From firewalls-owner Sun Oct 1 00:30:13 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA09703 for firewalls-outgoing; Sun, 1 Oct 1995 00:24:36 -0700
Received: from huntergate.hunter.com (node2.hunter.com [199.217.148.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id AAA17493 for ; Fri, 29 Sep 1995 00:31:24 -0700
Received: (from daemon@localhost) by huntergate.hunter.com (8.6.11/8.6.9) id CAA19886; Fri, 29 Sep 1995 02:29:49 -0500
Received: from diablo.hunter.com(10.2.1.50) by huntergate.hunter.com via smap (V1.3) id sma019876; Fri Sep 29 02:29:45 1995
Received: from Microsoft Mail (PU Serial #0) by diablo.hunter.com (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Sep29.022645.0.1569; Fri, 29 Sep 1995 02:29:46 -0500
From: rik@spirit.com (rikspirit.com)
To: skh@huntergate.hunter.com, Firewalls@greatcircle.com (Firewalls)
Message-ID: <1995Sep29.022645.0.1569@diablo.hunter.com>
X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Organization: Hunter Engineering Company
Date: Fri, 29 Sep 1995 02:29:46 -0500
Subject: CERT and Firewalls BOFs
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Here are my notes from the Usenix LISA XI conference in Monterey, CA. I try to identify speakers, but still missed some, and there are parts missing (I tend to stop taking notes if things get so interesting I forget what I'm supposed to be doing.) Comments which I added later are in square brackets.

CERT BOF, 1830, 21 September, 1995

Ed DeHart of CERT started the CERT BOF by joking that the annual Sendmail-LISA CERT Alert had come out [a problem with SunOS sendmail when used with the -oR option]. Someone pointed out that last year it wasn't exactly sendmail, but rather Majordomo's use of sendmail that prompted the alert.
DeHart mentioned the latest release of sendmail, 8.7, which prompted yet another comment--a person claimed that Marcus Ranum had a two-line Perl script which would overflow a gets()-style buffer in the latest release. Ranum came in a few minutes later, but did not comment on this assertion in front of the group.

Syslog is considered by the CERT to be the other current problem. [It is actually not the syslog daemon that's the problem, but the subroutine which gets called by applications to communicate with syslog.]

DeHart next stated that CERT is primarily interested in infrastructure problems, for example, people breaking into ISPs [Internet Service Providers]. He hinted that CERT's role would be changing from incident response to incident collection, infrastructure improvements, and working with vendors to fix problems. Which prompted a question about vendors, why they still delivered insecure versions of their operating systems. DeHart answered that customers must demand securely configured operating systems before vendors will be willing to deliver them. He mentioned a paper delivered the day before, by a security administrator from Sun, who said that SunSoft was not currently planning to improve the security of their delivered products because surveys of customers indicated that security was not an important consideration when buying OS products. [I'd asked the same question several years ago and got the same answer--when customers demand security, Sun will deliver it.]

DeHart pointed out that vendors whose names appear most regularly in CERT advisories are cooperating with CERT. A prominent UNIX vendor which has no CERT advisories simply means the vendor is not cooperating with CERT.

The tool apparently used during the Tsutomu Shimomura break-in is being widely distributed. The tool takes advantage of 'r' commands (rlogin, rsh), even if protected by tcp_wrappers or netacl, by using IP source address spoofing.
The interface makes this cracking tool easy to use, asking for the name of the host to break into, and the name of the trusted host to masquerade as. DeHart repeated something he has said many times before--do the simple things, and the crackers will go elsewhere. "Why spend 10 minutes when they can take 30 seconds to get in?" [Perhaps this seems a little unfair, but only about 70% of large, commercial sites have any type of firewall (CSI report). And people are always adding new systems to the network without checking them first for security.] The Berkeley 'r' commands, NFS, are not secure.

Question: What about Macs, NT, Windows 95? DeHart answered that we may start seeing things, but so far they are mostly clients. Client software is not susceptible to direct attacks.

Question: Will you report things like Word Virus? DeHart said not currently. Can't deal with every PC bug.

There are about 12,000 addresses on the CERT mailing list for advisories, and 50 parallel queues are used to deliver alerts (which takes one to two hours). The CERT tools mailing list has been inactive for months, and may not be re-opened.

====

Firewalls BOF, 1833, 21 Sept, 1995

Brent Chapman takes over, starting off with the brief history of the BOF (started at the Third Usenix Security Symposium in Baltimore three years ago). Currently 8,000 subscribers to firewalls, with perhaps 15,000 readers.

Carson Gaspar, of Lehman Brothers, next got things off to a lively start. [Gaspar is a frequent poster to the fwtk-users mailing list.] Carson asked the audience [about 110 persons] if he should rewrite the ftp-gw proxy, part of the Firewall Toolkit, to do passive ftp? Or should he work with Brimstone SOS [which also has a license similar to TIS for their proxies, but fewer services], because the code quality is better. Security-wise, fwtk is good. But return codes are never checked--when a proxy fails, it fails silently. [For some reason, he doesn't know who wrote this "poor quality code".]
Marcus Ranum steps forward, and says he wrote most of the code [his name appears in most proxies except http-gw]. There is no explosion, just tension and anticipation in the air.

Carson then does an informal survey. How many have commercial firewalls, how many have 'home-grown' firewalls, how many have no firewall? About as many have commercial products (~15) as have no firewall. More than three times as many have 'home-grown' firewalls. [In CSI's survey, 12% used TIS fwtk, and 16% stated other, which probably includes a lot of SOCKS users, because SOCKS wasn't listed as a category. So a Usenix LISA BOF was unsurprisingly different than the CSI survey, which included large, not predominantly UNIX, sites, and showed about 60-70% commercial firewall products.]

Brent Chapman commented on the licensing problem involved in publicly available software, such as Majordomo, or the Firewall toolkit. Marcus Ranum stated that one major concern was divergent versions. There were no security problems with the toolkit per se, but there were known problems--many of which were dealt with in Gauntlet 3.0. [No one mentioned that the issue of how to proceed with extending the toolkit, or supporting it, was thoroughly hashed out during the Usenix Security Symposium at Salt Lake City. Chapman does comment:] "I for one do not want to go down that road again." Gaspar hasn't given up yet, and wants to distribute code. Ranum comes back again by saying the unreleased code base has diverged enormously, so it's hard to know if what you are fixing has already been fixed.

[Question: Has anyone used plug-gw to push notes through a firewall?] Alan Hannon, of Midnet, said he had done so, and plug-gw works fine for anything that is many-to-one.

I asked Chapman about the syslog problem. He responded that the problem is NOT in the syslog daemon, but in the function call library itself.
CSRG [Computer Science Research Group at Berkeley, which I thought had disbanded] threatened to go through all the [UNIX] code and remove all unbounded string copies [the problem], but gave up. [snprintf is the solution, pointed out a participant in the front row.]

Ranum steps onto the soapbox and states that "C is not a secure language, and UNIX is not a secure operating system. We're in the sendmail bug-of-the-month club because of this." Software engineers need to grow up. Hannon quips that this is like the hazardous waste industry--we're stuck with what we have. Ranum retorts that the user community is still buying toxic waste as fast as it can. Someone else asks, what about using ADA on NT? Ranum apparently ignores this, saying that for some applications, UNIX and C are not sufficient.

Another person I labeled said that he recommended a client buy Gauntlet. The client did, then insisted that they permit IRC through the firewall. TIS disagreed, the consultant disagreed, but IRC was rammed through anyway.

Hannon asked what do people do about modems? Someone, a defense contractor, said they had to fire someone to make people take notice of the no-modem policy. Carson said Lehman implemented a dial-out modem pool, which is audited. Hannon said he worked hard so users would not WANT a modem. Carson stated that they dial all lines, using numbers acquired from facilities management, looking for modems. Two persons were 'let go'. Another got a slap on the wrist for a 'technical violation'. Chapman said that policy is a management issue [his new book has a great chapter on policy, BTW]. Ranum responded by saying you need to get a letter from the biggest, hottest person saying why the policy is important, and then get approval from the highest ranking management (president, vice-president) possible.

Sal Collora asked what is the real threat posed by modems? Who is going to sit around dialing phone numbers looking for modems? Hannon answers that he hasn't met enough dweebs.
[I think, hasn't he heard of demon dialers, invented for the Apple II in the late '70s?] Ranum answered that he'd seen two firewall hosts broken into, both because modem-based attacks had been used to sniff passwords. He also said he has seen networks where the firewall host was the ONLY secure computer. Chapman also answered the question by saying that not publishing modem numbers was security through obscurity. Assume the problem is an insider or an ex-employee.

Collora said he'd only been at this job two months, and didn't want to beat his head against the wall. John [jco@direwolf.com] recommended doing a cost analysis. No sense building a fort protecting a dandelion. Chapman pointed out that just the cost of restoring the data would justify a firewall in most cases [one of my favorite points]. Secrecy, data integrity, and availability are reasons for security. Why do you keep the data if you don't need it? John said he is worried about demon dialing. And that his site was fifth to be attached to the ARPANET, and they argued long and hard about putting in packet filters, not even a firewall [the company which owned that site now sells firewalls]. Ranum asked why they decided to add protection, to which John didn't respond.

Another survey. How many here have done some form of risk assessment? Around 20%. Have a site security policy? 20%. Have that policy signed and approved by a corporate officer? Only two hands go up. Chapman points out that every site has a security policy, even if it's not written.

Ranum then makes certain people are still awake. He mentions that in five years, lawyers will be able to sue for recovery of damages for a break-in. When there is a body of law available, they can slap suits without any effort. Likened this to soft body tissue damage. [Another of my favorite points. You have a network which is unprotected. Someone uses your network to break into another network, so the attack comes from your site. Who gets sued? Who has deep pockets?]
Another unidentified participant said that it is hard to keep people from screwing up machines. Chapman said you've got to do auditing.

Carson, responding to a question I didn't note, said security is an iterative problem. Pick the two biggest problems and fix them. Then go on, pick the next two top things, and fix those, and so on. He sleeps soundly at night because he has three layers of protection [in Lehman's firewall?]. Ranum asks "Does Lehman have Flowtrans?"

What scares Ranum is that the Internet is often behind the firewall. Private connections, connections to other organizations which are connected to the Internet. The Plan 9 guys, the Athena guys, have it right. Put security at the presentation device. John pointed out that Ranum was saying six or seven years until firewalls won't be needed, and now [several years later], he is saying three or four years. Ranum answered by saying that security has got to be everywhere. Someone wants fascinating thing X. Rather than simply providing it, need to make a service-oriented requirements analysis to see if they really need X, and how to get data to X. Real purpose of a firewall is to provide service. The six main services are Mail, Web, FTP, Telnet, News, and DNS. Another speaker said you can't control clients, to which Ranum responded "The only way to solve bad management is to become it."

John pointed out that human engineering was the method used in the movie Hackers to get the modem pool number.

NEARNet has had to deal with this. Their NOC [Network Operations Center] is one of the largest in the world. They went ahead and did a cost analysis which included the possibility that someone would set off a car bomb outside. They concluded it wasn't worth building a bunker in the middle of Cambridge.

Collora said he's interested in moving to NT. Chapman said that you should always pick the platform you are most familiar with. There are more tools on UNIX than anything else.
But if you don't have UNIX expertise, you're in a tough position. Collora said that he would be happy to buy something, then have a vendor to point a finger at. John asked if he'd ever read a software license agreement, where the only warranty is on the media used for distribution of the software.

And, amazingly enough, the meeting broke up in time for the reception in the Monterey Aquarium at 2000.

Rik Farrow
rik@spirit.com

------ Message Header Follows ------
Received: from lapis.hunter.com by diablo.hunter.com (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Sep29.014802.0.749; Fri, 29 Sep 1995 01:48:02 -0500
Received: from huntergate.hunter.com by lapis.hunter.com with SMTP (1.38.193.4/16.2) id AA02149; Fri, 29 Sep 95 01:45:37 -0500
Received: (from daemon@localhost) by huntergate.hunter.com (8.6.11/8.6.9) id BAA19095; Fri, 29 Sep 1995 01:47:59 -0500
Received: from uustar.starnet.net(199.217.253.12) by huntergate.hunter.com via smap (V1.3) id sma019093; Fri Sep 29 01:47:35 1995
Received: from scsgate.scscom.com by uustar.starnet.net with UUCP id AA11822 (5.67b/IDA-1.5); Fri, 29 Sep 1995 01:21:49 -0500
Received: by scsgate.stl.scscom.com (Smail3.1.29.1 #4) id m0syXqM-0002Isa; Fri, 29 Sep 95 00:18 CDT
Sender: kenth@HNS.St-Louis.Mo.US
Received: (from kenth@localhost) by gwydion.HNS.St-Louis.Mo.US (8.6.12/8.6.12) id AAA07444; Fri, 29 Sep 1995 00:15:36 -0500
Received: from scsgate.scscom.com (uucp@localhost) by gwydion.HNS.St-Louis.Mo.US (8.6.12/8.6.12) with UUCP id FAA07968 for Kent.Hamilton; Thu, 28 Sep 1995 05:02:59 -0500
Received: by scsgate.stl.scscom.com (Smail3.1.29.1 #4) id m0syEzl-00039ma; Thu, 28 Sep 95 04:11 CDT
Sender: kenth@HNS.St-Louis.Mo.US
Received: from relay4.UU.NET by uustar.starnet.net with SMTP id AA09816 (5.67b/IDA-1.5 for ); Thu, 28 Sep 1995 03:42:51 -0500
Received: from miles.greatcircle.com by relay4.UU.NET with ESMTP id QQzjcs02577; Thu, 28 Sep 1995 04:34:55 -0400
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA04090 for firewalls-outgoing; Thu, 28 Sep 1995 00:18:07 -0700
Received: from apache.spirit.com (cust010.nb1p1.ffx1.va.ALTERDIAL.ALTER.NET [199.173.113.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id SAA27364 for ; Tue, 26 Sep 1995 18:05:47 -0700
Reply-To: rik@spirit.com
Received: from localhost (rik@localhost) by apache.spirit.com (8.6.5/8.6.5) id RAA01228 for Firewalls@greatcircle.com; Tue, 26 Sep 1995 17:45:12 -0700
Date: Tue, 26 Sep 1995 17:45:12 -0700
From: Rik Farrow
Message-Id: <199509270045.RAA01228@apache.spirit.com>
To: Firewalls@greatcircle.com
Subject: CERT and Firewalls BOFs
Sender: kenth@HNS.St-Louis.Mo.US
Precedence: bulk

From firewalls-owner Sun Oct 1 12:22:37 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA00145 for firewalls-outgoing; Sun, 1 Oct 1995 12:18:58 -0700
Received: from satsong.interserver.com (ckapilla.interserver.com [204.182.67.73]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA00138 for ; Sun, 1 Oct 1995 12:18:55 -0700
Message-Id: <199510011918.MAA00138@miles.greatcircle.com>
Received: from SATSONG by satsong.interserver.com id aa000379 at Sun, 1 Oct 95 12:16:01 Pacific Daylight Time--100
X-Sender: ckapilla@interserver.com
X-Mailer: Windows Eudora Version 2.1.1
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 01 Oct 1995 12:16:00 -0700
To: firewalls@GreatCircle.COM
From: Chris Kapilla
Subject: Mail Loops
X-Info: InterServe Web Systems, Inc.
X-Mailedby: NT SMTP/LISTSERVER v2.10 (ntmail@net-shopper.co.uk)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings all,

This isn't really relevant to firewalls, but it *is* relevant to this list because it seems to happen here regularly, i.e., those lovely mail storms. My questions are: what causes these and what can I (and everyone else) do to make sure that *our* systems are never responsible for one of them. Thanks for any help.
Cooly,
Chris
-------------------------------------------------------------------
ckapilla@interserver.com
http://www.interserver.com
206.836.3661
206.836.9468

From firewalls-owner Sun Oct 1 15:30:01 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA02377 for firewalls-outgoing; Sun, 1 Oct 1995 15:21:48 -0700
Received: from hughes.network.com (hughes.network.com [129.191.63.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA02370 for ; Sun, 1 Oct 1995 15:21:43 -0700
Received: from [129.191.40.14] by hughes.network.com via SMTP (940816.SGI.8.6.9/940406.SGI) id RAA24859; Sun, 1 Oct 1995 17:19:15 -0500
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 1 Oct 1995 18:23:45 -0500
To: firewalls@greatcircle.com, thierry@namsa.nato.int
From: hughes@hughes.network.com (James P. Hughes)
Subject: The ATM Firewall, research project. (was Re: Frame Relay firewalls???)
Cc: Ken Hardy , Ted Doty
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>I believe that the initial quote is not talking about the switches
>themselves, but just to the IP traffic which comes via ATM; the
>company, which obviously has a product to sell and may be skewing
>reality a bit, seems to claim that ordinary IP firewalls need the whole
>IP packet, requiring reassembly.

Reality is in the eye of the beholder, but let me respond with a few comments. I am the principal investigator on this project and am responsible for the claims and backing those claims up with existence proofs. Ken is correct in what he is saying. We will have a product that we want to sell in the future when it is complete. At this time, it is not ready for -prime time-. At this time, it is a research project trying to understand how to completely firewall (using the most encompassing definition of the word) a 150Mb/s ATM stream.

>ATM packets are small and fixed sized -- 5 bytes header and 48 bytes
>payload.
>Don't recall details of what I read about IP over ATM (a
>recent Computer Communications Review had an issue devoted to ATM --
>v25n2 04/95), but I assume that the IP packets are spread among several
>ATM packets, rather than using IP fragmentation and having an entire IP
>packet, albeit a fragment, in each tiny ATM packet. (Corrections
>welcome.)

Your summary is indeed 100% correct. An IP packet is a sequence of cells. The first cell usually contains all of the IP header (IP options move things around) and the TCP and UDP headers can be in the 1st or later cell. The user data (obviously) is after that. The cells in the stream can be mixed with other cells of other virtual circuits.

>It appears that this outfit has some sort of IP firewall (maybe just a
>screen) for ATM that works without reassembling the IP packets,
>achieving lower latency.

At the lowest level, you are correct, but in the press release, there is not a lot of space to get in the detailed facts... This is a better forum for such a discussion. Packets, where the policy can be digested to a low number of fields (VC number, SNAP, IP Frag, IP source and destination, IP Proto, Ports and flags) without need to be changed, will indeed be screened. What is not mentioned is that packets that cannot be secured through screening will be reassembled and fed into a more traditional firewall host (which is currently a Sun clone running SunOS, but the packets do not go through the SunOS networking stacks). Reassembly can be at the packet level or all the way to the TCP stream; there are only performance issues to work on. This is based on the idea that high performance connections (when authenticated) such as an FTP data transfer can, for the period of the transfer, be screened. (To my knowledge, this is similarly done by at least one combination of a Firewall and a brand C router...)
It is also expected that the high performance stuff will relieve the CPU load for the lower performance traffic (such as telnet, ftp control connection, etc). It is expected that a 1-3ms increase in latency for reassembled telnet sessions will not be a significant loss of performance to those sessions.

>It would be interesting to know what they have and what real extra
>value it offers.

Low latency and high performance streams. The latency of the screened traffic will be 15us +- 1us. There are several other ATM specific security measures such as filtering the ATM call setup messages and management cells.

>I posted the original press release. After having
>done so, I repented somewhat and thought that perhaps I should just
>have posted their URL for those really interested.

I am sorry to say that this is not in our web pages yet....

>But if it initiates
>a discussion here that helps increase general knowledge of these issues
>(like whether or not they're significant), without too much noise, it
>may be for the best.

I think that this discussion is for the better. Thanks. I welcome well thought out discussions of these kinds of technical issues. Please keep me in the reply stream, because I do not follow this mailing list. This is just a fragment of the details of the implementation; I will be happy to continue this discussion.
jim
--------------
HTTP://WWW.Network.com/~hughes

From firewalls-owner Sun Oct 1 16:52:33 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA03254 for firewalls-outgoing; Sun, 1 Oct 1995 16:28:56 -0700
Received: from rex.isdn.net (rex.isdn.net [198.79.88.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA03247 for ; Sun, 1 Oct 1995 16:28:53 -0700
Received: from ppp201.ts2.isdn.net by rex.isdn.net with smtp (Smail3.1.29.1 #10) id m0szXnH-00093FC; Sun, 1 Oct 95 18:27 CDT
Message-Id:
Date: Sun, 1 Oct 95 18:27 CDT
X-Sender: jbucy@rex.isdn.net (Unverified)
X-Mailer: Windows Eudora Version 1.4.3
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: jbucy@rex.isdn.net (John Bucy)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From firewalls-owner Sun Oct 1 22:52:07 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA06263 for firewalls-outgoing; Sun, 1 Oct 1995 20:31:01 -0700
Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id UAA06256 for ; Sun, 1 Oct 1995 20:30:56 -0700
Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.6.10/8.6.10) with UUCP id LAA08766 for GreatCircle.COM!Firewalls; Thu, 28 Sep 1995 11:22:41 -0500
Received: by ris1.nmti.com (smail2.5) id AA13594; 28 Sep 95 10:15:22 CDT (Thu)
Received: by sonic.nmti.com; id AA04617; Thu, 28 Sep 1995 10:42:17 -0500
From: peter@nmti.com (Peter da Silva)
Message-Id: <9509281542.AA04617@sonic.nmti.com.nmti.com>
Subject: Re: CERT and Firewalls BOFs
To: rik@spirit.com
Date: Thu, 28 Sep 1995 10:42:17 -0500 (CDT)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <199509270045.RAA01228@apache.spirit.com> from "Rik Farrow" at Sep 26, 95 05:45:12 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1351
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Which prompted a
> question about vendors, why they still delivered
> insecure versions of their operating systems.
> [I'd asked
> the same question several years ago and got the same answer--when
> customers demand security, Sun will deliver it.]

Sounds like a case could be made for contributory negligence on Sun's part, given how long they've known of the problem...

> Carson asked the audience [about 110 persons] if he should rewrite the
> ftp-gw proxy, part of the Firewall Toolkit, to do passive ftp? Or
> should he work with Brimstone SOS [which also has a license similar to
> TIS for their proxies, but fewer services], because the code quality is
> better.

Why can't he just use whichever proxies he wants? They won't wake up and go "Ick, Freestone, I'm outta here!"...

> [Question: Has anyone used plug-gw to push notes through a firewall?]

I've used plug-gw to run WinDD through a firewall. Does that count?

> Someone else asks, what about using ADA on NT?

[insert reference to C. A. R. Hoare's Turing Award Lecture]

I've been playing around on NT. I don't have a compiler or debugger, but you have to assume just about any GPF in a service is a potential trouble spot. I've gotten GPFs in services. Remember, NT is written in assembly and C++.

Do any of your daemons core dump? Have you fixed or replaced them? Why not?
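The "unbounded string copies" CSRG gave up on removing and the snprintf suggestion in Rik's notes, together with Peter's point above that a crashing service is a trouble spot, come down to one coding pattern. The following C is an added example, not code from either post or from any tool named in the thread: a log-line formatter written in the unbounded style next to a bounded snprintf version whose return value reports truncation. The buffer size, host name and messages are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed buffer a daemon might format a log line into
   (constructed for this example). */
#define LOG_LINE_MAX 128

/* Pre-flight check: does "host: msg" plus its terminating NUL fit in
   dstlen bytes? Returns 1 if it fits, 0 otherwise. */
static int log_line_fits(size_t dstlen, const char *host, const char *msg)
{
    return strlen(host) + 2 + strlen(msg) + 1 <= dstlen;
}

/* The unbounded pattern the notes complain about: strcpy/strcat (or
   sprintf) into a caller's buffer with no idea how large it is. Whether
   this writes past the end of dst depends entirely on the input, which is
   why CSRG talked about removing every such copy. It is kept here only for
   contrast and is called only after log_line_fits() has said yes. */
static void build_log_line_unbounded(char *dst, const char *host, const char *msg)
{
    strcpy(dst, host);
    strcat(dst, ": ");
    strcat(dst, msg);
}

/* The snprintf() form the front-row participant suggested: the buffer size
   is passed in, output is always NUL-terminated, and the return value tells
   us whether anything was cut off. Returns 0 on success, -1 if truncated. */
static int build_log_line(char *dst, size_t dstlen, const char *host, const char *msg)
{
    int n;

    if (dst == NULL || dstlen == 0)
        return -1;
    n = snprintf(dst, dstlen, "%s: %s", host, msg);
    if (n < 0) {              /* encoding error: leave an empty, valid string */
        dst[0] = '\0';
        return -1;
    }
    return ((size_t)n < dstlen) ? 0 : -1;   /* n >= dstlen means truncated */
}

/* Format a short constructed message; returns 0 when the result is the
   expected string. */
static int demo_short(void)
{
    char line[LOG_LINE_MAX];

    if (build_log_line(line, sizeof line, "gateway", "login from inside") != 0)
        return -1;
    return strcmp(line, "gateway: login from inside");
}

/* Format a 299-byte message into a LOG_LINE_MAX buffer. Sets *truncated to
   1 if build_log_line reported truncation and returns the stored string
   length, which must never exceed LOG_LINE_MAX - 1. */
static size_t demo_oversized(int *truncated)
{
    char line[LOG_LINE_MAX];
    char big[300];

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    *truncated = (build_log_line(line, sizeof line, "gateway", big) == -1);
    return strlen(line);
}

int main(void)
{
    int truncated = 0;
    char line[LOG_LINE_MAX];
    size_t len = demo_oversized(&truncated);

    printf("short message formatted: %s\n", demo_short() == 0 ? "ok" : "FAIL");
    printf("oversized message: truncated=%d, stored length=%lu (buffer %d)\n",
           truncated, (unsigned long)len, LOG_LINE_MAX);

    /* The unbounded copy is only used once we know the input fits. */
    if (log_line_fits(sizeof line, "gateway", "short"))
        build_log_line_unbounded(line, "gateway", "short");
    printf("bounded-by-check copy: %s\n", line);
    return 0;
}
```

The bounded version never writes past dstlen and always leaves a NUL, so a caller that ignores its -1 still gets a valid, if shortened, string rather than a corrupted stack. The unbounded copy is kept only to show what log_line_fits() has to guard, which is exactly the check the library routines of the day did not make.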
From firewalls-owner Mon Oct 2 02:00:02 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA11950 for firewalls-outgoing; Mon, 2 Oct 1995 01:56:36 -0700
Received: from mimos.my (mimos.my [192.228.128.18]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id BAA11943 for ; Mon, 2 Oct 1995 01:56:30 -0700
Received: from ms.mimos.my (ms.mimos.my [192.228.129.33]) by mimos.my (8.6.12/8.6.12) with SMTP id QAA03026 for ; Mon, 2 Oct 1995 16:54:57 +0800
Received: by ms.mimos.my (5.64/7.0) id AA04020; Mon, 2 Oct 95 16:54:56 +0800
Date: Mon, 2 Oct 1995 16:54:55 +0800
From: Musaddik Mokhtar
To: firewalls@greatcircle.com
Subject: OPIE 2.03 with FWTK's auth
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

Has anybody used OPIE as a one-time password mechanism with FWTK's auth? I wonder if this could be done since it is very similar to S/KEY, which FWTK supports. If it has been done by anybody out there, I could use and would appreciate some pointers (no point taking time reinventing the wheel).

For those who are looking for S/KEY to fix on BSDI boxes (but to no avail), I suggest you take a look at OPIE. It works like a charm on BSDI.

Regards.
- Musaddik

Musaddik Mokhtar                      dique@ms.mimos.my
System Support Group                  http://www.bsk.mimos.my/~dique
Division of Computer Systems @ MIMOS
Malaysia

From firewalls-owner Mon Oct 2 02:52:33 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA13075 for firewalls-outgoing; Mon, 2 Oct 1995 02:43:11 -0700
Received: from hk.super.net (hk.super.net [202.14.67.4]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id CAA13054 for ; Mon, 2 Oct 1995 02:42:49 -0700
Received: from rssd.hk.olivetti.com (rssd.hk.olivetti.com [202.64.192.5]) by hk.super.net (8.7/8.7) with SMTP id RAA18734 for <@hk.super.net:firewalls@greatcircle.com>; Mon, 2 Oct 1995 17:40:50 +0800 (HKT)
Message-Id: <199510020940.RAA18734@hk.super.net>
Subject: Re: Choice of secure router software
To: lyndond@sentinet.demon.co.uk (Lyndon David)
Date: Mon, 2 Oct 1995 17:30:22 +0800 (HKT)
From: "Raju M. Daryanani"
Cc: firewalls@greatcircle.com
In-Reply-To: <199509271534.QAA07205@server.sentinet.demon.co.uk> from "Lyndon David" at Sep 27, 95 04:32:55 pm
X-Mailer: ELM [version 2.4 PL21]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

According to Lyndon David:
> At the moment I am looking at the routers and have set up a
> machine running screend which works just fine, my question
> though is this. The filter rules in screend only work on
> forwarded packets, it is unable to operate on any packets
> destined for any of the machines interfaces. Obviously this

I am setting up a single machine to act as both a router and a firewall.
I'm using FreeBSD and originally planned on using screend to do all the packet filtering, until I ran into this "forwarded packets only" limitation. I've now switched to ip_fil, which can be found on coombs.anu.edu.au. It also allows greater control in specifying IP flags and options than screend or the ipfilter that ships with FreeBSD.

One big difference between screend and ip_fil is that screend does a bit of caching to decide whether an IP fragment should be forwarded or not. ip_fil doesn't, but it does allow you to block fragments that might overwrite the headers in the original packet. That prevents the attack whereby someone sends in a packet with a valid header then overwrites the header options with a following fragment.

I think ipfirewall only works on SGI machines, so I didn't look into it.

> Would anyone be interested in a free router software resource
> section in the FAQ, with enough replies we (I) could prepare
> a section if it was thought to be of enough interest and the
> maintainer is willing.

I proposed this to someone else who sent me a few suggestions on using FreeBSD as a firewall. At the time I was suggesting a FreeBSD specific writeup, complete with installation tips, but I think a more generic writeup would be just as useful.

Raju
--
Raju M. Daryanani          | Email: raju@rssd.hk.olivetti.com
Technical Support Manager  |        raju@hk.super.net, raju@air.org
Products Division          | Tel: +852 2979 2450 / Fax: +852 2802 6650
Olivetti (HK) Ltd.
                           | [Finger for PGP key] [MIME understood]

From firewalls-owner Mon Oct 2 03:22:37 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA13862 for firewalls-outgoing; Mon, 2 Oct 1995 03:11:57 -0700
Received: from caesar.udac.se (caesar.udac.se [193.44.79.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id DAA13855 for ; Mon, 2 Oct 1995 03:11:53 -0700
Received: by caesar.udac.se id AA22982 (5.67b-Emil1.1/IDA-1.5 for Firewalls@GreatCircle.COM); Mon, 2 Oct 1995 11:08:22 +0100
Date: Mon, 2 Oct 1995 11:08:21 +0100 (MEZ)
From: Mats Bredell
Subject: Re: Mail Proxy
To: Chris Tyler
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <306bfa630.8f9@devel.dejong.com>
Message-Id:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 29 Sep 1995, Chris Tyler wrote:

> Thinking about this, the main possibilities are:
>
> uuencode
> binhex
> MIME
>
> and a whack of proprietary formats. Each of these has a recognizable header or
> some other string signature, regardless of where (body or attachment) the data
> appears. Couldn't a nice fat regexp be written that would detect these strings? And,
> although there are a whack of proprietary formats, if you targeted the ones that
> your site would likely be able to decode (don't worry about, say,
> WANG-2200-MAILABLE-BINARY or IBM-EBCDIC-AUTOMACRO-ENCRYPTED if
> you're only running on PCs and Suns :-), you should be able to stop 99%+ of the
> binaries-within-mail, no? (And most macros, etc., will be binary, although not object
> code).

Have a look at Emil, a package that converts different mail formats. Emil can be used as a filter, discovers the attachment formats and converts them into the format you want. This won't solve your particular problem, but a filter that converts all incoming mail into uuencode should make it a lot simpler.
Emil can be found at

/Mats

From firewalls-owner Mon Oct 2 04:22:56 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA15815 for firewalls-outgoing; Mon, 2 Oct 1995 04:12:32 -0700
Received: from office.un.kiev.ua (office.un.kiev.ua [194.44.28.227]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id EAA15771 for ; Mon, 2 Oct 1995 04:12:02 -0700
Received: (from scorp@localhost) by office.un.kiev.ua (8.6.12/0409) id OAA08316; Mon, 2 Oct 1995 14:08:02 +0200
Date: Mon, 2 Oct 1995 14:08:02 +0200 (EET)
From: Slava Kritov
X-Sender: scorp@office.un.kiev.ua
To: Chris Tyler
cc: Firewalls@GreatCircle.COM
Subject: Re: Mail Proxy
In-Reply-To: <306c46060.cfb@devel.dejong.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi !

> > based on name ...
>
> Right... so? The purpose was to deny all attachments, whether word DOCs or executables. So
> you look for the uuencode signature string and deny.

Users *will* complain ... Maybe something like PDF ( acrobat ) will solve the problem ?

Best
Slava

From firewalls-owner Mon Oct 2 04:30:27 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA16017 for firewalls-outgoing; Mon, 2 Oct 1995 04:28:05 -0700
Received: from office.un.kiev.ua (office.un.kiev.ua [194.44.28.227]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id EAA16010 for ; Mon, 2 Oct 1995 04:27:44 -0700
Received: (from scorp@localhost) by office.un.kiev.ua (8.6.12/0409) id OAA08457; Mon, 2 Oct 1995 14:22:54 +0200
Date: Mon, 2 Oct 1995 14:22:53 +0200 (EET)
From: Slava Kritov
X-Sender: scorp@office.un.kiev.ua
To: Christopher Osborn
cc: firewalls@greatcircle.com
Subject: Re: Running ftpd on another port
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi !

> have the logdaemon ftpd run on another port.
> It can run on any port (high
> ports are fine!). I can't find a compile switch or parameter on the
> daemon (clients of course are no problem.)

Look in inetd.conf. Duplicate the record with ftpd, and put another port number.

Best
Slava

From firewalls-owner Mon Oct 2 05:53:11 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA17896 for firewalls-outgoing; Mon, 2 Oct 1995 05:31:19 -0700
Received: from E-MAIL.COM (e-mail.com [199.171.26.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA17889 for ; Mon, 2 Oct 1995 05:31:15 -0700
Message-Id: <199510021231.FAA17889@miles.greatcircle.com>
Received: from cem-bb.e-mail.com by E-MAIL.COM (IBM VM SMTP V2R2) with BSMTP id 8496; Mon, 02 Oct 95 08:29:12 EDT
Date: Mon, 02 Oct 1995 08:33:01 EDT
From: toon@cem-bb.e-mail.com
To: firewalls@greatcircle.com
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: RFC 1597
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I really like the idea of what is proposed in RFC1597; this is (I think) AT PRESENT (before the general implementation of IPv6, who knows when) THE SOLUTION for small companies with a potential need for a lot of IP addresses (printers, LAN-print boxes, ...).

To connect such a network to the Internet, I understand that one needs the proper kind of firewall (dual-homed gateway, nice name). To make this work perfectly one would like to have the possibility to reserve a small part of the official addresses (class C?) to be 'translated' in a static way to the internal addresses of the servers to be reached from the outside world. The remaining part should make a 'pool' to be dedicated dynamically (only when needed) for those IP hosts that need a connection from the inside to the Internet.

I am a relatively new subscriber to this mailing list and I was glad to find RFC1597 is somewhat a 'hot topic'.

MY QUESTION: Does someone work already in this way?
I hope to get in contact with people that do have some working experience with the connection between their 10. network and the Internet. Although we intend to buy a commercial firewall, I'm also interested in the experiences of people with self-made firewalls.

I don't know for sure that what follows is really allowed in this forum. If not, Brent Chapman should let me know and I won't do it again. I just do it because I find it an important matter and I want to know the opinion of other people dealing with Internet security. This is also completely my own opinion and not the one of my employer.

I read RFC1627 and I am not happy with it. I will not discuss every item in it in this forum, although I think that this could be useful. The authors claim that RFC1597 has 'not the benefit of the usual, public review and approval by the IETF or IAB'. Can someone tell me whether they did it better with RFC1627? If so, I will stop complaining in public about an RFC full of logic that I can not understand. I hope that the authors of both RFCs have been speaking with each other lately and come with a compromise (we like compromises in Belgium). Maybe this is the revision of RFC1597 I read about in a note in this forum from Eliot Lear. I hope to find a reference to this new RFC in this forum.

From firewalls-owner Mon Oct 2 06:00:10 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA18215 for firewalls-outgoing; Mon, 2 Oct 1995 05:56:53 -0700
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA18196 for ; Mon, 2 Oct 1995 05:56:48 -0700
Message-Id: <199510021256.FAA18196@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA031198509; Mon, 2 Oct 1995 22:55:09 +1000
From: Darren Reed
Subject: Firewall-1: Patent-pending ?
To: Firewalls@GreatCircle.COM (Firewalls Mailing List)
Date: Mon, 2 Oct 1995 22:55:09 +1000 (EST)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 564
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This might be stretching the charter a bit...

In the advertising material for Checkpoint's Firewall-1 (version 1.2) which I picked up recently, there are two mentions of "patent pending". There is NO mention of any application numbers that I can find or any further information on this. Having sent e-mail to Checkpoint last week and having received no reply (surprised - NOT) I'm wondering if this is just a game.

Can anyone provide some more information about the pending patents, such as application numbers or the applications themselves ?

Thanks,
Darren

From firewalls-owner Mon Oct 2 06:24:03 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA18078 for firewalls-outgoing; Mon, 2 Oct 1995 05:45:28 -0700
Received: from venera.isi.edu (venera.isi.edu [128.9.0.32]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA18071 for ; Mon, 2 Oct 1995 05:45:25 -0700
From: bmanning@ISI.EDU
Received: from zed.isi.edu by venera.isi.edu (5.65c/5.61+local-22) id ; Mon, 2 Oct 1995 05:43:39 -0700
Posted-Date: Mon, 2 Oct 1995 05:40:33 -0700 (PDT)
Message-Id: <199510021240.AA11534@zed.isi.edu>
Received: by zed.isi.edu (5.65c/4.0.3-4) id ; Mon, 2 Oct 1995 05:40:34 -0700
Subject: Re: Book recommendations
To: long-morrow@CS.YALE.EDU
Date: Mon, 2 Oct 1995 05:40:33 -0700 (PDT)
Cc: firewalls@GreatCircle.COM, mikes@emj.ca
In-Reply-To: <199509291550.LAA17451@SPARKY.CF.CS.YALE.EDU> from "long-morrow@CS.YALE.EDU" at Sep 29, 95 11:50:21 am
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 793
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> There are 3 main books on Internet Firewalls currently available:
>
> 1. Bellovin and Cheswick, "Firewalls and Internet Security"
>
> 2. Siyan and Hare, "Internet Firewalls and Network Security", New Riders Pub.
>
> 3. Chapman and Zwicky, "Building Internet Firewalls", O'Reilly & Associates
> ( more info at URL http://www.greatcircle.com/firewalls-book/ )
> ISBN 1-56592-124-0, just released.
>
> I've also seen references (rumors?) on this list about an upcoming book
> by Marcus Ranum and Tina Darmohra to be published by Prentice Hall.
> Anyone care to confirm?
>
> - Morrow
>

A basic grounding in Network Security is useful -BEFORE- building a firewall. I recommend:

Kaufman, Perlman, Speciner, "Network Security", Prentice Hall, ISBN 0-13-061466-1

first.

--bill

From firewalls-owner Mon Oct 2 06:30:17 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA18112 for firewalls-outgoing; Mon, 2 Oct 1995 05:50:23 -0700
Received: from newt.fsa.ca (newt.fsa.ca [192.197.96.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id FAA18105 for ; Mon, 2 Oct 1995 05:50:18 -0700
Received: from [192.197.96.201] (dansmac.fsa.ca [192.197.96.201]) by newt.fsa.ca (8.6.12/8.6.12) with SMTP id GAA02260; Mon, 2 Oct 1995 06:48:22 -0600
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 2 Oct 1995 06:52:48 -0600
To: eddiem@ad1.srv.ad.mey.nl, firewalls@GreatCircle.COM
From: dan@fsa.ca (Dan Freedman)
Subject: Re: PowerBroker
Cc: jthimer@iras.ucalgary.ca (Jthimer )
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>When designing, implementing and running a firewall system, not only
>technical problems come in to play.
>
>A firewall system can be considered as a single point of entry, which is
>designed to provide adequate protection against the "bad boys" populating
>the outside world. IT crime statistics however show that over 80% of all IT
>fraud is committed by insiders. One should therefore also ensure that the
>firewall is protected against insiders with bad intentions.
>One of a set of
>measures to implement such protection is the application of the principle of
>"segregation of duties" (also known as the "need to know" principle). The
>idea is that it should NOT be possible for one person to completely manage
>all parts of a gateway system. If implemented correctly, it takes at least
>two persons to break the protection, which reduces the probability of IT
>fraud occurring.
>
>Does anybody on the list have practical experience with the implementation
>of this principle in a firewall environment?
>Eddie Michiels
>Moret Ernst & Young EDP Audit Management Services, Amsterdam
>tel. 020 5497 208

You might want to take a look at FSA Corporation's PowerBroker software, which controls and logs access to the power of root across a UNIX network (soon to include NT as well). For more info on PowerBroker and other security software, please see http://www.fsa.ca or send email to sales@fsa.ca or call (403) 264 4822.

Dan Freedman
______________________________________________________________________________
Dan Freedman, Director, FSA Corporation.
1011 First Street SW, suite 508, Calgary, Alberta, Canada T2R 1J2
phone (403) 264 4822, fax (403) 264 0873, email: dan@fsa.ca
--->> FSA Corp WWW site: http://www.fsa.ca
______________________________________________________________________________

From firewalls-owner Mon Oct 2 06:52:46 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA19150 for firewalls-outgoing; Mon, 2 Oct 1995 06:42:22 -0700
Received: from chsun.eunet.ch (chsun.eunet.ch [146.228.10.15]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA19140 for ; Mon, 2 Oct 1995 06:42:16 -0700
Received: from mozart.UUCP by chsun.eunet.ch (8.6.10/1.34) id OAA05576; Mon, 2 Oct 1995 14:40:42 +0100
Received: from santana.ergon.ch by mozart.ergon.ch (4.1/ERGON) id AA08749; Mon, 2 Oct 95 14:18:35 +0100
Date: Mon, 2 Oct 95 14:18:35 +0100
From: sten@ergon.CH (Sten Gunterberg)
Message-Id: <9510021318.AA08749@mozart.ergon.ch>
To: firewalls@greatcircle.com
Subject: Re: non-root low ports (was: Firewall on Solaris 2.4, truss, CERN httpd mods.)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> > Am I correct in my understanding that on Unix systems the only reason
> > root is needed at all on many of these network services is in order to
> > open ports below 2000? This feature is intended to increase security
> > somewhat on multi-user systems. But it seems that on firewalls, where
> > you typically have no regular users, it's a prime suspect in
> > _decreasing_ security by having all these daemons launched as root.
>
> Yes, the point of making root only able to bind to certain ports is for
> security, 1-1023 are reserved by default.. Solaris has a kernel option
> to let you change that number.
>

The following reports the (current) lowest port number usable without being root (default = 1024):

    ndd /dev/tcp tcp_smallest_nonpriv_port

To redefine it to 21 (to enable the ftpd to run as non-root) use

    ndd -set /dev/tcp tcp_smallest_nonpriv_port 21

somewhere in the boot sequence. I suggest at the end of /etc/init.d/inetinit (this is linked to /etc/rc.2/S69inet).

BTW, to see the TCP parameters Solaris 2.x provides:

    ndd /dev/tcp \?

From firewalls-owner Mon Oct 2 07:22:51 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA20263 for firewalls-outgoing; Mon, 2 Oct 1995 07:02:48 -0700
Received: from balder.ssds.com (balder.ssds.com [204.131.72.62]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA20253 for ; Mon, 2 Oct 1995 07:02:44 -0700
Received: (from mail@localhost) by balder.ssds.com (8.6.9/8.6.9.SSDSnet-hub) id IAA14773; Mon, 2 Oct 1995 08:01:07 -0600
Received: from denver(134.127.16.1) by balder via smap (V1.3) id sma014764; Mon Oct 2 08:00:58 1995
Received: from baltimore.ssds.com (baltimore.ssds.com [134.127.34.1]) by denver.ssds.com (8.6.9/8.6.9.SSDSnet-hub) with ESMTP id IAA02536; Mon, 2 Oct 1995 08:00:56 -0600
Received: (from mam@localhost) by baltimore.ssds.com (8.6.9/8.6.9.SSDSnet-site) id KAA07678; Mon, 2 Oct 1995 10:00:54 -0400
Date: Mon, 2 Oct 1995 10:00:54 -0400 (EDT)
From: Mike Malik -- Dover DE
X-Sender: mam@baltimore
To: Edward Maillet
cc: firewalls@GreatCircle.COM
Subject: Re: How secure is a WAN then?
In-Reply-To: <9509300107.AA18383@doc.cs.usm.maine.edu>
MIME-Version: 1.0
Content-Type: TEXT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Well, there are several encryptors that work with frame relay. (The process is actually simple: encrypt everything between the FR flags.) But of course the U.S. Gov. might have ideas about who and where you can use them.

Mike

[company logo]
Mike Malik (mam@ssds.com), inc.
9841 Broken Land Parkway, Suite 100
Columbia, MD 21046
410-381-4313  FAX: 410-381-2170
business driven technology solutions

From firewalls-owner Mon Oct 2 07:55:09 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA21376 for firewalls-outgoing; Mon, 2 Oct 1995 07:38:07 -0700
Received: from ibmmail.COM (ibmmail.com [199.171.26.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA21369 for ; Mon, 2 Oct 1995 07:38:03 -0700
From: gblolmxb@ibmmail.com
Message-Id: <199510021438.HAA21369@miles.greatcircle.com>
Received: from ibmmail by ibmmail.COM (IBM VM SMTP V2R2) with BSMTP id 1459; Mon, 02 Oct 95 10:35:57 EDT
Date: Mon, 02 Oct 1995 10:39:45 EDT
To: firewalls@GreatCircle.com
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Frank Willoughby wrote that when sending encrypted mail to a French destination, one must supply the French Gov. with a key. If I, based in London, England, were to send an encrypted message (say using PGP with a 1024 bit key) to someone in France, and the French state found out, who would they prosecute? They can't touch me, and all the recipient has to prove is that the message was unsolicited - or am I missing something here?

Mark Blackman.
From firewalls-owner Mon Oct 2 08:00:35 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA21401 for firewalls-outgoing; Mon, 2 Oct 1995 07:38:42 -0700
Received: from Fe3.rust.net (Fe3.rust.net [204.157.12.254]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA21394 for ; Mon, 2 Oct 1995 07:38:39 -0700
Received: from dtw-15.rust.net by Fe3.rust.net via SMTP (940816.SGI.8.6.9/940406.SGI.AUTO) id KAA13589; Mon, 2 Oct 1995 10:37:18 -0700
Date: Mon, 2 Oct 1995 10:37:18 -0700
Message-Id: <199510021737.KAA13589@Fe3.rust.net>
X-Sender: janken@rust.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Edward Maillet
From: janken@rust.net (Kenneth J. Stephens)
Subject: Re: How secure is a WAN then?
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>All the talk of ATM and stuff got me thinking about WANs in general.
>Consider the following:
>My company (me.com) has offices in Europe and headquarters in the US. If we use
>dedicated leased lines from the US to Europe (say from AT&T or MCI), can
>someone in between get our data?
>What about if we used a "cloud" style network like ATM or Frame Relay which use
>PVCs instead of dedicated circuits?
>
>I have often wondered about this because a connection from say New York would
>go through NYNEX, MCI (or other), then France Telecom. That's three real big
>uncontrolled portions of my Net.
>
>Any thoughts? (preferably relating to the topic at hand and not just random
>musings.)
>----- Ed
>maillet@cs.usm.maine.edu
>

I read Alan Hannan's post before adding this one (Outstanding Post by the way).

One small question! Given the history of information interception in France, why would anyone believe France Telecom has any validity as a secure carrier? Encrypt, Encrypt, Encrypt if your data is at all important to your bottom line.
Ken

Ken Stephens, Senior Capacity Planner/Data Security Officer
email: Ken_Stephens@miconsulting.com   Voice (313) 876-5081
Michigan Employment Security Commission (MESC)   Fax (313) 876-6827
7th Fl. I.S.
7310 Woodward Ave
Detroit, MI 48202

Millennium Consulting
28234 Diesing Dr.
Madison Heights, MI 48071

Your Security Policy is only as strong as your organization's commitment to it.

From firewalls-owner Mon Oct 2 08:30:38 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA23138 for firewalls-outgoing; Mon, 2 Oct 1995 08:22:03 -0700
Received: from LEVA.leeds.ac.uk (leva.leeds.ac.uk [129.11.240.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA23124 for ; Mon, 2 Oct 1995 08:21:57 -0700
Received: by leva.leeds.ac.uk (MX V4.1 VAX) id 1; Mon, 02 Oct 1995 16:21:01 BST
Date: Mon, 02 Oct 1995 16:21:00 BST
From: John Armstrong
To: firewalls@greatcircle.com
CC: john@leva.leeds.ac.uk
Message-ID: <0099746B.86BCF016.1@leva.leeds.ac.uk>
Subject: Brent's book
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone know if anything has been decided about shipping Brent's new firewall book to non-US/Canada addresses - particularly to the UK?

There was some correspondence (before the recent conference) on the list about sorting out shipping for us 'foreigners', but I haven't seen anything more recently. The order form in the Firewalls_Book.Txt file only mentions shipping within the US, as does the automated message from firewall-info.

Do I have to get one of my US friends to buy the book and post it on to me or is something else in the pipeline?
Thanks

John Armstrong
john@leva.leeds.ac.uk

From firewalls-owner Mon Oct 2 08:30:42 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA22119 for firewalls-outgoing; Mon, 2 Oct 1995 07:57:01 -0700
Received: from airdata.com (nwestwall.nwest.airdata.com [199.33.218.36]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA22112 for ; Mon, 2 Oct 1995 07:56:58 -0700
Received: from nwestmail.airdata.com by airdata.com (5.0/McCaw WDD SUN nwestwall 070594/PHG) id AA12248; Mon, 2 Oct 1995 07:55:28 -0700
Received: from radiatore.mccaw-stg.com ([205.172.10.83]) by nwestmail.airdata.com (5.0/McCaw WDD SUN nwestmail 070594/PHG) id AA13726; Mon, 2 Oct 1995 07:55:27 -0700
X-Homepage: Visit our home page at http://www.airdata.com/
Received: by radiatore.mccaw-stg.com (5.x/SMI-SVR4) id AA02912; Mon, 2 Oct 1995 07:53:54 -0700
Date: Mon, 2 Oct 1995 07:53:54 -0700
From: peterg@airdata.com (Peter Gregory)
Message-Id: <9510021453.AA02912@radiatore.mccaw-stg.com>
To: firewalls@greatcircle.com
Subject: Re: How secure is a WAN then?
X-Sun-Charset: US-ASCII
Content-Length: 463
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> My company (me.com) has offices in Europe and headquarters in the US. If we use
> dedicated leased lines from the US to Europe (say from AT&T or MCI), can
> someone in between get our data?

Absolutely. A CO switch at one of the local phone companies in this part of the country was broken into and dedicated circuits tapped and listened to. Because of this recent incident, my present client's "private" T1 circuits, therefore, are link-encrypted.
Pete

From firewalls-owner Mon Oct 2 09:00:35 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA24058 for firewalls-outgoing; Mon, 2 Oct 1995 08:42:51 -0700
Received: from hubbub.cisco.com (hubbub.cisco.com [198.92.30.32]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA24045 for ; Mon, 2 Oct 1995 08:42:46 -0700
Received: from puli.cisco.com (puli.cisco.com [171.69.1.174]) by hubbub.cisco.com (8.6.12/CISCO.GATE.1.1) with SMTP id IAA22930; Mon, 2 Oct 1995 08:40:37 -0700
Message-Id: <199510021540.IAA22930@hubbub.cisco.com>
To: toon@cem-bb.e-mail.com
cc: firewalls@greatcircle.com
Subject: Re: RFC 1597
In-reply-to: Your message of "Mon, 02 Oct 95 08:33:01 EDT." <199510021231.FAA17889@miles.greatcircle.com>
Date: Mon, 02 Oct 95 08:40:37 PDT
From: Yakov Rekhter
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I really like the idea of what is proposed in RFC1597, this is (I think)
> AT PRESENT (before the general implementation of IPv6, who knows when)
> THE SOLUTION for small companies with a potential need for a lot of
> IP addresses (printers, LAN-print boxes, ... ).
> To connect such a network to the Internet, I understand that one needs
> the proper kind of firewall (dual-homed gateway, nice name). To make
> this work perfectly one would like to have the possibility to reserve a
> small part of the official addresses (class C?) to be 'translated' in a
> static way to the internal addresses of the servers to be reached from
> the outside world. The remaining part should make a 'pool' to be
> dedicated dynamically (only when needed) for those IP hosts that need
> connection from the inside to the Internet.

Static translation is one possibility. But it is not the only one. It is also possible to rely only on dynamic translation, but this would involve interaction between a NAT and DNS.

> I read RFC1627 and I am not happy with it.
> I will not discuss every
> item in it in this forum, although I think that this could be useful.
> The authors claim that RFC1597 has 'not the benefit of the usual, public
> review and approval by the IETF or IAB'. Can someone tell me whether
> they did it better with RFC1627.

RFC1627 was not approved by the IETF. RFC1627 was not approved by the IAB.

> If so, I will stop complaining in
> public about an RFC full of logic that I can not understand.
> I hope that the authors of both RFCs have been speaking with each
> other lately and come with a compromise (we like compromises in Belgium)
> . Maybe this is the revision of RFC1597 I read about in a note in this
> forum from Eliot Lear. I hope to find a reference to this new RFC in
> this forum.

The document that Eliot was referring to is presently an Internet Draft (draft-ietf-cidrd-private-addr-03.txt). The CIDRD Working Group is working on moving this Internet Draft towards an RFC with the status of BCP (Best Current Practices).

Yakov Rekhter

From firewalls-owner Mon Oct 2 09:00:53 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA23545 for firewalls-outgoing; Mon, 2 Oct 1995 08:27:16 -0700
Received: from internet.milkyway.com (milkyway.com [198.53.167.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA23536 for ; Mon, 2 Oct 1995 08:27:06 -0700
Received: from jupiter.milkyway.com (jupiter.milkyway.com [192.168.77.9]) by internet with ESMTP (DuhMail/2.0) id LAA09320; Mon, 2 Oct 1995 11:35:34 -0400
Received: from metis.milkyway.com (mcr@metis.milkyway.com [192.168.77.21]) by jupiter.milkyway.com (8.6.12/8.6.12) with ESMTP id LAA08266 for ; Mon, 2 Oct 1995 11:25:42 -0400
Received: by metis.milkyway.com (8.6.12/BSDI-Client) id LAA08962; Mon, 2 Oct 1995 11:27:16 -0400
To: firewalls@greatcircle.com
Path: not-for-mail
From: mcr@milkyway.com (Michael Richardson)
Newsgroups: milkyway.mail.firewalls
Subject: Re: RFC 1597
Date: 2 Oct 1995 11:27:14 -0400
Organization: Milkyway Networks Corporation, Ottawa, ON
Lines: 45
Distribution: milkyway
Message-ID: <44p0ci$8nv@metis.milkyway.com>
References: <199510021231.FAA17889@miles.greatcircle.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In article <199510021231.FAA17889@miles.greatcircle.com>, wrote:
>the proper kind of firewall (dual-homed gateway, nice name). To make
>this work perfectly one would like to have the possibility to reserve a
>small part of the official addresses (class C?) to be 'translated' in a
>static way to the internal addresses of the servers to be reached from
>the outside world. The remaining part should make a 'pool' to be
>dedicated dynamically (only when needed) for those IP hosts that need
>connection from the inside to the Internet.

Well, an application layer gateway (and some filters) can provide simple translation to the IP of the firewall. It is trivial to decide to use another address, but you may *not* want to do this dynamically. Why? That gives no information to the remote machines about who is connecting via DNS. If you do not want to give them info, then use either the firewall itself (often called gateway.foo.com, or foo.com), or use some "typical" name like "marketing.foo.com" for all the PCs in marketing.

The other reason not to dynamically allocate things is that it makes rules a pain. That isn't to say that you need to have a different IP for each utility device (each printer). You might have 1 "printers.foo.com" (or service.foo.com) with rules that map 100 ports on that "virtual machine" to the correct lprXX.foo.com:515. Why you want people from the untrusted side to be able to print is not a question I'll ask right here :-)

>MY QUESTION: Does someone work already in this way?

Yes.

>I read RFC1627 and I am not happy with it. I will not discuss every
>item in it in this forum, although I think that this could be useful.

My feeling is some group of managers at large companies do not want to spend money on IPv6 now.
If rfc1597 can avoid the crunch, they think, then do not spend money. 1627 is a response from the engineering people who say (quite rightly) "you snooze, you lose".

--
:!mcr!:            | Milkyway Networks Corporation
Michael Richardson | Makers of the Black Hole firewall
NCF: aa714 || xx714 | +1 613 566-4574 ... mcr@milkyway.com
Home: mcr@sandelman.ocunix.on.ca. PGP key available.

From firewalls-owner Mon Oct 2 09:30:57 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA25389 for firewalls-outgoing; Mon, 2 Oct 1995 09:23:34 -0700
Received: from [198.102.244.42] (pb520.greatcircle.com [198.102.244.42]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA25374; Mon, 2 Oct 1995 09:23:27 -0700
X-Sender: brent@miles.greatcircle.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 2 Oct 1995 09:23:08 -0800
To: John Armstrong , firewalls@greatcircle.com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: Brent's book
Cc: john@leva.leeds.ac.uk
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 4:21 PM 10/2/95, John Armstrong wrote:
>Does anyone know if anything has been decided about shipping Brent's new
>firewall book to non-US/Canada addresses - particularly to the UK?
>There was some correspondence (before the recent conference) on the list
>about sorting out shipping for us 'foreigners', but I haven't seen anything
>more recently. The order form in the Firewalls_Book.Txt file only mentions
>shipping within the US, as does the automated message from firewall-info.
>
>Do I have to get one of my US friends to buy the book and post it on to me
>or is something else in the pipeline?

I must apologize for the delay, to everyone outside the USA who has ordered a copy. We've only had the books for a little over a week, during which time I've been at 2 different conferences on different sides of the USA.
Today is my first day in the office in 2+ weeks; unfortunately, my assistant, who has been doing all the research on international mailing options, won't be here until tomorrow. One of the first things on our agenda for tomorrow is to make a decision on how to ship the international orders. We've been having a hard time finding a reasonable option that looks like it will get the books there intact, in a timely fashion, for less than the price of the book. I don't know what my assistant has come up with in the last couple of weeks while I've been gone.

Those who've placed international orders should expect to hear from us by email (assuming your email address was on the order) this week, either that the order has shipped, or offering a range of shipping options and asking which you prefer.

By the way, all USA orders received prior to 25 Sep (last Monday) shipped on 25 Sep via US Postal Service Priority Mail (except for a couple of large orders, which shipped UPS). Everyone should probably have received their copy by now. We understand that the Postal Service may have mangled some of them; if so, let us know (email to "book-orders@greatcircle.com" is the best way, or call 800/270-2562), and we'll make it right. Orders placed last week (after 25 Sep) will be shipped this week.

Thanks!
-Brent

--
Brent Chapman          | Great Circle Associates  | For Firewalls Tutorial info:
Brent@GreatCircle.COM  | 1057 West Dana Street    | Tutorial-Info@GreatCircle.COM
+1 415 962 0841        | Mountain View, CA 94041  | http://www.greatcircle.com

From firewalls-owner Mon Oct 2 09:54:56 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA26038 for firewalls-outgoing; Mon, 2 Oct 1995 09:38:20 -0700
Received: from alpha.fdu.edu (alpha.fdu.edu [132.238.2.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA26023 for ; Mon, 2 Oct 1995 09:38:11 -0700
Received: by alpha.fdu.edu; (5.65v3.0/1.1.8.2/27Sep95-0653PM) id AA01372; Mon, 2 Oct 1995 12:36:07 -0400
Date: Mon, 2 Oct 1995 12:36:07 -0400 (EDT)
From: Steven ANQL Davey
To: firewalls@greatcircle.com
Subject: REQUEST FOR FIREWALL INFORMATION / DOCUMENTATION
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Can anyone please provide any information / documentation on the following firewall topics:

1.) Firewall Installation Master Plan.
2.) Firewall Installation Test Scripts.
3.) Firewall Trouble-shooting Procedures.
4.) Firewall Emergency Response Procedures.

I realize that the details and specifics of this documentation may depend on the firewall to be, or already, implemented; however, I am looking for general standards and templates as a starting point.

Thank you in advance to those who can provide me with this information.

Sincerely,
Steven A.N.Q.L.
Davey

From firewalls-owner Mon Oct 2 10:00:46 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA26108 for firewalls-outgoing; Mon, 2 Oct 1995 09:40:22 -0700
Received: from wrginet.corp.wrgrace.com (wrgrace.com [199.98.198.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA26101 for ; Mon, 2 Oct 1995 09:40:17 -0700
From: John.Karnes@corp.wrgrace.com
Received: (from mail@localhost) by wrginet.corp.wrgrace.com (8.6.12/8.6.9) id MAA27481; Mon, 2 Oct 1995 12:36:14 -0400
Received: from s1boca.corp.wrgrace.com(159.97.11.20) by wrginet.corp.wrgrace.com via smap (V1.3) id sma027478; Mon Oct 2 12:35:47 1995
Received: from by s1boca.corp.wrgrace.com with SMTP (1.37.109.4/16.2) id AA19749; Mon, 2 Oct 95 12:38:49 -0400
X-Openmail-Hops: 1
Date: Mon, 2 Oct 95 12:38:27 -0400
Subject: RE:
To: firewalls@GreatCircle.COM, gblolmxb@ibmmail.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Frank Willoughby wrote that when sending encrypted mail to a French
> destination, one must supply the French Gov. with a key. If I, based
> in London, England, were to send an encrypted (say using PGP with a
> 1024 bit key) to someone in France, and the French state found out,
> who would they prosecute? They can't touch me, and all the recipient
> has to prove is that the message was unsolicited - or am I missing
> something here?
>
> Mark Blackman.
>

While the government of France could not do much, if anything, to you, I'm sure they could make things unpleasant for the recipient.
John

From firewalls-owner Mon Oct 2 10:25:49 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA26005 for firewalls-outgoing; Mon, 2 Oct 1995 09:37:52 -0700 Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA25998 for ; Mon, 2 Oct 1995 09:37:48 -0700 From: long-morrow@CS.YALE.EDU Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7/res.host.cf-4.0) with ESMTP id MAA12529; Mon, 2 Oct 1995 12:16:49 -0400 (EDT) sender long-morrow@CS.YALE.EDU for Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7/res.client.cf-4.0) id KAA26661; Mon, 2 Oct 1995 10:59:08 -0400 (EDT) Date: Mon, 2 Oct 1995 10:59:08 -0400 (EDT) Message-Id: <199510021459.KAA26661@SPARKY.CF.CS.YALE.EDU> To: chris@dejong.com, scorp@un.kiev.ua Subject: Re: Mail Proxy Cc: Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Chris Tyler wrote:
>
>Slava Kritov writes:
>
>> Any uuencode ?
>> Sorry, as a sysadm of 500+ orgs can say, that people sometimes exchange
>> word docs in uuencode, and ( for Mac's ) you can't even say it's a word doc
>> based on name ...
>
>Right... so? The purpose was to deny all attachments, whether word DOCs or executables. So
>you look for the uuencode signature string and deny.

But by only looking for the 'signatures' of known binary encoding formats you then open yourself up to people creating their own encoding formats to get around your scan for, and restriction on, encoded message enclosures.

Three possibilities for getting around a scan for known encoding signatures:

1. rot13 a uuencoded file before e-mailing it. Describe in the message how to unrot13 the message before uudecoding it.

2. Use an (admittedly) inefficient format for encoding binary, such as:
   RAVE AFRO STUB DAM HONE HAY CLAD WILL JOIN PET LONG WEED ...
   The recipient will need a decoder of course.

3. PGP encrypt the entire message before transmitting.
How will the mail scanner know what is inside the message? Are you going to reject all encrypted messages? I think that encrypted messages will increasingly become the norm on the Internet as PC based mail programs incorporate automatic easy-to-use PGP encryption.

- Morrow

From firewalls-owner Mon Oct 2 10:30:12 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA25733 for firewalls-outgoing; Mon, 2 Oct 1995 09:32:44 -0700 Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA25725 for ; Mon, 2 Oct 1995 09:32:40 -0700 From: long-morrow@CS.YALE.EDU Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7/res.host.cf-4.0) with ESMTP id MAA12711; Mon, 2 Oct 1995 12:29:29 -0400 (EDT) sender long-morrow@CS.YALE.EDU for Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7/res.client.cf-4.0) id LAA26704; Mon, 2 Oct 1995 11:11:49 -0400 (EDT) Date: Mon, 2 Oct 1995 11:11:49 -0400 (EDT) Message-Id: <199510021511.LAA26704@SPARKY.CF.CS.YALE.EDU> To: cosborn@bbn.com, firewalls@greatcircle.com Subject: Re: Running ftpd on another port Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>I am trying to run 2 ftp servers on one machine. One ftpd will always run
>chroot and be used primarily for the public (wu-ftpd has all those nice
>"features"). The other ftpd will be skey enabled and will have access
>to the rest of the file system. One problem: I can't figure out how to
>have the logdaemon ftpd run on another port. It can run on any port (high
>ports are fine!). I can't find a compile switch or parameter on the
>daemon (clients of course are no problem.)

You can use tcp_wrapper programs to exec either (or none) of the two ftp servers based on incoming IP address (ACLs of IP hosts, networks or domain names).
But if you just want to run an internal skey enabled ftpd on a different port than your WU-FTP daemon you should be able to create a special service name for it (i.e. skeyftp) in the /etc/services file (on Unix) and run your skey ftpd out of inetd by putting an entry in the /etc/inetd.conf file for it:

# last field is the server's argv, starting with argv[0], which inetd expects
skeyftp stream tcp nowait root /usr/local/etc/skey.ftpd skey.ftpd

I run an inbound telnet server which uses the skey login program on TCP port 22 this way and leave the normal telnet program on port 23 (actually I often run a tarbaby telnetd on port 23 on machines likely to be attacked via telnet because of their function or hostname):

# run secure key login telnet daemon on port 22 (skeylogin is 22/tcp in /etc/services)
# telnetd invokes S/keylogin
#
skeylogin stream tcp nowait root /usr/local/etc/skey.telnetd skey.telnetd
#
# tar baby telnet server
telnet stream tcp nowait root /usr/local/etc/in.tarbaby.telnetd in.telnetd

- Morrow

From firewalls-owner Mon Oct 2 10:54:53 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA28062 for firewalls-outgoing; Mon, 2 Oct 1995 10:33:33 -0700 Received: from mail1.digital.com (mail1.digital.com [204.123.2.50]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA28055 for ; Mon, 2 Oct 1995 10:33:30 -0700 Received: from ilosrv.ilo.dec.com by mail1.digital.com; (5.65 EXP 4/12/95 for V3.2/1.0/WV) id AA31571; Mon, 2 Oct 1995 10:10:17 -0700 Received: from ilofrs.ilo.dec.com by ilosrv.ilo.dec.com; (5.65/1.1.8.2/12Nov94-8.2MPM) id AA07813; Mon, 2 Oct 1995 18:09:12 +0100 Received: by fwsrtr.fws.ilo.dec.com; (5.65/1.3/10May95) id AA15816; Mon, 2 Oct 1995 18:10:05 +0100 Received: from karpov.fws.ilo.dec.com by hubba.fws.ilo.dec.com; (5.65/1.1.8.2/21Aug95-8.2MPM) id AA03451; Mon, 2 Oct 1995 18:10:16 +0100 Organization: Digital Firewall Engineering Received: by karpov.fws.ilo.dec.com; (5.65v3.2/1.1.8.2/18Aug95-0213PM) id AA09875; Mon, 2 Oct 1995 18:09:42 +0100 From: Dermot Tynan Message-Id: <9510021709.AA09875@karpov.fws.ilo.dec.com> Subject: Re: your
mail To: gblolmxb@ibmmail.com Date: Mon, 2 Oct 1995 18:09:42 +0000 (BST) Cc: firewalls@GreatCircle.com In-Reply-To: <199510021438.HAA21369@miles.greatcircle.com> from "gblolmxb@ibmmail.com" at Oct 2, 95 10:39:45 am Content-Type: text Content-Length: 442 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

gblolmxb@ibmmail.com wrote:
>
> > If I, based
> in London, England, were to send an encrypted (say using PGP with a
> 1024 bit key) to someone in France, and the French state found out,
> who would they prosecute? They can't touch me,

That was what a group of hackers on the Mururoa Atoll thought...

- Der
--
Dermot Tynan +353 91 754608 dtynan@ilo.dec.com DTN: 822-4608 Digital Equipment International BV, Galway, Ireland

From firewalls-owner Mon Oct 2 11:03:52 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA28855 for firewalls-outgoing; Mon, 2 Oct 1995 10:54:22 -0700 Received: from mailhost.targetvision.com (targetvision.roc.servtech.com [204.181.11.235]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA28848 for ; Mon, 2 Oct 1995 10:54:18 -0700 Received: by localhost from mailhost.targetvision.com (router,WinSmtp -Win32- V1.07beta1.8); Mon, 02 Oct 1995 13:56:27 Received: from sybil by mailhost.targetvision.com (204.249.123.65::mail daemon,WinSmtp -Win32- V1.07beta1.8); Mon, 02 Oct 1995 13:55:51 X-Sender: Larry Helber X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Darren Reed From: Larry Helber Subject: Re: Firewall-1: Patent-pending ? Cc: Firewalls@GreatCircle.COM Date: Mon, 02 Oct 1995 13:56:27 Message-Id: <19951002135627.3800b79d.in@mailhost.targetvision.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I don't know the information that you are looking for but if someone has a patent pending then you will not get any information out of the patent office.
A patent number and the information contained in the submitted documents do not have to be disclosed until the patent is approved. Also a pending patent may be amended in a way that will defer the issue date of the patent. As long as you keep updating the patent on a yearly basis your patent will never get issued.

>
>
>This might be stretching the charter a bit...
>
>In the advertising material for Checkpoint's Firewall-1 (version 1.2)
>which I picked up recently, there are two mentions of "patent pending".
>
>There is NO mention of any application numbers that I can find or any
>further information on this.
>
>Having sent e-mail to checkpoint last week and having received no reply
>(surprised - NOT) I'm wondering if this is just a game.
>
>Can anyone provide some more information about the pending patents, such
>as application numbers or the applications themselves ?
>
>Thanks,
>Darren
>
>

From firewalls-owner Mon Oct 2 11:24:54 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA29810 for firewalls-outgoing; Mon, 2 Oct 1995 11:18:59 -0700 Received: from Grosses-Raetsel-Tor.GeNUA.DE (Grosses-Raetsel-Tor.GeNUA.de [193.141.169.26]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA29803 for ; Mon, 2 Oct 1995 11:18:55 -0700 Received: (from uucp@localhost) by Grosses-Raetsel-Tor.GeNUA.DE (8.6.12/8.6.12) id TAA14262; Mon, 2 Oct 1995 19:12:27 +0100 Received: from grizzly.genua.de(192.109.217.33) by Grosses-Raetsel-Tor.GeNUA.DE via smap (V1.3) id sma014260; Mon Oct 2 19:12:00 1995 Received: from grizzly.genua.de (schneck@localhost [127.0.0.1]) by grizzly.genua.de (8.6.12/8.6.12/bs01) with ESMTP id TAA10902; Mon, 2 Oct 1995 19:16:53 +0100 Message-Id: <199510021816.TAA10902@grizzly.genua.de> To: gblolmxb@ibmmail.com cc: firewalls@greatcircle.com Subject: Re: [none] MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <10898.812657809.1@grizzly.genua.de> Date: Mon, 02 Oct 1995 19:16:50 +0100 From:
Bernhard Schneck Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Frank Willoughby wrote that when sending encrypted mail to a French
> destination, one must supply the French Gov. with a key. If I, based
> in London, England, were to send an encrypted (say using PGP with a
> 1024 bit key) to someone in France, and the French state found out,
> who would they prosecute? They can't touch me, and all the recipient
> has to prove is that the message was unsolicited - or am I missing
> something here?

Yes ... your next visit to the Cote du Rhone ...

\Bernhard.

PS: This holds even if you send from London to me in Munich and the packets happen to hop through France.
PPS: I understand this is current law, but not actively prosecuted
PPPS: I'm not a lawyer (and will never be one)

From firewalls-owner Mon Oct 2 11:30:07 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA29700 for firewalls-outgoing; Mon, 2 Oct 1995 11:16:46 -0700 Received: from bwh.harvard.edu (bwh.harvard.edu [134.174.81.34]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA29693 for ; Mon, 2 Oct 1995 11:16:39 -0700 Received: from calloway.bwh.harvard.edu (calloway.bwh.harvard.edu [134.174.81.46]) by bwh.harvard.edu (8.6.9/8.6.9) with ESMTP id OAA10219; Mon, 2 Oct 1995 14:15:05 -0400 From: Adam Shostack X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School Received: by calloway.bwh.harvard.edu (8.6.9) id OAA01633; Mon, 2 Oct 1995 14:14:49 -0400 Message-Id: <199510021814.OAA01633@calloway.bwh.harvard.edu> Subject: Re: non-root low ports To: ken@bridge.com (Ken Hardy) Date: Mon, 2 Oct 1995 14:14:48 -0400 (EDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <199509291355.AA21881@ignatz.bridge.com> from "Ken Hardy" at Sep 29, 95 08:55:24 am X-PGP: 0xE794DA91 FD3C3450FEB4A0B8 18F2E72CA82D29B8 X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit
Content-Length: 738 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Ken Hardy wrote:
| It seems to me that it would be worthwhile to patch the kernel for the
| firewall to not require root to open low ports. I cannot imagine (not
| having examined the sources, yet) that it would be too difficult to
| find and modify this behaviour in the BSD sources.

It strikes me that a better idea (and one mentioned in C&B) is to have a small program to open the privileged port, and then exec the daemon. This has the benefits of not requiring kernel source modifications to work, and being small and somewhat closer to verifiable.

So, does anyone have such a program written that they'd be willing to share?

Adam
--
"It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Mon Oct 2 12:09:18 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA01048 for firewalls-outgoing; Mon, 2 Oct 1995 11:51:41 -0700 Received: from devel.dejong.com (devel.dejong.com [198.235.24.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA01037 for ; Mon, 2 Oct 1995 11:51:33 -0700 From: Chris Tyler To: Firewalls@GreatCircle.COM Date: Mon, 2 Oct 1995 14:49 EDT Subject: Dual-DNS Problems Content-Length: 1060 Content-Type: text/plain Message-ID: <307034420.19df@devel.dejong.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Back with more dual-DNS problems.

Background: DNS server 1 is internal DNS, can't reach the real world directly, but can reach server 2. Server 2 is external DNS and 'forwarder' for internal DNS server 1.

Situation 1: DNS server 1 'slave' flag in named.boot is *not present*. DNS resolves are done quickly and correctly the first time, but server 1 keeps generating UDP packets aimed at outside servers (which can't reach outside of the secure net).

Situation 2: DNS server 1 'slave' flag in named.boot *is* present. Non-cached DNS resolves requested by internal hosts often (usually?)
fail on the 1st try, and sometimes on the 2nd, but almost always resolve on the 3rd try. No UDP packets from server 1 are aimed at real-world servers. Sounds like a timeout problem, but this doesn't make sense, because the timeout should happen in Situation #1 as well.

*Why* is this happening? Any help... TIA.

Chris Tyler Chris@DeJong.Com CTyler@Oxford.Net Systems Development Manager, Wm. De Jong Enterprises Inc. +1-519-424-9007 / fax +1-519-424-2399

From firewalls-owner Mon Oct 2 12:24:29 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA01514 for firewalls-outgoing; Mon, 2 Oct 1995 12:03:11 -0700 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA01507 for ; Mon, 2 Oct 1995 12:03:08 -0700 Received: from ALABAMA.CF.CS.YALE.EDU by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950602) id LAA09767; Mon, 2 Oct 1995 11:54:39 -0700 From: long-morrow@CS.YALE.EDU Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7/res.host.cf-4.0) with ESMTP id OAA14573; Mon, 2 Oct 1995 14:45:12 -0400 (EDT) sender long-morrow@CS.YALE.EDU for Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7/res.client.cf-4.0) id NAA27183; Mon, 2 Oct 1995 13:27:31 -0400 (EDT) Date: Mon, 2 Oct 1995 13:27:31 -0400 (EDT) Message-Id: <199510021727.NAA27183@SPARKY.CF.CS.YALE.EDU> To: ckapilla@interserver.com, firewalls@GreatCircle.COM Subject: Re: Mail Loops Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>This isn't really relevant to firewalls, but it *is* relevant to this list
>because it seems to happen here regularly, i.e., those lovely mail storms.
>My questions are: what causes these and what can I (and everyone else) do to
>make sure that *our* systems are never responsible for one of them.

Usually they are caused by some human's error in configuring a local redistribution list (a.k.a.
exploder) -- for example putting the address firewalls@greatcircle.com on their local 'firewalls-list' mailing list alias. This would cause one copy of each message posted to the list to be looped back, ad infinitum.

I'd normally say that regular subscribers (people not in the "loop" so to speak :-) wouldn't be able to do anything about it. But, upon further thinking, you probably could rig up a mail filtering agent (such as slocal, procmail, etc.) together with a database of 'seen' RFC822 Message-Ids, in a manner similar to the one the INN USENET software uses to screen out incoming duplicate messages based on the Message-Id header. Rather than just putting such a mechanism in front of individual mailboxes, putting it in the mailstream just before the local redistribution list expansion would short-circuit infinitely looping messages. Assuming no one is munging Message-Id headers...

- Morrow

From firewalls-owner Mon Oct 2 12:31:15 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA01966 for firewalls-outgoing; Mon, 2 Oct 1995 12:12:52 -0700 Received: from xs1.xs4all.nl (xs1.xs4all.nl [193.78.33.42]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA01959 for ; Mon, 2 Oct 1995 12:12:48 -0700 From: foxtrot@xs4all.nl Received: from KEA_55402 (asd01-12.dial.xs4all.nl) by xs1.xs4all.nl with SMTP id AA22161 (5.67b/IDA-1.5 for ); Mon, 2 Oct 1995 20:11:23 +0100 Date: Mon, 2 Oct 1995 20:11:23 +0100 Message-Id: <199510021911.AA22161@xs1.xs4all.nl> X-Sender: foxtrot@xs4all.nl Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.com Subject: Access to MS routers X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

This is my second question about Morning Star routers on this list (BTW, thanks to the people who responded the first time)....

Our MS router is situated between an application gateway (AG) on our internal network and a dial-up PPP connection to our Internet provider.
First, as I'm using one (static dial-up) route to our service provider and one route to the AG I suppose I can disable dynamic routing on the MS router by deleting 'gated' and enable static routing with the line 'route add default <<>' in RC.BOOT. Am I right????

Second, I don't want any service running on my router, so I want to delete the file 'services'. That's OK??? Or should there be one entry for 'syslog' (514/udp)? Why should there be an nfsd on the router???? Is it safe to delete all protocol entries in the file 'protocol' but IP and TCP (I don't want any other protocols)???

Third, what's the use of the file smp.parties (SNMP???) and ACL.parties????? Can I delete the files 'vectors', 'tzposixrules', 'view.parties'???

Fourth, in the rc.boot file there's a line which reads 'getty tty2 9600 nowait respawn'. Does this mean that more than one person is allowed to log in simultaneously??? Should 'nowait' be replaced with 'wait'???

The reason for asking these questions is that after the bankruptcy of our firewall-supplier we haven't got any documentation at all and we are evaluating our current firewall. The setup should be as minimal as possible.

Again, my thanks in advance for any response,

Adriaan

From firewalls-owner Mon Oct 2 12:55:31 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA01830 for firewalls-outgoing; Mon, 2 Oct 1995 12:07:32 -0700 Received: from daphne.Read.TASC.COM (daphne1.read.tasc.com [147.81.243.172]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA01821 for ; Mon, 2 Oct 1995 12:07:24 -0700 Received: from smtpgate.read.tasc.com by daphne.Read.TASC.COM (5.x/TASC-NONDOM-1.7) id AA01400; Mon, 2 Oct 1995 15:06:25 -0400 Received: from TASCREAD-Message_Server by smtpgate.read.tasc.com with Novell_GroupWise; Mon, 02 Oct 1995 15:06:25 -0400 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Mon, 02 Oct 1995 15:05:32 -0400 From: "Robert E.
Bowes" To: firewalls@GreatCircle.COM Subject: RE: -Reply Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>>> - 10/2/95 12:38 PM >>>
> Frank Willoughby wrote that when sending encrypted mail to a French
> destination, one must supply the French Gov. with a key. If I, based
> in London, England, were to send an encrypted (say using PGP with a
> 1024 bit key) to someone in France, and the French state found out,
> who would they prosecute? They can't touch me, and all the recipient
> has to prove is that the message was unsolicited - or am I missing
> something here?
>
> Mark Blackman.
>
While the government of France could not do much, if anything, to you, I'm sure they could make things unpleasant for the recipient.

John
>>>>>>>>>>>>>>>

I'm not sure what this has to do with firewalls, but since I didn't raise the issue, perhaps I can give some insight. If you send a message to someone in France using PGP, then you will use that person's public key to encrypt the message. You cannot decrypt the message because you don't have that person's private key. Therefore, the only key you could provide would be the person's public key. Your friend may have to provide his/her private key to French officials, but that's a different story.

Now, if your friend sends you an encrypted message, she will use your public key (which you've provided to the world, thus the French officials) and since you are not in France, they can't get your private key. Thus, IMO, the only thing the French officials could possibly ask for that is not publicly available is your friend's secret key since he's in France and subject to French law.

Does this make sense?
Bob

From firewalls-owner Mon Oct 2 13:00:01 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA03416 for firewalls-outgoing; Mon, 2 Oct 1995 12:54:38 -0700 Received: from Disclosure.COM (di2.disclosure.com [205.156.194.11]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA03408 for ; Mon, 2 Oct 1995 12:54:35 -0700 Received: by Disclosure.COM (4.1/SMI-4.1) id AA29381; Mon, 2 Oct 95 15:55:30 EDT Date: Mon, 2 Oct 1995 15:55:29 -0400 (EDT) From: Scott Barman To: Adam Shostack Cc: Ken Hardy , firewalls@GreatCircle.COM Subject: Re: non-root low ports In-Reply-To: <199510021814.OAA01633@calloway.bwh.harvard.edu> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Mon, 2 Oct 1995, Adam Shostack wrote:
> Ken Hardy wrote:
>
> | It seems to me that it would be worthwhile to patch the kernel for the
> | firewall to not require root to open low ports. I cannot imagine (not
> | having examined the sources, yet) that it would be too difficult to
> | find and modify this behaviour in the BSD sources.
>
> It strikes me that a better idea (and one mentioned in C&B) is
> to have a small program to open the privileged port, and then exec the
> daemon. This has the benefits of not requiring kernel source
> modifications to work, and being small and somewhat closer to
> verifiable.
>
> So, does anyone have such a program written that they'd be
> willing to share?

tcp_wrappers... then there's TIS' FWTK... I understand Freestone is something interesting to look at...

scott barman
--
scott barman DISCLAIMER: I speak to anyone who will listen, scott@disclosure.com and I speak only for myself. barman@ix.netcom.com "Micro$oft and Windoze/NT will be the cause of the de-evolution of network security just as the original PC and BASIC was the cause of the de-evolution of programming."
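A wrapper of the kind Adam asks for in the thread above, written as an added example for this archive; it is not code from any poster, from C&B, tcp_wrappers, FWTK or Freestone. It binds the privileged port while still root, drops root permanently (supplementary groups, then gid, then uid, then a check that root cannot be regained), and execs the daemon with the listening socket on a fixed descriptor. The fd-3 handoff convention (LISTEN_FD), the command-line layout and the strict port parser are assumptions of this example; a daemon has to be written or patched to accept its socket that way.

```c
/* lowport.c: bind a privileged TCP port while root, drop root for good, then
 * exec the real daemon with the listening socket on a fixed descriptor.
 * Assumed handoff convention: the daemon finds its socket on fd 3 (LISTEN_FD). */
#define _DEFAULT_SOURCE
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define LISTEN_FD 3

/* Parse a TCP port strictly: decimal, 1..65535, no trailing junk. 0 on success. */
int parse_port(const char *s, unsigned short *out)
{
    char *end;
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0' || v < 1 || v > 65535)
        return -1;
    *out = (unsigned short)v;
    return 0;
}

/* Ports below 1024 need root to bind on BSD-derived kernels: the only reason
 * this wrapper, rather than the daemon, ever runs as root. */
int is_privileged_port(unsigned short port)
{
    return port < 1024;
}

/* Listening TCP socket on INADDR_ANY:port. Returns the fd, or -1 with errno set. */
int bind_listener(unsigned short port, int backlog)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    sin.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(fd, backlog) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Port a listening socket is really bound to (0 on error). */
unsigned short bound_port(int fd)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0)
        return 0;
    return ntohs(sin.sin_port);
}

/* Give up root permanently: supplementary groups, then gid, then uid, and
 * confirm root cannot be regained. Refuses a target uid of 0. 0 on success. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return -1;
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    if (setuid(0) == 0)
        return -1;      /* the drop was not permanent */
    return 0;
}

/* usage (as root): lowport <port> <user> </abs/path/daemon> [args...] */
int main(int argc, char **argv)
{
    unsigned short port;
    if (argc < 4 || parse_port(argv[1], &port) < 0) {
        fprintf(stderr, "usage: %s port user daemon [args...]\n", argv[0]);
        return 2;
    }
    struct passwd *pw = getpwnam(argv[2]);
    if (pw == NULL) {
        fprintf(stderr, "no such user: %s\n", argv[2]);
        return 2;
    }
    int fd = bind_listener(port, 128);      /* the only step that needs root */
    if (fd < 0 || drop_privileges(pw->pw_uid, pw->pw_gid) < 0) {
        perror("bind or privilege drop failed");
        return 1;
    }
    if (fd != LISTEN_FD && (dup2(fd, LISTEN_FD) < 0 || close(fd) < 0)) {
        perror("dup2");
        return 1;
    }
    execv(argv[3], &argv[3]);               /* absolute path, no PATH search */
    perror("execv");
    return 1;
}
```

The order in drop_privileges matters: setgid before setuid (setgid fails once you are no longer root), setgroups before both (a stale supplementary group list is the classic way a "dropped" process keeps access), and the trailing setuid(0) must fail or the drop was only effective, not real. The daemon never sees root at all, which is the property Adam wants and which a kernel patch removing the low-port check would give up for every process on the box.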
From firewalls-owner Mon Oct 2 13:04:27 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA01462 for firewalls-outgoing; Mon, 2 Oct 1995 12:02:37 -0700 Received: from carshp.carsinfo.com (carshp.carsinfo.com [192.148.241.111]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA01455 for ; Mon, 2 Oct 1995 12:02:32 -0700 Received: by carshp.carsinfo.com (1.38.193.5/16.2) id AA21940; Mon, 2 Oct 1995 14:58:03 -0400 Date: Mon, 2 Oct 1995 14:58:02 -0400 (EDT) From: Richard Reno Subject: Re: How secure is a WAN then? To: Peter Gregory Cc: firewalls@GreatCircle.COM In-Reply-To: <9510021453.AA02912@radiatore.mccaw-stg.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Mon, 2 Oct 1995, Peter Gregory wrote:
> > My company (me.com) has offices in Europe and headquarters in the US. If we use
> > dedicated leased lines from the US to Europe (say from AT&T or MCI), can
> > someone in between get our data?
>
> Absolutely. A CO switch at one of the local phone companies in this part of
> the country was broken into and dedicated circuits tapped and listened to.
> Because of this recent incident, my present client's "private" T1 circuits,
> therefore, are link-encrypted.
>
> Pete
>

In fact there does not have to even be a breakin if there is collusion on the part of someone at the CO. Long ago in the days of Strowger switches there was an additional path through the CO which could connect the test bench with any subscriber line. The troubleshooting personnel could dial up the desired line without any ring signal and proceed to make electrical measurements on the target line. They could also listen for noise and sound quality.

Many years ago I was involved in an electronic meter reading project in a much newer digitally controlled CO. We needed to be able to attach to a subscriber line and interrogate the reader without waking the customer at night.
We called one of the design engineers of the CO switch and he gave us a code which when entered on the console made the line our poller was attached to a "test" line. Now we could dial any number in the CO and there was absolutely no indication on the called line. We had in effect a dialable phone tap!

T1 lines enter in a somewhat different manner but still some engineer probably put this feature in for diagnostic purposes. The point is that even if there is strong security associated with such capabilities it can be subverted. In France this probably just involves a call from the security agency. Do you think it is all that different in some areas here?

Richard

From firewalls-owner Mon Oct 2 13:32:33 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA04500 for firewalls-outgoing; Mon, 2 Oct 1995 13:21:52 -0700 Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA04491 for ; Mon, 2 Oct 1995 13:21:48 -0700 Date: Mon, 2 Oct 1995 16:20:18 -0400 (EDT) From: "A. Padgett Peterson, P.E. Information Security" To: firewalls@greatcircle.com Message-Id: <951002162018.210456b5@hobbes.orl.mmc.com> Subject: LAWZ Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Mark rites:
> 1024 bit key) to someone in France, and the French state found out,
> who would they prosecute? They can't touch me, and all the recipient
> has to prove is that the message was unsolicited - or am I missing
> something here?

Though I lack legal credentials (found a different way to say it), would suspect that you may be correct about (a) (just do not ever set foot in France since could be charged and found guilty in absentia). I have this dim recollection about differences in "presumption of guilt" between English common law (on which much of the Amerricun system is built) and the Napoleonic code.
If the recipient *had* a 1k private key (so you could encrypt with their public key), that may be required to be registered even to possess. Of course if you just used your private key to encrypt then anyone with your public key could decrypt & it might be considered in "the public domain", particularly if on a public keyserver.

Of course I may well be a couple of centuries out of date...

Warmly,
Padgett

From firewalls-owner Mon Oct 2 14:23:08 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA07106 for firewalls-outgoing; Mon, 2 Oct 1995 14:19:01 -0700 Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA07093 for ; Mon, 2 Oct 1995 14:18:55 -0700 Received: from pm1-12.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA10607; Mon, 2 Oct 95 16:15:18 -0400 Date: Mon, 2 Oct 95 16:15:18 -0400 Message-Id: <9510022015.AA10607@su1.in.net> X-Sender: frankw@in.net X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: "A. Padgett Peterson, P.E. Information Security" From: frankw@in.net (Frank Willoughby) Subject: Re: Encryption strength (Was How secure is a WAN...) Cc: firewalls@GreatCircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>From Padgett's mail:
>Frank rites:
>
>>Also, unless you are a bank or an arm of a foreign gov't I believe the largest
>>exportable key size is 40 & can be broken by a brute force attack (as Netscape
>>so amply demonstrated with their brilliant IDEA).
>

Sorry. I should have been more explicit in my comments. I was referring to the encryption product's (h/w & s/w) capabilities - in particular, the key size. Anything over 40 bits has a significantly reduced chance of getting approval for being shipped overseas unless the recipient is an agency of a (friendly) foreign government or a bank.

>May have been exactly what Marc intended...
>
>Really though, ITAR (International Trade in Arms Regulation) is not well
>understood (AFAIR you can find a copy on eff.org) which leads to many
>mythconceptions as above (actually is a fascinating document to read - almost
>as good as Brent's book which just arrived - he even had the effrontery
>to claim I paid too much 8*).
>
>There is -=>NO<=- ITAR limit on the size of a key which may be sent abroad,
>many of us regularly send our 1024 bit PGP keys internationally. (And BTW,
>technology exists which can break 40 bit IDEA in an average of an hour and
>a half).

This is correct as I mentioned above.

>
>What ITAR limits is the export of cryptographic *equipment* (software
>is equipment and if you think that is strange, in some cases ITAR
>considers patented ciphers to be in the public domain) capable of
>generating larger keys (there is some question about export of receive-
>only software). Further, the list of exceptions to ITAR is quite long -
>antivirus software is one, ATM (bank) machine transactions is another,
>cable TV is YA. However if it can generate a key, it is essentially
>verboden. (Violations are considered on a case by case basis so wearing
>your Li'l Orphan Annie Secret Decoder Ring to Guadalajara is probably
>OK but might have to get a license. Consult a shyster 8*)
>

This is also correct as I mentioned above. BTW, verboden is actually spelled "Verboten".

>And while the nits are RIPEM, Netscape used Ron's Code number 4, not IDEA,
>after an initial RSA exchange. Phil is the one who uses RSA/IDEA.

I'm not too sure about this. I went back to check my mails & the author of the posting I received about the August 16th cracking of the Netscape algorithm by the French hacker thought it was IDEA.
>
> Warmly,
> Padgett
>

Best Regards,

Frank

From firewalls-owner Mon Oct 2 14:30:01 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA07309 for firewalls-outgoing; Mon, 2 Oct 1995 14:24:03 -0700 Received: from village.zone.com (village.zone.com [204.247.108.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA07302 for ; Mon, 2 Oct 1995 14:23:57 -0700 Received: (from tonny@localhost) by village.zone.com (8.6.11/8.6.9) id OAA13099 for Firewalls@GreatCircle.Com; Mon, 2 Oct 1995 14:17:32 -0700 Date: Mon, 2 Oct 1995 14:17:32 -0700 From: Tonny Yu Message-Id: <199510022117.OAA13099@village.zone.com> To: Firewalls@GreatCircle.Com Subject: Computer ESP Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Morning Star Technologies:

U.Vision Inc introduced a new Internet service, Computer ESP, two weeks ago. Computer ESP was selected as a Yahoo weekly pick within the first week of opening. Response has been overwhelming. URL: http://www.uvision.com

Computer ESP is a revolutionary new Internet guide. Anyone on the Internet can now quickly and easily find comprehensive, organized, up-to-date information on over 20,000 computer manufacturers and dealers and their products. Customers can pre-set some purchasing criteria, such as price, and when it's reached, they are automatically e-mailed. Customers can also ask for price quotes. Customers can send e-mail and faxes directly from Computer ESP to most listed companies. Customers may already have contacted your company through Computer ESP. Everything is free and easy for the customers.

We may have already extracted public information from your Web pages on your company and perhaps your products. This public information may include contact information, graphical location maps, job openings, product specifications, and much more. Our FREE listings may include over 400 fields.
We would appreciate it if you could take a look and let us know if we need to make any corrections to the information for your company and products. Please fill out a new account form if your company is not yet listed. Also, please let us know if you are interested in fulfilling any of our growing list of quote requests.

We would love to hear what you think of Computer ESP. We have several more cool features in the works.

Also, please let us know if you do not want Computer ESP customers to send email to this address.

Thank you.

==========================================================================
Tonny Yu
U.Vision.Inc
President
The Visibility Provider(sm)
tonny@uvision.com
http://www.uvision.com
FAX:(415)369-1005

From firewalls-owner Mon Oct 2 15:00:01 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA06779 for firewalls-outgoing; Mon, 2 Oct 1995 14:13:16 -0700
Received: from hatteras.ch.inri.com (hatteras.ch.inri.com [198.202.184.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA06752 for ; Mon, 2 Oct 1995 14:13:04 -0700
Received: from assateague (assateague.ch.inri.com [198.202.184.111]) by hatteras.ch.inri.com (8.6.12/8.6.6) with SMTP id RAA02810 for ; Mon, 2 Oct 1995 17:13:40 -0400
Date: Mon, 2 Oct 1995 17:13:40 -0400
Message-Id: <199510022113.RAA02810@hatteras.ch.inri.com>
X-Sender: wlb@hatteras.ch.inri.com
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.COM
From: wbunting@ch.inri.com (Bill Bunting)
Subject: FW to FW FTP w/ no port > 1023
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone know a nice way to allow FTP file transfers between firewalled sites that both do not allow TCP ports > 1023? (i.e.
the screening router allows established TCP, FTP control connections (port 21), and does not allow any ports > 1023.)

Internal users are allowed to use FTP to log in to non-firewall-protected sites using passive FTP. However, in order to have an FTP session, one of the two sides must allow arbitrary port connections. If two firewall-protected sites want to talk FTP, one of the two sides must allow arbitrary ports. With our firewall, this is not allowed.

Here is what it looks like (to simplify, TIS fwtk proxy not shown):

Client tries passive mode...

    C-|----------21-control-connection---|-> S
    C-|---21---PASV Command--------------|-> S
    C-|------arbitrary-port-for-data---->| S    (blocked by server side firewall)

Client tries PORT command....

    C-|----------21-control-connection---|-> S
    C-|---21-PORT--Command---------------|-> S
    C |<------arbitrary-port-for-data----|- S    (blocked by client side firewall)

Things I have considered.
-------------------------

1. Poke a hole in the firewall and allow FTP data connections on port 20 (ftp-data). FTP client would be reprogrammed to use port 20 for data connections. Issues: Multiple concurrent FTP client listen requests could get swapped. (What happens in the FTP implementation when this occurs?)

2. Poke a range of holes in the firewall. Reprogram the FTP client to look for free ports within the range. Issues: Still required to poke several holes in the firewall, requires custom FTP software. Benefit: listen requests will not be swapped. (Best solution that I can find so far)

3. Do not use FTP and write a TCP application that uses only a single TCP port for data and control. Issues: Time + $$, no compatibility. Benefit: solves the problem.

4. Am I missing something??? Help. How are other people doing this?? Do most people just allow ports > 1023??
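[Editor's added example, not part of Bill's message or of any reply on the list. The Python model below reproduces the two diagrams above: in PASV the server listens and the client connects, so the server site's inbound filter decides; in PORT the client listens and the server connects from port 20, so the client site's inbound filter decides. It then runs Bill's options 1 and 2 against a strict remote site, including the "swapped listen request" concern when only port 20 is open and a second session is already using it. The Policy class, the negotiate() function and every port number and policy name are constructed for this illustration and are not anyone's real configuration.]

```python
"""Model of the FTP data-connection problem between two screened sites.

Constructed editorial example; policies and port numbers are assumptions,
not the list posters' configurations.  Only new inbound connections (a SYN
to a listening port) are filtered; established return traffic always passes,
which is how the screening router described above behaves.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """Inbound filter of one site's screening router (constructed)."""
    name: str
    inbound_ports: FrozenSet[int]   # destination ports that may receive a new connection

    def allows_inbound(self, dst_port: int) -> bool:
        return dst_port in self.inbound_ports


# Assumed policies (constructed for this example).
STRICT = Policy("strict", frozenset({21}))                          # control connection only
PORT20_HOLE = Policy("port20", frozenset({21, 20}))                 # option 1: one ftp-data hole
RANGE_HOLE = Policy("range", frozenset({21}) | frozenset(range(40000, 40005)))   # option 2
OPEN_HIGH = Policy("open-high", frozenset({21}) | frozenset(range(1024, 65536)))  # allows > 1023


def data_setup(mode: str, client_fw: Policy, server_fw: Policy,
               listen_port: int) -> Tuple[bool, Optional[str]]:
    """Decide whether one data-connection attempt gets through.

    PASV: server listens on listen_port, client connects -> server's filter decides.
    PORT: client listens on listen_port, server connects from 20 -> client's filter decides.
    Returns (ok, side_whose_firewall_blocked_it).
    """
    if mode == "PASV":
        receiver, side = server_fw, "server"
    elif mode == "PORT":
        receiver, side = client_fw, "client"
    else:
        raise ValueError(f"unknown mode {mode!r}")
    if receiver.allows_inbound(listen_port):
        return True, None
    return False, side


def negotiate(client_fw: Policy, server_fw: Policy,
              client_candidates: Iterable[int], server_pasv_port: int,
              in_use: FrozenSet[int] = frozenset()) -> Optional[Tuple[str, int]]:
    """Do what a client does: try PASV, then fall back to PORT over its candidate ports.

    in_use models client ports already taken by other concurrent sessions, which is
    the "listen requests could get swapped" concern with a single port-20 hole.
    """
    ok, _ = data_setup("PASV", client_fw, server_fw, server_pasv_port)
    if ok:
        return "PASV", server_pasv_port
    for port in client_candidates:
        if port in in_use:
            continue
        ok, _ = data_setup("PORT", client_fw, server_fw, port)
        if ok:
            return "PORT", port
    return None


if __name__ == "__main__":
    # Both sites strict: neither mode works, which is Bill's situation.
    print(negotiate(STRICT, STRICT, [5000], 5001))
    # Option 1: one hole on port 20 serves one session, but not a second concurrent one.
    print(negotiate(PORT20_HOLE, STRICT, [20], 5001))
    print(negotiate(PORT20_HOLE, STRICT, [20], 5001, frozenset({20})))
    # Option 2: a small range lets concurrent sessions pick distinct ports.
    print(negotiate(RANGE_HOLE, STRICT, range(40000, 40005), 5001, frozenset({40000})))
    # Remote site allows > 1023 (the common case): PASV works from a strict client site.
    print(negotiate(STRICT, OPEN_HIGH, [5000], 5001))
```

The model makes the asymmetry explicit: each data connection is blocked only by the firewall in front of whichever side is listening, so two strict sites have no mode that works, and opening a small fixed range on one side (option 2) is what lets several concurrent sessions coexist where a single port-20 hole (option 1) cannot.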
Thank you,

---------------------------------------
| Bill Bunting, Software Engineer       |          ******
|Inter-National Research Institute, Inc.|     ***_******_ __ _
| 1441 Crossways Boulevard, Suite 102   |   ===//=/\**//=/- )==//=
| Chesapeake, Virginia 23320            |   {==//=//\\//=//||==//==
| V(804)424-8675 F(804)420-4262         |   =//=//==\/*//=||=//===
| (wbunting@inri.com)                   |          *********
| (bunting@cs.odu.edu)                  |           *****
| http://www.cs.odu.edu/~bunting        |
---------------------------------------

From firewalls-owner Mon Oct 2 16:22:32 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA12030 for firewalls-outgoing; Mon, 2 Oct 1995 16:05:40 -0700
Received: from zacatecas.optimum.com (zacatecas.optimum.com [198.81.218.67]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA12022 for ; Mon, 2 Oct 1995 16:05:36 -0700
Received: from optimum.com by zacatecas.optimum.com (5.67a/95032401) id AA01026; Mon, 2 Oct 1995 19:04:02 -0400
X-Sender: srp336@mail.optimum.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 2 Oct 1995 19:04:05 -0400
To: firewalls@greatcircle.com
From: srp336@optimum.com (Steven R. Pfister)
Subject: udprelay on SunOS 4.1.3
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am about to install udprelay on a Sun Sparc 5 running SunOS 4.1.3. I seem to remember hearing about a patch to udprelay that was needed to do this. Is there such a patch and where do I get it from?

Thanks!
Steve Pfister // Network Administrator
optimum.net
srp685@optimum.net

From firewalls-owner Mon Oct 2 16:30:08 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA12711 for firewalls-outgoing; Mon, 2 Oct 1995 16:17:12 -0700
Received: from [198.102.244.42] (pb520.greatcircle.com [198.102.244.42]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA12686; Mon, 2 Oct 1995 16:17:06 -0700
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 2 Oct 1995 16:16:47 -0800
To: Tonny Yu , Firewalls@GreatCircle.Com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: Computer ESP
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 2:17 PM 10/2/95, Tonny Yu wrote:
>Morning Star Technologies:
>
>U.Vision Inc introduced a new Internet service, Computer ESP, two weeks
>ago. Computer ESP was selected as a Yahoo weekly pick within the first
>week of opening. Response has been overwhelming.
>
>URL: http://www.uvision.com
>
>Computer ESP is a revolutionary new Internet guide. Anyone on the Internet can
>now quickly and easily find comprehensive, organized, up-to-date information on
>over 20,000 computer manufacturers and dealers and their products.
>Customers can
>pre-set some purchasing criteria, such as price, and when it's reached, they
>are automatically e-mailed. Customers can also ask for price quotes.

Your ESP is broken, if you think that "Firewalls@GreatCircle.COM" is the email address for Morning Star Technologies. Congratulations, you've just spammed and annoyed 15,000 or so people on the Firewalls mailing list. I'm sure they'll appreciate your efforts; you've certainly made a memorable first impression...

Please remove all references to Firewalls@GreatCircle.COM from your system.
-Brent

--
Brent Chapman         | Great Circle Associates | For Firewalls Tutorial info:
Brent@GreatCircle.COM | 1057 West Dana Street   | Tutorial-Info@GreatCircle.COM
+1 415 962 0841       | Mountain View, CA 94041 | http://www.greatcircle.com

From firewalls-owner Mon Oct 2 16:53:03 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA16864 for firewalls-outgoing; Mon, 2 Oct 1995 16:42:44 -0700
Received: from sgi.sgi.com (SGI.COM [192.48.153.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA16845 for ; Mon, 2 Oct 1995 16:42:36 -0700
Received: from yeager.corp.sgi.com by sgi.sgi.com via ESMTP (950405.SGI.8.6.12/910110.SGI) id QAA01207; Mon, 2 Oct 1995 16:39:51 -0700
Received: by yeager.corp.sgi.com (950911.SGI.8.6.12.PATCH825/930416.SGI) id QAA00800; Mon, 2 Oct 1995 16:39:10 -0700
From: lear@yeager.corp.sgi.com (Eliot Lear)
Message-Id: <9510021639.ZM798@yeager.corp.sgi.com>
Date: Mon, 2 Oct 1995 16:39:09 -0700
In-Reply-To: toon@cem-bb.e-mail.com "RFC 1597" (Oct 2, 8:33am)
References: <199510021231.FAA17889@miles.greatcircle.com>
Reply-to: lear@palladium.corp.sgi.com
X-Mailer: Z-Mail (3.2.1 6apr95 MediaMail)
To: toon@cem-bb.e-mail.com, firewalls@greatcircle.com
Subject: Re: RFC 1597
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

1627 stands on its own; but basically we had three problems with 1597:

Procedural - 1597 received 0 review from the ietf.
Operational - blindly following 1597 can lead to serious consequences.
Architectural - it was a break from the all unique world we lived in.

The new draft can be found where you find other Internet Drafts; its title is draft-ietf-cidrd-private-addr-03.txt. It attempts to address the first two of these issues. The third is basically lost.
--
Eliot Lear [lear@sgi.com]

From firewalls-owner Mon Oct 2 17:00:01 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA16016 for firewalls-outgoing; Mon, 2 Oct 1995 16:37:09 -0700
Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA15847 for ; Mon, 2 Oct 1995 16:36:59 -0700
Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id JAA28339; Tue, 3 Oct 1995 09:30:37 +1000
Received: from citecub.citec.qld.gov.au(131.242.4.98) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma028335; Tue Oct 3 09:30:23 1995
Received: by citecub.citec.qld.gov.au (5.0/SMI-SVR4) id AA14998; Tue, 3 Oct 1995 09:36:16 +1000
From: sgcccdc@citec.qld.gov.au (Colin Campbell)
Message-Id: <9510022336.AA14998@citecub.citec.qld.gov.au>
Subject: Re: FW to FW FTP w/ no port > 1023
To: wbunting@ch.inri.com (Bill Bunting)
Date: Tue, 3 Oct 95 9:36:16 EST
Cc: firewalls@greatcircle.com
In-Reply-To: <199510022113.RAA02810@hatteras.ch.inri.com>; from "Bill Bunting" at Oct 2, 95 5:13 pm
X-Mailer: ELM [version 2.3 PL11]
content-length: 2074
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I believe the only(?) option is to allow incoming connections. The ftp gateway (for example) sends out a PORT command listing a port > 1023, so the ftp server creates a connection from port 20 to a port > 1023. If you can live with incoming connections to ports > 1023 you can have ftp access. Of course this means tightening up the security on the box(es) receiving those incoming connections. On a bastion host the only things listening on ports > 1023 will be the ftp gateway (on the ones I build).

Colin

> [chomp]
> 
> Things I have considered.
> -------------------------
> 1. Poke a hole in the firewall and allow FTP data connections on port 20
> (ftp-data). FTP client would be reprogrammed to use port 20 for data
> connections.
> Issues: Multiple concurrent FTP client listen requests could
> get swapped. (What happens in the FTP implementation when this occurs?)
> 
> 2. Poke a range of holes in the firewall. Reprogram the FTP client to look
> for free ports within the range. Issues: Still required to poke several
> holes in the firewall, requires custom FTP software. Benefit: listen
> requests will not be swapped. (Best solution that I can find so far)
> 
> 3. Do not use FTP and write a TCP application that uses only a single TCP
> port for data and control. Issues: Time + $$, no compatibility. Benefit:
> solves the problem.
> 
> 4. Am I missing something??? Help. How are other people doing this?? Do
> most people just allow ports > 1023??
> 
> Thank you,
> ---------------------------------------
> | Bill Bunting, Software Engineer       |          ******
> |Inter-National Research Institute, Inc.|     ***_******_ __ _
> | 1441 Crossways Boulevard, Suite 102   |   ===//=/\**//=/- )==//=
> | Chesapeake, Virginia 23320            |   {==//=//\\//=//||==//==
> | V(804)424-8675 F(804)420-4262         |   =//=//==\/*//=||=//===
> | (wbunting@inri.com)                   |          *********
> | (bunting@cs.odu.edu)                  |           *****
> | http://www.cs.odu.edu/~bunting        |
> ---------------------------------------
> 
> 

From firewalls-owner Mon Oct 2 17:24:07 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA18582 for firewalls-outgoing; Mon, 2 Oct 1995 17:05:31 -0700
Received: from motgate.mot.com (motgate.mot.com [129.188.136.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id RAA18565 for ; Mon, 2 Oct 1995 17:05:26 -0700
Received: from pobox.mot.com (pobox.mot.com [129.188.137.100]) by motgate.mot.com (8.6.11/8.6.10/MOT-3.8) with ESMTP id TAA00382 for ; Mon, 2 Oct 1995 19:03:58 -0500
Received: from MACCVM.CORP.MOT.COM (maccvm.corp.mot.com [129.188.244.1]) by pobox.mot.com (8.6.11/8.6.10/MOT-3.8) with SMTP id TAA28564 for ; Mon, 2 Oct 1995 19:03:57 -0500
Received: from MACCVM by MACCVM.CORP.MOT.COM (IBM VM SMTP V2R3) with BSMTP id 3955; Mon, 02 Oct 95 17:03:56 MST
Date: 02 Oct 1995 17:03:55 -0700
Message-ID: <"XOPR85 95/10/03 00:03:55.546532"@MACCVM.CORP.MOT.COM>
From: Jacob Hinther
To: Firewalls
Subject: Web Browser Test
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Test your web browser!

http://www.c2.org/
http://www.c2.org/hackmsoft/
http://www.c2.org/hacknetscape/

Jake

From firewalls-owner Mon Oct 2 17:30:07 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA19844 for firewalls-outgoing; Mon, 2 Oct 1995 17:25:29 -0700
Received: from bass.com.my (bass.com.my [161.142.248.42]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id RAA19823 for ; Mon, 2 Oct 1995 17:25:20 -0700
Received: from bass.bass.com.my (gw.bass.com.my) by bass.com.my with SMTP id AA05844 (5.67a/IDA-1.5 for ); Tue, 3 Oct 1995 08:24:27 +0800
Received: by bass.bass.com.my (4.1/SMI-4.1) id AA02389; Tue, 3 Oct 95 08:22:02 MYT
Date: Tue, 3 Oct 1995 08:20:43 +0800 (MYT)
From: Tham Huei Hwan
Subject: Re: Public Domain FireWall Software
To: Marcus Antonio - Projeto ISODE
Cc: FireWalls
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

You can obtain fwtk (firewalls tool kit) from ftp.tis.com

On Fri, 29 Sep 1995, Marcus Antonio - Projeto ISODE wrote:
> 
> Hello FireWalls,
> 
> My name's Marcus Antonio, and I'm a Computer Science student in
> Brazil, and I have to implement a network security system. I'd like to know
> how I can get some public domain FireWall software. I work with AIX systems.
> Any information would be very important.
> 
> Thank you very much...
> 
> 
> _______________________________________________________________________________
> 
> _/_/_/_/                  _/_/_/_/
> _/_/_/_/                  _/_/_/_/
> _/_/ _/_/ _/_/ _/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/ _/ _/ _/_/_/
> _/_/ _/_/_/ _/_/ _/ _/ _/ _/ _/ _/ _/ _/
> _/_/ _/ _/_/ _/ _/ _/ _/ _/ _/ _/ _/
> _/_/ _/_/ _/_/_/_/ _/ _/_/ _/ _/ _/ _/_/_/_/
> _/_/ _/_/ _/ _/ _/ _/ _/ _/ _/ _/
> _/_/ _/_/ _/ _/ _/ _/ _/_/_/_/ _/_/_/_/ _/_/_/_/
> 
> Marcus Antonio Almeida Rodrigues
> 
> UECE
> Universidade Estadual do Ceara'
> 
> LAR
> Laboratorio Multiinstitucional de Redes e Sistemas Distribuidos
> 
> 
> e-Mail:marcus@fortal.uece.br
> URL: http://www.uece.br/~marcus/
> _______________________________________________________________________________
> 

From firewalls-owner Mon Oct 2 19:30:09 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA23692 for firewalls-outgoing; Mon, 2 Oct 1995 19:05:13 -0700
Received: from border.com (janus.border.com [199.71.190.98]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id TAA23685 for ; Mon, 2 Oct 1995 19:05:06 -0700
Received: by janus.border.com id <4998>; Mon, 2 Oct 1995 22:16:48 -0400
To: todd@lgt.com (Todd Glassey)
Subject: Re: Information, We want information
Cc: firewalls@GreatCircle.COM, gated-people@gated.cornell.edu, cypherpunks@toad.com, glenn@border.com
Date: Mon, 2 Oct 1995 22:03:06 -0400
From: Glenn Mackintosh
Message-Id: <95Oct2.221648edt.4998@janus.border.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: todd@lgt.com (Todd Glassey)
> I am in immediate need of info on the liabilities of BSD type systems, and in
> particular the BorderWare products.
> 
> I heard that in the BorderWare product itself, there are several recently
> discovered potential "holes"...
> 
> I have a particular interest in both the Attack MO against the BSD
> platforms in general and the Border products in particular...
> 
> Please do not send the reply to the lists but to me personally
> (todd@lgt.com).
> I will summarize if I get enough info to be worth the
> effort.
> 
> Any comments?

Let me make a very clear statement. No site protected by BorderWare has ever had its Firewall penetrated. Never.

This is the second time I've heard rumors about insecurities in the BorderWare software with nothing being brought out to substantiate them. I guess this is just an unfortunate part of doing business - especially in the security domain. I get a bit annoyed by this kind of thing since, regardless of whether we refute such comments, after the discussion itself is forgotten people will often remember that they heard something about a problem with product X.

This isn't a criticism of you Todd - you are just reporting that you've heard rumors and asking about them, which is a perfectly reasonable thing to do. Obviously the rumors you heard haven't come along with any facts since you're asking here for the "Attack MO". I would very much like to hear about any problem that is real, since if there were any weaknesses we would want to fix them and disseminate the fix as fast as possible.

Border takes any potential problem very seriously. A couple of months ago there was a potential weakness that was discovered in the process of Border's ongoing efforts to ensure the security of the product. It was only a security risk with a very specific configuration. No customer has ever reported seeing this. Within two days of this discovery we had a fix and the fix was being actively pushed through the distribution channels to the customer base. It was given high priority and we had our support people calling down to the reseller channels to ensure that they were aware and that they got it out to their clients. We intended to make sure that this potential problem was immediately removed from the firewall even though no one had actually reported a problem. The fix was given free of charge to anyone whether they had a support contract or not.
Some customers were even upgraded to a newer version of BorderWare so they could receive the fix. We strongly believe that our customers are entitled to the best available protection. They bought a Firewall for security and they should expect it to be secure. Border will do everything that we can to ensure this is always the case.

So, anyone out there if you believe you have some real attack mechanism we want to know.

Now that you've sat through the general ranting part of my comments, let me try to answer the BSD specific part.

As far as BSD based OS's in general I don't think there is reason to believe that they are any more or less secure than System V based Unix's (or other non-Unix based operating systems for that matter). They all have pros and cons and they have all had problems and I don't think that one variant has had more problems historically than the other.

That said, Border doesn't use a stock BSD based OS anyway. We have put a large amount of effort into "hardening" the kernel so that it is a solid base upon which to build a secure firewall. We don't believe that any stock OS which was designed for a dynamic environment with users on it will really be secure. There are far too many instances (with just about any OS, Unix or otherwise) where someone has gained privilege or increased access to a system by taking advantage of some feature once they managed to get on the box. A firewall should be a static, non-user environment which means that many features are just not required and can be removed or their behavior significantly changed and limited. We spent a considerable amount of manpower stripping down the kernel and leaving only what was really needed. We removed the mechanisms which can be used to gain privilege or increase the levels of access to the system. The BorderWare kernel is in fact one of its strongest assets, and not a potential weakness.

Glenn Mackintosh
V.P. Technology
------------------------------------------------------------------------
Border Network Technologies Inc.         Email: glenn@border.com
20 Toronto Street, Suite 400,            Tel:   +1 416 368 7157
Toronto, Ontario, Canada, M5C 2B8        Fax:   +1 416 368 7789

From firewalls-owner Mon Oct 2 21:52:32 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA27528 for firewalls-outgoing; Mon, 2 Oct 1995 21:34:03 -0700
Received: from commsun.its.csiro.au (commsun.its.csiro.au [152.83.8.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id VAA27514 for ; Mon, 2 Oct 1995 21:33:56 -0700
Received: (from fit106@localhost) by commsun.its.csiro.au (8.6.10/8.6.10) id OAA06267; Tue, 3 Oct 1995 14:31:51 +1000
Date: Tue, 3 Oct 1995 14:31:48 +1000 (EST)
From: Kent Fitch
To: firewalls@greatcircle.com
Subject: securing modem access: RADIUS or TACACS+ with PGP authentication
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The organisation I work for is geographically dispersed with Internet connections in major cities in Australia. We are thinking of establishing dial-up modem pools in major cities which travelling staff in hotels or locals at home can use to connect to our WAN and the internet.

Both RADIUS and TACACS+ seem attractive, as I think they would allow us to establish a central authentication service to vet dial-in access. We are experimenting with PGP based authentication systems for other purposes, so the option of using a similar mechanism for dial-in authentication would be interesting.

From a browse-thru of the RADIUS doco, I can't see how it would accommodate a challenge-response, such as we might want to use for PGP authentication (we send out a non-repeating challenge, the user signs it with their PGP private key, we check the signature).

We currently have a mix of dial-in access boxes - Annex, Cisco and Shiva (maybe others).
I am interested in the experiences of others using RADIUS or TACACS+, especially anyone using them with s/key, PGP, or some other software challenge/response system with different access servers. Vendor responses are welcome - I'll summarize to the list.

Kent Fitch                       Ph: +61 6 276 6711
ITSB CSIRO Canberra Australia
kent.fitch@its.csiro.au

From firewalls-owner Mon Oct 2 22:52:32 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id WAA29081 for firewalls-outgoing; Mon, 2 Oct 1995 22:45:34 -0700
Received: from hosaka.smallworks.com (hosaka.SmallWorks.COM [192.207.126.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id WAA29074 for ; Mon, 2 Oct 1995 22:45:30 -0700
Received: by hosaka.smallworks.com (5.x/SMI-SVR4) id AA02180; Tue, 3 Oct 1995 00:43:09 -0500
Date: Tue, 3 Oct 1995 00:43:09 -0500
Message-Id: <9510030543.AA02180@hosaka.smallworks.com>
From: Jim Thompson
To: Kent.Fitch@its.csiro.au
Cc: firewalls@GreatCircle.COM, jes@SmallWorks.COM
In-Reply-To: (message from Kent Fitch on Tue, 3 Oct 1995 14:31:48 +1000 (EST))
Subject: Re: securing modem access: RADIUS or TACACS+ with PGP authentication
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: Tue, 3 Oct 1995 14:31:48 +1000 (EST)
> From: Kent Fitch
> The organisation I work for is geographically dispersed with Internet
> connections in major cities in Australia. We are thinking of
> establishing dial-up modem pools in major cities which travelling staff
> in hotels or locals at home can use to connect to our WAN and the internet.
> 
> Both RADIUS and TACACS+ seem attractive, as I think they would allow us to
> establish a central authentication service to vet dial-in access. We are
> experimenting with PGP based authentication systems for other purposes, so
> the option of using a similar mechanism for dial-in authentication would
> be interesting.
> 
> From a browse-thru of the RADIUS doco, I can't see how it would accommodate
> a challenge-response, such as we might want to use for PGP authentication
> (we send out a non-repeating challenge, the user signs it with their PGP
> private key, we check the signature).
> 
> We currently have a mix of dial-in access boxes - Annex, Cisco
> and Shiva (maybe others).
> 
> I am interested in the experiences of others using RADIUS or TACACS+,
> especially anyone using them with s/key, PGP, or some other software
> challenge/response system with different access servers. Vendor
> responses are welcome - I'll summarize to the list.

I'm one-half (Jes is the other half) of the team implementing Cisco's commercial TACACS+ server. (e.g. we're under contract to Cisco.) It wouldn't be very hard at all to roll PGP into the 'side' of the server. S/Key already works.

Smallworks also makes and sells 'Netgate', a filtering firewall for SunOS 4.1.X and Solaris 2.X, in case you've not heard of us before.

If you want to take this off-line and discuss it, we'd be more than happy to do so.
Cheers,

Jim

From firewalls-owner Mon Oct 2 23:52:40 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA00422 for firewalls-outgoing; Mon, 2 Oct 1995 23:34:13 -0700
Received: from loke.btj.se (loke.btj.se [192.36.60.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id XAA00415 for ; Mon, 2 Oct 1995 23:34:09 -0700
Received: (from goran@localhost) by loke.btj.se (8.6.11/8.6.11) id HAA17208; Tue, 3 Oct 1995 07:32:02 +0100
Date: Tue, 3 Oct 1995 07:32:02 +0100 (NFT)
From: Goran Svensson
To: Bernhard Schneck
cc: gblolmxb@ibmmail.com, firewalls@GreatCircle.COM
Subject: Re: [none]
In-Reply-To: <199510021816.TAA10902@grizzly.genua.de>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 2 Oct 1995, Bernhard Schneck wrote:

> > Frank Willoughby wrote that when sending encrypted mail to a French
> > destination, one must supply the French Gov. with a key. If I, based
> > in London, England, were to send an encrypted (say using PGP with a
> > 1024 bit key) to someone in France, and the French state found out,
> > who would they prosecute? They can't touch me, and all the recipient
> > has to prove is that the message was unsolicited - or am I missing
> > something here?
> 
> Yes ... your next visit to the Cote du Rhone ...

Don't forget that the French government does not respect state borders; if you repeat the 'offense' they might send an amateur hit team to slap you on the fingers. They have done so in the past, and I suspect that they have not learned more about international politics since then. For more details about the events, please contact your nearest Greenpeace representative ......

> 
> \Bernhard.
> 
> PS: This holds even if you send from London to me in Munich and the
> packets happen to hop through France.
> 
> PPS: I understand this is current law, but not actively prosecuted
> 
> PPPS: I'm not a lawyer (and will never be one)
> 

---------------------------------------------+---------------------------------
Goran Svensson                               ! I can speak for myself, and I do
BTJ System AB                                +---------------------------------
Email: goran@btj.se                          ! This is my opinion. I reserve
Snail: Box 4066, S-227 21 Lund, Sweden       ! the right to change it, doubt it
Phone: +46 46 180 000, Fax: +46 46 180 333   ! or deny it at any time.
---------------------------------------------+---------------------------------
Believe nothing, no matter where you read it, or who said it, no matter if I have said it, unless it agrees with your own reason and your own common sense. --Buddha

From firewalls-owner Tue Oct 3 00:00:05 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA00666 for firewalls-outgoing; Mon, 2 Oct 1995 23:55:08 -0700
Received: from quord.agric.nsw.gov.au (quord.agric.NSW.GOV.AU [148.145.15.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id XAA00656 for ; Mon, 2 Oct 1995 23:55:03 -0700
From: neal.sievwright@smtpgwy.agric.nsw.gov.au
Received: from spock.agnet.nis (spock.agric.NSW.GOV.AU) by quord.agric.nsw.gov.au (4.1/SMI-4.1) id AA29676; Tue, 3 Oct 95 16:55:10 EST
Received: from smtpgwy.agric.nsw.gov.au by spock.agnet.nis (5.0/SMI-SVR4) id AA15540; Tue, 3 Oct 1995 16:57:45 --1000
Received: from cc:Mail by smtpgwy.agric.nsw.gov.au id AA812764551; Tue, 03 Oct 95 16:45:26 EST
Date: Tue, 03 Oct 95 16:45:26 EST
Encoding: 1 Text
Message-Id: <9509038127.AA812764551@smtpgwy.agric.nsw.gov.au>
To:
Content-Length: 14
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

signoff

From firewalls-owner Tue Oct 3 00:27:33 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA00808 for firewalls-outgoing; Tue, 3 Oct 1995 00:00:59 -0700
Received: from relay1.pipex.net (relay1.pipex.net [158.43.128.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id AAA00801 for ; Tue, 3 Oct 1995 00:00:54 -0700
Received: from smtpgty.saicuk.co.uk by flow.pipex.net with SMTP (PP); Tue, 3 Oct 1995 07:59:08 +0100
Received: by smtpgty.saicuk.co.uk with Microsoft Mail id <3070E58A@smtpgty.saicuk.co.uk>; Tue, 03 Oct 95 07:26:02 GMT
From: "Johnson-Bryden, Ian"
To: "'firewalls@greatcircle.com'"
Subject: RE: Encryption strength (Was How secure is a WAN...)
Date: Mon, 02 Oct 95 10:37:00 GMT
Message-ID: <3070E58A@smtpgty.saicuk.co.uk>
Encoding: 103 TEXT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Having taken time out to finish a book for a publishing deadline and not having had time to follow some discussion groups, I have resubscribed to firewalls and see most of the topics are the same as earlier in the year. Risk is still referred to as 'theoretical', but encryption, which some had complained was not applicable to firewalls, is now under discussion. Sorry if I missed some important points while unsubscribed.

Risk management is not theoretical, at least no more so than any other human activity, if it is addressed correctly. There really is not too much benefit in trying to meet a risk which may not apply. The danger of the firewall is that it looks like a simple solution to every problem and once you have one it is very easy to spend more and more time (and money) adding the latest fashion gizmo to it. As many firewall buyers/influencers are sysads it's understandable that they approach the subject from the relatively narrow perspective of the information systems department and consider it as a technical issue. That's a bit like fitting an engine immobiliser to the car when the real risk may be someone smashing a window to grab valuables left in full view on the back seat.
It may well be that every user who connects to any of the information highways needs some type of protective barrier, and equally that they may need to protect their data as it transits the cloud, but that's only part of the risk addressed and, statistically, it's probably a lower priority against other risks. Assuming that the firewall is the starting point is much like the concept of the ancient walled city where the greater risk might have been plague and fire and the walls sometimes increased those risks. The defensive wall also didn't provide complete protection from the external attacker because a strong attacker either broke through the wall or waited for the inhabitants to starve. In many cases, the money might have been better spent on a fast chariot the better to head for the hills.

The probability is that most email traffic from most sites has no real value other than as conversation between two people and may not justify any encryption costs. Equally, some traffic may be a small percentage of the total but be highly sensitive. That could mean that a system needs several levels of encryption strength, but it might mean that some communication simply can't be carried out electronically. As the vast majority of data users have no method of segregating data internally and maintaining access only for authorised users, any user may be able to access any data, anytime, and export it to any address. Having the ability to strongly encrypt what is transmitted will not prevent someone sending information deliberately to someone who should not receive it. It will also not prevent an employee from accessing a recreational service during company time. There are solutions which can be applied if the risk factors justify the cost and those solutions will almost certainly require some form of firewall and some form(s) of encryption and authentication.
A problem which applies to encryption, and other effective risk reduction technology, is the fact that legislators have failed miserably to keep up with technical innovation. The mess over encryption is just one example of government in confusion. As much of the information technology originates in the US, the US Federal Government plays a major role in this confusion. ITAR is only one example. Much of the import and export controls originate in the 'cold war' period and applied to much older technologies but have yet to be replaced by new legislation which addresses today's realities.

From years of experience, I know that obtaining licenses is not really that difficult, but can take a considerable time to complete. There are some end users and applications which won't allow you to obtain a license, but it's not as restrictive as many people claim. Certainly it's much easier to get a G-Dest license on a government to government basis and some governments are more favoured by US Fed than others. US regulations have recently changed and one consequence is the need for any company wanting to import or export 'munitions' to register, which is not necessarily any major problem but is an essential step.

I did notice a posting which suggested that many governments are all set to ban encryption and there have been postings on other discussion groups which make similar claims, particularly citing a document issued by the British Labour Party. I have to say that this doesn't tie in with what I have experienced. Over the years I have spoken with officials and politicians in a number of countries, including the US, on encryption and associated topics. I have also had recent discussions as part of the research for a book specifically on attitudes to data protection and served on some working parties.
The general response I have got is that governments recognise the legitimate requirement to protect information from theft and abuse and accept that this implies a need for encryption to give similar data protection to that provided by well established non-electronic communications systems. What worries them is that criminals can use the same technology to defeat crime prevention efforts. One example frequently cited is the availability of pornography over systems like the Internet. It is also realised that drug dealers and many other categories of criminal are often equipped with better technology than the law enforcement agencies, but then that's nothing new and goes back much further than the Thompson submachine gun.

What most governments are looking for is a way by which they can decrypt data when there is justification to do so, much in the same way that telephones are tapped. Some governments may of course be more cautious about how much they use the facility than others. If these views are combined with military export rules, the result can be that the legitimate user suffers much more than the criminal and the only answer is to lobby your politicians to make sure they understand your needs.

Many officials and politicians already understand that high communications availability is essential to business growth and success, and creates wealth. They also understand that this facility must be reliable and secure, so part of the battle is won. What often confuses issues is vested interests trying very hard to push their flavour of technology, rather than presenting a risk and benefits analysis to support their position.
Ian J-B

From firewalls-owner Tue Oct 3 01:22:38 1995
From: gblolmxb@ibmmail.com
Message-Id: <199510030801.BAA02139@miles.greatcircle.com>
Date: Tue, 03 Oct 1995 04:03:46 EDT
To: firewalls@greatcircle.com

All,

Whenever I post to this list, my messages appear without a title - is there any reason for this? Any other SMTP mail gets delivered OK.

Mark.

From firewalls-owner Tue Oct 3 01:30:04 1995
Date: Tue, 3 Oct 1995 02:11:25 -0600
From: Reg Clemens
Message-Id: <199510030811.CAA03698@clemens.dwf.com>
To: firewalls-digest@GreatCircle.com
Subject: NFS

I am sure that this topic has been beaten to death, so if someone would just point me at the discussion (or tell me that there is no solution) I would be happy to take it from there. I remember reading a paper a couple years ago describing why NFS could never be made secure, but for the life of me I can't seem to find it now.
The problem is SUN's NFS under SUNOS 4.1.3/4. I have a server with a half dozen file systems that are exported read-only to all the other machines in the domain. I would like to restrict their mounting to machines within the domain while maintaining connectivity to the outside world. SUN's software does not support this option, it only allows specifying specific machine names, and the list of *all* machine names overflows some internal limit in SUN's software.

[ The machine uses DNS and not YP, it is rumored that possibly with YP one can get by this limit, but I have no interest in adding YP to my list of problems. ]

So, the Questions:

(1) WITHOUT resorting to a firewall, is there any way to accomplish what I want to do?

(2) If not, can it be done with a `simple' packet filter, or does it require a full blown firewall?

Reg.Clemens
clemens@dwf.com

From firewalls-owner Tue Oct 3 01:48:37 1995
Date: Tue, 3 Oct 1995 09:15:17 +0100
From: Petter Häggman
Message-Id: <199510030815.AA17006@tintin.lule.frontec.se>
To: Firewalls@GreatCircle.COM
Subject: Re: Dual-DNS Problems

cris@dejong.com wrote:

> Back with more dual-DNS problems.
>
> Background: DNS server 1 is internal DNS, can't reach the real
> world directly, but can reach server 2.
> Server 2 is external DNS
> and 'forwarder' for internal DNS server 1.
>
> Situation 1: DNS server 1 'slave' flag in named.boot is *not
> present*. DNS resolves are done quickly and correctly the first
> time, but server 1 keeps generating UDP packets aimed at outside
> servers (which can't reach outside of the secure net).
>

When using a forwarder without the 'slave' directive, the inside DNS will only wait for a 'short' time before trying to resolve the name/address itself, which it of course can't.. :-}

> Situation 2: DNS server 1 'slave' flag in named.boot *is* present.
> Non-cached DNS resolves requested by internal hosts often
> (usually?) fail on the 1st try, and sometimes on the 2nd, but
> almost always resolve on the 3rd try. No UDP packets from server 1
> are aimed at real-world servers.
>

When using the 'slave' directive, if the outside DNS needs to resolve the name/address (i.e. it's not cached) it takes some time, during which the internal DNS may/will timeout.

> Sounds like a timeout problem, but this doesn't make sense, because
> the timeout should happen in Situation #1 as well. *Why* is this
> happening? Any help... TIA.
>

It happens in the first case as I stated above. The problem in a nutshell is that the timeout is too short, but who wants to change the source?

My "trick" to fix this is to repeat the forwarder address in the forwarder directive together with the 'slave' directive. Ex.

    'forwarder 193.10.10.1 193.10.10.1 193.10.10.1'
    'slave'

This means the slave DNS will "ask" three times, and before the third question is done the answer to the first arrives..:-) (Of course you may repeat the address as many times as you like, but in our network three times works like a charm)

/Petter

> Chris Tyler Chris@DeJong.Com CTyler@Oxford.Net
> Systems Development Manager, Wm. De Jong Enterprises Inc.
> +1-519-424-9007 / fax +1-519-424-2399
> --

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Petter Haggman       Email: Petter.Haggman@lule.frontec.se
Arctic Software AB   Phone: +46 920 75116 , Fax: +46 920 75199
Aurorum 1, S-977 75 Lulea, Sweden   NMT: 010 - 259 42 77

From firewalls-owner Tue Oct 3 02:22:46 1995
Date: Tue, 03 Oct 95 10:13:40 EST
From: Steve_Betts@ccmailgw.biss.co.uk (Steve Betts)
Message-Id: <9509038127.AA812740420@ccmailgw.biss.co.uk>
To: chris@dejong.com, scorp@un.kiev.ua, long-morrow@CS.YALE.EDU
Cc: Firewalls@GreatCircle.COM
Subject: Re[2]: Mail Proxy

long-morrow@CS.YALE.EDU wrote:

>1. rot13 a uuencoded file before e-mailing it. Describe in the message
>2. Use an (admittedly) inefficient format for encoding binary, such as:
>3. PGP encrypt the entire message before transmitting. How will the

It occurs to me that even if a human manager checks a uu-encoded attachment, how can they be sure that what they find is what it seems? With the use of a steganographic tool such as Andy Brown's S-Tools, a user can hide encrypted or binary files inside bitmap or sound files. (And also on a floppy disk; mail is only one medium of many to worry about.)

I think that the only virus defence that makes any sense is to devolve the responsibility for detection out to the workstation. If every program, DLL etc. is scanned before execution it will (should!) catch virii before they infect. This is of course no defence against the transfer of secrets or pornography.

Regards
Steve
--
email: steve.betts@biss.co.uk (pgp key from www page)
www: http://www.biss.co.uk/~steveb/
phone: (+44) 1 442 233 366 (Office GMT)
Never assume my opinions are the same as my employer's.

From firewalls-owner Tue Oct 3 03:00:01 1995
Date: Tue, 3 Oct 1995 10:55:04 +0100 (BST)
From: David Brownlee
To: Reg Clemens
cc: firewalls-digest@GreatCircle.com
Subject: Re: NFS
In-Reply-To: <199510030811.CAA03698@clemens.dwf.com>

On Tue, 3 Oct 1995, Reg Clemens wrote:

> [...]
>
> The problem is SUN's NFS under SUNOS 4.1.3/4. I have a server with a half
> dozen file systems that are exported read-only to all the other machines
> in the domain. I would like to restrict their mounting to machines within
> the domain while maintaining connectivity to the outside world.
> SUN's software does not support this option, it only allows specifying
> specific machine names, and the list of *all* machine names overflows
> some internal limit in SUN's software.
>
> [...]

Replace the innetgr.c in libc.so with a non broken version. (I have a non broken version I can mail on request) I did that here & happily exported to ~200 machines (with FQDN) from SunOS 4.1.3 & 4.1.4.

More recently I've replaced SunOS with NetBSD which gets it right without any help (And has a _much_ better /etc/exports syntax - I can export to 138.40.X.X easily, and map all uids (not just root) to a given uid & other nice things too).

David/abs
D.K.Brownlee@city.ac.uk (MIME) +44 171 477 8186 {post,host}master (abs)
Network Analyst, UCS, City University, Northampton Square, London EC1V 0HB.
<<< Monochrome - Largest UK Internet BBS - telnet mono.org >>>
>=- Microsoft: Abort and Retry Cancel -or- NetBSD: http://www.netbsd.org -=<

From firewalls-owner Tue Oct 3 03:52:33 1995
From: dan.collins@integralis.co.uk
Date: Tue, 03 Oct 1995 11:28 +0000 (GMT)
Subject: Re: Network Address Translation
To: firewalls@GreatCircle.com
Message-id: <01HW0350J83M000CP1@INTEGD.INTEGRALIS.CO.UK>

Re: Frank Senters query

>I've heard there are a couple of commercial network address
>translators
>available for those of us who were foolish enough to build extensive
>enterprise networks on non-NIC assigned addresses. Does anyone have
>any
>real-world experience with such a product? Is it possible to kludge
>such
>a product together on a commercial firewall? And lastly, is the
>cost/effort of implementing such a product <= effort of renumbering
>2k hosts?

Time for a plug here! My company markets a product known imaginatively as the Internet Translation Gateway (ITG). It has been developed by us and is currently in its second release. Right now it uses static address maps only but the next version, which is in development now, will provide dynamic maps and is scheduled for December release. If you want more info., contact andy.harris@integralis.co.uk (we are about to set up a US office but it's not on stream yet).

Finally, if you really want a translation gateway integrated with a firewall, I believe Checkpoint now include some capability in their Firewall 1 product.

PS I would not even think about re-numbering 2k hosts!

From firewalls-owner Tue Oct 3 04:30:09 1995
Message-Id: <9510031426.AA2938@notes>
To: firewalls-digest
From: Warren Moore
Date: 3 Oct 95 7:21:08 EDT
Subject: Re: How secure is a WAN then?
On Mon, 2 Oct 1995, Richard Reno wrote:

>>> My company (me.com) has offices in Europe and headquarters in the US. If we use
>>> dedicated leased lines from the US to Europe (say from AT&T or MCI), can
>>> someone in between get our data?
>>
>> Absolutely. A CO switch at one of the local phone companies in this part of
>> the country was broken into and dedicated circuits tapped and listened to.
>> Because of this recent incident, my present client's "private" T1 circuits,
>> therefore, are link-encrypted.
>>
>
> In fact there does not have to even be a breakin if there is collusion on
> the part of someone at the CO.

Correct. But the point is that there has to be either physical access (breakin) to the CO or collusion on the part of telco employees... (unless, of course, someone has been stupid enough to *not* guard the OEM port on a switch). And, while both have happened, it is a far less likely happenstance than you might think; at least, in the USofA. (Of course, paranoia keeps us in business.)

Then again, if you're dealing with some other nation's PTT, who knows? There are a lot of published reports claiming that certain overseas telcos *routinely* intercept voice/data/fax on the behalf of their governments, who then provide what they see fit to their business entities. (And I can damn-near guarantee that this is true.)

Encryption Anyone?

Warren S. Moore, CISSP
Information Security Specialist
Cincinnati Bell Information Systems Inc.
From firewalls-owner Tue Oct 3 04:52:59 1995
Date: Tue, 03 Oct 95 07:44:52 EST
From: "Daniel Dutch"
Message-Id: <9509038127.AA812731523@PO2.VRINET.COM>
To: avalon@coombs.anu.edu.au, Larry Helber
Cc: Firewalls@GreatCircle.COM
Subject: Re[2]: Firewall-1: Patent-pending ?

I know this is getting off the topic of firewalls but there is legislation going before the house this week that will change this.

-Info will be disclosed 18 months after the application is filed, period.
-Patent will be good 20 years from date of application, not date of patent issue. (Previously, it was 17 years from date of issue.)

-Daniel Dutch

-------

>patent pending then you will not get any information out of the patent
>office. A patent number and the information contained in the submitted
>documents does not have to be disclosed until the patent is approved. Also a
>pending patent may be amended so that it will defer the issue date of the
>patent. As long as you keep updating the patent on a yearly basis your
>patent will never get issued.
>
>
>This might be stretching the charter a bit...
>
>In the advertising material for Checkpoint's Firewall-1 (version 1.2)
>which I picked up recently, there are two mentions of "patent pending".
>
>There is NO mention of any application numbers that I can find or any
>further information on this.
>
>Having sent e-mail to checkpoint last week and having received no reply
>(surprised - NOT) I'm wondering if this is just a game.
>
>Can anyone provide some more information about the pending patents, such
>as application numbers or the applications themselves ?
>
>Thanks,
>Darren
>
>

From firewalls-owner Tue Oct 3 06:23:35 1995
Message-Id: <9510031241.AA10278@tis.com>
Date: Tue, 03 Oct 1995 08:42:43 -0400
To: Tham Huei Hwan , Marcus Antonio - Projeto ISODE
From: Frederick M Avolio
Subject: Re: Public Domain FireWall Software
Cc: FireWalls

The TIS Internet Firewall Toolkit is freely available, licensed code. It is available at ftp.tis.com. It is not public domain, however. Please read the license agreement.
Fred

At 08:20 AM 10/3/95 +0800, Tham Huei Hwan wrote:
>Hi,
>
>You can obtain fwtk(firewalls tool kit) from ftp.tis.com
>
>
>On Fri, 29 Sep 1995, Marcus Antonio - Projeto ISODE wrote:
>
>>
>> Hello FireWalls
>>
>> My name's Marcus Antonio, and I'm a Computer Science student at
>> Brasil, and I have to implement a network security system. I'd like to know
>> how can I get some public domain FireWall software. I work with AIX system.
>> Any information would be very important.
>>
>> Thank you very much...
>>
>> Marcus Antonio Almeida Rodrigues
>>
>> UECE
>> Universidade Estadual do Ceara'
>>
>> LAR
>> Laboratorio Multiinstitucional de Redes e Sistemas Distribuidos
>>
>> e-Mail:marcus@fortal.uece.br
>> URL: http://www.uece.br/~marcus/
>

From firewalls-owner Tue Oct 3 06:30:02 1995
Date: Tue, 3 Oct 95 08:46:36 EDT
From: hhs@teleoscom.com (Chip Sharp X-6424)
Message-Id: <9510031246.AA03079@teleoscom.com>
To: Firewalls@GreatCircle.COM
In-Reply-To: firewalls-digest-owner@GreatCircle.COM's message of Mon, 2 Oct 1995 13:06:22 -0700 <199510022006.NAA03945@miles.greatcircle.com>
Subject: Re: How secure is a WAN then?

>From: Richard Reno
>In fact there does not have to even be a breakin if there is collusion
>on the part of someone at the CO.

Long ago ... In one of our current spate of "Telecom Reform" laws, the FBI put in a requirement that all CO's have a "wiretap" port that would allow them to wiretap all digital calls. Theoretically, they are supposed to have a court order before doing so ;-).

=======================================================================
Hascall H. ("Chip") Sharp
Sr. Systems Engineer
Teleos Communications, Inc.
2 Meridian Road
Eatontown, NJ 07724 USA
voice: +1 908 544 6424   fax: +1 908 544 9890
email: hhs@teleoscom.com   web: http://www.teleoscom.com/
========================================================================

From firewalls-owner Tue Oct 3 07:23:18 1995
Message-Id: <199510031403.HAA12005@miles.greatcircle.com>
From: Darren Reed
Subject: named on port > 1023 ?
To: Firewalls@GreatCircle.COM (Firewalls Mailing List)
Date: Wed, 4 Oct 1995 00:01:09 +1000 (EST)

Does anyone run named on a port > 1023 as a non-root user ?

From the 4.9.3 BETA26 man page:

...
     -p   Use nonstandard port numbers. The default is the standard port
          number as returned by getservbyname(3) for service ``domain''.
          The argument can specify two port numbers separated by a slash
          (``/'') in which case the first port is that used when
          contacting remote servers, and the second one is the service
          port bound by the local instance of named. This is used mostly
          for debugging purposes.

...

Of course, how does one fix it so things work normally? Need to relay TCP port 53 -> your DNS port, and then a fairly intelligent program (could be spawned by inetd but!) which received packets on port 53, kept some state info about the packet and the DNS request and then made a new request (recording the matching information with the incoming one) to the name server on the non standard port. The UDP bit is probably the most complicated.

Has anyone done this or tried? Anticipated problems?

darren

From firewalls-owner Tue Oct 3 07:24:20 1995
Date: Tue, 3 Oct 95 09:44:36 -0400
Message-Id: <9510031344.AA28117@uvs1.orl.mmc.com>
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com
Subject: Re: Encryption strength

Ian J-B's excellent post raises a number of issues concerning security in general. Having been exposed to a KW-26 back in 196 I have been around it for longer than many here have been alive & have become somewhat opinionated on the subject.
Now I do not think for a minute in "encrypt everything and you do not need a firewall" being a disbeliever in single layer solutions. It is a valuable defense, potentially stronger than anything we have today, but enforces confidentiality and integrity (trustability) only, it does nothing for the availability issue and is subject to all manner of attacks (man-in-the-middle being the most difficult to protect against). Further, key management is a perennial problem. "How is that first secure link established?" is a chicken and the egg kind of problem. Today out-of-channel is the most popular answer as demonstrated by Netscape but is either a logistical nightmare or potential weakness. (It might be cheaper to buy VeriSign than to break their certificates).

For all of that, I believe that good encryption will be the element that begins to make our jobs easier, both via creation of secure links between Firewalls/Enterprises and through double wrapping at the application level. We also must realize that strengthening electronic security will also increase attacks at the physical and human level and must prepare for that as well.

Finally, I believe that after a lot of handwaving and rhetoric, governments are going to realize that while laws regulating encryption can be passed (sovereign rights), they cannot effectively be enforced for the very reasons that we have just been discussing concerning blocking of E-Mail. In order to prosecute a violation, in most democracies it will first be necessary to prove that encryption was used. Though easy to do today, it is trivial to make difficult (see Steganography). Once one government accepts this fact, it will be easier for others. I expect this will happen in Europe (The Netherlands ?) first. And then we will see an avalanche of products. The technology is easy and well known.
A final note: governments have already admitted compliance with the needs/wishes of multinational corporations (most financial transactions are exempt from ITAR for example). Once the major corporations of the world decide they need strong crypto, it will happen (and already is).

Warmly,
Padgett

From firewalls-owner Tue Oct 3 08:25:51 1995
From: carson@lehman.com
Date: Tue, 3 Oct 1995 11:14:04 -0400
Message-Id: <9510031514.AA04489@dragon.lehman.com>
To: peter@nmti.com (Peter da Silva)
Cc: rik@spirit.com, Firewalls@GreatCircle.COM
Subject: Re: CERT and Firewalls BOFs
In-Reply-To: <9509281542.AA04617@sonic.nmti.com.nmti.com>
References: <199509270045.RAA01228@apache.spirit.com> <9509281542.AA04617@sonic.nmti.com.nmti.com>
Reply-To: carson@lehman.com

> Carson asked the audience [about 110 persons] if he should rewrite the
> ftp-gw proxy, part of the Firewall Toolkit, to do passive ftp? Or
> should he work with Brimstone SOS [which also has a license similar to
> TIS for their proxies, but fewer services], because the code quality is
> better.
> Why can't he just use whichever proxies he wants. They won't wake up and
> go "Ick, Freestone, I'm outta here!"...

While I could use anything I want to, I'd like to contribute my code back to the community. There are a fairly large number of folks using my TIS patches, particularly the ftp PASV support. I had intended a straw poll to see how many folks' lives would be made less spiffy if I stopped my work on the fwtk and went to a different code base. I, as usual, managed to put my foot in my mouth and irritate (at least) Marcus - not my intent at all.

My current plans are to add the PORT <-> PASV code to the fwtk, and then stop work on it (barring any new surprises like the syslog nastiness). After that I'll be doing a proof-of-concept implementation of an application proxy in Java to see what problems (if any) I'll encounter. In theory, it should eliminate vast numbers of opportunities to screw up - particularly buffer overruns. If I'm a _really_ good boy, I'll even try and write a paper on the results (performance, implementation difficulty, security, etc.). Of course, I may get lazy/busy, so no promises that I'll finish and please don't bother to ask me how it's going - I'll let y'all know when I have anything even vaguely presentable.
--
Carson Gaspar -- carson@cs.columbia.edu carson@lehman.com

From firewalls-owner Tue Oct 3 09:00:48 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA14543 for firewalls-outgoing; Tue, 3 Oct 1995 08:43:05 -0700
Received: from psyche.the-wire.com (psyche.the-wire.com [198.53.192.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA14534 for ; Tue, 3 Oct 1995 08:42:58 -0700
Received: from anton.the-wire.com (anton.the-wire.com [198.53.192.186]) by psyche.the-wire.com (8.6.10/8.6.9) with SMTP id LAA00704 for ; Tue, 3 Oct 1995 11:41:13 -0400
Date: Tue, 3 Oct 1995 11:41:13 -0400
Message-Id: <199510031541.LAA00704@psyche.the-wire.com>
X-Sender: anton@the-wire.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.COM
From: Anton J Aylward
Subject: Re: Web Browser Test -- WHAT!!!!
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Date: 02 Oct 1995 17:03:55 -0700
>From: Jacob Hinther
>To: Firewalls
>Subject: Web Browser Test
>Sender: firewalls-owner@GreatCircle.COM
>
>Test your web browser!
>
> http://www.c2.org/
> http://www.c2.org/hackmsoft/
> http://www.c2.org/hacknetscape/
>
>Jake
>

Er, without some idea of what this does, I'd rather not. How do I know this isn't some kind of bomb which will hit a bug (!?!) in Netscape which will do strange things with my files or configuration? We've thrashed the WordVirus, couldn't this be something of the same ilk?

Jake - whoever you are - if you really want us to try this, explain what it does, why it does it, and why you are presenting it to us. Without some credentials this just stirs our - well MY - paranoia. Like the mail address and the URL being so different, and the URL being a '.org' rather than a well known site.
/anton - from paranoia city -- Anton J Aylward The Strahn and Strachan Group Inc Information Security Consultants Voice: (416) 494-8661 Fax: (416) 494-8803 From firewalls-owner Tue Oct 3 11:22:38 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA18001 for firewalls-outgoing; Tue, 3 Oct 1995 11:01:07 -0700 Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA17987 for ; Tue, 3 Oct 1995 11:01:03 -0700 From: /G=BECKY/S=HEROLD@mhs-pfg1.attmail.com Received: from alau.al.mt.np.els-gms.att.net by relay3.UU.NET with SMTP id QQzjwp07058; Tue, 3 Oct 1995 13:59:21 -0400 Received: from mhs!pfg1 by /C=US/AD=ATTMAIL;Tue Oct 3 17:57:16 -0000 1995 Received: by /C=us/AD=attmail/PD=pfg1;Tue Oct 3 12:25:34 -0500 1995 Date: Tue, 03 Oct 1995 12:25:34 -0500 Transport-Options: /STANDARD/REPORT Original-Encoding-Types: ASCII Disclose-Recipients: yes Subject: fax server security P2-Originator: mhs!pfg1/G=BECKY/S=HEROLD To: firewalls@greatcircle.com, /G=BECKY/S=HEROLD@mhs-pfg1.attmail.com Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Message-ID: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This topic is marginally related to firewalls. Please excuse this not-so-appropriate posting, but I've posted this to several other security-related lists over the past couple of weeks and I've not had a single reply. With the vast amount of knowledge in the readership of this list, I'm hopeful someone reading this message can help me out. We're in the test/pilot stages of installing fax servers on our network. We're looking at the Cheyenne FAXserve product running on Netware 3.12 for a limited number of employees. Is anyone aware of any risks for unauthorized access by using the fax only boards within the system? Is it possible to hack through these specialized modems into our network? 
Would it be possible for someone to send an executable file of any kind through the board to any of our networked computer systems? Should we put a firewall in front of these fax servers?

Thanks in advance for your thoughts/information!

Becky Herold
Sr. Systems Analyst, Information Protection
The Principal Financial Group
515-248-8521
herold.becky@MHS-PFG1.attmail.com
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The opinions presented in this message are my own and do not necessarily
represent the opinions of The Principal Financial Group.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

From firewalls-owner Tue Oct 3 11:30:19 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA18286 for firewalls-outgoing; Tue, 3 Oct 1995 11:13:27 -0700
Received: from real.com (eagle.real.com [199.97.122.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA18262 for ; Tue, 3 Oct 1995 11:13:19 -0700
Date: Tue, 3 Oct 1995 18:13:42 GMT
From: bret@real.com (Bret McDanel)
Received: by real.com (8.6.12/3.2.012693-Realistic Technologies Inc); id SAA06082 for firewalls@greatcircle.com; Tue, 3 Oct 1995 18:13:42 GMT
Message-Id: <199510031813.SAA06082@real.com>
To: firewalls@greatcircle.com
Subject: Re: Web Browser Test -- WHAT!!!!
Content-Type: X-sun-attachment
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

----------
X-Sun-Data-Type: text
X-Sun-Data-Description: text
X-Sun-Data-Name: text
X-Sun-Charset: us-ascii
X-Sun-Content-Lines: 41

>
> Er, without some idea of what this does, I'd rather not.
> How do I know this isn't some kind of bomb which will hit a bug (!?!) in
> Netscape
> which will do strange things with my files or configuration?
>

Can you not telnet to port 80 of his machine, issue a few commands, and get the HTML right to your screen, where it's harmless?

I did and read in it, and it's a memory leak (just a guess) in Netscape (lynx didn't crash on the long hostnames).. All it is is a hostname about 512 bytes long.. That causes an overflow of the buffer (so in theory you could play games with the stack and have their program execute commands, after all Netscape has a habit of telling what OS it comes from when it connects).. Also, following one of the links I found a bunch of discussion about that hole, and about the seed for the random number generator.. There is even a C file with an exploit somewhere on the links (the link goes to France, and that is all I remember).

> Jake - whoever you are - if you really want us to try this, explain what it
> does, why it does it,
> and why you are presenting it to us. Without some credentials this just
> stirs our - well MY - paranoia.

If you are paranoid, perhaps you should take a couple of precautions (like telnetting to the port and reading the HTML, then see if it will exploit anything other than a core dump).. Inaction may mean that you never learn what is going on (and don't get the patch which is available at that site too)..

For all those that want to telnet to an URL but don't know how (so that you can verify data like this in the future) I included a simple program that will do this..

----------
X-Sun-Data-Type: c-file
X-Sun-Data-Description: c-file
X-Sun-Data-Name: webthief.c
X-Sun-Charset: us-ascii
X-Sun-Content-Lines: 86

/* This program allows you to connect to a WWW site, and get a specific HTML
 * (note this program won't get the cgi, only its output)..
 * I don't know what value or use it may have for anyone, but hey, it's
 * a fairly simple program..
 * No warranty is implied, no guarantee of any kind is implied, etc..
 * All that other standard disclaimer stuff too
 * Just in case that isn't enough USE AT OWN RISK :)
 *
 * I made it so that the HTML goes out on stdout, and the messages go
 * on stderr, so simple redirecting will enable you to save an HTML to
 * a file..
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/* Resolve host (dotted quad or name), connect to port, return the socket. */
int bindsocket(int port, char *host)
{
    int s;
    in_addr_t address;
    struct sockaddr_in sin;
    struct hostent *hp;

    memset(&sin, 0, sizeof sin);
    if ((address = inet_addr(host)) == INADDR_NONE) {
        /* not a dotted quad: look the name up */
        if ((hp = gethostbyname(host)) == NULL) {
            fprintf(stderr, "%s: address unknown or unparsable\n", host);
            exit(1);
        }
        memcpy(&sin.sin_addr, hp->h_addr_list[0], hp->h_length);
    } else
        memcpy(&sin.sin_addr, &address, sizeof address);
    if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        perror("socket");
        exit(1);
    }
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    fprintf(stderr, "Connecting to %s on port %d...\n", host, port);
    if (connect(s, (struct sockaddr *)&sin, sizeof sin) < 0) {
        perror("connect");
        exit(1);
    }
    fprintf(stderr, "Connected!\n");
    return s;
}

int main(int argc, char **argv)
{
    int port = 80, s;
    ssize_t n;
    char line[2048];

    if (argc < 3 || argc > 4) {
        fprintf(stderr, "Usage: %s machine html [port]\n", argv[0]);
        exit(1);
    }
    if (argc == 4)
        port = atoi(argv[3]);
    s = bindsocket(port, argv[1]);
    /* HTTP/1.0 request: header lines end in CRLF, a blank line ends the request */
    snprintf(line, sizeof line,
             "GET %s HTTP/1.0\r\n"
             "User-Agent: Mozilla/1.1N (X11; I; webthief 1.0 unix)\r\n"
             "Accept: */*\r\n"
             "Accept: image/gif\r\n"
             "Accept: image/x-xbitmap\r\n"
             "Accept: image/jpeg\r\n\r\n", argv[2]);
    write(s, line, strlen(line));
    /* copy the reply (headers and body) to stdout until the server closes;
     * write exactly the bytes read, so a NUL byte or a full buffer can't
     * truncate the output the way printf("%s") on an unterminated buffer did */
    while ((n = read(s, line, sizeof line)) > 0)
        fwrite(line, 1, n, stdout);
    if (n < 0)
        perror("read");
    close(s);
    fprintf(stderr, "All done!\n");
    return 0;
}

From firewalls-owner Tue Oct 3 11:52:45 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA18592 for firewalls-outgoing; Tue, 3 Oct 1995 11:26:53 -0700
Received: from safety.worldcom.com (safety.worldcom.com [198.64.193.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA18585 for ; Tue, 3 Oct 1995 11:26:50 -0700
Received: (from smtp@localhost) by safety.worldcom.com (8.6.11/8.6.9) id NAA12827 for ; Tue, 3 Oct 1995 13:21:51 -0500
Received: from worldcom-45.worldcom.com(198.64.193.76) by safety.worldcom.com via smap (V1.3) id sma012773; Tue Oct 3 13:21:18 1995
Received: by worldcom-45.worldcom.com (IBM OS/2 SENDMAIL VERSION 1.3.14/3.3) id AA3202; Tue, 03 Oct 95 13:22:13 -0400
Message-Id: <9510031722.AA3202@worldcom-45.worldcom.com>
Received: from worldcom with "Lotus Notes Mail Gateway for SMTP" id C066A24E339FBE7C8625624A0064BF9C; Tue, 3 Oct 95 13:22:13
To: firewalls
From: Joseph Urban
Date: 3 Oct 95 14:12:00
Subject: -No Subject-
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

sunscribe firewalls-digest

From firewalls-owner Tue Oct 3 12:01:54 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA18961 for firewalls-outgoing; Tue, 3 Oct 1995 11:47:46 -0700
Received: from gate.vegas.com (gate.vegas.com [199.182.236.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA18954 for ; Tue, 3 Oct 1995 11:47:43 -0700
From: oddboy@vegas.com
Received: by gate.vegas.com (5.x/SMI-SVR4) id AA13775; Tue, 3 Oct 1995 11:42:44 -0700
Date: Tue, 3 Oct 1995 11:42:44 -0700
Message-Id: <9510031842.AA13775@gate.vegas.com>
To: firewalls@greatcircle.com
Subject: IRC
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I find myself in the position of having to put up a private IRC server (private being not connected to either Undernet or Efnet). Basically this is to allow "chat" forums for a few of my clients. I would like to make these chat lines live outside of my firewall (and plan on it) but am curious what I should watch out for in terms of folks being able to hack through and into an OS. (I run Solaris 2.4 but I think the IRC server will run on a DEC box running OSF/DecUnix.) Any and all info will be greatly appreciated.
Gideon Wober Systems Administrator Digitainment Corporation From firewalls-owner Tue Oct 3 12:24:19 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA19895 for firewalls-outgoing; Tue, 3 Oct 1995 12:10:53 -0700 Received: from Heuristicrat.COM (Heuristicrat.COM [199.171.120.16]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA19888 for ; Tue, 3 Oct 1995 12:10:50 -0700 Received: (smap@localhost) by Heuristicrat.COM (8.6.11/8.6.5) id MAA06269; Tue, 3 Oct 1995 12:09:21 -0700 Received: from euclid.heuristicrat.com(199.171.121.3) by Heuristicrat.COM via smap (V1.3) id sma006267; Tue Oct 3 12:09:17 1995 Received: from shattuck.Heuristicrat.COM by euclid.Heuristicrat.COM (4.1/Othar) id AA16654; Tue, 3 Oct 95 12:09:16 PDT Date: Tue, 3 Oct 95 12:09:16 PDT From: jordan@Heuristicrat.COM (Jordan M. Hayes) Message-Id: <9510031909.AA16654@euclid.Heuristicrat.COM> To: firewalls@GreatCircle.COM Subject: FLEXlm with proxy ...? Cc: fwtk-users@TIS.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Anyone built a FLEXlm proxy for FWTK? 
/jordan

From firewalls-owner Tue Oct 3 12:30:00 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA20009 for firewalls-outgoing; Tue, 3 Oct 1995 12:12:42 -0700
Received: from dns.eng.auburn.edu (dns.eng.auburn.edu [131.204.10.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA19984 for ; Tue, 3 Oct 1995 12:12:33 -0700
Received: from netman.eng.auburn.edu (20663@netman.eng.auburn.edu [131.204.12.24]) by dns.eng.auburn.edu (8.6.12/8.6.4) with ESMTP id NAA26615; Tue, 3 Oct 1995 13:43:00 -0500
From: Doug Hughes
Received: from localhost (doug@localhost) by netman.eng.auburn.edu (8.6.4/8.6.4) id NAA15266; Tue, 3 Oct 1995 13:42:56 -0500
Date: Tue, 3 Oct 1995 13:42:56 -0500
Subject: Re: NFS
To: reg@dwf.com
Cc: firewalls@greatcircle.com
Message-Id:
In-Reply-To: <199510030811.CAA03698@clemens.dwf.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>I am sure that this topic has been beaten to death, so if someone would
>just point me at the discussion (or tell me that there is no solution)
>I would be happy to take it from there. I remember reading a paper a
>couple years ago describing why NFS could never be made secure, but for
>the life of me I can't seem to find it now.
>
>The problem is SUN's NFS under SUNOS 4.1.3/4. I have a server with a half
>dozen file systems that are exported read-only to all the other machines
>in the domain. I would like to restrict their mounting to machines within
>the domain while maintaining connectivity to the outside world.
>SUN's software does not support this option, it only allows specifying
>specific machine names, and the list of *all* machine names overflows
>some internal limit in SUN's software.
>
>[ The machine uses DNS and not YP, it is rumored that possibly with YP one
>can get by this limit, but I have no interest in adding YP to my list of
>problems. ]
>
>So, the Questions
>
> (1) WITHOUT resorting to a firewall, is there any way to accomplish
>what I want to do?
>
> (2) If not, can it be done with a `simple' packet filter, or does it
>require a full blown firewall?
>
>
> Reg.Clemens
> clemens@dwf.com
>
>

Without necessarily resorting to a firewall, you can have your router to the outside world block:

 port 2049/udp - NFS
 port 111 udp/tcp - Sun RPC
 source routed packets
 outside packets with internal IP source addresses (IP spoofing)

This helps prevent a great deal of the most common attacks on NFS by preventing it getting outside your domain at the interface to the Internet. Also, installing the replacement tcp_wrappered version of portmap on your NFS servers from ftp.win.tue.nl is a good thing to do. This way you can limit what networks are able to send RPC requests to your server.

--
____________________________________________________________________________
Doug Hughes                                   Engineering Network Services
System/Net Admin                              Auburn University
doug@eng.auburn.edu
Apple T-shirt on Win95 - "Been there, done that"

From firewalls-owner Tue Oct 3 14:21:21 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA23435 for firewalls-outgoing; Tue, 3 Oct 1995 13:47:43 -0700
Received: from ns.via.net (ns.via.net [140.174.204.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA23422 for ; Tue, 3 Oct 1995 13:47:38 -0700
Received: (from joe@localhost) by ns.via.net (8.6.9/8.6.9) id NAA07589 for firewalls@GreatCircle.COM; Tue, 3 Oct 1995 13:46:08 -0700
Date: Tue, 3 Oct 1995 13:46:08 -0700
From: Joe McGuckin
Message-Id: <199510032046.NAA07589@ns.via.net>
To: firewalls@GreatCircle.COM
Subject: Need Windows FTP client source
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I need a windows FTP client that can do SNK authentication. I want to use it with the FWTK ftp-gw proxy.
The problem is that most of the gui based windows FTP clients don't have a command line or a logging window to view status messages, etc. Any suggestions? -joe From firewalls-owner Tue Oct 3 14:21:39 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA23387 for firewalls-outgoing; Tue, 3 Oct 1995 13:45:58 -0700 Received: from gateway.sctc.com (gateway.sctc.com [192.55.214.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA23371 for ; Tue, 3 Oct 1995 13:45:43 -0700 Received: from sccmailhost.sctc.com (sccmailhost.sctc.com [192.55.214.100]) by gateway.sctc.com (8.6.10/8.6.9) with SMTP id PAA17754; Tue, 3 Oct 1995 15:46:35 -0500 Received: from sccmailhost.sctc.com by sccmailhost.sctc.com id 091390000; 3 Oct 95 16:44 CDT Received: from sctc.com by sccmailhost.sctc.com id 276510000; 3 Oct 95 16:43 CDT Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by spirit.sctc.com (8.6.12/8.6.10) with ESMTP id PAA01419; Tue, 3 Oct 1995 15:43:28 -0500 Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id PAA11874; Tue, 3 Oct 1995 15:43:26 -0500 Date: Tue, 3 Oct 1995 15:43:26 -0500 From: Rick Smith Message-Id: <199510032043.PAA11874@shade.sctc.com> To: firewalls@greatcircle.com Cc: glenn@border.com, smith@sctc.com Subject: Borderware (was: Information, We want information) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Glenn Mackintosh writes: >This is the second time I've heard rumors about insecurities in the >BorderWare software with nothing being brought out to substantiate them. I >guess this is just an unfortunate part of doing business - especially in the >security domain. I get a bit annoyed by this kind of thing since, >regardless of whether we refute such comments, after the discussion itself >is forgotten people will often remember that they heard something about a >problem with product X. 
The Internet giveth just as it taketh away -- people post unsubstantiated rumors as quickly as any of us can post denials.

Now, to a technical question:

>.... That said, Border doesn't use a stock BSD based OS anyway. We
>have put a large amount of effort into "hardening" the kernel so that it is
>a solid base upon which to build a secure firewall. ... [snip] ....
>We spent a considerable amount of manpower stripping down the kernel and
>leaving only what was really needed. We removed the mechanisms which can be
>used to gain privilege or increase the levels of access to the system.

So, the "hardening" of the Borderware kernel consists primarily of eliminating unnecessary portions of the BSD kernel, correct? This is not intended as a "leading question" from a competitor, just an attempt to clearly understand what Borderware has done.

Rick.
smith@sctc.com
secure computing corporation

From firewalls-owner Tue Oct 3 15:52:50 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA27309 for firewalls-outgoing; Tue, 3 Oct 1995 15:38:44 -0700
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id PAA27302 for ; Tue, 3 Oct 1995 15:38:40 -0700
Received: from pm3-17.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA29112; Tue, 3 Oct 95 17:35:21 -0400
Date: Tue, 3 Oct 95 17:35:21 -0400
Message-Id: <9510032135.AA29112@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: frankw@in.net (Frank Willoughby)
Subject: Re: Encryption strength
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>From padgett's excellent mail:

>Further, key management is a perennial problem. "How is that first secure
>link established ?" is a chicken and the egg kind of problem. Today
>out-of-channel is the most popular answer as demonstrated by Netscape but is
>either a logistical nightmare or potential weakness. (It might be cheaper to
>buy ViaSign than to break their certificates).

Actually, the key management problem was solved by V-ONE a couple of years ago. (V-ONE is a firewall vendor).

After the host & the firewall have mutually authenticated themselves to each other (to prevent node spoofing), the entire session is encrypted - with each session having a *different* (unique) encryption key.

Individual files can also be encrypted using user-friendly "drag & drop" encryption - with the encrypted file having a *different* key than is used to encrypt the link between the user & the firewall. (The above applies to firewall-to-firewall communications also).

BTW, the end-to-end encryption should put an end to the "terminal session hijacking".

Eventually, other firewalls will incorporate similar technologies. Any firewall manufacturer that intends to stay in the field for the long run will have to incorporate extensive authentication & encryption mechanisms - just to stay in business.

>For all of that, I believe that good encryption will be the element that
>begins to make our jobs easier, both via creation of secure links between
>Firewalls/Enterprises and through double wrapping at the application level.

I couldn't agree more.
> Warmly, > Padgett Best Regards, Frank From firewalls-owner Tue Oct 3 16:23:34 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA28611 for firewalls-outgoing; Tue, 3 Oct 1995 16:05:44 -0700 Received: from folio.com (smtpgate.folio.com [198.60.24.58]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA28604 for ; Tue, 3 Oct 1995 16:05:41 -0700 From: RTATE@folio.com Received: from FOLIO_PRIMARY_DOMAIN-Message_Server by folio.com with WordPerfect_Office; Tue, 03 Oct 1995 17:07:44 -0600 Message-Id: X-Mailer: WordPerfect Office 4.0 Date: Tue, 03 Oct 1995 17:05:45 -0600 To: firewalls@greatcircle.com Subject: Borderware vs. Firewall-1 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ** Low Priority ** I am in the process of purchasing a firewall package for the company I work for. I have narrowed my choices down to Borderware and Firewall-1. Which is a better choice, and why? Is there another package out there that is better I may not have seen? Thanks in advance for responses!! Please reply to: rtate@folio.com Robert Tate Sr. Network Technician Folio Corporation Thanks robert From firewalls-owner Tue Oct 3 18:23:53 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA02534 for firewalls-outgoing; Tue, 3 Oct 1995 18:07:13 -0700 Received: from vision.postech.ac.kr (vision.postech.ac.kr [141.223.1.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id SAA02527 for ; Tue, 3 Oct 1995 18:06:57 -0700 Received: (from rhee@localhost) by vision.postech.ac.kr (8.6.12H1/8.6.12) id KAA17605; Wed, 4 Oct 1995 10:01:04 +0900 From: Snow-Flower Message-Id: <199510040101.KAA17605@vision.postech.ac.kr> Subject: Exact format for subscribing the info security list. 
To: Firewalls@GreatCircle.COM
Date: Wed, 4 Oct 1995 10:01:03 +0900 (JST)
Cc: rhee@vision.postech.ac.kr (Flower)
X-Mailer: ELM [version 2.4 PL21-h4]
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-2022-kr
Content-Transfer-Encoding: 7bit
Content-Length: 1029
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi, sir.

I'd like to know what the exact format is for subscribing to the info security list. I've tried to send a subscription message to LISTSERV@ETSUADMN.ETSU.EDU several times and failed.

Message body was .........

subscribe Young Rhee

Please let me know. Thanks in advance.

rhee@vision.postech.ac.kr

o----o----o-----o----o----o----o----o----o----o----o----o----o----o----o----o
Young Rhee (Snow-Flower)      Computer Center
      *          Pohang Institute of Science and Technology
      |          P.O.Box 125
      |          Pohang,Kyungbuk 790-600
      x          E-mail : rhee@vision.postech.ac.kr
     xxx         Phone  : +82-0562-279-2529
   xxxxxxx       Fax    : +82-0562-279-2599
xxxxxxxxxxxxxxx
o----o----o----o----o----o----o----o----o----o----o-----o-----o----o----o----o

From firewalls-owner Tue Oct 3 19:22:40 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA03616 for firewalls-outgoing; Tue, 3 Oct 1995 19:12:29 -0700
Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id TAA03609 for ; Tue, 3 Oct 1995 19:12:25 -0700
Date: Tue, 3 Oct 1995 22:10:58 -0400 (EDT)
From: "A. Padgett Peterson, P.E. Information Security"
To: firewalls@greatcircle.com
Message-Id: <951003221058.21058735@hobbes.orl.mmc.com>
Subject: re: Encryption strength
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Frank rites:

>Actually, the key management problem was solved by V-ONE a couple of years
>ago. (V-ONE is a firewall vendor).

>After the host & the firewall have mutually authenticated themselves to each
>other (to prevent node spoofing), the entire session is encrypted - with each
>session having a *different* (unique) encryption key.
Sounds wonderful but pray tell *how* do they authenticate each other ? Out-of-channel ? Nice thing about the Netscape reversal of the traditional mechanism is that a secure channel is created *before* any trust is exchanged. Given that, traditional means of authentication are possible without worry of sniffing. Spoofing yes, but not sniffing and us aunchient mainframers know how to handle spoofing 8*).

Warmly,
Padgett

ps had an interesting conversation with the NSA today in which I was told that it is OK to explain why the right side of a KW-26 card case has all them little dents - of course you will have to be shot afterwards...

From firewalls-owner Tue Oct 3 19:52:40 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA03859 for firewalls-outgoing; Tue, 3 Oct 1995 19:33:01 -0700
Received: from aurora.cdev.com (aurorax.cdev.com [160.207.114.200]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id TAA03852 for ; Tue, 3 Oct 1995 19:32:57 -0700
Message-Id: <199510040232.TAA03852@miles.greatcircle.com>
Received: from cdicisco8.cdev.com by aurora.cdev.com id SMTP-0013071f24d019269; Tue, 3 Oct 95 21:32:48 -0500
X-Sender: djs3wn39@aurora.cdev.com
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 03 Oct 1995 18:19:14 -0700
To: firewalls-digest@GreatCircle.COM
From: Donald.J.Smith@.cdev.com (Donald J Smith)
Subject: re re nfs
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>From: David Brownlee
>Date: Tue, 3 Oct 1995 10:55:04 +0100 (BST)
>Subject: Re: NFS
>
>On Tue, 3 Oct 1995, Reg Clemens wrote:
>
>> [...]
>>
>> The problem is SUN's NFS under SUNOS 4.1.3/4. I have a server with a half
>> dozen file systems that are exported read-only to all the other machines
>> in the domain. I would like to restrict their mounting to machines within
>> the domain while maintaining connectivity to the outside world.
>> SUN's software does not support this option, it only allows specifying
>> specific machine names, and the list of *all* machine names overflows
>> some internal limit in SUN's software.
>>
>> [...]
>
> Replace the innetgr.c in libc.so with a non broken version.
> (I have a non broken version I can mail on request)
> I did that here & happily exported to ~200 machines (with FQDN) from
> SunOS 4.1.3 & 4.1.4. More recently I've replaced SunOS with NetBSD
> which gets it right without any help (And has a _much_ better
> /etc/exports syntax - I can export to 138.40.X.X easily, and map all
> uids (not just root) to a given uid & other nice things too).
>
>
> David/abs
>
> D.K.Brownlee@city.ac.uk (MIME) +44 171 477 8186 {post,host}master (abs)
>Network Analyst, UCS, City University, Northampton Square, London EC1V 0HB.
> <<< Monochrome - Largest UK Internet BBS - telnet mono.org >>>
>>=- Microsoft: Abort and Retry Cancel -or- NetBSD: http://www.netbsd.org -=<
>
>
>-----

You can also chain netgroups, but without that firewall (one that, as a minimum, prevents spoofing of internal IP addresses) it is all for naught. Someone comes in as a legal address and your hole (yes that is spelled correctly) is shot.
Donald J Smith
Network Security Engineer @Computing Devices International
"@begin design in the security and ease_of_use != A*(1/Data_Security)"
(my opinions are mine and so are the spelling errors ;-)

From firewalls-owner Tue Oct 3 20:00:00 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA03893 for firewalls-outgoing; Tue, 3 Oct 1995 19:34:41 -0700
Received: from gw2.att.com (gw2.att.com [192.20.239.134]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id TAA03886 for ; Tue, 3 Oct 1995 19:34:38 -0700
Received: from vodka.sse.att.com by ig1.att.att.com id AA13463; Tue, 3 Oct 95 08:52:59 EDT
Message-Id: <9510031252.AA13463@ig1.att.att.com>
From: mdr@vodka.sse.att.com
Subject: Re: Mail Proxy
To: long-morrow@CS.YALE.EDU
Date: Tue, 3 Oct 1995 08:54:35 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199510021459.KAA26661@SPARKY.CF.CS.YALE.EDU> from "long-morrow@CS.YALE.EDU" at Oct 2, 95 10:59:08 am
X-Mailer: ELM [version 2.4 PL23-upenn2.7]
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We've gone around this circle at least once before, coming up to two conclusions.

1) It is *impossible* to prevent a determined individual from transferring executables via email. (But you can slow them down.)

2) The vast majority of such transfers *can* be prevented by an automated program scanning for the most common forms of encoding.

Also, it is possible to virus scan the binaries that have been detected. However, general consensus is that such scanning is ineffective because it only covers one channel of binaries to the PC (floppy disks are another). Virus scanning must be done at the PC.

However, I must admit that I'd be interested in a Word document macro virus scanner :) These "executable content" vira are an interesting breed.
Mark Riggins Secure Systems Engineering AT&T Bell Labs > > Chris Tyler wrote: > > > >Slava Kritov writes: > > > >> Any uuencode ? > >> Sorry, as a sysadm of 500+ orgs can say, that people sometimes exchange > >> word docs in uuencode, and ( for Mac's ) you can't even say its word doc > >> based on name ... > > > >Right... so? The purpose was to deny all attachments, whether word DOCs or executables. So > >you look for the uuencode signature string and deny. > > But by only looking for the 'signature's of known binary encoding formats > you then open yourself up for people to create their own encoding formats > to get around your scan for, and restriction on encoded message enclosures. > > 3 possibilities for getting around a scan for known encoding signatures : > > 1. rot13 a uuencoded file before e-mailing it. Describe in the message > how to unrot13 the message before uudecoding it. > > 2. Use an (admittedly) inefficient format for encoding binary, such as: > > RAVE AFRO STUB DAM HONE HAY > CLAD WILL JOIN PET LONG WEED > ... > > The recipient will need a decoder of course. > > 3. PGP encrypt the entire message before transmitting. How will the > mail scanner know what is inside the message? Are you going to > reject all encrypted messages? I think that encrypted messages > will increasingly become the norm on the Internet as PC based > mail programs incorporate automatic easy-to-use PGP encryption. 
> > > - Morrow > > From firewalls-owner Tue Oct 3 21:00:01 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA05431 for firewalls-outgoing; Tue, 3 Oct 1995 20:52:03 -0700 Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id UAA05424 for ; Tue, 3 Oct 1995 20:52:00 -0700 Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.6.10/8.6.10) with UUCP id WAA09928 for GreatCircle.COM!firewalls; Tue, 3 Oct 1995 22:33:46 -0500 Received: by ris1.nmti.com (smail2.5) id AA18501; 3 Oct 95 19:37:40 CDT (Tue) Received: by sonic.nmti.com; id AA11758; Tue, 3 Oct 1995 20:04:29 -0500 From: peter@nmti.com (Peter da Silva) Message-Id: <9510040104.AA11758@sonic.nmti.com.nmti.com> Subject: Re: FW to FW FTP w/ no port > 1023 To: sgcccdc@citec.qld.gov.au (Colin Campbell) Date: Tue, 3 Oct 1995 20:04:28 -0500 (CDT) Cc: wbunting@ch.inri.com, firewalls@GreatCircle.COM In-Reply-To: <9510022336.AA14998@citecub.citec.qld.gov.au> from "Colin Campbell" at Oct 3, 95 09:36:16 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 341 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > 3. Do not use FTP and write a TCP application that uses only a single TCP > > port for data and control. Issues: Time + $$ no compatibility. Benefit: > > solves the problem. FSP and HTTP are both candidates for this application. And they've already been written. NNTP would work as well, and can be proxied with a simple plug gateway. 
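Mark Riggins' second conclusion in the Mail Proxy thread above (most encoded transfers can be caught by scanning for the common encodings) and the three evasions Morrow lists can be tried out on a small gateway scanner. The Python below is an added example written for this archive, not code from anyone in the thread; the signature patterns, the rot13 counter-check, and the sample messages are all constructed for the example.

```python
"""Mail-gateway content scanner (constructed example, not from the thread).

Flags the binary encodings a 1995 gateway would have looked for (uuencode,
BinHex, MIME base64, bare base64), adds the rot13 counter-check that evasion
#1 calls for, and shows that evasion #2 (a private word-list code) passes
untouched while evasion #3 (PGP) can only be queued for a human.
"""
import codecs
import re

# --- encoding signatures ----------------------------------------------------
# uuencode: "begin <octal mode> <filename>" on a line of its own
UUENCODE_BEGIN = re.compile(r"^begin [0-7]{3,4} \S", re.MULTILINE)
# BinHex 4.0 files (Mac attachments) carry this fixed banner line
BINHEX_BANNER = re.compile(r"^\(This file must be converted with BinHex", re.MULTILINE)
# MIME part declared as base64 (how a Eudora-style mailer ships a .DOC)
MIME_BASE64 = re.compile(r"^Content-Transfer-Encoding:\s*base64\b",
                         re.IGNORECASE | re.MULTILINE)
# bare base64 with no MIME header: four or more full-width base64 lines in a row
RAW_BASE64 = re.compile(r"^(?:[A-Za-z0-9+/]{60,76}\n){4,}", re.MULTILINE)
# PGP armour: the gateway cannot inspect what is inside at all
PGP_MESSAGE = re.compile(r"^-----BEGIN PGP MESSAGE-----", re.MULTILINE)


def scan_message(text):
    """Return (verdict, reason) findings for one raw message body.

    verdict is "block" for a recognised binary encoding and "review" for
    content the scanner can see is present but cannot look inside.
    """
    findings = []
    if UUENCODE_BEGIN.search(text):
        findings.append(("block", "uuencode begin line"))
    # Evasion #1 from the thread: rot13 the uuencoded file.  rot13 is a fixed
    # transform, so rotating the whole body back and re-checking catches it.
    if UUENCODE_BEGIN.search(codecs.decode(text, "rot_13")):
        findings.append(("block", "rot13-wrapped uuencode begin line"))
    if BINHEX_BANNER.search(text):
        findings.append(("block", "BinHex banner"))
    if MIME_BASE64.search(text):
        findings.append(("block", "MIME base64 body part"))
    elif RAW_BASE64.search(text):
        findings.append(("block", "unlabelled base64 block"))
    if PGP_MESSAGE.search(text):
        findings.append(("review", "PGP-encrypted body: contents not inspectable"))
    return findings


def classify(text):
    """Collapse findings to one gateway decision: "block", "review" or "pass"."""
    verdicts = {verdict for verdict, _ in scan_message(text)}
    if "block" in verdicts:
        return "block"
    if "review" in verdicts:
        return "review"
    return "pass"


# --- constructed sample messages (made up for this example) -----------------
UU_BODY = "begin 644 report.doc\nM0T]N=&5N=\n`\nend\n"
B64_LINE = "QUJD" * 16 + "\n"          # 64 base64 characters, as a mailer wraps them
SAMPLES = {
    "plain":    "Hi Bob,\nsee you at the meeting.\n",
    "uuencode": "Hi Bob, here is the file.\n" + UU_BODY,
    # evasion #1: same uuencoded file, rot13'd, with decoding instructions
    "rot13_uu": "Apply rot13 before uudecoding:\n" + codecs.encode(UU_BODY, "rot_13"),
    "mime_b64": "Content-Type: application/msword\n"
                "Content-Transfer-Encoding: base64\n\n" + B64_LINE,
    "raw_b64":  "Decode the lines below:\n" + B64_LINE * 4,
    # evasion #2: a private word-list code; nothing here resembles an encoding
    "wordlist": "RAVE AFRO STUB DAM HONE HAY\nCLAD WILL JOIN PET LONG WEED\n",
    # evasion #3: PGP; the gateway can only notice that it cannot look inside
    "pgp":      "-----BEGIN PGP MESSAGE-----\nVersion: 2.6.2\n\nhQEMA0Zz\n"
                "-----END PGP MESSAGE-----\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:9s} -> {classify(body):6s} {scan_message(body)}")
```

Run stand-alone it prints one decision per sample: the plain note and the word-list message pass, the four encoded variants are blocked, and the PGP message is handed to review. That is the thread's point in code: a signature scanner raises the cost of the common cases, and the rot13 trick is cheap to undo, but an encoding the gateway has never seen or an encrypted body leaves it with nothing to match.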
From firewalls-owner Tue Oct 3 21:22:33 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA05669 for firewalls-outgoing; Tue, 3 Oct 1995 21:09:18 -0700
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id VAA05662 for ; Tue, 3 Oct 1995 21:09:14 -0700
Received: from pm2-11.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA12903; Tue, 3 Oct 95 23:06:00 -0400
Date: Tue, 3 Oct 95 23:06:00 -0400
Message-Id: <9510040306.AA12903@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: frankw@in.net (Frank Willoughby)
Subject: re: Encryption strength
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>From the desk of Padgett:
>Frank rites:
>>Actually, the key management problem was solved by V-ONE a couple of years
>>ago. (V-ONE is a firewall vendor).
>
>>After the host & the firewall have mutually authenticated themselves to each
>>other (to prevent node spoofing), the entire session is encrypted - with each
>>session having a *different* (unique) encryption key.
>
>Sounds wonderful but pray tell *how* do they authenticate each other ? Out-
>of-channel ? Nice thing about the Netscape reversal of the traditional
>mechanism is that a secure channel is created *before* any trust is exchanged.
>Given that, traditional means of authentication are possible without worry
>of sniffing. Spoofing yes, but not sniffing and us aunchient mainframers know
>how to handle spoofing 8*).

Would it suffice to say that it was good enough for NSA - and that it is the
*only* Internet firewall used in a NSA-approved configuration? In a public
forum, this is probably all I can say.

> Warmly,
> Padgett
>
>ps had an interesting conversation with the NSA today in which I was told that
> it is OK to explain why the right side of a KW-26 card case has all them
> little dents - of course you will have to be shot afterwards...

You might also ask your contacts at the Puzzle Palace about how V-ONE does
mutual authentication.

Best Regards,

Frank

From firewalls-owner Wed Oct 4 00:32:09 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id AAA07878 for firewalls-outgoing; Wed, 4 Oct 1995 00:28:09 -0700
Received: from gw.home.vix.com (gw.home.vix.com [192.5.5.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id AAA07871 for ; Wed, 4 Oct 1995 00:28:06 -0700
Received: by gw.home.vix.com id AA28489; Wed, 4 Oct 95 00:26:39 -0700
X-Btw: vix.com is also gw.home.vix.com and vixie.sf.ca.us
Received: by wisdom.home.vix.com id AA26556; Wed, 4 Oct 1995 00:26:39 -0700
Message-Id: <9510040726.AA26556@wisdom.home.vix.com>
To: firewalls@greatcircle.com
Subject: re: network address translation
Date: Wed, 04 Oct 1995 00:26:39 -0700
From: Paul A Vixie
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I was forwarded this by a friend and asked to respond to it publicly. I am
not on the firewalls mailing list, so CC me on your reply if any.

>Frank Senter, Senior Information Specialist
>Missouri Highway and Transportation Department
>P.O. Box 270, Jefferson City MO 65102

...wrote:

>I've heard there are a couple of commercial network address translators
>available for those of us who were foolish enough to build extensive
>enterprise networks on non-NIC assigned addresses. Does anyone have any
>real-world experience with such a product?

I have heard that IBM sells a commercial product that can do this. I don't
have any experience with it, and in fact I have never heard from a non-IBM
user of it so I have no idea how well it works.
At Usenix LISA a few weeks ago in Monterey, CA, the first booth inside the
front door belonged to a company that sold NAT boxes. They appeared to be
based on some BSD flavour, and they wanted to sell hardware rather than just
a software solution. Now if I could only remember their company name. Ah,
here it is in the vendor directory included with my conference materials:
Border Network Technologies; Borderware Firewall Server; .

Last but not least, I took a stab at this a while ago but I did all the magic
in the application gateway process address space; this means the proxy gateway
is something akin to SOCKS but with a more robust protocol, listeners, round
robin'ed incoming/outgoing connections for performance and redundancy, and most
important, little or no source code modifications (I replace system calls with
library calls that have wider semantics.) I'll be giving a talk about this at
the Network Security '95 ("SANS") conference; . My software will be available
and freely redistributable shortly after I present my paper.

>Is it possible to kludge such a product together on a commercial firewall?

That depends. If you chose a network that RFC 1597 set aside for private
networks, or you know that you will never want to exchange packets with
whoever holds the real delegation for the network you are using, then yes,
you can kludge this together out of standard components. If on the other hand
you are dealing with an "ambiguous prefix" where your border will have to
disambiguate two networks (one inside, one outside) with the same prefix, then
you need something stronger or you need a lot of intermediate moat nets.

>And lastly, is the cost/effort of implementing such a product <= effort of
>renumbering 2k hosts?

I renumbered 2K hosts in four days with only one person helping me. But we
were in an engineering environment and the production component was pretty
small; also, we had root access on virtually all of the 2K hosts.

If your hosts are all over the country and owned/run by different
administrations, or if your production machines aren't easily corralled, or if
your users are not engineers (and thus, not understanding of _your_ problems),
then I suspect that the time taken to plan and implement a "safe" renumbering
of your 2K hosts is as large or larger than the time it will take to build or
install a disambiguating firewall.

If you do renumber, I recommend that you renumber into an RFC 1597 prefix and
use some kind of NAT solution or moat-based firewall with application
gateways. This will make it possible for you to multi-home your net -- all
you will have to do is get additional outside connections to the NAT or
firewall, since each of your providers will only see the one little segment
of the network that they want you to live on. The fact that you've got 2K
hosts needn't trouble them -- in fact they need not even be aware of it. This
will give you the added flexibility of being able to dump your provider and
move to their competitor without fighting over the ownership of your prefix,
or paying the renumbering cost every time you switch.

I guess you can tell that I think RFC 1597 is a good thing.

Hope this helps.

Paul Vixie
La Honda, CA
"Illegitimi non carborundum."
pacbell!vixie!paul                    (don't let the bastards grind you down)

From firewalls-owner Wed Oct 4 02:00:02 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA09681 for firewalls-outgoing; Wed, 4 Oct 1995 01:51:46 -0700
Received: from orpheus.amdahl.com (orpheus.amdahl.com [129.212.11.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id BAA09674 for ; Wed, 4 Oct 1995 01:51:40 -0700
Received: from juts.ccc.amdahl.com by orpheus.amdahl.com with smtp (Smail3.1.29.1 #1) id m0t0PWm-0001Z4C; Wed, 4 Oct 95 01:50 PDT
Received: by juts.ccc.amdahl.com (/\../\ Smail3.1.14.4 #14.6) id ; Wed, 4 Oct 95 01:50 PDT
Date: Wed, 4 Oct 95 09:42:42 PDT
From: Luc Vanderschelde
Subject: RE: Borderware vs. Firewall-1
To: RTATE@folio.com
Cc: firewalls@greatcircle.com
X-Mailer: Chameleon - TCP/IP for Windows by NetManage, Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Robert,

deciding on what package is the best can only be done in function of the
security policy you want to apply. So, I can not tell you if there is a
better package somewhere.

If you like a firewall comparison of the products Firewall_1, Raptor Eagle,
Black Hole, DEC SEAL, Janus, TIS Gauntlet, then contact info@milkyway.com
Note that Milkyway Networks (Ontario, Canada) is the developer of Black Hole,
so the comparison might be somewhat "coloured". Their web server is at
http://www.milkyway.com

Have fun,

Luc

-----------------------------------------------------
Name: Luc Vanderschelde
Company: AMDAHL Belgium NV/SA
Department: Business Solutions Group
Function: Consultant
E-mail: lzv10@juts.ccc.amdahl.com (Luc Vanderschelde)
Date: 06/15/95
Time: 17:32:08
-----------------------------------------------------

---------------Included Message---------------
To: firewalls@greatcircle.com
Subject: Borderware vs. Firewall-1
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

** Low Priority **

I am in the process of purchasing a firewall package for the company I work
for. I have narrowed my choices down to Borderware and Firewall-1. Which is a
better choice, and why? Is there another package out there that is better I
may not have seen?

Thanks in advance for responses!!

Please reply to: rtate@folio.com

Robert Tate
Sr. Network Technician
Folio Corporation

Thanks
robert

From firewalls-owner Wed Oct 4 05:24:58 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id FAA12523 for firewalls-outgoing; Wed, 4 Oct 1995 05:10:42 -0700
Received: from E-MAIL.COM (e-mail.com [199.171.26.5]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id FAA12516 for ; Wed, 4 Oct 1995 05:10:39 -0700
Message-Id: <199510041210.FAA12516@miles.greatcircle.com>
Received: from cem-bb.e-mail.com by E-MAIL.COM (IBM VM SMTP V2R2) with BSMTP id 1925; Wed, 04 Oct 95 08:08:38 EDT
Date: Wed, 04 Oct 1995 08:12:27 EDT
From: toon@cem-bb.e-mail.com
To: firewalls@greatcircle.com
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm always happy when I find overview lists of products or even comparisons
between products. So I asked RPower@MFI.COM already for the '1995 Internet
security survey' and I hope I will get it soon.

So, I liked the response from Luc Vanderschelde (AMDAHL) to Robert Tate
including a list of products and a reference to a comparison. However the IBM
product NetSP Gateway was not in the list. Maybe he just forgot to mention it.
(Hoi, Luc)

The question now is: I've heard a lot of good things about NetSP Gateway at
different places. Are there some clients of this product on this list that I
can contact to ask them about their experiences?
Toon Mordijck
CEM-Groep Boerenbond, Belgium
toon@cem-bb.e-mail.com

From firewalls-owner Wed Oct 4 06:23:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA13624 for firewalls-outgoing; Wed, 4 Oct 1995 06:15:32 -0700
Received: from gatekeeper.ddp.state.me.us (gatekeeper.ddp.state.me.us [141.114.130.70]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA13617 for ; Wed, 4 Oct 1995 06:15:29 -0700
Received: from localhost by gatekeeper.ddp.state.me.us (8.6.5/1.37) id JAA03088; Wed, 4 Oct 1995 09:07:57 -0400
Date: Wed, 4 Oct 1995 09:07:56 -0400 (EDT)
From: David Miller
Subject: Re: Encryption strength
To: Frank Willoughby
cc: firewalls@GreatCircle.com
In-Reply-To: <9510032135.AA29112@su1.in.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 3 Oct 1995, Frank Willoughby wrote:

> >From padgett's excellent mail:
> >
> >Further, key management is a perennial problem. "How is that first secure
> >link established ?" is a chicken and the egg kind of problem. Today out-of-
> >channel is the most popular answer as demonstrated by Netscape but is either
> >a logistical nightmare or potential weakness. (It might be cheaper to buy
> >ViaSign than to break their certificates).
>
> Actually, the key management problem was solved by V-ONE a couple of years
> ago. (V-ONE is a firewall vendor).
>
> After the host & the firewall have mutually authenticated themselves to each
> other (to prevent node spoofing), the entire session is encrypted - with each
> session having a *different* (unique) encryption key.

But this is the crux of the chicken-and-egg problem. How do they mutually
authenticate each other? If they do it with a shared secret or through prior
arrangement a secure channel had to previously exist. If there is no third
party/shared secret then it's subject to a man-in-the-middle attack.

Now if *that's* been solved, I'd be *delighted* to hear about it!

--- David
----------------------------------------------------------------------------
It's *amazing* what one can accomplish when one doesn't know what one can't do!

From firewalls-owner Wed Oct 4 06:52:36 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA13963 for firewalls-outgoing; Wed, 4 Oct 1995 06:31:24 -0700
Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA13956 for ; Wed, 4 Oct 1995 06:31:16 -0700
Date: Wed, 4 Oct 1995 9:29:47 -0400 (EDT)
From: "A. Padgett Peterson, P.E. Information Security"
To: firewalls@greatcircle.com
Message-Id: <951004092947.2105ed38@hobbes.orl.mmc.com>
Subject: Re: Mail proxy
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>1) it is *impossible* to prevent a determined individual from
>transferring executables via email. (But you can slow them down)

Quibble: if you block the common mechanisms, then it will take ->two<-
individuals, one - perhaps unwitting - to install the decode/execute
mechanism on the inside.

>However, I must admit that I'd be interested in a Word document macro
>virus scanner :) These "executable content" vira are an interesting
>breed.

Still think "scanners" are not a global solution. Am not particularly
interested in providing a steady income to some for "updates", just want to
block the spread. Now all you need for that is to disallow execution of
macros from documents (with notice that the document contains one).
*Documents are not supposed to contain macros*. The fact that they CAN and
that the default installation of WORD will execute them are some of the
causes of the current problem.

Of course if we demonstrate how easy it is to block them (either with
DisableAutoMacros or by using a viewer like the free one that comes from
Microsloth), maybe they will go the way of ANSI bombs and writing to CLK$.
Warmly,
Padgett

From firewalls-owner Wed Oct 4 07:00:38 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA14097 for firewalls-outgoing; Wed, 4 Oct 1995 06:47:14 -0700
Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA14083 for ; Wed, 4 Oct 1995 06:47:10 -0700
Date: Wed, 4 Oct 1995 9:45:44 -0400 (EDT)
From: "A. Padgett Peterson, P.E. Information Security"
To: firewalls@greatcircle.com
Message-Id: <951004094544.2105ed38@hobbes.orl.mmc.com>
Subject: re: Encryption Strength
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Would it suffice to say that it was good enough for NSA - and that it is the
>*only* Internet firewall used in a NSA-approved configuration? In a public
>forum, this is probably all I can say.

No,

a) Cryptic remarks like that have no place on a public forum IMNSHO and are
   considered free of content. Better not to be said at all.

b) Was talking to X-3 (dept id, not a code name 8*) yesterday and it was not
   mentioned. Asked specifically about firewalls (true those folks do not
   volunteer and I was asking about another subject but did ask specifically
   which firewalls had been "examined").

c) "Security by obscurity" rates a "Run, do not Walk".

d) "Assume" you refer to the MISSI stuff approved for connection of
   up-to-Secret LANs to unclassified. Those I know of still require an
   out-of-channel exchange to take place to define "trust".

e) The NSA/NIST/NCSA conference in Baltimore next week will be a good place
   to discuss such things (plug). Vendor suites with open bars particularly
   appreciated 8*). Is Tuesday 10th - Friday 13th at the convention center at
   the Inner Harbour. Don't miss Phillips.

Warmly,
Padgett

From firewalls-owner Wed Oct 4 07:54:55 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA15784 for firewalls-outgoing; Wed, 4 Oct 1995 07:44:32 -0700
Received: from gateway.sctc.com (gateway.sctc.com [192.55.214.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA15776 for ; Wed, 4 Oct 1995 07:44:24 -0700
Received: from sccmailhost.sctc.com (sccmailhost.sctc.com [192.55.214.100]) by gateway.sctc.com (8.6.10/8.6.9) with SMTP id JAA23297 for ; Wed, 4 Oct 1995 09:46:09 -0500
Received: from sccmailhost.sctc.com by sccmailhost.sctc.com id 187570000; 4 Oct 95 10:43 CDT
Received: from sctc.com by sccmailhost.sctc.com id 044250000; 4 Oct 95 10:42 CDT
Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by spirit.sctc.com (8.6.12/8.6.10) with ESMTP id JAA19812; Wed, 4 Oct 1995 09:42:36 -0500
Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id JAA02645; Wed, 4 Oct 1995 09:42:35 -0500
Date: Wed, 4 Oct 1995 09:42:35 -0500
From: Rick Smith
Message-Id: <199510041442.JAA02645@shade.sctc.com>
To: firewalls@greatcircle.com
Cc: smith@sctc.com
Subject: Re: Encryption strength
References: <9510040306.AA12903@su1.in.net>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

frankw@in.net (Frank Willoughby) says:

>>>Actually, the key management problem was solved by V-ONE a couple of years
>>>ago. (V-ONE is a firewall vendor).

>Padgett asks the obvious:

>>Sounds wonderful but pray tell *how* do they authenticate each other ?

>So Frank rites:

>Would it suffice to say that it was good enough for NSA - and that it is the
>*only* Internet firewall used in a NSA-approved configuration? In a public
>forum, this is probably all I can say.

Interesting. The only "approved configuration" I know of wasn't so much NSA
as DISA, and the cryptographic services were irrelevant to its application.
If you really do know of an "approved configuration" involving crypto on a
commercial firewall, then there are at least *two* different "approved
configurations" out there.

There have been several "solutions" to the "key management problem," and so
far nobody, not even NSA, has come up with one that solves everything.
Choosing a key management scheme is just like any other big mechanism
decision: it depends on what your threats and operational objectives are. PGP
takes one approach yielding one set of results, FORTEZZA takes another.

It is true that we can't pick apart the details of whatever these government
configurations *are* in a public forum. However, I suspect that any 2 year old
commercial implementation is probably at most proprietary information. Most
likely there's a public whitepaper describing what V-One does, and how. If
V-One (or its crypto implementer) is represented on this list, it might be
interesting to hear a first hand report of what they really achieve.

Rick.
smith@sctc.com        secure computing corporation

From firewalls-owner Wed Oct 4 08:33:32 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA16920 for firewalls-outgoing; Wed, 4 Oct 1995 08:24:21 -0700
Received: from neon.ingenia.com (neon.ingenia.com [134.117.55.86]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA16913 for ; Wed, 4 Oct 1995 08:24:17 -0700
Received: (from shaver@localhost) by neon.ingenia.com (8.6.12/8.6.9) id LAA11947; Wed, 4 Oct 1995 11:24:13 -0400
From: Mike Shaver
Message-Id: <199510041524.LAA11947@neon.ingenia.com>
Subject: Network Address Translation stuff
To: firewalls@greatcircle.com, paul@vix.com
Date: Wed, 4 Oct 1995 11:24:12 -0400 (EDT)
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1658
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Paul Vixie mumbled something vague about:
> >I've heard there are a couple of commercial network address translators
> >available for those of us who were foolish enough to build extensive
> >enterprise networks on non-NIC assigned addresses. Does anyone have any
> >real-world experience with such a product?
>
> At Usenix LISA a few weeks ago in Monterey, CA, the first booth inside the
> front door belonged to a company that sold NAT boxes. They appeared to be
> based on some BSD flavour, and they wanted to sell hardware rather than just
> a software solution. Now if I could only remember their company name. Ah,
> here it is in the vendor directory included with my conference materials:
> Border Network Technologies; Borderware Firewall Server; .

Newer Linux kernels include IP masquerading functionality, which does this
sort of thing, in software. (For free, too, which is a nice touch.) The
state-of-the-art (which may not be suitable for a production environment;
YMMV) includes code to parse FTP packets and alter the PORT lines, and similar
support for talk is pending. More information is available at
ftp://ftp.eves.com/pub/linux/masq (I think).

Mike (who also doesn't follow firewalls as closely as he should... please cc:
on response)
--
#> Mike Shaver (shaver@ingenia.com)   Ingenia Communications Corporation <#
#> UNIX medicine man -- dark magick, cheap!                              <#
#>                                                                       <#
#> When the going gets tough, the tough give cryptic error messages.     <#
#> "We believe in rough consensus and running code."
<#

From firewalls-owner Wed Oct 4 09:53:14 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA18290 for firewalls-outgoing; Wed, 4 Oct 1995 09:44:21 -0700
Received: from mbunix.mitre.org (mbunix.mitre.org [129.83.20.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA18275 for ; Wed, 4 Oct 1995 09:44:07 -0700
Received: from star9gate.mitre.org (star9gate.mitre.org [129.83.22.1]) by mbunix.mitre.org (8.6.10/8.6.9) with SMTP id MAA06776 for ; Wed, 4 Oct 1995 12:42:35 -0400
Message-ID:
Date: 4 Oct 1995 12:46:35 -0500
From: "Pat Heinle"
Subject: Re: Firewalls-Digest V4 #573
To: Firewalls@GreatCircle.COM
X-Mailer: Mail*Link SMTP-QM 3.0.2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Reply to: RE>Firewalls-Digest V4 #573

From: pheinle@mitre.org
Subject: RE> Borderware vs. Firewall-1

Mr. Tate asks:

I am in the process of purchasing a firewall package for the company I work
for. I have narrowed my choices down to Borderware and Firewall-1. Which is a
better choice, and why? Is there another package out there that is better I
may not have seen?
rtate@folio.com
--

Robert,

"Info Security News" just had a supplement to their magazine for Sept/Oct. 95
entitled "Internet Security." Within the "Internet Security" supplement was a
section, "Shopping for Firewalls", which contained a matrix of a majority of
the current firewall products and their attributes. It might provide some
additional insight.

In addition to your Security Policy which Luc noted in his response, another
issue to consider is how well the Firewall product adjusts as your enterprise
expands.

Good luck.

Patty

--------------------------------------
Date: 10/4/95 11:34 AM
To: Pat Heinle
From: Firewalls@GreatCircle.COM

!!! Original message was too large.                 !!!
!!! It is contained in the enclosure whose name     !!!
!!! is the same as the subject of this message.     !!!
!!!                                                 !!!
!!! A preview of the message follows:

Firewalls-Digest        Wednesday, 4 October 1995        Volume 04 : Number 573

In this issue:

    -No Subject-
    IRC
    FLEXlm with proxy ...?
    Re: NFS
    Need Windows FTP client source
    Borderware (was: Information, We want information)
    Re: Encryption strength
    Borderware vs. Firewall-1
    Exact format for subscribing the info security list.
    re: Encryption strength
    re re nfs
    Re: Mail Proxy
    Re: FW to FW FTP w/ no port > 1023
    re: Encryption strength
    re: network address translation
    RE: Borderware vs. Firewall-1
    [none]
    Re: Encryption strength
    Re: Mail proxy

See the end of the digest for information on subscribing to the Firewalls or
Firewalls-Digest mailing lists and on how to retrieve back issues.

----------------------------------------------------------------------

From: Joseph Urban
Date: 3 Oct 95 14:12:00
Subject: -No Subject-

sunscribe firewalls-digest

------------------------------

From: oddboy@vegas.com
Date: Tue, 3 Oct 1995 11:42:44 -0700
Subject: IRC

I find myself in the position of having to put up a private IRC server
(private being not connected to either Undernet or Efnet). Basically this is
to allow "chat" forums for a few of my clients. I would like to make these
chat lines live outside of my firewall (and plan on it) but am curious what I
should watch out for in terms of folks being able to hack through and into an
OS. (I run Solaris 2.4 but I think the IRC server will run on a DEC box
running OSF/DEC Unix.) Any and all info will be greatly appreciated.

Gideon Wober
Systems Administrator
Digitainment Corporation

------------------------------

From: jordan@Heuristicrat.COM (Jordan M. Hayes)
Date: Tue, 3 Oct 95 12:09:16 PDT
Subject: FLEXlm with proxy ...?

Anyone built a FLEXlm proxy for FWTK?
/jordan

------------------------------

From: Doug Hughes
Date: Tue, 3 Oct 1995 13:42:56 -0500
Subject: Re: NFS

>
>I am sure that this topic has been beaten to death, so if someone would
>just point me at the discussion (or tell me that there is no solution)
>I would be happy to take it from there. I remember reading a paper a
>couple years ago describing why NFS could never be made secure, but for
>the life of me I can't seem to find it now.
>
>The problem is SUN's NFS under SUNOS 4.1.3/4. I have a server with a half
>dozen file systems that are exported read-only to all the other machines
>in the domain. I would like to restrict their mounting to machines within
>the domain while maintaining connectivity to the outside world.
>SUN's software does not support this option, it only allows specifying
>specific machine names, and the list of *all* machine names overflows
>some internal limit in SUN's software.
>
>[ The machine uses DNS and not YP, it is rumored that possibly with YP one
>can get by this limit, but I have no interest in adding YP to my list of
>problems. ]
>
>So, the Questions
>
> (1) WITHOUT resorting to a firewall, is there any way to accomplish
>what I want to do?
>
> (2) If not, can it be done with a `simple' packet filter, or does it
>require a full blown firewall?
>
>
> Reg.Clemens
> clemens@dwf.com
>
>

Without necessarily resorting to a firewall, you can have your router to the
outside world block:

    port 2049/udp - NFS
    port 111 udp/tcp - Sun RPC
    source routed packets
    outside packets with internal IP source addresses (IP spoofing)

This helps prevent a great deal of the most common attacks on NFS by
preventing it getting outside your domain at the interface to the Internet.
Also, installing the replacement tcp_wrappered version of portmap on your NFS
servers from ftp.win.tue.nl is a good thing to do. This way you can limit what
networks are able to send RPC requests to your server.

- --
____________________________________________________________________________
Doug Hughes                                 Engineering Network Services
System/Net Admin                            Auburn University
doug@eng.auburn.edu
Apple T-shirt on Win95 - "Been there, done that"

------------------------------

From: Joe McGuckin
Date: Tue

From firewalls-owner Wed Oct 4 10:57:46 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA19563 for firewalls-outgoing; Wed, 4 Oct 1995 10:44:55 -0700
Received: from spaatz.cap.af.mil ([132.60.58.245]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA19526 for ; Wed, 4 Oct 1995 10:44:43 -0700
Received: from Microsoft Mail (PU Serial #0) by spaatz.cap.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct04.123823.0.11759; Wed, 04 Oct 1995 12:43:30 -0500
From: PADGETT@hobbes.orl.mmc.com (A. Padgett Peterson, P.E. Infor)
To: cmilam@cap.au.af.mil, firewalls@greatcircle.com (firewalls)
Message-ID: <1995Oct04.123823.0.11759@spaatz.cap.af.mil>
X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Organization: Civil Air Patrol National Headquarters
Date: Wed, 04 Oct 1995 12:43:30 -0500
Subject: re: Encryption Strength
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Received: from relay4.UU.NET by spaatz.cap.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct04.123619.0.8704; Wed, 04 Oct 1995 12:36:20 -0500
Received: from miles.greatcircle.com by relay4.UU.NET with ESMTP id QQzjzx29201; Wed, 4 Oct 1995 11:18:20 -0400
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA14097 for firewalls-outgoing; Wed, 4 Oct 1995 06:47:14 -0700
Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA14083 for ; Wed, 4 Oct 1995 06:47:10 -0700
Date: Wed, 4 Oct 1995 9:45:44 -0400 (EDT)
From: "A. Padgett Peterson, P.E.
Information Security"
To: firewalls@greatcircle.com
Message-Id: <951004094544.2105ed38@hobbes.orl.mmc.com>
Subject: re: Encryption Strength
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Would it suffice to say that it was good enough for NSA - and that it is the
>*only* Internet firewall used in a NSA-approved configuration? In a public
>forum, this is probably all I can say.

No,

a) Cryptic remarks like that have no place on a public forum IMNSHO and are
   considered free of content. Better not to be said at all.

b) Was talking to X-3 (dept id, not a code name 8*) yesterday and it was not
   mentioned. Asked specifically about firewalls (true those folks do not
   volunteer and I was asking about another subject but did ask specifically
   which firewalls had been "examined").

c) "Security by obscurity" rates a "Run, do not Walk".

d) "Assume" you refer to the MISSI stuff approved for connection of
   up-to-Secret LANs to unclassified. Those I know of still require an
   out-of-channel exchange to take place to define "trust".

e) The NSA/NIST/NCSA conference in Baltimore next week will be a good place
   to discuss such things (plug). Vendor suites with open bars particularly
   appreciated 8*). Is Tuesday 10th - Friday 13th at the convention center at
   the Inner Harbour. Don't miss Phillips.

Warmly,
Padgett

From firewalls-owner Wed Oct 4 12:22:53 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA21185 for firewalls-outgoing; Wed, 4 Oct 1995 12:02:13 -0700
Received: from lonestar.jsc.nasa.gov (lonestar.jsc.nasa.gov [139.169.137.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA21178 for ; Wed, 4 Oct 1995 12:02:09 -0700
Received: from mickey.jsc.nasa.gov by lonestar.jsc.nasa.gov; Wed, 4 Oct 95 14:02:26 -0500
Received: from janus.jsc.nasa.gov by mickey.jsc.nasa.gov (5.65c/ISL-ser-1.2) id AA25464; Wed, 4 Oct 1995 14:00:43 -0500
Received: by janus.jsc.nasa.gov (5.65c/ISL-cli-1.1) id AA25204; Wed, 4 Oct 1995 14:00:42 -0500
Received: from freefall.jsc.nasa.gov(139.169.132.24) by janus.jsc.nasa.gov via smap (V1.3) id sma025201; Wed Oct 4 14:00:11 1995
Received: by freefall.jsc.nasa.gov (8.6.9/ISL-cli-1.1) id OAA00439; Wed, 4 Oct 1995 14:00:11 -0500
From: mark.horn1@jsc.nasa.gov
Message-Id: <199510041900.OAA00439@freefall.jsc.nasa.gov>
Subject: Technical details of NT Domains..
To: firewalls@greatcircle.com
Date: Wed, 4 Oct 1995 14:00:11 -0500 (CDT)
X-Mailer: ELM [version 2.4 PL24 ME5a]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2058
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

We have some users who need to login to a windows NT domain that has been set
up here. We currently have an IP firewall installed. This firewall is
installed on our LAN and protects us from the Internet. Since there isn't a
site wide firewall, it also protects us from the rest of JSC. It's a screened
host gateway (Nomenclature taken from Marcus J. Ranum's "Thinking About
Firewalls"). Currently, only IP is filtered at our firewall. All non-IP
protocols are passed through. All non-IP protocols are filtered at the site's
connection to the Internet.

Now, it turns out that my users can't login to an NT domain.
I wouldn't have expected this because I assumed that NT would have used NetBEUI or some such other non-IP protocol to communicate. After some experimentation, I've discovered that I need to set up the following for this to work:

a) Each Win95 machine needs to have a WINS server configured
b) UDP needs to be wide open to that Win95 machine.

It looks like WINS is a UDP based protocol, and it manages the name resolution for the NT domain. Then, using some unknown protocol, our machines talk to the NT domain server for authentication. From there, they talk to the individual disk servers in the NT domain over NetBEUI. (All of this is not much more than a Wild Ass Guess (tm))

So, the question is: can anyone tell me the specifics of how one logs into an NT domain? In particular, what are the details of the data exchange? What I'm looking for is something along the lines of how Brent Chapman describes protocols in his tutorials (e.g. NTP servers send to & from UDP port 123, NTP clients send to UDP 123, and from random UDP port >1023). Does anyone know how logging into an NT domain utilizes UDP? If WINS is the only thing using UDP, has anyone set up udprelay to act as a proxy for it?

Thanks in advance.

--
Mark Horn (sparkie)                 horn@mickey.jsc.nasa.gov
http://tommy.jsc.nasa.gov/~horn     mark.horn1@jsc.nasa.gov
Free Advice and Opinions -- Refunds Available

From firewalls-owner Wed Oct 4 12:53:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA21663 for firewalls-outgoing; Wed, 4 Oct 1995 12:30:04 -0700
Received: from netcom11.netcom.com (netcom11.netcom.com [192.100.81.121]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA21656 for ; Wed, 4 Oct 1995 12:30:01 -0700
Received: by netcom11.netcom.com (8.6.12/Netcom) id MAA22431; Wed, 4 Oct 1995 12:28:23 -0700
From: okuyama@netcom.com (Darin Okuyama)
Message-Id: <199510041928.MAA22431@netcom11.netcom.com>
Subject: running "smapd" chrooted ..
To: firewalls@greatcircle.com (Firewall Mailing List)
Date: Wed, 4 Oct 1995 12:28:23 -0700 (PDT)
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 485
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My firewall has the following configuration for "smap" and "smapd":

    smap, smapd: directory /var/mail

According to the documentation, "smap" does a chroot to the specified directory, but it seems "smapd" doesn't. Questions:

  1. Is running "smapd" chrooted a lot safer than not?

  2. What exactly would it take to run "smapd" chrooted?

  3. If one is running "smapd" chrooted, I suppose one should run the periodic check of the "mqueue" chrooted too?

---Darin Okuyama

From firewalls-owner Wed Oct 4 13:54:02 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA24485 for firewalls-outgoing; Wed, 4 Oct 1995 13:49:23 -0700
Received: from gw.home.vix.com (gw.home.vix.com [192.5.5.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA24477 for ; Wed, 4 Oct 1995 13:49:18 -0700
Received: by gw.home.vix.com id AA27100; Wed, 4 Oct 95 13:47:47 -0700
X-Btw: vix.com is also gw.home.vix.com and vixie.sf.ca.us
Received: by wisdom.home.vix.com id AA27158; Wed, 4 Oct 1995 13:47:46 -0700
Message-Id: <9510042047.AA27158@wisdom.home.vix.com>
To: firewalls@greatcircle.com
Cc: Mike Shaver
Subject: Re: Network Address Translation stuff
In-Reply-To: Your message of "Wed, 04 Oct 1995 11:24:12 EDT." <199510041524.LAA11947@neon.ingenia.com>
Date: Wed, 04 Oct 1995 13:47:46 -0700
From: Paul A Vixie
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Newer Linux kernels include IP masquerading functionality, which does
> this sort of thing, in software. (For free, too, which is a nice
> touch.)
>
> The state-of-the-art (which may not be suitable for a production
> environment; YMMV) includes code to parse FTP packets and alter the
> PORT lines, and similar support for talk is pending.

I guess I thought this would have gone without saying, but I don't agree with the idea of modifying PORT verbs in stream -- this is a very slippery slope indeed. IBM's NAT does FTP proxying via DNS tricks and temporary address assignments, and accomplishes its goals without any layering violations -- in particular the user data is never interpreted. This goes to show that it can be done without searching for PORT verbs in user data.

From firewalls-owner Wed Oct 4 15:54:00 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA00836 for firewalls-outgoing; Wed, 4 Oct 1995 15:47:44 -0700
Received: from provider.ins.com (provider.ins.com [199.0.194.125]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA00829 for ; Wed, 4 Oct 1995 15:47:34 -0700
Received: from mattpc.ins.com (lab_pc.ins.com [199.0.193.229]) by provider.ins.com (8.6.12/8.6.12) with SMTP id SAA08983 for ; Wed, 4 Oct 1995 18:45:57 -0400
Date: Wed, 4 Oct 1995 18:45:57 -0400
Message-Id: <199510042245.SAA08983@provider.ins.com>
X-Sender: waugh@provider.ins.com
X-Mailer: Windows Eudora Version 2.1.1
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: Matthew Waugh
Subject: Re: running "smapd" chrooted ..
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

That's a strange configuration - you send smap to some separate area so that if it is broken into there is nothing it can access; it appears your setup is giving away access to the mailboxes.

Anyway - the reason smap runs chroot is because it's the process listening on port 25. It's supposed to be a simple, clearly understood program that is not susceptible to attack - and even if attacked all it allows is access to some restricted chroot area.
On the other hand smapd takes the output of smap, is not running with privilege, and so it can hand the message off to sendmail with less risk of a mail message giving access to the system.

Off-hand, running smapd chroot would be possible, but awfully difficult, because what you actually end up doing is running sendmail chrooted (all smapd does is format traffic and give it to sendmail). If running sendmail chroot was easy we'd probably be doing that and not running smap/smapd. You'd probably have to include so much of the system in your chroot area for smapd that the actual security obtained would be minimal.

Mat

At 12:28 PM 10/4/95 -0700, you wrote:
>
>My firewall has the following configuration for "smap" and "smapd":
>
>    smap, smapd: directory /var/mail
>
>According to the documentation, "smap" does a chroot to the specified
>directory, but it seems "smapd" doesn't. Questions:
>
>  1. Is running "smapd" chrooted a lot safer than not?
>
>  2. What exactly would it take to run "smapd" chrooted?
>
>  3. If one is running "smapd" chrooted, I suppose one should run
>     the periodic check of the "mqueue" chrooted too?
>
>---Darin Okuyama
>
>
>
--
Matthew Waugh
Matthew_Waugh@ins.com
INS - Raleigh, NC

From firewalls-owner Wed Oct 4 16:22:55 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA01758 for firewalls-outgoing; Wed, 4 Oct 1995 16:18:21 -0700
Received: from inet-smtp-gw-1.us.oracle.com (inet-smtp-gw-1.us.oracle.com [192.86.155.81]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA01751 for ; Wed, 4 Oct 1995 16:18:03 -0700
Received: from mailsun2.us.oracle.com by inet-smtp-gw-1.us.oracle.com with SMTP (8.6.12/37.7) id QAA25555; Wed, 4 Oct 1995 16:16:31 -0700
Received: by mailsun2.us.oracle.com (4.1/37.8) id AA28157; Wed, 4 Oct 95 16:17:21 PDT
Message-Id: <9510042317.AA28157@mailsun2.us.oracle.com>
Date: 04 Oct 95 16:09:49 -0700
From: "David Sidwell"
To: firewalls@greatcircle.com
Subject: DMZ definition ?
Reply-To: dasidwel@us.oracle.com
Mime-Version: 1.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Can anyone give me a concise definition of the term Demilitarized Zone, or DMZ for short, in connection with firewall terminology ? I am under the belief, perhaps incorrectly, that it is used to refer to any kind of screened subnet placed between the internal networks and the Internet (or other external networks). A colleague of mine is convinced that it is a separate subnet hung off a single firewall machine.

So would the following be correctly termed DMZs or not ?

1.
           [ packet  ]                  [ packet  ]
Internet---[filtering]----DMZ subnet----[filtering]---internal
           [ router  ]   (containing    [ router  ]   networks
                          publicly
                          accessible
                          machines)

2. As above but protected by firewalls instead of packet filtering routers.

3.
Internet----firewall----internal networks...
               |
               |
              DMZ
             subnet

Finally, does a DMZ implementation always prevent direct IP forwarding from Internet to internal nets ?

TIA,
David Sidwell

From firewalls-owner Wed Oct 4 16:30:10 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA01038 for firewalls-outgoing; Wed, 4 Oct 1995 15:59:24 -0700
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA01031 for ; Wed, 4 Oct 1995 15:59:21 -0700
Received: from ford.gbnet.org by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950602) id PAA02823; Wed, 4 Oct 1995 15:50:50 -0700
Received: (from steve@localhost) by ford.gbnet.org (8.7.Beta.10/8.6.12) id XAA15887; Wed, 4 Oct 1995 23:53:43 +0100 (BST)
From: Steve Kennedy
Message-Id: <199510042253.XAA15887@ford.gbnet.org>
Subject: Re: Technical details of NT Domains..
To: mark.horn1@jsc.nasa.gov
Date: Wed, 4 Oct 1995 23:53:43 +0100 (BST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199510041900.OAA00439@freefall.jsc.nasa.gov> from "mark.horn1@jsc.nasa.gov" at Oct 4, 95 02:00:11 pm
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

According to mark.horn1@jsc.nasa.gov
> So, the question is can anyone tell me the specifics of how one logs into an
> NT domain? In particular, what are the details of the data exchange? What
> I'm looking for is something along the lines of how Brent Chapman describes
> protocols in his tutorials (e.g. NTP servers send to & from UDP port 123, NTP
> clients send to UDP 123, and from random UDP port >1023). Does anyone know
> how logging into an NT domain utilizes UDP?

Check out Samba (SMB server for UNIX). This will shortly support master browsing and domain controller functionality. The master site is ftp://nimbus.anu.edu.au/pub/tridge/samba (or very similar - it's late here) - though mirrored in lots of places. It has pretty good docs with it and explains how logging in etc work.
Regards

Steve
--
home steve@gbnet.org  * Flat 2, 43 Howitt Road, Belsize Pk, London NW3 4LU
work steve@demon.net  * tel +44-(0)171 483 1169  FAX +44-(0)181 444 6103
www  http://www.gbnet.net/  * GSM mobile +44-(0)802 444 500
bits steve@gbnet.net  * GSM data @2400 0802-449500 @9600 449501 fax 449502
Euro firewall info - send mail to majordomo@gbnet.net (subscribe firewalls-uk)

From firewalls-owner Wed Oct 4 16:52:40 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA01823 for firewalls-outgoing; Wed, 4 Oct 1995 16:23:40 -0700
Received: from prometheus.microchip.com (PROMETHEUS.MICROCHIP.COM [198.175.253.66]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA01816 for ; Wed, 4 Oct 1995 16:23:36 -0700
Received: (from daemon@localhost) by prometheus.microchip.com (8.6.12/8.6.9) id QAA02185 for ; Wed, 4 Oct 1995 16:27:38 -0700
Received: from pegasus.microchip.com(199.170.150.38) by prometheus.microchip.com via smap (V1.3) id sma002183; Wed Oct 4 16:27:25 1995
Received: from localhost (localhost.Microchip.COM [127.0.0.1]) by pegasus.Microchip.COM (8.7/8.7) with ESMTP id QAA08533; Wed, 4 Oct 1995 16:11:07 -0700 (MST)
Message-Id: <199510042311.QAA08533@pegasus.Microchip.COM>
To: Snow-Flower
cc: Firewalls@greatcircle.com
Subject: Re: Exact format for subscribing the info security list.
In-reply-to: Your message of "Wed, 04 Oct 1995 10:01:03 +0900."
             <199510040101.KAA17605@vision.postech.ac.kr>
Date: Wed, 04 Oct 1995 16:11:05 -0700
From: Gustavo Vegas
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

I do not know if anyone has answered this posting, and I think this info may be of general interest to the list, so, here it goes:

[extracted from the response to the command lists detail to their listserver]

* -------------------------------------------
* INFSEC-L Information Systems Security Forum
* -------------------------------------------
* INFSEC-L is for discussions of information systems security and
* related issues. Discussions are not moderated. Thus, all messages
* sent to the list are immediately distributed to members of the
* list. The discussion list is an outgrowth of the "Technology
* for the Information Security '94: Managing Risk" at Galveston, TX
* (December 5-8, 1994). The main objective of the list is to foster
* open and constructive communication among information systems security
* and auditing professionals in government, industry, and academic
* institutions. Initial subscriptions are screened by listowner to
* ensure that only appropriate professionals are subscribed.
*
* To subscribe to INFSEC-L, send:
*
*     SUBSCRIBE INFSEC-L yourname
*
* in the body of email message to LISTSERV@ETSUADMN.ETSU.EDU (leave
* the subject line blank).
*
* Participation in this list is not limited to and does not imply
* affiliation with East Texas State University (ETSU). Views expressed
* in no way reflect the opinions of ETSU administration, its students,
* its faculty/staff, and its Board of Regents.
*
* PLEASE NOTE: Replies are set up to go to the LIST as an aid to
* facilitate discussion. You can OVERRIDE the REPLY option by
* including a Reply-To: option in the header of mail you send to
* INFSEC-L@ETSUADMN.BITNET.
*
* Monthly notebooks will be maintained. For a list, send LISTSERV at
* ETSUADMN the command: INDEX INFSEC-L .
* For example:
*     TELL LISTSERV AT ETSUADMN INDEX INFSEC-L    or
*     SEND LISTSERV@ETSUADMN INDEX INFSEC-L       etc.
*
* To UNSUBSCRIBE, send the command: SIGNOFF INFSEC-L to
* LISTSERV@ETSUADMN.ETSU.EDU. Please bear in mind that LISTSERV
* commands go to the LISTSERV ID, *NOT* to the list! For more
* information on LISTSERV, send the command: INFO to
* LISTSERV@ETSUADMN.ETSU.EDU. This may be sent TEXT LINE of MAIL,
* or in a file.
* (BITNET: TELL LISTSERV AT ETSUADMN HELP on CMS, or
* SEND LISTSERV@ETSUADMN HELP using JNET, etc.).
*

===========================================+===========================
Gustavo Vegas                               Gustavo.Vegas@Microchip.COM
CAD Systems Administrator                   Microchip Technology Inc.
                                            Chandler, Arizona
===========================================+===========================

From firewalls-owner Wed Oct 4 17:22:42 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA02669 for firewalls-outgoing; Wed, 4 Oct 1995 17:10:17 -0700
Received: from scifi.maid.com (scifi.emi.net [204.181.45.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id RAA02662 for ; Wed, 4 Oct 1995 17:10:12 -0700
Received: (from njs@localhost) by scifi.maid.com (8.6.11/8.6.9) id UAA06615; Wed, 4 Oct 1995 20:08:33 -0400
Date: Wed, 4 Oct 1995 20:08:33 -29900
From: Nick Simicich
Subject: Re: Encryption strength
cc: firewalls@GreatCircle.COM
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 4 Oct 1995, David Miller wrote:

> On Tue, 3 Oct 1995, Frank Willoughby wrote:
>
> > >From padgett's excellent mail:

> But this is the crux of the chicken-and-egg problem. How do they
> mutually authenticate each other? If they do it with a shared secret or
> through prior arrangement a secure channel had to previously exist.
> If
> there is no third party/shared secret then it's subject to a
> man-in-the-middle attack.

The new version of IBM's firewall provides this function. To set up a secure channel, you describe the channel, and it cuts a diskette, which you fedex to the other party.

> Now if *that's* been solved, I'd be *delighted* to hear about it!

I thought that was what the public key distribution stuff was all about.

Nick Simicich - njs@scifi.emi.net - (last choice) njs@bcrvm1.vnet.ibm.com
http://scifi.emi.net/njs.html -- Stop by and Light Up The World!

From firewalls-owner Wed Oct 4 17:52:33 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA03776 for firewalls-outgoing; Wed, 4 Oct 1995 17:37:20 -0700
Received: from relay-1.mail.demon.net (relay-1.mail.demon.net [158.152.1.140]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id RAA03756 for ; Wed, 4 Oct 1995 17:37:14 -0700
Received: from post.demon.co.uk by relay-1.mail.demon.net id aa22534; 4 Oct 95 13:36 +0100
Date: Wed, 4 Oct 95 13:29:38 PDT
From: stuart@loddon.demon.co.uk
Subject: WWW & Proxy Servers
To: firewalls-digest@greatcircle.com
X-Mailer: Chameleon - TCP/IP for Windows by NetManage, Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Apologies if the following questions have been asked before - if they have, I can't find them !

i) Is/Are there any proxy servers for WWW to restrict access to the WWW on a username basis AND to further restrict use of 'sub-protocols' supported by WWW such as ftp, gopher ... again on a username basis ?

ii) If yes to i), can you provide pointers please ?

iii) If no to i), is the requirement technically feasible - if so, any clues ?

iv) If the above has been done, has it been integrated with strong authentication tokens e.g. SecureID, Digital Pathways or even S/Key ?
TIA

-------------------------------------
Name: Stuart Broderick
E-mail: stuart@loddon.demon.co.uk
Date: 10/04/95:13:29:38
This site is not affiliated with any other in demon.co.uk.
-------------------------------------

From firewalls-owner Wed Oct 4 19:22:45 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA05661 for firewalls-outgoing; Wed, 4 Oct 1995 19:01:26 -0700
Received: from ingress.com (ingress.com [199.171.57.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id TAA05654 for ; Wed, 4 Oct 1995 19:01:22 -0700
Received: from starlight.ingress.com by ingress.com (4.1/SMI-4.1) id AA01523; Wed, 4 Oct 95 21:53:39 EDT
Received: by starlight.ingress.com (4.1) id AA07907; Wed, 4 Oct 95 21:53:58 EDT
Date: Wed, 4 Oct 1995 21:53:56 -0400 (EDT)
From: Charles Kaplan
To: firewalls@greatcircle.com
Subject: RE: BorderWare vs. Firewall-1
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have sat quietly on this list the past month or two (been reading and posting for almost 2 years) due to huge work loads, but the past few days have started to irk me. I will say that I resell BorderWare for a good part of my living. However, I sell security, and the customer's needs are first, not just me pushing my product. With that said, let me post up 3 or 4 messages in one clump.

------

>From: RTATE@folio.com
>I am in the process of purchasing a firewall package for the
>company I work for. I have narrowed my choices down to
>Borderware and Firewall-1. Which is a better choice, and why? Is
>there another package out there that is better I may not have
>seen?
>Thanks in advance for responses!!

The first questions that really need to be asked are: what are you protecting, what is your security policy, what are you looking to provide service wise.
BorderWare operates as an integrated Firewall and application server, all on one box, running a 'proprietary' hardened operating system. The box allows 100% transparent access to the internet for all standard Internet services, with the ability to define custom services. The BorderWare box has no Unix prompt, and no ability to 'screw it up'. It is 100% menu driven. The BorderWare box includes a full suite of Internet servers (dual DNS, anonymous FTP, POP, WWW, finger, News) all standard. BorderWare also happens to provide IP translation.

Firewall-1 is a stateful packet filter vs. BorderWare's application layer approach. Packet filtering can yield a higher packet throughput (please make sure to compare hardware platforms, and limiting link speeds when evaluating packets per second). Packet filtering can often be more flexible as new services develop.

While I in no way want to start any kind of flame war, Firewall-1 can 'easily' be installed in insecure fashions without the administrator being aware of this. This is primarily due to running on top of Sun-OS 'un-hardened', running syslog, allowing login accounts onto the machine (especially prevalent in Netra situations), etc..

Rather than tie up this group any farther, feel free to contact www.border.com to find your local reseller, and talk through these issues with them.
-Charles Kaplan

From firewalls-owner Wed Oct 4 19:30:24 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA05748 for firewalls-outgoing; Wed, 4 Oct 1995 19:15:21 -0700
Received: from ingress.com (ioma.com [199.171.57.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id TAA05741 for ; Wed, 4 Oct 1995 19:15:18 -0700
Received: from starlight.ingress.com by ingress.com (4.1/SMI-4.1) id AA02744; Wed, 4 Oct 95 22:07:35 EDT
Received: by starlight.ingress.com (4.1) id AA07999; Wed, 4 Oct 95 22:07:54 EDT
Date: Wed, 4 Oct 1995 22:07:52 -0400 (EDT)
From: Charles Kaplan
To: firewalls@greatcircle.com
Subject: re: network address translation
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>From: Paul A Vixie
>Date: Wed, 04 Oct 1995 00:26:39 -0700
>Subject: re: network address translation

>>Frank Senter, Senior Information Specialist
>>Missouri Highway and Transportation Department
>>P.O. Box 270, Jefferson City MO 65102

>>I've heard there are a couple of commercial network address translators
>>available for those of us who were foolish enough to build extensive
>>enterprise networks on non-NIC assigned addresses. Does anyone have any
>>real-world experience with such a product?

>At Usenix LISA a few weeks ago in Monterey, CA, the first booth inside the
>front door belonged to a company that sold NAT boxes. They appeared to be
>based on some BSD flavour, and they wanted to sell hardware rather than just
>a software solution. Now if I could only remember their company name. Ah,
>here it is in the vendor directory included with my conference materials:
>Border Network Technologies; Borderware Firewall Server; .

I have to jump in here, as a BorderWare reseller (not the one in Monterey CA). BorderWare is a SOFTWARE company. They don't manufacture or recommend hardware.
Yes, I bet all the resellers sell hardware (convenience, guaranteed compatibility, etc). BorderWare is a SOFTWARE product. The product is based on a hardened port of BSDi. If you were to have a shell on the machine (not possible), but even if you were, it wouldn't execute your code anyway. The kernel effectively only talks to its own authenticable applications.

>Is it possible to kludge such a product together on a commercial firewall?

BorderWare is a commercial firewall, which happens to do IP translation. I just returned from an install of BorderWare at a site that had about 450 hosts, across 2 domains (xx.dec.com and xx.sun.com), and a mix of class A and C addresses none of which belonged to them (they belonged to dec and sun whom this company had placed out of the box onto their net). The install took about 5 hours including training. The customer's first comments back to his boss in front of me were 'excellent performance, I love the box already'. Enough hype.

>And lastly, is the cost/effort of implementing such a product <= effort of
>renumbering 2k hosts?

BorderWare is in my opinion VERY cost effective. Address Translation also gives you a slight twinge of security by obscurity. Coupled with BorderWare's dual name servers ALL internal site information is hidden from the 'hacker' - not in itself secure, but a great start.

-Charles Kaplan
.....a slightly biased BorderWare reseller.....
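Two NAT points raised in this thread can be seen side by side in a small translator: Vixie's objection (in the "Network Address Translation stuff" message above) to rewriting FTP PORT verbs inside the data stream, and Kaplan's remark here that address translation hides internal addresses from the outside. The Python below is an added example written for this archive; it is not code from either poster, from IBM or from Border Network Technologies, and it models no real product. The addresses (10.1.2.3 inside, 203.0.113.5 as the public address, 198.51.100.7 as the remote FTP server) and the 40000+ public port range are constructed sample values.

```python
"""Toy many-to-one NAT (constructed example, not a model of any product).

Shows (1) the IP-layer address hiding the reseller mentions: only the
public address and a mapped port ever leave the box; and (2) the FTP PORT
problem: a NAT that touches only headers leaves the inside address sitting
in the application data, and fixing that means parsing user data."""
import re
from dataclasses import dataclass, field

# A complete FTP PORT verb (RFC 959): "PORT h1,h2,h3,h4,p1,p2\r\n".
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: bytes = b""


@dataclass
class Nat:
    public_ip: str                      # the one address the outside ever sees
    next_port: int = 40000              # constructed starting point for public ports
    table: dict = field(default_factory=dict)    # inside Endpoint -> public port
    reverse: dict = field(default_factory=dict)  # public port -> inside Endpoint

    def _map(self, inside: Endpoint) -> int:
        """Return (allocating on first use) the public port for an inside endpoint."""
        pub = self.table.get(inside)
        if pub is None:
            pub = self.next_port
            self.next_port += 1
            self.table[inside] = pub
            self.reverse[pub] = inside
        return pub

    def outbound(self, pkt: Packet, ftp_alg: bool = False) -> Packet:
        """Inside -> outside: replace the source with the public address.
        Only headers are touched unless ftp_alg asks for PORT rewriting."""
        pub = self._map(pkt.src)
        payload = pkt.payload
        if ftp_alg and pkt.dst.port == 21:
            payload = self._rewrite_port_verb(payload)
        return Packet(Endpoint(self.public_ip, pub), pkt.dst, payload)

    def inbound(self, pkt: Packet):
        """Outside -> inside: only packets for an existing mapping get through."""
        inside = self.reverse.get(pkt.dst.port)
        if pkt.dst.ip != self.public_ip or inside is None:
            return None                 # no mapping: drop
        return Packet(pkt.src, inside, pkt.payload)

    def _rewrite_port_verb(self, payload: bytes) -> bytes:
        """The layering violation: parse user data, map the inside data
        endpoint the client offered, and rewrite the verb to name the public one."""
        m = PORT_RE.match(payload.decode("ascii", errors="replace"))
        if m is None:
            return payload              # not a whole verb in this segment: pass through
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        inside = Endpoint(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
        pub = self._map(inside)
        octets = self.public_ip.replace(".", ",")
        return f"PORT {octets},{pub // 256},{pub % 256}\r\n".encode("ascii")


def names_internal_host(payload: bytes, internal_prefix: str = "10.") -> bool:
    """Does a PORT verb in this payload still carry an inside address?"""
    m = PORT_RE.match(payload.decode("ascii", errors="replace"))
    return m is not None and ".".join(m.groups()[:4]).startswith(internal_prefix)


if __name__ == "__main__":
    nat = Nat("203.0.113.5")
    ctl = Packet(Endpoint("10.1.2.3", 1234), Endpoint("198.51.100.7", 21),
                 b"PORT 10,1,2,3,4,211\r\n")    # inside host offers 10.1.2.3:1235
    plain = nat.outbound(ctl)
    print("header-only NAT  :", plain.src, plain.payload,
          "leaks inside address:", names_internal_host(plain.payload))
    fixed = nat.outbound(ctl, ftp_alg=True)
    print("with PORT rewrite:", fixed.src, fixed.payload,
          "leaks inside address:", names_internal_host(fixed.payload))
    split = Packet(ctl.src, ctl.dst, b"PORT 10,1,2,")   # verb split across segments
    print("split segment    :", nat.outbound(split, ftp_alg=True).payload)
```

Run stand-alone it prints all three translations. The split-segment case at the end is the slippery slope Vixie describes: once the box rewrites PORT verbs, its correctness depends on seeing each verb whole in one segment, and a verb that arrives in two pieces passes through untouched, inside address and all. A NAT that never interprets user data has no such case to get wrong, which is why the DNS-and-temporary-address approach he credits to IBM's NAT avoids the problem rather than parsing around it.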
From firewalls-owner Wed Oct 4 19:53:22 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA05796 for firewalls-outgoing; Wed, 4 Oct 1995 19:20:48 -0700
Received: from ingress.com (ingress.com [199.171.57.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id TAA05789 for ; Wed, 4 Oct 1995 19:20:44 -0700
Received: from starlight.ingress.com by ingress.com (4.1/SMI-4.1) id AA03403; Wed, 4 Oct 95 22:13:02 EDT
Received: by starlight.ingress.com (4.1) id AA08065; Wed, 4 Oct 95 22:13:21 EDT
Date: Wed, 4 Oct 1995 22:13:18 -0400 (EDT)
From: Charles Kaplan
To: firewalls@greatcircle.com
Subject: NetSP vs ???
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>From: toon@cem-bb.e-mail.com
>Date: Wed, 04 Oct 1995 08:12:27 EDT

>I'm always happy when I find overview lists of products or even
>comparisons between products. So I asked RPower@MFI.COM already for
>the '1995 Internet security survey' and I hope I will get it soon.
>So, I liked the response from Luc Vanderschelde (AMDAHL) to Robert
>Tate including a list of products and a reference to a comparison.
>However the IBM product NetSP Gateway was not in the list. Maybe he
>just forgot to mention it. (Hoi, Luc)

>The question now is. I've heard a lot of good things about
>NetSP Gateway at different places. Are there some clients of this
>product on this list, that I can contact to ask them about their
>experiences?

I would recommend searching the archives of this list. I have seen quite a bit of traffic on this subject. Things that stick in my mind:

   Un-hardened kernel, and the AIX kernel, perhaps the LARGEST (most code=most bug potential) kernel of all firewalls
   Stock sendmail
   Either requires SOCKS or running in NON-transparent mode
   VERY expensive both for the required hardware and the software.

I think those are the highlights.
Remember, if this is protecting wide area, do you really need all the power of an RS6000 for a T1 link ??? or even Ethernet for that matter.

-Charles Kaplan
.....a biased reseller of the BorderWare firewall server.....

From firewalls-owner Wed Oct 4 20:00:04 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA06218 for firewalls-outgoing; Wed, 4 Oct 1995 19:37:13 -0700
Received: from awadi.com.AU (myall.awadi.com.AU [150.207.2.65]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id TAA06203 for ; Wed, 4 Oct 1995 19:36:57 -0700
Received: from bunya.awadi ([150.207.1.63]) by awadi.com.AU (4.1/SMI-4.1) id AA18054; Thu, 5 Oct 95 12:04:22 CST
Received: from mallee.awadi by bunya.awadi (5.x/SMI-SVR4) id AA10917; Thu, 5 Oct 1995 12:00:52 +0930
From: blymn@awadi.com.AU (Brett Lymn)
Message-Id: <9510050230.AA10917@bunya.awadi>
Subject: Re: Encryption strength
To: njs@scifi.maid.com (Nick Simicich)
Date: Thu, 5 Oct 1995 12:00:53 +0930 (CST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Nick Simicich" at Oct 4, 95 08:08:33 pm
X-Mailer: ELM [version 2.4 PL2]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

According to Nick Simicich:
>
>The new version of IBM's firewall provides this function. To set up a
>secure channel, you describe the channel, and it cuts a diskette, which
>you fedex to the other party.
>

How .... ummmmm..... trusting of you. I suppose it really depends on the level of security you are looking for but you did consider that the fedex package may get intercepted? Delivered to the incorrect person (say, the janitor)? Exchanging encryption keys is always a thorny problem since the key _is_ your data security - if it is subverted then your encryption is useless.
--
Brett Lymn, Computer Systems Administrator, AWA Defence Industries
===============================================================================
"It's fifteen hundred miles to Ankh-Morpork" he said. "We've got three
hundred and sixty three elephants, fifty carts of forage, the monsoon's
about to break and we're wearing ... we're wearing ... sort of things,
like glass, only dark... dark glass things on our eyes..."
        - Terry Pratchett "Moving Pictures".

From firewalls-owner Wed Oct 4 20:13:27 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA06161 for firewalls-outgoing; Wed, 4 Oct 1995 19:35:30 -0700
Received: from westie.mid.net (westie.mid.net [198.247.250.16]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id TAA06147 for ; Wed, 4 Oct 1995 19:35:24 -0700
Received: from gaijin.mid.net (gaijin.mid.net [198.247.250.28]) by westie.mid.net (8.6.10/8.6.9) with ESMTP id VAA16004; Wed, 4 Oct 1995 21:33:58 -0500
Received: (from alan@localhost) by gaijin.mid.net (8.6.10/8.6.9) id VAA29187; Wed, 4 Oct 1995 21:34:14 -0500
From: Alan Hannan
Message-Id: <199510050234.VAA29187@gaijin.mid.net>
Subject: Re: WWW & Proxy Servers
To: stuart@loddon.demon.co.uk
Date: Wed, 4 Oct 1995 21:34:13 -0500 (CDT)
Cc: firewalls-digest@GreatCircle.COM
In-Reply-To: from "stuart@loddon.demon.co.uk" at Oct 4, 95 01:29:38 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2328
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Good day:

] Apologies if the following questions have been asked before - if they have, I can't
] find them !

The WWW user authentication is a very valid question, one that we have been considering as our firewall systems mature.

] i) Is/Are there any proxy servers for WWW to restrict access to the WWW on
] a username basis AND to further restrict use of 'sub-protocols' supported
] by WWW such as ftp, gopher ...
] again on a username basis ?

I have not seen a large desire for this, however it would certainly be nice to have the capacity to provide filtering on that. I would think it could be hacked into existing http gateways......

] ii) If yes to i), can you provide pointers please ?

Sorry...

] iii) If no to i), is the requirement technically feasible - if so, any clues ?

Yes, it is possible, my discussions with people have involved implementing such in a manner where:

  A) User A from IP Node A authenticates himself
  B) Entry made in table for User A == Node A
  C) If no requests from User A in time 'T' then the entry in the table is flushed.
  D) Until that time, Node A's requests come through no prob.

Another thought has been given to doing something of this nature with SSL, and still another with the reference field in the requests, but I haven't spent too much time on it.

] iv) If the above has been done, has it been integrated with strong authentication
] tokens e.g. SecureID, Digital Pathways or even S/Key ?

That would be easy to include with step A.

I know of two companies that are interested in doing this. However, neither of them have expertise in firewalls, though they do in programming. (i.e. they're both r&d departments of companies).

If you're still interested and don't find an existing product (I know of none) then come to me, and we'll see about maybe putting together a project.......

--
Alan Hannan                         Email: alan@mid.net
Network Systems/Security            Voice: (402) 472-0239
MIDnet, Lincoln NOC                 Office Fax: (402) 472-0240

" The reasonable man adapts himself to the world; the unreasonable one
  persists in trying to adapt the world to himself. Therefore all
  progress depends on the unreasonable man. "
        - George Bernard Shaw

From firewalls-owner Wed Oct 4 20:30:01 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA08415 for firewalls-outgoing; Wed, 4 Oct 1995 20:26:28 -0700
Received: from mail-relay1.cis.yale.edu (mail-relay1.cis.yale.edu [130.132.21.199]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id UAA08402 for ; Wed, 4 Oct 1995 20:26:24 -0700
Received: from capitoline.cis.yale.edu by mail-relay1.cis.yale.edu with SMTP id AA24684 (5.67a/IDA-1.5 for ); Wed, 4 Oct 1995 23:19:00 -0400
Received: from minerva.cis.yale.edu (minerva [130.132.143.250]) by capitoline.cis.yale.edu (8.6.12/8.6.12) with ESMTP id XAA05171 for ; Wed, 4 Oct 1995 23:24:55 -0400
Received: (from adept@localhost) by minerva.cis.yale.edu (8.6.12/8.6.12) id XAA22561; Wed, 4 Oct 1995 23:24:52 -0400
Date: Wed, 4 Oct 1995 23:24:51 -0400 (EDT)
From: Ben
X-Sender: adept@minerva
To: firewalls@greatcircle.com
Subject: Re: Encryption strength
In-Reply-To: <9510050230.AA10917@bunya.awadi>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> How .... ummmmm..... trusting of you. I suppose it really depends on
> the level of security you are looking for but you did consider that
> the fedex package may get intercepted? Delivered to the incorrect
> person (say, the janitor)?

Use the Shamir Sharing algorithm to break the key up into n parts. Send the n parts via n different vectors--phone, USPS, UPS, FedEx, Fax, e-mail, etc. As long as no one gets more than n/2 parts, it doesn't matter if they subvert the key.

Ben.
____
Ben Samman..............................................samman@cs.yale.edu
I have learned silence from the talkative, toleration from the intolerant,
and kindness from the unkind; yet, strange, I am ungrateful to those
teachers.-- K. Gibran.
SUPPORT THE PHIL ZIMMERMANN LEGAL DEFENSE FUND!
For information Email: zldf@clark.net http://www.netresponse.com/zldf echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc;exit From firewalls-owner Wed Oct 4 20:55:49 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA08700 for firewalls-outgoing; Wed, 4 Oct 1995 20:31:43 -0700 Received: from westie.mid.net (westie.mid.net [198.247.250.16]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id UAA08685 for ; Wed, 4 Oct 1995 20:31:37 -0700 Received: from gaijin.mid.net (gaijin.mid.net [198.247.250.28]) by westie.mid.net (8.6.10/8.6.9) with ESMTP id WAA16794; Wed, 4 Oct 1995 22:30:12 -0500 Received: (from alan@localhost) by gaijin.mid.net (8.6.10/8.6.9) id WAA29521; Wed, 4 Oct 1995 22:30:28 -0500 From: Alan Hannan Message-Id: <199510050330.WAA29521@gaijin.mid.net> Subject: Re: DMZ definition ? To: dasidwel@us.oracle.com Date: Wed, 4 Oct 1995 22:30:28 -0500 (CDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <9510042317.AA28157@mailsun2.us.oracle.com> from "David Sidwell" at Oct 4, 95 04:09:49 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 2469 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

The term DMZ grew out of the border area between North and South Korea (or was it Vietnam, I wasn't alive for either...) We could argue all day about which of the following more exactly fits the definition of a DMZ, but that's what college professors are for :) IMHO a DMZ is any network which sits between two other networks, which, for whatever reason, have a problem with each other.

] Can anyone give me a concise definition of the term Demilitarized Zone, or DMZ

See above.

] for short, in connection with firewall terminology ? I am under the belief,
] perhaps incorrectly, that it is used to refer to any kind of screened subnet
] placed between the internal networks and the Internet (or other external
] networks).
Agreed.

] A colleague of mine is convinced that it is a separate subnet hung
] off a single firewall machine.

That's kind of fuzzy, though it could be construed that this 'logical' network is between the two other networks.

] 1.
]               [ packet ]                  [ packet ]
] Internet---[filtering]----DMZ subnet----[filtering]---internal
]               [ router ]   (containing    [ router ]   networks

Yep.

] 2. As above but protected by firewalls instead of packet filtering routers.

Yep.

] 3.
] Internet----firewall----internal networks...
]                 |
]                 |
]                DMZ
]               subnet

3 == 1 logically. One could implement a system w/ 3 that did the same thing.

] Finally, does a DMZ implementation always prevent direct IP forwarding from
] Internet to internal nets ?

Nope. For whatever reason, network 1) above could allow telnets from the far left to the far right, and I'd have no problem with it, and would call it a DMZ. (actually, I would have a problem allowing telnets directly into my network, but I'd still whore myself out to the customer if their security policy allowed it. This is where the 'experts' and I part company.)

-- Alan Hannan Email: alan@mid.net Network Systems/Security Voice: (402) 472-0239 MIDnet, Lincoln NOC Office Fax: (402) 472-0240 " The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man. " - George Bernard Shaw From firewalls-owner Wed Oct 4 21:00:43 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA09410 for firewalls-outgoing; Wed, 4 Oct 1995 20:51:24 -0700 Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id UAA09396 for ; Wed, 4 Oct 1995 20:51:16 -0700 Date: Wed, 4 Oct 1995 23:49:50 -0400 (EDT) From: "A. Padgett Peterson, P.E.
Information Security" To: firewalls@greatcircle.com Message-Id: <951004234950.2104b6a4@hobbes.orl.mmc.com> Subject: re: Encryption strength Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>The new version of IBM's firewall provides this function. To set up a
>secure channel, you describe the channel, and it cuts a diskette, which
>you fedex to the other party.

Now this will work but the One True Solution will be one in which you can create a secure channel and authenticate *on the fly* over it. This is why I find the netscape mechanism so appealing - a secure channel is created without needing any authentication. At this point, all you need is a shared secret - no passphrases, no floppy disks fedexing around the world etc. Lotus Notes hierarchy looks good - once the first authentication channel is created, all else *including public key revocation/reissue* can be accomplished. (Too bad the multi-page description is so full of pablum and vagaries - I already know that long keys are good, what I want to know is "how long is long ?" Add in the fact that for SBU, a dial-up PPP might provide an "out of channel" mechanism for an initial trusted *real-time* keyserver (am rapidly coming to the conclusion that if you are not worried about the FBI listening in, POTS is really a good mechanism for such - after all, Joe's public key is meant to be distributed so you are not worried about Confidentiality, Ma Bell is handling the Availability, so all you need is Integrity to avoid men in the middle. A U-Dial-It is hard to spoof and Caller-ID (FCC said this year everywhere) provides node validation, & once you have a public key you can trust from the host, all else is easy. Naturally, this is just in time for corporate Amurrica to go into a panic over modems when all they need is a (C)LASS capable switch... The fact is I can see where we are going to be and it is a wonderful place.
Do expect the vendors to do their homework though so am not going to grind it all the way down - want them to show me they understand the problem. The really funny part is that certification via a trusted central authority is essential. The big difference between this and key escrow is one critical element - the authority will not have any private keys except its own, rather it will be a point of verification. Corporations may serve as their own but in that case there will need to be a means for them to be able to monitor employees - not a matter of civil rights, rather property rights so either they will hold the secret keys or MicroVault (hi Nick) will do a land office business in electronic lockboxes. The marvel of it all is seeing the pieces become available (one of the more fun parts of my job is pointing people with problems at people with solutions. Sometimes the problem people don't know they have one and the solutions people do not know they have one either. Then it's really enjoyable, and lately both sets have been vendors (even more fun). Now if they would just catch on to '70s style hospitality suites... The real message is that what we have is like colour television in 1960. We are not breaking any new ground (and I wish someone would tell the patent lawyers that), all the technology we need is available, is just a matter of putting it all together and watch that peacock spread its tail. Warmly, Padgett ps seems like I saw a reference somewhere to a set of locks (Chubb ?) nigh on 150 years ago that used one set of keys to lock a door, and a second set was required to open it. If things get irritating, I might even research it. 
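Ben's suggestion earlier in this "Encryption strength" thread (split the key with Shamir's scheme and send the pieces over several unrelated channels: phone, USPS, UPS, FedEx, fax, e-mail) and the courier discussion around it both rest on one mechanism, so here is a worked version of it. This is an added example written for this archive; it is not code from the list, from IBM's firewall or from any product mentioned. The field prime, the share indices 1..n, the hex encoding of shares and the sample 16-byte key are my choices. The reconstruction threshold k is a parameter chosen by whoever splits the key: any k shares rebuild it, any fewer leave every candidate key equally likely.

```python
import secrets

# Mersenne prime 2^521 - 1: any key of up to 65 bytes fits in one field element.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x, p):
    """Evaluate coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ... (mod p) by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split_secret(secret, k, n, p=PRIME, randbelow=secrets.randbelow):
    """Split integer `secret` into n shares such that any k of them reconstruct it.

    Shares are (x, y) points on a random polynomial of degree k-1 whose constant
    term is the secret.  Fewer than k points leave every value of the constant
    term equally likely, so one intercepted courier packet or a stray fax
    reveals nothing by itself.  `randbelow` is injectable only for tests.
    """
    if not 1 <= k <= n < p:
        raise ValueError("need 1 <= k <= n < p")
    if not 0 <= secret < p:
        raise ValueError("secret must lie in [0, p)")
    coeffs = [secret] + [randbelow(p) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def recover_secret(shares, p=PRIME):
    """Lagrange-interpolate the polynomial through `shares` and evaluate it at x = 0.

    Needs at least k distinct shares; with fewer it silently returns a wrong
    value, because the scheme carries no integrity check of its own.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % p        # product over j != i of (0 - x_j)
                den = den * (xi - xj) % p    # product over j != i of (x_i - x_j)
        # pow(den, -1, p) is the modular inverse (Python 3.8+); p is prime so it exists.
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret


def key_to_shares(key: bytes, k: int, n: int):
    """Bytes in, list of (channel index, hex share) out: one entry per delivery channel."""
    shares = split_secret(int.from_bytes(key, "big"), k, n)
    return [(x, format(y, "x")) for x, y in shares]


def shares_to_key(hex_shares, key_len: int) -> bytes:
    """Inverse of key_to_shares for any k of the (index, hex share) pairs."""
    shares = [(x, int(h, 16)) for x, h in hex_shares]
    return recover_secret(shares).to_bytes(key_len, "big")


if __name__ == "__main__":
    # Constructed sample: a 16-byte symmetric key sent over five channels
    # (phone, USPS, UPS, FedEx, fax); any three of the five are sufficient.
    key = bytes.fromhex("00112233445566778899aabbccddeeff")
    pieces = key_to_shares(key, k=3, n=5)
    for idx, share in pieces:
        print(f"channel {idx}: {share}")
    # The receiver collects three of them, in any order, and rebuilds the key.
    got = shares_to_key([pieces[4], pieces[1], pieces[2]], len(key))
    print("recovered:", got.hex(), "ok" if got == key else "MISMATCH")
```

Two practical points the thread touches on: the scheme protects confidentiality only, so a share altered in transit yields a wrong key with no warning and a MAC or a fingerprint check over the reconstructed key is still needed; and if the receiver's end system is compromised after reconstruction, as Nick Simicich points out below, no amount of care in the courier step helps.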
From firewalls-owner Wed Oct 4 21:26:15 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA10475 for firewalls-outgoing; Wed, 4 Oct 1995 21:10:40 -0700 Received: from thor.tjhsst.edu (thor.tjhsst.edu [192.65.174.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id VAA10468 for ; Wed, 4 Oct 1995 21:10:35 -0700 Received: by thor.tjhsst.edu (Smail3.1.28.1 #1) id m0t0hcK-00074qC; Thu, 5 Oct 95 04:09 EST Message-Id: To: alan@mid.net, firewalls-digest@greatcircle.com Subject: Re: WWW & Proxy Servers In-reply-to: Your message of "Wed, 04 Oct 1995 21:34:13 EDT." <199510050234.VAA29187@gaijin.mid.net> Date: Thu, 05 Oct 1995 00:09:01 EDT From: "James Croall" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Yes, it is possible, my discussions with people have involved
> implementing such in a manner where:
>
> A) User A from IP Node A authenticates himself
>
> B) Entry made in table for User A == Node A
>
> C) If no requests from User A in time 'T' then the entry in the table is flushed.

I've been playing with something like that, for accessing a firewalled WWW Server with proper authentication:

A) User A from IP Node A authenticates himself to the server over Basic HTTP Access Authorization using some sort of One-Time password system.
B) The server adds an entry to a table: User A : Node A : Authentication method & "password"
C) The combination is valid for some time T. If it is used in that time T, the time gets extended. If it is "idle" for T, it is removed from the table.

> Another thought has been given to doing something of this
> nature with SSL, and still another with the reference field
> in the requests, but I haven't spent too much time on it.

Hence a user could connect to an accessible machine, authenticate themselves, and have access to a proxy server.
Of course, this whole system falls apart without some type of encryption ;) >] iv) If the above has been done, has it been integrated with strong authentication >] tokens e.g. SecureID, Digital Pathways or even S/Key ? > > That would be easy to include with step A. The whole system is relatively easy; In fact I implemented it as a little toy a little while ago, adding HTTP Proxy support, S/Key authentication, and SSL (based on the SSLeay package) all on top of NCSA 1.4. As far as I played with it, it seemed to work. If anybody wants to play with it, I can dig up the code. --- jcroall@tjhsst.edu * jcroall@foo.org http://www.tjhsst.edu/people/jcroall/ From firewalls-owner Thu Oct 5 00:00:05 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA14810 for firewalls-outgoing; Wed, 4 Oct 1995 23:53:43 -0700 Received: from funet.fi (funet.fi [130.230.1.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id XAA14803 for ; Wed, 4 Oct 1995 23:53:40 -0700 Received: from relevantum.fi (actually user nobody@relevantum.fi) by funet.fi with SMTP (PP); Thu, 5 Oct 1995 08:51:59 +0200 Received: by relevantum.fi (4.1/SMI-4.1-MHS-7.0) id AA01429; Thu, 5 Oct 95 08:51:44 +0200 Date: Thu, 5 Oct 1995 08:51:43 +0200 (EET) From: Keinanen Vesa To: Paul A Vixie Cc: firewalls@greatcircle.com, Mike Shaver Subject: Re: Network Address Translation stuff In-Reply-To: <9510042047.AA27158@wisdom.home.vix.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > slope indeed. IBM's NAT does FTP proxying via DNS tricks and temporary > address assignments, and accomplishes its goals without any layering > violations -- in particular the user data is never interpreted. This goes > to show that it can be done without searching for PORT verbs in user data. > How is that possible. 
The FTP client announces its IP address/port to the other party using the PORT command and then waits for an incoming connection to that address. In this case the host address is not reachable from the outside world. If direct IP routing is blocked and internal addresses are not announced to the outside world, you cannot make host addresses reachable with "DNS tricks" or any other tricks. I still don't think that even IBM can do address translation without modifying the FTP PORT command: you either modify the PORT command packet-per-packet (as NATs seem to do) or you re-create the necessary commands (as FTP proxies do). VK -- Vesa Keinanen Nasilinnankatu 24 D, 33210 Tampere, Finland Relevantum Oy Phone +358 31 2147200, Fax +358 31 2147402 From firewalls-owner Thu Oct 5 00:13:49 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA14861 for firewalls-outgoing; Wed, 4 Oct 1995 23:58:00 -0700 Received: from gw.home.vix.com (gw.home.vix.com [192.5.5.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id XAA14853 for ; Wed, 4 Oct 1995 23:57:58 -0700 Received: by gw.home.vix.com id AA09604; Wed, 4 Oct 95 23:56:33 -0700 X-Btw: vix.com is also gw.home.vix.com and vixie.sf.ca.us Received: by wisdom.home.vix.com id AA27394; Wed, 4 Oct 1995 23:56:32 -0700 Message-Id: <9510050656.AA27394@wisdom.home.vix.com> To: firewalls@greatcircle.com Subject: Re: Network Address Translation stuff In-Reply-To: Your message of "Thu, 05 Oct 1995 08:51:43 +0200." Date: Wed, 04 Oct 1995 23:56:32 -0700 From: Paul A Vixie Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> I still don't think that even IBM can do address translation
> without modifying the FTP PORT command: you either modify the PORT command
> packet-per-packet (as NATs seem to do) or you re-create the necessary
> commands (as FTP proxies do).

The trick is to use an FTP proxy without the client having to know that it's talking to an FTP proxy.
With a simple DNS trick and a complicated FTP proxy, you can make these ends meet. The thought of modifying PORT verbs in-stream makes my skin crawl. From firewalls-owner Thu Oct 5 01:52:44 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id BAA17056 for firewalls-outgoing; Thu, 5 Oct 1995 01:43:54 -0700 Received: from warrane.connect.com.au (warrane.connect.com.au [192.189.54.33]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id BAA17025 for ; Thu, 5 Oct 1995 01:43:28 -0700 Received: (from root@localhost) by warrane.connect.com.au with UUCP id SAA18783 (8.6.12/IDA-1.6 for Firewalls@GreatCircle.COM); Thu, 5 Oct 1995 18:41:58 +1000 Received: from macbank ([130.2.230.3]) by macquarie.com.au (8.6.12/8.6.12) with SMTP id RAA17371 for ; Thu, 5 Oct 1995 17:55:59 +1000 Received: from isdprod2.macbank by macbank (5.0/SMI-SVR4) id AA13453; Thu, 5 Oct 1995 17:55:57 --1000 Date: Thu, 5 Oct 1995 17:55:57 --1000 From: pcooper@macquarie.com.au (Peter Cooper) Message-Id: <9510050755.AA13453@macbank> To: Firewalls@GreatCircle.COM Subject: What's the admin effort content-length: 422 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

We're considering the business case for a firewall product at the moment. I've been asked how much of a person's (or multiple people's) time would be taken up in day-to-day operational control of a firewall, in terms of monitoring the activity, and change management. Is there any sort of benchmarking of this activity that people are aware of? I'd be interested in any statistics or experience people have had.
Peter Cooper From firewalls-owner Thu Oct 5 02:22:34 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA17736 for firewalls-outgoing; Thu, 5 Oct 1995 02:16:40 -0700 Received: from Mailer.Uni-Marburg.DE (papin.HRZ.Uni-Marburg.DE [137.248.1.8]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id CAA17691 for ; Thu, 5 Oct 1995 02:15:42 -0700 Received: from sumbi01.med.Uni-Marburg.DE by Mailer.Uni-Marburg.DE (AIX 3.2/UCB 5.64/20.07.94) id AA23894; Thu, 5 Oct 1995 10:13:39 +0100 Received: by med.uni-marburg.de (8.6.12/ADD-HUB-2.1) id KAA00219; Thu, 5 Oct 1995 10:12:43 +0100 Received: from post.med.uni-marburg.de(137.248.202.51) by sumbi01.med.uni-marburg.de via smap (V1.3) id sma000217; Thu Oct 5 10:12:28 1995 Received: from pcmbi60.med.uni-marburg.de (pcmbi60.med.uni-marburg.de [137.248.202.60]) by post.med.uni-marburg.de (8.6.11/8.6.9) with SMTP id LAA03898 for ; Thu, 5 Oct 1995 11:19:47 +0100 Message-Id: <199510051019.LAA03898@post.med.uni-marburg.de> From: "D.A. Meyer" To: firewalls@greatcircle.com Date: Thu, 5 Oct 1995 10:12:43 +0000 Subject: http-gw on dual-homed gateways Reply-To: meyerd@post.med.uni-marburg.de Priority: normal X-Mailer: Pegasus Mail/Windows (v1.22) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi, my question of the day is: has anybody tried to run TIS http-gw on a dual-homed gateway? The proxy has to rewrite the URL, and it seems to do it using the outside interface name/address (gethostname + gethostbyname). When I change the hostname so that it is connected to the IP address of the internal interface, my mail proxy won't work. Has anybody built a patch which rewrites the address depending on the interface on which the client request came in? Any other idea? Thanx Dirk ----------------------------------------------------------------- Dirk A. Meyer meyerd@mailer.uni-marburg.de Klinikum der Philipps-Universitaet Marburg Tel.xx49-6421-28-6291 Med.
Informatik Fax.-------------8921 Bunsenstr. 3 D-35033 Marburg/Lahn ----------------------------------------------------------------- From firewalls-owner Thu Oct 5 02:30:13 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA17587 for firewalls-outgoing; Thu, 5 Oct 1995 02:10:26 -0700 Received: from pina1.telecom.at (pina1.telecom.at [194.37.252.41]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id CAA17575 for ; Thu, 5 Oct 1995 02:09:59 -0700 Received: from pina2.telecom.at (pina2.telecom.at [194.37.252.42]) by pina1.telecom.at (8.6.10/8.6.6) with ESMTP id JAA56301 for ; Thu, 5 Oct 1995 09:59:20 +0100 Received: (from ilias@localhost) by pina2.telecom.at (8.6.10/8.6.6) id KAA23641 for firewalls@GreatCircle.COM; Thu, 5 Oct 1995 10:05:49 +0100 From: Ilias Liakopoulos Message-Id: <199510050905.KAA23641@pina2.telecom.at> Subject: cisco router extended access-list question To: firewalls@GreatCircle.COM Date: Thu, 5 Oct 1995 10:05:49 +0100 (MEZ) X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 1522 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello, I have set up an access-list like the example in UnileverCD for allowing only SMTP connections (the IP addrs are invented):

access-list 102 permit tcp 1.2.3.4 0.0.0.0 2.2.3.4 0.0.0.0 established
access-list 102 permit tcp 1.2.3.4 0.0.0.0 2.2.3.4 0.0.0.0 eq 25

SMTP works, but with this config I tried telnet and it also works. This is not acceptable, and if I remove the established line, nothing works. The interface config:

interface Ethernet0
 ip address 2.2.3.2 'some adr mask'
 ip access-group 102 out

Have I done something wrong in the config or is this a bug in our version?:

Cisco Internetwork Operating System Software IOS (tm) 4000 Software (XX-K), Version 10.0(6), RELEASE SOFTWARE (fc1) Copyright (c) 1986-1994 by cisco Systems, Inc.
Compiled Tue 25-Oct-94 19:29 by dougs ROM: System Bootstrap, Version 4.14(7), SOFTWARE System image file is "xk10060z", booted via flash cisco 4000 (68030) processor (revision 0xB0) with 16384K/4096K bytes of memory. Processor ID 5012216 thanx, iLiAS ---------------------------------------------------------------------- Ilias Liakopoulos | Email: ilias@telecom.at Spardat AG & Co KG | Tel: 0043/1/74045-4762 Fax -5704 Geiselbergstr. 21-25 | WWW: http://pina2.telecom.at/~lia 1110-Vienna | nic-hdl: IL7-RIPE Austria | Europe | ---------------------------------------------------------------------- From firewalls-owner Thu Oct 5 02:39:11 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA17525 for firewalls-outgoing; Thu, 5 Oct 1995 02:07:37 -0700 Received: from funet.fi (funet.fi [130.230.1.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id CAA17518 for ; Thu, 5 Oct 1995 02:07:26 -0700 Received: from relevantum.fi (actually user nobody@relevantum.fi) by funet.fi with SMTP (PP); Thu, 5 Oct 1995 11:05:51 +0200 Received: by relevantum.fi (4.1/SMI-4.1-MHS-7.0) id AA01811; Thu, 5 Oct 95 11:05:44 +0200 Date: Thu, 5 Oct 1995 11:05:43 +0200 (EET) From: Keinanen Vesa To: Paul A Vixie Cc: firewalls@greatcircle.com Subject: Re: Network Address Translation stuff In-Reply-To: <9510050656.AA27394@wisdom.home.vix.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Wed, 4 Oct 1995, Paul A Vixie wrote:

> The trick is to use an FTP proxy without the client having to know that
> it's talking to an FTP proxy. With a simple DNS trick and a complicated
> FTP proxy, you can make these ends meet.

OK, I get it, the IBM NAT box has application level proxies inside instead of packet-per-packet address translation. (BTW, do you know where I can find info about this IBM box?
A quick search on the IBM Web site didn't get me anything.) Let me try to summarize this subject a bit. There seem to be (at least) 2 different techniques for address translation:

* Translate IP addresses on each IP packet that goes through, otherwise let packets go through unmodified. Handling FTP requires some dirty tricks like modifying data inside IP packets that contain FTP PORT commands. Invisible to users.

* Use application level proxies. This can be made invisible to users by using transparent proxies.

Packet-by-packet address translation may be dirty in some sense, but on the other hand it doesn't require its own process for each connection and requires just a little state information. It can be implemented on a standalone box with no disks and limited main memory (like a router). Maybe some day someone will announce a "proxy firewall router" which claims to have the best features of both worlds. Maybe at this moment the guys at translation.com are rewriting their sales material and a "new" kind of out-of-the-box Firewall will pop into the market.
VK -- Vesa Keinanen Nasilinnankatu 24 D, 33210 Tampere, Finland Relevantum Oy Phone +358 31 2147200, Fax +358 31 2147402 From firewalls-owner Thu Oct 5 02:52:45 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA18352 for firewalls-outgoing; Thu, 5 Oct 1995 02:48:39 -0700 Received: from enny01.enicom.co.jp (enny01.enicom.co.jp [202.33.90.66]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id CAA18345 for ; Thu, 5 Oct 1995 02:48:33 -0700 Received: by enny01.enicom.co.jp (8.6.12+2.4W/3.3W9/enicom1995.05.19) with UUCP id SAA11784 for firewalls@GreatCircle.COM; Thu, 5 Oct 1995 18:45:22 +0900 Received: from re.enicom.co.jp by enicom.rd.enicom.co.jp (8.6.12+2.5Wb7/3.3W9/enicom5.0) with ESMTP id SAA22628 for ; Thu, 5 Oct 1995 18:47:24 +0900 Received: from (MTD2001 [133.179.8.32]) by re.enicom.co.jp (8.6.11+2.4W/3.4W/re1.4) with SMTP id SAA14194 for firewalls@GreatCircle.COM; Thu, 5 Oct 1995 18:44:09 +0900 Date: Thu, 5 Oct 1995 18:44:09 +0900 Message-Id: <199510050944.SAA14194@re.enicom.co.jp> From: Shuzo Ishihara To: firewalls@GreatCircle.COM Mime-Version: 1.0 Subject: Please tell me adequate books and articles about Firewalls. Content-Type: text/plain; charset=iso-2022-jp X-Mailer: Winbiff [version 1.07] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I'm a novice in Internet and firewall security. I have read the book "Firewalls and Internet Security" by William R. Cheswick and Steven M. Bellovin. This book is very useful and I learned the framework of firewalls from it. But there are only a couple of firewall models in this book. I think that there are more types of firewall models, and I need more systematic learning about them. I would be very grateful to anyone who could tell me sources of information containing illustrations, that is, books, articles and others.
S.Ishihara ishihara@re.enicom.co.jp From firewalls-owner Thu Oct 5 03:22:34 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA18956 for firewalls-outgoing; Thu, 5 Oct 1995 03:07:17 -0700 Received: from mn3.swip.net (mn3.swip.net [192.71.180.33]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id DAA18949 for ; Thu, 5 Oct 1995 03:07:11 -0700 Received: by mn3.swip.net with UUCP (8.6.8/2.01) id LAA13635; Thu, 5 Oct 1995 11:03:16 +0100 Received: from mfvlh.microfront.se by mfsvinx.microfront.se id aa03177; Thu, 5 Oct 95 10:42:56 MET To: Firewalls@greatcircle.com From: Lars Hornborg Subject: Re: Address Translators X-Originating-Host: lhpc Reply-To: lasseh@microfront.se In-Reply-To: <199509291355.GAA01364@miles.greatcircle.com> Message-Id: <1995Oct05.110526+0200@lhpc> Date: 05 Oct 1995 11:05:24 +0200 MIME-Version: 1.0 X-Mailer: BWMail for Windows Version 3.2 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

A commercial NAT product is Private Internet Exchange from Network Translation Inc. Any positive things I say about it on this list would be biased, since we distribute it in Sweden, but I'll say this: It's a helluva product! NTI have a Web site at www.translation.com. Lars.

PS Any thoughts regarding weaknesses or strengths in this kind of solution are welcome, since the NAT approach is fairly new and needs to be discussed.
DS -- __________________________________________________________________________ Lars Hornborg, Tech mgr Tel: +46-47010150 Microfront Vaxjo AB Fax: 21150 (67929 home) Sjoeuddev 8, Internet: lasseh@microfront.se S-352 46 VAXJO, SWEDEN X400: /S=lasseh/P=microfront/A=interx/C=se _________________________________________________________________________ From firewalls-owner Thu Oct 5 03:30:01 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id DAA19295 for firewalls-outgoing; Thu, 5 Oct 1995 03:21:51 -0700 Received: from sun2.nsfnet-relay.ac.uk (sun2.nsfnet-relay.ac.uk [128.86.8.45]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id DAA19288 for ; Thu, 5 Oct 1995 03:21:46 -0700 Message-Id: <199510051021.DAA19288@miles.greatcircle.com> Via: uk.co.salford-software-services.e; Thu, 5 Oct 1995 11:19:57 +0100 Received: from 193.37.229.23.sss.co.uk (actually pc4.sss.co.uk) by e.sss.co.uk with SMTP (PP); Thu, 5 Oct 1995 09:54:02 +0000 From: Dave Wade To: Firewalls@GreatCircle.COM Subject: Re: Mail proxy X-Mailer: ProntoIP [version 1.5 Beta] MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Date: Thu, 5 Oct 1995 09:54:06 +0000 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>>1) it is *impossible* to prevent a determined individual from
>>transferring executables via email. (But you can slow them down)
>
>Quibble: if you block the common mechanisms, then it will take ->two<-
>individuals, one - perhaps unwitting - to install the decode/execute
>mechanism on the inside.

Rather than invent a new encoding the two individuals might just use the SNAIL MAIL to exchange programs. Floppies through the mail normally give a consistent throughput at low cost and avoid all those nasty scanners in the firewall. Much less traceable as well in most companies.
Warmley, Dave Wade dw@sss.co.uk From firewalls-owner Thu Oct 5 04:22:34 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA21202 for firewalls-outgoing; Thu, 5 Oct 1995 04:16:56 -0700 Received: from gateway.toploguk.co.uk (gateway.toploguk.co.uk [193.119.169.250]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id EAA21195 for ; Thu, 5 Oct 1995 04:16:36 -0700 From: Paul Crossley To: ilias.liakopoulos@telecom.at, firewalls@GreatCircle.COM Subject: cisco router extended access-list question X-Mailer: ScoMail 1.0 Date: Thu, 5 Oct 1995 12:07:28 +0100 (BST) Message-ID: <9510051207.aa21699@gateway.toploguk.co.uk> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> I have set up an access-list like the example in UnileverCD
> for allowing only SMTP connections (the IP addrs are invented):
>
> access-list 102 permit tcp 1.2.3.4 0.0.0.0 2.2.3.4 0.0.0.0 established
> access-list 102 permit tcp 1.2.3.4 0.0.0.0 2.2.3.4 0.0.0.0 eq 25
>
> SMTP works but with this config I tried telnet and it also works .
> this is not acceptable and if I remove the established line ->
> nothing works.
> the interface config:
>
> interface Ethernet0
> ip address 2.2.3.2 'some adr mask'
> ip access-group 102 out

The established keyword allows any established TCP session through the interface. SMTP may be initiated from the "wrong" side, so it will not be established in the first instance, so another filter is required. What your filters are saying is that any packets destined for hosts connected to (inside) ethernet0 will be allowed out so long as the TCP session was initiated from a host on ethernet0, because they are part of an "established" session. Because SMTP connections may be initiated from hosts that are not connected to ethernet0, a second filter is required to allow SMTP sessions out to ethernet0.
Your telnet probably works because you are initiating the connection from a host connected to (inside) ethernet0; the response packets will therefore be permitted out through ethernet0 by the "established" filter. If you try telnetting to a host connected to ethernet0 from another interface, I think that you'll find that you can't. Without the established line, the only thing that should work is SMTP from any interface other than ethernet0 to a host on ethernet0. It occurs to me that you may simply need to change your "out" to an "in", as I think you've got your logic reversed. ------------------------------------------------------------------------- Paul Crossley (paul@toploguk.co.uk) Senior Consultant SCO ACE TopLog Limited TopLog House, Knaves Beech Business Centre, Loudwater, Bucks. HP10 9QY Phone (01628) 819444 Fax (01628) 819356 ------------------------------------------------------------------------- From firewalls-owner Thu Oct 5 04:52:46 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id EAA21584 for firewalls-outgoing; Thu, 5 Oct 1995 04:46:34 -0700 Received: from gatekeeper.frontec.se (gatekeeper.frontec.se [193.13.192.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id EAA21577 for ; Thu, 5 Oct 1995 04:46:28 -0700 Received: from tintin.lule.frontec.se (root@tintin.lule.frontec.se [192.36.15.4]) by gatekeeper.frontec.se (8.6.12/8.6.6) with SMTP id MAA26791 for ; Thu, 5 Oct 1995 12:45:00 +0100 Received: from lobo.lule.frontec.se by tintin.lule.frontec.se with SMTP id AA01670 (5.67a8/IDA-1.5 for ); Thu, 5 Oct 1995 12:44:58 +0100 Date: Thu, 5 Oct 1995 12:44:58 +0100 From: Petter Häggman Message-Id: <199510051144.AA01670@tintin.lule.frontec.se> To: firewalls@GreatCircle.COM Subject: Re: cisco router extended access-list question X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

ilias.liakopoulos@telecom.at wrote:
>
> Hello,
>
> I have set up an access-list like the example in
> UnileverCD
> for allowing only SMTP connections (the IP addrs are invented):
>
> access-list 102 permit tcp 1.2.3.4 0.0.0.0 2.2.3.4 0.0.0.0 established
> access-list 102 permit tcp 1.2.3.4 0.0.0.0 2.2.3.4 0.0.0.0 eq 25
>
> SMTP works but with this config I tried telnet and it also works .
> this is not acceptable and if I remove the established line ->
> nothing works.
> the interface config:
>
> interface Ethernet0
> ip address 2.2.3.2 'some adr mask'
> ip access-group 102 out
>
> have I done something wrong in the config or is this a bug
> in our version? :
>
[snip]

You can use access lists on both incoming and outgoing packets, and if what you want to accomplish is SMTP connections to and from your host, this should work:

interface Ethernet0
 ip address 2.2.3.2 'some adr mask'
 ip access-group 101 in
 ip access-group 102 out

! Allow SMTP connections from all to "my_host"
access-list 101 permit tcp 0.0.0.0 255.255.255.255 "my_host" 0.0.0.0 eq 25
! Allow connections from all to "my_host" that are established
access-list 101 permit tcp 0.0.0.0 255.255.255.255 "my_host" 0.0.0.0 established

! Allow "my_host" to connect to all on port SMTP
access-list 102 permit tcp "my_host" 0.0.0.0 0.0.0.0 255.255.255.255 eq 25
! Must allow tcp established on outgoing packets to make connection possible
access-list 102 permit tcp "my_host" 0.0.0.0 0.0.0.0 255.255.255.255 established

This should allow only SMTP connections in and out. Note that this is not the only way to do this, and one can apply small changes that totally change the filtering function. (For example, consider 'gt 1023' instead of 'established' on the second line of access list 102, which would allow your host to use any service on all hosts that resides on ports above 1023!)
Also note that when using filters both on incoming and outgoing packets, one has to read both filters at the same time to see the functionality, but that's what's fun about access-lists...;-) Hope this'll help you on the way..:-) /Petter -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Petter Haggman Email: Petter.Haggman@lule.frontec.se Arctic Software AB Phone: +46 920 75116 , Fax: +46 920 75199 Aurorum 1, S-977 75 Lulea, Sweden NMT: 010 - 259 42 77

From firewalls-owner Thu Oct 5 06:22:52 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA23065 for firewalls-outgoing; Thu, 5 Oct 1995 06:11:05 -0700 Received: from scifi.maid.com (scifi.emi.net [204.181.45.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA23056 for ; Thu, 5 Oct 1995 06:10:57 -0700 Received: (from njs@localhost) by scifi.maid.com (8.6.11/8.6.9) id JAA30854; Thu, 5 Oct 1995 09:07:48 -0400 Date: Thu, 5 Oct 1995 09:07:48 -29900 From: Nick Simicich Subject: Re: Encryption strength To: Brett Lymn cc: firewalls@GreatCircle.COM In-Reply-To: <9510050230.AA10917@bunya.awadi> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thu, 5 Oct 1995, Brett Lymn wrote:
> According to Nick Simicich:
> >
> > The new version of IBM's firewall provides this function. To set up a
> > secure channel, you describe the channel, and it cuts a diskette, which
> > you fedex to the other party.
> >
> How .... ummmmm..... trusting of you. I suppose it really depends on
> the level of security you are looking for but you did consider that
> the fedex package may get intercepted? Delivered to the incorrect
> person (say, the janitor)?

I knew as soon as I sent this that I was courting trouble from two points:

1. People would assume that I was advertising Fedex as a secure channel. I wasn't. I was advertising it as a 'different', non-network channel.

2.
People would assume that I was somehow endorsing Federal Express. Generally, IBM's deal is with Airborne :-). Hmmm...at some point, you have to trust someone. Is fedex (generic term for overnight courier, like aspirin for ASA :-) [now I expect a letter from Federal Express - please remember that I'm speaking for myself] a secure channel? No, but if you are that paranoid and your data is that valuable, you carry the key there yourself. I knew that I should have said, "You pick a courier that you can trust, depending on your level of paranoia - anyone from Fedex to your company CEO making a special trip depending on your level of trust and the value of your data" but I shortcut it. No, Fedex is not a secure channel - but a network cracker is unlikely to intercept it, I suspect. They may have other worldviews. My point was that the original key exchange was not by IP on a clear channel. You could also make an image of the diskette and transfer it by secure encrypted modem connection, or you could uuencode the config files, transcribe them to onionskin paper, send them by carrier pigeon, and OCR them at the other end. Or you could FTP the unencrypted diskette image on an open network and hope that no one would intercept it. You pick the method depending on your paranoia and the value of your data. Even if you hired a Brinks armored car to make a special trip with armed guards and couriers, how do you know that they haven't been subverted such that there is a laptop on the armored car to make a copy in transit? You don't. Do you have time and the money to make an overseas trip to courier a diskette? I believe that a cracker is significantly more likely to take the network approach of breaking the end system and getting the keys once the secure channel is set up.
If they are so intent on breaking you that they are intercepting your Fedex, you also have to worry about dumpster diving, people subverting employees, people kidnapping employees and stealing their ID to gain physical access to the building, armed attack and so forth. > Exchanging encryption keys is always a thorny problem since the key > _is_ your data security - if it is subverted then your encryption is > useless. Absolutely, and I didn't mean to make light of it. I did, though, and people made some good points. > -- > Brett Lymn, Computer Systems Administrator, AWA Defence Industries Nick Simicich - njs@scifi.emi.net - (last choice) njs@bcrvm1.vnet.ibm.com http://scifi.emi.net/njs.html -- Stop by and Light Up The World! From firewalls-owner Thu Oct 5 06:53:47 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA23331 for firewalls-outgoing; Thu, 5 Oct 1995 06:43:36 -0700 Received: from relay1.pipex.net (relay1.pipex.net [158.43.128.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA23324 for ; Thu, 5 Oct 1995 06:43:30 -0700 Received: from smtpgty.saicuk.co.uk by flow.pipex.net with SMTP (PP); Thu, 5 Oct 1995 14:41:57 +0100 Received: by smtpgty.saicuk.co.uk with Microsoft Mail id <3073E6D8@smtpgty.saicuk.co.uk>; Thu, 05 Oct 95 14:08:24 GMT From: "Johnson-Bryden, Ian" To: "'firewalls@greatcircle.com'" Subject: Re: Encryption strength Date: Thu, 05 Oct 95 13:48:00 GMT Message-ID: <3073E6D8@smtpgty.saicuk.co.uk> Encoding: 41 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Similar solution is one option with the Armadillo products which are also B1+ COTS products. However, the selection of a particular transit system is subject to your level of paranoia. I was involved in a system where the customer engaged an armed escort to convey the product from production to their embassy. 
From there it travelled under escort as a diplomatic bag transfer, and then under armed escort to the user site. Key changing is done by special messengers travelling between embassies. That's a bit OTT for most people and either reflected the paranoia of the customer or the fact that an ending of East West tension has created a large number of redundant or potentially redundant armed guards. Ian J-B

----------
From: firewalls-owner
Cc: firewalls
Subject: Re: Encryption strength
Date: Wednesday, October 04, 1995 8:08PM

On Wed, 4 Oct 1995, David Miller wrote:
> On Tue, 3 Oct 1995, Frank Willoughby wrote:
> > >From padgett's excellent mail:
>
> But this is the crux of the chicken-and-egg problem. How do they
> mutually authenticate each other? If they do it with a shared secret or
> through prior arrangement a secure channel had to previously exist. If
> there is no third party/shared secret then it's subject to a
> man-in-the-middle attack.

The new version of IBM's firewall provides this function. To set up a secure channel, you describe the channel, and it cuts a diskette, which you fedex to the other party.

> Now if *that's* been solved, I'd be *delighted* to hear about it!

I thought that was what the public key distribution stuff was all about.

Nick Simicich - njs@scifi.emi.net - (last choice) njs@bcrvm1.vnet.ibm.com http://scifi.emi.net/njs.html -- Stop by and Light Up The World!
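The chicken-and-egg problem quoted above (an unauthenticated exchange of public values is open to a man-in-the-middle, and the thread's answer is to move the first key material, or a check on it, onto a channel the network attacker does not control) as an added example. This is editor's code, not anything posted in the thread and not the IBM product's mechanism. It runs a Diffie-Hellman exchange with an active Mallory who substitutes her own public value in both directions, then repeats it with each side checking the value it received against a fingerprint delivered out of band beforehand (the diskette in the courier's hands). The group parameters, party names, toy stream cipher and sample message are assumed for illustration only and are not suitable for real use.

```python
"""Unauthenticated Diffie-Hellman under an active attacker, with and without an
out-of-band fingerprint check. Toy parameters, for illustration only."""
import hashlib
import secrets

# Toy group (assumed): the Mersenne prime 2^127-1 and base 5. Real deployments
# use a standardised group (e.g. RFC 3526) or an elliptic curve.
P = 2**127 - 1
G = 5


class Party:
    def __init__(self, name: str):
        self.name = name
        self._priv = secrets.randbelow(P - 2) + 1   # 1 <= x <= P-2, never leaves the host
        self.pub = pow(G, self._priv, P)             # g^x mod p, sent over the network

    def derive(self, peer_pub: int) -> bytes:
        """Session key from the peer's public value: H(peer_pub^x mod p)."""
        shared = pow(peer_pub, self._priv, P)
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def fingerprint(pub: int) -> str:
    """Short digest of a public value; this is what travels on the diskette."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream (same call
    encrypts and decrypts). Stands in for whatever the tunnel would use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def run_exchange(mitm: bool, verify_oob: bool) -> dict:
    """Alice and Bob swap public values over the network. With `mitm`, Mallory
    replaces both values with her own. With `verify_oob`, each side compares the
    value it received against a fingerprint delivered out of band beforehand."""
    alice, bob, mallory = Party("Alice"), Party("Bob"), Party("Mallory")
    # Carried by courier before the network exchange; Mallory cannot alter it.
    oob = {"Alice": fingerprint(alice.pub), "Bob": fingerprint(bob.pub)}

    seen_by_bob = mallory.pub if mitm else alice.pub     # what Bob gets as "Alice"
    seen_by_alice = mallory.pub if mitm else bob.pub     # what Alice gets as "Bob"

    if verify_oob and (fingerprint(seen_by_alice) != oob["Bob"]
                       or fingerprint(seen_by_bob) != oob["Alice"]):
        return {"aborted": True, "keys_agree": False,
                "bob_reads": False, "mallory_reads": False}

    alice_key = alice.derive(seen_by_alice)
    bob_key = bob.derive(seen_by_bob)
    # Mallory always sees Alice's real public value on the wire; the key she
    # derives from it equals Alice's only if Alice used Mallory's value as "Bob".
    mallory_key = mallory.derive(alice.pub)

    msg = b"transfer 100 units to account 42"   # constructed sample message
    wire = xor_stream(alice_key, msg)
    return {
        "aborted": False,
        "keys_agree": alice_key == bob_key,
        "bob_reads": xor_stream(bob_key, wire) == msg,
        "mallory_reads": xor_stream(mallory_key, wire) == msg,
    }


if __name__ == "__main__":
    for mitm in (False, True):
        for verify in (False, True):
            print(f"mitm={mitm!s:5} oob_check={verify!s:5} -> {run_exchange(mitm, verify)}")
```

The run with mitm=True and no check is the case the thread worries about: Alice and Bob each end up sharing a key with Mallory, who reads the traffic, and nothing in the protocol tells them. The check catches it because the fingerprint never touched the network. Note what the out-of-band channel needs: integrity, not secrecy. A courier who reads the fingerprint learns nothing useful, but one who can swap it defeats the check; a diskette that carries the key itself rather than a fingerprint needs both properties.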
From firewalls-owner Thu Oct 5 07:02:10 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA23288 for firewalls-outgoing; Thu, 5 Oct 1995 06:40:42 -0700 Received: from gatekeeper.ddp.state.me.us (gatekeeper.ddp.state.me.us [141.114.130.70]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA23269 for ; Thu, 5 Oct 1995 06:40:35 -0700 Received: from localhost by gatekeeper.ddp.state.me.us (8.6.5/1.37) id JAA01114; Thu, 5 Oct 1995 09:33:06 -0400 Date: Thu, 5 Oct 1995 09:33:05 -0400 (EDT) From: David Miller Subject: Re: Encryption strength To: Nick Simicich cc: firewalls@GreatCircle.COM In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Wed, 4 Oct 1995, Nick Simicich wrote:
> On Wed, 4 Oct 1995, David Miller wrote:
> > On Tue, 3 Oct 1995, Frank Willoughby wrote:
> > > >From padgett's excellent mail:
> >
> > But this is the crux of the chicken-and-egg problem. How do they
> > mutually authenticate each other? If they do it with a shared secret or
> > through prior arrangement a secure channel had to previously exist. If
> > there is no third party/shared secret then it's subject to a
> > man-in-the-middle attack.
>
> The new version of IBM's firewall provides this function. To set up a
> secure channel, you describe the channel, and it cuts a diskette, which
> you fedex to the other party.

Wouldn't you have to describe fedex as an additional channel, one which you are assuming is secure?

> > Now if *that's* been solved, I'd be *delighted* to hear about it!
>
> I thought that was what the public key distribution stuff was all about.

The public key solves part of the problem. Unfortunately it's subject to the man-in-the-middle (MITM) attack.
How do *you* know that the public key you hold for me is indeed *mine*, and not that of slimey_sam, who will decrypt your secret message to me, encode it with my *real* public key, and ship along to me (along with *his* public key which I then think is *yours*)???? I agree completely that the odds of this are truly remote. Particularly for things like mailing love triangle stories via PGP. But I'd like to see a mathematical solution to the problem so that I know there's no chance whatsoever that my telnet session to my branch in France is being listened to by the French authorities.

--- David Miller ---------------------------------------------------------------------------- It's *amazing* what one can accomplish when one doesn't know what one can't do!

From firewalls-owner Thu Oct 5 07:19:43 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA23315 for firewalls-outgoing; Thu, 5 Oct 1995 06:43:06 -0700 Received: from relay1.pipex.net (relay1.pipex.net [158.43.128.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA23307 for ; Thu, 5 Oct 1995 06:42:59 -0700 Received: from smtpgty.saicuk.co.uk by flow.pipex.net with SMTP (PP); Thu, 5 Oct 1995 14:41:08 +0100 Received: by smtpgty.saicuk.co.uk with Microsoft Mail id <3073E6AA@smtpgty.saicuk.co.uk>; Thu, 05 Oct 95 14:07:38 GMT From: "Johnson-Bryden, Ian" To: "'firewalls@greatcircle.com'" Subject: Re: DMZ definition ? Date: Thu, 05 Oct 95 12:48:00 GMT Message-ID: <3073E6AA@smtpgty.saicuk.co.uk> Encoding: 104 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Is also used sometimes to describe 'air-gapped' solutions where there is no physical link between the public and untrusted gateway and the sensitive/classified private networks.
In that situation, the traffic is taken onto transfer disks which are usually then examined by the security officer on a machine which serves as a sanitation area, before being loaded to the machine which gateways to one environment only. That obviously introduces delays which can be considerable and costly. The updated version of that approach is performed on Armadillo Gargoyle systems on a single Trusted Gateway server between the two networks which permits automated transfer using personal security profiles and only requires manual intervention if a user wants to transact outside his/her profile limits. That system is in use by civil and military departments of several governments where classified and unclassified data is involved. Where manual intervention is required, the security officer performs this on the same system and authorised transfers execute electronically within the machine rather than requiring disks to be used physically between two sets of unconnected machines. This has the virtue of applying high security with good levels of access at an affordable cost, is easily re-configured and can have the automated transfer shut down any time by the security officer if the situation demands it. It is flexible in that it can handle exceptions faster than an air-gapped system. Ian J-B.

----------
From: firewalls-owner
To: dasidwel
Cc: firewalls
Subject: Re: DMZ definition ?
Date: Wednesday, October 04, 1995 10:30PM

The term DMZ grew out of the border area between North and South Korea (or was it Vietnam, I wasn't alive for either...) We could argue all day about which of the following more exactly fit the definition of a DMZ, but that's what college professors are for :) IMHO a DMZ is any network which sits between two other networks, which, for whatever reason, have a problem with each other.

] Can anyone give me a concise definition of the term Demilitarized Zone, or DMZ

See above.

] for short, in connection with firewall terminology ?
] I am under the belief,
] perhaps incorrectly, that it is used to refer to any kind of screened subnet
] placed between the internal networks and the Internet (or other external
] networks).

Agreed.

] A colleague of mine is convinced that it is a separate subnet hung
] off a single firewall machine.

That's kind of fuzzy, though it could be constructed that this 'logical' network is between the two other networks.

] 1.
]             [ packet  ]                 [ packet  ]
] Internet---[filtering]----DMZ subnet----[filtering]---internal
]             [ router  ]   (containing   [ router  ]   networks

Yep.

] 2. As above but protected by firewalls instead of packet filtering routers.

Yep.

] 3.
] Internet----firewall----internal networks...
]                |
]                |
]               DMZ
]              subnet

3 == 1 logically. One could implement a system w/ 3 that did the same thing.

] Finally, does a DMZ implementation always prevent direct IP forwarding from
] Internet to internal nets ?

Nope. For whatever reason, network 1) above could allow telnets from the far left to the far right, and I'd have no problem with it, and would call it a DMZ. (actually, I would have a problem allowing telnets directly into my network, but I'd still whore myself out to the customer if their security policy allowed it. This is where me and the 'experts' part company.)

-- Alan Hannan Email: alan@mid.net Network Systems/Security Voice: (402) 472-0239 MIDnet, Lincoln NOC Office Fax: (402) 472-0240 " The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man.
" - George Bernard Shaw From firewalls-owner Thu Oct 5 07:24:09 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA23322 for firewalls-outgoing; Thu, 5 Oct 1995 06:43:11 -0700 Received: from relay1.pipex.net (relay1.pipex.net [158.43.128.6]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA23313 for ; Thu, 5 Oct 1995 06:43:04 -0700 Received: from smtpgty.saicuk.co.uk by flow.pipex.net with SMTP (PP); Thu, 5 Oct 1995 14:41:32 +0100 Received: by smtpgty.saicuk.co.uk with Microsoft Mail id <3073E6C2@smtpgty.saicuk.co.uk>; Thu, 05 Oct 95 14:08:02 GMT From: "Johnson-Bryden, Ian" To: "'firewalls@greatcircle.com'" Subject: RE: What's the admin effort Date: Thu, 05 Oct 95 13:40:00 GMT Message-ID: <3073E6C2@smtpgty.saicuk.co.uk> Encoding: 99 TEXT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk With respect thats a 'piece of string' question because there are so many variables, including: If you have a 'roll-your-own' firewall, as many do, you may have a considerable support overhead which should not be present in a Commercial Off The Shelf, COTS product. Whether the firewall is home brewed or COTS, it could come in any one of a wide range of configurations and that range is constantly growing as different users show different needs and the market for specialised systems grows. For example, some users want a barrier but only want to permit mail to pass, while others want to permit rich access to all facilities. For many, a firewall is a system for Internet access. However, there are other Information Super Highway environments and they may grow in number. That could increase management overheads because requirements could be very different for each ISH, even if you operate everything through a single machine. Most implemented firewalls are single machines but this should be regarded as a mission critical service for most users. 
How you handle resilience will have management overhead implications. Many users may have a single firewall gateway to ISH, but an increasing number of users are implementing firewalls at several different locations and management overhead will vary according to how you intend to manage these different sites. Overhead for a single level, system high, security policy will be different from a multi-level secure system. Perhaps the biggest variable will be traffic types and levels. If you only have a handful of emails passing each way, each day, the management requirement will be very different from that on a system where a wide range of activities are catered for, there are thousands of users, and Gbs of data passing 24X7. Although someone else may claim different, IMHO there is no linear graph which works because there are so many potential variables. Also there is the highly contentious issue of engineers 'playing'. There are subscribers to this list who clearly grew up with Internet firewalls and may have known a great deal about UNIX (or some other OS), but nothing about risk management/security, at least in the beginning. Over time they have acquired risk management knowledge, but often against a background of where they started from. At the other extreme, there are folk who are risk/security specialists from one or more environments. That provides a range of views and each of us must believe that our view is right, or nearly right. The UNIX background people are used to an environment where they start off with source code. The MS background folk generally believe the gospel according to Uncle Bill, etc. If your system is to be run by UNIX people, you may already be biased to home brew firewalls and the need for source code. That will probably result in maximum time spent on 'system management' but much of that time may be totally unnecessary. 
These are only a few variables, and responses to your posting will probably list a great many more, some of which may apply to your situation and some which won't. The most important factor is how you approached risk management. I really do not believe that a firewall can be treated on its own, any more than any other risk reduction service. You have to start with a real risk policy. That policy may determine that only a small % of employees need ISH access and it may be possible to restructure the private networks to reduce load on, or even remove the need for, a firewall. Do remember that many of us may have a vested interest, like trying to sell you a firewall, and the bad news about risk policies for product vendors is that sometimes they show there is no need to buy product, or that a very different type of product would best suit your specific needs. It should also establish what levels of control you should apply, and who should be managing security, and at what level. For example, a great many firewall owners simply add the security duties for the firewall to the sysad. In a structured risk management environment, you should have a security management team who are responsible for risk management through the enterprise, including information systems and gateways. How big that team is, and what % is firewall related, will depend on all the sizing factors and operational requirements. Then again, you could do what so many have done before and say that the firewall will take X% of the existing staffing time in the MIS department and hope you are right. If you are wrong then maybe you can smuggle additional headcount through later on, but then again you could end up with a bigger problem than you started out with. Ian J-B

----------
From: firewalls-owner
To: Firewalls
Subject: What's the admin effort
Date: Thursday, October 05, 1995 5:55PM

We're considering the business case for a firewall product at the moment.
I've been asked how much of a persons' (or multiple people) time would be taken up in day to day operational control of a firewall, in terms of monitoring the activity, and change management. Is there any sort of benchmarking of this activity that people are aware of, I'd be interested in any statistics or experience have had. Peter Cooper From firewalls-owner Thu Oct 5 07:31:19 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA24071 for firewalls-outgoing; Thu, 5 Oct 1995 07:13:55 -0700 Received: from mailhost.lanl.gov (mailhost.lanl.gov [128.165.3.12]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA24064 for ; Thu, 5 Oct 1995 07:13:52 -0700 Received: from xdiv.lanl.gov by mailhost.lanl.gov (8.6.12/1.2) id IAA20603; Thu, 5 Oct 1995 08:12:28 -0600 Received: from xdiv.lanl.gov (arno.lanl.gov [128.165.116.121]) by xdiv.lanl.gov (8.6.12/8.6.12) with SMTP id IAA20849 for ; Thu, 5 Oct 1995 08:12:38 -0600 Date: Thu, 5 Oct 1995 08:12:38 -0600 From: Parks Fields Message-Id: <199510051412.IAA20849@xdiv.lanl.gov> To: firewalls@greatcircle.com Subject: Security policy ? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello world, I know the basic of security is a good security policy. I have created a security policy but I am not 100% happy with it. Could some of you send me a copy of yours so I can figure out what mine is missing? Thank you. 
**************************************************************************** Parks Fields MS B218 Internet: parks@lanl.gov Los Alamos National Laboratory Phone: (505) 667-6872 Los Alamos, NM 87545 ****************************************************************************

From firewalls-owner Thu Oct 5 07:58:59 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA24055 for firewalls-outgoing; Thu, 5 Oct 1995 07:12:10 -0700 Received: from margit.scri.fsu.edu (margit.scri.fsu.edu [144.174.128.45]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id HAA24047 for ; Thu, 5 Oct 1995 07:12:05 -0700 Received: by margit.scri.fsu.edu (AIX 3.2/UCB 5.64/4.03) id AA12389; Thu, 5 Oct 1995 10:10:35 -0400 Date: Thu, 5 Oct 1995 10:10:35 -0400 From: hays@margit.scri.fsu.edu (Ken Hays) Message-Id: <9510051410.AA12389@margit.scri.fsu.edu> To: dasidwel@us.oracle.com Cc: firewalls@GreatCircle.COM In-Reply-To: <9510042317.AA28157@mailsun2.us.oracle.com> Subject: DMZ definition ? Reply-To: Ken Hays Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

David, In one of the views of the Internet architecture, the term DMZ is used to describe the media layer (Ethernet/FDDI/...) where route peering is done among multiple administrative regions that have their own policies for routing and transit traffic. This usage is not dependent on the routing protocols used, although BGP is the current favorite for peering between autonomous systems. I believe this to be a valid use of the term DMZ, of course this usage is wrt route peering and independent of whether there is any packet level filtering implemented. This usage might be viewed as #0 in your list below since it is the least disruptive of "wide open any to any" connectivity. In this case, it does not block "direct" access of packets from the internal nets to the rest of the world. This usage may not be to the taste of some but has existed for many years.
Of course, the routers doing the route peering are prime candidates for implementing any "network router level" packet filters that you desire, as depicted in your #1 below. An example would be blocking all the r* services from the "outer" regions. Later, Ken

--------------- Prompting Message Fragment Follows ---------------
"David Sidwell" wrote on 04-Oct-95 at 16:09:49 -0700, in part:
>
>Can anyone give me a concise definition of the term Demilitarized Zone, or DMZ
>for short, in connection with firewall terminology ? I am under the belief,
>perhaps incorrectly, that it is used to refer to any kind of screened subnet
>placed between the internal networks and the Internet (or other external
>networks). A colleague of mine is convinced that it is a separate subnet hung
>off a single firewall machine.
>
>So would the following be correctly termed DMZ's or not ?
>
>1.
>            [ packet  ]                 [ packet  ]
> Internet---[filtering]----DMZ subnet----[filtering]---internal
>            [ router  ]   (containing   [ router  ]   networks
>                           publicly
>                           accessible
>                           machines)
>
>2. As above but protected by firewalls instead of packet filtering routers.
>
>
>3.
> Internet----firewall----internal networks...
>                |
>                |
>               DMZ
>              subnet
>
>
>Finally, does a DMZ implementation always prevent direct IP forwarding from
>Internet to internal nets ?
> > TIA, > David Sidwell > > From firewalls-owner Thu Oct 5 08:25:54 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA25275 for firewalls-outgoing; Thu, 5 Oct 1995 08:00:02 -0700 Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA25256 for ; Thu, 5 Oct 1995 07:59:57 -0700 Received: from gmap-gw.leeds.ac.uk by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-950602) id HAA12734; Thu, 5 Oct 1995 07:51:26 -0700 Received: from gmap3 (gmap-mailhub.leeds.ac.uk [129.11.200.3]) by gmap-gw.leeds.ac.uk (8.6.12/8.6.9) with ESMTP id PAA00764 for ; Thu, 5 Oct 1995 15:31:17 +0100 Received: from gmap.leeds.ac.uk (dannyc@gmap124 [129.11.200.124]) by gmap3 (8.6.12/8.6.9) with SMTP id PAA02807 for ; Thu, 5 Oct 1995 15:52:59 +0100 From: Danny Cox Date: Thu, 5 Oct 1995 15:47:39 +0100 Message-Id: <642.9510051447@gmap.leeds.ac.uk> X-Planation: X-Faces images can be viewed with the XFaces program To: firewalls@greatcircle.com Subject: Firewalls ISDN and modems X-Sun-Charset: US-ASCII X-Face: (:_YnQcTM$q\Nl0.mYy:C'Y|(;&7.2m~Rc%xt; Thu, 5 Oct 1995 08:43:08 -0700 Received: from anton.the-wire.com (anton.the-wire.com [198.53.192.186]) by psyche.the-wire.com (8.6.10/8.6.9) with SMTP id LAA14491 for ; Thu, 5 Oct 1995 11:41:13 -0400 Date: Thu, 5 Oct 1995 11:41:13 -0400 Message-Id: <199510051541.LAA14491@psyche.the-wire.com> X-Sender: anton@the-wire.com X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.COM From: Anton J Aylward Subject: Re: Web Browser Test -- WHAT!!!! Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

The issue isn't whether I can or cannot telnet to a port and read the HTML the 'hard' way. The issue is the format and style of the posting. Go back and read the original. The issue is the philosophy, not the technology or the implementation.
It's in the same class, IMHO, as the "Send a postcard to Craig" postings. There's always someone who doesn't know, some poor sucker who gets caught. Perhaps I'm sufficiently a social creature to try and prevent the innocent and immature from the consequences of their own folly ;-) Yes, the actual document explains what it is about, but the author could equally well have said something to that effect in the posting. Why didn't he? Would someone inviting you to a trap have formatted the message in a similar way? Acks and Kudos to those who mailed me saying their reaction to such things is simply to delete them as junk mail for much the reasons I outlined. Just because something IS technically possible doesn't mean that we have to waste the time, money and manpower flutzing around with it. 'Nuff said, end of discussion, end of thread. /anton - from a nice quiet neighbourhood in paranoia city -- Anton J Aylward The Strahn and Strachan Group Inc Information Security Consultants Voice: (416) 494-8661 Fax: (416) 494-8803

From firewalls-owner Thu Oct 5 09:44:29 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA26238 for firewalls-outgoing; Thu, 5 Oct 1995 08:39:33 -0700 Received: from cap.au.af.mil ([132.60.58.245]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA26231 for ; Thu, 5 Oct 1995 08:39:29 -0700 Received: from Microsoft Mail (PU Serial #0) by cap.au.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct04.124655.0.12137; Thu, 05 Oct 1995 10:38:13 -0500 From: RTATE@folio.com (RTATEfolio.com) To: cmilam@cap.au.af.mil, firewalls@greatcircle.com (firewalls) Message-ID: <1995Oct04.124655.0.12137@cap.au.af.mil> X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Organization: Civil Air Patrol National Headquarters Date: Thu, 05 Oct 1995 10:38:13 -0500 Subject: Borderware vs.
Firewall-1 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Received: from relay4.UU.NET by spaatz.cap.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct04.124234.0.8747; Wed, 04 Oct 1995 12:42:35 -0500 Received: from miles.greatcircle.com by relay4.UU.NET with ESMTP id QQzjxm10004; Tue, 3 Oct 1995 19:43:45 -0400 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA28611 for firewalls-outgoing; Tue, 3 Oct 1995 16:05:44 -0700 Received: from folio.com (smtpgate.folio.com [198.60.24.58]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA28604 for ; Tue, 3 Oct 1995 16:05:41 -0700 From: RTATE@folio.com Received: from FOLIO_PRIMARY_DOMAIN-Message_Server by folio.com with WordPerfect_Office; Tue, 03 Oct 1995 17:07:44 -0600 Message-Id: X-Mailer: WordPerfect Office 4.0 Date: Tue, 03 Oct 1995 17:05:45 -0600 To: firewalls@greatcircle.com Subject: Borderware vs. Firewall-1 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ** Low Priority ** I am in the process of purchasing a firewall package for the company I work for. I have narrowed my choices down to Borderware and Firewall-1. Which is a better choice, and why? Is there another package out there that is better I may not have seen? Thanks in advance for responses!! Please reply to: rtate@folio.com Robert Tate Sr. Network Technician Folio Corporation Thanks robert From firewalls-owner Thu Oct 5 09:52:57 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA29177 for firewalls-outgoing; Thu, 5 Oct 1995 09:49:58 -0700 Received: from inms-db.os.dhhs.gov (inms-db.os.dhhs.gov [158.70.254.28]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA29164 for ; Thu, 5 Oct 1995 09:49:52 -0700 Received: by inms-db.os.dhhs.gov (4.1/2.9-eef) id AA07041; Thu, 5 Oct 95 12:42:53 EDT Date: Thu, 5 Oct 1995 12:42:53 -0400 (EDT) From: Alan Dowd To: Parks Fields Cc: firewalls@greatcircle.com Subject: Re: Security policy ? 
In-Reply-To: <199510051412.IAA20849@xdiv.lanl.gov> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Greetings, Parks!

On Thu, 5 Oct 1995, Parks Fields wrote:
> Hello world,
>
> I know the basic of security is a good security policy. I have created a
> security policy but I am not 100% happy with it. Could some of you
> send me a copy of yours so I can figure out what mine is missing?
>
> Thank you.
>
> ****************************************************************************
> Parks Fields
> MS B218 Internet: parks@lanl.gov
> Los Alamos National Laboratory Phone: (505) 667-6872
> Los Alamos, NM 87545
> ****************************************************************************

Start out with RFC1244: Site Security Handbook. You can obtain it from http://csrc.ncsl.nist.gov/secpolcy - the document is the last one on the page: rfc1244.txt. There are more security sites and sources of policy on the net than it is reasonable to list in a single reply. However, here are three good starting points for general security information:

NIST Computer Security Resource Center (CSRC) http://csrc.ncsl.nist.gov
TELSTRA http://www.telstra.com.au/security.html
DoE Computer Incident Advisory Center (CIAC) http://ciac.llnl.gov/ciac/CIACHome.html

Somewhere or another I tripped upon an archive of security policies from educational institutions, but I could not locate it on a real fast search for this reply. Perhaps, with the knowledge that it exists, you can find it with a bit of Web-walking. Regards, Al Dowd Unix Network Security Management Systems Applications, Inc.
From firewalls-owner Thu Oct 5 10:00:15 1995
From: peter@nmti.com (Peter da Silva)
Message-Id: <9510040104.AA11758@sonic.nmti.com.nmti.com>
Subject: Re: FW to FW FTP w/ no port > 1023
To: sgcccdc@citec.qld.gov.au (Colin Campbell)
Date: Tue, 3 Oct 1995 20:04:28 -0500 (CDT)
Cc: wbunting@ch.inri.com, firewalls@GreatCircle.COM
In-Reply-To: <9510022336.AA14998@citecub.citec.qld.gov.au> from "Colin Campbell" at Oct 3, 95 09:36:16 am

> > 3. Do not use FTP and write a TCP application that uses only a single TCP
> > port for data and control. Issues: Time + $$ no compatibility. Benefit:
> > solves the problem.

FSP and HTTP are both candidates for this application. And they've already been written. NNTP would work as well, and can be proxied with a simple plug gateway.

From firewalls-owner Thu Oct 5 10:30:55 1995
Date: Thu, 5 Oct 1995 12:51:04 -0400 (EDT)
From: Alan Dowd
To: Parks Fields, firewalls@greatcircle.com
Subject: Re: Security policy ?

On Thu, 5 Oct 1995, Alan Dowd wrote:

[... snip ...]

> Somewhere or another I tripped upon an archive of security policies from
> educational institutions, but I could not locate it on a real fast search
> for this reply. Perhaps, with the knowledge that it exists, you can find
> it with a bit of Web-walking.
>

And two minutes later I found the reference:

http://www.rpi.edu/Internet/Guides/decemj/icmc/organizations-standards.html

Regards,
Al Dowd
Unix Network Security
Management Systems Applications, Inc.

From firewalls-owner Thu Oct 5 10:35:16 1995
Date: Tue, 3 Oct 1995 13:46:08 -0700
From: Joe McGuckin
Message-Id: <199510032046.NAA07589@ns.via.net>
To: firewalls@GreatCircle.COM
Subject: Need Windows FTP client source

I need a windows FTP client that can do SNK authentication. I want to use it with the FWTK ftp-gw proxy.

The problem is that most of the gui based windows FTP clients don't have a command line or a logging window to view status messages, etc.

Any suggestions?
-joe From firewalls-owner Thu Oct 5 11:00:24 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA26627 for firewalls-outgoing; Thu, 5 Oct 1995 08:51:53 -0700 Received: from cap.au.af.mil ([132.60.58.245]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA26615 for ; Thu, 5 Oct 1995 08:51:48 -0700 Received: from Microsoft Mail (PU Serial #0) by cap.au.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct05.075000.0.12255; Thu, 05 Oct 1995 10:50:33 -0500 From: RTATE@folio.com (RTATEfolio.com) To: cmilam@cap.au.af.mil (cmilam), firewalls@greatcircle.com (firewalls) Message-ID: <1995Oct05.075000.0.12255@cap.au.af.mil> X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Organization: Civil Air Patrol National Headquarters Date: Thu, 05 Oct 1995 10:50:33 -0500 Subject: Borderware vs. Firewall-1 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Received: from cap.au.af.mil by cap.au.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct05.075007.0.8826; Thu, 05 Oct 1995 07:50:07 -0500 Received: from Microsoft Mail (PU Serial #0) by cap.au.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct04.124655.0.11870; Thu, 05 Oct 1995 07:50:07 -0500 From: RTATE@folio.com (RTATEfolio.com) To: cmilam@cap.au.af.mil , firewalls@greatcircle.com (firewalls) Message-ID: <1995Oct04.124655.0.11870@cap.au.af.mil> X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Organization: Civil Air Patrol National Headquarters Date: Thu, 05 Oct 1995 07:50:07 -0500 Subject: Borderware vs. 
Firewall-1 Received: from relay4.UU.NET by spaatz.cap.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct04.124234.0.8747; Wed, 04 Oct 1995 12:42:35 -0500 Received: from miles.greatcircle.com by relay4.UU.NET with ESMTP id QQzjxm10004; Tue, 3 Oct 1995 19:43:45 -0400 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA28611 for firewalls-outgoing; Tue, 3 Oct 1995 16:05:44 -0700 Received: from folio.com (smtpgate.folio.com [198.60.24.58]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA28604 for ; Tue, 3 Oct 1995 16:05:41 -0700 From: RTATE@folio.com Received: from FOLIO_PRIMARY_DOMAIN-Message_Server by folio.com with WordPerfect_Office; Tue, 03 Oct 1995 17:07:44 -0600 Message-Id: X-Mailer: WordPerfect Office 4.0 Date: Tue, 03 Oct 1995 17:05:45 -0600 To: firewalls@greatcircle.com Subject: Borderware vs. Firewall-1 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ** Low Priority ** I am in the process of purchasing a firewall package for the company I work for. I have narrowed my choices down to Borderware and Firewall-1. Which is a better choice, and why? Is there another package out there that is better I may not have seen? Thanks in advance for responses!! Please reply to: rtate@folio.com Robert Tate Sr. 
Network Technician Folio Corporation Thanks robert From firewalls-owner Thu Oct 5 11:05:50 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA26780 for firewalls-outgoing; Thu, 5 Oct 1995 08:55:14 -0700 Received: from cap.au.af.mil ([132.60.58.245]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA26770 for ; Thu, 5 Oct 1995 08:55:07 -0700 Received: from Microsoft Mail (PU Serial #0) by cap.au.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct05.080410.0.12310; Thu, 05 Oct 1995 10:53:51 -0500 From: peter@nmti.com (Peter da Silva) To: cmilam@cap.au.af.mil (cmilam), sgcccdc@citec.qld.gov.au (Colin Campbell) Cc: wbunting@ch.inri.com (wbunting), firewalls@GreatCircle.COM (firewalls) Message-ID: <1995Oct05.080410.0.12310@cap.au.af.mil> X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Organization: Civil Air Patrol National Headquarters Date: Thu, 05 Oct 1995 10:53:51 -0500 Subject: Re: FW to FW FTP w/ no port > 1023 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Received: from cap.au.af.mil by cap.au.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct05.080028.0.8846; Thu, 05 Oct 1995 08:00:28 -0500 Received: from Microsoft Mail (PU Serial #0) by cap.au.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct05.071240.0.11911; Thu, 05 Oct 1995 08:00:28 -0500 From: peter@nmti.com (Peter da Silva) To: cmilam@cap.au.af.mil , sgcccdc@citec.qld.gov.au (Colin Campbell) Cc: wbunting@ch.inri.com (wbunting), firewalls@GreatCircle.COM (firewalls) Message-ID: <1995Oct05.071240.0.11911@cap.au.af.mil> X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Organization: Civil Air Patrol National Headquarters Date: Thu, 05 Oct 1995 08:00:28 -0500 Subject: Re: FW to FW FTP w/ no port > 1023 Received: from relay2.UU.NET by 
spaatz.cap.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct04.125109.0.8805; Wed, 04 Oct 1995 12:51:09 -0500 Received: from miles.greatcircle.com by relay2.UU.NET with ESMTP id QQzjyf20945; Wed, 4 Oct 1995 00:28:48 -0400 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA05431 for firewalls-outgoing; Tue, 3 Oct 1995 20:52:03 -0700 Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id UAA05424 for ; Tue, 3 Oct 1995 20:52:00 -0700 Received: from ris1.UUCP (ficc@localhost) by uuneo.neosoft.com (8.6.10/8.6.10) with UUCP id WAA09928 for GreatCircle.COM!firewalls; Tue, 3 Oct 1995 22:33:46 -0500 Received: by ris1.nmti.com (smail2.5) id AA18501; 3 Oct 95 19:37:40 CDT (Tue) Received: by sonic.nmti.com; id AA11758; Tue, 3 Oct 1995 20:04:29 -0500 From: peter@nmti.com (Peter da Silva) Message-Id: <9510040104.AA11758@sonic.nmti.com.nmti.com> Subject: Re: FW to FW FTP w/ no port > 1023 To: sgcccdc@citec.qld.gov.au (Colin Campbell) Date: Tue, 3 Oct 1995 20:04:28 -0500 (CDT) Cc: wbunting@ch.inri.com, firewalls@GreatCircle.COM In-Reply-To: <9510022336.AA14998@citecub.citec.qld.gov.au> from "Colin Campbell" at Oct 3, 95 09:36:16 am X-Mailer: ELM [version 2.4 PL23] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > 3. Do not use FTP and write a TCP application that uses only a single TCP > > port for data and control. Issues: Time + $$ no compatibility. Benefit: > > solves the problem. FSP and HTTP are both candidates for this application. And they've already been written. NNTP would work as well, and can be proxied with a simple plug gateway. 
From firewalls-owner Thu Oct 5 11:07:05 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA26819 for firewalls-outgoing; Thu, 5 Oct 1995 08:56:13 -0700 Received: from cap.au.af.mil ([132.60.58.245]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA26811 for ; Thu, 5 Oct 1995 08:56:08 -0700 Received: from Microsoft Mail (PU Serial #0) by cap.au.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct05.082703.0.12332; Thu, 05 Oct 1995 10:54:51 -0500 From: RTATE@folio.com (RTATEfolio.com) To: cmilam@cap.au.af.mil (cmilam), firewalls@greatcircle.com (firewalls) Message-ID: <1995Oct05.082703.0.12332@cap.au.af.mil> X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Organization: Civil Air Patrol National Headquarters Date: Thu, 05 Oct 1995 10:54:51 -0500 Subject: Borderware vs. Firewall-1 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Received: from cap.au.af.mil by cap.au.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct05.082330.0.8857; Thu, 05 Oct 1995 08:23:30 -0500 Received: from Microsoft Mail (PU Serial #0) by cap.au.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct05.075000.0.11935; Thu, 05 Oct 1995 08:23:30 -0500 From: RTATE@folio.com (RTATEfolio.com) To: cmilam@cap.au.af.mil (cmilam), firewalls@greatcircle.com (firewalls) Message-ID: <1995Oct05.075000.0.11935@cap.au.af.mil> X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Organization: Civil Air Patrol National Headquarters Date: Thu, 05 Oct 1995 08:23:30 -0500 Subject: Borderware vs. 
Firewall-1 Received: from cap.au.af.mil by cap.au.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct05.075007.0.8826; Thu, 05 Oct 1995 07:50:07 -0500 Received: from Microsoft Mail (PU Serial #0) by cap.au.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct04.124655.0.11870; Thu, 05 Oct 1995 07:50:07 -0500 From: RTATE@folio.com (RTATEfolio.com) To: cmilam@cap.au.af.mil , firewalls@greatcircle.com (firewalls) Message-ID: <1995Oct04.124655.0.11870@cap.au.af.mil> X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT Organization: Civil Air Patrol National Headquarters Date: Thu, 05 Oct 1995 07:50:07 -0500 Subject: Borderware vs. Firewall-1 Received: from relay4.UU.NET by spaatz.cap.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct04.124234.0.8747; Wed, 04 Oct 1995 12:42:35 -0500 Received: from miles.greatcircle.com by relay4.UU.NET with ESMTP id QQzjxm10004; Tue, 3 Oct 1995 19:43:45 -0400 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA28611 for firewalls-outgoing; Tue, 3 Oct 1995 16:05:44 -0700 Received: from folio.com (smtpgate.folio.com [198.60.24.58]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA28604 for ; Tue, 3 Oct 1995 16:05:41 -0700 From: RTATE@folio.com Received: from FOLIO_PRIMARY_DOMAIN-Message_Server by folio.com with WordPerfect_Office; Tue, 03 Oct 1995 17:07:44 -0600 Message-Id: X-Mailer: WordPerfect Office 4.0 Date: Tue, 03 Oct 1995 17:05:45 -0600 To: firewalls@greatcircle.com Subject: Borderware vs. Firewall-1 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ** Low Priority ** I am in the process of purchasing a firewall package for the company I work for. I have narrowed my choices down to Borderware and Firewall-1. Which is a better choice, and why? Is there another package out there that is better I may not have seen? Thanks in advance for responses!! Please reply to: rtate@folio.com Robert Tate Sr. 
Network Technician Folio Corporation Thanks robert From firewalls-owner Thu Oct 5 11:07:48 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA00640 for firewalls-outgoing; Thu, 5 Oct 1995 10:33:56 -0700 Received: from spaatz.cap.af.mil ([132.60.58.245]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA00604 for ; Thu, 5 Oct 1995 10:33:46 -0700 Received: from Microsoft Mail (PU Serial #0) by spaatz.cap.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct05.114159.0.13101; Thu, 05 Oct 1995 12:32:30 -0500 From: joe@ns.via.net (Joe McGuckin) To: cmilam@cap.au.af.mil (cmilam), firewalls@GreatCircle.COM (firewalls) Message-ID: <1995Oct05.114159.0.13101@spaatz.cap.af.mil> X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Organization: Civil Air Patrol National Headquarters Date: Thu, 05 Oct 1995 12:32:30 -0500 Subject: Need Windows FTP client source Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Message-ID: <1995Oct05.092558.0.12470@cap.au.af.mil> X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Organization: Civil Air Patrol National Headquarters Date: Thu, 05 Oct 1995 10:59:08 -0500 Subject: Need Windows FTP client source Received: from cap.au.af.mil by cap.au.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct05.092345.0.8927; Thu, 05 Oct 1995 09:23:46 -0500 Received: from Microsoft Mail (PU Serial #0) by cap.au.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct05.083200.0.12078; Thu, 05 Oct 1995 09:23:46 -0500 From: joe@ns.via.net (Joe McGuckin) To: cmilam@cap.au.af.mil (cmilam), firewalls@GreatCircle.COM (firewalls) Message-ID: <1995Oct05.083200.0.12078@cap.au.af.mil> X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT Organization: Civil Air Patrol National Headquarters Date: Thu, 05 Oct 1995 
09:23:46 -0500 Subject: Need Windows FTP client source Received: from cap.au.af.mil by cap.au.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct05.083256.0.8879; Thu, 05 Oct 1995 08:32:56 -0500 Received: from Microsoft Mail (PU Serial #0) by cap.au.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct05.080000.0.11977; Thu, 05 Oct 1995 08:32:56 -0500 From: joe@ns.via.net (Joe McGuckin) To: cmilam@cap.au.af.mil (cmilam), firewalls@GreatCircle.COM (firewalls) Message-ID: <1995Oct05.080000.0.11977@cap.au.af.mil> X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT Organization: Civil Air Patrol National Headquarters Date: Thu, 05 Oct 1995 08:32:56 -0500 Subject: Need Windows FTP client source Received: from cap.au.af.mil by cap.au.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct05.080028.0.8843; Thu, 05 Oct 1995 08:00:28 -0500 Received: from Microsoft Mail (PU Serial #0) by cap.au.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct05.071240.0.11908; Thu, 05 Oct 1995 08:00:28 -0500 From: joe@ns.via.net (Joe McGuckin) To: cmilam@cap.au.af.mil , firewalls@GreatCircle.COM (firewalls) Message-ID: <1995Oct05.071240.0.11908@cap.au.af.mil> X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT Organization: Civil Air Patrol National Headquarters Date: Thu, 05 Oct 1995 08:00:28 -0500 Subject: Need Windows FTP client source Received: from relay3.UU.NET by spaatz.cap.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct05.070658.0.8812; Thu, 05 Oct 1995 07:06:59 -0500 Received: from miles.greatcircle.com by relay3.UU.NET with ESMTP id QQzjxg07039; Tue, 3 Oct 1995 18:08:55 -0400 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA23435 for firewalls-outgoing; Tue, 3 Oct 1995 13:47:43 -0700 Received: from ns.via.net (ns.via.net [140.174.204.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA23422 for ; Tue, 3 Oct 1995 13:47:38 
-0700 Received: (from joe@localhost) by ns.via.net (8.6.9/8.6.9) id NAA07589 for firewalls@GreatCircle.COM; Tue, 3 Oct 1995 13:46:08 -0700 Date: Tue, 3 Oct 1995 13:46:08 -0700 From: Joe McGuckin Message-Id: <199510032046.NAA07589@ns.via.net> To: firewalls@GreatCircle.COM Subject: Need Windows FTP client source Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I need a windows FTP client that can do SNK authentication. I want to use it with the FWTK ftp-gw proxy. The problem is that most of the gui based windows FTP clients don't have a command line or a logging window to view status messages, etc. Any suggestions? -joe From firewalls-owner Thu Oct 5 11:10:42 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA26265 for firewalls-outgoing; Thu, 5 Oct 1995 08:40:21 -0700 Received: from cap.au.af.mil ([132.60.58.245]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA26258 for ; Thu, 5 Oct 1995 08:40:15 -0700 Received: from Microsoft Mail (PU Serial #0) by cap.au.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct04.124656.0.12147; Thu, 05 Oct 1995 10:38:59 -0500 From: PADGETT@hobbes.orl.mmc.com (A. Padgett Peterson, P.E. 
Infor) To: cmilam@cap.au.af.mil (cmilam), firewalls@greatcircle.com (firewalls) Message-ID: <1995Oct04.124656.0.12147@cap.au.af.mil> X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Organization: Civil Air Patrol National Headquarters Date: Thu, 05 Oct 1995 10:38:59 -0500 Subject: re: Encryption Strength Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Received: from spaatz.cap.af.mil by spaatz.cap.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct04.124345.0.8756; Wed, 04 Oct 1995 12:43:45 -0500 Received: from Microsoft Mail (PU Serial #0) by spaatz.cap.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct04.123823.0.11762; Wed, 04 Oct 1995 12:43:45 -0500 From: PADGETT@hobbes.orl.mmc.com (A. Padgett Peterson, P.E. Infor) To: cmilam@cap.au.af.mil , firewalls@greatcircle.com (firewalls) Message-ID: <1995Oct04.123823.0.11762@spaatz.cap.af.mil> X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Organization: Civil Air Patrol National Headquarters Date: Wed, 04 Oct 1995 12:43:45 -0500 Subject: re: Encryption Strength Received: from relay4.UU.NET by spaatz.cap.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct04.123619.0.8704; Wed, 04 Oct 1995 12:36:20 -0500 Received: from miles.greatcircle.com by relay4.UU.NET with ESMTP id QQzjzx29201; Wed, 4 Oct 1995 11:18:20 -0400 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA14097 for firewalls-outgoing; Wed, 4 Oct 1995 06:47:14 -0700 Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA14083 for ; Wed, 4 Oct 1995 06:47:10 -0700 Date: Wed, 4 Oct 1995 9:45:44 -0400 (EDT) From: "A. Padgett Peterson, P.E. 
Information Security" To: firewalls@greatcircle.com Message-Id: <951004094544.2105ed38@hobbes.orl.mmc.com> Subject: re: Encryption Strength Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Would it suffice to say that it was good enough for NSA - and that it is the >*only* Internet firewall used in a NSA-approved configuration? In a public >forum, this is probably all I can say. No, a) Cryptic remarks like that have no place on a public forum IMNSHO and are considered free of content. Better not to be said at all. b) Was talking to X-3 (dept id, not a code name 8*) yesterday and it was not mentioned. Asked specifically about firewalls (true those folks do not volunteer and I was asking about another subject but did ask specifically which firewalls had been "examined"). c) "Security by obscurity" rates a "Run, do not Walk". d) "Assume" you refer to the MISSI stuff approved for connection of up-to-Secret LANs to unclassified. Those I know of still require an out-of-channel exchange to take place to define "trust". e) The NSA/NIST/NCSA conference in Baltimore next week will be a good place to discuss such things (plug). Vendor suites with open bars particularly appreciated 8*). Is Tuesday 10th - Friday 13th at the convention center at the Inner Harbour. Don't miss Phillips. Warmly, Padgett From firewalls-owner Thu Oct 5 11:12:06 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA26566 for firewalls-outgoing; Thu, 5 Oct 1995 08:50:38 -0700 Received: from cap.au.af.mil ([132.60.58.245]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA26559 for ; Thu, 5 Oct 1995 08:50:34 -0700 Received: from Microsoft Mail (PU Serial #0) by cap.au.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct05.073459.0.12245; Thu, 05 Oct 1995 10:49:17 -0500 From: PADGETT@hobbes.orl.mmc.com (A. Padgett Peterson, P.E. 
Infor) To: cmilam@cap.au.af.mil (cmilam), firewalls@greatcircle.com (firewalls) Message-ID: <1995Oct05.073459.0.12245@cap.au.af.mil> X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Organization: Civil Air Patrol National Headquarters Date: Thu, 05 Oct 1995 10:49:17 -0500 Subject: re: Encryption Strength Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Received: from cap.au.af.mil by cap.au.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct05.073230.0.8821; Thu, 05 Oct 1995 07:32:30 -0500 Received: from Microsoft Mail (PU Serial #0) by cap.au.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct04.124656.0.11860; Thu, 05 Oct 1995 07:32:30 -0500 From: PADGETT@hobbes.orl.mmc.com (A. Padgett Peterson, P.E. Infor) To: cmilam@cap.au.af.mil (cmilam), firewalls@greatcircle.com (firewalls) Message-ID: <1995Oct04.124656.0.11860@cap.au.af.mil> X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Organization: Civil Air Patrol National Headquarters Date: Thu, 05 Oct 1995 07:32:30 -0500 Subject: re: Encryption Strength Received: from spaatz.cap.af.mil by spaatz.cap.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct04.124345.0.8756; Wed, 04 Oct 1995 12:43:45 -0500 Received: from Microsoft Mail (PU Serial #0) by spaatz.cap.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct04.123823.0.11762; Wed, 04 Oct 1995 12:43:45 -0500 From: PADGETT@hobbes.orl.mmc.com (A. Padgett Peterson, P.E. 
Infor) To: cmilam@cap.au.af.mil , firewalls@greatcircle.com (firewalls) Message-ID: <1995Oct04.123823.0.11762@spaatz.cap.af.mil> X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT Organization: Civil Air Patrol National Headquarters Date: Wed, 04 Oct 1995 12:43:45 -0500 Subject: re: Encryption Strength Received: from relay4.UU.NET by spaatz.cap.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct04.123619.0.8704; Wed, 04 Oct 1995 12:36:20 -0500 Received: from miles.greatcircle.com by relay4.UU.NET with ESMTP id QQzjzx29201; Wed, 4 Oct 1995 11:18:20 -0400 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id GAA14097 for firewalls-outgoing; Wed, 4 Oct 1995 06:47:14 -0700 Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id GAA14083 for ; Wed, 4 Oct 1995 06:47:10 -0700 Date: Wed, 4 Oct 1995 9:45:44 -0400 (EDT) From: "A. Padgett Peterson, P.E. Information Security" To: firewalls@greatcircle.com Message-Id: <951004094544.2105ed38@hobbes.orl.mmc.com> Subject: re: Encryption Strength Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Would it suffice to say that it was good enough for NSA - and that it is the >*only* Internet firewall used in a NSA-approved configuration? In a public >forum, this is probably all I can say. No, a) Cryptic remarks like that have no place on a public forum IMNSHO and are considered free of content. Better not to be said at all. b) Was talking to X-3 (dept id, not a code name 8*) yesterday and it was not mentioned. Asked specifically about firewalls (true those folks do not volunteer and I was asking about another subject but did ask specifically which firewalls had been "examined"). c) "Security by obscurity" rates a "Run, do not Walk". d) "Assume" you refer to the MISSI stuff approved for connection of up-to-Secret LANs to unclassified. 
Those I know of still require an out-of-channel exchange to take place to define "trust".

e) The NSA/NIST/NCSA conference in Baltimore next week will be a good place to discuss such things (plug). Vendor suites with open bars particularly appreciated 8*). Is Tuesday 10th - Friday 13th at the convention center at the Inner Harbour. Don't miss Phillips.

Warmly, Padgett

From firewalls-owner Thu Oct 5 11:13:27 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA26797 for firewalls-outgoing; Thu, 5 Oct 1995 08:55:28 -0700
Received: from cap.au.af.mil ([132.60.58.245]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA26790 for ; Thu, 5 Oct 1995 08:55:22 -0700
Received: from Microsoft Mail (PU Serial #0) by cap.au.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct05.080850.0.12314; Thu, 05 Oct 1995 10:54:05 -0500
From: PADGETT@hobbes.orl.mmc.com (A. Padgett Peterson, P.E. Infor)
To: cmilam@cap.au.af.mil (cmilam), firewalls@greatcircle.com (firewalls)
Message-ID: <1995Oct05.080850.0.12314@cap.au.af.mil>
X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Organization: Civil Air Patrol National Headquarters
Date: Thu, 05 Oct 1995 10:54:05 -0500
Subject: re: Encryption Strength
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Date: Wed, 4 Oct 1995 9:45:44 -0400 (EDT)
From: "A. Padgett Peterson, P.E. Information Security"
To: firewalls@greatcircle.com
Message-Id: <951004094544.2105ed38@hobbes.orl.mmc.com>
Subject: re: Encryption Strength

>Would it suffice to say that it was good enough for NSA - and that it is the
>*only* Internet firewall used in a NSA-approved configuration? In a public
>forum, this is probably all I can say.

No,

a) Cryptic remarks like that have no place on a public forum IMNSHO and are considered free of content. Better not to be said at all.

b) Was talking to X-3 (dept id, not a code name 8*) yesterday and it was not mentioned. Asked specifically about firewalls (true those folks do not volunteer and I was asking about another subject but did ask specifically which firewalls had been "examined").

c) "Security by obscurity" rates a "Run, do not Walk".

d) "Assume" you refer to the MISSI stuff approved for connection of up-to-Secret LANs to unclassified. Those I know of still require an out-of-channel exchange to take place to define "trust".

e) The NSA/NIST/NCSA conference in Baltimore next week will be a good place to discuss such things (plug). Vendor suites with open bars particularly appreciated 8*). Is Tuesday 10th - Friday 13th at the convention center at the Inner Harbour. Don't miss Phillips.

Warmly, Padgett

From firewalls-owner Thu Oct 5 11:14:39 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA27265 for firewalls-outgoing; Thu, 5 Oct 1995 09:09:32 -0700
Received: from hobbes.orl.mmc.com (hobbes.orl.mmc.com [141.240.192.100]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA27251 for ; Thu, 5 Oct 1995 09:09:25 -0700
Date: Thu, 5 Oct 1995 12:07:48 -0400 (EDT)
From: "A. Padgett Peterson, P.E. Information Security"
To: firewalls@greatcircle.com
Message-Id: <951005120748.21066a30@hobbes.orl.mmc.com>
Subject: Re: FTPing through a smart firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Vessa commented that this seemed difficult (someone else's post):

> slope indeed. IBM's NAT does FTP proxying via DNS tricks and temporary
> address assignments, and accomplishes its goals without any layering
> violations -- in particular the user data is never interpreted.

Really not difficult at all provided standard conventions are followed:

Node makes Port 21 connection to DE along with PORT command. Firewall sees this and watches for return from same DE port 20 addressed to same node. Can assume the requested port on the internal node is the requested one, never needs to read/interpret the PORT command since the response header contains all necessary port information (and is good to open data channel only if command channel was previously opened).

Warmly, Padgett
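The control/data-channel bookkeeping Padgett describes above, modelled as an added example (the editor's code, not anything from the post or from a product): the filter keys on the (internal node, external server) pair exactly as the post does, never reads the PORT command, and adds one tightening the post does not mention, that the data connection must target an unprivileged port. The addresses and packet sequence are constructed.

```python
"""Stateful admission of active-mode FTP data channels.

The filter records each outbound control connection (internal node ->
external server port 21) and admits an inbound connection from that
server's port 20 to that node only while the control channel is open.
Constructed example; not code from any firewall product."""
from dataclasses import dataclass

FTP_CONTROL_PORT = 21
FTP_DATA_PORT = 20


@dataclass(frozen=True)
class Segment:
    """The fields of a TCP segment the filter looks at (constructed)."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # connection-opening segment
    fin: bool = False   # connection-closing segment


class FtpChannelTracker:
    def __init__(self, internal_prefix, min_data_port=1024):
        self.internal_prefix = internal_prefix   # e.g. "10.1." (constructed)
        self.min_data_port = min_data_port       # tightening not in the post
        # (internal node, external server) pairs with an open control channel
        self.open_control = set()

    def _internal(self, ip):
        return ip.startswith(self.internal_prefix)

    def decide(self, seg):
        """Return 'ALLOW' or 'DENY' for one segment and update state."""
        outbound = self._internal(seg.src) and not self._internal(seg.dst)
        inbound = self._internal(seg.dst) and not self._internal(seg.src)

        # Outbound control channel: remember (node, server) while it is open.
        if outbound and seg.dport == FTP_CONTROL_PORT:
            key = (seg.src, seg.dst)
            if seg.syn:
                self.open_control.add(key)
            if seg.fin:
                self.open_control.discard(key)
            return "ALLOW"

        # Inbound data channel: server port 20 -> node, admitted only if that
        # node currently has a control channel open to that server.
        if inbound and seg.sport == FTP_DATA_PORT:
            if (seg.dst, seg.src) in self.open_control and seg.dport >= self.min_data_port:
                return "ALLOW"
            return "DENY"

        # Everything else: outbound permitted, unsolicited inbound refused.
        return "ALLOW" if outbound else "DENY"


def run_sample_session():
    """Replay a constructed packet sequence; returns the list of decisions."""
    fw = FtpChannelTracker("10.1.")
    node, other_node = "10.1.0.5", "10.1.0.9"
    server, other_server = "192.0.2.10", "198.51.100.7"
    segments = [
        Segment(node, 1500, server, 21, syn=True),        # control channel opens
        Segment(server, 20, node, 1501, syn=True),        # data channel: matches
        Segment(server, 20, other_node, 1501, syn=True),  # other node: no control
        Segment(other_server, 20, node, 1501, syn=True),  # other server: no control
        Segment(server, 20, node, 513, syn=True),         # privileged port: refused
        Segment(server, 1234, node, 1501, syn=True),      # not from port 20
        Segment(node, 1500, server, 21, fin=True),        # control channel closes
        Segment(server, 20, node, 1502, syn=True),        # after close: refused
    ]
    return [fw.decide(s) for s in segments]
```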
From firewalls-owner Thu Oct 5 11:16:33 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA00738 for firewalls-outgoing; Thu, 5 Oct 1995 10:35:42 -0700
Received: from spaatz.cap.af.mil ([132.60.58.245]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA00710 for ; Thu, 5 Oct 1995 10:35:34 -0700
Received: from Microsoft Mail (PU Serial #0) by spaatz.cap.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct05.114209.0.13165; Thu, 05 Oct 1995 12:34:17 -0500
From: Pat_Heinle@STAR9GATE.MITRE.ORG (Pat Heinle)
To: cmilam@cap.au.af.mil (cmilam), Firewalls@GreatCircle.COM (Firewalls)
Message-ID: <1995Oct05.114209.0.13165@spaatz.cap.af.mil>
X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Organization: Civil Air Patrol National Headquarters
Date: Thu, 05 Oct 1995 12:34:17 -0500
Subject: Re: Firewalls-Digest V4 #573
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Date: 4 Oct 1995 12:46:35 -0500
From: "Pat Heinle"
Subject: Re: Firewalls-Digest V4 #573
To: Firewalls@GreatCircle.COM
X-Mailer: Mail*Link SMTP-QM 3.0.2

Reply to: RE>Firewalls-Digest V4 #573

From: pheinle@mitre.org
Subject: RE> Borderware vs. Firewall-1

Mr. Tate asks:

I am in the process of purchasing a firewall package for the company I work for. I have narrowed my choices down to Borderware and Firewall-1. Which is a better choice, and why? Is there another package out there that is better I may not have seen?

rtate@folio.com

--

Robert,

"Info Security News" just had a supplement to their magazine for Sept/Oct. 95 entitled "Internet Security." Within the "Internet Security" supplement was a section, Shopping for Firewalls, which contained a matrix of a majority of the current firewall products and their attributes. It might provide some additional insight.

In addition to your Security Policy, which Luc noted in his response, another issue to consider is how well the Firewall product adjusts as your enterprise expands.

Good luck.

Patty

--------------------------------------
Date: 10/4/95 11:34 AM
To: Pat Heinle
From: Firewalls@GreatCircle.COM

!!! Original message was too large. !!!
!!! It is contained in the enclosure whose name !!!
!!! is the same as the subject of this message. !!!
!!! A preview of the message follows:

Firewalls-Digest Wednesday, 4 October 1995 Volume 04 : Number 573

In this issue:

-No Subject-
IRC
FLEXlm with proxy ...?
Re: NFS
Need Windows FTP client source
Borderware (was: Information, We want information)
Re: Encryption strength
Borderware vs. Firewall-1
Exact format for subscribing the info security list.
re: Encryption strength
re re nfs
Re: Mail Proxy
Re: FW to FW FTP w/ no port > 1023
re: Encryption strength
re: network address translation
RE: Borderware vs. Firewall-1
[none]
Re: Encryption strength
Re: Mail proxy

See the end of the digest for information on subscribing to the Firewalls or Firewalls-Digest mailing lists and on how to retrieve back issues.

----------------------------------------------------------------------

From: Joseph Urban
Date: 3 Oct 95 14:12:00
Subject: -No Subject-

sunscribe firewalls-digest

------------------------------

From: oddboy@vegas.com
Date: Tue, 3 Oct 1995 11:42:44 -0700
Subject: IRC

I find myself in the position of having to put up a private IRC server (private being not connected to either Undernet or Efnet). Basically this is to allow "chat" forums for a few of my clients. I would like to make these chat lines live outside of my firewall (and plan on it) but am curious what I should watch out for in terms of folks being able to hack through and into an OS. (I run Solaris 2.4 but I think the IRC server will run on a DEC box running OSF/DecUnix.) Any and all info will be greatly appreciated.

Gideon Wober
Systems Administrator
Digitainment Corporation

------------------------------

From: jordan@Heuristicrat.COM (Jordan M. Hayes)
Date: Tue, 3 Oct 95 12:09:16 PDT
Subject: FLEXlm with proxy ...?

Anyone built a FLEXlm proxy for FWTK?

/jordan

------------------------------

From: Doug Hughes
Date: Tue, 3 Oct 1995 13:42:56 -0500
Subject: Re: NFS

>
>I am sure that this topic has been beaten to death, so if someone would
>just point me at the discussion (or tell me that there is no solution)
>I would be happy to take it from there. I remember reading a paper a
>couple years ago describing why NFS could never be made secure, but for
>the life of me I can't seem to find it now.
>
>The problem is SUN's NFS under SUNOS 4.1.3/4. I have a server with a half
>dozen file systems that are exported read-only to all the other machines
>in the domain. I would like to restrict their mounting to machines within
>the domain while maintaining connectivity to the outside world.
>SUN's software does not support this option, it only allows specifying
>specific machine names, and the list of *all* machine names overflows
>some internal limit in SUN's software.
>
>[ The machine uses DNS and not YP, it is rumored that possibly with YP one
>can get by this limit, but I have no interest in adding YP to my list of
>problems. ]
>
>So, the Questions
>
> (1) WITHOUT resorting to a firewall, is there any way to accomplish
>what I want to do?
>
> (2) If not, can it be done with a `simple' packet filter, or does it
>require a full blown firewall?
>
>
> Reg.Clemens
> clemens@dwf.com
>
>

Without necessarily resorting to a firewall, you can have your router to the outside world block:

port 2049/udp - NFS
port 111 udp/tcp - Sun RPC
source routed packets
outside packets with internal IP source addresses (IP spoofing)

This helps prevent a great deal of the most common attacks on NFS by preventing it getting outside your domain at the interface to the Internet. Also, installing the replacement tcp_wrappered version of portmap on your NFS servers from ftp.win.tue.nl is a good thing to do. This way you can limit what networks are able to send RPC requests to your server.

- --
____________________________________________________________________________
Doug Hughes                      Engineering Network Services
System/Net Admin                 Auburn University
doug@eng.auburn.edu
Apple T-shirt on Win95 - "Been there, done that"

------------------------------

From: Joe McGuckin
Date: Tue

From firewalls-owner Thu Oct 5 11:20:37 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA27808 for firewalls-outgoing; Thu, 5 Oct 1995 09:24:30 -0700
Received: from cap.au.af.mil ([132.60.58.245]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id JAA27796 for ; Thu, 5 Oct 1995 09:24:25 -0700
Received: from Microsoft Mail (PU Serial #0) by cap.au.af.mil (PostalUnion/SMTP(tm) v2.1.7 for Windows NT(tm)) id AA-1995Oct05.071240.0.12661; Thu, 05 Oct 1995 11:23:08 -0500
From: joe@ns.via.net (Joe McGuckin)
To: cmilam@cap.au.af.mil, firewalls@GreatCircle.COM (firewalls)
Message-ID: <1995Oct05.071240.0.12661@cap.au.af.mil>
X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Organization: Civil Air Patrol National Headquarters
Date: Thu, 05 Oct 1995 11:23:08 -0500
Subject: Need Windows FTP client source
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Date: Tue, 3 Oct 1995 13:46:08 -0700
From: Joe McGuckin
Message-Id: <199510032046.NAA07589@ns.via.net>
To: firewalls@GreatCircle.COM
Subject: Need Windows FTP client source

I need a windows FTP client that can do SNK authentication. I want to use it with the FWTK ftp-gw proxy. The problem is that most of the gui based windows FTP clients don't have a command line or a logging window to view status messages, etc.

Any suggestions?

-joe

From firewalls-owner Thu Oct 5 12:02:37 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA03995 for firewalls-outgoing; Thu, 5 Oct 1995 11:39:43 -0700
Received: from ns2.emirates.net.ae ([194.170.1.7]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id LAA03988 for ; Thu, 5 Oct 1995 11:39:36 -0700
Received: from csa102.emirates.net.ae by ns2.emirates.net.ae (5.x/SMI-SVR495081401) id AA17881; Thu, 5 Oct 1995 22:38:05 +0400
Date: Thu, 5 Oct 1995 22:38:04 +0400
Message-Id: <9510051838.AA17881@ns2.emirates.net.ae>
X-Sender: forster@emirates.net.ae
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: forster@ns2.emirates.net.ae (Andrew & Terri Forster)
Subject: Copy of RFC1597
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Being new to the net ( only being in the UAE ) since August I'm interested in locating a copy of RFC1597. Any assistance as to where I can find it would be appreciated.
Thanks in Advance

AMF
==========================================================================
Andrew M Forster
Email: forster@emirates.net.ae
Phone: +9712 262556 or +9712 453613
Fax: +9712 465344
==========================================================================

From firewalls-owner Thu Oct 5 13:23:24 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA06934 for firewalls-outgoing; Thu, 5 Oct 1995 12:47:30 -0700
Received: from aruba.lerc.nasa.gov (aruba.lerc.nasa.gov [139.88.35.16]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA06927 for ; Thu, 5 Oct 1995 12:47:25 -0700
Received: from nyjets.lerc.nasa.gov by aruba.lerc.nasa.gov with ESMTP (950215.SGI.8.6.10/LeRC/DLW/TAF(1.24-main)) id PAA24487; Thu, 5 Oct 1995 15:45:52 -0400
Received: by nyjets.lerc.nasa.gov (950215.SGI.8.6.10/LeRC/DLW/TAF(1.22p-local)) id PAA15839; Thu, 5 Oct 1995 15:45:51 -0400
From: bnowlin@nyjets.lerc.nasa.gov (Ben Nowlin)
Message-Id: <199510051945.PAA15839@nyjets.lerc.nasa.gov>
Subject: Re: Copy of RFC1597
To: forster@ns2.emirates.net.ae (Andrew & Terri Forster)
Date: Thu, 5 Oct 95 15:45:50 EDT
Cc: firewalls@greatcircle.com
In-Reply-To: <9510051838.AA17881@ns2.emirates.net.ae>; from "Andrew & Terri Forster" at Oct 5, 95 10:38 pm
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Being new to the net ( only being in the UAE ) since August I'm interested in
> locating a copy of RFC1597. Any assistance as to where I can find it would be
> appreciated.
>
>
> Thanks in Advance
>
> AMF
> ==========================================================================
> Andrew M Forster
> Email: forster@emirates.net.ae
> Phone: +9712 262556 or +9712 453613
> Fax: +9712 465344
> ==========================================================================
>

Hello Andrew:

RFC1597 subject title is, "Address Allocation for Private Internets". There are undoubtedly many places to get it (i.e.
there used to be when I pulled it down!!). Ftp to the site ds.internic.net in the subdirectory rfc. Alternately you can go to the web site http://www.ds.internic.net and look where the RFCs are located. It's a searchable index.

Ben
--
______________________________________________________________________________
Ben Nowlin                    | If you don't get what you want in life, it's either
NASA Lewis Research Center    | a sign that you seriously didn't want it, or that
ben@lerc.nasa.gov             | you tried to BARGAIN over the PRICE.
______________________________________________________________________________

From firewalls-owner Thu Oct 5 14:01:08 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA10770 for firewalls-outgoing; Thu, 5 Oct 1995 13:50:21 -0700
Received: from netmail2.microsoft.com (netmail2.microsoft.com [131.107.1.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA10763 for ; Thu, 5 Oct 1995 13:50:18 -0700
Received: by netmail2.microsoft.com (5.65/25-eef) id AA18345; Thu, 5 Oct 95 14:52:18 -0700
Received: by netmail2 using fxenixd 1.0 Thu, 05 Oct 95 14:52:18 PDT
X-Received: from chopper by xmtp2 with recvsmtp ; Thu, 5 Oct 1995 20:25:08 GMT
Received: by CHOPPER with Microsoft Exchange id <01BA9325.D1CA5080@CHOPPER>; Thu, 5 Oct 1995 13:23:54 -0700
Message-Id:
From: "Greg King (Exchange)"
To: "firewalls@greatcircle.com" , "mark.horn1@jsc.nasa.gov"
Subject: RE: Technical details of NT Domains..
Date: Thu, 5 Oct 1995 13:23:48 -0700
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Msxmtid: xmtp2951005202508RECVSMTP[01.51.01]000000b0-16207
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

To log onto an NT domain you have an RPC call to the domain server. The RPC to logon is TCP. The datagrams to discover the DC to log onto are UDP.

If you need more info please let me know

Greg King
Microsoft
BackOffice Capacity Planning

----------
From: mark.horn1@jsc.nasa.gov[SMTP:mark.horn1@jsc.nasa.gov]
Sent: Wednesday, October 04, 1995 12:00 PM
To: firewalls@greatcircle.com
Subject: Technical details of NT Domains..

Hello,

We have some users who need to login to a windows NT domain that has been set up here.

We currently have an IP firewall installed. This firewall is installed on our LAN and protects us from the Internet. Since there isn't a site wide firewall, it also protects us from the rest of JSC. It's a screened host gateway (nomenclature taken from Marcus J. Ranum's "Thinking About Firewalls"). Currently, only IP is filtered at our firewall. All non-IP protocols are passed through. All non-IP protocols are filtered at the site's connection to the Internet.

Now, it turns out that my users can't login to an NT domain. I wouldn't have expected this because I assumed that NT would have used NetBEUI or some such other non-IP protocol to communicate. After some experimentation, I've discovered that I need to set up the following for this to work:

a) Each Win95 machine needs to have a WINS server configured
b) UDP needs to be wide open to that Win95 machine.

It looks like WINS is a UDP based protocol, and it manages the name resolution for the NT domain. Then, using some unknown protocol, our machines talk to the NT domain server for authentication. From there, they talk to the individual disk servers in the NT domain over NetBEUI. (All of this is not much more than a Wild Ass Guess (tm))

So, the question is can anyone tell me the specifics of how one logs into an NT domain? In particular, what are the details of the data exchange? What I'm looking for is something along the lines of how Brent Chapman describes protocols in his tutorials (e.g. NTP servers send to & from UDP port 123, NTP clients send to UDP 123, and from random UDP port >1023). Does anyone know how logging into an NT domain utilizes UDP? If WINS is the only thing using UDP, has anyone set up udprelay to act as a proxy for it?

Thanks in advance.
--
Mark Horn (sparkie)
horn@mickey.jsc.nasa.gov
http://tommy.jsc.nasa.gov/~horn
mark.horn1@jsc.nasa.gov
Free Advice and Opinions -- Refunds Available

From firewalls-owner Thu Oct 5 16:02:14 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA13902 for firewalls-outgoing; Thu, 5 Oct 1995 15:44:45 -0700
Received: from uu10.psi.com (uu10.psi.com [38.8.4.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA11336 for ; Thu, 5 Oct 1995 14:06:18 -0700
Received: from po.gis.prc.com by uu10.psi.com (5.65b/4.0.061193-PSI/PSINet) via SMTP; id AA00280 for Firewalls@GreatCircle.COM; Thu, 5 Oct 95 17:04:05 -0400
Message-Id:
Date: 5 Oct 1995 14:47:09 U
From: "Dominy Leigh"
Subject: RE: WWW & Proxy Servers
To: Firewalls@GreatCircle.COM
X-Mailer: Mail*Link SMTP-MS 3.0.2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

May want to research Raptor's Eagle Firewall, they're at www.raptor.com. This family of products allows restrictions by username.

_______________________________________________________________________________
From: stuart@loddon.demon.co.uk
Date: Wed, 4 Oct 95 13:29:38 PDT
Subject: WWW & Proxy Servers

Apologies if the following questions have been asked before - if they have, I can't find them!

i) Is/Are there any proxy servers for WWW to restrict access to the WWW on a username basis AND to further restrict use of 'sub-protocols' supported by WWW such as ftp, gopher ... again on a username basis?

ii) If yes to i), can you provide pointers please?

iii) If no to i), is the requirement technically feasible - if so, any clues?

iv) If the above has been done, has it been integrated with strong authentication tokens e.g. SecureID, Digital Pathways or even S/Key?
TIA

- -------------------------------------
Name: Stuart Broderick
E-mail: stuart@loddon.demon.co.uk
Date: 10/04/95:13:29:38
This site is not affiliated with any other in demon.co.uk.
- -------------------------------------

From firewalls-owner Thu Oct 5 16:02:35 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA13953 for firewalls-outgoing; Thu, 5 Oct 1995 15:46:24 -0700
Received: from remarque.berkeley.edu (remarque.Berkeley.EDU [128.32.152.164]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA13946 for ; Thu, 5 Oct 1995 15:46:21 -0700
From: tox@remarque.berkeley.edu
Received: by remarque.berkeley.edu (8.6.10/1.31) id PAA05205; Thu, 5 Oct 1995 15:44:53 -0700
Date: Thu, 5 Oct 95 15:44:52 PDT
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V4 #576
In-Reply-To: Your message of Thu, 5 Oct 1995 09:45:37 -0700
Message-ID:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Regarding the ISDN dialin to a Novell network as being a possible end-run around the firewall:

Point out to your Netware person that various flavors of Netware have not been infallible in rejecting bad root logon attempts. Depending upon the version running there, and which patches you have applied, root logon attempts w/ a bad password will most likely occasionally (especially if stressed) be authenticated by mistake. If you are going to place that level of faith in the scheme, talk to Novell or one of the better Platinum resellers to make sure your faith is founded.

If the ISDN solution you are looking at is more along the lines of an ether bridge than a shell, it's possible that you would also be left open to a denial of service attack by known schemes where crafted service advertisement packets can cause the server to suffer from a resource depletion severe enough to render it unusable for hours after such an attack has ended.

I don't speak for Novell or my present employer. These are just some of my observations from having worked with Netware in the past. These problems may have been addressed more thoroughly in the last year than I'm aware of. Still, this is my $.02.

Good luck,
Tox Gunn

***********************************************
* Tox Gunn .......tox@remarque.berkeley.edu   *
* "Your sanity is not my responsibility!"     *
***********************************************

From firewalls-owner Thu Oct 5 16:30:12 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA14309 for firewalls-outgoing; Thu, 5 Oct 1995 16:06:31 -0700
Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA14299 for ; Thu, 5 Oct 1995 16:06:24 -0700
Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id IAA05596; Fri, 6 Oct 1995 08:57:29 +1000
Received: from citecub.citec.qld.gov.au(131.242.4.98) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma005593; Fri Oct 6 08:57:10 1995
Received: by citecub.citec.qld.gov.au (5.0/SMI-SVR4) id AA10714; Fri, 6 Oct 1995 09:03:09 +1000
From: sgcccdc@citec.qld.gov.au (Colin Campbell)
Message-Id: <9510052303.AA10714@citecub.citec.qld.gov.au>
Subject: Re: cisco router extended access-list question
To: ilias.liakopoulos@telecom.at (Ilias Liakopoulos)
Date: Fri, 6 Oct 95 9:03:08 EST
Cc: firewalls@greatcircle.com
In-Reply-To: <199510050905.KAA23641@pina2.telecom.at>; from "Ilias Liakopoulos" at Oct 5, 95 10:05 am
X-Mailer: ELM [version 2.3 PL11]
content-length: 3794
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

First I am assuming you have a cisco with two interfaces. If you don't I think you should get one. If you are not using both, you should be. I think you are getting more than you want from your filters because you are only filtering on one interface. You really should be using two.
For the purposes of the following discussion, I will assume that there are two interfaces; inside and outside. It doesn't really matter whether outside is an ethernet or serial. Further, both interfaces should use INCOMING filters. Thus what you really want for mail only access is:

interface `outside'
 ip address 'outside address' 'some mask'
 ip access-group 101 in

interface `inside'
 ip address 'inside address' 'some mask'
 ip access-group 102 in

(1) access-list 101 permit tcp any gt 1023 'mailhost' 0.0.0.0 eq 25
(2) access-list 101 permit tcp any eq 25 'mailhost' 0.0.0.0 gt 1023 established
(3) access-list 102 permit tcp 'mailhost' 0.0.0.0 gt 1023 any eq 25
(4) access-list 102 permit tcp 'mailhost' 0.0.0.0 eq 25 any gt 1023

They operate as follows:

(1) allows any host to connect to your 'mailhost' on port 25.
(2) allows the return packets from any host to which your mailhost is connected, when your mailhost initiated the connection
(3) allows your mailhost to connect to any external machine on port 25
(4) allows return packets from the mailhost to any host which has connected

Thus (1) and (4) are complementary - to allow a connection to your mailhost (1) the return packets must get out (4). And, (2) and (3) are complementary - to allow your mailhost to send mail (3) the return packets must be able to get in (2).

I think that is right :-). Anyone care to comment?

Whenever I try and work out things like this, I always draw a picture, eg: The arrows indicate the direction of the 'connection'. Remember that tcp is two-way traffic.

            I want to send and receive mail
                  /                 \
       remote mailhost         remote mailhost
            tcp=25                tcp>1023
              ^                       |
              |                       |
              |(2)                    V(1)
     ----------------------------------
                     router
     ----------------------------------
              ^(3)                    |(4)
              |                       |
              |                       V
           tcp>1023                 tcp=25
       local mailhost          local mailhost

Remembering that tcp requires two-way traffic and that the return packets always have the ACK bit set (established) it becomes very easy to do the filters.
Sometimes it requires some work to determine all the connections (eg ftp) but a picture will never steer you wrong.

Colin

>
> Hello,
>
> I have set up an access-list like the example in UnileverCD
> for allowing only SMTP connections (the IP addrs are invented):
>
> access-list 102 permit tcp 1.2.3.4 0.0.0.0 2.2.3.4 0.0.0.0 established
> access-list 102 permit tcp 1.2.3.4 0.0.0.0 2.2.3.4 0.0.0.0 eq 25
>
> SMTP works but with this config I tried telnet and it also works .
> this is not acceptable and if I remove the established line ->
> nothing works.
> the interface config:
>
> interface Ethernet0
> ip address 2.2.3.2 'some adr mask'
> ip access-group 102 out
>
> have I done something wrong in the config or is this a bug
> in our version? :
> [chomp]

From firewalls-owner Thu Oct 5 17:00:33 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA15117 for firewalls-outgoing; Thu, 5 Oct 1995 16:38:50 -0700
Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA15110 for ; Thu, 5 Oct 1995 16:38:39 -0700
Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.6.10/8.6.10) id JAA07122; Fri, 6 Oct 1995 09:32:08 +1000
Received: from citecuf.citec.qld.gov.au(147.132.176.10) by citecuh.citec.qld.gov.au via smap (V1.3) id /mail/incoming/sma007118; Fri Oct 6 09:31:43 1995
Received: from jaykay.citec.qld.gov.au (jaykay.citec.qld.gov.au [131.242.4.117]) by citecuf.citec.qld.gov.au (8.6.10/8.6.10) with SMTP id JAA29494; Fri, 6 Oct 1995 09:35:50 +1000
Message-Id: <199510052335.JAA29494@citecuf.citec.qld.gov.au>
From: "John Kidston"
To: joe@ns.via.net (Joe McGuckin)
Date: Fri, 6 Oct 1995 09:36:13 +1000
Subject: Re: Need Windows FTP client source
Reply-to: j.kidston@citec.qld.gov.au
CC: firewalls@GreatCircle.com
Priority: normal
X-mailer: Pegasus Mail/Windows (v1.22)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: joe@ns.via.net (Joe McGuckin)
>
> I need a windows FTP client that can do SNK authentication.
> I want to use it with the FWTK ftp-gw proxy.
>
> The problem is that most of the gui based windows FTP
> clients don't have a command line or a logging window to view
> status messages, etc.
>
> Any suggestions?
>

Try WS_FTP from Ipswitch (http://www.ipswitch.com). It is firewall aware and works well with FWTK ftp-gw proxy. It has a full logging window and can be run with command line parameters.

John Kidston                    j.kidston@citec.qld.gov.au
CITEC                           voice: +61 7 2222356  fax: +61 7 2277890
317 Edward Street, Brisbane 4000, Australia
"My opinions and CITEC's are not always the same."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Thu Oct 5 18:00:12 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id RAA16766 for firewalls-outgoing; Thu, 5 Oct 1995 17:47:23 -0700
Received: from furnace.cybergraphic.com.au ([203.5.40.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id RAA16759 for ; Thu, 5 Oct 1995 17:47:18 -0700
Received: from mailgate.cybergraphic.com.au (mailgate.cybergraphic.com.au [203.5.40.130]) by furnace.cybergraphic.com.au (8.6.12/8.6.12) with SMTP id KAA01718; Fri, 6 Oct 1995 10:43:14 +1000
Received: from cc:Mail by mailgate.cybergraphic.com.au id AA813001359; Fri, 06 Oct 95 10:38:49 eet
Date: Fri, 06 Oct 95 10:38:49 eet
From: "greg hume"
Message-Id: <9509068130.AA813001359@mailgate.cybergraphic.com.au>
To: parks@xdiv.lanl.gov, firewalls@greatcircle.com
Subject: Re: requests for Security policys
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi Parks,

On Thu, 5 Oct 1995, Parks Fields wrote:

>Hello world,
>I know the basic of security is a good security policy. I have
>created a security policy but I am not 100% happy with it. Could some
>of you
>send me a copy of yours so I can figure out what mine is missing?
>Thank you.
The official response by most may be as follows

1) don't send out our security policy to anyone
2) deleted because of 1) ;-)

On a more serious note, various books on firewalls have good sections on going about designing a security policy. Cheswick and Bellovin, Firewalls and Internet Security (Addison-Wesley Publishing), has been an invaluable reference source for us.

Our policy was designed and then agreed upon before the technology was looked at, i.e., taking a leaf from my Business Systems Analysis hat. We designed it based on what the business wanted to achieve. This allowed us to apply current and future technology to a well defined business need. We then applied the technology (Fire wall, routers, client applications, access rules etc..). Then we designed the business processes required to maintain the security level. After all, the firewall and those that have the responsibility to maintain it are now (at least from our company's perspective) performing a business critical function.

The biggest problem that needs to be overcome is getting management to sign on the dotted line. Without the policy being adopted high enough up in the organisational structure, the ability to maintain the required security level (from a business perspective) is sure to be watered down. Do as much Analysis as you can within the time they (management) will allow.

I wish I had the information contained in Alan Dowd's responses to this query when I got my fingers burnt (-:

Good luck
Greg.

Senior Systems/Network Analyst
Cybergraphic Systems PTY LTD
862 Glenferrie Rd.
Hawthorn Melbourne, Australia 3122

From firewalls-owner Thu Oct 5 18:30:08 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id SAA16974 for firewalls-outgoing; Thu, 5 Oct 1995 18:00:14 -0700
Received: from uu6.psi.com (uu6.psi.com [38.145.155.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id SAA16960 for ; Thu, 5 Oct 1995 18:00:05 -0700
Received: from mony.com by uu6.psi.com (5.65b/4.0.071791-PSI/PSINet) via UUCP; id AA23757 for ; Thu, 5 Oct 95 20:35:11 -0400
Received: by mony.com (Smail3.1.28.1 #3) id ;Thu, 5 Oct 1995 18:33 EDT
Received: by monygmc.mony.com (1.37.109.14/15.6) id AA213942361; Thu, 5 Oct 1995 18:32:41 -0400
From: David Kozinn
Message-Id: <199510052232.AA213942361@monygmc.mony.com>
Subject: Packet filtering OK for mail-only connection?
To: firewalls@GreatCircle.com
Date: Thu, 5 Oct 1995 18:32:41 -0400 (EDT)
Reply-To: david@monygmc.mony.com
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1881
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm going to be assisting with the implementation of a "mail-only" connection to the Internet shortly. By "mail-only" I mean that while there will be a router connected to an ISP via a leased line, the only traffic that we want to permit will be SMTP traffic to a specific machine designated as our "mail gateway" server. The only other traffic allowed will be to support DNS so that the gateway machine (only) can find the proper host to connect to for outbound traffic.

I've just finished reading the FAQ and Brent Chapman's paper on Packet Filtering, and I'm starting to better understand the issues involved. What we would like to do, initially, is to set up a router (which will probably be a Cisco 2501) to do packet filtering as Brent's described in his paper, to allow for this mail-only connection to a machine on our internal network.
Eventually, we will add in a dedicated firewall machine between the inbound router and the internal network, but we'd like to put that step off for a while if we can be reasonably safe without doing that.

What I'd like to know is this: Is the Cisco 2501 capable of filtering based on source port (not just source address) so that I can block incoming packets that aren't (apparently) coming from the remote SMTP server? Does the router provide for blocking start-of-connection packets so that a remote system can't use port 25 to launch an attack as described in Brent's paper?

If this router won't do the trick, would a simple (hah!) firewall/mail gateway "between" the Internet, behind a filtering router, and the internal network, which could "see" the internal network, do the trick?

What else should I be concerned with?

TIA.........David
--
David Kozinn                          dkozinn@csc.com / david@mony.com
Computer Sciences Corporation         Under contract to Mutual of New York
Technology Management Group           +1-201-907-6990

From firewalls-owner Thu Oct 5 20:30:14 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id UAA18729 for firewalls-outgoing; Thu, 5 Oct 1995 20:01:58 -0700
Received: from DOCKMASTER.NCSC.MIL (DOCKMASTER.NCSC.MIL [26.1.0.172]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id UAA18722 for ; Thu, 5 Oct 1995 20:01:51 -0700
Date: Thu, 5 Oct 95 22:52 EDT
From: Jack Holleran
Subject: 18th National Information Systems Security Conference
To: firewalls@GREATCIRCLE.COM
Message-ID: <951006025217.884121@DOCKMASTER.NCSC.MIL>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Event: 18th National Information Systems Security Conference
Theme: Making Security Real
Dates: October 10-13, 1995
Place: Baltimore Convention Center, Baltimore Maryland
Cost: $280
Sponsors: National Institute of Standards and Technology
          National Computer Security Center
Registration: On-site

This is a reminder that the Government is not closed and the annual National Information Systems Security Conference is going to happen. We expect over 2200 attendees this year. Below is a list of the sessions and topics being discussed in a formal 6-7 concurrent track program. Below that list is a partial list of speakers at this conference. We and they invite you to attend. If you are serious about Information Security, this conference is indeed the place to learn from peers and experts.

Sessions include:

Research for the Future, High Speed ATM Networks, Secure DBMS Panel, Security Policy I & II, Security in Infinite Networks, Application Challenges, New Baselines, Cryptographic Application Program Interfaces, Intrusion Detection, and The Future of Formal Methods for Security.

NCSC and NIST Products and Services, Building a MLS System: A Real Life Adventure, Trusted Products I & II, Information Systems Security Research Joint Technology Office, Developing an Incident Handling Capability, An Assurance Framework or Can Process replace Evaluation, Network Rating Model, Case Studies I & II, and Contingency in Action.

The TMACH Experiment, Common Criteria Editorial Board, The New OMB A-130, Appendix III, Internet Security Evaluation & Assurance, Trusted Products - How they are Used, Trusted Technology Assessment Program, The Development of Generally Accepted System Security Principles, Key Escrow, Evaluation Criteria I & II, and Security Issues for Electronic Commerce.

Continuous Process Improvement, INFOSEC Security Market, Encipherment, Metrics, Architectures, Will Encryption keep Out the Hackers, Security Plans, Requirements vs. Solutions, two (2) NII Security Initiative sessions, and INFOSEC, Prepare to Meet the New Millennium.
Computer Crime on the Internet, Legal Issues, Computer Forensics and Law Enforcement, Advanced Educational Opportunities, Current Threats and Practical Solutions, The INTERNET: Problems and Solutions; Weaknesses and Vulnerabilities; Tools and Defenses; Implementing Solutions; Maintenance of Security; and, Information Warfare: Its Impact Upon Information Security.

Introduction to Computer Security, Trusted Systems Concepts, Introduction to the Insecurity of the Internet, Trusted Networks, Security Engineering Principles, System Engineering CMM, two (2) unique Database Security Tutorials, A How to on Awareness and Training, How to Teach Information Security, and From Training Standards to Courseware.

MISSI (2 sessions and a workshop), A Tutorial: The Internet, World-Wide Web, and Beyond, and Building Countermeasure Tools.

Some of the Speakers:

Marjory Blumenthal, Dennis Branstad, Jon David, Marc Andreessen, Scott Charney, Dorothy Denning, Lance Hoffman, Marc Rotenberg, Marc Pollitt, Ken Rowe, Gene Troy, Kevin Zeiss, Ed Springer, Mike Nelson, Marshall Abrams, Steve Walker, Gene Schultz, Steve Bellovin, Bill Cheswick, Harold Highland, Joel Sachs, Bill Cook, Marv Schaefer, Matt Bishop, Paul Ferguson, Padgett Peterson, Wayne Madsen, Dave Banisar, Peter Neumann, Corey Schou, Jim Bidzos, and Gene Spafford.

This is a list of less than 10% of the speakers at this year's conference.
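Returning to the cisco access-list thread earlier in this digest (Colin Campbell's two-interface design and the single "out" filter quoted from Ilias's question): the following simulator is an added example, not part of any post here and not IOS code. It models how an extended access list matches a TCP segment, then runs the same constructed traffic through both configurations, so the telnet leak Ilias reported and the fix Colin describes can be checked side by side. The addresses are the invented 1.2.3.4 / 2.2.3.4 from the question; the Packet class, the three-segment connection sketch and the "which interface did it arrive on" rule are assumptions of the example.

```python
"""Packet-filter simulator for the cisco access-list thread (constructed example)."""
from dataclasses import dataclass
from typing import Callable, List, Optional

REMOTE = "1.2.3.4"     # some SMTP peer out on the Internet (invented address)
MAILHOST = "2.2.3.4"   # the internal mail gateway behind the router


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool          # True for every segment after the initial SYN


@dataclass(frozen=True)
class Rule:
    """The matching part of one 'access-list N permit tcp ...' line."""
    src: str                      # host address or "any"
    sport: Optional[str]          # "eq N", "gt N", or None for no port test
    dst: str
    dport: Optional[str]
    established: bool = False     # IOS 'established': only ACK-bearing segments

    @staticmethod
    def _port_ok(spec: Optional[str], port: int) -> bool:
        if spec is None:
            return True
        op, val = spec.split()
        return port == int(val) if op == "eq" else port > int(val)

    def matches(self, p: Packet) -> bool:
        return (self.src in ("any", p.src)
                and self._port_ok(self.sport, p.sport)
                and self.dst in ("any", p.dst)
                and self._port_ok(self.dport, p.dport)
                and (p.ack or not self.established))


def permitted(acl: List[Rule], p: Packet) -> bool:
    """First match wins; an IOS access list ends with an implicit deny."""
    return any(r.matches(p) for r in acl)


# Colin's design: an INCOMING list on each interface, rules (1)-(4).
ACL_101 = [  # outside interface, 'ip access-group 101 in'
    Rule("any", "gt 1023", MAILHOST, "eq 25"),                    # (1)
    Rule("any", "eq 25", MAILHOST, "gt 1023", established=True),  # (2)
]
ACL_102 = [  # inside interface, 'ip access-group 102 in'
    Rule(MAILHOST, "gt 1023", "any", "eq 25"),                    # (3)
    Rule(MAILHOST, "eq 25", "any", "gt 1023"),                    # (4)
]


def two_interface_router(p: Packet) -> bool:
    # Assumption: anything the mailhost sends arrives on the inside
    # interface, everything else on the outside one.
    return permitted(ACL_102 if p.src == MAILHOST else ACL_101, p)


# The original question: one list applied 'out' on the mailhost's Ethernet.
ACL_ORIGINAL = [
    Rule(REMOTE, None, MAILHOST, None, established=True),
    Rule(REMOTE, None, MAILHOST, "eq 25"),
]


def single_interface_router(p: Packet) -> bool:
    # An 'out' filter on Ethernet0 only sees packets leaving toward the
    # mailhost's segment; whatever the mailhost itself sends is never examined.
    if p.dst != MAILHOST:
        return True
    return permitted(ACL_ORIGINAL, p)


def tcp_exchange(client: str, cport: int, server: str, sport: int) -> List[Packet]:
    """Constructed three-segment sketch of a connection: SYN, SYN/ACK, ACKed data."""
    return [Packet(client, cport, server, sport, ack=False),
            Packet(server, sport, client, cport, ack=True),
            Packet(client, cport, server, sport, ack=True)]


def connection_works(router: Callable[[Packet], bool], pkts: List[Packet]) -> bool:
    """A connection only works if every segment in both directions gets through."""
    return all(router(p) for p in pkts)


INBOUND_MAIL = tcp_exchange(REMOTE, 4000, MAILHOST, 25)
OUTBOUND_MAIL = tcp_exchange(MAILHOST, 5000, REMOTE, 25)
TELNET_OUT = tcp_exchange(MAILHOST, 5001, REMOTE, 23)   # the leak in the question
TELNET_IN = tcp_exchange(REMOTE, 4001, MAILHOST, 23)
# A connection attempt wearing source port 25 toward a high port: rule (2)
# must refuse it because 'established' needs the ACK bit, which a SYN lacks.
FORGED_SYN = Packet(REMOTE, 25, MAILHOST, 5000, ack=False)

if __name__ == "__main__":
    cases = [("inbound mail", INBOUND_MAIL), ("outbound mail", OUTBOUND_MAIL),
             ("telnet out", TELNET_OUT), ("telnet in", TELNET_IN)]
    for name, pkts in cases:
        print(f"{name:14s} single-interface: {connection_works(single_interface_router, pkts)!s:5s}"
              f"  two-interface: {connection_works(two_interface_router, pkts)}")
    print("forged SYN through two-interface filters:", two_interface_router(FORGED_SYN))
```

The single-interface run shows why telnet "also works": only the return half of a connection is ever filtered, and the `established` line waves every ACK-bearing segment through regardless of port.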
From firewalls-owner Thu Oct 5 22:00:16 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id VAA19820 for firewalls-outgoing; Thu, 5 Oct 1995 21:31:06 -0700
Received: from aurora.cdev.com (aurorax.cdev.com [160.207.114.200]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id VAA19813 for ; Thu, 5 Oct 1995 21:31:02 -0700
Message-Id: <199510060431.VAA19813@miles.greatcircle.com>
Received: from cdicisco5.cdev.com by aurora.cdev.com id SMTP-0013074b0f4008400; Thu, 5 Oct 95 23:30:46 -0500
X-Sender: djs3wn39@aurora.cdev.com
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 05 Oct 1995 20:13:13 -0700
To: meyerd@post.med.uni-marburg.de
From: Donald.J.Smith@.cdev.com (Donald J Smith)
Subject: http-gw & tis
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>From: "D.A. Meyer"
>Date: Thu, 5 Oct 1995 10:12:43 +0000
>Subject: http-gw on dual-homed gateways
>
>Hi,
>my question of the day is: has anybody tried to run TIS http-gw on a
>dual-homed gateway?

yes

>The proxy has to rewrite the URL, and it seems to do it using the
>outside interface name/address (gethostname + gethostbyname). When I
>change the hostname so that it is connected to the IP address of the
>internal interface, my mail-proxy won't work.
>Has anybody built a patch, which rewrites the address depending on the
>interface on which the client-request came in? Any other idea?
>

I went into the code and hardcoded the name of my inside interface. This will probably only work in one direction, but that's all I need; I'm only proxying out. NO ins. (This took about 5 minutes to fix but a day to figure out what was happening ;-)

>Thanx
>Dirk
>-----------------------------------------------------------------
>Dirk A. Meyer meyerd@mailer.uni-marburg.de

Donald J Smith
Network Security Engineer @Computing Devices International
"@begin design in the security and ease_of_use != A*(1/Data_Security)"
(my opinions are mine and so are the spelling errors ;-)

From firewalls-owner Thu Oct 5 23:30:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA21726 for firewalls-outgoing; Thu, 5 Oct 1995 23:01:37 -0700
Received: from DOCKMASTER.NCSC.MIL (DOCKMASTER.NCSC.MIL [26.1.0.172]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id XAA21719 for ; Thu, 5 Oct 1995 23:01:31 -0700
Date: Fri, 6 Oct 95 01:58 EDT
From: Jon David
Subject: Clarification/expansion
To: Firewalls@GREATCIRCLE.COM
Message-ID: <951006055811.235375@DOCKMASTER.NCSC.MIL>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jack Holleran's posting regarding the 18th National Information Systems Security Conference was a tad on the disorganized side. Of particular interest to readers of this group, well hidden in the list of topics is the fact that a full day (4 consecutive sessions) will be devoted to various aspects of Internet security.

The first session will deal with weaknesses and vulnerabilities of the Internet, and will be given by Padgett Peterson. Bill Cheswick and Steve Bellovin will handle the 2nd session dealing with tools. The afternoon will start with Paul Ferguson dealing with setting up proper security, and the final session will have Marcus Ranum and Sarah Gordon discussing the ways to keep your system secure. (Marcus and Sarah didn't make the sample list of speakers in Jack's posting.)

Even though each session will have only 1 or 2 speakers, the entire panel will be available for Q&A, and a private room is available for between session discussions of a more personal nature. And, while each session is presented as a stand-alone event, the full sequence is recommended to cover the necessary aspects of Internet security.
For those that may be in the novice class, Dr. Harold Highland will be giving an introductory level tutorial the day before.

(Since this is Brent's group, be assured he was asked to participate in these sessions. His schedule wouldn't permit him to do so, but he was good enough to send some advertising literature on his seminars which will be given out at the sessions. :-)

Jon

PS: Do N-O-T contact me for any additional information, contact the man (Holleran@dockmaster.ncsc.mil) who made the original posting.

   _ _ _
  | | | | | |    "You don't have to agree with me just because I'm right."
  ^^^^^^^^^^^
  |  + +  |     Jon David        PC Security          145 Howard Avenue
  |  + +  |     President        LAN Security         Tappan, NY 10983
  |   _   |     The FORTRESS     Internet Security    U S A
  |  | |  |
  ----\ \---    (914)365-4700    fortress@dockmaster.ncsc.mil

From firewalls-owner Fri Oct 6 02:30:09 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA25005 for firewalls-outgoing; Fri, 6 Oct 1995 02:05:55 -0700
Received: from greatdane.cisco.com (greatdane.cisco.com [171.69.1.141]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id CAA24998 for ; Fri, 6 Oct 1995 02:05:46 -0700
Received: (tli@localhost) by greatdane.cisco.com (8.6.8+c/8.6.5) id CAA00830; Fri, 6 Oct 1995 02:04:12 -0700
Date: Fri, 6 Oct 1995 02:04:12 -0700
From: Tony Li
Message-Id: <199510060904.CAA00830@greatdane.cisco.com>
To: david@monygmc.mony.com (David Kozinn)
Cc: firewalls@GreatCircle.COM
Subject: Packet filtering OK for mail-only connection?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> What I'd like to know is this: Is the Cisco 2501 capable of filtering
> based on source port (not just source address) so that I can block
> incoming packets that aren't (apparently) coming from the remote SMTP
> server?

Yes. However, we strongly suggest that you not delude yourself into thinking that a cracker cannot attack using the SMTP well known port as the source port.
It would take someone maybe 30 seconds extra to do this. Filtering on destination port is the only sane approach.

> Does the router provide for blocking start-of-connection packets so
> that a remote system can't use port 25 to launch an attack as described
> in Brent's paper?

Yes, if you only want to allow outbound connections you can certainly do that. Look at the "established" keyword.

Tony

From firewalls-owner Fri Oct 6 02:30:16 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id CAA24946 for firewalls-outgoing; Fri, 6 Oct 1995 02:01:03 -0700
Received: from server2.dh.ixe.net (server2.dh.ixe.net [205.244.44.71]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id CAA24918 for ; Fri, 6 Oct 1995 02:00:53 -0700
Received: from nemesis.UUCP (Unemesis@localhost) by server2.dh.ixe.net (8.6.11/8.6.11) with UUCP id JAA24042; Fri, 6 Oct 1995 09:59:10 +0100
Received: from orbit.usn.nl by nemesis.usn.nl with smtp (Smail3.1.28.1 #15) id m0t17de-0005C3C; Fri, 6 Oct 95 09:56 MESZ
Message-Id:
Date: Fri, 06 Oct 1995 10:59:47 -0500
From: "N.W. van der Lugt"
Reply-To: "N.W. van der Lugt"
Subject: Re: FTP FW solution
To: Paul A Vixie , firewalls@GreatCircle.COM
In-Reply-To: <9510042047.AA27158@wisdom.home.vix.com>
X-Mailer: EMBLA 1.1 Demo
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

firewalls-owner@GreatCircle.COM:

> > environment; YMMV) includes code to parse FTP packets and alter the
> > PORT lines, and similar support for talk is pending.
>
> I guess I thought this would have gone without saying, but I don't agree
> with the idea of modifying PORT verbs in stream -- this is a very slippery
> slope indeed. IBM's NAT does FTP proxying via DNS tricks and temporary
> address assignments, and accomplishes its goals without any layering
> violations -- in particular the user data is never interpreted.
> This goes to show that it can be done without searching for PORT verbs
> in user data.

So 'NAT does FTP proxying' and this 'without searching for PORT verbs in user data'? Not right. The FTP proxy, of course, will look at user data. A proxy *IS* Layering Violation #1.

We now have the Linux solution (searching and modifying part of the data stream) vs the proxy solution (searching all of the data stream, re-implementing the entire FTP protocol, and sending out its own data). I prefer the packet filtering methods - generic solutions. With FTP, as we have seen, one should examine the data stream. Thus, the best solution (used by well-known fw) is to combine the two and create a virtual back-connection accept 'rule' when the FTP port command comes by.

Klaas (klaas@usn.nl - disclaimers apply)

From firewalls-owner Fri Oct 6 07:30:17 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id HAA29826 for firewalls-outgoing; Fri, 6 Oct 1995 07:04:14 -0700
Received: from pony-express.ims.advantis.com (pony-express.ims.advantis.com [165.87.194.144]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id HAA29819 for ; Fri, 6 Oct 1995 07:04:11 -0700
Received: (from uucp@localhost) by pony-express.ims.advantis.com (8.6.9/8.6.9) id JAA29263; Fri, 6 Oct 1995 09:58:16 -0400
Received: from pangloss.ims.advantis.com(164.120.180.21) by pony-express.ims.advantis.com via smap (V1.3) id sma075083; Fri Oct 6 09:58:14 1995
Received: by pangloss.ims.advantis.com (AIX 3.2/UCB 5.64/4.03) id AA62795; Fri, 6 Oct 1995 10:02:43 -0400
Date: Fri, 6 Oct 1995 10:02:43 -0400 (EDT)
From: "Henry W. Farkas"
To: Andrew & Terri Forster
Cc: firewalls@GreatCircle.COM
Subject: Re: Copy of RFC1597
In-Reply-To: <9510051838.AA17881@ns2.emirates.net.ae>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 5 Oct 1995, Andrew & Terri Forster wrote:

> Being new to the net ( only being in the UAE ) since August I'm interested in
> locating a copy of RFC1597. Any assistance as to where I can find it would be
> appreciated.

Try my security page, if you have web access:

http://newstand.ims.advantis.com/henry/security.html

You can search or download RFCs from there.

===========================================================================
Henry W. Farkas            | Me? Speak for IBM? Fat chance.
hfarkas@ims.advantis.com   |------------------------------------------------
hfarkas@vnet.ibm.com       | http://newstand.ims.advantis.com/henry
henry@nhcc.com             | http://www.nhcc.com/~henry
---------------------------------------------------------------------------
PGP 6.2.2 Key fingerprint: AA D0 F5 44 C1 8C 11 52 B3 80 34 1C CE 38 EC 53
Public key at: pgp-public-keys@pgp.mit.edu, and other popular key servers.
---------------------------------------------------------------------------
Why use cryptography? "Because it's still legal for Americans to hold
private conversations." - Phil Zimmermann - Let's keep it that way.
===========================================================================

From firewalls-owner Fri Oct 6 09:00:31 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA02904 for firewalls-outgoing; Fri, 6 Oct 1995 08:39:44 -0700
Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA02890 for ; Fri, 6 Oct 1995 08:39:39 -0700
Received: from uucp3.UU.NET by relay3.UU.NET with SMTP id QQzkhi21848; Fri, 6 Oct 1995 11:38:13 -0400
Received: from fmrco.UUCP by uucp3.UU.NET with UUCP/RMAIL ; Fri, 6 Oct 1995 11:38:13 -0400
Received: from ocean.fmrco.com by fmrco.com (4.1/SMI-4.1) id AA22227; Fri, 6 Oct 95 08:27:12 EDT
Received: from capstan by ocean.fmrco.com (4.1/SMI-4.1) id AA04821; Fri, 6 Oct 95 08:26:23 EDT
From: fmrco!ocean!ajl@uunet.uu.net (Andrew Luca)
Received: by capstan (4.1/Spike-2.1) id AA08000; Fri, 6 Oct 95 08:26:22 EDT
Date: Fri, 6 Oct 95 08:26:22 EDT
Message-Id: <9510061226.AA08000@capstan>
To: uunet!jsc.nasa.gov!mark.horn1@uunet.uu.net
Cc: uunet!GreatCircle.COM!firewalls@uunet.uu.net
In-Reply-To: (message from uunet!jsc.nasa.gov!mark.horn1 on 4 Oct 1995 16:02:26 U)
Subject: Re: Technical details of NT Dom
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From: uunet!jsc.nasa.gov!mark.horn1
Date: 4 Oct 1995 16:02:26 U
X-Mailer: Mail*Link SMTP/QM 3.0.0

Mail*Link(r) SMTP                     Technical details of NT Domains..

Hello,

We have some users who need to login to a windows NT domain that has been set up here. We currently have an IP firewall installed. This firewall is installed on our LAN and protects us from the Internet.
Since
firewalls-owner@GreatCircle.COM
Precedence: bulk

{Much text deleted to save digital trees}

In order to make this work, you need to be forwarding udp broadcast packets on udp ports 137 and 138. This is how the MSW domain system finds a domain controller to authenticate you and log on.

Andrew.

From firewalls-owner Fri Oct 6 09:01:04 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA03298 for firewalls-outgoing; Fri, 6 Oct 1995 08:55:01 -0700
Received: from firat.bcc.bilkent.edu.tr (firat.bcc.bilkent.edu.tr [139.179.10.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id IAA03285 for ; Fri, 6 Oct 1995 08:54:02 -0700
Received: by bilkent.edu.tr (5.65c/IDA-1.4) id AA11837; Fri, 6 Oct 1995 09:55:06 +0300
From: akgul@bilkent.edu.tr (Mustafa Akgul)
Message-Id: <199510060655.AA11837@firat.bcc.bilkent.edu.tr>
Subject: Re: Copy of RFC1597
To: bnowlin@nyjets.lerc.nasa.gov (Ben Nowlin)
Date: Fri, 6 Oct 1995 09:55:05 +0300 (EET)
Cc: forster@ns2.emirates.net.ae, firewalls@GreatCircle.COM
In-Reply-To: <199510051945.PAA15839@nyjets.lerc.nasa.gov> from "Ben Nowlin" at Oct 5, 95 03:45:50 pm
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 322
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

To get a copy of rfc1597.txt by email write to bilkent-server@bilkent.edu.tr
in the body

begin
send rfc1597.txt
dir INFO/rfc
send HELP
end

dir INFO/rfc will give you list of available rfc at Bilkent, and HELP is help-file of the mail server software.
Best regards
Mustafa Akgul
Bilkent University
Ankara

From firewalls-owner Fri Oct 6 09:30:39 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA03332 for firewalls-outgoing; Fri, 6 Oct 1995 08:58:06 -0700
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA03325 for ; Fri, 6 Oct 1995 08:58:01 -0700
Message-Id: <199510061558.IAA03325@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA066644970; Sat, 7 Oct 1995 01:56:10 +1000
From: Darren Reed
Subject: Re: Network Address Translation stuff
To: paul@vix.com (Paul A Vixie)
Date: Sat, 7 Oct 1995 01:56:10 +1000 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9510050656.AA27394@wisdom.home.vix.com> from "Paul A Vixie" at Oct 4, 95 11:56:32 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1172
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Paul A Vixie, sie said:
>
> > I still don't think that even IBM can do address translation
> > without modifying FTP PORT command: you either modify PORT command
> > packet-per-packet (as NAT:s seem to do) or you re-create necessary
> > commands (as FTP proxy's do it).
>
> The trick is to use an FTP proxy without the client having to know that
> it's talking to an FTP proxy. With a simple DNS trick and a complicated
> FTP proxy, you can make these ends meet.
>
> The thought of modifying PORT verbs in-stream makes my skin crawl.

You don't want to look at what the Linux port has done...(someone was raving about Linux, or they will given the chance). It's a surprise it even works (just RTFS for 1.3.31). And just to remind people, the 1.3.* kernels for Linux are development only - use of 1.2.* is recommended for production - this code isn't in 1.2.*.
Having looked at the code, it only convinces me that using ftp-gw is by far the better thing to do, especially considering the options available to control ftp-gw c.f. modifying PORT commands in the kernel. I hope the commercial products which do this look a lot better...

darren

From firewalls-owner Fri Oct 6 09:30:46 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA03339 for firewalls-outgoing; Fri, 6 Oct 1995 08:58:17 -0700
Received: from pina1.telecom.at (pina1.telecom.at [194.37.252.41]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA03311 for ; Fri, 6 Oct 1995 08:57:52 -0700
Received: from pina2.telecom.at (pina2.telecom.at [194.37.252.42]) by pina1.telecom.at (8.6.10/8.6.6) with ESMTP id QAA34343 for ; Fri, 6 Oct 1995 16:47:24 +0100
Received: (from ilias@localhost) by pina2.telecom.at (8.6.10/8.6.6) id QAA14400 for firewalls@GreatCircle.COM; Fri, 6 Oct 1995 16:53:46 +0100
From: Ilias Liakopoulos
Message-Id: <199510061553.QAA14400@pina2.telecom.at>
Subject: Re: cisco router extended access-list question ( -> solved )
To: firewalls@GreatCircle.COM
Date: Fri, 6 Oct 1995 16:53:46 +0100 (MEZ)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1564
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi !

my question was:

>
> I have set up an access-list like the example in UnileverCD
> for allowing only SMTP connections (the IP addrs are invented):
>
> access-list 102 permit tcp 1.2.3.4 0.0.0.0 2.2.3.4 0.0.0.0 established
> access-list 102 permit tcp 1.2.3.4 0.0.0.0 2.2.3.4 0.0.0.0 eq 25
>
> SMTP works but with this config I tried telnet and it also works .
> this is not acceptable and if I remove the established line ->
> nothing works.
> the interface config:
>
> interface Ethernet0
> ip address 2.2.3.2 'some adr mask'
> ip access-group 102 out
>

this is a grateful mailing list. it was the first problem I added a question and I got many and very useful answers.
The problem is solved like this:

interface Ethernet0
ip address 2.2.3.2 'some adr mask'
ip access-group 102 out
ip access-group 101 in

where access-list 101 is exactly like 102 but with swapped dest & source addrs. So now SMTP is allowed in and out, and nothing else. Many, many thanx to all answerers, especially to: Colin Campbell, Bill Bunting, Petter Häggman, Paul Crossley :-) iLiAS

----------------------------------------------------------------------
Ilias Liakopoulos      | Email: ilias@telecom.at
Spardat AG & Co KG     | Tel: 0043/1/74045-4762 Fax -5704
Geiselbergstr. 21-25   | WWW: http://pina2.telecom.at/~lia
1110-Vienna            | nic-hdl: IL7-RIPE
Austria | Europe       |
----------------------------------------------------------------------

From firewalls-owner Fri Oct 6 10:00:22 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA04451 for firewalls-outgoing; Fri, 6 Oct 1995 09:36:27 -0700 Received: from noc4.dccs.upenn.edu (NOC4.DCCS.UPENN.EDU [128.91.254.39]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA04442 for ; Fri, 6 Oct 1995 09:36:23 -0700 Received: from JAKE.DCCS.UPENN.EDU by noc4.dccs.upenn.edu id AA11941; Fri, 6 Oct 95 12:34:46 -0400 Date: Fri, 6 Oct 95 12:34:46 -0400 Message-Id: <9510061634.AA11941@noc4.dccs.upenn.edu> X-Sender: tex@pobox.upenn.edu Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: lasseh@microfront.se, Firewalls@greatcircle.com From: boone@isc.upenn.edu (Jon 'tex' Boone) Subject: Re: Address Translators X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 11:05 AM 10/5/95 +0200, lasseh@microfront.se wrote:
>A commercial NAT product is Private Internet Exchange from
>Network Translation Inc. Any positive things I say about it on
>this list would be biased, since we distribute it in Sweden, but
>I'll say this: It's a helluva product!
>
>NTI have a Web site at www.translation.com.
>
>Lars.
>
>PS
>Any thoughts regarding weaknesses or strengths in this kind of
>solution are welcome, since the NAT approach is fairly new and
>needs to be discussed.
>DS

Lars, et al.:

I'm glad that you brought this up. I have done an evaluation of this product and have some criticisms of how it works.

1) The version I looked at did not support MTU discovery [according to the guy who wrote the code.] This meant overall poor performance since everywhere that I was trying to go to through the PIX was "off-net" and required a 512-byte MTU. :-(

2) The box will map your address into a new range dynamically and does so well - however, you must already be numbered in a reserved range if you want to have "global" connectivity. For example, if you have already set up your network [net 20.0.0.0, say] and you want to use this box to dynamically map you into your provider's space, you need to renumber into the reserved net 10.0.0.0 space if you want to be able to reach the site that is going to be legitimately using net 20.0.0.0. This should come as no surprise to anyone [re-numbering would normally be required if you are set up for a network which someone else has already registered for and is routing on the Internet]. However, with a clever hack, you could have this PIX dynamically map the legitimate net 20.0.0.0 hosts into net 10.0.0.0 when talking to the "internal" side and map the non-legitimate net 20.0.0.0 into net 10.0.0.0 on the "external" side. The DNS would have to be hacked to do the same as well. I have spoken with the developers about this idea and they said they would think about it - although they didn't seem that excited by the idea. [The one guy I spoke to thought that you ought to renumber into net 10.0.0.0 and just be done with it - but that isn't always an option.] If this hack could be worked out, then I think that this kind of box would be very popular - especially as the need for CIDR-related renumbering grows.
On the positive side, this box is very easy to configure and requires little more than power and ethernet connections to be up and running. Total installation time [including reading the manual] was about 10 minutes.

___________________________________________________________________
Jon 'tex' Boone            email: tex@isc.upenn.edu
Operations Engineer        work: (215) 898 - 2477
ISC - DCCS                 fax:
University of Pennsylvania

From firewalls-owner Fri Oct 6 10:31:02 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA05318 for firewalls-outgoing; Fri, 6 Oct 1995 10:05:46 -0700 Received: from charon.ppco.com (ppco.com [138.32.15.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id KAA05311 for ; Fri, 6 Oct 1995 10:05:20 -0700 From: bcsolom@bvemx.ppco.com Received: from bvemx.ppco.com by charon.ppco.com with SMTP id AA06306 (InterLock SMTP Gateway 3.0 for ); Fri, 6 Oct 1995 11:52:43 -0500 X400-Originator: bcsolom@bvemx.ppco.com X400-Recipients: firewalls@GreatCircle.COM X400-Mts-Identifier: [/ADMD=ATTMAIL/C=US/;0011200001408301000004] X400-Content-Type: P2-1988 (22) Priority: Urgent Message-Id: <0011200001408301000004*@MHS> To: "firewalls(a)GreatCircle.COM" Subject: VRML through a Proxy Date: Fri, 6 Oct 1995 11:49:23 -0500 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Has anybody successfully used VRML ( Virtual Reality Markup Language ) through an Application based Proxy firewall? If so, what was the client VRML viewer, and what was the firewall product?
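A note on the cisco access-list exchange earlier in this digest (list 102 applied "out" on Ethernet0, fixed by adding list 101 "in"). The `established` keyword is a stateless test: an IOS extended list matches a TCP packet as established when its ACK or RST bit is set, which is why reply traffic of any session opened from the 2.2.3.4 side passes list 102. The following Python model is an added example written for this archive; it is neither the poster's router configuration nor Cisco code. It assumes that 2.2.3.4 is the host on the Ethernet0 segment, that 1.2.3.4 is reached through a second interface carrying no list, and that the router forwards whatever no list rejects. It shows the telnet session that leaked (opened from 2.2.3.4, its SYN unfiltered on the way in and its SYN/ACK matched by `established` on the way out), the same session blocked once list 101 is applied, and the remaining caveat of stateless filtering: a bare ACK segment sent to port 23 from the 1.2.3.4 side is still forwarded by list 102.

```python
"""Model of stateless Cisco extended access-list evaluation.

Added example for the access-list thread above; it is not the poster's
configuration nor Cisco code.  Assumptions: 2.2.3.4 lives on Ethernet0,
1.2.3.4 is reached through a second interface that carries no list, and
the router forwards anything no list rejects.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str]          # subset of {"SYN", "ACK", "RST"}


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src: str                       # host address or "any"
    dst: str
    dport: Optional[int] = None    # "eq N"
    established: bool = False      # IOS: true when the ACK or RST bit is set


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> bool:
    """First match wins; IOS ends every list with an implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action == "permit"
    return False


# The two lists from the thread (the addresses were invented there too).
ACL_102 = [  # "ip access-group 102 out": router -> Ethernet0 segment
    Rule("permit", "1.2.3.4", "2.2.3.4", established=True),
    Rule("permit", "1.2.3.4", "2.2.3.4", dport=25),
]
ACL_101 = [  # "ip access-group 101 in": Ethernet0 segment -> router
    Rule("permit", "2.2.3.4", "1.2.3.4", established=True),
    Rule("permit", "2.2.3.4", "1.2.3.4", dport=25),
]


def forwards(pkt: Packet, inbound: Optional[List[Rule]],
             outbound: Optional[List[Rule]]) -> bool:
    """Apply the Ethernet0 lists: 'in' to packets arriving from 2.2.3.4,
    'out' to packets leaving towards it.  None means no list that way."""
    if pkt.src == "2.2.3.4":
        return inbound is None or evaluate(inbound, pkt)
    if pkt.dst == "2.2.3.4":
        return outbound is None or evaluate(outbound, pkt)
    return True


def session_allowed(client: str, server: str, port: int,
                    inbound: Optional[List[Rule]],
                    outbound: Optional[List[Rule]]) -> bool:
    """A TCP session needs its SYN forwarded one way and the SYN/ACK back."""
    syn = Packet(client, server, 40000, port, frozenset({"SYN"}))
    synack = Packet(server, client, port, 40000, frozenset({"SYN", "ACK"}))
    return forwards(syn, inbound, outbound) and forwards(synack, inbound, outbound)


if __name__ == "__main__":
    for label, inb in (("only 102 out", None), ("101 in + 102 out", ACL_101)):
        print(label)
        print("  SMTP   1.2.3.4 -> 2.2.3.4:25", session_allowed("1.2.3.4", "2.2.3.4", 25, inb, ACL_102))
        print("  telnet 2.2.3.4 -> 1.2.3.4:23", session_allowed("2.2.3.4", "1.2.3.4", 23, inb, ACL_102))
        print("  telnet 1.2.3.4 -> 2.2.3.4:23", session_allowed("1.2.3.4", "2.2.3.4", 23, inb, ACL_102))
    # Caveat of 'established': a bare ACK to port 23 still passes list 102.
    probe = Packet("1.2.3.4", "2.2.3.4", 40000, 23, frozenset({"ACK"}))
    print("bare ACK probe to 2.2.3.4:23 forwarded:", forwards(probe, ACL_101, ACL_102))
```

The last line of the demonstration is the reason stateless `established` lists are only a coarse control: the router never checks that a SYN was ever permitted, so anything carrying an ACK bit matches, which is exactly what an ACK scan relies on.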
From firewalls-owner Fri Oct 6 11:05:44 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id KAA06455 for firewalls-outgoing; Fri, 6 Oct 1995 10:49:31 -0700 Received: from gw.home.vix.com (gw.home.vix.com [192.5.5.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id KAA06443 for ; Fri, 6 Oct 1995 10:49:28 -0700 Received: by gw.home.vix.com id AA09808; Fri, 6 Oct 95 10:48:03 -0700 X-Btw: vix.com is also gw.home.vix.com and vixie.sf.ca.us Received: by wisdom.home.vix.com id AA28636; Fri, 6 Oct 1995 10:48:03 -0700 Message-Id: <9510061748.AA28636@wisdom.home.vix.com> To: firewalls@greatcircle.com Subject: Re: FTP FW solution In-Reply-To: Your message of "Fri, 06 Oct 1995 10:59:47 CDT." Date: Fri, 06 Oct 1995 10:48:02 -0700 From: Paul A Vixie Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > So 'NAT does FTP proxying' and this 'without searching for PORT verbs in user > data' ? > > Not right. The FTP proxy, of course, will look at user data. A proxy > *IS* Layering Violation #1. An FTP proxy speaks the FTP protocol. Rather than modify protocol elements it translates entire transactions (which can have multiple protocol-level verb/response exchanges.) This is a violation in the sense Clark meant in his end-to-end paper way back when, but it's not the same as pattern matching in a stream and making alterations to suit the environment. The fact that I don't like it doesn't mean it won't work or that it's "wrong." But I feel pretty strongly that routers ought to route, and that asking them to modify anything deeper than the transport level headers is just bad news. 
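To make concrete what "searching for PORT verbs in user data" means, and why Paul Vixie later notes it is not stateless: an added example, not code from the Linux kernel, from ftp-gw, or from any product named in this thread. The class below does what an in-stream translator must do to the client-to-server FTP control connection: reassemble a PORT line that may be split across TCP segments, replace the internal address and port with a public address and a freshly allocated port (198.51.100.7 and the sequential allocation from 40000 are assumptions for the demonstration), remember that mapping so the server's inbound data connection can be relayed, and track how many bytes the rewrite added, because every later server acknowledgement number has to be shifted by that amount for the rest of the connection.

```python
"""In-stream rewriting of FTP PORT verbs, the NAT 'dirty trick' of the thread.

Added example, not code from the Linux kernel, from ftp-gw, or from any
vendor discussed above.  198.51.100.7 is an assumed public address and the
port allocation policy (sequential from 40000) is an assumption as well.
"""
import re

PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


class PortRewriter:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.pending = b""      # partial line held back between TCP segments
        self.seq_delta = 0      # bytes added so far; every later server ACK
                                # number must be shifted by this much
        self.mappings = {}      # public data port -> (internal ip, internal port)

    def feed(self, segment: bytes) -> bytes:
        """Take one client->server segment, return the bytes to forward."""
        data = self.pending + segment
        out = b""
        while b"\r\n" in data:
            line, data = data.split(b"\r\n", 1)
            out += self._rewrite(line + b"\r\n")
        # Only a fragment that could still turn into a PORT verb is held back;
        # any other partial line is forwarded immediately.
        if data and (data.startswith(b"PORT") or b"PORT".startswith(data)):
            self.pending = data
        else:
            out += data
            self.pending = b""
        return out

    def _rewrite(self, line: bytes) -> bytes:
        m = PORT_RE.match(line)
        if not m:
            return line
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        internal = (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
        pub_port = self.next_port
        self.next_port += 1
        # The NAT must now accept the server's inbound data connection on
        # public_ip:pub_port and relay it to the internal address.
        self.mappings[pub_port] = internal
        new = b"PORT %s,%d,%d\r\n" % (
            self.public_ip.replace(".", ",").encode("ascii"),
            pub_port // 256, pub_port % 256)
        self.seq_delta += len(new) - len(line)
        return new


if __name__ == "__main__":
    rw = PortRewriter("198.51.100.7")
    # Constructed control stream, with the PORT verb split across two segments.
    for seg in (b"USER anonymous\r\nPORT 10,1,2,3,4,", b"1\r\nRETR foo\r\n"):
        print(rw.feed(seg))
    print(rw.mappings, "sequence delta:", rw.seq_delta)
```

Everything the object keeps (`pending`, `seq_delta`, `mappings`) is per-connection state that a packet-by-packet translator must carry for as long as the control connection lives, whereas an application gateway such as ftp-gw simply speaks FTP on both sides and never has to patch sequence numbers.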
From firewalls-owner Fri Oct 6 11:30:20 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA06944 for firewalls-outgoing; Fri, 6 Oct 1995 11:02:41 -0700 Received: from gw.home.vix.com (gw.home.vix.com [192.5.5.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA06937 for ; Fri, 6 Oct 1995 11:02:36 -0700 Received: by gw.home.vix.com id AA10696; Fri, 6 Oct 95 11:01:13 -0700 X-Btw: vix.com is also gw.home.vix.com and vixie.sf.ca.us Received: by wisdom.home.vix.com id AA28453; Fri, 6 Oct 1995 11:01:13 -0700 Message-Id: <9510061801.AA28453@wisdom.home.vix.com> To: firewalls@greatcircle.com Subject: Re: Network Address Translation stuff Date: Fri, 06 Oct 1995 11:01:13 -0700 From: Paul A Vixie Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In private e-mail, someone quoted me and then asked a question which I have decided to answer here: > > The trick is to use an FTP proxy without the client having to know that > > it's talking to an FTP proxy. With a simple DNS trick and a complicated > > FTP proxy, you can make these ends meet. > > Could you explain this in a little more detail? Assume an RFC 1597 net which cannot exchange packets with the outside world. Everything a host on the internal net does, it does with other internal hosts or with some kind of fancy border gateway. This includes name service. Assume that the name server is smart enough to answer "creatively" when asked certain questions by internal hosts about external hosts. The border gateway makes the assumption that the time between asking for a remote host's address and attempting to connect to that address will be relatively short, and that these events are for the most part paired (other than as provided for by DNS caching on intermediate internal name servers.) 
Assume that the addresses given back by our "creative" border name server will refer to internal addresses (probably using alias interfaces) on some border machine, and that border machine has the "socket" command available, and that DNS replies can be made to coincide with execution of "socket" commands.

Assume that for protocols which do not contain addresses within them, such as telnet, the above is all that's required. In other cases, like SMTP where the internal hostnames may not be mappable by an external SMTP server, an application layer gateway (like sendmail running as a mail relay) will be used. In the case of FTP, the application layer gateway is fired up by the creative DNS server and it is given the desired remote host name/address mappings needed to complete the transaction even though the internal FTP client's TCP connection has "ended" at the border.

Some of the assumptions, especially the tight binding between DNS replies and remote server identities, are unpleasantly constraining. I observe that this situation is only encountered by clients who don't know about explicit proxies, and as such, most of the user population won't have to suffer with it. Older and dumber clients _do_ work, though. And the benefits of using an RFC 1597 network are just extreme: no renumbering when switching carriers; multihoming for free; absolute packet-level security no matter who misconfigures what.
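The scheme in the message above, as an added simulation that is not Paul Vixie's code or any product's: the border name server hands an internal host an alias address for an external name and, at the same moment, records (in a real gateway: starts with the "socket" command) a relay from that alias to the real host; a later connection to alias:port is dispatched to a plain splice for telnet, to a mail relay for SMTP, or to an FTP application gateway. The alias pool (addresses on the border host), the 60-second binding lifetime and the relay names are assumptions made for the demonstration. The `connect` method returning `None` is the constraint the message calls unpleasant: a DNS answer that a client or an intermediate cache holds longer than the relay lives points at nothing.

```python
"""Simulation of the 'creative' border name server described above.

Added example, not Paul Vixie's code or any product.  The alias pool
(10.255.0.0/24 addresses on the border host), the 60-second binding
lifetime and the relay names are assumptions made for the demonstration.
"""
from typing import Callable, Dict, List, Optional, Tuple


class BorderResolver:
    def __init__(self, external_lookup: Callable[[str], Optional[str]],
                 alias_pool: List[str], ttl: int = 60):
        self.lookup = external_lookup      # name -> real external address
        self.free = list(alias_pool)       # unused alias addresses on the border host
        self.ttl = ttl
        self.bindings: Dict[str, Tuple[str, str, int]] = {}   # alias -> (name, real, expires)
        self.by_name: Dict[str, str] = {}

    def resolve(self, name: str, now: int) -> Optional[str]:
        """Answer an internal host's query with an alias address and start
        (here: record) the relay that makes alias:port reach the real host."""
        self._expire(now)
        if name in self.by_name:                  # binding still live: reuse it
            alias = self.by_name[name]
            _, real, _ = self.bindings[alias]
            self.bindings[alias] = (name, real, now + self.ttl)
            return alias
        real = self.lookup(name)
        if real is None or not self.free:
            return None
        alias = self.free.pop(0)
        self.bindings[alias] = (name, real, now + self.ttl)
        self.by_name[name] = alias
        return alias

    def connect(self, alias: str, port: int, now: int) -> Optional[Tuple[str, str, int]]:
        """What happens when an internal client connects to alias:port.
        Returns (relay used, real address, port), or None when the DNS
        answer has outlived the relay it was paired with."""
        self._expire(now)
        if alias not in self.bindings:
            return None
        _, real, _ = self.bindings[alias]
        if port == 21:
            relay = "ftp-alg"        # application gateway that speaks FTP
        elif port == 25:
            relay = "smtp-relay"     # sendmail relay; internal names stay hidden
        else:
            relay = "tcp-relay"      # plain socket splice, enough for telnet
        return (relay, real, port)

    def _expire(self, now: int) -> None:
        for alias, (name, _, expires) in list(self.bindings.items()):
            if expires <= now:
                del self.bindings[alias]
                del self.by_name[name]
                self.free.append(alias)


if __name__ == "__main__":
    # Constructed external name table standing in for real resolution.
    table = {"ftp.example.org": "192.0.2.10", "mail.example.org": "192.0.2.25"}
    r = BorderResolver(table.get, ["10.255.0.1", "10.255.0.2"], ttl=60)
    alias = r.resolve("ftp.example.org", now=0)
    print(alias, r.connect(alias, 21, now=5))      # paired: relay exists
    print(alias, r.connect(alias, 21, now=200))    # cached answer, relay gone
```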
From firewalls-owner Fri Oct 6 11:30:22 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA07338 for firewalls-outgoing; Fri, 6 Oct 1995 11:21:52 -0700 Received: from gw.home.vix.com (gw.home.vix.com [192.5.5.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA07331 for ; Fri, 6 Oct 1995 11:21:48 -0700 Received: by gw.home.vix.com id AA12384; Fri, 6 Oct 95 11:20:26 -0700 X-Btw: vix.com is also gw.home.vix.com and vixie.sf.ca.us Received: by wisdom.home.vix.com id AA28505; Fri, 6 Oct 1995 11:20:25 -0700 Message-Id: <9510061820.AA28505@wisdom.home.vix.com> To: firewalls@greatcircle.com Subject: Re: Network Address Translation stuff In-Reply-To: Your message of "Thu, 05 Oct 1995 11:05:43 +0200." Date: Fri, 06 Oct 1995 11:20:25 -0700 From: Paul A Vixie Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> OK I get it, IBM NAT box has application level proxies inside instead of
> packet-per-packet address translation. (BTW, Do you know where I can
> find info about this IBM box. Quick search on IBM Web site didn't get me
> anything)

IBM, like DEC and other large companies, makes it just about impossible to buy anything from them unless it's something carried by your local computer store. I've never understood how American industry has lasted so long. I honestly have no idea how you'd go about learning more details about this; perhaps ANS is still reselling them and their web page knows about it?

> Let me try to summarize this subject a bit. There seems to be
> (at least) 2 different techniques for address translation:
>
> * Translate IP addresses on each IP packet that goes through, otherwise
> let packets go through unmodified. Handling FTP requires some dirty
> tricks like modifying data inside IP-packets that contain FTP PORT
> commands. Invisible to users.
>
> * Use application level proxies. This can be made invisible to users
> by using transparent proxies.

All true to the best of my understanding.
> Packet-by-packet address translation may be dirty in some sense,
> but on the other hand it doesn't require its own process on each connection and
> requires just a little state information. It can be implemented
> on a standalone box with no disks and limited main memory (like a router).

I think the perceived and widely publicized IPv4 address will lead to all kinds of layer-violating (RFC 1597) and aesthetically-disastrous (IPv6) solutions. Market pressure is going to cause more NAT-like solutions to fall out. You're right that doing it statelessly is better _when_possible_; I'd just like to note that modifying FTP data in-stream is not stateless even if a kernel-only implementation would be diskless.

From firewalls-owner Fri Oct 6 12:00:27 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id LAA08145 for firewalls-outgoing; Fri, 6 Oct 1995 11:49:02 -0700 Received: from prometheus.microchip.com (PROMETHEUS.MICROCHIP.COM [198.175.253.66]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id LAA08138 for ; Fri, 6 Oct 1995 11:48:59 -0700 Received: (from daemon@localhost) by prometheus.microchip.com (8.6.12/8.6.9) id LAA11033 for ; Fri, 6 Oct 1995 11:53:03 -0700 Received: from pegasus.microchip.com(199.170.150.38) by prometheus.microchip.com via smap (V1.3) id sma011031; Fri Oct 6 11:52:33 1995 Received: from localhost (localhost.Microchip.COM [127.0.0.1]) by pegasus.Microchip.COM (8.7/8.7) with ESMTP id LAA20120; Fri, 6 Oct 1995 11:38:49 -0700 (MST) Message-Id: <199510061838.LAA20120@pegasus.Microchip.COM> To: firewalls@greatcircle.com, fwtk-list@tis.com cc: meyerd@post.med.uni-marburg.de, Donald.J.Smith@cdev.com Subject: Re: http-gw & tis In-reply-to: Your message of "Thu, 05 Oct 1995 20:13:13 MST." <199510060431.VAA19813@miles.greatcircle.com> Date: Fri, 06 Oct 1995 11:38:45 -0700 From: Gustavo Vegas Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>From: "D.A.
Meyer"
>Date: Thu, 5 Oct 1995 10:12:43 +0000
>Subject: http-gw on dual-homed gateways
>......[text deleted...]
>The proxy has to rewrite the URL, and it seems to do it using the
>outside interface name/address (gethostname + gethostbyname). When I
>change the hostname so that it is connected to the IP-Address of the
>internal interface, my mail-proxy won't work.
>Has anybody built a patch, which rewrites the address depending on the
>interface on which the client-request came in? Any other idea?

I have had more serious problems than the address/hostname translation. The fix for Lynx/Mosaic to run properly was just to define properly the <service>_proxy environment variables (where service is one of: http, gopher, ftp, wais). That fixed the hostname translation problem. I am not sure if this is the exact problem you have, though.

I am more interested in interfacing http_gw with some form of user auth. in the same style as the other fwtk proxies, like tn_gw. I believe I asked this question on the fwtk list, but I received no answers, not even my own message back. Weird.

Cheers,
===========================================+===========================
Gustavo Vegas                  Gustavo.Vegas@Microchip.COM
CAD Systems Administrator      Microchip Technology Inc.
                               Chandler, Arizona
===========================================+===========================

From firewalls-owner Fri Oct 6 13:00:25 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA10225 for firewalls-outgoing; Fri, 6 Oct 1995 12:44:44 -0700 Received: from netmail2.microsoft.com (netmail2.microsoft.com [131.107.1.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id MAA10210 for ; Fri, 6 Oct 1995 12:44:40 -0700 Received: by netmail2.microsoft.com (5.65/25-eef) id AA23205; Fri, 6 Oct 95 13:46:55 -0700 Received: by netmail2 using fxenixd 1.0 Fri, 06 Oct 95 13:46:54 PDT X-Received: from chopper by xmtp2 with recvsmtp; Fri, 6 Oct 1995 12:12:51 -0700 Received: by CHOPPER with Microsoft Exchange id <01BA93E5.0DC1D2B0@CHOPPER>; Fri, 6 Oct 1995 12:12:49 -0700 Message-Id: From: "Greg King (Exchange)" To: "Firewalls@GreatCircle.COM" Subject: NT browsing in a domain Date: Fri, 6 Oct 1995 12:12:45 -0700 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable X-Msxmtid: xmtp2951006191251RECVSMTP[01.51.00]000000ce-2103 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

All,

Since there seems to be some confusion about what is happening in an NT environment for browsing or server announcements I thought that I would specify what is happening exactly.

A computer with a server component will initiate a browser announcement to its local browse master indicating it has the capabilities of receiving client connection requests. This announcement is a frame of 243 bytes, and is an Ethernet broadcast at the MAC level, and a subnet broadcast at the IP level. Browser communications are accomplished using UDP Port 138 (NetBIOS Datagram Service), with the standard UDP header length of eight bytes.

The next 82 bytes are the NBT section of the frame. This contains the local source name, and the destination name of the announcement.
The Destination name workgroup <1D> is an announcement to the local browse master for local clients to query and request browse lists from.

The next 86 bytes are the SMB (Server Message Block) header. This designates the entire SMB command structure used in this announcement. The thing to note is that the SMB transact file is \MAILSLOT\BROWSE.

The final 33 bytes represent the browser portion of the frame. It contains the browser command, Host Announcement, the announcement interval (progresses to 12 minutes), the announced name, and the server type, such as Windows NT Workstation and Windows NT Server. There may be multiple Host Announcement frames broadcast, each specifying the host as a workstation, a server, and as a potential browser.

Thanks,
Greg King
Microsoft Corp.
BackOffice Capacity Planning Manager

From firewalls-owner Fri Oct 6 13:00:27 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id MAA10420 for firewalls-outgoing; Fri, 6 Oct 1995 12:55:20 -0700 Received: from bigdipper.iagi.net (bigdipper.iagi.net [204.157.123.29]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id MAA10413 for ; Fri, 6 Oct 1995 12:55:17 -0700 Received: (from daveyb@localhost) by bigdipper.iagi.net (8.6.12/8.6.9) id PAA04327; Fri, 6 Oct 1995 15:57:24 -0400 Date: Fri, 6 Oct 1995 15:57:24 -0400 (EDT) From: "David A. Baldwin" To: firewalls@greatcircle.com cc: "David A. Baldwin" Subject: Re: An interesting dilemma that I could use help with In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi, We have a few Xylogics Annex 3 terminal servers at We would like to place a firewall between the Terminal server and the boot/security server. The firewall package that we use is Raptor's firewall product. While I was trying to implement this I ran into a few problems.
The way that we have to use the firewall for this is a bit strange due to the fact that ERPC is a UDP based protocol. We cannot use a proxy (which could be bi-directional) because their generic proxyd does not allow UDP to pass through. The way that we implement this is to use what is known as a generic service passer. We set up port 121 on the firewall to pass directly to port 121 on the security/boot server. Thus the terminal server is set up to boot from port 121 on the firewall.

The problem with this is that this solution is not bi-directional. There is now no way to use this utility (called na) that resides on the boot/security server to talk to the annex terminal server at port 121. To do this, I would need to set up a rule on the firewall such that all traffic destined to port 121 would go to the terminal server at port 121. That is not possible because this thing does not allow for bi-directional traffic. The way that the na utility works is that it talks to the erpcd on the boot/security server, then the erpcd sends the UDP packet to the terminal server and gets a response or sets a setting to NVRAM.

One way to fix this problem might be to get the source of erpcd and make it send info to different ports (i.e. send all info that the na util is sending to port 122 on the firewall and have it redirected to port 121 on the terminal server). I was however hoping that there was an easier solution. I do not mind changing the code myself, but I may not be here forever and if someone were to get a new version of erpcd later and replace my version it might take them a while to figure out what is going on.

 -------       -------       -------
|       |     |       |     |       |
|       |-----|       |-----|       |
|       |     |       |     |       |
 -------       -------       -------
  Annex       Firewall     Boot Server

This is sort of a network diagram of what I have been talking about.
Thank you for any help, David Baldwin daveyb@iagi.net From firewalls-owner Fri Oct 6 14:01:07 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA11315 for firewalls-outgoing; Fri, 6 Oct 1995 13:31:18 -0700 Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id NAA11302 for ; Fri, 6 Oct 1995 13:31:14 -0700 From: long-morrow@CS.YALE.EDU Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7/res.host.cf-4.0) with ESMTP id QAA08807; Fri, 6 Oct 1995 16:28:41 -0400 (EDT) sender long-morrow@CS.YALE.EDU for Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7/res.client.cf-4.0) id QAA12950; Fri, 6 Oct 1995 16:28:36 -0400 (EDT) Date: Fri, 6 Oct 1995 16:28:36 -0400 (EDT) Message-Id: <199510062028.QAA12950@SPARKY.CF.CS.YALE.EDU> To: firewalls@greatcircle.com, paul@vix.com Subject: Re: Network Address Translation stuff Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Paul A Vixie wrote: >> OK I get it, IBM NAT box has application level proxies inside instead of >> pakcet-per-packet address translation. (BTW, Do you know where I can >> find info about this IBM box. Quick search on IBM Web site didn't get me >> anything) > >IBM, like DEC and other large companies, makes it just about impossible to >buy anything from them unless it's something carried by your local computer >store. I've never understood how American industry has lasted so long. I >honestly have no idea how you'd go about learning more details about this; >perhaps ANS is still reselling them and their web page knows about it? Try : http://www.issc1.ibm.com/rsdirect/us/promotions/netsp_promo.htm for the technical details: http://www.issc1.ibm.com/rsdirect/us/promotions/techinfo.htm ----------------- H. 
Morrow Long, Mgr of Dev., Yale Univ., Comp Sci Dept, 011 AKW, New Haven, CT 06520-8285, VOICE: (203)-432-{1248,1254} FAX: (203)-432-0593 INET: Long-Morrow@CS.Yale.EDU UUCP: yale!Long-Morrow BITNET: Long-Morrow@YaleCS WWW: http://www.cs.yale.edu/HTML/YALE/CS/HyPlans/long-morrow.html From firewalls-owner Fri Oct 6 14:02:36 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA11869 for firewalls-outgoing; Fri, 6 Oct 1995 13:47:14 -0700 Received: from Rt66.com (mack.rt66.com [198.59.162.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA11862 for ; Fri, 6 Oct 1995 13:47:10 -0700 Received: by Rt66.com (4.1/SMI-4.1) id AA28221; Fri, 6 Oct 95 14:42:10 MDT From: dlewis@Rt66.com (David Lewis) Message-Id: <9510062042.AA28221@Rt66.com> Subject: Re: VRML through a Proxy To: firewalls@greatcircle.com Date: Fri, 6 Oct 1995 14:42:09 -0600 (MDT) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 598 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Has anybody successfully used VRML ( Virtual Reality Markup Language ) > through an Application based Proxy firewall? > If so, what was the client VRML viewer, and what was the firewall > product? I actually just tried it using FWTK's http-gw on the firewall, and the WorldView demo off of the CDROM from Mark Pesce's new book. It worked right off the bat with no changes to the firewall. Of course, we're already setup for web browsing. If you can web browse, I believe you ought to be able to use VRML browsers with no changes to your firewall. 
dl -- David Lewis dlewis@rt66.com From firewalls-owner Fri Oct 6 14:30:18 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA13223 for firewalls-outgoing; Fri, 6 Oct 1995 14:27:15 -0700 Received: from charon.ppco.com (ppco.com [138.32.15.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA13216 for ; Fri, 6 Oct 1995 14:27:10 -0700 From: bcsolom@bvemx.ppco.com Received: from bvemx.ppco.com by charon.ppco.com with SMTP id AA12002 (InterLock SMTP Gateway 3.0 for ); Fri, 6 Oct 1995 16:25:40 -0500 X400-Originator: bcsolom@bvemx.ppco.com X400-Recipients: firewalls@GreatCircle.COM X400-Mts-Identifier: [/ADMD=ATTMAIL/C=US/;0011200001408865000004] X400-Content-Type: P2-1988 (22) Priority: Urgent Message-Id: <0011200001408865000004*@MHS> To: "firewalls(a)GreatCircle.COM" Subject: VRML Through a Proxy Firewall Date: Fri, 6 Oct 1995 16:22:09 -0500 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Has anybody successfully used VRML ( Virtual Reality Markup Language ) through an Application based Proxy firewall? If so, what was the client VRML viewer, and what was the firewall product? 
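For Greg King's description of the NT browser announcement earlier in this digest (UDP port 138, an 82-byte NBT section carrying the source name and the workgroup <1D> destination name, and a 33-byte browser portion with the Host Announcement command, interval and server type): an added encoder and parser for those two pieces, written for this archive and not Microsoft code. The NetBIOS name encoding and the 14-byte datagram header follow RFC 1001/1002; the browser layout used is the one whose sizes the message quotes (32 bytes of fixed fields plus a null-terminated comment, so 33 bytes with an empty comment). The 86-byte SMB transaction header that sits between the two, carrying \MAILSLOT\BROWSE, is not modelled here; `split_nbt_datagram` returns everything after the names, and `parse_host_announcement` expects to be handed the browser block. The sample name CHOPPER, the datagram id and the server-type flag value 0x1003 (workstation | server | NT) are assumptions.

```python
"""Encoder/parser for the NetBIOS datagram and browser HostAnnouncement
pieces described in Greg King's message above.

Added example, not Microsoft code; the sample name CHOPPER, the server
type flags and the datagram id are assumptions.  The datagram header and
name encoding follow RFC 1001/1002; the browser block is the 32 fixed
bytes plus a null-terminated comment, 33 bytes when the comment is empty.
"""
import struct

NBT_DGM_HDR = ">BBH4sHHH"       # type, flags, id, src IP, src port, length, offset
BROWSE_HDR = "<BBI16sBBIBBH"    # opcode .. signature: 32 bytes, little-endian


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """RFC 1001 first-level encoding: 15-char space-padded name plus the
    suffix byte, each nibble written as 'A'+nibble, wrapped as one
    32-character label with length byte and terminator: 34 bytes."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    encoded = bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))
    return b"\x20" + encoded + b"\x00"


def decode_netbios_name(label: bytes):
    if len(label) != 34 or label[0] != 0x20 or label[33] != 0:
        raise ValueError("not a single-label NetBIOS name")
    enc = label[1:33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def build_nbt_datagram(src_ip: str, src_port: int, src_name: bytes,
                       dst_name: bytes, payload: bytes, dgm_id: int = 1) -> bytes:
    """DIRECT_GROUP datagram (type 0x11), first and last fragment, B node."""
    body = src_name + dst_name + payload
    header = struct.pack(NBT_DGM_HDR, 0x11, 0x02, dgm_id,
                         bytes(int(o) for o in src_ip.split(".")),
                         src_port, len(body), 0)
    return header + body


def split_nbt_datagram(dgm: bytes):
    """Return (source name, suffix), (destination name, suffix), payload."""
    src = decode_netbios_name(dgm[14:48])
    dst = decode_netbios_name(dgm[48:82])
    return src, dst, dgm[82:]


def build_host_announcement(server: str, comment: bytes = b"",
                            period_ms: int = 12 * 60 * 1000,
                            server_type: int = 0x00001003) -> bytes:
    """Opcode 1 = HostAnnouncement; OS version 4.0, browser version 15.1,
    signature 0xAA55; server_type 0x1003 = workstation | server | NT."""
    return struct.pack(BROWSE_HDR, 1, 0, period_ms,
                       server.upper().encode("ascii")[:16].ljust(16, b"\0"),
                       4, 0, server_type, 15, 1, 0xAA55) + comment + b"\0"


def parse_host_announcement(block: bytes):
    """Return the announcement fields, or None for any other browser command."""
    (opcode, _update, period_ms, name, os_major, os_minor,
     server_type, _bmaj, _bmin, sig) = struct.unpack_from(BROWSE_HDR, block)
    if opcode != 1 or sig != 0xAA55:
        return None
    comment = block[32:].split(b"\0", 1)[0]
    return {"server": name.rstrip(b"\0").decode("ascii"),
            "period_s": period_ms // 1000,
            "os": (os_major, os_minor),
            "server_type": server_type,
            "comment": comment.decode("ascii", "replace")}


if __name__ == "__main__":
    # Constructed announcement from CHOPPER to the WORKGROUP<1D> master browser.
    dgm = build_nbt_datagram("192.0.2.7", 138,
                             encode_netbios_name("CHOPPER", 0x00),
                             encode_netbios_name("WORKGROUP", 0x1D),
                             build_host_announcement("CHOPPER"))
    src, dst, rest = split_nbt_datagram(dgm)
    print(src, dst, len(rest), parse_host_announcement(rest))
```

Sizes fall out as the message states: the datagram header (14) plus two encoded names (34 each) is the 82-byte NBT section, and the fixed browser fields plus an empty comment is 33 bytes. A packet filter that wants to stop these announcements leaking off the subnet only needs UDP/138 to the broadcast address; anyone reading a capture of one can recover the source and workgroup names with `split_nbt_datagram`.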
From firewalls-owner Fri Oct 6 14:30:20 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA13062 for firewalls-outgoing; Fri, 6 Oct 1995 14:19:57 -0700 Received: from dns.state.mi.us (dns.state.mi.us [204.25.6.18]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA13055 for ; Fri, 6 Oct 1995 14:19:52 -0700 Received: from STATE.MI.US (ngwsmtp.state.mi.us [167.240.253.6]) by dns.state.mi.us (8.6.12/8.6.12) with SMTP id RAA11749 for ; Fri, 6 Oct 1995 17:13:01 -0400 Received: from MI-Message_Server by STATE.MI.US with Novell_GroupWise; Fri, 06 Oct 1995 17:09:32 -0400 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Fri, 06 Oct 1995 17:19:23 -0400 From: Mark Jaeger To: Firewalls@GreatCircle.COM Subject: Firewalls-Digest V4 #579 -Reply Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Until I return from vacation on October 16, Linda Baker will receive a forwarded copy of all my correspondence. From firewalls-owner Fri Oct 6 15:01:58 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id OAA12561 for firewalls-outgoing; Fri, 6 Oct 1995 14:08:01 -0700 Received: from wh.bayer.com (wh.bayer.com [192.80.67.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id OAA12547 for ; Fri, 6 Oct 1995 14:07:53 -0700 From: tws@wh.bayer.com Received: from mrcs1 ([140.250.41.24]) by wh.bayer.com (8.6.12/8.6.12) with SMTP id RAA12161; Fri, 6 Oct 1995 17:02:48 -0400 Received: by mrcs1 (5.64/X1.00) id AA27676; Fri, 6 Oct 95 17:00:13 -0400 Date: Fri, 6 Oct 95 17:00:13 -0400 Message-Id: <9510062100.AA27676@mrcs1> To: alan@mid.net, firewalls-digest@GreatCircle.COM, jcroall@thor.tjhsst.edu Subject: Re: WWW & Proxy Servers Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From firewalls-owner@GreatCircle.COM Thu Oct 5 00:56:56 1995 > To: alan@mid.net, firewalls-digest@GreatCircle.COM > Subject: Re: WWW & Proxy Servers > From: "James Croall" . . 
> The whole system is relatively easy; In fact I
> implemented it as a little toy a little while
> ago, adding HTTP Proxy support, S/Key authentication,
> and SSL (based on the SSLeay package)
> all on top of NCSA 1.4. As far as I played with
> it, it seemed to work.
>
> If anybody wants to play with it, I can dig up
> code.
> ---
> jcroall@tjhsst.edu * jcroall@foo.org
> http://www.tjhsst.edu/people/jcroall/

Rather than have you dig it up and give it to somebody, does it not make sense to have you give the code to ncsa and have them incorporate it into the next release? According to what you describe, that doesn't sound hard.

Regards, Tenna Sakai (tws@wh.bayer.com) Bayer Inc.

From firewalls-owner Fri Oct 6 17:01:26 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA17189 for firewalls-outgoing; Fri, 6 Oct 1995 16:46:37 -0700 Received: from port.island.net (port.island.net [199.60.231.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id QAA17182 for ; Fri, 6 Oct 1995 16:46:33 -0700 Received: from hakatac.port.island.net by port.island.net with smtp (Smail3.1.29.1 #2) id m0t1MK9-000IMBC; Fri, 6 Oct 95 16:37 PDT Received: by hakatac.port.island.net (4.1/SMI-4.1) id AA21638; Fri, 6 Oct 95 16:34:51 PDT To: firewalls@greatcircle.com Subject: Firewalls From: soccer@hakatac.almanac.bc.ca (mi) Message-Id: <4ZPkcD9w165w@hakatac.almanac.bc.ca> Date: Fri, 06 Oct 95 16:34:26 PDT Organization: Sir HackAlot's UNIX BBS, Port Alberni, B.C. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Would you please add me to your mailing list?
L8r, Sonic From firewalls-owner Fri Oct 6 17:11:34 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA17111 for firewalls-outgoing; Fri, 6 Oct 1995 16:40:04 -0700 Received: from charon.ppco.com (ppco.com [138.32.15.1]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id OAA12783 for ; Fri, 6 Oct 1995 14:13:01 -0700 From: asunden@bvemx.ppco.com Received: from bvemx.ppco.com by charon.ppco.com with SMTP id AA11489 (InterLock SMTP Gateway 3.0 for ); Fri, 6 Oct 1995 16:11:21 -0500 X400-Originator: asunden@bvemx.ppco.com X400-Recipients: firewalls@greatcircle.com X400-Mts-Identifier: [/ADMD=ATTMAIL/C=US/;0011200001408839000004] X400-Content-Type: P2-1988 (22) Message-Id: <0011200001408839000004*@MHS> To: "firewalls(a)greatcircle.com" Subject: NOTE 10/06/95 16:11:00 Date: Fri, 6 Oct 1995 16:07:52 -0500 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk To: OAS --BVEMX1 EMXOAS Has anyone been able to get VRML (virtual reality markup language) to work properly through an application proxy firewall? From firewalls-owner Fri Oct 6 17:12:33 1995 Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA17061 for firewalls-outgoing; Fri, 6 Oct 1995 16:39:02 -0700 Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id GAA28759 for ; Fri, 6 Oct 1995 06:27:19 -0700 Message-Id: <199510061327.GAA28759@miles.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA035495947; Fri, 6 Oct 1995 23:25:47 +1000 From: Darren Reed Subject: Security announcement from IBM. To: Firewalls@GreatCircle.COM (Firewalls Mailing List) Date: Fri, 6 Oct 1995 23:25:46 +1000 (EST) X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 10977 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I believe this announcement is of interest to firewalls... 
...there are some very interesting items below, including IBM setting up their own CERT squad. I apologise in advance if it has already been posted here and I just haven't caught up with it. darren

> *------------------------------------------------------------------------
> IBM Announces Security Software and Services to Protect the Enterprise
> September 28, 1995
>
> As part of its long-standing commitment to data security, IBM has announced enhancements, availability and pricing for a broad range of I/T security products and services designed to protect the enterprise from intrusion.
>
> The announcement includes:
>
> -- The launch of the Emergency Response Service, which provides expert incident management skills to clients during and after electronic security emergencies;
>
> -- A Customized Infiltration Tool Kit, to detect the most subtle weaknesses in a customer's Internet connection;
>
> -- Significant enhancements and price reductions on IBM's firewall product;
>
> -- The announcement for secure Web servers and browsers; enhancements to IBM AntiVirus software to support Windows 95 **;
>
> -- The availability of a new release of RACF *, IBM's award-winning Resource Access Control Facility, which now provides password synchronization across your RACF managed systems;
>
> -- The announcement of Internet secure OS/400 *, the operating system for the world's most popular business computing system.
>
>
> Emergency Response Team Operational Worldwide
>
> In response to concerns about network infiltrations, IBM announced that its Emergency Response Service for commercial businesses is now operational for customers throughout the world.
> Chartered to provide swift, expert incident management skills to clients during and after electronic security emergencies, the emergency response team specializes in electronic disasters that affect data processing capabilities, and is available to customers on a subscription basis via IBM's Integrated Systems Solutions Corporation (ISSC)*.
>
> This global service periodically checks customers' networks and can act as an extension of clients' I/T staffs. In the event of a network break-in, the team helps customers detect, isolate, contain and recover from unauthorized network infiltration. They are on call 24 hours a day, seven days a week around the world. IBM team members, who have extensive incident management experience, develop an understanding of customers' networks and system architectures, as well as how their firewalls are configured and maintained.
>
>
> Customized Weakness Detection Kit
>
> IBM's Customized Infiltration Tool Kit, a sophisticated set of tools to detect security weaknesses in clients' Internet connections, is available today. With these tools, IBM can probe the subtlest weaknesses that the most sophisticated hackers might try to exploit.
>
> These tools exercise network connections that go beyond the capabilities of most existing tools on the market and are customized to match clients' specific network configurations.
>
> The Customized Infiltration Tool Kit is part of IBM's I/T Security Consulting offering, and was developed in conjunction with IBM Research's Global Security Analysis Labs in New York and Zurich.
>
> Advanced Firewall Security ***
>
> As part of these security announcements, IBM announces a new release and a price reduction for its firewall, the Internet Connection Secured Network Gateway*, to promote its wider availability and advance the state of security on the Internet.
> Formerly known as the NetSP Secured Network Gateway, the Internet Connection Secure Network Gateway will be available to the public on October 27.
>
> The firewall now supports AIX 4.1.3, and operates with the popular RISC System/6000* workstation. It contains an encrypted IP tunnel that encodes data from one firewall to another using DES, the Data Encryption Standard invented by IBM more than 20 years ago, and Commercial Data Masking Facility (CDMF), an exportable encryption technology used outside of North America. The IP tunnel and key distribution is one of the first that is based on the latest IETF specifications, providing the most advanced technology for firewalls currently available.
>
> The Internet Connection Secured Network Gateway also includes remote administration and an alarm capability that allows a user to set alerts that are triggered when certain errors or other security violations occur.
>
>
> Secure Web Servers and Browsers ***
>
> IBM is also announcing the IBM Internet Connection Secure Web Servers for the OS/2* and AIX* platforms and IBM's Internet Connection Secure WebExplorer for OS/2 Warp. Using the industry standard protocols Secure HyperText Transfer Protocol (S-HTTP) and Secure Sockets Layer (SSL)**, these secure Web servers and browser will be commercially available on December 8. IBM Internet Connection Secure Servers provide several security methods for conducting commerce over the Internet, including public key data encryption technology.
>
>
> Anti-Virus Software and Services
>
> IBM also announced that its IBM AntiVirus software will be available for the Windows 95 platform in November. IBM AntiVirus software provides comprehensive virus detection, removal and protection for over 6,000 known computer viruses, and is widely available on the OS/2*, DOS**, Windows**, and NetWare** platforms for $49.
>
> IBM AntiVirus scans memory, hard disks, floppy drives and network servers for thousands of viruses, including polymorphic viruses that change to avoid detection, and viruses previously considered impossible to discover. To uncover unknown viruses, the software contains heuristics that attempt to find viruses by watching for behavior that is characteristic of viruses. IBM's anti-virus software products are available on the Internet via IBM's AntiVirus home page at http://www.brs.ibm.com/ibmav.html.
>
>
> RACF 2.2 Debuts
>
> IBM's acclaimed Resource Access Control Facility (RACF) for MVS will debut Version 2.2 this week on September 29. RACF is a versatile, effective security tool that protects MVS system resources from inadvertent damage and deliberate misuse of data. New features for RACF 2.2 include password synchronization and the ability to administer multiple remote RACF databases with a single command, without logging onto the remote systems. RACF 2.2 also features a "remove ID" utility that eliminates security problems created by old, unneeded user ID's, and has expanded its support for OpenEdition MVS by providing security checking and auditing for the XPG4 environment. RACF 2.2 also provides enhancements to its PassTicket support, an alternative to RACF passwords. With RACF 2.2 you can now use unique PassTicket keys for different RACF users and groups who need access to the same secured application.
>
> These new features build upon support provided in RACF 2.1, such as RACF's sysplex data sharing support which uses the System/390 parallel sysplex services to cache RACF data. RACF also uses these services to transmit selected administrative commands to peer RACF systems. The administrator can send these commands from one system to take effect on all systems enabled for sysplex communication.
>
> IBM has previously announced its intention to enhance RACF for VM by providing support for the OpenEdition POSIX and Shared File System features of VM/ESA.
>
>
> Internet Secure OS/400
>
> IBM's AS/400 operating system, OS/400, offers a fully integrated set of security features that have been evaluated to meet the U.S. Government C2 security criteria. OS/400 Version 2 Release 3 is scheduled to receive the C2 rating at the National Security Conference in October. Subsequent releases of OS/400 have been designed to meet C2 and IBM intends to continue to participate in the government evaluation process. Included in the C2 evaluation was the AS/400 relational database DB2/400, which is integrated into the operating system, and utilizes the same security mechanisms as OS/400. This ensures the integrity of information stored in OS/400, as well as the security of user access to AS/400 computing resources, providing customers with unmatched security for midrange system computing.
>
> IBM's AS/400 provides full individual accountability via a centralized identification and authentication built into the system. Users are uniquely identified by a one-way DES encrypted password.
>
> Since all sharable data is contained in encapsulated objects, discretionary access control is maintained by each object manager using a system-wide access algorithm. Access to objects may be controlled through public, private, or adopted authorities and may be managed through user groups and common object authorization lists.
>
> Additionally, AS/400 provides a highly configurable set of auditing capabilities selectable to individual users, objects, or events.
>
> Hardware and software encryption/decryption capabilities supporting data confidentiality, non-repudiation, authentication, and data integrity are also available on AS/400.
>
> These announcements complement a wide range of I/T security offerings already available from IBM -- from encryption hardware and software, access control products, firewalls and security management and administration, to DCE security services, IBM Global Network security services and implementation services. Additional information on these offerings can be found through the IBM I/T Security home page, at http://www.ibm.com/Security.
>
> IBM's security products support the security component of the Open Blueprint. A white paper with information about security in the Open Blueprint is available for reference on the Internet at: http://www.torolab.ibm.com/openblue/openblue.html.
>
> For more information about other IBM products and services, see the IBM home page on the World Wide Web, located at http://www.ibm.com.
>
> * Indicates trademark or registered trademark of International Business Machines.
>
> ** Indicates trademark or registered trademark of the respective companies.
>
> *** Editor's Note: For more information on IBM's advanced firewall security and Internet Connection Secure Web Servers and Browsers, please refer to the accompanying press release.
From firewalls-owner Fri Oct 6 20:00:12 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id TAA19848 for firewalls-outgoing; Fri, 6 Oct 1995 19:45:19 -0700
Received: from wabash.iac.net (wabash.iac.net [198.180.60.138]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id TAA19841 for ; Fri, 6 Oct 1995 19:45:15 -0700
Received: by wabash.iac.net id WAA04325; Fri, 6 Oct 1995 22:43:36 -0400
Date: Fri, 6 Oct 1995 22:43:34 -0400 (EDT)
From: Carl Jolley
To: Chris Tyler
cc: Slava Kritov , Firewalls@GreatCircle.COM
Subject: Re: Mail Proxy
In-Reply-To: <306c46060.cfb@devel.dejong.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Uhh, and what do you suggest for a uuencoded text that's been rot13'ed and is appended to the body of the message, not attached?

**** cjolley@iac.net **** All opinions are my own and not necessarily those of my employer ****

On Fri, 29 Sep 1995, Chris Tyler wrote:

>
> Slava Kritov writes:
>
> > Any uuencode ?
> > Sorry, as a sysadm of 500+ orgs can say, that people sometimes exchange
> > word docs in uuencode, and ( for Mac's ) you can't even say its word doc
> > based on name ...
>
> Right... so? The purpose was to deny all attachments, whether word DOCs or executables. So
> you look for the uuencode signature string and deny.
>
> Chris Tyler Chris@DeJong.Com CTyler@Oxford.Net
> Systems Development Manager, Wm. De Jong Enterprises Inc.
> +1-519-424-9007 / fax +1-519-424-2399
>

From firewalls-owner Fri Oct 6 23:30:12 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA22113 for firewalls-outgoing; Fri, 6 Oct 1995 23:06:29 -0700
Received: from furnace.cybergraphic.com.au ([203.5.40.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id XAA22106 for ; Fri, 6 Oct 1995 23:06:24 -0700
Received: from mailgate.cybergraphic.com.au (mailgate.cybergraphic.com.au [203.5.40.130]) by furnace.cybergraphic.com.au (8.6.12/8.6.12) with SMTP id QAA02627; Sat, 7 Oct 1995 16:02:59 +1000
Received: from cc:Mail by mailgate.cybergraphic.com.au id AA813106958; Sat, 07 Oct 95 16:00:24 eet
Date: Sat, 07 Oct 95 16:00:24 eet
From: "greg hume"
Message-Id: <9509078131.AA813106958@mailgate.cybergraphic.com.au>
To: firewalls@greatcircle.com, fwtk-users@tis.com
Subject: FWTK ftp-gw, http-gw Statically linked problem
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all,

We are at this moment attempting to find the cause of a problem with FWTK 1.3. The FTP-GW and HTTP-GW are the services we have configured so far. Each time we start the service by connecting to the server/firewall we are getting "Statically Linked" messages. The messages appear in the log files and on telnet sessions when we telnet to the gw service ports. We think it may be an environment problem but cannot pin it down.

The authsvr has successfully been compiled with linking forced to be dynamic or static. The gw apps appear to work fine in debug mode.

Any help/advice would be welcome. I really don't wish to scrog the hd and rebuild from aaaaaAAARGH.

Greg
Senior Systems/Network Analyst
Cybergraphic Systems PTY LTD.
862 Glenferrie Rd.
Hawthorn Melbourne, Australia 3122

From firewalls-owner Fri Oct 6 23:30:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id XAA22136 for firewalls-outgoing; Fri, 6 Oct 1995 23:11:25 -0700
Received: from furnace.cybergraphic.com.au ([203.5.40.10]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id XAA22129 for ; Fri, 6 Oct 1995 23:11:19 -0700
Received: from mailgate.cybergraphic.com.au (mailgate.cybergraphic.com.au [203.5.40.130]) by furnace.cybergraphic.com.au (8.6.12/8.6.12) with SMTP id QAA02632; Sat, 7 Oct 1995 16:07:59 +1000
Received: from cc:Mail by mailgate.cybergraphic.com.au id AA813107259; Sat, 07 Oct 95 16:04:54 eet
Date: Sat, 07 Oct 95 16:04:54 eet
From: "greg hume"
Message-Id: <9509078131.AA813107259@mailgate.cybergraphic.com.au>
To: firewalls@greatcircle.com, fwtk-users@tis.com
Subject: RE: FWTK ftp-gw, http-gw Statically linked problem
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 7/10/95 Greg wrote

>Hi all,
>We are at this moment attempting to find the cause of a problem with
>FWTK 1.3. The FTP-GW and HTTP-GW are the services we have configured
>so far. Each time we start the service by connecting to the
>server/firewall we are getting "Statically Linked" messages. The
>messages appear in the log files and on telnet sessions when we telnet
>to the gw service ports. We think it may be an environment problem but
>cannot pin it down.
>The authsvr has successfully been compiled with linking forced to be
>dynamic or static. The gw apps appear to work fine in debug mode.
>Any help/advice would be welcome. I really don't wish to scrog the hd
>and rebuild from aaaaaAAARGH.

ps. We are running Linux build 1.3.8

Greg
Senior Systems/Network Analyst
Cybergraphic Systems PTY LTD.
862 Glenferrie Rd.
Hawthorn Melbourne, Australia 3122

From firewalls-owner Sat Oct 7 13:30:05 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA04649 for firewalls-outgoing; Sat, 7 Oct 1995 13:27:33 -0700
Received: from fmgmt.mgmt.utoronto.ca (fmgmt.mgmt.utoronto.ca [128.100.43.253]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA04642 for ; Sat, 7 Oct 1995 13:27:30 -0700
Received: by fmgmt.mgmt.utoronto.ca (5.57/Ultrix3.0-C) id AA10735; Sat, 7 Oct 95 16:20:58 -0400
Date: Sat, 7 Oct 95 16:20:58 -0400
Message-Id: <9510072020.AA10735@fmgmt.mgmt.utoronto.ca>
X-Sender: hayes@fmgmt.mgmt.utoronto.ca
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: Gordon Hayes
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From firewalls-owner Sat Oct 7 14:00:19 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA04715 for firewalls-outgoing; Sat, 7 Oct 1995 13:37:51 -0700
Received: from fmgmt.mgmt.utoronto.ca (fmgmt.mgmt.utoronto.ca [128.100.43.253]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA04706 for ; Sat, 7 Oct 1995 13:37:48 -0700
Received: by fmgmt.mgmt.utoronto.ca (5.57/Ultrix3.0-C) id AA10792; Sat, 7 Oct 95 16:31:18 -0400
Date: Sat, 7 Oct 95 16:31:18 -0400
Message-Id: <9510072031.AA10792@fmgmt.mgmt.utoronto.ca>
X-Sender: hayes@fmgmt.mgmt.utoronto.ca
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@greatcircle.com
From: Gordon Hayes
Subject: Survey
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

I am a Graduate Student at the University of Toronto, Canada, doing my thesis on DATA COMMUNICATION SECURITY AUDIT. I would greatly appreciate it if you could take a minute to assist me in my academic endeavours by reviewing and completing the following questionnaire.
Respondents will receive a summary of the findings. All information provided will be held in the strictest confidence. Any questions you do not wish to answer, please mark "N/A". Any additional comments which you might feel would be helpful in this study would be greatly appreciated. Thank you in advance for your assistance in this study.

Questions:

a) As a firm, are you concerned about the security of your internet connection?

b) Are you concerned about the auditability of your Internet connection?

c) Please rate the importance of the following to your firm:
   i) timeliness of reporting
   ii) readability of audit reports
   iii) notification of breach
   iv) traffic pattern analysis
   v) forensic analysis
   vi) personal contact
   vii) seamless integration into your particular environment.

d) What type of firewall systems do you use today?

e) How long have you been connected to the Internet?

f) How long have you used a firewall?

g) How big is your organization? - # employees and sales revenue, remote locations, # people authorized to use the Internet?

Thank you for taking time in completing the above. I look forward to tabulating the results.
From firewalls-owner Sat Oct 7 17:00:13 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA07562 for firewalls-outgoing; Sat, 7 Oct 1995 16:35:57 -0700
Received: from isgate.is (isgate.is [193.4.58.51]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA07549 for ; Sat, 7 Oct 1995 16:35:53 -0700
Received: from xanadu.centrum.is by isgate.is (8.6.10/ISnet/14-10-91); Sat, 7 Oct 1995 23:34:23 GMT
Received: by xanadu.centrum.is (5.x/ISnet/11-02-92); Sat, 7 Oct 1995 23:34:18 GMT
Date: Sat, 7 Oct 1995 23:34:18 +0000 (GMT)
From: KiDDi
To: firewalls@greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

sunscribe firewalls-digest

From firewalls-owner Sun Oct 8 08:30:00 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA16514 for firewalls-outgoing; Sun, 8 Oct 1995 08:07:05 -0700
Received: from utrecht.knoware.nl (utrecht.knoware.nl [193.78.120.3]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA16507 for ; Sun, 8 Oct 1995 08:06:59 -0700
Received: from csehost.idiscover.co.uk (csehost.idiscover.co.uk [194.128.134.177]) by utrecht.knoware.nl (8.6.12/8.6.12) with SMTP id QAA12630 for ; Sun, 8 Oct 1995 16:04:48 +0100
Date: Sun, 8 Oct 1995 16:04:48 +0100
Message-Id: <199510081504.QAA12630@utrecht.knoware.nl>
X-Sender: njb@pop.knoware.nl
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.COM
From: njb@knoware.nl (Niels Bjergstrom)
Subject: Brent Chapman in Europe
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A number of people have informed me that they did not see the original announcement of Brent's tutorials in Europe because of vacation. I probably should have reposted it, but I rarely use the net for advertising purposes.
However, there is still space at the following tutorials: in Munchen Oct 16, in Amsterdam Oct 17 and in London Oct 19. Email me for further info in case of interest.

Niels

-- Niels J Bjergstrom, Ph.D., m/ISACA   Tel. +31 70 362 2269 --
-- Computer Security Engineers, Ltd.    Fax. +31 70 365 2286 --
-- Postbus 85 502, NL-2508 CE Den Haag  London: +44 181 519 8011 --
-- Netherlands                          Email: njb@csehost.knoware.nl --
-- PGP Public key available on request - please use when mailing vira --

From firewalls-owner Sun Oct 8 09:00:07 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id IAA17535 for firewalls-outgoing; Sun, 8 Oct 1995 08:54:53 -0700
Received: from clark.net (clark.net [168.143.0.7]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id IAA17528 for ; Sun, 8 Oct 1995 08:54:50 -0700
Received: (hcb@localhost) by clark.net (8.6.12/8.6.5) id LAA15553; Sun, 8 Oct 1995 11:53:30 -0400
From: Howard Berkowitz
Message-Id: <199510081553.LAA15553@clark.net>
Subject: RFC1597 subtleties
To: firewalls@greatcircle.com
Date: Sun, 8 Oct 1995 11:53:29 -0400 (EDT)
Cc: hcb@clark.net (Howard Berkowitz)
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Content-Length: 1269
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There have been several discussions going that deal purely with RFC1597, or its use with network address translation. While this might be slightly far afield, there are some subtleties of certain ways to use RFC1597. I refer specifically to the use of the "class A block," 10.0.0.0, rather than the Class B or Class C blocks, and potential interactions with routing.

If one uses 10.0.0.0 with a classful routing protocol such as RIP or IGRP, there will be no opportunity for route summarization. For each additional subnet, the total routing update size will grow by at least 24 bytes for RIP and 104 bytes for IGRP.
Packet fragmentation, etc., may cause additional growth. There's no free lunch.

If one uses the Class B or Class C blocks, one must be careful to avoid discontiguous subnets if also using a classful routing protocol. Discontiguous subnets arise when two subnets of one major network are separated by a subnet of another major network (e.g., two LANs in 172.20.0.0 are interconnected by a serial line in 172.21.0.0). This won't work unless a classless routing protocol such as OSPF, EIGRP, or integrated IS-IS is used.

Classless routing protocols also would allow summarization with 10.0.0.0. They are, however, harder to configure.

Howard

From firewalls-owner Sun Oct 8 09:30:18 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA18107 for firewalls-outgoing; Sun, 8 Oct 1995 09:24:04 -0700
Received: from iez.com (mail.iez.com [194.77.84.39]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA18100 for ; Sun, 8 Oct 1995 09:23:48 -0700
Received: by iez.com (AIX 3.2/UCB 5.64/4.03) id AA07034; Sun, 8 Oct 1995 17:22:07 +0100
Message-Id: <9510081622.AA07034@iez.com>
Received: from sphpv01(172.16.13.11) by iez.com via smap (V1.3) id sma006776; Sun Oct 8 17:21:51 1995
Received: from inhps-a by iez.com with SMTP (1.37.109.4/16.2) id AA18497; Sun, 8 Oct 95 17:21:47 +0100
Received: by inhps-a (1.38.193.3/16.2) id AA11465; Sun, 8 Oct 95 17:21:46 +0100
From: Rolf-Weber
Subject: sendmail on AIX without suid root?
To: firewalls@greatcircle.com
Date: Sun, 8 Oct 95 17:21:46 MEZ
Mailer: Elm [revision: 70.85]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all,

I'm running an application gateway with the TIS toolkit on an AIX 3.2 workstation. smap and smapd work fine, but I wish to remove the ugly suid root bit from /usr/sbin/sendmail. I did it, made the spool directory writable for it, but it didn't work.
In my syslog appeared "sendmail[14414]: send-mail : auditproc: Not owner"

I found nothing in the FAQs, neither in the sendmail one nor in the AIX-related one. Any idea?

TIA, rolf

From firewalls-owner Sun Oct 8 09:30:21 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id JAA17833 for firewalls-outgoing; Sun, 8 Oct 1995 09:11:36 -0700
Received: from rds.com (wpgate.rds.com [206.54.49.2]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id JAA17826 for ; Sun, 8 Oct 1995 09:11:33 -0700
Received: from RDS-Message_Server by rds.com with Novell_GroupWise; Sun, 08 Oct 1995 09:03:53 -0700
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Sun, 08 Oct 1995 09:11:58 -0700
From: Doug Kaye
To: firewalls@GreatCircle.COM
Subject: Firewall Subcontractor Wanted (Bay Area)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We are an Internet/email integrator in the San Francisco Bay Area and are beginning to receive a fair number of requests for quality firewall plans and implementations. Our workload does not permit us to address all of these opportunities directly. We are looking for experienced firewall designers who are willing to work as subcontractors to RDS.

If you are interested, please email me directly with qualifications (including security products you have used), your rates as a subcontractor and a brief statement of your philosophy towards the security audit and planning process.

Please do not respond if you are not in the SF Bay Area or if you are not very experienced in this area. We've got no shortage of people who *want* to be firewall designers -- we're looking for those few who are already good at it.

We're not an Internet startup. We are a 17-year-old integrator serving major California-based companies. Check us out at http://www.rds.com.

Thanks.
...doug

============================================================
Doug Kaye
Rational Data Systems, Novato, CA
Tel:415-382-8400 FAX:415-382-8441
http://www.rds.com

From firewalls-owner Sun Oct 8 13:30:08 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id NAA20916 for firewalls-outgoing; Sun, 8 Oct 1995 13:17:21 -0700
Received: from DOCKMASTER.NCSC.MIL (DOCKMASTER.NCSC.MIL [26.1.0.172]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with SMTP id NAA20909 for ; Sun, 8 Oct 1995 13:17:13 -0700
Date: Sun, 8 Oct 95 16:10 EDT
From: Wilner@DOCKMASTER.NCSC.MIL
Subject: new firewall book (Chapman & Zwicky)
To: firewalls@GREATCIRCLE.COM
Message-ID: <951008201044.786003@DOCKMASTER.NCSC.MIL>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I just purchased and read Chapman and Zwicky's new book, Building Internet Firewalls. The discussions are clear, the authors' mastery of the technology is impressive, and the pictures are marvelous.

Yet, just as in the other firewall books, there is no mention of "meatier" INFOSEC issues, such as high-assurance trusted platforms or formal modeling of TCP/IP protocols. There is little substantive discussion of denial of service, which is quite important. There is no mention of integrating firewall technology with COTS security products other than I&A tools. No mention of emerging technology pursuant to either NSA's MISSI program or NIST's PKC entity authentication research (q.v. Draft FIPS PUB "JJJ") is to be found.

What's the deal? It seems that the participants in this august forum are concerned only about cookbook-style approaches. "How can I run such-and-such application?" "What ports should I block in order to securely operate FOOBAR?" "What commands do I issue to my Telebit?" "How can I get DNS to do such-and-such on a screened-subnet doodad with DYNIX and NetWare?" This is all that people seem to want to discuss.
It is noted with sadness that challenges such as the one detailed in the preceding four paragraphs are never responded to. One takes that to mean either that everyone is in complete agreement and therefore no discussion is required, or that no one feels qualified to disagree in writing.

Bruce D. Wilner
--------------------------------------------------
no PGP key, no witticisms, no cutesy line graphics

From firewalls-owner Sun Oct 8 16:00:01 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id PAA23438 for firewalls-outgoing; Sun, 8 Oct 1995 15:37:57 -0700
Received: from dns.state.mi.us (dns.state.mi.us [204.25.6.18]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id PAA23431 for ; Sun, 8 Oct 1995 15:37:53 -0700
Received: from STATE.MI.US (ngwsmtp.state.mi.us [167.240.253.6]) by dns.state.mi.us (8.6.12/8.6.12) with SMTP id SAA05984 for ; Sun, 8 Oct 1995 18:30:56 -0400
Received: from MI-Message_Server by STATE.MI.US with Novell_GroupWise; Sun, 08 Oct 1995 18:28:11 -0400
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Sun, 08 Oct 1995 18:37:17 -0400
From: Mark Jaeger
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V4 #580 -Reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Until I return from vacation on October 16, Linda Baker will receive a forwarded copy of all my correspondence.
From firewalls-owner Sun Oct 8 17:00:08 1995
Received: (majordom@localhost) by miles.greatcircle.com (8.6.9/Miles-950430-1) id QAA24446 for firewalls-outgoing; Sun, 8 Oct 1995 16:57:55 -0700
Received: from ace.mid.net (ace.mid.net [198.247.225.251]) by miles.greatcircle.com (8.6.9/Miles-950430-1) with ESMTP id QAA24439 for ; Sun, 8 Oct 1995 16:57:51 -0700
Received: from gaijin.mid.net (gaijin.mid.net [198.247.250.28]) by ace.mid.net (8.6.10/8.6.9) with ESMTP id SAA09586; Sun, 8 Oct 1995 18:56:20 -0500
Received: (from alan@localhost) by gaijin.mid.net (8.6.10/8.6.9) id SAA09074; Sun, 8 Oct 1995 18:56:39 -0500
From: Alan Hannan
Message-Id: <199510082356.SAA09074@gaijin.mid.net>
Subject: Re: new firewall book (Chapman & Zwicky)
To: Wilner@DOCKMASTER.NCSC.MIL
Date: Sun, 8 Oct 1995 18:56:38 -0500 (CDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <951008201044.786003@DOCKMASTER.NCSC.MIL> from "Wilner@DOCKMASTER.NCSC.MIL" at Oct 8, 95 04:10:00 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 3532
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

......... Wilner@DOCKMASTER.NCSC.MIL is rumored to have said:
]
] Yet, just as in the other firewall books, there is no mention
] of "meatier" INFOSEC issues, such as high-assurance trusted
] platforms or formal modeling of TCP/IP protocols. There is

IMHO this is not 'firewalling (read:separating networks accor