 95 12:18 EDT
Date: Fri, 30 Jun 1995 12:18:42 -0400 (EDT)
From: Adam Safier
To: Adam Shostack
Cc: Firewalls mailing list
Subject: Re: Securing Web data... configuring a key to access data?
In-Reply-To: <199506271220.IAA09253@hermes.bwh.harvard.edu>

   ----- Message body suppressed -----

[End of attachment]

=======================================
Cynthia He
Miles Burke Associates, Inc.
cxh@mba.com
602-852-5600 x152

From firewalls-owner Wed Jul 5 14:15:32 1995
Date: Wed, 5 Jul 1995 19:53:18 +0100
From: Jon Piesing
To: firewalls@greatcircle.com
Subject: Re: BorderWare user feedback

Borderware (UK) had one of their firewalls at last weekend's "Access All
Areas" hacking conference in London.  They put an SCO unix box behind it
and offered a crate of Champagne to anybody who could retrieve a file
from the SCO box.
Nobody admitted to succeeding.  The only bad thing was that the firewall
rebooted after a period of being under very heavy load from a PC on the
same (dirty) ethernet.

Jon

> From firewalls-owner@greatcircle.com Wed Jul 5 19:40:05 1995
> X-Sender: mlopez@server1.iattc.ucsd.edu
> To: firewalls@greatcircle.com
> Subject: BorderWare user feedback
> Date: Wed, 5 Jul 1995 08:48:33 -0700
>
> I, too, have been puzzled at times at the lack of user response on this
> list about the BorderWare (was "Janus") product.  I believe my response
> to a recent unsupported and unspecific mention of "bad" things about
> BorderWare was the sole "grousing in reply" (other than Border's own)
> that was posted.  Having prodded and lurked in this list for some time
> prior to our purchase of the product, it occurs to me now that, perhaps,
> the targeted BorderWare customer is not very likely to subscribe to this
> list at all.  I must admit to being here partly to "play with the
> professionals" while remaining at arm's length (at least!) from Unix and
> its Berkeley '60's idiosyncrasies (there, I've said it!).  I was
> initially impressed by BorderWare "on paper", and to some degree by the
> lack of "bad" things said about it.  So far it has met our expectations.
> It lacks some basic system management tools, not directly related to
> security, but it seems solid.
>
> Cheers.
>
> Milton F.
> Lopez
> mlopez@ucsd.edu
> Voice: (619) 546-7041
> Fax: (619) 546-7133

From firewalls-owner Wed Jul 5 15:29:56 1995
Date: Wed, 5 Jul 1995 21:12:30 +0800
From: Jeremy@ccm.sns.com.sg (Jeremy)
Subject: Free firewall on Linux
To: Firewalls@GreatCircle.COM

Hi,

Is there any free firewall s/w for the Linux operating system?

Thanks in advance!

********************************
E-mail : Jeremy@ccm.sns.com.sg
Company: Singapore Network Services
Address: 75 Science Park Drive, #B1-01/13, Cintech II Building,
         Singapore 0511.
Fax    : 7785277
Voice  : 7728210
********************************

From firewalls-owner Wed Jul 5 15:44:07 1995
Date: Wed, 5 Jul 1995 16:24:41 -0400 (EDT)
From: David Miller
Subject: Re: NNTP caching proxy
To: Jim Carroll
cc: firewalls@greatcircle.com
In-Reply-To: <9507051954.AA23461@wellspring.us.dg.com>

On Wed, 5 Jul 1995, Jim Carroll wrote:

> Rumour has it that on 5 Jul 95 at 14:02, David Miller said:
>
> > NNTP = Network News Transfer Protocol.  It's how machines move news from
> > system to system.
> >
> > NNRP = Network News Reader Protocol.  It's how clients ask news servers
> > for articles and things.
>
> (I should probably research this first, but here goes anyway.)
>
> Last time I looked at the RFC concerning NNTP, I could swear this
> supported both server-to-server as well as client-to-server
> communications.  In fact, when I spliced nntp.1.5.11 into trn, I seem
> to recall just that.
>
> NNTP is described in RFC 977.  Which RFC is NNRP?

Jeez, I hate it when someone interrupts my fantasies with mere facts:) !
I thought I'd seen references to NNRP with the INN package.  I'll go back
to lurking mode now:-)

--- David
----------------------------------------------------------------------------
It's *amazing* what one can accomplish when one doesn't know what one can't do!
From firewalls-owner Wed Jul 5 15:47:12 1995
Date: Wed, 5 Jul 1995 17:46:33 -0400 (EDT)
From: Adam Safier
To: Martin Hauser
cc: firewalls@greatcircle.com
Subject: Re: Internet Security Policy
In-Reply-To: <9507041107.AA03005@chbslu08>

> Are there any companies who have made their policy public?  I have found
> policies of many universities but I am interested how large, multinational
> companies deal with this subject.

The US Customs service has their policy on a WWW page.  Sorry I don't
have the URL handy but I found them by doing a search from the Netscape
search page.  (http://www.netscape.com ?)  They are not multinational but
pretty close and pretty big.  Several other policy manuals etc were also
in the hit list.
Good Luck,
Adam

From firewalls-owner Wed Jul 5 16:08:07 1995
Date: Wed, 5 Jul 1995 15:23:58 -0400 (EDT)
From: Adam Safier
To: DEEVEE@HOUVMSCC.lsis.loral.com
cc: firewalls@greatcircle.com
Subject: Re: Proxies
In-Reply-To: <199507031418.HAA02746@miles.greatcircle.com>

> I'm assisting with the implementation of a secure subnet architecture
> between a government customer and several contractor companies.  Each
> contractor subnet will enter the secure subnet via a secure firewall.  We
> would like to allow the following functions between the subnets (FTP,
> TELNET, client/server, NFS, and X-windows).  I'm looking for firewall
> proxies for (NFS, client/server, and X-windows).
> Users have OS/2 workstations, and X-windows users have OS/2 and MAC
> workstations.  Multi-user systems are AIX/UNIX platforms.

I'll let someone else blast X11 and NFS through a firewall and I really
don't know if this will solve your application but ....  If you must
have them, look at IBM's own NetSP and their implementation of SOCKS.
That or look at their DCE architecture.  Either way, I don't think
you'll have an easy fit.

Adam - opinions expressed are my own and not anyone else's, except when
they agree.
From firewalls-owner Wed Jul 5 16:36:19 1995
Date: Wed, 05 Jul 1995 17:34:57 -0400
From: Tim Becker
To: Chris Maio
cc: firewalls@greatcircle.com
Subject: Re: One Router or Two?
In-reply-to: Your message of "Wed, 05 Jul 1995 13:58:07 EDT."
Message-Id: <199507052134.RAA07199@slate.cs.rochester.edu>

I can think of 2 reasons to have two routers:

1. Security: With 2 routers and a bastion in between, an attacker
   would have to breach the outside router, the bastion, and the internal
   router in order to get into your network.  Actually, breaching just
   the outside router and the bastion would be enough -- because he
   could run whatever processes he wants on the bastion.

2. Performance and Security: You might want to put bastion functions
   on separate machines on the DMZ.  A common idea is to put anon-ftp
   and web functions on a machine separate from the proxy machine.  You
   might want to do this for performance and/or security reasons.

Tim Becker.
From firewalls-owner Wed Jul 5 16:39:21 1995
Date: Wed, 5 Jul 1995 15:53:34 -0500
From: "Jim Carroll"
Organization: Data General (Canada) Inc.
To: David Miller, firewalls@greatcircle.com
Subject: Re: NNTP caching proxy
Reply-To: jcarroll@wellspring.us.dg.com
Message-Id: <9507051954.AA23461@wellspring.us.dg.com>

Rumour has it that on 5 Jul 95 at 14:02, David Miller said:

> NNTP = Network News Transfer Protocol.  It's how machines move news from
> system to system.
>
> NNRP = Network News Reader Protocol.  It's how clients ask news servers
> for articles and things.

(I should probably research this first, but here goes anyway.)

Last time I looked at the RFC concerning NNTP, I could swear this
supported both server-to-server as well as client-to-server
communications.  In fact, when I spliced nntp.1.5.11 into trn, I seem
to recall just that.

NNTP is described in RFC 977.  Which RFC is NNRP?

--
Jim Carroll - jcarroll@wellspring.us.dg.com  ... the usual disclaimers ...
## If you like this sort of thing,        ##
## this is the sort of thing you'll like.
##

From firewalls-owner Wed Jul 5 16:42:57 1995
Date: Wed, 5 Jul 1995 17:13:49 -0500
From: "Jim Carroll"
Organization: Data General (Canada) Inc.
To: David Miller, firewalls@greatcircle.com
Subject: Re: NNTP caching proxy
Reply-To: jcarroll@wellspring.us.dg.com
Message-Id: <9507052114.AA12392@wellspring.us.dg.com>

Rumour has it that on 5 Jul 95 at 16:24, David Miller said:

> Jeez, I hate it when someone interrupts my fantasies with mere facts:) !
> I thought I'd seen references to NNRP with the INN package.  I'll go back
> to lurking mode now:-)

Happens to the best of us. :)  And the worst of us. :) :) :)

Actually, I do recall service providers having FQDNs of
nnrp.sub.domain.name, just for the purpose of serving those nasty hordes
of PCs.  First time I saw it, I thought it was a typo.

--
Jim Carroll - jcarroll@wellspring.us.dg.com  ... the usual disclaimers ...
## The more I learn, the less I know.             ##
## Eventually I'll know everything about nothing.
##

From firewalls-owner Wed Jul 5 17:34:24 1995
Date: Wed, 05 Jul 95 21:55:00 BST
From: Jim Barry
To: "'Firewalls Mailing List'"
Cc: "'Peter Musca'"
Subject: Re: CERN-httpd as a http proxy
Message-ID: <2FFAFCBB@bukowsky>

Hi,

> From: Peter Musca
> Date: Wed, 5 Jul 1995 13:46:40 +0800 (WST)
> Subject: CERN-httpd as a http proxy.
>
> I am about to replace the http-proxy from the fwtk with the cern-httpd
> proxy.  I want to run it in a chrooted environment and would appreciate
> any tips, advice etc from anyone who has done this.  I am not sure
> whether I will be building a full blown WWW server as yet, but that may
> come in the future..

I use cern-httpd in preference to http-gw mainly because it gives more
meaningful error messages back to the client.  I don't understand your
desire to run the proxy as chroot, as (by definition) it will only be
forwarding requests to other locations.

I actually run two cern-httpd daemons - one as a 'regular' WWW server
and one as a proxy.  They coexist peacefully on the one machine.
Cheers,
--Jim

From firewalls-owner Wed Jul 5 17:41:23 1995
Date: Wed, 05 Jul 95 17:11:00 PDT
From: Garry Garrett
To: "'firewalls list from GreatCircle'"
Subject: Re: NNTP caching proxy
Message-ID: <2FFB2A9D@mailserv.abii.com>

I don't think that what this guy is asking for is all that weird, I'm
just not sure that it's ever been done before.  Allow me to restate it
so we aren't simply bickering over acronyms.

NNTP - all day long my server goes out and gets every article that every
bozo with usenet access has ever written and stores it on my hard drive
(okay, so I may prune it down to only those newsgroups that are useful
to me, save the censorship flame wars, okay)

NNRP - When I read news off of your NNTP server, my client software gets
each article as I select it.

I think what this guy is looking for is something in between: As I read
each article, it is cached so that when others go to read that article
it is just read off my proxy server's disk instead of getting it from
your NNTP server.  I take it he is using his ISP's NNTP server, or
something like that, and does not want to set up his own NNTP server,
but does want to save a little network traffic by not getting the same
article twice.
Some WWW proxy servers work that way; that's where he got the idea.  It
makes sense if you don't have disk space for a full newsfeed but don't
want to go grab the same page all day long for different people.

The question is, does anyone make such an NNTP proxy.  I'd be willing to
bet the answer is no.  If there was I'm sure we'd have an acronym for it.
:-)

I'm sure you'll correct me if I'm wrong.

Garry
Garry.Garrett@abii.com
----------------------------------------------------------------------------
--
On Wed, 5 Jul 1995, Brian Rogers wrote:

> I originally wrote:
>
> > Is there such a thing as a caching proxy for NNTP?  I don't want to
> > dedicate the disk space and bandwidth to a real news feed.
>
> On Wed, 5 Jul 1995, David Miller wrote:
>
> > Something doesn't seem quite right here.  If brogers doesn't want to have
> > a dedicated news feed but still wants access to news, he must be looking
> > for an NNRP proxy, not an NNTP proxy right?

[...]

NNTP = Network News Transfer Protocol.  It's how machines move news from
system to system.

NNRP = Network News Reader Protocol.  It's how clients ask news servers
for articles and things.
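An added example, not code from the thread or from any news software, of the in-between proxy Garry describes: reader commands come in, ARTICLE/HEAD/BODY replies fetched by message-id are kept on disk so the second reader of an article is served locally, and everything else passes through to the upstream server. The upstream is a constructed in-memory stand-in so it runs offline; class and function names are my own.

```python
"""Caching news-reader proxy sketch (added example, not from the list thread).

Sits between reader clients and an upstream news server.  ARTICLE/HEAD/BODY
replies fetched by message-id are stored on disk; GROUP, LIST, POST and the
rest pass straight through.  The upstream here is a constructed in-memory
stand-in so the example runs offline.
"""
import hashlib
import os
import tempfile

SUCCESS = {"ARTICLE": "220", "HEAD": "221", "BODY": "222"}  # RFC 977 reply codes


class FakeUpstream:
    """Stand-in for the ISP's news server.  Counts how often it is asked."""

    def __init__(self, articles):
        self.articles = articles  # message-id -> "headers\n\nbody" (constructed)
        self.fetches = 0

    def command(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in SUCCESS:
            self.fetches += 1
            text = self.articles.get(arg)
            if text is None:
                return "430 no such article\r\n"
            head, _, body = text.partition("\n\n")
            part = {"ARTICLE": text, "HEAD": head, "BODY": body}[verb]
            return f"{SUCCESS[verb]} 0 {arg}\r\n{part}\r\n.\r\n"
        if verb == "GROUP":
            return f"211 0 0 0 {arg}\r\n"
        return "500 command not recognized\r\n"


class CachingNewsProxy:
    def __init__(self, upstream, cache_dir):
        self.upstream = upstream
        self.cache_dir = cache_dir
        self.hits = 0

    def _cache_path(self, verb, msgid):
        # Hash the key: a message-id is attacker-chosen text and must never be
        # used as a file name directly ("/" or ".." would escape cache_dir).
        digest = hashlib.sha256(f"{verb} {msgid}".encode()).hexdigest()
        return os.path.join(self.cache_dir, digest)

    def handle(self, line):
        """Serve one reader command, returning the reply text."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        # Only message-id lookups are cacheable: article numbers are relative
        # to one group on one particular server and mean nothing elsewhere.
        if verb not in SUCCESS or not (arg.startswith("<") and arg.endswith(">")):
            return self.upstream.command(line.strip())
        path = self._cache_path(verb, arg)
        if os.path.exists(path):
            self.hits += 1
            with open(path, "rb") as fh:
                return fh.read().decode()
        reply = self.upstream.command(f"{verb} {arg}")
        if reply[:3] == SUCCESS[verb]:  # cache successes only, never a 430
            with open(path, "wb") as fh:
                fh.write(reply.encode())
        return reply


def demo():
    """Run a short reader session and report what hit the cache."""
    articles = {  # constructed sample articles
        "<a1@example.org>": "Subject: hello\n\nfirst body",
        "<a2@example.org>": "Subject: bye\n\nsecond body",
    }
    upstream = FakeUpstream(articles)
    with tempfile.TemporaryDirectory() as cache_dir:
        proxy = CachingNewsProxy(upstream, cache_dir)
        first = proxy.handle("ARTICLE <a1@example.org>")
        second = proxy.handle("ARTICLE <a1@example.org>")  # second reader: from disk
        body = proxy.handle("BODY <a1@example.org>")       # other verb, own entry
        proxy.handle("ARTICLE <missing@example.org>")      # 430 is not cached...
        proxy.handle("ARTICLE <missing@example.org>")      # ...so it goes upstream again
        group = proxy.handle("GROUP comp.security.firewalls")
        return {
            "same_reply": first == second,
            "upstream_fetches": upstream.fetches,
            "cache_hits": proxy.hits,
            "body_code": body[:3],
            "group_code": group[:3],
        }


if __name__ == "__main__":
    print(demo())
```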
From firewalls-owner Wed Jul 5 17:52:28 1995
Date: Wed, 5 Jul 95 16:02:17 PDT
From: carl@lapse.lvsun.COM (Carl Shapiro 454-4862)
To: firewalls@greatcircle.com
Subject: Re: BorderWare user feedback

> I, too, have been puzzled at times at the lack of user response on this list
> about the BorderWare (was "Janus") product.

There is, or was, a mailing list devoted to BorderWare issues.
Subscription requests to: firewall-request@netpart.com, with subject
"subscribe".  I received my subscription confirmation message in April,
but haven't seen any mail since, so it may have died.  Anybody know for
sure?
--
Carl Shapiro
carl@lvsun.com

From firewalls-owner Wed Jul 5 17:55:55 1995
Date: Wed, 5 Jul 1995 16:44:54 -0700
From: Steve Saunders
To: Firewalls@greatcircle.com
Subject: AUTO-REPLY

Greetings,

I will be out of the office from July 6 through July 14.  For any urgent
matter please contact Mike Gromek at (415)375-5125 or at
mgromek@systems.DHL.COM.

thank you,
Steve Saunders

From firewalls-owner Wed Jul 5 18:12:51 1995
Date: Wed, 5 Jul 1995 19:47:56 -0400 (EDT)
From: fc@all.net (Dr. Frederick B. Cohen)
To: firewalls@greatcircle.com
Subject: Re: One Router or Two?
In-Reply-To: <199507052134.RAA07199@slate.cs.rochester.edu> from "Tim Becker" at Jul 5, 95 05:34:57 pm

> I can think of 2 reasons to have two routers:
>
> 1.
> Security: With 2 routers and a bastion in between, an attacker
> would have to breach the outside router, the bastion, and the internal
> router in order to get into your network.  Actually, breaching just
> the outside router and the bastion would be enough -- because he
> could run whatever processes he wants on the bastion.
>
> 2. Performance and Security: You might want to put bastion functions
> on separate machines on the DMZ.  A common idea is to put anon-ftp
> and web functions on a machine separate from the proxy machine.  You
> might want to do this for performance and/or security reasons.

I can think of several more for starters:

In case of a failure in the bastion host, the routers can be configured
on an emergency basis to allow select communications.

In case of a design flaw in any one component, the other components (if
properly used) can limit the effect.

With encrypting routers, you can configure a safe pass through with a
trusted remote network without any special software in the host.

In case of configuration errors in one router, the other router prevents
a breach.

There are probably more if you think about it.

--
-> See: Info-Sec Heaven using our New Super Secure World-Wide-Web Server
-> Free: Test your system's security (scans deeper than SATAN or ISS!)
---------------------- both at URL: http://all.net ----------------------
-> Read: "Protection and Security on the Information Superhighway"
   John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95
-------------------------------------------------------------------------
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236

From firewalls-owner Wed Jul 5 18:36:16 1995
Date: Wed, 5 Jul 1995 20:28:00 -0500
From: "Moubray, Steve"
To: "' firewalls@greatcircle.com'"
Subject: RE: BorderWare
Message-Id: <95Jul5.183507cdt.58881@firewall.dcc.com>

The other day Chris wrote:

>From: ckapilla@interserver.com (Chris Kapilla)
>Date: Mon, 03 Jul 1995 16:10:04 -0700
>Subject: BorderWare
>
>A couple of weeks ago someone raised some questions regarding BorderWare's
>firewall product.  A strong rebuttal was given by someone at BorderWare,
>and I expected there might be some grousing in reply, but nary a word was
>said.  From what I have seen of their product it looks really good -- they
>have taken a very intelligent approach and done an excellent
>implementation as far as I can tell (but I am a newbie w.r.t. all this).
>So my question is ... does anyone have anything BAD to say about the
>BorderWare server?
>- ----------------------------------------------------------------
>Chris Kapilla
>http://www.interserver.com
>ckapilla@interserver.com
>phone: 206-836-3661
>fax: 206-836-9468

To be honest with you it seemed like someone was just running around
starting rumors with complete ignorance of the subject in question.  I
have heard more than one unethical manufacturer and reseller start
rumors about competitors' products so I never pay attention to them.  I
assumed that this individual was either a reseller of a product that
competes with BorderWare or heard it from a vendor that does.  I notice
that he never stated the source of the rumors and I CHALLENGE HIM TO DO
SO.  If not to the list at least to me.

Well, so much for why I didn't respond earlier on this issue.  I simply
didn't think that anyone on this list would pay attention to that type
of crap (maybe those on the list that watch day time talk shows).

We have a BorderWare firewall and it is very transparent.  Yes, all
those packet resellers that say application gateways are not transparent
are not correct.  We were using a Cisco router and packet filters for
about 1 month while selecting the best firewall product (not my idea to
use the Cisco for security).  We had implemented E-Mail, NetScape, NEWS,
OS/2 WARP stuff, FTP and some people were using telnet.  This stuff was
running on Windows, NT, OS/2 and Windows 95 beta.  We installed the
firewall one night, made no changes to the applications and no one
noticed.  That's right, 85 people didn't miss a beat when we installed
the firewall.  We did need to update the hosts file and some other
routing tables because we now had a new segment but other than that
nothing else needed to be changed.  It was completely transparent.  No
logins and no modifications to the apps.

Yes.  BorderWare runs on a highly modified kernel.  The kernel ignores
ICMP redirects (at least the ones that I send it), ignores source routed
packets and can't be spoofed.  It does this by doing some packet
filtering.
I don't know all of the modifications but it can use larger file systems than the original kernel and stuff like that.

I will side with the individual on two issues. The user interface is not a true GUI. It is a text based pull down menu that looks and acts like a GUI but no graphics are used in the interface. This isn't a big issue because it is just as easy to use as a GUI and I'm being picky. The other issue in the product is a statement about using "a forms capable web server". It uses a very good web server but it really isn't forms capable which I think is a plus for security. Do you want people running CGI scripts on your firewall? No, I don't either.

From a security, ease of use and functionality standpoint, it stands up to its claims. I have heard of at least one company falsely bashing the BorderWare product but they just didn't think transparent application gateways were possible because they couldn't do it. The product works. Try it and find out for yourself.

PLEASE LET ME KNOW WHERE THE RUMORS STARTED. (I don't mean to yell but this bothers me).

--------------------------------------------------
Steve Moubray
DCC, Inc.
10 2nd Street NE, Minneapolis, MN 55413
(612) 378-4469  Fax (612) 378-4401
smoubray@dcc.com
http://www.dcc.com/

From firewalls-owner Wed Jul 5 19:03:12 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA25818 for firewalls-outgoing; Wed, 5 Jul 1995 18:31:55 -0700
Received: from research.att.com (research.att.com [192.20.225.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id SAA25813 for ; Wed, 5 Jul 1995 18:31:53 -0700
From: smb@research.att.com
Message-Id: <199507060131.SAA25813@miles.greatcircle.com>
Received: by gryphon; Wed Jul 5 21:30:34 EDT 1995
To: Ted Doty
cc: mjr@iwi.com, firewalls@greatcircle.com
Subject: Re: controlling FTP transfers
Date: Wed, 05 Jul 95 21:30:34 EDT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> One thing I've been thinking about lately is how a hacker might combine a
> sniffer attack with a hijacked terminal attack (CERT advisory 95-01).
> Instead of recording the username/password (not useful if one-time
> passwords are used), s/he would record the TCP Seq and Ack numbers, wait
> for the user to authenticate via token card or S/key, and THEN steal the
> session, using the recorded TCP numbers.

Yup (though the hijacked terminal attack in 95-01 was a local-machine affair).

> It looks like this might allow a hacker into your net as an authenticated
> user, unless I'm being paranoid (if I am being paranoid, I refuse to
> apologize; they PAY me to be paranoid).

No ``might'' about it. See Joncheray's paper from the last UNIX Security Symposium, or Mike Neumann's ``Watcher'' paper.

> Should we all be doing cryptographic authentication on a per-packet basis?
> This way, I have to break an MD5 key. --

You got it.
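The per-packet authentication smb endorses, as an added example that is not part of either post: a receiver checks a keyed MAC over every packet's sequence number and payload, so that recorded seq/ack numbers alone are not enough to inject into a session that was authenticated once at login. It uses HMAC-SHA256 in place of the keyed MD5 the thread names, and the session key, initial sequence number and payloads are constructed samples.

```python
"""Per-packet authentication against TCP session hijacking.

Added example, not from the original posts. The layout of Packet and the
HMAC-SHA256 choice are assumptions for illustration; the session key would
in practice be derived from the one-time-password login exchange.
"""
import hmac
import hashlib
import struct
from dataclasses import dataclass

MAC_LEN = 16  # truncated tag length in bytes (assumption)


@dataclass
class Packet:
    seq: int        # 32-bit sequence number, exactly what a sniffer can record
    payload: bytes
    tag: bytes      # MAC over (seq, payload); plain TCP carries nothing like it


def make_tag(key: bytes, seq: int, payload: bytes) -> bytes:
    # Bind the sequence number and the data together under the session key,
    # so neither can be altered or re-used with a different payload.
    msg = struct.pack("!I", seq) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class Sender:
    def __init__(self, key: bytes, isn: int) -> None:
        self.key, self.seq = key, isn

    def send(self, payload: bytes) -> Packet:
        pkt = Packet(self.seq, payload, make_tag(self.key, self.seq, payload))
        self.seq = (self.seq + len(payload)) & 0xFFFFFFFF
        return pkt


class Receiver:
    """Accepts a packet only if its seq is the one expected AND its tag verifies."""

    def __init__(self, key: bytes, isn: int) -> None:
        self.key, self.expected = key, isn
        self.accepted = []   # payloads delivered to the application
        self.rejected = []   # audit trail of what was dropped and why

    def receive(self, pkt: Packet) -> bool:
        if pkt.seq != self.expected:
            self.rejected.append(f"seq {pkt.seq:#x}: not the expected seq (replay/stale)")
            return False
        if not hmac.compare_digest(pkt.tag, make_tag(self.key, pkt.seq, pkt.payload)):
            # Right sequence number, wrong key: the sniff-then-hijack case.
            self.rejected.append(f"seq {pkt.seq:#x}: bad MAC")
            return False
        self.accepted.append(pkt.payload)
        self.expected = (self.expected + len(pkt.payload)) & 0xFFFFFFFF
        return True


def demo() -> dict:
    key = b"constructed-session-key"   # constructed sample key
    isn = 0x12345678                   # constructed initial sequence number
    user, server = Sender(key, isn), Receiver(key, isn)

    first = user.send(b"ls -l\n")
    server.receive(first)              # legitimate packet, accepted

    # The eavesdropper saw the next seq number on the wire (user.seq) but has
    # no session key, so the injected packet's tag is computed under a guess.
    inject = b"echo injected\n"
    forged = Packet(user.seq, inject, make_tag(b"guessed-key", user.seq, inject))
    hijack_ok = server.receive(forged)

    # Replaying the captured legitimate packet fails too: its seq is stale.
    replay_ok = server.receive(first)

    server.receive(user.send(b"cat notes\n"))   # the real user carries on
    return {"accepted": server.accepted, "rejected": server.rejected,
            "hijack_ok": hijack_ok, "replay_ok": replay_ok}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```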
From firewalls-owner Wed Jul 5 19:06:42 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA25923 for firewalls-outgoing; Wed, 5 Jul 1995 18:34:06 -0700
Received: from phoenix.org (pslip108a.egr-ri.ids.net [155.212.90.108]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id SAA25918 for ; Wed, 5 Jul 1995 18:34:02 -0700
Received: (from medulla@localhost) by phoenix.org (8.6.11/8.6.9) id VAA01654; Wed, 5 Jul 1995 21:34:45 -0400
Date: Wed, 5 Jul 1995 21:34:38 -0400 (EDT)
From: Mike Edulla
To: Jeremy
cc: Firewalls@GreatCircle.COM
Subject: Re: Free firewall on Linux
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 5 Jul 1995, Jeremy wrote:

> Date: Wed, 5 Jul 1995 21:12:30 +0800
> From: Jeremy
> To: Firewalls@GreatCircle.COM
> Subject: Free firewall on Linux
>
> Hi,
>
> Are there any free firewall s/w on Linux operating system ?
>
> Thanks in advance !

fwtk should compile (I think) under a Linux box. I don't know of many other free firewalls.

From firewalls-owner Wed Jul 5 19:34:08 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA25258 for firewalls-outgoing; Wed, 5 Jul 1995 18:20:47 -0700
Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id SAA25248; Wed, 5 Jul 1995 18:20:43 -0700
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 5 Jul 1995 18:20:24 -0800
To: js@cctechnol.com, firewalls@greatcircle.com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: FAQ
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:33 AM 7/4/95, Johnie Stafford wrote:
> I ftp'd to ftp.greatcircle.com and cd'd to /pub/irewalls to get the
> FAQ. This is what I got from ftp:
>
> ftp> get FAQ
> 200 PORT command successful.
> 150 Opening BINARY mode data connection for FAQ (30263 bytes).
> ==>> FAQ: Is a directory
> 426 Transfer aborted. Data connection closed.
> 226 Abort successful
> ftp> cd FAQ
> ==>> 550 FAQ: Not a directory.
> ftp>
>
> What gives?

I just tried it from an account at an external site that I maintain for testing, and it works just fine. I think you've got a broken client.

-Brent
----------------------------------------------------------------------
For info about the Internet Security Firewalls Tutorial and a schedule of
upcoming dates, please send email to Tutorial-Info@GreatCircle.COM
----------------------------------------------------------------------
Brent Chapman                                   Great Circle Associates
Brent@GreatCircle.COM                           1057 West Dana Street
+1 415 962 0841                                 Mountain View, CA 94041

From firewalls-owner Wed Jul 5 19:34:29 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA25343 for firewalls-outgoing; Wed, 5 Jul 1995 18:21:43 -0700
Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id SAA25333; Wed, 5 Jul 1995 18:21:38 -0700
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 5 Jul 1995 18:21:19 -0800
To: js@cctechnol.com, firewalls@greatcircle.com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: FAQ
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:33 AM 7/4/95, Johnie Stafford wrote:
> I ftp'd to ftp.greatcircle.com and cd'd to /pub/irewalls to get the
> FAQ. This is what I got from ftp:
>
> ftp> get FAQ
> 200 PORT command successful.
> 150 Opening BINARY mode data connection for FAQ (30263 bytes).
> ==>> FAQ: Is a directory
> 426 Transfer aborted. Data connection closed.
> 226 Abort successful
> ftp> cd FAQ
> ==>> 550 FAQ: Not a directory.
> ftp>
>
> What gives?

Oh, I bet I know what the problem is... Have you already got a directory named "FAQ" at your end?
If so, then when your FTP client tried to create a file named "FAQ", it couldn't.

-Brent
----------------------------------------------------------------------
For info about the Internet Security Firewalls Tutorial and a schedule of
upcoming dates, please send email to Tutorial-Info@GreatCircle.COM
----------------------------------------------------------------------
Brent Chapman                                   Great Circle Associates
Brent@GreatCircle.COM                           1057 West Dana Street
+1 415 962 0841                                 Mountain View, CA 94041

From firewalls-owner Wed Jul 5 19:46:28 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA25426 for firewalls-outgoing; Wed, 5 Jul 1995 18:23:16 -0700
Received: from miriworld.its.unimelb.EDU.AU (miriworld.its.unimelb.EDU.AU [128.250.6.194]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id SAA25415 for ; Wed, 5 Jul 1995 18:23:10 -0700
Received: (from danny@localhost) by miriworld.its.unimelb.EDU.AU (8.6.11/8.6.11) id LAA05772; Thu, 6 Jul 1995 11:22:10 +1000
Date: Thu, 6 Jul 1995 11:22:07 +1000 (EST)
From: "Daniel O'Callaghan"
X-Sender: danny@miriworld.its.unimelb.EDU.AU
To: David Miller
cc: benjamin@hanover.demon.co.uk, brogers@integctr.com, firewalls@GreatCircle.COM, www-proxy@w3.org
Subject: Re: NNTP caching proxy
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 5 Jul 1995, David Miller wrote: (in firewalls@GreatCircle.COM)

> On Tue, 4 Jul 1995 benjamin@hanover.demon.co.uk wrote:
>
> > > Is there such a thing as a caching proxy for NNTP? I don't want to
> > > dedicate the disk space and bandwidth to a real news feed.
> >
> > I believe there is a package called INN 8-)
> >
> > No, seriously... Apart from running a news server, I have not found a
> > solution... 8-(
>
> Something doesn't seem quite right here.
> If brogers doesn't want to have a dedicated news feed but still wants
> access to news, he must be looking for an NNRP proxy, not an NNTP proxy
> right? If that's the case,

Yes

> something like netscape will work just fine using the standard httpd
> proxy. If you want to use "tin" across a firewall though, you'll have to
> hack something in. I don't know of any NNRP proxies either.

Except that none of the http/nnrp proxies will cache news. I think news is a good candidate for caching, personally. That way a regional news server could carry a full feed, and small ISPs could have all groups accessible w/o having to take a full feed themselves.

It's on my wish list. I don't think it will make it to the *do* list, other than maybe hacking CERN proxy server to cache news articles. I remember Ari said caching news was bad, but I never understood why; after all, articles don't change, they have static "urls" and have easily defined expiry dates.

Danny

From firewalls-owner Wed Jul 5 20:03:07 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA25498 for firewalls-outgoing; Wed, 5 Jul 1995 18:24:53 -0700
Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id SAA25492; Wed, 5 Jul 1995 18:24:49 -0700
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 5 Jul 1995 18:24:29 -0800
To: cxh@mba.com (Cynthia He), firewalls@greatcircle.com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: fwtk smap's problem with this list
Cc: cxh@mbadev.mba.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:06 AM 7/5/95, Cynthia He wrote:
> Hello all,
>
> I'm running fwtk with smap on my linux machine. Last Friday (June 3) at
> around 17:25, my machine started having problems with messages
> from this mailing list. The subject line of these messages all complains
> about 'too many hops'.
> It got so bad that by 17:30 Saturday, the logs
> and message queues started filling up my hard disks.

You should have seen _our_ queues... :-) I think I nuked over 5000 copies of that error message before I was done...

> Can anyone help me with the following two questions:
>
> 1. What is causing the 'too many hops' error? Is it something on my machine?
> I put my machine back to work by cleaning up the queues and rebooted it.

It has nothing to do with your machine. Someone on Firewalls had looped their subscription address back to Firewalls, so every posting was going round and round in circles, with everybody on the list getting another copy of every message each time it went through the loop. Eventually each message would have the magic number of "Received:" headers (typically about 16 or so) that causes Sendmail to decide (rightly!) that the message is in a loop, and bounce it.

> 2. How do I prevent my hard disk filling up next time? Is it something
> that I need to configure within smap, sendmail?

Not much you can do there, I don't think...
-Brent
----------------------------------------------------------------------
For info about the Internet Security Firewalls Tutorial and a schedule of
upcoming dates, please send email to Tutorial-Info@GreatCircle.COM
----------------------------------------------------------------------
Brent Chapman                                   Great Circle Associates
Brent@GreatCircle.COM                           1057 West Dana Street
+1 415 962 0841                                 Mountain View, CA 94041

From firewalls-owner Wed Jul 5 20:22:07 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA29773 for firewalls-outgoing; Wed, 5 Jul 1995 19:58:53 -0700
Received: from icicle (icicle.winternet.com [198.174.169.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id TAA29768 for ; Wed, 5 Jul 1995 19:58:50 -0700
Received: from klondike (dufresne@klondike.winternet.com [198.174.169.8]) by icicle (8.6.12/8.6.12) with ESMTP id VAA02642; Wed, 5 Jul 1995 21:58:03 -0500
Received: (from dufresne@localhost) by klondike (8.6.12/8.6.12) id VAA01761; Wed, 5 Jul 1995 21:58:01 -0500
Posted-Date: Wed, 5 Jul 1995 21:58:01 -0500
Date: Wed, 5 Jul 1995 21:58:00 -0500 (CDT)
From: Ron DuFresne
To: Mike Edulla
cc: Jeremy , Firewalls@GreatCircle.COM
Subject: Re: Free firewall on Linux
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 5 Jul 1995, Mike Edulla wrote:

> On Wed, 5 Jul 1995, Jeremy wrote:
>
> > Date: Wed, 5 Jul 1995 21:12:30 +0800
> > From: Jeremy
> > To: Firewalls@GreatCircle.COM
> > Subject: Free firewall on Linux
> >
> > Hi,
> >
> > Are there any free firewall s/w on Linux operating system ?
> >
> > Thanks in advance !
>
> fwtk should compile (I think) under a Linux box. I don't know of many
> other free firewalls.
There is an ipfirewall.c file that can be compiled into the kernel for Linux, and I believe that the 1.3.4 and higher kernels have this code shipped with the kernel, though you have to hand compile it in...

Later,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

testing, only testing, and damn good at it too!

OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Wed Jul 5 20:34:41 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA00784 for firewalls-outgoing; Wed, 5 Jul 1995 20:13:02 -0700
Received: from risc.agsm.ucla.edu (risc.agsm.ucla.edu [164.67.163.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id UAA00779 for ; Wed, 5 Jul 1995 20:12:59 -0700
Received: by risc.agsm.ucla.edu id AA11961 (5.67a/IDA-1.5 for firewalls@greatcircle.com); Wed, 5 Jul 1995 20:12:11 -0700
From: Tom Kozlowski
Message-Id: <199507060312.AA11961@risc.agsm.ucla.edu>
Subject: controlling cern-httpd-proxy
To: firewalls@greatcircle.com
Date: Wed, 5 Jul 1995 20:12:11 -0800 (PDT)
X-Mailer: ELM [version 2.4 PL22]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 451
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Any ideas would be appreciated on the following question.

I am currently running cern-httpd as a WWW proxy on Solaris 2.4. I would like to be able to block some of the "unwanted" internet sites via this cern-httpd proxy. For example, so that users cannot access www.playboy.com from the local Netscape browser and so on. Is it possible? Has anyone done it? I would be curious to know how other sites are dealing with this issue.

Thanks in advance.
Tom

From firewalls-owner Wed Jul 5 20:38:14 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA26705 for firewalls-outgoing; Wed, 5 Jul 1995 18:48:43 -0700
Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id SAA26700 for ; Wed, 5 Jul 1995 18:48:39 -0700
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 5 Jul 1995 18:48:20 -0800
To: firewalls@greatcircle.com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: One Router or Two?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 7:47 PM 7/5/95, Dr. Frederick B. Cohen wrote:
> > I can think of 2 reasons to have two routers:
>
> I can think of several more for starters:
>
>     In case of a design flaw in any one component, the other components
>     (if properly used) can limit the effect.

I believe the original poster was contemplating two identical Cisco routers, rendering this point moot. If one's got a design flaw, the other will have the same flaw.

>     In case of configuration errors in one router, the other router
>     prevents a breach.

Not necessarily; not even probably, I don't think. If the same person configures both, they'll probably make the same error in both configurations. Even if different people configure them, it's not unlikely for them to make overlapping mistakes. There's a large body of research in the safety field on supposedly-independent implementations (i.e., two teams working completely independently to design and build the same safety-critical system, such as a flight control computer, so that one version can check the other) that suggests that the same errors get made in independent implementations far more often than you might expect.
Many (but by no means all) of these errors can be traced back to errors in the original specification (which is generally _not_ done independently, by definition; it can't be, since both objects are supposed to be implementations of the same thing).

Two routers _can_ be more secure than one, but only if you're very careful. There's a lot of theory out there that doesn't hold up in practice.

-Brent
----------------------------------------------------------------------
For info about the Internet Security Firewalls Tutorial and a schedule of
upcoming dates, please send email to Tutorial-Info@GreatCircle.COM
----------------------------------------------------------------------
Brent Chapman                                   Great Circle Associates
Brent@GreatCircle.COM                           1057 West Dana Street
+1 415 962 0841                                 Mountain View, CA 94041

From firewalls-owner Wed Jul 5 20:39:10 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA27833 for firewalls-outgoing; Wed, 5 Jul 1995 19:20:35 -0700
Received: from bayflash.stpt.usf.edu (bayflash.stpt.usf.edu [131.247.140.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id TAA27828 for ; Wed, 5 Jul 1995 19:20:32 -0700
Received: (johnson@localhost) by bayflash.stpt.usf.edu (8.6.11/8.6.5) id WAA15370; Wed, 5 Jul 1995 22:18:59 -0400
Date: Wed, 5 Jul 1995 22:18:59 -0400 (EDT)
From: Steven Johnson - Hukd on Fonix
X-Sender: johnson@bayflash
To: Firewalls@GreatCircle.COM
cc: Firewalls@GreatCircle.COM
Subject: Re: Free firewall on Linux
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 5 Jul 1995, Jeremy wrote:

> Are there any free firewall s/w on Linux operating system ?

This has popped up several times on this list, as well as others.
Please e-mail your replies and I will compile them and make a web page available in about a week at http://www.stpt.usf.edu/~johnson/linux/firewalls.html for anyone else if there are sufficient responses.

TIA,
Steve

P.S. a catchy firewall gif would be appreciated as well.

From firewalls-owner Wed Jul 5 21:04:18 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA03557 for firewalls-outgoing; Wed, 5 Jul 1995 20:50:04 -0700
Received: from miriworld.its.unimelb.EDU.AU (miriworld.its.unimelb.EDU.AU [128.250.6.194]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id UAA03543 for ; Wed, 5 Jul 1995 20:49:57 -0700
Received: (from danny@localhost) by miriworld.its.unimelb.EDU.AU (8.6.11/8.6.11) id NAA22462; Thu, 6 Jul 1995 13:49:15 +1000
Date: Thu, 6 Jul 1995 13:49:12 +1000 (EST)
From: "Daniel O'Callaghan"
X-Sender: danny@miriworld.its.unimelb.EDU.AU
To: Tom Kozlowski
cc: firewalls@GreatCircle.COM
Subject: Re: controlling cern-httpd-proxy
In-Reply-To: <199507060312.AA11961@risc.agsm.ucla.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 5 Jul 1995, Tom Kozlowski wrote:

> Any ideas would be appreciated on the following question.
>
> I am currently running cern-httpd as a WWW proxy on Solaris
> 2.4. I would like to be able to block some of the "unwanted" internet
> sites via this cern-httpd proxy. For example, so that users cannot
> access www.playboy.com from local Netscape browser and so on.
> Is it possible? Has anyone done it?

Before you say

    Pass http://*

say

    # Block access to porno
    Map http://www.cnam.fr/* /nono.html
    Map http://intertain-inc.com/xxx/* /nono.html

/nono.html may or may not exist, depending on what action you wish to take. Having it not exist is probably easiest.

D.
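To see why the Map lines have to come before Pass http://*, here is an added example (not the reply's or cern-httpd's own code) that models the first-match rule evaluation the reply relies on and audits a sample of URLs against both orderings. The Fail verb and the "refused" default for a request no Pass rule accepts are my reading of cern-httpd's rule semantics; the glob is approximated with fnmatch and the URLs are constructed samples.

```python
"""First-match semantics of cern-httpd Pass/Map rules.

Added example, not from the original reply. Rules are tried top to bottom:
Map rewrites the URL and continues, Pass stops and accepts, Fail stops and
refuses, and falling off the end without a Pass is treated as refused
(an assumption about cern-httpd's default). Templates use fnmatch globs.
"""
from fnmatch import fnmatchcase


def evaluate(rules, url):
    """Return (decision, final_url); decision is 'pass', 'fail' or 'refused'."""
    for rule in rules:
        verb, template = rule[0], rule[1]
        if not fnmatchcase(url, template):
            continue
        if verb == "Map":
            url = rule[2]          # rewritten; later rules are matched against it
        elif verb == "Pass":
            return ("pass", url)
        elif verb == "Fail":
            return ("fail", url)
    return ("refused", url)       # no Pass accepted the (possibly rewritten) URL


BLOCKED = ["http://www.cnam.fr/*", "http://intertain-inc.com/xxx/*"]


def build_rules(map_before_pass):
    """The reply's rule set in the recommended order, or with Pass first."""
    maps = [("Map", t, "/nono.html") for t in BLOCKED]
    passes = [("Pass", "http://*")]
    return maps + passes if map_before_pass else passes + maps


def check(url, map_before_pass=True):
    return evaluate(build_rules(map_before_pass), url)


def audit(rules, sample_urls):
    """Which of the sample URLs would this rule set let through to the net?"""
    return [u for u in sample_urls if evaluate(rules, u)[0] == "pass"]


if __name__ == "__main__":
    # Constructed sample of requests as seen in a proxy access log.
    samples = ["http://www.cnam.fr/index.html",
               "http://intertain-inc.com/xxx/pic.gif",
               "http://intertain-inc.com/about.html",
               "http://www.w3.org/"]
    for order in (True, False):
        label = "Map before Pass" if order else "Pass before Map"
        print(label, "lets through:", audit(build_rules(order), samples))
```

With Pass http://* first, the Map lines are never reached and every sampled URL is passed; with the Map lines first, a blocked URL is rewritten to /nono.html, which no Pass rule then accepts.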
From firewalls-owner Wed Jul 5 21:21:58 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA29487 for firewalls-outgoing; Wed, 5 Jul 1995 19:52:55 -0700
Received: from st-james.comp.vuw.ac.nz (st-james.comp.vuw.ac.nz [130.195.5.14]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id TAA29458 for ; Wed, 5 Jul 1995 19:52:44 -0700
Received: from gopher.dosli.govt.nz (uucp@localhost) by st-james.comp.vuw.ac.nz (8.6.11/8.6.9-VUW) with UUCP/gopher id OAA17012 for firewalls@GreatCircle.COM; Thu, 6 Jul 1995 14:48:52 +1200
Date: Thu, 6 Jul 1995 14:26:19 +1200
Message-Id: <9507060226.AA14995@gopher.dosli.govt.nz>
From: mikew@gopher.dosli.govt.nz (Mike Williams)
To: firewalls@GreatCircle.COM
Subject: Re: NNTP caching proxy
References: <2.51.884481B2B.BenMail@hanover.demon.co.uk>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>> "David" == David Miller wrote:

David> If [Brian] doesn't want to have a dedicated news feed but still
David> wants access to news, he must be looking for an NNRP proxy, not an
David> NNTP proxy right?

>>> "Brian" == Brian Rogers replied:

Brian> I have no idea what the difference is between NNTP and NNRP. I've
Brian> never heard of NNRP.

NNRP is basically the subset of NNTP that's useful for news-reading (rather than transferring news from server to server). It's an INN-ism. I think David is making the point that all you really need in a caching NNTP proxy is NNRP functionality.

It's kind of moot though, since AFAIK no such proxy exists. It's a great idea though! HTTP allows you to check the last-modified date of an URL, to verify that cache data has not changed. Part of the problem is that NNTP doesn't have a similar way of verifying cached data. So you'd end up having to pass some NNTP queries (eg. LIST) back to the server. However, you can assume that header information and article text will not change, so caching those would be a big win.

Any volunteers?
In any case, since this has applications outside firewalls, news.software.nntp is probably a better forum for this discussion.

- Mike W.

From firewalls-owner Wed Jul 5 21:34:21 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA06043 for firewalls-outgoing; Wed, 5 Jul 1995 21:27:22 -0700
Received: from sequoia.itd.uts.EDU.AU (sequoia.itd.uts.EDU.AU [138.25.16.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id VAA06007 for ; Wed, 5 Jul 1995 21:26:51 -0700
From: T.Greenland@uts.EDU.AU
Received: by sequoia.itd.uts.EDU.AU id AA14649 (5.65c/IDA-1.4.4 for 'firewalls list from GreatCircle' ); Thu, 6 Jul 1995 14:20:35 +1000
Date: Thu, 6 Jul 1995 14:11:52 +1000 (EST)
Subject: Re: NNTP caching proxy
To: Garry Garrett
Cc: "'firewalls list from GreatCircle'"
In-Reply-To: <2FFB2A9D@mailserv.abii.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> On Wed, 5 Jul 1995, Brian Rogers wrote:
>
> > > Is there such a thing as a caching proxy for NNTP? I don't want to
> > > dedicate the disk space and bandwidth to a real news feed.

On Wed, 5 Jul 1995, Garry Garrett wrote:

> I don't think that what this guy is asking for is all that
> weird, I'm just not sure that it's ever been done before.
>
> As I read each article, it is cached so that when others go to
> read that article it is just read off my proxy server's disk instead
> of getting it from your NNTP server.
>
> I take it he is using his ISP's NNTP server, or something like that,
> and does not want to setup his own NNTP server, but does want to
> save a little network traffic by not getting the same article twice.
> Some WWW proxy servers work that way; that's where he got the idea.

the closest thing i know of is the news overview package (nov). it just downloads the headers of each message and you fetch the ones you are interested in.
i *guess* it wouldn't take *too* much mucking around to get it to cache the articles as well. but then news isn't known for its simplicity... :)

Tim Greenland                        T.Greenland@uts.edu.au
Information Technology Division      Phone: +61 2 330 2116
University of Technology, Sydney     Fax: +61 2 330 1994

From firewalls-owner Wed Jul 5 21:36:37 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA28295 for firewalls-outgoing; Wed, 5 Jul 1995 19:34:17 -0700
Received: from ncb.gov.sg (mailhub.ncb.gov.sg [160.96.4.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id TAA28269 for ; Wed, 5 Jul 1995 19:34:07 -0700
Received: by ncb.gov.sg (4.1/SMI-4.1) id AA00741; Thu, 6 Jul 95 09:39:15 SST
Date: Thu, 6 Jul 1995 09:39:15 +0800 (SST)
From: Leong Yew Hong
Subject: Oracle Thru Firewall
To: firewalls@greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My site has this requirement to allow external access to our internal Oracle servers. From my knowledge, Oracle does use UDP, which my firewall disallows. Is there a way to make the clients or the server use TCP only?

I am also interested in what type of authentication system Oracle has. Plain-text, encrypted password? Is it IP address-based authentication?

Any info or pointers to info will be appreciated. Info on other RDBMS systems like Sybase will also be welcomed.
- Yew Hong

============ http://www.ontc.ncb.gov.sg/staff/yhleong =============
Leong Yew Hong                       Internet: yhleong@ncb.gov.sg
Network Security Analyst             IDEmail : yhleong@ncboa
National Computer Board, Singapore   Fax     : (65)-779-5234

From firewalls-owner Wed Jul 5 21:51:30 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA04209 for firewalls-outgoing; Wed, 5 Jul 1995 20:58:18 -0700
Received: from yarrina.connect.com.au (yarrina.connect.com.au [192.189.54.17]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id UAA04177; Wed, 5 Jul 1995 20:58:02 -0700
Received: (from root@localhost) by yarrina.connect.com.au with UUCP id NAA20805 (8.6.12/IDA-1.6); Thu, 6 Jul 1995 13:57:04 +1000
Received: by junkers.lochard.com.au id AA51985 (5.65c/IDA-1.5); Thu, 6 Jul 1995 13:23:28 +1100
From: Mark
Message-Id: <199507060223.AA51985@junkers.lochard.com.au>
Subject: Re: Proceedings Now Available - 5th USENIX UNIX Security Symposium
To: Brent@GreatCircle.COM (Brent Chapman)
Date: Thu, 6 Jul 1995 13:23:27 +1000 (E )
Cc: Firewalls@GreatCircle.COM
In-Reply-To: from "Brent Chapman" at Jul 3, 95 12:48:00 pm
Content-Type: text
Content-Length: 883
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> If you couldn't attend the 5th USENIX UNIX Security Symposium
> in Salt Lake City, you can now purchase the proceedings. The
> price is $27 for members and $35 for non-members, and includes
> domestic and Canadian postage. Please add $11 for overseas
> postage (air printed matter).
>
> You can place your order by fax, phone, or email when using a VISA or
> Mastercard, or you can mail a check or company purchase order to:
>
> USENIX Association                Phone: 510/528-8649
> 2560 Ninth Street, Ste. 215       Fax 510/548-5738
> Berkeley, CA 94710                office@usenix.org
>
> Abstracts of the papers below appear in the USENIX Resource
> Center on the World Wide Web, URL: http://www.usenix.org.
> If you are a current USENIX member, you will also have access
> to the full papers.
I'm told that these papers are available free on the coast server.

Mark

From firewalls-owner Wed Jul 5 22:03:36 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA02185 for firewalls-outgoing; Wed, 5 Jul 1995 20:35:14 -0700
Received: from psycfrnd.interaccess.com (psycfrnd.interaccess.com [198.80.0.26]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id UAA02180 for ; Wed, 5 Jul 1995 20:35:08 -0700
Received: from d112.tp.interaccess.com (d112.tp.interaccess.com [199.88.134.112]) by psycfrnd.interaccess.com (8.6.12/8.6.10) with SMTP id WAA27629 for ; Wed, 5 Jul 1995 22:31:36 -0500
Message-Id: <199507060331.WAA27629@psycfrnd.interaccess.com>
X-Sender: gregg@pop.interaccess.com
X-Mailer: Windows Eudora Version 2.0.3
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 05 Jul 1995 22:37:20 -0500
To: firewalls@GreatCircle.COM
From: gregg@interaccess.com (Gregg Rosenberg)
Subject: Protocol difference based firewalls and Novell
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I may have missed this discussion. If so, a pointer to reference materials is appreciated.

Many existing Novell clients want to give their desktop clients access to the Internet. They propose to use protocol isolation techniques to protect their production systems. The notion is to allow IPX on the inside and IP on the outside, using separate NICs in the Novell server. Firefox and numerous other products are claiming this to be an effective firewall. This in my mind only addresses part of the requirements for a firewall.

The question is how can these systems be compromised (or, a safer variation for the list, are they vulnerable?). I can see some exposures. If server services like FTP or NFS are run they could expose supposedly secure resources. Clearly a user could run a server service on their desktop if policy, control, and auditing did not protect against this. Any other thoughts are appreciated.
I have implemented serial links between a terminal server and a Novell server having a multi-port serial board. This works well, but is not scalable. Of course security policy and people issues are considered.

The question could be answered in a Novell specific context; however, I see possible greater value to the list in examining the broader issues of protocol isolation.

Thanks for everyone's ear. :-)

Gregg Rosenberg -- N9NNO
Internet Educational Resources, Corp.
gregg@k12.org

From firewalls-owner Wed Jul 5 22:04:39 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA07830 for firewalls-outgoing; Wed, 5 Jul 1995 21:53:35 -0700
Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id VAA07814; Wed, 5 Jul 1995 21:53:29 -0700
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 5 Jul 1995 21:53:10 -0800
To: Mark
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: Proceedings Now Available - 5th USENIX UNIX Security Symposium
Cc: Firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 1:23 PM 7/6/95, Mark wrote:
> > Abstracts of the papers below appear in the USENIX Resource
> > Center on the World Wide Web, URL: http://www.usenix.org.
> > If you are a current USENIX member, you will also have access
> > to the full papers.
>
> I'm told that these papers are available free on the coast server.

Yes, many of them probably are, but I'm not sure about all of them.
-Brent ---------------------------------------------------------------------- For info about the Internet Security Firewalls Tutorial and a schedule of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM ---------------------------------------------------------------------- Brent Chapman Great Circle Associates Brent@GreatCircle.COM 1057 West Dana Street +1 415 962 0841 Mountain View, CA 94041 From firewalls-owner Wed Jul 5 22:08:04 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA06340 for firewalls-outgoing; Wed, 5 Jul 1995 21:33:38 -0700 Received: from neon.netscape.com (neon.netscape.com [198.93.92.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id VAA06335 for ; Wed, 5 Jul 1995 21:33:36 -0700 Received: (from luotonen@localhost) by neon.netscape.com (950215.SGI.8.6.10/8.6.9) id VAA05714; Wed, 5 Jul 1995 21:22:48 -0700 From: Ari Luotonen Message-Id: <199507060422.VAA05714@neon.netscape.com> Subject: Re: NNTP caching proxy To: danny@miriworld.its.unimelb.edu.au (Daniel O'Callaghan) Date: Wed, 5 Jul 1995 21:22:48 -0700 (PDT) Cc: isdmill@gatekeeper.ddp.state.me.us, benjamin@hanover.demon.co.uk, brogers@integctr.com, firewalls@greatcircle.com, www-proxy@w3.org In-Reply-To: from "Daniel O'Callaghan" at Jul 6, 95 11:22:07 am X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 849 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Its on my wish list. I don't think it will make it to the *do* list, > other than maybe hacking CERN proxy server to cache news articles. > I remember Ari said caching news was bad, but I never understood why, I said that because the news articles get retrieved from a nearby news server anyway, so caching doesn't save that much. If you're thinking of getting load off the news server, then yes, it makes a lot of sense. 
Yeah, I can see my statement was unnecessarily stern, so I take it back -- caching news does make sense. > after all, articles don't change, they have static "urls" and have an > easily defined expiry dates. Yes. Cheers, -- Ari Luotonen ari@netscape.com Netscape Communications Corp. http://home.netscape.com/people/ari/ 501 East Middlefield Road Mountain View, CA 94043, USA Netscape Server Development Team From firewalls-owner Wed Jul 5 22:34:27 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA06805 for firewalls-outgoing; Wed, 5 Jul 1995 21:39:33 -0700 Received: from minotaur.labyrinth.net.au (minotaur.labyrinth.net.au [203.9.148.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id VAA06799 for ; Wed, 5 Jul 1995 21:39:17 -0700 Received: (from mail@localhost) by minotaur.labyrinth.net.au (8.6.11/8.6.11) id OAA17512; Thu, 6 Jul 1995 14:34:30 +1000 Received: from gate.quick.com.au(203.12.250.130) by minotaur.labyrinth.net.au via smap (V1.3) id sma017510; Thu Jul 6 14:34:01 1995 Received: (from sjg@localhost) by zen.void.oz.au (8.6.11/8.6.9) id OAA08763; Thu, 6 Jul 1995 14:33:53 +1000 Date: Thu, 6 Jul 1995 14:33:53 +1000 From: "Simon J. Gerraty" Message-Id: <199507060433.OAA08763@zen.void.oz.au> To: smb@research.att.com Subject: Re: controlling FTP transfers Cc: , Doty@zen.void.oz.au, firewalls@GreatCircle.COM, mjr@iwi.com, Ted@zen.void.oz.au Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Should we all be doing cryptographic authentication on a > per-packet basis? This way, I have to break an MD5 key. -- > > You got it. Yes indeed, but how are we ever going to standardize? The U.S. is not the only country with restrictive laws about encryption tech. Unless of course the encryption is so weak as to be useless. The net result is that we all have to re-invent wheels that have little or no change of ever interworking. 
I've hacked encryption back into telnet, but with all the previous TELOPT_ENCRYPTION code removed I'm 101% sure my implementation is incompatible... (so I used a different option number). The net result is that we all have to re-invent wheels that have little or no change of ever interworking. I've hacked encryption back into telnet, but with all the previous TELOPT_ENCRYPTION code removed I'm 101% sure my implementation is incompatible... (so I used a different option number). Anyone know how IPng are tackling this? Or is everyone hoping the Phil Zimmerman case and the RSA T-shirt will force a change to the laws? --sjg From firewalls-owner Wed Jul 5 23:04:54 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA06553 for firewalls-outgoing; Wed, 5 Jul 1995 21:36:31 -0700 Received: from uni.ins.com (uni.ins.com [199.0.193.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id VAA06548; Wed, 5 Jul 1995 21:36:26 -0700 Received: from markpc.ins.com (markpc.ins.com [199.0.193.183]) by uni.ins.com (8.6.12/8.6.12) with SMTP id VAA14201; Wed, 5 Jul 1995 21:35:42 -0700 Date: Wed, 5 Jul 1995 21:35:42 -0700 Message-Id: <199507060435.VAA14201@uni.ins.com> X-Sender: kadrich@uni.ins.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Brent@GreatCircle.COM (Brent Chapman) From: (Mark S. Kadrich) Subject: Re: One Router or Two? Cc: firewalls@GreatCircle.COM X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I would agree if the goal was to configure both routers exactly the same. But the object is to understand the different requirements of internal vs. external systems and if the risk/benefit justifies the additional cost to use two routers. The configurations of the two routers should be different enough to mitigate (ok, it means attention to detail) programming errors. As stated, if there is a firmware error or an IOS error it would tend to dilute the strength of the solution. 
msk >At 7:47 PM 7/5/95, Dr. Frederick B. Cohen wrote: >>> I can think of 2 reasons to have two routers: >> >>I can think of several more for starters: >> >> In case of a design flaw in any one component, the other components >> (if properly used) can limit the affect. > >I believe the original poster was contemplating two identical Cisco >routers, rendering this point moot. If one's got a design flaw, the other >will have the same flaw. > >> In case of configuration errors in one router, the other router >> prevents a breach. > >Not necessarily; not even probably, I don't think. If the same person >configures both, they'll probably make the same error in both >configurations. Even if different people configure them, it's not unlikely >for them to make overlapping mistakes. There's a large body of research in >the safety field on supposedly-independent implementations (i.e., two teams >working completely independently to design and build the same >safety-critical system, such as a flight control computer, so that one >version can check the other) that suggests that the same errors get made in >independent implementations far more often than you might expect. Many >(but by no means all) of these errors can be traced back to errors in the >original specification (which is generally _not_ done independently, by >definition; it can't be, since both objects are supposed to be >implementations of the same thing). > >Two routers _can_ be more secure than one, but only if you're very careful. >There's a lot of theory out there that doesn't hold up in practice. 
> > >-Brent > >---------------------------------------------------------------------- >For info about the Internet Security Firewalls Tutorial and a schedule >of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM >---------------------------------------------------------------------- >Brent Chapman Great Circle Associates >Brent@GreatCircle.COM 1057 West Dana Street >+1 415 962 0841 Mountain View, CA 94041 > > > > ****************************************************************** Mark S. Kadrich, Systems Engineer, International Network Services "The Power of Operable Networks" Voice @ 415-254-4225, Page @ 1-800-514-0355 _/\ e-mail @ kadrich@uni.ins.com (_) Information security is a process, not a solution. ****************************************************************** From firewalls-owner Thu Jul 6 00:37:48 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA14153 for firewalls-outgoing; Thu, 6 Jul 1995 00:04:42 -0700 Received: from ub4b.eunet.be (ub4b.eunet.be [192.92.130.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id AAA14148 for ; Thu, 6 Jul 1995 00:04:36 -0700 Received: from dell5246 (dialup05.leuven.eunet.be) by ub4b.eunet.be (5.65c/ub4b_06) id AA18008; Thu, 6 Jul 1995 09:06:04 +0200 Message-Id: <199507060706.AA18008@ub4b.eunet.be> X-Sender: vlabra@pophost.eunet.be X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 06 Jul 1995 08:01:59 +0100 To: Firewalls@GreatCircle.COM From: vlabra@ub4b.eunet.be (Provincie Vlaams Brabant) Subject: chroot & CERN httpd Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm running the CERN httpd in a chrooted environment on a Solaris 2.4 machine. I built a "jail" which contains an etc, usr, ... directory to which I chroot. Normally the CERN httpd performs a setuid to "nobody" and a setgid "nogroup" before serving any documents. 
But when run in the chrooted environment it says it can't find the user nobody nor the group nogroup. The /jail/etc contains the following files: passwd, group, netconfig, nsswitch.conf. I guess I must be missing something but what ? From firewalls-owner Thu Jul 6 00:52:05 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA14356 for firewalls-outgoing; Thu, 6 Jul 1995 00:22:38 -0700 Received: from Sun.COM (Sun.COM [192.9.9.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id AAA14351; Thu, 6 Jul 1995 00:22:36 -0700 Received: from Aus.Sun.COM (ausmail.Aus.Sun.COM) by Sun.COM (sun-barr.Sun.COM) id AA12722; Thu, 6 Jul 95 00:21:54 PDT Received: from concept.Aus.Sun.COM by Aus.Sun.COM id AA21176 (5.0/SMI-4.1 for <>); Thu, 6 Jul 1995 17:16:59 --1000 Received: by concept.Aus.Sun.COM (5.0/SMI-SVR4) id AA16388; Thu, 6 Jul 1995 17:21:47 --1000 Date: Thu, 6 Jul 1995 17:21:47 --1000 From: Mark.Broadbent@Aus.Sun.COM (Mark Broadbent - Partner Training Manager - Sun Australia) Message-Id: <9507060721.AA16388@concept.Aus.Sun.COM> To: Brent@GreatCircle.COM, mark_kadrich@ins.com Subject: Re: One Router or Two? Cc: firewalls@GreatCircle.COM X-Sun-Charset: US-ASCII Content-Length: 428 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk My understanding of the use of two routers was that they should be from different manufacturers, so that the site was not vulnerable to a single security hole that might be discovered in any one type of network device. The two routers will require different filter configurations. This will reduce the chance that a mis-configuration of filters will open a hole into the organisation. 
Regards, Mark Broadbent Sun Australia From firewalls-owner Thu Jul 6 01:04:25 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA15246 for firewalls-outgoing; Thu, 6 Jul 1995 00:53:35 -0700 Received: from lri.lri.fr (lri.lri.fr [129.175.15.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id AAA15241; Thu, 6 Jul 1995 00:53:29 -0700 Received: from sun3.lri.fr by lri.lri.fr (8.6.10/general) with ESMTP id JAA13297 ; Thu, 6 Jul 1995 09:48:04 +0200 Received: from sun3.lri.fr by sun3.lri.fr (8.6.10/local) with SMTP id JAA21369 ; Thu, 6 Jul 1995 09:47:58 +0200 Message-Id: <199507060747.JAA21369@sun3.lri.fr> X-Authentication-Warning: sun3.lri.fr: Host sun3.lri.fr didn't use HELO protocol X-Mailer: exmh version 1.5.3 12/28/94 To: firewalls-digest@greatcircle.com, firewalls@greatcircle.com cc: mg@lri.fr, couret@lri.fr Subject: Shadow passwds under HP_UX 9.0x Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 06 Jul 1995 09:47:56 +0200 From: Martine Gross Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, We would like to setup shadow passwords with NIS for our network of - sun's with SunOS 4.1.3, - sun's with Solaris 2.4 - hp's with HP-UX 9.05 - sgi's with IRIX 5.2 We know how to do it with SunOS 4.1.3 (We saw a document "How to do shadow on SunOS without C2"). On Solaris 2.4, there is no problem. But, the problem is with HP. HP support told us a bug exists when using /.secure/etc/passwd with NIS. It does not work at all and we actually did not succeed to setup the fonctionnality of shadow passwd on HPs. Thanks for help. -- Martine GROSS Martine.Gross@lri.fr Equipe Systeme et Reseau du LRI. 
Universite Paris Sud Laboratoire de Recherche en Informatique Batiment 490 (33 1) 69.41.69.24 91405 Orsay Cedex - France From firewalls-owner Thu Jul 6 01:34:35 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA18921 for firewalls-outgoing; Thu, 6 Jul 1995 01:29:53 -0700 Received: from voro.lbl.gov (voro.lbl.gov [131.243.64.29]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id BAA18898 for ; Thu, 6 Jul 1995 01:29:48 -0700 Received: from voro (localhost [127.0.0.1]) by voro.lbl.gov (8.6.12/G) with ESMTP id BAA06984; Thu, 6 Jul 1995 01:27:04 -0700 Message-Id: <199507060827.BAA06984@voro.lbl.gov> X-Mailer: exmh version 1.6beta 3/23/95 To: Leong Yew Hong cc: firewalls@greatcircle.com Subject: Re: Oracle Thru Firewall In-reply-to: Your message of "Thu, 06 Jul 1995 09:39:15 +0800." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 06 Jul 1995 01:27:04 -0700 From: Mark Dedlow Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Oracle's networking component (sqlnet) uses TCP, not UDP. sqlnet version 1 passes clear-text passwords. sqlnet v2.0 uses DES (40-bit I assume) encrypted passwords. The latest versions (v2.2+) offer full data stream encryption (DES or RSA) as an option, but it must be separately purchased (on the server only). I assume there are export restictions on the latter. You should probably talk to your Oracle rep for more details regarding availability for your platform and location. Mark mtdedlow@lbl.gov > > My site has this requirement to allow external access to our > internal Oracle servers. From my knowledge, Oracle do uses > UDP which my firewall disallowed. > > Is there a way to make clients or the server to use only TCP only. > > Also, I am also interested in what type of authentication system > Oracle has. Plain-text, encrypted password. Is it IP address-based > authentication ? > > Any info or pointers to info will be appreciated. 
Info on other > RDMS systems like Sybase will also be welcomed. > > > - Yew Hong > ============ http://www.ontc.ncb.gov.sg/staff/yhleong ============= > Leong Yew Hong Internet: yhleong@ncb.gov.sg > Network Security Analyst IDEmail : yhleong@ncboa > National Computer Board, Singapore Fax : (65)-779-5234 > From firewalls-owner Thu Jul 6 02:05:16 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA19800 for firewalls-outgoing; Thu, 6 Jul 1995 01:48:16 -0700 Received: from btmplq.god.bel.alcatel.be (gatekeeper.alcatel.be [138.203.244.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id BAA19765 for ; Thu, 6 Jul 1995 01:47:41 -0700 Received: from localhost (uucp@localhost) by btmplq.god.bel.alcatel.be (8.6.5/8.6.5) id KAA11856 for ; Thu, 6 Jul 1995 10:46:00 +0200 Received: from btmpjg.god.bel.alcatel.be(138.203.144.75) by btmplq via smap (V1.3) id sma011792; Thu Jul 6 10:45:59 1995 Received: from localhost (arntzo@localhost) by btmpjg (8.6.5/8.6.5) id KAA20734; Thu, 6 Jul 1995 10:47:36 +0200 From: ARNTZ Olivier Message-Id: <199507060847.KAA20734@btmpjg> Subject: Re: controlling cern-httpd-proxy To: tkozlows@AGSM.UCLA.EDU (Tom Kozlowski) Date: Thu, 6 Jul 1995 10:47:36 +0200 (MET DST) Cc: firewalls@GreatCircle.COM In-Reply-To: <199507060312.AA11961@risc.agsm.ucla.edu> from "Tom Kozlowski" at Jul 5, 95 08:12:11 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 8bit Content-Length: 1232 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk According to Tom Kozlowski: > I am currently running cern-httpd as a WWW proxy on Solaris > 2.4. I would like to be able to block some of the "unwanted" internet > sites via this cern-httpd proxy. For example, so that users cannot > access www.playboy.com from local Netscape browser and so on. > Is it possible? Has anyone done it? 
First of all, you could protect the use of your proxy by means of the "Protect" rule. I did some experiments and this worked fine, but for the real implementation of this sort of security we are migrating to commercial software now.

Furthermore you could block traffic to some sites by defining a "Map" rule which returns a local page (with an explanation of the denial) instead of forwarding the request. I haven't done this yet, but I don't think it's hard to do.

We ran/run cern-httpd as a proxy on an internal WWW server on SunOS 4.1.3.

Cheers,
Olivier
==========================================================================
Arntz Olivier                  Internet : arntzo@god.bel.alcatel.be
UNIX and Internet Support      Voice    : +32 3 2409544
Alcatel Bell Belgium           Fax      : +32 3 2409952
==========================================================================

From firewalls-owner Thu Jul 6 02:31:47 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA20011 for firewalls-outgoing; Thu, 6 Jul 1995 01:57:29 -0700
Received: from relay1gw.alcatel.fr (relay1gw.alcatel.fr [193.104.30.53]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id BAA20003 for ; Thu, 6 Jul 1995 01:57:21 -0700
Received: from istans.ansf.alcatel.fr by relay1gw.alcatel.fr with SMTP (1.37.109.8/16.2) id AA27352; Thu, 6 Jul 1995 10:55:45 +0200
Received: from ahqp14.ansf.alcatel.fr ([155.132.120.211]) by istans.ansf.alcatel.fr (4.1/SMI-4.1) id AA16232; Thu, 6 Jul 95 10:58:21 +0200
Message-Id: <9507060858.AA16232@istans.ansf.alcatel.fr>
From: "Kare Presttun"
Organization: Alcanet International
To: Firewalls@GreatCircle.COM
Date: Thu, 6 Jul 1995 11:03:10 +0200
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Subject: Re: Firewalls-Digest V4 #399
Reply-To: Kare.Presttun@ansf.alcatel.fr
Priority: normal
X-Mailer: Pegasus Mail/Windows (v1.22)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > From: "Simon J. Gerraty"
> Date: Thu, 6 Jul 1995 14:33:53 +1000
> Subject: Re: controlling FTP transfers
>
> > Should we all be doing cryptographic authentication on a
> > per-packet basis? This way, I have to break an MD5 key. --
> >
> > You got it.
>
> Yes indeed, but how are we ever going to standardize?
>
> The U.S. is not the only country with restrictive laws about encryption tech.
> Unless of course the encryption is so weak as to be useless.
>

You may use and export authentication and integrity mechanisms everywhere, even strong ones. The stupid thing often seen is that these functions are implemented using a confidentiality function, and that's where the problem starts. Using MD5 should not be a problem; you may even use DES if you run it in MAC mode and your implementation is hard to misuse to do DES encryption.

If you want confidentiality you have to limit it to a 40-bit key if you want to use and export it everywhere. The strength of a 40-bit key was discussed here some weeks ago.

> The net result is that we all have to re-invent wheels that have
> little or no chance of ever interworking. I've hacked encryption
> back into telnet, but with all the previous TELOPT_ENCRYPTION code
> removed I'm 101% sure my implementation is incompatible... (so I used
> a different option number).
>
> Anyone know how IPng are tackling this?
>
> Or is everyone hoping the Phil Zimmerman case and the RSA T-shirt will
> force a change to the laws?
>
> - --sjg
>
> ------------------------------

Kare
----------------------------------------------------------
| Kare Presttun                   Alcanet International  |
| Tel: +33 1 4058 5614            33, rue Emeriau        |
| Fax: +33 1 4058 5945            F-75015 Paris          |
| Kare.Presttun@ansf.alcatel.fr   FRANCE                 |

From firewalls-owner Thu Jul 6 02:34:33 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA20418 for firewalls-outgoing; Thu, 6 Jul 1995 02:03:28 -0700
Received: from ismael.gmv.es (ismael.gmv.es [193.127.51.205]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id CAA20392 for ; Thu, 6 Jul 1995 02:03:08 -0700
Received: (from uucp@localhost) by ismael.gmv.es (8.6.9/1.1) id LAA19058 for ; Thu, 6 Jul 1995 11:04:41 +0200
Received: from melmac.gmv.es(193.127.48.3) by ismael.gmv.es via smap (V1.3) id sma019056; Thu Jul 6 11:04:23 1995
Received: by gmv.es (4.1/GMV-1.10) id AA24779; Thu, 6 Jul 95 11:02:03 +0200
Date: Thu, 6 Jul 95 11:02:03 +0200
From: jsanchez@gmv.es (Julio Sanchez)
Message-Id: <9507060902.AA24779@gmv.es>
To: firewalls@greatcircle.com
Subject: Re: Free firewall on Linux
References:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ron DuFresne (dufresne@winternet.com) wrote:
: There is a ipfirewall.c file that can be compiled into the kernel for
: linux, and I believe that the 1.3.4 and higher kernels have this code
: shipped with the kernel, though you have to hand compile it in...

Well, more or less. The kernel code has already been there since 1.2.something. It implements filtering, i.e. deciding what packets you will accept and/or forward. It does not keep state, so the traditional warnings about screening routers apply. However, it is useful as an addition, especially since you can configure filters for packets you will accept with forwarding compiled out of the kernel. It is derived from 4.4BSD.

The code you mention, ipfirewall.c, is an administrative interface that lets you define your filters, list them and obtain statistics.
I found ipfwadm a simpler-to-understand interface.

If you have the time to write some code and experiment with it, you can try my `catching' extension to Linux. This extension will let you define under what conditions packets that hit your gateway and are not really addressed to it are caught and passed up to the upper layers instead of being forwarded, ignored or dropped. You could probably use this to get transparent proxies.

The code is at:

ftp://ftp.esegi.es/pub/linux/catch

You will find there a kernel patch, a patch for ipfwadm and a silly demo program. I only found time for this (and the demo program took most of it), so I have not used it for any real application. I will get back to this in a few weeks. Comments are welcome.

Julio
--
Julio Sanchez, GMV SA, Isaac Newton 11, PTM Tres Cantos, E-28760 Madrid, Spain
Ph. +34 1 807 21 85   | jsanchez@gmv.es              | Traveller, there is no
Fax +34 1 807 21 99   | jsanchez%gmv.es@Spain.EU.net | path; paths are made by
Telex 48487 GMEV E    | jsanchez@esegi.es            | walking (A. Machado)

From firewalls-owner Thu Jul 6 02:58:52 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA21083 for firewalls-outgoing; Thu, 6 Jul 1995 02:18:53 -0700
Received: from mail.unigate1.unisys.com (mail.UniGate1.Unisys.COM [192.63.100.18]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id CAA21071 for ; Thu, 6 Jul 1995 02:18:41 -0700
Received: from mvdns1.mv-oc.unisys.com ([192.59.253.100]) by mail.unigate1.unisys.com (4.1/SMI-4.1-1.1) id AA16649; Fri, 30 Jun 95 21:32:32 GMT
Received: from mail.unigate1.unisys.com (unigate1.mv.unisys.com) by mvdns1.mv-oc.unisys.com (4.1/SMI-4.1-1.8) id AA26764; Fri, 30 Jun 95 21:33:26 GMT
Received: from relay4.UU.NET by mail.unigate1.unisys.com (4.1/SMI-4.1-1.1) id AA16537; Fri, 30 Jun 95 21:30:18 GMT
Received: from miles.greatcircle.com by relay4.UU.NET with ESMTP id QQywki13292; Fri, 30 Jun 1995 17:12:55 -0400
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA27597 for firewalls-outgoing; Fri, 30 Jun 1995 11:52:50 -0700
Received: from mail.unigate1.unisys.com (mail.UniGate1.Unisys.COM [192.63.100.18]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA27591 for ; Fri, 30 Jun 1995 11:52:48 -0700
Received: from mvdns1.mv-oc.unisys.com ([192.59.253.100]) by mail.unigate1.unisys.com (4.1/SMI-4.1-1.1) id AA03470; Fri, 30 Jun 95 18:56:52 GMT
Received: from mail.unigate1.unisys.com (unigate1.mv.unisys.com) by mvdns1.mv-oc.unisys.com (4.1/SMI-4.1-1.8) id AA15495; Fri, 30 Jun 95 18:57:31 GMT
Received: from relay4.UU.NET by mail.unigate1.unisys.com (4.1/SMI-4.1-1.1) id AA03283; Fri, 30 Jun 95 18:54:32 GMT
Received: from miles.greatcircle.com by relay4.UU.NET with ESMTP id QQywjy19588; Fri, 30 Jun 1995 14:33:53 -0400
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA22930 for firewalls-outgoing; Fri, 30 Jun 1995 10:05:11 -0700
Received: from gw.lsli.com (lsli.sccsi.com [198.65.130.22]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA22920 for ; Fri, 30 Jun 1995 10:05:07 -0700
Received: by gw.lsli.com (AIX 3.2/UCB 5.64/4.03) id AA14548; Fri, 30 Jun 1995 11:59:56 -0500
Received: by gw.lsli.com via smwrap (PORTUS 2.0) id smwrapN9ID71; Fri Jun 30 11:59:24 1995
Date: Fri, 30 Jun 95 11:59:54 PDT
From: fletch@gw.lsli.com
Subject: Announce: LSLI PORTUS 2.1 tutorial
To: firewalls@greatcircle.com
X-Mailer: Chameleon ARM_55, TCP/IP for Windows, NetManage Inc.
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The new firewall tutorial for PORTUS v. 2.1 is now on the web.

URL http://www.sccsi.com/lsli/lsli.homepage.html

-------------------------------------
E-mail: fletch@gw.lsli.com
Livermore Software Laboratories, Inc.
Houston, Texas 77077
800-240-5754   713-496-1580
Please if it's not too late, make mine a cheeseburger
-------------------------------------

From firewalls-owner Thu Jul 6 04:16:03 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA24159 for firewalls-outgoing; Thu, 6 Jul 1995 03:07:45 -0700
Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id DAA24134 for ; Thu, 6 Jul 1995 03:07:34 -0700
From: fc@all.net (Dr. Frederick B. Cohen)
Received: by all.net (4.1/3.2.012693-Management Analytics); id AA15591 for firewalls@greatcircle.com; Thu, 6 Jul 95 06:01:32 EDT
Message-Id: <9507061001.AA15591@all.net>
Subject: Re: Proceedings Now Available - 5th USENIX UNIX Security Symposium
To: firewalls@greatcircle.com
Date: Thu, 6 Jul 1995 06:01:32 -0400 (EDT)
In-Reply-To: <199507060223.AA51985@junkers.lochard.com.au> from "Mark" at Jul 6, 95 01:23:27 pm
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 1386
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> >If you couldn't attend the 5th USENIX UNIX Security Symposium
> >in Salt Lake City, you can now purchase the proceedings. The
> >price is $27 for members and $35 for non-members, and includes
> >domestic and Canadian postage. Please add $11 for overseas
> >postage (air printed matter).
> >
> >You can place your order by fax, phone, or email when using a VISA or
> >Mastercard, or you can mail a check or company purchase order to:
> >
> >USENIX Association                  Phone: 510/528-8649
> >2560 Ninth Street, Ste. 215         Fax 510/548-5738
> >Berkeley, CA 94710                  office@usenix.org
> >
> >Abstracts of the papers below appear in the USENIX Resource
> >Center on the World Wide Web, URL: http://www.usenix.org.
> >If you are a current USENIX member, you will also have access
> >to the full papers.

Talk about blatant commercialism! (%^&)!-

--
-> See: Info-Sec Heaven using our New Super Secure World-Wide-Web Server
-> Free: Test your system's security (scans deeper than SATAN or ISS!)
---------------------- both at URL: http://all.net ---------------------- -> Read: "Protection and Security on the Information Superhighway" John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95 ------------------------------------------------------------------------- Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From firewalls-owner Thu Jul 6 04:22:49 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA23772 for firewalls-outgoing; Thu, 6 Jul 1995 03:06:00 -0700 Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id DAA23734; Thu, 6 Jul 1995 03:05:50 -0700 From: fc@all.net (Dr. Frederick B. Cohen) Received: by all.net (4.1/3.2.012693-Management Analytics); id AA15577 for firewalls@greatcircle.com; Thu, 6 Jul 95 05:59:47 EDT Message-Id: <9507060959.AA15577@all.net> Subject: Re: One Router or Two? To: Brent@GreatCircle.COM (Brent Chapman) Date: Thu, 6 Jul 1995 05:59:46 -0400 (EDT) Cc: firewalls@greatcircle.com In-Reply-To: from "Brent Chapman" at Jul 5, 95 06:48:20 pm X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 2955 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I believe the original poster was contemplating two identical Cisco > routers, rendering this point moot. If one's got a design flaw, the other > will have the same flaw. It's certainly better from this standpoint to have two different routers. > > > In case of configuration errors in one router, the other router > > prevents a breach. > > Not necessarily; not even probably, I don't think. If the same person > configures both, they'll probably make the same error in both > configurations. Even if different people configure them, it's not unlikely > for them to make overlapping mistakes. 
There's a large body of research in > the safety field on supposedly-independent implementations (i.e., two teams > working completely independently to design and build the same > safety-critical system, such as a flight control computer, so that one > version can check the other) that suggests that the same errors get made in > independent implementations far more often than you might expect. Many > (but by no means all) of these errors can be traced back to errors in the > original specification (which is generally _not_ done independently, by > definition; it can't be, since both objects are supposed to be > implementations of the same thing). The question is whether it's more likely that two routers will have complementary misconfigurations or that one router will have a single misconfiguration. The answer is almost universally that it is less likely. The question you bring up has to do with weight, not admissability. > Two routers _can_ be more secure than one, but only if you're very careful. Even if one is not VERY careful, two is generally safer than one - how much safer is an issue to be considered. > There's a lot of theory out there that doesn't hold up in practice. Your comment about theory not holding up is inappropriate to this issue. This is not a matter of some theoretical issue, it is a matter of a real-world issue at many real-world sites which can suffer real-world damage, and a real-world technique that really works. It is advised by, among others, Bellovin and Cheswick, myself, and several manufacturers of quality firewalls. If you think it is all some flawed theory without basis, explain the reason you believe this so that the rest of us can evaluate the weight of your assessments. Don't just make a highly dubious claim that is unsupported and expect people to believe you. -- -> See: Info-Sec Heaven using our New Super Secure World-Wide-Web Server -> Free: Test your system's security (scans deeper than SATAN or ISS!) 
---------------------- both at URL: http://all.net ---------------------- -> Read: "Protection and Security on the Information Superhighway" John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95 ------------------------------------------------------------------------- Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From firewalls-owner Thu Jul 6 05:10:18 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA03413 for firewalls-outgoing; Thu, 6 Jul 1995 04:46:18 -0700 Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id EAA03360 for ; Thu, 6 Jul 1995 04:46:08 -0700 Received: from uucp2.UU.NET by relay3.UU.NET with SMTP id QQyxfb06322; Thu, 6 Jul 1995 07:45:31 -0400 Received: from panynj.UUCP by uucp2.UU.NET with UUCP/RMAIL ; Thu, 6 Jul 1995 07:45:31 -0400 Received: by panynj.gov (DECUS UUCP /2.0/2.0/2.0/); Thu, 6 Jul 95 07:33:21 EDT Date: Thu, 6 Jul 95 07:33:21 EDT Message-Id: <00992EFB3C7E27A0.20803447@panynj.gov> From: sheehan_m@panynj.gov To: firewalls@greatcircle.com X-VMS-Mail-To: WTMAIL::UUCP%"firewalls@greatcircle.com" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I N T E R O F F I C E M E M O R A N D U M Date created: 06-Jul-1995 07:32am EDT Date sent: 06-Jul-1995 07:32am EDT From: Michael J. Sheehan SHEEHAN_M Dept: Information Services Dept. 
Tel No: (212) 435-2011
TO: Remote Addressee ( _UUCP%"FIREWALLS@GREATCIRCLE.COM" )
Subject: ' SUBSCRIBE FIREWALLS

The views expressed in this message are those of the author and do not necessarily reflect official positions of the Port Authority of New York & New Jersey or its subsidiaries

From firewalls-owner Thu Jul 6 05:35:28 1995
Date: Thu, 6 Jul 1995 07:45:44 -0400
From: "Bryan D. Boyle"
To: Steven Johnson - Hukd on Fonix
Cc: firewalls@greatcircle.com
Subject: Re: Free firewall on Linux

On Jul 5, 10:18pm, Steven Johnson - Hukd on Fonix wrote:
> Subject: Re: Free firewall on Linux
> On Wed, 5 Jul 1995, Jeremy wrote:
> > Are there any free firewall s/w on Linux operating system ?
>
> This has popped up several times on this list, as well as others.
> Please e-mail your replies and I will compile them and make a web page
> available in about a week at
> http://www.stpt.usf.edu/~johnson/linux/firewalls.html
> for anyone else if there are sufficient responses.

you are about a year behind...

http://www.access.digex.net/~bdboyle/firewall.vendor.html

--
Bryan D. Boyle           |The Moving Finger writes,and having writ, moves on.
#include                 |Nor all your Piety nor Wit can call it back to cancel
EMAIL: bdboyle@erenj.com |Half a line, or all your tears wash out a Word of it.
--------------------

From firewalls-owner Thu Jul 6 06:05:11 1995
Date: Thu, 6 Jul 1995 08:23:44 -0400 (EDT)
From: William Gianopoulos {84718}
To: Brent@GreatCircle.COM (Brent Chapman)
Cc: js@cctechnol.com, firewalls@GreatCircle.COM
Subject: Re: FAQ

Brent Chapman writes:
>
> At 11:33 AM 7/4/95, Johnie Stafford wrote:
> > I ftp'd to ftp.greatcircle.com and cd'd to /pub/irewalls to get the
> >FAQ. This is what I got from ftp:
> >
> > ftp> get FAQ
> > 200 PORT command successful.
> > 150 Opening BINARY mode data connection for FAQ (30263 bytes).
> > ==>> FAQ: Is a directory
> > 426 Transfer aborted. Data connection closed.
> > 226 Abort successful
> > ftp> cd FAQ
> > ==>> 550 FAQ: Not a directory.
> > ftp>
> >
> > What gives?
>
> I just tried it from an account at an external site that I maintain for
> testing, and it works just fine. I think you've got a broken client.

I think the real problem was that FAQ was a subdirectory of the current working directory on the client machine. Therefore the FTP client was complaining that it could not copy the file FAQ from the remote side to the file FAQ on the local side because FAQ on the local side was a directory.

--
William A. Gianopoulos; Raytheon Electronic Systems
wag@swl.msd.ray.com
--------------------------------------------------------
This is my personal opinion and not that of my employer.

From firewalls-owner Thu Jul 6 06:06:59 1995
Date: Thu, 6 Jul 1995 08:17:49 -0400 (EDT)
From: David Miller
To: Jim Barry
Cc: "'Firewalls Mailing List'", "'Peter Musca'"
Subject: Re: CERN-httpd as a http proxy

On Wed, 5 Jul 1995, Jim Barry wrote:
>
> Hi,
>
> > From: Peter Musca
> > Date: Wed, 5 Jul 1995 13:46:40 +0800 (WST)
> > Subject: CERN-httpd as a http proxy.
> >
> >I am about to replace the http- proxy from the fwtk with the cern-httpd
> >proxy.
> >I want to run it in a chrooted environment and would appreciate any
> >tips, advice etc from anyone who has done this. I am not sure whether I
> >will be building a full blown WWW server as yet, but that may come in the
> >future..
>
> I use cern-httpd in preference to http-gw mainly because it gives more
> meaningful error messages back to the client. I don't understand your desire
> to run the proxy as chroot, as (by definition) it will only be forwarding
> requests to other locations.

Unless, gawd forbid, someone finds a way to break it. With a few meg of source code, this sounds fairly likely to me.

> > I actually run two cern-httpd daemons - one as a 'regular' WWW server and
> > one as a proxy. They coexist peacefully on the one machine.
>

Why two of them? The same server handles both just fine here:)

--- David
----------------------------------------------------------------------------
It's *amazing* what one can accomplish when one doesn't know what one can't do!

From firewalls-owner Thu Jul 6 06:51:46 1995
Date: Thu, 6 Jul 1995 09:28:30 -0400
From: Ted Doty
To: sjg@zen.void.oz.au, smb@research.att.com
Cc: firewalls@GreatCircle.COM
Subject: Re: controlling FTP transfers

On Thu, 6 Jul 1995 14:33:53, Simon J. Gerraty wrote:
> Should we all be doing cryptographic authentication on a
> per-packet basis? This way, I have to break an MD5 key.
> --
> > You got it.
>
> The U.S. is not the only country with restrictive laws about encryption
> tech. Unless of course the encryption is so weak as to be useless.

I can only speak (generally) for the US ITAR (International Trafficking in Arms Restrictions) laws, but there seems to be a big difference between ENCRYPTION and Cryptographic AUTHENTICATION. Yes, I cannot freely export DES (or Triple-DES, or IDEA) from the USA (more specifically, the lower 48 states or Canada; I have no idea what happened to Alaska or Hawaii). However, it seems that I can easily export 512-bit RSA providing I use it for authentication purposes. It is unclear (but fairly likely) that I can export 1024-bit RSA as well (again, for authentication purposes only). As far as I can tell, there are no restrictions on Digital Signature functions, provided they cannot be used to encrypt - this allows MD5 and DSS.

Given this, it seems that we can get a robust, exportable (and from the point of view of other countries, importable and useable) _authentication_ capability, that is impervious (?) to hijacked terminal sessions.

[stuff about Telnet encryption deleted]

> Anyone know how IPng are tackling this?

The IPSec working group is (hopefully) nearing a draft on encryption at the IP layer (similar to SwIPE). While I am not familiar with what they are planning on Digital Signatures, I _know_ that we briefed them on our own technology (Data Privacy Facility) last December. We put this kind of capability in on purpose, because we have customers all over the world.

IPng has in fact specified encryption as an option; unfortunately, they picked the wrong cipher (DES). I fear that the IPSec group will make this mistake as well; just because it is An Internet Standard doesn't mean that the US Government will allow it to be exported, or that other countries (e.g. France) will allow it to be used.
Encryption-less strong authentication, on the other hand, seems widely acceptable to all governments that I've dealt with so far.

> Or is everyone hoping the Phil Zimmerman case and the RSA T-shirt will
> force a change to the laws?

My guess is that my government will not be cowed by T-shirts. I'm not at all convinced that we can't do something extremely useful, even without encryption per se.

--
- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation | phone: +1 301 596-2270
8965 Guilford Road, Suite 250         | fax: +1 410 381-3320
Columbia, MD, 21046 USA               | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental.

From firewalls-owner Thu Jul 6 07:26:16 1995
Date: Thu, 6 Jul 95 08:57 CDT
From: js@cctechnol.com (Johnie Stafford)
To: uupsi2!gbnet.net!jrg
Cc: firewalls@GreatCircle.COM
Subject: Re: Where do I store my mail?
Organization: C & C Technologies, Inc., Lafayette, LA

> On Tue 4 Jul, 1995, js@cctechnol.com (Johnie Stafford) wrote:
> > What do these do and where can I find a description of all the
> >settable parameters?
>
> well, unlike the official line from Sun, I happen to have a copy of
> 'TCP/IP Illustrated Volume 1' by W.Richard Stevens.
> They're listed in the appendix.
>
> The ip_forward_directed_broadcasts value will stop it forwarding a
> directed broadcast, if it receives it from another interface. That
> will stop the 'bad guys' tricking your machine with a broadcast
> packet.
>
> ip_forward_src_routed will stop it forwarding a source routed packet,
> which is independent from normal forwarding (as indeed so it is in BSD
> derived kernels that haven't been 'fixed').

James,

Thanks for the info. Like I said in private e-mail to the guy from Sun that responded to my question, what's the point of a tunable if you don't tell people what it's for? They say that the tunables can change from release to release. Hmmm... that's strange, I thought I got new man pages with each release!

Johnie

From firewalls-owner Thu Jul 6 07:40:10 1995
Date: Thu, 6 Jul 1995 09:18:18 -0500
From: Ken Hardy
To: firewalls@greatcircle.com
Cc: Jeremy@ccm.sns.com.sg
Subject: Re: Free firewall on Linux

> Date: Wed, 5 Jul 1995 21:12:30 +0800
> From: Jeremy
> Subject: Free firewall on Linux
>
>
> Hi,
>
> Are there any free firewall s/w on Linux operating system ?
>
>
> Thanks in advance !
>

Has anyone looked at Freestone yet, the recently announced free version of Brimstone? I've not looked at it yet, though I've been planning to. Per a previous announcement to this list, it's available at:

ftp://ftp.cs.columbia.edu/pub/sos/ (preferred, or)
ftp://ftp.soscorp.com/pub/sos/

The announcement said it currently compiles on SunOS, Solaris, IRIX and BSDI. There may be some porting work to Linux.

-KH

From firewalls-owner Thu Jul 6 08:01:46 1995
Date: Thu, 6 Jul 95 10:04:56 EDT
From: "W.C. Epperson"
To: Martine.Gross@lri.fr (Martine Gross)
Cc: firewalls@greatcircle.com
Subject: Re: Shadow passwds under HP_UX 9.0x

Given:
> [snip]
> We would like to setup shadow passwords with NIS for our network of
> - sun's with SunOS 4.1.3,
> - sun's with Solaris 2.4
> - hp's with HP-UX 9.05
> - sgi's with IRIX 5.2
> [snip]
> But, the problem is with HP.
> HP support told us a bug exists when using /.secure/etc/passwd with
> NIS. It does not work at all and we actually did not succeed to setup the
> functionality of shadow passwd on HPs.
>

According to HP's manual "Installing and Administering NFS Services", that's a _feature_. ;*) Appendix D of that manual discusses the issues involved. The trade-offs have to do with the visibility of encrypted passwords (e.g.
via "ypcat") if they are embedded in the NIS map and with synchronization of passwords across servers when a user changes one if they are not. IMHO, if the passwords are to be visible via ypcat, then the idea of /etc/shadow or /.secure/etc/passwd as a security enhancement is a canard. And if you're going to give up synchronization across all machines in a NIS domain when a user changes a password on one of them, there are simpler ways of distributing accounts than NIS.

And no, I don't think this has to do with firewalls.

--
W.C. Epperson                     "I have great faith in fools.
Senior SE                          Self-confidence, my friends call it."
Information Security Officer                    --Edgar Allan Poe--
DBA Emeritus Curmudgeon-for-Life
Virginia Dept. of Education
epperson@pen.k12.va.us

From firewalls-owner Thu Jul 6 08:01:59 1995
Date: Thu, 6 Jul 1995 09:02:45 -0400 (EDT)
From: Marc Sherman
To: Jeremy
Cc: Firewalls@GreatCircle.COM
Subject: Re: Free firewall on Linux

On Wed, 5 Jul 1995, Jeremy wrote:
>
> Hi,
>
> Are there any free firewall s/w on Linux operating system ?
>

Check out the newsgroup: comp.os.linux.networking

There are a couple of HOWTO's posted there for doing various things on linux. If the firewall HOWTO is not posted, check out comp.os.linux.announce, there is a HOWTO index there that will tell you where you can get it from.
good luck,
..Marc

From firewalls-owner Thu Jul 6 08:12:01 1995
Date: Fri, 7 Jul 1995 00:33:25 +1000 (EST)
From: Darren Reed
To: Firewalls@GreatCircle.COM (Firewalls Mailing List)
Subject: Sending replies to blocked packets.

Many firewalls/firewall software now support sending back those nice ICMP messages saying that the destination host was unreachable. While this is nice for those in and outside, is there any structuring beyond the simple "host unreachable" ? For example, do rules which have a netmask which defines a network return net-unreachables as opposed to one which might block a host (thus host unreachable) or does it return some other error based on what part of the rule it failed at ? And if they're not, should they be trying to send back some sort of informed reply ?

Now whilst the ICMP messages are better than nothing, there are various horror stories about those unreachables...and at Usenix, Bill Cheswick asked if crackers were taking any steps to hide themselves from tools used by network admins which do port scanning - tcpd type access control isn't enough here.

With this last point in mind (sort of a challenge to do it and see what results for firewalling) I've managed to get a packet filter designed and supported which sends out FAKE TCP RSTs instead of ICMP unreachables - if told to. How many RFCs does this break ?
:)

(Note, I haven't seen/heard of anyone else doing this yet with a firewall).

How liberal should/can we be with packet filters answering on behalf of those machines which may or may not exist ?

My justification is that if I block certain TCP SYN packets and send back an RST in reply, not only do I stop the connection and send back a nack, but in using TCP's RST, I can usually effect a much quicker nack response than with ICMPs - and much safer too! I might add, that there is nothing stopping it from being told to generate RSTs for ACKs or FINs or SYN-ACKs.

Comments ?

darren

p.s. I'd have announced/released it already, but thought this should at least have some discussion before being made available.

p.p.s to do this reliably, crackers need to pry into the kernel - I don't think that using bpf/nit/dlpi to see the SYN and send the RST is going to be anywhere near fast enough to beat the SYN-ACK returning (?).

From firewalls-owner Thu Jul 6 08:30:13 1995
Date: Thu, 6 Jul 95 8:15:59 CDT
From: Mohamad A Khatoun
To: FIREWALLS-OWNER%GREATCIRCLE.COM%INTERNET#@geis.geis.com
Cc: firewalls@greatcircle.com
Subject: Re: fwtk smap's problem with this

> Hello all,
>
> I'm running fwtk with smap on my linux machine.
> Last Friday (June 3) at around 17:25, my machine started having problems
> with messages from this mailing list. The subject line of these messages
> all complains about 'too many hops'. It got so bad that by 17:30 Saturday,
> the logs and message queues started filling up my hard disks.
>
> Can anyone help me with the following two questions:
>
>
> 1. What is causing the 'too many hops' error? Is it something on my machine?
> I put my machine back to work by cleaning up the queues and rebooted it.
> 2. How do I prevent my hard disk filling up next time? Is it something
> that I need to configure within smap, sendmail?
>
> Please see the attached returned mail for more detail.
>
> Thanks for any insight.
>

2. Your best bet is to place your mail on a separate file system. This will prevent the whole system from hanging up. Also, some Unix implementations allow you to set disk quotas per user; try that if your OS supports it.

Cheers,
Mohamad

From firewalls-owner Thu Jul 6 08:50:06 1995
From: "Jim Carroll"
Organization: Data General (Canada) Inc.
To: Martine Gross, mg@lri.fr, couret@lri.fr, firewalls-digest@greatcircle.com
Date: Thu, 6 Jul 1995 11:06:54 -0500
Subject: Re: Shadow passwds under HP_UX 9.0x

Rumour has it that on 6 Jul 95 at 9:47, Martine Gross said:
> We would like to setup shadow passwords with NIS for our network of
[schnipp]

And this relates to firewalls how?

--
Jim Carroll - jcarroll@wellspring.us.dg.com
... the usual disclaimers ...
## The more I learn, the less I know.               ##
## Eventually I'll know everything about nothing.   ##

From firewalls-owner Thu Jul 6 09:42:45 1995
Date: Thu, 6 Jul 1995 09:25:19 -0500 (CDT)
From: peter@nmti.com (Peter da Silva)
To: danny@miriworld.its.unimelb.EDU.AU (Daniel O'Callaghan)
Cc: isdmill@gatekeeper.ddp.state.me.us, benjamin@hanover.demon.co.uk, brogers@integctr.com, firewalls@GreatCircle.COM, www-proxy@w3.org
Subject: Re: NNTP caching proxy

> It's on my wish list.
> I don't think it will make it to the *do* list,
> other than maybe hacking CERN proxy server to cache news articles.
> I remember Ari said caching news was bad, but I never understood why,

Control: cancel
Supercedes:

From firewalls-owner Thu Jul 6 09:54:28 1995
Date: Thu, 6 Jul 1995 11:06:55 -0500
From: "Jim Carroll"
Organization: Data General (Canada) Inc.
To: firewalls@greatcircle.com
Cc: fitz@wang.com, fred@bws.com
Subject: Re: ftp-gw problem to ftp.bws.com?

On June 29, Tom Fitzgerald (fitz@wang.com) wrote:
>Funny you should ask..... BWS's ftp server is broken. It fails to accept
>logins unless "USER anonymous\r\n" all fits in a single IP packet. The
>ftp-gw puts the \r\n in a second packet, and ftp.bws.com barfs on it.

Fred Whiteside (fred@bws.com) commented:
> Interesting. ftp.bws.com is (I believe) running a firewall
> package itself; i'll have to contact the vendor to follow up
> on that ...
>
> >I sent messages to postmaster@bws.com and postmaster@ftp.bws.com on 11May95
> >and got no response.
>
> hmmm ... i got nothing; i'll follow up to Tom, and check that
> the postmaster alias is being handled correctly.
>
> -fred

Just thought you'd all like to know.
Fred's comments forwarded to the list with his permission.

--
Jim Carroll - jcarroll@wellspring.us.dg.com
... the usual disclaimers ...
## The more I learn, the less I know.               ##
## Eventually I'll know everything about nothing.   ##

From firewalls-owner Thu Jul 6 10:13:18 1995
Date: Thu, 6 Jul 1995 09:15:21 -0700
From: jwfornataro@calcomp.com (Joseph Fornataro Jr (x2163))
To: firewalls@greatcircle.com
Cc: danny@gmap.leeds.ac.uk
Subject: Re: ip forwarding

> I'm slowly putting together my kit. I've a router which has two ethernet
> interfaces. It's running Solaris 2.3 btw. Does anyone know how to switch
> off ip-forwarding ? And is it the same procedure for Solaris 2.4?
In /etc/rc2.d/S69inet

    numifs=1
    numptptifs=0
    # numifs=`ifconfig -au | grep inet | wc -l`
    # numptptifs=`ifconfig -au | grep inet | egrep -e '-->' | wc -l`

...joe

From firewalls-owner Thu Jul 6 10:36:55 1995
Date: Thu, 06 Jul 1995 13:05:43 -0400
From: Seth Robertson
To: firewalls@greatcircle.com
Cc: cxh@mbadev.mba.com
Subject: Re: fwtk smap's problem with this list

In article <199507051816.LAA04356@mbagate.mba.com> you write:
> 2. How do I prevent my hard disk filling up next time? Is it something
> that I need to configure within smap, sendmail?

I can't help you with smap, but Freestone's (and Brimstone's of course) mail proxy performs checks to make sure that the message does not exceed a maximum size and that the firewall disk is not too full. You should be able to put Freestone's mail software onto an otherwise Freestone-free firewall, if you so desired.
Freestone is available from ftp://ftp.cs.columbia.edu/pub/sos or ftp://ftp.soscorp.com/pub/sos

----
Seth Robertson                      voice: +1 800 SOS UNIX
                                           +1 212 686 5700
SOS Corporation                     fax:   +1 212 686 5703
461 5th Avenue, 16th floor          email: seth@soscorp.com
New York, NY 10017                  http://www.soscorp.com/

From firewalls-owner Thu Jul 6 10:57:03 1995
Date: Thu, 6 Jul 1995 16:56:29 +0100
From: Danny
To: firewalls@greatcircle.com
Cc: danny@gmap15.leeds.ac.uk
Subject: Re: Where do I store my mail

many thanks for many replies so far. They clarify a lot for me. A couple more questions from those.

What I understand so far is that I should alter my mailhost (in /etc/hosts) to point to where I want to store the mail. Is this all I need to do in order to deliver it there? It has been suggested to me that I should setup MX records too. This suggests to me that I need DNS running on my firewall host. Ok, fair enough. I've read some bits in Cheswick and Bellovin which explain how to handle that. Although I am intrigued - if UDP is such a bad idea and DNS uses UDP then a firewall which blocks UDP without thinking is gonna stuff this up.

Anyhow .. my question really is .. if I setup MX records in my DNS server on the firewall, which point to the mailhost machine, then if the link between them goes down, I'm going to be storing mail on my firewall until it comes up again, aren't I? Or have I got this wrong ?
Thanks one and all for your help, Danny From firewalls-owner Thu Jul 6 11:01:21 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA17762 for firewalls-outgoing; Thu, 6 Jul 1995 09:21:22 -0700 Received: from bastion.sentinet.demon.co.uk (sentinet.demon.co.uk [158.152.140.128]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA17753 for ; Thu, 6 Jul 1995 09:21:07 -0700 Received: (from smap@localhost) by bastion.sentinet.demon.co.uk (8.6.12/8.6.12) id AAA29998; Thu, 6 Jul 1995 00:16:03 GMT Received: from server.sentinet.demon.co.uk(192.9.105.100) by bastion.sentinet.demon.co.uk via smap (V1.3) id sma029996; Thu Jul 6 00:15:54 1995 Received: from server.sentinet.demon.co.uk (lyndond@[127.0.0.1]) by server.sentinet.demon.co.uk (8.6.12/8.6.12) with ESMTP id BAA17092; Thu, 6 Jul 1995 01:15:52 +0100 Message-Id: <199507060015.BAA17092@server.sentinet.demon.co.uk> To: Howard Berkowitz cc: firewalls@greatcircle.com Subject: Re: Whadayoucallit? In-reply-to: Your message of "Tue, 04 Jul 1995 14:28:47 EDT." <199507041828.OAA06741@clark.net> Date: Thu, 06 Jul 1995 01:13:21 +0100 From: Lyndon David Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I think that the network between internal router and bastion should also be called DMZ as the internal environment from your own users can be just as hostile as the external one. 
Lyndon From firewalls-owner Thu Jul 6 11:05:12 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA17780 for firewalls-outgoing; Thu, 6 Jul 1995 09:21:35 -0700 Received: from gmap15.leeds.ac.uk (gmap15.leeds.ac.uk [129.11.84.200]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA17755 for ; Thu, 6 Jul 1995 09:21:13 -0700 Received: (from danny@localhost) by gmap15.leeds.ac.uk (8.6.12/8.6.9) id RAA04783; Thu, 6 Jul 1995 17:19:43 +0100 Date: Thu, 6 Jul 1995 17:19:43 +0100 From: Danny Message-Id: <199507061619.RAA04783@gmap15.leeds.ac.uk> To: firewalls@greatcircle.com, pete@ohm.york.ac.uk Subject: Storing mail Cc: danny@gmap15.leeds.ac.uk X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Thankx all for the various answers. Mucho helpful. I set my sendmail's DR flag to be DRmailhost and set mailhost to be an alias for the host I want to store my email on, which will be within my firewall. Having done this I send a mail message from my firewall to another account on this machine, then I get a mailbounce, as the host 'mailhost' cannot be found. Is this simply because I'm not running a DNS server on the firewall yet? If I install DNS on the firewall and set the MX records to point to my mailstore machine, then if the link between the firewall and the mailstore goes down, won't I have mail stored on the firewall? This cannot be good can it? 
Thanks for your comments, danny From firewalls-owner Thu Jul 6 11:12:11 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA17445 for firewalls-outgoing; Thu, 6 Jul 1995 09:13:34 -0700 Received: from picton.eecg.toronto.edu (picton.eecg.toronto.edu [128.100.10.141]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA17440 for ; Thu, 6 Jul 1995 09:13:30 -0700 Received: by picton.eecg.toronto.edu id <26(5)>; Thu, 6 Jul 1995 12:12:40 -0400 Subject: NetBSD firewalls From: David Jones To: firewalls@greatcircle.com Date: Thu, 6 Jul 1995 12:12:37 -0400 X-Mailer: ELM [version 2.3 PL11] Message-Id: <95Jul6.121240edt.26(5)@picton.eecg.toronto.edu> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In response to a recent request for Linux packet filters, have you considered NetBSD/FreeBSD? There are plenty of packet filtering packages available for these systems. I have developed a packet filter for NetBSD that I am willing to let people beta-test. If anyone wants more info, let me know. On the same topic, I recently saw a recall notice for Cisco routers that indicates a vulnerability that permits packets to bypass the filtering. I wonder: is my filter vulnerable? Although the hole was discussed "in the appropriate places", I was not privy to those discussions. Can someone point out the hole, or offer to demonstrate it by putting a packet past a test firewall? -- David Jones, M.A.Sc student, Electronics Group (VLSI), University of Toronto email: dej@eecg.toronto.edu, finger for PGP public key For a good time, telnet torfree.net and log in as `guest'. Click me! 
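On the Cisco filter-bypass David asks about: Brent Chapman's reply later in this digest (Re: One Router or Two?) identifies the reported problem as the handling of artificially tiny and overlapping IP fragments. The following is an added example by the editor of this page, not code from David's NetBSD filter, from Cisco, or from anyone on the list. It models the two checks a packet filter needs so that a TCP rule cannot be sidestepped by fragmentation, in the form later written up in RFC 1858: fragment 0 must carry enough of the TCP header to evaluate every field the policy consults, and a fragment at offset 1 is refused because it would overwrite the flags on reassembly. The policy (only inbound SMTP may open a connection; anything else must be "established"), the Fragment record, the TMIN value and the sample packets are all constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

TCP = 6
TMIN = 16                      # bytes of TCP header fragment 0 must carry: ports, seq, ack, flags
ACK, SYN = 0x10, 0x02
ALLOWED_INBOUND_PORTS = {25}   # constructed policy: only SMTP may be opened from outside


@dataclass
class Fragment:
    """The IP-header fields a filter sees for one fragment, plus its transport bytes."""
    proto: int
    offset: int      # fragment offset in 8-byte units, as carried in the IP header
    more: bool       # "more fragments" flag
    data: bytes      # transport-layer bytes carried by this fragment


def tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header with no options (seq, ack, checksum zeroed)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def fragment(proto: int, data: bytes, size: int) -> List[Fragment]:
    """Split transport bytes into fragments of `size` bytes (a multiple of 8), the way
    a router does when the next hop's MTU is small.  Used only to build test input."""
    if size % 8:
        raise ValueError("fragment size must be a multiple of 8")
    pieces = [data[i:i + size] for i in range(0, len(data), size)]
    return [Fragment(proto, i * size // 8, i < len(pieces) - 1, p)
            for i, p in enumerate(pieces)]


def naive_filter(f: Fragment) -> str:
    """A filter written the 'obvious' way: only fragment 0 carries a TCP header, so only
    fragment 0 is judged, and a field that is not present in it is simply not checked.
    Non-initial fragments are passed for the end host to reassemble."""
    if f.proto != TCP or f.offset != 0:
        return "pass"
    dport: Optional[int] = struct.unpack("!H", f.data[2:4])[0] if len(f.data) >= 4 else None
    flags: Optional[int] = f.data[13] if len(f.data) >= 14 else None
    if dport in ALLOWED_INBOUND_PORTS:
        return "pass"
    if flags is None:
        return "pass"          # WEAKNESS: the flags sit in a later fragment, so the rule below never fires
    return "pass" if flags & ACK else "drop"   # the usual "established" rule


def hardened_filter(f: Fragment) -> str:
    """Same policy plus the RFC 1858 sanity checks, applied before the policy is consulted."""
    if f.proto == TCP:
        if f.offset == 0 and len(f.data) < TMIN:
            return "drop"      # tiny first fragment: the flags cannot be inspected
        if f.offset == 1:
            return "drop"      # would land on bytes 8-15 of the header and overwrite the flags
    return naive_filter(f)


def admitted(filter_fn, frags: List[Fragment]) -> bool:
    """A datagram reaches the host only if every one of its fragments is passed."""
    return all(filter_fn(f) == "pass" for f in frags)


if __name__ == "__main__":
    telnet_syn = tcp_header(40000, 23, SYN)        # constructed: an inbound connection attempt to telnet
    for size in (8, 16):
        frags = fragment(TCP, telnet_syn, size)
        print(f"{size}-byte fragments: naive admits={admitted(naive_filter, frags)}"
              f" hardened admits={admitted(hardened_filter, frags)}")
```

Checking offset-0 length against TMIN rather than against the full 20-byte header is deliberate: 16 bytes is exactly enough to see ports, sequence numbers and the flag byte, and the offset-1 rule closes the remaining gap, so legitimate 16-byte-or-larger fragments still pass. Any filter that is allowed to see only fragment 0 needs both checks; neither vendor-diversity nor a second router helps if both boxes skip them, which is Brent's point.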
From firewalls-owner Thu Jul 6 11:25:25 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA17730 for firewalls-outgoing; Thu, 6 Jul 1995 09:20:23 -0700
Received: from oxygen.house.gov (oxygen.house.gov [137.18.128.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA17725 for ; Thu, 6 Jul 1995 09:20:21 -0700
Received: by oxygen.house.gov (AIX 3.2/UCB 5.64/3.2.083191-) id AA18794; Thu, 6 Jul 1995 12:17:22 -0400
From: dorian@oxygen.house.gov (Dorian Deane)
Message-Id: <9507061617.AA18794@oxygen.house.gov>
Subject: Re: controlling cern-httpd-proxy
To: danny@miriworld.its.unimelb.EDU.AU (Daniel O'Callaghan)
Date: Thu, 6 Jul 1995 12:17:21 -0400 (EDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Daniel O'Callaghan" at Jul 6, 95 01:49:12 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 655
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Before you say Pass http://* say
>
> # Block access to porno
> Map http://www.cnam.fr/* /nono.html
> Map http://intertain-inc.com/xxx/* /nono.html
>
> /nono.html may or may not exist, depending on what action you wish to take.
> Having it not exist is probably easiest.
>
> D.
>

A minor point: if your intent is to limit all access to pornography, this is not a solution that scales well on the Internet. If your intent is to limit access to only sites that contain work-related items, then it doesn't scale at all.

The usual refrain here is that this is more of a management/social issue--something that's hard to fix with technology.
dorian From firewalls-owner Thu Jul 6 11:53:52 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA20430 for firewalls-outgoing; Thu, 6 Jul 1995 10:27:21 -0700 Received: from ns.dknet.dk (ns.dknet.dk [193.88.44.42]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA20412 for ; Thu, 6 Jul 1995 10:27:08 -0700 Received: from stamlink by ns.dknet.dk with UUCP id AA28418 (5.65c8/IDA-1.4.4j for firewalls@greatcircle.com); Thu, 6 Jul 1995 19:26:12 +0200 Received: by stamlink.kampsax.dk (1.38.193.4/KxD-1994.10.18-KRS) id AA20124; Thu, 6 Jul 1995 13:23:19 -0400 To: firewalls@greatcircle.com Path: rokke.kampsax.dk!krs From: krs@kampsax.dk (Karsten Spang) Newsgroups: dk.kampsax.lists.firewalls Subject: Multiple "anonymous" FTP accounts Date: 6 Jul 1995 17:23:19 GMT Organization: Kampsax Data, Denmark Lines: 22 Distribution: world Message-Id: <3th667$jkq@stamlink.kampsax.dk> Nntp-Posting-Host: rokke.kampsax.dk X-Charset: ASCII X-Char-Esc: 29 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello Maybe this question is a bit off-topic on the firewalls list, but related anyway... I want to have a number of accounts to be used only for FTP access. Each of them should chroot to their own directory trees. In other words I would like to have different logins like the anonymous one, but password protected. Is this possible with standard methods? With a tcp wrapper? I want to set this up on an Ultrix machine, or perhaps a Linux.  Thanks, Karsten -- Karsten Spang Snail Mail: Kampsax Data E-mail: krs@kampsax.dk P.O. 
Box 1142 Phone: +45 36 39 07 88 DK-2650 Hvidovre Fax: +45 36 77 03 01 Denmark From firewalls-owner Thu Jul 6 11:58:46 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA23493 for firewalls-outgoing; Thu, 6 Jul 1995 11:23:28 -0700 Received: from ix3.ix.netcom.com (ix3.ix.netcom.com [199.182.120.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA23486 for ; Thu, 6 Jul 1995 11:23:25 -0700 Received: from by ix3.ix.netcom.com (8.6.12/SMI-4.1/Netcom) id LAA09571; Thu, 6 Jul 1995 11:21:35 -0700 Date: Thu, 6 Jul 1995 11:21:35 -0700 Message-Id: <199507061821.LAA09571@ix3.ix.netcom.com> From: clp2@ix.netcom.com (Carol pollard ) Subject: TIS Gauntlet Firewall Info.... To: Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Currently challenged with selecting a firewall product, I would greatly appreciate any comments, both positive and negative, about TIS Gauntlet firewall product. Anyone out there currently using this product? Anyone evaluate it, but decide against it? Why? Thanks..... From firewalls-owner Thu Jul 6 12:04:40 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA24972 for firewalls-outgoing; Thu, 6 Jul 1995 11:45:34 -0700 Received: from erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA24960 for ; Thu, 6 Jul 1995 11:45:29 -0700 Posted-Date: Thu, 6 Jul 1995 14:44:35 -0400 From: "Bryan D. Boyle" Message-Id: <9507061444.ZM16075@maverick.erenj.com> Date: Thu, 6 Jul 1995 14:44:35 -0400 In-Reply-To: dorian@oxygen.house.gov (Dorian Deane) "Re: controlling cern-httpd-proxy" (Jul 6, 12:17pm) References: <9507061617.AA18794@oxygen.house.gov> X-Phone: (908) 730-3338 X-Saying: Strange problems call for strange solutions. 
X-Face: "Pd&4kXWsi"3Hc_Y~I-ts24DN$w~Hh)&L-P9DZvE"~_~m),~Y&N_]TUIM*4.r@z$SxVL]}v=+IP>Fuq{zx%{KKj"Kys1Q5{|m*l}:[T;N:/=@5[xOIpR$%skp$f0#6^j\1+ -?l%Yk/+S8Y!3J@{~!Ao4-COV:Ft}{]oZ&1=!@<>UIh2s X-Mailer: Z-Mail (3.2.1 10apr95) To: dorian@oxygen.house.gov (Dorian Deane) Subject: Re: controlling cern-httpd-proxy Cc: firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Jul 6, 12:17pm, Dorian Deane wrote: > Subject: Re: controlling cern-httpd-proxy > > Before you say Pass http://* say > > > > # Block access to porno > > Map http://www.cnam.fr/* /nono.html > > Map http://intertain-inc.com/xxx/* /nono.html > > > > /nono.html may or may not exist, depending on what action you wish to take. > > Having it not exist is probably easiest. > > > > D. > > > > A minor point: if your intent is to limit all access to pornography, > this is not a solution that scales well on the Internet. If your > intent is to limit access to only sites that contain work-related > items, then it doesn't scale at all. > > The usual refrain here is that this is more of a management/social > issue--something that's hard to fix with technology. However, it does tend to make the users sit up and take notice when the nono.html file restates the company policy when users try for the more egregious sites that probably don't have a business use. You won't capture everything. You don't have to keep track of each little dirty photo. You just enforce the policy, and occasionally remind the users that their access is a privilege, and use may be monitored. -- Bryan D. Boyle |The Moving Finger writes,and having writ, moves on. #include |Nor all your Piety nor Wit can call it back to cancel EMAIL: bdboyle@erenj.com |Half a line, or all your tears wash out a Word of it. 
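The "Before you say Pass http://* say Map ..." advice at the top of this thread is a rule-ordering point: the proxy walks its rule file top to bottom, so a Map placed after a catch-all Pass is never reached. The block below is an added example by this page's editor, not CERN httpd code and not anything posted to the list; it models that walk over the three rules quoted in the thread (plus a Fail verb CERN httpd also has, which the thread does not use) and shows what happens when the same lines are put in the wrong order. The sequential semantics (Map rewrites and continues, Pass accepts and stops, a URL that reaches the end is treated as a local document) are the example's reading of how the thread uses the directives, and example.org is a constructed hostname.

```python
import re
from typing import List, Optional, Tuple

Rule = Tuple[str, str, Optional[str]]

# Constructed rule set in the order Daniel recommends: Map lines before the catch-all Pass.
RULES_MAP_FIRST: List[Rule] = [
    ("Map",  "http://www.cnam.fr/*",           "/nono.html"),
    ("Map",  "http://intertain-inc.com/xxx/*", "/nono.html"),
    ("Pass", "http://*",                       None),
]
# The same three lines with Pass first: every http:// URL is passed before a Map is consulted.
RULES_PASS_FIRST: List[Rule] = [RULES_MAP_FIRST[2], RULES_MAP_FIRST[0], RULES_MAP_FIRST[1]]


def glob_match(pattern: str, url: str) -> Optional[re.Match]:
    """Match a CERN-style template in which only '*' is a wildcard.  Hostnames are
    case-insensitive, so the comparison is too; a case-sensitive match would let
    http://WWW.CNAM.FR/ walk past a rule written in lower case."""
    regex = "(.*)".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, url, re.IGNORECASE)


def apply_rules(url: str, rules: List[Rule]) -> Tuple[str, str]:
    """Walk the rules top to bottom and return (disposition, final URL).

    Map rewrites the URL and keeps going; Pass accepts and stops; Fail refuses and
    stops.  A URL that reaches the end without a Pass is served as a local document,
    which (as Daniel notes) may simply not exist.
    """
    for verb, pattern, target in rules:
        m = glob_match(pattern, url)
        if m is None:
            continue
        if verb == "Map":
            # A '*' in the target receives whatever the pattern's '*' matched.
            url = target.replace("*", m.group(1)) if m.groups() else target
            continue
        if verb == "Pass":
            return ("proxied", url)
        if verb == "Fail":
            return ("refused", url)
    return ("local", url)


if __name__ == "__main__":
    for label, rules in (("Map first", RULES_MAP_FIRST), ("Pass first", RULES_PASS_FIRST)):
        print(label, apply_rules("http://www.cnam.fr/some/page.html", rules))
```

With the rules in the recommended order the request is rewritten to /nono.html and never proxied; with Pass first it is proxied untouched, and the two Map lines are dead configuration. Dorian's and Bob's objections stand unchanged: this matches strings, so the same host reached under another name or by IP address is not caught. The code shows the ordering mechanics, not a content-control solution.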
--------------------

From firewalls-owner Thu Jul 6 12:08:48 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA16061 for firewalls-outgoing; Thu, 6 Jul 1995 08:52:40 -0700
Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA16056 for ; Thu, 6 Jul 1995 08:52:37 -0700
Received: from mail.orkand.com by relay1.UU.NET with SMTP id QQyxfr25010; Thu, 6 Jul 1995 11:51:46 -0400
Received: from ccMail by mail.orkand.com (SMTPLINK V2.10.03) id AA805056590; Thu, 06 Jul 95 11:47:12 EST
Date: Thu, 06 Jul 95 11:47:12 EST
From: "Michael L. Sapp"
Encoding: 44 Text
Message-Id: <9506068050.AA805056590@mail.orkand.com>
To: firewalls@GreatCircle.COM, gregg@interaccess.com (Gregg Rosenberg)
Subject: Re: Protocol difference based firewalls and Novell
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Gregg has said...

>Many existing Novell clients want to give their desktop clients access to
>the Internet. They propose to use protocol isolation techniques to protect
>their production systems. The notion is allow IPX on the inside and IP on
>the outside. Using separate NICs in the Novell server. Firefox and
>numerous other products are claiming this to be an effective firewall.
>This in my mind only addresses part of the requirements for a firewall.

The protocol isolation certainly only comprises part of the overall Netware firewalling environment. Naturally, as you have indicated, you will have to make some policy and control judgements that will allow the appropriate level of security. A screening router is a very useful addition to this type of firewall as well.

>The question is how can these systems be compromised (or a safer variation
>for the list are they vulnerable.) I can see some exposures. If server
>services like FTP or NFS are run they could expose supposedly secure
>resources. Clearly a user could run a server service on their desktop if
>policy, control, and auditing did not protect against this. Any other
>thoughts are appreciated

Don't run ANY server processes on the machine used for the protocol conversion. Any processes run on servers behind the firewall can hide behind the IPX protocol. NOV*IX offers functionality to shut off the ability to run local server processes on desktop PC's (with the caveat that it will reduce the ability to offer any interior services to the outside). Challenges will exist in getting many important services to run properly through the protocol conversion (e-mail for example).

>The question could be answered in a Novell specific context; however, I see
>possible greater value to the list in examining the broader issues of
>protocol isolation.

I, for one, would be happy to see it treated in both a Novell and Non-Novell context.

All for now,
-Mike

Opinions my own...

From firewalls-owner Thu Jul 6 12:24:01 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA20562 for firewalls-outgoing; Thu, 6 Jul 1995 10:29:36 -0700
Received: from guardian.EnGarde.com (dialin-41.wustl.edu [128.252.112.41]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA20557 for ; Thu, 6 Jul 1995 10:29:32 -0700
Received: (from mcn@localhost) by guardian.EnGarde.com (8.6.12/8.6.9) id MAA11847; Thu, 6 Jul 1995 12:27:37 -0500
Date: Thu, 6 Jul 1995 12:27:37 -0500
From: Mike Neuman
Message-Id: <199507061727.MAA11847@guardian.EnGarde.com>
To: smb@research.att.com
Subject: Re: controlling FTP transfers
Cc: mjr@iwi.com, firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In article <199507060131.SAA25813@miles.greatcircle.com>, smb@research.att.com writes:
>Yup (though the hijacked terminal attack in 95-01 was a local-machine
>affair).

Take a look at TTY-Watcher. It uses the hijacked terminal attack to allow sysadmins to monitor, log, and control users. Of course, it can also be used maliciously, but so can any security tool.

ftp://coast.cs.purdue.edu/pub/tools/unix/ttywatcher

> It looks like this might allow a hacker into your net as an
> authenticated user, unless I'm being paranoid (if I am being
> paranoid, I refuse to apologize; they PAY me to be
> paranoid).
>
>No ``might'' about it. See Joncheray's paper from the last UNIX Security
>Symposium, or Mike Neumann's ``Watcher'' paper.

The IP-Watcher paper is rough at the moment. The best source of information is to look at the WWW pages:

http://nad.infostructure.com/watcher.html

They describe the attack pretty thoroughly (as well as our IP-Watcher product which uses the attack to monitor and control network users--it's essentially the network version of TTY-Watcher).

-Mike Neuman
mcn@EnGarde.com
En Garde Systems
Computer Security Software and Consulting

From firewalls-owner Thu Jul 6 12:51:24 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA20820 for firewalls-outgoing; Thu, 6 Jul 1995 10:32:46 -0700
Received: from TIS.COM (neptune.tis.com [192.94.214.96]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA20798 for ; Thu, 6 Jul 1995 10:32:40 -0700
Received: from relay.tis.com by neptune.TIS.COM id aa20578; 6 Jul 95 13:18 EDT
Received: from pluto.tis.com(192.94.214.99) by relay.tis.com via smap (g3.0.1) id xma012815; Thu, 6 Jul 95 13:18:19 -0400
Received: by tis.com (4.1/SMI-4.1) id AA09085; Thu, 6 Jul 95 13:21:43 EDT
From: Marcus J Ranum
Message-Id: <9507061721.AA09085@tis.com>
Subject: ITAR braindamage
To: firewalls@greatcircle.com
Date: Thu, 6 Jul 1995 13:21:43 -0400 (EDT)
Reply-To: mjr@iwi.com
Organization: Information Works! Inc, Baltimore, MD
Url: mjr's web page
Phone: 410-889-8569
Coredump: Infocalypse Now!!!
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1005
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ted Doty writes:
>purposes only). As far as I can tell, there are no restrictions on Digital
>Signature functions, provided they cannot be used to encrypt - this allows
>MD5 and DSS.

What's crazy, of course, is that most modern cryptosystems (that we know about!) are built around functions that are difficult to invert. That really *IS* the cryptosystem. MD5, in order to be a good hashing function, is difficult to invert.

It's trivial to turn a strong cryptographic hashing function into a strong encryption system. A simple example would be taking a key, and running it through MD5. Then you run the first 64 bits of /dev/zero through it, yielding a 64 bit hash code. Xor that with the first 64 bits of the file and transmit them. Take the next 64 bits of the file, re-run the previous 64 bit hash through MD5 and keep Xoring and hashing. That's not as strong a way of doing it as some (like Feistel net ciphers) but it's pretty strong.

With respect to ITAR, the emperor truly has no clothes.

mjr.

From firewalls-owner Thu Jul 6 13:23:17 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA27884 for firewalls-outgoing; Thu, 6 Jul 1995 12:28:23 -0700
Received: from mail.llu.edu (mail.LLU.EDU [151.112.2.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA27878 for ; Thu, 6 Jul 1995 12:28:20 -0700
Received: from brent.llu.edu (brent.llu.edu [151.112.1.2]) by mail.llu.edu (8.6.12/8.6.12) with ESMTP id MAA00449; Thu, 6 Jul 1995 12:27:18 -0700
Received: (from bboyko@localhost) by brent.llu.edu (8.7.Beta.5/8.7.Beta.3) id MAA04683; Thu, 6 Jul 1995 12:27:10 -0700
From: "Brent E.
Boyko" Message-Id: <199507061927.MAA04683@brent.llu.edu> Subject: Re: Multiple "anonymous" FTP accounts To: krs@kampsax.dk (Karsten Spang) Date: Thu, 6 Jul 1995 12:27:10 -0700 (PDT) Cc: firewalls@greatcircle.com In-Reply-To: <3th667$jkq@stamlink.kampsax.dk> from "Karsten Spang" at Jul 6, 95 05:23:19 pm X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Hello > > Maybe this question is a bit off-topic on the firewalls list, but related > anyway... > > I want to have a number of accounts to be used only for FTP access. Each > of them should chroot to their own directory trees. In other words I > would like to have different logins like the anonymous one, but password > protected. > > Is this possible with standard methods? With a tcp wrapper? > I want to set this up on an Ultrix machine, or perhaps a Linux. > This should be possible with the "guestgroups" option in wu-ftpd 2.4. Details are in the ftpaccess.5 man page included with the source distribution. The distribution is available from wuarchive.wustl.edu or your friendly neighborhood mirror site. Hope this helps. -- Brent E. 
Boyko Telecom Engineer Loma Linda University Medical Center bboyko@brent.llu.edu 909-824-4321 From firewalls-owner Thu Jul 6 13:23:17 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA26864 for firewalls-outgoing; Thu, 6 Jul 1995 12:17:41 -0700 Received: from amisk.cs.ualberta.ca (amisk.cs.ualberta.ca [129.128.13.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA26852 for ; Thu, 6 Jul 1995 12:17:36 -0700 Received: by amisk.cs.ualberta.ca id <138794-4>; Thu, 6 Jul 1995 13:16:50 -0600 Subject: Re: controlling cern-httpd-proxy From: Bob Beck To: dorian@oxygen.house.gov (Dorian Deane) Date: Thu, 6 Jul 1995 13:16:38 -0600 (MDT) Cc: danny@miriworld.its.unimelb.EDU.AU, firewalls@GreatCircle.COM In-Reply-To: <9507061617.AA18794@oxygen.house.gov> from "Dorian Deane" at Jul 6, 95 12:17:21 pm X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 951 Message-Id: <95Jul6.131650-0600_(mdt).138794-4@amisk.cs.ualberta.ca> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > > Before you say Pass http://* say > > > > # Block access to porno > > Map http://www.cnam.fr/* /nono.html > > Map http://intertain-inc.com/xxx/* /nono.html > > .... > > A minor point: if your intent is to limit all access to pornography, > this is not a solution that scales well on the Internet. If your > intent is to limit access to only sites that contain work-related > items, then it doesn't scale at all. > > The usual refrain here is that this is more of a management/social > issue--something that's hard to fix with technology. > Not to mention the fact that by doing the above you may be setting yourself up for potential legal problems. I.E. 
since you've now made a regular business practice of what could be called "making the net safe for your porn-sensitive users" you now may be able to be held responsible if someone at your site does come across porn elsewhere on the net (which they certainly can and will).

-Bob

From firewalls-owner Thu Jul 6 13:23:50 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA24587 for firewalls-outgoing; Thu, 6 Jul 1995 11:37:28 -0700
Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA24582; Thu, 6 Jul 1995 11:37:25 -0700
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 6 Jul 1995 11:37:06 -0800
To: emwmf@emw.ericsson.se (Martin Fredriksson)
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: Proceedings Now Available - 5th USENIX UNIX Security Symposium
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 3:55 PM 7/6/95, Martin Fredriksson wrote:
>Mailing you directly to keep this uninitiated question of the list:
>
>What is "the coast server"?

ftp://coast.cs.purdue.edu
http://www.cs.purdue.edu/coast

From their introductory document:

COAST -- Computer Operations, Audit, and Security Technology -- is a multiple project, multiple investigator effort in computer security research. It is intended to function with close ties to researchers and engineers in major companies and government agencies. We focus our research on real-world needs and limitations. Our goal is to develop strategic associations leading to mutual benefit over several years rather than cultivate "throw it over the wall" sponsors. The effort within COAST builds on an established record of innovation and success.
Personnel associated with COAST have designed and developed many widely-used tools and techniques in computer security, operating systems, and software engineering. We also have experience with several long-term collaborations with commercial firms and government agencies. This experience and focus will aid us in identifying a research agenda of interest both to the academic community and to the community of practitioners. >Reason I ask is that I was at the Symposium (I found it VERY >informative!) and I'm currently writing a report about it to distribute >internally at my company. It would be really nice if I could refer to >on-line copies of the papers in this report, so I would like to get >hold of them electronically. > >Note that I don't want this out of economical reasons, but it's just >more convenient if people can download papers themselves. Could you >please tell me if you feel this is wrong (from Copyright or Usenix >standpoint), and if so I won't try do it. As I understand it, USENIX asserts a compilation copyright on the whole proceedings. That means you can't copy the proceedings as a whole. Each author retains copyright over their individual paper; if they choose to make it available over the WWW, so be it and it's fine to access it that way. 
-Brent

----------------------------------------------------------------------
For info about the Internet Security Firewalls Tutorial and a schedule of
upcoming dates, please send email to Tutorial-Info@GreatCircle.COM
----------------------------------------------------------------------
Brent Chapman                                   Great Circle Associates
Brent@GreatCircle.COM                           1057 West Dana Street
+1 415 962 0841                                 Mountain View, CA 94041

From firewalls-owner Thu Jul 6 13:54:37 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA23296 for firewalls-outgoing; Thu, 6 Jul 1995 11:18:40 -0700
Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA23291; Thu, 6 Jul 1995 11:18:35 -0700
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 6 Jul 1995 11:18:17 -0800
To: Mark.Broadbent@Aus.Sun.COM (Mark Broadbent - Partner Training Manager - Sun Australia), mark_kadrich@ins.com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: One Router or Two?
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 9:21 AM 7/6/95, Mark.Broadbent@Aus.Sun.COM (Mark Broadbent - Partner Training M wrote:
>My understanding of the use of two routers was that
>they should be from different manufacturers, so that the
>site was not vulnerable to a single security hole that might
>be discovered in any one type of network device.

Yes, that's the theory. However, they're both filtering routers; even when done independently by different vendors, there are going to be a lot of things that end up being done the same way. For instance, take a look at Cisco's recent reported problems with handling of fragmented IP packets (i.e., artificially tiny fragments and overlapping fragments).
Several vendors probably have (or had) the same problem, because they'd done their fragment filtering code in much the same "obvious" way that Cisco did. >The two routers will require different filter configurations. >This will reduce the chance that a mis-configuration of filters >will open a hole into the organisation. Again, that's the theory. However, filtering configuration languages for various platforms are more similar than different. If someone makes a mistake in programming one platform (especially if the mistake is more of a "conceptual" problem, where they don't fully understand the consequences or implications of something they're doing), the chances are very good that they'll make the same mistake in configuring the other platform. Don't get me wrong; I'm not saying "two routers are no more secure than one". Two _can_ be more secure than one, but two are not _automatically_ more secure than one; it takes careful consideration and implementation to make real the potential increases in security of a dual-router configuration. FYI, the reason I normally show dual-router configurations in my classes is because they're simpler conceptually, not necessarily because they're more secure. I show one router handling traffic between the perimeter net and the internal net, and the other router handling traffic between the perimeter net and the world. Once we've gone through the dual-router architecture in some detail, then we discuss an equivalent single-router architecture as a variation. 
-Brent ---------------------------------------------------------------------- For info about the Internet Security Firewalls Tutorial and a schedule of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM ---------------------------------------------------------------------- Brent Chapman Great Circle Associates Brent@GreatCircle.COM 1057 West Dana Street +1 415 962 0841 Mountain View, CA 94041 From firewalls-owner Thu Jul 6 15:09:23 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA02522 for firewalls-outgoing; Thu, 6 Jul 1995 13:39:05 -0700 Received: from scruz.net (nic.scruz.net [165.227.1.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA02517 for ; Thu, 6 Jul 1995 13:39:02 -0700 Received: from histar2.ezunx.com by scruz.net (8.6.9/1.34) id NAA02259; Thu, 6 Jul 1995 13:38:25 -0700 Date: Thu, 6 Jul 95 13:42:31 PDT From: Rich Subject: Firewall Plus To: firewalls@greatcircle.com X-Mailer: Chameleon ENGP1, TCP/IP for Windows, NetManage Inc. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Looking for comments on those who may have worked with/play with/heard of Firewall Plus? Dos Based. (Comments?) I have been playing with it, but not extensively yet, and was looking for info/comments on anyone else's doings with the product. ADVANCE Rich Fitzgerald ~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^ "....I hope life is not a big joke, cause I don't get it..." 
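Before the two replies that follow, here is the hash-to-stream-cipher construction Marcus Ranum sketched above (ITAR braindamage), written out as runnable code so the argument can be checked. It is an added example by this page's editor, not code from Marcus, from TIS or from anyone on the list. Two details are this example's own reading of the sketch rather than its text: the hashed key is fed back into every step (otherwise the keystream after the first block would not depend on the key at all, and one known plaintext block would give away the rest), and an optional nonce is added so the same key can serve more than one message. The `keystream_reuse_leak` helper shows why that matters for the "pseudo one-time pad" idea raised in the next reply. The key, nonce and messages are constructed for the example.

```python
import hashlib
from typing import Iterator

BLOCK = 8   # 64-bit keystream blocks, as in the post


def keystream(key: bytes, nonce: bytes = b"") -> Iterator[bytes]:
    """Yield 64-bit keystream blocks in output-feedback style.

    As sketched: the key goes through MD5 once; the first block is the hash of
    64 zero bits ("the first 64 bits of /dev/zero"); each later block is the hash
    of the previous 64-bit output.  Feeding the hashed key (and the nonce) into
    every step is this example's addition, not part of the original sketch.
    """
    k = hashlib.md5(key).digest()
    prev = bytes(BLOCK)
    while True:
        prev = hashlib.md5(k + nonce + prev).digest()[:BLOCK]
        yield prev


def xor_crypt(key: bytes, data: bytes, nonce: bytes = b"") -> bytes:
    """XOR the data with the keystream, 64 bits at a time.  XOR is its own
    inverse, so the same call both encrypts and decrypts."""
    out = bytearray()
    ks = keystream(key, nonce)
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        out.extend(a ^ b for a, b in zip(chunk, next(ks)))   # zip stops at the short last chunk
    return bytes(out)


def keystream_reuse_leak(key: bytes, p1: bytes, p2: bytes, nonce: bytes = b"") -> bool:
    """Return True if XORing two ciphertexts made under the same key and nonce
    yields the XOR of the two plaintexts: the classic failure of any 'one-time
    pad' whose pad is used twice, and the reason a nonce is needed here."""
    c1 = xor_crypt(key, p1, nonce)
    c2 = xor_crypt(key, p2, nonce)
    n = min(len(p1), len(p2))

    def xor(a: bytes, b: bytes) -> bytes:
        return bytes(x ^ y for x, y in zip(a[:n], b[:n]))

    return xor(c1, c2) == xor(p1, p2)


if __name__ == "__main__":
    key, nonce = b"constructed demo key", b"message-0001"
    msg = b"With respect to ITAR, the emperor truly has no clothes."
    ct = xor_crypt(key, msg, nonce)
    assert xor_crypt(key, ct, nonce) == msg
    print(ct.hex())
    print("same key+nonce used twice leaks p1^p2:",
          keystream_reuse_leak(key, b"attack at dawn", b"defend at dusk"))
```

This is a block cipher's OFB mode with the "block cipher" replaced by a keyed hash, which is what makes Marcus's point: the export line between "hash" and "cipher" is a few lines of XOR. Two practical caveats follow from the code rather than from the post. The stream is only as good as the hash (MD5 is no longer a sound choice for new designs), and the scheme provides no integrity at all: flipping a ciphertext bit flips the same plaintext bit, so a MAC over the ciphertext is needed in any real use.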
From firewalls-owner Thu Jul 6 15:14:09 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA01449 for firewalls-outgoing; Thu, 6 Jul 1995 13:22:25 -0700
Received: from Csli.Stanford.EDU (Csli.Stanford.EDU [36.9.0.46]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA01440 for ; Thu, 6 Jul 1995 13:22:21 -0700
Received: from Csli.Stanford.EDU (localhost.Stanford.EDU [127.0.0.1]) by Csli.Stanford.EDU (8.6.11/8.6.11) with ESMTP id NAA10337; Thu, 6 Jul 1995 13:21:39 -0700
Message-Id: <199507062021.NAA10337@Csli.Stanford.EDU>
To: mjr@iwi.com
cc: firewalls@GreatCircle.COM
Subject: Re: ITAR braindamage
In-reply-to: Your message of Thu, 06 Jul 1995 13:21:43 EDT. <9507061721.AA09085@tis.com>
Date: Thu, 06 Jul 1995 13:21:37 -0700
From: Christian Wettergren
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

| It's trivial to turn a strong cryptographic hashing function
| into a strong encryption system. A simple example would be taking a
| key, and running it through MD5. Then you run the first 64 bits of
| /dev/zero through it, yielding a 64 bit hash code. Xor that with the
| first 64 bits of the file and transmit them. Take the next 64 bits
| of the file, re-run the previous 64 bit hash through MD5 and keep
| Xoring and hashing. That's not as strong a way of doing it as some (like
| Feistel net ciphers) but it's pretty strong.

Or why not use it as a (pseudo-)random cryptographic mask? Then it'll be a (pseudo-)one-time-pad. And they cannot forbid the use of XOR, can they? (Not being a cryptographer, though.)
/Christian Wettergren

From firewalls-owner Thu Jul 6 15:31:49 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA01877 for firewalls-outgoing; Thu, 6 Jul 1995 13:27:41 -0700
Received: from kgbvax.network.com (kgbvax.network.com [129.191.202.58]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA01866 for ; Thu, 6 Jul 1995 13:27:36 -0700
Received: (from ted@localhost) by kgbvax.network.com (8.6.9/8.6.9) id QAA12267; Thu, 6 Jul 1995 16:26:12 -0400
Date: Thu, 6 Jul 1995 16:26:12 -0400
From: Ted Doty
Message-Id: <199507062026.QAA12267@kgbvax.network.com>
To: mjr@iwi.com, firewalls@greatcircle.com
Subject: Re: ITAR braindamage
In-Reply-To: Mail from 'Marcus J Ranum ' dated: Thu, 6 Jul 1995 13:21:43 -0400 (EDT)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 6 Jul 1995 13:21:43, Marcus J Ranum wrote:

Ted Doty writes:
>purposes only). As far as I can tell, there are no restrictions on Digital
>Signature functions, provided they cannot be used to encrypt - this allows
>MD5 and DSS.

It's trivial to turn a strong cryptographic hashing function into a strong encryption system.

[lots of interesting stuff about crypto deleted]

You are correct. However, the State Department (Office of Export Controls) will allow the export of all of this provided that it cannot (easily) be turned into an encryption system. As a vendor, this means that I don't give you source code or API info for the hash functions. I guess that our government hopes that nobody has a compiler and a copy of _Applied_Cryptography_, but this isn't a technical issue.

With respect to ITAR, the emperor truly has no clothes.

Granted, but as an attorney friend of mine says, "it's the law; it doesn't have to make sense." Just because you can download PGP from Finland (heck, we did it to take a look at an IDEA implementation), our government is trying to hoist Phil Zimmerman from a yardarm. And they're NOT trying to do this to Bruce Schneier. Go fig.
--
- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation    | phone: +1 301 596-2270
8965 Guilford Road, Suite 250            | fax: +1 410 381-3320
Columbia, MD, 21046 USA                  | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental.

From firewalls-owner Thu Jul 6 15:35:47 1995
From: ddill@junix.ju.edu (Daniel Dill)
Message-Id: <9507062204.AA12486@junix.ju.edu>
Subject: Re: One Router or Two?
To: firewalls@greatcircle.com
Date: Thu, 6 Jul 1995 18:04:35 -0400 (EDT)

Two. If for no other reason than that it may take extra time and activity to get through the second, giving you a greater chance to notice the breach.

Regards,
Daniel
--
Daniel L. Dill          Ultimately, the strongest argument for the people to retain the right to keep and bear
ddill@junix.ju.edu      arms, is to protect themselves against tyranny in government.
--Thomas Jefferson

From firewalls-owner Thu Jul 6 16:05:53 1995
Date: 06 Jul 95 18:47:02 EDT
From: Julie Ann Connary <73203.2236@compuserve.com>
To: firewalls
Subject: cisco packet filter firewall
Message-ID: <950706224702_73203.2236_DHI28-2@CompuServe.COM>

Hi,

I have succeeded in maybe creating my firewall too tight. I am using a cisco 4500 (Version 10.3 code) with packet filtering in and out. I can DNS query the Internet fine, FTP, send mail from my mail server etc. The problem is MCI says they cannot DNS query my name server. My inbound access-list allows both UDP and TCP from any host on the internet to my name server on port 53. It also allows tcp from any host to my nameserver established.

According to CISCO this should work fine. But until I remove the filter it doesn't.

Has anyone experienced anything like this?

The filters look as follows :

access-list 101 permit udp 0.0.0.0 255.255.255.255 205.138.144.36 0.0.0.0 eq 53
access-list 101 permit tcp 0.0.0.0 255.255.255.255 205.138.144.36 0.0.0.0 eq 53
access-list 101 permit tcp 0.0.0.0 255.255.255.255 205.138.144.36 0.0.0.0 established

Thanks

Julie Ann

From firewalls-owner Thu Jul 6 16:36:55 1995
Message-Id: <9507062323.AA05962@calvin>
To: Firewalls@GreatCircle.COM
Subject: Re: Whadayoucallit?
Date: Thu, 06 Jul 1995 18:23:56 -0500
From: "John T. Horn"

How about "Inner DMZ" and "Outer DMZ" ...

>------------------------------
>
>From: Lyndon David
>
>I think that the network between internal router and
>bastion should also be called DMZ as the internal
>environment from your own users can be just as hostile
>as the external one.
>
>Lyndon
>
>------------------------------

From firewalls-owner Thu Jul 6 16:55:40 1995
Date: Thu, 6 Jul 1995 08:40:12 -0600
From: Firewall mailing list
Message-Id: <199507061440.IAA04131@virtual.cuc.ab.ca>
To: firewalls@GreatCircle.COM
Subject: Livingston Firewall/Portmaster mailing list?

i am in the process of setting up an internet site that is using a Livingston Firewall router and a Portmaster terminal server. is there a mailing list out there where people engaged in such tasks can exchange information?

From firewalls-owner Thu Jul 6 17:05:03 1995
From: mccurley@cs.sandia.gov (Kevin S. McCurley)
Message-Id: <9507062328.AA25966@work.cs.sandia.gov.noname>
Subject: Re: controlling FTP transfers (fwd)
To: firewalls@greatcircle.com
Date: Thu, 6 Jul 1995 17:28:14 -0600 (MDT)

Forwarded message:
> As far as I can tell, there are no restrictions on Digital Signature
> functions, provided they cannot be used to encrypt - this allows MD5
> and DSS.

To say that there are "no restrictions" is not exactly accurate, since in fact there ARE restrictions on the export of cryptographic hash functions from the U.S., but the restrictions are fairly minor. Specifically, I requested an advisory from the department of commerce as to the export status for the Secure Hash Algorithm (SHA), that is very similar to MD5. The response was that it required an export license for a short list of countries that the U.S. government claims are involved in terrorism. As a result of these restrictions, I concluded that I could not put my SHA code up for anonymous ftp.

By the way, to be accurate, MD5 is not a digital signature - you get that from using MD5 in combination with something like RSA or DSA.

Kevin McCurley

From firewalls-owner Thu Jul 6 17:34:40 1995
Date: Thu, 6 Jul 1995 17:24:46 -0800
To: Firewall mailing list , firewalls@GreatCircle.COM
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: Livingston Firewall/Portmaster mailing list?

At 8:40 AM 7/6/95, Firewall mailing list wrote:
>i am in the process of setting up an internet site that is using a
>Livingston Firewall router and a Portmaster terminal server.
>is there a mailing list out there where people engaged in such
>tasks can exchange information?

portmaster-users-request@livingston.com

-Brent
----------------------------------------------------------------------
For info about the Internet Security Firewalls Tutorial and a schedule
of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM
----------------------------------------------------------------------
Brent Chapman                   Great Circle Associates
Brent@GreatCircle.COM           1057 West Dana Street
+1 415 962 0841                 Mountain View, CA 94041

From firewalls-owner Thu Jul 6 17:36:34 1995
From: brian@ilinx.ilinx.com (Brian J. Murrell)
Date: Thu, 6 Jul 1995 16:54:19 -0700 (PDT)
Subject: Re[2]: ip forwarding
To: jwfornataro@calcomp.com
Cc: firewalls@greatcircle.com, danny@gmap.leeds.ac.uk
Reply-To: brian@ilinx.bctel.net

from the quill of jwfornataro@calcomp.com (Joseph Fornataro Jr (x2163)) on scroll <9507061615.AA00620@sys02.mis.calcomp.com>

> I'm slowly putting together my kit. I've a router which has two ethernet
> interfaces. It's running Solaris 2.3 btw. Does anyone know how to switch
> off ip-forwarding ? And is it the same procedure for Solaris 2.4?

In /etc/rc2.d/S69inet

numifs=1
numptptifs=0
# numifs=`ifconfig -au | grep inet | wc -l`
# numptptifs=`ifconfig -au | grep inet | egrep -e '-->' | wc -l`

At the very end of the file after the system has done what it thinks is right, put the following...

ndd -set /dev/ip ip_forwarding 0

That will turn off IP forwarding no matter what else was done with it earlier in the file.

b.

--
Brian J. Murrell                    InterLinx Support Services, Inc.
brian@ilinx.com                     North Vancouver, B.C.
brian@ilinx.bctel.net
brian@wimsey.com                    Internet Security and Connectivity
From firewalls-owner Thu Jul 6 18:04:30 1995
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9507070151.AA24986@hawksbill.sprintmrn.com>
Subject: xdmcp info
To: firewalls@greatcircle.com (Firewalls List)
Date: Thu, 6 Jul 1995 20:50:59 -0500 (EST)

Quick question, semi-relevant to firewalls:

Would anyone happen to know where one could find a detailed description of xdmcp (udp/177) and its functions?

Thanks,

- paul
_______________________________________________________________________________
Paul Ferguson                      US Sprint
Managed Network Engineering        tel: 703.689.6828
Reston, Virginia USA               internet: paul@hawk.sprintmrn.com
                                   http://www.sprintmrn.com

From firewalls-owner Thu Jul 6 18:12:46 1995
Date: Thu, 6 Jul 1995 17:31:50 -0800
To: fc@all.net (Dr. Frederick B. Cohen), firewalls@greatcircle.com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: Proceedings Now Available - 5th USENIX UNIX Security Symposium

At 6:01 AM 7/6/95, Dr. Frederick B. Cohen wrote:
>> >If you couldn't attend the 5th USENIX UNIX Security Symposium
>> >in Salt Lake City, you can now purchase the proceedings. The
>> >price is $27 for members and $35 for non-members, and includes
>> >domestic and Canadian postage. Please add $11 for overseas
>> >postage (air printed matter).
>
>Talk about blatant commercialism! (%^&)!-

USENIX is a non-profit organization. Crawl back into your hole, Fred.

-Brent
----------------------------------------------------------------------
For info about the Internet Security Firewalls Tutorial and a schedule
of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM
----------------------------------------------------------------------
Brent Chapman                   Great Circle Associates
Brent@GreatCircle.COM           1057 West Dana Street
+1 415 962 0841                 Mountain View, CA 94041

From firewalls-owner Thu Jul 6 18:18:57 1995
From: smb@research.att.com
Message-Id: <199507062349.QAA12741@miles.greatcircle.com>
To: Brent@GreatCircle.COM (Brent Chapman)
cc: Mark.Broadbent@Aus.Sun.COM (Mark Broadbent - Partner Training Manager - Sun Australia), mark_kadrich@ins.com, firewalls@GreatCircle.COM
Subject: Re: One Router or Two?
Date: Thu, 06 Jul 95 19:48:07 EDT

Yes, that's the theory. However, they're both filtering routers; even when done independently by different vendors, there are going to be a lot of things that end up being done the same way. For instance, take a look at Cisco's recent reported problems with handling of fragmented IP packets (i.e., artificially tiny fragments and overlapping fragments). Several vendors probably have (or had) the same problem, because they'd done their fragment filtering code in much the same "obvious" way that Cisco did.

Never mind the ``probably''; I know of at least two other vendors who had the same problem.

FYI, the reason I normally show dual-router configurations in my classes is because they're simpler conceptually, not necessarily because they're more secure. I show one router handling traffic between the perimeter net and the internal net, and the other router handling traffic between the perimeter net and the world. Once we've gone through the dual-router architecture in some detail, then we discuss an equivalent single-router architecture as a variation.

Whether or not there's a real security advantage depends on the details on how the routers do filtering. A two-port router has two possible traffic flows, and two of them together have four. A three-port router has six possible flows, so you're dealing with a configuration that's inherently more complex. If the filter setup is sensitive to the number of flows, you do have a worse situation.
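The two fragment cases named above (artificially tiny first fragments, and fragments that overlap the transport header) as a filter check, added here as an example and not code from any post or from any vendor's filtering code. It applies the two RFC 1858 rules to parsed IPv4 headers; the 16-byte minimum is an assumption of this example (it is the first 8-byte boundary past the TCP flags byte), and the sample packets are constructed.

```python
import struct

IPPROTO_TCP = 6
# Assumption: a first fragment must carry at least 16 bytes of TCP header so that
# the flags byte (offset 13) is present; 16 is the next 8-byte fragment boundary.
TCP_MIN_FIRST = 16


def ipv4_header(proto, ident, offset, mf, payload):
    """Constructed test packets: a minimal IPv4 header (no options, zero checksum)."""
    flags_off = (0x2000 if mf else 0) | (offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off,
                      64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload


def parse_ipv4(pkt):
    """Pull out the fields a fragment filter has to look at."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, ident, flags_off, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("malformed IPv4 header")
    return {"id": ident, "proto": proto, "mf": bool(flags_off & 0x2000),
            "offset": flags_off & 0x1FFF,          # in 8-byte units
            "payload_len": total_len - ihl}


def fragment_verdict(pkt):
    """Return (action, reason) for one packet, applying the two RFC 1858 rules.

    A filter that only inspects the first fragment can be fooled by a first
    fragment too short to hold the TCP flags, or by a fragment at offset 1 that
    overwrites the flags during reassembly; both are dropped here.
    """
    h = parse_ipv4(pkt)
    if not h["mf"] and h["offset"] == 0:
        return "permit", "not a fragment"
    if h["proto"] != IPPROTO_TCP:
        return "permit", "non-TCP fragment (outside these rules)"
    if h["offset"] == 0 and h["payload_len"] < TCP_MIN_FIRST:
        return "deny", "tiny first fragment: TCP flags not present (id %d)" % h["id"]
    if h["offset"] == 1:
        return "deny", "fragment offset 1 overlaps the TCP header (id %d)" % h["id"]
    return "permit", "later fragment"


def filter_log(packets):
    """Run a batch and return the (id, reason) pairs a router would log as denied."""
    denied = []
    for pkt in packets:
        action, reason = fragment_verdict(pkt)
        if action == "deny":
            denied.append((parse_ipv4(pkt)["id"], reason))
    return denied


# constructed sample traffic
SAMPLE = [
    ipv4_header(IPPROTO_TCP, 1, 0, False, bytes(20)),  # whole TCP segment
    ipv4_header(IPPROTO_TCP, 2, 0, True, bytes(8)),    # 8-byte first fragment
    ipv4_header(IPPROTO_TCP, 3, 1, False, bytes(8)),   # fragment at offset 1
    ipv4_header(IPPROTO_TCP, 4, 2, False, bytes(8)),   # ordinary later fragment
    ipv4_header(17, 5, 0, True, bytes(8)),             # UDP, not covered by the rules
]
```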
From firewalls-owner Thu Jul 6 18:31:40 1995
Date: Fri, 7 Jul 1995 10:35:04 +1000 (EST)
From: "Daniel O'Callaghan"
To: Peter da Silva
cc: isdmill@gatekeeper.ddp.state.me.us, benjamin@hanover.demon.co.uk, brogers@integctr.com, firewalls@GreatCircle.COM, www-proxy@w3.org
Subject: Re: NNTP caching proxy
In-Reply-To: <9507061425.AA29568@sonic.nmti.com.nmti.com>

On Thu, 6 Jul 1995, Peter da Silva wrote:

> > Its on my wish list. I don't think it will make it to the *do* list,
> > other than maybe hacking CERN proxy server to cache news articles.
> > I remember Ari said caching news was bad, but I never understood why,
>
> Control: cancel
> Supersedes:

Both of which can be handled by appropriate use of a GET If-modified-since type pragma in the caching algorithm.
Danny

From firewalls-owner Thu Jul 6 18:41:15 1995
Date: Thu, 6 Jul 95 15:06 PDT
From: James_Dehnert@optilink.optilink.dsccc.com
Message-Id: <9507061506.ZM2273@earth>
In-Reply-To: jwfornataro@calcomp.com (Joseph Fornataro Jr (x2163)) "Re: ip forwarding" (Jul 6, 11:44am)
References: <9507061615.AA00620@sys02.mis.calcomp.com>
X-Pgp-Print: 91 FE 2F C5 9F B3 ED 9F F9 CD C6 7F 87 FF F6 6E
To: firewalls@GreatCircle.COM
Subject: Re: ip forwarding

Ok, we now have 2 Solaris 2 options for killing IP forwarding.

Exactly how is it done in SunOS 4.1.*?

--
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=++=+=+=+=+=+=+=+
= James "Zeke" Dehnert              Zeke_Dehnert@optilink.dsccc.com =
+ Unix Network Administrator        (707) 792-7000                  +
= DSC Access Products Div.          Petaluma California             =
+ The opinions represented herein are not necessarily those of DSC  +
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+==+=+=+=+=+=+=+=+=+=+=+=+=+=+=

From firewalls-owner Thu Jul 6 18:57:52 1995
Date: Thu, 6 Jul 1995 17:13:01 -0800
To: Julie Ann Connary <73203.2236@compuserve.com>, firewalls
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: cisco packet filter firewall

At 6:47 PM 7/6/95, Julie Ann Connary wrote:
>Hi,
>
> I have succeeded in maybe creating my firewall too tight. I am
>using a cisco 4500 (Version 10.3 code) with packet filtering in and out. I can
>DNS query the Internet fine, FTP, send mail from my mail server etc. The problem
>is MCI says they cannot DNS query my name server. My inbound access-list
>allows both UDP and TCP from any host on the internet to my name server on port
>53. It also allows tcp from any host to my nameserver established.
>
>According to CISCO this should work fine. But until I remove the filter it
>doesn't.
>
>Has anyone experienced anything like this?
>
>The filters look as follows :
>
>access-list 101 permit udp 0.0.0.0 255.255.255.255 205.138.144.36 0.0.0.0 eq 53
>access-list 101 permit tcp 0.0.0.0 255.255.255.255 205.138.144.36 0.0.0.0 eq 53
>access-list 101 permit tcp 0.0.0.0 255.255.255.255 205.138.144.36 0.0.0.0 established
>
>Thanks
>
>Julie Ann

Without seeing your whole filter list (I'm not suggesting you should post your full filtering list to a mailing list with tens of thousands of subscribers you don't know), I can't tell if this is really the problem or not, but here goes...

What about your outbound access list? Does it allow the answers from your name server back out to the site making the query? "Inbound" versus "outbound" for packet filtering refers to packets, not services. An inbound service (MCI doing a query against your DNS server, for example) will involve both inbound packets (the queries from MCI to your server) and outbound packets (the answers from your server back to MCI).

Also, is there anything else in the access-list before what you've shown us that might deny the packets before they ever get as far as the rules you've shown?
-Brent
----------------------------------------------------------------------
For info about the Internet Security Firewalls Tutorial and a schedule
of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM
----------------------------------------------------------------------
Brent Chapman                   Great Circle Associates
Brent@GreatCircle.COM           1057 West Dana Street
+1 415 962 0841                 Mountain View, CA 94041

From firewalls-owner Thu Jul 6 18:59:56 1995
Date: Fri, 7 Jul 1995 09:53:13 +1000 (EST)
From: Rodney Campbell
To: Julie Ann Connary <73203.2236@compuserve.com>
Cc: firewalls
Subject: Re: cisco packet filter firewall
In-Reply-To: <950706224702_73203.2236_DHI28-2@CompuServe.COM>

On 6 Jul 1995, Julie Ann Connary wrote:
> Hi,
>
> I have succeeded in maybe creating my firewall too tight. I am
> using a cisco 4500 (Version 10.3 code) with packet filtering in and out. I can
> DNS query the Internet fine, FTP, send mail from my mail server etc. The problem
> is MCI says they cannot DNS query my name server. My inbound access-list
> allows both UDP and TCP from any host on the internet to my name server on port
> 53. It also allows tcp from any host to my nameserver established.
>
> According to CISCO this should work fine. But until I remove the filter it
> doesn't.
>
> Has anyone experienced anything like this?
>
> The filters look as follows :
>
> access-list 101 permit udp 0.0.0.0 255.255.255.255 205.138.144.36 0.0.0.0 eq 53
> access-list 101 permit tcp 0.0.0.0 255.255.255.255 205.138.144.36 0.0.0.0 eq 53
> access-list 101 permit tcp 0.0.0.0 255.255.255.255 205.138.144.36 0.0.0.0 established
>
> Thanks
>
> Julie Ann

This is fine (and the established line is NOT needed for DNS to work)

You will probably also need something like:

! Allow Traffic to udp ports greater than 1023 For things like DNS queries
access-list 130 permit udp EVERYWHERE EVERYWHERE_MASK DNS BLANK_MASK gt 1023

You may also want to look at your outbound filter and check that you are allowing outbound UDP (at least from this host and at least to port 53 for all internet hosts) - if the Internet hosts want to do name transfers you will also need to allow outbound TCP traffic from your name server.

Rodney...

Rodney Campbell                 |Email : Rodney.Campbell@Telstra.com.au
Telstra Corp. Ltd               |Snail : Locked Bag 6634, Sydney 2001, Australia.
Information Technology Group    |      : Level 1, 18-20 Orion Rd, Lane Cove West.
Network Systems                 |Phone : +61 (0)2 911 3123  Fax: +61 2 911 3199
                                | http://www.telstra.com.au/rodney/rodney.html

From firewalls-owner Thu Jul 6 19:05:17 1995
From: "Jack Stewart"
Message-Id: <9507061707.ZM25471@loki.is.macsch.com>
Date: Thu, 6 Jul 1995 17:07:22 -0700
In-Reply-To: Julie Ann Connary <73203.2236@compuserve.com> "cisco packet filter firewall" (Jul 6, 6:47pm)
References: <950706224702_73203.2236_DHI28-2@CompuServe.COM>
To: Julie Ann Connary <73203.2236@compuserve.com>
Subject: Re: cisco packet filter firewall
Cc: firewalls

On Jul 6, 6:47pm, Julie Ann Connary wrote:
> I have succeeded in maybe creating my firewall too tight. I am
> using a cisco 4500 (Version 10.3 code) with packet filtering in and out.

Check and make sure that you are running 10.3(3) of Cisco's code. There is a bug in 10.3(2) and 10.3(1) which might allow for unauthorized access with the use of the established keyword.

>
> The filters look as follows :
>
> access-list 101 permit udp 0.0.0.0 255.255.255.255 205.138.144.36 0.0.0.0 eq 53
> access-list 101 permit tcp 0.0.0.0 255.255.255.255 205.138.144.36 0.0.0.0 eq 53
> access-list 101 permit tcp 0.0.0.0 255.255.255.255 205.138.144.36 0.0.0.0 established
>

You need to filter in both directions. That which is not explicitly allowed will be denied. If you are using the above filter list for both incoming and outgoing filter you are going to have problems.

Also, in version 10.3 of Cisco's code you can filter on both source and destination port. And there are now keywords "any" and host and service names that you can use. A sample filter list for what you want to do might look like this:

no access-list 101
access-list 101 deny tcp 205.138.144.0 0.0.0.255 any
access-list 101 permit udp any gt 1023 host 205.138.144.36 eq domain
access-list 101 permit tcp any gt 1023 host 205.138.144.36 eq domain
access-list 101 permit udp any eq domain host 205.138.144.36 gt 1023
access-list 101 permit tcp any eq domain host 205.138.144.36 gt 1023 established
access-list 101 permit tcp any eq telnet host 205.138.144.36 gt 1023 established
no access-list 112
access-list 112 permit udp host 205.138.144.36 gt 1023 any eq domain
access-list 112 permit tcp host 205.138.144.36 gt 1023 any eq domain
access-list 112 permit udp host 205.138.144.36 eq domain any gt 1023
access-list 112 permit tcp host 205.138.144.36 eq domain any gt 1023
access-list 112 permit tcp host 205.138.144.36 gt 1023 any eq telnet
interface Ethernet 1
ip access-group 101 in
ip access-group 112 out

This will also block ip spoofing attempts. You will probably want to add to this list and block any attempts to reach X11/Openwindows ports. There is also a range option that you can use to limit source or destination ports.

Hope this helps.
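A small evaluator for the access-list syntax used in this thread, added here as an example and not code from any of the posts or from cisco. It parses both the wildcard-mask form Julie Ann posted and the any/host/eq/gt/range/established form in the sample list above, applies first-match with the implicit deny, and replays an inbound DNS query and its outbound answer through a constructed outbound list that says nothing about UDP answers, then through the same list extended with permits for answers to port 53 and to ports above 1023. The client address 198.51.100.7, port 3042 and list number 102 are constructed.

```python
import ipaddress

PORT_NAMES = {"domain": 53, "telnet": 23}   # service names used in this thread


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(toks, i):
    """Address term: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD' (1 bits = don't care)."""
    if toks[i] == "any":
        return (lambda ip: True), i + 1
    if toks[i] == "host":
        want = int(ipaddress.IPv4Address(toks[i + 1]))
        return (lambda ip, w=want: ip == w), i + 2
    addr = int(ipaddress.IPv4Address(toks[i]))
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(toks[i + 1]))
    return (lambda ip, a=addr, m=mask: (ip & m) == (a & m)), i + 2


def _parse_port(toks, i):
    """Optional port operator following an address term."""
    if i < len(toks) and toks[i] in ("eq", "gt", "lt"):
        v = _port(toks[i + 1])
        ops = {"eq": lambda p: p == v, "gt": lambda p: p > v, "lt": lambda p: p < v}
        return ops[toks[i]], i + 2
    if i < len(toks) and toks[i] == "range":
        lo, hi = _port(toks[i + 1]), _port(toks[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    return (lambda p: True), i


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [op] DST [op] [established]' lines.

    Comments ('!'), 'no access-list' and interface commands are skipped; the
    result is {list_number: [rules in the order written]}.
    """
    lists = {}
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 5 or toks[0] != "access-list" or toks[2] not in ("permit", "deny"):
            continue
        num, action, proto = toks[1], toks[2], toks[3]
        src, i = _parse_addr(toks, 4)
        sport, i = _parse_port(toks, i)
        dst, i = _parse_addr(toks, i)
        dport, i = _parse_port(toks, i)
        lists.setdefault(num, []).append(
            (action, proto, src, sport, dst, dport, "established" in toks[i:]))
    return lists


def packet(proto, src, sport, dst, dport, ack=False):
    return {"proto": proto, "src": int(ipaddress.IPv4Address(src)), "sport": sport,
            "dst": int(ipaddress.IPv4Address(dst)), "dport": dport, "ack": ack}


def evaluate(rules, pkt):
    """First matching rule wins; cisco's implicit deny applies when none matches."""
    for action, proto, src, sport, dst, dport, established in rules:
        if proto not in ("ip", pkt["proto"]):
            continue
        if not (src(pkt["src"]) and dst(pkt["dst"])):
            continue
        if not (sport(pkt["sport"]) and dport(pkt["dport"])):
            continue
        if established and not pkt["ack"]:   # 'established' needs ACK (or RST) set
            continue
        return action
    return "deny"


# Julie Ann's inbound list, plus two constructed outbound lists: one that only
# lets established TCP leave, and one extended with permits for DNS answers.
INBOUND = """
access-list 101 permit udp 0.0.0.0 255.255.255.255 205.138.144.36 0.0.0.0 eq 53
access-list 101 permit tcp 0.0.0.0 255.255.255.255 205.138.144.36 0.0.0.0 eq 53
access-list 101 permit tcp 0.0.0.0 255.255.255.255 205.138.144.36 0.0.0.0 established
"""
OUTBOUND_TOO_TIGHT = """
! constructed: nothing here matches a UDP answer leaving the name server
access-list 102 permit tcp 205.138.144.36 0.0.0.0 0.0.0.0 255.255.255.255 established
"""
OUTBOUND_FIXED = OUTBOUND_TOO_TIGHT + """
access-list 102 permit udp 205.138.144.36 0.0.0.0 0.0.0.0 255.255.255.255 eq 53
access-list 102 permit udp 205.138.144.36 0.0.0.0 0.0.0.0 255.255.255.255 gt 1023
"""


def dns_exchange(outbound_text, client="198.51.100.7", client_port=3042):
    """Replay a resolver query and its answer: returns (query_verdict, answer_verdict)."""
    acl_in, acl_out = parse_acl(INBOUND)["101"], parse_acl(outbound_text)["102"]
    query = packet("udp", client, client_port, "205.138.144.36", 53)
    answer = packet("udp", "205.138.144.36", 53, client, client_port)
    return evaluate(acl_in, query), evaluate(acl_out, answer)
```

Running the sample list above through the same evaluator also shows that a query arriving from another name server's own port 53 matches neither "gt 1023" line and falls to the implicit deny, a case worth checking before copying the list.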
---Jack
--
Jack Stewart                         #include
Communications Administrator         email: jack.stewart@macsch.com
MacNeal-Schwendler Corporation       fax: 213-259-3838

From firewalls-owner Thu Jul 6 19:04:49 1995
From: smb@research.att.com
Message-Id: <199507070158.SAA19006@miles.greatcircle.com>
To: Brent@GreatCircle.COM (Brent Chapman)
cc: emwmf@emw.ericsson.se (Martin Fredriksson), firewalls@GreatCircle.COM
Subject: Re: Proceedings Now Available - 5th USENIX UNIX Security Symposium
Date: Thu, 06 Jul 95 21:56:23 EDT

>Reason I ask is that I was at the Symposium (I found it VERY
>informative!) and I'm currently writing a report about it to distribute
>internally at my company. It would be really nice if I could refer to
>on-line copies of the papers in this report, so I would like to get
>hold of them electronically.
>
>Note that I don't want this out of economical reasons, but it's just
>more convenient if people can download papers themselves. Could you
>please tell me if you feel this is wrong (from Copyright or Usenix
>standpoint), and if so I won't try to do it.

As I understand it, USENIX asserts a compilation copyright on the whole proceedings. That means you can't copy the proceedings as a whole. Each author retains copyright over their individual paper; if they choose to make it available over the WWW, so be it and it's fine to access it that way.

A complete set of electronic copies of the papers are available to Usenix members, I believe. Individual authors explicitly retain the right to make their own papers available via the Web or ftp.
From firewalls-owner Thu Jul 6 19:41:06 1995
Date: Fri, 7 Jul 1995 05:15:05 +0300 (IDT)
From: Rafi Sadowsky
To: James_Dehnert@optilink.optilink.dsccc.com
Cc: firewalls@greatcircle.com
Subject: Re: ip forwarding
In-Reply-To: <9507061506.ZM2273@earth>

there is no official way - one would be to add an ip filter ( I can't remember where to get off the top of my head - sorry ) & filter these packets

another is an unofficial kernel patch from sun which junks IP source routed packets ( you probably also want to turn off IP forwarding in the kernel config file ) sending an ICMP unreachable back ( this is for SunOS 4.1 )

I got the patch from util.uhcc.hawaii.edu:/pub/security/source-routing-patch.tar.Z
[didn't check if it's still there though - it was a while ago]

Enjoy,
Rafi
--
Rafi Sadowsky  rafi@tavor.openu.ac.il  [postmaster@openu.ac.il]  FAX: +972-3-6460744

On Thu, 6 Jul 1995 James_Dehnert@optilink.optilink.dsccc.com wrote:
> Ok, we now have 2 Solaris 2 options for killing IP forwarding.
>
> Exactly how is it done in SunOS 4.1.*?
>
>
> --
> +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=++=+=+=+=+=+=+=+
> = James "Zeke" Dehnert              Zeke_Dehnert@optilink.dsccc.com =
> + Unix Network Administrator        (707) 792-7000                  +
> = DSC Access Products Div.          Petaluma California             =
> + The opinions represented herein are not necessarily those of DSC  +
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+==+=+=+=+=+=+=+=+=+=+=+=+=+=+=
>

From firewalls-owner Thu Jul 6 20:04:46 1995
Message-Id: <9507070447.AA7734@cscmail.csc.com>
To: firewalls
Cc: Julie Ann Connary <73203.2236@compuserve.com>
From: David Madole/TMG/CSC
Date: 6 Jul 95 21:57:30 EDT
Subject: Re: cisco packet filter firewall

>I have succeeded in maybe creating my firewall too tight. I am
>using a cisco 4500 (Version 10.3 code) with packet filtering in and out. I can DNS
>query the Internet fine, FTP, send mail from my mail server etc. The problem
>is MCI says they cannot DNS query my name server. My inbound access-list
>allows both UDP and TCP from any host on the internet to my name server on port
>53. It also allows tcp from any host to my nameserver established.

>access-list 101 permit udp 0.0.0.0 255.255.255.255 205.138.144.36 0.0.0.0 eq 53
>access-list 101 permit tcp 0.0.0.0 255.255.255.255 205.138.144.36 0.0.0.0 eq 53
>access-list 101 permit tcp 0.0.0.0 255.255.255.255 205.138.144.36 0.0.0.0 established

It looks like this is the inbound filter and you didn't include the outbound filter, but I'd say that's where your problem is.
You're probably getting the queries in, but not letting the responses back out. Responses out will be to port 53 if from another server, or to a random high port (1024-65535) if from a resolver. You'll need to add something like this to your outbound filters: access-list 102 permit udp 205.138.144.36 0.0.0.0 0.0.0.0 255.255.255.255 eq 53 access-list 102 permit udp 205.138.144.36 0.0.0.0 0.0.0.0 255.255.255.255 gt 1023 You may have some security concerns with this as well, which can be resolved using nameservers both inside and outside the firewall (see Cheswick et al for details) although this is not strictly necessary. By the way, DNS only uses TCP for zone transfers, so unless you are running a secondary nameserver on the other side of your firewall, you do not need (or want) the permit TCP lines in the filter. Feel free to mail me offline if you have other questions. We've been using packet filtering firewalls here for several years. Dave From firewalls-owner Thu Jul 6 21:39:50 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA25585 for firewalls-outgoing; Thu, 6 Jul 1995 21:21:06 -0700 Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id VAA25580 for ; Thu, 6 Jul 1995 21:21:01 -0700 From: fc@all.net (Dr. Frederick B. Cohen) Received: by all.net (4.1/3.2.012693-Management Analytics); id AA22856 for firewalls@greatcircle.com; Thu, 6 Jul 95 23:27:01 EDT Message-Id: <9507070327.AA22856@all.net> Subject: one or two To: firewalls@greatcircle.com Date: Thu, 6 Jul 1995 23:27:01 -0400 (EDT) X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 2037 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk SMB's comments about the increased complexity of multiple routers were interesting, but the analysis is too shallow to really reveal the underlying issues. As I said earlier, certain issues go to weight, not validity - and this is one of them. 
To get a better sense of the issue, you might try analyzing the impact of two routers by assuming (based on empirical evidence) that various things go wrong with various frequencies, including syndromes of configuration errors, novel attacks, hardware failures, design flaws, common mode failures, and other such things.

It is naive to say that just because a single hardware failure will expose the entire internal network when only a single router is in place, a dual router configuration is superior. The mere fact that a single design flaw might impact both routers is not adequate to evaluate the value of having two routers, and neither is the increased complexity of maintaining two routers. None of these points address the issue of weight, which is ultimately the factor in this context which balances with the increased cost of two routers in making cost effective protection decisions.

If we trusted every system, we would not need routers at all. You could use a single two-interface computer and make all decisions within. Since we don't trust every (or more properly any) system, we have to address the question of how much redundancy is enough, and in order to analyze this effectively, we have to understand failure modes, their patterns of abuse and repair, etc.

--
-> See: Info-Sec Heaven using our New Super Secure World-Wide-Web Server
-> Free: Test your system's security (scans deeper than SATAN or ISS!)
---------------------- both at URL: http://all.net ----------------------
-> Read: "Protection and Security on the Information Superhighway"
   John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95
-------------------------------------------------------------------------
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236

From firewalls-owner Thu Jul 6 22:04:44 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA26027 for firewalls-outgoing; Thu, 6 Jul 1995 21:45:00 -0700
Received: from access.mbnet.mb.ca (access.mbnet.mb.ca [130.179.16.143]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id VAA25966 for ; Thu, 6 Jul 1995 21:44:49 -0700
Received: by access.mbnet.mb.ca id AA21232 (5.67b/IDA-1.4.4 for firewalls@greatcircle.com); Thu, 6 Jul 1995 22:48:59 -0500
Date: Thu, 6 Jul 1995 22:48:59 -0500 (CDT)
From: Oliver Friedrichs
To: firewalls@greatcircle.com
Subject: SunScreen + Fragmented packets
In-Reply-To: <199507062349.QAA12741@miles.greatcircle.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 6 Jul 1995 smb@research.att.com wrote:

>       reported problems with handling of fragmented IP packets
>       (i.e., artificially tiny fragments and overlapping
>       fragments). Several vendors probably have (or had) the same
>       problem, because they'd done their fragment filtering code in
>       much the same "obvious" way that Cisco did.
>
> Never mind the ``probably''; I know of at least two other vendors who
> had the same problem.

On the subject of fragmented packets again, Sun's new SunScreen claims to have an IP Fragment cache; my only guess is that they safely defragment and reassemble the fragments for the internal network.

They also claim that SunScreen doesn't run any standard OS. Looks to me like it's a packet filter which spoofs addresses both ways (in and out), and which also supports encryption.

- Oliver

From firewalls-owner Thu Jul 6 22:34:28 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA26652 for firewalls-outgoing; Thu, 6 Jul 1995 21:49:43 -0700
Received: from gw2.att.com (gw2.att.com [192.20.239.134]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id VAA26647 for ; Thu, 6 Jul 1995 21:49:38 -0700
Received: from vodka.sse.att.com (vodka.gc.att.com) by ig1.att.att.com id AA10004; Thu, 6 Jul 95 10:28:30 EDT
Message-Id: <9507061428.AA10004@ig1.att.att.com>
From: mdr@vodka.sse.att.com
Subject: Re: chroot & CERN httpd
To: vlabra@ub4b.eunet.be (Provincie Vlaams Brabant)
Date: Thu, 6 Jul 1995 10:35:50 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199507060706.AA18008@ub4b.eunet.be> from "Provincie Vlaams Brabant" at Jul 6, 95 08:01:59 am
X-Mailer: ELM [version 2.4 PL23-upenn2.7]
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

vlabra@ub4b.eunet.be (Provincie Vlaams Brabant) writes:
>
> I'm running the CERN httpd in a chrooted environment on a Solaris 2.4
> machine. I built a "jail" which contains an etc, usr, ... directory to which
> I chroot.
>
> Normally the CERN httpd performs a setuid to "nobody" and a setgid "nogroup"
> before serving any documents. But when run in the chrooted environment it
> says it can't find the user nobody nor the group nogroup.
>
> The /jail/etc contains the following files: passwd, group, netconfig,
> nsswitch.conf.
>
> I guess I must be missing something but what ?
>
>

The setuid and setgid system calls take numeric arguments for the UID and GID. I infer from your email that you must be getting an error message such as "can't find user 'nobody'" or "Unknown user id" or something like that. Most commands that take userids and group names as arguments use getpwnam and getgrnam to look up the passwd and group file entries for the names.
I don't have source or documentation for the CERN httpd but I'll just make a wild guess here. Apologies in advance if this is ludicrous.

Do the /jail/etc/passwd and /jail/etc/group files contain entries for the user 'nobody' and the group 'nogroup'? Are they needed? Are they in /etc/passwd and /etc/group? Does the proxy work in the non-chroot env? How is it resolving the 'nobody' uid? Truss it to see what numeric argument it gives to the setuid() syscall. The answers to those questions should help you.

/usr/include/sys/param.h on my system has the following defines: I can't seem to find my POSIX manual, but I thought that they were part of the standard.

#define UID_NOBODY      60001
#define GID_NOBODY      UID_NOBODY
#define UID_NOACCESS    60002
#define MAXUID          60002

Your problem may be related to this. Or maybe a CERN httpd expert can give you the clues you need.

Mark Riggins

From firewalls-owner Thu Jul 6 23:34:28 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA29137 for firewalls-outgoing; Thu, 6 Jul 1995 23:24:03 -0700
Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id XAA29132; Thu, 6 Jul 1995 23:23:56 -0700
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 6 Jul 1995 23:23:42 -0800
To: David Madole/TMG/CSC , firewalls
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: cisco packet filter firewall
Cc: Julie Ann Connary <73203.2236@compuserve.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 9:57 PM 7/6/95, David Madole/TMG/CSC wrote:
>By the way, DNS only uses TCP for zone transfers, so unless you are running a
>secondary nameserver on the other side of your firewall, you do not need (or
>want) the permit TCP lines in the filter.

This is true for UNIX implementations of DNS (i.e., BIND), but not necessarily true in general. In fact, it's not even true for all versions of BIND, I don't think; I believe (though my info may be out of date) that IBM AIX systems always use TCP connections for DNS, even for simple resolver queries that most other UNIX systems would use UDP for.

Basically, in order to fully support DNS, you have to support both UDP and TCP queries.

-Brent

----------------------------------------------------------------------
For info about the Internet Security Firewalls Tutorial and a schedule
of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM
----------------------------------------------------------------------
Brent Chapman                                   Great Circle Associates
Brent@GreatCircle.COM                           1057 West Dana Street
+1 415 962 0841                                 Mountain View, CA 94041

From firewalls-owner Fri Jul 7 02:42:46 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA06045 for firewalls-outgoing; Fri, 7 Jul 1995 02:22:15 -0700
Received: from greatdane.cisco.com (greatdane.cisco.com [171.69.1.141]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id CAA06038 for ; Fri, 7 Jul 1995 02:22:03 -0700
Received: (tli@localhost) by greatdane.cisco.com (8.6.8+c/8.6.5) id CAA26930; Fri, 7 Jul 1995 02:21:28 -0700
Date: Fri, 7 Jul 1995 02:21:28 -0700
From: Tony Li
Message-Id: <199507070921.CAA26930@greatdane.cisco.com>
To: Firewalls@GreatCircle.COM (Firewalls Mailing List)
Subject: Re: One Router or Two?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I believe the original poster was contemplating two identical Cisco routers, rendering this point moot. If one's got a design flaw, the other will have the same flaw.

One can _slightly_ mitigate this by running different versions of IOS and using different switching modes on each of the two routers. For example, on the outside, run 10.0 and fastswitching. On the inside, 10.3 and SSE switching.

Two routers _can_ be more secure than one, but only if you're very careful.

Amen. There's a lot of theory out there that doesn't hold up in practice.

Ob punch line: In theory, there's no difference between theory and practice. But there is in practice.

Tony

From firewalls-owner Fri Jul 7 03:12:57 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA05305 for firewalls-outgoing; Fri, 7 Jul 1995 01:54:03 -0700
Received: from NYXGATE1.btco.com (gate1.btco.com [198.83.51.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id BAA05300 for ; Fri, 7 Jul 1995 01:53:56 -0700
Received: (from mailer@localhost) by NYXGATE1.btco.com (8.6.9/8.6.9) id EAA32190 for ; Fri, 7 Jul 1995 04:53:19 -0400
Received: from lncsex0003.eu.btco.com(160.82.152.218) by NYXGATE1.btco.com via smap (V1.3) id sma026155; Fri Jul 7 04:53:12 1995
Received: from lncsea0001.eu.btco.com (lncsea0001.eu.btco.com [160.82.136.15]) by LNCSEX0003.eu.btco.com (8.6.9/BTmail) with SMTP id JAA02910 for ; Fri, 7 Jul 1995 09:53:11 +0100
To: avents@btco.com
Path: newsadm
From: Guru Sundararaman
Newsgroups: btco.list.firewalls
Subject: Windows NT Web server and bastion hosts
Date: 6 Jul 1995 20:00:23 GMT
Organization: Bankers Trust Co.
Lines: 13
Message-ID: <3thfcn$fc2@NYCSEX0001.btco.com>
NNTP-Posting-Host: nycsew0068.btco.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 1.2b2 (Windows; I; 32bit)
ReSent-Date: Fri, 7 Jul 1995 09:52:58 -0900 (PDT)
ReSent-From: "Todd S. Aven"
ReSent-To: firewalls@greatcircle.com
ReSent-X-Sender: avento@lncsex0003.eu.btco.com
ReSent-Message-ID:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anyone installed a Windows NT Web server on the external DMZ segment of a dual-interfaced bastion? If so, I would like to hear their experiences, especially on the management and administration of that server.
Thanks,
-Guru
gurus@btco.com

From firewalls-owner Fri Jul 7 03:13:18 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA04205 for firewalls-outgoing; Fri, 7 Jul 1995 01:26:44 -0700
Received: from mailgate.ericsson.se (mailgate.ericsson.se [130.100.2.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id BAA04194 for ; Fri, 7 Jul 1995 01:26:38 -0700
Received: from shakespeare.emw.ericsson.se (shakespeare.emw.ericsson.se [136.225.97.10]) by mailgate.ericsson.se (8.6.11/1.0) with SMTP id KAA02135; Fri, 7 Jul 1995 10:25:56 +0200
Received: from hathaway.nis.gsunix (hathaway.emw.ericsson.se) by shakespeare.emw.ericsson.se (4.1/LME-DOM-2.2.4) id AA21265; Fri, 7 Jul 95 10:29:00 +0200
Date: Fri, 7 Jul 95 10:28:59 +0200
From: emwmf@emw.ericsson.se (Martin Fredriksson)
Message-Id: <9507070829.AA21265@shakespeare.emw.ericsson.se>
To: paul@hawksbill.sprintmrn.com
Subject: Re: xdmcp info
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From firewalls-owner@GreatCircle.COM Fri Jul 7 03:16:07 1995
> From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
> Subject: xdmcp info
> To: firewalls@GreatCircle.COM (Firewalls List)
> Date: Thu, 6 Jul 1995 20:50:59 -0500 (EST)
> X-Mailer: ELM [version 2.4 PL22]
> Content-Type: text
> Content-Length: 520
> Precedence: bulk
> X-Lines: 16
>
> Paul Ferguson (paul@hawksbill.sprintmrn.com) wrote:
>
> Quick question, semi-relevant to firewalls:
>
> Would anyone happen to know where one could find a detailed
> description of xdmcp (udp/177) and its functions?

Maybe the following file from the X src distr (R5):

mit/hardcopy/XDMCP/xdmcp.PS.Z

/// Martin F

From firewalls-owner Fri Jul 7 03:19:14 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA06397 for firewalls-outgoing; Fri, 7 Jul 1995 02:41:03 -0700
Received: from ns1.unicomp.net (ns1.unicomp.net [199.1.42.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id CAA06391 for ; Fri, 7 Jul 1995 02:40:56 -0700
Received: from icc-fw.integctr.com by ns1.unicomp.net (4.1/SMI-4.1) id AA09053; Fri, 7 Jul 95 04:47:00 CDT
Date: Fri, 7 Jul 1995 05:03:26 -0500 (CDT)
From: Brian Rogers
To: "Daniel O'Callaghan"
Cc: Peter da Silva , isdmill@gatekeeper.ddp.state.me.us, benjamin@hanover.demon.co.uk, firewalls@GreatCircle.COM, www-proxy@w3.org
Subject: Re: NNTP caching proxy
In-Reply-To:
Message-Id:
Organization: The Integrity Center (214)484-6140 (800)456-1811
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 7 Jul 1995, Daniel O'Callaghan wrote:

> > Control: cancel
> > Supercedes:
>
> Both of which can be handled by appropriate use of a GET If-modified-since
> type pragma in the caching algorithm.

Is this even a part of NNRP? I want this to work independent of http, with newsreaders -- a simple news proxy.

I think this is becoming a waste of bandwidth. Someone has already told me that he's working on this.

/* Brian Rogers -- tech admin, coffee achiever -- brogers@integctr.com  */
/* The Integrity Center -- "objective risk management information"      */
/* http://www.integctr.com/ -- info@integctr.com                        */
/* (214)484-6140 (800)456-1811 FAX (214)484-6381 FOD (214)484-2147      */

From firewalls-owner Fri Jul 7 03:37:29 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA06230 for firewalls-outgoing; Fri, 7 Jul 1995 02:33:14 -0700
Received: from greatdane.cisco.com (greatdane.cisco.com [171.69.1.141]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id CAA06222 for ; Fri, 7 Jul 1995 02:33:04 -0700
Received: (tli@localhost) by greatdane.cisco.com (8.6.8+c/8.6.5) id CAA27033; Fri, 7 Jul 1995 02:32:08 -0700
Date: Fri, 7 Jul 1995 02:32:08 -0700
From: Tony Li
Message-Id: <199507070932.CAA27033@greatdane.cisco.com>
To: avalon@coombs.anu.edu.au (Darren Reed)
Cc: Firewalls@GreatCircle.COM (Firewalls Mailing List)
Subject: Sending replies to blocked packets.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Many firewalls/firewall software now support sending back those nice
> ICMP messages saying that the destination host was unreachable. While
> this is nice for those in and outside, is there any structuring beyond
> the simple "host unreachable" ?

Actually, router requirements, RFC 1812, defines a new ICMP Unreachable code: Communication Administratively Prohibited, which is the preferred mechanism for filtering routers. [Coming soon to a cisco near you. ;-) ]

> For example, do rules which have a netmask which defines a network return
> net-unreachables as opposed to one which might block a host (thus host
> unreachable) or does it return some other error based on what part of
> the rule it failed at ? And if they're not, should they be trying to
> send back some sort of informed reply ?

I believe the thinking within the WG was that disclosing this information was probably not a good idea.
If someone is going to the trouble of gathering this information by obvious probing, that's fine... they're more obvious.

> I've managed to get a packet filter designed and supported which sends
> out FAKE TCP RSTs instead of ICMP unreachables - if told to. How many
> RFCs does this break ? :)

None that I'm aware of. However, what do you do about UDP?

> My justification is that if I block certain TCP SYN packets and send back
> an RST in reply, not only do I stop the connection and send back a nack,
> but in using TCP's RST, I can usually effect a much quicker nack response
> than with ICMPs - and much safer too!

A host can immediately process the new ICMP unreachable code as a NAK, as it is presumed to have a long half-life.

Tony

From firewalls-owner Fri Jul 7 04:04:35 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA09414 for firewalls-outgoing; Fri, 7 Jul 1995 03:54:48 -0700
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id DAA09404 for ; Fri, 7 Jul 1995 03:54:43 -0700
Message-Id: <199507071054.DAA09404@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA014394429; Fri, 7 Jul 1995 20:53:49 +1000
From: Darren Reed
Subject: Re: Sending replies to blocked packets.
To: tli@cisco.com (Tony Li)
Date: Fri, 7 Jul 1995 20:53:49 +1000 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <199507070932.CAA27033@greatdane.cisco.com> from "Tony Li" at Jul 7, 95 02:32:08 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1447
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Tony Li, sie said:
>    Many firewalls/firewall software now support sending back those nice
>    ICMP messages saying that the destination host was unreachable. While
>    this is nice for those in and outside, is there any structuring beyond
>    the simple "host unreachable" ?
>
> Actually, router requirements, RFC 1812, defines a new ICMP
> Unreachable code: Communication Administratively Prohibited, which is
> the preferred mechanism for filtering routers. [Coming soon to a
> cisco near you. ;-) ]

Hmmm, a newbie ICMP.

[...]

>    I've managed to get a packet
>    filter designed and supported which sends out FAKE TCP RSTs instead of
>    ICMP unreachables - if told to. How many RFCs does this break ? :)
>
> None that I'm aware of. However, what do you do about UDP?

Still use ICMP... after all, that's what gets used between hosts with no intervening firewall..

>    My justification is that if I block certain TCP SYN packets and send back
>    an RST in reply, not only do I stop the connection and send back a nack,
>    but in using TCP's RST, I can usually effect a much quicker nack response
>    than with ICMPs - and much safer too!
>
> A host can immediately process the new ICMP unreachable code as a NAK,
> as it is presumed to have a long half-life.

Except, being new, which of the currently deployed TCP/IP stacks will recognise it for what it is ? (Including commercial products)

darren

From firewalls-owner Fri Jul 7 04:34:43 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA10250 for firewalls-outgoing; Fri, 7 Jul 1995 04:24:16 -0700
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id EAA10245 for ; Fri, 7 Jul 1995 04:24:11 -0700
Message-Id: <199507071124.EAA10245@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA024946201; Fri, 7 Jul 1995 21:23:21 +1000
From: Darren Reed
Subject: Re: SunScreen + Fragmented packets
To: iceman@MBnet.MB.CA (Oliver Friedrichs)
Date: Fri, 7 Jul 1995 21:23:21 +1000 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Oliver Friedrichs" at Jul 6, 95 10:48:59 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 908
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Oliver Friedrichs, sie said:
[...]
> On the subject of fragmented packets again, Sun's new SunScreen claims to
> have an IP Fragment cache, my only guess is that they safely defragment
> and reassemble the fragments for the internal network.
>
> They also claim that SunScreen doesn't run any standard OS, looks to me
> like it's a packet filter, which spoofs addresses both way (in and out),
> which also supports encryption.

SunScreen is turning into something very weird... It doesn't have an IP address, but forwards packets - like a bridge or maybe smart hub. And now it collects fragments in the hope of defrag'ing. (Why real hardware routers/bridges don't do this is sound theory, if what I recall about NCP before the switchover is true).

Not to mention hard to get a hold of if you're not a US citizen... does it write out packets with fake source MAC addresses ?
darren

From firewalls-owner Fri Jul 7 04:51:27 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA09869 for firewalls-outgoing; Fri, 7 Jul 1995 04:07:08 -0700
Received: from awadi.com.AU (myall.awadi.com.AU [150.207.2.65]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id EAA09864 for ; Fri, 7 Jul 1995 04:07:00 -0700
Received: from bunya.awadi ([150.207.1.63]) by awadi.com.AU (4.1/SMI-4.1) id AA16279; Fri, 7 Jul 95 20:35:09 CST
Received: from mallee.awadi by bunya.awadi (5.x/SMI-SVR4) id AA12388; Fri, 7 Jul 1995 20:31:54 +0930
From: blymn@awadi.com.AU (Brett Lymn)
Message-Id: <9507071101.AA12388@bunya.awadi>
Subject: Re: Sending replies to blocked packets.
To: tli@cisco.com (Tony Li)
Date: Fri, 7 Jul 1995 20:31:56 +0930 (CST)
Cc: firewalls@greatcircle.com
In-Reply-To: <199507070932.CAA27033@greatdane.cisco.com> from "Tony Li" at Jul 7, 95 02:32:08 am
X-Mailer: ELM [version 2.4 PL2]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

According to Tony Li:
>
>
>    Many firewalls/firewall software now support sending back those nice
>    ICMP messages saying that the destination host was unreachable. While
>    this is nice for those in and outside, is there any structuring beyond
>    the simple "host unreachable" ?
>
>Actually, router requirements, RFC 1812, defines a new ICMP
>Unreachable code: Communication Administratively Prohibited, which is
>the preferred mechanism for filtering routers. [Coming soon to a
>cisco near you. ;-) ]
>

That's nice - it should speed up the cracker's port probe immensely; instead of waiting for a timeout and trying again, the cracker will know that the port is not reachable very shortly after the router blocks it. Just dropping the packet quietly may not sound very nice but it does slow down the port probing a bit.

--
Brett Lymn, Computer Systems Administrator, AWA Defence Industries
===============================================================================
"It's fifteen hundred miles to Ankh-Morpork" he said. "We've got three
hundred and sixty three elephants, fifty carts of forage, the monsoon's
about to break and we're wearing ... we're wearing ... sort of things,
like glass, only dark... dark glass things on our eyes..."
  - Terry Pratchett "Moving Pictures".

From firewalls-owner Fri Jul 7 05:04:46 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA10907 for firewalls-outgoing; Fri, 7 Jul 1995 04:44:27 -0700
Received: from mail.swip.net (mn4.swip.net [192.71.180.65]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id EAA10902 for ; Fri, 7 Jul 1995 04:44:22 -0700
From: axel.skough@scb.se
Received: by mail.swip.net with UUCP (8.6.8/3.01) id NAA14945; Fri, 7 Jul 1995 13:49:07 +0200
Message-ID: <199507071149.NAA14945@mail.swip.net>
Date: Fri, 7 Jul 1995 13:42 +0200
To: firewalls@GreatCircle.COM
Subject: RE: Windows NT Web server and bastion ho
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am myself currently planning and installing the Purveyor Web Server for Windows NT! I've done this - very simple - on a local machine (IBM 750 P90) in our local net. This should configure as a test/development server; official publication is planned to be done on a public server with Purveyor (already offered, but not delivered yet). The hardware we intend is a Compaq Proliant 1500; the Internet Service is not enabled yet. In the beginning we do not intend to attach our internal net to the Internet. I am considering firewall questions too.

I'd like to share experiences, too!

Regards,
Axel Skough
Statistics Sweden

From firewalls-owner Fri Jul 7 05:33:53 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA11268 for firewalls-outgoing; Fri, 7 Jul 1995 04:53:46 -0700
Received: from access2.digex.net (access2.digex.net [205.197.245.193]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id EAA11263 for ; Fri, 7 Jul 1995 04:53:42 -0700
Received: (from dstewart@localhost) by access2.digex.net (8.6.12/8.6.12) id HAA13468 ; for firewalls@greatcircle.com; Fri, 7 Jul 1995 07:53:07 -0400
From: "Dennis C. Stewart"
Message-Id: <199507071153.HAA13468@access2.digex.net>
Subject: RE: Axent technologies
To: firewalls@greatcircle.com
Date: Fri, 7 Jul 1995 07:53:06 -0400 (EDT)
X-Mailer: ELM [version 2.4 PL24beta]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 831
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Jeff Redden wrote;
>
> >I am looking for some decent software to do security analysis and tracking
> >on Unix systems.
>
> >I am aware of products from Axent and Bellcore. Does anyone have
> >experience with these products or others? I am hoping for a product
> >that will analyze based on a user defined security policy.
>
> >Any thoughts?

I have some experience with the Axent Technologies product Intruder Alert. We are using this product to provide information concerning suspicious activity on our local area servers. The product responds automatically to certain audit trail data, which is configurable, and notifies me when an incident has occurred. It also automatically performs whatever task has been defined to occur when the event happens, such as enhanced auditing of the suspicious ID.
From firewalls-owner Fri Jul 7 05:35:52 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA11987 for firewalls-outgoing; Fri, 7 Jul 1995 05:14:42 -0700 Received: from awadi.com.AU (myall.awadi.com.AU [150.207.2.65]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA11974 for ; Fri, 7 Jul 1995 05:14:30 -0700 Received: from bunya.awadi ([150.207.1.63]) by awadi.com.AU (4.1/SMI-4.1) id AA17335; Fri, 7 Jul 95 21:42:46 CST Received: from mallee.awadi by bunya.awadi (5.x/SMI-SVR4) id AA12615; Fri, 7 Jul 1995 21:41:13 +0930 From: blymn@awadi.com.AU (Brett Lymn) Message-Id: <9507071211.AA12615@bunya.awadi> Subject: Re: Sending replies to blocked packets. To: avalon@coombs.anu.edu.au (Darren Reed) Date: Fri, 7 Jul 1995 21:41:14 +0930 (CST) Cc: firewalls@greatcircle.com In-Reply-To: <9507071203.AA17195@awadi.com.AU> from "Darren Reed" at Jul 7, 95 10:03:02 pm X-Mailer: ELM [version 2.4 PL2] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk According to Darren Reed: > >> That's nice - it should speed up the cracker's port probe immensely, >> instead of waiting for a timeout and trying a again the cracker will >> know that the port is not reachable very shortly after the router >> blocks it. Just dropping the packet quietly may not sound very nice >> but it does slow down the port probing a bit. > >Port scanning shouldn't be a threat unless you're relying on obscurity... > No, not a threat but dropping the packets without telling the other end does make the scanners suffer a bit more getting a profile of your system. If you, very cooperatively, send back a packet saying that you don't accept a port the scanner can just skip onto the next one. 
Dropping the packet means they need to wait, retry, wait which will make the job more tedious - admittedly with the same results but I like the idea of making the scanning more tedious ;-) Besides I don't see why you should want to send back anything anyway, if you do not advertise any service why should you accommodate a casual knob-twister or the more serious cracker.

-- 
Brett Lymn, Computer Systems Administrator, AWA Defence Industries
===============================================================================
"It's fifteen hundred miles to Ankh-Morpork" he said. "We've got three hundred and sixty three elephants, fifty carts of forage, the monsoon's about to break and we're wearing ... we're wearing ... sort of things, like glass, only dark... dark glass things on our eyes..." - Terry Pratchett "Moving Pictures".

From firewalls-owner Fri Jul 7 05:52:50 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA11709 for firewalls-outgoing; Fri, 7 Jul 1995 05:05:01 -0700 Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA11704 for ; Fri, 7 Jul 1995 05:04:56 -0700 Message-Id: <199507071204.FAA11704@miles.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA039868583; Fri, 7 Jul 1995 22:03:03 +1000 From: Darren Reed Subject: Re: Sending replies to blocked packets. To: blymn@awadi.com.AU (Brett Lymn) Date: Fri, 7 Jul 1995 22:03:02 +1000 (EST) Cc: tli@cisco.com, firewalls@greatcircle.com In-Reply-To: <9507071101.AA12388@bunya.awadi> from "Brett Lymn" at Jul 7, 95 08:31:56 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 995 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In some mail from Brett Lymn, sie said:
>
> According to Tony Li:
> >
> > > Many firewalls/firewall software now support sending back those nice
> > > ICMP messages saying that the destination host was unreachable. While
> > > this is nice for those in and outside, is there any structuring beyond
> > > the simple "host unreachable" ?
> >
> >Actually, router requirements, RFC 1812, defines a new ICMP
> >Unreachable code: Communication Administratively Prohibited, which is
> >the preferred mechanism for filtering routers. [Coming soon to a
> >cisco near you. ;-) ]
> >
>
> That's nice - it should speed up the cracker's port probe immensely,
> instead of waiting for a timeout and trying again the cracker will
> know that the port is not reachable very shortly after the router
> blocks it. Just dropping the packet quietly may not sound very nice
> but it does slow down the port probing a bit.

Port scanning shouldn't be a threat unless you're relying on obscurity...

darren

From firewalls-owner Fri Jul 7 06:05:04 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA10623 for firewalls-outgoing; Fri, 7 Jul 1995 04:34:39 -0700 Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id EAA10618 for ; Fri, 7 Jul 1995 04:34:35 -0700 Message-Id: <199507071134.EAA10618@miles.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA028116761; Fri, 7 Jul 1995 21:32:41 +1000 From: Darren Reed Subject: Re: ip forwarding To: rafi@tavor.openu.ac.il (Rafi Sadowsky) Date: Fri, 7 Jul 1995 21:32:40 +1000 (EST) Cc: James_Dehnert@optilink.optilink.dsccc.com, firewalls@greatcircle.com In-Reply-To: from "Rafi Sadowsky" at Jul 7, 95 05:15:05 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 1063 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In some mail from Rafi Sadowsky, sie said:
>
> there is no official way - one would be to add an ip filter ( I can't remember
> where to get off the top of my head - sorry ) & filter these packets

http://cheops.anu.edu.au/~avalon/ip-filter.html

> another is an unofficial kernel patch from sun which junks IP source
> routed packets ( you probably also want to turn off IP forwarding in the
> kernel config file ) sending an ICMP unreachable back
> ( this is for SunOS 4.1 )
> I got the patch from
> util.uhcc.hawaii.edu:/pub/security/source-routing-patch.tar.Z
> [didn't check if it's still there though - it was a while ago]

the other way is with adb (for your rc.local):

    # "?" patches the kernel image on disk, "/" patches the running kernel
    echo "ip_forwarding?W -1" | adb -w /vmunix /dev/kmem
    echo "ip_forwarding/W -1" | adb -w /vmunix /dev/kmem

but doesn't stop source routing.

Is this a FAQ yet ?

darren

> On Thu, 6 Jul 1995 James_Dehnert@optilink.optilink.dsccc.com wrote:
>
> > Ok, we now have 2 Solaris 2 options for killing IP forwarding.
> >
> > Exactly how is it done in SunOS 4.1.*?

[...see above...]

From firewalls-owner Fri Jul 7 06:10:17 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA12589 for firewalls-outgoing; Fri, 7 Jul 1995 05:30:57 -0700 Received: from iona.ie (class.iona.ie [192.122.221.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA12559 for ; Fri, 7 Jul 1995 05:30:40 -0700 Received: from destructor.iona.ie (destructor [192.122.221.18]) by iona.ie (8.6.11/8.6-jm) with ESMTP id NAA10742; Fri, 7 Jul 1995 13:19:15 +0100 Received: from destructor (localhost [127.0.0.1]) by destructor.iona.ie (8.6.11/8.6.9) with ESMTP id NAA23674; Fri, 7 Jul 1995 13:16:46 +0100 Message-Id: <199507071216.NAA23674@destructor.iona.ie> To: Brian Rogers cc: "Daniel O'Callaghan" , Peter da Silva , isdmill@gatekeeper.ddp.state.me.us, benjamin@hanover.demon.co.uk, firewalls@greatcircle.com, www-proxy@w3.org Subject: Re: NNTP caching proxy In-reply-to: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <23670.805119395.1@destructor> Date: Fri, 07 Jul 1995 13:16:36 +0100 From: Justin Mason Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Yep, this is something I've been hoping for.
I'd be writing it myself except I've got enough bloody hacking to do as it is, and news would be a hell of a protocol to support... ;) Brian Rogers wrote: >On Fri, 7 Jul 1995, Daniel O'Callaghan wrote: >> > Control: cancel >> > Supercedes: >> Both of which can be handled by appropriate use of a GET If-modified-since >> type pragma in the caching algorithm. >Is this even a part of NNRP? I want this to work independent of http, >with newsreaders -- a simple news proxy. BTW -- something that hasn't been mentioned yet. Most (good) newsreaders these days use XOVER (the overview mechanism) for browsing the groups' headers, and only get the articles when they're explicitly requested. THIS is where a caching proxy would come in very useful; if the headers were retrieved by the proxy using XOVER and stored in its own overview cache, the newsreaders could browse the groups very quickly -- it may not even be necessary to cache articles AT ALL to gain an appreciable speedup. >I think this is becoming a waste of bandwidth. Someone has already told >me that he's working on this. Ah -- who? Sign me up for an alpha, whoever you are! ;) --j. From firewalls-owner Fri Jul 7 06:31:20 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA12753 for firewalls-outgoing; Fri, 7 Jul 1995 05:34:03 -0700 Received: from dcc.com (mail.dcc.com [204.147.93.33]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA12746 for ; Fri, 7 Jul 1995 05:33:59 -0700 Received: by firewall.dcc.com id <58881>; Fri, 7 Jul 1995 07:39:41 -0500 From: "Moubray, Steve" To: "'SMTP:firewalls@greatcircle.com'" Subject: Re: BorderWare Date: Fri, 7 Jul 1995 09:32:00 -0500 Encoding: 89 TEXT X-Mailer: Microsoft Mail V3.0 Message-Id: <95Jul7.073941cdt.58881@firewall.dcc.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The other day Chris wrote. 
>From: ckapilla@interserver.com (Chris Kapilla)
>Date: Mon, 03 Jul 1995 16:10:04 -0700
>Subject: BorderWare
>
>A couple of weeks ago someone raised some questions regarding BorderWare's
>firewall product. A strong rebuttal was given by someone at BorderWare, and
>I expected there might be some grousing in reply, but nary a word was said.
>From what I have seen of their product it looks really good -- they have
>taken a very intelligent approach and done an excellent implementation as
>far as I can tell (but I am a newbie w.r.t. all this). So my question is
>...does anyone have anything BAD to say about the BorderWare server?
>- ----------------------------------------------------------------
>Chris Kapilla
>http://www.interserver.com
>ckapilla@interserver.com
>phone: 206-836-3661
>fax: 206-836-9468

To be honest with you it seemed like someone was just running around starting rumors with complete ignorance of the subject in question. I have heard more than one unethical manufacturer or reseller start rumors about competitors' products so I never pay attention to them. Since the individual starting the rumors did not state the source (I read in ... or so and so said) I assumed that either he was from BorderWare's competition or heard it from BorderWare's competition. I would like to know the source of the rumors because they are incorrect.

I've been a member of this list for about a year and it has always been focused on solutions, facts and some philosophy but rumors have never been a part of this list. I help many companies select firewalls and implement them so I do hear a lot of this type of talk from end users but this is the first time on this list. I hope that propaganda does not become a normal part of a useful list like this.

Well, so much for why I didn't respond earlier on this issue. I simply didn't think that anyone on this list would pay attention (maybe those on the list that watch day time talk shows).
We installed a BorderWare firewall here because it met our needs better than anything else I could find. We're a network integrator which means that we have no time to spend on our own internal systems and we have people that constantly reconfigure everything (including our packet filter when we were using one). The BorderWare firewall is very transparent. We were using a Cisco router and packet filters. We had implemented E-Mail, NetScape, NEWS, OS/2 WARP stuff, FTP and some people were using telnet. This stuff was running on Windows, NT, OS/2 and Windows 95 beta. We installed the firewall one night, made no changes to the applications and no one noticed. That's right, 85 people didn't miss a beat when we installed the firewall. We did need to update the hosts file and some other routing tables because we now had a new segment but other than that nothing else needed to be changed. It was completely transparent. No logins and no modifications to the apps.

As far as I can tell BorderWare runs on a highly modified kernel. The kernel ignores ICMP redirects (at least the ones that we sent it), ignores source routed packets and can't be spoofed. It does this by doing some packet filtering. I don't know of all of the modifications but it can use larger file systems than the original kernel and stuff like that.

I will side with the individual on two issues. The user interface is not a true GUI. It is a text based pull down menu that looks and acts like a GUI but no graphics are used in the interface. This isn't a big issue because it is just as easy to use as a GUI and I'm being picky. The other issue in the product is a statement about using "a forms capable web server". It uses a very good web server but it really isn't forms capable which I think is a plus for security. Do you want people running CGI scripts on your firewall? I don't either.

From a security, ease of use and functionality stand point - it stands up to its claims.
I have heard at least one company falsely bashing the BorderWare product but they just didn't think transparent applications gateways were possible because they couldn't do it. The product works. Try it and find out for yourself.

Let's keep this list focused on facts and not so much on rumors and propaganda. This list has always been useful and I hope it stays that way.

--------------------------------------------------
Steve Moubray
DCC, Inc.
10 2nd Street NE, Minneapolis, MN 55413
(612) 378-4469 Fax (612) 378-4401
smoubray@dcc.com
http://www.dcc.com/

From firewalls-owner Fri Jul 7 07:17:24 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA16467 for firewalls-outgoing; Fri, 7 Jul 1995 06:53:32 -0700 Received: from inetsrv1.biss.co.uk (inetsrv1.biss.co.uk [193.115.8.97]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA16462 for ; Fri, 7 Jul 1995 06:53:27 -0700 Received: from ccmailgw.biss.co.uk by inetsrv1.biss.co.uk with SMTP (15.11/15.6) id AA13967; Fri, 7 Jul 95 14:57:59 gmt Received: from cc:Mail by ccmailgw.biss.co.uk id AA805154020 Fri, 07 Jul 95 14:53:40 EST Date: Fri, 07 Jul 95 14:53:40 EST From: Steve_Betts@ccmailgw.biss.co.uk (Steve Betts) Encoding: 624 Text Message-Id: <9506078051.AA805154020@ccmailgw.biss.co.uk> To: firewalls@GreatCircle.COM Subject: Re: Windows NT Web server and bastion hosts Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

"Todd S. Aven" at SMTPGW wrote
>Has anyone installed a Windows NT Web server on the external DMZ
>segment of a dual-interfaced bastion? If so, I would like to hear
>their experiences, especially on the management and administration
>of that server.

My slightly wider interest in Windows NT with the Purveyor web server in particular, includes a number of different firewall and packet filtering configurations, so please include me on any experiences in this area.
Thanks Steve From firewalls-owner Fri Jul 7 07:43:02 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA17623 for firewalls-outgoing; Fri, 7 Jul 1995 07:19:02 -0700 Received: from DOCKMASTER.NCSC.MIL (DOCKMASTER.NCSC.MIL [26.1.0.172]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA17603 for ; Fri, 7 Jul 1995 07:18:50 -0700 Date: Fri, 7 Jul 95 10:15 EDT From: Wilner@DOCKMASTER.NCSC.MIL Subject: Re: controlling FTP transfers To: firewalls@GREATCIRCLE.COM Message-ID: <950707141529.815410@DOCKMASTER.NCSC.MIL> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ranum writes: > It's *easier* to do that kind of processing in > an application but it's really an implementation > detail whether that state is held in the pcb of > a socket connected to an application ... Fascinating ... I was unaware that sockets had PCBs. I had always thought that PCBs were associated with processes, not with passive communication endpoints ... > ... or whether it's some extra state flags in some > kernel-level subroutine. I doubt that any "kernel-level subroutine" (read: kernel-level function) will be charged with maintaining "state flags" that reflect the status of a single socket, since it would be a maintenance nightmare for a reentrant module to track such state information when multiple socket-oriented system calls from multiple processes against multiple socket descriptors referencing multiple sockets are likely to be temporally interwoven. 
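An added example, not code from the list or from any firewall product named in it, of what holding that FTP state in an application (the proxy) rather than in kernel flags looks like. It assumes a proxy that sees both directions of the control channel and is consulted about every new TCP connection; the class and function names are invented for the illustration, and the session replayed in demo() is constructed.

```python
import re
from dataclasses import dataclass, field

# Hypothetical proxy-side state tracker: an added illustration, not list or vendor code.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """Turn the six comma-separated numbers of PORT / 227 into (ip, port)."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0")
    return ".".join(str(n) for n in nums[:4]), port


@dataclass
class FtpStateTable:
    """Expected data connections, learned from the control channel and consumed once."""
    now: int = 0          # logical clock in seconds; the caller advances it
    ttl: int = 60         # how long an announced data connection stays allowed
    pending: dict = field(default_factory=dict)   # (src, dst, dport) -> expiry time

    def _expire(self):
        self.pending = {k: t for k, t in self.pending.items() if t > self.now}

    def control_from_client(self, client_ip, server_ip, line):
        """Client -> server control text. Returns the decision for that command."""
        m = PORT_RE.match(line.strip())
        if not m:
            return "pass"          # not a PORT command, nothing to track
        try:
            host, port = decode_hostport(m.groups())
        except ValueError:
            return "reject"
        if host != client_ip:
            return "reject"        # FTP bounce: client asks the server to connect elsewhere
        if port < 1024:
            return "reject"        # no active-mode transfers into privileged ports
        # The server (from port 20) will now connect to client:port; allow exactly that.
        self.pending[(server_ip, client_ip, port)] = self.now + self.ttl
        return "expect"

    def control_from_server(self, client_ip, server_ip, line):
        """Server -> client control text; a 227 reply announces a passive data port."""
        m = PASV_RE.match(line.strip())
        if not m:
            return "pass"
        try:
            host, port = decode_hostport(m.groups())
        except ValueError:
            return "reject"
        if host != server_ip:
            return "reject"        # server pointing the client at some other machine
        self.pending[(client_ip, server_ip, port)] = self.now + self.ttl
        return "expect"

    def new_connection(self, src, dst, dport):
        """Decision for a fresh TCP SYN seen by the filter."""
        self._expire()
        if self.pending.pop((src, dst, dport), None) is not None:
            return "allow"         # one-shot: the announced data connection
        return "deny"


def demo():
    """Constructed session: good PORT, bounce attempt, PASV transfer, stale SYN."""
    t = FtpStateTable()
    client, server = "10.1.1.5", "192.0.2.10"
    out = []
    out.append(t.control_from_client(client, server, "PORT 10,1,1,5,4,1"))       # 4*256+1 = 1025
    out.append(t.new_connection(server, client, 1025))                             # allow
    out.append(t.new_connection(server, client, 1025))                             # deny, already used
    out.append(t.control_from_client(client, server, "PORT 192,0,2,99,0,25"))     # bounce -> reject
    out.append(t.control_from_server(client, server,
               "227 Entering Passive Mode (192,0,2,10,195,80)"))                  # 195*256+80 = 50000
    t.now += 120                                                                   # ttl has elapsed
    out.append(t.new_connection(client, server, 50000))                            # deny, expired
    return out
```

The two checks worth keeping whatever you build around this are the address comparison (the announced address must be the peer that announced it, or you have built a bounce relay) and the one-shot, time-limited entry (an announced port is an opening, not a standing rule).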
From firewalls-owner Fri Jul 7 08:09:53 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA15696 for firewalls-outgoing; Fri, 7 Jul 1995 06:40:42 -0700 Received: from janet.advsys.com (xcrsnyder.ge_xc.dialup.net [158.254.10.56]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA15684 for ; Fri, 7 Jul 1995 06:40:35 -0700 Received: from janet.advsys.com (rsnyder@localhost [127.0.0.1]) by janet.advsys.com (8.7.Beta.9/8.7.Beta.9) with ESMTP id JAA01545 for ; Fri, 7 Jul 1995 09:41:11 -0400 Message-Id: <199507071341.JAA01545@janet.advsys.com> X-Mailer: exmh version 1.6.1 5/23/95 To: firewalls@GreatCircle.COM Subject: Re: Sending replies to blocked packets. In-reply-to: Your message of "Fri, 07 Jul 1995 20:31:56 +0930." <9507071101.AA12388@bunya.awadi> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 07 Jul 1995 09:41:10 -0400 From: Bob Snyder Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> That's nice - it should speed up the cracker's port probe immensely,
> instead of waiting for a timeout and trying again the cracker will
> know that the port is not reachable very shortly after the router
> blocks it. Just dropping the packet quietly may not sound very nice
> but it does slow down the port probing a bit.

Obviously not sending a response is still a valid option, if for no other reason than to prevent the Ultrix bug from dropping all connections. It's a trade off between being nice to people so that they don't have to wait for the connection to time out, and being a packet black hole, which minimally increases your security.

I saw the new ICMP codes in TCP/IP Illustrated Vol 1, and wondered what the source of the new codes was. Nothing I've seen supports them yet, although since it's a subset of the Host Unreachable ICMP message, as I recall, I would hope most TCP/IP stacks out there would "do the right thing."
Bob From firewalls-owner Fri Jul 7 08:24:05 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA17842 for firewalls-outgoing; Fri, 7 Jul 1995 07:28:47 -0700 Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA17837 for ; Fri, 7 Jul 1995 07:28:43 -0700 Received: from wellspring.us.dg.com by dg-rtp.dg.com (5.4R2.01/dg-rtp-v02) id AA12651; Fri, 7 Jul 1995 10:28:01 -0400 Received: from immis184 by wellspring.us.dg.com (5.4.1/dg-gens08) id AA25172; Fri, 7 Jul 1995 10:27:58 -0400 Message-Id: <9507071427.AA25172@wellspring.us.dg.com> Comments: Authenticated sender is From: "Jim Carroll" Organization: Data General (Canada) Inc. To: firewalls@greatcircle.com Date: Fri, 7 Jul 1995 10:27:19 -0500 Subject: Re: Windows NT Web server and bastion hosts Reply-To: jcarroll@wellspring.us.dg.com Priority: normal X-Mailer: Pegasus Mail for Windows (v2.01) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Rumour has it that on 6 Jul 95 at 20:00, Todd S. Aven said: > Has anyone installed a Windows NT Web server on the external DMZ segment > of a dual-interfaced bastion? If so, I would like to hear their > experiences, especially on the management and administration of that > server. This question made me think of SATAN. Is SATAN generic enough to help an administrator lock down an NT host in such a scenario? Or is it more Unix/Vax/whatever -centric? -- Jim Carroll - jcarroll@wellspring.us.dg.com ... the usual disclaimers ... ## The more I learn, the less I know. ## ## Eventually I'll know everything about nothing. 
## From firewalls-owner Fri Jul 7 08:55:49 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA17779 for firewalls-outgoing; Fri, 7 Jul 1995 07:25:29 -0700 Received: from uuneo.neosoft.com (uuneo.NeoSoft.COM [198.64.84.252]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA17774 for ; Fri, 7 Jul 1995 07:25:26 -0700 Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.6.10/8.6.10) with UUCP id JAA00796 for GreatCircle.COM!firewalls; Fri, 7 Jul 1995 09:17:25 -0500 Received: by ris1.nmti.com (smail2.5) id AA17149; 7 Jul 95 08:25:46 CDT (Fri) Received: by sonic.nmti.com; id AA26686; Fri, 7 Jul 1995 08:48:48 -0500 From: peter@nmti.com (Peter da Silva) Message-Id: <9507071348.AA26686@sonic.nmti.com.nmti.com> Subject: Re: NNTP caching proxy To: danny@miriworld.its.unimelb.EDU.AU (Daniel O'Callaghan) Date: Fri, 7 Jul 1995 08:48:48 -0500 (CDT) Cc: peter@nmti.com, isdmill@gatekeeper.ddp.state.me.us, benjamin@hanover.demon.co.uk, brogers@integctr.com, firewalls@GreatCircle.COM, www-proxy@w3.org In-Reply-To: from "Daniel O'Callaghan" at Jul 7, 95 10:35:04 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 585 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > > Its on my wish list. I don't think it will make it to the *do* list, > > > other than maybe hacking CERN proxy server to cache news articles. > > > I remember Ari said caching news was bad, but I never understood why, > > Control: cancel > > Supercedes: > Both of which can be handled by appropriate use of a GET If-modified-since > type pragma in the caching algorithm. You'll have to explain this more. Articles aren't modified. They're created and deleted. Those are the only operations you can perform on a news spool. 
From firewalls-owner Fri Jul 7 08:59:08 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA18097 for firewalls-outgoing; Fri, 7 Jul 1995 07:35:08 -0700 Received: from kgbvax.network.com (kgbvax.network.com [129.191.202.58]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA18088 for ; Fri, 7 Jul 1995 07:35:04 -0700 Received: (from ted@localhost) by kgbvax.network.com (8.6.9/8.6.9) id KAA13060; Fri, 7 Jul 1995 10:32:25 -0400 Date: Fri, 7 Jul 1995 10:32:25 -0400 From: Ted Doty Message-Id: <199507071432.KAA13060@kgbvax.network.com> To: dstewart@access.digex.net, firewalls@greatcircle.com Subject: RE: Axent technologies In-Reply-To: Mail from '"Dennis C. Stewart" ' dated: Fri, 7 Jul 1995 07:53:06 -0400 (EDT) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Fri, 7 Jul 1995 07:53:06, Dennis Stewart wrote:

> > Jeff Redden wrote:
> >
> > >I am looking for some decent software to do security analysis and tracking
> > >on Unix systems.
> >
> > >I am aware of products from Axent and Bellcore. Does anyone have
> > >experience with these products or others? I am hoping for a product
> > >that will analyze based on a user defined security policy.
> >
> > >Any thoughts?

    I have some experience with the Axent Technologies product Intruder Alert. We are using this product to provide information concerning suspicious activity on our local area servers. The product responds automatically to certain audit trail data, which is configurable, and notifies me when an incident has occurred. It also automatically performs whatever task has been defined to occur when the event happens, such as enhanced auditing of the suspicious ID.

You might check out Stalker from Haystack Labs.
Send email to info@haystack.com

-- 
- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation    | phone: +1 301 596-2270
8965 Guilford Road, Suite 250            | fax: +1 410 381-3320
Columbia, MD, 21046 USA                  | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental.

From firewalls-owner Fri Jul 7 09:02:19 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA15668 for firewalls-outgoing; Fri, 7 Jul 1995 06:40:21 -0700 Received: from caesar.udac.se (Caesar.UDAC.SE [193.44.79.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA15655 for ; Fri, 7 Jul 1995 06:40:13 -0700 Received: from [193.44.77.24] (mac-77-24.UDAC.SE) by caesar.udac.se with SMTP id AA10567 (5.67b-Emil1.1/IDA-1.5 for ); Fri, 7 Jul 1995 15:37:58 +0200 Message-Id: Date: Fri, 7 Jul 1995 15:40:17 +0200 To: firewalls@greatcircle.com From: Mats.Bredell@udac.se (Mats Bredell) Subject: Re: Sending replies to blocked packets. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>According to Darren Reed:
>>
>>> That's nice - it should speed up the cracker's port probe immensely,
>>> instead of waiting for a timeout and trying again the cracker will
>>> know that the port is not reachable very shortly after the router
>>> blocks it. Just dropping the packet quietly may not sound very nice
>>> but it does slow down the port probing a bit.
>>
>>Port scanning shouldn't be a threat unless you're relying on obscurity...
>>
>
>
>No, not a threat but dropping the packets without telling the other
>end does make the scanners suffer a bit more getting a profile of your
>system. If you, very cooperatively, send back a packet saying that
>you don't accept a port the scanner can just skip onto the next one.
>Dropping the packet means they need to wait, retry, wait which will
>make the job more tedious - admittedly with the same results but I
>like the idea of making the scanning more tedious ;-) Besides I don't
>see why you should want to send back anything anyway, if you do not
>advertise any service why should you accommodate a casual knob-twister
>or the more serious cracker.

Why should the scanner wait between retries? Surely a competent hacker knows how to make the scanner have more than one outstanding request. This is just like the flood ping program that scans a net by probing several IPs at the same time. There's nothing stopping the program from probing several more IP numbers while still waiting for replies from the old ones.

/Mats
-------------------------------------------------------------------
Mats Bredell                        Mats.Bredell@udac.se
UDAC / Network C                    Communication service systems
Ph: +46 18 187817                   Sweden
Fax: +46 18 516600

From firewalls-owner Fri Jul 7 09:35:53 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA18184 for firewalls-outgoing; Fri, 7 Jul 1995 07:38:00 -0700 Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA18176 for ; Fri, 7 Jul 1995 07:37:56 -0700 Message-Id: <199507071437.HAA18176@miles.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA093027708; Sat, 8 Jul 1995 00:35:08 +1000 From: Darren Reed Subject: Re: Sending replies to blocked packets. To: blymn@awadi.com.AU (Brett Lymn) Date: Sat, 8 Jul 1995 00:35:08 +1000 (EST) Cc: Firewalls@GreatCircle.COM (Firewalls Mailing List) In-Reply-To: <9507071211.AA12615@bunya.awadi> from "Brett Lymn" at Jul 7, 95 09:41:14 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 1930 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In some mail from Brett Lymn, sie said:
>
> According to Darren Reed:
[...]
> >Port scanning shouldn't be a threat unless you're relying on obscurity...
>
> No, not a threat but dropping the packets without telling the other
> end does make the scanners suffer a bit more getting a profile of your
> system. If you, very cooperatively, send back a packet saying that
> you don't accept a port the scanner can just skip onto the next one.
> Dropping the packet means they need to wait, retry, wait which will
> make the job more tedious - admittedly with the same results but I
> like the idea of making the scanning more tedious ;-) Besides I don't
> see why you should want to send back anything anyway, if you do not
> advertise any service why should you accommodate a casual knob-twister
> or the more serious cracker.

Hmmm, have you read about Berferd or the Cuckoo's Egg ? I get the impression that crackers aren't really concerned about how long it takes, for if they succeed, any time has been worth it... As long as you're keeping them out, it doesn't matter how you respond, right ? The important bit is to block the packets. Why let crackers dictate your policy for responding to attacks ?

If crackers can get a pair of packets exchanged (say telnet to smtp on your bastion or mx host), they can estimate RTT, penalise that some and get a good estimate of how long they should wait irrespective of what the timeout would otherwise be. UDP port scanners _do_ use this technique to operate successfully. And what of the port scanners that do numerous ports in parallel ? And who's to say that you're the only "current" target of any particular cracker ?

IF you're *really* concerned about port scanners, get something that will *detect* them...something like the SATAN detectors which would look for three `consecutive' connection attempts to `consecutive' ports; ports which are *unused* by yourself.
darren

From firewalls-owner Fri Jul 7 09:36:13 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA17156 for firewalls-outgoing; Fri, 7 Jul 1995 07:07:11 -0700 Received: from access.mbnet.mb.ca (access.mbnet.mb.ca [130.179.16.143]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA17140 for ; Fri, 7 Jul 1995 07:07:02 -0700 Received: by access.mbnet.mb.ca id AA16739 (5.67b/IDA-1.4.4 for firewalls@greatcircle.com); Fri, 7 Jul 1995 09:06:18 -0500 Date: Fri, 7 Jul 1995 09:06:18 -0500 (CDT) From: Oliver Friedrichs To: firewalls@greatcircle.com Subject: Re: Sending replies to blocked packets. In-Reply-To: <9507071101.AA12388@bunya.awadi> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Fri, 7 Jul 1995, Brett Lymn wrote:

> That's nice - it should speed up the cracker's port probe immensely,
> instead of waiting for a timeout and trying again the cracker will
> know that the port is not reachable very shortly after the router
> blocks it. Just dropping the packet quietly may not sound very nice
> but it does slow down the port probing a bit.

Not if you're probing in parallel; point is, if someone wants to scan you, they will.
- Oliver From firewalls-owner Fri Jul 7 09:39:57 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA18249 for firewalls-outgoing; Fri, 7 Jul 1995 07:39:12 -0700 Received: from DOCKMASTER.NCSC.MIL (DOCKMASTER.NCSC.MIL [26.1.0.172]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA18218 for ; Fri, 7 Jul 1995 07:38:59 -0700 Date: Fri, 7 Jul 95 10:34 EDT From: Wilner@DOCKMASTER.NCSC.MIL Subject: Re: TW on a w-protected floppy To: firewalls@GREATCIRCLE.COM Message-ID: <950707143416.482694@DOCKMASTER.NCSC.MIL> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ranum writes: > It's possible, I suppose, but if you're dealing > with that kind of level of effort it'd be easier > to just hack the kernel to not see or remap certain > files. To "modify the open() routine in the C library" is not to "just hack the kernel." The kernel is distinct from the C library. > I know for a fact that tools exist which allow > a hacker to modify the open() routine in the C > library, so that if a program like tripwire tries > to open a file for read, it actually opens a copy > of the original file, and causes a failure if the > original file is opened or stat()ted directly. This > causes the file to be invisible to tripwire and to > check out OK. Something is missing here: how is "open a file for read" to be distinguished from "open(ed) ... directly" if the only API available to programs is open() operating upon a user-visible pathname? How will you deal with symbolic links? Anyone can make a symbolic link to any file, as long as that person can search the directory in which the file resides, and the pathname mapping [analogous to the API readlink() function] would be performed by the kernel, not by C library functions. How will your magic open() function deal with hard links to files? Will it track down each link dynamically each time a file is opened? This will impose non-negligible delays, to say the least. 
Lumping the stat() thingum into the open() solution is a bit parochial. One can also stat() files given only a file descriptor. In that case, pathname-based mechanisms are useless. > That's a lot of work for an attacker to go through, > though. Modifying a single library does not seem like a lot of work for an attacker to go through. From firewalls-owner Fri Jul 7 09:47:43 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA22801 for firewalls-outgoing; Fri, 7 Jul 1995 09:18:44 -0700 Received: from kgbvax.network.com (kgbvax.network.com [129.191.202.58]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA22728 for ; Fri, 7 Jul 1995 09:16:30 -0700 Received: (from ted@localhost) by kgbvax.network.com (8.6.9/8.6.9) id MAA13407; Fri, 7 Jul 1995 12:14:58 -0400 Date: Fri, 7 Jul 1995 12:14:58 -0400 From: Ted Doty Message-Id: <199507071614.MAA13407@kgbvax.network.com> To: Wilner@dockmaster.ncsc.mil, firewalls@greatcircle.com Subject: Re: Re: controlling FTP transfers In-Reply-To: Mail from 'Wilner@dockmaster.ncsc.mil' dated: Fri, 7 Jul 95 10:15 EDT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 7 Jul 95 10:15 EDT, Wilner@dockmaster.ncsc.mil wrote: I doubt that any "kernel-level subroutine" (read: kernel-level function) will be charged with maintaining "state flags" that reflect the status of a single socket, since it would be a maintenance nightmare for a reentrant module to track such state information when multiple socket-oriented system calls from multiple processes against multiple socket descriptors referencing multiple sockets are likely to be temporally interwoven. In a host, perhaps this is correct. In a firewall, it is not, assuming that sockets don't interact with each other very much. 
While I wouldn't want to say that "multiple socket-oriented system calls" against multiple sockets could not EVER (under any circumstances) interact with each other, it seems fairly straightforward for a firewall to maintain a list of active host-host pairs, with each pair having a list of active (allowed) sockets. You probably aren't talking about more than a dozen active sockets at a time, and these will probably all have the same access policy (i.e. they're all good, or they're all bad).

--
- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation   | phone: +1 301 596-2270
8965 Guilford Road, Suite 250           | fax: +1 410 381-3320
Columbia, MD, 21046 USA                 | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to
real opinions, living or dead, is purely coincidental.

From firewalls-owner Fri Jul 7 09:58:36 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA17392 for firewalls-outgoing; Fri, 7 Jul 1995 07:11:07 -0700
Received: from kgbvax.network.com (kgbvax.network.com [129.191.202.58]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA17381 for ; Fri, 7 Jul 1995 07:11:02 -0700
Received: (from ted@localhost) by kgbvax.network.com (8.6.9/8.6.9) id KAA13040; Fri, 7 Jul 1995 10:08:13 -0400
Date: Fri, 7 Jul 1995 10:08:13 -0400
From: Ted Doty
Message-Id: <199507071408.KAA13040@kgbvax.network.com>
To: tli@cisco.com, avalon@coombs.anu.edu.au
Subject: Re: Sending replies to blocked packets.
In-Reply-To: Mail from 'Tony Li ' dated: Fri, 7 Jul 1995 02:32:08 -0700
Cc: Firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 7 Jul 1995 02:32:08, Tony Li wrote:

Many firewalls/firewall software now support sending back those nice ICMP messages saying that the destination host was unreachable.
While this is nice for those in and outside, is there any structuring beyond the simple "host unreachable"?

Actually, router requirements, RFC 1812, defines a new ICMP Unreachable code: Communication Administratively Prohibited, which is the preferred mechanism for filtering routers. [Coming soon to a cisco near you. ;-) ]

Code 10, for all you geeks. My understanding is that this has been out there for a number of years.

For example, do rules which have a netmask which defines a network return net-unreachables as opposed to one which might block a host (thus host unreachable) or does it return some other error based on what part of the rule it failed at? And if they're not, should they be trying to send back some sort of informed reply?

I believe the thinking within the WG was that disclosing this information was probably not a good idea. If someone is going to the trouble of gathering this information by obvious probing, that's fine... they're more obvious.

The only way to look at this is via a filter of scaled paranoia:

1. Hackers (or potential hackers) get nothing returned; it's as if the Great Network Black Hole ate their request. No info = no further targets.

2. People I want to be more polite to (business partners? My Dad?) get an ICMP network unreachable. A Way Cool variant of this would be to use the source address of, say, an NFSnet routing node. ;-) This makes things look like a simple breakage on the net.

3. Internal people trying to get to where they shouldn't (i.e. the Personnel Department databases) get the "Access Administratively Prohibited." Note that most hosts don't decode any ICMP unreachable except network and port, so this may or may not be valuable. [any OS's other than Ultrix do this?]

4. If you want to allow further access, watch the user data, and send back a TCP RST when they try to do more than you want `em to (i.e. "cd /home/personnel").
UDP is not a problem (note that case #4 is the only difference between TCP and UDP for the purposes of this discussion). Unlike TCP (where I hose up a TCP when I start blowing packets out of the ether), there is no state info maintained in the server. Just blast away at UDP, and let the perpetrator suffer. ;-)

--
- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation   | phone: +1 301 596-2270
8965 Guilford Road, Suite 250           | fax: +1 410 381-3320
Columbia, MD, 21046 USA                 | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to
real opinions, living or dead, is purely coincidental.

From firewalls-owner Fri Jul 7 10:10:02 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA18382 for firewalls-outgoing; Fri, 7 Jul 1995 07:43:06 -0700
Received: from seraph.uunet.ca (uunet.ca [142.77.1.254]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA18377 for ; Fri, 7 Jul 1995 07:43:02 -0700
Received: from dejong by mail.uunet.ca with UUCP id <182209-4>; Fri, 7 Jul 1995 10:44:15 -0400
Received: from dejong.com by dejong.dejong.com; Fri, 7 Jul 95 10:09 EDT
From: chris@dejong.com (Chris Tyler)
To: Firewalls@GreatCircle.COM
Date: Fri, 7 Jul 1995 10:08:00 -0400
Subject: Firewalls & Topologies/Screened Host Gateways
Content-Length: 1682
Content-Type: text/plain
Message-ID: <2ffd3ff20.609@devel.dejong.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

(Warning, newbie question alert...)

In theory, a router--bastion--router or router--dual_homed_host--internal_network topology is preferred to a screened host topology (i.e., router--internal_network, but filtering on the router permits the real world to talk only with a specified host on the internal_network, which serves as the bastion host).
AFAICS, the screened host scenario relies on
(1) the router filter rules being properly configured,
(2) the filtering on the router working properly,
(3) source routing being disabled on the router,
(4) the router being securely configured (no possibility of an attacker changing the router configuration),
(5) the screened host being set up properly (including no IP_FORWARDING),
(6) elimination of the possibility that another host will assume the screened host's IP address (e.g., turn off bastion, plug in another host with same IP address... but then that requires physical access, and if 'they' have physical access we're toast anyways).

Obviously, the reason for considering this approach is cost (please, no flames of the form "if you can't afford security, you can't afford the Internet")... the small size of the network and the value of the information on the network conspire together against throwing too much hardware into this.

Questions:
(a) Am I missing any significant vulnerabilities?
(b) In the real world (theory aside), can this be made reasonably secure?
(c) Any comments on real world experience with Morning Star routers (MSE+) -- gotchas/vulnerabilities?

TIA.

Chris Tyler  chris@dejong.com
Systems Development Manager, Wm. De Jong Enterprises Inc.
+1-519-424-9007 / fax +1-519-424-2399

From firewalls-owner Fri Jul 7 10:13:04 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA15742 for firewalls-outgoing; Fri, 7 Jul 1995 06:41:26 -0700
Received: from hatteras.ch.inri.com (hatteras.ch.inri.com [198.202.184.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA15737 for ; Fri, 7 Jul 1995 06:41:19 -0700
Received: from assateague (assateague.ch.inri.com [198.202.184.111]) by hatteras.ch.inri.com (8.6.12/8.6.6) with SMTP id JAA14590; Fri, 7 Jul 1995 09:41:48 -0400
Date: Fri, 7 Jul 1995 09:41:48 -0400
Message-Id: <199507071341.JAA14590@hatteras.ch.inri.com>
X-Sender: wlb@hatteras.ch.inri.com
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: ddill@junix.ju.edu (Daniel Dill), firewalls@GreatCircle.COM
From: wbunting@ch.inri.com (Bill Bunting)
Subject: Re: One Router or Two?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 06:04 PM 7/6/95 -0400, Daniel Dill wrote:
>Two.
>
>If for no other reason than that it may take extra time and activity to
>get through the second. Giving you a greater chance to notice the breach.
>

Yes, I agree. But... Why not three or four routers? If you can't get one router correct then use two? This does not really fix the problem. There must be better reasons to use two routers than just to delay the hacker (although this is not a bad thing). One good reason to use two routers and a bastion host in between is to force a physical path that guarantees that the hacker must pass through the bastion host.

(Who posted the original One or Two router question... Please summarize the replies. There has been a lot of good discussion.)

Also, to cut down on router configuration errors, you should use a certified automated tool to configure the access lists on your routers. Configuring routers is still a very manual process and admins are going to make mistakes.
Part of a firewall product should be automated router configuration. The firewall I put together automatically configures a Cisco router's access lists, and when any configuration is being done, external (untrusted) interfaces are brought down, etc. After the user has configured access lists by dragging services onto hosts, they select apply and the router and bastion host's access lists are configured automatically. Since the process is automated, you are guaranteed that there will be fewer configuration errors.

Another issue concerning one or two routers is cost. Our customer would not pay for two routers.

regards,
-Bill.

[opinions are those of the author and do not necessarily reflect those of his employer.]
---------------------------------------
| Bill Bunting, Software Engineer       |          ******
|Inter-National Research Institute, Inc.|     ***_******_  __ _
| 1441 Crossways Boulevard, Suite 102   |  ===//=/\**//=/- )==//=
| Chesapeake, Virginia 23320            |  {==//=//\\//=//||==//==
| V(804)424-8675 F(804)420-4262         |   =//=//==\/*//=||=//===
| (wbunting@inri.com)                   |        *********
| (bunting@cs.odu.edu)                  |          *****
| http://www.cs.odu.edu/~bunting        |
---------------------------------------

From firewalls-owner Fri Jul 7 10:27:59 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA15453 for firewalls-outgoing; Fri, 7 Jul 1995 06:34:35 -0700
Received: from ns.ge.com (ns.ge.com [192.35.39.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA15442 for ; Fri, 7 Jul 1995 06:34:28 -0700
Received: from mak.is.ge.com ([3.19.100.81]) by ns.ge.com (8.6.12/8.6.11) with ESMTP id JAA17467 for ; Fri, 7 Jul 1995 09:33:51 -0400
Message-Id: <199507071333.JAA17467@ns.ge.com>
Received: by mak.is.ge.com (1.37.109.9/15.6) id AA0103814269; Fri, 7 Jul 1995 08:33:49 -0500
From: Mohamad A Khatoun
Subject: Re: One Router or Two?
To: firewalls@greatcircle.com
Date: Fri, 7 Jul 95 8:33:49 CDT
In-Reply-To: from "FIREWALLS-OWNER@GREATCIRCLE.COM@INTERNET#" at Jul 6, 95 5:03 pm
Mailer: Elm [revision: 70.85]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I can think of one common setup where two routers can provide better security than one. Consider a firewall which protects more than one network, e.g., LAN1 and LAN2. Assume that the firewall allows specific application level access (e.g, through plug-gw) to LAN1, and TELNET, FTP, etc. to LAN2. Without the second router, any misconfiguration or problem with the firewall will compromise the security of LAN2. With the second router configured to prevent TELNET, FTP and other unauthorized access to LAN2, even if the firewall host is compromised, LAN2 will still be relatively secure.

Cheers,
Mohamad

>
> Yes, that's the theory. However, they're both filtering routers; even when
> done independently by different vendors, there are going to be a lot of
> things that end up being done the same way. For instance, take a look at
> Cisco's recent reported problems with handling of fragmented IP packets
> (i.e., artificially tiny fragments and overlapping fragments). Several
> vendors probably have (or had) the same problem, because they'd done their
> fragment filtering code in much the same "obvious" way that Cisco did.
>
> >The two routers will require different filter configurations.
> >This will reduce the chance that a mis-configuration of filters
> >will open a hole into the organisation.
>
> Again, that's the theory. However, filtering configuration languages for
> various platforms are more similar than different. If someone makes a
> mistake in programming one platform (especially if the mistake is more of a
> "conceptual" problem, where they don't fully understand the consequences or
> implications of something they're doing), the chances are very good that
> they'll make the same mistake in configuring the other platform.
>
> Don't get me wrong; I'm not saying "two routers are no more secure than
> one". Two _can_ be more secure than one, but two are not _automatically_
> more secure than one; it takes careful consideration and implementation to
> make real the potential increases in security of a dual-router
> configuration.
>
> FYI, the reason I normally show dual-router configurations in my classes is
> because they're simpler conceptually, not necessarily because they're more
> secure. I show one router handling traffic between the perimeter net and
> the internal net, and the other router handling traffic between the
> perimeter net and the world. Once we've gone through the dual-router
> architecture in some detail, then we discuss an equivalent single-router
> architecture as a variation.
>
>
> -Brent
>
> ----------------------------------------------------------------------
> For info about the Internet Security Firewalls Tutorial and a schedule
> of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM
> ----------------------------------------------------------------------
> Brent Chapman                                  Great Circle Associates
> Brent@GreatCircle.COM                          1057 West Dana Street
> +1 415 962 0841                                Mountain View, CA 94041
>

From firewalls-owner Fri Jul 7 10:54:11 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA16361 for firewalls-outgoing; Fri, 7 Jul 1995 06:51:30 -0700
Received: from hatteras.ch.inri.com (hatteras.ch.inri.com [198.202.184.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA16329 for ; Fri, 7 Jul 1995 06:50:37 -0700
Received: from assateague (assateague.ch.inri.com [198.202.184.111]) by hatteras.ch.inri.com (8.6.12/8.6.6) with SMTP id JAA14708; Fri, 7 Jul 1995 09:51:23 -0400
Date: Fri, 7 Jul 1995 09:51:23 -0400
Message-Id: <199507071351.JAA14708@hatteras.ch.inri.com>
X-Sender: wlb@hatteras.ch.inri.com
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain;
 charset="us-ascii"
To: paul@hawksbill.sprintmrn.com (Paul Ferguson)
From: wbunting@ch.inri.com (Bill Bunting)
Subject: Re: xdmcp info
Cc: firewalls@GreatCircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>Quick question, semi-relevant to firewalls:
>
>Would anyone happen to know where one could find a detailed
>description of xdmcp (udp/177) and its functions?
>
>Thanks,
>
>- paul
>

Paul,

You can get the source code from MIT for the X-Windows XDM (X Display Manager) program. Here is Xdmcp.h

/* $XConsortium: Xdmcp.h,v 1.8 91/07/23 22:28:07 keith Exp $ */
/*
 * Copyright 1989 Network Computing Devices, Inc., Mountain View, California.
 *
 * Permission to use, copy, modify, and distribute this software and its
 * documentation for any purpose and without fee is hereby granted, provided
 * that the above copyright notice appear in all copies and that both that
 * copyright notice and this permission notice appear in supporting
 * documentation, and that the name of N.C.D. not be used in advertising or
 * publicity pertaining to distribution of the software without specific,
 * written prior permission.  N.C.D. makes no representations about the
 * suitability of this software for any purpose.  It is provided "as is"
 * without express or implied warranty.
 *
 */

#ifndef _XDMCP_H_
#define _XDMCP_H_

/* CARD8, CARD16, CARD32 and BYTE come from Xmd.h; the include is added here,
 * the posted copy expects the including file to have pulled it in already. */
#include <X11/Xmd.h>

#define XDM_PROTOCOL_VERSION	1
#define XDM_UDP_PORT		177
#define XDM_MAX_MSGLEN		8192
#define XDM_MIN_RTX		2
#define XDM_MAX_RTX		32
#define XDM_RTX_LIMIT		7
#define XDM_KA_RTX_LIMIT	4
#define XDM_DEF_DORMANCY	(3 * 60)	/* 3 minutes */
#define XDM_MAX_DORMANCY	(24 * 60 * 60)	/* 24 hours */

/* opcodes carried in the CARD16 opcode field of every datagram */
typedef enum {
    BROADCAST_QUERY = 1, QUERY, INDIRECT_QUERY, FORWARD_QUERY,
    WILLING, UNWILLING, REQUEST, ACCEPT, DECLINE, MANAGE, MANAGE_REMOTE,
    REMOTE_ACCEPT, REMOTE_EVENT, REFUSE, FAILED, KEEPALIVE, ALIVE
} xdmOpCode;

/* client-side (display) state machine */
typedef enum {
    XDM_QUERY, XDM_BROADCAST, XDM_INDIRECT, XDM_COLLECT_QUERY,
    XDM_COLLECT_BROADCAST_QUERY, XDM_COLLECT_INDIRECT_QUERY,
    XDM_START_CONNECTION, XDM_AWAIT_REQUEST_RESPONSE,
    XDM_AWAIT_MANAGE_RESPONSE, XDM_MANAGE, XDM_RUN_SESSION, XDM_OFF,
    XDM_AWAIT_USER_INPUT, XDM_KEEPALIVE, XDM_AWAIT_ALIVE_RESPONSE
} xdmcp_states;

#ifdef NOTDEF
/* table of hosts */
#define XDM_MAX_STR_LEN 21
#define XDM_MAX_HOSTS 20
struct xdm_host_table {
    struct sockaddr_in sockaddr;
    char name[XDM_MAX_STR_LEN];
    char status[XDM_MAX_STR_LEN];
};
#endif /* NOTDEF */

typedef CARD8	*CARD8Ptr;
typedef CARD16	*CARD16Ptr;
typedef CARD32	*CARD32Ptr;

/* wire-format containers: a length followed by that many elements */
typedef struct _ARRAY8 {
    CARD16	length;
    CARD8Ptr	data;
} ARRAY8, *ARRAY8Ptr;

typedef struct _ARRAY16 {
    CARD8	length;
    CARD16Ptr	data;
} ARRAY16, *ARRAY16Ptr;

typedef struct _ARRAY32 {
    CARD8	length;
    CARD32Ptr	data;
} ARRAY32, *ARRAY32Ptr;

typedef struct _ARRAYofARRAY8 {
    CARD8	length;
    ARRAY8Ptr	data;
} ARRAYofARRAY8, *ARRAYofARRAY8Ptr;

/* every datagram starts with this six-byte header, network byte order */
typedef struct _XdmcpHeader {
    CARD16  version, opcode, length;
} XdmcpHeader, *XdmcpHeaderPtr;

typedef struct _XdmcpBuffer {
    BYTE    *data;
    int     size;		/* size of buffer pointed by to data */
    int     pointer;		/* current index into data */
    int     count;		/* bytes read from network into data */
} XdmcpBuffer, *XdmcpBufferPtr;

typedef struct _XdmAuthKey {
    BYTE    data[8];
} XdmAuthKeyRec, *XdmAuthKeyPtr;

/* implementation-independent network address structure.
   Equiv to sockaddr* for sockets and netbuf* for STREAMS. */

typedef char *XdmcpNetaddr;

extern int  XdmcpWriteCARD8(), XdmcpWriteCARD16();
extern int  XdmcpWriteCARD32();
extern int  XdmcpWriteARRAY8(), XdmcpWriteARRAY16();
extern int  XdmcpWriteARRAY32(), XdmcpWriteARRAYofARRAY8();
extern int  XdmcpWriteHeader(), XdmcpFlush();

extern int  XdmcpReadCARD8(), XdmcpReadCARD16();
extern int  XdmcpReadCARD32();
extern int  XdmcpReadARRAY8(), XdmcpReadARRAY16();
extern int  XdmcpReadARRAY32(), XdmcpReadARRAYofARRAY8();
extern int  XdmcpReadHeader(), XdmcpFill();
extern int  XdmcpReadRemaining();

extern void XdmcpDisposeARRAY8(), XdmcpDisposeARRAY16();
extern void XdmcpDisposeARRAY32(), XdmcpDisposeARRAYofARRAY8();

extern int  XdmcpCopyARRAY8();
extern int  XdmcpARRAY8Equal();

#ifdef HASXDMAUTH
extern void XdmcpGenerateKey();
extern void XdmcpIncrementKey();
extern void XdmcpDecrementKey();
extern void XdmcpWrap();
extern void XdmcpUnwrap();
#endif

#ifndef TRUE
#define TRUE 1
#define FALSE 0
#endif

#ifndef Xalloc
#ifndef xalloc
extern long *Xalloc (), *Xrealloc ();
extern void Xfree();
#endif
#endif

#endif /* _XDMCP_H_ */

[opinions are those of the author and do not necessarily reflect those of his employer.]
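A decoder for the wire format the header above describes, as an added Python example rather than code from the X Consortium or from Bill's post: it validates the six-byte header (version, opcode, length, network byte order) against the constants in Xdmcp.h and walks the ARRAY8/ARRAYofARRAY8 fields of the Query family and of Willing, which is what a filter or logger watching udp/177 needs in order to see what a display is asking for and what a manager answers. The sample packets, the hostname xdm.example.invalid and the status string are constructed.

```python
import struct

# Constants from the posted Xdmcp.h
XDM_PROTOCOL_VERSION = 1
XDM_UDP_PORT = 177
XDM_MAX_MSGLEN = 8192
HEADER_LEN = 6  # CARD16 version, opcode, length (network byte order)

# xdmOpCode from the header: BROADCAST_QUERY = 1 and the rest count up from there
OPCODES = {i + 1: name for i, name in enumerate((
    "BROADCAST_QUERY", "QUERY", "INDIRECT_QUERY", "FORWARD_QUERY", "WILLING",
    "UNWILLING", "REQUEST", "ACCEPT", "DECLINE", "MANAGE", "MANAGE_REMOTE",
    "REMOTE_ACCEPT", "REMOTE_EVENT", "REFUSE", "FAILED", "KEEPALIVE", "ALIVE"))}


class XdmcpError(ValueError):
    """Raised for a datagram that does not decode cleanly; a filter should log and drop it."""


def read_array8(buf, pos):
    """ARRAY8: CARD16 length followed by that many bytes."""
    if pos + 2 > len(buf):
        raise XdmcpError("truncated ARRAY8 length at offset %d" % pos)
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise XdmcpError("ARRAY8 claims %d bytes, only %d left" % (n, len(buf) - pos))
    return buf[pos:pos + n], pos + n


def read_array_of_array8(buf, pos):
    """ARRAYofARRAY8: CARD8 count followed by that many ARRAY8 items."""
    if pos >= len(buf):
        raise XdmcpError("truncated ARRAYofARRAY8 count")
    count, pos = buf[pos], pos + 1
    items = []
    for _ in range(count):
        item, pos = read_array8(buf, pos)
        items.append(item)
    return items, pos


def parse_datagram(datagram):
    """Decode one udp/177 datagram: opcode name plus the decoded fields of
    Query-family and Willing packets, or the raw body for the other opcodes."""
    if len(datagram) > XDM_MAX_MSGLEN:
        raise XdmcpError("datagram exceeds XDM_MAX_MSGLEN")
    if len(datagram) < HEADER_LEN:
        raise XdmcpError("short datagram")
    version, opcode, length = struct.unpack_from(">HHH", datagram, 0)
    if version != XDM_PROTOCOL_VERSION:
        raise XdmcpError("unsupported version %d" % version)
    if length != len(datagram) - HEADER_LEN:
        raise XdmcpError("length field %d != %d body bytes" % (length, len(datagram) - HEADER_LEN))
    name = OPCODES.get(opcode)
    if name is None:
        raise XdmcpError("unknown opcode %d" % opcode)
    body = datagram[HEADER_LEN:]
    result = {"opcode": name}
    if name in ("BROADCAST_QUERY", "QUERY", "INDIRECT_QUERY"):
        # Body: ARRAYofARRAY8 of authentication names the display supports
        names, pos = read_array_of_array8(body, 0)
        result["authentication_names"] = [n.decode("latin-1") for n in names]
    elif name == "WILLING":
        # Body: ARRAY8 authentication name, ARRAY8 hostname, ARRAY8 status
        auth, pos = read_array8(body, 0)
        host, pos = read_array8(body, pos)
        status, pos = read_array8(body, pos)
        result.update(authentication_name=auth.decode("latin-1"),
                      hostname=host.decode("latin-1"), status=status.decode("latin-1"))
    else:
        result["body"] = body
        pos = len(body)
    if pos != len(body):
        raise XdmcpError("%d trailing bytes after %s body" % (len(body) - pos, name))
    return result


def _array8(b):
    return struct.pack(">H", len(b)) + b


def build_query(opcode_name, auth_names):
    """Encode a Query/BroadcastQuery/IndirectQuery (used here to construct sample traffic)."""
    opcode = {v: k for k, v in OPCODES.items()}[opcode_name]
    body = bytes([len(auth_names)]) + b"".join(_array8(n) for n in auth_names)
    return struct.pack(">HHH", XDM_PROTOCOL_VERSION, opcode, len(body)) + body


def build_willing(auth_name, hostname, status):
    """Encode a Willing reply (opcode 5) from a display manager."""
    body = _array8(auth_name) + _array8(hostname) + _array8(status)
    return struct.pack(">HHH", XDM_PROTOCOL_VERSION, 5, len(body)) + body


if __name__ == "__main__":
    # Constructed sample exchange: a display asks, a manager answers
    q = build_query("BROADCAST_QUERY", [b"XDM-AUTHENTICATION-1"])
    w = build_willing(b"XDM-AUTHENTICATION-1", b"xdm.example.invalid", b"0 users")
    print(parse_datagram(q))
    print(parse_datagram(w))
```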
---------------------------------------
| Bill Bunting, Software Engineer       |          ******
|Inter-National Research Institute, Inc.|     ***_******_  __ _
| 1441 Crossways Boulevard, Suite 102   |  ===//=/\**//=/- )==//=
| Chesapeake, Virginia 23320            |  {==//=//\\//=//||==//==
| V(804)424-8675 F(804)420-4262         |   =//=//==\/*//=||=//===
| (wbunting@inri.com)                   |        *********
| (bunting@cs.odu.edu)                  |          *****
| http://www.cs.odu.edu/~bunting        |
---------------------------------------

From firewalls-owner Fri Jul 7 10:57:22 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA23872 for firewalls-outgoing; Fri, 7 Jul 1995 09:38:03 -0700
Received: from maildrop.micrognosis.com (supernova.micrognosis.com [192.233.13.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA23854 for ; Fri, 7 Jul 1995 09:37:56 -0700
Received: by maildrop.micrognosis.com (4.1/SMI-4.1) id AA05387; Fri, 7 Jul 95 12:37:10 EDT
Received: from singhi.corp.micrognosis.com(193.32.166.28) by supernova.micrognosis.com via smap (V1.3) id sma005328; Fri Jul 7 12:36:57 1995
Received: from becks (becks.corp.micrognosis.com) by corp.micrognosis.com (4.1/1.0-integ.cf) id AA29870; Fri, 7 Jul 95 12:39:51 EDT
From: ajack@corp.micrognosis.com (Adam Jack)
Received: by becks id ; Fri, 7 Jul 95 12:39:50 EDT
Message-Id: <9507071639.AA04240@becks>
Subject: Re: How does one provide http://X.com/~FRED w/o giving FRED an account on the firewall?
To: firewalls@greatcircle.com
Date: Fri, 7 Jul 1995 12:39:50 -0400 (EDT)
In-Reply-To: from "Marc Sherman" at Jul 5, 95 10:59:02 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 2458
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

People

> On Sat, 1 Jul 1995, Adam Jack wrote:
> >
> > OK - so the question is exactly as in the subject. If we wish to allow
> > users who have account within the firewall to have their own personal
> > home pages - then we should follow the convention of http://X.com/~FRED.
> > However - we do not want to allow users accounts on the firewall.
> >
> > The problem is that we don't wish to hack into the httpd unless required.
> > Is there a configuration option like CERN's "UserDir" that might help
> > - or a form of MAP that does the job?
> >
> > What are people's mechanisms for allowing users to maintain home pages w/o
> > giving them ftp access to the firewall or accounts.
> >

And I got a lot of useful responses - thanks to all. Some people asked for the final summary so :

The responses were, in order of popularity :

1) Allow accounts - but disable them. I know our firewall administrator would say no to this (for maintenance reasons if nothing else). I also think he'd tell me that adding accounts (even if disabled) was more risk than worthwhile.

2) Get over it - and just use http://X.com/people/FRED. (Yup - our firewall administrator included here ... and I was beginning to agree.)

3) Try commercial server XXX. (Sorry - I can't really justify paying for a ~. I mean - hopefully there'll be links to users pages - so ~'ll hardly ever be typed.)

4) Try Map/Redirect/Pass. I did - and got mixed luck. I could use : "Map(or Pass) ~* people/*" but not : "Map/Pass *~* *people/*" (the latter being useful for some CGI scripts - though CGI probably won't make it to our server.) *AND* the username was being checked even if I did this. So ~FRED would need an account... (I received a terse "Error 403 - Forbidden - bad user directory". I think this behaviour of CERN's is a tad antisocial - however I am open to explanation as to why/if it is more secure.)

5) Use the WN http server from : http://hopf.math.nwu.edu/ Supposedly this server can be configured to do just as I say.

We are going to have a ./people directory and mirror an internal server's tree ./people/FRED (etc) where users can maintain their pages. We are going to look into WN - it seems to have a lot of powerful security features - and see what it offers.
If it can't be configured to do ~ - then forget ~ - it isn't worth it.

Again - thanks for all the help and suggestions :

Adam

From firewalls-owner Fri Jul 7 11:08:02 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA25407 for firewalls-outgoing; Fri, 7 Jul 1995 09:59:37 -0700
Received: from gateway.calcomp.com (gateway.calcomp.com [146.69.160.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA25402 for ; Fri, 7 Jul 1995 09:59:33 -0700
Received: from sys02.mis.calcomp.com by gateway.calcomp.com (5.x/SMI-4.1) id AA23248; Fri, 7 Jul 1995 09:52:51 -0700
Received: by sys02.mis.calcomp.com (5.x/SMI-SVR4) id AA01120; Fri, 7 Jul 1995 09:57:17 -0700
Date: Fri, 7 Jul 1995 09:57:17 -0700
From: jwfornataro@calcomp.com (Joseph Fornataro Jr (x2163))
Message-Id: <9507071657.AA01120@sys02.mis.calcomp.com>
To: firewalls@GreatCircle.COM, James_Dehnert@optilink.optilink.dsccc.com
Subject: Re: ip forwarding
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Ok, we now have 2 Solaris 2 options for killing IP forwarding.
>
> Exactly how is it done in SunOS 4.1.*?
>

You could modify the kernel conf file. The kernel option is:

options ip_forwarding=-1

Add that to your /sys/sun??/conf/kernel_name and run config, make and install the new kernel. See Chapter 22 of System and Networking Administration for more details.

...joe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Joseph Fornataro                 jwfornataro@calcomp.com
Technical Support Specialist     (714) 821-2163
CalComp, Inc.
                                 (714) 821-2374 FAX

From firewalls-owner Fri Jul 7 11:11:44 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA26983 for firewalls-outgoing; Fri, 7 Jul 1995 10:23:21 -0700
Received: from leo.nmc.edu (leo.nmc.edu [192.88.242.239]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA26954 for ; Fri, 7 Jul 1995 10:23:00 -0700
Received: by leo.nmc.edu (5.65/DEC-Ultrix/4.3) id AA27609; Fri, 7 Jul 1995 13:26:06 -0400
Date: Fri, 7 Jul 1995 13:26:05 -0400 (EDT)
From: Mark Dyer
To: Steve Betts
Cc: firewalls@greatcircle.com
Subject: Re: Windows NT Web server and bastion hosts
In-Reply-To: <9506078051.AA805154020@ccmailgw.biss.co.uk>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Our office has an NT Server running for internal use. I've been reading this group to learn more about security and firewalls. Please include me in any discussions about Web Servers and Firewalls for NT.

Mark Dyer
PRC, Inc.
Troy, MI

From firewalls-owner Fri Jul 7 12:28:10 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA25803 for firewalls-outgoing; Fri, 7 Jul 1995 10:05:54 -0700
Received: from leo.nmc.edu (leo.nmc.edu [192.88.242.239]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA25774 for ; Fri, 7 Jul 1995 10:05:25 -0700
Received: by leo.nmc.edu (5.65/DEC-Ultrix/4.3) id AA26570; Fri, 7 Jul 1995 13:09:18 -0400
Date: Fri, 7 Jul 1995 13:09:17 -0400 (EDT)
From: Mark Dyer
To: "\"\"John T. Horn\"\""
Cc: Firewalls@greatcircle.com
Subject: Re: Whadayoucallit?
In-Reply-To: <9507062323.AA05962@calvin>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

How about IZOD and OZOD? Inner Zone Of Defense and Outer Zone Of Defense.

Mark Dyer
PRC, Inc.
Troy, MI

On Thu, 6 Jul 1995, ""John T. Horn"" wrote:

>
> How about "Inner DMZ" and "Outer DMZ" ...
>
> >------------------------------
> >
> >From: Lyndon David
> >
> >I think that the network between internal router and
> >bastion should also be called DMZ as the internal
> >environment from your own users can be just as hostile
> >as the external one.
> >
> >Lyndon
> >
> >------------------------------
>

From firewalls-owner Fri Jul 7 12:47:09 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA20964 for firewalls-outgoing; Fri, 7 Jul 1995 08:48:18 -0700
Received: from charon.amdahl.com (charon.amdahl.com [129.212.11.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA20954 for ; Fri, 7 Jul 1995 08:48:15 -0700
Received: from brittany.oes.amdahl.com by charon.amdahl.com (4.0/SMI-4.1/DNS) id AA12517; Fri, 7 Jul 95 08:47:40 PDT
Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA15889; Fri, 7 Jul 1995 08:47:47 +0800
Date: Fri, 7 Jul 1995 08:47:47 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
Message-Id: <9507071547.AA15889@brittany.oes.amdahl.com>
To: firewalls@greatcircle.com
Subject: Re: cisco packet filter firewall
Content-Length: 744
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 9:57 PM 7/6/95, David Madole/TMG/CSC wrote:
>By the way, DNS only uses TCP for zone transfers, so unless you are running a
>secondary nameserver on the other side of your firewall, you do not need (or
>want) the permit TCP lines in the filter.

This isn't true. You're confused because the most common version of resolver on UNIX, the one that comes with BIND, has this behavior. It isn't true in general. Any query, not just a zone transfer, can be done in TCP. In fact you can find a recommendation in the RFCs that they should! If a resolver does prefer UDP, when a response comes back with the truncate field set, it should retry the query in TCP, so even normal resolvers like nslookup can sometimes make requests in TCP.
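The TC-bit retry Patrick describes, as an added Python example that is not part of his post: it builds a query, decodes the 12-byte reply header, and returns what the resolver does next, so a filter that permits udp/53 but not tcp/53 can be seen to break exactly the retry path. The reply bytes are constructed, and the two-byte length prefix DNS uses over TCP is included because a firewall proxying that retry has to handle it.

```python
import struct

DNS_FLAG_QR = 0x8000  # message is a response
DNS_FLAG_TC = 0x0200  # truncated: the 512-byte UDP payload limit was hit
DNS_FLAG_RD = 0x0100  # recursion desired


def encode_qname(name):
    """Wire-format domain name: length-prefixed labels ending in a zero byte."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(txid, qname, qtype=1, qclass=1):
    """Standard recursive query with one question (qtype 1 = A, qclass 1 = IN)."""
    header = struct.pack(">HHHHHH", txid, DNS_FLAG_RD, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack(">HH", qtype, qclass)


def parse_header(msg):
    """Decode the fixed header: id, flags, and the four section counts."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack_from(">HHHHHH", msg, 0)
    return {"id": txid, "qr": bool(flags & DNS_FLAG_QR),
            "tc": bool(flags & DNS_FLAG_TC), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def next_step(response, expected_id, transport="udp"):
    """What a resolver does with a reply: 'discard' (id mismatch or not a
    response), 'retry-tcp' (TC set on a UDP reply), or 'accept'."""
    h = parse_header(response)
    if h["id"] != expected_id or not h["qr"]:
        return "discard"
    if h["tc"] and transport == "udp":
        return "retry-tcp"
    return "accept"


def frame_for_tcp(msg):
    """Over TCP each DNS message is prefixed with a two-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack(">H", len(msg)) + msg


def make_response(query, truncated=False):
    """Constructed server reply: echoes the question section, carries no
    answers, and optionally sets TC as a server does when the answer would
    not fit in the UDP payload."""
    txid, flags = struct.unpack_from(">HH", query, 0)
    flags |= DNS_FLAG_QR | (DNS_FLAG_TC if truncated else 0)
    return struct.pack(">HH", txid, flags) + query[4:]


if __name__ == "__main__":
    q = build_query(0x1234, "example.com")
    for truncated in (False, True):
        r = make_response(q, truncated=truncated)
        print("TC=%d -> %s" % (truncated, next_step(r, 0x1234)))
    print("TCP frame: %r" % frame_for_tcp(q)[:2])
```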
Patrick

 _______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;).   \
| (mail copyright Patrick J. Horgan)                           (\       |
| Patrick J. Horgan        Amdahl Corporation                   \\ Have |
| patrick@amdahl.com       1250 East Arques Avenue              \\ _ Sword |
| Phone : (408)992-2779    P.O. Box 3470 M/S 316                \\/ Will |
| FAX   : (408)773-0833    Sunnyvale, CA 94088-3470            _/\\ Travel |
\___________________________O16-2294________________________\)__________/

From firewalls-owner Fri Jul 7 12:55:59 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA27768 for firewalls-outgoing; Fri, 7 Jul 1995 10:38:42 -0700
Received: from ns.incog.com (ns.incog.com [199.190.177.251]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA27758 for ; Fri, 7 Jul 1995 10:38:39 -0700
From: mulligan@future.incog.com
Received: from coslabs.incog.com by ns.incog.com (8.6.10/94082501) id KAA01134; Fri, 7 Jul 1995 10:38:45 -0700
Received: from future.incog.com by coslabs.incog.com (5.x/SMI-SVR4) id AA09795; Fri, 7 Jul 1995 11:37:55 -0600
Received: from future (localhost) by future.incog.com (5.x/SMI-SVR4) id AA06414; Fri, 7 Jul 1995 11:37:53 -0600
Message-Id: <9507071737.AA06414@future.incog.com>
To: brian@ilinx.bctel.net
Cc: jwfornataro@calcomp.com, firewalls@greatcircle.com, danny@gmap.leeds.ac.uk
Subject: Re: Re[2]: ip forwarding
Reply-To: mulligan@incog.com
In-Reply-To: Your message of "Thu, 06 Jul 1995 16:54:19 PDT."
Date: Fri, 07 Jul 1995 11:37:52 -0600
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Don't forget !!!!!!!
ndd -s /dev/ip ip_forward_src_routed 0

geoff

From firewalls-owner Fri Jul 7 13:29:46 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA00895 for firewalls-outgoing; Fri, 7 Jul 1995 11:43:03 -0700
Received: from ns.incog.com (ns.incog.com [199.190.177.251]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA00890 for ; Fri, 7 Jul 1995 11:43:00 -0700
From: mulligan@future.incog.com
Received: from coslabs.incog.com by ns.incog.com (8.6.10/94082501) id LAA04396; Fri, 7 Jul 1995 11:37:34 -0700
Received: from future.incog.com by coslabs.incog.com (5.x/SMI-SVR4) id AA10081; Fri, 7 Jul 1995 12:36:43 -0600
Received: from future (localhost) by future.incog.com (5.x/SMI-SVR4) id AA06526; Fri, 7 Jul 1995 12:36:41 -0600
Message-Id: <9507071836.AA06526@future.incog.com>
To: blymn@awadi.com.AU (Brett Lymn)
Cc: avalon@coombs.anu.edu.au (Darren Reed), firewalls@greatcircle.com
Subject: Re: Sending replies to blocked packets.
Reply-To: mulligan@incog.com
In-Reply-To: Your message of "Fri, 07 Jul 1995 21:41:14 +0930." <9507071211.AA12615@bunya.awadi>
Date: Fri, 07 Jul 1995 12:36:41 -0600
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

As with most things in a firewall set-up, this should be configurable on a per service per endpoint basis. Besides being able to choose whether you want to send an ICMP or not, which ICMP Reject type is sent should be selectable by the firewall administrator. While some sites may want to quietly drop packets and feel that this enhances their security, others may want to politely tell the sending site to stop and maybe save some network bandwidth. The point is that it should be site selectable and the option should be there.
geoff

From firewalls-owner Fri Jul 7 13:31:03 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA00469 for firewalls-outgoing; Fri, 7 Jul 1995 11:31:46 -0700
Received: from ns.incog.com (ns.incog.com [199.190.177.251]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA00464 for ; Fri, 7 Jul 1995 11:31:42 -0700
From: mulligan@future.incog.com
Received: from coslabs.incog.com by ns.incog.com (8.6.10/94082501) id LAA04148; Fri, 7 Jul 1995 11:31:43 -0700
Received: from future.incog.com by coslabs.incog.com (5.x/SMI-SVR4) id AA10010; Fri, 7 Jul 1995 12:30:53 -0600
Received: from future (localhost) by future.incog.com (5.x/SMI-SVR4) id AA06517; Fri, 7 Jul 1995 12:30:51 -0600
Message-Id: <9507071830.AA06517@future.incog.com>
To: Wilner@DOCKMASTER.NCSC.MIL
Cc: firewalls@GREATCIRCLE.COM
Subject: Re: controlling FTP transfers
Reply-To: mulligan@incog.com
In-Reply-To: Your message of "Fri, 07 Jul 1995 10:15:00 EDT." <950707141529.815410@DOCKMASTER.NCSC.MIL>
Date: Fri, 07 Jul 1995 12:30:51 -0600
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Wilner once said:
> Fascinating ... I was unaware that sockets had PCBs. I had always
> thought that PCBs were associated with processes, not with passive
> communication endpoints ...

PCB is an overloaded term. PCB isn't necessarily Process Control Block. PCB is also Protocol Control Block used in the TCP/IP stack.

> I doubt that any "kernel-level subroutine" (read: kernel-level
> function) will be charged with maintaining "state flags" that
> reflect the status of a single socket, since it would be a
> maintenance nightmare for a reentrant module to track such state
> information when multiple socket-oriented system calls from
> multiple processes against multiple socket descriptors referencing
> multiple sockets are likely to be temporally interwoven.

SunScreen does maintain state about connections IN THE KERNEL.
geoff

From firewalls-owner Fri Jul 7 13:57:44 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA27614 for firewalls-outgoing; Fri, 7 Jul 1995 10:35:31 -0700
Received: from mermaid.lake.de (mermaid.lake.de [193.197.24.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA27607 for ; Fri, 7 Jul 1995 10:35:23 -0700
Received: from bedard.lake.de by mermaid.lake.de with smtp sMail id m0sUei7-0004nmC; Sat, 8 Jul 95 19:34 GMT+0100
Message-Id:
X-Sender: sbedard@mermaid.lake.de (Unverified)
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 07 Jul 1995 19:38:53 +0100
To: Firewalls@GreatCircle.COM
From: sbedard@mermaid.lake.de (David C Bedard)
Subject: RE: ITAR braindamage
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Marcus J Ranum
Date: Thu, 6 Jul 1995 13:21:43 -0400 (EDT)
Subject: ITAR braindamage
wrote:

- snip ---

> As far as I can tell, there are no restrictions on Digital
>Signature functions, provided they cannot be used to encrypt - this allows
>MD5 and DSS.

What's crazy, of course, is that most modern cryptosystems (that we know about!) are built around functions that are difficult to invert. That really *IS* the cryptosystem. MD5, in order to be a good hashing function, is difficult to invert.

It's trivial to turn a strong cryptographic hashing function into a strong encryption system. A simple example would be taking a key, and running it through MD5. Then you run the first 64 bits of /dev/zero through it, yielding a 64 bit hash code. Xor that with the first 64 bits of the file and transmit them. Take the next 64 bits of the file, re-run the previous 64 bit hash through MD5 and keep Xoring and hashing. That's not as strong a way of doing it as some (like feistel net ciphers) but it's pretty strong.

With respect to ITAR, the emperor truly has no clothes.
------- end -------

Sure, and as soon as a piece of software using MD5 to "encrypt" is developed, even if developed outside the US, it would be refused for export under the ITAR, even though the "crypto-engine" was originally allowed for export. It isn't logical until you realise the goal is intimidation, not justice.

o __|\ O-/-O___________________________________________________________________ David C. Bedard | A LEFTY SAID IT: "We must not confuse dissent with | Compuserve: | disloyalty" - Edward R. Murrow | 100337.2420 | | ------------ |"Necessity is the plea for every infringement of human| sbedard@ | freedom. It is the argument of tyrants; it is the | mermaid.lake.de | creed of slaves." William Pitt [November 18, 1783] | ------------------------------------------------------------------------

From firewalls-owner Fri Jul 7 14:24:50 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA28361 for firewalls-outgoing; Fri, 7 Jul 1995 10:48:53 -0700
Received: from nwnexus.wa.com (nwnexus.wa.com [192.135.191.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA28356 for ; Fri, 7 Jul 1995 10:48:49 -0700
Received: by nwnexus.wa.com id AA07692 (5.65c/IDA-1.4.4 for firewalls@greatcircle.com); Fri, 7 Jul 1995 10:48:00 -0700
Received: by (5.65c) id AA17350; Fri, 7 Jul 1995 09:58:02 -0700
Date: Fri, 7 Jul 1995 09:58:02 -0700
From:
Message-Id: <199507071658.AA17350@>
To: firewalls@greatcircle.com
Subject: Sun's Internet in a Rack..
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've been looking at all of the turnkey systems available and came across the Internet in a Rack by Sun. Does anyone know anything about this? The only information that I really have about it is that it uses the Sun Netra Unix Server. Any information you could give me would be much appreciated. I need to present all of our options, and would like to know as much about each system as possible.
Thanks,
Gil Markham
gil@picco.com

From firewalls-owner Fri Jul 7 14:55:10 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA28954 for firewalls-outgoing; Fri, 7 Jul 1995 10:59:33 -0700
Received: from guardian.EnGarde.com (dialin-46.wustl.edu [128.252.112.46]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA28940 for ; Fri, 7 Jul 1995 10:59:28 -0700
Received: (from mcn@localhost) by guardian.EnGarde.com (8.6.12/8.6.9) id MAA13027; Fri, 7 Jul 1995 12:57:24 -0500
Date: Fri, 7 Jul 1995 12:57:24 -0500
From: Mike Neuman
Message-Id: <199507071757.MAA13027@guardian.EnGarde.com>
To: Wilner@DOCKMASTER.NCSC.MIL
Subject: Re: TW on a w-protected floppy
Reply-To: mcn@EnGarde.com
In-Reply-To: <950707143416.482694@DOCKMASTER.NCSC.MIL>
Organization: En Garde Systems--St. Louis, MO
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In article <950707143416.482694@DOCKMASTER.NCSC.MIL> you write:
>Ranum writes:
>
>> It's possible, I suppose, but if you're dealing
>> with that kind of level of effort it'd be easier
>> to just hack the kernel to not see or remap certain
>> files.
>
>To "modify the open() routine in the C library" is not to "just
>hack the kernel." The kernel is distinct from the C library.
>
>> I know for a fact that tools exist which allow
>> a hacker to modify the open() routine in the C
>> library...
>
>Modifying a single library does not seem like a lot of work for an
>attacker to go through.

I'd really be interested in knowing what systems implement privileged system kernel calls in the C library (and how they do it--setuid libraries?) :-) Last I checked open(2), read(2), write(2), etc. were UNIX kernel calls. fopen(3), on the other hand, is a library function which calls the open() system call. It could be modified out from under dynamically linked executables fairly easily. So, to answer the original question, yes, tools exist to allow the hacker to modify the C library.
Hacking kernel routines is more difficult, but still not very hard:

1) Many machines support loadable modules. You can replace any system call with a loaded version.
2) Even without loadable modules, it's not terribly difficult to romp through physical memory changing whatever you'd like.

-Mike Neuman
mcn@EnGarde.com
En Garde Systems
(314) 367-6402
(314) 367-3555 (FAX)

From firewalls-owner Fri Jul 7 15:25:04 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA05281 for firewalls-outgoing; Fri, 7 Jul 1995 13:11:51 -0700
Received: from wally.hti.net (wally.hti.net [198.70.56.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA05276 for ; Fri, 7 Jul 1995 13:11:48 -0700
Received: from [198.70.56.90] (dialnet50.hti.net [198.70.56.90]) by wally.hti.net (8.6.12/8.6.10) with SMTP id PAA01094 for ; Fri, 7 Jul 1995 15:15:31 -0500
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 7 Jul 1995 15:10:53 -0600
To: Firewalls@GreatCircle.COM
From: sengle@hti.net (Steven W. Engle)
Subject: Smart Card Vendors for Securing Firewalls
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Looking for sources/vendors who provide "smart cards" products to secure logging onto a bastion host (Harris CyberGuard) over a serial connection (modem or direct connect). Looking for vendor/source names, phone numbers, www page, etc.. Any info or insight into integrating "smart cards" onto a bastion host would be appreciated too.

Thanx!
--
Steve Engle
sengle@hti.net

From firewalls-owner Fri Jul 7 15:29:32 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA02259 for firewalls-outgoing; Fri, 7 Jul 1995 12:18:57 -0700
Received: from internet.milkyway.com (milkyway.com [198.53.167.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA02253 for ; Fri, 7 Jul 1995 12:18:49 -0700
Received: from jupiter.milkyway.com (jupiter.milkyway.com [192.168.77.9]) by internet with ESMTP (DuhMail/2.0) id TAA05928; Fri, 7 Jul 1995 19:20:36 GMT
Received: from metis.milkyway.com (mcr@metis.milkyway.com [192.168.77.21]) by jupiter.milkyway.com (8.6.7/8.6.6) with ESMTP id PAA00995 for ; Fri, 7 Jul 1995 15:15:50 -0400
Received: by metis.milkyway.com (8.6.9/BSDI-Client) id PAA25613; Fri, 7 Jul 1995 15:15:49 -0400
To: firewalls@greatcircle.com
Path: not-for-mail
From: mcr@milkyway.com (Michael Richardson)
Newsgroups: milkyway.mail.firewalls
Subject: Re: xdmcp info
Date: 7 Jul 1995 15:15:48 -0400
Organization: Milkyway Networks Corporation, Ottawa, ON
Lines: 27
Distribution: milkyway
Message-ID: <3tk154$p0a@metis.milkyway.com>
References: <199507071351.JAA14708@hatteras.ch.inri.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In article <199507071351.JAA14708@hatteras.ch.inri.com>, Bill Bunting wrote:
>>Would anyone happen to know where one could find a detailed
>>description of xdmcp (udp/177) and its functions?

In brief, it listens for requests for login prompts (broadcasts), and answers the query if appropriate. Later, a client (the remote X *server* --- no end of confusion there) will request a login session, which the xdm will provide by connecting to the X server and opening a nice window.

It is possible to recompile xdm to ignore the INET socket, and only manage the local display. There is a define for this, but there are a couple of tweaks that need to be done. [hmm.
I suppose I should submit the patches to the X consortium]

You definitely do not want XDMCP packets passing through a firewall without examination. If the internal XDM cooperates (which many do, having '*' at the end of the config file), then an *outgoing* TCP connection is initiated. Bingo, login prompt on internal machine.

--
:!mcr!: | Milkyway Networks Corporation
Michael Richardson | Makers of the Black Hole firewall
NCF: aa714 || xx714 | +1 613 566-4574 ... mcr@milkyway.com
Home: mcr@sandelman.ocunix.on.ca. PGP key available.

From firewalls-owner Fri Jul 7 15:31:10 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA06427 for firewalls-outgoing; Fri, 7 Jul 1995 13:39:12 -0700
Received: from cais.cais.com (cais.com [199.0.216.4]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA06422 for ; Fri, 7 Jul 1995 13:39:10 -0700
Received: from vse1 ([205.177.57.119]) by cais.cais.com (8.6.10/8.6.5) with SMTP id QAA08489 for ; Fri, 7 Jul 1995 16:38:34 -0400
Received: by vse1 (4.1/SMI-4.1) id AA03495; Fri, 7 Jul 95 16:34:42 EST
Date: Fri, 7 Jul 1995 16:34:42 -0500 (EST)
From: Peter Wages
X-Sender: pwages@vse1
To: firewalls@greatcircle.com
Subject: FAQ
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is there a faq for this list?
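The XDMCP exchange Michael Richardson describes in his xdmcp message above (Query answered by Willing, then a Request and a Manage that make xdm connect back out to the X server), as an added example that is not part of his message and not xdm's code. The packet layout follows the XDMCP protocol as I know it; the sample packets, the host name and the address in them are constructed.

```python
"""Decode XDMCP (udp/177) packets and flag the ones that make xdm act.

Added example, not part of Michael Richardson's message and not xdm code.
Layout follows the XDMCP protocol: a 6-byte header (version 1, opcode,
payload length; all big-endian 16-bit) then opcode-specific fields built
from CARD16/CARD32, ARRAY8 (16-bit length + bytes) and ARRAYofARRAY8
(8-bit count + ARRAY8s). The sample packets are constructed here.
"""
import struct

OPCODES = {1: "BroadcastQuery", 2: "Query", 3: "IndirectQuery",
           4: "ForwardQuery", 5: "Willing", 6: "Unwilling", 7: "Request",
           8: "Accept", 9: "Decline", 10: "Manage", 11: "Refuse",
           12: "Failed", 13: "KeepAlive", 14: "Alive"}

# The display sends these to xdm; together they make xdm open a TCP
# connection back to the X server address carried in the Request.
TRIGGERS_SESSION = {"Request", "Manage"}


class Reader:
    """Cursor over the payload; every read checks bounds."""

    def __init__(self, data):
        self.d, self.i = data, 0

    def _n(self, width):
        if self.i + width > len(self.d):
            raise ValueError("truncated field")
        v = int.from_bytes(self.d[self.i:self.i + width], "big")
        self.i += width
        return v

    def card8(self):
        return self._n(1)

    def card16(self):
        return self._n(2)

    def card32(self):
        return self._n(4)

    def array8(self):
        n = self.card16()
        if self.i + n > len(self.d):
            raise ValueError("truncated ARRAY8")
        v = self.d[self.i:self.i + n]
        self.i += n
        return v

    def array_of_array8(self):
        return [self.array8() for _ in range(self.card8())]

    def array16(self):
        return [self.card16() for _ in range(self.card8())]


def parse(pkt):
    """Return a dict describing the packet; ValueError on anything malformed."""
    if len(pkt) < 6:
        raise ValueError("short packet")
    version, opcode, length = struct.unpack("!HHH", pkt[:6])
    if version != 1:
        raise ValueError("unknown XDMCP version %d" % version)
    if length != len(pkt) - 6:
        raise ValueError("length field does not match payload")
    r = Reader(pkt[6:])
    out = {"opcode": OPCODES.get(opcode, "opcode%d" % opcode)}
    if opcode == 2:                                   # Query
        out["auth_names"] = r.array_of_array8()
    elif opcode == 5:                                 # Willing
        out["auth_name"] = r.array8()
        out["hostname"] = r.array8().decode("latin-1")
        out["status"] = r.array8().decode("latin-1")
    elif opcode == 7:                                 # Request
        out["display"] = r.card16()
        types = r.array16()
        addrs = r.array_of_array8()
        # Connection type 0 is Internet: a 4-byte IPv4 address xdm will connect to.
        out["addresses"] = [".".join(str(b) for b in a) if t == 0 else a.hex()
                            for t, a in zip(types, addrs)]
        out["auth_name"] = r.array8()
        r.array8()                                    # authentication data
        out["authz_names"] = r.array_of_array8()
        out["manufacturer"] = r.array8().decode("latin-1")
    elif opcode == 10:                                # Manage
        out["session"] = r.card32()
        out["display"] = r.card16()
        out["display_class"] = r.array8().decode("latin-1")
    out["triggers_session"] = out["opcode"] in TRIGGERS_SESSION
    return out


def _pkt(opcode, payload):
    return struct.pack("!HHH", 1, opcode, len(payload)) + payload


def _a8(b):
    return struct.pack("!H", len(b)) + b


# Constructed samples of the exchange: Query -> Willing, then Request and Manage.
QUERY = _pkt(2, b"\x00")                                     # no auth names
WILLING = _pkt(5, _a8(b"") + _a8(b"host.example") + _a8(b"0 users"))
REQUEST = _pkt(7, struct.pack("!H", 0)                       # display :0
               + b"\x01" + struct.pack("!H", 0)              # one Internet conn
               + b"\x01" + _a8(bytes([198, 51, 100, 23]))    # X server address
               + _a8(b"") + _a8(b"")                         # auth name/data
               + b"\x00"                                     # no authz names
               + _a8(b"XFree86"))                            # manufacturer id
MANAGE = _pkt(10, struct.pack("!IH", 0x1234, 0) + _a8(b"MIT-unspecified"))

if __name__ == "__main__":
    for p in (QUERY, WILLING, REQUEST, MANAGE):
        print(parse(p))
```

The address a firewall should care about is the one the Request carries: that is where the internal xdm will open its TCP connection, and nothing in the UDP exchange ties it to the sender of the datagram.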
From firewalls-owner Fri Jul 7 15:31:53 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA29444 for firewalls-outgoing; Fri, 7 Jul 1995 11:10:30 -0700
Received: from igate1.hac.com (igate1.hac.com [192.48.33.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA29437 for ; Fri, 7 Jul 1995 11:10:27 -0700
Received: from pizza.pizza.hac.com ([147.19.105.118]) by igate1.hac.com (4.1/SMI-4.1) id AA21576; Fri, 7 Jul 95 11:07:55 PDT
Received: from [147.19.1.99] (tomn.HAC.COM [147.19.1.99]) by pizza.pizza.hac.com (8.6.12/8.6.6) with SMTP id LAA01799 for ; Fri, 7 Jul 1995 11:08:39 -0700
Message-Id: <199507071808.LAA01799@pizza.pizza.hac.com>
X-Sender: tnaka@sed.hac.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 7 Jul 1995 11:08:06 -0800
To: firewalls@greatcircle.com
From: nakamura@sed.hac.com (Tom Nakamura)
Subject: Re: controlling cern-httpd-proxy
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>On Jul 6, 12:17pm, Dorian Deane wrote:
>> Subject: Re: controlling cern-httpd-proxy
>> > Before you say Pass http://* say
>> >
>> > # Block access to porno
>> > Map http://www.cnam.fr/* /nono.html
>> > Map http://intertain-inc.com/xxx/* /nono.html
>> >
>> > /nono.html may or may not exist, depending on what action you wish to take.
>> > Having it not exist is probably easiest.
>> >
>> > D.
>> >
>>
>> A minor point: if your intent is to limit all access to pornography,
>> this is not a solution that scales well on the Internet. If your
>> intent is to limit access to only sites that contain work-related
>> items, then it doesn't scale at all.
>>
>> The usual refrain here is that this is more of a management/social
>> issue--something that's hard to fix with technology.
>
>However, it does tend to make the users sit up and take notice when the
>nono.html file restates the company policy when users try for the more
>egregious sites that probably don't have a business use.
>
>You won't capture everything. You don't have to keep track of each little
>dirty photo. You just enforce the policy, and occasionally remind the users
>that their access is a privilege, and use may be monitored.
>
>
>--
>Bryan D. Boyle |The Moving Finger writes,and having writ, moves on.
>#include |Nor all your Piety nor Wit can call it back to cancel
>EMAIL: bdboyle@erenj.com |Half a line, or all your tears wash out a Word of it.
>--------------------
>
>

WWW sites can be accessed via name, all aliases and direct IP addresses. Comprehensive MAPs require entries for each form of the URL.

Tom Nakamura

From firewalls-owner Fri Jul 7 15:37:53 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA07958 for firewalls-outgoing; Fri, 7 Jul 1995 14:02:09 -0700
Received: from research.att.com (research.att.com [192.20.225.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA07953 for ; Fri, 7 Jul 1995 14:02:06 -0700
From: smb@research.att.com
Message-Id: <199507072102.OAA07953@miles.greatcircle.com>
Received: by gryphon; Fri Jul 7 16:55:00 EDT 1995
To: Ted Doty
cc: tli@cisco.com, avalon@coombs.anu.edu.au, Firewalls@greatcircle.com
Subject: Re: Sending replies to blocked packets.
Date: Fri, 07 Jul 95 16:54:59 EDT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 7 Jul 1995 02:32:08, Tony Li wrote:

	Code 10, for all you geeks. My understanding is that this has been out there for a number of years.

Yup. But some implementations -- for example, SunOS 4.1.1 -- will ignore ICMP Unreachable messages with ``unknown'' subcodes. Specifically, it ignores any messages if that field is greater than 5... (It's not Sun's fault, of course; they inherited that code from 4.2bsd. And 4.4bsd, or at least BSD/OS, hasn't gotten any better; it *still* rejects unknown subcodes, though it has a larger set of known ones, including 10.)
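Tom Nakamura's point in the message before this one, that a site reachable by name, by alias and by address needs a Map entry for each form, as an added example that is neither his nor cern-httpd's code. The host table below is a constructed stand-in for DNS lookups, and the site names and addresses in it are made up.

```python
"""Expand one blocked web site into every URL form the CERN proxy must Map.

Added example; it is not Tom Nakamura's code or cern-httpd's. A site that
answers as www.example.com may also answer as example.com, as an alias, or
by address, so a Map rule naming only one form leaves the others open. Given
a host table (constructed here to stand in for DNS lookups), this emits one
cern-httpd "Map" line per form, and a matcher that canonicalises a requested
URL the same way: lower case, trailing dot stripped, an explicit port
ignored, and an address written as one 32-bit integer turned back into
dotted form.
"""
from urllib.parse import urlsplit

# Constructed stand-in for DNS: canonical name -> (aliases, IPv4 addresses).
HOST_TABLE = {
    "www.example.com": (["example.com", "web.example.com"],
                        ["192.0.2.10", "192.0.2.11"]),
}


def site_forms(canonical, table=HOST_TABLE):
    """Every host string that reaches the site."""
    aliases, addrs = table[canonical]
    return {canonical.lower(), *(a.lower() for a in aliases), *addrs}


def map_lines(canonical, target="/nono.html", table=HOST_TABLE):
    """cern-httpd configuration lines, one per form: Map http://<form>/* <target>"""
    return ["Map http://%s/* %s" % (f, target) for f in sorted(site_forms(canonical, table))]


def canonical_host(url):
    """Host part of a URL in the form HOST_TABLE uses."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if host.isdigit():                            # http://3221225994/ style literal
        n = int(host)
        if n > 0xFFFFFFFF:
            raise ValueError("integer address out of range")
        host = ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))
    return host


def blocked(url, table=HOST_TABLE):
    """True if the URL's host is any form of a blocked site."""
    host = canonical_host(url)
    return any(host in site_forms(c, table) for c in table)


if __name__ == "__main__":
    print("\n".join(map_lines("www.example.com")))
    for u in ("http://www.example.com/pics/", "http://EXAMPLE.COM./x",
              "http://192.0.2.11:8080/", "http://3221225994/", "http://www.example.org/"):
        print(blocked(u), u)
```

The Map directive matches the URL text, so enumeration is the only option inside cern-httpd's own configuration; a proxy that can run code of its own is better off canonicalising the host, which is what `blocked` does. The integer form of an address is included because a client that accepts it bypasses every dotted-quad entry.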
From firewalls-owner Fri Jul 7 15:48:30 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA04302 for firewalls-outgoing; Fri, 7 Jul 1995 12:58:22 -0700
Received: from bast.livingston.com (bast.livingston.com [149.198.247.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id SAA17602 for ; Thu, 6 Jul 1995 18:39:44 -0700
Received: from server.livingston.com (server.livingston.com [149.198.1.70]) by bast.livingston.com (8.6.9/8.6.9) with ESMTP id SAA22560; Thu, 6 Jul 1995 18:41:14 -0700
Received: (from cdr@localhost) by server.livingston.com (8.6.9/8.6.9) id SAA25704; Thu, 6 Jul 1995 18:39:07 -0700
Date: Thu, 6 Jul 1995 18:39:07 -0700
From: Carl Rigney
Message-Id: <199507070139.SAA25704@server.livingston.com>
To: firewall@virtual.cuc.ab.ca
Subject: Re: Livingston Firewall/Portmaster mailing list?
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Send email to majordomo@msen.com with "subscribe portmaster-users" in the body of the message.

There's a Firewall Applications Note on ftp://ftp.livingston.com/pub/livingston/firewall/firewall-1.1.ps.Z and there are several setup examples under the Technical Support topic on http://www.livingston.com/

--
Carl Rigney
cdr@livingston.com

P.S. Sending email to portmaster-users-request@livingston.com as Brent suggested works in a roundabout way. It'll get forwarded to msen.com, which will send back a message on how to use majordomo to subscribe.
From firewalls-owner Fri Jul 7 16:03:31 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA10929 for firewalls-outgoing; Fri, 7 Jul 1995 14:55:51 -0700
Received: from ns.incog.com (ns.incog.com [199.190.177.251]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA10924 for ; Fri, 7 Jul 1995 14:55:49 -0700
From: mulligan@future.incog.com
Received: from coslabs.incog.com by ns.incog.com (8.6.10/94082501) id OAA12374; Fri, 7 Jul 1995 14:55:44 -0700
Received: from future.incog.com by coslabs.incog.com (5.x/SMI-SVR4) id AA11244; Fri, 7 Jul 1995 15:54:56 -0600
Received: from future (localhost) by future.incog.com (5.x/SMI-SVR4) id AA06664; Fri, 7 Jul 1995 15:54:54 -0600
Message-Id: <9507072154.AA06664@future.incog.com>
To: Oliver Friedrichs
Cc: firewalls@greatcircle.com
Subject: Re: SunScreen + Fragmented packets
Reply-To: mulligan@incog.com
In-Reply-To: Your message of "Thu, 06 Jul 1995 22:48:59 CDT."
Date: Fri, 07 Jul 1995 15:54:54 -0600
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Oliver once wrote:
> On the subject of fragmented packets again, Sun's new SunScreen claims to
> have an IP Fragment cache, my only guess is that they safely defragment
> and reassemble the fragments for the internal network.

SunScreen does have a fragment cache. It doesn't defragment packets, unless they are SKIP encrypted and subsequently fragmented. The fragment cache holds information on whether the fragment leader was passed or dropped and either passes or drops the fragment trailers.

> They also claim that SunScreen doesn't run any standard OS, looks to me
> like it's a packet filter, which spoofs addresses both way (in and out),
> which also supports encryption.

SunScreen runs on a very stripped down/embedded version of Solaris 2.4. There is only one user level process - the admin interface process - and no other network daemons or servers running. The screened interfaces have no ip address and are network invisible.
All unnecessary binaries are removed and it does support encryption (DES, Triple DES, RC2 and RC4) using SKIP for key management.

geoff

From firewalls-owner Fri Jul 7 16:09:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA03575 for firewalls-outgoing; Fri, 7 Jul 1995 12:49:31 -0700
Received: from greatdane.cisco.com (greatdane.cisco.com [171.69.1.141]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA03530 for ; Fri, 7 Jul 1995 12:49:16 -0700
Received: (tli@localhost) by greatdane.cisco.com (8.6.8+c/8.6.5) id MAA16596; Fri, 7 Jul 1995 12:48:02 -0700
Date: Fri, 7 Jul 1995 12:48:02 -0700
From: Tony Li
Message-Id: <199507071948.MAA16596@greatdane.cisco.com>
To: ted@kgbvax.network.com
Cc: avalon@coombs.anu.edu.au, Firewalls@greatcircle.com
In-Reply-To: <199507071408.KAA13040@kgbvax.network.com> (message from Ted Doty on Fri, 7 Jul 1995 10:08:13 -0400)
Subject: Re: Sending replies to blocked packets.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

	Actually, router requirements, RFC 1812, defines a new ICMP Unreachable code: Communication Administratively Prohibited, which is the preferred mechanism for filtering routers. [Coming soon to a cisco near you. ;-) ]

	Code 10, for all you geeks. My understanding is that this has been out there for a number of years.

Sort of. RFC 1122 (Host requirements, Oct 1989) defines code 9 and 10 as "communication with network administratively prohibited" and "communication with host administratively prohibited", respectively. These are clearly classful and as such, obsolete. ;-) The new code is 13, and is classless.
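The fragment cache geoff describes in his SunScreen message above (decide on the leader, replay that decision on the trailers), as an added example that is not SunScreen's code. Two choices below are mine, not from the message: a trailer whose leader has not been seen is dropped rather than held, and entries expire after a fixed time. The rule, the addresses and the fragment sequence are constructed.

```python
"""A fragment cache of the kind geoff describes: decide on the leader, replay on the trailers.

Added example, not SunScreen's code. Only the first fragment (offset 0)
carries the transport header a rule can look at, so the filter applies its
rule to that leader, remembers the verdict keyed by the datagram's
(src, dst, protocol, id) tuple, and applies the same verdict to every
later fragment of the same datagram. Two choices are mine and not from the
message: a trailer whose leader has not been seen is dropped rather than
held, and entries expire after a fixed time. The sample packets are constructed.
"""
import time
from collections import namedtuple

# dport is the transport destination port; it is only present on the
# leader (offset 0) and None on trailers, which carry no transport header.
Frag = namedtuple("Frag", "src dst proto ident offset more dport")

ENTRY_TTL = 30.0            # seconds an entry lives after its leader (assumed)


class FragmentCache:
    def __init__(self, rule, clock=time.monotonic):
        self.rule = rule        # leader -> True (pass) or False (drop)
        self.clock = clock
        self.table = {}         # (src, dst, proto, ident) -> (verdict, expires_at)

    def _expire(self, now):
        for key in [k for k, (_, t) in self.table.items() if t <= now]:
            del self.table[key]

    def decide(self, f):
        now = self.clock()
        self._expire(now)
        key = (f.src, f.dst, f.proto, f.ident)
        if f.offset == 0:
            verdict = bool(self.rule(f))
            if f.more:                  # remember only if trailers will follow
                self.table[key] = (verdict, now + ENTRY_TTL)
            return verdict
        entry = self.table.get(key)
        if entry is None:
            return False                # orphan trailer: fail closed (assumption)
        verdict, _ = entry
        if not f.more:                  # last trailer seen: forget the datagram
            del self.table[key]
        return verdict


def allow_only_smtp(f):
    """Constructed rule: pass only TCP to port 25 on the inside mail host."""
    return f.proto == 6 and f.dst == "10.0.0.25" and f.dport == 25


def run(frags, clock=time.monotonic):
    cache = FragmentCache(allow_only_smtp, clock)
    return [cache.decide(f) for f in frags]


# Constructed sequence: an SMTP datagram in three pieces, a telnet datagram
# in two, and a trailer whose leader never arrived.
SAMPLE = [
    Frag("198.51.100.9", "10.0.0.25", 6, 0x1001, 0, True, 25),
    Frag("198.51.100.9", "10.0.0.25", 6, 0x1001, 185, True, None),
    Frag("198.51.100.9", "10.0.0.25", 6, 0x1001, 370, False, None),
    Frag("198.51.100.9", "10.0.0.25", 6, 0x1002, 0, True, 23),
    Frag("198.51.100.9", "10.0.0.25", 6, 0x1002, 185, False, None),
    Frag("198.51.100.9", "10.0.0.25", 6, 0x1003, 185, False, None),
]

if __name__ == "__main__":
    for f, v in zip(SAMPLE, run(SAMPLE)):
        print("pass" if v else "drop", f)
```

A cache like this still needs one check the sample leaves out: a leader too short to carry the whole transport header must be dropped, otherwise a later fragment can overwrite the port fields after the rule has already said yes (the tiny-fragment problem RFC 1858 describes).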
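The three threads above on replies to blocked packets (geoff's request that drop-or-reject and the reject code be per-service choices; smb's note that 4.2BSD-derived stacks ignore unreachable codes above 5; Tony Li's list of the administratively prohibited codes), as one added example that is not code from any of those messages. The policy table, addresses and packets are constructed.

```python
"""Build the ICMP reject a filter sends for a blocked datagram, and model who will hear it.

Added example; not code from geoff's, smb's or Tony Li's messages. Three
pieces: a per-service policy table of the kind geoff asks for (quiet drop,
or an ICMP Destination Unreachable with an administrator-chosen code); a
builder and parser for the type 3 message (RFC 792 layout: type, code,
checksum, four unused bytes, then the offending datagram's IP header plus
its first 8 bytes); and a model of the 4.2BSD-derived receiver smb
describes, which ignores any code above 5 and so never acts on the
administratively prohibited codes 9 and 10 (RFC 1122) or 13 (RFC 1812)
that Tony Li lists. Policy and packets are constructed.
"""
import struct

ICMP_DEST_UNREACH = 3
CODE_PORT_UNREACH = 3
CODE_NET_ADMIN_PROHIB = 9     # RFC 1122
CODE_HOST_ADMIN_PROHIB = 10   # RFC 1122
CODE_ADMIN_PROHIB = 13        # RFC 1812

# Constructed policy: (protocol, destination port) -> "drop" or an ICMP code.
POLICY = {
    (6, 23): "drop",                 # telnet: say nothing
    (6, 25): CODE_ADMIN_PROHIB,      # smtp to the wrong host: tell the sender why
    (17, 111): CODE_PORT_UNREACH,    # portmap: look like an unbound port
}


def inet_checksum(data):
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def datagram(src, dst, proto, sport, dport):
    """Constructed offending datagram: IP header plus 8 bytes of transport header."""
    l4 = struct.pack("!HHI", sport, dport, 0)
    return ipv4_header(src, dst, proto, len(l4)) + l4


def reject_for(blocked):
    """Return ("drop", None) or ("reject", icmp_bytes) for a blocked IPv4 datagram."""
    ihl = (blocked[0] & 0x0F) * 4
    proto = blocked[9]
    dport = struct.unpack("!H", blocked[ihl + 2:ihl + 4])[0] if proto in (6, 17) else None
    action = POLICY.get((proto, dport), "drop")       # unknown services: quiet drop
    if action == "drop":
        return "drop", None
    quoted = blocked[:ihl + 8]                         # RFC 792: IP header + 64 bits
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, action, 0, 0) + quoted
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return "reject", body


def parse_unreach(icmp):
    """Return (code, quoted datagram); ValueError if not a valid type 3 message."""
    if len(icmp) < 8 or icmp[0] != ICMP_DEST_UNREACH or inet_checksum(icmp) != 0:
        raise ValueError("not a valid Destination Unreachable")
    return icmp[1], icmp[8:]


def bsd42_would_act(icmp):
    """smb's point: a 4.2BSD-derived stack drops any unreachable with code > 5."""
    code, _ = parse_unreach(icmp)
    return code <= 5


if __name__ == "__main__":
    for pkt in (datagram("198.51.100.9", "192.0.2.1", 6, 4000, 23),
                datagram("198.51.100.9", "192.0.2.1", 6, 4001, 25),
                datagram("198.51.100.9", "192.0.2.1", 17, 4002, 111)):
        verdict, icmp = reject_for(pkt)
        if icmp is None:
            print(verdict)
        else:
            print(verdict, "code", parse_unreach(icmp)[0], "4.2BSD host acts:", bsd42_would_act(icmp))
```

What the last column shows is the trade-off the thread is circling: to a SunOS 4.1.x sender a code 13 reject is indistinguishable from a quiet drop, while a code 3 reject is acted on by everyone but says nothing about why the packet was refused.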
Tony

From firewalls-owner Fri Jul 7 16:14:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA11292 for firewalls-outgoing; Fri, 7 Jul 1995 15:09:52 -0700
Received: from dub-img-2.compuserve.com (dub-img-2.compuserve.com [198.4.9.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA11287 for ; Fri, 7 Jul 1995 15:09:49 -0700
Received: by dub-img-2.compuserve.com (8.6.10/5.950515) id SAA24361; Fri, 7 Jul 1995 18:09:15 -0400
Date: 07 Jul 95 18:05:00 EDT
From: Julie Ann Connary <73203.2236@compuserve.com>
To: firewalls
Subject: proxy and gateways
Message-ID: <950707220500_73203.2236_DHI43-1@CompuServe.COM>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

We are trying to set up windows nt as a gateway or proxy for the internet. What I want to accomplish is that all traffic to and from the internet use the windows nt ip address. From my readings so far the Windows nt server has to act as a gateway or perhaps be a proxy for programs like netscape or ws_ftp32. Where can I get further information on what a proxy is, how to use one, how it works? Also has anyone done the above?

My setup is an ethernet network attached to a cisco router attached to the internet. The router has a filtering list only allowing traffic to and from my windows nt server on the ethernet. The windows nt server only has one network card (can have more). The workstations are on the same ethernet as the windows nt server.
Thanks for any insight
Julie Ann

From firewalls-owner Fri Jul 7 16:34:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA03646 for firewalls-outgoing; Fri, 7 Jul 1995 12:50:37 -0700
Received: from sun6.barr.com (gate.barr.com [199.199.125.133]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA01403 for ; Wed, 5 Jul 1995 06:25:06 -0700
Received: from wpo.barr.com by sun6.barr.com (4.1/SMI-4.1) id AA01597; Wed, 5 Jul 95 08:25:59 CDT
Received: from Barr_Domain_1-Message_Server by wpo.barr.com with Novell_GroupWise; Wed, 05 Jul 1995 08:25:00 -0600
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Wed, 05 Jul 1995 08:24:54 -0600
From: "Steve P. Devore"
To: firewalls@GreatCircle.COM, peter@perth.wgc.com.au
Subject: CERN-httpd as a http proxy. -Reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am running the cern http proxy in a chrooted environment on a sunos system and it works well. There is a web document that can help you out. I don't have the url but do a search on cern, httpd, and chroot; you should find it. Unfortunately it is written in Norwegian (I think) but you can figure out the important stuff.

If you do put up the full server, I would recommend doing so on a separate server, especially if you use cgi scripts. I have had a lot better luck with the cern proxy server than with the fwtk proxy server, and it caches as well, a definite plus. The only problem is that the cern daemon is huge.

>>> Peter Musca 7/4/95, 11:46pm >>>
Hi all,

I am about to replace the http- proxy from the fwtk with the cern-httpd proxy. I want to run it in a chrooted environment and would appreciate any tips, advice etc from anyone who has done this. I am not sure whether I will be building a full blown WWW server as yet, but that may come in the future..

thanking you..
...peter
--
----------------------------------------------------------------------
Peter Musca                      System/Network Administrator
Email: peter@perth.wgc.com.au    World Geoscience Corp
Phone: +61-9-383-7833            Western Australia
fax: +61-9-383-7166
----------------------------------------------------------------------

From firewalls-owner Fri Jul 7 16:37:34 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA03719 for firewalls-outgoing; Fri, 7 Jul 1995 12:51:42 -0700
Received: from clark.net (clark.net [168.143.0.7]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA17151 for ; Wed, 5 Jul 1995 15:22:56 -0700
Received: (hcb@localhost) by clark.net (8.6.12/8.6.5) id SAA01335; Wed, 5 Jul 1995 18:22:14 -0400
From: Howard Berkowitz
Message-Id: <199507052222.SAA01335@clark.net>
Subject: Cisco security article (was whadayacallit)
To: firewalls@greatcircle.com
Date: Wed, 5 Jul 1995 18:22:14 -0400 (EDT)
Cc: hcb@clark.net (Howard Berkowitz)
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Content-Length: 15592
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Since I posted a question to firewalls on what to call the network between a dual-homed bastion and the internal screening router, for use in an upcoming tutorial for CiscoWorld, I have received several requests for the article.

DISCLAIMER ON
This article is written for a Cisco user audience in a trade paper; it is not meant as an endorsement of any specific product. I work for PSC International, a Cisco Training Partner and consultant. Text below is a draft intended for publication in the August CiscoWorld, and has not undergone final editing.
DISCLAIMER OFF

BTW, the consensus is that the "whadayacallit" network is called a perimeter network, as distinct from the DMZ which is on the other side of a dual-homed bastion.
----------------

Cisco: Cornerstones, but not Every Brick, of Firewalls
by Howard C. Berkowitz

Last month, I discussed the naming function in Cisco internetworks. One of the important things about naming and routers is that it is neither a pure router nor a pure management host function. Both sorts of machine are needed in the full solution. Even more of a multiple-component function is the firewall.

Especially as internetworking clients connect to the public internet, but also as they interconnect to business partners and even among business units of the same enterprise, security becomes more and more of a concern.

Before designing security solutions, first understand what security means. All too many people focus on security as a means of preventing the disclosure of information. They picture the "wily hacker" as a person out to read confidential files. In actuality, security threats are much more broad than information disclosure. The "denial of service" or "theft of service" attack is more common from the outside; information disclosure and alteration is more commonly an "inside" problem due to disgruntled employees. One of the best ways to protect against inside threats is to practice management methods that keep employees gruntled as much as possible. Once they are gruntled, the next step is to keep them aware of security issues, and sensitive to outside threats.

A rational security budget comes from identifying potential threats, and weighting them by the probability of their occurrence. An airline reservation system, for example, might cost its organization $5000 of revenue loss per minute of downtime. If a particular threat that could cause network-wide failure has a 1 percent chance of occurrence, a solution that costs less than $50 per minute is cost-effective. Once the threat and budget are defined, then and only then should tools be selected.

Cisco products contain security features both stand-alone and used with external devices.
Cisco has strategic relationships with complementary security vendors, and there are vendors of other complementary technologies on which Cisco has no position. Perhaps the most popular current buzzword in security technology is "firewall." Routers with access control features are sometimes called firewalls, but that is a simplification. Properly, a firewall is a set of security components that sits between the protected "inside" network and outside users. These users can access the network through dialup links, the Internet, etc. Routers are an important component of firewall solutions, but are not the only mechanism in a comprehensive firewall. In selected environments, simple router-based filtering can provide appropriate security, but limitations must be understood.

On a boat, safety features include fire extinguishers and life jackets. While both are appropriate for their intended tasks, it would be unfortunate if one depended on a fire extinguisher for flotation, or used a plastic life jacket to snuff a gasoline fire. In like manner, different security features complement one another in networks. These various features often operate at different OSI layers. Routers provide security at the network layer. Bastion hosts are "application routers" that provide security at the network layer. Encryption devices may operate at the data link or network layers.

Firewalls
---------

To understand the placement of firewall(s) in a network, Cheswick and Bellovin describe the firewall as a hard crunchy shell around a soft chewy center. The soft chewy center is the set of resources the firewall protects. This analogy deals with a simple black-and-white view of the world; things are either trusted and inside the firewall, or untrusted and outside it. I find a more complex, if somewhat mixed, metaphor to be useful in dealing with more complex firewalling.
At the first level of metaphor enhancement, think of a hard crunchy shell surrounding an onion, with each level of the onion being a different level of sensitivity. Some services in a company are intended to be available to the public, but in a controlled way. Other services are never to be available to the outside world.

Sometimes, when cutting into a real onion, the chef finds that it is not a single symmetrical set of layers surrounding a core, but made up from two or more cloves, each with their set of layers. In many network environments, access to certain selected resources must be restricted inside the organization. By only slightly strained analogy, both the moderately and highly sensitive resources are protected by the outer skin of the onion, but the different communities are separated inside. This separation is invisible from the outside.

Major firewall components include:

• Screening routers that use filtering logic to permit or deny network-layer packets to flow through the firewall. On Cisco, this is commonly done with access control lists, although other features can be used. Routers typically are the fastest devices in a firewall system. They do not maintain information on user connections to applications, which is more the job of the slower bastion host.

• Authentication challenge servers, such as the TACACS protocol function embedded in Cisco routers and access products. These prompt the user for passwords.

• Personal identification devices used as authenticators. Products by Security Dynamics and Enigma Logic are recognized by Cisco.

• Authentication credentialing servers, such as public domain tacacsd software, the tacacs+ function in CiscoWorks, and stand-alone servers. These can be thought of as the function that validates passwords, which may be one-time or reusable.

• Accounting and audit trail mechanisms, which can be trusted disks or even printers.
• Bastion hosts, such as the public domain fwtk or commercial grade Gauntlet from Trusted Information Systems. Bastion hosts can be dual-homed, separating the DMZ and perimeter networks, or a single-homed "traffic cop" on the DMZ.

In an ideal world, a firewall has two routers: an external screening router between the dual-homed bastion host and public networks, and an internal screening router between the bastion host and the protected inside network. The external screening router has a physical connection to the outside, to the bastion host, and to the "demilitarized zone (DMZ)" network. A secure "perimeter network" connects the bastion host with the internal screening router. It can be an economy, when the risks are understood, to use a single router (with enough interfaces) for both the interior and exterior screening router functions; the bastion host is still desirable in this scenario. Alternatively, there may be additional screening routers inside the protected network, to give extra protection to specific projects or organizations.

Screening routers are sensitive parts of the firewall. Many organizations disable virtual terminal login into such routers, and will use secure modems on the auxiliary console port if remote access is needed. Screening routers complement bastion hosts, protecting them from attacks including denial of service attempts based on flooding the network layer. They can also help in protecting against TCP sequence prediction attacks that "hijack" existing connections. Bastion hosts complement screening routers by providing a framework for user-level authentication, by protecting the inside network from flooding, and by a variety of other mechanisms. These hosts work closely with user authentication devices. Typically, a bastion host is implemented on one or more stripped-down UNIX servers, which run only the bastion software and minimal system software.
While it may be a temptation to put World-Wide Web and similar servers on the bastion host, this is not good practice. If a web server is hacked -- and this can happen and does happen -- the bastion is now vulnerable. Public servers belong on the demilitarized zone network between the external screening router and the bastion host. Some organizations provide added security with a split Domain Name Service (DNS), with a public DNS server in the DMZ containing only public server information, which is synchronized with a full DNS server inside the protected area and accessed through the bastion host and internal screening router.

Router Security Features
------------------------

The major router-based security function is the access list, which permits or denies data flow based on addresses and other criteria. A wide range of access lists are available on Cisco routers. Different access list capabilities are available for the different protocol families handled by the Cisco IOS, such as IP, Novell, Apple, bridging, etc. In general, each protocol family has one set of capabilities that applies to unicast traffic with specific destinations, and other sets of capabilities that apply to broadcasts and other management functions such as routing updates. See the discussion of Novell SAP filtering in the June issue of CiscoWorld for an example of one major type of Cisco filter for broadcast traffic.

Most capabilities are available on outgoing interfaces. Broadcast filtering for most protocols is supported on incoming interfaces, and incoming filters for IP traffic became available in Release 9.2.1. Traffic that originates in a router (e.g., telnets from the console port) is not subject to filtering. Specialized access lists guard console ports, both real and virtual.

The general approach to filtering is to define global rules with access-list statements, and activate them on interfaces with appropriate access-group statements.
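The access-list and access-group approach described above, as an added example that is not part of the CiscoWorld article: a small Python model of how an ordered extended IP access list is evaluated, with Cisco-style wildcard masks (a 1 bit means "don't care"), first-match semantics and the implicit deny at the end of every list. The addresses, the rule set and the "established" semantics (match TCP segments that carry ACK or RST) are assumptions for the illustration. It also shows the ordering point made in Sidebar 1, rule 3: moving the broad "established" rule above the anti-spoofing rule lets a forged inside-source packet through the external screening router.

```python
"""Ordered, first-match access list evaluation with Cisco-style wildcard
masks and the implicit deny at the end of every list.

Added example, not code from the article: a Python model of extended IP
access lists. All addresses are documentation ranges chosen for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    established: bool = False  # TCP segment with ACK or RST set


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: str                   # "address wildcard", e.g. "192.0.2.0 0.0.0.255"
    dst: str
    dport: Optional[int] = None
    established: bool = False  # only match replies to inside-initiated TCP


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    base, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); index None = implicit deny."""
    for i, r in enumerate(rules):
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, r.src) and wildcard_match(pkt.dst, r.dst)):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.established and not pkt.established:
            continue
        return r.action, i
    return "deny", None   # every Cisco access list ends with an implicit deny


ANY = "0.0.0.0 255.255.255.255"
INSIDE = "192.0.2.0 0.0.0.255"          # protected inside network (assumed)
MAIL_RELAY = "198.51.100.25 0.0.0.0"    # SMTP relay on the DMZ (assumed)

# Inbound list for the external screening router's outside interface,
# written most specific first, as Sidebar 1 rule 3 recommends.
INBOUND = [
    Rule("deny", "ip", INSIDE, ANY),                       # anti-spoofing
    Rule("permit", "tcp", ANY, MAIL_RELAY, dport=25),      # SMTP to the DMZ relay
    Rule("permit", "tcp", ANY, INSIDE, established=True),  # replies to inside-initiated sessions
]

# The same rules with the broad "established" rule moved to the top.
INBOUND_MISORDERED = [INBOUND[2], INBOUND[0], INBOUND[1]]


def demo():
    smtp = Packet("tcp", "203.0.113.7", "198.51.100.25", 25)
    telnet = Packet("tcp", "203.0.113.7", "192.0.2.10", 23)
    reply = Packet("tcp", "203.0.113.7", "192.0.2.10", 1025, established=True)
    # Outside packet forged with an inside source address and ACK set
    spoof = Packet("tcp", "192.0.2.5", "192.0.2.10", 1025, established=True)
    return {
        "smtp": evaluate(INBOUND, smtp),
        "telnet": evaluate(INBOUND, telnet),
        "reply": evaluate(INBOUND, reply),
        "spoof_ordered": evaluate(INBOUND, spoof),
        "spoof_misordered": evaluate(INBOUND_MISORDERED, spoof),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} -> {verdict}")
```

The anti-spoofing rule must precede anything that permits traffic to the inside network, because the router evaluates top to bottom and stops at the first match; the misordered list permits the forged packet at rule 0 without ever reaching the deny.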
Specialized filtering can also be activated under routing processes, console lines, etc., with specialized statements based on access-groups.

Cisco's IOS has other router-based features for security. In newer releases, access list violations can be logged, as well as other significant actions such as configuration changes. Several features, originally intended for military use but applicable in appropriate commercial environments, make security decisions during routing. The Internet Protocol Security Option (IPSO) prevents IP datagrams of high sensitivity from being forwarded to untrusted subnets, regardless of other routing criteria. Support is being added for the enhanced Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX). DNSIX has auditing enhancements over IPSO, in addition to finer security granularity.

Other Cisco Security Features
-----------------------------

Cisco has long supported the Terminal Access Controller Access Control System (TACACS) as a means of user identification for terminal servers and console ports. While not a formal Internet standard, TACACS is documented in RFC1492. TACACS is the mechanism used by the accessed resource to validate passwords entered by users. The TACACS protocol sends a password to a credentialing server, which responds with permission or denial of access. Basic TACACS passwords and responses are not encrypted, but flow in the clear. This is not necessarily a problem, if a secured LAN or point-to-point connection forms the path between

Other authentication mechanisms are available on links using the Point-to-Point Protocol (PPP), using the standard CHAP and PAP protocols. TACACS Plus (TACACS+) is an extended version that becomes available in Release 10.3(3). The new protocol implements a Network Access Security (NAS) architecture for Authentication, Authorization, and Accounting ("Triple A").
While basic TACACS is IP-oriented, TACACS+ supports other protocol families such as AppleTalk Remote Access. In addition to complex multistep authorization based on the server, TACACS+ allows user-specific access control lists to be defined for specific ports and users. Passwords and responses are transmitted using MD5 encryption. Accounting is also extended with TACACS+. Various levels of accounting are available, ranging from simple connect time to an audit trail of actions performed.

Cisco has entered into a strategic partnership with Cylink Corporation, which is planned to lead to the inclusion of encryption capability in Cisco products next year.

-30-

SIDEBAR 1: Rules of Thumb for Defining Access Lists

1. Assuming that you are defining access lists for security, define the security policy. Remember that there are perfectly good reasons to use access lists for performance tuning as well as for security. One thing to consider in a policy is what to do with traffic types that are not explicitly authorized. Some types, such as BOOTP, may be necessary for operation even if they do not appear to have "user" functions. In general, UDP-based services are more dangerous than TCP-based services.

2. Define what is to be filtered and in which directions. An informal drawing is a good first step, as shown in Figure 2. As opposed to the usual connectivity drawings among routers, it's often convenient to draw unidirectional links between routers.

3. Informally write out your filtering rules. In general, it is best to go from most specific to least specific. Modify the order of writing things to minimize the number of rules needed.

4. Review the lists to see if there are any rules that deny traffic by destination address only. Such filtering can be done much more efficiently using static routes that direct traffic to the null interface.

5. Determine which rules need to be on which routers.
Explicitly consider the direction of flow, and the possible existence of additional paths that could inadvertently bypass a filter. There is often a tradeoff between placing the filters as close as possible to the source, which minimizes traffic "downstream" of the sources, and placing a smaller number of filters more centrally, which simplifies maintenance.

6. Consider maintenance of the lists. Access lists with more than a very few rules should be written and edited on a workstation editor, then downloaded to the router. It is impractical to edit most access lists on the router.

SIDEBAR 2: Learning More about Firewalls and Security

S. Bellovin & W. Cheswick. "Firewalls and Internet Security: Repelling the Wily Hacker". Addison-Wesley.
RFC1579: S. Bellovin, "Firewall-Friendly FTP"
RFC1760: N. Haller, "The S/KEY One-Time Password System"
RFC1244: P. Holbrook, J. Reynolds, "Site Security Handbook"
Firewalls mailing list. Send a message with "subscribe firewalls" in the body to majordomo@greatcircle.com.

From firewalls-owner Fri Jul 7 17:04:30 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA18421 for firewalls-outgoing; Fri, 7 Jul 1995 16:51:49 -0700
Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA18406; Fri, 7 Jul 1995 16:51:44 -0700
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 7 Jul 1995 16:51:28 -0800
To: Peter Wages , firewalls@greatcircle.com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: FAQ
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 4:34 PM 7/7/95, Peter Wages wrote:
> Is there a faq for this list?
ftp://ftp.greatcircle.com/pub/firewalls/FAQ

-Brent

----------------------------------------------------------------------
For info about the Internet Security Firewalls Tutorial and a schedule of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM
----------------------------------------------------------------------
Brent Chapman                           Great Circle Associates
Brent@GreatCircle.COM                   1057 West Dana Street
+1 415 962 0841                         Mountain View, CA 94041

From firewalls-owner Fri Jul 7 18:04:31 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA21311 for firewalls-outgoing; Fri, 7 Jul 1995 17:37:35 -0700
Received: from access.mbnet.mb.ca (access.mbnet.mb.ca [130.179.16.143]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id RAA21300 for ; Fri, 7 Jul 1995 17:37:28 -0700
Received: by access.mbnet.mb.ca id AA13629 (5.67b/IDA-1.4.4 for firewalls@greatcircle.com); Fri, 7 Jul 1995 19:36:48 -0500
Date: Fri, 7 Jul 1995 19:36:48 -0500 (CDT)
From: Oliver Friedrichs
To: firewalls@greatcircle.com
Subject: Re: Sun's Internet in a Rack..
In-Reply-To: <199507071658.AA17350@>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 7 Jul 1995 gil@picco.com wrote:

> I've been looking at all of the turnkey systems available and came
> across the Internet in a Rack by Sun. Does anyone know anything
> about this? The only information that I really have about it is
> that it uses the Sun Netra Unix Server. Any information you could
> give me would be much appreciated. I need to present all of our
> options, and would like to know as much about each system as
> possible.

Basically it's a Sparc 20 (don't know if it comes in other denominations) running Solaris, packaged with a Netscape WWW server, and misc. other software. Apparently it's easy to set up, you just fill in the blanks.
- Oliver

From firewalls-owner Fri Jul 7 23:34:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA27289 for firewalls-outgoing; Fri, 7 Jul 1995 23:24:51 -0700
Received: from bukula.enternet.com.au (bukula.enternet.com.au [203.63.18.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id XAA27284 for ; Fri, 7 Jul 1995 23:24:42 -0700
Received: from e2s133.syd.enternet.com.au (e2s133.syd.enternet.com.au [203.63.37.133]) by bukula.enternet.com.au with SMTP id QAA25262 (8.6.11/IDA-1.6 for ); Sat, 8 Jul 1995 16:23:57 +1000
Message-ID: <199507080623.QAA25262@bukula.enternet.com.au>
X-Sender: geoffmay@mail.enternet.com.au
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sat, 08 Jul 1995 16:23:04 +1000
To: firewalls@greatcircle.com
From: geoffmay@enternet.com.au (Geoff May)
Subject: UnixWare Firewall Support
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm about to start the implementation of a UnixWare based host for the Sydney NetWare Users Group (SNUG).

I would appreciate any information, pointers, and/or details of setting up a firewall under UnixWare.

Thanks in Advance.

Cheers.....Geoff May (President, SNUG)

=-=-=----===-=-==-=-=-==-==-=-=-=-=-=
Geoff May
Network Business Services Pty Ltd.
Computer, Network and Communications Consultants
-------------------------------------
geoffmay@enternet.com.au        <-- here
geoffmay@ion.apana.org.au
geoffmay@ozemail.com.au
73567.524@compuserve.com        CIS: 73567,524
73301.3176@compuserve.com       <-- SNUG Account
CIS: 73301,3176                 <-- SNUG Account
geoffreylmay@bix.com            BIX: geoffreylmay
=-=-==-=-=-=-=-=-=-=-=-==-=-=-==-===-

From firewalls-owner Sat Jul 8 06:04:37 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA04732 for firewalls-outgoing; Sat, 8 Jul 1995 06:01:09 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA04727 for ; Sat, 8 Jul 1995 06:01:05 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA02255; Sat, 8 Jul 95 08:16:07 -0400
Date: Sat, 8 Jul 95 08:16:06 -0400
Message-Id: <9507081216.AA02255@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Smart Card Vendors
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Looking for sources/vendors who provide "smart cards" products to secure
> logging onto a bastion host (Harris CyberGuard) over a serial connection
> (modem or direct connect). Looking for vendor/source names, phone numbers,
> www page, etc..

Well, there are a number of vendors (Enigma-Logic, National Semiconductor, ACE Security Dynamics, Racal) but basically just four types of "smart card" that I know of. With the exception of the last, all depend on software running on the host-side equipment.

1) Time Synchronous: These are the cards with a display that changes periodically. Very easy to use but rely on an accurate clock on the host side to stay reasonably synchronous with the card.
As a consequence PC-based hosts do not always work well.

2) Challenge-response: Bit more difficult to use since the user (or software) must read the challenge sent by the host, enter this into the device, and respond to the host with a series calculated by the device. Since there is no reliance on an external clock, these can be used on any platform and can be handled entirely by software on both ends.

3) Series: The devices are pre-seeded with a value. Each subsequent use causes a computation of the next sequential "password". Some use a One-Time-Pad type implementation.

4) Autoigniting: This was the promise of Capstone/Tessera/Fortezza. Each use will exchange a secure authentication mechanism developed on-the-fly.

Opinion: All have merit but the first three require coordination of the units and provide only authentication of the channel. The last provides no direct authentication (could but doesn't) rather is intended to secure the channel. All could (and will eventually) provide both authentication and channel encryption (have been waiting four years for that now, expect within two).

Have not (yet) seen any device that gives everything I need. Two encrypting/handshaking modems I saw at the CSI show come close, one was from IRE in Baltimore, the other was from Parallon in Bellevue Washington. Both provide session encryption and host-recognition based authentication. Parallon was interesting in that it had the potential for disk encryption as well but had not addressed the issue as yet. Do not have any to play with (hint 8*).

Believe that the future is in a PCMCIA (guess new term is "PC Card") device that can provide authentication, auto-ignition session encryption, full disk encryption, duress response, and have jack for modem and Ethernet. Have most of them now but in a herd of devices, not one. (National Semi "Persona" is possibly the closest but is still "under construction".
Fortezza could do it also as soon as the gov decides to either drop the LEAF - they do not need it - or allow designated escrow holders - Lockheed-Martin comes readily to mind for some obscure reason 8*).

Just as error correcting modems (V-42, MNP-various) made secured communications easy, the speed/size of the PCMCIA card makes all else possible. Just a matter of time now but I am getting impatient.

Warmly,
Padgett

ps still need a copy of the tech manual for a "Lightweight Computer Unit V2 LC" AN/GYC-37. Is "TM 11-7021-217-12 & P". Have gotten everything but the display working & have plans for a portable FireWall. So far have not been permitted to buy/beg/borrow the manual (tried both SAIC and the GPO).

From firewalls-owner Sat Jul 8 07:34:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA05845 for firewalls-outgoing; Sat, 8 Jul 1995 07:14:54 -0700
Received: from tavor.openu.ac.il (tavor.openu.ac.il [147.233.128.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA05840 for ; Sat, 8 Jul 1995 07:14:38 -0700
Received: from ramon.openu.ac.il[rafi] by tavor.openu.ac.il with SMTP id AA27029 (5.67a8/IDA-1.5 for ); Sat, 8 Jul 1995 17:13:29 +0300
Received: by ramon.openu.ac.il id AA14860 (5.67a8/IDA-1.5); Sat, 8 Jul 1995 17:13:17 +0300
Date: Sat, 8 Jul 1995 17:13:14 +0300 (IDT)
From: Rafi Sadowsky
X-Sender: rafi@ramon
To: Darren Reed
Cc: James_Dehnert@optilink.optilink.dsccc.com, firewalls@greatcircle.com
Subject: Re: ip forwarding
In-Reply-To: <199507071133.AA26931@tavor.openu.ac.il>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 7 Jul 1995, Darren Reed wrote:

> In some mail from Rafi Sadowsky, sie said:
> >
> > there is no official way - one would be to add an ip filter ( I can't remember
> > where to get off the top of my head - sorry ) & filter these packets
>
> http://cheops.anu.edu.au/~avalon/ip-filter.html

First of all
Darren - thanks for making this wonderful utility publicly available - I'm sure many ppl appreciate it ( I do )

> > > another is an unofficial kernel patch from sun which junks IP source
> > > routed packets ( you probably also want to turn off IP forwarding in the
> > > kernel config file ) sending an ICMP unreachable back
> > > ( this is for SunOS 4.1 )
> > > I got the patch from
> > > util.uhcc.hawaii.edu:/pub/security/source-routing-patch.tar.Z
> > > [didn't check if it's still there though - it was a while ago]
>

sorry I was a bit mixed up(tired :-( ) and forgot the original subject was blocking ip forwarding - just assumed that the builtin kernel option was obvious

in any case a method for blocking source routed packets was definitely in this thread for Solaris 2.4 and will likely block some nasty tricks (including bouncing source routed packets off an interface without them crossing the machine - that can have nasty consequences - IMHO ... ] and I assumed the question was how to achieve the same with SunOS 4.1.x

> the other way is with adb (for your rc.local):
>
> echo "ip_forwarding?W -1" | adb -w /vmunix /dev/kmem
> echo "ip_forwarding/W -1" | adb -w /vmunix /dev/kmem

this works but is more cleanly done in kernel config file ( and stays after kernel rebuilds ... (a matter of taste I agree)) -

options "IPFORWARDING=-1"

and with the source routing patch applied blocking source routing is accomplished by -

options "IP_BLOCK_SOURCE_ROUTED=1"

> but doesn't stop source routing.

in any case the source-routing-patch adds a kernel option to reject source routed IP packets - do you think this is not necessary to block some versions of IP forwarding(or whatever nasty source routed things can do) ?
anyhow - anyone know about 4.1 & directed broadcasts ( this also came up for Sol 2.4 ) - the source routing patch mentioned above is in source form so I guess it shouldn't be too hard to add( if needed :-( ) but I guess it is probably easier to add it as a rule to Darren's IP filter (in addition to rules for blocking packet forwarding & source routed packets)

[BTW- Darren - does your IP filter handle the case of a source routed packet bouncing off the same interface it arrived ?]

> > Is this a FAQ yet ?

should be... (IMHO of course)

> darren
>
> > On Thu, 6 Jul 1995 James_Dehnert@optilink.optilink.dsccc.com wrote:
> > >
> > > Ok, we now have 2 Solaris 2 options for killing IP forwarding.
> > >
> > > Exactly how is it done in SunOS 4.1.*?
> [...see above...]

No offence intended Rafi

--
Rafi Sadowsky   rafi@tavor.openu.ac.il   [postmaster@openu.ac.il]   FAX: +972-3-6460744

From firewalls-owner Sat Jul 8 09:04:46 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA06841 for firewalls-outgoing; Sat, 8 Jul 1995 08:35:15 -0700
Received: from mermaid.lake.de (mermaid.lake.de [193.197.24.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA06831; Sat, 8 Jul 1995 08:35:06 -0700
Received: from bedard.lake.de by mermaid.lake.de with smtp sMail id m0sUcpu-0004nWC; Sat, 8 Jul 95 17:34 GMT+0100
Message-Id:
X-Sender: sbedard@mermaid.lake.de
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sat, 08 Jul 1995 17:39:04 +0100
To: firewalls-digest-owner@GreatCircle.COM
From: sbedard@mermaid.lake.de (David C Bedard)
Subject: Source Routing
Cc: Firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am running off of two nearly identical PCs (486DX-33 and 40) and running a Trumpet WINSOCK. One runs behind a firewall, the other has a SLIP connection to the internet server.
For both, several sites that we want to regularly communicate with are routed through what we feel is a congested and inappropriate routing which causes unacceptable delays and fallouts. What can I do to send the packets intended for this one sensitive connection (the other connections are also slow and flakey, but the applications are not sensitive) on a specific route, or at least bypass one troublesome node? Of course I know that if source routing is turned off that this isn't possible but I would like to try.

        o
      __|\
    O-/-O___________________________________________________________________
    David C. Bedard  | A LEFTY SAID IT: "We must not confuse dissent with    |
    Compuserve:      | disloyalty" - Edward R. Murrow                        |
    100337.2420      |                                                       |
    ------------     |"Necessity is the plea for every infringement of human |
    sbedard@         | freedom. It is the argument of tyrants; it is the     |
    mermaid.lake.de  | creed of slaves." William Pitt [November 18, 1783]    |
    ------------------------------------------------------------------------

From firewalls-owner Sat Jul 8 11:04:50 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA08352 for firewalls-outgoing; Sat, 8 Jul 1995 10:42:31 -0700
Received: from valiant.te.CdnAir.CA (valiant.te.CdnAir.CA [142.147.1.8]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA08347 for ; Sat, 8 Jul 1995 10:42:28 -0700
Received: by valiant.te.CdnAir.CA id AA16446 (5.67b/IDA-1.5 for firewalls@greatcircle.com); Sat, 8 Jul 1995 10:37:24 -0700
Date: Sat, 8 Jul 1995 10:37:23 -0700 (PDT)
From: "Grant M. Fengstad"
To: Geoff May
Cc: firewalls@greatcircle.com
Subject: Re: UnixWare Firewall Support
In-Reply-To: <199507080623.QAA25262@bukula.enternet.com.au>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 8 Jul 1995, Geoff May wrote:

> I'm about to start the implementation of a UnixWare based host for the Sydney
> NetWare Users Group (SNUG).
>
> I would appreciate any information, pointers, and/or details of setting up a
> firewall under UnixWare.
>

The TIS firewall toolkit compiles under Unixware 2.0. There is a Solaris patch kit that defines the SVR4 stuff that Unixware recognizes very well. Simply redefine the Makefile for Unixware as opposed to Solaris and everything should work.

From firewalls-owner Sat Jul 8 13:36:46 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA10345 for firewalls-outgoing; Sat, 8 Jul 1995 13:09:36 -0700
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA10340 for ; Sat, 8 Jul 1995 13:09:32 -0700
Message-Id: <199507082009.NAA10340@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA227894109; Sun, 9 Jul 1995 06:08:29 +1000
From: Darren Reed
Subject: Re: ip forwarding
To: rafi@tavor.openu.ac.il (Rafi Sadowsky)
Date: Sun, 9 Jul 1995 06:08:29 +1000 (EST)
Cc: Firewalls@GreatCircle.COM (Firewalls Mailing List)
In-Reply-To: from "Rafi Sadowsky" at Jul 8, 95 05:13:14 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1528
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Rafi Sadowsky, sie said:
[...]
> in any case the source-routing-patch adds a kernel option to reject source
> routed IP packets - do you think this is not necessary to block some versions
> of IP forwarding(or whatever nasty source routed things can do) ?

if you don't have any other protection for that subnet (one might even argue host) then it is necessary.

> anyhow - anyone know about 4.1 & directed broadcasts ( this also came up
> for Sol 2.4 ) - the source routing patch mentioned above is in source form
> so I guess it shouldn't be too hard to add( if needed :-( )

ip_dirbroadcast

The kernel option is DIRECTED_BROADCST.
> but I guess it is probably easier to add it as a rule to Darren's IP filter
> (in addition to rules for blocking packet forwarding & source routed packets)
> [BTW- Darren - does your IP filter handle the case of a source routed packet
> bouncing off the same interface it arrived ?]

Ummm currently it groups all packets with IP options together if you ask it. (This is changing in a significant way...) Whether or not it allows the packet in, and to where, is up to you to specify. Personally, I don't allow any packets in which aren't to me, so that means packets which are bouncing off an interface get stopped. If you allow it to bounce off, then you make things more complex - you need to block all spoofs, then allow any destination in with ip options. And if you are careful about packets going out, then you have to make sure the packets get back out.

darren

From firewalls-owner Sat Jul 8 16:04:35 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA12292 for firewalls-outgoing; Sat, 8 Jul 1995 15:53:18 -0700
Received: from strydr.strydr.com (strydr.strydr.com [199.217.201.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA12287 for ; Sat, 8 Jul 1995 15:53:15 -0700
Received: (from ds3721@localhost) by strydr.strydr.com (8.6.12/8.6.11) id RAA00199; Sat, 8 Jul 1995 17:51:12 -0500
From: David Schnardthorst
Message-Id: <199507082251.RAA00199@strydr.strydr.com>
Subject: Re: Sending replies to blocked packets.
To: avalon@coombs.anu.edu.au (Darren Reed)
Date: Sat, 8 Jul 1995 17:51:09 -0500 (CDT)
Cc: blymn@awadi.com.AU, Firewalls@GreatCircle.COM
In-Reply-To: <199507071437.HAA18176@miles.greatcircle.com> from "Darren Reed" at Jul 8, 95 00:35:08 am
Organization: Stryder Communications, Inc.
Address: 869 St. Francois, Florissant, Mo.
63031
Telephone: (314)838-6839
Fax: (314)838-8527
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1932
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In the Original, Darren Reed Says
>
> In some mail from Brett Lymn, sie said:
> >
> > According to Darren Reed:
> [...]
> > > Port scanning shouldn't be a threat unless you're relying on obscurity...
> >
> > No, not a threat but dropping the packets without telling the other
> > end does make the scanners suffer a bit more getting a profile of your
> > system. If you, very cooperatively, send back a packet saying that
> > you don't accept a port the scanner can just skip onto the next one.
> > Dropping the packet means they need to wait, retry, wait which will
> > make the job more tedious - admittedly with the same results but I
> > like the idea of making the scanning more tedious ;-) Besides I don't
> > see why you should want to send back anything anyway, if you do not
> > advertise any service why should you accomodate a casual knob-twister
> > or the more serious cracker.
>
> Hmmm, have you read about Berferd or the Cuckoo's Egg ? I get the
> impression that crackers aren't really concerned about how long it takes,
> for if they succeed, any time has been worth it...

If the firewall is being monitored the way that it should be, the longer it takes for the cracker to get in, the more time you will have to react to the problem. The logs should be monitored several times a day. This can tell you whether or not someone is trying to get in. By extending the time that it would take for them to scan all of the ports, you will have a much better chance of stopping them before they get in.

============================================================================
David Schnardthorst   System Administrator  *  Phone: (314)838-6839
Stryder Communications, Inc.                *  Fax:   (314)838-8527
869 St.
Francois                                    *  E-Mail: ds3721@strydr.com
Florissant, MO 63031                        *  URL:    http://www.strydr.com
============================================================================

From firewalls-owner Sat Jul 8 16:36:45 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA12725 for firewalls-outgoing; Sat, 8 Jul 1995 16:29:13 -0700
Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA12720 for ; Sat, 8 Jul 1995 16:29:09 -0700
Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA05839; Sat, 8 Jul 95 19:27:25 -0500
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9507090027.AA05839@hawksbill.sprintmrn.com>
Subject: Re: Sending replies to blocked packets.
To: ds3721@strydr.com (David Schnardthorst)
Date: Sat, 8 Jul 1995 19:27:25 -0500 (EST)
Cc: avalon@coombs.anu.edu.au, blymn@awadi.com.AU, Firewalls@GreatCircle.COM
In-Reply-To: <199507082251.RAA00199@strydr.strydr.com> from "David Schnardthorst" at Jul 8, 95 05:51:09 pm
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 1154
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> If the firewall is being monitored the way that it should be, the longer it
> takes for the cracker to get in, the more time you will have to react to
> the problem. The logs should be monitored several times a day. This can
> tell you whether or not someone is trying to get in. By extending the time
> that it would take for them to scan all of the ports, you will have a much
> better chance of stopping them before they get in.
>

There is an alternative train of thought that it doesn't really pay to monitor port scans, it takes too much time and resources, and if you've got 'em blocked anyway, who cares? I'll agree that it pays to monitor the ports that you do NOT have blocked, but who cares about scans on the networks, hosts or services that are unavailable?
Devil's advocate,

- paul

_______________________________________________________________________________
Paul Ferguson US Sprint                     tel: 703.689.6828
Managed Network Engineering                 internet: paul@hawk.sprintmrn.com
Reston, Virginia USA                        http://www.sprintmrn.com

From firewalls-owner Sat Jul 8 19:09:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA16668 for firewalls-outgoing; Sat, 8 Jul 1995 18:47:46 -0700
Received: from ilinx.ilinx.com (ilinx.bctel.net [204.174.66.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id SAA16663 for ; Sat, 8 Jul 1995 18:47:41 -0700
Received: by ilinx.ilinx.com (/\==/\ Smail3.1.28.1 #28.1) id ; Sat, 8 Jul 95 18:44 PDT
Message-Id:
From: brian@ilinx.ilinx.com (Brian J. Murrell)
Date: Sat, 8 Jul 1995 18:44:09 -0700 (PDT)
Subject: Re[2]: Sending replies to blocked packets.
To: ds3721@strydr.com
Cc: avalon@coombs.anu.edu.au, blymn@awadi.com.AU, Firewalls@GreatCircle.COM
Reply-To: brian@ilinx.bctel.net
X-Mailer: Ishmail 1.1-950706-386
MIME-Version: 1.0
Content-Type: text/enriched
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

from the quill of David Schnardthorst < on scroll <199507082251.RAA00199@strydr.strydr.com>

> If the firewall is being monitored the way that it should be, the longer it
> takes for the cracker to get in, the more time you will have to react to
> the problem. The logs should be monitored several times a day. This can
> tell you whether or not someone is trying to get in. By extending the time
> that it would take for them to scan all of the ports, you will have a much
> better chance of stopping them before they get in.

Exactly!! I monitor my firewalls real-time. When there's a probe on one of my firewalls, I know about it within a minute or two. I also know about each probe as it happens making it relatively simple to determine if it's an innocent probe or something more malicious.
But your point regarding slowing down the probing process is valid IMHO. b. --
Brian J. Murrell InterLinx Support Services, Inc. North Vancouver, B.C. brian@ilinx.com brian@ilinx.bctel.net brian@wimsey.com Internet Security and Connectivity
From firewalls-owner Sat Jul 8 20:04:35 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA18122 for firewalls-outgoing; Sat, 8 Jul 1995 19:36:17 -0700 Received: from TIS.COM (neptune.tis.com [192.94.214.96]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id TAA18117 for ; Sat, 8 Jul 1995 19:36:14 -0700 Received: from relay.tis.com by neptune.TIS.COM id aa04109; 8 Jul 95 22:29 EDT Received: from pluto.tis.com(192.94.214.99) by relay.tis.com via smap (g3.0.1) id xma015999; Sat, 8 Jul 95 22:28:52 -0400 Received: by tis.com (4.1/SMI-4.1) id AA19331; Sat, 8 Jul 95 22:32:28 EDT From: Marcus J Ranum Message-Id: <9507090232.AA19331@tis.com> Subject: Re: controlling FTP transfers To: firewalls@greatcircle.com Date: Sat, 8 Jul 1995 22:32:27 -0400 (EDT) Reply-To: mjr@iwi.com Organization: Information Works! Inc, Baltimore, MD Url: mjr's web page Phone: 410-889-8569 Coredump: Infocalypse Now!!! X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 2612 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Bruce Wilner writes: >Fascinating ... I was unaware that sockets had PCBs. I had always >thought that PCBs were associated with processes, not with passive >communication endpoints ... There are no polychlorinated biphenyls in the kernel... :) A pcb in the BSD kernel I believe is a "protocol control block" not a process control block. Check in_pcb.[ch] for an example of what one contains. Basically, a pcb is an abstraction that contains the socket's routing information, local port and remote port, etc. It also contains pointers to jump vectors of protocol and specific functions. Each active socket structure also has similar jump vectors. An active TCP's state is held in a TCP pcb called a "tcpcb" (see tcp_var.h) which includes the state of the connection, timers, etc, etc. 
It also has a back pointer, if I recall, to the pcb of the socket the TCP is connected to. That way when the TCP closes it can backprop the close to the socket, etc...

>> ... or whether it's some extra state flags in some
>> kernel-level subroutine.
>
>I doubt that any "kernel-level subroutine" (read: kernel-level
>function) will be charged with maintaining "state flags" that
>reflect the status of a single socket, since it would be a

That's how TCP/IP works! The data structures are a bit involved but in order for a system to do networking properly, all the information and bookkeeping has to get done. So the code is there. It's not strictly implemented in a function, of course, you were taking my words too literally. It's implemented by a function that operates on a data structure. tcp_input() maintains the state of all tcps by altering the tcpcb for each active tcp. It's easy to make the code reentrant since it's just working on data structures.

With respect to a firewall, I suspect the Sunscreen guys (right, Geoff?) just added a few extra bits of state here and there in some of the structures. Either that or they have their own separate very lightweight structure that preserves state. In ip_input() instead of simply routing right out if the packets are not destined for us, switch through a screening table, then if it's OK crank some state values into a lightweight table that is keeping an eye on what's going through, and update the state of the connection like a normal TCP FSM as packets continue to go through. I suspect I've just described a high level design for both sunscreen and firewall-1. :)

Anyone who cares about this stuff should take a look at the sources for the BSD4.4 lite IP stack or the 4.3BSD daemon book. The BSD IP implementation is some Very Nice Code indeed.

mjr.
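Ranum's sketch above (consult a screening table when a new flow appears, then keep a lightweight state entry that is driven like a TCP FSM as packets pass through) worked out as an added example in C. This is not code from the thread, from SunScreen or from FireWall-1: the rule format, the 4-tuple key, the three-state FSM and the addresses are my own simplifications and constructed input.

```c
#include <stdint.h>
#include <string.h>

/* TCP header flag bits. */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

enum tstate { ST_FREE = 0, ST_SYN_SENT, ST_ESTABLISHED, ST_CLOSING };

/* Only the fields the screen and the state table need (constructed input). */
struct pkt { uint32_t src, dst; uint16_t sport, dport; uint8_t flags; };

/* Screening rule: which new connections may be opened. A 0 mask or port is a wildcard. */
struct rule { uint32_t src_net, src_mask, dst_net, dst_mask; uint16_t dport; };

/* Lightweight per-connection state, keyed by the initiator's 4-tuple. */
struct conn { uint32_t isrc, idst; uint16_t isport, idport; enum tstate state; };

#define MAXRULES 16
#define MAXCONNS 64
struct fw { struct rule rules[MAXRULES]; int nrules; struct conn conns[MAXCONNS]; };

uint32_t ip4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

static int rule_matches(const struct rule *r, const struct pkt *p) {
    if (r->src_mask && (p->src & r->src_mask) != r->src_net) return 0;
    if (r->dst_mask && (p->dst & r->dst_mask) != r->dst_net) return 0;
    if (r->dport && p->dport != r->dport) return 0;
    return 1;
}

/* Find the flow a packet belongs to; *fwd is 1 for initiator->responder, 0 for the reply direction. */
static struct conn *lookup(struct fw *fw, const struct pkt *p, int *fwd) {
    for (int i = 0; i < MAXCONNS; i++) {
        struct conn *c = &fw->conns[i];
        if (c->state == ST_FREE) continue;
        if (c->isrc == p->src && c->idst == p->dst && c->isport == p->sport && c->idport == p->dport) {
            *fwd = 1; return c;
        }
        if (c->isrc == p->dst && c->idst == p->src && c->isport == p->dport && c->idport == p->sport) {
            *fwd = 0; return c;
        }
    }
    return NULL;
}

/* Called where ip_input() would otherwise just route a transit packet.
   Returns 1 to forward the packet, 0 to drop it. */
int screen_packet(struct fw *fw, const struct pkt *p) {
    int fwd = 0;
    struct conn *c = lookup(fw, p, &fwd);

    if (c == NULL) {
        /* Unknown flow: only a bare SYN may open one, and only if the screening table allows it. */
        if ((p->flags & (TH_SYN | TH_ACK)) != TH_SYN) return 0;
        for (int i = 0; i < fw->nrules; i++) {
            if (!rule_matches(&fw->rules[i], p)) continue;
            for (int j = 0; j < MAXCONNS; j++) {
                if (fw->conns[j].state != ST_FREE) continue;
                fw->conns[j] = (struct conn){ p->src, p->dst, p->sport, p->dport, ST_SYN_SENT };
                return 1;
            }
            return 0;                 /* state table full: fail closed */
        }
        return 0;                     /* no rule matched */
    }

    /* Known flow: advance the entry like a (much simplified) TCP FSM. */
    if (p->flags & TH_RST) { c->state = ST_FREE; return 1; }
    switch (c->state) {
    case ST_SYN_SENT:
        if (!fwd && (p->flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)) {
            c->state = ST_ESTABLISHED;       /* responder's SYN/ACK */
            return 1;
        }
        return (fwd && (p->flags & TH_SYN)) ? 1 : 0;   /* only a SYN retransmit is allowed here */
    case ST_ESTABLISHED:
        if (p->flags & TH_SYN) return 0;     /* a SYN inside an open flow is bogus */
        if (p->flags & TH_FIN) c->state = ST_CLOSING;
        return 1;
    case ST_CLOSING:
        /* Second FIN: tear down (a real filter would also wait for the last ACK). */
        if (p->flags & TH_FIN) c->state = ST_FREE;
        return 1;
    default:
        return 0;
    }
}
```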
From firewalls-owner Sun Jul 9 00:34:39 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA22496 for firewalls-outgoing; Sun, 9 Jul 1995 00:22:05 -0700
Received: from mermaid.lake.de (mermaid.lake.de [193.197.24.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id AAA22491 for ; Sun, 9 Jul 1995 00:21:55 -0700
Received: from bedard.lake.de by mermaid.lake.de with smtp sMail id m0sUrc6-0004nZC; Sun, 9 Jul 95 09:21 GMT+0100
Message-Id:
X-Sender: sbedard@mermaid.lake.de
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 09 Jul 1995 09:25:46 +0100
To: Firewalls@GreatCircle.COM
From: sbedard@mermaid.lake.de (David C Bedard)
Subject: Source Routing
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am running off of two nearly identical PCs (486DX-33 and 40) and running a trumpet WINSOCK. One runs behind a firewall, the other has a SLIP connection to the internet server. For both, several sites that we want to regularly communicate with are routed through what we feel is a congested and inappropriate route which causes unacceptable delays and fallouts. What can I do to send the packets intended for this one sensitive connection (the other connections are also slow and flakey, but the applications are not sensitive) on a specific route, or at least bypass one troublesome node? Of course I know that if source routing is turned off that this isn't possible but I would like to try.

o __|\ O-/-O___________________________________________________________________ David C. Bedard | A LEFTY SAID IT: "We must not confuse dissent with | Compuserve: | disloyalty" - Edward R. Murrow | 100337.2420 | | ------------ |"Necessity is the plea for every infringement of human| sbedard@ | freedom. It is the argument of tyrants; it is the | mermaid.lake.de | creed of slaves."
William Pitt [November 18, 1783] | ------------------------------------------------------------------------ From firewalls-owner Sun Jul 9 01:34:37 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA23713 for firewalls-outgoing; Sun, 9 Jul 1995 01:11:22 -0700 Received: from awadi.com.AU (myall.awadi.com.AU [150.207.2.65]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id BAA23702 for ; Sun, 9 Jul 1995 01:11:14 -0700 Received: from bunya.awadi ([150.207.1.63]) by awadi.com.AU (4.1/SMI-4.1) id AA26360; Sun, 9 Jul 95 17:39:28 CST Received: from mallee.awadi by bunya.awadi (5.x/SMI-SVR4) id AA24048; Sun, 9 Jul 1995 17:37:23 +0930 From: blymn@awadi.com.AU (Brett Lymn) Message-Id: <9507090807.AA24048@bunya.awadi> Subject: Re: Sending replies to blocked packets. To: paul@hawksbill.sprintmrn.com (Paul Ferguson) Date: Sun, 9 Jul 1995 17:37:24 +0930 (CST) Cc: firewalls@greatcircle.com In-Reply-To: <9507090027.AA05839@hawksbill.sprintmrn.com> from "Paul Ferguson" at Jul 8, 95 07:27:25 pm X-Mailer: ELM [version 2.4 PL2] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk According to Paul Ferguson: > >I'll agree that it pays to monitor the ports that you do NOT have blocked, >but who cares about scans on the networks, hosts or services that are >unavailable? > Monitoring the blocked ports for activity could be a valuable alert that someone is actually looking for a way into your system. Which could be a useful data-point to keep in mind when looking at other activity on your systems. -- Brett Lymn, Computer Systems Administrator, AWA Defence Industries =============================================================================== "It's fifteen hundred miles to Ankh-Morpork" he said. "We've got three hundred and sixty three elephants, fifty carts of forage, the monsoon's about to break and we're wearing ... we're wearing ... sort of things, like glass, only dark... 
dark glass things on our eyes..." - Terry Pratchett "Moving Pictures".

From firewalls-owner Sun Jul 9 05:37:34 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA27110 for firewalls-outgoing; Sun, 9 Jul 1995 05:23:26 -0700
Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA27105 for ; Sun, 9 Jul 1995 05:23:22 -0700
From: fc@all.net (Dr. Frederick B. Cohen)
Received: by all.net (4.1/3.2.012693-Management Analytics); id AA00623 for firewalls@greatcircle.com; Sun, 9 Jul 95 08:16:59 EDT
Message-Id: <9507091216.AA00623@all.net>
Subject: Jul 9 08:06:03 all inetd[122]: httpd/tcp server failing (looping), service terminated
To: bugtraq@crimelab.com
Date: Sun, 9 Jul 1995 08:16:58 -0400 (EDT)
Cc: firewalls@greatcircle.com
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 914
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I was trying a loop test to stress performance on our secure W3 server and found that inetd under SunOS detects what it thinks to be loops and shuts down all httpd services until a kill -HUP is sent to the inetd process. How is this bug/feature controlled, and doesn't this lead very directly to denial of services attacks?

Jul 9 08:06:03 all inetd[122]: httpd/tcp server failing (looping), service terminated

--
-> See: Info-Sec Heaven using our New Super Secure World-Wide-Web Server
-> Free: Test your system's security (scans deeper than SATAN or ISS!)
---------------------- both at URL: http://all.net ----------------------
-> Read: "Protection and Security on the Information Superhighway" John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95
-------------------------------------------------------------------------
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236

From firewalls-owner Sun Jul 9 12:39:25 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA02600 for firewalls-outgoing; Sun, 9 Jul 1995 12:19:00 -0700
Received: from relay.acns.nwu.edu (ns.nwu.edu [129.105.16.56]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA02595 for ; Sun, 9 Jul 1995 12:18:57 -0700
Received: from [129.105.110.129] (socrates.acns.nwu.edu) by relay.acns.nwu.edu with SMTP (1.37.109.16/20.3) id AA131257600; Sun, 9 Jul 1995 14:20:00 -0500
Date: Sun, 9 Jul 1995 14:20:00 -0500
X-Sender: lunde@lulu.acns.nwu.edu
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: bugtraq@crimelab.com
From: Albert Lunde
Subject: Re: Jul 9 08:06:03 all inetd[122]: httpd/tcp server failing (looping), service terminated
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 8:16 AM 7/9/95, fc@all.net wrote:
> I was trying a loop test to stress performance on our secure W3
>server and found that inetd under SunOS detects what it thinks to be
>loops and shuts down all httpd services until a kill -HUP is sent to
>the inetd process. How is this bug/feature controlled, and doesn't this
>lead very directly to denial of services attacks?

I think this bug/feature is fairly widespread. Below are some extracts from the old (pre-4.4lite) BSD sources (ftped off uunet a year or two back):

What this comes down to is that inetd shuts down a service if more than a particular number of requests per minute come in, for a fixed period of time (presumably as a defense against run-away client software.)
>#define TOOMANY		40		/* don't start more than TOOMANY */
>#define CNT_INTVL	60		/* servers in CNT_INTVL sec. */
>#define RETRYTIME	(60*10)		/* retry after bind or server fail */
>
>		if (dofork) {
>			if (sep->se_count++ == 0)
>			    (void)gettimeofday(&sep->se_time,
>			        (struct timezone *)0);
>			else if (sep->se_count >= TOOMANY) {
>				struct timeval now;
>
>				(void)gettimeofday(&now, (struct timezone *)0);
>				if (now.tv_sec - sep->se_time.tv_sec >
>				    CNT_INTVL) {
>					sep->se_time = now;
>					sep->se_count = 1;
>				} else {
>					syslog(LOG_ERR,
>			"%s/%s server failing (looping), service terminated\n",
>					    sep->se_service, sep->se_proto);
>					FD_CLR(sep->se_fd, &allsock);
>					(void) close(sep->se_fd);
>					sep->se_fd = -1;
>					sep->se_count = 0;
>					nsock--;
>					if (!timingout) {
>						timingout = 1;
>						alarm(RETRYTIME);
>					}

Unfortunately these time constants were originally hardwired in the code and computers have been getting faster. We met this bug when it shut down a widely used service on our campus.

There are patches for various versions of Unix and changes in the newer BSD sources that add a parameter to inetd that allows changing the cutoff rate of requests per minute.

But this doesn't really solve the problem of denial of service... though one might argue that having some upper limit controls another kind of denial of service, a 10 minute total shutdown of the service is a drastic remedy.
---
Albert Lunde Albert-Lunde@nwu.edu

From firewalls-owner Sun Jul 9 14:34:41 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA04036 for firewalls-outgoing; Sun, 9 Jul 1995 14:16:04 -0700
Received: from venus.Sun.COM (venus.Sun.COM [192.9.25.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA04025 for ; Sun, 9 Jul 1995 14:16:02 -0700
Received: from Ebay.Sun.COM by venus.Sun.COM (Sun.COM) id OAA29232; Sun, 9 Jul 1995 14:15:30 -0700
Received: from dreamworks.EBay.Sun.COM by Ebay.Sun.COM (5.x/SMI-5.3) id AA05094; Sun, 9 Jul 1995 14:15:26 -0700
Received: by dreamworks.EBay.Sun.COM (5.x/SMI-SVR4) id AA02199; Sun, 9 Jul 1995 14:13:13 -0700
Date: Sun, 9 Jul 1995 14:13:13 -0700
From: Vincent.Yau@Ebay.Sun.COM (Vincent Yau)
Message-Id: <9507092113.AA02199@dreamworks.EBay.Sun.COM>
To: firewalls@greatcircle.com
Subject: Programmable FTP??
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dear all, hope this topic does not deviate too much from the nature of this list. I am wondering if there is any way, from a program that I am writing, to invoke FTP and do all the necessary login, then check for the content of the file(s) that I ftp'ed over to see if they are really valid files? For instance, if the connection is lost in the middle of the transfer, I will have half of the valid file and is there a way to detect such cases?
(this is only one of many possibilities) Thanks --vincent.yau@sun.com From firewalls-owner Sun Jul 9 16:04:34 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA05164 for firewalls-outgoing; Sun, 9 Jul 1995 15:41:29 -0700 Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA05159 for ; Sun, 9 Jul 1995 15:41:26 -0700 Message-Id: <199507092241.PAA05159@miles.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA124339646; Mon, 10 Jul 1995 08:40:46 +1000 From: Darren Reed Subject: Re: Jul 9 08:06:03 all inetd[122]: httpd/tcp server failing (looping), service terminated To: fc@all.net (Dr. Frederick B. Cohen) Date: Mon, 10 Jul 1995 08:40:46 +1000 (EST) Cc: bugtraq@crimelab.com, firewalls@greatcircle.com In-Reply-To: <9507091216.AA00623@all.net> from "Dr. Frederick B. Cohen" at Jul 9, 95 08:16:58 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 519 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In some mail from Dr. Frederick B. Cohen, sie said: > > I was trying a loop test to stress performance on our secure W3 > server and found that inetd under SunOS detects what it thinks to be > loops and shuts down all httpd services untill a kill -HUP is sent to > the inetd process. How is this bug/feature controlled, and doesn't this > lead very directly to denial of services attacks? There is a patch from Sun, already, for this. Have you applied this already ? Maybe you need to be running xinetd ? darren From firewalls-owner Sun Jul 9 17:04:32 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA06208 for firewalls-outgoing; Sun, 9 Jul 1995 16:48:47 -0700 Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA06203 for ; Sun, 9 Jul 1995 16:48:43 -0700 From: fc@all.net (Dr. Frederick B. 
Cohen)
Received: by all.net (4.1/3.2.012693-Management Analytics); id AA01081 for firewalls@greatcircle.com; Sun, 9 Jul 95 19:42:41 EDT
Message-Id: <9507092342.AA01081@all.net>
Subject: denial of services vs. denial of services
To: firewalls@greatcircle.com
Date: Sun, 9 Jul 1995 19:42:41 -0400 (EDT)
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 1400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

So the nature of the problem is that if you allow tons of requests, you can get denial of services by domination of the service - while stopping services because of excessive use of services gives you denial of services by dominating of services.

Has anyone come up with an analysis of this issue yet? I have been thinking of different variations on themes and think that it would be useful to deny services:

- Only to the site attempting to dominate services.
- Only if it exceeds a generic or site-specific number of requests in a given period of time.
- Only if it is causing other services to be substantially affected.
- In such a way as to indicate the issue to the dominating site.
- With an audit trail that allows automated action in response.

Are there other criteria that people have considered before? Are there implementations that deal with matters at this level of control?

--
-> See: Info-Sec Heaven using our New Super Secure World-Wide-Web Server
-> Free: Test your system's security (scans deeper than SATAN or ISS!)
---------------------- both at URL: http://all.net ---------------------- -> Read: "Protection and Security on the Information Superhighway" John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95 ------------------------------------------------------------------------- Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From firewalls-owner Sun Jul 9 18:34:55 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA07957 for firewalls-outgoing; Sun, 9 Jul 1995 18:32:23 -0700 Received: from leibniz.math.psu.edu (leibniz.math.psu.edu [146.186.130.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id SAA07952 for ; Sun, 9 Jul 1995 18:32:20 -0700 Received: from hausdorff.math.psu.edu (cross@hausdorff.math.psu.edu [146.186.132.5]) by leibniz.math.psu.edu (8.6.12/8.6.9) with ESMTP id VAA03122; Sun, 9 Jul 1995 21:31:48 -0400 Received: from localhost (cross@localhost) by hausdorff.math.psu.edu (8.6.12/8.6.9) with ESMTP id VAA23532; Sun, 9 Jul 1995 21:31:47 -0400 Message-Id: <199507100131.VAA23532@hausdorff.math.psu.edu> X-Mailer: exmh version 1.5.3 12/28/94 To: Vincent.Yau@Ebay.Sun.COM (Vincent Yau) cc: firewalls@GreatCircle.COM Subject: Re: Programmable FTP?? In-reply-to: Your message of "Sun, 09 Jul 1995 14:13:13 PDT." <9507092113.AA02199@dreamworks.EBay.Sun.COM> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sun, 09 Jul 1995 21:31:45 -0400 From: Dan Cross Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > hope this topic is not too much deviate from > the nature of this list. I don't think so; I think that questions like these parallel to questions about implementing proxy services, thus remaining consistent with the firewalls charter. > I am wondering if there is anyway, from a program > that I am writing, to invoke FTP and do all the > necessary login, then check for the content of > the file(s) that I ftp'ed over to see if they > are really valid files? 
> For instance, if the connection
> is lost in the middle of the transfer, I will have
> half of the valid file and is there a way to detect
> such cases? (this is only one of many possibilities)

Well, if you opened a pipe to ftpd and followed the standard fork(2)/exec(2) conventions for executing a client program, then you can pass a variable to wait(2) (or preferably, a waitpid(2)-alike...) to trap the exit status of the child process. (btw, I'm assuming C and UNIX here, sorry if I'm mistaken in my assumption.) If such an error occurs, then you could trap it via wait(2) and decide whether you got a ``valid'' file based on that. (You can also detect whether or not you suffered another error, such as unknown login on the remote system or the like...)

Another approach would be to open a two-way pipe, and analyze the output of ftp as it came back to the parent process. Assuming you knew what that particular version of the ftp client reports on an error condition, you can then decide whether or not an error occurred, etc.

You might also consider grafting FTP code directly into your program, rather than spawning another process... It really depends on a lot of factors, such as amount of usage, system overhead, your version of the FTP client, etc. If you aren't careful, though, you might find that a nasty user suddenly sent something to the FTP client which spawned a shell... :-(

- Dan C.

btw- as an aside, I find the popen(3) a nice interface to pipes, but the security implications of using the shell to execute a program are stomach churning at best.... Thus, I re-wrote a version of popen which calls exec(2) directly, thus bypassing the problems with using the shell... (However, I did not bother to add the code to support i/o redirection or pipelines). If anyone is interested in the code, I'll post it and/or make it available for ftp...
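Dan's fork/exec/waitpid approach and his shell-less popen, as an added example in C (not the code Dan offered to post): spawn_noshell() runs an argv directly through execvp so nothing in an argument is ever parsed by a shell, reap_noshell() returns the child's exit status via waitpid(2), and run_capture() is the shape of wrapper a caller would build around an ftp client. The function names are mine, and the constructed echo/false commands stand in for the ftp client so the example runs offline.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Handle on a child started by spawn_noshell(): its stdout as a stream plus
   its pid, so the caller can reap it and read the exit status. */
struct child {
    FILE *out;
    pid_t pid;
};

/* popen(3) without the shell: argv[0] is located with execvp(2) and run with
   argv exactly as given, so metacharacters in an argument (a user-supplied
   filename, say) are never interpreted. Returns 0, or -1 with errno set. */
int spawn_noshell(char *const argv[], struct child *ch) {
    int fds[2];
    if (pipe(fds) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        /* Child: stdout goes to the pipe, then replace ourselves with the program. */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) == -1) _exit(126);
        close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);          /* exec failed; 127 mirrors the shell's convention */
    }
    close(fds[1]);
    ch->out = fdopen(fds[0], "r");
    if (ch->out == NULL) {
        int saved = errno;
        close(fds[0]);
        kill(pid, SIGTERM);
        waitpid(pid, NULL, 0);
        errno = saved;
        return -1;
    }
    ch->pid = pid;
    return 0;
}

/* pclose(3) counterpart: reap the child with waitpid(2) and reduce the wait
   status to one number: 0..255 exit code, 128+signal if killed, -1 on error. */
int reap_noshell(struct child *ch) {
    int status;
    fclose(ch->out);
    if (waitpid(ch->pid, &status, 0) == -1) return -1;
    if (WIFEXITED(status)) return WEXITSTATUS(status);
    if (WIFSIGNALED(status)) return 128 + WTERMSIG(status);
    return -1;
}

/* Run a command, keep its first output line (newline stripped) and return its
   exit code. Around an ftp client this is the hook: a non-zero status from the
   client is the cheapest signal that the transfer did not complete. */
int run_capture(char *const argv[], char *buf, size_t buflen) {
    struct child ch;
    int c;
    buf[0] = '\0';
    if (spawn_noshell(argv, &ch) == -1) return -1;
    if (fgets(buf, (int)buflen, ch.out) != NULL) buf[strcspn(buf, "\n")] = '\0';
    while ((c = fgetc(ch.out)) != EOF) { }   /* drain so the child never blocks on a full pipe */
    return reap_noshell(&ch);
}
```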
From firewalls-owner Sun Jul 9 18:59:40 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA07701 for firewalls-outgoing; Sun, 9 Jul 1995 18:11:44 -0700 Received: from TIS.COM (neptune.tis.com [192.94.214.96]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id SAA07696 for ; Sun, 9 Jul 1995 18:11:40 -0700 Received: from relay.tis.com by neptune.TIS.COM id aa17539; 9 Jul 95 21:04 EDT Received: from pluto.tis.com(192.94.214.99) by relay.tis.com via smap (g3.0.1) id xma021179; Sun, 9 Jul 95 21:04:23 -0400 Received: by tis.com (4.1/SMI-4.1) id AA23057; Sun, 9 Jul 95 21:08:03 EDT From: Marcus J Ranum Message-Id: <9507100108.AA23057@tis.com> Subject: Re: denial of services vs. denial of services To: fc@all.net Date: Sun, 9 Jul 1995 21:08:02 -0400 (EDT) Cc: firewalls@greatcircle.com In-Reply-To: <9507092342.AA01081@all.net> from "Dr. Frederick B. Cohen" at Jul 9, 95 07:42:41 pm Reply-To: mjr@iwi.com Organization: Information Works! Inc, Baltimore, MD Url: mjr's web page Phone: 410-889-8569 Coredump: Infocalypse Now!!! X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 3852 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dr. Frederick B. Cohen: > So the nature of the problem is that if you allow tons of >requests, you can get denial of services by domination of the service - >while stopping services because of excessive use of services gives you >denial of services by dominating of services. > > Has anyone come up with an analysis of this issue yet? I have >been thinking of different variations on themes and think that it would >be useful to deny services: I've done some off-the-cuff analysis in the past and basically concluded that denial of service is not something you can effectively prevent, if you're on the Internet. The problem is that one gets tempted to think the problem is controllable locally, when in fact it is not. 
Since the Internet is a collection of independent fiefdoms, each of which is individually managed, it's quite easy to deny someone service higher up the chain of connectivity than they can protect. For example, I can deny you service using simple means that are outside of your control to defend, such as zapping routers upstream or at your service provider. I notice that all.net routes through serial.akron.oh.psi.net, which is a Cisco. Depending how it's configured, there are a number of nasty tricks that could be played on that Cisco to cause it to conclude that all.net was off the air. Another avenue of attack is desirable endpoints. Endpoint nodes that the victim may wish to (or have to) reach can be masked off and do every bit as much damage. Most hacker toolkits have a number of ICMP bombing tools or tools for generating spurious routing updates. It'd take a few minutes to set up a cron job on a compromised system or systems someplace out there, to make you incapable of talking to the rest of the Internet at large, except for at frustrating intervals.

That's just routing and ICMP tricks. Similar tricks can be played with DNS or other services. I've seen a number of denial of service attacks implemented through sheer misinformation (what we trendily call "information warfare" these days) -- a large enough number of spoofed mail messages to alt.test or fake flames or whatnot with reply-to directed to a target mailbox is more than enough to take the system off the air. And it's almost untraceable, unlike a simpler attack in which someone tries to flood your inetd, which is going to likely generate some logging information that you could use. Meta-level attacks based on misinformation are unbeatable and you cannot protect against them short of unplugging. I suspect that most systems on the 'net would be severely degraded if an attacker posted that there were a large number of cool gifs and warez in its FTP area.
Lastly, there are meta-level attacks that can be directed against service pathways: it is still the case that you can telephone the phone company, impersonate a user, and cancel service with no authentication required. A deadly effective attack would be to simply schedule removal of the victim's T1 service at 3:00PM on a Friday, before a long weekend or the Christmas holiday. Heck, cancel their electricity and gas while you're at it, and make sure their postal service is forwarded to the lost luggage department at Denver airport.

The Internet is *NOT* a reliable bet-your-business type of network. It's great for what it's mostly used for, but it's designed to cope and adapt to change; which leaves it all too open to introducing false changes into it. Denial of service is definitely a problem, but I'd recommend that people worry about it to the extent of factoring in the fact that it CAN happen NO MATTER WHAT and then design their systems to take that into account. That means that large scale systems built over the Internet should not be mission or national defense critical, unless there are redundant, protected channels that can be brought into play.

mjr.

From firewalls-owner Sun Jul 9 19:35:38 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA09584 for firewalls-outgoing; Sun, 9 Jul 1995 19:28:20 -0700
Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id TAA09555 for ; Sun, 9 Jul 1995 19:28:14 -0700
From: fc@all.net (Dr. Frederick B.
Cohen) Received: by all.net (4.1/3.2.012693-Management Analytics); id AA05154 for firewalls@greatcircle.com; Sun, 9 Jul 95 22:22:11 EDT Message-Id: <9507100222.AA05154@all.net> Subject: updated-secure-w#-daemons To: firewalls@greatcircle.com Date: Sun, 9 Jul 1995 22:22:10 -0400 (EDT) X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 935 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In formalizing our analysis of the secure W3 and gopher daemons relative to denial of service attacks, we found some potentials for abuse and made enhancements to prevent various forms of denial of service via leaving open channels, creating too many requests resulting in excessive file pointers leading to OS failures during allocation of sparse resources, and other such things. These fixes are available in the new on-line version. -> See: Info-Sec Heaven using our New Super Secure World-Wide-Web Server -> Free: Test your system's security (scans deeper than SATAN or ISS!) ---------------------- both at URL: http://all.net ---------------------- -> Read: "Protection and Security on the Information Superhighway" John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95 ------------------------------------------------------------------------- Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From firewalls-owner Sun Jul 9 20:01:02 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA10003 for firewalls-outgoing; Sun, 9 Jul 1995 19:34:24 -0700 Received: from commsun.its.csiro.au (commsun.its.csiro.au [152.83.8.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id TAA09998 for ; Sun, 9 Jul 1995 19:34:20 -0700 Received: (from fit106@localhost) by commsun.its.csiro.au (8.6.10/8.6.10) id MAA28101; Mon, 10 Jul 1995 12:33:36 +1000 Date: Mon, 10 Jul 1995 12:33:34 +1000 (EST) From: Kent Fitch To: "Dr. Frederick B. 
Cohen" cc: bugtraq@crimelab.com, firewalls@greatcircle.com Subject: Re: Jul 9 08:06:03 all inetd[122]: httpd/tcp server failing (looping), service terminated In-Reply-To: <9507091216.AA00623@all.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sun, 9 Jul 1995, Dr. Frederick B. Cohen wrote: > I was trying a loop test to stress performance on our secure W3 > server and found that inetd under SunOS detects what it thinks to be > loops and shuts down all httpd services untill a kill -HUP is sent to > the inetd process. How is this bug/feature controlled, and doesn't this > lead very directly to denial of services attacks? Dunno about SUNOS, but in Linux at least inetd by default produces this message and shuts down the service if it exceeds 40 transactions per minute. This number can be changed on each service in the inetd.conf file by appending the "nowait" or "wait" parameter with a dot and a max number - eg, "nowait.100" will allow up to 100 connections per minute before inetd thinks something is looping Kent Fitch Ph: +61 6 276 6711 ITSB CSIRO Canberra Australia kent.fitch@its.csiro.au "Only a person of great faith can afford to be a skeptic" FW Nietzsche From firewalls-owner Sun Jul 9 20:04:35 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA10019 for firewalls-outgoing; Sun, 9 Jul 1995 19:34:36 -0700 Received: from www.netpart.com (lykos.netpart.com [206.0.20.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id TAA10006 for ; Sun, 9 Jul 1995 19:34:31 -0700 Received: (phil@localhost) by www.netpart.com (8.6.9/8.6.5) id TAA29162; Sun, 9 Jul 1995 19:34:02 -0700 Date: Sun, 9 Jul 1995 19:34:02 -0700 From: Phil Trubey Message-Id: <199507100234.TAA29162@www.netpart.com> To: carl@lapse.lvsun.COM Subject: Re: BorderWare user feedback In-Reply-To: <9507052302.AA11619@lapse.lvsun.com> Organization: NetPartners, Newport Beach, CA Cc: 
firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In article <9507052302.AA11619@lapse.lvsun.com> you write: >> I, too, have been puzzled at times at the lack of user response on this list >> about the BorderWare (was "Janus") product. > >There is, or was, a mailing list devoted to BorderWare issues. >Subscription requests to: firewall-request@netpart.com, with >subject "subscribe". > >I received my subscription confirmation message in April, but >haven't seen any mail since, so it may have died. Anybody >know for sure? The list still exists and you are subscribed to it, Carl. There has been *some* activity, just not a lot. If you are also subscribed to the firewalls@greatcircle.com list, you probably wouldn't notice that some messages came from the BorderWare list. Although there are about 150 people on the BorderWare list, there really isn't much chatter among them. I don't know if this is a good thing or bad thing :-) -- Phil Trubey | NetPartners | Providing Internet products and services. 
E-mail: phil@netpart.com | Home Page: http://www.netpart.com/ Phone: 619-622-8966 | From firewalls-owner Sun Jul 9 21:34:55 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA13474 for firewalls-outgoing; Sun, 9 Jul 1995 21:07:27 -0700 Received: from hardwired.momentum.com.au ([203.2.238.132]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id VAA13462 for ; Sun, 9 Jul 1995 21:06:15 -0700 Received: (from uucp@localhost) by hardwired.momentum.com.au (8.6.12/8.6.12) id LAA00693 for ; Mon, 10 Jul 1995 11:29:15 +0800 Received: from aristoi.momentum.com.au(203.2.238.146) by hardwired via smap (V1.3mjr) id sma000691; Mon Jul 10 11:28:56 1995 X-Sender: todd@hardwired.momentum.com.au Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 10 Jul 1995 11:32:24 +0800 To: Firewalls@GreatCircle.COM From: todd@momentum.com.au (Todd Hooper) Subject: POP security Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have a couple of questions on POP security. The case in question is a PPP dialin server on its own ethernet segment connected to a FireWall-1 host. The FW1 ruleset can restrict the dialin users access to hosts & ports in a variety of ways, so this provides the first line of defence. I think this part of the system is relatively secure. Behind the FW-1 host lies a proxy host which separates the internal network and the DMZ. Buried inside the internal network is a Unix POP server which the dialin users need access to. This server cannot be relocated to the DMZ. One feasible solution is to run TIS plug-gw on the proxy host. The plug-gw will allow access for the dialin users only, to the POP server for that service only. My questions: - Has anyone here run POP successfully over the plug-gw supplied with the TIS firewall toolkit? It should work in theory, but I was interested in people's experiences. - When you take the plug-gw and POP into account, how secure is this setup? 
Have any of the various POP servers ever been subjected to a rigorous analysis? Thanks, Todd -- Todd Hooper Internet : todd@momentum.com.au Momentum Pty Ltd Phone : 09 483 2649 Western Australia Fax : 09 380 4371 From firewalls-owner Sun Jul 9 22:04:46 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA15112 for firewalls-outgoing; Sun, 9 Jul 1995 21:49:21 -0700 Received: from awadi.com.AU (myall.awadi.com.AU [150.207.2.65]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id VAA15107 for ; Sun, 9 Jul 1995 21:49:06 -0700 Received: from bunya.awadi ([150.207.1.63]) by awadi.com.AU (4.1/SMI-4.1) id AA14518; Mon, 10 Jul 95 14:17:30 CST Received: from mallee.awadi by bunya.awadi (5.x/SMI-SVR4) id AA28421; Mon, 10 Jul 1995 14:14:30 +0930 From: blymn@awadi.com.AU (Brett Lymn) Message-Id: <9507100444.AA28421@bunya.awadi> Subject: Re: Sending replies to blocked packets. To: avalon@coombs.anu.edu.au (Darren Reed) Date: Mon, 10 Jul 1995 14:14:33 +0930 (CST) Cc: firewalls@greatcircle.com In-Reply-To: <199507071437.HAA18176@miles.greatcircle.com> from "Darren Reed" at Jul 8, 95 00:35:08 am X-Mailer: ELM [version 2.4 PL2] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk According to Darren Reed: > >Hmmm, have you read about Berferd or the Cuckoo's Egg ? Both actually. > I get the >impression that crackers aren't really concerned about how long it takes, >for if they succeed, any time has been worth it... > Ah but you notice in the Cuckoo's Egg that the hacker being tracked would spend the _minimum_ time on the target system until they put something really juicy under his nose. Making a potential cracker wait does make it more likely that the system hosting him will detect his activities, assuming that he is not using his own system to do the hacking which would be a pretty stupid move IMHO. 
>As long as you're keeping them out, it doesn't matter how you respond, >right ? The important bit is to block the packets. Yup that is the important bit but why respond? People probing for random services, even if they are doing it innocently, should not expect an answer. > Why let crackers >dictate your policy for responding to attacks ? > If this was true then this mailing list (firewalls) would not exist - crackers already dictate policy :-( >If crackers can get a pair of packets exchanged (say telnet to smtp on >your bastion or mx host), they can estimate RTT, penalise that some and >get a good estimate of how long they should wait irrespective of what >the timeout would otherwise be. UDP port scanners _do_ use this technique >to operate successfully. > That's a very neat trick but subject to the vagaries of the intervening network so I would assume they put some slop in there which still makes things slower than getting an ICMP packet back. >And what of the port scanners that do numerous ports in parallel ? They still have to wait, not as long but they still are hanging around. >And who's to say that you're the only "current" target of any particular >cracker ? Only my packet filter which logs what packets have been dropped > IF you're *really* concerned about port scanners, get something >that will *detect* them...something like the SATAN detectors which would >look for three `consecutive' connection attempts to `consecutive' >ports; ports which are *unused* by yourself. > Got my own that gives me a report of dest ports on which packets were dropped sorted by ip address. A port scan shows up pretty easily. I think that we have just about beaten this subject to death by now. It seems that whether to reply or not to a blocked port is just another one of those things which comes under the control of a site policy. I feel better knowing what ports have been probed and that I am keeping the prober guessing as to whether or not a packet made it to our firewall. 
Others, obviously, feel differently. What it comes down to is that the admin at each site needs to weigh up the pros and cons of each method and set up according to their taste. -- Brett Lymn, Computer Systems Administrator, AWA Defence Industries =============================================================================== "It's fifteen hundred miles to Ankh-Morpork" he said. "We've got three hundred and sixty three elephants, fifty carts of forage, the monsoon's about to break and we're wearing ... we're wearing ... sort of things, like glass, only dark... dark glass things on our eyes..." - Terry Pratchett "Moving Pictures". From firewalls-owner Sun Jul 9 23:05:19 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA16998 for firewalls-outgoing; Sun, 9 Jul 1995 22:57:58 -0700 Received: from world1.worldbit.com (gw.worldbit.com [199.4.64.236]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id WAA16993 for ; Sun, 9 Jul 1995 22:57:53 -0700 Received: (blast@localhost) by world1.worldbit.com (8.6.10/A/UX 3.1) id XAA07698; Sun, 9 Jul 1995 23:08:06 -0700 Date: Sun, 9 Jul 1995 23:08:05 -0700 (PDT) From: Tim Keanini To: Marcus J Ranum cc: fc@all.net, firewalls@greatcircle.com Subject: Re: denial of services vs. denial of services In-Reply-To: <9507100108.AA23057@tis.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sun, 9 Jul 1995, Marcus J Ranum wrote: [many great words deleted] > Denial of service is definitely a problem, but I'd > recommend that people worry about it to the extent of factoring > in the fact that it CAN happen NO MATTER WHAT and the design > their systems to take that into account. That means that large > scale systems built over the Internet should not be mission > or national defense critical, unless there are redundant, > protected channels that can be brought into play. 
I started on a paper about 2 months ago on denial of service attacks and boy what an eye opener it has been personally. I don't claim to be an expert of any type but here are some of my observations:

Types of attack
- exhaust resource(s) on victim's site
- poison resource(s) on victim's site
- re-route or blackhole objects in transit

I am trying to describe these attacks in the most generic way I can because when I first started looking at all the Internet Services on an individual basis, my head just started to hurt with all the permutations. If any object is made public, then you have a problem period! DNS, SMTP, HTTP, all the stuff that makes the internet internetworkable fall prey to a denial of service attack at some level. The only defence that I can see is proper auditing (not just log auditing but cause and effect auditing) of these public objects. Even these auditing devices can turn on you and become a denial of service attack themselves if you have the knob turned up to 11. :-) I am sure I am not the first to ever become amused at all of this and if anyone has reference to papers published on this I would love to know about it. What is so amusing to me is that if you are a parent, you know that when dealing with a two year old, they push and push to find out the end of all the parameters based on what the object gives back as a consequence. There is very little consequence on the internet. Every time I get more into the technical I find myself face to face with the social. I better get back to work... --blast ps When I was a kid (less responsibility), I used to go down to the park with a box of detergent and put it in the fountain. I would come back and the entire park would have 6 feet of foam and no one could use it. Little did I know that it was a denial of service attack. ;-) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \ Tim Keanini | "The limits of my language, / / aka blast | are the limits of my world." 
\ \ | --Ludwig Wittgenstein / / | \ \ +================================================/ / PUB KEY: http://www-swiss.ai.mit.edu/~bal/pks-commands.html \ \ / %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% From firewalls-owner Sun Jul 9 23:35:35 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA17452 for firewalls-outgoing; Sun, 9 Jul 1995 23:32:25 -0700 Received: from sunthing.sjsinc.com (sunthing.sjsinc.com [140.174.165.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id XAA17447 for ; Sun, 9 Jul 1995 23:32:22 -0700 Received: by sunthing.sjsinc.com Mailer: sendmail (8.6.9/sjsinc.com-hacking_in_progress) Protocol: Id: XAA14927; Sun, 9 Jul 1995 23:31:34 -0700 Date: Sun, 9 Jul 1995 23:31:34 -0700 From: sjs@sunthing.sjsinc.com (Stefan Jon Silverman) Message-Id: <199507100631.XAA14927@sjsinc.com> To: firewalls@greatcircle.com Subject: DNS zone transfer detection Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Folks: Do any of you out there have any source code that could be used to detect DNS zone transfer tests??? I don't mind other facilities using my host as a test-base, but I do like to know that it's going on..... thanx, b c++'ing u, %-) sjs -------------------------------------------------------------------------------- Stefan Jon Silverman - President SJS Associates, N.A., Inc. 572 Chestnut Street Distributed Systems Architecture & Implementation San Francisco, Ca. 94133 Phone: 415 989 2741 E-mail: sjs@sjsinc.com Cell: 415 519 3494 -------------------------------------------------------------------------------- Weebles wobble, but they don't fall down!!! 
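The per-address report of dropped destination ports that Brett Lymn describes, and the "three consecutive connection attempts to consecutive unused ports" rule Darren Reed attributes to the SATAN detectors, in the "Sending replies to blocked packets" thread above, come to a short script. What follows is an added example and not code from any post in this thread: the drop-log format and the addresses in it are constructed for illustration, and the served-port set, the thresholds and the function names are assumptions.

```python
"""Per-source report of dropped destination ports, plus a port-scan
heuristic.  Added example; not code from any post in this thread.
Log format, addresses, served ports and thresholds are all assumed."""
import re
from collections import defaultdict

# Constructed sample: a fictional packet filter's drop log (not real data).
SAMPLE_LOG = """\
Jul 10 02:14:01 fw filter: drop tcp 192.0.2.7:1030 -> 198.51.100.5:21
Jul 10 02:14:01 fw filter: drop tcp 192.0.2.7:1031 -> 198.51.100.5:22
Jul 10 02:14:02 fw filter: drop tcp 192.0.2.7:1032 -> 198.51.100.5:23
Jul 10 02:14:02 fw filter: drop tcp 192.0.2.7:1033 -> 198.51.100.5:25
Jul 10 02:14:03 fw filter: drop tcp 192.0.2.7:1034 -> 198.51.100.5:79
Jul 10 02:14:03 fw filter: drop tcp 192.0.2.7:1035 -> 198.51.100.5:110
Jul 10 02:20:44 fw filter: drop udp 203.0.113.9:53 -> 198.51.100.5:111
Jul 10 02:31:10 fw filter: drop tcp 203.0.113.44:2001 -> 198.51.100.5:25
Jul 10 02:31:12 fw filter: drop tcp 203.0.113.44:2002 -> 198.51.100.5:25
"""

# Ports this site actually serves (assumed).  A dropped packet to one of
# these is a policy block, not evidence of probing for unused services.
SERVED_PORTS = {25, 53}

LINE_RE = re.compile(
    r"drop (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_line(line):
    """Return (proto, src_ip, dst_port) for one drop record, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return m.group("proto"), m.group("src"), int(m.group("dport"))


def dropped_ports_by_source(log_text):
    """Brett's report: {src_ip: sorted distinct destination ports dropped}."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            _proto, src, dport = rec
            ports[src].add(dport)
    return {src: sorted(p) for src, p in sorted(ports.items())}


def longest_consecutive_run(ports):
    """Length of the longest run of numerically consecutive ports in a
    sorted list (0 for an empty list)."""
    best = run = 0
    prev = None
    for p in ports:
        run = run + 1 if prev is not None and p == prev + 1 else 1
        best = max(best, run)
        prev = p
    return best


def scanners(log_text, run_length=3, unused_threshold=4):
    """Flag sources that look like port scanners; returns {src_ip: reason}.

    Darren's rule first: run_length or more consecutive ports, none of
    which this site serves.  Then a looser one for scans of well-known
    ports only: unused_threshold or more distinct unserved ports."""
    flagged = {}
    for src, ports in dropped_ports_by_source(log_text).items():
        unserved = [p for p in ports if p not in SERVED_PORTS]
        if longest_consecutive_run(unserved) >= run_length:
            flagged[src] = "consecutive unserved ports"
        elif len(unserved) >= unused_threshold:
            flagged[src] = "%d distinct unserved ports" % len(unserved)
    return flagged


def report(log_text):
    """Text report in the form Brett describes: ports per source, with
    scanner verdicts appended."""
    verdicts = scanners(log_text)
    lines = []
    for src, ports in dropped_ports_by_source(log_text).items():
        mark = "  <-- scan? (%s)" % verdicts[src] if src in verdicts else ""
        lines.append("%-16s %s%s" % (src, " ".join(map(str, ports)), mark))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the sample, 192.0.2.7 is flagged (21, 22, 23 are consecutive and none of them is served here), the stray UDP packet from a remote DNS server's port 53 is not, and the host that twice hit the served SMTP port is not either. Two caveats: the rule counts distinct ports rather than attempts in time order, so it is a report to read, not an alarm to act on automatically; and, as Tony Li notes elsewhere in this digest, the source address in a dropped packet is whatever the sender put there, though a TCP scanner that wants the answers back has to use one it can receive at.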
-------------------------------------------------------------------------------- From firewalls-owner Sun Jul 9 23:56:02 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA17406 for firewalls-outgoing; Sun, 9 Jul 1995 23:27:47 -0700 Received: from panix3.panix.com (panix3.panix.com [198.7.0.4]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id XAA17401 for ; Sun, 9 Jul 1995 23:27:44 -0700 Received: from wallyman (wallynet.dialup.access.net [166.84.216.58]) by panix3.panix.com (8.6.12/8.6.12+PanixU1.1) with SMTP id CAA23493; Mon, 10 Jul 1995 02:26:46 -0400 Message-Id: <199507100626.CAA23493@panix3.panix.com> X-Sender: wallynet@panix.com X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 10 Jul 1995 02:28:05 -0400 To: mjr@iwi.com From: wallynet@panix.com (Walter F. Inetman ) Subject: Re: denial of services vs. denial of services Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Specifically which tool kits should we look out for? >Most hacker toolkits have a number of ICMP >bombing tools or tools for generating spurious routing updates. It'd >take a few minutes to set up a cron job on a compromised system or >systems someplace out there, to make you incapable of talking to the >rest of the Internet at large, except for at frustrating intervals. > That's just routing and ICMP tricks. Similar tricks can be >played with DNS or other services. > A deadly effective >attack would be to simply schedule removal of the victim's T1 >service at 3:00PM on a friday, before a long weekend or the Christmas >holiday. Heck, cancel their electricity and gas while you're at it, >and make sure their postal service is forwarded to the lost luggage >department at Denver airport. 
>That means that large >scale systems built over the Internet should not be mission >or national defense critical, unless there are redundant, >protected channels that can be brought into play. > >mjr. > > From firewalls-owner Mon Jul 10 00:05:36 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA17439 for firewalls-outgoing; Sun, 9 Jul 1995 23:31:12 -0700 Received: from greatdane.cisco.com (greatdane.cisco.com [171.69.1.141]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id XAA17434 for ; Sun, 9 Jul 1995 23:31:10 -0700 Received: (tli@localhost) by greatdane.cisco.com (8.6.8+c/8.6.5) id XAA08743; Sun, 9 Jul 1995 23:30:32 -0700 Date: Sun, 9 Jul 1995 23:30:32 -0700 From: Tony Li Message-Id: <199507100630.XAA08743@greatdane.cisco.com> To: blast@worldbit.com (Tim Keanini) Cc: firewalls@GreatCircle.COM Subject: Re: denial of services vs. denial of services Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I don't claim to be an expert of any type but here are some of my observations:

Types of attack
- exhaust resource(s) on victim's site
- poison resource(s) on victim's site
- re-route or blackhole objects in transit
- exhaust resource(s) in the transit net
- poison resource(s) in the transit net

I am trying to describe these attacks in the most generic way I can because when I first started looking at all the Internet Services on an individual basis, my head just started to hurt with all the permutations. Yup. Consider that any knowledgeable human with sufficient bandwidth and a W&G can simply take out any point in the net. It has happened in the past as an accident. The only downside is that it's somewhat traceable. The only defence that I can see is proper auditing (not just log auditing but cause and effect auditing) of these public objects. Even these auditing devices can turn on you and become a denial of service attack themselves if you have the knob turned up to 11. 
:-) I question this since even with logging, you have no real idea of the source. If it's a low bandwidth attack and the source address is spoofed, it may be sufficiently subtle to never be traced. Tony From firewalls-owner Mon Jul 10 03:35:52 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA21489 for firewalls-outgoing; Mon, 10 Jul 1995 03:32:00 -0700 Received: from gw1.fbc.com (gw1.fbc.com [198.240.130.66]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id DAA21484 for ; Mon, 10 Jul 1995 03:31:56 -0700 Received: by gw1.fbc.com (4.1/GW1-v1.1) id AA02459; Mon, 10 Jul 95 06:32:14 EDT Received: from unknown(137.34.1.36) by gw1.fbc.com via smap (V1.3) id tma002455; Mon Jul 10 06:32:09 1995 Received: from csfb.co.jp ([158.216.201.105]) by csfb1.fir.fbc.com (8.6.12/8.6.12) with SMTP id GAA21667; Mon, 10 Jul 1995 06:30:52 -0400 Received: from ronnie by csfb.co.jp (4.1/SMI-4.1.v1) id AA19387; Mon, 10 Jul 95 19:30:44 JST From: raltit@csfb.co.jp (Ronnie Altit) Received: by ronnie (4.1/Jimbo-2.1) id AA03205; Mon, 10 Jul 95 20:31:11 EST Date: Mon, 10 Jul 95 20:31:11 EST Message-Id: <9507102031.ZM3203@ronnie> In-Reply-To: Vincent.Yau@ebay.sun.com (Vincent Yau) "Programmable FTP??" (Jul 9, 14:13) References: <9507092113.AA02199@dreamworks.EBay.Sun.COM> X-Mailer: Z-Mail (3.2.0 06sep94) To: firewalls@greatcircle.com, Vincent.Yau@ebay.sun.com (Vincent Yau) Subject: Re: Programmable FTP?? Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Here is an example of what you may wanna do - a simple script

cd /tmp
filename=P$$.Q
log=L$$.Q
elog=L$$.E
pchost=pcp
# The data to be sent arrives on standard input and is spooled to a
# temporary file.  (Predictable names under /tmp are a classic symlink
# race; a private spool directory would be safer.)
cat >$filename
# Drive ftp from a here-document.  The "<<EOD" and the host name did not
# survive in the archived copy and are restored here on the assumption
# that $pchost, defined above and otherwise unused, was the target.
# "printer" is the login name ftp reads from its input.  $Q (the remote
# directory) is not set anywhere in the posted script; define it first.
ftp -v $pchost <<EOD >$log 2>$elog
printer
cd $Q
put $filename
quit
EOD
rm -f $filename
# Check to see if the transfer went OK
grep "Transfer complete" $log
ec=$?
# If it failed, give it a while to recover
if [ $ec -ne 0 ]; then
	sleep 30
fi
rm -f $log $elog
exit $ec

Hope this helps .. 
if it fails you can let it try again .. whatever.... Ronnie From firewalls-owner Mon Jul 10 04:10:03 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA21778 for firewalls-outgoing; Mon, 10 Jul 1995 03:53:49 -0700 Received: from gmap15.leeds.ac.uk (gmap15.leeds.ac.uk [129.11.84.200]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id DAA21768 for ; Mon, 10 Jul 1995 03:53:34 -0700 Received: (from danny@localhost) by gmap15.leeds.ac.uk (8.6.12/8.6.9) id LAA02751 for firewalls@greatcircle.com; Mon, 10 Jul 1995 11:51:11 +0100 Date: Mon, 10 Jul 1995 11:51:11 +0100 From: Danny Message-Id: <199507101051.LAA02751@gmap15.leeds.ac.uk> To: firewalls@greatcircle.com Subject: What do we pay for ? X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dear all, many thanks for many useful answers so far. I'm planning to use either SOCKS or fwtk to build my firewall. It will run Solaris 2.4,

o I'm going to strip compilers etc from it,
o remove all user accounts other than root,
o run tcp-wrapper,
o disable ip-forwarding etc,
o configure the access control lists as best I can.

This seems relatively straightforward to me. Given that, and that it costs no more than my time to do so, why should I pay umpteen thousand pounds/dollars to acquire commercial software? ie what do we get for our money? There is probably scope for paying out if it seems worthwhile, but in my ignorance, I don't know the advantages. Also are there any obvious things I'm missing from my little list above? Should I remove X libraries etc? 
Thanks again Danny From firewalls-owner Mon Jul 10 04:34:47 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA22642 for firewalls-outgoing; Mon, 10 Jul 1995 04:25:20 -0700 Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id EAA22623 for ; Mon, 10 Jul 1995 04:25:03 -0700 Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA09865; Mon, 10 Jul 95 07:23:56 -0500 From: paul@hawksbill.sprintmrn.com (Paul Ferguson) Message-Id: <9507101223.AA09865@hawksbill.sprintmrn.com> Subject: Re: DNS zone transfer detection To: sjs@sunthing.sjsinc.com (Stefan Jon Silverman) Date: Mon, 10 Jul 1995 07:23:56 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: <199507100631.XAA14927@sjsinc.com> from "Stefan Jon Silverman" at Jul 9, 95 11:31:34 pm X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 772 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Folks: > > Do any of you out there have any source code that could be used to > detect DNS zone transfer tests??? I don't mind other facilities using my host > as a test-base, but I do like to know that it's going on..... > Any TCP port watcher, such as tcplogger or tcpdump, would suffice. I would imagine that tcpdump would be ideal, since you can simply listen on tcp port 53 for zone transfer activity. 
- paul _______________________________________________________________________________ Paul Ferguson US Sprint tel: 703.689.6828 Managed Network Engineering internet: paul@hawk.sprintmrn.com Reston, Virginia USA http://www.sprintmrn.com From firewalls-owner Mon Jul 10 05:40:47 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA27134 for firewalls-outgoing; Mon, 10 Jul 1995 05:22:16 -0700 Received: from delphi.ndhm.gtegsc.com (delphi.ndhm.gtegsc.com [155.95.155.160]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA27122 for ; Mon, 10 Jul 1995 05:22:12 -0700 Received: from mail.ndhm.gtegsc.com by eagle.ndhm.gtegsc.com with SMTP; Mon, 10 Jul 1995 8:13:52 -0400 (EDT) Message-ID: Date: 10 Jul 1995 08:11:28 U From: "Watta Louis" Subject: RE: Programmable FTP?? To: "firewalls" , "Vincent" X-Mailer: Mail*Link SMTP-MS 3.0.2 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk You can do all this much easier with a program called "expect" written by Don Libes. It's an extension of TCL/TK and allows scripting of interactive programs. So, you can make it connect an ftp session, put a file, check the file, check for errors, etc all from the same script without any interaction. Quick example

# The posted script used the old "index" command; Tcl spells it lindex.
# In current Expect $argv holds only the script's own arguments (the
# script name is in $argv0), so the host and file would be elements 0
# and 1 there; the poster's indexing is kept.
spawn ftp [lindex $argv 1]
expect "*Name"
send "anonymous\r"
expect "*Password:*"
# The posted line sent the name without "\r", so ftp would sit waiting
# for the password line to end.
send "[exec whoami]\r"
expect "*ok*ftp>*"
send "get [lindex $argv 2] \r"
expect "*ftp>*"

A neat little language that is extremely powerful. If you wanted to, you could probably use it to implement proxies. Although I'm not sure how secure TCL/TK really is. Anyway you get it at ftp.cme.nist.gov in /pub/expect. There's also quite a few papers that discuss the language and how to use it. Louis Watta watta.louis@mail.ndhm.gtegsc.com System Admin/Software Eng. 
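Back to Stefan Jon Silverman's zone-transfer question and Paul Ferguson's answer above: a watcher on tcp port 53 also sees ordinary lookups, because resolvers retry truncated answers over TCP, so to report zone transfers specifically it has to decode the question section and check for QTYPE AXFR (252) or IXFR (251). The following is an added example of that decoding over constructed messages, not code from any post in this thread; capture itself is left to tcpdump or similar, and the function and constant names are assumptions.

```python
"""Pick AXFR/IXFR requests out of a tcp/53 client-to-server byte stream.
Added example; not code from any post in this thread.  Messages are
constructed here; capture is left to tcpdump or similar."""
import struct

QTYPE_AXFR = 252
QTYPE_IXFR = 251
QTYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 15: "MX", 251: "IXFR", 252: "AXFR"}


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_tcp_query(txid, name, qtype):
    """Constructed input: a one-question query as carried over TCP, i.e.
    a two-byte length prefix followed by the message (RFC 1035 4.2.2)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    msg = header + question
    return struct.pack("!H", len(msg)) + msg


def decode_name(buf, off):
    """Decode a name at buf[off], following compression pointers; return
    (dotted name, offset just past the name where it was first found)."""
    labels = []
    end = None
    hops = 0
    while True:
        length = buf[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def tcp_queries(stream):
    """Split a client->server tcp/53 stream into DNS messages and yield
    (txid, qname, qtype) for each one-question query in it."""
    off = 0
    while off + 2 <= len(stream):
        (mlen,) = struct.unpack("!H", stream[off:off + 2])
        msg = stream[off + 2:off + 2 + mlen]
        off += 2 + mlen
        if len(msg) < mlen or mlen < 12:
            break                       # truncated: the rest is unusable
        txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
        if flags & 0x8000 or qdcount != 1:
            continue                    # a response, or not a plain query
        try:
            qname, pos = decode_name(msg, 12)
            qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
        except (ValueError, IndexError, UnicodeDecodeError, struct.error):
            continue                    # malformed question section
        yield txid, qname, qtype


def zone_transfer_requests(stream, src="client"):
    """Return one alert line per AXFR/IXFR query found in the stream."""
    alerts = []
    for txid, qname, qtype in tcp_queries(stream):
        if qtype in (QTYPE_AXFR, QTYPE_IXFR):
            alerts.append("%s requested %s of %s (id %d)"
                          % (src, QTYPE_NAMES[qtype], qname, txid))
    return alerts


# Constructed stream: an ordinary A lookup retried over TCP, then AXFR
# and IXFR requests for the same zone.
SAMPLE_STREAM = (build_tcp_query(0x1234, "example.com.", 1)
                 + build_tcp_query(0x1235, "example.com.", QTYPE_AXFR)
                 + build_tcp_query(0x1236, "example.com.", QTYPE_IXFR))

if __name__ == "__main__":
    for line in zone_transfer_requests(SAMPLE_STREAM, "192.0.2.7"):
        print(line)
```

Only the client's half of the connection is needed, and only up to the question section, which is why a tcpdump-style watcher on the port is enough raw input. Whether the server then answered the transfer is a separate check against the reply; a name server configured to refuse transfers to strangers still logs the attempt this way.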
GTE, RTP NC From firewalls-owner Mon Jul 10 06:05:50 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA28334 for firewalls-outgoing; Mon, 10 Jul 1995 05:40:26 -0700 Received: from sun.aitc.rest.tasc.com (sun.aitc.rest.tasc.com [147.81.50.129]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA28329 for ; Mon, 10 Jul 1995 05:40:22 -0700 Received: from iwdc1.office.rest.tasc.com by sun.aitc.rest.tasc.com (NX5.67d/NX3.0M-TASCnet-003) id AA01418; Mon, 10 Jul 95 08:34:51 -0500 Received: by AA16990wdc1.office.rest.tasc.com (4.1/SMI-4.1) id AA16990; Mon, 10 Jul 95 08:39:50 EDT Date: Mon, 10 Jul 95 08:39:50 EDT From: rebowes@iwdc1.office.rest.tasc.com (Bob Bowes) Message-Id: <9507101239.AA16990@AA16990wdc1.office.rest.tasc.com> To: firewalls@greatcircle.com, Vincent.Yau@Ebay.Sun.COM Subject: Re: Programmable FTP?? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > I am wondering if there is anyway, from a program > that I am writing, to invoke FTP and do all the > necessary login, then check for the content of > the file(s) that I ftp'ed over to see if they > are really valid files? For instance, if the connection > is lost in the middle of the transfer, I will have > half of the valid file and is there a way to detect > such cases? (this is only one of many possibilities) > Check out 'man netrc'. 
You can create a $HOME/.netrc file that will automatically do any ftp commands you want, including the login and any file transfers or normal ftp commands. I have one set up to automatically login to a particular server, create a directory, and transfer some specific files. This is called from within a script which will compile those programs and then execute them on the remote server. Another script deletes the files. Hope this helps. Bob Bowes | Show me a man with both feet planted firmly on the ground, rebowes@tasc.com | and I'll show you a man who can't even put his pants on. | -Anonymous From firewalls-owner Mon Jul 10 06:06:16 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA26985 for firewalls-outgoing; Mon, 10 Jul 1995 05:21:06 -0700 Received: from magneto.bosch.com (magneto.bosch.com [198.111.120.52]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA26978 for ; Mon, 10 Jul 1995 05:20:55 -0700 Received: by magneto.bosch.com; id IAA08965; Mon, 10 Jul 1995 08:17:38 -0400 Received: from cyber.rbus(198.168.2.2) by magneto via smap (V1.3) id sma008963; Mon Jul 10 08:17:27 1995 Received: by inet.rbus; id IAA24988; Mon, 10 Jul 1995 08:18:49 -0400 Received: from mail(172.16.1.21) by inet.rbus via smap (V1.3) id sma024986; Mon Jul 10 08:18:49 1995 Received: by mail.fh.rbus; id IAA00576; Mon, 10 Jul 1995 08:17:49 -0400 Date: Mon, 10 Jul 1995 08:17:49 -0400 Message-Id: <199507101217.IAA00576@mail.fh.rbus> X-Sender: cwerner@fh.rbus X-Mailer: Windows Eudora Version 2.0.3 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.com From: cwerner@fh.us.bosch.com (Christopher L. Werner) Subject: Re: POP security Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Todd Hooper (todd@momentum.com.au) asked: >I have a couple of questions on POP security. > >The case in question is a PPP dialin server on its own ethernet segment >connected to a FireWall-1 host. 
The FW1 ruleset can restrict the dialin >users access to hosts & ports in a variety of ways, so this provides the >first line of defence. I think this part of the system is relatively secure. AFAIK, FW-1 does not support APOP, the POP authentication protocol which is needed to implement one-time passwords when checking your POP mail. More in a moment... > > ... [further explanation of config and plug-gw proposal deleted..] > >- Has anyone here run POP successfully over the plug-gw supplied with >the TIS firewall toolkit? It should work in theory, but I was >interested in people's experiences. > >- When you take the plug-gw and POP into account, how secure is this >setup? Have any of the various POP servers ever been subjected to a >rigorous analysis? > The main issue with POP mail as I see it is authentication and security of the connection. The only server software I'm aware of which supports APOP is MH which is UNIX only and a bit difficult to set up. I've written the folks at Qualcomm re: secure POP3 clients/servers and they are busy with the Client updates (spell checkers etc.). The other question I would consider is how sensitive is the information in the e-mail? Is it sensitive enough to be using PGP to encrypt it? Another option is Pine... IMAP4 allows for remote downloading of the e-mail if required. Although the Win3.1 interface is very DOS-like at present, you at least get a normal login prompt on the server side (Eudora at least tends to do the authentication in the background so error messages from the server are cryptic), which means you could use s/key or OPIE directly and use STEL or a number of commercial products to establish a secure telnet session while you read your mail. See the archives on 'secure telnet session' for further discussion. You may also try the pop mailing list :). 
----------------------------------------------------------------------- Opinions expressed are mine and not those of my employer (usually) ----------------------------------------------------------------------- Christopher L. Werner Robert Bosch Corporation System Engineer 38000 Hills Tech Drive (810)553-1389 Farmington Hills, MI 48331-3417 From firewalls-owner Mon Jul 10 06:37:11 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA29588 for firewalls-outgoing; Mon, 10 Jul 1995 06:12:58 -0700 Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA29583 for ; Mon, 10 Jul 1995 06:12:54 -0700 Message-Id: <199507101312.GAA29583@miles.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA217341907; Mon, 10 Jul 1995 23:11:47 +1000 From: Darren Reed Subject: release of ip filter 2.7.1 To: Firewalls@GreatCircle.COM (Firewalls Mailing List) Date: Mon, 10 Jul 1995 23:11:46 +1000 (EST) X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 392 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk After the ensuing discussion proved the behaviour wasn't going to matter or make much difference, there can't be any harm (touch wood) in making it publicly available. I've also added support for insertion of filter rules into arbitrary locations to support dynamic filtering better. Check out http://cheops.anu.edu.au/~avalon/ip-filter.html for more info. (It has URLs to the code). 
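Following Christopher Werner's point above about APOP in the POP security thread: the APOP login of RFC 1939 carried through on both sides, as an added example that is not from any post in this thread. The class and function names and the user table are invented for illustration; the host, timestamp, user and secret in the usage at the bottom are the RFC's own worked example.

```python
"""APOP (RFC 1939 section 7) challenge-response login, client and server
sides.  Added example, not code from any post in this thread; class and
function names and the user table are invented for illustration."""
import hashlib
import hmac
import os
import time


def apop_digest(timestamp, secret):
    """Both sides compute MD5(timestamp || secret) as 32 lowercase hex
    digits; the timestamp is the bracketed string from the greeting."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


class PopServer:
    """Greeting and APOP handling for one connection.

    Design cost of APOP: the server must keep the shared secret in
    cleartext (or reversibly), unlike a one-way hashed password file."""

    def __init__(self, hostname, secrets):
        self.hostname = hostname
        self.secrets = secrets          # {user: cleartext secret}
        self.timestamp = None

    def greeting(self, pid=None, now=None):
        """RFC 1939 requires the timestamp to differ on every connection;
        the conventional <pid.clock@host> form is used here."""
        pid = os.getpid() if pid is None else pid
        now = int(time.time()) if now is None else now
        self.timestamp = "<%d.%d@%s>" % (pid, now, self.hostname)
        return "+OK POP3 server ready %s" % self.timestamp

    def handle(self, line):
        """Process one client command line and return the reply."""
        parts = line.split()
        if len(parts) == 3 and parts[0].upper() == "APOP":
            user, digest = parts[1], parts[2].lower()
            secret = self.secrets.get(user)
            well_formed = (len(digest) == 32
                           and all(c in "0123456789abcdef" for c in digest))
            ok = False
            if secret is not None and self.timestamp is not None and well_formed:
                expected = apop_digest(self.timestamp, secret)
                ok = hmac.compare_digest(expected, digest)
            # One reply for "no such user" and "wrong digest", so the
            # command cannot be used to enumerate accounts.
            return "+OK maildrop locked and ready" if ok else "-ERR permission denied"
        if parts and parts[0].upper() in ("USER", "PASS"):
            return "-ERR cleartext login not permitted, use APOP"
        return "-ERR unknown command"


def client_login(greeting, user, secret):
    """Pull the timestamp out of the greeting and form the APOP command.
    A server that omits the timestamp does not offer APOP."""
    start, end = greeting.find("<"), greeting.find(">")
    if start < 0 or end < start:
        raise ValueError("server greeting carries no timestamp; no APOP")
    return "APOP %s %s" % (user, apop_digest(greeting[start:end + 1], secret))


if __name__ == "__main__":
    # The RFC's worked example: user mrose, secret "tanstaaf".
    server = PopServer("dbc.mtview.ca.us", {"mrose": "tanstaaf"})
    banner = server.greeting(pid=1896, now=697170952)
    print("S:", banner)
    command = client_login(banner, "mrose", "tanstaaf")
    print("C:", command)
    print("S:", server.handle(command))
```

What APOP buys and what it does not: the secret never crosses the wire and a captured APOP line is useless against the next connection, because the timestamp changes; but both the challenge and the digest are visible to anyone watching the link, so a weak secret can be guessed offline, the server has to hold the secret in the clear, and the mail itself still travels in cleartext, which is the separate problem Werner's PGP suggestion addresses.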
darren From firewalls-owner Mon Jul 10 06:59:48 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA29161 for firewalls-outgoing; Mon, 10 Jul 1995 06:01:48 -0700 Received: from kgbvax.network.com (kgbvax.network.com [129.191.202.58]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA29151 for ; Mon, 10 Jul 1995 06:01:30 -0700 Received: (from ted@localhost) by kgbvax.network.com (8.6.9/8.6.9) id IAA15636; Mon, 10 Jul 1995 08:59:57 -0400 Date: Mon, 10 Jul 1995 08:59:57 -0400 From: Ted Doty Message-Id: <199507101259.IAA15636@kgbvax.network.com> To: fc@all.net, firewalls@greatcircle.com Subject: Re: denial of services vs. denial of services In-Reply-To: Mail from 'fc@all.net (Dr. Frederick B. Cohen)' dated: Sun, 9 Jul 1995 19:42:41 -0400 (EDT) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sun, 9 Jul 1995 19:42:41, fc@all.net (Dr. Frederick B. Cohen) wrote: Has anyone come up with an analysis of this [denial of service by hogging all the resources on a server] issue yet? I have been thinking of different variations on themes and think that it would be useful to deny services: - Only to the site attempting to dominate services. - Only if it exceeds a generic or site-specific number of requests in a given period of time. - Only if it is causing other services to be substantially affected. - In such a way as to indicate the issue to the dominating site. - With an audit trail that allows automated action in response. I'd argue that the Internet is inherently vulnerable to denial of service attacks, and that the added complexity of the above is likely to provide you with marginal returns at best. There are too many ways to do interesting denial of service attacks. 
-- - Ted -------------------------------------------------------------------------- Ted Doty, Network Systems Corporation | phone: +1 301 596-2270 8965 Guilford Road, Suite 250 | fax: +1 410 381-3320 Columbia, MD, 21046 USA | voice mail: (800) 233-1485 -------------------------------------------------------------------------- The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental. From firewalls-owner Mon Jul 10 07:19:50 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA00446 for firewalls-outgoing; Mon, 10 Jul 1995 06:27:56 -0700 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA00441 for ; Mon, 10 Jul 1995 06:27:53 -0700 Received: from strathost.stratcom.af.mil by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950602) id GAA15659; Mon, 10 Jul 1995 06:23:15 -0700 Received: from SMTPGATE2.STRATCOM.AF.MIL by strathost.stratcom.af.mil with SMTP ; Mon, 10 Jul 95 08:26:04 CST Received: by SMTPGATE2.STRATCOM.AF.MIL with Microsoft Mail id <30014673@SMTPGATE2.STRATCOM.AF.MIL>; Mon, 10 Jul 95 08:25:39 PDT From: "Swartz, Don (SSgt) ~U" To: Firewall Subject: US Department of Defense (DoD) Firewalls Exposition Date: Mon, 10 Jul 95 08:21:00 PDT Message-ID: <30014673@SMTPGATE2.STRATCOM.AF.MIL> Encoding: 23 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The following is posted for a colleague: On 24 July, 1995, US Strategic Command Headquarters, Offutt AFB, NE; will host a Firewalls Exposition. I'm writing to see if there are Firewall vendors who may be interested in showing off the latest and greatest in Firewall products. Who's invited? We are inviting a group of Firewall vendors to come in to give a day long demonstration. Due to limited floor size, we can only host 12 to 15 vendors. 
In addition to the vendors, we are asking security professionals and system administrators from each of the 9 military Unified Commands, other various DoD organizations on the base, as well as the personnel in the USSTRATCOM Headquarters. This is a great opportunity for the various DoD security personnel to see the best in Firewall technology. It's also a great opportunity for the attending vendors to show their wares to people who are looking for protection from the Internet. If you need more details, please contact me at (402) 294-3525 or E-Mail me at MARTINEM@J67.STRATCOM.AF.MIL. Thank you, 2d Lt Michael L. Martinez USSTRATCOM/J6751 Computer Security Analyst From firewalls-owner Mon Jul 10 07:35:09 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA01506 for firewalls-outgoing; Mon, 10 Jul 1995 06:49:41 -0700 Received: from hhs-custos.dhhs.gov (hhs-custos.dhhs.gov [158.70.252.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA01501 for ; Mon, 10 Jul 1995 06:49:38 -0700 Received: from inms-db.os.dhhs.gov. by hhs-custos.dhhs.gov (4.1/SMI-4.1) id AA13661; Mon, 10 Jul 95 10:02:13 EDT Received: by inms-db.os.dhhs.gov. (4.1/SMI-4.1) id AA08305; Mon, 10 Jul 95 09:44:08 EDT Date: Mon, 10 Jul 1995 09:44:07 -0400 (EDT) From: Alan Dowd To: Danny Cc: firewalls@greatcircle.com Subject: Re: What do we pay for ? In-Reply-To: <199507101051.LAA02751@gmap15.leeds.ac.uk> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Greetings, Danny! On Mon, 10 Jul 1995, Danny wrote: > Dear all, > many thanks for many useful answers so far. I'm planning to use either > SOCKS or fwtk to build my firewall. It will run Solaris 2.4, > > o I'm going to strip compilers etc from it, > o remove all user accounts other than root, > o run tcp-wrapper, > o disable ip-forwarding etc, > o configure the access control lists as best I can. 
>

The thread you started has served me well, too, since I am in the process of setting up a similar environment.

> This seems relatively
> straight forward to me. Given that, and that it costs no more than my
                                                ^^^^^^^^^^^^^^^^^^^^^^^^
> time to do so, why should I pay umpteen thousand pounds/dollars to
  ^^^^
> acquire commercial software? ie what do we get for our money? There
> is probably scope for paying out if it seems as worthwhile, but in
> my ignorance, I don't know the advantages.

You may have answered your own question. How much do you charge for your time? Minimum wage? $25/hr? $50/hr? At $25/hr you spend $1000 for a 40-hr staff week. Now, how many staff weeks have you spent just doing research on the "best" (read, "most appropriate to your needs") firewall setup? How much time do you estimate you will still have to spend to acquire, install, learn, and configure the tools you have decided on? An independent, VAR-type protection service consultant might have come in and done the whole thing for less. And might NOT have, too.

What you don't get with the third-party turn-key system is the intimate knowledge of how it was put together, of what makes it tick. This can be important if you have to provide not only the on-going monitoring of the protection system, but its maintenance and configuration changes. The choice is ultimately a trade-off between the cost of growing in-house expertise vs. paying for the expertise of an outside consultant.

> Also are there any obvious
> things I'm missing from my little list above ? Should I remove X
> libraries etc ?

Don't know 'til we know more about your system setup.

Regards,

Al Dowd
Unix Network Security Analyst
Management Systems Applications, Inc.

Disclaimer: These opinions are my own and do not reflect, except by coincidence, those of my present or former employers, of my present or former co-workers, or of any governmental, quasi-governmental, or non-governmental entity with which they may have dealings.
And I don't have an herbal cure for ...

From firewalls-owner Mon Jul 10 08:23:08 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA03594 for firewalls-outgoing; Mon, 10 Jul 1995 07:39:29 -0700
Received: from DOCKMASTER.NCSC.MIL (DOCKMASTER.NCSC.MIL [26.1.0.172]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA03589 for ; Mon, 10 Jul 1995 07:39:18 -0700
Date: Mon, 10 Jul 95 10:39 EDT
From: Wilner@DOCKMASTER.NCSC.MIL
Subject: Re: this and that
To: firewalls@GREATCIRCLE.COM
Message-ID: <950710143928.244347@DOCKMASTER.NCSC.MIL>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Doty writes:

> While I wouldn't want to say that "multiple socket-oriented
> system calls" against multiple sockets . . .

Whoa! This was referring to a sequence of calls, each operating upon a single socket, not to a call operating upon multiple sockets, which seems to be the interpretation assumed.

I said at some other point in response to Ranum that:

> I doubt that any kernel-level [function] will be charged
> with maintaining "state flags"

When someone says that a function is charged with maintaining state flags, it means to me that this function manipulates some static variables based upon the arguments that it receives. One would not expect to see this frequently; it would obviously be a nightmare when "multiple socket-oriented calls" :-) are intermixed.

I perceive that many chains on this forum could be drastically shortened if people would (a) be careful about wording and (b) use terms of art with the utmost strictness. The snappy "we know what we meant, we were obviously referring only to the foobar() module in the SNAF*IX 1.4 kernel" response, whether written or merely thought, is cliquish and inappropriate in a public meeting, and slights the eternal requirement for engineering precision.

By the way, I believe "PCB" has also referred to "psilocybin" at one time or another.
From firewalls-owner Mon Jul 10 09:06:59 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA07651 for firewalls-outgoing; Mon, 10 Jul 1995 08:38:33 -0700
Received: from zergo.com (zergo.demon.co.uk [158.152.17.176]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA07623 for ; Mon, 10 Jul 1995 08:38:19 -0700
Date: Mon, 10 Jul 95 16:29:46 GMT
Message-Id: <2@zergo.com>
From: broderic@zergo.com (Stuart Broderick)
Reply-To: broderic@zergo.com
To: firewalls-digest@greatcircle.com
Subject: Quarantined Mail ???
Lines: 18
X-Mailer: PCElm 3.1 (1.6 DIS)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm attempting to design and configure a firewall where any mail containing an attachment is forwarded to a 'quarantine area' where the mail can be inspected for viruses etc prior to being sent to the internal network.

Does anyone know of any tech papers/faq's/descriptions/software needed to do this ? Any pointers appreciated.

Does anyone know of any UNIX based virus detectors which will catch PC (dos) viruses ?

Firewall hardware platform currently not set.

(Apologies if these questions have been asked before)

Thanks
---
Stuart Broderick (broderick@zergo.com)

From firewalls-owner Mon Jul 10 09:40:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA06618 for firewalls-outgoing; Mon, 10 Jul 1995 08:15:48 -0700
Received: from oxygen.house.gov (oxygen.house.gov [137.18.128.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA06589 for ; Mon, 10 Jul 1995 08:15:37 -0700
Received: by oxygen.house.gov (AIX 3.2/UCB 5.64/3.2.083191-) id AA08396; Mon, 10 Jul 1995 11:13:16 -0400
From: dorian@oxygen.house.gov (Dorian Deane)
Message-Id: <9507101513.AA08396@oxygen.house.gov>
Subject: Re: denial of services vs. denial of services
To: mjr@iwi.com
Date: Mon, 10 Jul 1995 11:13:16 -0400 (EDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9507100108.AA23057@tis.com> from "Marcus J Ranum" at Jul 9, 95 09:08:02 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 985
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Denial of service is definitely a problem, but I'd
> recommend that people worry about it to the extent of factoring
> in the fact that it CAN happen NO MATTER WHAT and then design
> their systems to take that into account. That means that large
> scale systems built over the Internet should not be mission
> or national defense critical, unless there are redundant,
> protected channels that can be brought into play.
>
> mjr.
>

I was thinking to myself, "He's said this before but this was very well put!" after reading this, then I had a thought: Isn't this a little bit like saying, "Well, if everybody else is littering, I might as well, too?"

In other words, developers should design with denial-of-service in mind, doing the best they can for the part of the system they control. Eventually, when things like UDP go away, we may end up with a more bulletproof Internet as a result.

The above-quoted paragraph is, of course, absolutely true for the time being.
dorian

From firewalls-owner Mon Jul 10 09:47:13 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA05329 for firewalls-outgoing; Mon, 10 Jul 1995 08:05:23 -0700
Received: from DOCKMASTER.NCSC.MIL (DOCKMASTER.NCSC.MIL [26.1.0.172]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA05191 for ; Mon, 10 Jul 1995 08:04:35 -0700
Date: Mon, 10 Jul 95 11:00 EDT
From: Wilner@DOCKMASTER.NCSC.MIL
Subject: Re: this and that
To: firewalls@GREATCIRCLE.COM
Message-ID: <950710150024.607285@DOCKMASTER.NCSC.MIL>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have been reading this forum for quite a while, but obviously haven't spoken (much) until now. I have observed an interesting pattern of communication. I present my observation in solicitation of a thoughtful response.

Why is it that, if you're "in the club" and make a glaring error or a sweeping generalization, then those who criticize you are belittled for splitting hairs or missing obvious meanings, whereas if you're *not* "in the club" and have the temerity to interpret the words of respected engineers with exactness and respond to them in literate English, then you're quasi-flamed as a goofball or a schmendrick?
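The "TW on a w-protected floppy (via libc attack)" exchange running through this digest (Ranum, Neuman, Riggins, Kadrich) turns on one point: open(2) and friends are libc stubs over a kernel trap, so a tampered libc can lie to a dynamically linked Tripwire while the kernel's access control stays intact. The following is an added example, not code from any of the posters or from Tripwire, that reads a file once through the libc stubs and once through the raw trap and compares the two; it assumes Linux and glibc (syscall(2), SYS_openat/SYS_read/SYS_close), and the file contents are constructed.

```c
/* Added example, not code from any poster in this thread or from Tripwire.
 * Reads one file two ways: through the libc stubs open()/read()/close(),
 * and straight through the trap with syscall(2) and the kernel's numbers.
 * Assumes Linux and glibc (SYS_openat/SYS_read/SYS_close, syscall(2)). */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define CAP 4096

/* Path 1: what every dynamically linked program does. open()/read() are
 * libc stubs that load a syscall number and trap; a tampered libc can
 * interpose here and return a doctored view of the file. */
static ssize_t read_via_libc(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    size_t total = 0;
    while (total < cap) {
        ssize_t n = read(fd, buf + total, cap - total);
        if (n < 0) { close(fd); return -1; }
        if (n == 0) break;
        total += (size_t)n;
    }
    close(fd);
    return (ssize_t)total;
}

/* Path 2: issue the trap ourselves with the numbers the kernel's table is
 * indexed by (Riggins' description), bypassing the libc stubs entirely.
 * Permission checks still happen: they live in the kernel, not in libc. */
static ssize_t read_via_syscall(const char *path, char *buf, size_t cap)
{
    long fd = syscall(SYS_openat, AT_FDCWD, path, O_RDONLY);
    if (fd < 0)
        return -1;
    size_t total = 0;
    while (total < cap) {
        long n = syscall(SYS_read, fd, buf + total, cap - total);
        if (n < 0) { syscall(SYS_close, fd); return -1; }
        if (n == 0) break;
        total += (size_t)n;
    }
    syscall(SYS_close, fd);
    return (ssize_t)total;
}

/* 1 if both paths return identical bytes, 0 if they disagree (the libc
 * stubs are not faithful), -1 if either path fails. A statically linked
 * checker, as the TW configuration comments advise, never relies on path 1. */
int libc_matches_kernel(const char *path)
{
    char a[CAP], b[CAP];
    ssize_t na = read_via_libc(path, a, CAP);
    ssize_t nb = read_via_syscall(path, b, CAP);
    if (na < 0 || nb < 0)
        return -1;
    return (na == nb && memcmp(a, b, (size_t)na) == 0) ? 1 : 0;
}

/* Constructed sample: write a few tw.config-style lines to a temp file and
 * run the cross-check on it; returns libc_matches_kernel()'s verdict. */
int demo_roundtrip(void)
{
    static const char sample[] = "# constructed sample\n/usr/bin R\n/etc R\n";
    char path[] = "/tmp/libc_vs_kernel_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    ssize_t len = (ssize_t)(sizeof sample - 1);
    if (write(fd, sample, (size_t)len) != len) { close(fd); unlink(path); return -1; }
    close(fd);
    int r = libc_matches_kernel(path);
    unlink(path);
    return r;
}

int main(void)
{
    int r = demo_roundtrip();
    printf("libc stubs %s the kernel path\n",
           r == 1 ? "match" : r == 0 ? "DIFFER from" : "could not be compared with");
    return r == 1 ? 0 : 1;
}
```

On an honest libc the two paths agree; the check is a teaching aid for the layering, not a substitute for the static linking and hardware write protection the thread recommends, since a hostile library can wrap syscall(2) as easily as open(2).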
From firewalls-owner Mon Jul 10 09:58:09 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA09463 for firewalls-outgoing; Mon, 10 Jul 1995 09:24:36 -0700
Received: from nic.cerf.net (nic.cerf.net [192.102.249.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA09453 for ; Mon, 10 Jul 1995 09:24:33 -0700
Received: from sol (cor.cerfnet.com [134.24.2.155]) by nic.cerf.net (8.6.10/8.6.9) with SMTP id JAA00293 for ; Mon, 10 Jul 1995 09:24:00 -0700
Received: from shiva.cor (shiva-le0) by sol (4.1/SMI-4.1) id AA03248; Sat, 8 Jul 95 20:40:47 PDT
Received: from wpsmtp by shiva.cor (4.1/SMI-4.1) id AA04263; Sat, 8 Jul 95 20:41:17 PDT
Received: from RIVCITY-Message_Server by wpsmtp with Novell_GroupWise; Sat, 08 Jul 1995 20:41:27 -0800
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Sat, 08 Jul 1995 20:41:09 -0800
From: Markly Dykeman
To: firewalls-digest@GreatCircle.COM
Subject: Re: One Router or Two
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I can think of one reason for two routers. If you have older cisco routers hanging around that you are trying to implement your DMZ with. Cisco's prior to 9.1.2 (?) only support outgoing packet filters. In this case, isn't it mandatory to use two routers if you are trying to implement a "screened subnet"?
markly

From firewalls-owner Mon Jul 10 10:02:55 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA04806 for firewalls-outgoing; Mon, 10 Jul 1995 08:01:08 -0700
Received: from gw2.att.com (gw2.att.com [192.20.239.134]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA04799 for ; Mon, 10 Jul 1995 08:00:57 -0700
Received: from vodka.sse.att.com (vodka.gc.att.com) by ig2.att.att.com id AA29674; Mon, 10 Jul 95 11:00:34 EDT
Message-Id: <9507101500.AA29674@ig2.att.att.com>
From: mdr@vodka.sse.att.com
Subject: Re: TW on a w-protected floppy (via libc attack)
To: mcn@EnGarde.com
Date: Mon, 10 Jul 1995 11:06:03 -0400 (EDT)
Cc: Firewalls@greatcircle.com
In-Reply-To: <199507071757.MAA13027@guardian.EnGarde.com> from "Mike Neuman" at Jul 7, 95 12:57:24 pm
X-Mailer: ELM [version 2.4 PL23-upenn2.7]
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mike Neuman of En Garde Systems writes in rebuttal to Ranum:

>
> I'd really be interested in knowing what systems implement privileged system
> kernel calls in the C library (and how they do it--setuid libraries?) :-)
> Last I checked open(2), read(2), write(2), etc. were UNIX kernel calls.
>

How about all UNIX SVR4!

Applications do not "link" with the kernel, and call the "open" routine. (That would be quite impossible). Instead they link with libc which has a routine (mine is in asm) called syscall which places the return address and the system call number into registers and issues a trap to cause the machine to enter kernel mode.

The kernel mode code systrap() in trap.c then executes. It determines the syscall number by examining the contents of the register, and then gathers the arguments to the system call from the user's stack. The address of the routine implementing the system call is read from a table using the syscall number as an index and the appropriate routine is called.
The ones that you mention (open, read, write) are both device type and filesystem dependent. So there are a few more hops necessary before the final XXXopen routine of the device/streams driver gets called.

I haven't read the linux or SunOS kernels, but the same means is probably used because this code dates way back.

So you see, all system calls do go thru a library, and they can be spoofed by a malicious library!

En Garde! Ranum is right.

Mark Riggins
Secure Systems Engineering
AT&T Bell Labs

From firewalls-owner Mon Jul 10 10:34:24 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA06274 for firewalls-outgoing; Mon, 10 Jul 1995 08:12:42 -0700
Received: from guardian.EnGarde.com (dialin-37.wustl.edu [128.252.112.37]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA06259 for ; Mon, 10 Jul 1995 08:12:35 -0700
Received: from localhost (mcn@localhost) by guardian.EnGarde.com (8.6.12/8.6.9) with SMTP id KAA29540; Mon, 10 Jul 1995 10:10:13 -0500
Message-Id: <199507101510.KAA29540@guardian.EnGarde.com>
X-Authentication-Warning: guardian.EnGarde.com: Host localhost didn't use HELO protocol
X-Mailer: exmh version 1.6.1 5/23/95
To: mdr@vodka.sse.att.com
cc: Firewalls@greatcircle.com
Subject: Re: TW on a w-protected floppy (via libc attack)
In-reply-to: Your message of "Mon, 10 Jul 1995 11:06:03 EDT." <9507101500.AA29672@ig2.att.att.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 10 Jul 1995 10:10:06 -0500
From: Mike Neuman
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> So you see, all system calls do go thru a library, and they can be
> spoofed by a malicious library!

Yes, but access control can't be circumvented, as it remains in the kernel. That was my point. Open() is NOT implemented in libc, rather a stub which calls the kernel open() is.
-Mike
mcn@EnGarde.com

From firewalls-owner Mon Jul 10 10:54:56 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA12321 for firewalls-outgoing; Mon, 10 Jul 1995 10:27:40 -0700
Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA12297 for ; Mon, 10 Jul 1995 10:27:20 -0700
Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA11778; Mon, 10 Jul 95 13:26:47 -0500
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9507101826.AA11778@hawksbill.sprintmrn.com>
Subject: Re: this and that
To: Wilner@DOCKMASTER.NCSC.MIL
Date: Mon, 10 Jul 1995 13:26:47 -0500 (EST)
Cc: firewalls@GREATCIRCLE.COM
In-Reply-To: <950710150024.607285@DOCKMASTER.NCSC.MIL> from "Wilner@DOCKMASTER.NCSC.MIL" at Jul 10, 95 11:00:00 am
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 1102
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>
> I have been reading this forum for quite a while, but obviously
> haven't spoken (much) until now. I have observed an interesting
> pattern of communication. I present my observation in solicitation
> of a thoughtful response.
>
> Why is it that, if you're "in the club" and make a glaring error or
> a sweeping generalization, then those who criticize you are
> belittled for splitting hairs or missing obvious meanings, whereas
> if you're *not* "in the club" and have the temerity to interpret
> the words of respected engineers with exactness and respond to them
> in literate English, then you're quasi-flamed as a goofball or a
> schmendrick?
>

I would like to think that those who do the criticizing are recognized for their worth.
:-)

- paul

_______________________________________________________________________________
Paul Ferguson                                       US Sprint
tel: 703.689.6828                                   Managed Network Engineering
internet: paul@hawk.sprintmrn.com                   Reston, Virginia USA
http://www.sprintmrn.com

From firewalls-owner Mon Jul 10 11:08:27 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA10086 for firewalls-outgoing; Mon, 10 Jul 1995 09:36:55 -0700
Received: from hiphop.MarketArts.Com (hiphop.marketarts.com [204.7.18.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA10014 for ; Mon, 10 Jul 1995 09:36:42 -0700
Received: by intergate id AA036794166; Mon, 10 Jul 1995 12:36:06 -0400
Received: from mas1.marketarts.com(198.178.150.1) by hiphop.MarketArts.Com via smap (V1.3) id sma003677; Mon Jul 10 12:36:00 1995
Received: (5.0/gate1) id AA22382; Mon, 10 Jul 1995 12:35:50 -0400
Message-Id: <9507101635.AA22382@ MarketArts.Com>
X-Sender: mph@mas1
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 10 Jul 1995 11:47:24 -0400
To: Firewalls@GreatCircle.COM
From: mph@MarketArts.Com (Matthew)
Subject: Re: How does one provide http://X.com/~FRED w/o giving FRED an account on the firewall?
Content-Length: 421
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Another way that may work for you which is used is:

Use NIS from a server machine which uses shadow files but do not import that shadow map/file to the WWW server machine. This will give people accounts but the password will be * (which will not allow them to log into the machine.) It matters where the machine is for this technique to work.
Matthew Hirsch
mph@marketarts.com
New York City

From firewalls-owner Mon Jul 10 11:28:16 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA08506 for firewalls-outgoing; Mon, 10 Jul 1995 09:01:05 -0700
Received: from uni.ins.com (uni.ins.com [199.0.193.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA08501 for ; Mon, 10 Jul 1995 09:00:59 -0700
Received: from markpc.ins.com (markpc.ins.com [199.0.193.183]) by uni.ins.com (8.6.12/8.6.12) with SMTP id IAA08963; Mon, 10 Jul 1995 08:59:45 -0700
Date: Mon, 10 Jul 1995 08:59:45 -0700
Message-Id: <199507101559.IAA08963@uni.ins.com>
X-Sender: kadrich@uni.ins.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: mcn@EnGarde.com
From: (Mark S. Kadrich)
Subject: Re: TW on a w-protected floppy
Cc: firewalls@greatcircle.com
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In the configuration files TW has a warning. It says "Do not use dynamic linked libraries" We have followed this warning and put TW on a floppy. This method does make for a fairly large bin however. We have also devoted an old HD to the task and hardware write protected it. This seemed to work fine until Solaris 2.4. I have not had the time to address this but I have heard rumors that TW can be built on 4.1.3+ and executed on S2.4.

Good luck

>In article <950707143416.482694@DOCKMASTER.NCSC.MIL> you write:
>>Ranum writes:
>>
>>> It's possible, I suppose, but if you're dealing
>>> with that kind of level of effort it'd be easier
>>> to just hack the kernel to not see or remap certain
>>> files.
>>
>>To "modify the open() routine in the C library" is not to "just
>>hack the kernel." The kernel is distinct from the C library.
>>
>>> I know for a fact that tools exist which allow
>>> a hacker to modify the open() routine in the C
>>> library...
>>
>>Modifying a single library does not seem like a lot of work for an
>>attacker to go through.
>
> I'd really be interested in knowing what systems implement privileged system
>kernel calls in the C library (and how they do it--setuid libraries?) :-)
>Last I checked open(2), read(2), write(2), etc. were UNIX kernel calls.
>
> fopen(3), on the other hand, is a library function which calls the open()
>system call. It could be modified out from under dynamically linked executables
>fairly easily.
>
> So, to answer the original question, yes, tools exist to allow the hacker to
>modify the C library. Hacking kernel routines is more difficult, but still
>not very hard:
>
>1) Many machines support loadable modules. You can replace any system call with
>a loaded version
>
>2) Even without loadable modules, it's not terribly difficult to romp through
>physical memory changing whatever you'd like.
>
>-Mike Neuman
>mcn@EnGarde.com
>En Garde Systems
>(314) 367-6402
>(314) 367-3555 (FAX)
>
>

******************************************************************
Mark S. Kadrich, Systems Engineer, International Network Services
"The Power of Operable Networks"
Voice @ 415-254-4225, Page @ 1-800-514-0355              _/\
e-mail @ kadrich@uni.ins.com                             (_)
Information security is a process, not a solution.
******************************************************************

From firewalls-owner Mon Jul 10 11:35:34 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA14399 for firewalls-outgoing; Mon, 10 Jul 1995 11:05:43 -0700
Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA14394 for ; Mon, 10 Jul 1995 11:05:40 -0700
Received: from uranus ([13.242.56.22]) by alpha.xerox.com with SMTP id <14635(5)>; Mon, 10 Jul 1995 11:04:40 PDT
Received: from altar by uranus (4.1/{XSoftHUB-1.4}SMI-4.1) id AA00176; Mon, 10 Jul 95 11:04:07 PDT
Received: by altar (4.1/{XSoft-U1-1.0}SMI-4.1) id AA18024; Mon, 10 Jul 95 11:03:22 PDT
Date: Mon, 10 Jul 1995 11:03:22 PDT
From: meza@xsoft.xerox.com (Jose' M. Salas-Meza)
Message-Id: <9507101803.AA18024@altar>
To: ids@uow.edu.au, Firewalls@greatcircle.com
Subject: Setting up a firewall
Cc: meza@xsoft.xerox.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

I am in the process of setting up a firewall so that I can get connected to the internet. (From Home)

This is what I have:

    Internet ----- Internet Provider (I am still looking for one)
                          |
                          |<-- PPP / SLIP Dial Up Connection ?
                          |
            Firewall (Bastion Host) with all the services.
                          |
                          |
                          |
              Server A ------- Server B

I have total of three machines that I can use. (Sparc, Sparc, Pentium)

I want to use a Dual Homed sun as the bastion host that also has WWW, FTP, ... services on it.

I want to use Server A to be an internal sparc running DNS.

I want the Server B to be the Windows (NT / 95) Client.

My Questions:

Is this the best configuration that I can use or should I use another configuration?

Are there any potential holes that I might be creating by placing all of the services on the firewall?

Email responses welcome. If there is enough interest, I will summarize and post the responses.

Thanks.

---
Jose' M. Salas-Meza
meza@xsoft.xerox.com
---

From firewalls-owner Mon Jul 10 12:03:22 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA09468 for firewalls-outgoing; Mon, 10 Jul 1995 09:24:38 -0700
Received: from nic.cerf.net (nic.cerf.net [192.102.249.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA09462 for ; Mon, 10 Jul 1995 09:24:36 -0700
Received: from sol (cor.cerfnet.com [134.24.2.155]) by nic.cerf.net (8.6.10/8.6.9) with SMTP id JAA00316 for ; Mon, 10 Jul 1995 09:24:03 -0700
Received: from shiva.cor (shiva-le0) by sol (4.1/SMI-4.1) id AA03251; Sat, 8 Jul 95 20:48:44 PDT
Received: from wpsmtp by shiva.cor (4.1/SMI-4.1) id AA04268; Sat, 8 Jul 95 20:49:18 PDT
Received: from RIVCITY-Message_Server by wpsmtp with Novell_GroupWise; Sat, 08 Jul 1995 20:49:29 -0800
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Sat, 08 Jul 1995 20:49:25 -0800
From: Markly Dykeman
To: firewalls-digest@GreatCircle.COM
Subject: Feedback on Cisco configurations.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am about to implement a DMZ which consists of a bastion host between two Cisco routers (as I mentioned in an earlier message). Would there be any objections if I posted to this list the scenario and configurations (with pertinent information X'ed or altered to protect the innocent) for feedback from the experienced cisco/firewall administrators?
Thanx,
markly@cor.cerfnet.com

From firewalls-owner Mon Jul 10 12:33:21 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA08192 for firewalls-outgoing; Mon, 10 Jul 1995 08:54:44 -0700
Received: from gateway.sctc.com (GATEWAY.SCTC.COM [192.55.214.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA08127 for ; Mon, 10 Jul 1995 08:53:38 -0700
Received: from sccmailhost.sctc.com (sccmailhost.sctc.com [192.55.214.100]) by gateway.sctc.com (8.6.10/8.6.9) with SMTP id KAA15334 for ; Mon, 10 Jul 1995 10:44:05 -0500
Received: from sccmailhost.sctc.com by sccmailhost.sctc.com id 161380000; 10 Jul 95 11:39 CDT
Received: from sctc.com by sccmailhost.sctc.com id 221600000; 10 Jul 95 11:39 CDT
Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by spirit.sctc.com (8.6.12/8.6.10) with ESMTP id KAA23275; Mon, 10 Jul 1995 10:40:12 -0500
Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id KAA24748; Mon, 10 Jul 1995 10:40:11 -0500
Date: Mon, 10 Jul 1995 10:40:11 -0500
From: Rick Smith
Message-Id: <199507101540.KAA24748@shade.sctc.com>
To: firewalls@greatcircle.com
Cc: smith@sctc.com
Subject: Re: What do we pay for ?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Danny asks:

>.. Given that, and that it costs no more than my time to
>do so, why should I pay umpteen thousand pounds/dollars to acquire commercial
>software? ie what do we get for our money? There is probably scope for
>paying out if it seems as worthwhile, but in my ignorance, I don't know the
>advantages.

Some things to consider:

*) How much testing are you going to do? A reputable vendor tests all functions of their firewalls in realistic configurations. A good vendor tests design properties, functional requirements, and resistance to known attacks. If you roll your own, you should construct and perform the tests necessary to ensure your protections work.
*) Are you willing to invite unstructured attacks from hackers in order to test your firewall? This is something a vendor can do without involving operational sites.

*) How much has the threat environment changed since the public domain software you've gotten was developed? Are you willing to accept the risks inherent in recently evolved threats? Do you have the time and talent to construct new countermeasures instead of getting them from a firewall vendor?

*) Are you hosting the firewall on a platform with nonbypassable security mechanisms (i.e. something more than Unix user IDs)? If not, there's the risk of a weak server allowing overrun of your firewall. Such mechanisms show up in commercial firewalls; few people have the money and smarts to do a "home grown" firewall with mandatory access controls.

*) How much money does your company stand to lose if someone breaks through your defenses? By doing this yourself you're betting your own admittedly new skills at blocking unknown assailants. Will your boss accept the result graciously if you lose, or will you lose your job? Don't take more responsibility than is sensible.

*) From another's point of view, what if the firewall installer quits or gets hit by a truck? Who picks up the pieces? Who ensures that security measures remain in operation and trains new administrators?

*) How much of your own time are you willing to spend on security? If the answer is "a lot" then maybe this can work, especially if you don't have that much at risk.

Rick.
smith@sctc.com
roseville, minnesota

From firewalls-owner Mon Jul 10 12:38:08 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA14886 for firewalls-outgoing; Mon, 10 Jul 1995 11:18:02 -0700
Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA14878 for ; Mon, 10 Jul 1995 11:17:57 -0700
Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA12061; Mon, 10 Jul 95 14:16:24 -0500
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9507101916.AA12061@hawksbill.sprintmrn.com>
Subject: Re: One Router or Two
To: markly@cor.cerfnet.com (Markly Dykeman)
Date: Mon, 10 Jul 1995 14:16:24 -0500 (EST)
Cc: firewalls-digest@GreatCircle.COM
In-Reply-To: from "Markly Dykeman" at Jul 8, 95 08:41:09 pm
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 911
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> I can think of one reason for two routers. If you have older cisco routers
> hanging around that you are trying to implement your DMZ with. Cisco's
> prior to 9.1.2 (?) only support outgoing packet filters. In this case, isn't it
> mandatory to use two routers if you are trying to implement a "screened
> subnet"?
>
> markly
>
>

Not necessarily, as long as access to the router itself is restricted (access-class lists on the VTY ports would be sufficient). However, the ability to configure inbound access-lists allows a lot more flexibility.
- paul

_______________________________________________________________________________
Paul Ferguson                                       US Sprint
tel: 703.689.6828                                   Managed Network Engineering
internet: paul@hawk.sprintmrn.com                   Reston, Virginia USA
http://www.sprintmrn.com

From firewalls-owner Mon Jul 10 12:53:31 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA17021 for firewalls-outgoing; Mon, 10 Jul 1995 12:04:09 -0700
Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA17016; Mon, 10 Jul 1995 12:04:04 -0700
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 10 Jul 1995 12:03:54 -0800
To: Markly Dykeman , firewalls-digest@GreatCircle.COM
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: One Router or Two
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 8:41 PM 7/8/95, Markly Dykeman wrote:

>I can think of one reason for two routers. If you have older cisco routers
>hanging around that you are trying to implement your DMZ with. Cisco's
>prior to 9.1.2 (?) only support outgoing packet filters. In this case, isn't it
>mandatory to use two routers if you are trying to implement a "screened
>subnet"?

"Outgoing", in this context, is from the router's point of view. The old Ciscos do outgoing filtering on each interface. If you have a Cisco with one Ethernet interface connected to your internal net and one Serial interface connected to the Internet, you would filter traffic that is "outgoing" from the whole site's point of view as outgoing traffic on the Serial interface, and traffic that is "incoming" from the whole site's point of view as outgoing traffic on the Ethernet interface.

You can build a screened subnet with either two 2-interface routers or one 3-interface router.
Whether you can do both inbound and outbound filtering on each interface doesn't affect whether it's a screened subnet or not, but it _does_ affect how easy it is to build and maintain. Systems allowing both inbound and outbound filtering on each interface are generally simpler to configure (and therefore, more likely to be configured correctly) and more powerful (some things, like detecting incoming packets with forged source addresses, are difficult or impossible to do with outbound-only filtering). -Brent ---------------------------------------------------------------------- For info about the Internet Security Firewalls Tutorial and a schedule of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM ---------------------------------------------------------------------- Brent Chapman Great Circle Associates Brent@GreatCircle.COM 1057 West Dana Street +1 415 962 0841 Mountain View, CA 94041 From firewalls-owner Mon Jul 10 13:10:30 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA15211 for firewalls-outgoing; Mon, 10 Jul 1995 11:28:31 -0700 Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA15206 for ; Mon, 10 Jul 1995 11:28:28 -0700 Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.29.1 #1) id m0sVNYe-0001dVC; Mon, 10 Jul 95 11:27 PDT Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA00399; Mon, 10 Jul 1995 11:27:54 +0800 Date: Mon, 10 Jul 1995 11:27:54 +0800 From: patrick@oes.amdahl.com (Patrick Horgan) Message-Id: <9507101827.AA00399@brittany.oes.amdahl.com> To: firewalls@GREATCIRCLE.COM, Wilner@DOCKMASTER.NCSC.MIL Subject: Re: this and that X-Sun-Charset: US-ASCII content-length: 2933 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Why is it that, if you're "in the club" and make a glaring error or > a sweeping generalization, then those who criticize you are > belittled for 
> splitting hairs or missing obvious meanings, whereas
> if you're *not* "in the club" and have the temerity to interpret
> the words of respected engineers with exactness and respond to them
> in literate English, then you're quasi-flamed as a goofball or a
> schmendrick?
>

I don't know if I'm in the club or out of it, but in this group as in others it takes awhile for people to know you and learn to respect your opinions. It's worse here in the virtual world for a couple of reasons...first, there are a lot of people that throw ill-formed opinions around whether because of lack of experience or because they really are a schmendrick;) The noise tends to program you to expect that people interjecting themselves into a conversation aren't the best and the brightest, (whether warranted or not!)

The second problem is that there are people with technical skills, and perhaps good verbal and written communication skills, but when they get into this forum when the style is more like oral, but the medium is written they miscommunicate. The problem is that the visual cues are gone. The people that suffer the worst are those that normally use a bit of sarcasm or irony in their conversational style. It works well in oral communications with a jovial tone and a smile on your face. In written communications it's almost invariably sent as an attack. These people keep angering others without knowing why...they wonder why everyone seems so touchy, when the problem is really that they just don't have the net communications skills.

So, you'll see some people engender complaints when it might not have seemed warranted. You have to remember though that others come into this group, and quickly fit right in. It's not even rare. If someone has problems with this group it's probably that they keep presenting things that are incorrect, or that their presentation style needs work.
I've communicated with most of the regulars on this list both via public and private email, and found them to be amusing, interesting, and (mostly) kind. I never had anyone act as if I didn't belong. (I should tell you about this one guy on com-priv though!)

Patrick
_______________________________________________________________________
These opinions are mine, and not Amdahl's (except by coincidence;).
(mail copyright Patrick J. Horgan)
Patrick J. Horgan, Amdahl Corporation
patrick@amdahl.com, 1250 East Arques Avenue, P.O. Box 3470 M/S 316, Sunnyvale, CA 94088-3470
Phone: (408)992-2779  FAX: (408)773-0833  O16-2294
"Have Sword Will Travel"
_______________________________________________________________________

From firewalls-owner Mon Jul 10 13:15:11 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA10374 for firewalls-outgoing; Mon, 10 Jul 1995 09:41:44 -0700
Received: from erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA10369 for ; Mon, 10 Jul 1995 09:41:41 -0700
Posted-Date: Mon, 10 Jul 1995 12:41:04 -0400
From: "Bryan D. Boyle"
Message-Id: <9507101241.ZM775@maverick.erenj.com>
Date: Mon, 10 Jul 1995 12:41:04 -0400
X-Phone: (908) 730-3338
X-Saying: Strange problems call for strange solutions.
X-Face: "Pd&4kXWsi"3Hc_Y~I-ts24DN$w~Hh)&L-P9DZvE"~_~m),~Y&N_]TUIM*4.r@z$SxVL]}v=+IP>Fuq{zx%{KKj"Kys1Q5{|m*l}:[T;N:/=@5[xOIpR$%skp$f0#6^j\1+ -?l%Yk/+S8Y!3J@{~!Ao4-COV:Ft}{]oZ&1=!@<>UIh2s
X-Mailer: Z-Mail (3.2.1 10apr95)
To: firewalls@greatcircle.com
Subject: vendor page
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Jul 10, 9:24am, Brent Chapman wrote:
> Subject: Re: firewall vendors
> At 11:29 AM 7/10/95, Bruno MAMER wrote:
> > Hi,
> >
> >Sorry to bother for such a simple question but I have been trying to
> >reach the www page with "all" the firewall vendors at the URL :
> >
> > http:/www.access.digex.net/~bdboyle/firewall.vendor.html
> >
> >but I never get an answer.
> >
> >Is it the correct URL ?
>
> Yes, as far as I know. It's maintained by Bryan D. Boyle
>

Just tried it and got the page... perhaps you should try http:// instead of http:/

--
Bryan D. Boyle | "The real difficulty in changing any enterprise lies
#include | not in developing new ideas, but in escaping from
EMAIL: bdboyle@erenj.com | the old ones." --John Maynard Keynes
--------------------

From firewalls-owner Mon Jul 10 14:06:14 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA21672 for firewalls-outgoing; Mon, 10 Jul 1995 13:48:01 -0700
Received: from wabash.iac.net (wabash.iac.net [198.180.60.138]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA21667 for ; Mon, 10 Jul 1995 13:47:58 -0700
Received: by wabash.iac.net id QAA18580; Mon, 10 Jul 1995 16:45:59 -0400
Date: Mon, 10 Jul 1995 16:45:58 -0400 (EDT)
From: Carl Jolley
To: Markly Dykeman
cc: firewalls-digest@GreatCircle.COM
Subject: Re: One Router or Two
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What you say about outgoing packets is correct however depending on how the router is used, it _may_ make no difference.
If one only has 2 network interfaces on a router that is serving as a screening router then you're covered since it is clear that output on a port must have come in from the other (and vice versa). So if you want to block input from port 1 then blocking the output on port 2 would do the same thing.

**** cjolley@iac.net **** All opinions are my own and not necessarily those of my employer ****

On Sat, 8 Jul 1995, Markly Dykeman wrote:
> I can think of one reason for two routers. If you have older cisco routers
> hanging around that you are trying to implement your DMZ with. Cisco's
> prior to 9.1.2 (?) only support outgoing packet filters. In this case, isn't it
> mandatory to use two routers if you are trying to implement a "screened
> subnet"?
>
> markly
>
>

From firewalls-owner Mon Jul 10 14:45:07 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA22090 for firewalls-outgoing; Mon, 10 Jul 1995 14:03:56 -0700
Received: from Sun.COM (Sun.COM [192.9.9.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA22085 for ; Mon, 10 Jul 1995 14:03:50 -0700
Received: from Corp.Sun.COM ([129.145.35.78]) by Sun.COM (sun-barr.Sun.COM) id AA06224; Mon, 10 Jul 95 14:03:12 PDT
Received: from rainbow.Corp.Sun.COM (rainbow-bb.Corp.Sun.COM) by Corp.Sun.COM (5.x/SMI-5.3) id AA03839; Mon, 10 Jul 1995 14:01:48 -0700
Received: from althea.Corp.Sun.COM by rainbow.Corp.Sun.COM (5.x/SMI-SVR4) id AA05816; Mon, 10 Jul 1995 14:01:44 -0700
Received: by althea.Corp.Sun.COM (5.x/SMI-SVR4) id AA02451; Mon, 10 Jul 1995 14:01:46 -0700
Date: Mon, 10 Jul 1995 14:01:46 -0700
From: jerald@rainbow-16.Corp.Sun.COM (Jerald Josephs)
Message-Id: <9507102101.AA02451@althea.Corp.Sun.COM>
To: firewalls@greatcircle.com
Subject: Please add me to this alias
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thank-you,
Jerald Josephs
Technical Support Engineer - Networks
SunService

From firewalls-owner Mon Jul 10 15:05:47 1995
Received:
(daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA21268 for firewalls-outgoing; Mon, 10 Jul 1995 13:36:39 -0700
Received: from wabash.iac.net (wabash.iac.net [198.180.60.138]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA21261 for ; Mon, 10 Jul 1995 13:36:35 -0700
Received: by wabash.iac.net id QAA18427; Mon, 10 Jul 1995 16:35:46 -0400
Date: Mon, 10 Jul 1995 16:35:43 -0400 (EDT)
From: Carl Jolley
To: Stuart Broderick
cc: firewalls-digest@GreatCircle.COM
Subject: Re: Quarantined Mail ???
In-Reply-To: <2@zergo.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What are you going to do with mail messages where the virus is not included in an attachment? By this I mean for example, text of a uuencoded virus is included as part of the body of the message. This possibility would seem to require you to examine the content of all parts of a message.

Are you going to look at the binary corresponding to an attachment and attempt to match it to a known virus? What machine language targets are you going to match for? What different types of binary encoding will you be checking for? Will your design handle multiple nested encodings? By this I mean for example a base64 encoded attachment or part of the body of the message and when it is decoded the result is a text file, but the text file is a uuencoded virus.

How will you handle an attachment that is a compressed or an archive type file (e.g. a .zip or a .Z file)? Will your design uncompress and/or unarchive so it can determine if any of the contained multiple files is a virus? Will your design handle multiple nested compressed/archived files?, e.g. a uuencoded binary is a compressed tar file containing multiple zip files, each of which contains multiple files consisting of uuencoded or base64 content viruses.

What about trojan horses? What about one that when triggered installs a virus?
The point is that you can't design an automated procedure to detect _all_ e-mail-transmitted viruses. You _probably_ can't afford (based on cost and time) to examine each and every mail message manually. You can't prevent virus infection by looking for signatures since a virus may be transported via a trojan horse and you can't just look in attachments since they may simply be appended to the body of a message using ascii text binary encoding. Your time would probably be better spent designing a perpetual motion machine.

You can probably detect trivial e-mail binary attachment transmitted viruses against the hardware of your most common client workstations. This will probably catch some. You will probably miss some too. Education of your end-users regarding this topic and routine use of virus detection software on their workstations will probably provide more protection than anything you can do with a firewall/quarantine approach.

**** cjolley@iac.net **** All opinions are my own and not necessarily those of my employer ****

On Mon, 10 Jul 1995, Stuart Broderick wrote:
> I'm attempting to design and configure a firewall where any mail
> containing an attachment is forwarded to a 'quarantine area' where
> the mail can be inspected for viruses etc prior to being sent
> to the internal network.
>
> Does anyone know of any tech papers/faq's/descriptions/software
> needed to do this ? Any pointers appreciated.
>
> Does anyone know of any UNIX based virus detectors which will
> catch PC (dos) viruses ? Firewall hardware platform currently not
> set.
>
> (Apologies if these questions have been asked before)
>
> Thanks
>
> ---
> Stuart Broderick (broderick@zergo.com)
>

From firewalls-owner Mon Jul 10 16:35:24 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA26449 for firewalls-outgoing; Mon, 10 Jul 1995 16:14:33 -0700
Received: from darkstar.bos.locus.com (darkstar.bos.locus.com [130.200.200.82]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA26443 for ; Mon, 10 Jul 1995 16:14:28 -0700
X-Sender: hal@darkstar.bos.locus.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 10 Jul 1995 19:05:26 -0400
To: firewalls@greatcircle.com
From: hal@locus.com (Hal Lockhart)
Subject: DCE and the Internet
X-Mailer:
Message-ID: <"darkstar.b.693:10.06.95.23.12.59"@locus.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Recently I have been investigating the details of using OSF DCE to provide security in applications using the Internet as a transport mechanism. This consists primarily of two areas of interest:

o allowing DCE RPC calls to pass through firewalls, and
o hardening DCE nodes (primarily application servers) to prevent attacks via other, insecure mechanisms.

I am interested in talking to anyone who either has done these things or is interested in doing so.

Concerning firewalls, some of the things I am interested in are:

o What is your general firewall configuration?
o What is your DCE requirement?
o Did you use the RPC_RESTRICTED_PORTS feature?
o If so how did you configure it?
o Have you experienced any operational problems?

Concerning hardening:

o What platform did you use?
o What applications did you leave enabled? (echo, null, etc.)
o Other than disabling various applications did you make other changes to prevent attacks?
o Did you take any special physical security precautions?
o Did the application run through a firewall?
o Have you experienced any operational problems?
My goal is to create a kind of cookbook for doing these things and make it public. Please reply by email. If you have concerns about confidentiality, I would be glad to call you and abide by any restrictions you desire.

Thanks in advance.

Hal
=================================================================
Harold W. Lockhart Jr.
Chief Technical Architect
Locus Computing Corporation
8 New England Executive Park
Burlington, MA 01803 USA
Email: hal@locus.com
Voice: (617)229-4980 X1202
Fax: (617)229-2969
=================================================================

From firewalls-owner Mon Jul 10 17:05:41 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA25990 for firewalls-outgoing; Mon, 10 Jul 1995 16:01:58 -0700
Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA25981 for ; Mon, 10 Jul 1995 16:01:54 -0700
Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.29.1 #1) id m0sVRpN-0001dRC; Mon, 10 Jul 95 16:01 PDT
Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA00824; Mon, 10 Jul 1995 16:01:28 +0800
Date: Mon, 10 Jul 1995 16:01:28 +0800
From: patrick@oes.amdahl.com (Patrick Horgan)
Message-Id: <9507102301.AA00824@brittany.oes.amdahl.com>
To: firewalls@greatcircle.com, smith@sctc.com
Subject: Re: What do we pay for ?
X-Sun-Charset: US-ASCII
content-length: 5401
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I find this a bit confusing. First, you must be aware that vendors got their experience the same way you're getting yours...it's nothing magical. Second, with no real certification in place, you must be aware that many of the "experts" have very little real expertise. They've read C&B, and might have done a couple of installs. That's not to say that there aren't real experts, it's just that there are many in the field for the quick buck and they really only have half a clue.
Next, to imply that it's not possible, or in fact dangerous for someone to make their own firewall is silly. Each of us should know our own skills and desires, if you feel you can do it you probably can, and indeed, will probably end up doing a better job than some contractors.

>
> Some things to consider:
>
> *) How much testing are you going to do? A reputable vendor tests all
> functions of their firewalls in realistic configurations.

You're lucky if you get a pseudo-regression test. As has been discussed on this list many times, testing in this area is in its infancy. Some vendors are making a good effort in this area, but not all.

> A good
> vendor tests design properties, functional requirements, and
> resistance to known attacks.

So they test to see if it does what they told it to do, what the customer wants it to do, and run ISS and/or SATAN...how many actually have a suite of exploit scripts they run...how many have good exploit scripts for the rarer, but still dangerous things like the spoofing attack Mitnick used. Do the tests get run from sites outside of the firewall?

> If you roll your own, you should
> construct and perform the tests necessary to ensure your protections
> work.

Certainly.

>
> *) Are you willing to invite unstructured attacks from hackers in
> order to test your firewall? This is something a vendor can do without
> involving operational sites.

It's not something most vendors do, and I for one am not convinced that it's a requirement or even a benefit. It makes for good marketing though;)

>
> *) How much has the threat environment changed since the public domain
> software you've gotten was developed? Are you willing to accept the
> risks inherent in recently evolved threats? Do you have the time and
> talent to construct new countermeasures instead of getting them from a
> firewall vendor?

That's important, but if you have an interest in the area, and keep in touch with the field, you're likely to be ahead of the vendors.
>
> *) Are you hosting the firewall on a platform with nonbypassable
> security mechanisms (i.e. something more than Unix user IDs)? If not,
> there's the risk of a weak server allowing overrun of your firewall.
> Such mechanisms show up in commercial firewalls; few people have the
> money and smarts to do a "home grown" firewall with mandatory access
> controls.

Most firewalls whether set up by a contractor, bought from a vendor, or set up by an individual don't do this. Some do, but not most. Nevertheless they still can provide security. That said, I once worked on a Bx rated machine set up as a firewall...it sure was nice to know that even if someone somehow compromised root they were still severely limited in what they could do.

>
> *) How much money does your company stand to lose if someone breaks
> through your defenses? By doing this yourself you're betting your own
> admittedly new skills at blocking unknown assailants. Will your boss
> accept the result graciously if you lose, or will you lose your job?
> Don't take more responsibility than is sensible.

Nevertheless, your butt's on the line anyway. Again, if you feel competent to do this, it might be better to have the control.

>
> *) From another's point of view, what if the firewall installer quits
> or gets hit by a truck? Who picks up the pieces? Who ensures that
> security measures remain in operation and trains new administrators?

Exactly. Many of the contractors in this area are individuals. What if they get hit by a truck?

>
> *) How much of your own time are you willing to spend on security? If
> the answer is "a lot" then maybe this can work, especially if you
> don't have that much at risk.

That part after the last comma was not nice. You shouldn't impugn someone's skills without knowing them. That said, it's true that a good vendor/contractor can really be a wonderful thing. They can cut your time to secure connectivity, while providing you safety as well.
Just be aware that you'll occasionally see posts on this forum from people whose .sigs indicate that they do firewall consulting, but their questions indicate that they don't know their donkey from a crater;)

Patrick
_______________________________________________________________________
These opinions are mine, and not Amdahl's (except by coincidence;).
(mail copyright Patrick J. Horgan)
Patrick J. Horgan, Amdahl Corporation
patrick@amdahl.com, 1250 East Arques Avenue, P.O. Box 3470 M/S 316, Sunnyvale, CA 94088-3470
Phone: (408)992-2779  FAX: (408)773-0833  O16-2294
"Have Sword Will Travel"
_______________________________________________________________________

From firewalls-owner Mon Jul 10 19:34:42 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA01654 for firewalls-outgoing; Mon, 10 Jul 1995 19:18:15 -0700
Received: from gw2.att.com (gw2.att.com [192.20.239.134]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id TAA01649 for ; Mon, 10 Jul 1995 19:18:11 -0700
Received: from vodka.sse.att.com (vodka.gc.att.com) by ig1.att.att.com id AA27680; Mon, 10 Jul 95 22:17:23 EDT
Message-Id: <9507110217.AA27680@ig1.att.att.com>
From: mdr@vodka.sse.att.com
Subject: Re: TW on a w-protected floppy (via libc attack)
To: mcn@EnGarde.com (Mike Neuman)
Date: Mon, 10 Jul 1995 12:34:28 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199507101510.KAA29540@guardian.EnGarde.com> from "Mike Neuman" at Jul 10, 95 10:10:06 am
X-Mailer: ELM [version 2.4 PL23-upenn2.7]
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The thread to which you responded went like this:

Russel:
> what worries me is what if someone got into the kernel and replaced
>the FD driver with something that behaves the same, but (say) fishes
>the data out of a file and not off the drive.
>Despite the drive making
>grinding noises
>Ranum writes:
>> It's possible, I suppose, but if you're dealing with that kind of
>>level of effort, it'd be easier to just hack the kernel to not see or
>>remap certain files.
>>Oliver Friedrichs quips
>>> Modifying a single library does not seem like a lot of work for an
>>>attacker to go through.
>>>You respond
>>>>I'd really be interested in knowing what systems implement
>>>>privileged system kernel calls in the C library
>>>>I then pointed out:
>>>>> So you see, all system calls do go thru a library, and they can be
>>>>>spoofed by a malicious library!
>>>>>You now respond:
>>>>>>Yes, but access control can't be circumvented, as it remains in the kernel.
>>>>>>> That was my point. Open() is NOT implemented in libc, rather a stub which
>>>>>>> calls the kernel open() is.

The point being debated here is whether or not a hacker could cause bad things to happen by changing libc. The case in point, could he cause you to believe that you were reading and writing to a floppy drive when in fact he was just fishing data out of a file. The answer is YES! And no privilege is necessary for him to do so once the library has been corrupted. Your binary will link to libc(open') which will mess around with its arguments before calling the real open. An entire virtual file system has been implemented with this technique. The open of the spoofed file will succeed because the hacker has set the permissions on it to rwx for everybody. His attacks are not limited to floppy drive or file accesses, he's got the whole system call interface to hack.

Someone will probably quip, "Yes but if the hacker can modify libc, then you're already dead...." My point exactly, but you can be worse off than dead, you might still think that you are alive, meanwhile the hacker can do all sorts of logging, session stealing, ANY-THING-HE-WANTS via his libc back door.
Libc is a nice place to hide, especially if it's a dynamically linked .so because it has the nasty habit of affecting all of the dynamically linked executables on the system.

Just in case someone misses the whole thread, please note: there is NO WAY that this is going to put data on the write-protected floppy.

Mark Riggins
Secure Systems Engineering
AT&T Bell Labs

From firewalls-owner Mon Jul 10 22:07:14 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA07872 for firewalls-outgoing; Mon, 10 Jul 1995 21:43:14 -0700
Received: from yoda.unl.edu (yoda.unl.edu [129.93.11.11]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id VAA07867 for ; Mon, 10 Jul 1995 21:43:10 -0700
Received: by yoda.unl.edu (5.x/SMI-SVR4) id AA23487; Mon, 10 Jul 1995 23:43:50 -0500
Date: Mon, 10 Jul 1995 23:43:50 -0500
From: muhlin@yoda.unl.edu (Muhlin Chen)
Message-Id: <9507110443.AA23487@yoda.unl.edu>
To: firewalls@greatcircle.com
Subject: Problem solved: Netscape and ftp proxy
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I really appreciate the information provided from this list. I have the TIS tool kit proxies running on Solaris and Netscape navigators work fine through the proxies for ftp sessions now. I did the following:

1. making the ftp, gopher, and http proxies all pointing to http-gw (port 80).

2. changing
      sprintf(ftp_pass,"PASS -gopher@%s", ourname);
   to
      sprintf(ftp_pass,"PASS -gopher@%s.domain", ourname);
   in the function proxy_form.

3. changing
      timeout.tv_sec = 0;
   to
      timeout.tv_sec = 1;
   in the function get_ftp_reply.

I made the third change because when I traced the program (http-gw.c), I found that the select statement in the same function failed. Since gethostbyaddr only returns the host name instead of the FQN on Solaris, I guess that the second change is necessary for some ftp sites. Well, I am not sure the changes are really the solution, but they worked for me on the sites I tested.

Thanks again!
--muhlin@Yoda.unl.edu

From firewalls-owner Mon Jul 10 23:36:05 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA09442 for firewalls-outgoing; Mon, 10 Jul 1995 23:06:48 -0700
Received: from sequoia.itd.uts.EDU.AU (sequoia.itd.uts.EDU.AU [138.25.16.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id XAA09437 for ; Mon, 10 Jul 1995 23:06:01 -0700
Received: from lordmuck.itd.uts.edu.au by sequoia.itd.uts.EDU.AU with SMTP id AA12777 (5.65c/IDA-1.4.4 for ); Tue, 11 Jul 1995 16:04:11 +1000
Received: (from matt@localhost) by lordmuck.itd.uts.edu.au (8.6.12/Jas 1.1) id QAA12529; Tue, 11 Jul 1995 16:04:54 +1000
From: Jas (Matthew K)
Message-Id: <199507110604.QAA12529@lordmuck.itd.uts.edu.au>
Subject: Re: TW on a w-protected floppy
To: mark_kadrich@ins.com (Mark S. Kadrich)
Date: Tue, 11 Jul 1995 16:04:53 +1000 (EST)
Cc: mcn@engarde.com, firewalls@greatcircle.com
In-Reply-To: <199507101559.IAA08963@uni.ins.com> from "Mark S. Kadrich" at Jul 10, 95 08:59:45 am
X-Gc: GCV 2.1 GAT/M/CS d--(-+) H-- s++:-- g+ p? !au a-(?) w+++ v+ C+++$
X-Gc: UVS++++$ P+>+++ L- 3+++ E-(++) N++ K W--- M+ V-- -po+(+) Y+ t+
X-Gc: !5++ jx R+ G? !tv b+++ D++ B e+ u--(**) h- f+(*) r n- !y
X-Ph: ph: +61 2 330 1390 fax: +61 2 330 1999 home: +61 2 416 5722
X-Pager: +61 2 214 1111 #849482
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1013
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mark S. Kadrich wrote this...
> In the configuration files TW has a warning.
> It says "Do not use dynamic linked libraries"
> We have followed this warning and put TW on a floppy. This method does make
> for a fairly large bin however. We have also devoted an old HD to the task
> and hardware write protected it. This seemed to work fine until Solaris
> 2.4.
> I have not had the time to address this but I have heard rumors that
> TW can be built on 4.1.3+ and executed on S2.4.
> Good luck

be warned, running SunOS 4.1.x binaries on SunOS 5 is done through dynamic libraries, and so you are still susceptible...

Matt
--
#!/bin/sh echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc;exit
Matthew Keenan
Systems Programmer
Information Technology Division
University of Technology Sydney
Australia

It's nice to be in a position where people apologize because they assume there's humor in your work, based on past experience, but they're not sure where it is. -- Rob Pike

From firewalls-owner Tue Jul 11 04:04:44 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA15194 for firewalls-outgoing; Tue, 11 Jul 1995 03:39:35 -0700
Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id DAA15188 for ; Tue, 11 Jul 1995 03:39:26 -0700
From: fc@all.net (Dr. Frederick B. Cohen)
Received: by all.net (4.1/3.2.012693-Management Analytics); id AA14728 for firewalls@greatcircle.com; Tue, 11 Jul 95 06:33:26 EDT
Message-Id: <9507111033.AA14728@all.net>
Subject: Vendors and Consultants Only
To: firewalls@greatcircle.com
Date: Tue, 11 Jul 1995 06:33:25 -0400 (EDT)
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 980
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

***** ADVERTISING OPPORTUNITY **** TECHNICAL PEOPLE TURN YOUR HEADS *****

I am giving a series of short courses on (among other things) Firewalls in South Africa in August/September and would like to invite any vendors and/or consultants that service SA to provide copies of advertising materials and details about their products/services to all of the attendees. For full details, please contact me directly.
***** END ADVERTISING OPPORTUNITY **** TECHIES MAY LOOK NOW *****

--
-> See: Info-Sec Heaven using our New Super Secure World-Wide-Web Server
-> Free: Test your system's security (scans deeper than SATAN or ISS!)
---------------------- both at URL: http://all.net ----------------------
-> Read: "Protection and Security on the Information Superhighway"
John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95
-------------------------------------------------------------------------
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236

From firewalls-owner Tue Jul 11 05:05:05 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA16941 for firewalls-outgoing; Tue, 11 Jul 1995 04:39:55 -0700
Received: from anke.imsd.uni-mainz.DE (anke.imsd.Uni-Mainz.DE [134.93.16.31]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id EAA16936 for ; Tue, 11 Jul 1995 04:39:46 -0700
Received: from katrin by anke.imsd.uni-mainz.DE (NX5.67e/NX3.0M) id AA07306; Tue, 11 Jul 95 13:39:33 +0200
From: "Prof. Dr. Klaus Pommerening"
Message-Id: <9507111139.AA07306@anke.imsd.uni-mainz.DE>
Received: by katrin.imsd.uni-mainz.DE (NX5.67e/NX3.0X) id AA02473; Tue, 11 Jul 95 13:38:37 +0200
Date: Tue, 11 Jul 95 13:38:37 +0200
Received: by NeXT.Mailer (1.100)
Received: by NeXT Mailer (1.100)
To: Firewalls@GreatCircle.COM
Subject: Problem: NCSA telnet and fwtk
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We installed the TIS firewall toolkit and it works fine. But ... when telnetting from NCSA telnet, the telnet proxy gives its prompt but doesn't connect. It seems to hang with the message `Trying 123.45.67.89 port 23...'.

Versions: telnet proxy (Version V1.3), NCSA telnet 2.3.01

Does anyone know a solution?
Klaus Pommerening
Institut fuer Medizinische Statistik und Dokumentation der Johannes-Gutenberg-Universitaet, D-55101 Mainz, Germany
PGP fingerprint: F5 03 CE E7 70 C2 8C 74 BA ED EC 60 83 3B 7C 89

From firewalls-owner Tue Jul 11 06:35:10 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA19411 for firewalls-outgoing; Tue, 11 Jul 1995 06:25:16 -0700
Received: from TIS.COM (neptune.tis.com [192.94.214.96]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA19406 for ; Tue, 11 Jul 1995 06:25:13 -0700
Received: from relay.tis.com by neptune.TIS.COM id aa13773; 11 Jul 95 9:18 EDT
Received: from pluto.tis.com(192.94.214.99) by relay.tis.com via smap (g3.0.1) id xma009732; Tue, 11 Jul 95 09:18:04 -0400
Received: by tis.com (4.1/SMI-4.1) id AA01271; Tue, 11 Jul 95 09:21:51 EDT
From: Marcus J Ranum
Message-Id: <9507111321.AA01271@tis.com>
Subject: Re: TW on a w-protected floppy (via libc attack)
To: firewalls@greatcircle.com
Date: Tue, 11 Jul 1995 09:21:50 -0400 (EDT)
In-Reply-To: <9507110217.AA27680@ig1.att.att.com> from "mdr@iwi.com" at Jul 10, 95 12:34:28 pm
Reply-To: mjr@iwi.com
Organization: Information Works! Inc, Baltimore, MD
Url: mjr's web page
Phone: 410-889-8569
Coredump: Infocalypse Now!!!
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1114
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>The point being debated here is whether or not a hacker could cause bad
>things to happen by changing libc.

I guess I wasn't clear in my earlier posting: that's not open to debate. I know for a fact that this has been done in the past, specifically to get around tripwire. However it's implemented, you need to be able to remap accesses to the tripwire database so that they open different files when they think they are opening the database and libc for read.
You also need to be able to make the backup copies "invisible" to the tripwire process. The version I've been told about is apparently implemented in a shared library for Suns. Presumably it jiggers stat/lstat and open with hardcoded inode numbers or something like that.

My other observation was that it should be no more difficult for a skilled programmer to paste it directly into the kernel, by linking a kernel with a modified system call jump table. Take a look at init_sysent.c and ask yourself how hard it would be. There's a bunch of trivial implementation details that I'm hand-waving over but if someone wants to do it, they can.

mjr.

From firewalls-owner Tue Jul 11 07:00:43 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA19136 for firewalls-outgoing; Tue, 11 Jul 1995 06:13:59 -0700
Received: from seraph.uunet.ca (uunet.ca [142.77.1.254]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA19114 for ; Tue, 11 Jul 1995 06:13:53 -0700
Received: from dejong by mail.uunet.ca with UUCP id <182282-3>; Tue, 11 Jul 1995 09:15:22 -0400
Received: from dejong.com by dejong.dejong.com; Tue, 11 Jul 95 08:24 EDT
From: chris@dejong.com (Chris Tyler)
To: Firewalls@GreatCircle.COM
Date: Tue, 11 Jul 1995 08:23:00 -0400
Subject: Re: Sending replies to blocked packets
Content-Length: 393
Content-Type: text/plain
Message-ID: <30026d590.677@devel.dejong.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

WRT ICMP "unreachable -- administratively prohibited" codes, Bob Snyder writes:
> Nothing I've seen supports them yet

The Morning Star filters can send back these "administratively prohibited" messages for host and net (along with unknown, isolated, and tos).

Chris Tyler chris@dejong.com
Systems Development Manager, Wm. De Jong Enterprises Inc.
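The libc thread above (Riggins and Ranum on a trojaned shared library remapping open()/stat(), and the Kadrich/Keenan exchange about Tripwire's "Do not use dynamic linked libraries" warning and SunOS 4 binaries still going through shared libraries on Solaris 2) leaves one practical question: how do you confirm that the binary you put on the write-protected floppy is really static? The following is an added example by the editor, not code from any of the posts. It parses the ELF program headers (Solaris 2.x and current Unix systems; SunOS 4 a.out binaries are not handled) and flags a PT_INTERP or PT_DYNAMIC segment, either of which means the run-time linker is involved. Static linking does nothing against the modified system-call jump table Ranum describes; that needs a trusted kernel. The make_elf helper builds constructed images for the offline test only and is not a real executable.

```python
"""Report whether an ELF executable is really statically linked.

Added example for the libc-interposition thread (not code from the posts).
A program carrying a PT_INTERP (run-time linker path) or PT_DYNAMIC segment
is resolved through shared libraries and so is exposed to a trojaned libc;
a truly static one has neither.  Assumes ELF; SunOS 4 a.out is not parsed.
"""
import struct
import sys

PT_DYNAMIC = 2
PT_INTERP = 3
ET_EXEC = 2
# ELF header fields after the 16-byte e_ident, ELF32 (class 1) / ELF64 (class 2)
EH_FMT = {1: "HHIIIIIHHHHHH", 2: "HHIQQQIHHHHHH"}
# Program header entry: ELF32 = type,offset,vaddr,paddr,filesz,memsz,flags,align
#                       ELF64 = type,flags,offset,vaddr,paddr,filesz,memsz,align
PH_FMT = {1: "IIIIIIII", 2: "IIQQQQQQ"}
PH_OFF_SIZE = {1: (1, 4), 2: (2, 5)}   # indices of p_offset and p_filesz above


def elf_link_info(data: bytes) -> dict:
    """Parse e_ident, the ELF header and the program header table of an
    in-memory file image and report which dynamic-linking segments exist."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS or EI_DATA")
    end = "<" if ei_data == 1 else ">"          # little or big endian
    eh_fmt, ph_fmt = end + EH_FMT[ei_class], end + PH_FMT[ei_class]
    if len(data) < 16 + struct.calcsize(eh_fmt):
        raise ValueError("truncated ELF header")
    hdr = struct.unpack_from(eh_fmt, data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[0], hdr[4], hdr[8], hdr[9]
    if e_phnum and e_phentsize < struct.calcsize(ph_fmt):
        raise ValueError("bad e_phentsize")
    off_idx, size_idx = PH_OFF_SIZE[ei_class]
    info = {"class": 32 if ei_class == 1 else 64, "e_type": e_type,
            "has_interp": False, "has_dynamic": False, "interp": None}
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + struct.calcsize(ph_fmt) > len(data):
            raise ValueError("program header table runs past end of file")
        ph = struct.unpack_from(ph_fmt, data, off)
        if ph[0] == PT_INTERP:                   # path of the run-time linker
            info["has_interp"] = True
            start, size = ph[off_idx], ph[size_idx]
            info["interp"] = data[start:start + size].rstrip(b"\0").decode("ascii", "replace")
        elif ph[0] == PT_DYNAMIC:                # dynamic section (DT_NEEDED etc.)
            info["has_dynamic"] = True
    info["static"] = not (info["has_interp"] or info["has_dynamic"])
    return info


def check_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return elf_link_info(fh.read())


def make_elf(elf_class: int, segments, little: bool = True) -> bytes:
    """Constructed minimal ELF image (not a real executable) with one program
    header per (p_type, payload) pair; used only to exercise elf_link_info."""
    cls = 1 if elf_class == 32 else 2
    end = "<" if little else ">"
    ehsize = 16 + struct.calcsize("<" + EH_FMT[cls])
    phentsize = struct.calcsize("<" + PH_FMT[cls])
    data_off = ehsize + phentsize * len(segments)
    phdrs, blobs = b"", b""
    for p_type, payload in segments:
        off = data_off + len(blobs)
        if cls == 1:
            phdrs += struct.pack(end + PH_FMT[1], p_type, off, 0, 0, len(payload), len(payload), 4, 1)
        else:
            phdrs += struct.pack(end + PH_FMT[2], p_type, 4, off, 0, 0, len(payload), len(payload), 1)
        blobs += payload
    ident = b"\x7fELF" + bytes([cls, 1 if little else 2, 1]) + b"\0" * 9
    # e_type, e_machine(0=none), e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    hdr = struct.pack(end + EH_FMT[cls], ET_EXEC, 0, 1, 0, ehsize, 0, 0,
                      ehsize, phentsize, len(segments), 0, 0, 0)
    return ident + hdr + phdrs + blobs


if __name__ == "__main__":
    for p in sys.argv[1:]:
        info = check_file(p)
        verdict = "static" if info["static"] else "DYNAMIC (interp=%s)" % info["interp"]
        print("%s: ELF%d, %s" % (p, info["class"], verdict))
```

Run it as `python3 elfstatic.py /floppy/tripwire` after building; a "DYNAMIC" verdict means the binary is exactly the target Riggins describes, whatever the build flags claimed.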
+1-519-424-9007 / fax +1-519-424-2399

From firewalls-owner Tue Jul 11 07:06:20 1995
Date: Tue, 11 Jul 1995 09:42:25 -0400 (EDT)
From: Frank Wortner
To: Stuart Broderick
cc: Firewalls
Subject: Re: Quarantined Mail ???
In-Reply-To: <2@zergo.com>

On Mon, 10 Jul 1995, Stuart Broderick wrote:

> Does anyone know of any UNIX based virus detectors which will
> catch PC (dos) viruses ? Firewall hardware platform currently not
> set.

IBM AIX comes with such a utility (/usr/bin/virscan). Unfortunately, the dates on the virus signatures file indicate that they haven't been updated since July of 1994. Obviously, this utility can't cope with viri "hidden" somewhere other than in files on a UNIX filesystem.

Frank

--
"Outside of a dog, a book is a man's best friend; inside of a dog, it's too dark to read."
-- Groucho Marx

From firewalls-owner Tue Jul 11 08:04:58 1995
From: Alan Hannan
Message-Id: <199507111435.JAA00282@jayhawk.mid.net>
Subject: NSA MISSI Project
To: firewalls@greatcircle.com
Date: Tue, 11 Jul 1995 09:35:07 -0500 (CDT)
Cc: nocstaff@mid.net, witts@mid.net

I am curious if anyone is aware of the NSA MISSI project. If you are, please share your information (if you can... ;) or point me towards a helpful source.

Thanks!

--
Alan Hannan                     Email: alan@mid.net
Network Systems Administrator   Voice: (402) 472-0239
MIDnet, Lincoln NOC Office      Fax: (402) 472-0240
While most peoples' opinions change, the conviction of their correctness never does.
From firewalls-owner Tue Jul 11 08:35:26 1995
From: Alan Hannan
Message-Id: <199507111436.JAA00522@jayhawk.mid.net>
Subject: Fortezza PC-Card
To: firewalls@greatcircle.com
Date: Tue, 11 Jul 1995 09:36:06 -0500 (CDT)
Cc: nocstaff@mid.net, witts@mid.net

I am curious if anyone is familiar with the Fortezza PC-Card for authentication. If you are, please share your thoughts, or point me towards some helpful information.

Thanks!

--
Alan Hannan                     Email: alan@mid.net
Network Systems Administrator   Voice: (402) 472-0239
MIDnet, Lincoln NOC Office      Fax: (402) 472-0240
While most peoples' opinions change, the conviction of their correctness never does.
From firewalls-owner Tue Jul 11 09:20:14 1995
From: Rick Smith
Message-Id: <199507111547.KAA04203@shade.sctc.com>
Subject: Re: What do we pay for ?
To: Patrick Horgan
Date: Tue, 11 Jul 1995 10:47:34 -0500 (CDT)
Cc: firewalls@greatcircle.com, smith@sctc.com
In-Reply-To: <9507102301.AA00824@brittany.oes.amdahl.com> from "Patrick Horgan" at Jul 10, 95 04:01:28 pm

The original question was "Why go to a vendor when you can roll your own firewall for less money?" I gave my own answer and Patrick Hogan replied:

> I find this a bit confusing. First, you must be aware that vendors got their
> experience the same way you're getting yours...it's nothing magical.

I can't speak for other vendors. I know how we developed our experience, and you aren't going to develop that sort of experience by installing and managing a single Internet firewall.
Nor do you develop it by hacking together a quick product and stuffing it into hundreds of hapless customer shops. And we're not the only computer security team that was working the problems long before firewalls appeared. There's some really good expertise available that you can't grow at home.

> Second,
> with no real certification in place, you must be aware that many of the
> "experts" have very little real expertise. They've read C&B, and might
> have done a couple of installs. That's not to say that there aren't real
> experts, it's just that there are many in the field for the quick buck and
> they really only have half a clue.

Absolutely true. Check the credentials of anyone you hire to do a critical job. Don't imply that all vendors or experienced professional security consultants are a waste because there might be some bogus ones. That's like saying "I'm never driving another compact car because my Yugo was so bad."

> Next, to imply that it's not possible,
> or in fact dangerous for someone to make their own firewall is silly.

Some people will install a burglar alarm themselves in their home or car. It's the same thing. A *personal* choice involving a *personal* risk. Some business owners will do this, too. Very, very few banks install their own burglar alarms or construct their own vault doors.

It's the same thing with firewalls. Compare the cost of strong protection against the risk of loss. If the risk isn't that great, go ahead and roll your own. But be sure your boss is informed about this tradeoff and understands the implications. Always balance your choice against the risks.

We're installing firewalls in banks and other financial institutions. Even when they have in-house computer security groups they still buy from reputable vendors instead of rolling their own.

Rick.
smith@sctc.com   roseville, minnesota

From firewalls-owner Tue Jul 11 09:36:47 1995
Date: Tue, 11 Jul 1995 12:04:50 -0400
From: Ted Doty
Message-Id: <199507111604.MAA16626@kgbvax.network.com>
To: alan@mid.net
Subject: Re: Fortezza PC-Card
In-Reply-To: Mail from 'Alan Hannan' dated: Tue, 11 Jul 1995 09:36:06 -0500 (CDT)
Cc: firewalls@greatcircle.com

On Tue, 11 Jul 1995 09:36:06 CDT, Alan Hannan wrote:

I am curious if anyone is familiar with the Fortezza PC-Card for authentication. If you are, please share your thoughts, or point me towards some helpful information.

Fortezza is a PCMCIA card with a clipper chip. It comes with an entire cryptographic API, and is intended mostly for user authentication. My understanding is that they cost around $100 in quantity. Not sure which vendors (if any) support the API.

My feeling is that the government has been grappling with these issues for some time, and are considerably advanced towards a real (usable) solution. Fortezza gives you real (cryptographic) authentication, so hijacked terminal sessions aren't a worry.

Try sending email to info@missi.ncsc.mil (not sure if this is a real account; all I know are real people).

`Course, if any of the MISSI folks are lurking here, you can all jump in.
;-)

--
- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation   | phone: +1 301 596-2270
8965 Guilford Road, Suite 250           | fax: +1 410 381-3320
Columbia, MD, 21046 USA                 | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental.

From firewalls-owner Tue Jul 11 10:57:04 1995
Date: Tue, 11 Jul 95 10:06:24 PDT
From: ekr@eit.COM (Eric Rescorla)
Message-Id: <9507111706.AA27663@eitech.eit.com>
To: alan@mid.net, ted@kgbvax.network.com
Subject: Re: Fortezza PC-Card
Cc: firewalls@greatcircle.com

Ted writes:

>Fortezza is a PCMCIA card with a clipper chip. It comes with an entire
>cryptographic API, and is intended mostly for user authentication. My
>understanding is that they cost around $100 in quantity. Not sure which
>vendors (if any) support the API.
>
>My feeling is that the government has been grappling with these issues for
>some time, and are considerably advanced towards a real (usable) solution.
>Fortezza gives you real (cryptographic) authentication, so hijacked terminal
>sessions aren't a worry.

Actually, it's a lot more than just Clipper. It also supports KEA, DSA, and SHA, so basically it's a full public key engine.

It's 'tamperproof' and has a secure store for your private keying material.
-Ekr

From firewalls-owner Tue Jul 11 11:08:11 1995
Message-Id: <9507111736.AA23668@ig2.att.att.com>
From: mdr@vodka.sse.att.com
Subject: Re: TW on a w-protected floppy (via libc attack)
To: mjr@iwi.com
Date: Tue, 11 Jul 1995 13:42:36 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <9507111321.AA01271@tis.com> from "Marcus J Ranum" at Jul 11, 95 09:21:50 am

Marcus,

> I guess I wasn't clear in my earlier posting: that's not
> open to debate. I know for a fact that this has been done in the
> past, specifically to get around tripwire.

That's right. This all points out that a tripwire type product is nearly useless on a cleverly hacked system. How do you even know that the tripwire code has not been modified? Because it's on a read-only floppy? Ok, but how do you know that you've read the floppy? Tripwire gives users a warm fuzzy feeling, but then so does frostbite.

In response, commercial security packages should offer real-time off site archival of the audit events as they occur. The events can be logged locally and also sent over the network. (They can be logged locally to a tape drive or a WORM drive). If the system was pure (unhacked) when auditing began (auditing starts before the network gets initialized) then there is a chance to catch the hacker as s/he does the dirty deed.
On our system, we run real-time alarms against the audit trail to detect modifications to the TCB, which includes libc, the kernel and all of the commands, /etc, /dev, and all other files that we have to trust. Our server runs a B1 version of UNIX (SV/MLS), so we get auditing on all file creation/deletion and read/write access grants. This is really handy; we can instantly know if someone creates a .rhost file etc.

What if the attacker finds a way to disable or destroy your network connection to the remote logger? An alarm on the remote logger sounds, sensing the inactivity.

When a serious hack has been detected the system must shut itself down; to repair, you must boot off tape and reload the OS, or run checksums on the TCB while running the boot tape version of UNIX.

The assertion here is that on the unhacked system, the initial hack will be detectable because auditing will record things like write access grants to /stand/unix or /usr/ccs/libc.so. Once the initial hack has been made all bets are off; the perp will likely try to cover any tracks and possibly disable or alter system auditing. That's why it's important to get the audit data to a safe place as quickly as possible.

> My other observation was that it should be no more
>difficult for a skilled programmer to paste it directly into
>the kernel, by linking a kernel with a modified system call
>jump table. Take a look at init_sysent.c and ask yourself
>how hard it would be.

You are correct. We have experimented with both techniques.
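The detection side of this thread, as an added example that is not code from the post, from AT&T or from SV/MLS: a small Python audit-trail checker that alarms on write-access grants to TCB files, on .rhosts creation, and when a monitored host stops delivering events to the remote logger. The record layout, the host name and every path other than /stand/unix and /usr/ccs/libc.so are constructed assumptions for illustration.

```python
"""Real-time audit alarms of the kind the post describes (added example).

Three checks are implemented: a write-access *grant* on a TCB file, creation
of a .rhosts file, and silence from a host that should be streaming audit
events to an off-box logger. Denied accesses are deliberately not alarmed,
matching the post's point that the grant is the signal.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Trusted files named in the post; the directory prefixes stand in for
# "all of the commands, /etc, /dev" and are assumptions.
TCB_FILES = {"/stand/unix", "/usr/ccs/libc.so"}
TCB_DIRS = ("/etc/", "/dev/", "/usr/bin/", "/usr/ccs/")

# Constructed record layout (NOT the SV/MLS audit format):
#   "<seconds> <host> <event> <uid> <path> <granted|denied>"
RECORD_RE = re.compile(
    r"^(?P<ts>\d+) (?P<host>\S+) (?P<event>\S+) (?P<uid>\d+) "
    r"(?P<path>\S+) (?P<result>granted|denied)$"
)
MODIFYING_EVENTS = {"write", "creat", "unlink", "rename"}


@dataclass
class Alarm:
    ts: int
    host: str
    kind: str
    detail: str


def is_tcb(path: str) -> bool:
    """True if the path is part of the trusted computing base."""
    return path in TCB_FILES or path.startswith(TCB_DIRS)


def check_record(line: str) -> Optional[Alarm]:
    """Return an Alarm for one audit record, or None if it is benign."""
    m = RECORD_RE.match(line.strip())
    if not m:
        # A malformed record is itself suspicious: auditing may be tampered.
        return Alarm(0, "?", "unparsable", line.strip())
    ts, host, event = int(m["ts"]), m["host"], m["event"]
    uid, path, result = m["uid"], m["path"], m["result"]
    if result != "granted":
        return None
    if event in MODIFYING_EVENTS and is_tcb(path):
        return Alarm(ts, host, "tcb_modify", f"{event} {path} by uid {uid}")
    if event == "creat" and path.endswith("/.rhosts"):
        return Alarm(ts, host, "rhosts_created", f"{path} by uid {uid}")
    return None


class RemoteLogger:
    """Off-host collector: remembers when each host was last heard from and
    alarms when a host has been quiet longer than max_silence seconds."""

    def __init__(self, max_silence: int) -> None:
        self.max_silence = max_silence
        self.last_seen: Dict[str, int] = {}
        self.alarms: List[Alarm] = []

    def ingest(self, line: str) -> None:
        alarm = check_record(line)
        if alarm is not None:
            self.alarms.append(alarm)
        m = RECORD_RE.match(line.strip())
        if m:
            self.last_seen[m["host"]] = int(m["ts"])

    def check_silence(self, now: int) -> List[Alarm]:
        """Call periodically; a dead network link shows up as silence."""
        for host, ts in self.last_seen.items():
            if now - ts > self.max_silence:
                self.alarms.append(
                    Alarm(now, host, "audit_silence", f"no events for {now - ts}s"))
        return self.alarms


# Constructed sample trail: a denied write, then a granted write to libc,
# a .rhosts creation, a granted write to the kernel, then nothing.
SAMPLE = [
    "100 bastion read 0 /etc/passwd granted",
    "105 bastion write 0 /var/log/messages granted",
    "110 bastion write 0 /usr/ccs/libc.so denied",
    "115 bastion write 0 /usr/ccs/libc.so granted",
    "120 bastion creat 1001 /home/guest/.rhosts granted",
    "125 bastion write 0 /stand/unix granted",
]


def run_sample(now: int = 400, max_silence: int = 60) -> List[str]:
    """Feed SAMPLE through a logger and return the alarm kinds raised."""
    logger = RemoteLogger(max_silence)
    for line in SAMPLE:
        logger.ingest(line)
    return [a.kind for a in logger.check_silence(now)]


if __name__ == "__main__":
    for kind in run_sample():
        print(kind)
```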
Mark Riggins
Secure Systems Engineering
AT&T Bell Labs

From firewalls-owner Tue Jul 11 11:40:58 1995
Date: Tue, 11 Jul 1995 11:26:23 -0700
Message-Id: <199507111826.LAA18729@ix3.ix.netcom.com>
From: clp2@ix.netcom.com (Carol Pollard)
Subject: HP OpenMail / Firewall
To: firewalls@greatcircle.com

Our enterprise LAN email system is going to be HP OpenMail. At the same time our email developers are researching this, I'm developing our firewall solution. There has been some discussion on how the email gateway for HP will function or be integrated into the firewall solution, but none of us here have any definitive knowledge.

Does anyone have any experience with HP OpenMail and integrating this as part of the firewall? Or will we have an SMTP gateway that links to the HP gateway? Anyway, my confusion should be obvious!!! Any comments or suggestions will be greatly appreciated.

P.S. Still performing a comparative analysis on Gauntlet, IBM, CheckPoint, and Borderware. I'll publish the end result....if I'm still alive!!

Thanks...
Carol Pollard
Barnett Technologies
Technical Risk Management

From firewalls-owner Tue Jul 11 12:04:40 1995
From: cfulmer@pnc-pimc.com (Catherine Fulmer)
Message-Id: <9507111719.AA15955@pnc-pimc.com>
Subject: Firewalls List
To: firewalls@greatcircle.com
Date: Tue, 11 Jul 1995 13:19:38 -0400 (EDT)

For most folks who won't recognize my moniker, I maintain the list of commercial firewall products and vendors, and related product info, addresses, urls, and some public domain pointers at:

http://www.access.digex.net/~bdboyle/firewall.vendor.html

(And a backup copy at: http://www.waterw.com/~manowar/vendor.html)

I will be recycling employers, and will be absent from the list for a couple of weeks. If you have updates, changes, deletions or additions, please send them to my home email address (as noted on the page as: manowar@waterw.com) and be patient. And don't use cfulmer@pnc-pimc.com after 7/14.

Thanks,
cathy

--
"Still haven't found a really good MVS virus, but how would you know?"
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Catherine Fulmer
manowar@waterw.com
http://www.waterw.com/~manowar
PNC Bank (Phila, PA, US)
Voice: 610-521-7828
Fax: 610-521-7980
My words are mine, and don't reflect the views of my employer.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

From firewalls-owner Tue Jul 11 12:36:40 1995
Date: Tue, 11 Jul 1995 14:22:59 -0500
From: Rick Smith
Message-Id: <199507111922.OAA14563@shade.sctc.com>
To: firewalls@greatcircle.com
Cc: smith@sctc.com
Subject: Re: What do we pay for ?
Newsgroups: sidewinder.d
References: <9507102301.AA00824@brittany.oes.amdahl.com> <199507111547.KAA04203@shade.sctc.com>

Something in my exchange with Patrick Hogan that I really don't want people to misunderstand:

>> Second,
>> with no real certification in place, you must be aware that many of the
>> "experts" have very little real expertise. ...

>Absolutely true. ...
This could be read to say that "Rick has detected numerous bogus people pretending to be expert security consultants." This isn't true. In fact, the "many experts" I've dealt with over the years have generally been capable and often quite bright. I still haven't met anyone who is an expert down to the bare metal in everything relating to computer security, and I don't expect to.

Perhaps Patrick Hogan has had experience with bogus experts; I can't say. For what it's worth, I don't count someone as bogus just because they post some simple questions and their .sig announces they are a security expert. Computer security is a pretty broad field these days. I'm sure we all agree that the last thing we need is a forum where anyone, expert or newbie, is vilified for asking dumb questions. There's no better way for an expert to turn dumb than to stop learning.

I suppose the exchange above could also be read to say "Rick supports certification." In fact, I have no particular opinion on the subject.

Rick.
smith@sctc.com   roseville, minnesota

From firewalls-owner Tue Jul 11 14:12:11 1995
Date: Tue, 11 Jul 95 16:15:30 EDT
From: scott@Disclosure.COM (Scott Barman)
Message-Id: <9507112015.AA13988@Disclosure.COM>
To: firewalls@greatcircle.com
Subject: Who owns what ports?

In trying to figure out how to do packet filtering for a system with some "weird" requirements, I was looking at the output of "netstat -a" to see which ports were in use. I found a few ports open that I cannot tell who they belong to (yes, I checked /etc/inetd.conf).
Question: Is there something I can use to find out which process is listening or talking out a particular port? I am trying to do this under SunOS 4.1.3_U1.

THANKS!

scott barman

--
scott barman            DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com    and I speak only for myself.
barman@ix.netcom.com
"Micro$oft and Windoze/NT will be the cause of the de-evolution of network security just as the original PC and BASIC was the cause of the de-evolution of programming."

From firewalls-owner Tue Jul 11 14:23:17 1995
Message-Id: <199507111948.AA09950@pnh10.med.navy.mil>
Date: Tue, 11 Jul 1995 15:58:37 -0400
To: ekr@eit.COM (Eric Rescorla)
From: pnh1rgr@mclo10.med.navy.mil (Bob Resino)
Subject: Re: Fortezza PC-Card
Cc: firewalls@greatcircle.com

>Ted writes:
>>Fortezza is a PCMCIA card with a clipper chip. It comes with an entire
>>cryptographic API, and is intended mostly for user authentication. My
>>understanding is that they cost around $100 in quantity. Not sure which
>>vendors (if any) support the API.
>>
>>My feeling is that the government has been grappling with these issues for
>>some time, and are considerably advanced towards a real (usable) solution.
>>Fortezza gives you real (cryptographic) authentication, so hijacked terminal
>>sessions aren't a worry.
>
>Actually, it's a lot more than just Clipper.
>It also supports
>KEA, DSA, and SHA, so basically it's a full public key engine.
>
>It's 'tamperproof' and has a secure store for your private
>keying material.

More than that, the encryption is done "on-the-card" with protection from writing to local storage. This will provide end-node to end-node encryption. This is one step in MISSI. NSA has indicated that it will approve Fortezza to the SECRET classification.

---------------------------------------------------------------
Bob Resino (RGR24)                        pnh1rgr@pnh10.med.navy.mil
Healthcare Support Office                 (804)398-7400
Medical Construction Liaison Department   Fax:(804)398-7265
Management Information / Data-telecommunications Div (Code 55)
6500 Hampton Blvd, Norfolk, VA 23707
"To be or not to be... What was the question ?"
---------------------------------------------------------------
The opinions are mine, NOT those of the Navy or the Healthcare Support Office. If they happen to be the same, it's got to be coincidence!

From firewalls-owner Tue Jul 11 14:28:00 1995
From: Alex Sharpe
To: alan, firewalls-owner
Cc: firewalls
Subject: RE: Fortezza PC-Card
Date: Tue, 11 Jul 95 15:21:00 PDT
Message-Id: <3002F976@bass.rssi.com>

I used to work that program. If the e-mail does not work call 1-800-GO-MISSI.
The call will be answered by someone who gets this question all the time. They have pamphlets, contact information and the like ready to go. Ironically, it takes longer to get a response via e-mail than it does using the phone -- go figure.

----------
From: firewalls-owner[SMTP:firewalls-owner@GreatCircle.COM]
Sent: Tuesday, July 11, 1995 12:04 PM
To: alan
Cc: firewalls
Subject: Re: Fortezza PC-Card

[Ted Doty's "Re: Fortezza PC-Card" message of Tue, 11 Jul 1995 12:04:50 -0400, reproduced above, was quoted here in full.]
From firewalls-owner Tue Jul 11 14:44:25 1995
Date: Tue, 11 Jul 1995 15:09:24 -0400 (EDT)
From: "James L. Gerretson"
To: Ted Doty
cc: alan@mid.net, firewalls@greatcircle.com
Subject: Re: Fortezza PC-Card
In-Reply-To: <199507111604.MAA16626@kgbvax.network.com>

On Tue, 11 Jul 1995, Ted Doty wrote:

> On Tue, 11 Jul 1995 09:36:06 CDT, Alan Hannan wrote:
>
> I am curious if anyone is familiar with the Fortezza PC-Card for
> authentication.
>
> If you are, please share your thoughts, or point me towards some
> helpful information.
>
> Fortezza is a PCMCIA card with a clipper chip. It comes with an entire
> cryptographic API, and is intended mostly for user authentication. My

I don't think that's totally complete. The API (Message Security Protocol, MSP) and crypto library are for E-mail and is used for several other things as well. The CI Library is developed by Spyrus for sure and possibly Litronix as well. Van Dyke is creating the MSP code and I think they help with the CI library as well (don't know that for sure). The cards are supposed to be $100 from the vendor who won the production contract. 3 other vendors currently are having their cards evaluated for production approval. I also believe that National Semi is working on a commercial version of the card.

> understanding is that they cost around $100 in quantity. Not sure which
> vendors (if any) support the API.
> [remainder of Ted Doty's message, reproduced above, quoted here]

From firewalls-owner Tue Jul 11 15:35:32 1995
Date: Tue, 11 Jul 1995 16:33:13 -0400 (EDT)
From: Pamela Anne Fredericks
To: firewalls@GreatCircle.COM
Subject: Gauntlet vs. Raptor

My firm is in the process of evaluating various firewall products. Although much has been written about the TIS/Gauntlet product, I have not seen much on Raptor/Eagle. If anyone has experience or comments regarding Raptor, please email me directly or to the list if it has relevance to the group.
thanks in advance. From firewalls-owner Tue Jul 11 15:39:21 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA05203 for firewalls-outgoing; Tue, 11 Jul 1995 13:43:48 -0700 Received: from usasmtp.usagroup.org ([198.70.128.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA05198 for ; Tue, 11 Jul 1995 13:43:45 -0700 Received: from DOMAIN-E-Message_Server by usasmtp.usagroup.org with Novell_GroupWise; Tue, 11 Jul 1995 15:45:39 -0600 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Tue, 11 Jul 1995 15:44:00 -0600 From: David Leonard To: firewalls@greatcircle.com Subject: Looking for Consultant Assistance Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We are in the process of testing two firewall packages (RAPTOR EAGLE and Sidewinder), at this time. We are looking for an outside consulting company that has experience working with Fortune 1000 companies to assist us in testing these packages and our overall firewall configuration. If your company is interested please contact me by July 18, 1995. We will need corporate references and previous experience. You can contact me through email or give me a call at (317) 578-6704. 
From firewalls-owner Tue Jul 11 16:00:59 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA07181 for firewalls-outgoing; Tue, 11 Jul 1995 14:35:38 -0700 Received: from theory.tc.cornell.edu (THEORY.TC.CORNELL.EDU [132.236.98.174]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA07174 for ; Tue, 11 Jul 1995 14:35:35 -0700 Received: (from uactech@localhost) by theory.tc.cornell.edu (8.6.9/8.6.6) id RAA123688 for firewalls@greatcircle.com; Tue, 11 Jul 1995 17:35:06 -0400 Received: from ovid by ithaca.actech.com (920330.SGI/SMI-4.0) id AA25018; Tue, 11 Jul 95 17:29:54 -0400 Received: by ovid.actech.com (5.0/SMI-SVR4) id AA13524; Tue, 11 Jul 1995 17:29:52 +0500 Received: from Messages.8.5.N.CUILIB.3.45.SNAP.NOT.LINKED.ovid.sun4.51 via MS.5.6.ovid.sun4_51; Tue, 11 Jul 1995 17:29:52 -0400 (EDT) Message-Id: Date: Tue, 11 Jul 1995 17:29:52 -0400 (EDT) From: Steve Gaarder To: firewalls@greatcircle.com Subject: Encryption outside the US Content-Length: 1012 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We would like to be able to use encryption to pass traffic for specific applications (e.g. http) over the Internet between our headquarters in the USA and our offices in other countries. I have found a number of firewall products that provide encrypted connections, but the [insert standard flame here] US government ban on exporting crypto rears its ugly head. I see two options: 1. Do it myself. This doesn't *look* too scary; I don't need fancy key management, just basic secret-key encryption. I could modify, say, plug-gw to call encryption routines. If I then get my encryption code from outside the US (that seems to be no problem) I won't have to export it to install it overseas. Any comments on this? 2. Find an encryption product available outside the US, probably one *made* outside the US. Does anyone know of such a beast? 
thanks, Steven Gaarder Network and Systems Administrator gaarder@actech.com A C Technology, Ithaca, N.Y., USA From firewalls-owner Tue Jul 11 16:22:30 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA10233 for firewalls-outgoing; Tue, 11 Jul 1995 15:40:54 -0700 Received: from panix3.panix.com (panix3.panix.com [198.7.0.4]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA10210 for ; Tue, 11 Jul 1995 15:40:23 -0700 Received: from wallyman (wallynet.dialup.access.net [166.84.216.58]) by panix3.panix.com (8.6.12/8.6.12+PanixU1.1) with SMTP id SAA00890 for ; Tue, 11 Jul 1995 18:39:14 -0400 Message-Id: <199507112239.SAA00890@panix3.panix.com> X-Sender: wallynet@panix.com X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 11 Jul 1995 18:39:07 -0400 To: firewalls@GreatCircle.COM From: wallynet@panix.com (Walter F. Inetman ) Subject: Quench Redundancy FYI FW Index @ http://www.access.digex.net/~bdboyle/firewall.vendor.html FW Shopping @ http://www.ziff.com/~pcweek/sr/0619/tfire.html Sender: firewalls-owner@GreatCircle.COM Precedence: bulk FW Index @ http://www.access.digex.net/~bdboyle/firewall.vendor.html FW Shopping @ http://www.ziff.com/~pcweek/sr/0619/tfire.html For those who like this sort of thing, this is the sort of thing they like. 
-- Abraham Lincoln

From firewalls-owner Tue Jul 11 16:42:14 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA13286 for firewalls-outgoing; Tue, 11 Jul 1995 16:20:49 -0700 Received: from boxhill.com (boxhill.com [155.254.1.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA13258 for ; Tue, 11 Jul 1995 16:20:23 -0700 Received: from e.boxhill.com (e.boxhill.com [155.254.1.172]) by boxhill.com (8.6.9/8.6.9) with SMTP id TAA28623; Tue, 11 Jul 1995 19:18:12 -0400 Received: by e.boxhill.com (4.1/SMI-4.1) id AA02073; Tue, 11 Jul 95 19:21:04 EDT Date: Tue, 11 Jul 95 19:21:04 EDT Message-Id: <9507112321.AA02073@e.boxhill.com> From: Chris Maio To: firewalls@greatcircle.com Subject: SUMMARY: One Router or Two? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Last week I asked whether two routers were better than one when isolating both a bastion and a local network from the Internet. The proposed configuration looked like this:

               +----------+    +----------+
    internet---| router a |----| localnet |
               +----------+    +----------+
                    |
               +----------+
               | bastion  |
               +----------+

and I wanted to know whether using a second router and putting the bastion on the DMZ would provide advantages that justified the added cost. Replies included the following comments:

1. If input packet filtering is not provided, two routers are required to thwart address-spoofing attacks. I think that current cisco products are generally adequate in this regard, although one respondent complained that cisco routers can't isolate traffic between two PVCs arriving on the same serial interface (e.g. an Internet connection and a WAN connection).

2. In a single-router configuration, if the router falls to an intruder or is incorrectly configured, the local network is extremely vulnerable. This is probably the best justification for an additional router.

3. An advantage of the single-router configuration over two routers with a bastion on a shared subnet is that an intruder can't use the bastion to snoop on traffic between the local net and the Internet. This would justify providing the bastion with its own private subnet regardless of how many routers are used.

4. Instead of a single three-interface router, use the bastion as a second filtering router between the local net and the Internet router. This seems to be a popular solution. I'm not wild about this idea, though, because if the bastion fails, Internet connectivity goes with it, and if it falls to an intruder, nothing is left to protect the local net.

5. Use two different routers from different vendors, so an intruder can't use a bug in a single vendor's implementation to get directly to the local network. The disadvantage here is that one has to deal with the complexity of having two vendors, two different configuration languages, two streams of software updates, etc., and security could be compromised if the administrator is overwhelmed. However, if you have the resources, this solution provides the best protection.

Thanks to Brent Chapman, Carl Jolley, Jeff Murphy, John Schnizlein, Mark Broadbent, Mark Kadrich, Markly Dykeman, Michael H. Morse, Paul Ferguson, Rick Schneider, Robert Bonomi, Steve Acheson, and Tim Becker.
Chris Maio
Box Hill Systems

From firewalls-owner Tue Jul 11 16:57:12 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA09275 for firewalls-outgoing; Tue, 11 Jul 1995 15:17:17 -0700 Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA09260 for ; Tue, 11 Jul 1995 15:17:08 -0700 Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id QAA18724; Tue, 11 Jul 1995 16:51:25 -0500 Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma018699; Tue Jul 11 16:48:11 1995 Received: from ernie.bridge.com by ignatz.bridge.com with SMTP id AA29365 (5.67b/IDA-1.5); Tue, 11 Jul 1995 16:51:48 -0500 Date: Tue, 11 Jul 1995 16:51:48 -0500 From: Ken Hardy Message-Id: <199507112151.AA29365@ignatz.bridge.com> To: scott@disclosure.com Subject: Re: Who owns what ports? Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>Question: Is there something I can use to find out which process is
>listening or talking out a particular port?

This can be done with ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/

From the "00FAQ" file in the distribution:

    Lsof is a Unix-specific tool. Its name stands for LiSt Open Files, and it does just that. It lists information about files that are open by the processes running on a Unix system.

Sockets are files, so it works for them as well as regular files. Some sample output:

    COMMAND     PID USER FD TYPE DEVICE     SIZE/OFF INODE NAME
    sendmail    104 root 4u inet 0xff64798c 0x0      TCP   *:smtp
    tin       23976 bob  3u inet 0xff693d8c 0x2ef2d  TCP   ernie:1047->news:nntp

From firewalls-owner Tue Jul 11 17:21:08 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA07997 for firewalls-outgoing; Tue, 11 Jul 1995 14:54:23 -0700 Received: from Disclosure.COM ([205.156.194.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA07992; Tue, 11 Jul 1995 14:54:19 -0700 Received: by Disclosure.COM (4.1/SMI-4.1) id AA14787; Tue, 11 Jul 95 17:56:33 EDT Date: Tue, 11 Jul 1995 17:56:32 -0400 (EDT) From: Scott Barman To: Brent Chapman Cc: firewalls@greatcircle.com Subject: Re: Who owns what ports? In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Tue, 11 Jul 1995, Brent Chapman wrote:

> At 4:15 PM 7/11/95, Scott Barman wrote:
> >Question: Is there something I can use to find out which process is
> >listening or talking out a particular port?
> >
> >I am trying to do this under SunOS 4.1.3_U1.
>
> You want a program called "lsof" (list open files). Available from:
>
> ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/
> ftp://coast.cs.purdue.edu/pub/tools/unix/lsof/
>
> It runs on many different UNIX systems, and will tell you what files, UDP,
> and TCP ports a process has open; what processes have a given file, UDP, or
> TCP port open, and all sorts of other useful info. Good stuff; I use it
> all the time.

Funny thing... I already have lsof and didn't know it could do this!! :-)

Thanks to EVERYONE who responded.

scott barman
--
scott barman             DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com     and I speak only for myself.
barman@ix.netcom.com
"Micro$oft and Windoze/NT will be the cause of the de-evolution of network security just as the original PC and BASIC was the cause of the de-evolution of programming."
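Added example, not code from Ken Hardy's or Brent Chapman's replies: a small parser for `lsof -i`-style output that answers Scott's question of which process owns a given port, and that lists listeners held by a command you did not expect on the box (the thing `netstat -a` plus a look at `/etc/inetd.conf` could not tell him). The two sample rows Ken quoted are reused; the `named`, `sshd` and `mystery` rows and the service-name table are constructed for the example.

```python
"""Who owns which port, from lsof output (added example, not from the posts).

The first two sample rows are the ones Ken Hardy quoted (1995-era columns:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF INODE NAME); the remaining rows, the
'mystery' listener and the service-name table are constructed for this example.
Current lsof prints the same columns with NODE in place of INODE and a trailing
"(LISTEN)"/"(ESTABLISHED)" state in NAME, which the parser also accepts.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple, Union

# Constructed stand-in for /etc/services so the example runs without it.
SERVICES = {"smtp": 25, "nntp": 119, "domain": 53, "telnet": 23, "ssh": 22}

SAMPLE = """\
COMMAND     PID USER FD TYPE DEVICE     SIZE/OFF INODE NAME
sendmail    104 root 4u inet 0xff64798c 0x0      TCP   *:smtp
tin       23976 bob  3u inet 0xff693d8c 0x2ef2d  TCP   ernie:1047->news:nntp
named       118 root 5u inet 0xff6a0101 0x0      UDP   *:domain
named       118 root 6u inet 0xff6a0102 0x0      TCP   *:domain
sshd        812 root 3u IPv4 12345      0t0      TCP   *:ssh (LISTEN)
mystery    4242 root 3u inet 0xff6b0303 0x0      TCP   *:31337
"""


@dataclass(frozen=True)
class Socket:
    command: str
    pid: int
    user: str
    proto: str                   # "TCP" or "UDP"
    local_host: str              # "*" for a wildcard bind
    local_port: Union[int, str]  # numeric when known, else the name lsof printed
    remote: Optional[str]        # "host:port" of the peer, None for a listener


def _port(text: str) -> Union[int, str]:
    return int(text) if text.isdigit() else SERVICES.get(text, text)


def parse_lsof(text: str) -> List[Socket]:
    """Parse `lsof -i` output. Assumes COMMAND contains no spaces (lsof truncates
    it to nine characters by default, which keeps that true in practice)."""
    sockets = []
    for line in text.splitlines()[1:]:           # skip the column header
        fields = line.split(None, 8)             # NAME may itself contain a space
        if len(fields) < 9:
            continue                             # unix-domain sockets, pipes, etc.
        command, pid, user, _fd, _type, _dev, _size, proto, name = fields
        name = name.split(" (")[0]               # drop the "(LISTEN)" state suffix
        local, _, remote = name.partition("->")
        host, _, port = local.rpartition(":")    # rpartition copes with IPv6 "[::1]:22"
        sockets.append(Socket(command, int(pid), user, proto, host, _port(port), remote or None))
    return sockets


def owners_of_port(sockets: Iterable[Socket], port: int,
                   proto: Optional[str] = None) -> List[Tuple[str, int, str]]:
    """(command, pid, user) for every process with `port` open locally."""
    return sorted({(s.command, s.pid, s.user) for s in sockets
                   if s.local_port == port and (proto is None or s.proto == proto)})


def unexplained_listeners(sockets: Iterable[Socket], expected: Set[str]) -> List[Socket]:
    """Listening sockets held by a command you did not expect to find on the box."""
    return [s for s in sockets if s.remote is None and s.command not in expected]


if __name__ == "__main__":
    socks = parse_lsof(SAMPLE)
    print("port 25:", owners_of_port(socks, 25))
    for s in unexplained_listeners(socks, {"inetd", "sendmail", "named", "sshd"}):
        print("unexpected listener:", s.command, s.pid, s.proto, s.local_port)
```

Feed it real output with `lsof -i -n -P` (numeric hosts and ports, so the name lookup is never needed); on a box where inetd owns the well-known services, the expected set is just `inetd` plus the daemons you start yourself, and anything else listed as a listener is exactly the kind of port Scott could not account for.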
From firewalls-owner Tue Jul 11 17:46:20 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA14767 for firewalls-outgoing; Tue, 11 Jul 1995 16:39:17 -0700 Received: from news1.mnsinc.com (news1.mnsinc.com [199.164.210.12]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA14762 for ; Tue, 11 Jul 1995 16:39:11 -0700 Received: from localhost (mail@localhost) by news1.mnsinc.com (8.6.5/8.6.5) id TAA15732; Tue, 11 Jul 1995 19:37:57 -0400 Message-Id: <199507112337.TAA15732@news1.mnsinc.com> Received: from siriani.mnsinc.com(205.157.131.135) by news1.mnsinc.com via smap (V1.3) id sma015725; Tue Jul 11 19:37:33 1995 Comments: Authenticated sender is From: "Sirrianni" To: alan@mid.net, Ted Doty Date: Tue, 11 Jul 1995 19:39:16 -0500 Subject: Re: Fortezza PC-Card CC: firewalls@GreatCircle.COM Priority: normal X-mailer: Pegasus Mail for Windows (v2.01) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Just some points of clarification: > Fortezza is a PCMCIA card with a clipper chip. It comes with an entire > cryptographic API, and is intended mostly for user authentication. My > understanding is that they cost around $100 in quantity. Not sure which > vendors (if any) support the API. The Fortezza card was initially designed for messaging applications. It is the security card for the new Defense Messaging System and is going to be used to provide authentication, confidentiality, and non-repudiation services for X.400 mail. The Fortezza card can also be used for applications other than messaging. The card provides a suite of cryptographic algorithms [the Digital Signature Algorithm, the Secure Hash Algorithm, the Skipjack encryption algorithm, a key exchange algorithm, plus key storage space, etc.] that can be called by applications to provide required security services. Features/algorithms on the card are invoked by an application calling a set of library functions. 
The library can be obtained from the card manufacturer. You may want to check the cost with National Semiconductor. National Semi is one of the 3-party suppliers. The $100 price I believe was only for a limited government buy. > My feeling is that the government has been grapling with these > issues for some time, and are considerably advanced towards a real > (usable) solution. Fortezza gives you real (cryptographic) > authentication, so hijacked terminal sessions aren't a worry. The card by itself doesn't protect against session hijacking. Since encrypting the session is one way to defeat hijacking attacks, and since the card provides a crypto engine, it could be used by Telnet/FTP/etc. implementations to encrypt sessions. Joe ----------------------------------------------------------------------- My wife and employer tell me that my opinion doesn't count, so take what I say for what it's worth ... NOTHING! From firewalls-owner Tue Jul 11 17:50:26 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA15585 for firewalls-outgoing; Tue, 11 Jul 1995 16:49:52 -0700 Received: from gateway1.DHL.COM (gateway1.DHL.COM [137.98.208.11]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA15580 for ; Tue, 11 Jul 1995 16:49:49 -0700 Received: from medusa.US.DHL.COM by gateway1.DHL.COM id aa24840; 11 Jul 95 16:49 PDT Received: by medusa.US.DHL.COM (DHLGMS 4.03/DSI) id AA18322; Tue, 11 Jul 95 16:42:01 -0700 Message-Id: <9507112342.AA18322@medusa.US.DHL.COM> From: Douglas Ramsey X-Mailer: SCO System V Mail (version 3.2) To: firewalls@greatcircle.com Date: Tue, 11 Jul 95 16:42:00 PDT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk cancel firewalls From firewalls-owner Tue Jul 11 17:51:55 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA07278 for firewalls-outgoing; Tue, 11 Jul 1995 14:38:06 -0700 Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by 
miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA07270; Tue, 11 Jul 1995 14:38:01 -0700 X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 11 Jul 1995 14:37:53 -0800 To: scott@Disclosure.COM (Scott Barman), firewalls@greatcircle.com From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: Who owns what ports? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 4:15 PM 7/11/95, Scott Barman wrote: >In trying to figure out how to do packet filtering for a system with >some "weird" requirements, I was looking at the output of "netstat -a" >to see which ports were in use. I found a few ports open that I cannot >tell who they belong to (yes, I checked /etc/inetd.conf). > >Question: Is there something I can use to find out which process is >listening or talking out a particular port? > >I am trying to do this under SunOS 4.1.3_U1. You want a program called "lsof" (list open files). Available from: ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/ ftp://coast.cs.purdue.edu/pub/tools/unix/lsof/ It runs on many different UNIX systems, and will tell you what files, UDP, and TCP ports a process has open; what processes have a given file, UDP, or TCP port open, and all sorts of other useful info. Good stuff; I use it all the time. 
-Brent

----------------------------------------------------------------------
For info about the Internet Security Firewalls Tutorial and a schedule of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM
----------------------------------------------------------------------
Brent Chapman                Great Circle Associates
Brent@GreatCircle.COM        1057 West Dana Street
+1 415 962 0841              Mountain View, CA 94041

From firewalls-owner Tue Jul 11 18:13:41 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA14978 for firewalls-outgoing; Tue, 11 Jul 1995 16:41:08 -0700 Received: from arl-img-5.compuserve.com (arl-img-5.compuserve.com [198.4.7.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA26064 for ; Tue, 11 Jul 1995 09:19:21 -0700 Received: by arl-img-5.compuserve.com (8.6.10/5.950515) id MAA29677; Tue, 11 Jul 1995 12:18:50 -0400 Date: 11 Jul 95 12:17:25 EDT From: Julie Ann Lunt <73203.2236@compuserve.com> To: firewalls Subject: dns and firewalls problem solved Message-ID: <950711161725_73203.2236_DHI91-3@CompuServe.COM> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi, thanks for all the help with my DNS packet filtering. The problem was that I could do DNS queries for FTP etc. going out, but my nameserver would not answer queries coming in. I am using a cisco router with packet filtering. I finally came up with a scenario like this that works:

in access-list:
    permit tcp any host 205.138.144.36 eq domain
    permit udp any host 205.138.144.36 eq domain

out access-list:
    permit udp host 205.138.144.36 any eq domain
    permit tcp host 205.138.144.36 any eq domain
    permit udp host 205.138.144.36 eq domain any
    permit tcp host 205.138.144.36 eq domain any

I understand that this is to allow my host to send to any host on source or destination port 53 with the other port "don't care". Until I added that my host could send to any host with a source port of 53, SOA and zone transfers failed.
I hope this helps any other "newbies" to the field. Of course any further feedback is welcome.

Thanks,
Julie Ann

From firewalls-owner Tue Jul 11 18:16:01 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA14384 for firewalls-outgoing; Tue, 11 Jul 1995 16:33:59 -0700 Received: from TIS.COM (neptune.tis.com [192.94.214.96]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA14343 for ; Tue, 11 Jul 1995 16:33:40 -0700 Received: from relay.tis.com by neptune.TIS.COM id aa23040; 11 Jul 95 19:30 EDT Received: from pluto.tis.com(192.94.214.99) by relay.tis.com via smap (g3.0.1) id xma019999; Tue, 11 Jul 95 19:23:32 -0400 Received: by tis.com (4.1/SMI-4.1) id AA04262; Tue, 11 Jul 95 19:27:21 EDT From: Marcus J Ranum Message-Id: <9507112327.AA04262@tis.com> Subject: Re: Fortezza PC-Card To: firewalls@greatcircle.com Date: Tue, 11 Jul 1995 19:27:20 -0400 (EDT) In-Reply-To: <199507111948.AA09950@pnh10.med.navy.mil> from "Bob Resino" at Jul 11, 95 03:58:37 pm Reply-To: mjr@iwi.com Organization: Information Works! Inc, Baltimore, MD Url: mjr's web page Phone: 410-889-8569 Coredump: Infocalypse Now!!! X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 711 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

One thing that's surprised me about Fortezza is that it's a government-developed product that they're trying to push in direct competition with the private sector. There's been amazingly little outcry from private sector companies that produce the existing products on the market, and I don't understand it. The feds are going to ice the cake by probably blessing it for export even if it has encryption (thanks to the Clipper trapdoor). Talk about competing on an uneven basis!!
How'd you like to be a commercial company that made encryption products, when your competition could not only strangle you with laws and regulations, but was funding their R&D, and marketing, all on the taxpayer's nickel?

mjr.

From firewalls-owner Tue Jul 11 18:35:35 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA15601 for firewalls-outgoing; Tue, 11 Jul 1995 16:50:11 -0700 Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA15596 for ; Tue, 11 Jul 1995 16:50:08 -0700 Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.29.1 #1) id m0sVp3b-0001cKC; Tue, 11 Jul 95 16:49 PDT Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA02125; Tue, 11 Jul 1995 16:49:42 +0800 Date: Tue, 11 Jul 1995 16:49:42 +0800 From: patrick@oes.amdahl.com (Patrick Horgan) Message-Id: <9507112349.AA02125@brittany.oes.amdahl.com> To: firewalls@greatcircle.com, smith@sctc.com Subject: Re: What do we pay for ? X-Sun-Charset: US-ASCII content-length: 1807 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>
> For what it's worth, I don't count someone as bogus just because they
> post some simple questions and their .sig announces they are a
> security expert. Computer security is a pretty broad field these days.

I hope I didn't leave the impression I did either. Some people do though represent themselves as more knowledgeable than they are. My favorite people are perfectly happy to say, "I don't know, but I can find out."

>
> I'm sure we all agree that the last thing we need is a forum where
> anyone, expert or newbie, is vilified for asking dumb questions.

I certainly hope I've never done anything here or anywhere else to give the impression that I'm being mean to people trying to learn!

> There's no better way for an expert to turn dumb than to stop learning.

Actually that's my point. They often stop learning because they act as if they're experts and are afraid to say "I don't know". All my favorite real experts are constantly amazed by how much there is to learn and none of them seems to consider themselves real experts in a very broad sense of the term. (I put myself in that category too, I don't know much at all;)

Patrick

p.s. It's Horgan, not Hogan:)

 _______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;).   \
| (mail copyright Patrick J. Horgan)                            (\      |
| Patrick J. Horgan       Amdahl Corporation                     \\  Have   |
| patrick@amdahl.com      1250 East Arques Avenue                \\ _ Sword |
| Phone : (408)992-2779   P.O. Box 3470 M/S 316                  \\/  Will  |
| FAX   : (408)773-0833   Sunnyvale, CA 94088-3470              _/\\  Travel|
\___________________________O16-2294________________________\)__________/

From firewalls-owner Tue Jul 11 19:05:17 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA22578 for firewalls-outgoing; Tue, 11 Jul 1995 18:58:00 -0700 Received: from scruz.net (nic.scruz.net [165.227.1.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id SAA22573 for ; Tue, 11 Jul 1995 18:57:57 -0700 Received: from histar2.ezunx.com by scruz.net (8.6.9/1.34) id SAA22950; Tue, 11 Jul 1995 18:57:28 -0700 Date: Tue, 11 Jul 95 19:00:38 PDT From: Rich Subject: blocking cisco access (stupid question?) To: firewalls@greatcircle.com X-Mailer: Chameleon ENGP1, TCP/IP for Windows, NetManage Inc. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Ok, this may be a simple one, but what the heck, I am not too proud to admit I don't know the answer and don't have a manual to look it up....
If you have a cisco router (outside screen) then a firewall, then another router (inside screen), and you MUST allow telnet-incoming to hosts on your net, how do you tell the cisco on the outside to NOT respond to console connect requests? I would still like to have it accept them from the inside net. I know how to build acl lists but have not built an access list for the console port, is there one?

thanks,
rich

~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^
"....I hope life is not a big joke, cause I don't get it..."

From firewalls-owner Tue Jul 11 20:04:48 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA24404 for firewalls-outgoing; Tue, 11 Jul 1995 19:54:14 -0700 Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id TAA24399 for ; Tue, 11 Jul 1995 19:54:10 -0700 Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA21290; Tue, 11 Jul 95 22:53:15 -0500 From: paul@hawksbill.sprintmrn.com (Paul Ferguson) Message-Id: <9507120353.AA21290@hawksbill.sprintmrn.com> Subject: Re: blocking cisco access (stupid question?) To: raf@ezunx.com (Rich) Date: Tue, 11 Jul 1995 22:53:15 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: from "Rich" at Jul 11, 95 07:00:38 pm X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 1387 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>
> Ok, this may be a simple one, but what the heck, I am not too proud to
> admit I don't know the answer and don't have a manual to look it up....
>
> If you have a cisco router (outside screen) then a firewall, then another
> router (inside screen), and you MUST allow telnet-incoming to hosts on
> your net, how do you tell the cisco on the outside to NOT respond to
> console connect requests? I would still like to have it accept them from
> the inside net. I know how to build acl lists but have not built an
> access list for the console port, is there one?
>

I'm not sure that you really mean 'console connect requests,' but rather vty connections from unwanted networks, if I interpret your message correctly. You can build an 'access-class' list as follows:

    access-list 6 permit 1.2.3.0 0.0.0.255
    access-list 6 deny 0.0.0.0 255.255.255.255
    !
    line vty 0 4
     access-class 6 in

where 1.2.3.0 is your 'internal' network.

It might be wise to state at this point that source addresses can be spoofed.

- paul

_______________________________________________________________________________
Paul Ferguson                  US Sprint                 tel: 703.689.6828
Managed Network Engineering    internet: paul@hawk.sprintmrn.com
Reston, Virginia USA           http://www.sprintmrn.com

From firewalls-owner Wed Jul 12 01:34:50 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA04211 for firewalls-outgoing; Wed, 12 Jul 1995 01:23:16 -0700 Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id BAA04200 for ; Wed, 12 Jul 1995 01:23:10 -0700 Received: from uucp1.UU.NET by relay3.UU.NET with SMTP id QQyyar09334; Wed, 12 Jul 1995 04:22:39 -0400 Received: from merccap.UUCP by uucp1.UU.NET with UUCP/RMAIL ; Wed, 12 Jul 1995 04:22:39 -0400 Received: from dpg.uk.rnb.com (edgware) by dpg (4.1/SMI-4.1) id AA14824; Wed, 12 Jul 95 04:15:49 EDT Received: by dpg.uk.rnb.com (4.1/SMI-4.1) id AA15714; Wed, 12 Jul 95 09:14:51 BST To: Steve Gaarder Subject: Re: Encryption outside the US In-Reply-To: References: Cc: firewalls@greatcircle.com X-Mailer: Poste 2.0 From: Chris Needham Date: Wed, 12 Jul 95 09:14:51 +0100 Message-Id: <950712091451.13997@edgware.-v> Encoding: 27 TEXT, 7 TEXT SIGNATURE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> We would like to be able to use encryption to pass traffic for specific
> applications (e.g. http) over the Internet between our headquarters in
> the USA and our offices in other countries.
> I have found a number of
> firewall products that provide encrypted connections, but the [insert
> standard flame here] US government ban on exporting crypto rears its
> ugly head.
>
> I see two options:
>
> 1. Do it myself. This doesn't *look* too scary; I don't need fancy key
> management, just basic secret-key encryption. I could modify, say,
> plug-gw to call encryption routines. If I then get my encryption code
> from outside the US (that seems to be no problem) I won't have to export
> it to install it overseas. Any comments on this?
>
> 2. Find an encryption product available outside the US, probably one
> *made* outside the US. Does anyone know of such a beast?
>
> thanks,
>
> Steven Gaarder Network and Systems Administrator
> gaarder@actech.com A C Technology, Ithaca, N.Y., USA

The GNU project (in their replacement C library I think) have an encryption API/lib that is available both in the US and outside (at two different sites). Your local GNU source should have it.

Chris

Chris Needham                          Internet: needham@dpg.rnb.com
Derivative Products Group              uunet: uunet!merccap!needham
Republic National Bank of New York     Phone: 0171 860 3388
30 Monument St                         Fax: 0171 860 3389
London EC3R 8NB
'bring back CPM all is forgiven'

From firewalls-owner Wed Jul 12 02:34:51 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA06201 for firewalls-outgoing; Wed, 12 Jul 1995 02:28:27 -0700 Received: from panix3.panix.com (panix3.panix.com [198.7.0.4]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id CAA06196 for ; Wed, 12 Jul 1995 02:28:24 -0700 Received: from wallyman (wallynet.dialup.access.net [166.84.216.58]) by panix3.panix.com (8.6.12/8.6.12+PanixU1.1) with SMTP id FAA27777; Wed, 12 Jul 1995 05:19:56 -0400 Message-Id: <199507120919.FAA27777@panix3.panix.com> X-Sender: wallynet@panix.com X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 12 Jul 1995 05:20:50 -0400
To: Douglas Ramsey , firewalls@GreatCircle.COM From: wallynet@panix.com (Walter F. Inetman ) Subject: Re: "cancel" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Where ever did you get the "cancel" command? At 04:42 PM 7/11/95 PDT, Douglas Ramsey wrote: >cancel firewalls > > To unsubscribe from Firewalls-Digest, send the following command in the body of a message to "Majordomo@GreatCircle.COM": unsubscribe firewalls-digest To subscribe, send the command "subscribe firewalls-digest" instead. If you want to subscribe or unsubscribe something other than the account the mail is coming from, such as a local redistribution list, then append that address to the command; for example, to subscribe "local-firewalls": subscribe firewalls-digest local-firewalls@your.domain.net A non-digest (direct mail) version of this list is also available; to subscribe to that instead, replace all instances of "firewalls-digest" in the commands above with "firewalls". Compressed back issues are available for anonymous FTP from FTP.GreatCircle.COM, in pub/firewalls/digest/vNN.nMMM.Z (where "NN" is the volume number, and "MMM" is the issue number). 
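Added example, not from Julie Ann Lunt's DNS post or Paul Ferguson's vty reply above: a small evaluator for cisco-style access-list entries, written here to exercise both of their lists against constructed packets. It shows why the replies from Julie's name server were dropped until the two "eq domain any" entries (source port 53, any destination) were added; that Paul's access-class 6 admits any packet carrying an inside source address, whether or not it really came from inside, which is the spoofing caveat he raises; and how a constructed inbound entry on the outside interface that denies inside source addresses closes that gap (the input filtering Chris Maio's summary names as the alternative to a second router). The port-name table, the packets, the 192.0.2.0/24 "Internet" addresses and the anti-spoofing entry are assumptions made for this example; the two access lists are copied from the posts.

```python
"""Cisco-style access-list evaluator (added example, not from any of the posts).

Models how IOS walks a list: first matching entry wins, an unmatched packet hits
the implicit deny, and the 1 bits of a wildcard mask mean "don't care". The DNS
lists are Julie Ann Lunt's and the vty list is Paul Ferguson's; the packets, the
anti-spoofing entry and the port-name table are constructed for this example.
"""
import ipaddress
from collections import namedtuple
from typing import List, Optional, Tuple

SERVICES = {"domain": 53, "telnet": 23, "smtp": 25}   # constructed; IOS has its own table
ANY = (0, 0)                     # (base, mask): an all-zero mask matches every address

Packet = namedtuple("Packet", "proto src sport dst dport")       # proto is "tcp" or "udp"
# src/dst are (base, mask) 32-bit ints; sport/dport None means any; proto "ip" matches both
Rule = namedtuple("Rule", "action proto src sport dst dport")


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0xFFFFFFFF), i + 2
    # The wildcard is an inverted mask and need not be contiguous, so keep raw
    # (base, mask) integers instead of forcing it into an IPv4Network.
    mask = ~_ip(tokens[i + 1]) & 0xFFFFFFFF
    return (_ip(tokens[i]) & mask, mask), i + 2


def _port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq <number|name>' qualifier at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (int(name) if name.isdigit() else SERVICES[name]), i + 2
    return None, i


def parse_rule(line: str) -> Rule:
    tokens = line.split()
    if tokens[0] == "access-list":            # "access-list 6 permit ..." -> drop the number
        tokens = tokens[2:]
    action = tokens[0]
    if tokens[1] not in ("tcp", "udp", "ip"):  # standard list: a source address only
        src, _ = _addr(tokens, 1)
        return Rule(action, "ip", src, None, ANY, None)
    src, i = _addr(tokens, 2)
    sport, i = _port(tokens, i)
    dst, i = _addr(tokens, i)
    dport, _ = _port(tokens, i)
    return Rule(action, tokens[1], src, sport, dst, dport)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and (_ip(pkt.src) & rule.src[1]) == rule.src[0]
            and (_ip(pkt.dst) & rule.dst[1]) == rule.dst[0]
            and rule.sport in (None, pkt.sport)
            and rule.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First match decides; anything unmatched hits the implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


NS = "205.138.144.36"                                   # Julie's name server
DNS_IN = [parse_rule(f"permit {p} any host {NS} eq domain") for p in ("tcp", "udp")]
DNS_OUT_FIRST_TRY = [parse_rule(f"permit {p} host {NS} any eq domain") for p in ("udp", "tcp")]
DNS_OUT = DNS_OUT_FIRST_TRY + [parse_rule(f"permit {p} host {NS} eq domain any") for p in ("udp", "tcp")]
VTY = [parse_rule("access-list 6 permit 1.2.3.0 0.0.0.255"),
       parse_rule("access-list 6 deny 0.0.0.0 255.255.255.255")]
# Constructed: an inbound entry for the outside interface that drops packets
# claiming an inside source, the usual answer to the spoofing caveat in Paul's reply.
ANTI_SPOOF = parse_rule("deny ip 1.2.3.0 0.0.0.255 any")

# Constructed packets; 192.0.2.0/24 stands in for hosts out on the Internet.
QUERY_IN = Packet("udp", "192.0.2.10", 1234, NS, 53)     # a remote resolver asks our server
REPLY_OUT = Packet("udp", NS, 53, "192.0.2.10", 1234)    # our answer leaves from port 53
FROM_INSIDE = Packet("tcp", "1.2.3.7", 40000, "1.2.3.1", 23)
FROM_OUTSIDE = Packet("tcp", "192.0.2.5", 40000, "1.2.3.1", 23)


def demo() -> dict:
    return {
        "dns_query_in": evaluate(DNS_IN, QUERY_IN),
        "dns_reply_before_sport_rule": evaluate(DNS_OUT_FIRST_TRY, REPLY_OUT),  # why SOA/AXFR failed
        "dns_reply_after_sport_rule": evaluate(DNS_OUT, REPLY_OUT),
        "vty_from_inside": evaluate(VTY, FROM_INSIDE),
        "vty_from_outside": evaluate(VTY, FROM_OUTSIDE),
        "vty_spoofed_inside_source": evaluate(VTY, FROM_INSIDE),   # same bits arriving from outside: permitted
        "vty_spoofed_with_anti_spoof": evaluate([ANTI_SPOOF] + VTY, FROM_INSIDE),
    }
```

Run it and print `demo()`: the outbound reply is denied against the first two "out" entries because their `eq domain` binds the destination port, and permitted once the source-port entries exist; the access-class cannot tell a genuine 1.2.3.7 from a forged one, which is why the anti-spoofing deny belongs on the outside interface's inbound list, ahead of any permit, since the first match wins.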
From firewalls-owner Wed Jul 12 03:04:50 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA06330 for firewalls-outgoing; Wed, 12 Jul 1995 02:36:23 -0700 Received: from personal.eunet.fi (personal.eunet.fi [192.26.119.4]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id CAA06259 for ; Wed, 12 Jul 1995 02:34:10 -0700 Received: from [] (klaine.pp.fi) by personal.eunet.fi with SMTP id AA05181 (5.67a/IDA-1.5 for ); Wed, 12 Jul 1995 12:33:32 +0300 Message-Id: <199507120933.AA05181@personal.eunet.fi> From: "Kari Laine" Organization: LAN Vision Oy To: firewalls@greatcircle.com Date: Wed, 12 Jul 1995 12:33:35 +0002 Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7BIT Subject: Re: Encryption outside the US Priority: normal X-Mailer: Pegasus Mail/Windows (v1.22) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Date: Tue, 11 Jul 1995 17:29:52 -0400 (EDT) > From: Steve Gaarder > To: firewalls@greatcircle.com > Subject: Encryption outside the US One company which would be able to help you with the encryption part is uti-maco Belgium. They have programming libraries which you could use. On the other hand they make also projects in the area. Contact info: uti-maco Belgium n.v. Amb. Zone De Vunt 9 B-3220 Holsbeek (Leuven) Belgium Phone +32-16-44 01 35 Fax +32-16-44 01 40 E-mail: 100272.2772@compuserve.com Best Regards Kari Kari Laine buster@klaine.pp.fi LAN Vision Oy Tel. 
+358-0-502 1947
Sinikalliontie 14       Fax +358-0-524 149
02630 ESPOO             BBS +358-0-502 1576/1456
FINLAND

From firewalls-owner Wed Jul 12 05:41:57 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA08834 for firewalls-outgoing; Wed, 12 Jul 1995 05:18:48 -0700
Received: from mwunix.mitre.org (mwunix.mitre.org [128.29.154.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA08829 for ; Wed, 12 Jul 1995 05:18:45 -0700
Received: from smiley.sit (smiley.mitre.org [128.29.140.20]) by mwunix.mitre.org (8.6.10/8.6.4) with SMTP id IAA12144; Wed, 12 Jul 1995 08:18:18 -0400
Received: from [128.29.140.130] (mckenney-mac) by smiley.sit (4.1/SMI-4.1) id AA21769; Wed, 12 Jul 95 08:16:38 EDT
Date: Wed, 12 Jul 95 08:16:38 EDT
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Steve Gaarder
From: mckenney@smiley.mitre.org (Brian W. McKenney)
Subject: Re: Encryption outside the US
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Steven,

First, if you want to encrypt network traffic based on protocol type (e.g., HTTP, TELNET) then you have to use a product that can encrypt based on TCP port number. Many firewall products encrypt based on source and destination addresses of IP packets. Hence, you could not encrypt some network services and leave some network services unencrypted, unless you couple the firewall product with routers that would route selected network traffic to the encryption module.

Second, the solution you build today may limit your options tomorrow. At some point your Virtual Private Network (VPN) (on Internet) may extend to other nodes. You would then force the "other nodes" to use your developed solution.

Third, some products support proprietary encryption algorithms that are exportable. For example, the NSC Security Router supports NSC1, a proprietary high-speed algorithm (based in software).
There are pros and cons with standards-based versus proprietary encryption algorithms, but this is another option. I am sure other firewall and router vendors are thinking along the same lines.

Last, whatever you do, do some performance testing. Some of the software-based solutions are slow. A particular software-based solution may not be acceptable for lots of node-to-node Web traffic. Your users would notice slow responses and complain. Users would clearly see a difference between accessing a Web server on the Internet and a Web server at another node of your VPN.

-Brian

>We would like to be able to use encryption to pass traffic for specific
>applications (e.g. http) over the Internet between our headquarters in
>the USA and our offices in other countries. I have found a number of
>firewall products that provide encrypted connections, but the [insert
>standard flame here] US government ban on exporting crypto rears its
>ugly head.
>
>I see two options:
>
>1. Do it myself. This doesn't *look* too scary; I don't need fancy key
>management, just basic secret-key encryption. I could modify, say,
>plug-gw to call encryption routines. If I then get my encryption code
>from outside the US (that seems to be no problem) I won't have to export
>it to install it overseas. Any comments on this?
>
>2. Find an encryption product available outside the US, probably one
>*made* outside the US. Does anyone know of such a beast?
>
>thanks,
>
>Steven Gaarder        Network and Systems Administrator
>gaarder@actech.com    A C Technology, Ithaca, N.Y., USA

Respectfully,
Brian W. McKenney
Mail Stop: Z-202
The MITRE Corporation
7525 Colshire Drive
McLean, VA 22102
Voice: 703-883-5463
Fax: 703-883-1397
E-Mail: mckenney@mitre.org

From firewalls-owner Wed Jul 12 06:48:54 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA10121 for firewalls-outgoing; Wed, 12 Jul 1995 06:07:16 -0700
Received: from xinter1.rwedea.de (xinter1.rwedea.de [194.39.1.130]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA10107 for ; Wed, 12 Jul 1995 06:07:01 -0700
Received: from mailer.rwedea.de by xinter1.rwedea.de with SMTP (1.38.193.5/16.2) id AA20152; Wed, 12 Jul 1995 15:03:45 +0200
Received: by mail.rwedea.de (1.38.193.5/16.2) id AA23728; Wed, 12 Jul 1995 15:17:02 +0200
From: Eckard Weber
Message-Id: <9507121317.AA23728@mail.rwedea.de>
Subject: Looking for OS/2 Web Client behind Firewall
To: firewalls@greatcircle.com
Date: Wed, 12 Jul 95 15:17:01 MESZ
Mailer: Elm [revision: 70.85.2.1]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We are new on the Internet, with a TIS Firewall installed. The Netscape WWW Client is working fine behind the Firewall in a Windows and UNIX environment, but we also have a lot of OS/2 PCs. I have OS/2 2.11 with TCP/IP 2.0 from IBM, including the DOS/Windows Access Kit. If I try to run Netscape in the Windows box, the PC hangs up. Who knows a WEB Client running in the OS/2 environment?
Thanks for all comments

E.Weber@rwedea.de

From firewalls-owner Wed Jul 12 07:09:25 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA10053 for firewalls-outgoing; Wed, 12 Jul 1995 06:05:13 -0700
Received: from fsp.fsp.com (fsp.fsp.com [157.134.205.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA10047 for ; Wed, 12 Jul 1995 06:05:08 -0700
Received: by fsp.fsp.com (5.65/1.35) id AA05821; Wed, 12 Jul 95 09:12:33 -0500
From: tkellar@fsp.fsp.com (Thomas Kellar)
Message-Id: <9507121412.AA05821@fsp.fsp.com>
Subject: NetSp and Advantis and the Corporate LAN
To: firewalls@greatcircle.com
Date: Wed, 12 Jul 1995 09:12:32 -0500 (EST)
Cc: tkellar@fsp.fsp.com (Thomas Kellar)
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
Content-Length: 1011
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The company I work for is about to embark on the Internet adventure. We are going to connect our corporate LAN to Internet via IBM's Advantis through a NetSP firewall. The hardware is already in place and ready to be connected. The IBM supplied router is now connected up to its own (isolated) token ring for testing and before I move it over to connect to one of the rings on the company wide LAN I would like some assurances that it is safe. While IBM claims it is, they are not a disinterested party and in fact seem somewhat new at the task. I have run iss and probe on their firewall IP and have seen nothing bad. I do not have the ability to do any more sophisticated tests than that and I have no control over either the router on this end or the firewall. Am I paranoid, should I be scared, can anyone offer me any advice? Thanks.
Thomas Kellar

--
Thomas Kellar                     Freelance Systems Programming
513-254-7246                      Tkellar@Dayton.fsp.com
Public Access UNIX and Internet Interface

From firewalls-owner Wed Jul 12 07:28:56 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA10322 for firewalls-outgoing; Wed, 12 Jul 1995 06:17:25 -0700
Received: from ian.aztec.co.za (ian.aztec.co.za [196.7.151.162]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA10287 for ; Wed, 12 Jul 1995 06:15:51 -0700
Received: by ian.aztec.co.za (Smail3.1.29.1 #4) id m0sW3WU-000MdxC; Wed, 12 Jul 95 15:16 GMT
Message-Id:
From: ian@aztec.co.za (Ian Cooper)
Subject: Re: HP OpenMail / Firewall
To: clp2@ix.netcom.com (Carol pollard)
Date: Wed, 12 Jul 1995 15:16:25 +0000 (GMT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199507111826.LAA18729@ix3.ix.netcom.com> from "Carol pollard" at Jul 11, 95 11:26:23 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 2580
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Our enterprise LAN email system is going to be HP OpenMail. At the same
> time our email developers are researching this, I'm developing our
> firewall solution. There has been some discussion on how the email
> gateway for HP will function or be integrated into the firewall
> solution, but none of us here have any definitive knowledge.
>
> Does anyone have any experience with HP OpenMail and integrating this
> as part of the firewall? Or will we have an SMTP gateway that links to
> the HP gateway? Anyway, my confusion should be obvious!!! Any comments
> or suggestions will be greatly appreciated.

Carol -

I have pretty extensive experience with HP OpenMail. HP OpenMail is an internally X.400 compliant mailserver that has an SMTP gateway for incoming and outgoing mail. For outgoing internet mail, OpenMail passes a mail message to a program called unix.out, which will then connect to the sendmail process on port tcp/25.
After passing the message to sendmail, OpenMail forgets about it, as delivery from that point on is handled by sendmail. For incoming mail, a rule in the sendmail.cf file will match the / character in a user's address, which will direct sendmail to call the OpenMail unix.in program and pass the message via SMTP to unix.in.

The long and short of it is that all internet mailing is done via the sendmail process, so the use of a sendmail proxy should be completely transparent to OpenMail.

The most likely setup would be to have a mail host for your domain to handle all internet mail. This would be configured as your mail relay host. The sendmail process on the OpenMail server would connect to the sendmail process on the mail relay host, which would then forward mail to the internet via a proxy on the firewall host. You could eliminate the mail relay host entirely, with the sendmail process on the OpenMail server connecting directly to the proxy on the firewall host. Incoming mail could be handled in a similar fashion.

Please feel free to mail me for further discussion, as this question is really outside the subject of firewalls, and lies more in OpenMail setup...

>
> P.S. Still performing a comparative analysis on Gauntlet, IBM,
> CheckPoint, and Borderware. I'll publish the end result....if I'm still
> alive!!
>
> Thanks...
>
> Carol Pollard
> Barnett Technologies
> Technical Risk Management
>
>

--
Ian Cooper                  Internet: ian@aztec.co.za
Open Mind Solutions         Tel: 083 253-9865
Open Systems and Network Specialists

From firewalls-owner Wed Jul 12 07:47:42 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA10513 for firewalls-outgoing; Wed, 12 Jul 1995 06:26:38 -0700
Received: from kgbvax.network.com (kgbvax.network.com [129.191.202.58]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA10508 for ; Wed, 12 Jul 1995 06:26:33 -0700
Received: (from ted@localhost) by kgbvax.network.com (8.6.9/8.6.9) id JAA17382; Wed, 12 Jul 1995 09:25:04 -0400
Date: Wed, 12 Jul 1995 09:25:04 -0400
From: Ted Doty
Message-Id: <199507121325.JAA17382@kgbvax.network.com>
To: gaarder@actech.com, firewalls@greatcircle.com
Subject: Re: Encryption outside the US
In-Reply-To: Mail from 'Steve Gaarder ' dated: Tue, 11 Jul 1995 17:29:52 -0400 (EDT)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 11 Jul 1995 17:29:52 EDT, Steve Gaarder wrote:

  We would like to be able to use encryption to pass traffic for specific applications (e.g. http) over the Internet between our headquarters in the USA and our offices in other countries. I have found a number of firewall products that provide encrypted connections, but the [insert standard flame here] US government ban on exporting crypto rears its ugly head.

  I see two options:

  1. Do it myself. This doesn't *look* too scary; I don't need fancy key management, just basic secret-key encryption. I could modify, say, plug-gw to call encryption routines. If I then get my encryption code from outside the US (that seems to be no problem) I won't have to export it to install it overseas. Any comments on this?

DON'T. If you do this, you are STILL in violation of the ITAR. The act of posting your message might be enough to get you prosecuted for conspiracy as well.
You cannot ship either cryptographic products, or products with a "cryptography ready socket" out of the (lower 48 states) USA or Canada without an export license. If you don't think that the Export Control Office is serious about this, ask Phil Zimmermann.

  2. Find an encryption product available outside the US, probably one *made* outside the US. Does anyone know of such a beast?

This will work. I was in Rapperswil, Switzerland in April for the Rapperswil Networking Forum meeting. There were a number of Swiss vendors there with big banners saying "Cryptography: Made in Switzerland" (I was probably the only non-German speaker there, but the banner was in English. Go fig.) I can't remember any companies, and can't vouch for the quality of their products, but I'd be seriously surprised if a Swiss company provided crypto that didn't have IDEA.

You have another alternative:

3. If your company is at least 51% US (or Canadian) owned, you can apply for an export license for your company's use. My experience is that these are always granted. Note that you'll have to take care of any licensing that is required in the country of use (for example, you need a license to use crypto within France).

In my book, both #2 and #3 beat #1 (going to jail).

--
- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation   | phone: +1 301 596-2270
8965 Guilford Road, Suite 250           | fax: +1 410 381-3320
Columbia, MD, 21046 USA                 | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental.
From firewalls-owner Wed Jul 12 08:04:45 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA11301 for firewalls-outgoing; Wed, 12 Jul 1995 06:52:10 -0700
Received: from gatekeeper.abc.com.au ([203.2.218.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA11293 for ; Wed, 12 Jul 1995 06:51:56 -0700
Received: from ws6127.abc.com.au by gatekeeper.abc.com.au; (5.65/1.1.8.2/26Oct94-0956AM) id AA13206; Wed, 12 Jul 1995 23:59:44 +1000
Received: from vaxb.abc.com.au by ws6127.abc.com.au; (5.65/1.1.8.2/14Oct94-1050AM) id AA08366; Thu, 13 Jul 1995 00:00:35 +1000
Received: from mr.abcnet.abc.com.au by vaxa.abc.com.au (PMDF V4.3-10 #8835) id <01HSSUMKPDHS9N5GCX@vaxa.abc.com.au>; Wed, 12 Jul 1995 23:49:38 -0500 (EST)
Received: with PMDF-MR; Wed, 12 Jul 1995 23:43:15 EST
Mr-Received: by mta VAXC; Relayed; Wed, 12 Jul 1995 23:43:15 -0500
Mr-Received: by mta MCM$ABCNET; Relayed; Wed, 12 Jul 1995 23:43:20 -0500
Mr-Received: by mta VAXC; Relayed; Wed, 12 Jul 1995 23:43:30 -0500
Alternate-Recipient: prohibited
Disclose-Recipients: prohibited
Date: Wed, 12 Jul 1995 17:34:00 -0500 (EST)
From: "William Shipway (02) 333-1950"
Subject: Netscape Server cgi problem
To: firewalls@greatcircle.com
Message-Id: <01HSSUN3MF8W9N5GCX@mr.abcnet.abc.com.au>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-Transfer-Encoding: 7BIT
Posting-Date: Wed, 12 Jul 1995 17:41:00 -0500 (EST)
Importance: normal
Priority: normal
X400-Mts-Identifier: [;51343221705991/98435@ABCNET]
A1-Type: MAIL
Hop-Count: 2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

ATTENTION: experienced Netscape Server admins only

I've been lurking on the list for months and find it very enlightening. Need to find a quick answer and my other sources haven't got one.
If the problem

    [12/Jul/1995:17:25:59] catastrophe: for host nnn.n.n.n trying to GET /cgi-bin/settings.sh, send-cgi reports: could not fork new process (Operation would block)

suggests an obvious solution, please email me.

TIA!

WS.

---------------
William Shipway (Unless indicated, I speak only for myself)
Australian Broadcasting Corporation - Information Technology
Email: shipway.william@a2.abc.com.au
Phone: [+61] (02) 333-1950

From firewalls-owner Wed Jul 12 08:05:48 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA11235 for firewalls-outgoing; Wed, 12 Jul 1995 06:49:10 -0700
Received: from kgbvax.network.com (kgbvax.network.com [129.191.202.58]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA11230 for ; Wed, 12 Jul 1995 06:49:05 -0700
Received: (from ted@localhost) by kgbvax.network.com (8.6.9/8.6.9) id JAA17402; Wed, 12 Jul 1995 09:47:41 -0400
Date: Wed, 12 Jul 1995 09:47:41 -0400
From: Ted Doty
Message-Id: <199507121347.JAA17402@kgbvax.network.com>
To: mjr@iwi.com, firewalls@greatcircle.com
Subject: Re: Fortezza PC-Card
In-Reply-To: Mail from 'Marcus J Ranum ' dated: Tue, 11 Jul 1995 19:27:20 -0400 (EDT)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 11 Jul 1995 19:27:20 EDT, Marcus J Ranum wrote:

  One thing that's surprised me about Fortezza is that it's a government-developed product that they're trying to push in direct competition with the private sector. There's been amazingly little outcry from private sector companies that produce the existing products on the market, and I don't understand it. The feds are going to ice the cake by probably blessing it for export even if it has encryption (thanks to the Clipper trapdoor). Talk about competing on an uneven basis!! How'd you like to be a commercial company that made encryption products, when your competition could not only strangle you with laws and regulations, but was funding their R&D, and marketing, all on the taxpayer's nickel?
I disagree. When we were starting work on our encryption product, we asked a whole bunch of our customers whether they wanted Clipper, as well as the other ciphers. The results were enlightening:

1. Nobody outside of the USA will touch it with a 20 foot pole.

2. No commercial customers would touch it either. One Fortune 100 customer told us "We will only use Clipper if ALL other forms of encryption are outlawed."

3. Within the US Defense Department, we only found one customer even remotely interested. Some of the problem here may be that FORTEZZA use is being mandated, but no funds are being provided.

I'm fairly sympathetic to the goals of the MISSI program, and if you need a hardware token to provide serious AUTHENTICATION at a reasonable cost, this is your ticket (so to speak). I confess to being suspicious about using Skipjack for (data) encryption, especially with the alternatives out there.

Not speaking for my company here, but we make encryption products, and I'm not too worried about the MISSI program office putting us out of business. Maybe I'm wrong, but I see it as filling a different need.

--
- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation   | phone: +1 301 596-2270
8965 Guilford Road, Suite 250           | fax: +1 410 381-3320
Columbia, MD, 21046 USA                 | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental.
From firewalls-owner Wed Jul 12 08:06:44 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA11249 for firewalls-outgoing; Wed, 12 Jul 1995 06:50:14 -0700
Received: from gate.demon.co.uk (gate.demon.co.uk [158.152.1.65]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA11244 for ; Wed, 12 Jul 1995 06:50:10 -0700
Received: from proteknw.demon.co.uk by gate.demon.co.uk id aa01336; 12 Jul 95 14:49 GMT-60:00
Received: by proteknw.demon.co.uk (AIX 3.2/UCB 5.64/4.03) id AA21000; Wed, 12 Jul 1995 14:41:26 +0100
From: Ian Gresley-Jones
Message-Id: <9507121341.AA21000@proteknw.demon.co.uk>
Subject: Re: HP OpenMail / Firewall
To: Carol pollard
Date: Wed, 12 Jul 1995 14:41:25 +0100 (BST)
Cc: firewalls@greatcircle.com
Reply-To: igjones@proteknw.demon.co.uk
In-Reply-To: <199507111826.LAA18729@ix3.ix.netcom.com> from "Carol pollard" at Jul 11, 95 11:26:23 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 2331
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Carol,

I have set up a firewall on a site with Openmail as the internal email system. There are no problems with it, as evidenced by the fact that Openmail, although using an X400 addressing scheme, actually uses SMTP to communicate between client (omgui) and servers, and server:server between nodes.

You would be best configuring a firewall with an SMTP forwarder like smap from the TIS fwtk to pass incoming mail to (and outgoing mail from) an internal mail host. Install openmail on this host as the main node, and set up routes to any other server nodes you need. Then configure your omgui clients to run off any of the server nodes and that's it!

Be careful with sendmail.cf on the openmail server, as the openmail installation adds some new lines to ruleset 0, and a couple of new mailer types for openmail delivery.
For access to internet through the firewall you need to add an Internet Relay host (DR usually) so check to make sure the openmail lines don't interfere with the Internet Relay lines.

I can't recall any other difficulties we had, but feel free to email me on any problems you encounter.

Regards,

Ian Gresley-Jones, Security Consultant
Protek (UK).

PS. I'll be interested in your comparative evaluation of the firewalls you mentioned. Gauntlet obviously has smap included so fits into the above scheme, and I believe the others all feature some form of SMTP relayer program along the same lines.

>
> Our enterprise LAN email system is going to be HP OpenMail. At the same
> time our email developers are researching this, I'm developing our
> firewall solution. There has been some discussion on how the email
> gateway for HP will function or be integrated into the firewall
> solution, but none of us here have any definitive knowledge.
>
> Does anyone have any experience with HP OpenMail and integrating this
> as part of the firewall? Or will we have an SMTP gateway that links to
> the HP gateway? Anyway, my confusion should be obvious!!! Any comments
> or suggestions will be greatly appreciated.
>
> P.S. Still performing a comparative analysis on Gauntlet, IBM,
> CheckPoint, and Borderware. I'll publish the end result....if I'm still
> alive!!
>
> Thanks...
>
> Carol Pollard
> Barnett Technologies
> Technical Risk Management
>
>

From firewalls-owner Wed Jul 12 08:12:49 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA13269 for firewalls-outgoing; Wed, 12 Jul 1995 07:58:00 -0700
Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA13264 for ; Wed, 12 Jul 1995 07:57:54 -0700
Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU via SMTP; Wed, 12 Jul 1995 10:55:27 -0400
Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-5.67b/res.client.cf-3.7) id AA02674; Wed, 12 Jul 1995 10:55:27 -0400
Date: Wed, 12 Jul 1995 10:55:27 -0400
From: long-morrow@CS.YALE.EDU (H Morrow Long)
Message-Id: <199507121455.AA02674@SPARKY.CF.CS.YALE.EDU>
To: firewalls@greatcircle.com, xcaew@rwedea.de
Subject: Re: Looking for OS/2 Web Client behind Firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

E.Weber@rwedea.de sprechen:

>We are new on the Internet, with a TIS Firewall installed. The Netscape
>WWW Client is working fine behind the Firewall in a Windows and UNIX
>environment, but we also have a lot of OS/2 PCs.
>I have OS/2 2.11 with TCP/IP 2.0 from IBM, including the DOS/Windows Access Kit.
>If I try to run Netscape in the Windows box, the PC hangs up.
>Who knows a WEB Client running in the OS/2 environment?

Doesn't IBM have its own browser which comes with OS/2 Warp edition called "WebExplorer"?
- Morrow

From firewalls-owner Wed Jul 12 08:14:05 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA12621 for firewalls-outgoing; Wed, 12 Jul 1995 07:35:04 -0700
Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA12599 for ; Wed, 12 Jul 1995 07:34:53 -0700
Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA23326; Wed, 12 Jul 95 10:34:30 -0500
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9507121534.AA23326@hawksbill.sprintmrn.com>
Subject: Re: NetSp and Advantis and the Corporate LAN
To: tkellar@fsp.fsp.com (Thomas Kellar)
Date: Wed, 12 Jul 1995 10:34:29 -0500 (EST)
Cc: firewalls@greatcircle.com, tkellar@fsp.fsp.com
In-Reply-To: <9507121412.AA05821@fsp.fsp.com> from "Thomas Kellar" at Jul 12, 95 09:12:32 am
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 1684
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> The company I work for is about to embark on the Internet adventure. We
> are going to connect our corporate LAN to Internet via IBM's Advantis
> through a NetSP firewall. The hardware is already in place and ready to
> be connected. The IBM supplied router is now connected up to its own
> (isolated) token ring for testing and before I move it over to connect to
> one of the rings on the company wide LAN I would like some assurances that
> it is safe. While IBM claims it is, they are not a disinterested party
> and in fact seem somewhat new at the task. I have run iss and probe on
> their firewall IP and have seen nothing bad. I do not have the ability to
> do any more sophisticated tests than that and I have no control over
> either the router on this end or the firewall. Am I paranoid, should I be
> scared, can anyone offer me any advice? Thanks.
>
>

Until you have a network connected to the local-area side of the router, running a probe utility (such as ISS or SATAN) does little or no good. (That is, unless you duplicated your internal LAN's topology in your lab environment, to include similar hosts.) Unless you can examine and verify the access-lists (or whatever) in the router, you'll have to wait until it's connected to your local LAN to verify the effectiveness of the filtering.

- paul

_______________________________________________________________________________
Paul Ferguson                         US Sprint
tel: 703.689.6828                     Managed Network Engineering
internet: paul@hawk.sprintmrn.com     Reston, Virginia USA
http://www.sprintmrn.com

From firewalls-owner Wed Jul 12 09:50:59 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA15068 for firewalls-outgoing; Wed, 12 Jul 1995 08:53:35 -0700
Received: from scruz.net (nic.scruz.net [165.227.1.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA15063 for ; Wed, 12 Jul 1995 08:53:33 -0700
Received: from jcg.wcdssi.com by scruz.net (8.6.9/1.34) id IAA10972; Wed, 12 Jul 1995 08:51:44 -0700
Date: Wed, 12 Jul 95 08:42:43 PDT
From: John Guinasso
Subject: Re: Fortezza PC-Card
To: alan@mid.net, ted@kgbvax.network.com, Eric Rescorla
Cc: firewalls@greatcircle.com
X-Mailer: Chameleon ENGP1, TCP/IP for Windows, NetManage Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is this product available to the general public? It was my understanding that it was not.. that the DoD was trying to control the distribution of the product. Anyone know for sure??

John

---------------Original Message---------------
Ted writes:

>Fortezza is a PCMCIA card with a clipper chip. It comes with an entire
>cryptographic API, and is intended mostly for user authentication. My
>understanding is that they cost around $100 in quantity. Not sure which
>vendors (if any) support the API.
>
>My feeling is that the government has been grappling with these issues for
>some time, and are considerably advanced towards a real (usable) solution.
>Fortezza gives you real (cryptographic) authentication, so hijacked terminal
>sessions aren't a worry.

>Actually, it's a lot more than just Clipper. It also supports
>KEA, DSA, and SHA, so basically it's a full public key engine.

>It's 'tamperproof' and has a secure store for your private
>keying material.

>-Ekr
----------End of Original Message----------

From firewalls-owner Wed Jul 12 09:54:34 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA14392 for firewalls-outgoing; Wed, 12 Jul 1995 08:23:49 -0700
Received: from eros.britain.eu.net (eros.Britain.EU.net [192.91.199.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA14381 for ; Wed, 12 Jul 1995 08:23:45 -0700
Received: from guardian.co.uk by eros.britain.eu.net with UUCP id ; Wed, 12 Jul 1995 16:20:54 +0100
Received: from popserver.guardian.co.uk by guardian.co.uk (4.1/Guardian-Newspapers-1.10) id AA27501; Wed, 12 Jul 95 12:36:11 BST
Received: from [191.191.12.42] by popserver.guardian.co.uk with SMTP (MailShare 1.0b8); Wed, 12 Jul 1995 12:42:30 +0000
X-Sender: marc@popserver.guardian.co.uk
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: todd@momentum.com.au
From: marc@guardian.co.uk (Marc Lueck)
Subject: Re: POP security
Cc: firewalls@greatcircle.com
Date: Wed, 12 Jul 1995 12:42:30 +0000
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Todd Hooper (todd@momentum.com.au) asked:
>
>The main issue with POP mail as I see it is authentication and security
>of the connection. The only server software I'm aware of which supports
>APOP is MH which is UNIX only and a bit difficult to set up. I've written
>the folks at Qualcomm re: secure POP3 clients/servers and they are busy
>with the Client updates (spell checkers etc.).
>The other question I would
>consider is how sensitive is the information in the e-mail? Is it sensitive
>enough to be using PGP to encrypt it?
>
>

There is a (ahem) Macintosh POP server package which supports APOP called Mailshare (1.0fc6 at the moment) which has a mailing list at List-Manager@easy.com. It's commonly available from your local mirror of info-mac. I was looking for a UNIX package but it turned out that it would be unfeasible, so I turned to this cheery little package and I was happily surprised. It's really quite slick.

Marc Lueck
Desktop Systems
The Guardian Newspapers Ltd.
London

From firewalls-owner Wed Jul 12 10:04:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA15619 for firewalls-outgoing; Wed, 12 Jul 1995 09:23:43 -0700
Received: from sed.csc.com (cheetah.sed.csc.com [20.2.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA15614 for ; Wed, 12 Jul 1995 09:23:39 -0700
Received: by sed.csc.com (Smail3.1.29.1 #3) id m0sW4Z3-0006NjC; Wed, 12 Jul 95 12:23 EDT
Date: Wed, 12 Jul 1995 12:23:08 -0400 (EDT)
From: "James L. Gerretson"
To: Marcus J Ranum
cc: firewalls@greatcircle.com
Subject: Re: Fortezza PC-Card
In-Reply-To: <9507112327.AA04262@tis.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Which products is it competing with? To date I don't know of any that perform the same types of functions. The smart card technologies don't seem to have either the speed or storage capability from the reading I've done. There are several vendors who are leveraging off the card to introduce commercial versions (National Semi for 1). There are lots of smart cards being procured and used both in the DoD and out. I just don't think that any meet what is needed for MISSI, IMHO. As to the rest, I wouldn't have any idea.
I haven't heard anywhere that they are going to allow export outside of official use.

On Tue, 11 Jul 1995, Marcus J Ranum wrote:

>
>
> One thing that's surprised me about Fortezza is that it's
> a government-developed product that they're trying to push in
> direct competition with the private sector. There's been amazingly
> little outcry from private sector companies that produce the
> existing products on the market, and I don't understand it. The
> feds are going to ice the cake by probably blessing it for export
> even if it has encryption (thanks to the Clipper trapdoor). Talk
> about competing on an uneven basis!! How'd you like to be a
> commercial company that made encryption products, when your
> competition could not only strangle you with laws and regulations,
> but was funding their R&D, and marketing, all on the taxpayer's
> nickel?
>
> mjr.
>

From firewalls-owner Wed Jul 12 10:14:50 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA15644 for firewalls-outgoing; Wed, 12 Jul 1995 09:25:16 -0700
Received: from ns2.nctsw.navy.mil (ns2.nctsw.navy.mil [138.145.11.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA15629 for ; Wed, 12 Jul 1995 09:25:09 -0700
From: Atkinson-K@smtpgw.nctsw.navy.mil
Received: from smtpgw.nctsw.navy.mil by ns2.nctsw.navy.mil (5.0/SMI-SVR4) id AA20981; Wed, 12 Jul 1995 12:22:33 +0500
Received: from ccMail by smtpgw.nctsw.navy.mil (IMA Internet Exchange 1.04b) id 003f66b0; Wed, 12 Jul 95 12:20:59 -0400
Mime-Version: 1.0
Date: Wed, 12 Jul 1995 12:24:48 -0400
Message-Id: <003f66b0@smtpgw.nctsw.navy.mil>
Subject: NSA MISSI Project
To: firewalls@GreatCircle.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
content-length: 1499
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Alan Hannan wrote:

> I am curious if anyone is aware of the NSA MISSI project.
If you are, >please share your information (if you can... ;) or point me towards a >helpful source. We at NCTS Washington are involved in several aspects of the MISSI program. We have a MISSI Testbed with the latest DoD approved interim Mail Guard configuration (Standard Mail Guard, V-ONE SmartWall, and NSC Router). We have also integrated the FORTEZZA Crypto Card into an X.500 Directory. Strong authentication with FORTEZZA is required to access the Directory. The Directory is the repository for the public certificates required to encrypt messages with FORTEZZA and to verify FORTEZZA signatures. You can call the NSA MISSI hot Line at 1-800-GO-MISSI. They will connect you to experts in the following areas: Overview, FASTLINE (ATM Encryption), Guards (SMG/SNS), Directory/CAW, FORTEZZA or Other. Believe they will have a Bulletin Board and possibly a Web Home Page soon. Kenny Atkinson ********************** NAVCOMTELSTA Washington * +-----+ Keys to * Open Systems Department (N96) * | | Open but * 901 M Street SE, Building 143-6 * | |\ | Secure * Washington Navy Yard * | \\_ Strategic * Washington, DC 20374-5060 * | /_ / and * atkinson@wnyose.nctsw.navy.mil * | | Tactical * (202) 685-1005 (DSN 325) * +-----+ Systems * (202) 433-3188 Fax (DSN 288) ********************** From firewalls-owner Wed Jul 12 12:47:39 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA19369 for firewalls-outgoing; Wed, 12 Jul 1995 11:31:45 -0700 Received: from sed.csc.com (cheetah.sed.csc.com [20.2.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA19360 for ; Wed, 12 Jul 1995 11:31:41 -0700 Received: by sed.csc.com (Smail3.1.29.1 #3) id m0sW6TA-0006OEC; Wed, 12 Jul 95 14:25 EDT Date: Wed, 12 Jul 1995 14:25:12 -0400 (EDT) From: "James L. 
Gerretson" To: John Guinasso cc: alan@mid.net, ted@kgbvax.network.com, Eric Rescorla , firewalls@greatcircle.com Subject: Re: Fortezza PC-Card In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk There are a couple of vendors who are working on commercial releases of this product. On Wed, 12 Jul 1995, John Guinasso wrote: > Is this product available to the general public? It was my understanding that is was not.. that the DoD was trying to control the distribution of the product. Anyone know for sure?? > John > > ---------------Original Message--------------- > Ted writes: > >Fortezza is a PCMCIA card with a clipper chip. It comes with an entire > >cryptographic API, and is intended mostly for user authentication. My > >understanding is that they cost around $100 in quantity. Not sure which > >vendors (if any) support the API. > > > >My feeling is that the government has been grapling with these issues for > >some time, and are considerably advanced towards a real (usable) solution. > >Fortezza gives you real (cryptographic) authentication, so hijacked terminal > >sessions aren't a worry. > > >Actually, it's a lot more than just Clipper. It also supports > >KEA, DSA, and SHA, so basically it's a full public key engine. > > >It's 'tamperproof' and has a secure store for your private > >keying material. 
> >
> >-Ekr
> >
> >
> ----------End of Original Message----------
>
>

From firewalls-owner Wed Jul 12 13:18:01 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA19589 for firewalls-outgoing; Wed, 12 Jul 1995 11:37:30 -0700
Received: from dsinc.myxa.com (dsinc.myxa.com [192.65.202.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA19582 for ; Wed, 12 Jul 1995 11:37:27 -0700
Received: from provdev by dsinc.myxa.com with uucp (Smail3.1.28.1 #36) id m0sW61G-0000dmC; Wed, 12 Jul 95 13:56 EDT
Received: by pnc-pimc.com (4.1/SMI-4.1) id AA00863; Wed, 12 Jul 95 13:47:55 EDT
From: cfulmer@pnc-pimc.com (Catherine Fulmer)
Message-Id: <9507121747.AA00863@pnc-pimc.com>
Subject: Re: NetSp and Advantis and the Corporate LAN
To: firewalls@greatcircle.com
Date: Wed, 12 Jul 1995 13:47:55 -0400 (EDT)
In-Reply-To: <9507121412.AA05821@fsp.fsp.com> from "Thomas Kellar" at Jul 12, 95 09:12:32 am
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2675
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please understand that this info is OLD so may no longer be the case, but advantis did use ibmmail, which restricts you to only being able to send email to someone who has FIRST sent email to you. blech, gag,...

You are correct that NetSP is a new player in this field though that does not necessarily equate to bad. Before ibm came out with netsp, they would recommend Livingston's product to their clients which had an EXCELLENT reputation. The good thing I have heard (from users) is that they have some very talented knowledgeable people who worked on it. The bad things I heard are usually related to support or lack of (you don't usually get those very talented folks I guess) and problems related to the users' inability to secure aix. This is consistent with the generally good advice that you should probably run your firewall on a platform that you know (or will know) very well, whatever it may be.

good luck and don't attach it to your wan for a while if you can...

cathy

Thomas Kellar writes:
>
> The company I work for is about to embark on the Internet adventure. We
> are going to connect our corporate LAN to Internet via IBM's Advantis
> through a NetSP firewall. The hardware is already in place and ready to
> be connected. The IBM supplied router is now connected up to its own
> (isolated) token ring for testing and before I move it over to connect to
> one of the rings on the company wide LAN I would like some assurances that
> it is safe. While IBM claims it is, they are not a disinterested party
> and in fact seem somewhat new at the task. I have run iss and probe on
> their firewall IP and have seen nothing bad. I do not have the ability to
> do any more sophisticated tests than that and I have no control over
> either the router on this end or the firewall. Am I paranoid, should I be
> scared, can any one offer me any advice? Thanks.
>
> Thomas Kellar
>
> --
> Thomas Kellar Freelance Systems Programming 513-254-7246
> Tkellar@Dayton.fsp.com Public Access UNIX and Internet Interface
>
>
>

--
"Still haven't found a really good MVS virus, but how would you know?"
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Catherine Fulmer
manowar@waterw.com
http://www.waterw.com/~manowar
My words are mine, and don't reflect the views of my employer.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

From firewalls-owner Wed Jul 12 13:51:10 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA21295 for firewalls-outgoing; Wed, 12 Jul 1995 12:18:42 -0700
Received: from druid.reston.mci.net (druid.Reston.mci.net [204.70.128.42]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA21289 for ; Wed, 12 Jul 1995 12:18:39 -0700
Received: (from ddrew@localhost) by druid.reston.mci.net (8.6.12/8.6.6) id PAA05414; Wed, 12 Jul 1995 15:18:05 -0400
Date: Wed, 12 Jul 1995 15:18:05 -0400
Message-Id: <199507121918.PAA05414@druid.reston.mci.net>
To: firewalls@GreatCircle.COM
Subject: Firewall Information
Cc: ddrew@mci.net
From: ddrew@mci.net
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A few people have been asking for Firewall Information, so I thought I would pass this along. We've dealt directly with a majority of these products from a testing perspective. My apologies for the unfriendly format.

If you have not seen the Firewall article in CSI's Computer Security Journal Vol XI * Number 1 * Spring 1995, I suggest you pick it up; it's a fairly good overview of a majority of the firewall products available on the market today. The article consists of matrix chart comparisons of the major functionality of firewall products. Its intent is not to provide you with enough information to pick a firewall product for use, but to at least provide you with enough information on which ones to test.

If anyone has any additional entries to add please let me know.
PRODUCT             | Company Name           | Street Address                    | City              | State | ZIP    | Phone
--------------------+------------------------+-----------------------------------+-------------------+-------+--------+---------------
ANS Interlock       | ANS CO+RE Systems      | ANS CO+RE Systems                 | Elmsford          | NY    | 10523  | 914-789-5337
ASR 4200            | ACC Network            | 8320 Guilford Rd suite G          | Columbia          | MD    | 21406  | 410-290-8775
BlackHole           | Milky Way Networks     | 2650 Queensview Dr, suite 255     | Ottawa, Ontario   | CAN   |        | 613-596-5549
BorderWare          | Border Network Technol | 1 Yonge St, Suite 1400            | Toronto, Ontario  | CAN   |        | 416-368-7157
CyberGuard          | Harris Computers       | 2101 W Cypress Creek Rd           | Ft Lauderdale     | FL    | 33309  | 305-974-1700
Digital's F/W       | Digital                | 40 Old Boston Rd                  | Stow              | MA    | 01775  | 508-496-8626
Eagle               | Raptor Systems         | 69 Hickory Dr                     | Waltham           | MA    | 02154  | 617-487-6755
Firewall-1          | Checkpoint Software    | One Militia Dr                    | Lexington         | MA    | 02173  | 617-859-9051
SunScreen           | Sun Microsystems       | 2550 Garcia Avenue                | Mountain View     | CA    | 94043  | 408-255-2937
Gauntlet            | TIS                    | 2060 Washington Rd                | Glenwood          | MD    | 21738  | 201-854-6889
GFX-94              | Global Tech, Assoc     | 3504 Lake Lynda Dr, Suite 160     | Orlando           | FL    | 321817 | 407-380-0220
IRX Livingston      | Livingston Enterprises | 6920 Koll Center Parkway #220     | Pleasanton        | CA    | 94566  | 510-426-0770
Int Security Router | Atlantic Systems Group | Incutech Center, Bag Service 6900 | Fredericton, N.B. | CAN   |        | 506-453-3505
NetGate             | Smallworks of Travis   | 4401 Stont Meadow Lane            | Austin            | TX    | 7831   | 512-338-0619
NetSP Secure Net    | IBM                    | POB 12195, MS B44A-B501           | Research Park     | NC    | 27709  | 919-254-5074
Network-1           | Network-1 Software     | 909 Third Ave (9th floor)         | New York          | NY    | 10022  | 800-NETWORK1
Portus              | Livermore Software     | 1602 Mosay Stone                  | Houston           | TX    | 77077  | 800-240-5754
Priv Internet Ex    | Network Translation    | 1901 Embarcadero Rd, Suite 108    | Palo Alto         | CA    | 94303  | 415-494-6387
Security Router     | Network Systems        | 7600 Boone Avenue North           | Brooklyn Park     | MN    | 55428  | (612) 424-1784
Sidewinder          | Secure Computing       | 2675 Long Lake Rd                 | Roseville         | MN    | 55113  | 613-628-2700
Cisco               | Cisco Systems          |                                   | San Jose          | CA    |        | (415) 688-4521
SmartWall           | V-One                  | 12300 Twinbrook Parkway, #235     | Rockville         | MD    | 20852  | 301-881-2297

"Success through teamwork"
===============================================================================
Dale Drew                                MCI Telecommunications
Manager                                  internetMCI Security Engineering
Voice: 703/715-7058                      Internet: ddrew@mci.net
Fax: 703/715-7066                        MCIMAIL: Dale_Drew/644-3335

From firewalls-owner Wed Jul 12 14:07:11 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA23884 for firewalls-outgoing; Wed, 12 Jul 1995 13:42:33 -0700
Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA23879 for ; Wed, 12 Jul 1995 13:42:30 -0700
Received: from offramp.dsccc.com by relay4.UU.NET with SMTP id QQyyco10712; Wed, 12 Jul 1995 16:41:27 -0400
Received: by offramp.dsccc.com (5.67b/SMI-V1.8) id AA22716; Wed, 12 Jul 1995 15:43:01 -0500
Received: from onramp(192.245.102.129) by offramp via smap (V1.3mjr) id sma022693; Wed Jul 12 15:42:31 1995
Received: from optilink.dsccc.com (optilink.optilink.dsccc.com [192.9.200.1]) by camelot.dsccc.com (8.6.11/8.6.10) with SMTP id PAA17119; Wed, 12 Jul 1995 15:42:10 -0500
Received: from earth.optilink.dsccc.com by optilink.dsccc.com with smtp id m0sW8aM-0002MgC; Wed, 12 Jul 95 13:40 PDT
Received: by earth.optilink.dsccc.com id m0sW8c8-0001Q3C; Wed, 12 Jul 95 13:42 PDT
Date: Wed, 12 Jul 95 13:42 PDT
From: James_Dehnert@optilink.optilink.dsccc.com
Message-Id: <9507121342.ZM276@earth>
X-Pgp-Print: 91 FE 2F C5 9F B3 ED 9F F9 CD C6 7F 87 FF F6 6E
X-Mailer: Z-Mail (3.2.0 06sep94)
To: firewalls@GreatCircle.COM, socks@syl.dl.nec.com
Subject: Netscape & SSL
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have a user who is attempting to connect to a server under SSL. He can't seem to make the connection through our SOCKS gateway. Has anyone seen this problem before? Any suggestions?

--
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=++=+=+=+=+=+=+=+
= James "Zeke" Dehnert               Zeke_Dehnert@optilink.dsccc.com =
+ Unix Network Administrator                        (707) 792-7000 +
= DSC Access Products Div.                     Petaluma California =
+ The opinions represented herein are not necessarily those of DSC +
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+==+=+=+=+=+=+=+=+=+=+=+=+=+=+=

From firewalls-owner Wed Jul 12 14:41:06 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA25342 for firewalls-outgoing; Wed, 12 Jul 1995 14:32:15 -0700
Received: from farber2.dfci.harvard.edu (farber2.dfci.harvard.edu [155.52.45.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA25331 for ; Wed, 12 Jul 1995 14:32:08 -0700
Received: (from ellozy@localhost) by farber2.dfci.harvard.edu (8.6.11/8.6.11) id RAA07083 for firewalls@GreatCircle.COM; Wed, 12 Jul 1995 17:31:37 -0400
From: Mohamed Ellozy
Message-Id: <199507122131.RAA07083@farber2.dfci.harvard.edu>
Subject: UDP services (e.g dig) through firewalls
To: firewalls@GreatCircle.COM
Date: Wed, 12 Jul 1995 17:31:37 -0400 (EDT)
Reply-To: ellozy@dfci.harvard.edu
X-Organization: Dana-Farber Cancer Institute
X-phone: 617-632-3034, 617-632-3425
X-Mailer: ELM [version 2.4 PL22]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 287
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I understand why user level UDP services, like dig, do not go through packet filters that screen out all "unknown" ports. Do more sophisticated products allow user level UDP services through? Actually the only one I care much about is dig/nslookup. If they do, how?

Thanks.
Mohamed

From firewalls-owner Wed Jul 12 15:34:37 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA25527 for firewalls-outgoing; Wed, 12 Jul 1995 14:36:35 -0700
Received: from valiant.te.CdnAir.CA (valiant.te.CdnAir.CA [142.147.1.8]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA25514 for ; Wed, 12 Jul 1995 14:36:20 -0700
Received: by valiant.te.CdnAir.CA id AA10447 (5.67b/IDA-1.5 for Firewalls List ); Wed, 12 Jul 1995 14:31:57 -0700
Date: Wed, 12 Jul 1995 14:31:56 -0700 (PDT)
From: "Grant M. Fengstad"
To: Firewalls List
Subject: Access to TCP Port 113
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have noticed several denied packets from outside systems attempting to poke at tcp port 113 on one of my DMZ systems.

TCP 113 is defined as the authentication port. I can not seem to get a clear explanation as to what service(s) on the client side would be attempting to do this. This port is not enabled on our host sides.

I'd appreciate any input and/or clarification.

From firewalls-owner Wed Jul 12 15:49:00 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA25386 for firewalls-outgoing; Wed, 12 Jul 1995 14:34:32 -0700
Received: from tmai.com (tmai.com [192.246.219.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA25379 for ; Wed, 12 Jul 1995 14:34:29 -0700
Date: Wed, 12 Jul 95 14:33:16 PDT
From: ken_simpson@tmai.com (Kenneth Simpson)
Message-Id: <9507122133.AA12302@mailserver.tmai.com>
Subject: Re: Netscape & SSL
To: socks-owner@syl.dl.nec.com
Cc: firewalls@GreatCircle.COM, socks@syl.dl.nec.com
Reply-To: Ken_Simpson@tmai.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> I have a user who is attempting to connect to a server under SSL. He can't
>>seem to make the connection through our SOCKS gateway. Has anyone seen this
>>problem before? Any suggestions?
>>
>>
>>--
>>+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=++=+=+=+=+=+=+=+
>>= James "Zeke" Dehnert               Zeke_Dehnert@optilink.dsccc.com =
>>+ Unix Network Administrator                        (707) 792-7000 +
>>= DSC Access Products Div.                     Petaluma California =
>>+ The opinions represented herein are not necessarily those of DSC +
>>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+==+=+=+=+=+=+=+=+=+=+=+=+=+=+=
>>

I have no idea what SSL denotes but we had trouble getting Netscape 1.1N working with SOCKS too (running on SPARCstations under SunOS 4.1.4.)

-- Ken
--
=========================================================================
Kenneth Simpson                  Technology Modeling Associates, Inc.
Internet: Ken_Simpson@TMAI.com   3950 Fabian Way
AT&T: (415) 812-7233             Palo Alto, CA 94303
FAX: (415) 858-1591              USA, Earth
=========================================================================
"A Turing machine makes an ideal PC. The only equipment needed is a pencil and a piece of paper"

From firewalls-owner Wed Jul 12 16:04:48 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA27684 for firewalls-outgoing; Wed, 12 Jul 1995 15:56:12 -0700
Received: from sunthing.sjsinc.com (sunthing.sjsinc.com [140.174.165.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA27679 for ; Wed, 12 Jul 1995 15:56:08 -0700
Received: by sunthing.sjsinc.com Mailer: sendmail (8.6.12/8.6.9) Protocol: Id: PAA25813; Wed, 12 Jul 1995 15:55:23 -0700
Date: Wed, 12 Jul 1995 15:55:23 -0700
From: sjs@sunthing.sjsinc.com (Stefan Jon Silverman)
Message-Id: <199507122255.PAA25813@sjsinc.com>
To: firewalls@greatcircle.com
Subject: nfswatch on SLIP/PPP lines
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Folks:

Does anybody out there have a personally hacked version of nfswatch that can attach to a VJ/CSLIP or PPP serial connection???

I am interested, in a general way (a la top), in just watching these connections on the terminal server portion of a client's firewall machine over the course of the day...

TIA...will summarize if warranted...

thanx, b c++'ing u, %-)

sjs
--------------------------------------------------------------------------------
Stefan Jon Silverman - President                    SJS Associates, N.A., Inc.
572 Chestnut Street              Distributed Systems Architecture & Implementation
San Francisco, Ca. 94133                                    Phone: 415 989 2741
E-mail: sjs@sjsinc.com                                       Cell: 415 519 3494
--------------------------------------------------------------------------------
Weebles wobble, but they don't fall down!!!
--------------------------------------------------------------------------------

From firewalls-owner Wed Jul 12 16:38:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA28525 for firewalls-outgoing; Wed, 12 Jul 1995 16:18:37 -0700
Received: from scn1.nmc.wpafb.af.mil (scn1.nmc.wpafb.af.mil [129.48.23.254]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA28520 for ; Wed, 12 Jul 1995 16:18:34 -0700
Received: by Wright-Patterson AFB Mailgate Wed Jul 12 19:16:17 1995
Received: by sw20 (5.0/SMI-SVR4) id AA02088; Wed, 12 Jul 1995 19:11:40 -0400
Date: Wed, 12 Jul 1995 19:11:40 -0400
From: staatsvr@ss2.sews.wpafb.af.mil (VERN R. STAATS)
Message-Id: <9507122311.AA02088@sw20>
To: firewalls@greatcircle.com
Subject: icepick
Content-Length: 353
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My boss just asked if I had heard anything about a vulnerability assessment tool called "icepick". So far I've been unable to find a single reference. I don't know whether this is a commercial, free, or vapor product, or whether it is meant to be directed against a single system or a network.

Any info or pointers would be much appreciated... TIA.
From firewalls-owner Wed Jul 12 17:04:44 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA28793 for firewalls-outgoing; Wed, 12 Jul 1995 16:31:36 -0700
Received: from ns.incog.com (ns.incog.com [199.190.177.251]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA28786 for ; Wed, 12 Jul 1995 16:31:33 -0700
From: mulligan@future.incog.com
Received: from coslabs.incog.com by ns.incog.com (8.6.10/94082501) id QAA17161; Wed, 12 Jul 1995 16:31:55 -0700
Received: from future.incog.com by coslabs.incog.com (5.x/SMI-SVR4) id AA29880; Wed, 12 Jul 1995 17:30:59 -0600
Received: from future (localhost) by future.incog.com (5.x/SMI-SVR4) id AA27181; Wed, 12 Jul 1995 17:30:54 -0600
Message-Id: <9507122330.AA27181@future.incog.com>
To: ellozy@dfci.harvard.edu
Cc: firewalls@GreatCircle.COM
Subject: Re: UDP services (e.g dig) through firewalls
Reply-To: mulligan@incog.com
In-Reply-To: Your message of "Wed, 12 Jul 1995 17:31:37 EDT." <199507122131.RAA07083@farber2.dfci.harvard.edu>
Date: Wed, 12 Jul 1995 17:30:54 -0600
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There are commercial products that support passing UDP services and are implemented in different ways. Sunscreen supports passing many UDP services such as archie, DNS, NIS and others. If defined in the security policy, it will track outbound requests and allow inbound responses. If your rules allow passing DNS, then SunScreen will check that the packet looks like a DNS packet, not just coming from port 53 to port 53 but is carrying DNS data, before passing the packet.

Other implementations for UDP open a reverse path for udp responses for a defined time period when an outbound udp packet is sent. So there are some products that do support passing udp services.
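A small stateful UDP filter in the style Geoff describes above (remember the outbound request, open a reverse path for a limited time, and for port 53 insist that the payload is structurally DNS rather than just port-53-to-port-53). This is an added example, not SunScreen's or any product's code; the 30-second window, the Packet model and the DNS messages it builds are constructed for illustration.

```python
"""Stateful UDP pass-through: outbound requests are remembered, inbound
packets are admitted only if they reverse a remembered request within the
window, and DNS traffic must parse as a DNS message (added example; the
packet model and the timing window are assumptions, not a product's code)."""
import struct
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DNS_PORT = 53
REPLY_WINDOW = 30.0  # seconds a reverse path stays open (assumed value)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    outbound: bool  # True when the packet leaves the protected network


def looks_like_dns(payload: bytes, expect_response: bool) -> bool:
    """Structural DNS check: 12-byte header, QR bit as expected, at least one
    question whose name is a well-formed label sequence followed by QTYPE/QCLASS."""
    if len(payload) < 12:
        return False
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if ((flags >> 15) & 1) != (1 if expect_response else 0):
        return False
    if qdcount == 0:
        return False
    off = 12
    while True:
        if off >= len(payload):
            return False
        length = payload[off]
        if length == 0:            # root label terminates the name
            off += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer also terminates it
            off += 2
            break
        if length > 63:            # labels are at most 63 octets
            return False
        off += 1 + length
    return off + 4 <= len(payload)  # QTYPE and QCLASS must be present


def dns_txid(payload: bytes) -> int:
    return struct.unpack("!H", payload[:2])[0]


class StatefulUdpFilter:
    def __init__(self, window: float = REPLY_WINDOW):
        self.window = window
        # (inside_ip, inside_port, outside_ip, outside_port) -> (expiry, txid or None)
        self.pending: Dict[Tuple[str, int, str, int], Tuple[float, Optional[int]]] = {}

    def check(self, pkt: Packet, now: Optional[float] = None) -> str:
        """Return "pass" or "drop" for one packet, updating the state table."""
        now = time.monotonic() if now is None else now
        if pkt.outbound:
            txid = None
            if pkt.dport == DNS_PORT:
                if not looks_like_dns(pkt.payload, expect_response=False):
                    return "drop"  # bound for port 53 but not carrying a DNS query
                txid = dns_txid(pkt.payload)
            self.pending[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = (now + self.window, txid)
            return "pass"
        # Inbound: admitted only if it reverses a remembered outbound request.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        entry = self.pending.get(key)
        if entry is None:
            return "drop"
        expiry, txid = entry
        if now > expiry:
            del self.pending[key]
            return "drop"
        if pkt.sport == DNS_PORT:
            if not looks_like_dns(pkt.payload, expect_response=True):
                return "drop"
            if dns_txid(pkt.payload) != txid:
                return "drop"  # a reply that does not match the query we saw
        del self.pending[key]  # one reply per request closes the path
        return "pass"


def build_dns_query(txid: int, name: str) -> bytes:
    """Constructed A query for `name` with the usual recursion-desired flags."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def build_dns_response(txid: int, name: str, ip: str) -> bytes:
    """Constructed response echoing the question plus one A record."""
    query = build_dns_query(txid, name)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + rr
```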
geoff

From firewalls-owner Wed Jul 12 17:34:42 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA27913 for firewalls-outgoing; Wed, 12 Jul 1995 16:02:03 -0700
Received: from darkstar.bos.locus.com (darkstar.bos.locus.com [130.200.200.82]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA27906 for ; Wed, 12 Jul 1995 16:01:59 -0700
X-Sender: hal@darkstar.bos.locus.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 12 Jul 1995 18:53:09 -0400
To: Alan Hannan , firewalls@greatcircle.com
From: hal@locus.com (Hal Lockhart)
Subject: Re: Fortezza PC-Card
Cc: nocstaff@mid.net, witts@mid.net
X-Mailer:
Message-ID: <"darkstar.b.340:12.06.95.23.00.47"@locus.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:36 AM 7/11/95 -0500, Alan Hannan wrote:
>
> I am curious if anyone is familiar with the Fortezza PC-Card for
>authentication.

A lot of good comments have been posted on this subject. Perhaps it is a little late to mention, but if you are considering Fortezza, you need to be aware of the issues around Skipjack, Key Escrow, the Matt Blaze hack, etc. An excellent non-technical review of these issues and the general legal issues surrounding either allowing or requiring key escrow is a paper by Michael Froomkin of the University of Miami law school. It is available by ftp. Unfortunately I do not remember the exact URL. It is quite long, but well worth reading.

Regards,

Hal
=================================================================
Harold W. Lockhart Jr.               Locus Computing Corporation
Chief Technical Architect            8 New England Executive Park
Email: hal@locus.com                 Burlington, MA 01803 USA
Voice: (617)229-4980 X1202           Fax: (617)229-2969
=================================================================

From firewalls-owner Wed Jul 12 18:01:03 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA28625 for firewalls-outgoing; Wed, 12 Jul 1995 16:22:38 -0700
Received: from sunthing.sjsinc.com (sunthing.sjsinc.com [140.174.165.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA28615 for ; Wed, 12 Jul 1995 16:22:35 -0700
Received: by sunthing.sjsinc.com Mailer: sendmail (8.6.12/8.6.9) Protocol: Id: QAA25900; Wed, 12 Jul 1995 16:21:46 -0700
Date: Wed, 12 Jul 1995 16:21:46 -0700
From: sjs@sunthing.sjsinc.com (Stefan Jon Silverman)
Message-Id: <199507122321.QAA25900@sjsinc.com>
To: firewalls@greatcircle.com
Subject: nfswatch on SLIP/PPP lines
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Folks:

This is a re-send: Based on the first response I got, I think I need to be a little more specific:

CPU: Sparc II
OS: SunOS 4.1.x
CSLIP: VJ 2.7
PPP: 2.1.2 (w/ kernel hacks)
Firewall: mostly tcp_wrappers w/ some home-rolled & PD add-ons

Does anybody out there have a personally hacked version of nfswatch that can attach to a VJ/CSLIP or PPP serial connection???

I am interested, in a general way (a la top), in just watching these connections on the terminal server portion of a client's firewall machine over the course of the day...

TIA...will summarize if warranted...

thanx, b c++'ing u, %-)

sjs
--------------------------------------------------------------------------------
Stefan Jon Silverman - President                    SJS Associates, N.A., Inc.
572 Chestnut Street              Distributed Systems Architecture & Implementation
San Francisco, Ca. 94133                                    Phone: 415 989 2741
E-mail: sjs@sjsinc.com                                       Cell: 415 519 3494
--------------------------------------------------------------------------------
Weebles wobble, but they don't fall down!!!
--------------------------------------------------------------------------------

From firewalls-owner Wed Jul 12 18:17:19 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA29601 for firewalls-outgoing; Wed, 12 Jul 1995 17:15:04 -0700
Received: from chronos.synopsys.com (chronos.synopsys.com [146.225.8.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id RAA29596 for ; Wed, 12 Jul 1995 17:15:01 -0700
Received: from atropos.synopsys.com by chronos.synopsys.com with SMTP id AA12853 (5.65c/IDA-1.4.4 for ); Wed, 12 Jul 1995 17:14:32 -0700
Received: from mango.synopsys.com (mango.synopsys.com [146.225.72.11]) by atropos.synopsys.com (8.6.9/8.6.9) with ESMTP id RAA12528; Wed, 12 Jul 1995 17:14:30 -0700
From: Arnold de Leon
Received: (from arnold@localhost) by mango.synopsys.com (8.7.Beta.5/8.7.Beta.5) id RAA05800; Wed, 12 Jul 1995 17:14:27 -0700
Date: Wed, 12 Jul 1995 17:14:27 -0700
Message-Id: <199507130014.RAA05800@mango.synopsys.com>
In-Reply-To: ken_simpson@tmai.com (Kenneth Simpson) "Re: Netscape & SSL" (Jul 12, 2:33pm)
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
To: Ken_Simpson@tmai.com
Subject: Re: Netscape & SSL
Cc: firewalls@greatcircle.com, socks@syl.dl.nec.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Jul 12, 2:33pm, Kenneth Simpson wrote:
} Subject: Re: Netscape & SSL
} >> I have a user who is attempting to connect to a server under SSL. He can't
} >>seem to make the connection through our SOCKS gateway. Has anyone seen this
} >>problem before? Any suggestions?
} >>
}-- End of excerpt from Kenneth Simpson

Make sure you don't have a security proxy defined if you are going to use socks w/ SSL. Works fine for me.
This is a netscape 1.1N talking to a socks 4.2 daemon talking to socks 4.0 daemon (yes, a socksified sockd) The CERN httpd can also be built and configured to run as an SSL proxy. You have an apply a patch. That also works just fine. arnold From firewalls-owner Wed Jul 12 18:26:09 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA00950 for firewalls-outgoing; Wed, 12 Jul 1995 17:55:28 -0700 Received: from Relay1.Austria.EU.net (relay1.Austria.EU.net [192.92.138.47]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id WAA29254 for ; Tue, 11 Jul 1995 22:56:04 -0700 From: dataline@dataline.co.at Received: from dataline.co.at (s16.vie1.Austria.EU.net) by Relay1.Austria.EU.net with SMTP id AA26125 (5.67b/IDA-1.5 for ); Wed, 12 Jul 1995 07:55:34 +0200 Date: Wed, 12 Jul 95 07:55:38 PDT Subject: rfc 1597 and firewall To: firewalls@greatcircle.com X-Mailer: Chameleon - TCP/IP for Windows by NetManage, Inc. Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk dear all, can anybody help me ? what can happen to an ip network (ip adresses follow rfc 1597) in case of connecting it to the internet. we want to use a dual homed firewall gatway for communcation with hosts outside of our net. what kind of risks and attacks can follow after connecting in that case (which components can be attacked in case of using rfc 1597 adresses) ?? 
thanks in advance Thomas Pabst BANK AUSTRIA RECHENZENTRUM KG Abteilung 8897 Postfach 50000 A-1011 Wien Tel : ++43/1/71191/4233 Fax : ++43/1/71191/1919 E-mail: dataline@dataline.co.at Date: 05/09/95 Time: 07:26:11 This message was sent by Chameleon ------------------------------------- From firewalls-owner Wed Jul 12 18:34:56 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA28585 for firewalls-outgoing; Wed, 12 Jul 1995 16:21:14 -0700 Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA28578 for ; Wed, 12 Jul 1995 16:21:10 -0700 Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA26919; Wed, 12 Jul 95 19:20:33 -0500 From: paul@hawksbill.sprintmrn.com (Paul Ferguson) Message-Id: <9507130020.AA26919@hawksbill.sprintmrn.com> Subject: Re: Access to TCP Port 113 To: G.Fengstad@CdnAir.CA (Grant M. Fengstad) Date: Wed, 12 Jul 1995 19:20:33 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: from "Grant M. Fengstad" at Jul 12, 95 02:31:56 pm X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 1218 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > I have noticed several denied packets from outside systems attempting to > poke at tcp port 113 on one of my DMZ systems. > > TCP 113 is defined as the authentication port. I can not seem to get a > clear explanation as to what service(s) on the client side would be > attempting to do this. This port is not enabled on our host sides. > > I'd appreciate any input and/or clarification. > > tcp/113 is ident protocol (RFC-1413). Filtering it may cause problems with some applications, to include some TELNET implementations. Some applications still send a tcp/113 auth request as back-channel response to incoming connections. 
Blocking _shouldn't_ wreak too much havoc, but you may notice that establishing connections to outside services may seem to hang during the connection process while the tcp/113 request times out. My vote: Block it. - paul _______________________________________________________________________________ Paul Ferguson US Sprint tel: 703.689.6828 Managed Network Engineering internet: paul@hawk.sprintmrn.com Reston, Virginia USA http://www.sprintmrn.com From firewalls-owner Wed Jul 12 20:04:38 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA05584 for firewalls-outgoing; Wed, 12 Jul 1995 20:02:01 -0700 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id UAA05577 for ; Wed, 12 Jul 1995 20:01:58 -0700 Received: from awadi.com.AU by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950602) id TAA26225; Wed, 12 Jul 1995 19:57:32 -0700 Received: from bunya.awadi ([150.207.1.63]) by awadi.com.AU (4.1/SMI-4.1) id AA26294; Thu, 13 Jul 95 12:28:23 CST Received: from mallee.awadi by bunya.awadi (5.x/SMI-SVR4) id AA00396; Thu, 13 Jul 1995 12:25:11 +0930 From: blymn@awadi.com.AU (Brett Lymn) Message-Id: <9507130255.AA00396@bunya.awadi> Subject: Re: Netscape & SSL To: arnold@Synopsys.COM (Arnold de Leon) Date: Thu, 13 Jul 1995 12:25:11 +0930 (CST) Cc: firewalls@greatcircle.com In-Reply-To: <199507130014.RAA05800@mango.synopsys.com> from "Arnold de Leon" at Jul 12, 95 05:14:27 pm X-Mailer: ELM [version 2.4 PL2] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk According to Arnold de Leon: > >Make sure you don't have a security proxy defined if you are >going to use socks w/ SSL. > How do you get socks working with SSL? 
I have socks running but when one of my PC/Mac users tries to use socks
they get refused because the user is always called SSL (we restrict access
to sockd to specific users here).

--
Brett Lymn, Computer Systems Administrator, AWA Defence Industries
===============================================================================
"It's fifteen hundred miles to Ankh-Morpork" he said. "We've got three
hundred and sixty three elephants, fifty carts of forage, the monsoon's
about to break and we're wearing ... we're wearing ... sort of things,
like glass, only dark... dark glass things on our eyes..."
                                        - Terry Pratchett "Moving Pictures".

From firewalls-owner Wed Jul 12 20:34:32 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA06302 for firewalls-outgoing; Wed, 12 Jul 1995 20:31:06 -0700
Received: from suburbia.net (suburbia.apana.org.au [192.188.107.90]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id UAA06291 for ; Wed, 12 Jul 1995 20:30:56 -0700
Received: (proff@localhost) by suburbia.net (8.6.10/8.6.8++) id NAA26184; Thu, 13 Jul 1995 13:28:47 +1000
From: Julian Assange
Message-Id: <199507130328.NAA26184@suburbia.net>
Subject: Re: Access to TCP Port 113
To: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Date: Thu, 13 Jul 1995 13:28:46 +1000 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <9507130020.AA26919@hawksbill.sprintmrn.com> from "Paul Ferguson" at Jul 12, 95 07:20:33 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 397
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Blocking _shouldn't_ wreak too much havoc, but you may notice that
> establishing connections to outside services may seem to hang during
> the connection process while the tcp/113 request times out.
>
> My vote: Block it.
>

Yes, after all US Sprint has to protect the usernames/uids of all the hackers
coming out from their internal network.

Typical small-minded isolationist stance.
-Proff

From firewalls-owner Wed Jul 12 20:49:09 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA06152 for firewalls-outgoing; Wed, 12 Jul 1995 20:18:39 -0700
Received: from amdext.amd.com (amdext.amd.com [139.95.251.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id UAA06146 for ; Wed, 12 Jul 1995 20:18:36 -0700
Received: from amdint.amd.com by amdext.amd.com with SMTP id AA12725 (5.67a/IDA-1.5+AMD for ); Wed, 12 Jul 1995 20:17:36 -0700
Received: from brahms.amd.com by amdint.amd.com with SMTP id AA09662 (5.67a/IDA-1.5+AMD); Wed, 12 Jul 1995 20:17:35 -0700
Received: from by brahms.amd.com (4.1/AMDSN-1.18) id AB09586; Wed, 12 Jul 95 20:17:33 PDT
Message-Id: <9507130317.AB09586@brahms.amd.com>
X-Sender: chris@brahms (Unverified)
X-Mailer: Windows Eudora Version 2.0.3
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 12 Jul 1995 20:17:19 -0700
To: Ken_Simpson@tmai.com, socks-owner@syl.dl.nec.com
From: Chris.Martin@amd.com (Chris Martin)
Subject: Re: Netscape & SSL
Cc: firewalls@greatcircle.com, socks@syl.dl.nec.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 02:33 PM 7/12/95 PDT, Ken_Simpson@tmai.com wrote:
>>>
>
>I have no idea what SSL denotes but we had trouble getting Netscape 1.1N
>working with SOCKS too (running on SPARCstations under SunOS 4.1.4.)

SSL stands for "Secure Sockets Layer". Netscape believes that the way to
create secure HTTP is to do so at the socket layer rather than doing so
atop normal sockets. They have proxies that can proxy their protocols
based atop SSL but I have met no success trying to do so otherwise.
--Chris

From firewalls-owner Wed Jul 12 21:07:03 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA06613 for firewalls-outgoing; Wed, 12 Jul 1995 20:45:36 -0700
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id UAA06595 for ; Wed, 12 Jul 1995 20:45:29 -0700
Message-Id: <199507130345.UAA06595@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA284017099; Thu, 13 Jul 1995 13:44:59 +1000
From: Darren Reed
Subject: Changing a firewall setup.
To: Firewalls@GreatCircle.COM (Firewalls Mailing List)
Date: Thu, 13 Jul 1995 13:44:59 +1000 (EST)
In-Reply-To: <199507101312.GAA29583@miles.greatcircle.com> from "Darren Reed" at Jul 10, 95 11:11:46 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 415
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What sort of procedures do people follow through design by choice (or lack
thereof) in order to change their system's firewall policy ?

(Yes, I realise it is not meant to change, but you may change ISP, need a
new service, be asked to open up an existing service, etc).

Is downtime or disconnection a requirement ?

Do you know what happens to your cisco when you upload a new configuration
(is this safe) ?

darren

From firewalls-owner Wed Jul 12 21:34:34 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA08077 for firewalls-outgoing; Wed, 12 Jul 1995 21:20:42 -0700
Received: from phoenix.org ([131.128.20.78]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id VAA08064 for ; Wed, 12 Jul 1995 21:20:34 -0700
Received: (from medulla@localhost) by phoenix.org (8.6.11/8.6.9) id AAA00124; Thu, 13 Jul 1995 00:07:45 -0400
Date: Thu, 13 Jul 1995 00:07:36 -0400 (EDT)
From: Mike Edulla
To: "Grant M. Fengstad"
cc: Firewalls List
Subject: Re: Access to TCP Port 113
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 12 Jul 1995, Grant M. Fengstad wrote:

> Date: Wed, 12 Jul 1995 14:31:56 -0700 (PDT)
> From: Grant M. Fengstad
> To: Firewalls List
> Subject: Access to TCP Port 113
>
> I have noticed several denied packets from outside systems attempting to
> poke at tcp port 113 on one of my DMZ systems.
>
> TCP 113 is defined as the authentication port. I can not seem to get a
> clear explanation as to what service(s) on the client side would be
> attempting to do this. This port is not enabled on our host sides.
>
> I'd appreciate any input and/or clarification.
>

Products like TCP_Wrapper often check that port for logging purposes.
Wuftp does the same too, I believe.

From firewalls-owner Wed Jul 12 22:04:37 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA09147 for firewalls-outgoing; Wed, 12 Jul 1995 21:49:44 -0700
Received: from nucleus.com (nucleus.com [199.45.65.129]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id VAA09141 for ; Wed, 12 Jul 1995 21:49:40 -0700
Received: (mcphee@localhost) by nucleus.com (8.6.8.1/8.6.5) id WAA28690; Wed, 12 Jul 1995 22:43:30 -0600
Date: Wed, 12 Jul 1995 22:43:29 -0600 (MDT)
From: Al McPhee
To: Julian Assange
cc: Paul Ferguson , firewalls@GreatCircle.COM
Subject: Re: Access to TCP Port 113
In-Reply-To: <199507130328.NAA26184@suburbia.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 13 Jul 1995, Julian Assange wrote:

> > Blocking _shouldn't_ wreak too much havoc, but you may notice that
> > establishing connections to outside services may seem to hang during
> > the connection process while the tcp/113 request times out.
> >
> > My vote: Block it.
> >
>
> Yes, after all US sprint has to protect the usernames/uids of all the hackers
> come out from their internal network.
>
> Typical small minded isolationist stance.
>
> -Proff
>

Small-minded isolationist stance? Does firewall architecture somehow
insinuate an open policy? Of course it's isolationist. Protecting
uid/usernames from a subnet is good policy. It disallows (or tries to)
hackers on the *outside* from getting information about the inside.

Mcphee

From firewalls-owner Wed Jul 12 22:32:42 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA08941 for firewalls-outgoing; Wed, 12 Jul 1995 21:43:00 -0700
Received: from miriworld.its.unimelb.EDU.AU (miriworld.its.unimelb.EDU.AU [128.250.6.194]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id VAA08934 for ; Wed, 12 Jul 1995 21:42:55 -0700
Received: (from danny@localhost) by miriworld.its.unimelb.EDU.AU (8.6.11/8.6.11) id OAA10321; Thu, 13 Jul 1995 14:41:46 +1000
Date: Thu, 13 Jul 1995 14:41:44 +1000 (EST)
From: "Daniel O'Callaghan"
X-Sender: danny@miriworld.its.unimelb.EDU.AU
To: Mike Edulla
cc: "Grant M. Fengstad" , Firewalls List
Subject: Re: Access to TCP Port 113
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 13 Jul 1995, Mike Edulla wrote:

> On Wed, 12 Jul 1995, Grant M. Fengstad wrote:
> >
> > TCP 113 is defined as the authentication port. I can not seem to get a
> > clear explanation as to what service(s) on the client side would be
> > attempting to do this. This port is not enabled on our host sides.
> >
> > I'd appreciate any input and/or clarification.
> >
>
> Products like TCP_Wrapper often check that port for logging purposes.
> Wuftp does the same too, I believe.

And IRC, sendmail, NCSA httpd, CERN httpd...
Best to (a) block and send unreachable; (b) pass through and have the host
return E_CONN_REFUSED.

If you drop silently, you cause the remote system to block for 10-20 seconds.
If you say conn refused, at least the remote system can get on with its work.

D.

From firewalls-owner Wed Jul 12 22:39:35 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA09210 for firewalls-outgoing; Wed, 12 Jul 1995 21:52:31 -0700
Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id VAA09205; Wed, 12 Jul 1995 21:52:25 -0700
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 12 Jul 1995 21:52:20 -0800
To: Julian Assange , paul@hawksbill.sprintmrn.com (Paul Ferguson)
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: Access to TCP Port 113
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 1:28 PM 7/13/95, Julian Assange wrote:
>> Blocking _shouldn't_ wreak too much havoc, but you may notice that
>> establishing connections to outside services may seem to hang during
>> the connection process while the tcp/113 request times out.
>>
>> My vote: Block it.
>>
>
>Yes, after all US sprint has to protect the usernames/uids of all the hackers
>come out from their internal network.
>
>Typical small minded isolationist stance.

We are NOT going to have this argument again, so knock it off. Anyone
interested in the debate can access the Firewalls WAIS archives: host
"wais.greatcircle.com", database name "firewalls-digest", search for
keyword "ident".
-Brent

----------------------------------------------------------------------
For info about the Internet Security Firewalls Tutorial and a schedule
of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM
----------------------------------------------------------------------
Brent Chapman                                   Great Circle Associates
Brent@GreatCircle.COM                           1057 West Dana Street
+1 415 962 0841                                 Mountain View, CA 94041

From firewalls-owner Wed Jul 12 22:54:54 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA09253 for firewalls-outgoing; Wed, 12 Jul 1995 21:53:48 -0700
Received: from netmail2.microsoft.com (netmail2.microsoft.com [131.107.1.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id VAA09248 for ; Wed, 12 Jul 1995 21:53:45 -0700
Received: by netmail2.microsoft.com (5.65/25-eef) id AA12755; Wed, 12 Jul 95 22:26:14 -0700
Message-Id: <9507130526.AA12755@netmail2.microsoft.com>
Received: by netmail2 using fxenixd 1.0 Wed, 12 Jul 95 22:26:14 PDT
X-Msmail-Message-Id: F9AE3BF9
X-Msmail-Conversation-Id: F9AE3BF9
From: Jonathon Tidswell
To: peter@perth.wgc.com.au, sdevore@barr.com
Date: Wed, 12 Jul 95 14:38:37 TZ
Subject: RE: CERN-httpd as a http proxy.
Cc: firewalls@greatcircle.com
X-Msxmtid: syd-02-msg950712034152MTP[01.00.00]000000a3-7519
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm using a caching proxy in Perl (for caching, not firewalling).
It seems to run quite nicely and has a number of nice configuration options.

from memory: http://www.gh.cs.su.oz.au/~matty/Ichthus/

It currently runs in a non-root account so I haven't tried to run it chroot'd
and setuid nobody.

regards
Jon T

Obnote: It comes with source :-)

----------
| From: "Steve P. Devore"
| To: ;
| Subject: CERN-httpd as a http proxy. -Reply
| Date: Wednesday, 5 July 1995 8:24
|
|
| I am running the cern http proxy in a chrooted environment on a sunos
| system and it works well. There is a web document that can help you
| out.
| I don't have the url but do a search on cern, httpd, and chroot
| you should find it. Unfortunately it is written in Norwegian (I
| think) but you can figure out the important stuff.
|
| If you do put up the full server, I would recommend doing so on a
| separate server, especially if you use cgi scripts.
|
| I have had a lot better luck with the cern proxy server than with the
| fwtk proxy server, and it caches as well, a definite plus. The only
| problem is that the cern daemon is huge.
|
| >>> Peter Musca 7/4/95, 11:46pm >>>
| Hi all,
|
| I am about to replace the http- proxy from the fwtk with the
| cern-httpd proxy. I want to run it in a chrooted environment and
| would appreciate any tips, advice etc from anyone who has done this.
| I am not sure whether I will be building a full blown WWW server as
| yet, but that may come in the future..
|
| thanking you..
|
| ...peter
| --
| ----------------------------------------------------------------------
| Peter Musca  System/Network Administrator  Email: peter@perth.wgc.com.au
| World Geoscience Corp                      Phone: +61-9-383-7833
| Western Australia                          fax:   +61-9-383-7166
| ----------------------------------------------------------------------
|
|
|
|

From firewalls-owner Wed Jul 12 23:04:45 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA10938 for firewalls-outgoing; Wed, 12 Jul 1995 22:46:49 -0700
Received: from gxl.woodtech.com (gxl.woodtech.com [204.248.87.4]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id WAA10932 for ; Wed, 12 Jul 1995 22:46:46 -0700
Received: (from joey@localhost) by gxl.woodtech.com (8.6.12/8.6.12) id AAA01246; Thu, 13 Jul 1995 00:49:36 -0500
Date: Thu, 13 Jul 1995 00:49:34 -0500 (CDT)
From: Joe Smith
To: firewalls@greatcircle.com
Subject: firewall for OS/2
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is anyone aware of a firewall that runs on the OS/2 Connect platform?

From firewalls-owner Wed Jul 12 23:20:08 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA10705 for firewalls-outgoing; Wed, 12 Jul 1995 22:42:38 -0700
Received: from suburbia.net (suburbia.apana.org.au [192.188.107.90]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id WAA10700 for ; Wed, 12 Jul 1995 22:42:31 -0700
Received: (proff@localhost) by suburbia.net (8.6.10/8.6.8++) id PAA28935 for firewalls@greatcircle.com; Thu, 13 Jul 1995 15:41:58 +1000
From: Julian Assange
Message-Id: <199507130541.PAA28935@suburbia.net>
Subject: Re: Access to TCP Port 113
To: mcphee@nucleus.com (Al McPhee)
Date: Thu, 13 Jul 1995 15:20:45 +1000 (EST)
In-Reply-To: from "Al McPhee" at Jul 12, 95 10:43:29 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1234
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > Yes, after all US sprint has to protect the usernames/uids of all the hackers
> > come out from their internal network.
> >
> > Typical small minded isolationist stance.
> >
> > -Proff
> >
> Small minded isolationist stance? Does firewall architecture somehow
> insinuate an open policy? Of course it's isolationist. Protecting
> uid/usernames from a subnet is good policy. It dissalows (or trys to)
> hackers on the *outside* from getting information about the inside.
>
> Mcphee

Golly, that's a serious breach of security, isn't it? When someone from your
site connects to a remote site and the remote site obtains a number from 0 to
65535. This enables even hackers who have had serious digital accidents with
chain-saws to count beyond the number five if you connect to their site
enough.

The only valid security concern is that your identd may have an intentional
or unintentional backdoor in it.

It's more of the "user mentality" that I am disturbed to note is rampant on
the internet nowadays. Personally I'm proud to have a network that has more
data flowing out of it than in.
If your security is based on the secrecy of your usernames or uid's then you
don't have security: you have poor man's obscurity.

-Proff

From firewalls-owner Thu Jul 13 00:04:52 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA13055 for firewalls-outgoing; Wed, 12 Jul 1995 23:35:02 -0700
Received: from phoenix.org ([131.128.20.78]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id XAA13014 for ; Wed, 12 Jul 1995 23:34:52 -0700
Received: (from medulla@localhost) by phoenix.org (8.6.11/8.6.9) id CAA00267; Thu, 13 Jul 1995 02:34:12 -0400
Date: Thu, 13 Jul 1995 02:34:03 -0400 (EDT)
From: Mike Edulla
To: Al McPhee
cc: Julian Assange , Paul Ferguson , firewalls@GreatCircle.COM
Subject: Re: Access to TCP Port 113
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 12 Jul 1995, Al McPhee wrote:

> Date: Wed, 12 Jul 1995 22:43:29 -0600 (MDT)
> From: Al McPhee
> To: Julian Assange
> Cc: Paul Ferguson ,
>     firewalls@GreatCircle.COM
> Subject: Re: Access to TCP Port 113
>
>
>
> On Thu, 13 Jul 1995, Julian Assange wrote:
>
> > > Blocking _shouldn't_ wreak too much havoc, but you may notice that
> > > establishing connections to outside services may seem to hang during
> > > the connection process while the tcp/113 request times out.
> > >
> > > My vote: Block it.
> > >
> >
> > Yes, after all US sprint has to protect the usernames/uids of all the hackers
> > come out from their internal network.
> >
> > Typical small minded isolationist stance.
> >
> > -Proff
> >
> Small minded isolationist stance? Does firewall architecture somehow
> insinuate an open policy? Of course it's isolationist. Protecting
> uid/usernames from a subnet is good policy. It dissalows (or trys to)
> hackers on the *outside* from getting information about the inside.
>

Due to the nature of the service, hackers can't easily get information about
your users.
If memory serves, you send it a src and dest port number, and it returns the
information. Because of this, it isn't all that dangerous.

At the VERY least, you should send an unreachable, so the other side doesn't
hang while trying to connect.

From firewalls-owner Thu Jul 13 00:43:55 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA13757 for firewalls-outgoing; Thu, 13 Jul 1995 00:07:39 -0700
Received: from caesar.udac.se (Caesar.UDAC.SE [193.44.79.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id AAA13747 for ; Thu, 13 Jul 1995 00:07:34 -0700
Received: from [193.44.77.24] (mac-77-24.UDAC.SE) by caesar.udac.se with SMTP id AA20217 (5.67b-Emil1.1/IDA-1.5 for ); Thu, 13 Jul 1995 09:04:34 +0200
Message-Id:
Date: Thu, 13 Jul 1995 09:06:53 +0200
To: firewalls@greatcircle.com
From: Mats.Bredell@udac.se (Mats Bredell)
Subject: Re: Access to TCP Port 113
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>On Thu, 13 Jul 1995, Mike Edulla wrote:
>
>> On Wed, 12 Jul 1995, Grant M. Fengstad wrote:
>> >
>> > TCP 113 is defined as the authentication port. I can not seem to get a
>> > clear explanation as to what service(s) on the client side would be
>> > attempting to do this. This port is not enabled on our host sides.
>> >
>> > I'd appreciate any input and/or clarification.
>> >
>>
>> Products like TCP_Wrapper often check that port for logging purposes.
>> Wuftp does the same too, I believe.
>
>And IRC, sendmail, NCSA httpd, CERN httpd... Best to (a) block and send
>unreachable; (b) pass through and have the host return E_CONN_REFUSED
>
>If you drop silently, you cause the remote system to block for 10-20 seconds.
>If you say conn refused, at least the remote system can get on with its work.

True. We drop the packets silently, and it makes our users almost unable to
use WWW with some servers.
Since the new version of NCSA httpd supports identd, a lot of WWW servers out
there require identd to send some kind of response.

/Mats
-------------------------------------------------------------------
Mats Bredell                          Mats.Bredell@udac.se
UDAC / Network C Communication service systems
Ph: +46 18 187817                     Sweden
Fax: +46 18 516600

From firewalls-owner Thu Jul 13 01:08:09 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA15567 for firewalls-outgoing; Thu, 13 Jul 1995 00:58:30 -0700
Received: from hp00086.ina.de (hp00086.ina.de [159.51.6.8]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id AAA15562 for ; Thu, 13 Jul 1995 00:58:24 -0700
Received: from de00024.ina.de by hp00086.ina.de with SMTP (1.38.193.4/INA-1.0-SER) for greatcircle.com id AA07875; Thu, 13 Jul 1995 09:54:43 +0200
From: Basil McCrea KOQ
Message-Id: <9507130758.AA15802@de00024.koq.ina.de>
Received: by de00024.koq.ina.de (5.65/INA-1.0) for ina id AA15802; Thu, 13 Jul 1995 09:58:18 +0200
Subject: X & Firewall
To: firewalls@GreatCircle.COM
Date: Thu, 13 Jul 95 9:58:17 MET DST
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi

I would like to have X clients running via a firewall. I don't want
to work with such a setup but it's sometimes useful to be able to
see what a client's software is doing.

I would be very thankful for any suggestions (even if it is DON'T DO IT).
Thanks
Basil

Basil McCrea, Industriestr 1-3, 91074 Herzogenaurach, Germany
Tel: +49-9132-823318, Fax: +49-9132-824958
E-Mail: mccrebsi@koq.ina.de

From firewalls-owner Thu Jul 13 02:06:37 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA18334 for firewalls-outgoing; Thu, 13 Jul 1995 02:02:04 -0700
Received: from daisy.ee.und.ac.za (Daisy.ee.und.ac.za [146.230.192.18]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id CAA18329 for ; Thu, 13 Jul 1995 02:01:54 -0700
Received: by daisy.ee.und.ac.za (Smail3.1.28.1 #31) id m0sWK8x-0007UZC; Thu, 13 Jul 95 11:01 GMT+0200
Date: Thu, 13 Jul 1995 11:01:14 +0200 (GMT+0200)
From: Alan Barrett
To: Paul Ferguson
cc: firewalls@greatcircle.com
Subject: Re: Access to TCP Port 113
In-Reply-To: <9507130020.AA26919@hawksbill.sprintmrn.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> My vote: Block it.

If you block it, and if it is easy for you to send back a TCP RST packet
instead of simply dropping the incoming TCP SYN, then please send a TCP RST.
(I suppose an ICMP port unreachable might do instead of a TCP RST.) That
way, when your users connect to sites that try to get ident information,
they will not have to wait for timeouts.
--apb (Alan Barrett)

From firewalls-owner Thu Jul 13 02:35:07 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA18764 for firewalls-outgoing; Thu, 13 Jul 1995 02:12:56 -0700
Received: from sirius.dk ([193.89.23.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id CAA18750 for ; Thu, 13 Jul 1995 02:12:45 -0700
From: ugilt@sirius.dk
Received: by janus.sirius.dk id <44801>; Thu, 13 Jul 1995 11:08:36 +0100
X-Mailer: SuperTCP Pro for Windows Version 1.1 (Mailer Version 1.02)
Date: Thu, 13 Jul 1995 11:24:51 +0100
Subject: Re: X & Firewall
To: firewalls@greatcircle.com
Mime-Version: 1.0
Content-Type: Text/Plain; Charset=US-ASCII
Message-Id: <95Jul13.110836gmt+0100.44801@janus.sirius.dk>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>I would like to have X clients running via a firewall. I don't want
>to work with such a setup but it's sometimes useful to be able to
>see what a client's software is doing.
>
>I would be very thankful for any suggestions (even if it is DON'T DO IT).

As you said: DON'T DO IT !!!

The implementation of X11 is (normally) insecure. Even worse, many times a
user will telnet to the host, set the display env and launch X clients.

You should also note that a smart external "user" can potentially capture
and control both screen and keyboard of an internal X-terminal.

If you _really_ need to do this, make sure that only a _very_ limited number
of source and destination addresses are allowed so you can track all sessions.

Good luck
---
Michael
Ugilt@sirius.dk
"Of all the things I've lost - I miss my mind the most"

From firewalls-owner Thu Jul 13 02:55:49 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA19048 for firewalls-outgoing; Thu, 13 Jul 1995 02:26:54 -0700
Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id CAA19037 for ; Thu, 13 Jul 1995 02:26:42 -0700
From: fc@all.net (Dr. Frederick B. Cohen)
Received: by all.net (4.1/3.2.012693-Management Analytics); id AA19431 for firewalls@greatcircle.com; Thu, 13 Jul 95 05:20:43 EDT
Message-Id: <9507130920.AA19431@all.net>
Subject: Re: Access to TCP Port 113
To: firewalls@greatcircle.com
Date: Thu, 13 Jul 1995 05:20:42 -0400 (EDT)
In-Reply-To: from "Al McPhee" at Jul 12, 95 10:43:29 pm
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 1996
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > > Blocking _shouldn't_ wreak too much havoc, but you may notice that
> > > establishing connections to outside services may seem to hang during
> > > the connection process while the tcp/113 request times out.
> > >
> > > My vote: Block it.
> > >
> >
> > Yes, after all US sprint has to protect the usernames/uids of all the hackers
> > come out from their internal network.
> >
> > Typical small minded isolationist stance.
...
> Small minded isolationist stance? Does firewall architecture somehow
> insinuate an open policy? Of course it's isolationist. Protecting
> uid/usernames from a subnet is good policy. It dissalows (or trys to)
> hackers on the *outside* from getting information about the inside.

Blocking ident daemon is fine, except of course, that it makes an implicit
policy decision that secrecy is more important than integrity. Is that
really the protection policy you prefer?

The whole purpose of ident daemon services is to provide (admittedly weak)
authentication of the user making a request. When a user at your site tries
to break into another site, and the other site reports the details to you,
the ident daemon allows you to trace the user down much more quickly - we
have experienced a fair amount of that at our site and it has saved a lot of
time and effort by remote sysops.

The ident daemon can be run with a reasonable degree of protection if you
have a secure version (Is there one? Maybe that'll be the next secure
daemon we offer for free.)
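[Editor's note, not part of any message in this thread: the RFC 1413 exchange that Paul, Mike, Daniel, Alan and Fred discuss above is short enough to show end to end. The example below is added here and is not code from any poster. It runs both sides on 127.0.0.1: the server side answers a "server-port , client-port" query from a connection table, the client side parses the USERID / ERROR reply, and a final query against a port nobody listens on shows what Daniel and Alan are asking for: a refused connection (RST, or ICMP port unreachable) comes back at once, whereas a silently dropped SYN would only surface through the timeout branch. The connection table, the port pairs and the user names are constructed for the example; a real identd asks the kernel who owns the connection.]

```python
"""RFC 1413 (ident) exchange on localhost, both sides, plus the fail-fast
behaviour of a refused query. Added example; the connection table and
sample ports are constructed, not taken from any message in the thread."""
import socket
import threading

# Constructed stand-in for the kernel's TCP connection table:
# (port on the ident server's host, port on the querying host) -> owner.
# A real identd asks the OS which user owns that connection.
CONNECTIONS = {(6191, 23): "stjohns", (23, 6193): "ajk"}


def parse_request(line: bytes):
    """'<server-port> , <client-port>' CRLF -> (int, int), or None if unparseable."""
    try:
        a, b = line.decode("ascii").strip().split(",")
        return int(a), int(b)
    except (UnicodeDecodeError, ValueError):
        return None


def build_response(line: bytes, table=CONNECTIONS, hide=False) -> bytes:
    """Server side: answer one request line as RFC 1413 section 3 lays out.
    hide=True models an identd configured to reveal nothing (HIDDEN-USER),
    the privacy-preserving alternative to blocking the port outright."""
    pair = parse_request(line)
    if pair is None:
        return b"0 , 0 : ERROR : INVALID-PORT\r\n"
    sp, cp = pair
    if not (1 <= sp <= 65535 and 1 <= cp <= 65535):
        return f"{sp} , {cp} : ERROR : INVALID-PORT\r\n".encode("ascii")
    if hide:
        return f"{sp} , {cp} : ERROR : HIDDEN-USER\r\n".encode("ascii")
    user = table.get((sp, cp))
    if user is None:
        return f"{sp} , {cp} : ERROR : NO-USER\r\n".encode("ascii")
    return f"{sp} , {cp} : USERID : UNIX : {user}\r\n".encode("ascii")


def parse_response(line: bytes):
    """Client side: -> ('USERID', opsys, user-id) or ('ERROR', code, None)."""
    fields = [f.strip() for f in line.decode("ascii", "replace").strip().split(":")]
    if len(fields) >= 4 and fields[1] == "USERID":
        return ("USERID", fields[2], ":".join(fields[3:]))  # user-id may contain ':'
    if len(fields) >= 3 and fields[1] == "ERROR":
        return ("ERROR", fields[2], None)
    return ("ERROR", "MALFORMED", None)


def serve(listener: socket.socket, count: int) -> None:
    """Answer `count` connections, one request line each, then stop."""
    for _ in range(count):
        conn, _addr = listener.accept()
        with conn:
            request = conn.makefile("rb").readline(1000)  # RFC 1413 caps the line
            conn.sendall(build_response(request))


def query_ident(host, port, server_port, client_port, timeout=2.0):
    """Ask host:port who owns the (server_port, client_port) connection.
    A refused connection (RST, or ICMP unreachable) returns at once; a
    silently dropped SYN would only come back through the timeout branch."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"{server_port} , {client_port}\r\n".encode("ascii"))
            reply = s.makefile("rb").readline(1000)
    except ConnectionRefusedError:
        return ("ERROR", "REFUSED", None)
    except socket.timeout:
        return ("ERROR", "TIMEOUT", None)
    return parse_response(reply) if reply else ("ERROR", "NO-REPLY", None)


def demo() -> dict:
    """Run the exchange end to end on 127.0.0.1 and return each outcome."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(2)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=serve, args=(listener, 2))
    worker.start()
    results = {
        "found": query_ident("127.0.0.1", port, 6191, 23),
        "missing": query_ident("127.0.0.1", port, 6191, 99),
    }
    worker.join()
    listener.close()
    # Nothing listens on the port any more: the kernel answers with RST,
    # so the caller is back immediately instead of waiting out the timeout.
    results["refused"] = query_ident("127.0.0.1", port, 6191, 23)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:8s} {outcome}")
```

Running it prints a USERID reply for the constructed connection, NO-USER for an unknown port pair, and REFUSED for the closed port. The `hide` switch is the middle ground between the two camps in the thread: the daemon still answers (so remote servers do not stall), but reveals no account name.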
--
-> See: Info-Sec Heaven using our New Super Secure World-Wide-Web Server
-> Free: Test your system's security (scans deeper than SATAN or ISS!)
---------------------- both at URL: http://all.net ----------------------
-> Read: "Protection and Security on the Information Superhighway"
   John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95
-------------------------------------------------------------------------
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236

From firewalls-owner Thu Jul 13 03:34:55 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA20460 for firewalls-outgoing; Thu, 13 Jul 1995 03:27:53 -0700
Received: from ns.stibo.dk (ns.stibo.dk [193.88.170.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id DAA20449 for ; Thu, 13 Jul 1995 03:26:25 -0700
Received: by ns.stibo.dk (8.6.9/8.6.9) id MAA26650 for ; Thu, 13 Jul 1995 12:21:39 +0200
Received: from stibo_net by ns.stibo.dk via smap (V1.3) id sma026648; Thu Jul 13 12:21:15 1995
Received: by per.stibo.dk (8.6.12/8.6.9) id MAA00031; Thu, 13 Jul 1995 12:21:15 +0200
Date: Thu, 13 Jul 1995 12:21:13 +0200 (MET DST)
From: Per Hagen
To: firewalls@GreatCircle.COM
cc: Per Hagen
Subject: Re: Encryption outside the US
In-Reply-To: <950712091451.13997@edgware.-v>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=USASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I forgot to tell where to find the non-US implementation of SSL.
This is a short part of the readme file in the distribution.

    SSLeay v 0.4.3 15/06/95
    Copyright (c) 1995, Eric Young
    All rights reserved.

    This directory contains Eric Young's (eay@mincom.oz.au) implementation
    of SSL and supporting libraries.
    The current version of this library is available from
    ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/SSLeay-x.xx.tar.gz

    There are patches to a number of internet applications which can be
    found in ftp://ftp.psy.uq.oz.au/pub/Crypto/SSLapps/

    This Library and programs are FREE for commercial and non-commercial
    usage. The only restriction is that I must be attributed with the
    development of this code. See the COPYRIGHT file for more details.
    Donations would still be accepted :-).

    For people in the USA, it is possible to compile SSLeay to use RSA
    Inc.'s public key library, RSAref. From my understanding, it is claimed
    by RSA inc. to be illegal to use my public key routines inside the USA.
    Read doc/RSAref.doc on how to build with RSAref.

The paragraph talking about the use of RSAref looks most interesting for
folks in the USA. It means that the same implementation of SSL can be used
both in the US and non-US. :-)

Regards
Per L. Hagen, Network Administrator
------------------------------------------------------------------------
Advanced Catalogue Solutions    The Stibo Technology Group... Since 1794
|_// | Stibo                    Sletvej 34, DK-8310 Tranbjerg J, Denmark
Datagraphics,                   Phone: +45 86 29 55 11, Fax: +45 86 29 51 03
Research Department             E-mail: per@stibo.dk or postmaster@stibo.dk
PGP public key available from pgp keyserver at MIT.
Type bits/keyID    Date       User ID
pub  1024/A4105121 1994/12/06 Per L. Hagen
     Key fingerprint = A8 FD B3 C2 32 AC 01 4F  D9 55 BF 05 C3 1E 9B A3
------------------------------------------------------------------------

From firewalls-owner Thu Jul 13 03:51:15 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA20026 for firewalls-outgoing; Thu, 13 Jul 1995 03:03:25 -0700
Received: from ns.stibo.dk (ns.stibo.dk [193.88.170.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id DAA20016 for ; Thu, 13 Jul 1995 03:03:14 -0700
Received: by ns.stibo.dk (8.6.9/8.6.9) id LAA26602 for ; Thu, 13 Jul 1995 11:58:38 +0200
Received: from stibo_net by ns.stibo.dk via smap (V1.3) id sma026599; Thu Jul 13 11:58:27 1995
Received: by per.stibo.dk (8.6.12/8.6.9) id LAA29991; Thu, 13 Jul 1995 11:58:28 +0200
Date: Thu, 13 Jul 1995 11:58:26 +0200 (MET DST)
From: Per Hagen
To: firewalls@GreatCircle.COM
cc: Per Hagen
Subject: Re: Encryption outside the US
In-Reply-To: <199507120933.AA05181@personal.eunet.fi>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=USASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 12 Jul 1995, Kari Laine wrote:

> > Date: Tue, 11 Jul 1995 17:29:52 -0400 (EDT)
> > From: Steve Gaarder
> > To: firewalls@greatcircle.com
> > Subject: Encryption outside the US
>

A possibility for the encryption will be to use SSL (Secure Socket Layer).
This will provide you with strong encryption (IDEA, DES, RC4) and
authentication (MD2, MD5). Previously SSL (defined by Netscape
Communications) has been governed by the US export regulations, but right
now an independent complete implementation of SSL has been done in
Australia, by Eric Young. This implementation is called SSLeay.

I for one am going to use this for an implementation of a virtual network
between our sites!
Here is the setup:

    Inside Machine-A                              Inside Machine-D
    running PPP over tcp                          running PPP over tcp
          |  socket # X                                 |  socket # X
          |                                             |
    Firewall-B                                    Firewall-C
    crypto plug-gw-cr -from Machine A    =====    plug-gw-cr -from Firewall-B
                      -to Firewall-C                          -to Machine-D
                      -tokey XXX                              -fromkey XXX
    crypto plug-gw-cr -from Firewall-C   =====    plug-gw-cr -from Machine-D
                      -to Machine-A                           -to Firewall-B
                      -fromkey YYY                            -tokey YYY

The above is the setup I have already implemented using libdes from
Australia. I will now change this to use SSL.

Regards,

Per L. Hagen, Network Administrator
------------------------------------------------------------------------
Advanced Catalogue Solutions     The Stibo Technology Group... Since 1794
  |_//  |  Stibo                 Sletvej 34, DK-8310 Tranbjerg J, Denmark
Datagraphics,                    Phone: +45 86 29 55 11, Fax: +45 86 29 51 03
Research Department              E-mail: per@stibo.dk or postmaster@stibo.dk
PGP public key available from pgp keyserver at MIT.
Type bits/keyID    Date       User ID
pub  1024/A4105121 1994/12/06 Per L. Hagen
     Key fingerprint = A8 FD B3 C2 32 AC 01 4F D9 55 BF 05 C3 1E 9B A3
------------------------------------------------------------------------

From firewalls-owner Thu Jul 13 04:04:46 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA21267 for firewalls-outgoing; Thu, 13 Jul 1995 03:54:02 -0700
Received: from mms (mms.mms-gmbh.de [193.103.159.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id DAA21262 for ; Thu, 13 Jul 1995 03:53:50 -0700
Message-Id:
Comments: Authenticated sender is
From: "Frank Heinzius"
To: firewalls@greatcircle.com
Date: Thu, 13 Jul 1995 13:00:40 +0000
Subject: Request: Summary of known services
Reply-to: frimp@mms-gmbh.de
Priority: normal
X-mailer: Pegasus Mail for Windows (v2.01)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello Firewallers!

From time to time I analyze the logged packet filter denies from our
firewall. Most denies are clear, but some hosts from the outside try
strange UDP and TCP port numbers.

Does anyone have a recent list of well-known services for TCP and UDP
ports? Where can I obtain it?

Thanks in advance,

Frank
--
***** The expressed opinions are totally mine! *****
Frank M. Heinzius                    MMS Communication GmbH
frimp@mms-gmbh.de                    Eiffestrasse 598
Phone: +49 40 2111105-0              Fax: +49 40 210 32 210

From firewalls-owner Thu Jul 13 04:35:08 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA22318 for firewalls-outgoing; Thu, 13 Jul 1995 04:26:06 -0700
Received: from cbisgate.cbis.com (cbisgate.cbis.com [155.90.248.205]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id EAA22313 for ; Thu, 13 Jul 1995 04:25:59 -0700
Received: from notes (notes.cbis.com) by cbisgate.cbis.com (4.1/SMI-4.1) id AA06303; Thu, 13 Jul 95 07:25:28 EDT
Received: by notes (IBM OS/2 SENDMAIL VERSION 1.3.2)/1.0) id AA3510; Thu, 13 Jul 95 07:27:20 -0700
Message-Id: <9507131427.AA3510@notes>
Received: from CBIS with "Lotus Notes Mail Gateway for SMTP" id 1B3B84270AD2B058852561F8003D0DC3; Thu, 13 Jul 95 07:27:19
To: firewalls-digest
From: Warren Moore
Date: 13 Jul 95 7:22:22 EDT
Subject: Re: Looking for OS/2 Web Client behind Firewall
X-Importance: High
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 12 Jul 95 @ 15:17:01 MESZ, Eckard Weber asked:

> but we also have a lot of OS/2 PC's. I have OS/2 2.11
> with TCP/IP 2.0 from IBM, including DOS/Windows Access
> Kit. If I try to run Netscape in the Windowsbox the PC hangs up.
> Who knows a WEB Client running in the OS/2 environment ?

You're probably hanging due to a WINSOCK problem. However, you can try
IBM's WebExplorer for OS/2. Here's how to get it:

1) By anonymous FTP from ftp.ibm.net. (Login as user "anonymous").
   Download the file WEB101.ZIP. Unzip this file in a temp directory and
   run WEBINST.EXE to install.
   You can ignore the message to "Reboot after Installation". There's also
   a beta version WEB303.ZIP you might try.

2) By the "Retrieve Software Updates" icon in the Internet Connection for
   OS/2 in the OS/2 WARP Bonus Pack. Click on this icon and then select
   WebExplorer to download and automatically install.

According to Big Blue, the WebExplorer for OS/2 has been tested to run with
both the Internet Connection for OS/2 in the Bonus pack of OS/2 WARP, and
TCP/IP 2.0 on OS/2 2.1 or higher. If you are running OS/2 2.1 or higher and
using TCP/IP 2.0, you MUST upgrade to the latest Corrective Service Diskette
(CSD) for TCP/IP 2.0. The latest CSD is level UN64092 dated 8/30/94. (Which
I haven't installed yet, so who knows?)

Good Luck,

Warren S. Moore, CISSP
Information Security Specialist
Cincinnati Bell Information Systems Inc.

From firewalls-owner Thu Jul 13 05:09:03 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA22927 for firewalls-outgoing; Thu, 13 Jul 1995 04:49:11 -0700
Received: from disperse.demon.co.uk (disperse.demon.co.uk [158.152.1.77]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id EAA22922 for ; Thu, 13 Jul 1995 04:48:59 -0700
Received: from post.demon.co.uk by disperse.demon.co.uk id aa11964; 13 Jul 95 11:26 +0100
Received: from hanover.demon.co.uk by post.demon.co.uk id ab27098; 13 Jul 95 11:26 +0100
To: firewalls@greatcircle.com
MMDF-Warning: Unable to confirm address in preceding line at disperse.demon.co.uk
From: benjamin@hanover.demon.co.uk
MMDF-Warning: Parse error in original version of preceding line at post.demon.co.uk
Date: Thu, 13 Jul 95 09:43:52
Message-ID: <2.51.884D67CCB.BenMail@hanover.demon.co.uk>
X-Mailer: BenMail 2.51
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> cancel firewalls
>

Hmmm... I think this could have some rather severe security implications!
8-) (sorry couldn't resist)

[ob. firewalls Q] Has anyone heard/had any dealings with the Lotus Notes
internet product... it is rumoured that this includes some firewalling
capability... is this true???

Cheers,

Benjamin
--
Benjamin Ellis - Hanover Consulting, Farnborough, UK. Home of BenMail
PR person, asked if customers with support contracts got better treatment:
"Oh no, definitely not, we ship the latest bugs to all of our customers..."

From firewalls-owner Thu Jul 13 05:27:17 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA22786 for firewalls-outgoing; Thu, 13 Jul 1995 04:43:07 -0700
Received: from gsusgi2.Gsu.EDU (gsusgi2.Gsu.EDU [131.96.1.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id EAA22781 for ; Thu, 13 Jul 1995 04:43:04 -0700
Received: (from syshtg@localhost) by gsusgi2.Gsu.EDU (8.6.10/8.6.10) id HAA28240; Thu, 13 Jul 1995 07:41:54 -0400
From: Tom Gillman
Message-Id: <199507131141.HAA28240@gsusgi2.Gsu.EDU>
Subject: Re: Request: Summary of known services
To: frimp@mms-gmbh.de
Date: Thu, 13 Jul 1995 07:41:54 -0500 (EDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Frank Heinzius" at Jul 13, 95 01:00:40 pm
X-Mailer: ELM [version 2.4 PL17]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 658
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Does anyone have a recent list of well-known services for TCP and UDP
> ports? Where can I obtain it?
>

RFC 1700, available from a fine ftp site near you. Try nic.ddn.mil, or
rtfm.mit.edu, or ftp.uu.net, for starters.

Tom
--
Tom Gillman, Unix/AIX Systems Weenie  |"For a privacy advocate to determine
Wells Computer Center-Ga. State Univ. |the best way to do key escrow is like
(404) 651-4503 syshtg@gsusgi2.gsu.edu |a death penalty opponent choosing
I'm not allowed to have an opinion.   |between gas or electricity"-D.Banisar
key to UNIX: echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D4D465452snlbxq'|dc

From firewalls-owner Thu Jul 13 05:34:58 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA23467 for firewalls-outgoing; Thu, 13 Jul 1995 05:05:15 -0700
Received: from greatdane.cisco.com (greatdane.cisco.com [171.69.1.141]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA23462 for ; Thu, 13 Jul 1995 05:05:12 -0700
Received: (tli@localhost) by greatdane.cisco.com (8.6.8+c/8.6.5) id FAA14180; Thu, 13 Jul 1995 05:04:41 -0700
Date: Thu, 13 Jul 1995 05:04:41 -0700
From: Tony Li
Message-Id: <199507131204.FAA14180@greatdane.cisco.com>
To: Firewalls@GreatCircle.COM (Firewalls Mailing List)
Subject: Changing a firewall setup.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

   Do you know what happens to your cisco when you upload a new
   configuration (is this safe) ?

That depends on how you do it. If you do the obvious thing and do

	no access-list 101
	access-list 101 ....
	access-list 101 ....
	access-list 101 ....

Then yes, there is a small window during the parsing of the access list
during which you're exposed.

A better technique is to change the access group on the interface.
Tony

From firewalls-owner Thu Jul 13 06:25:22 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA25088 for firewalls-outgoing; Thu, 13 Jul 1995 05:49:56 -0700
Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA25071 for ; Thu, 13 Jul 1995 05:49:46 -0700
Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA28810; Thu, 13 Jul 95 08:48:18 -0500
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9507131348.AA28810@hawksbill.sprintmrn.com>
Subject: Re: Request: Summary of known services
To: syshtg@gsusgi2.Gsu.EDU (Tom Gillman)
Date: Thu, 13 Jul 1995 08:48:17 -0500 (EST)
Cc: frimp@mms-gmbh.de, firewalls@GreatCircle.COM
In-Reply-To: <199507131141.HAA28240@gsusgi2.Gsu.EDU> from "Tom Gillman" at Jul 13, 95 07:41:54 am
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 719
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> >
> > Does anyone have a recent list of well-known services for TCP and UDP
> > ports? Where can I obtain it?
> >
>
> RFC 1700, available from a fine ftp site near you. Try nic.ddn.mil, or
> rtfm.mit.edu, or ftp.uu.net, for starters.
>

Try:

	ds.internic.net:/rfc/rfc1700.txt

Also may be worth your while to grab a copy of the rfc-index.txt as well.

- paul
_______________________________________________________________________________
Paul Ferguson                               US Sprint
tel: 703.689.6828                           Managed Network Engineering
internet: paul@hawk.sprintmrn.com           Reston, Virginia USA
                                            http://www.sprintmrn.com

From firewalls-owner Thu Jul 13 06:41:21 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA25580 for firewalls-outgoing; Thu, 13 Jul 1995 05:57:40 -0700
Received: from suburbia.net (suburbia.apana.org.au [192.188.107.90]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA25560 for ; Thu, 13 Jul 1995 05:57:27 -0700
Received: (proff@localhost) by suburbia.net (8.6.10/8.6.8++) id WAA02686; Thu, 13 Jul 1995 22:56:19 +1000
From: Julian Assange
Message-Id: <199507131256.WAA02686@suburbia.net>
Subject: Re: Access to TCP Port 113
To: baumann@proton.llumc.edu (Michael Baumann)
Date: Thu, 13 Jul 1995 22:56:17 +1000 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Michael Baumann" at Jul 13, 95 04:34:08 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 844
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> On Thu, 13 Jul 1995, Julian Assange wrote:
>
> > Yes, after all US sprint has to protect the usernames/uids of all the hackers
> > come out from their internal network.
> >
> > Typical small minded isolationist stance.
> >
> > -Proff
> >
> Well,,, I firmly believe in: If I don't support it, block it.
> And I don't support ident. Why? Because it is *useless* for identification.
> Case in point: IRC clients now available for Mac and PC that have
> Ident servers.. guess what they return? Anything the owner wants.
>

So? The very choice of what they choose to give is informative, as is the
fact that the user has the ability to choose anything they want. Even if
only uids are sent the constant or non-constant natures of those uids is
informative. I suppose you suggest we do away with the identd protocol
altogether?

-Proff

From firewalls-owner Thu Jul 13 06:58:48 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA25852 for firewalls-outgoing; Thu, 13 Jul 1995 06:03:03 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA25846 for ; Thu, 13 Jul 1995 06:02:59 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA23978; Thu, 13 Jul 95 08:39:54 -0400
Date: Thu, 13 Jul 95 08:39:53 -0400
Message-Id: <9507131239.AA23978@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: re: Quarentined Mail
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Carl Jolley made a number of good points, and the fact is that such things
come up against the Turing Halting Problem when you try to analyze what
something does.

On the other hand, binary code does not have to be transmitted as binary.
Compression and cryptographic envelopes exist to mask function, uuencode and
tekhex can transform binary into RFC-compliant ASCII, or even executable
ASCII can be transmitted.

On the gripping hand, while you cannot determine what such "masked" code is,
you *can* separate such code from flat ASCII with simple frequency analysis
techniques as have been developed by cryptanalysts to determine when a code
has been broken. These have been around for a considerable time.

Thus it would be feasible to construct a policy whereby plain flat ASCII
mail is forwarded automatically to the recipient while "anything else" is
examined first. With somewhat more effort, formatted text, postscript,
Word/WordPerfect, or even ViaCrypt/PGP documents should be able to be
identified/separated from "other things".

Most likely this should be handled as a separate component device of the
to which all port 25 traffic, regardless of destination, is routed.
The device would accept mail, construct the complete message, analyze for
type (*not* content) and forward according to a rules-based structure.

Warmly,
Padgett

From firewalls-owner Thu Jul 13 07:05:08 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA27312 for firewalls-outgoing; Thu, 13 Jul 1995 06:59:35 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA27302 for ; Thu, 13 Jul 1995 06:59:30 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA24411; Thu, 13 Jul 95 09:29:04 -0400
Date: Thu, 13 Jul 95 09:29:04 -0400
Message-Id: <9507131329.AA24411@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Fortezza etc.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Lotsa negative stuff omitted:

>2. No commercial customers would touch it either. One fortune 100 customer
>told us "We will only use Clipper if ALL other forms of encryption are
>outlawed."

Didn't ask me. All I want is a PCMCIA card that has built in crypto, auto
ignition, v.17/v.34/v.42/v.42bis & ethernet, full session encryption, and
full local disk encryption. Would pay $500 for such a device but so far
no-one has offered me one at *any* price. Still have no concern about
Clipper, if really bothered will just use PGP first. (Still think the most
intelligent thing the fed could do would be to either drop the LEAF or
allow corporate entities to be their own escrow administrators).

So far all I have heard is "RSN" (though Nat'l Semi "Personna" seems
close). Such a product could have a "Capstone" module or a "RSA" module or
a "Lil Orphan Annie Secret Decoder Ring" module. Point is *nothing* that I
know of (and I look) is commercially available today.

Since no-one can buy it (and the real key is "one stop shopping"), any
"market research" can say anything you want it to (and look where it got
Iomega with its ZIP drive).

Point is that I do not need "100 year" crypto for 99% of what I do, just
need something that authenticates both ends, would be reasonably expensive
to break (and not in real-time), and is reasonably fast (say 5 MBytes/sec).
Making the device more expensive to break/buy than the user is just an
exercise in futility and how we got carjackings.

IMNSHO we need a general purpose device that is cheap, easy to use, and
*reasonably* secure. For this Clipper/Capstone/Tessera/Fortezza/??? is
"good enough" (C).

Just to look ahead a bit, can see a device with slots for 8/16/32 such
cards as a component of a firewall, that encrypts Internet sessions as
opened and is fully transparent to the user (except for an icon indicating
"safe" or "unsecured").

Just some thoughts but tired of waiting,
Padgett

From firewalls-owner Thu Jul 13 07:53:06 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA00290 for firewalls-outgoing; Thu, 13 Jul 1995 07:31:58 -0700
Received: from mail.Germany.EU.net (mail.Germany.EU.net [192.76.144.65]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA00285 for ; Thu, 13 Jul 1995 07:31:53 -0700
Date: Thu, 13 Jul 1995 16:33:16 +0200
Message-Id: <199507131433.QAA01096@mail.Germany.EU.net>
Received: by mail.Germany.EU.net with SMTP (8.6.5:29/EUnetD-2.5.1.j) via EUnet id QAA01096; Thu, 13 Jul 1995 16:33:16 +0200
X-Sender: hallen@eplus.de
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
To: firewalls-digest@GreatCircle.COM
From: hallen@eplus.de (test)
Subject: Firewalls for ISO/OSI
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anybody know about a firewall, that performs the ISO/OSI
protocol-stack?
I think about filtering services like FTAM or about application-gateways
with authentication for VirtualTerminal etc.

Thank you

_____________________
Burkhard von Ehren
E-Plus Mobilfunk GmbH
Ulmenstr. 125
40476 Düsseldorf
Tel.: +49 211 448-3534
Fax: +49 211 448-4046

From firewalls-owner Thu Jul 13 08:18:54 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA01114 for firewalls-outgoing; Thu, 13 Jul 1995 07:39:13 -0700
Received: from druid.reston.mci.net (druid.Reston.mci.net [204.70.128.42]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA01104 for ; Thu, 13 Jul 1995 07:39:09 -0700
Received: (from ddrew@localhost) by druid.reston.mci.net (8.6.12/8.6.6) id KAA10050; Thu, 13 Jul 1995 10:38:30 -0400
Date: Thu, 13 Jul 1995 10:38:30 -0400
Message-Id: <199507131438.KAA10050@druid.reston.mci.net>
To: ddrew@mci.net, avolio@TIS.COM
Subject: Re: Firewall Information
Cc: firewalls@greatcircle.com
From: ddrew@mci.net
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Fred:

Thank you for the heads up. I will make it a point to go through the data
and correct any misspellings that are present, including the area code of
your organization.

Dale

From firewalls-owner Thu Jul 13 08:31:39 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA29998 for firewalls-outgoing; Thu, 13 Jul 1995 07:30:01 -0700
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA29973 for ; Thu, 13 Jul 1995 07:29:55 -0700
Received: from TIS.COM by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950602) id HAA28031; Thu, 13 Jul 1995 07:25:35 -0700
Received: from relay.tis.com by neptune.TIS.COM id aa21137; 13 Jul 95 10:26 EDT
Received: from sol.tis.com(192.33.112.100) by relay.tis.com via smap (g3.0.1) id xma010518; Thu, 13 Jul 95 10:19:58 -0400
Received: from sol.tis.com by tis.com (4.1/SUN-5.64) id AA02006; Thu, 13 Jul 95 10:25:07 EDT
Message-Id: <9507131425.AA02006@tis.com>
From: Frederick M Avolio
X-Organization: Trusted Information Systems, Inc.
X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363
To: ddrew@mci.net
Cc: firewalls@greatcircle.com
Subject: Re: Firewall Information
In-Reply-To: Your message of Wed, 12 Jul 95 15:18:05 -0400. <199507121918.PAA05414@druid.reston.mci.net>
Date: Thu, 13 Jul 95 10:25:06 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Typos in here -- product names spelled wrong, City names spelled wrong,
wrong area codes (TIS' number is 301-854-5550, for example) .... Just a
warning that there are probably a lot of errors if I found 4 just skimming
quickly.

Fred

From firewalls-owner Thu Jul 13 08:44:42 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA02164 for firewalls-outgoing; Thu, 13 Jul 1995 08:12:41 -0700
Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA02159 for ; Thu, 13 Jul 1995 08:12:37 -0700
Received: from wellspring.us.dg.com by dg-rtp.dg.com (5.4R2.01/dg-rtp-v02) id AA20490; Thu, 13 Jul 1995 11:12:08 -0400
Received: from immis184 by wellspring.us.dg.com (5.4.1/dg-gens08) id AA07877; Thu, 13 Jul 1995 11:12:04 -0400
Message-Id: <9507131512.AA07877@wellspring.us.dg.com>
Comments: Authenticated sender is
From: "Jim Carroll"
Organization: Data General (Canada) Inc.
To: Tony Li , Firewalls@GreatCircle.COM
Date: Thu, 13 Jul 1995 11:11:23 -0500
Subject: Re: Changing a firewall setup.
Reply-To: jcarroll@wellspring.us.dg.com
Priority: normal
X-Mailer: Pegasus Mail for Windows (v2.01)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Rumour has it that on 13 Jul 95 at 5:04, Tony Li said:

>
> Do you know what happens to your cisco when you upload a new
> configuration (is this safe) ?
>
> That depends on how you do it. If you do the obvious thing and do
>
> 	no access-list 101
> 	access-list 101 ....
> 	access-list 101 ....
> 	access-list 101 ....
>
> Then yes, there is a small window during the parsing of the access
> list during which you're exposed.
>
> A better technique is to change the access group on the interface.

Could you please comment on the following scenario:

1. Enable tftp server on the bastion.
2. Save configuration to bastion host.
3. Disable tftp server on the bastion.
4. Edit config file on the bastion, changing as desired.
5. Enable tftp server on the bastion.
6. Load configuration from the bastion host.
7. Disable tftp server once again.

If your Cisco is blocking UDP < 1024 anyway, the risk should be very small.
If you assume for the moment that your filtering rules are inadequate, and
that UDP *can* get through, the risk is a bit greater, but only briefly,
twice.

It also helps if your tftp server supports restricting transfers to/from
only one directory. If you have a way of setting it up chroot'ed, even
better.

Aside from commenting on the above, how large is the window of risk to the
Cisco while you're loading the new config?

--
Jim Carroll - jcarroll@wellspring.us.dg.com
... the usual disclaimers ...
## The more I learn, the less I know.                ##
## Eventually I'll know everything about nothing.    ##

From firewalls-owner Thu Jul 13 09:29:36 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA02722 for firewalls-outgoing; Thu, 13 Jul 1995 08:32:25 -0700
Received: from godel2.bim.be (godel2.bim.be [141.253.4.135]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA02717 for ; Thu, 13 Jul 1995 08:32:18 -0700
From: pc@bim.be
Received: from dvorak.bim.be by godel2.bim.be (5.x/SMI-SVR4) id AA09381; Thu, 13 Jul 1995 17:28:42 +0200
Date: Thu, 13 Jul 1995 17:28:42 +0200
Message-Id: <9507131528.AA09381@godel2.bim.be>
To: mccrebsi@koq.ina.de
Subject: Re: X & Firewall
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>I would like to have X clients running via a firewall. I don't want
>to work with such a setup but it's sometimes useful to be able to
>see what a client's software is doing.

You can have a look at:

- xforward (ftp://crl.dec.com/pub/DEC/xforward.tar.Z)
- x-gw from the TIS fwtk (ftp://ftp.tis.com//pub/firewalls/toolkit/fwtk-v1.3.tar.Z)

Philippe
--
Ph. Cayphas
Senior Engineer
E-Mail:      pc@bim.be
Telephone:   +32(10)47.08.32
Fax :        +32(10)47.08.11
Postal Mail: Ph. Cayphas
             BIM sa
             4, Av. Albert Einstein
             1348 Louvain-La-Neuve
             Belgium

From firewalls-owner Thu Jul 13 09:36:50 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA02431 for firewalls-outgoing; Thu, 13 Jul 1995 08:21:17 -0700
Received: from druid.reston.mci.net (druid.Reston.mci.net [204.70.128.42]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA02426 for ; Thu, 13 Jul 1995 08:21:14 -0700
Received: (from ddrew@localhost) by druid.reston.mci.net (8.6.12/8.6.6) id LAA10249; Thu, 13 Jul 1995 11:20:40 -0400
Date: Thu, 13 Jul 1995 11:20:40 -0400
Message-Id: <199507131520.LAA10249@druid.reston.mci.net>
To: firewalls@greatcircle.com
Subject: Revised firewall information
Cc: ddrew@mci.net
From: ddrew@mci.net
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've received a number of requests to update information and other various
adds, changes and deletes, so I thought I would repost this information.
I've placed a version number on it, and also made it available on our FTP
Server (ftp://ftp.mci.net/pub/security/firewall.vendors). We will be adding
some matrix tables to the file that identify services, features and
functionality compared to other firewall products.
Firewall Vendor Information (v1.1)

PRODUCT             |Company Name           | Street Address                 | City          |State | ZIP    | Phone
-------------------------------------------------------------------------------------------------------------------------------
ANS Interlock       | ANS CO+RE Systems     | 100 Clearbrook Road            | Elmsford      | NY   | 10523  | 914-789-5337
ASR 4200            | ACC Network           | 8320 Guilford Rd suite G       | Columbia      | MD   | 21406  | 410-290-8775
BlackHole           | Milky Way Networks    | 2650 Queensview Dr, suite 255  | Ottawa,Ontario| CAN  |        | 613-596-5549
BorderWare          | Border Network Technol| 1 Yonge St, Suite 1400         | Toronto,Ontari| CAN  |        | 416-368-7157
CyberGuard          | Harris Computers      | 2101 W Cypress Creek Rd        | FT Lauderdale | FL   | 33309  | 305-974-1700
Digital's F/W       | Digital               | 40 Old Boston Rd               | Stow          | MA   | 01775  | 508-496-8626
Eagle               | Raptor Systems        | 69 Hickory Dr                  | Waltham       | MA   | 02154  | 617-487-6755
Firewall-1          | Checkpoint Software   | One Militia Dr                 | Lexington     | MA   | 02173  | 617-859-9051
SunScreen           | Sun Microsystems      | 2550 Garcia Avenue             | Mountain View | CA   | 94043  | 408-255-2937
Gauntlet            | TIS                   | 2060 Washington Rd             | Glenwood      | MD   | 21738  | 301-854-6889
ToolKit             | TIS                   | 2060 Washington Rd             | Glenwood      | MD   | 21738  | 301-854-6889
GFX-94              | Global Tech, Assoc    | 3504 Lake Lynda Dr, Suite 160  | Orlando       | FL   | 321817 | 407-380-0220
IRX Livingston      | Livingston Enterprises| 6920 Koll Center Parkway #220  | Pleasanton    | CA   | 94566  | 510-426-0770
Int Security Router | Atlantic Systems Group| Incutech Center, Bag Service   | Fredericton   | CAN  |        | 506-453-3505
                    |                       | 6900                           | N.B           |      |        |
NetGate             | Smallworks of Travis  | 4401 Stone Meadow Lane         | Austin        | TX   | 7831   | 512-338-0619
NetSP Secure Net    | IBM                   | POB 12195, MS B44A-B501        | ResearchPark  | NC   | 27709  | 919-254-5074
Network-1           | Network-1 Software    | 909 Third Ave (9th floor)      | New York      | NY   | 10022  | 800-NETWORK1
Portus              | Livermore Software    | 1602 Mosay Stone               | Houston       | TX   | 77077  | 800-240-5754
Priv Internet Ex    | Network Translation   | 1901 Embarcadero Rd, Suite 108 | Palo Alto     | CA   | 94303  | 415-494-6387
Security Router     | Network Systems       | 7600 Boone Avenue North        | Brooklyn Park | MN   | 55428  | 612-424-1784
Sidewinder          | Secure Computing      | 2675 Long Lake Rd              | Roseville     | MN   | 55113  | 613-628-2700
Cisco               | Cisco Systems         | PO BOX 3075                    | Menlo Park    | CA   | 94026  | 800-553-NETS
SmartWall           | V-One                 | 12300 Twinbrook Parkway, #235  | Rockville     | MD   | 20852  | 301-881-2297
Brimstone           | Sources Of Supply Corp| 461 Fifth Ave., 16th Floor     | New York      | NY   | 10017  | 800-SOS-UNIX
Freeston            | Sources Of Supply Corp| 461 Fifth Ave., 16th Floor     | New York      | NY   | 10017  | 800-SOS-UNIX

"Success through teamwork"
===============================================================================
Dale Drew                                    MCI Telecommunications
Manager                                      internetMCI Security Engineering
Voice: 703/715-7058                          Internet: ddrew@mci.net
Fax:   703/715-7066                          MCIMAIL: Dale_Drew/644-3335

From firewalls-owner Thu Jul 13 10:34:56 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA02847 for firewalls-outgoing; Thu, 13 Jul 1995 08:37:57 -0700
Received: from ppco.com (ppco.com [138.32.15.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA02836 for ; Thu, 13 Jul 1995 08:37:52 -0700
Received: by ppco.com (/ ppco.1.0) id AA30470; Thu, 13 Jul 1995 10:37:26 -0500
Date: Thu, 13 Jul 1995 10:37:26 -0500
From: bcso@ppco.com (barry c solomon)
Message-Id: <9507131537.AA30470@ppco.com>
To: firewalls@GreatCircle.COM
Subject: SNA Mainframe Links
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I apologize if this has been asked before, but does anybody have general
tools, comments, or advice on firewalling an SNA mainframe to mainframe
link?
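[Editor's added example, not a message from the list.] Tony Li's "Changing a firewall setup" note earlier in this digest, and Jim Carroll's follow-up question about the size of the window, can be made concrete with a small model of an interface whose filter is replaced in two different orders. The model assumes the behaviour the discussion turns on: an interface whose "ip access-group" names a list that does not exist, or has no entries yet, filters nothing, and a non-empty list ends in an implicit "deny any". The command syntax is a simplified subset written for this example, not a real IOS parser, and the interface and rule set are constructed.

```python
# Added example: replay two reload orders against a toy router model and report
# after which commands a packet the policy must block would get through.
# Modelled assumptions: a missing or empty access list on an interface means
# no filtering at all; a non-empty list ends with an implicit "deny any".
# The command syntax below is a simplified subset, not a real IOS parser.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol
    dport: Optional[int]   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport


class Router:
    def __init__(self):
        self.acls = {}           # acl id -> rules in configured order
        self.access_group = {}   # interface -> acl id applied inbound
        self.current_iface = None

    def apply(self, line: str) -> None:
        """Apply one configuration line of the simplified command set."""
        w = line.split()
        if w[:2] == ["no", "access-list"]:
            self.acls.pop(w[2], None)             # the whole list vanishes at once
        elif w[0] == "access-list":
            dport = int(w[w.index("eq") + 1]) if "eq" in w else None
            self.acls.setdefault(w[1], []).append(Rule(w[2], w[3], dport))
        elif w[0] == "interface":
            self.current_iface = w[1]
        elif w[:2] == ["ip", "access-group"]:
            self.access_group[self.current_iface] = w[2]
        else:
            raise ValueError("unsupported line: " + line)

    def permits(self, iface: str, pkt: Packet) -> bool:
        rules = self.acls.get(self.access_group.get(iface), [])
        if not rules:
            return True                           # missing/empty list: no filtering
        for rule in rules:
            if rule.matches(pkt):
                return rule.action == "permit"
        return False                              # implicit deny any


# Constructed baseline policy: only inbound SMTP is allowed on Serial0.
BASELINE = [
    "interface Serial0",
    "ip access-group 101 in",
    "access-list 101 permit tcp any any eq 25",
    "access-list 101 deny ip any any",
]

# The "obvious" reload: delete the list, then re-enter it line by line.
NAIVE_RELOAD = [
    "no access-list 101",
    "access-list 101 permit tcp any any eq 25",
    "access-list 101 deny ip any any",
]

# Build a second list completely, re-point the interface, then drop the old one.
SWAP_RELOAD = [
    "access-list 102 permit tcp any any eq 25",
    "access-list 102 deny ip any any",
    "interface Serial0",
    "ip access-group 102 in",
    "no access-list 101",
]


def exposed_steps(commands: List[str], iface: str = "Serial0",
                  probe: Packet = Packet("tcp", 23)) -> List[int]:
    """Replay `commands` on a router running BASELINE and return the indexes of
    the commands after which `probe` (traffic the policy must block) would get
    through.  An empty result means the policy held at every step."""
    router = Router()
    for line in BASELINE:
        router.apply(line)
    if router.permits(iface, probe):
        raise ValueError("probe must be blocked by the baseline policy")
    exposed = []
    for i, line in enumerate(commands):
        router.apply(line)
        if router.permits(iface, probe):
            exposed.append(i)
    return exposed


if __name__ == "__main__":
    print("naive reload: exposed after steps", exposed_steps(NAIVE_RELOAD))  # [0]
    print("swap reload:  exposed after steps", exposed_steps(SWAP_RELOAD))   # []
```

The naive order is exposed from the moment "no access-list 101" is parsed until the list is rebuilt, however short that is; the swap order leaves the old list in force until the complete replacement is already attached to the interface, so there is no step at which the probe passes.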
From firewalls-owner Thu Jul 13 10:47:44 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA02895 for firewalls-outgoing; Thu, 13 Jul 1995 08:40:26 -0700
Received: from syl.nj.nec.com (syl.syl.nj.nec.com [138.15.50.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA02890 for ; Thu, 13 Jul 1995 08:40:23 -0700
From: mele@syl.nj.nec.com
Received: by syl.nj.nec.com (4.1/YDL1.4-910307.20) id AA01827(syl.nj.nec.com); Thu, 13 Jul 95 11:39:34 EDT
Received: by phoenix (4.1/YDL1.4-910307.16) id AA28174(phoenix); Thu, 13 Jul 95 11:39:35 EDT
Message-Id: <9507131539.AA28174@phoenix>
Subject: Re: Request: Summary of known services
To: frimp@mms-gmbh.de
Date: Thu, 13 Jul 1995 11:39:34 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Frank Heinzius" at Jul 13, 95 01:00:40 pm
X-Mailer: ELM [version 2.4 PL23alpha]
Content-Type: text
Content-Length: 589
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Frank,

>>Does anyone have a recent list of well-known services for TCP and UDP
>>ports? Where can I obtain it?
>>

If you have WWW access try this URL for RFC 1700:

http://www.apocalypse.org/pub/rfcs/rfc1700.txt

--
Elaine Mele                      Systems Administrator
NEC Systems Laboratory Inc.      Voice: (609) 734-6075
4 Independence Way               Fax: (609) 734-6002
Princeton, NJ 08540              Internet: mele@syl.nj.nec.com

Quotes from kids: "Bottled dreams float you to shore" - Margo Pisnoy

My opinions are my own and the kids, not my employer's.
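[Editor's added example, not a message from the list.] Returning to Padgett Peterson's "Quarantined Mail" note earlier in this digest: the split he proposes, flat ASCII forwarded at once and "anything else" held for a look, can be driven by exactly the frequency statistics he mentions, without any attempt to understand the content. The thresholds, the routing policy and the three sample bodies below are constructed for this example; the entropy and index-of-coincidence figures in the comments are the usual textbook values for English versus a uniform 64-symbol encoding.

```python
# Added example: sort mail bodies into flat ASCII and "anything else" using
# byte-frequency statistics (entropy and index of coincidence), in the spirit
# of the quarantined-mail proposal.  Thresholds and samples are constructed.
import base64
import math
import random
from collections import Counter

MIN_SAMPLE = 64        # below this many non-blank bytes the statistics mean little
ENTROPY_LIMIT = 5.0    # bits/byte; English text sits near 4.1-4.5, base64/uuencode near 6
IOC_FLOOR = 0.035      # index of coincidence; English ~0.065, 64-symbol encodings ~0.016
TEXT_CONTROLS = frozenset(b"\t\r\n")


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def index_of_coincidence(data: bytes) -> float:
    """Probability that two distinct positions hold the same byte value.
    Flat English scores around 0.065; a uniform 64-symbol encoding about 1/64."""
    n = len(data)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(data).values()) / (n * (n - 1))


def classify_body(body: bytes) -> str:
    """Return 'binary', 'encoded-ascii' or 'plain-ascii' for a message body."""
    if any(b > 0x7E or (b < 0x20 and b not in TEXT_CONTROLS) for b in body):
        return "binary"                       # 8-bit or control bytes: not RFC 822 text
    sample = bytes(b for b in body if b not in b" \t\r\n")   # drop layout whitespace
    if len(sample) < MIN_SAMPLE:
        return "plain-ascii"                  # too short to judge; policy choice for this example
    if shannon_entropy(sample) > ENTROPY_LIMIT or index_of_coincidence(sample) < IOC_FLOOR:
        return "encoded-ascii"                # uuencode, base64, ASCII armour, "executable ASCII"
    return "plain-ascii"


def route(body: bytes) -> str:
    """Policy from the proposal: flat ASCII goes straight through, anything else is held."""
    return "deliver" if classify_body(body) == "plain-ascii" else "quarantine"


# --- constructed samples -------------------------------------------------------
PLAIN_SAMPLE = (
    b"Carl made a number of good points, and the fact is that such things\r\n"
    b"come up against the halting problem when you try to analyze what a\r\n"
    b"program does. On the other hand, plain text can be told apart from\r\n"
    b"compressed or encrypted data with nothing more than byte statistics,\r\n"
    b"so a mail relay can forward flat text at once and hold everything\r\n"
    b"else for a closer look before it reaches the recipient.\r\n"
)

_rng = random.Random(1995)                      # fixed seed: stands in for ciphertext
_BLOB = bytes(_rng.getrandbits(8) for _ in range(600))
_B64 = base64.b64encode(_BLOB)
ENCODED_SAMPLE = (b"begin-base64 644 payload.bin\r\n"
                  + b"\r\n".join(_B64[i:i + 76] for i in range(0, len(_B64), 76))
                  + b"\r\n")
BINARY_SAMPLE = b"\x1f\x8b\x08\x00" + _BLOB[:200]   # gzip magic followed by raw bytes


if __name__ == "__main__":
    for name, body in [("plain", PLAIN_SAMPLE), ("encoded", ENCODED_SAMPLE), ("binary", BINARY_SAMPLE)]:
        print(f"{name:8s} {classify_body(body):14s} -> {route(body)}")
```

Two statistics are used rather than one because they fail differently: entropy rises with alphabet size, so it catches base64 and uuencode, while the index of coincidence falls when symbol frequencies flatten, which also flags text-shaped material such as a long hexadecimal dump. Neither says anything about what the masked content does, which is the point of the proposal: type, not content, decides whether the message is delivered immediately.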
From firewalls-owner Thu Jul 13 10:58:54 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA05193 for firewalls-outgoing; Thu, 13 Jul 1995 09:59:21 -0700 Received: from nrlmry.navy.mil (helium.nrlmry.navy.mil [192.138.87.243]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA05188 for ; Thu, 13 Jul 1995 09:59:19 -0700 Received: from krypton.navy.mil (krypton.nrlmry.navy.mil) by nrlmry.navy.mil (4.1/SMI-4.1) id AA23263; Thu, 13 Jul 95 09:58:56 PDT Received: by krypton.navy.mil (4.1/SMI-4.1) id AA05101; Thu, 13 Jul 95 09:58:57 PDT Date: Thu, 13 Jul 95 09:58:57 PDT From: cotham@nrlmry.navy.mil (Joe Cotham) Message-Id: <9507131658.AA05101@krypton.navy.mil> To: Firewalls@GreatCircle.COM Subject: Re: Firewalls-Digest V4 #416 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Information about the network security tool, Icepick, may be obtained from its developer at humphrey@hightop.nrl.navy.mil jcc From firewalls-owner Thu Jul 13 11:09:31 1995 Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA03728 for firewalls-outgoing; Thu, 13 Jul 1995 09:03:02 -0700 Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA03723 for ; Thu, 13 Jul 1995 09:02:59 -0700 Received: from brittany.oes.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.29.1 #1) id m0sWQih-0001hMC; Thu, 13 Jul 95 09:02 PDT Received: by brittany.oes.amdahl.com (5.0/SMI-4.1/DNS) id AA03570; Thu, 13 Jul 1995 09:02:36 +0800 Date: Thu, 13 Jul 1995 09:02:36 +0800 From: patrick@oes.amdahl.com (Patrick Horgan) Message-Id: <9507131602.AA03570@brittany.oes.amdahl.com> To: firewalls@greatcircle.com, frimp@mms-gmbh.de Subject: Re: Request: Summary of known services X-Sun-Charset: US-ASCII content-length: 1513 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Hello Firewallers! 
> >
> > From time to time I analyze the logged packet filter denies from our
> > firewall. Most denies are clear, but some hosts from the outside try
> > strange UDP and TCP port numbers.
> >
> > Does anyone have a recent list of well-known services for TCP and UDP
> > ports? Where can I obtain it?
> >
> > Thanks in advance,
> >
> > Frank

As usual, the best answer is to look in the most recent Assigned Numbers RFC, (currently RFC 1700). If you don't want to keep up with the changing RFC numbers, it can always be accessed as STD 2, (internet standard number 2.)

The following is an excerpt from the STD index. Details on obtaining STDs via FTP or EMAIL may be obtained by sending an EMAIL message to: rfc-info@ISI.EDU with the message body help: ways_to_get_stds. For example:

To: rfc-info@ISI.EDU
Subject: getting std's

help: ways_to_get_stds

Patrick

 _______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;).   \
| (mail copyright Patrick J. Horgan)                              (\    |
| Patrick J. Horgan       Amdahl Corporation                      \\  Have |
| patrick@amdahl.com      1250 East Arques Avenue                  \\ _ Sword |
| Phone : (408)992-2779   P.O.
Box 3470 M/S 316                                   \\/ Will |
| FAX : (408)773-0833     Sunnyvale, CA 94088-3470         _/\\ Travel |
\___________________________O16-2294________________________\)__________/

From firewalls-owner Thu Jul 13 11:24:06 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA06329 for firewalls-outgoing; Thu, 13 Jul 1995 10:28:45 -0700
Received: from vestek.com ([140.174.179.15]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA06318 for ; Thu, 13 Jul 1995 10:28:41 -0700
Received: by vestek.com (8.6.12/)
Received: from vestek.com id sma002531; Thu Jul 13 10:27:57 1995
Received: from vestek.com by vestek.com (4.1/SMI-4.1) id AA23987; Thu, 13 Jul 95 10:27:54 PDT
Date: Thu, 13 Jul 95 10:27:54 PDT
From: kevin@vestek.com (Kevin Freels)
Message-Id: <9507131727.AA23987@doodle>
To: firewalls@GreatCircle.COM
Subject: Re: Request: Summary of known services
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> >> >> >
> >> > Does anyone have a recent list of well-known services for TCP and UDP
> >> > ports? Where can I obtain it?
> >> >
> >>
> >> RFC 1700, available from a fine ftp site near you. Try nic.ddn.mil, or
> >> rtfm.mit.edu, or ftp.uu.net, for starters.
> >>
> >
> >Try:
> > ds.internic.net:/rfc/rfc1700.txt
> >
> >
> >
> >Also may be worth your while to grab a copy of the rfc-index.txt as well.
> >
> >- paul
>

Cheswick & Bellovin's "Firewalls and Internet Security" has a great listing of the ports in Appendix B, and advice on which ones should be open/blocked.

....kevin

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
_/ Kevin Freels, Systems Administrator      "We keep you alive to  _/
_/ Vestek Systems        1-800-VESTEK4       serve this ship.      _/
_/ kevin@vestek.com                          Row well and live."   _/
_/ All opinions blah blah blah....
_/
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

From firewalls-owner Thu Jul 13 11:35:29 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA07178 for firewalls-outgoing; Thu, 13 Jul 1995 10:53:37 -0700
Received: from caliph.intellicorp.com (caliph.intellicorp.com [128.92.128.11]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA07161 for ; Thu, 13 Jul 1995 10:53:31 -0700
Message-Id: <199507131753.KAA07161@miles.greatcircle.com>
Date: Thu, 13 Jul 95 10:47:10 PDT
From: Kelly Finley Sandefur
Subject: Disable SKey on BSDI Console
To: firewalls@GreatCircle.COM
Cc: Sandefur@intellicorp.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone know what it takes to disable skey on the console? A consultant set up skey on our bastion host and it's a 486 running BSDI. I have the "permit console" line in the /etc/skey.access file but this doesn't seem to work. Any pointers to documentation or answers would be greatly appreciated.

Thanks,
Kelly
-------

From firewalls-owner Thu Jul 13 12:28:30 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA09854 for firewalls-outgoing; Thu, 13 Jul 1995 11:54:19 -0700
Received: from netcom11.netcom.com (netcom11.netcom.com [192.100.81.121]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA09837 for ; Thu, 13 Jul 1995 11:54:14 -0700
From: Ruiyuan_Jiang/Advantage_KBS_at_LotusXchg@njcorp.akbs.com
Received: from njcorp.akbs.com by netcom11.netcom.com (8.6.12/Netcom) id LAA05944; Thu, 13 Jul 1995 11:52:37 -0700
Received: from cc:Mail by njcorp.akbs.com id AA805672440; Thu, 13 Jul 95 14:53:00 EST
Date: Thu, 13 Jul 95 14:53:00 EST
Encoding: 18 Text
Message-Id: <9506138056.AA805672440@njcorp.akbs.com>
To: firewalls@greatcircle.com
Subject: DNS
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We will have a 56k line to connect to NetCom.
Right now I am trying to set up an internet firewall using a CISCO router. According to the book "Firewalls and Internet Security" written by William R. Cheswick and Steven M. Bellovin, the best way to implement the firewall is to use our own DNS, one on the internal LAN, one on the unsecure LAN. Since the cost will go high, my question is whether we can use our internet service provider's DNS or not. Will the CISCO firewall generate some log files?

Thanks in advance.

Ruiyuan Jiang
System Administrator
ADVANTAGE kbs, Inc.             rjiang@akbs.com
Lotus Notes Business Partner
HP-UX Business Partner
(908) 287-2236   FAX (908) 287-3193

From firewalls-owner Thu Jul 13 12:38:45 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA09444 for firewalls-outgoing; Thu, 13 Jul 1995 11:48:22 -0700
Received: from volitans.MorningStar.Com (volitans.MorningStar.Com [137.175.2.11]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA09422; Thu, 13 Jul 1995 11:47:57 -0700
Received: from cowfish.MorningStar.Com by volitans.MorningStar.Com (8.6.12/95070701) id OAA14985; Thu, 13 Jul 1995 14:46:09 -0400
From: Bob Sutterfield
Received: by cowfish.MorningStar.Com (5.65a/94063001) id AA02143; Thu, 13 Jul 95 14:46:07 -0400
Date: Thu, 13 Jul 95 14:46:07 -0400
Message-Id: <9507131846.AA02143@cowfish.MorningStar.Com>
To: ddrew@mci.net (Dale Drew)
Cc: Firewalls-Standards@greatcircle.com, Firewalls@greatcircle.com
Subject: Revised firewall information
In-Reply-To: <199507131520.LAA10249@druid.reston.mci.net>
References: <199507131520.LAA10249@druid.reston.mci.net>
Organization: Morning Star Technologies, Inc.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: ddrew@mci.net
> To: firewalls@GreatCircle.COM
> Cc: ddrew@mci.net
> Subject: Revised firewall information
> Date: Thu, 13 Jul 1995 11:20:40 -0400
>
> I've received a number of requests to update information and other
> various adds, changes and deletes, so I thought I would repost this
> information.
In a separate message, I'll send you info about our company and our SecureConnect product line.

> I've placed a version number on it, and also made it available on
> our FTP Server (ftp://ftp.mci.net/pub/security/firewall.vendors).
> We will be adding some matrix tables to the file that identify
> services, features and functionality compared to other firewall
> products.

You might want to take a look at the work of the Firewalls-Standards mailing list. They're not developing Coloured Book or ISO or ANSI style standards to which firewalls should conform. They're just developing a standard form for describing various firewall products, to make it easier for customers to compare and contrast and choose what's best suited for their needs. See http://iwi.com/iw-pubs.htm for more details.

--
Bob Sutterfield, Network Environmentalist    Morning Star Technologies, Inc.    +1 614 451 1883
3518 Riverside Dr, Suite 101, Columbus Ohio USA, 43221-1754                     +1 800 558 7827
Bob@MorningStar.Com    http://www.MorningStar.Com/bob.html                      Fax: +1 614 459 5054

From firewalls-owner Thu Jul 13 13:39:07 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA12456 for firewalls-outgoing; Thu, 13 Jul 1995 12:57:47 -0700
Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA12451 for ; Thu, 13 Jul 1995 12:57:43 -0700
From: fc@all.net (Dr. Frederick B. Cohen)
Received: by all.net (4.1/3.2.012693-Management Analytics); id AA08393 for firewalls@greatcircle.com; Thu, 13 Jul 95 15:51:43 EDT
Message-Id: <9507131951.AA08393@all.net>
Subject: RFCs-Now-Searchable-in-Info-Sec-Heaven
To: firewalls@greatcircle.com
Date: Thu, 13 Jul 1995 15:51:42 -0400 (EDT)
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 633
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

All.Net now has copies of all current RFCs on-line and searchable from InfoSec Heaven. They can also be accessed via our Gopher server.
-> See: Info-Sec Heaven using our New Super Secure World-Wide-Web Server
-> Free: Test your system's security (scans deeper than SATAN or ISS!)
---------------------- both at URL: http://all.net ----------------------
-> Read: "Protection and Security on the Information Superhighway"
         John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95
-------------------------------------------------------------------------
   Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236

From firewalls-owner Thu Jul 13 14:02:56 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA12089 for firewalls-outgoing; Thu, 13 Jul 1995 12:46:41 -0700
Received: from oxygen.house.gov (oxygen.house.gov [137.18.128.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA12084 for ; Thu, 13 Jul 1995 12:46:39 -0700
Received: by oxygen.house.gov (AIX 3.2/UCB 5.64/3.2.083191-) id AA18063; Thu, 13 Jul 1995 15:44:21 -0400
From: dorian@oxygen.house.gov (Dorian Deane)
Message-Id: <9507131944.AA18063@oxygen.house.gov>
Subject: Re: Changing a firewall setup.
To: avalon@coombs.anu.edu.au (Darren Reed)
Date: Thu, 13 Jul 1995 15:44:20 -0400 (EDT)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <199507130345.UAA06595@miles.greatcircle.com> from "Darren Reed" at Jul 13, 95 01:44:59 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 752
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>
> What sort of procedures do people follow through design by choice (or
> lack thereof) in order to change their system's firewall policy ?
> (Yes, I realise it is not meant to change, but you may change ISP,
> need a new service, asked to open up an existing service, etc).
> Is downtime or disconnection a requirement ? Do you know what happens
> to your cisco when you upload a new configuration (is this safe) ?
>

I'll just choose one of the questions: It seems to me that a good firewall policy will include a mechanism for changes as they become necessary. A policy that cut all users off from the Web, for example, would probably cause backdoors to quietly pop up as people found ways to access the good stuff for themselves.

dorian

From firewalls-owner Thu Jul 13 14:39:37 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA15624 for firewalls-outgoing; Thu, 13 Jul 1995 14:31:38 -0700
Received: from csc.com (explorer.csc.com [20.1.10.27]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA15614; Thu, 13 Jul 1995 14:31:34 -0700
Received: by csc.com (Smail3.1.29.1 #1) id m0sWVqR-000iDPC; Thu, 13 Jul 95 17:30 EDT
Date: Thu, 13 Jul 1995 17:30:54 -0400 (EDT)
From: Adam Safier
To: Brent Chapman
cc: David Madole/TMG/CSC , firewalls , Julie Ann Connary <73203.2236@compuserve.com>
Subject: Re: cisco packet filter firewall
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> of BIND, I don't think; I believe (though my info may be out of date) that
> IBM AIX systems always use TCP connections for DNS, even for simple
> resolver queries that most other UNIX systems would use UDP for.

I had a sniffer on an AIX system 3.2.5 and saw it only use UDP. Allowing only port 53 through the router worked for us.
Adam

From firewalls-owner Thu Jul 13 15:07:50 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA15096 for firewalls-outgoing; Thu, 13 Jul 1995 14:14:43 -0700
Received: from chronos.synopsys.com (chronos.synopsys.com [146.225.8.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA15079 for ; Thu, 13 Jul 1995 14:14:36 -0700
Received: from atropos.synopsys.com by chronos.synopsys.com with SMTP id AA08198 (5.65c/IDA-1.4.4 for ); Thu, 13 Jul 1995 14:14:10 -0700
Received: from mango.synopsys.com (mango.synopsys.com [146.225.72.11]) by atropos.synopsys.com (8.6.9/8.6.9) with ESMTP id OAA19325; Thu, 13 Jul 1995 14:14:07 -0700
From: Arnold de Leon
Received: (from arnold@localhost) by mango.synopsys.com (8.7.Beta.5/8.7.Beta.5) id OAA07671; Thu, 13 Jul 1995 14:14:05 -0700
Date: Thu, 13 Jul 1995 14:14:05 -0700
Message-Id: <199507132114.OAA07671@mango.synopsys.com>
To: firewalls@greatcircle.com
Subject: CERN httpd proxy SSL patch
Cc: socks@syl.dl.nec.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've gotten numerous requests for the url so here it is:

http://www.w3.org/hypertext/WWW/Daemon/Patch/SSL.patch

arnold
--
Arnold de Leon             Synopsys, Inc.
arnold@synopsys.com        700 E. Middlefield Road
+1 415 694 4183            Mtn.
View, CA 94043-4033

From firewalls-owner Thu Jul 13 15:34:20 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA15145 for firewalls-outgoing; Thu, 13 Jul 1995 14:15:52 -0700
Received: from eniac.disaster.com (eniac.disaster.com [205.139.198.11]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA15139 for ; Thu, 13 Jul 1995 14:15:49 -0700
Received: from pc2.expoguide.com (pc2.expoguide.com [205.139.198.22]) by eniac.disaster.com (8.6.9/8.6.9) with SMTP id RAA21255 for ; Thu, 13 Jul 1995 17:40:55 -0400
Message-Id: <199507132140.RAA21255@eniac.disaster.com>
X-Sender: ferioli@eniac.disaster.com
X-Mailer: Windows Eudora Version 2.1.1b7
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 10 Jul 1995 17:03:26 -0400
To: FIREWALLS@greatcircle.com
From: Michael Ferioli - D&D Consulting
Subject: UDP Proxying?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Here's an interesting firewall problem:

You have an internal network protected by both a packet filtering router and a dual homed proxy gateway. You introduce a video conferencing package that runs over the Internet that uses 6 UDP ports. One port is static and listens (a la FTP) then 6 UDP ports over 1000 are set up.

What are the options? Assume the gateway is running a flavor of BSD and a non-transparent proxy agent.

Any ideas?

Mike

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Michael D.
Ferioli                 Internet: ferioli@disaster.com
D&D Consulting          CIS: 73542,2601
Albany, New York        PHONE: (518) 462-0900   FAX: (518) 432-1829
For info on D&D, mail to info@disaster.com or http://www.disaster.com
INTERNET/UNIX/SECURITY/LAN/WAN SPECIALISTS AND MORE ALL UNDER ONE ROOF
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Thu Jul 13 15:43:46 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA14604 for firewalls-outgoing; Thu, 13 Jul 1995 14:06:48 -0700
Received: from thong.nrl.navy.mil (thong.nrl.navy.mil [132.250.142.7]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA14599 for ; Thu, 13 Jul 1995 14:06:45 -0700
Received: (from humphrey@localhost) by thong.nrl.navy.mil (8.6.10/8.6.9) id RAA05376; Thu, 13 Jul 1995 17:09:53 -0400
Date: Thu, 13 Jul 1995 17:09:53 -0400
From: Jeff Humphrey (KSC)
Message-Id: <199507132109.RAA05376@thong.nrl.navy.mil>
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
To: Firewalls@GreatCircle.COM
Subject: Ice-Pick
Cc: humphrey@thong.nrl.navy.mil
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

Due to the amazing amount of email I just got concerning the Ice-Pick tool I thought I had better send something out to the firewalls group (if for no other reason than to stop this amazing amount of email)

---- About Ice-Pick ---

What is it ?

It's a vulnerability assessment tool-- they're popular and well known now but they weren't a few years ago when I started writing it. The package has been through a number of upgrades since its initial release and has become GUI driven, database'd, daemon'ized, etc. It is very effective at what it does. Ice-Pick is not a script based package.

--- Where do I get it ?

NAVCIRT distributes the program. You'll have to get in contact with them directly for more details--

WEB: http://infosec.nosc.mil/navcirt.html
EMAIL: navcirt@infosec.nosc.mil

--- Who can get it ?
Ice-Pick is a Navy product developed at NRL and distributed to the Navy by NAVCIRT. Outside agencies are welcome to contact NAVCIRT for more information and details-- but I'm quite positive the product isn't being distributed to the public Internet as a whole. If you would like you can send me a piece of email with the subject 'ICEPICK' and I'll make up a list of people who would like more information ... that doesn't mean I have something to send you but I'd have your names and email addresses just in case.

Thanks for the interest,

Jeff, (the Ice-Pick guy).

disclaimer-- my thoughts are my own

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQB1AwUBMAVfh39JjXnbYzw1AQFPcwMAqfmgwPKo1mwL0EuJ6+Q6zjkKss3JRsN2
PBNfZ/ZxCb+JdMRJ4btSEkAVkH9jYZWBVmCtzKUdTQzx5//yDf/BRVyFnjW4xG1x
nZFfrHpOHSpz88SSjDAllt2qZIGDvdTT
=VMYF
-----END PGP SIGNATURE-----

--
Jeff Humphrey, Kaman Sciences Corporation                 92 yamaha fzr 600
PGPable/humphrey@hightop.nrl.navy.mil/(202)404-8241       SKYDIVE!
F6 DC 16 0B EF 25 CB F2 36 55 D1 36 D2 F3 B7 12

From firewalls-owner Thu Jul 13 16:16:33 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA17853 for firewalls-outgoing; Thu, 13 Jul 1995 15:43:14 -0700
Received: from [198.102.244.36] (quadra.greatcircle.com [198.102.244.36]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id PAA17839; Thu, 13 Jul 1995 15:43:06 -0700
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 13 Jul 1995 15:43:03 -0800
To: fc@all.net (Dr. Frederick B. Cohen), firewalls@greatcircle.com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: RFCs-Now-Searchable-in-Info-Sec-Heaven
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 3:51 PM 7/13/95, Dr. Frederick B. Cohen wrote:
>All.Net now has copies of all current RFCs on-line and searchable from InfoSec
>heaven. They can also be accessed via our Gopher server.
>
>-> See: Info-Sec Heaven using our New Super Secure World-Wide-Web Server
>-> Free: Test your system's security (scans deeper than SATAN or ISS!)
>---------------------- both at URL: http://all.net ----------------------
>-> Read: "Protection and Security on the Information Superhighway"
>         John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95
>-------------------------------------------------------------------------
>   Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236

I think it's time for you to set up your own "info-sec-heaven-announce" (or something like that) list, which interested people can subscribe to, rather than continuing to fill Firewalls with these content-free thinly-veiled ads.

-Brent

----------------------------------------------------------------------
For info about the Internet Security Firewalls Tutorial and a schedule
of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM
----------------------------------------------------------------------
Brent Chapman                            Great Circle Associates
Brent@GreatCircle.COM                    1057 West Dana Street
+1 415 962 0841                          Mountain View, CA 94041

From firewalls-owner Thu Jul 13 22:05:02 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA25616 for firewalls-outgoing; Thu, 13 Jul 1995 21:43:24 -0700
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id VAA25611 for ; Thu, 13 Jul 1995 21:43:21 -0700
Message-Id: <199507140443.VAA25611@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA087336961; Fri, 14 Jul 1995 14:42:41 +1000
From: Darren Reed
Subject: Re: Changing a firewall setup.
To: Firewalls@GreatCircle.COM (Firewalls Mailing List)
Date: Fri, 14 Jul 1995 14:42:41 +1000 (EST)
In-Reply-To: <199507131204.FAA14180@greatdane.cisco.com> from "Tony Li" at Jul 13, 95 05:04:41 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1434
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Tony Li, sie said:
>
> > Do you know what happens to your cisco when you upload a new
> > configuration (is this safe) ?
>
> That depends on how you do it. If you do the obvious thing and do
> no access-list 101
> access-list 101 ....
> access-list 101 ....
> access-list 101 ....
>
> Then yes, there is a small window during the parsing of the access
> list during which you're exposed.
>
> A better technique is to change the access group on the interface.

I assume what you mean is you upload 102, set the interface to use 102, then upload the new 101, set it back to that and delete 102 ? (And do the same for each interface). Or even use the access group numbers in a revision number style ?

Do other router vendors have similar vulnerabilities if "managed" wrong ? If, for example, I want to load a completely new set of rules into Firewall-1 or Gauntlet or any of the others, what sort of exposure do I face ?

What I'm generally concerned about is the state of the router/packet filter when it is receiving and parsing the new (packet filter) configuration you send it. Do you have to delete all the old rules first, for example.

darren

[P.S. A few people expressed concerns about this with IP filter which
 led me to implementing it looking after two sets of rules: active
 and inactive. Idea here is load a new set and switch and yes,
 is part of the current version, 2.7.1.]
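The window Tony Li describes, and the active/inactive rule-set answer Darren mentions for IP filter, can be made concrete with a small model. The following is an added example, not code from Cisco, IP filter or anyone on the list. It models a first-match filter with an implicit deny at the end of a non-empty list, and assumes (to make the exposure visible) that an interface whose bound list is missing or empty passes all traffic, which is the state between "no access-list 101" and the first re-added line. The list numbers 101/102 follow the thread; the rule contents and the probe packet are constructed.

```python
"""Window of exposure when a filter list is rebuilt in place, versus building
a second list and switching the interface to it.

Added example, not vendor code. Assumptions: first-match evaluation with an
implicit deny at the end of a non-empty list; a missing or empty bound list
passes everything (this models the gap after "no access-list N").
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None matches any destination port


def decide(rules: List[Rule], proto: str, dport: int) -> str:
    """First-match decision for one packet against one rule list."""
    if not rules:
        return "permit"     # assumption: missing/empty list means no filtering
    for r in rules:
        if r.proto in ("any", proto) and r.dport in (None, dport):
            return r.action
    return "deny"           # implicit deny at the end of a non-empty list


class Interface:
    """Numbered rule lists (like access-list 101, 102) plus which one is bound."""

    def __init__(self) -> None:
        self.lists: Dict[int, List[Rule]] = {}
        self.bound: Optional[int] = None

    def decide(self, proto: str, dport: int) -> str:
        return decide(self.lists.get(self.bound, []), proto, dport)


def reload_in_place(iface: Interface, num: int, new_rules: List[Rule],
                    probe: Tuple[str, int]) -> List[str]:
    """Delete list `num`, then re-add it line by line; record the probe's fate
    after every step so the intermediate states are visible."""
    seen = []
    iface.lists.pop(num, None)                   # list gone: unfiltered window
    seen.append(iface.decide(*probe))
    for r in new_rules:
        iface.lists.setdefault(num, []).append(r)
        seen.append(iface.decide(*probe))
    return seen


def reload_by_swap(iface: Interface, active: int, spare: int,
                   new_rules: List[Rule], probe: Tuple[str, int]) -> List[str]:
    """Build the spare list completely while the old one stays bound, then
    rebind the interface, then delete the old list."""
    seen = []
    for r in new_rules:
        iface.lists.setdefault(spare, []).append(r)
        seen.append(iface.decide(*probe))        # old list still in force
    iface.bound = spare                          # the one-step switch
    seen.append(iface.decide(*probe))
    iface.lists.pop(active, None)
    seen.append(iface.decide(*probe))
    return seen


def exposed_steps(history: List[str]) -> List[int]:
    """Indices of steps at which a packet both policies deny was permitted."""
    return [i for i, d in enumerate(history) if d == "permit"]


# Constructed policies: only SMTP and DNS in; the new policy also admits HTTP.
OLD = [Rule("permit", "tcp", 25), Rule("permit", "udp", 53)]
NEW = [Rule("permit", "tcp", 25), Rule("permit", "udp", 53), Rule("permit", "tcp", 80)]
TELNET_PROBE = ("tcp", 23)      # denied by both OLD and NEW


def fresh_interface() -> Interface:
    iface = Interface()
    iface.lists[101] = list(OLD)
    iface.bound = 101
    return iface


def demo_in_place() -> List[str]:
    return reload_in_place(fresh_interface(), 101, NEW, TELNET_PROBE)


def demo_swap() -> List[str]:
    return reload_by_swap(fresh_interface(), 101, 102, NEW, TELNET_PROBE)


if __name__ == "__main__":
    print("in place:", demo_in_place(), "exposed at", exposed_steps(demo_in_place()))
    print("swap:    ", demo_swap(), "exposed at", exposed_steps(demo_swap()))
```

Under the stated assumption the in-place reload permits the telnet probe at step 0, the moment after the old list is removed, while the swap sequence never does: at every observable point the interface is enforcing either the complete old policy or the complete new one. That property, never an intermediate rule set in force, is the one to check for whatever filter you manage, whether the mechanism is a second list number, a revision-numbered list, or the two-set switch Darren describes.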
From firewalls-owner Thu Jul 13 23:49:29 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA28461 for firewalls-outgoing; Thu, 13 Jul 1995 23:30:34 -0700
Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id TAA04953 for ; Wed, 12 Jul 1995 19:39:25 -0700
Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA27505; Wed, 12 Jul 95 22:39:08 -0500
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9507130339.AA27505@hawksbill.sprintmrn.com>
Subject: Re: rfc 1597 and firewall
To: dataline@dataline.co.at
Date: Wed, 12 Jul 1995 22:39:08 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "dataline@dataline.co.at" at Jul 12, 95 07:55:38 am
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 1883
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> can anybody help me ?
> what can happen to an ip network (ip addresses follow rfc 1597) in case of connecting it to the
> internet. we want to use a dual homed firewall gateway for communication with hosts outside of our
> net. what kind of risks and attacks can follow after connecting in that case (which components
> can be attacked in case of using rfc 1597 addresses) ??
>
>

Actually, your chances of being 'attacked' are neither increased nor lessened by using RFC-1597 addresses internally. Your chances of being 'compromised' are only slightly lessened.

Your Internet provider will NOT route to RFC-1597 addresses. For all intents and purposes, they really don't exist, since they are reserved. Having said that, one would have to assume that your Internet provider will have to route to _some_ network which will announce your (or part of) domain to the remainder of the Internet community.
Without any additional info, one would imagine that you intend to install a perimeter network, which consists of a valid non-RFC-1597 address, which is registered to you, and which your provider will indeed route to. The issue is that if a (external) host on your perimeter network is compromised, it most likely has the ability to access the (internal) RFC-1597 network(s) and host(s).

However, it is much more desirable to announce a single 'class c' network (yes, I know we're all classless now), than to announce an entire 'class b', given the sheer number of possible hosts and subnetworks associated with each.

- paul

_______________________________________________________________________________
Paul Ferguson                          US Sprint
tel: 703.689.6828                      Managed Network Engineering
internet: paul@hawk.sprintmrn.com      Reston, Virginia USA
http://www.sprintmrn.com

From firewalls-owner Fri Jul 14 00:35:04 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA29403 for firewalls-outgoing; Fri, 14 Jul 1995 00:11:44 -0700
Received: from tremere.ios.com (tremere.ios.com [198.4.75.253]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id AAA29314 for ; Fri, 14 Jul 1995 00:11:30 -0700
Received: (from nmw@localhost) by tremere.ios.com (8.6.9/8.6.9) id DAA00633 for firewalls@greatcircle.com; Fri, 14 Jul 1995 03:12:44 -0400
From: Nicolas Williams
Message-Id: <199507140712.DAA00633@tremere.ios.com>
Subject: Re: Changing a firewall setup. (fwd)
To: firewalls@greatcircle.com
Date: Fri, 14 Jul 1995 03:12:43 -0400 (EDT)
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-2
Content-Transfer-Encoding: 7bit
Content-Length: 2050
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Darren Reed previously wrote:
>In some mail from Tony Li, sie said:
>> Then yes, there is a small window during the parsing of the access
>> list during which you're exposed.
>> A better technique is to change the access group on the interface.

>I assume what you mean is you upload 102, set the interface to use 102,
>then upload the new 101, set it back to that and delete 102 ? (And do
>the same for each interface). Or even use the access group numbers
>in a revision number style ?

I like setting up my Cisco access-lists like this (firewall lists for a 2514):

110 is output filter for Ether0
111 is output filter for Ether0
112 is input filter for Ether0
113 is input filter for Ether0
120 is output filter for Ether1
121 is output filter for Ether1
122 is input filter for Ether1
123 is input filter for Ether1
130 is output filter for Serial0
131 is output filter for Serial0
132 is input filter for Serial0
133 is input filter for Serial0

and so on. There are two reserved for each interface/filtering-type so I can easily update the lists, config term or config net (gotta be careful with config net: don't forget the 'no ' stuff, or else use config over followed by a reload (or use the newer config file management commands instead of 'config net' and 'config over').

I use access-lists in the 70-89 and 170-189 ranges for IGP route filtering internally (and for use in route-maps), with the 90-99 and 190-199 ranges for BGP route filtering. 195 is usually for filtering BGP updates from in-to-out, with 196 being the same but suppressing holes in aggregates.

If you're dealing with Cisco-like filter naming madness, I recommend you come up with a system and stick by it. It'll save you often.

>darren
>
>[P.S. A few people expressed concerns about this with IP filter which
> led me to implementing it looking after two sets of rules: active
> and inactive. Idea here is load a new set and switch and yes,
> is part of the current version, 2.7.1.]

Cisco? Are you reading this?
Please make our lives easier, :)

Nick

From firewalls-owner Fri Jul 14 03:04:56 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA03892 for firewalls-outgoing; Fri, 14 Jul 1995 02:34:55 -0700
Received: from ds5500.cc.boun.edu.tr (ds5500.cc.boun.edu.tr [193.140.192.20]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id CAA03883 for ; Fri, 14 Jul 1995 02:34:18 -0700
Received: by ds5500.cc.boun.edu.tr; (5.65/1.1.8.2/26Dec94-8.2MPM) id AA01340; Fri, 14 Jul 1995 12:29:02 -0400
Date: Fri, 14 Jul 1995 12:28:59 -0400 (EDT)
From: Can Baysal
X-Sender: baysalc@ds5500.cc.boun.edu.tr
To: Jim Carroll
Cc: Tony Li , Firewalls@greatcircle.com
Subject: Re: Changing a firewall setup.
In-Reply-To: <9507131512.AA07877@wellspring.us.dg.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi;

On Thu, 13 Jul 1995, Jim Carroll wrote:

..............
>
> Could you please comment on the following scenario:

Following is exactly what I do here. I prefer to stay in the CISCO of course but I hate that editor, it's worse than edlin I think.

>
> 1. Enable tftp server on the bastion.
>
> 2. Save configuration to bastion host.
..........................
> Aside from commenting on the above, how large is the window of risk
> to the Cisco while you're loading the new config?

If you do not do this regularly (usually you should not) the risk factor should be acceptable. However here we do not keep anything that should be very well protected, so I can take it easy.

Regards;
Can BAYSAL

>
> --
> Jim Carroll - jcarroll@wellspring.us.dg.com
> ... the usual disclaimers ...
> ## The more I learn, the less I know. ##
> ## Eventually I'll know everything about nothing.
## >

From firewalls-owner Fri Jul 14 03:25:48 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA04121 for firewalls-outgoing; Fri, 14 Jul 1995 03:01:20 -0700
Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id DAA04115 for ; Fri, 14 Jul 1995 03:01:14 -0700
From: fc@all.net (Dr. Frederick B. Cohen)
Received: by all.net (4.1/3.2.012693-Management Analytics); id AA06701 for firewalls@greatcircle.com; Fri, 14 Jul 95 05:54:50 EDT
Message-Id: <9507140954.AA06701@all.net>
Subject: Re: Changing a firewall setup.
To: avalon@coombs.anu.edu.au (Darren Reed)
Date: Fri, 14 Jul 1995 05:54:48 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199507140443.VAA25611@miles.greatcircle.com> from "Darren Reed" at Jul 14, 95 02:42:41 pm
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 1889
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

...
> Do other router vendors have similar vulnerabilities if "managed"
> wrong ? If, for example, I want to load a completely new set of
> rules into Firewall-1 or Gauntlet or any of the others, what sort
> of exposure do I face ?

The answer to the first question is probably yes. In a more expanded form, almost all current security systems, even A1 systems, have failed to adequately address the processes by which protection settings change. This tends to leave very short windows of vulnerability. Here are some of the examples I have tested:

In some TCBs, as you change protection settings over time, you introduce transitive information flows that violate the compartmentalization of data. (published in C+S some years back on a paper about POsets)

In many systems, password file changes involve creating a new password file. If protections are not right, at the moment of creation, the file is world writable and can be opened by an attacker. Note that this may occur each time a user changes passwords.
In TCP-wrappers and most other similar programs that check the control files each time they run, saving file changes as you edit can leave short time periods when your intermediate changes are in effect. You have to be careful to keep things step-wise secure.

There are a lot more of these sorts of things out there for those willing to try hard enough.

--
-> See: Info-Sec Heaven using our New Super Secure World-Wide-Web Server
-> Free: Test your system's security (scans deeper than SATAN or ISS!)
---------------------- both at URL: http://all.net ----------------------
-> Read: "Protection and Security on the Information Superhighway"
         John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95
-------------------------------------------------------------------------
   Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236

From firewalls-owner Fri Jul 14 04:40:46 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA05818 for firewalls-outgoing; Fri, 14 Jul 1995 04:24:51 -0700
Received: from corange.com (corange.com [204.7.80.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id EAA05813 for ; Fri, 14 Jul 1995 04:24:48 -0700
Received: from M24389.BMG.CORANGE.COM (BMG) by corange.com (5.0/SMI-SVR4) id AA08282; Fri, 14 Jul 1995 06:20:31 +0500
Received: from cc:Mail by M24389.BMG.CORANGE.COM id AA805728252; Fri, 14 Jul 95 13:13:58 PST
Date: Fri, 14 Jul 95 13:13:58 PST
From: "Wolfgang Hopp"
Encoding: 40 Text
Message-Id: <9506148057.AA805728252@M24389.BMG.CORANGE.COM>
To: firewalls@GreatCircle.COM
Subject: Internet security -organization vs. technical solutions
content-length: 1639
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dear firewall listmembers!

The company I am with as IT auditor is entering the adventure internet. As a novice user of internet myself I am not sure if I ask the questions to the right list.

We already installed a firewall to avoid access from hackers into our internal network.
Beside the problem to secure the internal network there are still some partly more organizational questions to solve: How can we

* detect viruses within E-Mail messages (attached files)?
* suppress surfing in pornographic sites?
* establish organizational rules for internet usage (company policy, internet user agreement...)?

It's quite clear that restricting access for users will be against the internet policy "freedom of information"; on the other hand we are running the risk that our internal network is overloaded caused by "surfing" people, if we will not find a technical or organizational solution for this.

I apologize if this has been asked before, but does anybody have general tools, comments, list names, www addresses or advice to support my task?

Thanks a lot in advance for your input

Wolfgang Hopp
===========================================================================
Wolfgang Hopp | e-mail: Wolfgang_hopp@bmg.corange.com
Regional IT Auditor | phone: +49 621 759 4484
c/o Sandhofer Straße | fax: +49 621 759 3119
D-68289 Mannheim -Germany - |
===========================================================================
Disclaimer: All expressed opinions are mine, and are not necessarily the views of my employer.
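Fred Cohen's message earlier in this digest ("Re: Changing a firewall setup.") gives two concrete windows: a password or control file that is created or rewritten in place is, for a moment, empty, half-written, or owned by whatever mode the process umask produced, and a program such as tcpd that re-reads its control file on every connection will enforce that intermediate state. The following is an added example, not code from Dr. Cohen or any other poster, showing the in-place pattern beside the step-wise secure one (private temporary file, fsync, then an atomic rename). The scratch directory, the `hosts.allow` file name and its contents are constructed for the demonstration; `run_demo()` stands in for a reader that races the rewrite.

```python
"""Step-wise secure replacement of a control file.

Added example for this digest; it is not code from Fred Cohen or any other
poster.  It illustrates his two cases: a password or control file rewritten
in place is briefly empty or half-written, and a file created with the
process umask can exist, for an instant, with wider permissions than
intended.  Paths and contents below are constructed for the demonstration.
"""
import os
import tempfile


def unsafe_rewrite_in_place(path, data, observer=None):
    """The editor/'write back' pattern: open(path, "w") truncates the file first,
    so a reader that races the write sees an empty or partial file.
    `observer`, if given, is called at that moment and stands in for the
    concurrent reader (e.g. tcpd loading hosts.allow)."""
    with open(path, "w") as f:          # truncated here: the window opens
        seen = observer(path) if observer else None
        f.write(data)                   # the window closes only after this
    return seen


def atomic_replace(path, data, mode=0o644):
    """Write `data` to a private temporary file in the same directory, set the
    final mode, then rename over `path`.  rename() is atomic on POSIX, so any
    reader sees either the complete old file or the complete new one, and the
    new file never exists under its real name with the wrong contents or mode.
    """
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp uses O_CREAT|O_EXCL and mode 0o600 regardless of the umask,
    # so the temp file is owner-only from the first instant.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".tmp-")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())        # contents durable before the rename
        os.chmod(tmp, mode)             # widen only once contents are final
        os.rename(tmp, path)            # the single atomic switch
    except BaseException:
        try:
            os.unlink(tmp)
        except FileNotFoundError:
            pass
        raise
    return path


def run_demo():
    """Exercise both patterns in a scratch directory and report what a racing
    reader would have seen.  Returns a dict so the results can be checked."""
    workdir = tempfile.mkdtemp(prefix="ctrl-")
    path = os.path.join(workdir, "hosts.allow")    # constructed control file
    atomic_replace(path, "ALL: LOCAL\n", 0o644)
    with open(path) as f:
        after_atomic = f.read()
    mode = os.stat(path).st_mode & 0o777
    leftover = [n for n in os.listdir(workdir) if n.startswith(".tmp-")]

    def racing_reader(p):
        with open(p) as f:
            return f.read()

    seen = unsafe_rewrite_in_place(path, "ALL: 10.0.0.0/8\n", observer=racing_reader)
    with open(path) as f:
        after_unsafe = f.read()
    return {
        "after_atomic": after_atomic,
        "mode": mode,
        "leftover_temp_files": leftover,
        "seen_during_unsafe_rewrite": seen,   # "": the reader saw an empty policy
        "after_unsafe": after_unsafe,
    }


if __name__ == "__main__":
    print(run_demo())
```

The empty string returned for the racing reader is the whole point: for a tcpd-style control file an empty `hosts.allow` is a real policy (everything falls through to `hosts.deny` or to the default), and for a password file the analogous moment is a file with no entries or with the wrong mode. The rename-based path has no such moment, which is what "step-wise secure" means in practice.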
From firewalls-owner Fri Jul 14 05:35:09 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA07374 for firewalls-outgoing; Fri, 14 Jul 1995 05:26:49 -0700
Received: from arthur.crpht.lu (arthur.crpht.lu [158.64.4.8]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA07362 for ; Fri, 14 Jul 1995 05:26:27 -0700
Received: from cnsmac3.crpht.lu by arthur.crpht.lu with SMTP (1.37.109.4/16.2) id AA04067; Fri, 14 Jul 95 14:26:04 +0200
X-Sender: security@arthur.crpht.lu
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 14 Jul 1995 14:28:17 +0200
To: Firewalls@GreatCircle.COM
From: security@crpht.lu (Bruno MAMER)
Subject: "Best of" this mailing list
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello everybody,

I've been lurking (I prefer "getting informed") in this list for some months and have learned a lot. Especially that it takes much time to read everything. Therefore I'm testing something: making available for you all a "best of" the mails of this mailing list. By "best of" I mean that I filter all the miscellaneous mails which shouldn't have been sent, which aren't so interesting, which contain only flames ... so that there is only the most interesting left.

You can find this at: http://www.crpht.lu/CNS/html/PubServ/ps_home.html in the section on firewalls.

Please comment on this experiment. If it is appreciated I'll continue, if not...
Bruno Mamer
_____________________________________________________________________________
Bruno MAMER bruno.mamer@crpht.lu
Centre de Recherche Public Henri Tudor www.crpht.lu
Computing and Network Services (CNS) tel: (352) 43-62-33-271
Our local archive on security : http://www.crpht.lu/CNS/html/PubServ/Security/security-home.html
-----------------------------------------------------------------------------

From firewalls-owner Fri Jul 14 07:15:09 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA10019 for firewalls-outgoing; Fri, 14 Jul 1995 07:02:27 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA10014 for ; Fri, 14 Jul 1995 07:02:22 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA29105; Fri, 14 Jul 95 09:32:17 -0400
Date: Fri, 14 Jul 95 09:32:16 -0400
Message-Id: <9507141332.AA29105@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Windows of Opportunity
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dr. Fred rites:

>The answer to the first questions is probably yes. In a more expanded
>form, almost all current security systems, even A1 systems, have failed
>to adequately address the processes by which protection settings change.
>This tends to leave very short windows of vulnerability. Here are some
>of the examples I have tested:

Sure but at the same time, the A-6 will have to be banging constantly on the wall to find the window and if you do not notice *that* you have a different problem.
For the very, very nervous, you could simply break the inside connection while the 'wall is rediscovering itself - of course if a single element firewall can produce such a window, then security is not a high priority with the organization. I prefer a triple layer of protection so that "dual-fail-operational" is possible. In some cases, I will go along with a two-factor model but do not like it. In no case is "single-fail-compromised" acceptable.

Of course, this is predicated on a "100% uptime" model and a reasonable budget. If you do not have that then you have different criteria but can always just "pull the plug".

Warmly,
Padgett

ps a few months ago some engineers were speaking at a trade show. Show had a policy against hucksterism in the sessions. Co. said to engineers "If you want to go, you must do some marketing." At the start of the session, the speaker announced this paradox and put up a picture of an F-16 with the comment "Buy one".

From firewalls-owner Fri Jul 14 07:38:22 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA10163 for firewalls-outgoing; Fri, 14 Jul 1995 07:11:09 -0700
Received: from mms (mms.mms-gmbh.de [193.103.159.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA10158 for ; Fri, 14 Jul 1995 07:10:59 -0700
Message-Id:
Comments: Authenticated sender is
From: "Frank Heinzius"
To: firewalls@greatcircle.com
Date: Fri, 14 Jul 1995 16:06:19 +0000
Subject: THANKS: Summary of known services
Reply-to: frimp@mms-gmbh.de
Priority: normal
X-mailer: Pegasus Mail for Windows (v2.01)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 13 Jul 95 at 13:00, firewalls@greatcircle.com wrote:

Hello Firewallers!

> Quoting myself...
> From time to time I analyze the logged packet filter denies from our
> firewall. Most denies are clear, but some hosts from the outside try
> strange UDP and TCP port numbers.
>
> Does anyone have a recent list of well-known services for TCP and UDP
> ports?
> Where can I obtain it?

Thanks for the responses. I had a services list from different books like the one from Cheswick/Bellovin, but some tips of you made it feasible for me to extend this list:

RFC 1700
strobe.services from the program strobe by Julian Assange (ftp://suburbia.net/pub/strobe.tgz)

I found out that most denied packets are ftp data connections (tcp src gt 1023 dst gt 1023) used by the Netscape WWW browser. This seems to be a dangerous fact: browsers like Mosaic use the assigned ftp-data channel, but Netscape uses non-privileged ports nearly at random. Of course, some of the services found in strobe.services or RFC1700 are perfectly overridden ;-)

Any ideas, how to handle ftp from WWW-browsers (except from removing the ftp-gateway pages)?

Greetings, Frank
--
***** The expressed opinions are totally mine! *****
Frank M. Heinzius MMS Communication GmbH frimp@mms-gmbh.de
Eiffestrasse 598 Phone: +49 40 2111105-0 Fax: +49 40 210 32 210

From firewalls-owner Fri Jul 14 08:05:25 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA11583 for firewalls-outgoing; Fri, 14 Jul 1995 07:58:15 -0700
Received: from cseic.saic.com (CSEIC.SAIC.COM [139.121.32.135]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA11575 for ; Fri, 14 Jul 1995 07:58:11 -0700
Received: by cseic.saic.com (4.1/1.34) id AA21010; Fri, 14 Jul 95 10:56:25 EDT
Date: Fri, 14 Jul 95 10:56:25 EDT
From: steveg@cseic.saic.com (Stephen Harold Goldstein)
Message-Id: <9507141456.AA21010@cseic.saic.com>
To: ferioli@disaster.com
Cc: FIREWALLS@greatcircle.com
In-Reply-To: <199507132140.RAA21255@eniac.disaster.com> (message from Michael Ferioli - D&D Consulting on Mon, 10 Jul 1995 17:03:26 -0400)
Subject: Re: UDP Proxying?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Michael D. Ferioli writes:
>
>You have an internal network protected by both a packet filtering router and
>a dual homed proxy gateway.
>You introduce a video conferencing package that
>runs over the Internet that uses 6 UDP ports. One port is static and
>listens (a la FTP) then 6 UDP ports over 1000 are setup. What are the options?
>

I'm interested in solutions to this problem as well, though I'm more flexible - what type of firewall solution would be best for this type of application?

Off the top of my head I would guess that one of the packet filtering products that maintains state information would do the job (Firewall-1 comes to mind), but can these handle opening up for more than one (in this case 6) outgoing ports based on one incoming request?

Stephen Goldstein
steveg@cseic.saic.com
Disclaimer: That's not what I said.

From firewalls-owner Fri Jul 14 08:44:48 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA12849 for firewalls-outgoing; Fri, 14 Jul 1995 08:30:58 -0700
Received: from zergo.com (zergo.demon.co.uk [158.152.17.176]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA12841 for ; Fri, 14 Jul 1995 08:30:53 -0700
Date: Fri, 14 Jul 95 15:26:48 GMT
Message-Id: <7@zergo.com>
From: broderic@zergo.com (Stuart Broderick)
Reply-To: broderic@zergo.com
To: firewalls-digest@greatcircle.com
Subject: Re: Quaratined Mail ??? -Thanks for the inputs
Lines: 9
X-Mailer: PCElm 3.1 (1.6 DIS)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thanks for the inputs on the original question, the responses confirmed my own opinions, but I had to ask !

Thanks again
Stuart
--
.
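Frank Heinzius' question above about logged `tcp src gt 1023 dst gt 1023` denies, and the four Cisco access-list lines Jack Stewart posts in reply later in this digest, both come down to how a stateless filter sees the two FTP data-connection styles. The following is an added example, not code from either poster: a small Python model of the extended access-list semantics (first match wins, implicit deny at the end, `established` true only when the ACK or RST bit is set) that parses Jack's four lines as given and walks an active-mode and a passive-mode transfer through the inbound list 102 and the outbound list 121. The inside client address in 161.34.0.0/16, the outside server 192.0.2.10, the probe source 198.51.100.7 and all port numbers other than 20 and 21 are constructed.

```python
"""Model of the Cisco extended access-list lines for passive FTP.

Added example (not code from any poster).  It parses the four access-list
lines Jack Stewart posts in this digest and evaluates sample packets against
them the way the router would: first match wins, implicit deny at the end,
and "established" true only when the TCP ACK or RST bit is set.  Addresses
other than 161.34.0.0/16 and ports other than 20/21 are constructed.
"""
from dataclasses import dataclass

PORT_NAMES = {"ftp": 21, "ftp-data": 20}   # names accepted in the ACL syntax

ACL_TEXT = """
access-list 102 permit tcp any eq ftp 161.34.0.0 0.0.255.255 gt 1023 established
access-list 102 permit tcp any gt 1023 161.34.0.0 0.0.255.255 gt 1023 established
access-list 121 permit tcp 161.34.0.0 0.0.255.255 gt 1023 any eq ftp
access-list 121 permit tcp 161.34.0.0 0.0.255.255 gt 1023 any gt 1023
"""


def ip2int(a):
    o = [int(x) for x in a.split(".")]
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]


@dataclass
class Rule:
    action: str
    src: tuple        # (network, wildcard) as ints
    sport: tuple      # (op, port) or None
    dst: tuple
    dport: tuple
    established: bool


def _parse_addr(tokens, i):
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    return (ip2int(tokens[i]), ip2int(tokens[i + 1])), i + 2


def _parse_port(tokens, i):
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt"):
        p = tokens[i + 1]
        return (tokens[i], PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acls(text):
    """Parse 'access-list N permit|deny tcp SRC [op port] DST [op port] [established]'."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[3] != "tcp":
            raise ValueError("unsupported line: " + line)
        number, action = int(t[1]), t[2]
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        est = i < len(t) and t[i] == "established"
        acls.setdefault(number, []).append(Rule(action, src, sport, dst, dport, est))
    return acls


def _addr_ok(spec, ip):
    net, wild = spec                       # wildcard bits are "don't care"
    return (ip2int(ip) & ~wild) == (net & ~wild)


def _port_ok(spec, port):
    if spec is None:
        return True
    op, p = spec
    return {"eq": port == p, "gt": port > p, "lt": port < p}[op]


def evaluate(rules, src, sport, dst, dport, ack=False, rst=False):
    """Return 'permit' or 'deny' for one TCP segment; implicit deny at the end."""
    established = ack or rst               # Cisco's definition of "established"
    for r in rules:
        if (_addr_ok(r.src, src) and _port_ok(r.sport, sport)
                and _addr_ok(r.dst, dst) and _port_ok(r.dport, dport)
                and (not r.established or established)):
            return r.action
    return "deny"


def ftp_scenarios():
    """Trace active and passive FTP between inside client 161.34.1.5 and a
    constructed outside server 192.0.2.10 through list 102 (in) and 121 (out)."""
    acl = parse_acls(ACL_TEXT)
    inbound, outbound = acl[102], acl[121]
    client, server = "161.34.1.5", "192.0.2.10"
    return {
        # control channel: SYN out to port 21, SYN/ACK back
        "control_syn_out": evaluate(outbound, client, 1500, server, 21),
        "control_synack_in": evaluate(inbound, server, 21, client, 1500, ack=True),
        # active mode: the server opens the data connection from port 20 (Mosaic)
        "active_data_syn_in": evaluate(inbound, server, 20, client, 1501),
        # passive mode: the client opens the data connection to a high port (Netscape)
        "passive_data_syn_out": evaluate(outbound, client, 1502, server, 40123),
        "passive_data_synack_in": evaluate(inbound, server, 40123, client, 1502, ack=True),
        # unsolicited SYN from outside to an internal high port (e.g. X11 on 6000)
        "unsolicited_syn_in": evaluate(inbound, "198.51.100.7", 4000, client, 6000),
        # the same probe with ACK set: "established" is a flag check, not connection state
        "ack_probe_in": evaluate(inbound, "198.51.100.7", 4000, client, 6000, ack=True),
    }


if __name__ == "__main__":
    for name, verdict in ftp_scenarios().items():
        print(f"{name:24s} {verdict}")
```

The trace shows why Frank sees gt 1023 to gt 1023 traffic at all: that is the passive data connection, and with Jack's rules it is permitted outbound and permitted back in only once the ACK bit is present, while an active-mode server connecting from port 20 is dropped. The last scenario is the caveat a practitioner wants next to `established`: it tests flag bits, not connection state, so an unsolicited segment with ACK set passes line 2 of list 102. A filter that keeps per-connection state, or a proxy, as Stephen Goldstein asks about above, closes that gap.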
From firewalls-owner Fri Jul 14 08:48:55 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA11277 for firewalls-outgoing; Fri, 14 Jul 1995 07:46:37 -0700
Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA11271 for ; Fri, 14 Jul 1995 07:46:33 -0700
Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA05875; Fri, 14 Jul 95 10:46:24 -0500
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9507141546.AA05875@hawksbill.sprintmrn.com>
Subject: Re: Internet security -organization vs. technical solutions
To: Wolfgang_Hopp@corange.com (Wolfgang Hopp)
Date: Fri, 14 Jul 1995 10:46:23 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9506148057.AA805728252@M24389.BMG.CORANGE.COM> from "Wolfgang Hopp" at Jul 14, 95 01:13:58 pm
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 1651
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> How can we
>
> * detect viruses within E-Mail messages (attached files)?

Not a practical implementation for a 'firewall'. There are simply too many methods to transmit & receive data in a format which may not lend itself to 'scanning,' and could be rather ugly to attempt to implement. A firewall should really be used as an access-control mechanism, not an end-all-be-all application gateway. Of course, you can use your 'firewall' as an application gateway, but most available products are targeted to existing (popular) internet services (ie. FTP, TELNET, HTTP).

> * suppress surfing in pornographic sites?
>

Strict access-control. Unfortunately, you would either have to PERMIT access to selective locations or DENY access to selective locations; either way, it may be virtually impossible to truly restrict on destination. PERMIT'ing or DENY'ing internet access altogether based on your (internal) host address would be more viable, however you won't make many friends.
:-)

> * establish organizational rules for internet usage
> (company policy, internet user agreement...)?
>

This is highly encouraged. Especially include language concerning inappropriate use, punitive damages, and formal reprimand. Training is also a key factor.

- paul
_______________________________________________________________________________
Paul Ferguson US Sprint tel: 703.689.6828
Managed Network Engineering internet: paul@hawk.sprintmrn.com
Reston, Virginia USA http://www.sprintmrn.com

From firewalls-owner Fri Jul 14 09:10:39 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA12567 for firewalls-outgoing; Fri, 14 Jul 1995 08:18:26 -0700
Received: from Esy.COM (ZEUS.ESY.COM [162.36.5.11]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA12560 for ; Fri, 14 Jul 1995 08:18:20 -0700
Received: from qmailgw ([162.36.1.58]) by Esy.COM (4.1/SMI-4.1) id AA22701; Fri, 14 Jul 95 10:18:06 CDT
Message-Id:
Date: 14 Jul 1995 10:13:54 -0600
From: "Ben Ball"
Subject: Re: Internet security -organ
To: "Wolfgang Hopp"
Cc: "Firewalls List"
X-Mailer: Mail*Link SMTP-QM 3.0.1
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

7/14/95 9:40 AM
Subject: RE>Internet security -organization vs. technical solutions

Wolfgang (may I call you Wolfgang?),

Since you've already set up your firewall, no, this is not the right place for your questions. However, I'm sure you will get much helpful info from this group anyway. They're a very intelligent bunch.

You asked:

>How can we
>
> * detect viruses within E-Mail messages (attached files)?

As with any file you bring into your system, if you're concerned about viruses, you scan them before you run them. An e-mail enclosure is just a file like any other. As long as you don't execute an infected file, it won't infect you.

> * suppress surfing in pornographic sites?

This is probably the easiest one.
You MUST do two things: 1) Hire professionals with strong work ethics and 2) give them meaningful, challenging work to do. If you can't do those two simple things, you'll never be able to prevent "porno-surf". You can't legislate morality.

At best, you could try to keep up with all the sites in the world that you consider pornographic (hey, then you get to do all the porno-surfing) and bog your firewall/gateway/router down trying to filter requests to them. Such an effort would be an administrative and computational nightmare. There are no generic "this is a porno site!" tags and no comprehensive list of sites, regularly updated, that you could leverage. This sort of filter is best left at the physical user level.

> * establish organizational rules for internet usage
> (company policy, internet user agreement...)?

How could you have set up a firewall without having first done this?!?

One piece of advice: Don't try to over legislate. Don't turn a wonderful resource and business tool into a dirty little secret. Expect your people to act professionally and they just might. Expect them to be sneaky and wasteful and they probably will. Educate rather than legislate. The beauty of the Internet, especially the Web, is its freeform, constantly evolving, nature. The more you try to control something like that, the more you invite workarounds, dissent, and reduced productivity.

Good luck and welcome to the world!
--
Benjamin Ball \ "Maybe all I need, besides my pills and surgery,
/ bball@esy.com / is a new metaphor for reality?"
- Queensryche \

From firewalls-owner Fri Jul 14 10:50:16 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA15580 for firewalls-outgoing; Fri, 14 Jul 1995 10:25:17 -0700
Received: from sashimi.wwa.com (sashimi.wwa.com [198.49.174.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA15575 for ; Fri, 14 Jul 1995 10:25:14 -0700
Received: by sashimi.wwa.com (Smail3.1.28.1 #8) id m0sWnYK-001VvrC; Fri, 14 Jul 95 11:25 CDT
Message-Id:
From: emp547@wwa.com (Eric Westburg)
Subject: Firewall Features/Evaluation
To: Firewalls-Digest@GreatCircle.com
Date: Fri, 14 Jul 1995 11:25:23 -0500 (CDT)
Cc: emp547@wwa.com (Eric Westburg)
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 675
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is there a document available that lists the features of various Firewall products and then evaluates them? We are looking at the products that we believe are the most secure: SideWinder, Eagle, BorderWare, and NetSP SNG. Is there consensus on which is the most secure? If so, are there any performance issues that arise because of the increased security? We are interested in using the Firewall between us and multiple networks, not just the Internet. I would be interested in any comments that any users of these products may have.
Eric Westburg
Household International
emp547@wwa.com
(708) 291-2046 Voice
(708) 559-7177 Fax

From firewalls-owner Fri Jul 14 10:51:13 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA14716 for firewalls-outgoing; Fri, 14 Jul 1995 09:38:50 -0700
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA14711 for ; Fri, 14 Jul 1995 09:38:48 -0700
Received: from macsch.com by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950602) id JAA02628; Fri, 14 Jul 1995 09:34:27 -0700
Received: from bootes.is.macsch.com by macsch.com (5.61/MSC-950614) id AA07549; Fri, 14 Jul 95 09:36:33 -0700
Received: from loki.is.macsch.com by bootes.is.macsch.com (4.1/MSCbootes.950222) id AA03107; Fri, 14 Jul 95 09:36:50 PDT
Received: (from jack@localhost) by loki.is.macsch.com (8.6.11/8.6.11) id JAA25728; Fri, 14 Jul 1995 09:38:28 -0700
From: "Jack Stewart"
Message-Id: <9507140938.ZM25726@loki.is.macsch.com>
Date: Fri, 14 Jul 1995 09:38:28 -0700
In-Reply-To: "Frank Heinzius" "THANKS: Summary of known services" (Jul 14, 4:06pm)
References:
X-Mailer: Z-Mail (3.2.1 10apr95)
To: frimp@mms-gmbh.de
Subject: Re: THANKS: Summary of known services
Cc: firewalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Jul 14, 4:06pm, Frank Heinzius wrote:
>
> I found out that most denied packets are ftp data connections (tcp
> src gt 1023 dst gt 1023) used by the Netscape WWW browser. This seems to
> be a dangerous fact: browsers like Mosaic use the assigned ftp-data
> channel, but Netscape uses non-privileged ports nearly at random. Of
> course, some of the services found in strobe.services or RFC1700 are
> perfectly overridden ;-)
>
> Any ideas, how to handle ftp from WWW-browsers (except from removing
> the ftp-gateway pages)?
>

Actually, it is a GOOD thing!
Netscape uses PASV ftp by default (passive ftp). You should refer to Cheswick and Bellovin for a discussion on passive ftp but basically it is a good idea. A 10.3(3) Cisco access list for ftp might look like this:

access-list 102 permit tcp any eq ftp 161.34.0.0 0.0.255.255 gt 1023 established
access-list 102 permit tcp any gt 1023 161.34.0.0 0.0.255.255 gt 1023 established
access-list 121 permit tcp 161.34.0.0 0.0.255.255 gt 1023 any eq ftp
access-list 121 permit tcp 161.34.0.0 0.0.255.255 gt 1023 any gt 1023

You would use access list 102 for incoming packets and 121 for outgoing packets. This will get passive-ftp up and working. WS-FTP, Netscape, and anarchie work with passive ftp. It is also possible to modify ftp client code for passive ftp.

---Jack
--
Jack Stewart #include
Communications Administrator email: jack.stewart@macsch.com
MacNeal-Schwendler Corporation fax: 213-259-3838

From firewalls-owner Fri Jul 14 11:34:07 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA00399 for firewalls-outgoing; Fri, 14 Jul 1995 11:09:29 -0700
Received: from eniac.disaster.com ([205.139.198.11]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA00394 for ; Fri, 14 Jul 1995 11:09:23 -0700
Received: from pc2.expoguide.com (pc2.expoguide.com [205.139.198.22]) by eniac.disaster.com (8.6.9/8.6.9) with SMTP id OAA26662; Fri, 14 Jul 1995 14:33:01 -0400
Message-Id: <199507141833.OAA26662@eniac.disaster.com>
X-Sender: ferioli@eniac.disaster.com
X-Mailer: Windows Eudora Version 2.1.1b7
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 11 Jul 1995 13:54:59 -0400
To: paul@hawksbill.sprintmrn.com (Paul Ferguson), Wolfgang_Hopp@corange.com (Wolfgang Hopp)
From: Michael Ferioli - D&D Consulting
Subject: Re: Internet security -organization vs. technical solutions
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> * suppress surfing in pornographic sites?
>>
>
>
>Strict access-control. Unfortunately, you would either have to
>PERMIT access to selective locations or DENY access to selective
>locations;

On this subject, where can one find a list of such sites? Is one publicly available? (Older lists are ok too)

Mike
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Michael D. Ferioli Internet: ferioli@disaster.com
D&D Consulting CIS: 73542,2601
Albany, New York PHONE: (518) 462-0900 FAX: (518) 432-1829
For info on D&D, mail to info@disaster.com or http://www.disaster.com
INTERNET/UNIX/SECURITY/LAN/WAN SPECIALISTS AND MORE ALL UNDER ONE ROOF
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Fri Jul 14 11:50:14 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA01092 for firewalls-outgoing; Fri, 14 Jul 1995 11:41:26 -0700
Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA01081 for ; Fri, 14 Jul 1995 11:41:21 -0700
Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA07478; Fri, 14 Jul 95 14:40:12 -0500
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9507141940.AA07478@hawksbill.sprintmrn.com>
Subject: Re: Internet security -organization vs. technical solutions
To: ferioli@disaster.com (Michael Ferioli - D&D Consulting)
Date: Fri, 14 Jul 1995 14:40:12 -0500 (EST)
Cc: Wolfgang_Hopp@corange.com, firewalls@GreatCircle.COM
In-Reply-To: <199507141833.OAA26662@eniac.disaster.com> from "Michael Ferioli - D&D Consulting" at Jul 11, 95 01:54:59 pm
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 811
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> >> * suppress surfing in pornographic sites?
> >>
> >
> >
> >Strict access-control.
> >Unfortunately, you would either have to
> >PERMIT access to selective locations or DENY access to selective
> >locations;
>
> On this subject, where can one find a list of such sites? Is one publicly
> available? (Older lists are ok too)
>

Not sure there is such a list, and if there were, it would probably be obsolete or outdated upon publication. :-)

- paul
_______________________________________________________________________________
Paul Ferguson US Sprint tel: 703.689.6828
Managed Network Engineering internet: paul@hawk.sprintmrn.com
Reston, Virginia USA http://www.sprintmrn.com

From firewalls-owner Fri Jul 14 11:51:10 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA01030 for firewalls-outgoing; Fri, 14 Jul 1995 11:39:53 -0700
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA01025 for ; Fri, 14 Jul 1995 11:39:51 -0700
Received: from gw2.att.com by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950602) id LAA00392; Fri, 14 Jul 1995 11:34:51 -0700
Received: from vodka.sse.att.com (vodka.gc.att.com) by ig2.att.att.com id AA07211; Fri, 14 Jul 95 14:24:54 EDT
Message-Id: <9507141824.AA07211@ig2.att.att.com>
From: mdr@vodka.sse.att.com
Subject: Re: Quarentined Mail
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson P.E. Information Security)
Date: Fri, 14 Jul 1995 13:45:05 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <9507131239.AA23978@uvs1.orl.mmc.com> from "A. Padgett Peterson, P.E.
Information Security" at Jul 13, 95 08:39:53 am
X-Mailer: ELM [version 2.4 PL23-upenn2.7]
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Padgett writes:
> On the gripping hand, while you cannot determine what such "masked" code is,
> you *can* separate such code from flat ASCII with simple frequency analysis
> techniques as have been developed by cryptoanalysts to determine when
> a code has been broken. These have been around for a considerable time.
....
>
> Thus it would be feasible to construct a policy whereby plain flat ASCII
> mail is forwarded automatically to the recipient while "anything else"
> is examined first.
>

I'm not a cryptoanalyst, but I believe that the task of the algorithms that you mention is to see if the attempt at decryption produced plain text. The inverse problem of determining if plain text contains encoded data is different and not very easy to solve.

Suppose that I choose 256 common words. I could encode my binary by sending one ascii word per byte. The output wouldn't make any sense to an English reader, but a computer program would have a difficult time differentiating it from other email. Of course there are some AI programs directed at understanding English text.... but then I could just use 256 common English sentences instead, or 256 paragraphs. There's probably a bazillion other ways to do this. Adding more and more fluff decreases the effective bandwidth but makes detection harder.

It would be impossible to completely block email containing covert data even if a human read every message! But you could cut down on the obvious, like uuencode, and maybe block some of the simple work arounds like I've mentioned on an ad-hoc basis.
Mark Riggins
Secure Systems Engineering
AT&T Bell Labs

From firewalls-owner Fri Jul 14 13:35:48 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA02085 for firewalls-outgoing; Fri, 14 Jul 1995 13:03:32 -0700
Received: from sunthing.sjsinc.com (sunthing.sjsinc.com [140.174.165.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA02080 for ; Fri, 14 Jul 1995 13:03:27 -0700
Received: by sunthing.sjsinc.com Mailer: sendmail (8.6.12/8.6.9) Protocol: Id: NAA05035; Fri, 14 Jul 1995 13:02:01 -0700
Date: Fri, 14 Jul 1995 13:02:01 -0700
From: sjs@sunthing.sjsinc.com (Stefan Jon Silverman)
Message-Id: <199507142002.NAA05035@sjsinc.com>
To: firewalls@greatcircle.com
Subject: Need network maps
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Folks:

This is sort of off of the main-line for this forum, but because it does impact tangentially on what one does when attacked I thought I would put my toes in the water and ask the question.

The COAST project at Purdue University (ftp://coast.cs.purdue.edu) is acting as a mirror site for the Australian release of a piece of software called geotraceman (an X GIS mapping implementation of our old friend traceroute). If anyone wants to play with it, it's available from the above ftp site in /pub/tools/unix/netmon/netman. It appears to be a great tool.

The problem I'm having, though, is that the cache_file maps of major US networks are woefully under-populated. I have been sitting here part of the morning doing traceroutes to a variety of sites, trying to figure out the cities that switches, routers, etc. live in and then populating the cache file with that information and the latitude / longitude information from the included cities files. It has taken me better than 2 hours to map out MCI's high speed backbone network.

Does anybody out there have, or know where I can get maps of the big networks (MCI, Sprint, Alternet...)
with IP addresses, resolvable names, and geographic locations (I can fill in the lat. /long. from the city files). I tried the Sprint web-server, but it does not have any maps.

I will, of course, honor the request of the package's author and send him my up-dated maps for the next release (which is supposed to feature dns lookup also).

Hope I'm not wasting bandwidth on too far of a tangent....TIA

thanx, b c++'ing u, %-)

sjs
--------------------------------------------------------------------------------
Stefan Jon Silverman - President SJS Associates, N.A., Inc.
572 Chestnut Street Distributed Systems Architecture & Implementation
San Francisco, Ca. 94133 Phone: 415 989 2741
E-mail: sjs@sjsinc.com Cell: 415 519 3494
--------------------------------------------------------------------------------
Weebles wobble, but they don't fall down!!!
--------------------------------------------------------------------------------

From firewalls-owner Fri Jul 14 17:24:12 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA05756 for firewalls-outgoing; Fri, 14 Jul 1995 17:07:45 -0700
Received: from willy.nexial.nl (ns.nexial.nl [193.78.27.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id RAA05751 for ; Fri, 14 Jul 1995 17:07:41 -0700
Received: (from kim@localhost) by willy.nexial.nl (8.6.10/8.6.10) id CAA19129; Sat, 15 Jul 1995 02:05:37 +0200
From: Kim Hendrikse
Message-Id: <199507150005.CAA19129@willy.nexial.nl>
Subject: Fuzzy search the firewalls mailing list
To: firewalls@greatcircle.com
Date: Sat, 15 Jul 1995 02:05:36 +0200 (MET DST)
Cc: kim@willy.nexial.nl (Kim Hendrikse)
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Content-Length: 1843
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Interested in searching the firewalls archives? Can't quite remember how that article went? Then you may find the following "Fuzzy" index of the firewalls archives useful.
This is accessible from our home page: http://www.nexial.nl

This uses NexTrieve (http://www.nexial.nl/nextrieve.html) to produce a fast searchable index with tolerance to spelling errors in all parts of the input query. For example one can enter "suscribe" to see all entries similar to the correct version ;-). Fuzziness is applied to all of the words entered simultaneously and the "most similar" matches are displayed. e.g. Entering "natwork adress trenslation" finds at the top of the list "network-level address translation" and vice versa if someone had spelt it that badly.

Note this isn't an agrep implementation but a true fuzzy index.

I hope you find it useful :-)

- Cheers
Kim Hendrikse
_____________________________________________________________________________
Nexial Systems E-mail: kim@nexial.nl
Ph: +31 4755 1643
Fax: +31 4755 1552
St. Annastraat 4
6109 RH Ohe en Laak
The Netherlands
http://www.nexial.nl
_____________________________________________________________________________

From firewalls-owner Fri Jul 14 18:15:12 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA07080 for firewalls-outgoing; Fri, 14 Jul 1995 17:59:34 -0700
Received: from mail1.eworld.com (hp1.online.apple.com [192.215.65.17]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id RAA07068 for ; Fri, 14 Jul 1995 17:59:31 -0700
From: Kodzo@eworld.com
Received: by hp1.online.apple.com (1.37.109.16/16.2) id AA265249909; Fri, 14 Jul 1995 17:58:29 -0700
Date: Fri, 14 Jul 1995 17:58:29 -0700
Message-Id: <950714175828_12194525@eWorld.com>
To: firewalls@greatcircle.com
Subject: Policy Statement on Internet Usage
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My college will soon be providing Internet services (SMTP, FTP, Gopher, TELNET & HTTP) to employees & students.
My dept., as the ISP, is tasked by management to create a policy statement that connections to other sites may be blocked or monitored; all employees and students would have to sign the statement before being granted access.

Are there any academic sites out there that are implementing such a policy -- what is the language of the statement (may I have a copy of the contract), what objections have been raised and how were they resolved, who decides what is/is not blocked, what action is taken when somebody violates the contract, etc.?

From firewalls-owner Fri Jul 14 19:17:11 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA09695 for firewalls-outgoing; Fri, 14 Jul 1995 18:59:17 -0700
Received: from TIS.COM (neptune.tis.com [192.94.214.96]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id SAA09690 for ; Fri, 14 Jul 1995 18:59:14 -0700
Received: from relay.tis.com by neptune.TIS.COM id aa15891; 14 Jul 95 21:57 EDT
Received: from pluto.tis.com(192.94.214.99) by relay.tis.com via smap (g3.0.1) id xma002072; Fri, 14 Jul 95 21:51:01 -0400
Received: by tis.com (4.1/SMI-4.1) id AA20195; Fri, 14 Jul 95 21:55:10 EDT
From: Marcus J Ranum
Message-Id: <9507150155.AA20195@tis.com>
Subject: Re: Internet security -organization vs. technical solutions
To: firewalls@greatcircle.com
Date: Fri, 14 Jul 1995 21:55:09 -0400 (EDT)
In-Reply-To: <9507141546.AA05875@hawksbill.sprintmrn.com> from "Paul Ferguson" at Jul 14, 95 10:46:23 am
Reply-To: mjr@iwi.com
Organization: Information Works! Inc, Baltimore, MD
Url: mjr's web page
Phone: 410-889-8569
Coredump: Infocalypse Now!!!
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 482
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Paul Ferguson writes:
>> * establish organizational rules for internet usage
>> (company policy, internet user agreement...)?

Here's one I really like.
Just present this to your users when they get an account:

I __________________ understand that by having Internet access from my corporate account I have the ability to embarrass myself and my corporation instantly in front of 3 million people.

Signed:____________________
Date:______________________

mjr.

From firewalls-owner Fri Jul 14 20:15:10 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA10885 for firewalls-outgoing; Fri, 14 Jul 1995 20:00:19 -0700
Received: from vnet.net (elvis.vnet.net [166.82.1.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id UAA10878 for ; Fri, 14 Jul 1995 20:00:14 -0700
Received: from char.vnet.net by vnet.net with SMTP id AA28011 (5.67b/IDA-1.5 for ); Fri, 14 Jul 1995 21:59:13 -0500
Received: from jnash.vnet.net by char.vnet.net (5.67b) id AA07594; Fri, 14 Jul 1995 22:59:09 -0400
Received: by jnash.vnet.net with Microsoft Mail id <01BA523E.5A1B52A0@jnash.vnet.net>; Fri, 14 Jul 1995 23:05:45 -0400
Message-Id: <01BA523E.5A1B52A0@jnash.vnet.net>
From: Jason Nash
To: "'firewalls'"
Subject: RE: irc-doom: dilbert on unix
Date: Fri, 14 Jul 1995 22:54:49 -0400
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[DISCLAIMER- MICROSOFT NETWORK IS PROHIBITED FROM DISTRIBUTING THIS WORK]
[IN ANY FORM. COPYRIGHT, 1995. LICENSE TO DISTRIBUTE THIS POST IS       ]
[AVAILABLE TO MICROSOFT FOR $1000: ALL OTHERS ARE FREE.                 ]
[PLEASE SEND NOTICE OF VIOLATION TO POSTMASTER@MICROSOFT.COM AND        ]
[SHELDONC@ACY.DIGEX.NET                                                 ]

I just love this lamer than lame .sig. Gimme a break. Like you can post a message, especially on a newsgroup, and say that someone can't reproduce it. G'z.
Jason

From firewalls-owner Sat Jul 15 02:45:16 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA20731 for firewalls-outgoing; Sat, 15 Jul 1995 02:32:58 -0700
Received: from mermaid.lake.de (mermaid.lake.de [193.197.24.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id CAA20726 for ; Sat, 15 Jul 1995 02:31:37 -0700
Received: from bedard.lake.de by mermaid.lake.de with smtp sMail id m0sXQxu-0004l9C; Sun, 16 Jul 95 11:30 GMT+0100
Message-Id:
X-Sender: sbedard@mermaid.lake.de
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sat, 15 Jul 1995 11:35:23 +0100
To: Firewalls@GreatCircle.COM
From: sbedard@mermaid.lake.de (David C Bedard)
Subject: Source Routing
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

---resend----

I am running off of two nearly identical PCs (486DX-33 and 40) and running a trumpet WINSOCK. One runs behind a firewall, the other has a SLIP connection to the internet server. For both, several sites that we want to regularly communicate with are routed through what we feel is a congested and inappropriate routing which causes unacceptable delays and fallouts.

What can I do to send the packets intended for this one sensitive connection (the other connections are also slow and flakey, but the applications are not sensitive) on a specific route, or at least bypass one troublesome node? Of course I know that if source routing is turned off that this isn't possible but I would like to try.

David C. Bedard       | A LEFTY SAID IT: "We must not confuse dissent with
Compuserve:           | disloyalty" - Edward R. Murrow
100337.2420           |
------------          | "Necessity is the plea for every infringement of human
sbedard@              | freedom. It is the argument of tyrants; it is the
mermaid.lake.de       | creed of slaves."
                      |   William Pitt [November 18, 1783]
------------------------------------------------------------------------

From firewalls-owner Sat Jul 15 05:15:21 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA22575 for firewalls-outgoing; Sat, 15 Jul 1995 04:52:27 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id EAA22570 for ; Sat, 15 Jul 1995 04:52:23 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA03034; Sat, 15 Jul 95 07:27:13 -0400
Date: Sat, 15 Jul 95 07:27:13 -0400
Message-Id: <9507151127.AA03034@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Re: Quarentined mail
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mark rites:
>The inverse problem of determining if
>plain text contains encoded data is different and not very
>easy to solve.

1) *Anything* is possible until proven im and not always then.

2) We are dealing with the real world here. One of the problems most of us face is often too narrow a world view, getting hung up on tighter and tighter specialization until we "know everything there is about nothing at all".

The purpose of a defense is not to be perfect (though that would be nice), rather to be Good Enough (see my theory of quantum economics) that attempts will not be mounted against it. From a defender's point of view, the best war is one that never starts.

The purposes of a firewall are similarly psychological as well as physical (as much as any electronic barrier is physical) and this has several ramifications, only one of which is to deter outsiders from getting in. Others are:

1) evidence of due care
2) reminder to people on the inside that due care is being exercised
3) statement to the world outside of an attitude.

>Suppose that I choose 256 common words.
>I could encode my binary by
>sending one ascii word per byte.
(other even more obscure examples omitted)

Sure you could but this requires two things:

1) Someone on the other side of the 'wall doing the same thing
2) A desire to circumvent the policy (most people in a well-run environment want to do the Right Thing - it's their rice bowl).

It would also be much easier (and has the same prerequisites) to
- mail a floppy
- use FTP
- use a modem
- learn morse code
- send via the touch tones on a phone
- write the code on the back of a duck (steganography)

I did not think that this was the purpose of this forum (may belong on sci.crypt), rather we were looking at real-world ways to protect people on the inside from receiving hidden viruses & other malicious software and again, protection from that is relatively simple given a rules-based system (whitespace analysis might be sufficient).

Bottom line is that such obtuse mechanisms might well work but would also be considered prima facie evidence of intent. A firewall need not and should not be the only defense.

Warmly,
Padgett

ps would like to hear from anyone knowledgeable in computer access at the University of Florida, Gainesville. Please reply directly to padgett@tccslr.dnet.mmc.com

From firewalls-owner Sat Jul 15 06:18:07 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA23566 for firewalls-outgoing; Sat, 15 Jul 1995 06:11:10 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA23561 for ; Sat, 15 Jul 1995 06:11:06 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA03311; Sat, 15 Jul 95 08:57:28 -0400
Date: Sat, 15 Jul 95 08:57:28 -0400
Message-Id: <9507151257.AA03311@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: re: Dilbert on Unix
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>[DISCLAIMER- MICROSOFT NETWORK IS PROHIBITED FROM DISTRIBUTING THIS WORK]...

>I just love this lamer than lame .sig. Gimme a break. Like you can
>post a message, especially on a newsgroup, and say that someone can't
>reproduce it. G'z.

Actually you can in the US if copyrighted (and I have heard that everything written is now so considered unless explicitly declared in the Public Domain). Doubt that it would be a criminal citation but could certainly be the basis for civil litigation (dunno if you would get anywhere with it but could - here you can sue for *anything* real or imagined). Look at the Playboy .GIFs case in Miami for an example.

Now in this case the disclaimer is against an individual entity and not the general public but is the same concept.

Point is that you can *say* anything you want. Question is
1) Is it enforceable ?
2) Can you prove damage ?
3) Could you collect (in this lifetime) ?

Ask a real lawyer (probably should be getting referral fees from the bar ass.)

Warmly,
Padgett

From firewalls-owner Sat Jul 15 06:31:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA23477 for firewalls-outgoing; Sat, 15 Jul 1995 05:56:09 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA23472 for ; Sat, 15 Jul 1995 05:56:03 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA03269; Sat, 15 Jul 95 08:35:02 -0400
Date: Sat, 15 Jul 95 08:35:01 -0400
Message-Id: <9507151235.AA03269@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Policy statement on Internet usage
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>what is the language of the statement
>(may I have a copy of the contract),

A couple of years ago the department of justice issued an advisory with a suggested disclaimer (the text may be seen by telneting to Dockmaster (dockmaster.ncsc.mil) when it is up - the disclaimer comes up before the login prompt).

The bottom line is to use language that does not limit your rights as the computer (property) owner while setting forth a standard of acceptable behavior. It is a contract in that both sides are receiving consideration and should include penalty clauses. *Enforceable/enforced* ones, otherwise you might be limited to saying "naughty, naughty".

Get your legal department involved. Tell them what your expectations are and ask how to word them. *Do not* ask them to draft the policy.

Make sure that it says that *you* have the right to monitor anything/anytime but be careful not to word it such that you *must* monitor. A sample of something like this might be:

"We will make every effort to respect the privacy of individual E-Mail/accounts/transactions, however in the course of normal maintenance anything may be observed and if deemed inappropriate may be brought to the attention of authorities. Further, properly authorized individuals in the course of an investigation have the right to examine anything residing on or passing through XXX owned, leased, or operated equipment."

Key word is "may". "Must" or "shall" should be avoided since that places an obligation on *you*. Ask your local shyster (am not one, yet).

So far, the courts in the US have found for the system owner particularly where proper notice was made to the users of exactly what was expected of them and what they might expect in exchange for access. Yes, even "public" institutions. (Due care of the public trust).
Warmly,
Padgett

From firewalls-owner Sat Jul 15 12:15:17 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA28384 for firewalls-outgoing; Sat, 15 Jul 1995 11:59:06 -0700
Received: from little-miami.iac.net (little-miami.iac.net [198.180.60.135]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA28377 for ; Sat, 15 Jul 1995 11:59:00 -0700
Received: by little-miami.iac.net id OAA20298; Sat, 15 Jul 1995 14:57:54 -0400
Date: Sat, 15 Jul 1995 14:57:53 -0400 (EDT)
From: Carl Jolley
To: mdr@vodka.sse.att.com
cc: "A. Padgett Peterson P.E. Information Security" , firewalls@GreatCircle.COM
Subject: Re: Quarentined Mail
In-Reply-To: <9507141824.AA07211@ig2.att.att.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 14 Jul 1995 mdr@vodka.sse.att.com wrote:

> Padgett writes:
> > On the gripping hand, while you cannot determine what such "masked" code is,
> > you *can* separate such code from flat ASCII with simple frequency analysis
> > techniques as have been developed by cryptoanalysts to determine when
> > a code has been broken. These have been around for a considerable time.
> ....
> >
> > Thus it would be feasible to construct a policy whereby plain flat ASCII
> > mail is forwarded automatically to the recipient while "anything else"
> > is examined first.
> >
>
> I'm not a cryptoanalyst, but I believe that
> the task of the algorithms that you mention is to see if the attempt at
> decryption produced plain text. The inverse problem of determining if
> plain text contains encoded data is different and not very
> easy to solve.
> [some stuff deleted]
>
> It would be impossible to completely block email containing
> covert data even if a human read every message! But you could cut
> down on the obvious, like uuencode, and maybe block some of the
> simple work arounds like I've mentioned on an ad-hoc basis.
>
> Mark Riggins
> Secure Systems Engineering
> AT&T Bell Labs
>

I agree one could cut down on the obvious. It would probably work so well that people who received e-mail would tend to believe that any attachment that made its way to them was completely safe.

**** cjolley@iac.net ****
**** All opinions are my own and not necessarily those of my employer ****

From firewalls-owner Sat Jul 15 18:24:43 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA01177 for firewalls-outgoing; Sat, 15 Jul 1995 18:00:03 -0700
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id RAA00934 for ; Sat, 15 Jul 1995 17:59:24 -0700
Received: from uvs1.orl.mmc.com by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950602) id PAA00421; Sat, 15 Jul 1995 15:25:50 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA04646; Sat, 15 Jul 95 17:39:03 -0400
Date: Sat, 15 Jul 95 17:39:02 -0400
Message-Id: <9507152139.AA04646@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Layers of responsibility (was re: Quarentined mail)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Carl rote:
>I agree one could cut down on the obvious. It would probably work so
>well that people who received e-mail would tend to believe that any
>attachment that made its way to them was completely safe.

And the responsibility for that layer of the security policy lies with the training department and not the firewall.

Sorry but the concept of "why bother, the users will abuse it anyway", is one that I have heard too often as an excuse for not doing The Right Thing. First time was from Emmanuel Goldstein explaining why he felt it was all right to publish details of the vulnerabilities of the NY school system in 2600 without sending them a copy.
(do agree he had the right to publish - that is not the issue - my problem is with his restriction of the information from the entity involved).

Warmly,
Padgett

From firewalls-owner Sat Jul 15 18:54:41 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA02310 for firewalls-outgoing; Sat, 15 Jul 1995 18:39:06 -0700
Received: from hermes.intel.com (hermes.intel.com [143.183.152.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id SAA02302 for ; Sat, 15 Jul 1995 18:39:03 -0700
Received: from argus.intel.com by hermes.intel.com (5.65/10.0i); Sat, 15 Jul 95 18:38:03 -0700
Received: by argus.intel.com (5.65/10.0i); Sat, 15 Jul 95 18:38:01 -0700
From: sedayao@argus.intel.com (Jeffrey C. Sedayao)
Message-Id: <9507160138.AA29641@argus.intel.com>
Subject: Re: Internet security -organ
To: ben_ball@qmailgw.Esy.COM (Ben Ball)
Date: Sat, 15 Jul 95 18:38:01 PDT
Cc: Wolfgang_Hopp@corange.com, firewalls@greatcircle.com
In-Reply-To: from "Ben Ball" at Jul 14, 95 10:13:54 am
X-Mailer: ELM [version 2.4dev PL66]
Mime-Version: 1.0
Content-Type: text
Content-Length: 2736
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[stuff deleted]

> infect you.
>
> > * suppress surfing in pornographic sites?
>
> This is probably the easiest one. You MUST do two things: 1) Hire
> professionals with strong work ethics and 2) give them meaningful,
> challenging work to do. If you can't do those two simple things, you'll
> never be able to prevent "porno-surf". You can't legislate morality. At
> best, you could try to keep up with all the sites in the world that you
> consider pornographic (hey, then you get to do all the porno-surfing) and bog
> your firewall/gateway/router down trying to filter requests to them. Such an
> effort would be an administrative and computational nightmare. There are no
> generic "this is a porno site!" tags and no comprehensive list of sites,
> regularly updated, that you could leverage.
> This sort of filter is best left
> at the physical user level.

There is a company called Surfwatch that reportedly will provide a list of sites to filter (or add to your bookmarks/hotlist :-)). They have some services for keeping the list up to date (that must be an interesting job! :-)). For more information, call (415) 948-9500 or send mail to info@surfwatch.com. I have never used the service - this is just the information I got from the company.

If you did get the list of porno sites regularly, you could configure a CERN or Netscape proxy server to stop access to them.

> > * establish organizational rules for internet usage
> > (company policy, internet user agreement...)?
>
> How could you have set up a firewall without having first done this?!?

It's really easy (having made this mistake myself).

> One piece of advice: Don't try to over legislate. Don't turn a wonderful
> resource and business tool into a dirty little secret. Expect your people to
> act professionally and they just might. Expect them to be sneaky and
> wasteful and they probably will. Educate rather than legislate. The beauty
> of the Internet, especially the Web, is its freeform, constantly evolving,
> nature. The more you try to control something like that, the more you invite
> workarounds, dissent, and reduced productivity. Good luck and welcome to the
> world!

Having good guidelines and communicating them will help. A statement like "corporate resources for business use only (and incidental uses)" is good. Also remind management that their job is to manage. You can put in all the porno filters you want, but employees can always find a way to waste time if they really want.

> --
> Benjamin Ball     \ "Maybe all I need, besides my pills and surgery, /
> bball@esy.com     / is a new metaphor for reality?"
>                   \   - Queensryche
--
Jeff Sedayao
Intel Corporation
sedayao@argus.intel.com

From firewalls-owner Sat Jul 15 19:54:38 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA04231 for firewalls-outgoing; Sat, 15 Jul 1995 19:45:09 -0700
Received: from bayflash.stpt.usf.edu (bayflash.stpt.usf.edu [131.247.140.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id TAA04226 for ; Sat, 15 Jul 1995 19:45:07 -0700
Received: (johnson@localhost) by bayflash.stpt.usf.edu (8.6.11/8.6.5) id WAA04190; Sat, 15 Jul 1995 22:42:52 -0400
Date: Sat, 15 Jul 1995 22:42:52 -0400 (EDT)
From: Steven Johnson - Hukd on Fonix
X-Sender: johnson@bayflash
To: "Jeffrey C. Sedayao"
cc: firewalls@GreatCircle.COM
Subject: Re: Internet security -organ
In-Reply-To: <9507160138.AA29641@argus.intel.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 15 Jul 1995, Jeffrey C. Sedayao wrote:

> [stuff deleted]
> There is a company called Surfwatch that reportedly will provide a list
> of sites to filter (or add to your bookmarks/hotlist :-)). They have
> some services for keeping the list up to date (that must be an
> interesting job! :-)).

I fail to see how such an organization could make a profit (provided that it is a for-profit organization). Couldn't I, after receiving a list I paid for, post it on the net at an ftp site, thus crippling their business? Is the list the only service they provide?
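Jeff Sedayao's suggestion earlier in this thread, feeding a purchased site list into a CERN or Netscape proxy so it refuses those sites, is the one technical step proposed here, and the weak spot of such a filter is usually the matching rather than the list. The following is an added example and is not code from any post in this thread, nor Surfwatch's list format, nor CERN httpd or Netscape proxy configuration; it assumes a hypothetical feed with one hostname or IP address per line (the sample is constructed, and the leading-dot convention for "this domain and all sub-domains" is this example's own), and shows the normalization a proxy has to apply to a request URL before comparing it against the list, so that mixed case, a trailing dot, a port, embedded credentials, a sub-domain or an IP literal do not slip past the check.

```python
"""Hostname blocklist matching for a filtering proxy (added illustration).

Assumes a hypothetical vendor list of one hostname or IP address per line;
entries starting with '.' cover the domain and all its sub-domains. That
convention and the sample feed are constructed for this example, not a
documented Surfwatch, CERN httpd or Netscape proxy format.
"""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample feed; the comment line, mixed case, and the leading and
# trailing dots are there to exercise the normalization below.
SAMPLE_LIST = """\
# vendor feed, one entry per line
blocked.example
.nasty.example.net
BADHOST.EXAMPLE.org.
192.0.2.10
"""


def parse_blocklist(text):
    """Split a feed into (domains, addresses).

    Domain entries are lower-cased with leading/trailing dots removed; IP
    literals go into their own set so they compare as addresses, not strings.
    """
    domains, addresses = set(), set()
    for line in text.splitlines():
        entry = line.strip().lower()
        if not entry or entry.startswith("#"):
            continue
        try:
            addresses.add(ip_address(entry))
        except ValueError:
            domains.add(entry.strip("."))
    return domains, addresses


def canonical_host(url):
    """Return the host of a request URL in comparison form, or None.

    urlsplit().hostname already lower-cases and strips userinfo, the port
    and IPv6 brackets; the trailing dot of an FQDN is removed here. A bare
    'host/path' as typed into a browser is accepted by defaulting the scheme.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    return host.rstrip(".") if host else None


def is_blocked(url, domains, addresses):
    """True if the URL's host is a listed address, a listed domain, or a
    sub-domain of a listed domain.

    Matching label by label avoids the classic endswith() bug, where an entry
    'blocked.example' would also catch 'notblocked.example'.
    """
    host = canonical_host(url)
    if host is None:
        return False
    try:
        return ip_address(host) in addresses
    except ValueError:
        pass  # not an IP literal: fall through to the domain check
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def check(url, feed=SAMPLE_LIST):
    """Convenience wrapper: parse a feed and test one URL against it."""
    domains, addresses = parse_blocklist(feed)
    return is_blocked(url, domains, addresses)


if __name__ == "__main__":
    for u in ("http://User:pw@BLOCKED.EXAMPLE.:8080/page",
              "www.deep.nasty.example.net/x",
              "http://notblocked.example/",
              "http://192.0.2.10/"):
        print(u, "->", "BLOCK" if check(u) else "allow")
```

Two caveats follow from the code rather than from the list. A name-based entry says nothing about the IP address the site resolves to, so a request that uses the literal address is only caught if the feed lists it too; and a list that is only refreshed periodically, as the posts above describe, can only ever be as current as its last update, so logging the refused requests matters as much as refusing them.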
From firewalls-owner Sat Jul 15 21:24:39 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA06591 for firewalls-outgoing; Sat, 15 Jul 1995 21:02:15 -0700
Received: from gw1.octel.com (gw1.octel.com [148.147.1.12]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id VAA06586 for ; Sat, 15 Jul 1995 21:02:12 -0700
Received: (from daemon@localhost) by gw1.octel.com (8.6.10/8.6.10) id VAA10714; Sat, 15 Jul 1995 21:00:39 -0700
Received: from curly.eng.octel.com(148.147.200.26) by gw1.octel.com via smap (V1.3) id sma010706; Sat Jul 15 21:00:21 1995
Received: from laura.eng.octel.com (laura.eng.octel.com [148.147.206.4]) by curly.eng.octel.com (8.6.12/8.6.12) with ESMTP id VAA26512; Sat, 15 Jul 1995 21:00:21 -0700
Received: (from hbo@localhost) by laura.eng.octel.com (8.6.12/8.6.12) id VAA02657; Sat, 15 Jul 1995 21:00:20 -0700
Date: Sat, 15 Jul 1995 21:00:20 -0700
From: hbo@octel.com (Howard B Owen)
Message-Id: <199507160400.VAA02657@laura.eng.octel.com>
To: johnson@bayflash.stpt.usf.edu
CC: firewalls@GreatCircle.COM
In-reply-to: (message from Steven Johnson - Hukd on Fonix on Sat, 15 Jul 1995 22:42:52 -0400 (EDT))
Subject: Re: Internet security -organ
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>I fail to see how such an organization could make a profit (provided that
>it is a for-profit organization). Couldn't I, after receiving a list I
>paid for, post it on the net at an ftp site, thus crippling their
>business? Is the list the only service they provide?

You have to assume they assert a copyright over the information. You could post the list, but you'd be violating their copyright.

--
Howard Owen, Internet Guy/Webmaster     Octel Communications Corporation
http://www.egbok.com/hbo.html           1001 Murphy Ranch Rd. Mail Stop C2-1N
"I am not a pay TV service!"
                                        Milpitas CA 95035-7912  408-324-6576
768/EEA7CD8D  = 72 64 8B 46 FC C1 19 E3  9E DE 04 92 F4 23 52 CF
1024/DC671C31 = 37 A0 46 EE BE 95 DB 92  E8 39 80 89 A9 F9 3D FB

From firewalls-owner Sun Jul 16 00:29:25 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA09454 for firewalls-outgoing; Sun, 16 Jul 1995 00:07:09 -0700
Received: from hermes.intel.com (hermes.intel.com [143.183.152.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id AAA09449 for ; Sun, 16 Jul 1995 00:07:06 -0700
Received: from argus.intel.com by hermes.intel.com (5.65/10.0i); Sun, 16 Jul 95 00:06:03 -0700
Received: by argus.intel.com (5.65/10.0i); Sun, 16 Jul 95 00:06:01 -0700
From: sedayao@argus.intel.com (Jeffrey C. Sedayao)
Message-Id: <9507160706.AA01206@argus.intel.com>
Subject: Re: denial of services vs. denial of services
To: mjr@iwi.com
Date: Sun, 16 Jul 95 0:06:00 PDT
Cc: fc@all.net, firewalls@greatcircle.com
In-Reply-To: <9507100108.AA23057@tis.com> from "Marcus J Ranum" at Jul 9, 95 09:08:02 pm
X-Mailer: ELM [version 2.4dev PL66]
Mime-Version: 1.0
Content-Type: text
Content-Length: 2794
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[denial of service attacks description deleted]

> Meta-level attacks based on misinformation are unbeatable
> and you cannot protect against them short of unplugging. I suspect
> that most systems on the 'net would be severely degraded if an
> attacker posted that there were a large number of cool gifs and
> warez in its FTP area. Lastly, there are meta-level attacks that
> can be directed against service pathways: it is still the case that
> you can telephone the phone company, impersonate a user, and
> cancel service with no authentication required. A deadly effective
> attack would be to simply schedule removal of the victim's T1
> service at 3:00PM on a friday, before a long weekend or the Christmas
> holiday.
> Heck, cancel their electricity and gas while you're at it,
> and make sure their postal service is forwarded to the lost luggage
> department at Denver airport.

Similar meta-level attacks are possible on the Internet. It is extremely worrisome to me that someone could forge mail and change policy routing in certain Internet providers. The authentication for routing changes is done by the from: address in a mail message! You'd think that they would use PGP! One faked mail could cut off a network or autonomous system from big parts of the Internet.

The T1 attack seems harder, because you probably need the circuit ID to have someone's circuit disconnected. They aren't that easy to guess, although I'll admit that I once had a circuit turned off because someone with a very similar circuit ID requested their circuit turned off and the phone company killed our circuit by mistake.

> The Internet is *NOT* a reliable bet-your-business type
> of network. It's great for what it's mostly used for, but it's
> designed to cope and adapt to change; which leaves it all too
> open to introducing false changes into it.

That may be true, but the Internet can have a major impact on business to the point where it becomes mission critical. For example, inattention to a few newsgroups could cost a corporation money and/or create a public relations problem. Loss of USENET news service over the Internet or delays in getting news could prove disastrous, especially given the way that mainstream media now surfs the Web and newsgroups for stories.

> Denial of service is definitely a problem, but I'd
> recommend that people worry about it to the extent of factoring
> in the fact that it CAN happen NO MATTER WHAT and the design
> their systems to take that into account. That means that large
> scale systems built over the Internet should not be mission
> or national defense critical, unless there are redundant,
> protected channels that can be brought into play.

Well said.

> mjr.
--
Jeff Sedayao
Intel Corporation
sedayao@argus.intel.com

From firewalls-owner Sun Jul 16 03:54:46 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA12206 for firewalls-outgoing; Sun, 16 Jul 1995 03:38:41 -0700
Received: from suburbia.net (suburbia.apana.org.au [192.188.107.90]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id DAA12195 for ; Sun, 16 Jul 1995 03:38:34 -0700
Received: (proff@localhost) by suburbia.net (8.6.10/8.6.8++) id UAA26857; Sun, 16 Jul 1995 20:37:01 +1000
From: Julian Assange
Message-Id: <199507161037.UAA26857@suburbia.net>
Subject: Re: Internet security -organ
To: johnson@bayflash.stpt.usf.edu (Steven Johnson - Hukd on Fonix)
Date: Sun, 16 Jul 1995 20:37:00 +1000 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Steven Johnson - Hukd on Fonix" at Jul 15, 95 10:42:52 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 363
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I fail to see how such an organization could make a profit (provided that
> it is a for-profit organization). Couldn't I, after receiving a list I
> paid for, post it on the net at an ftp site, thus crippling their
> business? Is the list the only service they provide?
>

I suppose you also fail to see how every software company makes a profit.

-Proff

From firewalls-owner Sun Jul 16 08:54:46 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA17287 for firewalls-outgoing; Sun, 16 Jul 1995 08:41:45 -0700
Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA17282; Sun, 16 Jul 1995 08:41:40 -0700
From: fc@all.net (Dr. Frederick B. Cohen)
Received: by all.net (4.1/3.2.012693-Management Analytics); id AA12118 for firewalls@greatcircle.com; Sun, 16 Jul 95 11:35:02 EDT
Message-Id: <9507161535.AA12118@all.net>
Subject: Your comments
To: Brent@GreatCircle.COM
Date: Sun, 16 Jul 1995 11:35:02 -0400 (EDT)
Cc: firewalls@greatcircle.com
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 1275
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Your comments on my posting are typical of the inappropriate manner in which you treat my postings. In response to a person asking a question on firewalls, I posted a response notifying the list of where to find information related to the answer. A free service. A short and to-the-point posting. A response to another user's question.

Your response to my posting is that it is blatant commercialism, but it is a free service. You call it commercialism when I post an answer, but you don't call it commercialism when others post similar answers. My posting told people where to find (and search) the information of interest. I don't charge for the service, and I offer a better way to find the desired information.

Perhaps you should reexamine your thinking.

--
-> See: Info-Sec Heaven using our New Super Secure World-Wide-Web Server
-> Free: Test your system's security (scans deeper than SATAN or ISS!)
---------------------- both at URL: http://all.net ----------------------
-> Read: "Protection and Security on the Information Superhighway"
   John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95
-------------------------------------------------------------------------
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236

From firewalls-owner Sun Jul 16 09:21:56 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA17322 for firewalls-outgoing; Sun, 16 Jul 1995 08:46:35 -0700
Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA17317 for ; Sun, 16 Jul 1995 08:46:29 -0700
From: fc@all.net (Dr. Frederick B. Cohen)
Received: by all.net (4.1/3.2.012693-Management Analytics); id AA12208 for firewalls@greatcircle.com; Sun, 16 Jul 95 11:39:52 EDT
Message-Id: <9507161539.AA12208@all.net>
Subject: Talk about blatant commercialism
To: firewalls@greatcircle.com
Date: Sun, 16 Jul 1995 11:39:52 -0400 (EDT)
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 9218
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In response to my response (posted to firewalls) to Brent's unwarranted comments (posted to firewalls) about my reply to a question on firewalls, I got the following mail from Brent's automatic mail responder. Talk about blatant commercialism!!!

Forwarded message:
> From brent@GreatCircle.COM Sun Jul 16 11:36:26 1995
> Date: Sun, 16 Jul 1995 08:42:45 -0700
> From: Brent Chapman
> Message-Id: <199507161542.IAA17291@miles.greatcircle.com>
> To: fc@all.net
> Subject: This is a recording... [Re: Your comments]
> Precedence: junk
>
> [ This is a recording, last updated 28 Jun 95. ]
>
> I've received your mail regarding:
> Your comments
>
> If you're writing in response to something I sent to _you_, then I
> _really_ appreciate your response and apologize for sending you this
> form letter.
>
> I appreciate you taking the time to send me a message, but unfortunately,
> I'm totally swamped with work right now. I am reading my email
> regularly, but it may be days or even weeks before I have time to respond
> to your message, depending on its nature and urgency.
>
> This automated response answers many of the most common questions I get,
> and tells you how to get my attention if you still feel you really need
> it. Consider this Brent's personal FAQ... :-) You shouldn't receive
> more than one of these automated responses each week, no matter how much
> email you send me. If you send me email regularly and are tired of getting
> this message every week, let me know, and I'll add you to the magic list
> that will keep you from ever getting another copy.
>
> Current Great Circle Associates customers
>
> Please rest assured that your email _will_ be read and dealt
> with promptly. If you need to reach me immediately, please
> call my pager number, which I'll be glad to supply you with
> if you don't already have it handy (it's on my business cards).
>
> Internet Security Firewalls tutorial
>
> If you would like to receive a description of the Internet
> Security Firewalls tutorial, along with a schedule of upcoming
> presentations and a registration form, please send an email
> message to "Tutorial-Info@GreatCircle.COM".
>
> If you've already done that and you have more questions, or
> would like to arrange a private presentation of the tutorial,
> please send email to "Info@GreatCircle.COM", and someone will
> get back to you as soon as possible.
>
> Consulting services
>
> We appreciate your interest, but Great Circle Associates is not
> currently accepting any new consulting clients, except in conjunction
> with private presentations of the Internet Security Firewalls Tutorial.
>
> Firewalls, Firewalls-Digest, and Firewalls-Standards mailing lists
> Majordomo-Users, Majordomo-Workers, and Majordomo-Announce mailing lists
> List-Managers and List-Managers-Digest mailing lists
>
> Michael C. Berch now handles the day-to-day
> administration of all of these lists.
>
> For information about them, including how to subscribe or unsubscribe,
> send email to the "-Request@GreatCircle.COM" (for instance,
> for Firewalls, that would be "Firewalls-Request@GreatCircle.COM").
> You'll get back instructions on how to use Majordomo to handle your
> request.
>
> If you're awaiting approval for a request you submitted to Majordomo
> (for instance, to subscribe or unsubscribe an address other than the
> one you sent the message from), please be patient; we try to get to
> these within a week or so.
>
> To change from one list to another, or to change your email
> address, you have to issue a "subscribe" command for the new list
> or new address, and then an "unsubscribe" command for the old one.
>
> The archives for all of the lists based at GreatCircle.COM are
> available for anonymous FTP from FTP.GreatCircle.COM, in the "pub"
> directory, in subdirectories named for each list.
>
> Majordomo software
>
> The Majordomo mailing list management package is available for
> anonymous FTP from FTP.GreatCircle.COM, directory pub/majordomo.
>
> The Majordomo Frequently Asked Questions (FAQ) file is also available
> there.
>
> If you have further questions about how to install or use Majordomo,
> there are a couple of good references written by Jerry Peek.
> Which one you need depends on what version of Majordomo you're
> using. To find out what version it is, email a "help" command
> to "majordomo" at your site; the version number should be in
> the first few lines of the response.
>
> If you're using versions through 1.6x, then you want the file
> "majordomo.manual.Z" from the pub/majordomo directory on
> ftp.greatcircle.com; the URL is:
> ftp://ftp.greatcircle.com/pub/majordomo/majordomo.manual.Z
>
> If you're using version 1.9x or later, then you want to go out
> and buy the book "Managing Internet Information Services",
> written by Cricket Liu, Jerry Peek, et al, published by O'Reilly
> & Associates, 1994. The book has a couple of good chapters on
> setting up and managing Majordomo lists.
>
> If you have still more questions about how to install or use Majordomo,
> you should send them to the Majordomo-Users@GreatCircle.COM mailing
> list.
>
> If you have suggestions or requests for new features for Majordomo,
> you should send them to the Majordomo-Workers@GreatCircle.COM mailing
> list.
>
> I no longer play an active role in the development and support of
> Majordomo, though GreatCircle.COM is still the official "home" of
> Majordomo, and thus plays host to the Majordomo-related mailing
> lists and master anonymous FTP archive. The lead developer of
> Majordomo these days is John Rouillard.
>
> There was a significant security hole discovered in Majordomo in
> early June '94 which affected all versions up to and including
> 1.91. For information and fixes, see CERT Advisory 94:11, which is
> available for anonymous FTP from info.cert.org, or from
> FTP.GreatCircle.COM as file pub/majordomo/majordomo.CERT-Advisory.
>
> Civil Air Patrol mailing lists
>
> You can subscribe to the various Civil Air Patrol mailing lists
> through the "Majordomo@ca0408.cap.gov" mailing list manager. For
> more information, send "help" in the body of a message (not on the
> "Subject:" line) to "Majordomo@ca0408.cap.gov".
>
> I try to process outstanding requests for access to the CAP mailing
> lists (including the various packet traffic redistribution lists)
> every couple of weeks. Please be patient.
>
> There are now official Civil Air Patrol FTP and WWW servers at
> National Headquarters:
> ftp://ftp.cap.gov/
> http://www.cap.gov/
>
> SAGE-Announce, SAGE-Members, and other SAGE mailing lists
>
> I no longer handle the management of these lists; you should contact
> SAGE-Postmaster@USENIX.ORG.
>
> For information about them, including how to subscribe or unsubscribe,
> send email to the "-Request@USENIX.ORG" (for instance,
> for SAGE-Announce, that would be "SAGE-Announce-Request@USENIX.ORG").
> You'll get back instructions on how to use Majordomo to handle your
> request.
>
> To change from one list to another, or to change your email
> address, you have to issue a "subscribe" command for the new list
> or new address, and then an "unsubscribe" command for the old one.
>
> SAGE is the System Administrators Guild, a USENIX special technical
> group. For information about SAGE, including how to join, send a
> query to SAGE@USENIX.ORG.
>
> If you still feel you need my personal attention...
>
> Like I said, I _am_ reading my email; I'm just not responding to
> much of it. If you want to really get my attention, try resending
> your message with "URGENT" at the beginning of the "Subject:" line.
> Or, call the Great Circle Associates office at +1 415 962 0841.
>
> Once again, I appreciate you taking the time to contact me, and I
> apologize for having to resort to this automated response, but like
> I said, I'm _really_ busy right now and the alternative would likely
> be no response at all.
>
>
> Thanks!
>
> -Brent
> --
> Brent Chapman          | Great Circle Associates | Call or email for info about
> Brent@GreatCircle.COM  | 1057 West Dana Street   | upcoming Internet Security
> +1 415 962 0841        | Mountain View, CA 94041 | Firewalls Tutorial dates
> --

-> See: Info-Sec Heaven using our New Super Secure World-Wide-Web Server
-> Free: Test your system's security (scans deeper than SATAN or ISS!)
---------------------- both at URL: http://all.net ----------------------
-> Read: "Protection and Security on the Information Superhighway"
   John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95
-------------------------------------------------------------------------
 Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236

From firewalls-owner Sun Jul 16 10:55:06 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA19231 for firewalls-outgoing; Sun, 16 Jul 1995 10:36:37 -0700
Received: from dbc.mtview.ca.us (ppp.dbc.mtview.ca.us [192.103.140.254]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA19226 for ; Sun, 16 Jul 1995 10:36:33 -0700
Received: from localhost by dbc.mtview.ca.us (5.65/3.1.090690) id AA22469; Sun, 16 Jul 95 10:29:30 -0700
To: fc@all.net (Dr. Frederick B. Cohen)
From: Marshall Rose
Cc: firewalls@greatcircle.com
Subject: Re: Talk about blatant commercialism
In-Reply-To: Your message of "Sun, 16 Jul 1995 11:39:52 EDT." <9507161539.AA12208@all.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Id: <22453.805915764.1@dbc.mtview.ca.us>
Date: Sun, 16 Jul 1995 10:29:26 -0700
Message-Id: <22456.805915766@dbc.mtview.ca.us>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

the use of mail-bots is becoming increasingly common these days, as is the use of personal homepages and FAQs. brent's mail-bot is considerably more friendly than mine, and about on par with nathaniel borenstein's mail-bot.

if you send something to brent's mailbox, it should not be unexpected that his mail-bot replies with information about his interests and activities -- personal, professional, and commercial (keep up the good work, brent!)

however, this topic isn't germane to the mailing list (unless, of course, one considers a mail-bot to be the ultimate in personal firewalls), so i ask that further discussion be continued elsewhere.
/mtr

ps: if you reply to From: of this message, it goes to a special holding area that bypasses the mail-bot, but doesn't get read too frequently by me. if you s/.dbc@/@/ then the mail-bot will intercept the message.

From firewalls-owner Sun Jul 16 11:54:57 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA20433 for firewalls-outgoing; Sun, 16 Jul 1995 11:35:34 -0700
Received: from bbnplanet.com (poblano.near.net [198.114.157.116]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA20428 for ; Sun, 16 Jul 1995 11:35:32 -0700
Received: from jcurran-ppp.near.net by poblano.bbnplanet.com id aa06157; 16 Jul 95 14:33 EDT
X-Sender: jcurran@192.52.71.4
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 16 Jul 1995 14:34:25 -0400
To: "Dr. Frederick B. Cohen"
From: John Curran
Subject: Re: Talk about blatant commercialism
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:39 AM 7/16/95, Dr. Frederick B. Cohen wrote:
>In response to my response (posted to firewalls) to Brent's unwarranted
>comments (posted to firewalls) about my reply to a question on firewalls,
>I got the following mail from Brent's automatic mail responder.
>
>Talk about blatant commercialism!!!

If you send email to a private email address, be prepared for nearly any response (including messages from email robots describing how to really reach the intended recipient). As long as the email responder doesn't take aim at mailing lists, it's not an issue.

Similarly, email signatures with commercial pointers generally don't create a problem until the content to advertising ratio gets out-of-line.

Such is the nature of the Internet, and we all have to cope with things that only others consider reasonable.

Divert this thread to inet-marketing, com-priv, or any usenet newsgroup.
/John

From firewalls-owner Sun Jul 16 12:25:00 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA20757 for firewalls-outgoing; Sun, 16 Jul 1995 12:01:29 -0700
Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA20752 for ; Sun, 16 Jul 1995 12:01:25 -0700
Received: from ds9.lis.cch.com by relay4.UU.NET with SMTP id QQyyrc27791; Sun, 16 Jul 1995 15:00:03 -0400
Received: by ds9.lis.cch.com id AA00247; Sun, 16 Jul 95 14:59:59 EDT
Received: from mailhub.lis.cch.com(165.181.149.10) by ds9.lis.cch.com via smap (V1.3) id sma000244; Sun Jul 16 14:59:36 1995
Received: by deathstar.lis.cch.com (AIX 3.2/UCB 5.64/4.03) id AA79350; Sun, 16 Jul 1995 14:59:38 -0400
From: doc@deathstar.lis.cch.com (Matthew J. D'Errico)
Message-Id: <9507161859.AA79350@deathstar.lis.cch.com>
Subject: Commercial announcements on Firewalls List
To: mrose.dbc@dbc.mtview.ca.us (Marshall Rose)
Date: Sun, 16 Jul 1995 14:59:38 -0400 (EDT)
Cc: fc@all.net, firewalls@greatcircle.com
In-Reply-To: <22456.805915766@dbc.mtview.ca.us> from "Marshall Rose" at Jul 16, 95 10:29:26 am
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2076
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

All things considered, it's a shame that this list is degenerating to the level it is... Let me cast an objective opinion from a non-Firewall Provider, a non-consultant, a consumer, and a systems professional perspective.

For Brent's "blatant commercialism", I have difficulty accepting the argument that an automated reply to Brent's *personal* address returning information about himself and his company is "blatant commercialism"... If that were the case when sending email to this list and its recipients, then, yes, that would be, but to his personal address? Dr. Cohen, if I sent email to you and received the same, then I'd expect little less...

As for the uses of this list, I appreciate seeing announcements here. I wish the other vendors would do the same -- I'd prefer it, in fact, to the nebulous (and questionably surreptitious) announcements posted by others regarding products. It's in all our best interests to see what features, etc., are available when and from where... How about it for TIS, Raptor, DEC, ANS, etc... ?

But I do completely concur with some of the traffic, I think by Brent and/or Marcus, that this should be within reason... While I do want to see these announcements, I don't want to be flooded with them, either. Once per month from each of the vendors, I don't think is unreasonable. Dr. Cohen, I respect your efforts, I respect that much of them are "free", but you *do* tend to send out a few too many "announcements"... Perhaps if you cut back a *little*, you'd get fewer complaints...

Optionally, how about someone hosting a "firewalls-announce" list and leave the frequency wide-open ? I'd have no objection to subscribing to a list of that nature... And, yes, if Dr. Cohen would provide a list of only his announcements, I'd probably subscribe to that too, provided it also didn't become a childish, petty flame, list. I think it only responsible to be aware and up-to-date on all activities in this venue.

But, again, can't we all moderate our announcements as well as our petty pride ? A little ?
Regards --

-- Doc

From firewalls-owner Sun Jul 16 12:55:03 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA21843 for firewalls-outgoing; Sun, 16 Jul 1995 12:48:12 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA21831 for ; Sun, 16 Jul 1995 12:48:07 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA06662; Sun, 16 Jul 95 15:31:21 -0400
Date: Sun, 16 Jul 95 15:31:20 -0400
Message-Id: <9507161931.AA06662@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: re: Internet security - organ
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>I fail to see how such an organization could make a profit (provided that
>it is a for-profit organization). Couldn't I, after receiving a list I
>paid for, post it on the net at an ftp site, thus crippling their
>business? Is the list the only service they provide?

Sure you could (after editing it yourself to resolve the copyright issue). The customers they are after are those too busy to find yours. There is a great and growing market for such "digests" - think it started in the financial world with Kiplingers and the Wall Street Journal. Neither has anything you cannot find elsewhere but both give you the essence of what is happening in an easy to read format.

If you post it, then those who need the info must connect to you, find the list, and download it. There are those who would rather receive it as a weekly/monthly digest.

Understand that there are two kinds of people who are responsible for security:

1) Those who are genuinely interested
2) Those for whom it is a box to be checked off

Right now we have a lot of people in category #1 for whom it is a dynamic and challenging discipline.
However as it matures and "due care" & "culpable negligence" begin to be more than just words, there will be an ever-growing population in category #2. The "Negligence" issue is an article in Open Computing this month (I got misquoted a bit but the concept is good).

However, the point is that there is a large and ever-growing population of people who already had full time jobs before they were handed the security hat. For these $15k-$50k for a turn-key system is well worth it.

Today, most people scoff at outsourcing Internet security. In the future I see it as a valuable service from the ISPs (read RFC 1281 again). This is just the start.

Warmly,
Padgett

ps still looking for military Zenith TransOceanics: R-520 & R-520A

From firewalls-owner Sun Jul 16 13:54:50 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA22742 for firewalls-outgoing; Sun, 16 Jul 1995 13:29:43 -0700
Received: from disperse.demon.co.uk (disperse.demon.co.uk [158.152.1.77]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA22737 for ; Sun, 16 Jul 1995 13:29:38 -0700
Received: from post.demon.co.uk by disperse.demon.co.uk id aa11052; 16 Jul 95 21:28 +0100
Received: from dallas.demon.co.uk by post.demon.co.uk id aa06544; 16 Jul 95 21:28 +0100
Received: (from vince@localhost) by dallas.demon.co.uk (8.6.12/8.6.9) id SAA01945; Sun, 16 Jul 1995 18:34:37 GMT
Date: Sun, 16 Jul 1995 18:34:35 +0000 ( )
From: Mr Pink
To: firewalls@greatcircle.com
Subject: Freestone SOS && Linux
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

To anyone interested, I have compiled the freestone firewall for linux. But could anyone give me some pointers on how to use it? The documentation that comes with it is a little lacking / non-existent.
cheers,
vince

"I never said i was frightened of dying"

From firewalls-owner Sun Jul 16 14:24:56 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA23469 for firewalls-outgoing; Sun, 16 Jul 1995 13:57:41 -0700
Received: from dcc.com (ns.dcc.com [204.147.93.33]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA23464 for ; Sun, 16 Jul 1995 13:57:38 -0700
Received: by firewall.dcc.com id <58881>; Sun, 16 Jul 1995 15:57:17 -0500
From: "Moubray, Steve"
To: "'smtp:firewalls@greatcircle.com'"
Subject: Re: RFCs-Now-Searchable-in-Info-Sec-Heaven
Date: Sun, 16 Jul 1995 17:52:00 -0500
Encoding: 28 TEXT
X-Mailer: Microsoft Mail V3.0
Message-Id: <95Jul16.155717cdt.58881@firewall.dcc.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>At 3:51 PM 7/13/95, Dr. Frederick B. Cohen wrote:
>All.Net now has copies of all current RFCs on-line and searchable from InfoSec
>heaven. They can also be accessed via our Gopher server.
>
>-> See: Info-Sec Heaven using our New Super Secure World-Wide-Web Server
>-> Free: Test your system's security (scans deeper than SATAN or ISS!)
>---------------------- both at URL: http://all.net ----------------------
>-> Read: "Protection and Security on the Information Superhighway"
>   John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95
>-------------------------------------------------------------------------
> Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
>
>I think it's time for you to set up your own "info-sec-heaven-announce" (or
>something like that) list, which interested people can subscribe to, rather
>than continuing to fill Firewalls with these content-free thinly-veiled
>ads.
>
>
>- -Brent

Thanks Brent. Don't get me wrong, I am a fan of many talents and Info-Sec Heaven's ability for self promotion has impressed me greatly, but I like the idea of stopping it on the list.
Do you think that you can get him to change his signature so that when he sends messages they aren't advertisements? He may have something good to say in 1 out of every 30 or so ads (I mean e-mails).

From firewalls-owner Sun Jul 16 15:24:31 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA25276 for firewalls-outgoing; Sun, 16 Jul 1995 15:12:25 -0700
Received: from suburbia.net (suburbia.apana.org.au [192.188.107.90]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA25271 for ; Sun, 16 Jul 1995 15:12:15 -0700
Received: (proff@localhost) by suburbia.net (8.6.10/Proffs_own_mailer) id IAA02147; Mon, 17 Jul 1995 08:11:13 +1000
From: Julian Assange
Message-Id: <199507162211.IAA02147@suburbia.net>
Subject: best-of-security@suburbia.net
To: firewalls@greatcircle.com
Date: Mon, 17 Jul 1995 08:11:13 +1000 (EST)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 3488
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Best of all available security resources.

[ASCII-art "Best Of Security" logo; not recoverable from the archive]

Best Of Security

"echo subscribe best-of-security|mail majordomo@suburbia.net"

REASONS FOR INCEPTION
---------------------

In order to compile the average security administrator it was found that the compiler had to parse a foreboding number of exceptionally noisy and semantically-content-free data sets. This led to exceptionally high load averages and a dramatic increase in core entropy. Further, the number, names and locations of this data would change on an almost daily basis, requiring tedious version control on the part of the maintainer.

OVERVIEW
--------

Best-of-Security is at present an un-moderated list.
That may sound strange given our stated purpose of massive entropy reduction; but because best often equates with "vital" and the moderator doesn't have a speed habit, it is important that material sent to the list arrive at the subscribers' doorsteps in as minimal a period of time as is possible.

If you find *any* information from *any* source (including other mailinglists, newsgroups, conference notes, papers, etc) that fits into one of the acceptable categories below then you should *immediately* send it to "best-of-security@suburbia.net" (or "bos@suburbia.net"). Do not try and predict whether or not someone else will send the item in question to the list in the immediate future. Unless you're on a time-delayed mail vector such as polled uucp or the item has already appeared on best-of-security, SEND AWAY. It does not matter even if it is something like a CERT advisory. If it hasn't appeared on the list yet, then send it off. It is far better to run the risk of minor duplication and have the information out where it is desired than act conservatively about possible posting duplicates.

Consult the below lists for what we will and will not accept.

WILL WILL WILL WILL

  8lgm, cert, ciac, dod and other non-vendor advisories.
  Vendor advisories of security weaknesses in own or other products.
  Producer advisories of security product release or MAJOR upgrade.
  Fully disclosed security weaknesses.
  Exploitation details.
  Exploitation code.
  Patch code.
  Patch announcements.
  Hard to obtain or otherwise occulted source code or uuencoded executables.
  Conference announcements.
  Security tools.
  NEW or hard to obtain security documents (ascii), or pointers to the location of such documents/papers.
  Announcements of new security archives or mailinglists.
  Human language translations of the above.

WONT WONT WONT WONT

  Any flames.
  Any questions.
  Any rumors.
  Vendor new security-product line information.
  Vendor minor upgrade.
  "there is a hole in X"
  Any advertising.
  Subscription, unsubscription or mailing list queries.
  Any requests.
  Vague or incomprehensible statements of dysfunctional persons.
  Blond jokes.
  Any discussions; including those on the ethics of full disclosure or the moral (in)compatibility of any action.
  Old or otherwise well known information or pointers to that information.
  Nonsense.

From firewalls-owner Sun Jul 16 16:24:33 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA26530 for firewalls-outgoing; Sun, 16 Jul 1995 16:21:04 -0700
Received: from uu.psi.com (uu.psi.com [136.161.128.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA26525 for ; Sun, 16 Jul 1995 16:21:01 -0700
Received: by uu.psi.com (5.65b/4.0.061193-PSI/PSINet) via UUCP; id AA22964 for ; Sun, 16 Jul 95 19:13:03 -0400
Received: from asgaard.rocket.com (asgaard.ARPA) by earth.rocket.com (4.1/3.2.083191-Olin Aerospace Company - Redmond Wa) id AA10858; Sun, 16 Jul 95 16:06:55 PDT
Organization: Olin Aerospace Company
Telephone: (206)885-5000
Fax: (206)882-5804
Received: by asgaard.rocket.com (4.1/SMI-4.1) id AA27625; Sun, 16 Jul 95 16:06:02 PDT
Date: Sun, 16 Jul 95 16:06:02 PDT
Message-Id: <9507162306.AA27625@asgaard.rocket.com>
To: Firewalls@greatcircle.com
Subject: X11
From: "Philip J. Nesser"
Us-Snail: 16015 84th Avenue NE, Bothell WA 98011-4451
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Quick question. If I am filtering out all TCP connections which originate outside the firewall via the ack bit, is there any reason to explicitly block the 2000/6000 range for openwindows and X11, ie xclients trying to connect through the router should be blocked anyway, correct?

Thanks.
---> Phil

From firewalls-owner Sun Jul 16 16:54:47 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA26895 for firewalls-outgoing; Sun, 16 Jul 1995 16:36:41 -0700
Received: from eeserv.ee.gatech.edu (eeserv.ee.gatech.edu [130.207.224.30]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA26890 for ; Sun, 16 Jul 1995 16:36:38 -0700
Received: from duchess.ee.gatech.edu (duchess.ee.gatech.edu [130.207.230.13]) by eeserv.ee.gatech.edu (8.6.10/8.6.11) with ESMTP id TAA20415 for ; Sun, 16 Jul 1995 19:35:38 -0400
Received: (didier@localhost) by duchess.ee.gatech.edu (8.6.9/8.6.9) id TAA15557; Sun, 16 Jul 1995 19:35:37 -0400
Date: Sun, 16 Jul 1995 19:35:37 -0400 (EDT)
From: Didier Contis
To: firewalls@GreatCircle.COM
Subject: Informations about attacks on Internet
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am a student writing a report about firewalls. I am looking for figures, documents, summary reports about attacks on the Internet; evaluations in terms of cost and time of these attacks. My purpose is not to demonstrate that the Internet is a dangerous jungle but, as for every society, because of some minor groups of crackers, vandals, security policy and security means are needed.
Thanks in advance for any answers,

Didier CONTIS
-----------------------------------------------------------------------
Georgia Institute of Technology
School of Electrical Engineering, Atlanta, GA 30332-0250
E-MAIL: didier@ee.gatech.edu
PHONE: (404) 894-2679

From firewalls-owner Sun Jul 16 21:57:41 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA02284 for firewalls-outgoing; Sun, 16 Jul 1995 21:40:34 -0700
Received: from noc1.mid.net (noc1.mid.net [198.247.250.15]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id VAA02274 for ; Sun, 16 Jul 1995 21:40:31 -0700
Received: (from alan@localhost) by noc1.mid.net (8.6.10/8.6.9) id XAA29808; Sun, 16 Jul 1995 23:39:24 -0500
From: Alan Hannan
Message-Id: <199507170439.XAA29808@noc1.mid.net>
Subject: Re: Talk about blatant commercialism
To: fc@all.net (Dr. Frederick B. Cohen)
Date: Sun, 16 Jul 1995 23:39:23 -0500 (CDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9507161539.AA12208@all.net> from "Dr. Frederick B. Cohen" at Jul 16, 95 11:39:52 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1045
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

......... Dr. Frederick B. Cohen is rumored to have said:
-->
--> In response to my response (posted to firewalls) to Brent's unwarranted
--> comments (posted to firewalls) about my reply to a question on firewalls,
--> I got the following mail from Brent's automatic mail responder.
-->
--> Talk about blatant commercialism!!!

Lay off Frederick, more people agree with Brent than care who wrote their doctoral thesis on computer viruses. Your silly retort to his moderator comment makes me believe that you feel your "stature" must be defended. We care not for your credentials, nor for your common sense observations.
Please join us in debate and discussion about firewalls and network security, but lay off the personal attacks, and heed the words of thy moderator.

--
Alan Hannan                       Email: alan@mid.net
Network Systems Administrator     Voice: (402) 472-0239
MIDnet, Lincoln NOC               Office Fax: (402) 472-0240

While most peoples' opinions change, the conviction of their correctness never does.

From firewalls-owner Mon Jul 17 00:01:18 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA03809 for firewalls-outgoing; Sun, 16 Jul 1995 23:24:34 -0700
Received: from seanet.com (kesha.seanet.com [199.181.164.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id XAA03804 for ; Sun, 16 Jul 1995 23:24:31 -0700
Received: from zeos by seanet.com with SMTP (8.6.9/25-eef) id XAA08412; Sun, 16 Jul 1995 23:23:30 -0700
Message-Id: <199507170623.XAA08412@seanet.com>
X-Mailer: InternetWorks Mail and News 1.1
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 16 Jul 1995 23:15:06
From: jgilbert@jgilbert.seanet.com (Jeffrey Gilbert)
To: firewalls@GreatCircle.com
Subject: Need input on products: Firewall1 and Radius
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Anyone had any experiences with these products? Good or bad, I'd like to hear about it...
-Firewall 1 on the new Sun Netra's and Radius firewall protection for Sun boxes

TIA,
Jeff

at work: gilbjx1@dsf.ghc.org
at home: jgilbert@jgilbert.seanet.com

From firewalls-owner Mon Jul 17 01:57:25 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA07241 for firewalls-outgoing; Mon, 17 Jul 1995 01:28:18 -0700
Received: from yarrina.connect.com.au (yarrina.connect.com.au [192.189.54.17]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id BAA07227 for ; Mon, 17 Jul 1995 01:28:04 -0700
Received: (from root@localhost) by yarrina.connect.com.au with UUCP id SAA08119 (8.6.12/IDA-1.6); Mon, 17 Jul 1995 18:26:35 +1000
Received: by junkers.lochard.com.au id AA11489 (5.65c/IDA-1.5); Mon, 17 Jul 1995 18:01:12 +1100
From: Mark
Message-Id: <199507170701.AA11489@junkers.lochard.com.au>
Subject: Re: Talk about blatant commercialism
To: alan@mid.net (Alan Hannan)
Date: Mon, 17 Jul 1995 18:01:11 +1000 (E )
Cc: fc@all.net, firewalls@GreatCircle.COM
In-Reply-To: <199507170439.XAA29808@noc1.mid.net> from "Alan Hannan" at Jul 16, 95 11:39:23 pm
Content-Type: text
Content-Length: 324
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>--> Talk about blatant commercialism!!!
>
> Lay off Frederick, more people agree with Brent than care who wrote
>their doctoral thesis on computer viruses.

I wouldn't be surprised if someone was silly enough to fakemail unsubscribe messages from fc@all.net to majordomo@greatcircle.com. I've seen weirder things.
:)

Mark

From firewalls-owner Mon Jul 17 03:24:46 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA10010 for firewalls-outgoing; Mon, 17 Jul 1995 03:07:14 -0700
Received: from sun2.nsfnet-relay.ac.uk (sun2.nsfnet-relay.ac.uk [128.86.8.45]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id DAA09982 for ; Mon, 17 Jul 1995 03:06:20 -0700
Message-Id: <199507171006.DAA09982@miles.greatcircle.com>
Via: uk.co.salford-software-services.e; Mon, 17 Jul 1995 11:02:49 +0100
Received: from 193.37.229.23.sss.co.uk (actually pc4.sss.co.uk) by e.sss.co.uk with SMTP (PP); Mon, 17 Jul 1995 09:44:34 +0000
From: Dave Wade
To: firewalls@greatcircle.com
Subject: Re: filtering porn
X-Mailer: ProntoIP [version 1.03]
Date: Mon, 17 Jul 1995 09:44:36 +0000
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi folks,
Assuming you have a list of sites containing erotica what do you do if there are other legit things at that site that your users might need ??
Yours
Dave Wade.
dw@sss.co.uk

From firewalls-owner Mon Jul 17 04:25:40 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA11456 for firewalls-outgoing; Mon, 17 Jul 1995 04:21:39 -0700
Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id EAA11451 for ; Mon, 17 Jul 1995 04:21:36 -0700
Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA14834; Mon, 17 Jul 95 07:19:09 -0500
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9507171219.AA14834@hawksbill.sprintmrn.com>
Subject: Re: filtering porn
To: dw@salford-software-services.co.uk (Dave Wade)
Date: Mon, 17 Jul 1995 07:19:09 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <199507171006.DAA09982@miles.greatcircle.com> from "Dave Wade" at Jul 17, 95 09:44:36 am
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 773
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Hi folks,
> Assuming you have a list of sites containing erotica what do you do if
> there are other legit things at that site that your users might need ??
> Yours
> Dave Wade. dw@sss.co.uk
>

Well, you can't allow 50% access. :-)

You'll need to decide whether you disallow access altogether, or allow 100% access. Like I said before, you're not likely to make a lot of friends this way.
- paul
_______________________________________________________________________________
Paul Ferguson, US Sprint, Managed Network Engineering, Reston, Virginia USA
tel: 703.689.6828  internet: paul@hawk.sprintmrn.com  http://www.sprintmrn.com

From firewalls-owner Mon Jul 17 04:55:04 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA11506 for firewalls-outgoing; Mon, 17 Jul 1995 04:27:44 -0700
Received: from maia.cl.au.ac.th (maia.cl.au.ac.th [168.120.2.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id EAA11480 for ; Mon, 17 Jul 1995 04:25:19 -0700
Received: by maia.cl.au.ac.th (1.37.109.4/16.2) id AA01298; Mon, 17 Jul 95 18:22:44 +0700
Date: Mon, 17 Jul 1995 18:22:43 +0700 (TST)
From: Ye Tun
To: Firewalls@GreatCircle.COM
Subject: Want to know how to check!
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

How can I check whether the server is firewall protected or not?

Regards,
*[ Ye ]*
Ye Tun
Computer Laboratory
Assumption University
Bangkok 10240, Thailand
ye@maia.cl.au.ac.th
+66-2-3004543 ext 3672-5
"I am so tired! Can anyone HELP ME!"

From firewalls-owner Mon Jul 17 05:25:00 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA11659 for firewalls-outgoing; Mon, 17 Jul 1995 04:33:10 -0700
Received: from diablo.ppp.de (diablo.ppp.de [193.141.101.34]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id EAA11633 for ; Mon, 17 Jul 1995 04:33:00 -0700
Received: from wmdhh by diablo.ppp.de with uucp (Smail3.1.28.1 #1) id m0sXoOX-0006tlC; Mon, 17 Jul 95 13:31 MET DST
Received: from rs3.wmd.de by wmdhh with smtp (Smail3.1.26.7 #3) id m0sXnbD-0004SrC; Mon, 17 Jul 95 12:40 CDT
Received: by rs3.wmd.de (AIX 3.2/UCB 5.64/4.03.01) id AA44926; Mon, 17 Jul 1995 12:36:25 +0200
From: pauck@rs3.wmd.de (Marco Pauck)
Message-Id: <9507171036.AA44926@rs3.wmd.de>
Subject: Re: Oracle Thru Firewall
To: yhleong@ncb.gov.sg (Leong Yew Hong)
Date: Mon, 17 Jul 1995 12:36:25 +0100 (MESZ)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Leong Yew Hong" at Jul 6, 95 09:39:15 am
X-Mailer: ELM [version 2.4 PL20]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 504
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> My site has this requirement to allow external access to our
> internal Oracle servers. From my knowledge, Oracle does use
> UDP which my firewall disallowed.

As it was already noted, Oracle uses TCP for SQL*Net V1 and V2. We're using the plug-gw of TIS's fwtk for both V1 and V2 without any problems.
Marco
--
Marco Pauck - WMD GmbH Hamburg, Germany
e-mail: pauck@wmd.de, phone: +49-40-58958-120, fax: +49-40-58958-199
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc

From firewalls-owner Mon Jul 17 05:36:12 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA11488 for firewalls-outgoing; Mon, 17 Jul 1995 04:25:33 -0700
Received: from hearnvax.nic.surfnet.nl (hearnvax.nic.surfnet.nl [192.87.5.131]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id EAA11483 for ; Mon, 17 Jul 1995 04:25:29 -0700
Received: from MinOCW.nl (mowmx001.MinOCW.nl) by HEARNVAX.nic.SURFnet.nl (PMDF V4.2-12 #3330) id <01HSZ89GT68G00K8DT@HEARNVAX.nic.SURFnet.nl>; Mon, 17 Jul 1995 13:24:11 +0200 (MET-DST)
Received: from PC006113 ([145.67.148.3]) by MinOCW.nl (4.1/SMI-4.1) id AA09024; Mon, 17 Jul 95 13:32:31 EDT
Date: Mon, 17 Jul 1995 13:23:33 -0100
From: o001hee@MINOCW.NL (Marco Heemskerk)
Subject: Re: filtering porn
To: Dave Wade
Cc: firewalls@GreatCircle.COM
Message-id: <9507171732.AA09024@MinOCW.nl>
X-Envelope-to: firewalls@GreatCircle.COM
MIME-version: 1.0
X-Mailer: Windows Eudora Version 1.4.4
Content-type: text/plain; charset="us-ascii"
Content-transfer-encoding: 7BIT
X-Sender: o001hee@orc.minocw.nl
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Hi folks,
> Assuming you have a list of sites containing erotica what do you do if
>there are other legit things at that site that your users might need ??
> Yours
> Dave Wade. dw@sss.co.uk
>

Nothing, I'm afraid. You can only make the users believe that you monitor all traffic, including pictures/movies.

Cheers!
Marco
_______________________________________________________________________________
M.B.L. Heemskerk
RCC, Zoetermeer, the Netherlands
p.o.
Ministry of Education, Culture and Science
Tel: +31 - 79 534789  Fax: +31 - 79 523189
_______________________________________________________________________________

From firewalls-owner Mon Jul 17 05:55:07 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA13507 for firewalls-outgoing; Mon, 17 Jul 1995 05:31:33 -0700
Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA13502 for ; Mon, 17 Jul 1995 05:31:27 -0700
Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA15046; Mon, 17 Jul 95 08:30:43 -0500
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9507171330.AA15046@hawksbill.sprintmrn.com>
Subject: [Q] Radius specs.
To: firewalls@greatcircle.com (Firewalls List)
Date: Mon, 17 Jul 1995 08:30:42 -0500 (EST)
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 549
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I know I had it at one time but can't seem to find it at the moment; I'm looking for a technical/functional description for the RADIUS protocol used in access-control & authentication.
Thanks,

- paul
_______________________________________________________________________________
Paul Ferguson, US Sprint, Managed Network Engineering, Reston, Virginia USA
tel: 703.689.6828  internet: paul@hawk.sprintmrn.com  http://www.sprintmrn.com

From firewalls-owner Mon Jul 17 06:12:32 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA13514 for firewalls-outgoing; Mon, 17 Jul 1995 05:31:44 -0700
Received: from dcc.com (firewall.dcc.com [204.147.93.33]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA13509 for ; Mon, 17 Jul 1995 05:31:38 -0700
Received: by firewall.dcc.com id <58881>; Mon, 17 Jul 1995 07:31:56 -0500
From: "Moubray, Steve"
To: "'smtp:firewalls@greatcircle.com'"
Subject: Re: RFCs-Now-Searchable-in-Info-Sec-Heaven
Date: Sun, 16 Jul 1995 17:52:00 -0500
Encoding: 28 TEXT
X-Mailer: Microsoft Mail V3.0
Message-Id: <95Jul17.073156cdt.58881@firewall.dcc.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>At 3:51 PM 7/13/95, Dr. Frederick B. Cohen wrote:
>All.Net now has copies of all current RFCs on-line and searchable from InfoSec
>heaven. They can also be accessed via our Gopher server.
>
>-> See: Info-Sec Heaven using our New Super Secure World-Wide-Web Server
>-> Free: Test your system's security (scans deeper than SATAN or ISS!)
>---------------------- both at URL: http://all.net ----------------------
>-> Read: "Protection and Security on the Information Superhighway"
> John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95
>-------------------------------------------------------------------------
> Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
>
>I think it's time for you to set up your own "info-sec-heaven-announce" (or
>something like that) list, which interested people can subscribe to, rather
>than continuing to fill Firewalls with these content-free thinly-veiled
>ads.
>
>
>- -Brent

Thanks Brent.
Don't get me wrong, I am a fan of many talents and Info-Sec Heaven's ability for self promotion has impressed me greatly, but I like the idea of stopping it on the list. Do you think that you can get him to change his signature so when he sends messages they aren't advertisements? He may have something good to say in 1 out of every 30 or so ads (I mean e-mails).

From firewalls-owner Mon Jul 17 06:20:22 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA12239 for firewalls-outgoing; Mon, 17 Jul 1995 04:53:46 -0700
Received: from erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id EAA12234 for ; Mon, 17 Jul 1995 04:53:39 -0700
Posted-Date: Mon, 17 Jul 1995 07:52:26 -0400
From: "Bryan D. Boyle"
Message-Id: <9507170752.ZM8727@maverick.erenj.com>
Date: Mon, 17 Jul 1995 07:52:24 -0400
In-Reply-To: Dave Wade "Re: filtering porn" (Jul 17, 9:44am)
References: <199507171006.DAA09982@miles.greatcircle.com>
X-Phone: (908) 730-3338
X-Saying: Strange problems call for strange solutions.
X-Face: "Pd&4kXWsi"3Hc_Y~I-ts24DN$w~Hh)&L-P9DZvE"~_~m),~Y&N_]TUIM*4.r@z$SxVL]}v=+IP>Fuq{zx%{KKj"Kys1Q5{|m*l}:[T;N:/=@5[xOIpR$%skp$f0#6^j\1+ -?l%Yk/+S8Y!3J@{~!Ao4-COV:Ft}{]oZ&1=!@<>UIh2s
X-Mailer: Z-Mail (3.2.1 10apr95)
To: firewalls@greatcircle.com
Subject: Re: filtering porn
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Jul 17, 9:44am, Dave Wade wrote:
> Subject: Re: filtering porn
> Hi folks,
> Assuming you have a list of sites containing erotica what do you do if
> there are other legit things at that site that your users might need ??
> Yours
> Dave Wade. dw@sss.co.uk
>-- End of excerpt from Dave Wade

Depending on how the firewall passes the http stuff (as in a cern proxy on an inside machine talking socks thru the screen to the application server on the outside...), you may be able to filter on a url-based scheme, and point the offending (without getting into a porno/art discussion here, ok?) page at some other, perhaps warning, page.

For instance, using the CERN http server in proxy mode (admittedly the CERN server is a monolithic, large, complex piece of C code...which is why it runs on an inside machine...:)), in the /etc/httpd.conf file, there is the provision to map any page (and this includes wildcarded pages that are below the one in question...) to some other page. So, you can say something like:

    Map http://www.penthousemag.com/* http://www.blarg.com/no-no.html

(put this before the Pass: list...), and _any_ page at penthousemag.com will be rerouted to your own no-no.html page... Using this same logic, you can say:

    Map http://www.nice.site.com/~luser/smut/* http://www.blarg.com/no-no.html

and mr. luser's smut directory will be remapped; however, his other info, if in other directories, will not be (I would, for sanity's sake, however, move the wildcard up one level...:)).

(btw, you should know that socks is also configured so that sites like penthousemag.com and playboy.com, etc, are, in their entirety, rejected...)

It is not so much a case of that dreaded word, censorship, but, since the owner of the facility and business has decided that access to certain material (and this could be dilbert cartoons at some point...) is not desired, it is enforcing the company standards. Others may argue that letting people know that they shouldn't waste company resources on access to egregiously non-business sites is enough, but, in this case, the company decided, as was their right as the people paying for the connection, to take a more proactive approach. YMMV, obviously.

--
Bryan D. Boyle                | "The real difficulty in changing any enterprise lies
#include                      | not in developing new ideas, but in escaping from
EMAIL: bdboyle@erenj.com      | the old ones." --John Maynard Keynes
--------------------

From firewalls-owner Mon Jul 17 06:28:17 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA14384 for firewalls-outgoing; Mon, 17 Jul 1995 06:03:13 -0700
Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA14378 for ; Mon, 17 Jul 1995 06:03:08 -0700
From: fc@all.net (Dr. Frederick B. Cohen)
Received: by all.net (4.1/3.2.012693-Management Analytics); id AA20268 for firewalls@GreatCircle.COM; Mon, 17 Jul 95 08:56:32 EDT
Message-Id: <9507171256.AA20268@all.net>
Subject: Re: filtering porn
To: firewalls@GreatCircle.COM
Date: Mon, 17 Jul 1995 08:56:32 -0400 (EDT)
In-Reply-To: <9507171732.AA09024@MinOCW.nl> from "Marco Heemskerk" at Jul 17, 95 01:23:33 pm
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 1687
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Hi folks,
> Assuming you have a list of sites containing erotica what do you do if
>there are other legit things at that site that your users might need ??

There are a lot of ways to provide access control beyond a site-by-site basis, but it may take some effort to create the appropriate set of controls. Like most areas of info-sec, the interesting problems do not have trivial solutions. Here are some simple things you can do:

Thing one:
  1) Figure out how to differentiate the desired from the undesired.
  2) Create a filter in your gateway that differentiates them.

Thing two:
  1) Make a policy about what is permitted and help the users identify that which is not allowed.
  2) Enforce the policy administratively by keeping logs of activities, searching for violations, and punishing violators.
Thing three:
  1) Create a training program that points out the bad things that can happen as a result of improper use.
  2) Apply the training program to the people.

Other things:
  Three is enough to get you started. For other ideas, you might want to read the book listed below. It offers a number of ways to affect protection not limited to technical safeguards.

--
-> See: Info-Sec Heaven using our New Super Secure World-Wide-Web Server
-> Free: Test your system's security (scans deeper than SATAN or ISS!)
---------------------- both at URL: http://all.net ----------------------
-> Read: "Protection and Security on the Information Superhighway"
   John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95
-------------------------------------------------------------------------
   Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236

From firewalls-owner Mon Jul 17 06:30:34 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA13880 for firewalls-outgoing; Mon, 17 Jul 1995 05:46:32 -0700
Received: from inetsrv1.biss.co.uk (inetsrv1.biss.co.uk [193.115.8.97]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA13870 for ; Mon, 17 Jul 1995 05:46:26 -0700
Received: from ccmailgw.biss.co.uk by inetsrv1.biss.co.uk with SMTP (15.11/15.6) id AA28159; Mon, 17 Jul 95 13:50:21 gmt
Received: from cc:Mail by ccmailgw.biss.co.uk id AA806013942 Mon, 17 Jul 95 13:45:42 EST
Date: Mon, 17 Jul 95 13:45:42 EST
From: Steve_Betts@ccmailgw.biss.co.uk (Steve Betts)
Encoding: 600 Text
Message-Id: <9506178060.AA806013942@ccmailgw.biss.co.uk>
To: firewalls@GreatCircle.COM, "Wolfgang Hopp"
Subject: Re: Internet security -organization vs. technical solutions
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Wolfgang

Two bits of advice:

1. On viruses: Use virus guard software on each PC that will scan every binary as it is executed. Any other way depends too much on human failings.

2.
On Internet surfing: Keep a log of all internet accesses by source and destination name. Tell everybody you are doing it, and publish it regularly where everyone can see it. There may be a perfectly valid business reason for looking at www.penthousemag.com but it will be up to them to justify it to their peers.

Regards
Steve

From firewalls-owner Mon Jul 17 06:47:58 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA13815 for firewalls-outgoing; Mon, 17 Jul 1995 05:43:41 -0700
Received: from interlock.turner.com (interlock.turner.com [198.81.230.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA13804 for ; Mon, 17 Jul 1995 05:43:37 -0700
From: root@trumpet.turner.com
Received: from tbsnames.turner.com by interlock.turner.com with SMTP id AA13177 (InterLock SMTP Gateway 3.0 for ); Mon, 17 Jul 1995 08:42:36 -0400
Received: from trumpet. (trumpet.turner.com [157.166.51.231]) by tbsnames.turner.com (8.6.9/8.6.9) with SMTP id IAA26029; Mon, 17 Jul 1995 08:42:36 -0400
Received: by trumpet. (5.x/SMI-SVR4) id AA00393; Mon, 17 Jul 1995 08:43:09 -0400
Date: Mon, 17 Jul 1995 08:43:09 -0400
Message-Id: <9507171243.AA00393@trumpet.>
To: Firewalls-Digest@GreatCircle.COM, Kodzo@eworld.com
Subject: Re: Policy Statement on Internet Usage
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In response to your request for university policies you might want to take a look at the following site:

    http://musie.phlab.missouri.edu/Policy/copies/tamu-collection1.html

This site contains links to many different university policies and could either lead you in the right direction as to what other universities consider as "acceptable use" or give you an idea as to what you might want to include/exclude in your policy.

Todd A. Hudspeth
Corporate Systems Security Manager
Worldwide Information Technology Services
Turner Broadcasting System, Inc.
todd.hudspeth@turner.com

From firewalls-owner Mon Jul 17 06:56:10 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA13669 for firewalls-outgoing; Mon, 17 Jul 1995 05:38:51 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA13664 for ; Mon, 17 Jul 1995 05:38:48 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA08549; Mon, 17 Jul 95 08:28:24 -0400
Date: Mon, 17 Jul 95 08:28:23 -0400
Message-Id: <9507171228.AA08549@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Re: filtering
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dave rites:

>Assuming you have a list of sites containing erotica what do you do if
>there are other legit things at that site that your users might need ??

Well the easiest answer is a proxy host with filters for commands containing certain verboten words/syllables/phrases, though you will have to realize that this will be taken as a challenge by some.

Another is to display a message saying "This site is known to contain material that is considered inappropriate to our business, please be careful only to download/access relevant material." This would have the effect of putting people a bit more on guard while still treating them as adults.

Now if you want to show the schtick, you could finish with "All connections made across our gateway are recorded and may be monitored for content".

What precisely you do depends a lot on your culture and the policy you are enforcing, but there are a lot of options that a proxy gives you. One of the biggest advantages is to move the cycles off the router (am a big fan of distributed processing).
Warmly,
Padgett

From firewalls-owner Mon Jul 17 07:09:47 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA13796 for firewalls-outgoing; Mon, 17 Jul 1995 05:43:14 -0700
Received: from all.net (all.net [204.7.229.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA13766 for ; Mon, 17 Jul 1995 05:43:07 -0700
From: fc@all.net (Dr. Frederick B. Cohen)
Received: by all.net (4.1/3.2.012693-Management Analytics); id AA19613 for firewalls@greatcircle.com; Mon, 17 Jul 95 08:35:40 EDT
Message-Id: <9507171235.AA19613@all.net>
Subject: Re: Want to know how to check!
To: ye@maia.cl.au.ac.th (Ye Tun)
Date: Mon, 17 Jul 1995 08:35:39 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Ye Tun" at Jul 17, 95 06:22:43 pm
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 1536
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You might want to try a free test (see below)

>
> How can I check whether the server is firewall protected or not?
>
> Regards,
> *[ Ye ]*
> Ye Tun
> Computer Laboratory
> Assumption University
> Bangkok 10240, Thailand
> ye@maia.cl.au.ac.th
> +66-2-3004543 ext 3672-5
> "I am so tired! Can anyone HELP ME!"
>

--
-> See: Info-Sec Heaven using our New Super Secure World-Wide-Web Server
-> Free: Test your system's security (scans deeper than SATAN or ISS!)
---------------------- both at URL: http://all.net ----------------------
-> Read: "Protection and Security on the Information Superhighway"
   John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95
-------------------------------------------------------------------------
   Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236

From firewalls-owner Mon Jul 17 07:25:19 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA17659 for firewalls-outgoing; Mon, 17 Jul 1995 06:55:35 -0700
Received: from hades.think.de (hades.think.de [194.120.140.254]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA17648 for ; Mon, 17 Jul 1995 06:55:30 -0700
Received: (from daemon@localhost) by hades.think.de (8.6.8.1/8.6.6) id PAA07173 for ; Mon, 17 Jul 1995 15:54:10 +0200
Received: from marquis.think.de(194.120.140.100) by hades.think.de via smap (V1.3) id sma007171; Mon Jul 17 15:53:48 1995
Received: from marquis.think.de (klingspo@localhost [127.0.0.1]) by marquis.think.de (8.6.8.1/8.6.6) with SMTP id PAA31272 for ; Mon, 17 Jul 1995 15:53:53 +0200
Date: Mon, 17 Jul 1995 15:53:49 +0200 (MET DST)
From: Markus Klingspor
To: Firewalls@GreatCircle.COM
Subject: port 42
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Where can I find information about the host name service on port 42?
- Markus Klingspor
-------------------------------------------------------------------------
Markus Klingspor                 klingspo@think.de
Thinking Objects Software GmbH   klingspo@to.com
Lindenstraße 4                   phone: +49 9344 91001
D-97950 Gerchsheim               fax:   +49 9344 91002
-------------------------------------------------------------------------

From firewalls-owner Mon Jul 17 07:25:55 1995
Received: (daemon@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA17471 for firewalls-outgoing; Mon, 17 Jul 1995 06:52:46 -0700
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA17463 for ; Mon, 17 Jul 1995 06:52:27 -0700
Message-Id: <199507171352.GAA17463@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA147079084; Mon, 17 Jul 1995 23:51:24 +1000
From: Darren Reed
Subject: Short revisit of sending replies to blocked packets.
To: Firewalls@GreatCircle.COM (Firewalls Mailing List)
Date: Mon, 17 Jul 1995 23:51:24 +1000 (EST)
In-Reply-To: <9507090807.AA24048@bunya.awadi> from "Brett Lymn" at Jul 9, 95 05:37:24 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 863
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If you'll excuse me for digging this back up, there was one other reason to send back TCP RSTs in response to "strange" TCP packets (rather than just ignore them) and that is to stop miscreants from using your firewall as a helping hand in launching an IP spoofing attack.

With "silent" dropping of SYN-ACK packets, not destined for any specific port and inbound to you with tight packet filtering policies, it is possible for an "attacker" to use this to his advantage in building an IP spoofing attack - no need to jam up a particular (open) TCP port.

As far as I know, only Cisco and Livingston (?) make particular usage of an "established" type filter keyword that uses the SYN-ACK packet.
This is generally only useful if the miscreant is only concerned with generating false information (such as sending fake mail, etc) but has other potential.

darren

From firewalls-owner
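A worked model of the two choices Darren's post turns on (a per-packet "established" test versus tracking outbound SYNs, and silently dropping a blocked packet versus answering it with a RST), added here as an example; it is not code from the list, from Darren Reed, or from any vendor's filter. The packet fields, the listening-port list and the addresses are constructed for illustration, and the log line format is made up.

```python
"""Inbound TCP filter decisions, modelled two ways.

Constructed example for the "TCP RST vs. silent drop" discussion; it is
not code from the Firewalls list, from Darren Reed, or from any vendor.
Packet fields, port list and addresses are made up for illustration.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, Set, Tuple

SYN, ACK, RST = "SYN", "ACK", "RST"

# Constructed: ports the protected site actually listens on.
LISTENING_PORTS = {25, 80}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]


def is_established_stateless(pkt: Packet) -> bool:
    """Router-style 'established' test: true when ACK or RST is set.
    It inspects only this packet, so an unsolicited SYN-ACK passes."""
    return ACK in pkt.flags or RST in pkt.flags


def stateless_decision(pkt: Packet) -> str:
    """Per-packet filter: new connections only to listening ports,
    anything that looks 'established' is let through."""
    if SYN in pkt.flags and ACK not in pkt.flags:
        return "accept" if pkt.dport in LISTENING_PORTS else "block"
    return "accept" if is_established_stateless(pkt) else "block"


@dataclass
class StatefulFilter:
    """Remembers outbound SYNs so an inbound SYN-ACK is accepted only
    when an inside host really asked for that connection."""
    pending: Set[Tuple[str, int, str, int]] = field(default_factory=set)

    def note_outbound_syn(self, src: str, sport: int, dst: str, dport: int) -> None:
        self.pending.add((src, sport, dst, dport))

    def decision(self, pkt: Packet) -> str:
        if SYN in pkt.flags and ACK not in pkt.flags:
            return "accept" if pkt.dport in LISTENING_PORTS else "block"
        # Reverse the 4-tuple: the reply's dst/dport are our original src/sport.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "accept" if key in self.pending else "block"


def response_for_blocked(pkt: Packet, policy: str) -> str:
    """What to send back for a blocked TCP packet.

    'drop'   - say nothing; the sender's attempt just hangs.
    'reject' - answer with a RST so the peer's stack tears it down at
               once. A RST is never answered with a RST (RFC 793), which
               also avoids RST ping-pong between two filters.
    """
    if policy == "drop" or RST in pkt.flags:
        return "none"
    if policy == "reject":
        return "RST"
    raise ValueError(f"unknown policy {policy!r}")


def audit_line(pkt: Packet, decision: str, response: str) -> str:
    """One log line per filtered packet, in a constructed format."""
    flags = "+".join(sorted(pkt.flags))
    return (f"tcp {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
            f"[{flags}] {decision} reply={response}")


def demo() -> dict:
    # Constructed traffic: a SYN-ACK arriving for a port nobody opened.
    stray = Packet("198.51.100.7", 80, "192.0.2.5", 4321, frozenset({SYN, ACK}))
    sf = StatefulFilter()
    out = {
        "stateless": stateless_decision(stray),          # passes the ACK test
        "stateful_unsolicited": sf.decision(stray),      # no matching SYN
        "reply_drop": response_for_blocked(stray, "drop"),
        "reply_reject": response_for_blocked(stray, "reject"),
    }
    # Now an inside host really did open that connection.
    sf.note_outbound_syn("192.0.2.5", 4321, "198.51.100.7", 80)
    out["stateful_solicited"] = sf.decision(stray)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the two filters side by side is that the stateless "established" rule accepts the stray SYN-ACK on the strength of its ACK bit alone, while the stateful one blocks it because no inside host sent the SYN; and for whatever is blocked, the "reject" policy answers with a RST as Darren recommends instead of leaving the peer waiting.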